Opened 10 years ago

Closed 9 years ago

#27250 closed enhancement (fixed)

Add OpenSSH GSSAPI key exchange patch

Reported by: lassi.tuura@…
Owned by: jyrkiwahlstedt
Priority: Normal
Milestone:
Component: ports
Version:
Keywords: haspatch
Cc: khepler, maehne (Torsten Maehne), nonstop.server@…, vkuznet (Valentin Kuznetsov), mmpestorich (Mike M Pestorich), matty2fatty@…
Port: openssh

Description

Would it be possible to build openssh with patches from http://www.sxw.org.uk/computing/patches/ or at least provide a variant which includes the patch?

In particular it adds support for the GSSAPITrustDNS option, which the OS X system SSH appears to be built with and which is very useful for working in a Kerberos V5 environment. Or, more accurately put, ssh without that option isn't really very useful in a Kerberos V5 environment where DNS-aliased host names are common, e.g. for load-balanced ones.

From http://paste.lisp.org/display/64135 it looks like the predecessor patch might have been included before, but I can't find any corresponding section in the revision log of the openssh port file.

I took the patch for 5.3p1 from http://www.sxw.org.uk/computing/patches/openssh-5.3p1-gsskex-all-20100124.patch, adapted it to OpenSSH 5.6p1 code (Makefile.in, key.h and key.c need trivial patch updates), and attached it to this ticket.
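An added example, not part of the ticket or the port: the ssh_config(5) text shipped with the GSS key exchange patch describes GSSAPITrustDns as declaring that DNS is trusted to securely canonicalize the server name, so this shell check lists the `Host` scopes in which a client config enables it and flags configs that enable it for every host. The host name `lb.example.org` and both sample configs are constructed.

```shell
#!/bin/sh
# Constructed sample: GSSAPITrustDns limited to one DNS-aliased service name.
scoped_config() {
cat <<'EOF'
Host lb.example.org
    GSSAPIAuthentication yes
    GSSAPIKeyExchange yes
    GSSAPITrustDns yes
Host *
    GSSAPIAuthentication yes
    GSSAPITrustDns no
EOF
}

# Constructed sample: the option enabled before any Host line and under "Host *".
broad_config() {
cat <<'EOF'
GSSAPITrustDns=yes
Host *
    gssapikeyexchange yes
    gssapitrustdns yes
EOF
}

# Read an ssh_config on stdin; print the Host scope of every "GSSAPITrustDns yes".
# Keywords are case-insensitive and may use "=" instead of whitespace.
trustdns_hosts() {
    awk '
        BEGIN { scope = "(global)" }          # options before the first Host line
        { sub(/^[ \t]+/, ""); gsub(/=/, " ") }
        /^#/ || NF == 0 { next }
        { key = tolower($1) }
        key == "host" { $1 = ""; sub(/^ +/, ""); scope = $0; next }
        key == "gssapitrustdns" && tolower($2) == "yes" { print scope }
    '
}

# Exit 0 when the option is on globally or under a bare "*" pattern.
trustdns_too_broad() {
    trustdns_hosts | grep -Eq '^\(global\)$|(^| )\*( |$)'
}

for cfg in scoped_config broad_config; do
    if "$cfg" | trustdns_too_broad; then
        echo "$cfg: GSSAPITrustDns enabled for all hosts"
    else
        echo "$cfg: GSSAPITrustDns scoped to: $("$cfg" | trustdns_hosts)"
    fi
done
```

To audit a real client config, feed it on stdin, for example `trustdns_hosts < ~/.ssh/config`.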

Attachments (7)

Portfile.patch (589 bytes) - added by lassi.tuura@… 10 years ago.
Patch to Portfile to add gsskex variant
openssh-5.3p1-gsskex-all-20100124.patch (88.2 KB) - added by lassi.tuura@… 10 years ago.
Actual patch
Portfile2.patch (1.0 KB) - added by lassi.tuura@… 9 years ago.
Updated patch for openssh 5.9p1
openssh-5.9p1-gsskex-all-20110920.patch (88.4 KB) - added by lassi.tuura@… 9 years ago.
Updated patch for openssh 5.9p1
apple-keychain.patch (60.7 KB) - added by lassi.tuura@… 9 years ago.
Patch to add apple keychain support (+ other apple changes)
0001-GSS-key-exchange-patch.patch (90.0 KB) - added by lassi.tuura@… 9 years ago.
Patch regenerated in more clean format with git
0002-Apple-keychain-integration-other-changes.patch (64.0 KB) - added by lassi.tuura@… 9 years ago.
Patch regenerated in more clean format with git


Change History (22)

Changed 10 years ago by lassi.tuura@…

Attachment: Portfile.patch added

Patch to Portfile to add gsskex variant

Changed 10 years ago by lassi.tuura@…

Actual patch

comment:1 Changed 10 years ago by mf2k (Frank Schima)

Keywords: haspatch added
Owner: changed from macports-tickets@… to jwa@…
Version: 1.9.2

Changed 9 years ago by lassi.tuura@…

Attachment: Portfile2.patch added

Updated patch for openssh 5.9p1

Changed 9 years ago by lassi.tuura@…

Updated patch for openssh 5.9p1

Changed 9 years ago by lassi.tuura@…

Attachment: apple-keychain.patch added

Patch to add apple keychain support (+ other apple changes)

comment:2 Changed 9 years ago by lassi.tuura@…

I've added patches to the portfile and to add to the 'files' directory, for the openssh currently in use in macports (5.9p1). The gsskex patch is just a refreshed version of the sxw.org.uk one (there is no patch for 5.9p1 there).

The second, apple-keychain.patch, contains a selected subset of the differences between standard openssh and Apple's version, most notably the automatic integration with keychain, as per running diff against the version available from www.opensource.apple.com/source/OpenSSH. As far as I understand the license in the additional source files, they are ok for distribution in macports (= Apple BSD license). I didn't include quite all the differences, as some seemed deprecated (SACL), others can't be compiled without apparently internal private sources (APPLE_CROSS_REALM requires OpenDirectoryPriv.h), and others are effectively already in openssh (sandboxing). I can't really vouch for some of the additional configury options, but that's what the opensource version used.

The second patch only applies after the gsskex one.

I'd really appreciate it if these patches, or some derivative of them, could be applied to the macports version.

Changed 9 years ago by lassi.tuura@…

Patch regenerated in more clean format with git

Changed 9 years ago by lassi.tuura@…

Patch regenerated in more clean format with git

comment:3 Changed 9 years ago by khepler

Cc: khepler@… added

Cc Me!

comment:4 Changed 9 years ago by mmpestorich (Mike M Pestorich)

Cc: mmpestorich@… added

Cc Me!

comment:5 Changed 9 years ago by maehne (Torsten Maehne)

Cc: Torsten.Maehne@… added

Cc Me!

comment:6 Changed 9 years ago by nonstop.server@…

Cc: nonstop.server@… added

Cc Me!

comment:7 Changed 9 years ago by vkuznet (Valentin Kuznetsov)

Cc: vkuznet@… added

Cc Me!

comment:8 Changed 9 years ago by vkuznet (Valentin Kuznetsov)

Please include those patches in the next macports upgrade.

comment:9 Changed 9 years ago by mmpestorich (Mike M Pestorich)

Cc: mmpestorich@… removed

Cc Me!

comment:10 Changed 9 years ago by mmpestorich (Mike M Pestorich)

Cc: mmpestorich@… added

Cc Me!

comment:11 Changed 9 years ago by matty2fatty@…

Cc: matty2fatty@… added

Cc Me!

comment:12 in reply to:  11 Changed 9 years ago by matty2fatty@…

Would it be possible to spell out how to include the provided patches so that they are automatically applied by macports? I've looked over the official docs and tried editing the portfile in seemingly reasonable ways, but things don't seem to be working. I'm particularly interested in getting the GSSAPIKeyExchange business working.

comment:13 Changed 9 years ago by lassi.tuura@…

Say you want to keep your private port modifications in ~/Dev/MacPorts, and openssh would be in ~/Dev/MacPorts/openssh. Something like this should work, assuming you've downloaded Portfile2.patch, 0001-GSS-key-exchange-patch.patch and 0002-Apple-keychain-integration-other-changes.patch into ~/Downloads:

mkdir -p ~/Dev/MacPorts/openssh
rsync -av /opt/local/var/macports/sources/rsync.macports.org/release/ports/net/openssh/ ~/Dev/MacPorts/openssh/
cd ~/Dev/MacPorts/openssh
patch < ~/Downloads/Portfile2.patch
mv ~/Downloads/0001-GSS-key-exchange-patch.patch files/openssh-5.9p1-gsskex-all-20110920.patch
mv ~/Downloads/0002-Apple-keychain-integration-other-changes.patch files/apple-keychain.patch
sudo port -f uninstall
sudo port install +gsskex

I didn't try rebuilding it just now with that recipe, but I did rebuild my openssh using something very much like that about a month ago.

comment:14 Changed 9 years ago by matty2fatty@…

Thanks! That is really helpful; it's exactly what I needed to get everything working. (And thanks for all your other contributions to this port as well!)

comment:15 Changed 9 years ago by jyrkiwahlstedt

Resolution: fixed
Status: new → closed

done in r91536, thanks Lassi
