Bug 178885 - security/openssh-portable upgrade broke GSSAPI keyex with no warning
Summary: security/openssh-portable upgrade broke GSSAPI keyex with no warning
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s) (show other bugs)
Version: Latest
Hardware: Any Any
: Normal Affects Only Me
Assignee: Bryan Drewery
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2013-05-23 23:40 UTC by wollman
Modified: 2013-05-25 17:50 UTC (History)
Description wollman 2013-05-23 23:40:00 UTC
I upgraded openssh-portable from 5.7 to 6.2 and started getting errors
on ssh_config and sshd_config.  Investigating, I found that the
GSSAPIKeyExchange support had gone missing, and this is not reported
in /usr/ports/UPDATING or elsewhere that I could find.  Large sites
like ours absolutely depend on this functionality (which also includes
rekey-on-ticket-renewal and store-tickets-on-rekey functions to keep
long-running sessions authenticated).

Fix: 

RedHat forward-ported the patch from 5.7 to 6.2 and with a few
modifications I made theirs work, but I'm not sure what the legal
status of this patch is.  You can find it by searching for
"openssh-6.2p1-gsskex.patch".
How-To-Repeat: 
Upgrade openssh-portable.  Notice that the GSSAPIKeyExchange parameter
causes config file parsing to error out.
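As an added example (not part of this PR or of the port), a pre-upgrade check that scans an sshd_config or ssh_config for directives that exist only when the gsskex patch is applied, so a build without the option is caught before sshd refuses its config at startup. GSSAPIKeyExchange is the directive named in the report; the other names in the list are assumed from the gsskex patch's option set, and the sample config is constructed.

```python
"""Flag sshd_config/ssh_config directives that stock OpenSSH rejects
without the GSSAPI key-exchange (gsskex) patch."""
import re

# Assumption: directive names taken from the gsskex patch; stock OpenSSH 6.2
# fails config parsing on any of them when the patch is not compiled in.
GSSKEX_ONLY = {
    "gssapikeyexchange",
    "gssapitrustdns",
    "gssapistorecredentialsonrekey",
    "gssapirenewalforcesrekey",
    "gssapiclientidentity",
}

# Constructed sample config; the Match block shows context tracking.
SAMPLE_SSHD_CONFIG = """\
# constructed sample sshd_config for the check below
Port 22
GSSAPIAuthentication yes
GSSAPIKeyExchange yes
GSSAPIStoreCredentialsOnRekey = yes
Match Group longrunners
    GSSAPIRenewalForcesRekey yes
"""


def find_gsskex_directives(config_text):
    """Return (line_no, keyword, context) for each gsskex-only directive.
    context is 'global' or the Match line the directive falls under."""
    findings = []
    context = "global"
    for line_no, raw in enumerate(config_text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        # OpenSSH accepts "Key value", "Key=value" and "Key = value";
        # keywords are case-insensitive.
        m = re.match(r"^([A-Za-z0-9]+)\s*=?\s*(.*)$", line)
        if not m:
            continue
        keyword = m.group(1).lower()
        if keyword == "match":
            context = line                        # later lines are conditional
            continue
        if keyword in GSSKEX_ONLY:
            findings.append((line_no, m.group(1), context))
    return findings


def upgrade_is_safe(config_text):
    """True when no directive depends on the gsskex patch."""
    return not find_gsskex_directives(config_text)
```

Run it against /etc/ssh/sshd_config and ssh_config before rebuilding the port; any finding means the KERB_GSSAPI option must be enabled or the directive removed.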
Comment 1 Edwin Groothuis freebsd_committer freebsd_triage 2013-05-24 14:22:56 UTC
Responsible Changed
From-To: freebsd-ports-bugs->bdrewery

Over to maintainer (via the GNATS Auto Assign Tool)
Comment 2 Bryan Drewery freebsd_committer freebsd_triage 2013-05-24 20:53:33 UTC
Sorry for the trouble. I originally removed this and then found that
every other patch in the port needed manual work to forward port to 6.2.
I meant to re-add this but forgot.

I am working on updating and re-adding the patch now and should be done
in the next few days.

-- 
Regards,
Bryan Drewery
Comment 3 dfilter service freebsd_committer freebsd_triage 2013-05-25 17:44:13 UTC
Author: bdrewery
Date: Sat May 25 16:44:00 2013
New Revision: 319062
URL: http://svnweb.freebsd.org/changeset/ports/319062

Log:
  - Update and re-add KERB_GSSAPI gsskex patch.
    I did very minor porting of the upstream patch to make
    it apply.
    Note that this currently does not build with base heimdal, but
    does build with port MIT or port HEIMDAL.
  - Bump PORTREVISION in case someone built the update, expecting
    this option to work and now have a broken ssh.
  
  PR:		ports/178885
  Reported by:	Garrett Wollman <wollman@csail.mit.edu>

Modified:
  head/security/openssh-portable/Makefile
  head/security/openssh-portable/distinfo

Modified: head/security/openssh-portable/Makefile
==============================================================================
--- head/security/openssh-portable/Makefile	Sat May 25 16:27:41 2013	(r319061)
+++ head/security/openssh-portable/Makefile	Sat May 25 16:44:00 2013	(r319062)
@@ -3,7 +3,7 @@
 
 PORTNAME=	openssh
 DISTVERSION=	6.2p2
-PORTREVISION=	1
+PORTREVISION=	2
 PORTEPOCH=	1
 CATEGORIES=	security ipv6
 MASTER_SITES=	${MASTER_SITE_OPENBSD}
@@ -40,13 +40,14 @@ SUDO?=		# empty
 MAKE_ENV+=	SUDO="${SUDO}"
 
 OPTIONS_DEFINE=		PAM TCP_WRAPPERS LIBEDIT BSM \
-			HPN LPK X509 \
+			HPN LPK X509 KERB_GSSAPI \
 			OVERWRITE_BASE SCTP AES_THREADED
 OPTIONS_DEFAULT=	LIBEDIT PAM TCP_WRAPPERS HPN
 OPTIONS_RADIO=		KERBEROS
 OPTIONS_RADIO_KERBEROS=	MIT HEIMDAL HEIMDAL_BASE
 TCP_WRAPPERS_DESC=	Enable tcp_wrappers support
 BSM_DESC=		Enable OpenBSM Auditing
+KERB_GSSAPI_DESC=	Enable Kerberos/GSSAPI patch (req: GSSAPI)
 HPN_DESC=		Enable HPN-SSH patch
 LPK_DESC=		Enable LDAP Public Key (LPK) [OBSOLETE]
 X509_DESC=		Enable x509 certificate patch
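Review bot: the new KERB_GSSAPI_DESC says `(req: GSSAPI)`, but there is no option called GSSAPI; the Kerberos choices are the OPTIONS_RADIO_KERBEROS group MIT / HEIMDAL / HEIMDAL_BASE, and the BROKEN check added later in this commit accepts only MIT or HEIMDAL. Suggest wording the description to match, for example `Enable Kerberos/GSSAPI keyex patch (requires MIT or HEIMDAL)`, so `make config` does not steer users toward HEIMDAL_BASE.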
@@ -86,6 +87,15 @@ BROKEN=		X509 patch and SCTP patch do no
 .  if ${PORT_OPTIONS:MLPK}
 BROKEN=		X509 patch and LPK patch do not apply cleanly together
 .  endif
+
+.  if ${PORT_OPTIONS:MKERB_GSSAPI}
+BROKEN=		X509 patch incompatible with KERB_GSSAPI patch
+.  endif
+
+.endif
+
+.if ${PORT_OPTIONS:MHEIMDAL_BASE} && ${PORT_OPTIONS:MKERB_GSSAPI}
+BROKEN=		KERB_GSSAPI Requires either MIT or HEMIDAL, does not build with base Heimdal currently
 .endif
 
 .if defined(OPENSSH_OVERWRITE_BASE)
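Review bot: the user-visible BROKEN message in the new HEIMDAL_BASE check misspells Heimdal as `HEMIDAL` and capitalises `Requires` mid-sentence; suggest `BROKEN= KERB_GSSAPI requires either MIT or HEIMDAL; does not build with base Heimdal currently`. The nesting also deserves a second look: the added `.endif` now closes the X509 block and the pre-existing `.endif` at the end of the hunk becomes the closer for the new top-level `.if`, which is easy to misread in the diff. Finally, nothing in this hunk rejects KERB_GSSAPI when no Kerberos implementation is selected at all; if no such check exists elsewhere in the Makefile, an IGNORE for that case would back up the `(req: GSSAPI)` description.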
@@ -121,6 +131,12 @@ IGNORE=		You have selected HEIMDAL_BASE 
 CONFIGURE_LIBS+=	-lgssapi_krb5
 .	endif
 .  endif
+
+# Adapated from 5.7 patch at http://www.sxw.org.uk/computing/patches/
+.if ${PORT_OPTIONS:MKERB_GSSAPI}
+PATCHFILES+=		openssh-6.2p2-gsskex-all-20110125.patch.gz
+PATCH_DIST_STRIP=
+.endif
 .if ${OPENSSLBASE} == "/usr"
 CONFIGURE_ARGS+=	--without-rpath
 LDFLAGS=		# empty
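Review bot: `Adapated` in the new comment should be `Adapted`. More substantively, the hunk adds PATCHFILES without a PATCH_SITES; unless PATCH_SITES is set elsewhere in the Makefile, patches are fetched from MASTER_SITES, which the first hunk shows as `${MASTER_SITE_OPENBSD}`, and a locally modified openssh-6.2p2-gsskex-all-20110125.patch.gz is not an upstream OpenBSD distfile, so please confirm where it is hosted. A short comment on why `PATCH_DIST_STRIP=` is spelled out as empty would also help the next person who bumps the patch.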

Modified: head/security/openssh-portable/distinfo
==============================================================================
--- head/security/openssh-portable/distinfo	Sat May 25 16:27:41 2013	(r319061)
+++ head/security/openssh-portable/distinfo	Sat May 25 16:44:00 2013	(r319062)
@@ -6,6 +6,8 @@ SHA256 (openssh-6.2p1-CTR-threaded-v14.d
 SIZE (openssh-6.2p1-CTR-threaded-v14.diff.gz) = 4908
 SHA256 (openssh-6.2p1+x509-7.4.1.diff.gz) = cdfa0ac38184062de7e0af36eeda7713095fbcffffb598d785047f6f47e48eae
 SIZE (openssh-6.2p1+x509-7.4.1.diff.gz) = 215496
+SHA256 (openssh-6.2p2-gsskex-all-20110125.patch.gz) = 1c54be66bfedb90b4909f0dda11dde09b10db6dca5a1c565c4c3efaed2036b2d
+SIZE (openssh-6.2p2-gsskex-all-20110125.patch.gz) = 24309
 SHA256 (openssh-lpk-6.2p1.patch.gz) = 96c7a5435f3fd7d83875ee06c4a3c83ee6172c7d9de31b9ffdeb18118f285a24
 SIZE (openssh-lpk-6.2p1.patch.gz) = 17881
 SHA256 (openssh-sctp-2163.patch.gz) = 86ac3a59119c9c26193334d8ba7c3be9f143209080e4f8a2a00577c24c0c9e03
Comment 4 Bryan Drewery freebsd_committer freebsd_triage 2013-05-25 17:44:15 UTC
State Changed
From-To: open->closed

Option/patch re-added.