Due to the maintainer reset for the security/openssh-portable port on 23 August, I prepared a patch that upgrades this port from 5.2p1 to 5.6p1. Since the patch is 385 kB, I put it at http://files.roorback.net/openssh-portable.diff.txt

I can also be the new maintainer of this port.
Responsible Changed From-To: freebsd-ports-bugs->des des@ wants his PRs (via the GNATS Auto Assign Tool)
Responsible Changed From-To: des->freebsd-ports-bugs not mine
Responsible Changed From-To: des->freebsd-ports-bugs I am not the maintainer of the security/openssh-portable port
I have come up with a patchset independently.

If Grzegorz Blach wants to maintain this port, that's okay with me. But this new patchset here addresses a few missing details in Grzegorz's original submission. Or I'm willing to maintain, too (I'll defer to Grzegorz if he would like to do it). Either way, we should get this port updated since it is quite out of date.

This patch set included here:
- removes more old opensc related patches.
- does not remove patches pulled from des@ changes in src/crypto/openssh that are still valid.
- points to the upstream hpn patch instead of including a local copy.
- does not remove the GSSAPI, LPK or FILECONTROL options, but does mark them BROKEN for now - upstream for each seems still active, so the port here can just be updated when upstream catches up. We can also patch the patches ourselves for 5.6 (or maintain a tweaked local copy), but I prefer to update the port to 5.6p1 first and then separately commit those updates. It makes following the history of changes in CVS much easier.
- removes PATCH_DIST_STRIP - it's unnecessary and portlint hates it.
- I think the post-patch version.h changes in the original patchset in this PR are wrong. The upstream patches (for hpn and filecontrol) have changes for version.h that seem to work fine unchanged, even applied together. Also the HAVE_LPK part that adds SSH_HPN seems wrong.

I have two patchsets. The second just refreshes old files/patch-* even though they apply cleanly against 5.6p1 - it could be considered optional. I'll send the second set separately.

Here is the 'Description' that I was going to submit as a PR until I found this PR...

=======================
security/openssh-portable has not been updated in a long time (currently 5.2p1, which is 1.5+ years old). There are significant nice feature updates and fixes in 5.6p1.

Attached are two patchsets. The main one is enough to get the port updated and working. But see the comments at the top of the patchset.

The second patchset just refreshes the remaining patches that still apply cleanly to 5.6p1 files. It's probably a good idea to apply it when committing to the port, but it's not strictly necessary. And I would commit them separately just for the sake of clarity in the commit logs.

Actually, I'll send the second patchset in a separate submission to avoid confusing PR patch detection tools.
=======================

Attached is the first patchset, including a decent description of the changes at the top of the patch...
As I mentioned in the last submission, here is a second patchset that just refreshes patches (diff hunk line numbers and dates) that otherwise apply cleanly. It can be considered optional.
On Thu, 23 Sep 2010 10:35:30 -0600, John Hein <jhein@symmetricom.com> wrote:
> - does not remove GSSAPI, LPK or FILECONTROL options, but does
> mark them BROKEN for now - upstream for each seems still active,
> so the port here can just be updated when upstream catches up.

Thanks for your patches, I'll review them at the weekend, but now I think that the GSSAPI option should be explicitly removed, not marked as broken. On http://www.sxw.org.uk/computing/patches/openssh.html it is noted: "OpenSSH now contains support out of the box for GSSAPI user authentication using the 'gssapi-with-mic' mechanism".
Grzegorz Blach wrote at 20:00 +0200 on Sep 23, 2010:
> Thanks for your patches, I'll review them at the weekend,
> but now I think that the GSSAPI option should be explicitly removed,
> not marked as broken. On
> http://www.sxw.org.uk/computing/patches/openssh.html
> it is noted: "OpenSSH now contains support out of the box for
> GSSAPI user authentication using the 'gssapi-with-mic' mechanism".

I emailed the gssapi patch maintainer. From his reply [1], it turns out the "now" is not really "now" anymore. It's "now" as of perhaps 5 years ago. 3.5 doesn't have the GSSAPIAuthentication stuff, but 4.3 does, so it was added somewhere in between (I didn't bisect any further). The second paragraph on the web page ("Larger sites...") cites why the patch is still useful.

I let Simon know that his latest patch set...
http://www.sxw.org.uk/computing/patches/openssh-5.3p1-gsskex-all-20100124.patch
... does not apply cleanly to 5.6p1. He may refresh that patch (it's only slightly broken), so I think it will be useful to just mark it BROKEN for now. We can always remove it later. We can even deprecate the option, but right now bsd.ports.mk doesn't really support deprecating individual options, so just adding some text to that effect to the BROKEN string may be the best option I am aware of. I CC'd ports@ - maybe someone there knows of some precedent in this area.

Unfortunately, there's really no way of knowing how many people will be disappointed if the GSSAPI option disappears.

[1]
=================================
From: Simon Wilkinson <simon@sxw.org.uk>
To: John Hein <jhein@symmetricom.com>
Subject: Re: gssapi patches for openssh
Date: Thu, 23 Sep 2010 19:37:06 +0100
Message-Id: <92C531E6-D12C-4180-BDA3-C0757FF39636@sxw.org.uk>

On 23 Sep 2010, at 19:27, John Hein wrote:
> For the freebsd port of openssh-portable (about to be updated to
> openssh 5.6p1), I am trying to determine whether to remove
> the GSSAPI patch option or perhaps to refresh it for 5.6p1.
>
> A couple questions:
>
> - The "now" above refers to which version of OpenSSH?
> ("OpenSSH now contains...").

The now is OpenSSH for about the last 5 years. OpenSSH includes GSSAPI user authentication, but not GSSAPI key exchange. User authentication is useful until you have more than 5 or so machines on your site; beyond that, virtually every large organisation that I'm aware of with Kerberos deployed is using OpenSSH with GSSAPI key exchange.

> - It sounds like there may be some benefit to using
> the key exchange part of the patch. Do you think
> someone should try to determine which parts could
> still be useful on 5.6p1 or should we just remove
> the GSSAPI option altogether?

The patch as given on my website is all applicable to 5.6p1. In addition to supporting key exchange it also supports cascading credentials upon renewal, which is useful if you have a chain of many ssh connections from your desktop machine.

Cheers,

Simon.
=================================
Here's an update to the Makefile patch that moves PATCH_DIST_STRIP rather than removing it. I mis-read the portlint whine and overriding the default -p0 is needed for the dist patches. As it turns out just using no -p arg at all works for all the openssh dist patches. Updated Makefile patch attached...
Is there any new follow-up on these? The port really needs a new maintainer.
Sorry for the delay. I reviewed your patches and openssh is working well, but for the broken options I suggest appending a ' (broken)' keyword to the option label, to tell the user not to use this right now. Like:

GSSAPI "Enable GSSAPI support (req: KERBEROS) (broken)" off \
LPK "Enable LDAP Public Key (LPK) patch (broken)" off \
FILECONTROL "Enable file control patch (broken)" off \

And I think you know the openssh code better, so you should be the new maintainer of this port.
Guys, can I ask if you have tested your work and especially your patches? Every patch submitted on this page has errors. Some are failed hunks and others appear to patch cleanly but then I get a folder full of .rej files. I am assuming this is why no one has committed anything to the port yet. Perhaps I am patching wrong? If so, what is the correct syntax to use? Thanks.
Well, my last followup hasn't appeared, but here is a new followup. I applied the patches from John Hein, and now there are no .rej files when using -l with patch (ignore whitespace). However, the port doesn't compile because one of the patches has a failed hunk.

session.c
1 out of 9 hunks failed--saving rejects to session.c.rej
=> Patch patch-session.c failed to apply cleanly.
=> Patch(es) patch-Makefile.in patch-auth.c patch-auth1.c patch-auth2.c patch-loginrec.c patch-readconf.c patch-servconf.c applied cleanly.
*** Error code 1
Stop in /usr/ports/security/openssh-portable.
*** Error code 1

# less session.c.rej
*************** *** 1791,1799 **** /* Change current directory to the user's home directory. */ if (chdir(pw->pw_dir) < 0) { /* Suppress missing homedir warning for chroot case */ - #ifdef HAVE_LOGIN_CAP - r = login_getcapbool(lc, "requirehome", 0); - #endif if (r || options.chroot_directory == NULL || strcasecmp(options.chroot_directory, "none") == 0) fprintf(stderr, "Could not chdir to home " --- 1844,1849 ---- /* Change current directory to the user's home directory. */ if (chdir(pw->pw_dir) < 0) { /* Suppress missing homedir warning for chroot case */ if (r || options.chroot_directory == NULL || strcasecmp(options.chroot_directory, "none") == 0) fprintf(stderr, "Could not chdir to home "

Regards
Chris
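Review bot: the rejected hunk removes the `#ifdef HAVE_LOGIN_CAP` / `r = login_getcapbool(lc, "requirehome", 0);` / `#endif` block but leaves `if (r || options.chroot_directory == NULL || ...)` still testing `r`, so once files/patch-session.c is refreshed to apply (the old-side context is at `*** 1791,1799 ****` while the new side is at `--- 1844,1849 ----`, i.e. the surrounding code in 5.6p1 has moved) the submitter should confirm that `r` is still assigned a meaningful value earlier in that function; otherwise the `requirehome` login.conf behaviour silently disappears and the test on `r` is either dead or reads whatever value `r` last held.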
OpenSSH won't compile after applying these patches. files/patch-session.c can't be applied
Maybe something is wrong with the PR system; the currently available patches are wrongly decoded by my browser (Firefox 4 beta). I put a working copy at:
http://files.roorback.net/openssh-portable/patch-1,3.diff
http://files.roorback.net/openssh-portable/patch-2.diff
where patch-1,3.diff is the combined patch-1.diff and patch-3.diff, which is mandatory, and patch-2.diff is unchanged and optional.
Grzegorz, thank you. Now it patches without -l, and session.c is fixed as well. Unfortunately the compile still fails; not sure if it has anything to do with the patch though.

"gss-serv-krb5.o: In function `ssh_gssapi_krb5_storecreds': gss-serv-krb5.c:(.text+0x11b): undefined reference to `gss_krb5_copy_ccache'"

Regards
Chris
Ok the port compiles fine with kerberos off (Default on).
To build SSH with kerberos I have this line in /etc/make.conf: WITH_OPENSSL_PORT=yes
I also have the same line; I still get the compile error. I am running 8.1-RELEASE amd64.

Chris
I'm also using FreeBSD 8.1 on amd64 and I must manually install security/krb5 port before building openssh-portable with kerberos.
OK, then I suggest 2 changes :)

1 - add security/krb5 as a dependency if kerberos is enabled and FreeBSD is version 8 or above.
2 - disable kerberos by default because security/krb5 pulls in some very large dependencies.

Thanks
Chris
On Mon, 2010-11-08 at 00:27 +0100, Grzegorz Blach wrote:
> I'm also using FreeBSD 8.1 on amd64 and I must manually install
> security/krb5 port before building openssh-portable with kerberos.

I updated http://files.roorback.net/openssh-portable/patch-1,c3.diff with five steps:
1) added ' (broken)' to temporarily broken options
2) KERBEROS default is off
3) if KERBEROS is on, depends on security/krb5
4) conditional depends on security/heimdal is removed, since this doesn't work (on my machine at least)
5) removed GSSAPI option as useless, but I still keep the KERB_GSSAPI patch option.
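The option changes agreed in the last few messages (the ' (broken)' labels, KERBEROS off by default, and a dependency on security/krb5 only when KERBEROS is on), written out as an added example ports Makefile fragment in the OPTIONS framework the ports tree used in 2010. This is illustrative only, not the port's actual Makefile and not any patch attached to this PR: the OPTIONS list is shortened, the shared-library version `krb5.3`, the `--with-kerberos5` configure flag and the BROKEN/IGNORE wording are assumptions, and 800000 is the OSVERSION of FreeBSD 8.0.

```make
# Added example, not the port's own Makefile. Shows the option handling
# suggested in this PR using the pre-OPTIONSng framework (bsd.port.pre.mk
# defines WITH_<OPTION> for each option the user turned on).

OPTIONS=	PAM		"Enable PAM support" on \
		KERBEROS	"Enable Kerberos 5 support (pulls in security/krb5)" off \
		GSSAPI		"Enable GSSAPI key exchange patch (req: KERBEROS) (broken)" off \
		LPK		"Enable LDAP Public Key (LPK) patch (broken)" off \
		FILECONTROL	"Enable file control patch (broken)" off \
		HPN		"Enable HPN-SSH patch" on

.include <bsd.port.pre.mk>

.if defined(WITH_KERBEROS)
# On 8.1 the link failed with an undefined reference to gss_krb5_copy_ccache
# until security/krb5 was installed (see the messages above), so on 8.x and
# later depend on the port rather than on the base-system libraries.
# "krb5.3" is an assumed library version; check the krb5 port's PLIST.
.if ${OSVERSION} >= 800000
LIB_DEPENDS+=		krb5.3:${PORTSDIR}/security/krb5
CONFIGURE_ARGS+=	--with-kerberos5=${LOCALBASE}
.else
CONFIGURE_ARGS+=	--with-kerberos5=/usr
.endif
.endif

# The GSSAPI patch is only meaningful on top of Kerberos support.
.if defined(WITH_GSSAPI) && !defined(WITH_KERBEROS)
IGNORE=		GSSAPI option requires the KERBEROS option
.endif

# The upstream patches for these options do not yet apply to 5.6p1, so a
# build with any of them selected is refused instead of failing half-way.
.if defined(WITH_GSSAPI) || defined(WITH_LPK) || defined(WITH_FILECONTROL)
BROKEN=		GSSAPI, LPK and FILECONTROL patches need refreshing for 5.6p1
.endif

.include <bsd.port.post.mk>
```

With this layout a user who selects KERBEROS gets the krb5 port pulled in automatically on 8.x, while a default build stays free of its large dependency chain, which is the trade-off Chris asked for.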
Your new patch has another error, I think: it renames the port.

Upgrading 'openssh-portable-5.2.p1_2,1' to 'openssh-gssapi-5.6.p1,1' (security/openssh-portable)

Regards
Chris
Why is the LPK patchset marked as broken? It works perfectly on Gentoo with 5.6p1.
--
Signed, Oleg Gawriloff.
Is there any news? Because sftp is also broken in 5.2pl1.

[gawriloff@martin /usr/ports]$ sftp gawriloff@falcon-cl4
Connecting to falcon-cl4...
Password:
sftp> ls -l
Bus error: 10

5.3pl1 is working perfectly. Patch attached.
--
Signed, Oleg Gawriloff.
So ... what's the magical patch incantation that's needed to apply these patches, in order to help test the new port, to get it into the tree sooner?

The following fails with all kinds of rejected hunks in various files:

cd /usr/ports/security/openssh-portable
patch < /path/to/patch.diff

The same with -p0 added to the patch command. And the same with -l and -p0 added to the patch command. It also errors out with all the hunks that are diffed against /dev/null, asking which file to work on.

I would really like to test this, as we're currently testing ZFSv28 on 9-CURRENT, and using rsync-over-ssh without HPN is extremely slow.
--
Freddie Cash
fjwcash@gmail.com
Upon closer inspection, I see that OpenSSH in the base for 9-CURRENT is already 5.6, so there's no reason the port shouldn't compile. According to SVN, it looks like DES was the last one to touch OpenSSH in the base, so maybe he'll have some ideas on how to make the port compile on 9.0? I did a first go-round of trying to manually patch the /usr/src/crypto/openssh tree with the HPN patches. The "kitchensink" patch didn't work, all kinds of errors with the multi-threaded cipher patches. However, the dynamic window and none cipher patch applied with only 3 rejected hunks (due to VersionAddendum lines in our sources) that are easily hand-merged. Recompiling /usr/src/secure and re-installing it enables the NONE cipher in the base OpenSSH. :) So, for those running 9-CURRENT, it's possible to get the benefits of some of the HPN patches, without installing a port. -- Freddie Cash fjwcash@gmail.com
Responsible Changed From-To: freebsd-ports-bugs->stephen I'll take it for now.
State Changed From-To: open->feedback I need to see who wants maintainer, and we need more up to date patches.
Hi Grzegorz Blach and John Hein,

As a committer, I am prepared to work with either of you if you become maintainer of this port. Just decide between the two of you who wants to maintain it. If there is any indecision (for example, both are willing to defer), I will make Grzegorz Blach the maintainer on the basis of he asked first in this PR.

I doubt any of your patches will apply cleanly, because I recently committed someone else's changes to this port: ports/142824. Also I see it is now at version 5.8p2.

But whoever decides to maintain it, I am prepared to start committing the various changes as you start submitting them. I don't use openssh-portable myself, so I will be relying on you guys to see that it works. But I am willing to do the work to make sure the port builds, and stays compliant with the various practices of port management.

See if you can answer the following PRs as well: ports/144597, ports/155456, ports/156926.
I'm coming back to maintain this port, and I want to be the official maintainer. I'm now working on the update to the recent version (5.8) and need a week or two before I send new patches.
I'll set magik@roorback.net as maintainer ASAP. I am a new committer, so I need to get approval from my mentors first. After I have set you as maintainer, I will set you up to get feedback from all the other security/openssh-portable PRs.
magik@roorback.net is now maintainer of openssh-portable.
State Changed From-To: feedback->closed Superseded by ports/161818