From wollman@khavrinen.csail.mit.edu  Fri Aug 28 19:30:03 2009
Return-Path: <wollman@khavrinen.csail.mit.edu>
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id 62884106566B
	for <FreeBSD-gnats-submit@freebsd.org>; Fri, 28 Aug 2009 19:30:03 +0000 (UTC)
	(envelope-from wollman@khavrinen.csail.mit.edu)
Received: from khavrinen.csail.mit.edu (khavrinen.csail.mit.edu [128.30.28.20])
	by mx1.freebsd.org (Postfix) with ESMTP id 354DD8FC1E
	for <FreeBSD-gnats-submit@freebsd.org>; Fri, 28 Aug 2009 19:30:02 +0000 (UTC)
Received: from khavrinen.csail.mit.edu (localhost [127.0.0.1])
	by khavrinen.csail.mit.edu (8.14.3/8.14.3) with ESMTP id n7SJU20W065739
	(version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256
	verify=FAIL CN=khavrinen.csail.mit.edu issuer=Client+20CA)
	for <FreeBSD-gnats-submit@freebsd.org>; Fri, 28 Aug 2009 15:30:02 -0400 (EDT)
	(envelope-from wollman@khavrinen.csail.mit.edu)
Received: (from wollman@localhost)
	by khavrinen.csail.mit.edu (8.14.3/8.14.3/Submit) id n7SJU1Ro065738;
	Fri, 28 Aug 2009 15:30:02 -0400 (EDT)
	(envelope-from wollman)
Message-Id: <200908281930.n7SJU1Ro065738@khavrinen.csail.mit.edu>
Date: Fri, 28 Aug 2009 15:30:02 -0400 (EDT)
From: Garrett Wollman <wollman@khavrinen.csail.mit.edu>
Reply-To: Garrett Wollman <wollman@khavrinen.csail.mit.edu>
To: FreeBSD-gnats-submit@freebsd.org
Cc:
Subject: OpenSSH GSSAPI Key Exchange patch updated
X-Send-Pr-Version: 3.113
X-GNATS-Notify: dindin@dindin.ru

>Number:         138284
>Category:       ports
>Synopsis:       security/openssh-portable: OpenSSH GSSAPI Key Exchange patch updated
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-ports-bugs
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          update
>Submitter-Id:   current-users
>Arrival-Date:   Fri Aug 28 19:40:04 UTC 2009
>Closed-Date:    Fri Sep 18 14:07:22 UTC 2009
>Last-Modified:  Fri Sep 18 14:07:22 UTC 2009
>Originator:     Garrett Wollman
>Release:        FreeBSD 7.2-RELEASE-p2 amd64
>Organization:
MIT Computer Science & Artificial Intelligence Laboratory
>Environment:
System: FreeBSD khavrinen.csail.mit.edu 7.2-RELEASE-p2 FreeBSD 7.2-RELEASE-p2 #7 r195442M: Wed Jul 8 17:38:11 EDT 2009 wollman@khavrinen.csail.mit.edu:/usr/obj/usr/src/sys/KHAVRINEN amd64


>Description:

Upgrading security/openssh-portable currently fails if you are using
GSSAPI key exchange.  Simon Wilkinson has now released a patch for
OpenSSH 5.2p1.  Tested and works with krb5-1.6.3_6, including the new
"cascading credentials" function.

>How-To-Repeat:

cd /usr/ports/security/openssh-portable
make

>Fix:

Index: Makefile
===================================================================
RCS file: /home/ncvs/ports/security/openssh-portable/Makefile,v
retrieving revision 1.139
diff -u -r1.139 Makefile
--- Makefile	8 Aug 2009 07:13:49 -0000	1.139
+++ Makefile	28 Aug 2009 19:07:17 -0000
@@ -100,15 +100,17 @@
 .if !defined(WITHOUT_KERBEROS)
 .if defined(KRB5_HOME) && exists(${KRB5_HOME}) || defined(WITH_GSSAPI)
 .if defined(WITH_KERB_GSSAPI)
-BROKEN=			KERB_GSSAPI patch incompatible with ${PORTNAME}-5.2p1
 PATCH_DIST_STRIP=	-p0
 PATCH_SITES+=		http://www.sxw.org.uk/computing/patches/
-PATCHFILES+=		openssh-5.0p1-gsskex-20080404.patch
+PATCHFILES+=		openssh-5.2p1-gsskex-all-20090726.patch
 .endif
 PORTABLE_SUFFIX=	# empty
 GSSAPI_SUFFIX=		-gssapi
 CONFLICTS+=		openssh-portable-*-[0-9]*
 CONFIGURE_ARGS+=	--with-kerberos5=${KRB5_HOME}
+.if ${KRB5_HOME} == ${LOCALBASE}
+LIB_DEPENDS+=		krb5.3:${PORTSDIR}/security/krb5
+.endif
 .if ${OPENSSLBASE} == "/usr"
 CONFIGURE_ARGS+=	--without-rpath
 LDFLAGS=		# empty
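
Review bot: The added ".if ${KRB5_HOME} == ${LOCALBASE}" test expands KRB5_HOME without checking that it is set, yet the enclosing condition "defined(KRB5_HOME) && exists(${KRB5_HOME}) || defined(WITH_GSSAPI)" is also true when only WITH_GSSAPI is defined. Writing it as ".if defined(KRB5_HOME) && ${KRB5_HOME} == ${LOCALBASE}" keeps the LIB_DEPENDS test from being evaluated against an undefined variable. Separately, PATCHFILES is fetched from PATCH_SITES over plain http, so the distinfo SHA256 entry is the only integrity check on the key exchange patch; a comment beside PATCHFILES recording the patch author and release date would make later checksum changes easier to audit.
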
Index: distinfo
===================================================================
RCS file: /home/ncvs/ports/security/openssh-portable/distinfo,v
retrieving revision 1.50
diff -u -r1.50 distinfo
--- distinfo	15 May 2009 11:00:27 -0000	1.50
+++ distinfo	28 Aug 2009 19:07:26 -0000
@@ -1,6 +1,6 @@
 MD5 (openssh-5.2p1.tar.gz) = ada79c7328a8551bdf55c95e631e7dad
 SHA256 (openssh-5.2p1.tar.gz) = 4023710c37d0b3d79e6299cb79b6de2a31db7d581fe59e775a5351784034ecae
 SIZE (openssh-5.2p1.tar.gz) = 1016612
-MD5 (openssh-5.2p1+x509-6.2.diff.gz) = 8dbbfb743226864f6bb49b56e77776d9
-SHA256 (openssh-5.2p1+x509-6.2.diff.gz) = 72cfb1e232b6ae0a9df6e8539a9f6b53db7c0a2141cf2e4dd65b407748fa9f34
-SIZE (openssh-5.2p1+x509-6.2.diff.gz) = 153010
+MD5 (openssh-5.2p1-gsskex-all-20090726.patch) = e5c116b4bc3f4b816206e8403dd08af7
+SHA256 (openssh-5.2p1-gsskex-all-20090726.patch) = 6eb297d6fa74be3323c5e4f53df5b6e1f4edf6bf394e3e707c075846886e18e7
+SIZE (openssh-5.2p1-gsskex-all-20090726.patch) = 90959
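
Review bot: The removed lines are the MD5/SHA256/SIZE entries for openssh-5.2p1+x509-6.2.diff.gz, not entries for the openssh-5.0p1-gsskex-20080404.patch file that the Makefile hunk drops from PATCHFILES. If any other option of the port still fetches the x509 diff, its checksum verification will fail once these entries are gone; add the three gsskex lines and leave the x509 ones in place unless that distfile is being retired in the same change.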

>Release-Note:
>Audit-Trail:

From: Alec Kloss <alec-keyword-freebsd.org.a6e2e4@SetFilePointer.com>
To: bug-followup@freebsd.org, wollman@khavrinen.csail.mit.edu
Cc:  
Subject: Re: ports/138284: security/openssh-portable: OpenSSH GSSAPI Key
	Exchange patch updated
Date: Sat, 29 Aug 2009 08:47:33 -0500

 The current patch in the PR is heimdal-unfriendly.  Consider the
 attached variation which checks for HEIMDAL_HOME and
 defines a krb5_free_unparsed_name macro when using heimdal.
 
 SHA1(patch-2.txt)= e5a97acaafca3124cd360504f11b067fee5b293c
 
 -- 
 Alec Kloss  alec@SetFilePointer.com   IM: daemonalec@gmail.com
 PGP key at http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xA241980E
 "No Bunny!" -- Simon, http://wiki.adultswim.com/xwiki/bin/Frisky+Dingo/Simon
 
 --- Makefile.orig	2009-08-29 13:23:34.000000000 +0000
 +++ Makefile	2009-08-29 13:41:28.000000000 +0000
 @@ -100,15 +100,19 @@
  .if !defined(WITHOUT_KERBEROS)
  .if defined(KRB5_HOME) && exists(${KRB5_HOME}) || defined(WITH_GSSAPI)
  .if defined(WITH_KERB_GSSAPI)
 -BROKEN=			KERB_GSSAPI patch incompatible with ${PORTNAME}-5.2p1
  PATCH_DIST_STRIP=	-p0
 -PATCH_SITES+=		http://www.sxw.org.uk/computing/patches/
 -PATCHFILES+=		openssh-5.0p1-gsskex-20080404.patch
 +PATCH_SITES+=		http://setfilepointer.com/ajk/FreeBSD/patches/
 +PATCHFILES+=		openssh-5.2p1-gsskex-all-20090829.patch
  .endif
  PORTABLE_SUFFIX=	# empty
  GSSAPI_SUFFIX=		-gssapi
  CONFLICTS+=		openssh-portable-*-[0-9]*
  CONFIGURE_ARGS+=	--with-kerberos5=${KRB5_HOME}
 +.if ${HEIMDAL_HOME} == ${LOCALBASE}
 +LIB_DEPENDS+=		krb5.23:${PORTSDIR}/security/heimdal
 +.elif ${KRB5_HOME} == ${LOCALBASE}
 +LIB_DEPENDS+=		krb5.3:${PORTSDIR}/security/krb5
 +.endif
  .if ${OPENSSLBASE} == "/usr"
  CONFIGURE_ARGS+=	--without-rpath
  LDFLAGS=		# empty
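
Review bot: PATCH_SITES now points at http://setfilepointer.com/ajk/FreeBSD/patches/ instead of the http://www.sxw.org.uk/computing/patches/ location used in the original submission, so the port would build a modified copy of the key exchange patch fetched from a different site; either get the Heimdal change accepted at the original location or carry it as a small local patch on top of the unmodified file. In the added block, ".if ${HEIMDAL_HOME} == ${LOCALBASE}" expands HEIMDAL_HOME with no defined() guard, and the unchanged CONFIGURE_ARGS line above it still passes --with-kerberos5=${KRB5_HOME} when the Heimdal branch is taken, so the dependency that gets registered and the library that configure is pointed at can differ.
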
 --- distinfo.orig	2009-08-29 13:41:34.000000000 +0000
 +++ distinfo	2009-08-29 13:41:38.000000000 +0000
 @@ -1,6 +1,6 @@
  MD5 (openssh-5.2p1.tar.gz) = ada79c7328a8551bdf55c95e631e7dad
  SHA256 (openssh-5.2p1.tar.gz) = 4023710c37d0b3d79e6299cb79b6de2a31db7d581fe59e775a5351784034ecae
  SIZE (openssh-5.2p1.tar.gz) = 1016612
 -MD5 (openssh-5.2p1+x509-6.2.diff.gz) = 8dbbfb743226864f6bb49b56e77776d9
 -SHA256 (openssh-5.2p1+x509-6.2.diff.gz) = 72cfb1e232b6ae0a9df6e8539a9f6b53db7c0a2141cf2e4dd65b407748fa9f34
 -SIZE (openssh-5.2p1+x509-6.2.diff.gz) = 153010
 +MD5 (openssh-5.2p1-gsskex-all-20090829.patch) = 571636f241132246e20fecfdccf93ddb
 +SHA256 (openssh-5.2p1-gsskex-all-20090829.patch) = cf4cdbc075314027beaec2d8f05745d9e7b11345b5f2c00990d8c0461d077aee
 +SIZE (openssh-5.2p1-gsskex-all-20090829.patch) = 91044
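
Review bot: The new entries name the file openssh-5.2p1-gsskex-all-20090829.patch, which follows the same naming pattern as the 20090726 file in the original submission but has a different SHA256 and SIZE (91044 versus 90959), so two different patches would circulate under names that look like successive releases from one source. Give the modified file a name that marks it as a local variant, and state in the PR what was changed relative to the 20090726 file so the checksum can be reviewed against a known diff. As in the original submission, the removed lines are the x509 diff entries rather than entries for the old gsskex patch.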
 

From: Garrett Wollman <wollman@csail.mit.edu>
To: Alec Kloss <alec-keyword-freebsd.org.a6e2e4@SetFilePointer.com>
Cc: bug-followup@freebsd.org
Subject: Re: ports/138284: security/openssh-portable: OpenSSH GSSAPI Key
	Exchange patch updated
Date: Sat, 29 Aug 2009 22:12:24 -0400

 <<On Sat, 29 Aug 2009 08:47:33 -0500, Alec Kloss <alec-keyword-freebsd.org.a6e2e4@SetFilePointer.com> said:
 
 > The current patch in the PR is heimdal-unfriendly.
 
 I must admit that this really isn't a concern for me.  (At this point,
 I rather wish Heimdal would Just Go Away; it's served its purpose, and
 it's still not sufficiently compatible with the Reference
 Implementation to be useful to anyone who doesn't have a 100%-Heimdal
 environment.)
 
 > Consider the attached variation which checks for HEIMDAL_HOME and
 > defines a krb5_free_unparsed_name macro when using heimdal.
 
 I'm slightly concerned about having this version of the patch not be
 at the "official" site for this code.  Have you offered your changes
 to Simon?
 
 -GAWollman

From: Alec Kloss <alec-keyword-freebsd.org.a6e2e4@SetFilePointer.com>
To: Garrett Wollman <wollman@csail.mit.edu>
Cc: Alec Kloss <alec-keyword-freebsd.org.a6e2e4@SetFilePointer.com>,
  bug-followup@freebsd.org
Subject: Re: ports/138284: security/openssh-portable: OpenSSH GSSAPI Key
	Exchange patch updated
Date: Sun, 30 Aug 2009 09:00:55 -0500

 On 2009-08-29 22:12, Garrett Wollman wrote:
 > <<On Sat, 29 Aug 2009 08:47:33 -0500, Alec Kloss <alec-keyword-freebsd.org.a6e2e4@SetFilePointer.com> said:
 >
 > > The current patch in the PR is heimdal-unfriendly.
 >
 > I must admit that this really isn't a concern for me.  (At this point,
 > I rather wish Heimdal would Just Go Away; it's served its purpose, and
 > it's still not sufficiently compatible with the Reference
 > Implementation to be useful to anyone who doesn't have a 100%-Heimdal
 > environment.)
 
 Hrm... I haven't tried using MIT krb5 for anything serious for a
 long time as heimdal's always done what I needed.  After a brief
 internet search it doesn't appear that anyone's had the
 heimdal-vs-mit debate lately.  But that debate is a separate issue.
 
 > > Consider the attached variation which checks for HEIMDAL_HOME and
 > > defines a krb5_free_unparsed_name macro when using heimdal.
 >
 > I'm slightly concerned about having this version of the patch not be
 > at the "official" site for this code.  Have you offered your changes
 > to Simon?
 >
 
 I have not explicitly offered the changes to Simon;  I thought
 following up on the bug would be the best way to get in touch with
 the right people.  I'm 100% fine with having the patch located
 anywhere else and the corresponding changes made to the Makefile
 and distinfo.  The changes are pretty obvious so if someone official
 wanted to re-implement them, that'd be fine too.  If there's an
 alternative way to follow up with more appropriate people, just let
 me know.
 
 -- 
 Alec Kloss  alec@SetFilePointer.com   IM: daemonalec@gmail.com
 PGP key at http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xA241980E
 "No Bunny!" -- Simon, http://wiki.adultswim.com/xwiki/bin/Frisky+Dingo/Simon
 
State-Changed-From-To: open->feedback 
State-Changed-By: edwin 
State-Changed-When: Mon Aug 31 02:35:36 UTC 2009 
State-Changed-Why:  
Awaiting maintainers feedback (via the GNATS Auto Assign Tool) 

http://www.freebsd.org/cgi/query-pr.cgi?pr=138284 

From: Edwin Groothuis <edwin@FreeBSD.org>
To: dindin@dindin.ru
Cc: bug-followup@FreeBSD.org
Subject: Re: ports/138284: security/openssh-portable: OpenSSH GSSAPI Key Exchange patch updated
Date: Mon, 31 Aug 2009 02:35:35 UT

 Maintainer of security/openssh-portable,
 
 Please note that PR ports/138284 has just been submitted.
 
 If it contains a patch for an upgrade, an enhancement or a bug fix
 you agree on, reply to this email stating that you approve the patch
 and a committer will take care of it.
 
 The full text of the PR can be found at:
     http://www.freebsd.org/cgi/query-pr.cgi?pr=ports/138284
 
 -- 
 Edwin Groothuis via the GNATS Auto Assign Tool
 edwin@FreeBSD.org
State-Changed-From-To: feedback->closed 
State-Changed-By: pav 
State-Changed-When: Fri Sep 18 14:04:47 UTC 2009 
State-Changed-Why:  
Committed, thanks! 

http://www.freebsd.org/cgi/query-pr.cgi?pr=138284 
>Unformatted:
