GNU bug report logs - #38541
[PATCH] ssh: Add Kerberos-support to ssh:// daemon URLs


Package: guix-patches;

Reported by: Lars-Dominik Braun <ldb <at> leibniz-psychology.org>

Date: Mon, 9 Dec 2019 08:51:02 UTC

Severity: normal

Tags: patch

Done: Ludovic Courtès <ludo <at> gnu.org>

Bug is archived. No further changes may be made.



Report forwarded to guix-patches <at> gnu.org:
bug#38541; Package guix-patches. (Mon, 09 Dec 2019 08:51:02 GMT) Full text and rfc822 format available.

Acknowledgement sent to Lars-Dominik Braun <ldb <at> leibniz-psychology.org>:
New bug report received and forwarded. Copy sent to guix-patches <at> gnu.org. (Mon, 09 Dec 2019 08:51:02 GMT) Full text and rfc822 format available.

Message #5 received at submit <at> debbugs.gnu.org (full text, mbox):

From: Lars-Dominik Braun <ldb <at> leibniz-psychology.org>
To: guix-patches <at> gnu.org
Subject: [PATCH] ssh: Add Kerberos-support to ssh:// daemon URLs
Date: Mon, 9 Dec 2019 09:37:37 +0100

* gnu/packages/ssh.scm (libssh): Depend on mit-krb5
(guile-ssh): Support gssapi functions, see
https://github.com/artyom-poptsov/guile-ssh/pull/15
* guix/ssh.scm (open-ssh-session): Fall back to GSSAPI if public key
authentication does not work
---
 doc/guix.texi                               |   5 +-
 gnu/packages/patches/guile-ssh-gssapi.patch | 115 ++++++++++++++++++++
 gnu/packages/ssh.scm                        |   4 +-
 guix/ssh.scm                                |  15 ++-
 4 files changed, 131 insertions(+), 8 deletions(-)
 create mode 100644 gnu/packages/patches/guile-ssh-gssapi.patch

diff --git a/doc/guix.texi b/doc/guix.texi
index 7d50f31d20..81ea5153b6 100644
--- a/doc/guix.texi
+++ b/doc/guix.texi
@@ -6753,8 +6753,9 @@ instruct it to listen for TCP connections (@pxref{Invoking guix-daemon,
 @item ssh
 @cindex SSH access to build daemons
 These URIs allow you to connect to a remote daemon over
-SSH <at> footnote{This feature requires Guile-SSH (@pxref{Requirements}).}.
-A typical URL might look like this:
+SSH. This feature requires Guile-SSH (@pxref{Requirements}) and a working
+@code{guile} binary in @code{PATH} on the destination machine. It supports
+public key and GSSAPI authentication. A typical URL might look like this:
 
 @example
 ssh://charlie@@guix.example.org:22
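Review bot: The added sentence "It supports public key and GSSAPI authentication" does not say in which order the two methods are tried or what the user must have in place for the GSSAPI path. The guix/ssh.scm change in this series only calls `userauth-gssapi!` after public key authentication has failed, and that procedure takes nothing but the session, so the credentials have to come from the user's existing Kerberos ticket. Say both in the manual: GSSAPI is a fallback, and a valid ticket must be available before connecting.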
diff --git a/gnu/packages/patches/guile-ssh-gssapi.patch b/gnu/packages/patches/guile-ssh-gssapi.patch
new file mode 100644
index 0000000000..522687d589
--- /dev/null
+++ b/gnu/packages/patches/guile-ssh-gssapi.patch
@@ -0,0 +1,115 @@
+commit 8b728dc144ea12f3a339a2009e403e9bbd8fd39c
+Author: Lars-Dominik Braun <ldb <at> leibniz-psychology.org>
+Date:   Thu Dec 5 10:31:00 2019 +0100
+
+    Add GSSAPI user authentication method
+    
+    Bind to libssh’s ssh_userauth_gssapi().
+
+diff --git a/doc/api-auth.texi b/doc/api-auth.texi
+index b2975d2..9f2884d 100644
+--- a/doc/api-auth.texi
++++ b/doc/api-auth.texi
+@@ -125,6 +125,26 @@ In nonblocking mode, you've got to call this again later.
+ 
+ @end deffn
+ 
++@deffn {Scheme Procedure} userauth-gssapi! session
++Try to authenticate through the @code{gssapi-with-mic} method.
++
++Return one of the following symbols: 
++
++@table @samp
++@item success
++Authentication success.
++@item partial
++You've been partially authenticated, you still have to use another method.
++@item again
++In nonblocking mode, you've got to call this again later.
++@item denied
++Authentication failed: use another method.
++@item error
++A serious error happened.
++@end table
++
++@end deffn
++
+ @deffn {Scheme Procedure} userauth-none! session
+ Try to authenticate through the @code{none} method.
+ 
+diff --git a/libguile-ssh/auth.c b/libguile-ssh/auth.c
+index 52d3262..e9efe9e 100644
+--- a/libguile-ssh/auth.c
++++ b/libguile-ssh/auth.c
+@@ -206,6 +206,27 @@ Throw `wrong-type-arg' if a disconnected SESSION is passed as an argument.\
+ }
+ #undef FUNC_NAME
+ 
++SCM_DEFINE (guile_ssh_userauth_gssapi_x,
++            "userauth-gssapi!", 1, 0, 0,
++            (SCM session),
++            "\
++Try to authenticate through the \"gssapi-with-mic\" method.\
++Throw `wrong-type-arg' if a disconnected SESSION is passed as an argument.\
++")
++#define FUNC_NAME s_guile_ssh_userauth_gssapi_x
++{
++  struct session_data *sd = _scm_to_session_data (session);
++
++  int res;
++
++  GSSH_VALIDATE_CONNECTED_SESSION (sd, session, SCM_ARG1);
++
++  res = ssh_userauth_gssapi (sd->ssh_session);
++
++  return ssh_auth_result_to_symbol (res);
++}
++#undef FUNC_NAME
++
+ 
+ /* Try to authenticate through the "none" method.
+ 
+diff --git a/modules/ssh/auth.scm b/modules/ssh/auth.scm
+index 158cab1..7a4be10 100644
+--- a/modules/ssh/auth.scm
++++ b/modules/ssh/auth.scm
+@@ -29,6 +29,7 @@
+ ;;   userauth-public-key/try
+ ;;   userauth-agent!
+ ;;   userauth-password!
++;;   userauth-gssapi!
+ ;;   userauth-none!
+ ;;   userauth-get-list
+ 
+@@ -46,6 +47,7 @@
+             userauth-public-key/try
+             userauth-agent!
+             userauth-password!
++            userauth-gssapi!
+             userauth-none!
+             userauth-get-list
+             openssh-agent-start
+diff --git a/tests/client-server.scm b/tests/client-server.scm
+index 2704280..d8f490a 100644
+--- a/tests/client-server.scm
++++ b/tests/client-server.scm
+@@ -429,6 +429,19 @@
+   (userauth-public-key/auto! (make-session-for-test)))
+ 
+ 
++;;; 'userauth-gssapi!'
++
++;; The procedure called with a wrong object as a parameter which leads to an
++;; exception.
++(test-error-with-log "userauth-gssapi!, wrong parameter" 'wrong-type-arg
++  (userauth-gssapi! "Not a session."))
++
++;; Client tries to authenticate using a non-connected session which leads to
++;; an exception.
++(test-error-with-log "userauth-gssapi!, not connected" 'wrong-type-arg
++  (userauth-gssapi! (make-session-for-test)))
++
++
+ ;;;
+ 
+ 
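Review bot: The tests added to tests/client-server.scm only cover the two `wrong-type-arg` paths (a non-session argument and a non-connected session); no test calls `userauth-gssapi!` on a connected session, so none of the result symbols listed in doc/api-auth.texi (`success`, `partial`, `again`, `denied`, `error`) is checked. A test against the test server that asserts the symbol returned when no GSSAPI credentials are available would at least cover the mapping through `ssh_auth_result_to_symbol`. The api-auth.texi entry should also mention the `wrong-type-arg` exception that the docstring in libguile-ssh/auth.c documents.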
diff --git a/gnu/packages/ssh.scm b/gnu/packages/ssh.scm
index b82d280089..5a001525d0 100644
--- a/gnu/packages/ssh.scm
+++ b/gnu/packages/ssh.scm
@@ -99,7 +99,8 @@
        ;; TODO: Add 'CMockery' and '-DWITH_TESTING=ON' for the test suite.
        #:tests? #f))
     (inputs `(("zlib" ,zlib)
-              ("libgcrypt" ,libgcrypt)))
+              ("libgcrypt" ,libgcrypt)
+              ("mit-krb5" ,mit-krb5)))
     (synopsis "SSH client library")
     (description
      "libssh is a C library implementing the SSHv2 and SSHv1 protocol for client
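Review bot: Adding `("mit-krb5" ,mit-krb5)` to the libssh `inputs` does not by itself guarantee a GSSAPI-enabled build, and with `#:tests? #f` in the context lines nothing in this package would notice a libssh that was built without it. If the libssh build has an explicit switch for GSSAPI, set it in the configure flags so that a missing Kerberos library fails the build instead of yielding a library on which GSSAPI authentication can never succeed. The new input also enlarges the closure of every package that depends on libssh, which deserves a mention in the commit log.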
@@ -244,6 +245,7 @@ Additionally, various channel-specific options can be negotiated.")
               (sha256
                (base32
                 "03bv3hwp2s8f0bqgfjaan9jx4dyab0abv27n2zn2g0izlidv0vl6"))
+              (patches (search-patches "guile-ssh-gssapi.patch"))
               (modules '((guix build utils)))
               (snippet
                '(begin
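Review bot: The `patches` field is added without a comment saying where guile-ssh-gssapi.patch comes from or when it can be dropped. The commit log points to https://github.com/artyom-poptsov/guile-ssh/pull/15; put that reference in a comment next to `(patches (search-patches "guile-ssh-gssapi.patch"))` or in the first lines of the patch file, so that the patch is removed as soon as a Guile-SSH release provides `userauth-gssapi!`.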
diff --git a/guix/ssh.scm b/guix/ssh.scm
index 291ce20b61..56b49b177f 100644
--- a/guix/ssh.scm
+++ b/guix/ssh.scm
@@ -157,11 +157,16 @@ server at '~a': ~a")
           (session-set! session 'timeout timeout)
           session)
          (x
-          (disconnect! session)
-          (raise (condition
-                  (&message
-                   (message (format #f (G_ "SSH authentication failed for '~a': ~a~%")
-                                    host (get-error session)))))))))
+          (match (userauth-gssapi! session)
+            ('success
+             (session-set! session 'timeout timeout)
+             session)
+            (x
+             (disconnect! session)
+             (raise (condition
+                     (&message
+                      (message (format #f (G_ "SSH authentication failed for '~a': ~a~%")
+                                       host (get-error session)))))))))))
       (x
        ;; Connection failed or timeout expired.
        (raise (condition
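Review bot: In the new inner `(x ...)` branch the message is still built from `(get-error session)`, which is now read after the `userauth-gssapi!` attempt, so a user without any Kerberos setup whose key was rejected may be shown the GSSAPI failure reason instead of the public key one. Capture the error string from the public key attempt before calling `userauth-gssapi!` and report both, or name the methods that were tried in the message. The `'success` branch also repeats `(session-set! session 'timeout timeout)` and `session` from the branch above; a small local procedure would remove the duplication.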
-- 
2.20.1





Information forwarded to guix-patches <at> gnu.org:
bug#38541; Package guix-patches. (Sat, 14 Dec 2019 23:34:01 GMT) Full text and rfc822 format available.

Message #8 received at 38541 <at> debbugs.gnu.org (full text, mbox):

From: Ludovic Courtès <ludo <at> gnu.org>
To: Lars-Dominik Braun <ldb <at> leibniz-psychology.org>
Cc: 38541 <at> debbugs.gnu.org
Subject: Re: [bug#38541] [PATCH] ssh: Add Kerberos-support to ssh:// daemon
 URLs
Date: Sun, 15 Dec 2019 00:33:46 +0100

Hello,

Lars-Dominik Braun <ldb <at> leibniz-psychology.org> skribis:

> * gnu/packages/ssh.scm (libssh): Depend on mit-krb5
> (guile-ssh): Support gssapi functions, see
> https://github.com/artyom-poptsov/guile-ssh/pull/15
> * guix/ssh.scm (open-ssh-session): Fall back to GSSAPI if public key
> authentication does not work
> ---
>  doc/guix.texi                               |   5 +-
>  gnu/packages/patches/guile-ssh-gssapi.patch | 115 ++++++++++++++++++++
>  gnu/packages/ssh.scm                        |   4 +-
>  guix/ssh.scm                                |  15 ++-
>  4 files changed, 131 insertions(+), 8 deletions(-)
>  create mode 100644 gnu/packages/patches/guile-ssh-gssapi.patch

Nice!  (Note that we normally list all the modified files/entities in
the commit log; see
<https://guix.gnu.org/manual/en/html_node/Submitting-Patches.html>.)

Do you know if a Guile-SSH release is coming?  If so, we could wait and
avoid carrying the Guile-SSH patch.

Other than that, the patch LGTM!

Thank you,
Ludo’.




Information forwarded to guix-patches <at> gnu.org:
bug#38541; Package guix-patches. (Mon, 16 Dec 2019 07:16:01 GMT) Full text and rfc822 format available.

Message #11 received at 38541 <at> debbugs.gnu.org (full text, mbox):

From: Lars-Dominik Braun <ldb <at> leibniz-psychology.org>
To: Ludovic Courtès <ludo <at> gnu.org>
Cc: 38541 <at> debbugs.gnu.org
Subject: Re: [bug#38541] [PATCH] ssh: Add Kerberos-support to ssh:// daemon
 URLs
Date: Mon, 16 Dec 2019 08:15:21 +0100

Hey,

> Nice!  (Note that we normally list all the modified files/entities in
> the commit log; see
> <https://guix.gnu.org/manual/en/html_node/Submitting-Patches.html>.)
oh, ok, I guess that includes the .texi and .patch files as well then:

* doc/guix.texi: Document requirements for SSH-based connection to guix-daemon
* gnu/packages/patches/guile-ssh-gssapi.patch: Add GSSAPI user authentication
method to guile-ssh

> Do you know if a Guile-SSH release is coming?  If so, we could wait and
> avoid carrying the Guile-SSH patch.
I don’t know.

Lars





Information forwarded to guix-patches <at> gnu.org:
bug#38541; Package guix-patches. (Mon, 16 Dec 2019 10:14:01 GMT) Full text and rfc822 format available.

Message #14 received at 38541 <at> debbugs.gnu.org (full text, mbox):

From: Ludovic Courtès <ludo <at> gnu.org>
To: Lars-Dominik Braun <ldb <at> leibniz-psychology.org>
Cc: 38541 <at> debbugs.gnu.org
Subject: Re: [bug#38541] [PATCH] ssh: Add Kerberos-support to ssh:// daemon
 URLs
Date: Mon, 16 Dec 2019 11:12:59 +0100

Hi,

Lars-Dominik Braun <ldb <at> leibniz-psychology.org> skribis:

>> Nice!  (Note that we normally list all the modified files/entities in
>> the commit log; see
>> <https://guix.gnu.org/manual/en/html_node/Submitting-Patches.html>.)
> oh, ok, I guess that includes the .texi and .patch files as well then:
>
> * doc/guix.texi: Document requirements for SSH-based connection to guix-daemon
> * gnu/packages/patches/guile-ssh-gssapi.patch: Add GSSAPI user authentication
> method to guile-ssh

Yes, more specifically:

  * doc/guix.texi (The Store): Document requirements for SSH-based
  connection to guix-daemon.
  * gnu/packages/patches/guile-ssh-gssapi.patch: New file.

Documentation of the patch should go to the first lines of the patch.

>> Do you know if a Guile-SSH release is coming?  If so, we could wait and
>> avoid carrying the Guile-SSH patch.
> I don’t know.

OK, let’s see…

Ludo’.




Information forwarded to guix-patches <at> gnu.org:
bug#38541; Package guix-patches. (Mon, 16 Dec 2019 10:18:02 GMT) Full text and rfc822 format available.

Message #17 received at 38541 <at> debbugs.gnu.org (full text, mbox):

From: Ludovic Courtès <ludo <at> gnu.org>
To: Artyom V. Poptsov <poptsov.artyom <at> gmail.com>
Cc: 38541 <at> debbugs.gnu.org, Lars-Dominik Braun <ldb <at> leibniz-psychology.org>
Subject: Guile-SSH release?
Date: Mon, 16 Dec 2019 11:17:38 +0100

Hi Artyom!

While discussing Kerberos support contributed by Lars-Dominik in
<https://bugs.gnu.org/38541>, we were wondering about your plans for a
new Guile-SSH release?

If you’re planning to release soonish, we won’t need to carry
Lars-Dominik’s patch in Guix proper, which is always better.

Another thing that would be nice to have is Guile 2.9/3.0 support while
we’re at it.  :-)  It requires very few changes, as shown here:

  https://git.savannah.gnu.org/cgit/guix.git/tree/gnu/packages/ssh.scm#n317

Let us know what you think!

Thanks,
Ludo’.




Information forwarded to guix-patches <at> gnu.org:
bug#38541; Package guix-patches. (Tue, 17 Dec 2019 17:44:01 GMT) Full text and rfc822 format available.

Message #20 received at 38541 <at> debbugs.gnu.org (full text, mbox):

From: Artyom Poptsov <poptsov.artyom <at> gmail.com>
To: Ludovic Courtès <ludo <at> gnu.org>
Cc: 38541 <at> debbugs.gnu.org, Lars-Dominik Braun <ldb <at> leibniz-psychology.org>
Subject: Re: Guile-SSH release?
Date: Tue, 17 Dec 2019 20:42:47 +0300

Hello Ludovic,

glad to hear from you.  It's quite unfortunate, but recently I had a
hard time giving any attention to Guile-SSH as I was
overloaded with various urgent tasks.

Now I have more free time, so I'm hoping to make some progress in
releasing a new Guile-SSH version in a month or so.

Thanks,

- Artyom

On Mon, 16 Dec 2019 at 13:17, Ludovic Courtès <ludo <at> gnu.org> wrote:
>
> Hi Artyom!
>
> While discussing Kerberos support contributed by Lars-Dominik in
> <https://bugs.gnu.org/38541>, we were wondering about your plans for a
> new Guile-SSH release?
>
> If you’re planning to release soonish, we won’t need to carry
> Lars-Dominik’s patch in Guix proper, which is always better.
>
> Another thing that would be nice to have is Guile 2.9/3.0 support while
> we’re at it.  :-)  It requires very few changes, as shown here:
>
>   https://git.savannah.gnu.org/cgit/guix.git/tree/gnu/packages/ssh.scm#n317
>
> Let us know what you think!
>
> Thanks,
> Ludo’.



-- 
Artyom V. Poptsov <poptsov.artyom <at> gmail.com>
Home page: http://poptsov-artyom.narod.ru/
CADR Hackerspace co-founder: https://cadrspace.ru/
GPG: D0C2 EAC1 3310 822D 98DE  B57C E9C5 A2D9 0898 A02F




Information forwarded to guix-patches <at> gnu.org:
bug#38541; Package guix-patches. (Wed, 18 Dec 2019 14:51:01 GMT) Full text and rfc822 format available.

Message #23 received at 38541 <at> debbugs.gnu.org (full text, mbox):

From: Ludovic Courtès <ludo <at> gnu.org>
To: Artyom Poptsov <poptsov.artyom <at> gmail.com>
Cc: 38541 <at> debbugs.gnu.org, Lars-Dominik Braun <ldb <at> leibniz-psychology.org>
Subject: Re: Guile-SSH release?
Date: Wed, 18 Dec 2019 15:50:14 +0100

Hi Artyom,

Artyom Poptsov <poptsov.artyom <at> gmail.com> skribis:

> glad to hear from you.  It's quite unfortunate, but recently I had a
> hard time giving any attention to Guile-SSH as I was
> overloaded with various urgent tasks.
>
> Now I have more free time, so I'm hoping to make some progress in
> releasing a new Guile-SSH version in a month or so.

Awesome, thanks for your feedback!

Ludo’.




Information forwarded to guix-patches <at> gnu.org:
bug#38541; Package guix-patches. (Wed, 19 Feb 2020 12:53:01 GMT) Full text and rfc822 format available.

Message #26 received at 38541 <at> debbugs.gnu.org (full text, mbox):

From: Lars-Dominik Braun <ldb <at> leibniz-psychology.org>
To: Ludovic Courtès <ludo <at> gnu.org>
Cc: 38541 <at> debbugs.gnu.org
Subject: Re: [bug#38541] [PATCH] ssh: Add Kerberos-support to ssh:// daemon
 URLs
Date: Wed, 19 Feb 2020 13:52:51 +0100

Hey,

now that guile-ssh 0.12.0 has landed in guix (commit
38655d7b88ae9d82208e5750480c9b91dd9dda8b), I’ve updated the patch, see attached
files.

Lars

[0001-gnu-Add-Kerberos-support-to-libssh.patch (text/x-diff, attachment)]
[0002-ssh-Add-Kerberos-support-to-ssh-daemon-URLs.patch (text/x-diff, attachment)]

Reply sent to Ludovic Courtès <ludo <at> gnu.org>:
You have taken responsibility. (Thu, 20 Feb 2020 10:24:02 GMT) Full text and rfc822 format available.

Notification sent to Lars-Dominik Braun <ldb <at> leibniz-psychology.org>:
bug acknowledged by developer. (Thu, 20 Feb 2020 10:24:02 GMT) Full text and rfc822 format available.

Message #31 received at 38541-done <at> debbugs.gnu.org (full text, mbox):

From: Ludovic Courtès <ludo <at> gnu.org>
To: Lars-Dominik Braun <ldb <at> leibniz-psychology.org>
Cc: 38541-done <at> debbugs.gnu.org
Subject: Re: [bug#38541] [PATCH] ssh: Add Kerberos-support to ssh:// daemon
 URLs
Date: Thu, 20 Feb 2020 11:23:47 +0100

Hi Lars-Dominik,

Lars-Dominik Braun <ldb <at> leibniz-psychology.org> skribis:

> now that guile-ssh 0.12.0 has landed in guix (commit
> 38655d7b88ae9d82208e5750480c9b91dd9dda8b), I’ve updated the patch, see attached
> files.

Awesome, pushed both!

[...]

> +          (match (userauth-gssapi! session)
> +            ('success
> +             (session-set! session 'timeout timeout)
> +             session)
> +            (x
> +             (disconnect! session)
> +             (raise (condition
> +                     (&message
> +                      (message (format #f (G_ "SSH authentication failed for '~a': ~a~%")
> +                                       host (get-error session)))))))))))
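Review bot: The catch-all `(x ...)` after `('success ...)` handles every other result of `userauth-gssapi!` in the same way and throws away the symbol bound to `x`. Adding that symbol to the formatted message, next to `(get-error session)`, would let the user tell a rejected GSSAPI attempt from an error that occurred while attempting it.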

Note that someone running this with an older Guile-SSH will get an
unbound variable error.

We should probably document the 0.12.0 requirement in the manual, at
least.

Thanks,
Ludo’.




Information forwarded to guix-patches <at> gnu.org:
bug#38541; Package guix-patches. (Thu, 20 Feb 2020 11:40:02 GMT) Full text and rfc822 format available.

Message #34 received at 38541-done <at> debbugs.gnu.org (full text, mbox):

From: Lars-Dominik Braun <ldb <at> leibniz-psychology.org>
To: Ludovic Courtès <ludo <at> gnu.org>
Cc: 38541-done <at> debbugs.gnu.org
Subject: Re: [bug#38541] [PATCH] ssh: Add Kerberos-support to ssh:// daemon
 URLs
Date: Thu, 20 Feb 2020 12:39:10 +0100

Hi Ludo,

> Note that someone running this with an older Guile-SSH will get an
> unbound variable error.
> We should probably document the 0.12.0 requirement in the manual, at
> least.
you’re right, attached patch fixes that.

Lars

[0001-build-Depend-on-guile-ssh-0.12.0.patch (text/x-diff, attachment)]

Information forwarded to guix-patches <at> gnu.org:
bug#38541; Package guix-patches. (Fri, 21 Feb 2020 23:38:01 GMT) Full text and rfc822 format available.

Message #37 received at 38541-done <at> debbugs.gnu.org (full text, mbox):

From: Ludovic Courtès <ludo <at> gnu.org>
To: Lars-Dominik Braun <ldb <at> leibniz-psychology.org>
Cc: 38541-done <at> debbugs.gnu.org
Subject: Re: [bug#38541] [PATCH] ssh: Add Kerberos-support to ssh:// daemon
 URLs
Date: Sat, 22 Feb 2020 00:37:37 +0100

Hi Lars,

Lars-Dominik Braun <ldb <at> leibniz-psychology.org> skribis:

> From 0e2898c26f26ec5871bae9fd2b5d15047e38075c Mon Sep 17 00:00:00 2001
> From: Lars-Dominik Braun <ldb <at> leibniz-psychology.org>
> Date: Thu, 20 Feb 2020 12:36:10 +0100
> Subject: [PATCH] build: Depend on guile-ssh 0.12.0
>
> * m4/guix.m4 (GUIX_CHECK_GUILE_SSH): Check for userauth-gssapi!
> * doc/guix.texi: Document version requirement

Applied, thanks!

Ludo’.




bug archived. Request was from Debbugs Internal Request <help-debbugs <at> gnu.org> to internal_control <at> debbugs.gnu.org. (Sat, 21 Mar 2020 11:24:05 GMT) Full text and rfc822 format available.

This bug report was last modified 4 years and 34 days ago.
