From owner-freebsd-ports@FreeBSD.ORG Thu Sep 23 20:00:21 2010
From: John Hein
To: Grzegorz Blach
Cc: ports@freebsd.org, bug-followup@FreeBSD.org
Subject: Re: ports/150493: Update for: security/openssh-portable port from 5.2p1 to 5.6p1
Date: Thu, 23 Sep 2010 13:47:19 -0600
Message-ID: <19611.44743.884250.799604@gossamer.timing.com>
References: <19611.33234.127943.370546@gossamer.timing.com>
List-Id: Porting software to FreeBSD

Grzegorz Blach wrote at 20:00 +0200 on Sep 23, 2010:
> Thanks for your patches, I'll review them at the weekend,
> but now I think that the GSSAPI option should be explicitly removed,
> not marked as broken. On
> http://www.sxw.org.uk/computing/patches/openssh.html
> it is noted: "OpenSSH now contains support out of the box for
> GSSAPI user authentication using the 'gssapi-with-mic' mechanism".
I emailed the gssapi patch maintainer. From his reply [1], it turns out the "now" is not really "now" anymore. It's "now" as of perhaps 5 years ago. 3.5 doesn't have the GSSAPIAuthentication stuff, but 4.3 does, so it was added somewhere in between (I didn't bisect any further).

The second paragraph on the web page ("Larger sites...") cites why the patch is still useful.

I let Simon know that his latest patch set...

http://www.sxw.org.uk/computing/patches/openssh-5.3p1-gsskex-all-20100124.patch

... does not apply cleanly to 5.6p1. He may refresh that patch (it's only slightly broken), so I think it will be useful to just mark it BROKEN for now. We can always remove it later. We can even deprecate the option, but right now bsd.ports.mk doesn't really support deprecating individual options, so just adding some text to that effect to the BROKEN string may be the best option I am aware of. I CC'd ports@ - maybe someone there knows of some precedent in this area.

Unfortunately, there's really no way of knowing how many people will be disappointed if the GSSAPI option disappears.

[1]
=================================
From: Simon Wilkinson
To: John Hein
Subject: Re: gssapi patches for openssh
Date: Thu, 23 Sep 2010 19:37:06 +0100
Message-Id: <92C531E6-D12C-4180-BDA3-C0757FF39636@sxw.org.uk>

On 23 Sep 2010, at 19:27, John Hein wrote:

> For the freebsd port of openssh-portable (about to be updated to
> openssh 5.6p1), I am trying to determine whether to remove
> the GSSAPI patch option or perhaps to refresh it for 5.6p1.
>
> A couple questions:
>
> - The "now" above refers to which version of OpenSSH?
> ("OpenSSH now contains...").

The now is OpenSSH for about the last 5 years. OpenSSH includes GSSAPI user authentication, but not GSSAPI key exchange. User authentication is useful until you have more than 5 or so machines on your site; beyond that, virtually every large organisation that I'm aware of with Kerberos deployed is using OpenSSH with GSSAPI key exchange.
> - It sounds like there may be some benefit to using
> the key exchange part of the patch. Do you think
> someone should try to determine which parts could
> still be useful on 5.6p1 or should we just remove
> the GSSAPI option altogether?

The patch as given on my website is all applicable to 5.6p1. In addition to supporting key exchange it also supports cascading credentials upon renewal, which is useful if you have a chain of many ssh connections from your desktop machine.

Cheers,

Simon.
=================================
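As an added illustration of the "mark the option BROKEN with deprecation text" approach discussed above (this is not the real security/openssh-portable Makefile and assumes the 2010-era OPTIONS / WITH_GSSAPI conventions of bsd.port.pre.mk):

```make
# Hypothetical port Makefile excerpt (not the actual openssh-portable port).
# The GSSAPI option stays listed so existing users see why it stops working,
# but selecting it marks the port BROKEN until the gsskex patch is refreshed.
OPTIONS=	GSSAPI "GSSAPI key exchange patch (currently broken)" off

.include <bsd.port.pre.mk>

.if defined(WITH_GSSAPI)
# bsd.ports.mk has no per-option deprecation knob, so the notice is carried
# in the BROKEN string itself (assumed wording, not from the project).
BROKEN=	the GSSAPI key exchange patch does not apply to 5.6p1; \
	this option may be deprecated in a future update
.endif

.include <bsd.port.post.mk>
```

In the port directory, `make -V BROKEN WITH_GSSAPI=yes` prints the message, while `make -V BROKEN` without the option prints nothing, which confirms the default build is unaffected.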