gsissh and hpn

[rapier1]

Hey there,

First, I wanted to let you know that I put out a new patch set for OpenSSH 8.7p1 at github/rapier1/openssh-portable.

Second, I'm working on some debian packaging. The default deb packages include the gssapi extension which, as far as I can tell, are these patches with the hpnssh code stripped out. Since I'm trying to recreate their setup do you have a version of gsissh without the hpn patch applied? If so can you point it out to me?

Thanks!

Chris

[fscheiner]

@rapier1
Hi Chris,

not sure if my email from late September reached you, so I'll put the content here, too:

First, I wanted to let you know that I put out a new patch set for OpenSSH 8.7p1 at github/rapier1/openssh-portable.

That's great news! I assume Mattias (@ellert) will pick it up when Fedora starts to use OpenSSH 8.7p1, they're currently still on 8.6p1.

Second, I'm working on some debian packaging. The default deb packages include the gssapi extension which, as far as I can tell, are these patches with the hpnssh code stripped out.

With "these patches", do you mean the GSI patches? Because I think Debian is actually just using the GSSKEX patches from here instead. Or did you mean the patches that were used to create the GSI-OpenSSH sources that are included in the GCT since v6.2.20210826? This GSI-OpenSSH is based on gsi-openssh-8.6p1-2 from Fedora 34 (see #154) which is itself based on the respective OpenSSH version there and not related to any specific OpenSSH version from Debian.

Since I'm trying to recreate their setup do you have a version of gsissh without the hpn patch applied? If so can you point it out to me?

Not sure for Debian, because IIC we don't have any GSI-OpenSSH packages built because IIRC Debian doesn't want to have two versions of OpenSSH in their package repositories. GSI and Kerberos auth can't be compiled together AFAIK.

But for EPEL/Fedora, the hpn patch comes on top of all other patches IIRC, so you could take any GSI-OpenSSH source RPM from EPEL/Fedora and just remove the hpn patch from the RPM spec file. The sources for these RPMs are maintained on 2.

Cheers,
Frank

[rapier1]

I'm sorry I haven't replied. There have been a cascading series of family emergencies over the past 10 months and there are times where I simply lose the ability to keep up with anything else.

On 10/7/21 1:31 PM, fscheiner wrote: @rapier1 <https://github.com/rapier1> Hi Chris, not sure if my email from late September reached you, so I'll put the content here, too: First, I wanted to let you know that I put out a new patch set for OpenSSH 8.7p1 at github/rapier1/openssh-portable. That's great news! I assume Mattias ***@***.*** <https://github.com/ellert>) will pick it up when Fedora starts to use OpenSSH 8.7p1, they're currently still on 8.6p1.

Excellent. Of course they already released 8.8. I haven't ported to that yet.

Second, I'm working on some debian packaging. The default deb packages include the gssapi extension which, as far as I can tell, are these patches with the hpnssh code stripped out. With "these patches", do you mean the GSI patches? Because I think Debian is actually just using the GSSKEX patches from here <https://github.com/openssh-gsskex/openssh-gsskex/> instead. Or did you mean the patches that were used to create the GSI-OpenSSH sources that are included in the GCT since v6.2.20210826? This GSI-OpenSSH is based on gsi-openssh-8.6p1-2 from Fedora 34 (see #154 <#154>) which is itself based on the respective OpenSSH version there and not related to any specific OpenSSH version from Debian.

You are right, it's just the GSSKEX patches. I gotta be honest I hate the packaging process when I'm building off of current packages. Probably because I don't have a lot of experience with it and the learning curve isn't necessarily gentle. That said, turns out a lot of people want that and I want to boost adoption.

Since I'm trying to recreate their setup do you have a version of gsissh without the hpn patch applied? If so can you point it out to me? Not sure for Debian, because IIC we don't have any GSI-OpenSSH packages built because IIRC Debian doesn't want to have two versions of OpenSSH in their package repositories. GSI and Kerberos auth can't be compiled together AFAIK.

Yeah, I looked into that and from what I heard they don't want to even consider it. That's why I'm working on setting up PPAs for debian, fedora, etc.

But for EPEL/Fedora, the hpn patch comes on top of all other patches IIRC, so you could take any GSI-OpenSSH source RPM from EPEL/Fedora and just remove the hpn patch from the RPM spec file. The sources for these RPMs are maintained on 2 <https://src.fedoraproject.org/rpms/gsi-openssh/>.

Cool, thank you for that. I'll take a look. Also, I appreciate the follow up. I just have way too many things falling off of my plate lately. Chris