gridcf / gct

Grid Community Toolkit
Apache License 2.0

gsissh and hpn #166

Open rapier1 opened 2 years ago

rapier1 commented 2 years ago

Hey there,

First, I wanted to let you know that I put out a new patch set for OpenSSH 8.7p1 at github/rapier1/openssh-portable.

Second, I'm working on some debian packaging. The default deb packages include the gssapi extension which, as far as I can tell, are these patches with the hpnssh code stripped out. Since I'm trying to recreate their setup do you have a version of gsissh without the hpn patch applied? If so can you point it out to me?

Thanks!

Chris

fscheiner commented 2 years ago

@rapier1 Hi Chris,

not sure if my email from late September reached you, so I'll put the content here, too:

> First, I wanted to let you know that I put out a new patch set for OpenSSH 8.7p1 at github/rapier1/openssh-portable.

That's great news! I assume Mattias (@ellert) will pick it up when Fedora starts to use OpenSSH 8.7p1, they're currently still on 8.6p1.

> Second, I'm working on some debian packaging. The default deb packages include the gssapi extension which, as far as I can tell, are these patches with the hpnssh code stripped out.

With "these patches", do you mean the GSI patches? Because I think Debian is actually just using the GSSKEX patches from here (https://github.com/openssh-gsskex/openssh-gsskex/) instead. Or did you mean the patches that were used to create the GSI-OpenSSH sources that are included in the GCT since v6.2.20210826? This GSI-OpenSSH is based on gsi-openssh-8.6p1-2 from Fedora 34 (see https://github.com/gridcf/gct/pull/154) which is itself based on the respective OpenSSH version there and not related to any specific OpenSSH version from Debian.

> Since I'm trying to recreate their setup do you have a version of gsissh without the hpn patch applied? If so can you point it out to me?

Not sure for Debian, because IIC we don't have any GSI-OpenSSH packages built because IIRC Debian doesn't want to have two versions of OpenSSH in their package repositories. GSI and Kerberos auth can't be compiled together AFAIK.

But for EPEL/Fedora, the hpn patch comes on top of all other patches IIRC, so you could take any GSI-OpenSSH source RPM from EPEL/Fedora and just remove the hpn patch from the RPM spec file. The sources for these RPMs are maintained on [2] (https://src.fedoraproject.org/rpms/gsi-openssh/).

Cheers, Frank

rapier1 commented 2 years ago

I'm sorry I haven't replied. There has been a cascading series of family emergencies over the past 10 months and there are times where I simply lose the ability to keep up with anything else.

On 10/7/21 1:31 PM, fscheiner wrote:

> @rapier1 https://github.com/rapier1 Hi Chris,
>
> not sure if my email from late September reached you, so I'll put the content here, too:
>
> > First, I wanted to let you know that I put out a new patch set for
> > OpenSSH 8.7p1 at github/rapier1/openssh-portable.
>
> That's great news! I assume Mattias (@ellert https://github.com/ellert) will pick it up when Fedora starts to use OpenSSH 8.7p1, they're currently still on 8.6p1.

Excellent. Of course they already released 8.8. I haven't ported to that yet.

> > Second, I'm working on some debian packaging. The default deb
> > packages include the gssapi extension which, as far as I can tell,
> > are these patches with the hpnssh code stripped out.
>
> With "these patches", do you mean the GSI patches? Because I think Debian is actually just using the GSSKEX patches from here https://github.com/openssh-gsskex/openssh-gsskex/ instead. Or did you mean the patches that were used to create the GSI-OpenSSH sources that are included in the GCT since v6.2.20210826? This GSI-OpenSSH is based on gsi-openssh-8.6p1-2 from Fedora 34 (see #154 https://github.com/gridcf/gct/pull/154) which is itself based on the respective OpenSSH version there and not related to any specific OpenSSH version from Debian.

You are right, it's just the GSSKEX patches. I gotta be honest I hate the packaging process when I'm building off of current packages. Probably because I don't have a lot of experience with it and the learning curve isn't necessarily gentle. That said, turns out a lot of people want that and I want to boost adoption.

> > Since I'm trying to recreate their setup do you have a version of
> > gsissh without the hpn patch applied? If so can you point it out to me?
>
> Not sure for Debian, because IIC we don't have any GSI-OpenSSH packages built because IIRC Debian doesn't want to have two versions of OpenSSH in their package repositories. GSI and Kerberos auth can't be compiled together AFAIK.

Yeah, I looked into that and from what I heard they don't want to even consider it. That's why I'm working on setting up PPAs for debian, fedora, etc.

> But for EPEL/Fedora, the hpn patch comes on top of all other patches IIRC, so you could take any GSI-OpenSSH source RPM from EPEL/Fedora and just remove the hpn patch from the RPM spec file. The sources for these RPMs are maintained on [2] https://src.fedoraproject.org/rpms/gsi-openssh/.

Cool, thank you for that. I'll take a look.

Also, I appreciate the follow up. I just have way too many things falling off of my plate lately.

Chris