Opened 14 years ago
Closed 13 years ago
#27250 closed enhancement (fixed)
Add OpenSSH GSSAPI key exchange patch
Reported by: | lassi.tuura@… | Owned by: | jyrkiwahlstedt |
---|---|---|---|
Priority: | Normal | Milestone: | |
Component: | ports | Version: | |
Keywords: | haspatch | Cc: | khepler, maehne (Torsten Maehne), nonstop.server@…, vkuznet (Valentin Kuznetsov), mmpestorich (Mike M Pestorich), matty2fatty@… |
Port: | openssh |
Description
Would it be possible to build openssh with patches from http://www.sxw.org.uk/computing/patches/ or at least provide a variant which includes the patch?
In particular it adds support for the GSSAPITrustDNS option, which the OS X system SSH appears to be built with and which is very useful for working in a Kerberos V5 environment. Or, more accurately put, ssh without that option isn't really very useful in a Kerberos V5 environment where DNS-aliased host names are common, e.g. for load-balanced ones.
From http://paste.lisp.org/display/64135 it looks like the predecessor patch might have been included before, but I can't find any corresponding section in the revision log of the openssh port file.
I took the patch for 5.3p1 from http://www.sxw.org.uk/computing/patches/openssh-5.3p1-gsskex-all-20100124.patch, adapted it to OpenSSH 5.6p1 code (Makefile.in, key.h and key.c need trivial patch updates), and attached it to this ticket.
Attachments (7)
Change History (22)
Changed 14 years ago by lassi.tuura@…
Attachment: | Portfile.patch added |
---|
Changed 14 years ago by lassi.tuura@…
Attachment: | openssh-5.3p1-gsskex-all-20100124.patch added |
---|
Actual patch
comment:1 Changed 14 years ago by mf2k (Frank Schima)
Keywords: | haspatch added |
---|---|
Owner: | changed from macports-tickets@… to jwa@… |
Version: | 1.9.2 |
Changed 13 years ago by lassi.tuura@…
Attachment: | Portfile2.patch added |
---|
Updated patch for openssh 5.9p1
Changed 13 years ago by lassi.tuura@…
Attachment: | openssh-5.9p1-gsskex-all-20110920.patch added |
---|
Updated patch for openssh 5.9p1
Changed 13 years ago by lassi.tuura@…
Attachment: | apple-keychain.patch added |
---|
Patch to add apple keychain support (+ other apple changes)
comment:2 Changed 13 years ago by lassi.tuura@…
I've added patches to the portfile and to add to the 'files' directory, for the openssh currently in use in macports (5.9p1). The gsskex patch is just a refreshed version of the sxw.org.uk one (there is no patch for 5.9p1 there).
The second, apple-keychain.patch, contains a selected subset of the differences between standard openssh and Apple's version, most notably the automatic integration with keychain, as per running diff against the version available from www.opensource.apple.com/source/OpenSSH. As far as I understand the license in the additional source files, they are ok for distribution in macports (= Apple BSD license). I didn't include quite all the differences, as some seemed deprecated (SACL), others can't be compiled without apparently internal private sources (APPLE_CROSS_REALM requires OpenDirectoryPriv.h), and others are effectively already in openssh (sandboxing). I can't really vouch for some of the additional configury options, but that's what the opensource version used.
The second patch only applies after the gsskex one.
I'd really appreciate it if these patches, or some derivative of them, could be applied to the macports version.
Changed 13 years ago by lassi.tuura@…
Attachment: | 0001-GSS-key-exchange-patch.patch added |
---|
Patch regenerated in a cleaner format with git
Changed 13 years ago by lassi.tuura@…
Attachment: | 0002-Apple-keychain-integration-other-changes.patch added |
---|
Patch regenerated in a cleaner format with git
comment:8 Changed 13 years ago by vkuznet (Valentin Kuznetsov)
Please include those patches in the next MacPorts upgrade.
comment:12 Changed 13 years ago by matty2fatty@…
Would it be possible to spell out how to include the provided patches so that they are automatically applied by macports? I've looked over the official docs and tried editing the portfile in seemingly reasonable ways, but things don't seem to be working. I'm particularly interested in getting the GSSAPIKeyExchange business working.
comment:13 Changed 13 years ago by lassi.tuura@…
Say you want to keep your private port modifications in ~/Dev/MacPorts, and openssh would be in ~/Dev/MacPorts/openssh, something like this should work assuming you've downloaded into ~/Downloads Portfile2.patch, 0001-GSS-key-exchange-patch.patch and 0002-Apple-keychain-integration-other-changes.patch:
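```sh
# Copy the stock openssh port into a private working directory
mkdir -p ~/Dev/MacPorts/openssh
rsync -av /opt/local/var/macports/sources/rsync.macports.org/release/ports/net/openssh/ ~/Dev/MacPorts/openssh/
cd ~/Dev/MacPorts/openssh
# Patch the Portfile, then place the source patches under files/ with the names shown
patch < ~/Downloads/Portfile2.patch
mv ~/Downloads/0001-GSS-key-exchange-patch.patch files/openssh-5.9p1-gsskex-all-20110920.patch
mv ~/Downloads/0002-Apple-keychain-integration-other-changes.patch files/apple-keychain.patch
# With no port name given, port acts on the Portfile in the current directory
sudo port -f uninstall
sudo port install +gsskex
```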
I didn't try rebuilding it just now with that recipe, but I did rebuild my openssh using something very much like that about a month ago.
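A way to confirm that a rebuilt binary understands the options the gsskex patch adds, given as an added example that is not part of the ticket or the port. It relies on ssh processing `-o` arguments in order and exiting with an error on an unknown keyword before it reaches `-V`; the function names and the `/opt/local/bin/ssh` path (the MacPorts prefix used above) are assumptions.

```shell
#!/bin/sh
# Added example: report which gsskex-patch keywords an ssh binary rejects.
# An unknown "-o Keyword=value" makes ssh exit non-zero ("Bad configuration
# option") while parsing its arguments; a known keyword lets it continue to
# -V, which prints the version and exits 0. No connection is attempted.

# Client-side keywords named in this ticket.
GSSKEX_OPTIONS="GSSAPIKeyExchange GSSAPITrustDNS"

# ssh_accepts_option SSH_BIN KEYWORD
# Exit status 0 if SSH_BIN recognises KEYWORD, non-zero otherwise.
ssh_accepts_option() {
    "$1" -o "$2=yes" -V >/dev/null 2>&1
}

# gsskex_missing_options SSH_BIN
# Prints the keywords SSH_BIN rejects, space separated (empty line if none).
gsskex_missing_options() {
    missing=""
    for opt in $GSSKEX_OPTIONS; do
        ssh_accepts_option "$1" "$opt" || missing="${missing:+$missing }$opt"
    done
    printf '%s\n' "$missing"
}

# Typical use after "sudo port install +gsskex" (path is an assumption):
#   gsskex_missing_options /opt/local/bin/ssh
#   gsskex_missing_options /usr/bin/ssh
```

An accepted keyword only shows that the client parses it; whether GSSAPI key exchange is actually negotiated still depends on the server.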
comment:14 Changed 13 years ago by matty2fatty@…
Thanks! That is really helpful; it's exactly what I needed to get everything working. (And thanks for all your other contributions to this port as well!)
comment:15 Changed 13 years ago by jyrkiwahlstedt
Resolution: | → fixed |
---|---|
Status: | new → closed |
done in r91536, thanks Lassi
Patch to Portfile to add gsskex variant