This is the mail archive of the cygwin mailing list for the Cygwin project.



Re: Successful build of ssh from openssh w. MIT kerberos


On 2009-08-12 20:29, Yaakov (Cygwin/X) wrote:
> On 12/08/2009 14:55, Alec Kloss wrote:
> >I'm not having much luck with heimdal-1.2.1 from cygwin-ports trunk
> >on Cygwin 1.7 beta.  This is all downloaded today.  cygwin-ports
> >revision 7337.
> 
> 1) If patch(1) is segfaulting, something else is wrong with your 
> installation.

Hrm... there appear to be some problems with the filesystem in
cygwin 1.7.  I was working on an OpenAFS volume where patch was
segfaulting.  Working on an NTFS volume doesn't segfault.

Unfortunately, I'm still having trouble with
heimdal-1.2.1-1.cygport.  Running "cygport heimdal-1.2.1-1.cygport"
results in:

>>> Preparing heimdal-1.2.1-1
*** Info: SOURCE 1 signature follows:
gpg: WARNING: using insecure memory!
gpg: please see http://www.gnupg.org/faq.html for more information
gpg: Signature made Mon Jul 28 07:33:35 2008 CDT using DSA key ID 45D901D8
gpg: Can't check signature: public key not found
>>> Unpacking source heimdal-1.2.1.tar.gz
*** Info: applying patch 001_all_heimdal-no_libedit.patch:
patching file cf/krb-readline.m4
*** Info: applying patch 003_all_heimdal-rxapps.patch:
patching file appl/kx/rxtelnet.in
Hunk #1 succeeded at 2 with fuzz 1.
patching file appl/kx/rxterm.in
Hunk #1 succeeded at 2 with fuzz 1.
*** Info: applying patch 014_all_heimdal-path.patch:
*** Info: applying patch 022_all_heimdal-as-needed.patch:
patching file lib/roken/Makefile.am
Hunk #1 succeeded at 110 (offset 3 lines).
patching file lib/editline/Makefile.am
*** Info: applying patch heimdal-r23238-kb5_locl_h-wind_h.patch:
patching file lib/krb5/Makefile.am
*** Info: applying patch heimdal-r23235-kb5-libwind_la.patch:
*** Info: applying patch heimdal-kdc-sans_pkinit.patch:
patching file kdc/Makefile.am
*** Info: applying patch heimdal-system_sqlite.patch:
*** Info: applying patch heimdal-symlinked-manpages.patch:
*** Info: applying patch heimdal-autoconf-ipv6-backport.patch:
patching file cf/krb-ipv6.m4
patching file lib/roken/mini_inetd.c
*** ERROR: patch 1.2.1-no-editline.patch will not apply



> 2) Why is your cygport(1) under /usr/local?  The cygport packages that 
> are part of the distro (curr. 0.9.9) install under /usr.

I compiled my own from the Subversion trunk sources.  I also just
installed the cygport binary and it behaves exactly the same way.

> >I've had success compiling Heimdal 1.2 directly and linking openssh
> >to it to get GSSAPI authentication working but it seems like
> >getting cygwin-ports to do the work would be a better solution.
> 
> The major difference if you built heimdal OOTB is that you have only 
> static libraries; the Ports .cygport makes shared libs as well.

That's true.

> I just uploaded the binary packages here:
> 
> ftp://ftp.cygwinports.org/pub/cygwinports/release-2/heimdal/
> 
> You'll have to download them manually for now.

Hrm, these must be cygwin packages;  just untarring them doesn't
appear to be sufficient.  Pointing Cygwin's setup-1.7.exe at
ftp://ftp.cygwinports.org/pub/cygwinports/ seems to download the
setup-2.bz2 file, but the setup-2.bz2.sig doesn't survive the
signature testing.  I'm (obviously) no cygwin packaging expert
so if someone can give me a hint about this, that'd be great.

> One reason I haven't ITP'd this build is because I have no means of 
> testing it in real world scenarios.  'make check' did pass, so that's 
> promising, but I need someone else who is familiar with KRB5 to tell me 
> it really works (or tell me how else I could test it).

I can probably find some time to test a small installation.  I'd
think most users would just want the client tools and the GSSAPI
integration in sshd to work.  I'd be a little surprised if someone
wanted to run a KDC under cygwin, but one never knows.

The earlier poster had openssh linked against MIT Kerberos for
Windows.  This has a significant advantage over linking for heimdal
in that KfW can use the MSLSA ticket cache.  This means a user
could sit at a workstation, log in using their Windows domain
username and password, click the cygwin icon, type "ssh
myfavoriteserver" and be logged in without any additional password
prompting.  I don't think heimdal can access the MSLSA cache, so...
someone needs to think about if/when a kerberized openssh is
included in cygwin if it should link against cygwin-compiled
heimdal or against MIT KfW.  


-- 
Alec Kloss  alec@SetFilePointer.com   IM: daemonalec@gmail.com
PGP key at http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xA241980E
"No Bunny!" -- Simon, http://wiki.adultswim.com/xwiki/bin/Frisky+Dingo/Simon
