From patchwork Mon Dec 9 08:37:37 2019
X-Patchwork-Submitter: Lars-Dominik Braun
X-Patchwork-Id: 16439
Subject: [bug#38541] [PATCH] ssh: Add Kerberos-support to ssh:// daemon URLs
To: 38541@debbugs.gnu.org
X-GNU-PR-Package: guix-patches
Date: Mon, 9 Dec 2019 09:37:37 +0100
From: Lars-Dominik Braun
Message-ID: <20191209083737.GA10190@zpidnp36>
User-Agent: Mutt/1.10.1 (2018-07-13)

* gnu/packages/ssh.scm (libssh): Depend on mit-krb5
(guile-ssh): Support gssapi functions, see https://github.com/artyom-poptsov/guile-ssh/pull/15
* guix/ssh.scm (open-ssh-session): Fall back to GSSAPI if public key authentication does not work
---
 doc/guix.texi | 5 +-
 gnu/packages/patches/guile-ssh-gssapi.patch | 115 ++++++++++++++++++++
 gnu/packages/ssh.scm | 4 +-
 guix/ssh.scm | 15 ++-
 4 files changed, 131 insertions(+), 8 deletions(-)
 create mode 100644 gnu/packages/patches/guile-ssh-gssapi.patch
diff --git a/doc/guix.texi b/doc/guix.texi index 7d50f31d20..81ea5153b6 100644 --- a/doc/guix.texi +++ b/doc/guix.texi @@ -6753,8 +6753,9 @@ instruct it to listen for TCP connections (@pxref{Invoking guix-daemon, @item ssh @cindex SSH access to build daemons These URIs allow you to connect to a remote daemon over -SSH@footnote{This feature requires Guile-SSH (@pxref{Requirements}).}. -A typical URL might look like this: +SSH. This feature requires Guile-SSH (@pxref{Requirements}) and a working +@code{guile} binary in @code{PATH} on the destination machine. It supports +public key and GSSAPI authentication. A typical URL might look like this: @example ssh://charlie@@guix.example.org:22
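Review bot: the doc/guix.texi hunk adds a requirement ("a working @code{guile} binary in @code{PATH} on the destination machine") that has nothing to do with GSSAPI and is not covered by the commit message, which also carries no ChangeLog entry for doc/guix.texi at all. Move that sentence into its own commit, or at least add a `* doc/guix.texi` line to the message. Since the guix/ssh.scm hunk tries GSSAPI only after public-key authentication has been rejected, the manual text would also be more useful if it stated that order instead of the bare "It supports public key and GSSAPI authentication".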
diff --git a/gnu/packages/patches/guile-ssh-gssapi.patch b/gnu/packages/patches/guile-ssh-gssapi.patch new file mode 100644 index 0000000000..522687d589 --- /dev/null +++ b/gnu/packages/patches/guile-ssh-gssapi.patch 
@@ -0,0 +1,115 @@ +commit 8b728dc144ea12f3a339a2009e403e9bbd8fd39c +Author: Lars-Dominik Braun +Date: Thu Dec 5 10:31:00 2019 +0100 + + Add GSSAPI user authentication method + + Bind to libssh’s ssh_userauth_gssapi(). + +diff --git a/doc/api-auth.texi b/doc/api-auth.texi +index b2975d2..9f2884d 100644 +--- a/doc/api-auth.texi ++++ b/doc/api-auth.texi +@@ -125,6 +125,26 @@ In nonblocking mode, you've got to call this again later. + + @end deffn + ++@deffn {Scheme Procedure} userauth-gssapi! session ++Try to authenticate through the @code{gssapi-with-mic} method. ++ ++Return one of the following symbols: ++ ++@table @samp ++@item success ++Authentication success. ++@item partial ++You've been partially authenticated, you still have to use another method. ++@item again ++In nonblocking mode, you've got to call this again later. ++@item denied ++Authentication failed: use another method. ++@item error ++A serious error happened. ++@end table ++ ++@end deffn ++ + @deffn {Scheme Procedure} userauth-none! session + Try to authenticate through the @code{none} method. + +diff --git a/libguile-ssh/auth.c b/libguile-ssh/auth.c +index 52d3262..e9efe9e 100644 +--- a/libguile-ssh/auth.c ++++ b/libguile-ssh/auth.c +@@ -206,6 +206,27 @@ Throw `wrong-type-arg' if a disconnected SESSION is passed as an argument.\ + } + #undef FUNC_NAME + ++SCM_DEFINE (guile_ssh_userauth_gssapi_x, ++ "userauth-gssapi!", 1, 0, 0, ++ (SCM session), ++ "\ ++Try to authenticate through the \"gssapi-with-mic\" method.\ ++Throw `wrong-type-arg' if a disconnected SESSION is passed as an argument.\ ++") ++#define FUNC_NAME s_guile_ssh_userauth_gssapi_x ++{ ++ struct session_data *sd = _scm_to_session_data (session); ++ ++ int res; ++ ++ GSSH_VALIDATE_CONNECTED_SESSION (sd, session, SCM_ARG1); ++ ++ res = ssh_userauth_gssapi (sd->ssh_session); ++ ++ return ssh_auth_result_to_symbol (res); ++} ++#undef FUNC_NAME ++ + + /* Try to authenticate through the "none" method. 
+ +diff --git a/modules/ssh/auth.scm b/modules/ssh/auth.scm +index 158cab1..7a4be10 100644 +--- a/modules/ssh/auth.scm ++++ b/modules/ssh/auth.scm +@@ -29,6 +29,7 @@ + ;; userauth-public-key/try + ;; userauth-agent! + ;; userauth-password! ++;; userauth-gssapi! + ;; userauth-none! + ;; userauth-get-list + +@@ -46,6 +47,7 @@ + userauth-public-key/try + userauth-agent! + userauth-password! ++ userauth-gssapi! + userauth-none! + userauth-get-list + openssh-agent-start +diff --git a/tests/client-server.scm b/tests/client-server.scm +index 2704280..d8f490a 100644 +--- a/tests/client-server.scm ++++ b/tests/client-server.scm +@@ -429,6 +429,19 @@ + (userauth-public-key/auto! (make-session-for-test))) + + ++;;; 'userauth-gssapi!' ++ ++;; The procedure called with a wrong object as a parameter which leads to an ++;; exception. ++(test-error-with-log "userauth-gssapi!, wrong parameter" 'wrong-type-arg ++ (userauth-gssapi! "Not a session.")) ++ ++;; Client tries to authenticate using a non-connected session which leads to ++;; an exception. ++(test-error-with-log "userauth-gssapi!, not connected" 'wrong-type-arg ++ (userauth-gssapi! (make-session-for-test))) ++ ++ + ;;; + + diff --git a/gnu/packages/ssh.scm b/gnu/packages/ssh.scm index b82d280089..5a001525d0 100644 --- a/gnu/packages/ssh.scm +++ b/gnu/packages/ssh.scm @@ -99,7 +99,8 @@ ;; TODO: Add 'CMockery' and '-DWITH_TESTING=ON' for the test suite. #:tests? #f)) (inputs `(("zlib" ,zlib) - ("libgcrypt" ,libgcrypt))) + ("libgcrypt" ,libgcrypt) + ("mit-krb5" ,mit-krb5))) (synopsis "SSH client library") (description "libssh is a C library implementing the SSHv2 and SSHv1 protocol for client @@ -244,6 +245,7 @@ Additionally, various channel-specific options can be negotiated.") (sha256 (base32 "03bv3hwp2s8f0bqgfjaan9jx4dyab0abv27n2zn2g0izlidv0vl6")) + (patches (search-patches "guile-ssh-gssapi.patch")) (modules '((guix build utils))) (snippet '(begin diff --git a/guix/ssh.scm b/guix/ssh.scm index 291ce20b61..56b49b177f 100644 
--- a/guix/ssh.scm +++ b/guix/ssh.scm @@ -157,11 +157,16 @@ server at '~a': ~a") (session-set! session 'timeout timeout) session) (x - (disconnect! session) - (raise (condition - (&message - (message (format #f (G_ "SSH authentication failed for '~a': ~a~%") - host (get-error session))))))))) + (match (userauth-gssapi! session) + ('success + (session-set! session 'timeout timeout) + session) + (x + (disconnect! session) + (raise (condition + (&message + (message (format #f (G_ "SSH authentication failed for '~a': ~a~%") + host (get-error session))))))))))) (x ;; Connection failed or timeout expired. (raise (condition
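Review bot: the new gnu/packages/patches/guile-ssh-gssapi.patch opens directly with the upstream commit header (`commit 8b728dc144ea12f3a339a2009e403e9bbd8fd39c`) and has no comment on its origin or upstream status; Guix patch files normally begin with a line such as "Submitted upstream: https://github.com/artyom-poptsov/guile-ssh/pull/15" (the URL the commit message already cites) so the patch can be dropped once a guile-ssh release contains it. The embedded tests/client-server.scm additions only exercise the two `wrong-type-arg` error paths (a non-session object and a disconnected session), which is reasonable because a positive test would need a KDC, but the `userauth-gssapi!` documentation in doc/api-auth.texi should then say which of the listed symbols (`denied` or `error`) a caller gets when the underlying libssh was built without GSSAPI support, because guix/ssh.scm now depends on that result.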
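Review bot: the gnu/packages/ssh.scm hunk adds `("mit-krb5" ,mit-krb5)` to libssh's inputs but passes no build option, so whether libssh's GSSAPI code is compiled at all depends on its CMake configure step auto-detecting Kerberos; please confirm from the build log that it did, and consider making it explicit with `-DWITH_GSSAPI=ON` in `#:configure-flags` next to the existing `#:tests? #f` so a silent detection failure cannot turn the new fallback into one that always returns `denied`. This hunk also rebuilds libssh and everything linked against it, guile-ssh and therefore guix included, so it should land on a branch that rebuilds those dependents rather than on master.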
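Review bot: in the guix/ssh.scm hunk, the inner `match` on `(userauth-gssapi! session)` recognises only `'success`; `'partial` and `'again` (both listed in the new guile-ssh documentation) fall into the catch-all and disconnect, which is acceptable for a blocking session but deserves a comment. More importantly, that catch-all builds its message from `(get-error session)` after the GSSAPI attempt, so the user is shown the GSSAPI failure and never learns why public-key authentication was rejected first; capture the first error before calling `userauth-gssapi!` and report both, or at least say in the message that both methods were tried. Minor: both catch-all patterns bind `x` without using it (the inner one shadows the outer), so `_` reads better, and the duplicated success branch `(session-set! session 'timeout timeout) session)` could be collapsed by testing the two authentication results with a single `or` and matching once.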