| Summary: | Review Request: gsi-openssh - An implementation of the SSH protocol with GSI authentication | | |
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Mattias Ellert <mattias.ellert> |
| Component: | Package Review | Assignee: | Andrew Elwell <andrew.elwell> |
| Status: | CLOSED ERRATA | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | medium | Priority: | medium |
| Version: | rawhide | CC: | andrew.elwell, bbockelm, christos.triantafyllidis, dennisvd, fedora-package-review, gholms, jbasney, notting, orion, steve.traylen |
| Hardware: | All | Flags: | andrew.elwell: fedora-review+, gwync: fedora-cvs+ |
| OS: | Linux | Fixed In Version: | gsi-openssh-5.3p1-3.el6 |
| Doc Type: | Bug Fix | Last Closed: | 2011-11-27 21:54:20 UTC |

Description
Mattias Ellert
2011-03-09 19:15:05 UTC
Hi Mattias,
although I can only do an unofficial review, I think that there is an issue with these packages. As rpmlint reports, there is no link to upstream source packages. (I'm putting just the el5 report):
$ rpmlint gsissh.el5.spec
gsissh.el5.spec:37: W: macro-in-comment %{version}
gsissh.el5.spec:38: W: macro-in-comment %{version}
gsissh.el5.spec:327: W: rpm-buildroot-usage %build fipshmac $RPM_BUILD_ROOT%{_bindir}/gsissh \
gsissh.el5.spec:328: W: rpm-buildroot-usage %build fipshmac $RPM_BUILD_ROOT%{_sbindir}/gsisshd \
gsissh.el5.spec: W: invalid-url Source0: openssh-4.3p2-noacss.tar.bz2
0 packages and 1 specfiles checked; 0 errors, 5 warnings.
I saw your comment about the ACSS in the SPEC file but I think this would be much much clearer if you used the upstream openssh package and added a patch file that removes the ACSS cipher.
Fedora reviewing guidelines require:
MUST: The sources used to build the package must match the upstream source, as provided in the spec URL. Reviewers should use md5sum for this task. If no upstream URL can be specified for this package, please see the Source URL Guidelines for how to deal with this.
Regards,
Christos
(In reply to comment #1)
> I saw your comment about the ACSS in the SPEC file but I think this would be
> much much clearer if you used the upstream openssh package and added a patch
> file that removes the ACSS cipher.
>
> Fedora reviewing guidelines require:
> MUST: The sources used to build the package must match the upstream source, as
> provided in the spec URL. Reviewers should use md5sum for this task. If no
> upstream URL can be specified for this package, please see the Source URL
> Guidelines for how to deal with this.

Most of the gsissh specfile is copied from the openssh specfile, including the part regarding the source. The source tarball is the same as in the openssh package. It is not possible to do the removal of the ACSS sources in %prep only, since they can not be legally distributed. This is not a case of "make sure the code is not used during the build", but a case of "make sure the sources are not illegally redistributed by Fedora inside the source RPM". The spec is compliant with the guidelines for this case:
http://fedoraproject.org/wiki/Packaging:SourceURL#When_Upstream_uses_Prohibited_Code

Andrew - Are you going to review this?

Hi,
I just tested the posted SRPM for RHEL5. Builds fine in mock for me. However, when I try to use the service, I get:
[brian@brian-test vdt-release]$ sudo /sbin/service gsisshd start
Starting gsisshd: Could not load host key: /etc/gsissh/ssh_host_rsa_key
Could not load host key: /etc/gsissh/ssh_host_dsa_key
[ OK ]
I hand-generated new keys and hand-changed the port to 23 from 22 (conflicting with normal SSH), and the server worked. Even properly invokes the Globus plugin infrastructure!
However, when logging out, zombie processes were left over. Process tree looks like this:
root 6807 0.0 0.0 165308 6052 ? Ssl 07:42 0:00 gsisshd: brian [priv]
brian 6823 0.0 0.0 165308 3208 ? S 07:42 0:00 \_ gsisshd: brian@pts/11
brian 6824 0.0 0.0 0 0 ? Zs 07:42 0:00 \_ [bash] <defunct>
After installing debuginfo RPMs, I see the middle process (6823) has the following stack trace:
(gdb) bt
#0 0x00007f1123eeb212 in select () from /lib64/libc.so.6
#1 0x00007f11281f1cad in wait_until_can_do_something (readsetp=0x7fffa66904a8, writesetp=0x7fffa66904a0, maxfdp=0x7fffa66904b4,
nallocp=0x7fffa66904b0, max_time_milliseconds=0) at serverloop.c:338
#2 0x00007f11281f2660 in server_loop2 (authctxt=<value optimized out>) at serverloop.c:810
#3 0x00007f11281f9c7f in do_authenticated2 (authctxt=0x7f11293cbbb0) at session.c:2506
#4 do_authenticated (authctxt=0x7f11293cbbb0) at session.c:226
#5 0x00007f11281ebf00 in main (ac=<value optimized out>, av=<value optimized out>) at sshd.c:1797
Maybe we should bring the gsissh devs into the loop on this one?
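
Added example, not part of the original comments or of the gsissh sources: a parent that forks while SIGCHLD is blocked never runs its handler and leaves the child defunct, as in the process tree above; the next reply in this thread names a blocked SIGCHLD as the cause. `library_init_blocks_sigchld` is a hypothetical stand-in for a library initialiser that blocks the signal, and the program is single-threaded.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <sys/wait.h>
#include <time.h>
#include <unistd.h>

static volatile sig_atomic_t reaped;        /* set by the handler */
static volatile sig_atomic_t child_status;  /* wait status of the last child */

/* SIGCHLD handler: collect every child that has already exited. */
static void on_sigchld(int sig)
{
    int saved_errno = errno, st;
    (void)sig;
    while (waitpid(-1, &st, WNOHANG) > 0) {
        child_status = st;
        reaped = 1;
    }
    errno = saved_errno;
}

/* Block or unblock SIGCHLD for the caller (single-threaded here;
 * a threaded daemon would call pthread_sigmask() instead). */
static void mask_sigchld(int how)
{
    sigset_t set;
    sigemptyset(&set);
    sigaddset(&set, SIGCHLD);
    sigprocmask(how, &set, NULL);
}

/* Hypothetical stand-in (assumption) for a library initialiser that
 * returns with SIGCHLD blocked. */
static void library_init_blocks_sigchld(void)
{
    mask_sigchld(SIG_BLOCK);
}

/* Fork one short-lived child after "library init".
 * Returns 1 if the handler reaped it, 0 if it stayed defunct, -1 on error. */
int child_is_reaped(int apply_workaround)
{
    struct sigaction sa, old_sa;
    sigset_t old_mask, cur;
    struct timespec nap = { 0, 20 * 1000 * 1000 };   /* 20 ms */
    pid_t pid;
    int i, st, result = -1;

    sigprocmask(SIG_SETMASK, NULL, &old_mask);       /* save caller's mask */
    sa.sa_handler = on_sigchld;
    sigemptyset(&sa.sa_mask);
    sa.sa_flags = SA_RESTART;
    sigaction(SIGCHLD, &sa, &old_sa);

    library_init_blocks_sigchld();
    if (apply_workaround)
        mask_sigchld(SIG_UNBLOCK);                   /* undo the block after init */

    reaped = 0;
    pid = fork();
    if (pid == 0) {
        /* The mask is inherited across fork(): report it via exit status. */
        sigprocmask(SIG_SETMASK, NULL, &cur);
        _exit(sigismember(&cur, SIGCHLD) == 1);
    }
    if (pid > 0) {
        for (i = 0; i < 50 && !reaped; i++)
            nanosleep(&nap, NULL);                   /* parent's "server loop" */
        result = reaped ? 1 : 0;
        if (!reaped && waitpid(pid, &st, 0) == pid)  /* collect the zombie by hand */
            child_status = st;
    }
    sigaction(SIGCHLD, &old_sa, NULL);
    sigprocmask(SIG_SETMASK, &old_mask, NULL);
    return result;
}

/* 1 if the last child started with SIGCHLD blocked, 0 if not. */
int child_saw_sigchld_blocked(void)
{
    int st = child_status;
    return WIFEXITED(st) ? WEXITSTATUS(st) : -1;
}

int main(void)
{
    int r = child_is_reaped(0);
    printf("blocked:   reaped=%d child_blocked=%d\n", r, child_saw_sigchld_blocked());
    r = child_is_reaped(1);
    printf("unblocked: reaped=%d child_blocked=%d\n", r, child_saw_sigchld_blocked());
    return 0;
}
```

Because the child inherits the blocked mask, a daemon that forks more than once per connection needs the unblock in each process that waits on children.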
The zombie process issue is caused by the Globus pthr libraries blocking SIGCHLD:
https://bugzilla.mcs.anl.gov/globus/show_bug.cgi?id=7105
It is fixed in the Globus Toolkit v5.1.0 libraries. The problem does not occur with earlier non-pthr Globus libraries.

Hi Jim,
I can't quite tell from the comments on the ticket: is it possible to fix this? Or should we just hold off here until Globus 5.2.
FWIW - OSG is switching to EPEL's Globus, meaning that we're going to have to make gsissh work *somehow*. It's just a matter of "how dirty do our hands get"?
Brian

I suppose it'd be possible to patch the gsissh sources to unblock the signals after the pthr Globus libraries block them, if you're forced to use pre-5.1.0 pthr Globus libraries.

Hi Jim,
I tried a few approaches:
- Re-install the signal handlers after globus is initialized
- Hook the OpenSSH signal handlers into the globus callback system.
No dice on either. Can you take a whack at it for me? Maybe you'll see something I missed. We still very much desire it!
Brian

Brian,
Are you sure you unblocked the signals in the main OpenSSH thread? Here's the work-around I added in MyProxy for this Globus pthr library issue:
http://lists.globus.org/pipermail/myproxy-commit/2010-June/000429.html
Of course MyProxy is much simpler than OpenSSH. The fact that the OpenSSH server forks multiple processes per incoming connection may mean that you need work-arounds in multiple places. The Globus pthr libraries are simply not designed for applications that don't use the Globus threading API, which is why I've always recommended use of non-pthr Globus libraries with GSI-OpenSSH.
-Jim

Hi Jim,
I figured out what I was doing wrong. Here's an SRPM with the issue fixed:
http://vdt.cs.wisc.edu/repos/3.0/el5/development/src/gsissh-4.3p2-2.osg.src.rpm
I also changed around some defaults in sshd_config so "yum install gsissh-server && service gsisshd start" Just Works.
Brian

(In reply to comment #10)
> Hi Jim,
>
> I figured out what I was doing wrong. Here's an SRPM with the issue fixed:

Thanks for figuring out these issues. Here are updated SRPMS:
http://grid.tsl.uu.se/review/gsissh-4.3p2-2.el5.src.rpm
http://grid.tsl.uu.se/review/gsissh-5.3p1-2.el6.src.rpm
http://grid.tsl.uu.se/review/gsissh-5.5p1-2.fc14.src.rpm
http://grid.tsl.uu.se/review/gsissh-5.6p1-2.fc15.src.rpm
http://grid.tsl.uu.se/review/gsissh-5.8p2-1.fc16.src.rpm
Specfiles:
http://grid.tsl.uu.se/review/el5/gsissh.spec
http://grid.tsl.uu.se/review/el6/gsissh.spec
http://grid.tsl.uu.se/review/fc14/gsissh.spec
http://grid.tsl.uu.se/review/fc15/gsissh.spec
http://grid.tsl.uu.se/review/fc16/gsissh.spec

I talked to the upstream folks a bit. Apparently, they are also preparing a gsissh RPM (which looks to be in decent shape) for GT5.2. However, they are calling it "gsi_openssh" while this package is called "gsissh". Is it worth it to rename the package in hopes that we can align better with upstream?

(In reply to comment #12)
> However, they are calling it "gsi_openssh" ...

Having an underscore in the name is a bad idea. The globus RPM packages are named "globus-common" etc, and not "globus_common" etc which are the internal GPT package names, for good reasons. The underscore is part of the set of characters allowed in package names in the Fedora Guidelines, however its use is discouraged since the guidelines also say: "When naming packages for Fedora, the maintainer must use the dash '-' as the delimiter for name parts. The maintainer must NOT use an underscore '_', a plus '+', or a period '.' as a delimiter." Also, having an underscore in the name makes it impossible to comply with the guideline that says "If this package has been packaged by other distributions/packagers in the past, then you should try to match their name for consistency", since other distributions like Debian don't allow underscores at all in the package names.
Naming it "gsi-openssh" would be an acceptable name though - if that is preferred.

Looking at the upstream 5.1.1 alpha release it looks like upstream did the right thing for their debian packages and called them gsi-openssh. Why they screwed up with the RPMs I don't know.

Alright - the next upstream release correctly calls this "gsi-openssh", and it doesn't need the patch. The two options I see are:
1) Wait until Fedora goes to GT 5.2. We've been testing the pre-release pretty hard, and the upstream RPMs are getting closer to Fedora-quality.
2) Rename the posted package to "gsi-openssh" and include my patch - this prevents us from having to rename it in 6 months.

Renamed packages for review
SRPMS:
http://grid.tsl.uu.se/review/gsi-openssh-4.3p2-3.el5.src.rpm
http://grid.tsl.uu.se/review/gsi-openssh-5.3p1-3.el6.src.rpm
http://grid.tsl.uu.se/review/gsi-openssh-5.5p1-3.fc14.src.rpm
http://grid.tsl.uu.se/review/gsi-openssh-5.6p1-3.fc15.src.rpm
http://grid.tsl.uu.se/review/gsi-openssh-5.8p2-2.fc16.src.rpm
http://grid.tsl.uu.se/review/gsi-openssh-5.9p1-1.fc17.src.rpm
SPECS:
http://grid.tsl.uu.se/review/el5/gsi-openssh.spec
http://grid.tsl.uu.se/review/el6/gsi-openssh.spec
http://grid.tsl.uu.se/review/fc14/gsi-openssh.spec
http://grid.tsl.uu.se/review/fc15/gsi-openssh.spec
http://grid.tsl.uu.se/review/fc16/gsi-openssh.spec
http://grid.tsl.uu.se/review/fc17/gsi-openssh.spec

Hello Andrew - are you still planning to do this review?

OK - my bad. I'd cleared the review flag as I didn't have time, but had left it assigned to me. Ho Hum. In that case I'll get stuck in tonight.

OK - reviewing based on installation / use tests with F16 and EL6 binaries
-- the 'tl;dr' version is "please can you check the dependencies in EL6"
given that this package needs separate src.rpm / spec files for each release I'll do a full check on each release. That said - review for F16 is fine
Normal review process:
MUST Items:
Rpmlint - src: PASS
rpmlint ./gsi-openssh-5.8p2-2.fc16.src.rpm
gsi-openssh.src: W: spelling-error %description -l en_US rlogin -> logging
gsi-openssh.src: W: spelling-error %description -l en_US rsh -> rah, rs, sh
gsi-openssh.src: W: spelling-error %description -l en_US untrusted -> entrusted, trusted, encrusted
gsi-openssh.src: W: spelling-error %description -l en_US gsissh -> Gish
gsi-openssh.src: W: strange-permission openssh-nukeacss.sh 0755L
gsi-openssh.src:48: W: macro-in-comment %{version}
gsi-openssh.src:49: W: macro-in-comment %{version}
gsi-openssh.src:222: W: macro-in-comment %triggerun
gsi-openssh.src:223: W: macro-in-comment %post
gsi-openssh.src:223: W: macro-in-comment %triggerun
gsi-openssh.src:279: W: macro-in-comment %patch22
gsi-openssh.src:394: W: rpm-buildroot-usage %build fipshmac -d $RPM_BUILD_ROOT%{_libdir}/fipscheck $RPM_BUILD_ROOT%{_bindir}/gsissh $RPM_BUILD_ROOT%{_sbindir}/gsisshd \
gsi-openssh.src: W: invalid-url Source0: openssh-5.8p2-noacss.tar.bz2
1 packages and 0 specfiles checked; 0 errors, 13 warnings.
spelling errors - false +ve
strange-permission / macro-in-comment / rpm-buildroot-usage : same as the 'normal' openssh package. Nice to clean up but upstream should be fixed too.
rpmlint built: PASS
[aelwell@pcitgtelwell review]$ rpmlint /var/lib/mock/fedora-16-x86_64/result/gsi-openssh-5.8p2-2.fc16.x86_64.rpm
gsi-openssh.x86_64: W: spelling-error %description -l en_US rlogin -> logging
gsi-openssh.x86_64: W: spelling-error %description -l en_US rsh -> rah, rs, sh
gsi-openssh.x86_64: W: spelling-error %description -l en_US untrusted -> entrusted, trusted, encrusted
gsi-openssh.x86_64: W: file-not-utf8 /usr/share/doc/gsi-openssh-5.8p2/LICENCE
gsi-openssh.x86_64: W: non-standard-gid /usr/libexec/gsissh/ssh-keysign ssh_keys
gsi-openssh.x86_64: E: setgid-binary /usr/libexec/gsissh/ssh-keysign ssh_keys 02755L
gsi-openssh.x86_64: E: non-standard-executable-perm /usr/libexec/gsissh/ssh-keysign 02755L
gsi-openssh.x86_64: W: file-not-utf8 /usr/share/doc/gsi-openssh-5.8p2/CREDITS
gsi-openssh.x86_64: E: non-readable /etc/gsissh/moduli 0600L
gsi-openssh.x86_64: W: install-file-in-docs /usr/share/doc/gsi-openssh-5.8p2/INSTALL
1 packages and 0 specfiles checked; 3 errors, 7 warnings.
The setgid Error matches that for openssh - ie
[aelwell@pcitgtelwell review]$ ls -l /usr/libexec/openssh/ssh-keysign
---x--s--x. 1 root ssh_keys 245408 Jul 25 09:47 /usr/libexec/openssh/ssh-keysign
ditto moduli:
-rw-------. 1 root root 125811 Jul 25 09:47 /etc/ssh/moduli
LICENCE and CREDITS matches upstream:
/usr/share/doc/openssh-5.8p2/LICENCE: ISO-8859 English text
/usr/share/doc/openssh-5.8p2/CREDITS: ISO-8859 English text
so overall pass
* Naming Guidelines - PASS
* Spec matches %{name}.spec - PASS (gsi-openssh)
* Packaging Guidelines - PASS
previous discussions about naming, underscores, ACSS are explained and compliant. This package reuses the openssh spec file (as a diff will show) which is approved.
* Licence - BSD - PASS.
* Spec licence must match actual - PASS (detailed description in LICENSE)
* Licence in %doc - PASS
* Spec in en_US - PASS
* md5sum of upstream - PASS - 123003edd779504e12e1c8b58e7ce5dc for main openssh-5.8p2-noacss.tar.bz2 file
-- similar status for other release sources (matches that comparable in the openssh source)
* Builds OK -- PASS For F16, on both x86_64 and i386, however the EL6 doesn't build under mock:
ERROR: Command failed:
# ['/usr/bin/yum-builddep', '--installroot', '/var/lib/mock/epel-6-x86_64/root/', '/var/lib/mock/epel-6-x86_64/root///builddir/build/SRPMS/gsi-openssh-5.3p1-3.el6.src.rpm']
Getting requirements for gsi-openssh-5.3p1-3.el6.src
--> autoconf-2.63-5.1.el6.noarch
--> automake-1.11.1-1.2.el6.noarch
--> Already installed : 4:perl-5.10.1-115.el6.x86_64
--> zlib-devel-1.2.3-25.el6.x86_64
Error: No Package found for audit-libs-devel >= 2.0.5
installed OK on F16 and sanity checked:
[aelwell@pcitgtelwell result]$ sudo yum localinstall ./gsi-openssh-clients-5.8p2-2.fc16.x86_64.rpm ./gsi-openssh-5.8p2-2.fc16.x86_64.rpm
Loaded plugins: auto-update-debuginfo, langpacks, presto, refresh-packagekit
Setting up Local Package Process
Examining ./gsi-openssh-clients-5.8p2-2.fc16.x86_64.rpm: gsi-openssh-clients-5.8p2-2.fc16.x86_64
Marking ./gsi-openssh-clients-5.8p2-2.fc16.x86_64.rpm to be installed
Examining ./gsi-openssh-5.8p2-2.fc16.x86_64.rpm: gsi-openssh-5.8p2-2.fc16.x86_64
Marking ./gsi-openssh-5.8p2-2.fc16.x86_64.rpm to be installed
Resolving Dependencies
--> Running transaction check
---> Package gsi-openssh.x86_64 0:5.8p2-2.fc16 will be installed
--> Processing Dependency: libglobus_gsi_callback.so.0()(64bit) for package: gsi-openssh-5.8p2-2.fc16.x86_64
--> Processing Dependency: libglobus_gsi_cert_utils.so.0()(64bit) for package: gsi-openssh-5.8p2-2.fc16.x86_64
--> Processing Dependency: libglobus_gsi_credential.so.1()(64bit) for package: gsi-openssh-5.8p2-2.fc16.x86_64
--> Processing Dependency: libglobus_gsi_proxy_core.so.0()(64bit) for package: gsi-openssh-5.8p2-2.fc16.x86_64
--> Processing Dependency: libglobus_gsi_sysconfig.so.1()(64bit) for package: gsi-openssh-5.8p2-2.fc16.x86_64
--> Processing Dependency: libglobus_gss_assist.so.3()(64bit) for package: gsi-openssh-5.8p2-2.fc16.x86_64
--> Processing Dependency: libglobus_gssapi_gsi.so.4()(64bit) for package: gsi-openssh-5.8p2-2.fc16.x86_64
--> Processing Dependency: libglobus_oldgaa.so.0()(64bit) for package: gsi-openssh-5.8p2-2.fc16.x86_64
--> Processing Dependency: libglobus_openssl.so.0()(64bit) for package: gsi-openssh-5.8p2-2.fc16.x86_64
--> Processing Dependency: libglobus_openssl_error.so.0()(64bit) for package: gsi-openssh-5.8p2-2.fc16.x86_64
--> Processing Dependency: libglobus_proxy_ssl.so.1()(64bit) for package: gsi-openssh-5.8p2-2.fc16.x86_64
---> Package gsi-openssh-clients.x86_64 0:5.8p2-2.fc16 will be installed
--> Running transaction check
---> Package globus-gsi-callback.x86_64 0:2.8-2.fc16 will be installed
---> Package globus-gsi-cert-utils.x86_64 0:6.7-2.fc16 will be installed
---> Package globus-gsi-credential.x86_64 0:3.5-3.fc16 will be installed
---> Package globus-gsi-openssl-error.x86_64 0:0.14-8.fc16 will be installed
---> Package globus-gsi-proxy-core.x86_64 0:4.7-2.fc16 will be installed
---> Package globus-gsi-proxy-ssl.x86_64 0:2.3-3.fc16 will be installed
---> Package globus-gsi-sysconfig.x86_64 0:3.2-1.fc16 will be installed
---> Package globus-gss-assist.x86_64 0:5.10-1.fc16 will be installed
---> Package globus-gssapi-gsi.x86_64 0:7.8-1.fc16 will be installed
---> Package globus-openssl-module.x86_64 0:1.3-3.fc16 will be installed
--> Finished Dependency Resolution
Dependencies Resolved
===========================================================================================================================================
Package Arch Version Repository Size
===========================================================================================================================================
Installing:
gsi-openssh x86_64 5.8p2-2.fc16 /gsi-openssh-5.8p2-2.fc16.x86_64 721 k
gsi-openssh-clients x86_64 5.8p2-2.fc16 /gsi-openssh-clients-5.8p2-2.fc16.x86_64 652 k
Installing for dependencies:
globus-gsi-callback x86_64 2.8-2.fc16 fedora 34 k
globus-gsi-cert-utils x86_64 6.7-2.fc16 fedora 18 k
globus-gsi-credential x86_64 3.5-3.fc16 fedora 30 k
globus-gsi-openssl-error x86_64 0.14-8.fc16 fedora 15 k
globus-gsi-proxy-core x86_64 4.7-2.fc16 fedora 30 k
globus-gsi-proxy-ssl x86_64 2.3-3.fc16 fedora 17 k
globus-gsi-sysconfig x86_64 3.2-1.fc16 fedora 26 k
globus-gss-assist x86_64 5.10-1.fc16 fedora 28 k
globus-gssapi-gsi x86_64 7.8-1.fc16 fedora 49 k
globus-openssl-module x86_64 1.3-3.fc16 fedora 14 k
Transaction Summary
===========================================================================================================================================
Install 12 Packages
Total size: 1.6 M
Total download size: 261 k
Installed size: 1.6 M
Is this ok [y/N]: y
Downloading Packages:
(1/10): globus-gsi-callback-2.8-2.fc16.x86_64.rpm | 34 kB 00:00
(2/10): globus-gsi-cert-utils-6.7-2.fc16.x86_64.rpm | 18 kB 00:00
(3/10): globus-gsi-credential-3.5-3.fc16.x86_64.rpm | 30 kB 00:00
(4/10): globus-gsi-openssl-error-0.14-8.fc16.x86_64.rpm | 15 kB 00:00
(5/10): globus-gsi-proxy-core-4.7-2.fc16.x86_64.rpm | 30 kB 00:00
(6/10): globus-gsi-proxy-ssl-2.3-3.fc16.x86_64.rpm | 17 kB 00:00
(7/10): globus-gsi-sysconfig-3.2-1.fc16.x86_64.rpm | 26 kB 00:00
(8/10): globus-gss-assist-5.10-1.fc16.x86_64.rpm | 28 kB 00:00
(9/10): globus-gssapi-gsi-7.8-1.fc16.x86_64.rpm | 49 kB 00:00
(10/10): globus-openssl-module-1.3-3.fc16.x86_64.rpm | 14 kB 00:00
-------------------------------------------------------------------------------------------------------------------------------------------
Total 209 kB/s | 261 kB 00:01
Running Transaction Check
Running Transaction Test
Transaction Test Succeeded
Running Transaction
Installing : globus-gsi-openssl-error-0.14-8.fc16.x86_64 1/12
Installing : globus-gsi-proxy-ssl-2.3-3.fc16.x86_64 2/12
Installing : globus-gsi-sysconfig-3.2-1.fc16.x86_64 3/12
Installing : globus-openssl-module-1.3-3.fc16.x86_64 4/12
Installing : globus-gsi-cert-utils-6.7-2.fc16.x86_64 5/12
Installing : globus-gsi-callback-2.8-2.fc16.x86_64 6/12
Installing : globus-gsi-credential-3.5-3.fc16.x86_64 7/12
Installing : globus-gsi-proxy-core-4.7-2.fc16.x86_64 8/12
Installing : globus-gssapi-gsi-7.8-1.fc16.x86_64 9/12
Installing : globus-gss-assist-5.10-1.fc16.x86_64 10/12
Installing : gsi-openssh-5.8p2-2.fc16.x86_64 11/12
Installing : gsi-openssh-clients-5.8p2-2.fc16.x86_64 12/12
Installed:
gsi-openssh.x86_64 0:5.8p2-2.fc16 gsi-openssh-clients.x86_64 0:5.8p2-2.fc16
Dependency Installed:
globus-gsi-callback.x86_64 0:2.8-2.fc16 globus-gsi-cert-utils.x86_64 0:6.7-2.fc16 globus-gsi-credential.x86_64 0:3.5-3.fc16
globus-gsi-openssl-error.x86_64 0:0.14-8.fc16 globus-gsi-proxy-core.x86_64 0:4.7-2.fc16 globus-gsi-proxy-ssl.x86_64 0:2.3-3.fc16
globus-gsi-sysconfig.x86_64 0:3.2-1.fc16 globus-gss-assist.x86_64 0:5.10-1.fc16 globus-gssapi-gsi.x86_64 0:7.8-1.fc16
globus-openssl-module.x86_64 0:1.3-3.fc16
Complete!
[aelwell@pcitgtelwell result]$ gsissh -V
OpenSSH_5.8p1 GSI_GSSAPI_20110531 GSI, OpenSSL 1.0.0e-fips 6 Sep 2011
* Excluded Arch - None Mentioned. N/A
* BuildRequires - PASS
* locales - None listed - PASS
* Shared libraries call ldconfig - N/A
* System Libraries - None bundled. PASS
* Non-relocatable package - N/A
* Directory Ownership - PASS
* Dup files listed in spec - PASS
* Permissions - PASS. see note above about setgid.
* Macros - PASS
* Package contains code - PASS
* -doc subpackage - N/A - small no of small files.
* %doc files non-critical - PASS
* -devel package - N/A - no .h files bundled
* -static package - N/A - no static libs bundled
* suffixed library files - N/A - none bundled.
* devel is fully versioned - N/A - no -devel package built.
* Libtool .la - PASS. None present
* GUI - PASS. N/A
* owning other files - PASS. clashing (manpage / openssh) files are removed at build time.
* UTF-8 filenames - PASS.
SHOULD Items:
* Licence file - PASS. As upstream.
* non-english - N/A - Same as upstream openssh
* mockbuilds - PASS (F16 / EL6 tested)
* Functional tests:
F16-x86_64 client OK, Positive fail against a machine my key's NOT installed on:
[aelwell@pcitgtelwell review]$ voms-proxy-init --debug
Detected Globus version: 2.2
Unspecified proxy version, settling on Globus version: 2
Number of bits in key :1024
Files being used:
CA certificate file: none
Trusted certificates directory : /etc/grid-security/certificates
Proxy certificate file : /tmp/x509up_u500
User certificate file: /home/aelwell/.globus/usercert.pem
User key file: /home/aelwell/.globus/userkey.pem
Output to /tmp/x509up_u500
Enter GRID pass phrase:
Your identity: /DC=ch/DC=cern/OU=Organic Units/OU=Users/CN=aelwell/CN=671736/CN=Andrew Elwell
Creating proxy to /tmp/x509up_u500 .....................................++++++
.....++++++
Done
Your proxy is valid until Wed Nov 16 23:55:59 2011
[aelwell@pcitgtelwell review]$ gsissh -vv voalice12 -p 1975
OpenSSH_5.8p1 GSI_GSSAPI_20110531 GSI, OpenSSL 1.0.0e-fips 6 Sep 2011
debug1: Reading configuration data /home/aelwell/.ssh/config
debug1: Applying options for *
debug1: Reading configuration data /etc/gsissh/ssh_config
debug1: Applying options for *
debug2: ssh_connect: needpriv 0
debug1: Connecting to voalice12 [128.142.198.14] port 1975.
debug1: Connection established.
debug2: key_type_from_name: unknown key type '-----BEGIN'
debug2: key_type_from_name: unknown key type 'Proc-Type:'
debug2: key_type_from_name: unknown key type 'DEK-Info:'
debug2: key_type_from_name: unknown key type '-----END'
debug1: identity file /home/aelwell/.ssh/id_rsa type 1
debug1: identity file /home/aelwell/.ssh/id_rsa-cert type -1
debug1: identity file /home/aelwell/.ssh/id_dsa type -1
debug1: identity file /home/aelwell/.ssh/id_dsa-cert type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.0p1-hpn13v1 NCSA_GSSAPI_GPT_4.3 GSI
debug1: match: OpenSSH_5.0p1-hpn13v1 NCSA_GSSAPI_GPT_4.3 GSI pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.8
debug2: fd 3 setting O_NONBLOCK
debug1: Offering GSSAPI proposal: gss-gex-sha1-dZuIebMjgUqaxvbF7hDbAw==,gss-group1-sha1-dZuIebMjgUqaxvbF7hDbAw==,gss-group14-sha1-dZuIebMjgUqaxvbF7hDbAw==
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug2: kex_parse_kexinit: gss-gex-sha1-dZuIebMjgUqaxvbF7hDbAw==,gss-group1-sha1-dZuIebMjgUqaxvbF7hDbAw==,gss-group14-sha1-dZuIebMjgUqaxvbF7hDbAw==,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa-cert-v01,ssh-rsa-cert-v00,ssh-rsa,ssh-dss-cert-v01,ssh-dss-cert-v00,ssh-dss,null
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc.se
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc.se
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64,hmac-ripemd160,hmac-ripemd160,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64,hmac-ripemd160,hmac-ripemd160,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib,zlib
debug2: kex_parse_kexinit: none,zlib,zlib
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: kex_parse_kexinit: gss-gex-sha1-dZuIebMjgUqaxvbF7hDbAw==,gss-group1-sha1-dZuIebMjgUqaxvbF7hDbAw==,gss-group14-sha1-dZuIebMjgUqaxvbF7hDbAw==,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc.se,aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc.se,aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64,hmac-ripemd160,hmac-ripemd160,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64,hmac-ripemd160,hmac-ripemd160,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib
debug2: kex_parse_kexinit: none,zlib
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: mac_setup: found hmac-md5
debug1: kex: server->client aes128-ctr hmac-md5 none
debug2: mac_setup: found hmac-md5
debug1: kex: client->server aes128-ctr hmac-md5 none
debug1: Doing group exchange
debug2: dh_gen_key: priv key bits set: 131/256
debug2: bits set: 527/1024
debug1: Calling gss_init_sec_context
debug1: Delegating credentials
debug1: Received GSSAPI_CONTINUE
debug1: Calling gss_init_sec_context
debug1: Delegating credentials
debug1: Received GSSAPI_CONTINUE
debug1: Calling gss_init_sec_context
debug1: Delegating credentials
debug1: Received GSSAPI_CONTINUE
debug1: Calling gss_init_sec_context
debug1: Delegating credentials
debug1: Received GSSAPI_COMPLETE
debug2: bits set: 508/1024
debug1: Rekey has happened - updating saved versions
debug2: kex_derive_keys
debug2: set_newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug2: set_newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: Roaming not allowed by server
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug2: key: /home/aelwell/.ssh/id_rsa (0x7fcff4b0c750)
debug2: key: aelwell.ch (0x7fcff4b7d5d0)
debug2: key: /home/aelwell/.ssh/id_dsa ((nil))
debug1: Authentications that can continue: gssapi-keyex,external-keyx,gssapi-with-mic,gssapi
debug1: Next authentication method: gssapi-keyex
debug2: we sent a gssapi-keyex packet, wait for reply
debug1: Remote: failed to set username from gssapi context
debug1: Authentications that can continue: gssapi-keyex,external-keyx,gssapi-with-mic,gssapi
debug2: we did not send a packet, disable method
debug1: Next authentication method: gssapi-with-mic
debug2: we sent a gssapi-with-mic packet, wait for reply
debug1: Delegating credentials
debug1: Delegating credentials
debug1: Delegating credentials
debug1: Delegating credentials
debug1: Authentications that can continue: gssapi-keyex,external-keyx,gssapi-with-mic,gssapi
debug2: we did not send a packet, disable method
debug1: No more authentication methods to try.
Permission denied (gssapi-keyex,external-keyx,gssapi-with-mic,gssapi).
I'd install the server but mockbuild on EL6 fails
Mock build results -

EPEL5 - i386, x86_64 - Both OK
INFO: Done(gsi-openssh-4.3p2-3.el5.src.rpm) Config(epel-5-i386) 7 minutes 50 seconds
INFO: Done(gsi-openssh-4.3p2-3.el5.src.rpm) Config(epel-5-x86_64) 7 minutes 30 seconds

EPEL6 - i386, x86_64 - Both FAILED -
ERROR: Exception(gsi-openssh-5.3p1-3.el6.src.rpm) Config(epel-6-i386) 1 minutes 38 seconds
ERROR: Exception(gsi-openssh-5.3p1-3.el6.src.rpm) Config(epel-6-x86_64) 0 minutes 34 seconds
Error: No Package found for audit-libs-devel >= 2.0.5

Fedora-14 - i386,x86_64 - Both OK
INFO: Done(gsi-openssh-5.5p1-3.fc14.src.rpm) Config(fedora-14-i386) 5 minutes 15 seconds
INFO: Done(gsi-openssh-5.5p1-3.fc14.src.rpm) Config(fedora-14-x86_64) 3 minutes 28 seconds

Fedora-15 - i386,x86_64 - both OK
INFO: Done(gsi-openssh-5.6p1-3.fc15.src.rpm) Config(fedora-15-i386) 3 minutes 46 seconds
INFO: Done(gsi-openssh-5.6p1-3.fc15.src.rpm) Config(fedora-15-x86_64) 6 minutes 29 seconds

Fedora-16 - i386,x86_64 - Both OK (see comment above)

Fedora-17 (rawhide) - i386,x86_64 - OK
INFO: Done(gsi-openssh-5.9p1-1.fc17.src.rpm) Config(fedora-rawhide-i386) 5 minutes 28 seconds
INFO: Done(gsi-openssh-5.9p1-1.fc17.src.rpm) Config(fedora-rawhide-x86_64) 5 minutes 32 seconds

Given the above, I'm happy to mark as OK once the EL6 one builds OK

The epel 6 srpm builds OK for me as a koji scratch build for the dist-6E-epel build target:
https://koji.fedoraproject.org/koji/taskinfo?taskID=3521322
Mattias

Many thanks for the review!
Mattias
New Package SCM Request
=======================
Package Name: gsi-openssh
Short Description: An implementation of the SSH protocol with GSI authentication
Owners: ellert
Branches: f15 f16 el5 el6
InitialCC:
Git done (by process-git-requests).

gsi-openssh-5.3p1-3.el6 has been submitted as an update for Fedora EPEL 6.
https://admin.fedoraproject.org/updates/gsi-openssh-5.3p1-3.el6

gsi-openssh-4.3p2-3.el5 has been submitted as an update for Fedora EPEL 5.
https://admin.fedoraproject.org/updates/gsi-openssh-4.3p2-3.el5

gsi-openssh-5.6p1-3.fc15 has been submitted as an update for Fedora 15.
https://admin.fedoraproject.org/updates/gsi-openssh-5.6p1-3.fc15

gsi-openssh-5.8p2-2.fc16 has been submitted as an update for Fedora 16.
https://admin.fedoraproject.org/updates/gsi-openssh-5.8p2-2.fc16

gsi-openssh-5.3p1-3.el6 has been pushed to the Fedora EPEL 6 testing repository.

gsi-openssh-5.6p1-3.fc15 has been pushed to the Fedora 15 stable repository.

gsi-openssh-5.8p2-2.fc16 has been pushed to the Fedora 16 stable repository.

gsi-openssh-4.3p2-3.el5 has been pushed to the Fedora EPEL 5 stable repository.

gsi-openssh-5.3p1-3.el6 has been pushed to the Fedora EPEL 6 stable repository.