Bug 683587 - Review Request: gsi-openssh - An implementation of the SSH protocol with GSI authentication
Status: CLOSED ERRATA
Product: Fedora
Classification: Fedora
Component: Package Review
Version: rawhide
Hardware: All Linux
Priority: medium, Severity: medium
Assigned To: Andrew Elwell
QA Contact: Fedora Extras Quality Assurance
Reported: 2011-03-09 14:15 EST by Mattias Ellert
Modified: 2011-12-03 15:54 EST
Fixed In Version: gsi-openssh-5.3p1-3.el6
Doc Type: Bug Fix
Last Closed: 2011-11-27 16:54:20 EST
andrew.elwell: fedora‑review+
limburgher: fedora‑cvs+


Description Mattias Ellert 2011-03-09 14:15:05 EST
Spec URL:
http://www.grid.tsl.uu.se/review/el5/gsissh.spec
http://www.grid.tsl.uu.se/review/el6/gsissh.spec
http://www.grid.tsl.uu.se/review/fc14/gsissh.spec
http://www.grid.tsl.uu.se/review/fc15/gsissh.spec
http://www.grid.tsl.uu.se/review/fc16/gsissh.spec

SRPM URL:
http://www.grid.tsl.uu.se/review/gsissh-4.3p2-1.el5.src.rpm
http://www.grid.tsl.uu.se/review/gsissh-5.3p1-1.el6.src.rpm
http://www.grid.tsl.uu.se/review/gsissh-5.5p1-1.fc14.src.rpm
http://www.grid.tsl.uu.se/review/gsissh-5.6p1-1.fc15.src.rpm
http://www.grid.tsl.uu.se/review/gsissh-5.8p1-1.fc16.src.rpm

Description:
This is a modified version of openssh that supports GSI authentication. It is not possible to apply the patch to the normal openssh package without losing functionality, since you cannot compile openssh with support for GSI and Kerberos at the same time, and the normal openssh package is compiled with Kerberos support. Instead this parallel installable package can be used when GSI authentication is needed.

The source RPMS are based on the normal openssh packages for each release, using the same versions and applying the same patches with the addition of the patch that implements the GSI support. This was done in order to ensure compatibility and minimize the risk of introducing security problems.
Comment 1 Christos Triantafyllidis 2011-03-14 04:09:38 EDT
Hi Mattias,
   although I can only do an unofficial review, I think that there is an issue with these packages. As rpmlint reports, there is no link to upstream source packages. (I'm putting just the el5 report):
$ rpmlint gsissh.el5.spec
gsissh.el5.spec:37: W: macro-in-comment %{version}
gsissh.el5.spec:38: W: macro-in-comment %{version}
gsissh.el5.spec:327: W: rpm-buildroot-usage %build fipshmac $RPM_BUILD_ROOT%{_bindir}/gsissh \
gsissh.el5.spec:328: W: rpm-buildroot-usage %build fipshmac $RPM_BUILD_ROOT%{_sbindir}/gsisshd \
gsissh.el5.spec: W: invalid-url Source0: openssh-4.3p2-noacss.tar.bz2
0 packages and 1 specfiles checked; 0 errors, 5 warnings.

I saw your comment about the ACSS in the SPEC file but I think this would be much much clearer if you used the upstream openssh package and added a patch file that removes the ACSS cipher.

Fedora reviewing guidelines require:
MUST: The sources used to build the package must match the upstream source, as provided in the spec URL. Reviewers should use md5sum for this task. If no upstream URL can be specified for this package, please see the Source URL Guidelines for how to deal with this.

Regards,
Christos
Comment 2 Mattias Ellert 2011-03-14 04:46:58 EDT
(In reply to comment #1)

> I saw your comment about the ACSS in the SPEC file but I think this would be
> much much clearer if you used the upstream openssh package and added a patch
> file that removes the ACSS cipher.
> 
> Fedora reviewing guidelines require:
> MUST: The sources used to build the package must match the upstream source, as
> provided in the spec URL. Reviewers should use md5sum for this task. If no
> upstream URL can be specified for this package, please see the Source URL
> Guidelines for how to deal with this.

Most of the gsissh specfile is copied from the openssh specfile, including the part regarding the source. The source tarball is the same as in the openssh package.

It is not possible to do the removal of the ACSS sources in %prep only, since they cannot be legally distributed. This is not a case of "make sure the code is not used during the build", but a case of "make sure the sources are not illegally redistributed by Fedora inside the source RPM". The spec is compliant with the guidelines for this case:

http://fedoraproject.org/wiki/Packaging:SourceURL#When_Upstream_uses_Prohibited_Code
Comment 3 Orion Poplawski 2011-04-04 11:13:40 EDT
Andrew - Are you going to review this?
Comment 4 Brian Bockelman 2011-07-07 09:08:18 EDT
Hi,

I just tested the posted SRPM for RHEL5.  Builds fine in mock for me.  However, when I try to use the service, I get:

[brian@brian-test vdt-release]$ sudo /sbin/service gsisshd start
Starting gsisshd: Could not load host key: /etc/gsissh/ssh_host_rsa_key
Could not load host key: /etc/gsissh/ssh_host_dsa_key
                                                           [  OK  ]

I hand-generated new keys and hand-changed the port to 23 from 22 (conflicting with normal SSH), and the server worked.  Even properly invokes the Globus plugin infrastructure!

However, when logging out, zombie processes were left over.  Process tree looks like this:

root      6807  0.0  0.0 165308  6052 ?        Ssl  07:42   0:00 gsisshd: brian [priv]
brian     6823  0.0  0.0 165308  3208 ?        S    07:42   0:00  \_ gsisshd: brian@pts/11
brian     6824  0.0  0.0      0     0 ?        Zs   07:42   0:00      \_ [bash] <defunct>

After installing debuginfo RPMs, I see that the middle process (6823) has the following stack trace:

(gdb) bt
#0  0x00007f1123eeb212 in select () from /lib64/libc.so.6
#1  0x00007f11281f1cad in wait_until_can_do_something (readsetp=0x7fffa66904a8, writesetp=0x7fffa66904a0, maxfdp=0x7fffa66904b4, 
    nallocp=0x7fffa66904b0, max_time_milliseconds=0) at serverloop.c:338
#2  0x00007f11281f2660 in server_loop2 (authctxt=<value optimized out>) at serverloop.c:810
#3  0x00007f11281f9c7f in do_authenticated2 (authctxt=0x7f11293cbbb0) at session.c:2506
#4  do_authenticated (authctxt=0x7f11293cbbb0) at session.c:226
#5  0x00007f11281ebf00 in main (ac=<value optimized out>, av=<value optimized out>) at sshd.c:1797

Maybe we should bring the gsissh devs into the loop on this one?
Comment 5 Jim Basney 2011-07-07 09:52:30 EDT
The zombie process issue is caused by the Globus pthr libraries blocking SIGCHLD:

  https://bugzilla.mcs.anl.gov/globus/show_bug.cgi?id=7105

It is fixed in the Globus Toolkit v5.1.0 libraries. The problem does not occur with earlier non-pthr Globus libraries.
Comment 6 Brian Bockelman 2011-07-07 12:31:32 EDT
Hi Jim,

I can't quite tell from the comments on the ticket: is it possible to fix this?  Or should we just hold off here until Globus 5.2.

FWIW - OSG is switching to EPEL's Globus, meaning that we're going to have to make gsissh work *somehow*.  It's just a matter of "how dirty do our hands get"?

Brian
Comment 7 Jim Basney 2011-07-07 12:39:43 EDT
I suppose it'd be possible to patch the gsissh sources to unblock the signals after the pthr Globus libraries block them, if you're forced to use pre-5.1.0 pthr Globus libraries.
Comment 8 Brian Bockelman 2011-07-07 21:20:05 EDT
Hi Jim,

I tried a few approaches:
- Re-install the signal handlers after globus is initialized
- Hook the OpenSSH signal handlers into the globus callback system.

No dice on either.  Can you take a whack at it for me?  Maybe you'll see something I missed.  We still very much desire it!

Brian
Comment 9 Jim Basney 2011-07-08 11:08:03 EDT
Brian,

Are you sure you unblocked the signals in the main OpenSSH thread? Here's the work-around I added in MyProxy for this Globus pthr library issue:

  http://lists.globus.org/pipermail/myproxy-commit/2010-June/000429.html

Of course MyProxy is much simpler than OpenSSH. The fact that the OpenSSH server forks multiple processes per incoming connection may mean that you need work-arounds in multiple places.

The Globus pthr libraries are simply not designed for applications that don't use the Globus threading API, which is why I've always recommended use of non-pthr Globus libraries with GSI-OpenSSH.

-Jim
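
Added example (not the MyProxy commit, the gsissh patch, or any code from the projects discussed in this thread): a minimal C reproduction of the failure mode described in comments 5 to 9, where a library leaves SIGCHLD blocked so the server's reaping handler never runs and the exited child stays a zombie, next to the work-around of unblocking the signal after initialization. `library_init_blocks_sigchld` is a hypothetical stand-in for the library initializer; all function names here are assumptions.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L
#endif
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <time.h>
#include <unistd.h>

static volatile sig_atomic_t reaped;

/* Forking-server style SIGCHLD handler: reap every child that has exited. */
static void on_sigchld(int sig)
{
    int saved_errno = errno;
    (void)sig;
    while (waitpid(-1, NULL, WNOHANG) > 0)
        reaped++;
    errno = saved_errno;
}

/* Hypothetical stand-in for a library init routine that blocks SIGCHLD in
 * the calling thread. The blocked mask is inherited across fork(), so every
 * per-connection process forked afterwards starts with it as well. */
static void library_init_blocks_sigchld(void)
{
    sigset_t set;
    sigemptyset(&set);
    sigaddset(&set, SIGCHLD);
    sigprocmask(SIG_BLOCK, &set, NULL);
}

/* The work-around: unblock SIGCHLD again once the library has initialized. */
static void unblock_sigchld(void)
{
    sigset_t set;
    sigemptyset(&set);
    sigaddset(&set, SIGCHLD);
    sigprocmask(SIG_UNBLOCK, &set, NULL);
}

/* True when a SIGCHLD has been raised but is held back by the signal mask. */
static int sigchld_pending(void)
{
    sigset_t pend;
    sigemptyset(&pend);
    sigpending(&pend);
    return sigismember(&pend, SIGCHLD) == 1;
}

/* Runs one fork/exit cycle. Returns how many children the handler reaped
 * while the scenario's mask was in effect (-1 on fork failure) and sets
 * *zombie_seen to 1 if the exited child was left unreaped. */
int run_scenario(int apply_workaround, int *zombie_seen)
{
    struct sigaction sa, old_sa;
    sigset_t old_mask;
    siginfo_t info;
    struct timespec tick = { 0, 10 * 1000 * 1000 };   /* 10 ms */
    int i, result = -1;
    pid_t pid;

    sigprocmask(SIG_SETMASK, NULL, &old_mask);        /* remember caller's mask */
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_sigchld;
    sigemptyset(&sa.sa_mask);
    sa.sa_flags = SA_RESTART;
    sigaction(SIGCHLD, &sa, &old_sa);
    reaped = 0;
    *zombie_seen = 0;

    library_init_blocks_sigchld();
    if (apply_workaround)
        unblock_sigchld();

    pid = fork();
    if (pid == 0)
        _exit(0);                                     /* child exits at once */
    if (pid > 0) {
        /* Wait until the handler has run, or until SIGCHLD sits pending. */
        for (i = 0; i < 300 && reaped == 0 && !sigchld_pending(); i++)
            nanosleep(&tick, NULL);
        result = reaped;
        /* WNOWAIT inspects the child without reaping it. */
        memset(&info, 0, sizeof info);
        if (waitid(P_PID, (id_t)pid, &info, WEXITED | WNOHANG | WNOWAIT) == 0
            && info.si_pid == pid)
            *zombie_seen = 1;
        unblock_sigchld();                            /* cleanup: pending signal fires */
        waitpid(pid, NULL, 0);                        /* ECHILD if already reaped */
    }
    sigaction(SIGCHLD, &old_sa, NULL);
    sigprocmask(SIG_SETMASK, &old_mask, NULL);
    return result;
}

int main(void)
{
    int zombie;
    int n = run_scenario(0, &zombie);
    printf("SIGCHLD left blocked: handler reaped %d, zombie left: %d\n", n, zombie);
    n = run_scenario(1, &zombie);
    printf("SIGCHLD unblocked:    handler reaped %d, zombie left: %d\n", n, zombie);
    return 0;
}
```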
Comment 10 Brian Bockelman 2011-08-03 14:56:38 EDT
Hi Jim,

I figured out what I was doing wrong.  Here's an SRPM with the issue fixed:

http://vdt.cs.wisc.edu/repos/3.0/el5/development/src/gsissh-4.3p2-2.osg.src.rpm

I also changed around some defaults in sshd_config so "yum install gsissh-server && service gsisshd start" Just Works.

Brian
Comment 12 Brian Bockelman 2011-08-12 07:30:28 EDT
I talked to the upstream folks a bit.  Apparently, they are also preparing a gsissh RPM (which looks to be in decent shape) for GT5.2.

However, they are calling it "gsi_openssh" while this package is called "gsissh".  Is it worth it to rename the package in hopes that we can align better with upstream?
Comment 13 Mattias Ellert 2011-08-12 09:30:51 EDT
(In reply to comment #12)
> However, they are calling it "gsi_openssh" ...

Having an underscore in the name is a bad idea. The globus RPM packages are named "globus-common" etc, and not "globus_common" etc which are the internal GPT package names, for good reasons.

The underscore is part of the set of characters allowed in package names in the Fedora Guidelines, however its use is discouraged since the guidelines also say: "When naming packages for Fedora, the maintainer must use the dash '-' as the delimiter for name parts. The maintainer must NOT use an underscore '_', a plus '+', or a period '.' as a delimiter."

Also, having an underscore in the name makes it impossible to comply with the guideline that says "If this package has been packaged by other distributions/packagers in the past, then you should try to match their name for consistency", since other distributions like Debian don't allow underscores at all in the package names.

Naming it "gsi-openssh" would be an acceptable name though - if that is preferred. Looking at the upstream 5.1.1 alpha release it looks like upstream did the right thing for their debian packages and called them gsi-openssh. Why they screwed up with the RPMs I don't know.
Comment 14 Brian Bockelman 2011-09-22 09:10:04 EDT
Alright - the next upstream release correctly calls this "gsi-openssh", and it doesn't need the patch.

The two options I see are:
1) Wait until Fedora goes to GT 5.2.  We've been testing the pre-release pretty hard, and the upstream RPMs are getting closer to Fedora-quality.
2) Rename the posted package to "gsi-openssh" and include my patch - this prevents us from having to rename it in 6 months.
Comment 16 Mattias Ellert 2011-11-15 12:23:56 EST
Hello Andrew - are you still planning to do this review?
Comment 17 Andrew Elwell 2011-11-15 15:12:23 EST
OK - my bad. I'd cleared the review flag as I didn't have time, but had left it assigned to me. Ho Hum. In that case I'll get stuck in tonight.
Comment 18 Andrew Elwell 2011-11-16 06:07:21 EST
OK - reviewing based on installation / use tests with F16 and EL6 binaries
-- the 'tl;dr' version is "please can you check the dependencies in EL6"

Given that this package needs separate src.rpm / spec files for each release I'll do a full check on each release. That said - review for F16 is fine

Normal review process:

MUST Items:
Rpmlint - src: PASS

rpmlint ./gsi-openssh-5.8p2-2.fc16.src.rpm 
gsi-openssh.src: W: spelling-error %description -l en_US rlogin -> logging
gsi-openssh.src: W: spelling-error %description -l en_US rsh -> rah, rs, sh
gsi-openssh.src: W: spelling-error %description -l en_US untrusted -> entrusted, trusted, encrusted
gsi-openssh.src: W: spelling-error %description -l en_US gsissh -> Gish
gsi-openssh.src: W: strange-permission openssh-nukeacss.sh 0755L
gsi-openssh.src:48: W: macro-in-comment %{version}
gsi-openssh.src:49: W: macro-in-comment %{version}
gsi-openssh.src:222: W: macro-in-comment %triggerun
gsi-openssh.src:223: W: macro-in-comment %post
gsi-openssh.src:223: W: macro-in-comment %triggerun
gsi-openssh.src:279: W: macro-in-comment %patch22
gsi-openssh.src:394: W: rpm-buildroot-usage %build fipshmac -d $RPM_BUILD_ROOT%{_libdir}/fipscheck $RPM_BUILD_ROOT%{_bindir}/gsissh $RPM_BUILD_ROOT%{_sbindir}/gsisshd \
gsi-openssh.src: W: invalid-url Source0: openssh-5.8p2-noacss.tar.bz2
1 packages and 0 specfiles checked; 0 errors, 13 warnings.

spelling errors - false +ve
strange-permission / macro-in-comment / rpm-buildroot-usage : same as the 'normal' openssh package. Nice to clean up but upstream should be fixed too. 


rpmlint built: PASS
[aelwell@pcitgtelwell review]$ rpmlint /var/lib/mock/fedora-16-x86_64/result/gsi-openssh-5.8p2-2.fc16.x86_64.rpm 
gsi-openssh.x86_64: W: spelling-error %description -l en_US rlogin -> logging
gsi-openssh.x86_64: W: spelling-error %description -l en_US rsh -> rah, rs, sh
gsi-openssh.x86_64: W: spelling-error %description -l en_US untrusted -> entrusted, trusted, encrusted
gsi-openssh.x86_64: W: file-not-utf8 /usr/share/doc/gsi-openssh-5.8p2/LICENCE
gsi-openssh.x86_64: W: non-standard-gid /usr/libexec/gsissh/ssh-keysign ssh_keys
gsi-openssh.x86_64: E: setgid-binary /usr/libexec/gsissh/ssh-keysign ssh_keys 02755L
gsi-openssh.x86_64: E: non-standard-executable-perm /usr/libexec/gsissh/ssh-keysign 02755L
gsi-openssh.x86_64: W: file-not-utf8 /usr/share/doc/gsi-openssh-5.8p2/CREDITS
gsi-openssh.x86_64: E: non-readable /etc/gsissh/moduli 0600L
gsi-openssh.x86_64: W: install-file-in-docs /usr/share/doc/gsi-openssh-5.8p2/INSTALL
1 packages and 0 specfiles checked; 3 errors, 7 warnings.

The setgid Error matches that for openssh - ie
[aelwell@pcitgtelwell review]$ ls -l /usr/libexec/openssh/ssh-keysign 
---x--s--x. 1 root ssh_keys 245408 Jul 25 09:47 /usr/libexec/openssh/ssh-keysign
ditto moduli:
-rw-------. 1 root root 125811 Jul 25 09:47 /etc/ssh/moduli

LICENCE and CREDITS matches upstream:
/usr/share/doc/openssh-5.8p2/LICENCE: ISO-8859 English text
/usr/share/doc/openssh-5.8p2/CREDITS: ISO-8859 English text

so overall pass


* Naming Guidelines - PASS 
* Spec matches %{name}.spec - PASS (gsi-openssh)
* Packaging Guidelines - PASS
   previous discussions about naming, underscores, ACSS are explained and compliant. This package reuses the openssh spec file (as a diff will show) which is approved.
* Licence - BSD - PASS.
* Spec licence must match actual - PASS (detailed description in LICENSE)
* Licence in %doc - PASS
* Spec in en_US - PASS
* md5sum of upstream - PASS - 123003edd779504e12e1c8b58e7ce5dc for main openssh-5.8p2-noacss.tar.bz2 file
  -- similar status for other release sources (matches that comparable in the openssh source)
* Builds OK -- PASS For F16, on both x86_64 and i386, however the EL6 doesn't build under mock:
ERROR: Command failed: 
 # ['/usr/bin/yum-builddep', '--installroot', '/var/lib/mock/epel-6-x86_64/root/', '/var/lib/mock/epel-6-x86_64/root///builddir/build/SRPMS/gsi-openssh-5.3p1-3.el6.src.rpm']
Getting requirements for gsi-openssh-5.3p1-3.el6.src
 --> autoconf-2.63-5.1.el6.noarch
 --> automake-1.11.1-1.2.el6.noarch
 --> Already installed : 4:perl-5.10.1-115.el6.x86_64
 --> zlib-devel-1.2.3-25.el6.x86_64
Error: No Package found for audit-libs-devel >= 2.0.5

 

installed OK on F16 and sanity checked:

[aelwell@pcitgtelwell result]$ sudo yum localinstall ./gsi-openssh-clients-5.8p2-2.fc16.x86_64.rpm ./gsi-openssh-5.8p2-2.fc16.x86_64.rpm 
Loaded plugins: auto-update-debuginfo, langpacks, presto, refresh-packagekit
Setting up Local Package Process
Examining ./gsi-openssh-clients-5.8p2-2.fc16.x86_64.rpm: gsi-openssh-clients-5.8p2-2.fc16.x86_64
Marking ./gsi-openssh-clients-5.8p2-2.fc16.x86_64.rpm to be installed
Examining ./gsi-openssh-5.8p2-2.fc16.x86_64.rpm: gsi-openssh-5.8p2-2.fc16.x86_64
Marking ./gsi-openssh-5.8p2-2.fc16.x86_64.rpm to be installed
Resolving Dependencies
--> Running transaction check
---> Package gsi-openssh.x86_64 0:5.8p2-2.fc16 will be installed
--> Processing Dependency: libglobus_gsi_callback.so.0()(64bit) for package: gsi-openssh-5.8p2-2.fc16.x86_64
--> Processing Dependency: libglobus_gsi_cert_utils.so.0()(64bit) for package: gsi-openssh-5.8p2-2.fc16.x86_64
--> Processing Dependency: libglobus_gsi_credential.so.1()(64bit) for package: gsi-openssh-5.8p2-2.fc16.x86_64
--> Processing Dependency: libglobus_gsi_proxy_core.so.0()(64bit) for package: gsi-openssh-5.8p2-2.fc16.x86_64
--> Processing Dependency: libglobus_gsi_sysconfig.so.1()(64bit) for package: gsi-openssh-5.8p2-2.fc16.x86_64
--> Processing Dependency: libglobus_gss_assist.so.3()(64bit) for package: gsi-openssh-5.8p2-2.fc16.x86_64
--> Processing Dependency: libglobus_gssapi_gsi.so.4()(64bit) for package: gsi-openssh-5.8p2-2.fc16.x86_64
--> Processing Dependency: libglobus_oldgaa.so.0()(64bit) for package: gsi-openssh-5.8p2-2.fc16.x86_64
--> Processing Dependency: libglobus_openssl.so.0()(64bit) for package: gsi-openssh-5.8p2-2.fc16.x86_64
--> Processing Dependency: libglobus_openssl_error.so.0()(64bit) for package: gsi-openssh-5.8p2-2.fc16.x86_64
--> Processing Dependency: libglobus_proxy_ssl.so.1()(64bit) for package: gsi-openssh-5.8p2-2.fc16.x86_64
---> Package gsi-openssh-clients.x86_64 0:5.8p2-2.fc16 will be installed
--> Running transaction check
---> Package globus-gsi-callback.x86_64 0:2.8-2.fc16 will be installed
---> Package globus-gsi-cert-utils.x86_64 0:6.7-2.fc16 will be installed
---> Package globus-gsi-credential.x86_64 0:3.5-3.fc16 will be installed
---> Package globus-gsi-openssl-error.x86_64 0:0.14-8.fc16 will be installed
---> Package globus-gsi-proxy-core.x86_64 0:4.7-2.fc16 will be installed
---> Package globus-gsi-proxy-ssl.x86_64 0:2.3-3.fc16 will be installed
---> Package globus-gsi-sysconfig.x86_64 0:3.2-1.fc16 will be installed
---> Package globus-gss-assist.x86_64 0:5.10-1.fc16 will be installed
---> Package globus-gssapi-gsi.x86_64 0:7.8-1.fc16 will be installed
---> Package globus-openssl-module.x86_64 0:1.3-3.fc16 will be installed
--> Finished Dependency Resolution

Dependencies Resolved

===========================================================================================================================================
 Package                             Arch              Version                   Repository                                           Size
===========================================================================================================================================
Installing:
 gsi-openssh                         x86_64            5.8p2-2.fc16              /gsi-openssh-5.8p2-2.fc16.x86_64                    721 k
 gsi-openssh-clients                 x86_64            5.8p2-2.fc16              /gsi-openssh-clients-5.8p2-2.fc16.x86_64            652 k
Installing for dependencies:
 globus-gsi-callback                 x86_64            2.8-2.fc16                fedora                                               34 k
 globus-gsi-cert-utils               x86_64            6.7-2.fc16                fedora                                               18 k
 globus-gsi-credential               x86_64            3.5-3.fc16                fedora                                               30 k
 globus-gsi-openssl-error            x86_64            0.14-8.fc16               fedora                                               15 k
 globus-gsi-proxy-core               x86_64            4.7-2.fc16                fedora                                               30 k
 globus-gsi-proxy-ssl                x86_64            2.3-3.fc16                fedora                                               17 k
 globus-gsi-sysconfig                x86_64            3.2-1.fc16                fedora                                               26 k
 globus-gss-assist                   x86_64            5.10-1.fc16               fedora                                               28 k
 globus-gssapi-gsi                   x86_64            7.8-1.fc16                fedora                                               49 k
 globus-openssl-module               x86_64            1.3-3.fc16                fedora                                               14 k

Transaction Summary
===========================================================================================================================================
Install      12 Packages

Total size: 1.6 M
Total download size: 261 k
Installed size: 1.6 M
Is this ok [y/N]: y
Downloading Packages:
(1/10): globus-gsi-callback-2.8-2.fc16.x86_64.rpm                                                                   |  34 kB     00:00     
(2/10): globus-gsi-cert-utils-6.7-2.fc16.x86_64.rpm                                                                 |  18 kB     00:00     
(3/10): globus-gsi-credential-3.5-3.fc16.x86_64.rpm                                                                 |  30 kB     00:00     
(4/10): globus-gsi-openssl-error-0.14-8.fc16.x86_64.rpm                                                             |  15 kB     00:00     
(5/10): globus-gsi-proxy-core-4.7-2.fc16.x86_64.rpm                                                                 |  30 kB     00:00     
(6/10): globus-gsi-proxy-ssl-2.3-3.fc16.x86_64.rpm                                                                  |  17 kB     00:00     
(7/10): globus-gsi-sysconfig-3.2-1.fc16.x86_64.rpm                                                                  |  26 kB     00:00     
(8/10): globus-gss-assist-5.10-1.fc16.x86_64.rpm                                                                    |  28 kB     00:00     
(9/10): globus-gssapi-gsi-7.8-1.fc16.x86_64.rpm                                                                     |  49 kB     00:00     
(10/10): globus-openssl-module-1.3-3.fc16.x86_64.rpm                                                                |  14 kB     00:00     
-------------------------------------------------------------------------------------------------------------------------------------------
Total                                                                                                      209 kB/s | 261 kB     00:01     
Running Transaction Check
Running Transaction Test
Transaction Test Succeeded
Running Transaction
  Installing : globus-gsi-openssl-error-0.14-8.fc16.x86_64                                                                            1/12 
  Installing : globus-gsi-proxy-ssl-2.3-3.fc16.x86_64                                                                                 2/12 
  Installing : globus-gsi-sysconfig-3.2-1.fc16.x86_64                                                                                 3/12 
  Installing : globus-openssl-module-1.3-3.fc16.x86_64                                                                                4/12 
  Installing : globus-gsi-cert-utils-6.7-2.fc16.x86_64                                                                                5/12 
  Installing : globus-gsi-callback-2.8-2.fc16.x86_64                                                                                  6/12 
  Installing : globus-gsi-credential-3.5-3.fc16.x86_64                                                                                7/12 
  Installing : globus-gsi-proxy-core-4.7-2.fc16.x86_64                                                                                8/12 
  Installing : globus-gssapi-gsi-7.8-1.fc16.x86_64                                                                                    9/12 
  Installing : globus-gss-assist-5.10-1.fc16.x86_64                                                                                  10/12 
  Installing : gsi-openssh-5.8p2-2.fc16.x86_64                                                                                       11/12 
  Installing : gsi-openssh-clients-5.8p2-2.fc16.x86_64                                                                               12/12 

Installed:
  gsi-openssh.x86_64 0:5.8p2-2.fc16                                gsi-openssh-clients.x86_64 0:5.8p2-2.fc16                               

Dependency Installed:
  globus-gsi-callback.x86_64 0:2.8-2.fc16         globus-gsi-cert-utils.x86_64 0:6.7-2.fc16   globus-gsi-credential.x86_64 0:3.5-3.fc16  
  globus-gsi-openssl-error.x86_64 0:0.14-8.fc16   globus-gsi-proxy-core.x86_64 0:4.7-2.fc16   globus-gsi-proxy-ssl.x86_64 0:2.3-3.fc16   
  globus-gsi-sysconfig.x86_64 0:3.2-1.fc16        globus-gss-assist.x86_64 0:5.10-1.fc16      globus-gssapi-gsi.x86_64 0:7.8-1.fc16      
  globus-openssl-module.x86_64 0:1.3-3.fc16      

Complete!

[aelwell@pcitgtelwell result]$ gsissh -V
OpenSSH_5.8p1 GSI_GSSAPI_20110531 GSI, OpenSSL 1.0.0e-fips 6 Sep 2011


* Excluded Arch - None Mentioned. N/A
* BuildRequires - PASS
* locales - None listed - PASS
* Shared libraries call ldconfig - N/A
* System Libraries - None bundled. PASS
* Non-relocatable package - N/A
* Directory Ownership - PASS
* Dup files listed in spec - PASS
* Permissions - PASS. see note above about setgid.
* Macros - PASS
* Package contains code - PASS
* -doc subpackage - N/A - small no of small files.
* %doc files non-critical - PASS
* -devel package - N/A - no .h files bundled
* -static package - N/A - no static libs bundled
* suffixed library files - N/A - none bundled.
* devel is fully versioned - N/A - no -devel package built.
* Libtool .la - PASS. None present
* GUI - PASS. N/A
* owning other files - PASS. clashing (manpage / openssh) files are removed at build time.
* UTF-8 filenames - PASS.

SHOULD Items:
* Licence file - PASS. As upstream.
* non-english - N/A - Same as upstream openssh
* mockbuilds - PASS (F16 / EL6 tested)
* Functional tests:
	F16-x86_64 client OK, Positive fail against a machine my key's NOT installed on:
[aelwell@pcitgtelwell review]$ voms-proxy-init --debug
Detected Globus version: 2.2
Unspecified proxy version, settling on Globus version: 2
Number of bits in key :1024
Files being used:
 CA certificate file: none
 Trusted certificates directory : /etc/grid-security/certificates
 Proxy certificate file : /tmp/x509up_u500
 User certificate file: /home/aelwell/.globus/usercert.pem
 User key file: /home/aelwell/.globus/userkey.pem
Output to /tmp/x509up_u500
Enter GRID pass phrase:
Your identity: /DC=ch/DC=cern/OU=Organic Units/OU=Users/CN=aelwell/CN=671736/CN=Andrew Elwell
Creating proxy to /tmp/x509up_u500 .....................................++++++
.....++++++
 Done

Your proxy is valid until Wed Nov 16 23:55:59 2011
[aelwell@pcitgtelwell review]$ gsissh -vv voalice12 -p 1975
OpenSSH_5.8p1 GSI_GSSAPI_20110531 GSI, OpenSSL 1.0.0e-fips 6 Sep 2011
debug1: Reading configuration data /home/aelwell/.ssh/config
debug1: Applying options for *
debug1: Reading configuration data /etc/gsissh/ssh_config
debug1: Applying options for *
debug2: ssh_connect: needpriv 0
debug1: Connecting to voalice12 [128.142.198.14] port 1975.
debug1: Connection established.
debug2: key_type_from_name: unknown key type '-----BEGIN'
debug2: key_type_from_name: unknown key type 'Proc-Type:'
debug2: key_type_from_name: unknown key type 'DEK-Info:'
debug2: key_type_from_name: unknown key type '-----END'
debug1: identity file /home/aelwell/.ssh/id_rsa type 1
debug1: identity file /home/aelwell/.ssh/id_rsa-cert type -1
debug1: identity file /home/aelwell/.ssh/id_dsa type -1
debug1: identity file /home/aelwell/.ssh/id_dsa-cert type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.0p1-hpn13v1 NCSA_GSSAPI_GPT_4.3 GSI
debug1: match: OpenSSH_5.0p1-hpn13v1 NCSA_GSSAPI_GPT_4.3 GSI pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.8
debug2: fd 3 setting O_NONBLOCK
debug1: Offering GSSAPI proposal: gss-gex-sha1-dZuIebMjgUqaxvbF7hDbAw==,gss-group1-sha1-dZuIebMjgUqaxvbF7hDbAw==,gss-group14-sha1-dZuIebMjgUqaxvbF7hDbAw==
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug2: kex_parse_kexinit: gss-gex-sha1-dZuIebMjgUqaxvbF7hDbAw==,gss-group1-sha1-dZuIebMjgUqaxvbF7hDbAw==,gss-group14-sha1-dZuIebMjgUqaxvbF7hDbAw==,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa-cert-v01@openssh.com,ssh-rsa-cert-v00@openssh.com,ssh-rsa,ssh-dss-cert-v01@openssh.com,ssh-dss-cert-v00@openssh.com,ssh-dss,null
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
debug2: kex_parse_kexinit: 
debug2: kex_parse_kexinit: 
debug2: kex_parse_kexinit: first_kex_follows 0 
debug2: kex_parse_kexinit: reserved 0 
debug2: kex_parse_kexinit: gss-gex-sha1-dZuIebMjgUqaxvbF7hDbAw==,gss-group1-sha1-dZuIebMjgUqaxvbF7hDbAw==,gss-group14-sha1-dZuIebMjgUqaxvbF7hDbAw==,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib@openssh.com
debug2: kex_parse_kexinit: none,zlib@openssh.com
debug2: kex_parse_kexinit: 
debug2: kex_parse_kexinit: 
debug2: kex_parse_kexinit: first_kex_follows 0 
debug2: kex_parse_kexinit: reserved 0 
debug2: mac_setup: found hmac-md5
debug1: kex: server->client aes128-ctr hmac-md5 none
debug2: mac_setup: found hmac-md5
debug1: kex: client->server aes128-ctr hmac-md5 none
debug1: Doing group exchange

debug2: dh_gen_key: priv key bits set: 131/256
debug2: bits set: 527/1024
debug1: Calling gss_init_sec_context
debug1: Delegating credentials
debug1: Received GSSAPI_CONTINUE
debug1: Calling gss_init_sec_context
debug1: Delegating credentials
debug1: Received GSSAPI_CONTINUE
debug1: Calling gss_init_sec_context
debug1: Delegating credentials
debug1: Received GSSAPI_CONTINUE
debug1: Calling gss_init_sec_context
debug1: Delegating credentials
debug1: Received GSSAPI_COMPLETE
debug2: bits set: 508/1024
debug1: Rekey has happened - updating saved versions
debug2: kex_derive_keys
debug2: set_newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug2: set_newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: Roaming not allowed by server
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug2: key: /home/aelwell/.ssh/id_rsa (0x7fcff4b0c750)
debug2: key: aelwell@pcitgtelwell.cern.ch (0x7fcff4b7d5d0)
debug2: key: /home/aelwell/.ssh/id_dsa ((nil))
debug1: Authentications that can continue: gssapi-keyex,external-keyx,gssapi-with-mic,gssapi
debug1: Next authentication method: gssapi-keyex
debug2: we sent a gssapi-keyex packet, wait for reply
debug1: Remote: failed to set username from gssapi context
debug1: Authentications that can continue: gssapi-keyex,external-keyx,gssapi-with-mic,gssapi
debug2: we did not send a packet, disable method
debug1: Next authentication method: gssapi-with-mic
debug2: we sent a gssapi-with-mic packet, wait for reply
debug1: Delegating credentials
debug1: Delegating credentials
debug1: Delegating credentials
debug1: Delegating credentials
debug1: Authentications that can continue: gssapi-keyex,external-keyx,gssapi-with-mic,gssapi
debug2: we did not send a packet, disable method
debug1: No more authentication methods to try.
Permission denied (gssapi-keyex,external-keyx,gssapi-with-mic,gssapi).


I'd install the server but mockbuild on EL6 fails
Comment 19 Andrew Elwell 2011-11-16 08:59:36 EST
Mock build results - 
EPEL5 - i386, x86_64 - Both OK
INFO: Done(gsi-openssh-4.3p2-3.el5.src.rpm) Config(epel-5-i386) 7 minutes 50 seconds
INFO: Done(gsi-openssh-4.3p2-3.el5.src.rpm) Config(epel-5-x86_64) 7 minutes 30 seconds

EPEL6 - i386, x86_64 - Both FAILED - 
ERROR: Exception(gsi-openssh-5.3p1-3.el6.src.rpm) Config(epel-6-i386) 1 minutes 38 seconds
ERROR: Exception(gsi-openssh-5.3p1-3.el6.src.rpm) Config(epel-6-x86_64) 0 minutes 34 seconds

Error: No Package found for audit-libs-devel >= 2.0.5

Fedora-14 - i386,x86_64 - Both OK
INFO: Done(gsi-openssh-5.5p1-3.fc14.src.rpm) Config(fedora-14-i386) 5 minutes 15 seconds
INFO: Done(gsi-openssh-5.5p1-3.fc14.src.rpm) Config(fedora-14-x86_64) 3 minutes 28 seconds

Fedora-15 - i386,x86_64 - both OK
INFO: Done(gsi-openssh-5.6p1-3.fc15.src.rpm) Config(fedora-15-i386) 3 minutes 46 seconds
INFO: Done(gsi-openssh-5.6p1-3.fc15.src.rpm) Config(fedora-15-x86_64) 6 minutes 29 seconds

Fedora-16 - i386,x86_64 - Both OK (see comment above)

Fedora-17 (rawhide) - i386,x86_64 - OK
INFO: Done(gsi-openssh-5.9p1-1.fc17.src.rpm) Config(fedora-rawhide-i386) 5 minutes 28 seconds
INFO: Done(gsi-openssh-5.9p1-1.fc17.src.rpm) Config(fedora-rawhide-x86_64) 5 minutes 32 seconds


Given the above, I'm happy to mark as OK once the EL6 one builds OK
Comment 20 Mattias Ellert 2011-11-17 03:10:02 EST
The epel 6 srpm builds OK for me as a koji scratch build for the dist-6E-epel build target:

https://koji.fedoraproject.org/koji/taskinfo?taskID=3521322

    Mattias
Comment 21 Mattias Ellert 2011-11-17 03:19:32 EST
Many thanks for the review!

    Mattias

New Package SCM Request
=======================
Package Name: gsi-openssh
Short Description: An implementation of the SSH protocol with GSI authentication
Owners: ellert
Branches: f15 f16 el5 el6
InitialCC:
Comment 22 Jon Ciesla 2011-11-17 07:58:15 EST
Git done (by process-git-requests).
Comment 23 Fedora Update System 2011-11-17 14:51:09 EST
gsi-openssh-5.3p1-3.el6 has been submitted as an update for Fedora EPEL 6.
https://admin.fedoraproject.org/updates/gsi-openssh-5.3p1-3.el6
Comment 24 Fedora Update System 2011-11-17 14:51:19 EST
gsi-openssh-4.3p2-3.el5 has been submitted as an update for Fedora EPEL 5.
https://admin.fedoraproject.org/updates/gsi-openssh-4.3p2-3.el5
Comment 25 Fedora Update System 2011-11-17 14:51:33 EST
gsi-openssh-5.6p1-3.fc15 has been submitted as an update for Fedora 15.
https://admin.fedoraproject.org/updates/gsi-openssh-5.6p1-3.fc15
Comment 26 Fedora Update System 2011-11-17 14:51:41 EST
gsi-openssh-5.8p2-2.fc16 has been submitted as an update for Fedora 16.
https://admin.fedoraproject.org/updates/gsi-openssh-5.8p2-2.fc16
Comment 27 Fedora Update System 2011-11-18 13:39:19 EST
gsi-openssh-5.3p1-3.el6 has been pushed to the Fedora EPEL 6 testing repository.
Comment 28 Fedora Update System 2011-11-27 16:54:20 EST
gsi-openssh-5.6p1-3.fc15 has been pushed to the Fedora 15 stable repository.
Comment 29 Fedora Update System 2011-11-27 16:56:11 EST
gsi-openssh-5.8p2-2.fc16 has been pushed to the Fedora 16 stable repository.
Comment 30 Fedora Update System 2011-12-03 15:54:13 EST
gsi-openssh-4.3p2-3.el5 has been pushed to the Fedora EPEL 5 stable repository.
Comment 31 Fedora Update System 2011-12-03 15:54:30 EST
gsi-openssh-5.3p1-3.el6 has been pushed to the Fedora EPEL 6 stable repository.
