Spec URL:
http://www.grid.tsl.uu.se/review/el5/gsissh.spec
http://www.grid.tsl.uu.se/review/el6/gsissh.spec
http://www.grid.tsl.uu.se/review/fc14/gsissh.spec
http://www.grid.tsl.uu.se/review/fc15/gsissh.spec
http://www.grid.tsl.uu.se/review/fc16/gsissh.spec

SRPM URL:
http://www.grid.tsl.uu.se/review/gsissh-4.3p2-1.el5.src.rpm
http://www.grid.tsl.uu.se/review/gsissh-5.3p1-1.el6.src.rpm
http://www.grid.tsl.uu.se/review/gsissh-5.5p1-1.fc14.src.rpm
http://www.grid.tsl.uu.se/review/gsissh-5.6p1-1.fc15.src.rpm
http://www.grid.tsl.uu.se/review/gsissh-5.8p1-1.fc16.src.rpm

Description:
This is a modified version of openssh that supports GSI authentication. It is not possible to apply the patch to the normal openssh package without losing functionality, since you can not compile openssh with support for GSI and kerberos at the same time, and the normal openssh package is compiled with kerberos support. Instead this parallel installable package can be used when GSI authentication is needed.

The source RPMS are based on the normal openssh packages for each release, using the same versions and applying the same patches with the addition of the patch that implements the GSI support. This was done in order to ensure compatibility and minimize the risk of introducing security problems.
Hi Mattias,

although I can only do an unofficial review, I think that there is an issue with these packages. As rpmlint reports, there is no link to upstream source packages. (I'm putting just the el5 report):

$ rpmlint gsissh.el5.spec
gsissh.el5.spec:37: W: macro-in-comment %{version}
gsissh.el5.spec:38: W: macro-in-comment %{version}
gsissh.el5.spec:327: W: rpm-buildroot-usage %build fipshmac $RPM_BUILD_ROOT%{_bindir}/gsissh \
gsissh.el5.spec:328: W: rpm-buildroot-usage %build fipshmac $RPM_BUILD_ROOT%{_sbindir}/gsisshd \
gsissh.el5.spec: W: invalid-url Source0: openssh-4.3p2-noacss.tar.bz2
0 packages and 1 specfiles checked; 0 errors, 5 warnings.

I saw your comment about the ACSS in the SPEC file but I think this would be much much clearer if you used the upstream openssh package and added a patch file that removes the ACSS cipher.

Fedora reviewing guidelines require:
MUST: The sources used to build the package must match the upstream source, as provided in the spec URL. Reviewers should use md5sum for this task. If no upstream URL can be specified for this package, please see the Source URL Guidelines for how to deal with this.

Regards,
Christos
(In reply to comment #1)
> I saw your comment about the ACSS in the SPEC file but I think this would be
> much much clearer if you used the upstream openssh package and added a patch
> file that removes the ACSS cipher.
>
> Fedora reviewing guidelines require:
> MUST: The sources used to build the package must match the upstream source, as
> provided in the spec URL. Reviewers should use md5sum for this task. If no
> upstream URL can be specified for this package, please see the Source URL
> Guidelines for how to deal with this.

Most of the gsissh specfile is copied from the openssh specfile, including the part regarding the source. The source tarball is the same as in the openssh package.

It is not possible to do the removal of the ACSS sources in %prep only, since they can not be legally distributed. This is not a case of "make sure the code is not used during the build", but a case of "make sure the sources are not illegally redistributed by Fedora inside the source RPM".

The spec is compliant with the guidelines for this case:
http://fedoraproject.org/wiki/Packaging:SourceURL#When_Upstream_uses_Prohibited_Code
Andrew - Are you going to review this?
Hi,

I just tested the posted SRPM for RHEL5. Builds fine in mock for me. However, when I try to use the service, I get:

[brian@brian-test vdt-release]$ sudo /sbin/service gsisshd start
Starting gsisshd: Could not load host key: /etc/gsissh/ssh_host_rsa_key
Could not load host key: /etc/gsissh/ssh_host_dsa_key
[ OK ]

I hand-generated new keys and hand-changed the port to 23 from 22 (conflicting with normal SSH), and the server worked. Even properly invokes the Globus plugin infrastructure!

However, when logging out, zombie processes were left over. Process tree looks like this:

root 6807 0.0 0.0 165308 6052 ? Ssl 07:42 0:00 gsisshd: brian [priv]
brian 6823 0.0 0.0 165308 3208 ? S 07:42 0:00  \_ gsisshd: brian@pts/11
brian 6824 0.0 0.0 0 0 ? Zs 07:42 0:00      \_ [bash] <defunct>

After installing debuginfo RPMs, I see the middle process (6823) has the following stack trace:

(gdb) bt
#0 0x00007f1123eeb212 in select () from /lib64/libc.so.6
#1 0x00007f11281f1cad in wait_until_can_do_something (readsetp=0x7fffa66904a8, writesetp=0x7fffa66904a0, maxfdp=0x7fffa66904b4, nallocp=0x7fffa66904b0, max_time_milliseconds=0) at serverloop.c:338
#2 0x00007f11281f2660 in server_loop2 (authctxt=<value optimized out>) at serverloop.c:810
#3 0x00007f11281f9c7f in do_authenticated2 (authctxt=0x7f11293cbbb0) at session.c:2506
#4 do_authenticated (authctxt=0x7f11293cbbb0) at session.c:226
#5 0x00007f11281ebf00 in main (ac=<value optimized out>, av=<value optimized out>) at sshd.c:1797

Maybe we should bring the gsissh devs into the loop on this one?
The zombie process issue is caused by the Globus pthr libraries blocking SIGCHLD: https://bugzilla.mcs.anl.gov/globus/show_bug.cgi?id=7105 It is fixed in the Globus Toolkit v5.1.0 libraries. The problem does not occur with earlier non-pthr Globus libraries.
Hi Jim, I can't quite tell from the comments on the ticket: is it possible to fix this? Or should we just hold off here until Globus 5.2. FWIW - OSG is switching to EPEL's Globus, meaning that we're going to have to make gsissh work *somehow*. It's just a matter of "how dirty do our hands get"? Brian
I suppose it'd be possible to patch the gsissh sources to unblock the signals after the pthr Globus libraries block them, if you're forced to use pre-5.1.0 pthr Globus libraries.
Hi Jim,

I tried a few approaches:
- Re-install the signal handlers after globus is initialized
- Hook the OpenSSH signal handlers into the globus callback system.

No dice on either. Can you take a whack at it for me? Maybe you'll see something I missed.

We still very much desire it!

Brian
Brian,

Are you sure you unblocked the signals in the main OpenSSH thread? Here's the work-around I added in MyProxy for this Globus pthr library issue:
http://lists.globus.org/pipermail/myproxy-commit/2010-June/000429.html

Of course MyProxy is much simpler than OpenSSH. The fact that the OpenSSH server forks multiple processes per incoming connection may mean that you need work-arounds in multiple places. The Globus pthr libraries are simply not designed for applications that don't use the Globus threading API, which is why I've always recommended use of non-pthr Globus libraries with GSI-OpenSSH.

-Jim
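Added example, not part of the original thread and not code from OpenSSH, MyProxy or Globus: a minimal C program showing why a blocked SIGCHLD leaves a defunct child like the one in the process tree reported above, and how unblocking the signal after library initialisation restores reaping. library_init_blocks_sigchld() is a hypothetical stand-in for the library initialisation, and the program is single-threaded, so it uses sigprocmask() where a threaded server would use pthread_sigmask() in the thread that forks.

```c
#ifndef _XOPEN_SOURCE
#define _XOPEN_SOURCE 700
#endif
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <sys/wait.h>
#include <time.h>
#include <unistd.h>

/* Children reaped from inside the SIGCHLD handler. */
static volatile sig_atomic_t reaped_in_handler;

/* Reap every exited child, as a forking server's SIGCHLD handler would. */
static void on_sigchld(int sig)
{
    int saved_errno = errno;
    (void)sig;
    while (waitpid(-1, NULL, WNOHANG) > 0)
        reaped_in_handler++;
    errno = saved_errno;
}

/* Block or unblock SIGCHLD for the calling (single) thread. */
static void set_sigchld_blocked(int blocked)
{
    sigset_t set;
    sigemptyset(&set);
    sigaddset(&set, SIGCHLD);
    sigprocmask(blocked ? SIG_BLOCK : SIG_UNBLOCK, &set, NULL);
}

/* Hypothetical stand-in for a library init call that returns with SIGCHLD
 * blocked. It only models the effect described in the thread. */
static void library_init_blocks_sigchld(void)
{
    set_sigchld_blocked(1);
}

/* Fork one short-lived child after the simulated library init.
 * Returns 1 if the SIGCHLD handler reaped it, 0 if it stayed a zombie with
 * SIGCHLD pending behind the mask, -1 if fork() failed. */
int child_reaped_by_handler(int apply_workaround)
{
    struct sigaction sa, old_sa;
    sigset_t old_mask, pending;
    struct timespec tick = { 0, 10 * 1000 * 1000 };  /* 10 ms */
    siginfo_t info;
    pid_t pid;
    int i, reaped = -1;

    sigprocmask(SIG_BLOCK, NULL, &old_mask);  /* save the current mask */
    sa.sa_handler = on_sigchld;
    sigemptyset(&sa.sa_mask);
    sa.sa_flags = SA_NOCLDSTOP;
    sigaction(SIGCHLD, &sa, &old_sa);
    reaped_in_handler = 0;

    library_init_blocks_sigchld();
    if (apply_workaround)
        set_sigchld_blocked(0);  /* the work-around: unblock after init */

    pid = fork();
    if (pid == 0)
        _exit(0);
    if (pid > 0) {
        /* Wait for the child to exit without reaping it (WNOWAIT); this
         * fails with ECHILD if the handler has already collected it. */
        while (waitid(P_PID, (id_t)pid, &info, WEXITED | WNOWAIT) < 0 &&
               errno == EINTR)
            ;
        /* Settle: the handler has run, or SIGCHLD is stuck pending. */
        for (i = 0; i < 100; i++) {
            sigpending(&pending);
            if (reaped_in_handler || sigismember(&pending, SIGCHLD))
                break;
            nanosleep(&tick, NULL);
        }
        reaped = reaped_in_handler > 0;
        if (!reaped)
            waitpid(pid, NULL, 0);  /* clear the zombie explicitly */
    }
    sigaction(SIGCHLD, &old_sa, NULL);
    sigprocmask(SIG_SETMASK, &old_mask, NULL);
    return reaped;
}

int main(void)
{
    printf("SIGCHLD left blocked: reaped by handler = %d\n",
           child_reaped_by_handler(0));
    printf("SIGCHLD unblocked:    reaped by handler = %d\n",
           child_reaped_by_handler(1));
    return 0;
}
```

Because the signal mask is inherited across fork(), a server that forks several processes per connection needs the unblock in every process that installs a SIGCHLD handler and forks children of its own.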
Hi Jim, I figured out what I was doing wrong. Here's an SRPM with the issue fixed: http://vdt.cs.wisc.edu/repos/3.0/el5/development/src/gsissh-4.3p2-2.osg.src.rpm I also changed around some defaults in sshd_config so "yum install gsissh-server && service gsisshd start" Just Works. Brian
(In reply to comment #10)
> Hi Jim,
>
> I figured out what I was doing wrong. Here's an SRPM with the issue fixed:

Thanks for figuring out these issues. Here are updated SRPMS:

http://grid.tsl.uu.se/review/gsissh-4.3p2-2.el5.src.rpm
http://grid.tsl.uu.se/review/gsissh-5.3p1-2.el6.src.rpm
http://grid.tsl.uu.se/review/gsissh-5.5p1-2.fc14.src.rpm
http://grid.tsl.uu.se/review/gsissh-5.6p1-2.fc15.src.rpm
http://grid.tsl.uu.se/review/gsissh-5.8p2-1.fc16.src.rpm

Specfiles:

http://grid.tsl.uu.se/review/el5/gsissh.spec
http://grid.tsl.uu.se/review/el6/gsissh.spec
http://grid.tsl.uu.se/review/fc14/gsissh.spec
http://grid.tsl.uu.se/review/fc15/gsissh.spec
http://grid.tsl.uu.se/review/fc16/gsissh.spec
I talked to the upstream folks a bit. Apparently, they are also preparing a gsissh RPM (which looks to be in decent shape) for GT5.2. However, they are calling it "gsi_openssh" while this package is called "gsissh". Is it worth it to rename the package in hopes that we can align better with upstream?
(In reply to comment #12)
> However, they are calling it "gsi_openssh" ...

Having an underscore in the name is a bad idea. The globus RPM packages are named "globus-common" etc, and not "globus_common" etc which are the internal GPT package names, for good reasons.

The underscore is part of the set of characters allowed in package names in the Fedora Guidelines, however its use is discouraged since the guidelines also say: "When naming packages for Fedora, the maintainer must use the dash '-' as the delimiter for name parts. The maintainer must NOT use an underscore '_', a plus '+', or a period '.' as a delimiter."

Also, having an underscore in the name makes it impossible to comply with the guideline that says "If this package has been packaged by other distributions/packagers in the past, then you should try to match their name for consistency", since other distributions like Debian don't allow underscores at all in the package names.

Naming it "gsi-openssh" would be an acceptable name though - if that is preferred. Looking at the upstream 5.1.1 alpha release it looks like upstream did the right thing for their debian packages and called them gsi-openssh. Why they screwed up with the RPMs I don't know.
Alright - the next upstream release correctly calls this "gsi-openssh", and it doesn't need the patch.

The two options I see are:
1) Wait until Fedora goes to GT 5.2. We've been testing the pre-release pretty hard, and the upstream RPMs are getting closer to Fedora-quality.
2) Rename the posted package to "gsi-openssh" and include my patch - this prevents us from having to rename it in 6 months.
Renamed packages for review

SRPMS:
http://grid.tsl.uu.se/review/gsi-openssh-4.3p2-3.el5.src.rpm
http://grid.tsl.uu.se/review/gsi-openssh-5.3p1-3.el6.src.rpm
http://grid.tsl.uu.se/review/gsi-openssh-5.5p1-3.fc14.src.rpm
http://grid.tsl.uu.se/review/gsi-openssh-5.6p1-3.fc15.src.rpm
http://grid.tsl.uu.se/review/gsi-openssh-5.8p2-2.fc16.src.rpm
http://grid.tsl.uu.se/review/gsi-openssh-5.9p1-1.fc17.src.rpm

SPECS:
http://grid.tsl.uu.se/review/el5/gsi-openssh.spec
http://grid.tsl.uu.se/review/el6/gsi-openssh.spec
http://grid.tsl.uu.se/review/fc14/gsi-openssh.spec
http://grid.tsl.uu.se/review/fc15/gsi-openssh.spec
http://grid.tsl.uu.se/review/fc16/gsi-openssh.spec
http://grid.tsl.uu.se/review/fc17/gsi-openssh.spec
Hello Andrew - are you still planning to do this review?
OK - my bad. I'd cleared the review flag as I didn't have time, but had left it assigned to me. Ho Hum. In that case I'll get stuck in tonight.
OK - reviewing based on installation / use tests with F16 and EL6 binaries -- the 'tl;dr' version is "please can you check the dependencies in EL6"

given that this package needs separate src.rpm / spec files for each release I'll do a full check on each release. That said - review for F16 is fine

Normal review process:

MUST Items:

Rpmlint - src: PASS
rpmlint ./gsi-openssh-5.8p2-2.fc16.src.rpm
gsi-openssh.src: W: spelling-error %description -l en_US rlogin -> logging
gsi-openssh.src: W: spelling-error %description -l en_US rsh -> rah, rs, sh
gsi-openssh.src: W: spelling-error %description -l en_US untrusted -> entrusted, trusted, encrusted
gsi-openssh.src: W: spelling-error %description -l en_US gsissh -> Gish
gsi-openssh.src: W: strange-permission openssh-nukeacss.sh 0755L
gsi-openssh.src:48: W: macro-in-comment %{version}
gsi-openssh.src:49: W: macro-in-comment %{version}
gsi-openssh.src:222: W: macro-in-comment %triggerun
gsi-openssh.src:223: W: macro-in-comment %post
gsi-openssh.src:223: W: macro-in-comment %triggerun
gsi-openssh.src:279: W: macro-in-comment %patch22
gsi-openssh.src:394: W: rpm-buildroot-usage %build fipshmac -d $RPM_BUILD_ROOT%{_libdir}/fipscheck $RPM_BUILD_ROOT%{_bindir}/gsissh $RPM_BUILD_ROOT%{_sbindir}/gsisshd \
gsi-openssh.src: W: invalid-url Source0: openssh-5.8p2-noacss.tar.bz2
1 packages and 0 specfiles checked; 0 errors, 13 warnings.

spelling errors - false +ve
strange-permission / macro-in-comment / rpm-buildroot-usage : same as the 'normal' openssh package. Nice to clean up but upstream should be fixed too.
rpmlint built: PASS
[aelwell@pcitgtelwell review]$ rpmlint /var/lib/mock/fedora-16-x86_64/result/gsi-openssh-5.8p2-2.fc16.x86_64.rpm
gsi-openssh.x86_64: W: spelling-error %description -l en_US rlogin -> logging
gsi-openssh.x86_64: W: spelling-error %description -l en_US rsh -> rah, rs, sh
gsi-openssh.x86_64: W: spelling-error %description -l en_US untrusted -> entrusted, trusted, encrusted
gsi-openssh.x86_64: W: file-not-utf8 /usr/share/doc/gsi-openssh-5.8p2/LICENCE
gsi-openssh.x86_64: W: non-standard-gid /usr/libexec/gsissh/ssh-keysign ssh_keys
gsi-openssh.x86_64: E: setgid-binary /usr/libexec/gsissh/ssh-keysign ssh_keys 02755L
gsi-openssh.x86_64: E: non-standard-executable-perm /usr/libexec/gsissh/ssh-keysign 02755L
gsi-openssh.x86_64: W: file-not-utf8 /usr/share/doc/gsi-openssh-5.8p2/CREDITS
gsi-openssh.x86_64: E: non-readable /etc/gsissh/moduli 0600L
gsi-openssh.x86_64: W: install-file-in-docs /usr/share/doc/gsi-openssh-5.8p2/INSTALL
1 packages and 0 specfiles checked; 3 errors, 7 warnings.

The setgid Error matches that for openssh - ie
[aelwell@pcitgtelwell review]$ ls -l /usr/libexec/openssh/ssh-keysign
---x--s--x. 1 root ssh_keys 245408 Jul 25 09:47 /usr/libexec/openssh/ssh-keysign
ditto moduli:
-rw-------. 1 root root 125811 Jul 25 09:47 /etc/ssh/moduli
LICENCE and CREDITS matches upstream:
/usr/share/doc/openssh-5.8p2/LICENCE: ISO-8859 English text
/usr/share/doc/openssh-5.8p2/CREDITS: ISO-8859 English text
so overall pass

* Naming Guidelines - PASS
* Spec matches %{name}.spec - PASS (gsi-openssh)
* Packaging Guidelines - PASS
previous discussions about naming, underscores, ACSS are explained and compliant. This package reuses the openssh spec file (as a diff will show) which is approved.
* Licence - BSD - PASS.
* Spec licence must match actual - PASS (detailed description in LICENSE)
* Licence in %doc - PASS
* Spec in en_US - PASS
* md5sum of upstream - PASS - 123003edd779504e12e1c8b58e7ce5dc for main openssh-5.8p2-noacss.tar.bz2 file -- similar status for other release sources (matches that comparable in the openssh source)
* Builds OK -- PASS For F16, on both x86_64 and i386, however the EL6 doesn't build under mock:

ERROR: Command failed:
# ['/usr/bin/yum-builddep', '--installroot', '/var/lib/mock/epel-6-x86_64/root/', '/var/lib/mock/epel-6-x86_64/root///builddir/build/SRPMS/gsi-openssh-5.3p1-3.el6.src.rpm']
Getting requirements for gsi-openssh-5.3p1-3.el6.src
--> autoconf-2.63-5.1.el6.noarch
--> automake-1.11.1-1.2.el6.noarch
--> Already installed : 4:perl-5.10.1-115.el6.x86_64
--> zlib-devel-1.2.3-25.el6.x86_64
Error: No Package found for audit-libs-devel >= 2.0.5

installed OK on F16 and sanity checked:
[aelwell@pcitgtelwell result]$ sudo yum localinstall ./gsi-openssh-clients-5.8p2-2.fc16.x86_64.rpm ./gsi-openssh-5.8p2-2.fc16.x86_64.rpm
Loaded plugins: auto-update-debuginfo, langpacks, presto, refresh-packagekit
Setting up Local Package Process
Examining ./gsi-openssh-clients-5.8p2-2.fc16.x86_64.rpm: gsi-openssh-clients-5.8p2-2.fc16.x86_64
Marking ./gsi-openssh-clients-5.8p2-2.fc16.x86_64.rpm to be installed
Examining ./gsi-openssh-5.8p2-2.fc16.x86_64.rpm: gsi-openssh-5.8p2-2.fc16.x86_64
Marking ./gsi-openssh-5.8p2-2.fc16.x86_64.rpm to be installed
Resolving Dependencies
--> Running transaction check
---> Package gsi-openssh.x86_64 0:5.8p2-2.fc16 will be installed
--> Processing Dependency: libglobus_gsi_callback.so.0()(64bit) for package: gsi-openssh-5.8p2-2.fc16.x86_64
--> Processing Dependency: libglobus_gsi_cert_utils.so.0()(64bit) for package: gsi-openssh-5.8p2-2.fc16.x86_64
--> Processing Dependency: libglobus_gsi_credential.so.1()(64bit) for package: gsi-openssh-5.8p2-2.fc16.x86_64
--> Processing Dependency: libglobus_gsi_proxy_core.so.0()(64bit) for package: gsi-openssh-5.8p2-2.fc16.x86_64
--> Processing Dependency: libglobus_gsi_sysconfig.so.1()(64bit) for package: gsi-openssh-5.8p2-2.fc16.x86_64
--> Processing Dependency: libglobus_gss_assist.so.3()(64bit) for package: gsi-openssh-5.8p2-2.fc16.x86_64
--> Processing Dependency: libglobus_gssapi_gsi.so.4()(64bit) for package: gsi-openssh-5.8p2-2.fc16.x86_64
--> Processing Dependency: libglobus_oldgaa.so.0()(64bit) for package: gsi-openssh-5.8p2-2.fc16.x86_64
--> Processing Dependency: libglobus_openssl.so.0()(64bit) for package: gsi-openssh-5.8p2-2.fc16.x86_64
--> Processing Dependency: libglobus_openssl_error.so.0()(64bit) for package: gsi-openssh-5.8p2-2.fc16.x86_64
--> Processing Dependency: libglobus_proxy_ssl.so.1()(64bit) for package: gsi-openssh-5.8p2-2.fc16.x86_64
---> Package gsi-openssh-clients.x86_64 0:5.8p2-2.fc16 will be installed
--> Running transaction check
---> Package globus-gsi-callback.x86_64 0:2.8-2.fc16 will be installed
---> Package globus-gsi-cert-utils.x86_64 0:6.7-2.fc16 will be installed
---> Package globus-gsi-credential.x86_64 0:3.5-3.fc16 will be installed
---> Package globus-gsi-openssl-error.x86_64 0:0.14-8.fc16 will be installed
---> Package globus-gsi-proxy-core.x86_64 0:4.7-2.fc16 will be installed
---> Package globus-gsi-proxy-ssl.x86_64 0:2.3-3.fc16 will be installed
---> Package globus-gsi-sysconfig.x86_64 0:3.2-1.fc16 will be installed
---> Package globus-gss-assist.x86_64 0:5.10-1.fc16 will be installed
---> Package globus-gssapi-gsi.x86_64 0:7.8-1.fc16 will be installed
---> Package globus-openssl-module.x86_64 0:1.3-3.fc16 will be installed
--> Finished Dependency Resolution

Dependencies Resolved

===========================================================================================================================================
Package Arch Version Repository Size
===========================================================================================================================================
Installing:
gsi-openssh x86_64 5.8p2-2.fc16 /gsi-openssh-5.8p2-2.fc16.x86_64 721 k
gsi-openssh-clients x86_64 5.8p2-2.fc16 /gsi-openssh-clients-5.8p2-2.fc16.x86_64 652 k
Installing for dependencies:
globus-gsi-callback x86_64 2.8-2.fc16 fedora 34 k
globus-gsi-cert-utils x86_64 6.7-2.fc16 fedora 18 k
globus-gsi-credential x86_64 3.5-3.fc16 fedora 30 k
globus-gsi-openssl-error x86_64 0.14-8.fc16 fedora 15 k
globus-gsi-proxy-core x86_64 4.7-2.fc16 fedora 30 k
globus-gsi-proxy-ssl x86_64 2.3-3.fc16 fedora 17 k
globus-gsi-sysconfig x86_64 3.2-1.fc16 fedora 26 k
globus-gss-assist x86_64 5.10-1.fc16 fedora 28 k
globus-gssapi-gsi x86_64 7.8-1.fc16 fedora 49 k
globus-openssl-module x86_64 1.3-3.fc16 fedora 14 k

Transaction Summary
===========================================================================================================================================
Install 12 Packages

Total size: 1.6 M
Total download size: 261 k
Installed size: 1.6 M
Is this ok [y/N]: y
Downloading Packages:
(1/10): globus-gsi-callback-2.8-2.fc16.x86_64.rpm | 34 kB 00:00
(2/10): globus-gsi-cert-utils-6.7-2.fc16.x86_64.rpm | 18 kB 00:00
(3/10): globus-gsi-credential-3.5-3.fc16.x86_64.rpm | 30 kB 00:00
(4/10): globus-gsi-openssl-error-0.14-8.fc16.x86_64.rpm | 15 kB 00:00
(5/10): globus-gsi-proxy-core-4.7-2.fc16.x86_64.rpm | 30 kB 00:00
(6/10): globus-gsi-proxy-ssl-2.3-3.fc16.x86_64.rpm | 17 kB 00:00
(7/10): globus-gsi-sysconfig-3.2-1.fc16.x86_64.rpm | 26 kB 00:00
(8/10): globus-gss-assist-5.10-1.fc16.x86_64.rpm | 28 kB 00:00
(9/10): globus-gssapi-gsi-7.8-1.fc16.x86_64.rpm | 49 kB 00:00
(10/10): globus-openssl-module-1.3-3.fc16.x86_64.rpm | 14 kB 00:00
-------------------------------------------------------------------------------------------------------------------------------------------
Total 209 kB/s | 261 kB 00:01
Running Transaction Check
Running Transaction Test
Transaction Test Succeeded
Running Transaction
Installing : globus-gsi-openssl-error-0.14-8.fc16.x86_64 1/12
Installing : globus-gsi-proxy-ssl-2.3-3.fc16.x86_64 2/12
Installing : globus-gsi-sysconfig-3.2-1.fc16.x86_64 3/12
Installing : globus-openssl-module-1.3-3.fc16.x86_64 4/12
Installing : globus-gsi-cert-utils-6.7-2.fc16.x86_64 5/12
Installing : globus-gsi-callback-2.8-2.fc16.x86_64 6/12
Installing : globus-gsi-credential-3.5-3.fc16.x86_64 7/12
Installing : globus-gsi-proxy-core-4.7-2.fc16.x86_64 8/12
Installing : globus-gssapi-gsi-7.8-1.fc16.x86_64 9/12
Installing : globus-gss-assist-5.10-1.fc16.x86_64 10/12
Installing : gsi-openssh-5.8p2-2.fc16.x86_64 11/12
Installing : gsi-openssh-clients-5.8p2-2.fc16.x86_64 12/12

Installed:
gsi-openssh.x86_64 0:5.8p2-2.fc16
gsi-openssh-clients.x86_64 0:5.8p2-2.fc16

Dependency Installed:
globus-gsi-callback.x86_64 0:2.8-2.fc16
globus-gsi-cert-utils.x86_64 0:6.7-2.fc16
globus-gsi-credential.x86_64 0:3.5-3.fc16
globus-gsi-openssl-error.x86_64 0:0.14-8.fc16
globus-gsi-proxy-core.x86_64 0:4.7-2.fc16
globus-gsi-proxy-ssl.x86_64 0:2.3-3.fc16
globus-gsi-sysconfig.x86_64 0:3.2-1.fc16
globus-gss-assist.x86_64 0:5.10-1.fc16
globus-gssapi-gsi.x86_64 0:7.8-1.fc16
globus-openssl-module.x86_64 0:1.3-3.fc16

Complete!
[aelwell@pcitgtelwell result]$ gsissh -V
OpenSSH_5.8p1 GSI_GSSAPI_20110531 GSI, OpenSSL 1.0.0e-fips 6 Sep 2011

* Excluded Arch - None Mentioned. N/A
* BuildRequires - PASS
* locales - None listed - PASS
* Shared libraries call ldconfig - N/A
* System Libraries - None bundled. PASS
* Non-relocatable package - N/A
* Directory Ownership - PASS
* Dup files listed in spec - PASS
* Permissions - PASS. see note above about setgid.
* Macros - PASS
* Package contains code - PASS
* -doc subpackage - N/A - small no of small files.
* %doc files non-critical - PASS
* -devel package - N/A - no .h files bundled
* -static package - N/A - no static libs bundled
* suffixed library files - N/A - none bundled.
* devel is fully versioned - N/A - no -devel package built.
* Libtool .la - PASS. None present
* GUI - PASS. N/A
* owning other files - PASS.
clashing (manpage / openssh) files are removed at build time.
* UTF-8 filenames - PASS.

SHOULD Items:
* Licence file - PASS. As upstream.
* non-english - N/A - Same as upstream openssh
* mockbuilds - PASS (F16 / EL6 tested)
* Functional tests:
F16-x86_64 client OK, Positive fail against a machine my key's NOT installed on:

[aelwell@pcitgtelwell review]$ voms-proxy-init --debug
Detected Globus version: 2.2
Unspecified proxy version, settling on Globus version: 2
Number of bits in key :1024
Files being used:
CA certificate file: none
Trusted certificates directory : /etc/grid-security/certificates
Proxy certificate file : /tmp/x509up_u500
User certificate file: /home/aelwell/.globus/usercert.pem
User key file: /home/aelwell/.globus/userkey.pem
Output to /tmp/x509up_u500
Enter GRID pass phrase:
Your identity: /DC=ch/DC=cern/OU=Organic Units/OU=Users/CN=aelwell/CN=671736/CN=Andrew Elwell
Creating proxy to /tmp/x509up_u500 .....................................++++++
.....++++++
Done
Your proxy is valid until Wed Nov 16 23:55:59 2011

[aelwell@pcitgtelwell review]$ gsissh -vv voalice12 -p 1975
OpenSSH_5.8p1 GSI_GSSAPI_20110531 GSI, OpenSSL 1.0.0e-fips 6 Sep 2011
debug1: Reading configuration data /home/aelwell/.ssh/config
debug1: Applying options for *
debug1: Reading configuration data /etc/gsissh/ssh_config
debug1: Applying options for *
debug2: ssh_connect: needpriv 0
debug1: Connecting to voalice12 [128.142.198.14] port 1975.
debug1: Connection established.
debug2: key_type_from_name: unknown key type '-----BEGIN'
debug2: key_type_from_name: unknown key type 'Proc-Type:'
debug2: key_type_from_name: unknown key type 'DEK-Info:'
debug2: key_type_from_name: unknown key type '-----END'
debug1: identity file /home/aelwell/.ssh/id_rsa type 1
debug1: identity file /home/aelwell/.ssh/id_rsa-cert type -1
debug1: identity file /home/aelwell/.ssh/id_dsa type -1
debug1: identity file /home/aelwell/.ssh/id_dsa-cert type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.0p1-hpn13v1 NCSA_GSSAPI_GPT_4.3 GSI
debug1: match: OpenSSH_5.0p1-hpn13v1 NCSA_GSSAPI_GPT_4.3 GSI pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.8
debug2: fd 3 setting O_NONBLOCK
debug1: Offering GSSAPI proposal: gss-gex-sha1-dZuIebMjgUqaxvbF7hDbAw==,gss-group1-sha1-dZuIebMjgUqaxvbF7hDbAw==,gss-group14-sha1-dZuIebMjgUqaxvbF7hDbAw==
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug2: kex_parse_kexinit: gss-gex-sha1-dZuIebMjgUqaxvbF7hDbAw==,gss-group1-sha1-dZuIebMjgUqaxvbF7hDbAw==,gss-group14-sha1-dZuIebMjgUqaxvbF7hDbAw==,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa-cert-v01,ssh-rsa-cert-v00,ssh-rsa,ssh-dss-cert-v01,ssh-dss-cert-v00,ssh-dss,null
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc.se
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc.se
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64,hmac-ripemd160,hmac-ripemd160,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64,hmac-ripemd160,hmac-ripemd160,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib,zlib
debug2: kex_parse_kexinit: none,zlib,zlib
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: kex_parse_kexinit: gss-gex-sha1-dZuIebMjgUqaxvbF7hDbAw==,gss-group1-sha1-dZuIebMjgUqaxvbF7hDbAw==,gss-group14-sha1-dZuIebMjgUqaxvbF7hDbAw==,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc.se,aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc.se,aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64,hmac-ripemd160,hmac-ripemd160,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64,hmac-ripemd160,hmac-ripemd160,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib
debug2: kex_parse_kexinit: none,zlib
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: mac_setup: found hmac-md5
debug1: kex: server->client aes128-ctr hmac-md5 none
debug2: mac_setup: found hmac-md5
debug1: kex: client->server aes128-ctr hmac-md5 none
debug1: Doing group exchange
debug2: dh_gen_key: priv key bits set: 131/256
debug2: bits set: 527/1024
debug1: Calling gss_init_sec_context
debug1: Delegating credentials
debug1: Received GSSAPI_CONTINUE
debug1: Calling gss_init_sec_context
debug1: Delegating credentials
debug1: Received GSSAPI_CONTINUE
debug1: Calling gss_init_sec_context
debug1: Delegating credentials
debug1: Received GSSAPI_CONTINUE
debug1: Calling gss_init_sec_context
debug1: Delegating credentials
debug1: Received GSSAPI_COMPLETE
debug2: bits set: 508/1024
debug1: Rekey has happened - updating saved versions
debug2: kex_derive_keys
debug2: set_newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug2: set_newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: Roaming not allowed by server
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug2: key: /home/aelwell/.ssh/id_rsa (0x7fcff4b0c750)
debug2: key: aelwell.ch (0x7fcff4b7d5d0)
debug2: key: /home/aelwell/.ssh/id_dsa ((nil))
debug1: Authentications that can continue: gssapi-keyex,external-keyx,gssapi-with-mic,gssapi
debug1: Next authentication method: gssapi-keyex
debug2: we sent a gssapi-keyex packet, wait for reply
debug1: Remote: failed to set username from gssapi context
debug1: Authentications that can continue: gssapi-keyex,external-keyx,gssapi-with-mic,gssapi
debug2: we did not send a packet, disable method
debug1: Next authentication method: gssapi-with-mic
debug2: we sent a gssapi-with-mic packet, wait for reply
debug1: Delegating credentials
debug1: Delegating credentials
debug1: Delegating credentials
debug1: Delegating credentials
debug1: Authentications that can continue: gssapi-keyex,external-keyx,gssapi-with-mic,gssapi
debug2: we did not send a packet, disable method
debug1: No more authentication methods to try.
Permission denied (gssapi-keyex,external-keyx,gssapi-with-mic,gssapi).

I'd install the server but mockbuild on EL6 fails
Mock build results -

EPEL5 - i386, x86_64 - Both OK
INFO: Done(gsi-openssh-4.3p2-3.el5.src.rpm) Config(epel-5-i386) 7 minutes 50 seconds
INFO: Done(gsi-openssh-4.3p2-3.el5.src.rpm) Config(epel-5-x86_64) 7 minutes 30 seconds

EPEL6 - i386, x86_64 - Both FAILED -
ERROR: Exception(gsi-openssh-5.3p1-3.el6.src.rpm) Config(epel-6-i386) 1 minutes 38 seconds
ERROR: Exception(gsi-openssh-5.3p1-3.el6.src.rpm) Config(epel-6-x86_64) 0 minutes 34 seconds
Error: No Package found for audit-libs-devel >= 2.0.5

Fedora-14 - i386,x86_64 - Both OK
INFO: Done(gsi-openssh-5.5p1-3.fc14.src.rpm) Config(fedora-14-i386) 5 minutes 15 seconds
INFO: Done(gsi-openssh-5.5p1-3.fc14.src.rpm) Config(fedora-14-x86_64) 3 minutes 28 seconds

Fedora-15 - i386,x86_64 - both OK
INFO: Done(gsi-openssh-5.6p1-3.fc15.src.rpm) Config(fedora-15-i386) 3 minutes 46 seconds
INFO: Done(gsi-openssh-5.6p1-3.fc15.src.rpm) Config(fedora-15-x86_64) 6 minutes 29 seconds

Fedora-16 - i386,x86_64 - Both OK (see comment above)

Fedora-17 (rawhide) - i386,x86_64 - OK
INFO: Done(gsi-openssh-5.9p1-1.fc17.src.rpm) Config(fedora-rawhide-i386) 5 minutes 28 seconds
INFO: Done(gsi-openssh-5.9p1-1.fc17.src.rpm) Config(fedora-rawhide-x86_64) 5 minutes 32 seconds

Given the above, I'm happy to mark as OK once the EL6 one builds OK
The epel 6 srpm builds OK for me as a koji scratch build for the dist-6E-epel build target: https://koji.fedoraproject.org/koji/taskinfo?taskID=3521322 Mattias
Many thanks for the review!

Mattias

New Package SCM Request
=======================
Package Name: gsi-openssh
Short Description: An implementation of the SSH protocol with GSI authentication
Owners: ellert
Branches: f15 f16 el5 el6
InitialCC:
Git done (by process-git-requests).
gsi-openssh-5.3p1-3.el6 has been submitted as an update for Fedora EPEL 6. https://admin.fedoraproject.org/updates/gsi-openssh-5.3p1-3.el6
gsi-openssh-4.3p2-3.el5 has been submitted as an update for Fedora EPEL 5. https://admin.fedoraproject.org/updates/gsi-openssh-4.3p2-3.el5
gsi-openssh-5.6p1-3.fc15 has been submitted as an update for Fedora 15. https://admin.fedoraproject.org/updates/gsi-openssh-5.6p1-3.fc15
gsi-openssh-5.8p2-2.fc16 has been submitted as an update for Fedora 16. https://admin.fedoraproject.org/updates/gsi-openssh-5.8p2-2.fc16
gsi-openssh-5.3p1-3.el6 has been pushed to the Fedora EPEL 6 testing repository.
gsi-openssh-5.6p1-3.fc15 has been pushed to the Fedora 15 stable repository.
gsi-openssh-5.8p2-2.fc16 has been pushed to the Fedora 16 stable repository.
gsi-openssh-4.3p2-3.el5 has been pushed to the Fedora EPEL 5 stable repository.
gsi-openssh-5.3p1-3.el6 has been pushed to the Fedora EPEL 6 stable repository.