Date: Thu, 13 Aug 2009 10:21:59 -0500
From: Alec Kloss
To: cygwin AT cygwin DOT com
Subject: Re: Successful build of ssh from openssh w. MIT kerberos
Message-ID: <20090813152159.GV13418@hamlet.SetFilePointer.com>
In-Reply-To: <4A836C6A.7020803@users.sourceforge.net>

On 2009-08-12 20:29, Yaakov (Cygwin/X) wrote:
> On 12/08/2009 14:55, Alec Kloss wrote:
> >I'm not having much luck with heimdal-1.2.1 from cygwin-ports trunk
> >on Cygwin 1.7 beta.  This is all downloaded today.  cygwin-ports
> >revision 7337.
>
> 1) If patch(1) is segfaulting, something else is wrong with your
> installation.

Hrm... there appear to be some problems with the filesystem in
cygwin 1.7.  I was working on an OpenAFS volume where patch was
segfaulting.  Working on an NTFS volume doesn't segfault.

Unfortunately, I'm still having trouble with heimdal-1.2.1-1.cygport.
Running "cygport heimdal-1.2.1-1.cygport" results in:

    >>> Preparing heimdal-1.2.1-1
    *** Info: SOURCE 1 signature follows:
    gpg: WARNING: using insecure memory!
    gpg: please see http://www.gnupg.org/faq.html for more information
    gpg: Signature made Mon Jul 28 07:33:35 2008 CDT using DSA key ID 45D901D8
    gpg: Can't check signature: public key not found
    >>> Unpacking source heimdal-1.2.1.tar.gz
    *** Info: applying patch 001_all_heimdal-no_libedit.patch:
    patching file cf/krb-readline.m4
    *** Info: applying patch 003_all_heimdal-rxapps.patch:
    patching file appl/kx/rxtelnet.in
    Hunk #1 succeeded at 2 with fuzz 1.
    patching file appl/kx/rxterm.in
    Hunk #1 succeeded at 2 with fuzz 1.
    *** Info: applying patch 014_all_heimdal-path.patch:
    *** Info: applying patch 022_all_heimdal-as-needed.patch:
    patching file lib/roken/Makefile.am
    Hunk #1 succeeded at 110 (offset 3 lines).
    patching file lib/editline/Makefile.am
    *** Info: applying patch heimdal-r23238-kb5_locl_h-wind_h.patch:
    patching file lib/krb5/Makefile.am
    *** Info: applying patch heimdal-r23235-kb5-libwind_la.patch:
    *** Info: applying patch heimdal-kdc-sans_pkinit.patch:
    patching file kdc/Makefile.am
    *** Info: applying patch heimdal-system_sqlite.patch:
    *** Info: applying patch heimdal-symlinked-manpages.patch:
    *** Info: applying patch heimdal-autoconf-ipv6-backport.patch:
    patching file cf/krb-ipv6.m4
    patching file lib/roken/mini_inetd.c
    *** ERROR: patch 1.2.1-no-editline.patch will not apply

> 2) Why is your cygport(1) under /usr/local?  The cygport packages that
> are part of the distro (curr. 0.9.9) install under /usr.

I compiled my own from the Subversion trunk sources.  I also just
installed the cygport binary and it behaves exactly the same way.

> >I've had success compiling Heimdal 1.2 directly and linking openssh
> >to it to get GSSAPI authentication working but it seems like
> >getting cygwin-ports to do the work would be a better solution.
>
> The major difference if you built heimdal OOTB is that you have only
> static libraries; the Ports .cygport makes shared libs as well.

That's true.

> I just uploaded the binary packages here:
>
> ftp://ftp.cygwinports.org/pub/cygwinports/release-2/heimdal/
>
> You'll have to download them manually for now.

Hrm, these must be cygwin packages; just untarring them doesn't
appear to be sufficient.  Pointing Cygwin's setup-1.7.exe at
ftp://ftp.cygwinports.org/pub/cygwinports/ seems to download the
setup-2.bz2 file, but the setup-2.bz2.sig doesn't survive the
signature testing.  I'm (obviously) no cygwin packaging expert so if
someone can give me a hint about this, that'd be great.

> One reason I haven't ITP'd this build is because I have no means of
> testing it in real world scenarios.  'make check' did pass, so that's
> promising, but I need someone else who is familiar with KRB5 to tell me
> it really works (or tell me how else I could test it).

I can probably find some time to test a small installation.  I'd
think most users would just want the client tools and the GSSAPI
integration in sshd to work.  I'd be a little surprised if someone
wanted to run a KDC under cygwin, but one never knows.

The earlier poster had openssh linked against MIT Kerberos for
Windows.  This has a significant advantage over linking for heimdal
in that KfW can use the MSLSA ticket cache.  This means a user could
sit at a workstation, log in using their Windows domain username and
password, click the cygwin icon, type "ssh myfavoriteserver" and be
logged in without any additional password prompting.  I don't think
heimdal can access the MSLSA cache, so...
someone needs to think about if/when a kerberized openssh is
included in cygwin if it should link against cygwin-compiled heimdal
or against MIT KfW.

--
Alec Kloss  alec AT SetFilePointer DOT com   IM: daemonalec AT gmail DOT com
PGP key at http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xA241980E
"No Bunny!" -- Simon, http://wiki.adultswim.com/xwiki/bin/Frisky+Dingo/Simon
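
A log check for the cygport run shown in the message, as an added example that is not part of the original post or of cygport: it flags the source signature that gpg could not verify, hunks applied with fuzz, and the patch that failed to apply. The function names and the fail/review policy are assumptions; the sample log lines are copied from the output quoted in the message.

```python
import re

# Output lines copied from the cygport run quoted in the message.
CYGPORT_LOG = """\
>>> Preparing heimdal-1.2.1-1
*** Info: SOURCE 1 signature follows:
gpg: Signature made Mon Jul 28 07:33:35 2008 CDT using DSA key ID 45D901D8
gpg: Can't check signature: public key not found
>>> Unpacking source heimdal-1.2.1.tar.gz
*** Info: applying patch 003_all_heimdal-rxapps.patch:
patching file appl/kx/rxtelnet.in
Hunk #1 succeeded at 2 with fuzz 1.
*** Info: applying patch 022_all_heimdal-as-needed.patch:
patching file lib/roken/Makefile.am
Hunk #1 succeeded at 110 (offset 3 lines).
*** ERROR: patch 1.2.1-no-editline.patch will not apply
"""

PATCH_START = re.compile(r"^\*\*\* Info: applying patch (\S+):")
FILE_START = re.compile(r"^patching file (\S+)")
RULES = [
    ("unverified-signature", re.compile(r"^gpg: Can't check signature: (.+)$")),
    ("fuzzy-hunk", re.compile(r"^Hunk #\d+ succeeded at \d+ with fuzz (\d+)")),
    ("patch-failed", re.compile(r"^\*\*\* ERROR: patch (\S+) will not apply")),
]
# Assumed policy: these kinds fail the build; fuzzy hunks go to manual review.
BLOCKING = {"unverified-signature", "patch-failed"}

def audit(log):
    """Return (kind, detail, patch, file) tuples for each risky log line."""
    findings, patch, target = [], None, None
    for raw in log.splitlines():
        line = raw.strip()
        if m := PATCH_START.match(line):
            patch, target = m.group(1), None
        elif m := FILE_START.match(line):
            target = m.group(1)
        for kind, rx in RULES:
            if m := rx.match(line):
                # Only a fuzzy hunk belongs to the patch/file being applied.
                ctx = (patch, target) if kind == "fuzzy-hunk" else (None, None)
                findings.append((kind, m.group(1), *ctx))
    return findings

def should_fail(findings):
    """True when any finding is of a kind the assumed policy treats as fatal."""
    return any(kind in BLOCKING for kind, *_ in findings)

if __name__ == "__main__":
    for finding in audit(CYGPORT_LOG):
        print(finding)
    print("fail build:", should_fail(audit(CYGPORT_LOG)))
```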