Subject: [bug#38541] [PATCH] ssh: Add Kerberos-support to ssh:// daemon URLs
Date: Wed, 19 Feb 2020 13:52:51 +0100
From: Lars-Dominik Braun
Message-ID: <20200219125251.GC2938@zpidnp36>
References: <20191209083737.GA10190@zpidnp36> <87a77uwkh1.fsf@gnu.org>
In-Reply-To: <87a77uwkh1.fsf@gnu.org>
To: Ludovic Courtès
Cc: 38541@debbugs.gnu.org
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="uQr8t48UFsdbeI+V"

--uQr8t48UFsdbeI+V
Content-Type: text/plain; charset=utf-8
Content-Disposition: inline
Content-Transfer-Encoding: 8bit

Hey,

now that guile-ssh 0.12.0 has landed in guix (commit 38655d7b88ae9d82208e5750480c9b91dd9dda8b), I’ve updated the patch, see attached files.

Lars

--uQr8t48UFsdbeI+V
Content-Type: text/x-diff; charset=us-ascii
Content-Disposition: attachment; filename="0001-gnu-Add-Kerberos-support-to-libssh.patch"

>From 5609c51e623b21aead73d29c555400f256a77a5e Mon Sep 17 00:00:00 2001
From: Lars-Dominik Braun Date: Wed, 19 Feb 2020 11:13:15 +0100 Subject: [PATCH 1/2] gnu: Add Kerberos support to libssh * gnu/packages/ssh.scm (libssh)[inputs]: Depend on mit-krb5 --- gnu/packages/ssh.scm | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/gnu/packages/ssh.scm b/gnu/packages/ssh.scm index 72b7c745f9..fdb3450e01 100644 --- a/gnu/packages/ssh.scm +++ b/gnu/packages/ssh.scm @@ -90,7 +90,8 @@ ;; TODO: Add 'CMockery' and '-DWITH_TESTING=ON' for the test suite. #:tests? #f)) (inputs `(("zlib" ,zlib) - ("libgcrypt" ,libgcrypt))) + ("libgcrypt" ,libgcrypt) + ("mit-krb5" ,mit-krb5))) (synopsis "SSH client library") (description "libssh is a C library implementing the SSHv2 and SSHv1 protocol for client -- 2.20.1 --uQr8t48UFsdbeI+V Content-Type: text/x-diff; charset=us-ascii Content-Disposition: attachment; filename="0002-ssh-Add-Kerberos-support-to-ssh-daemon-URLs.patch" >From 8c5246eb6e38cfb97a1580876fe484e1a038fef6 Mon Sep 17 00:00:00 2001 From: Lars-Dominik Braun Date: Wed, 19 Feb 2020 11:13:54 +0100 Subject: [PATCH 2/2] ssh: Add Kerberos-support to ssh:// daemon URLs * guix/ssh.scm (open-ssh-session): Fall back to GSSAPI if public key authentication does not work --- doc/guix.texi | 5 +++-- guix/ssh.scm | 15 ++++++++++----- 2 files changed, 13 insertions(+), 7 deletions(-) diff --git a/doc/guix.texi b/doc/guix.texi index afb70d5378..f1ca285a25 100644 --- a/doc/guix.texi +++ b/doc/guix.texi 
@@ -6811,8 +6811,9 @@ instruct it to listen for TCP connections (@pxref{Invoking guix-daemon, @item ssh @cindex SSH access to build daemons These URIs allow you to connect to a remote daemon over -SSH@footnote{This feature requires Guile-SSH (@pxref{Requirements}).}. -A typical URL might look like this: +SSH. This feature requires Guile-SSH (@pxref{Requirements}) and a working +@code{guile} binary in @code{PATH} on the destination machine. It supports +public key and GSSAPI authentication. A typical URL might look like this: @example ssh://charlie@@guix.example.org:22 diff --git a/guix/ssh.scm b/guix/ssh.scm index 291ce20b61..56b49b177f 100644 --- a/guix/ssh.scm +++ b/guix/ssh.scm @@ -157,11 +157,16 @@ server at '~a': ~a") (session-set! session 'timeout timeout) session) (x - (disconnect! session) - (raise (condition - (&message - (message (format #f (G_ "SSH authentication failed for '~a': ~a~%") - host (get-error session))))))))) + (match (userauth-gssapi! session) + ('success + (session-set! session 'timeout timeout) + session) + (x + (disconnect! session) + (raise (condition + (&message + (message (format #f (G_ "SSH authentication failed for '~a': ~a~%") + host (get-error session))))))))))) (x ;; Connection failed or timeout expired. (raise (condition -- 2.20.1 --uQr8t48UFsdbeI+V--
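Review bot: In the libssh `inputs` hunk of gnu/packages/ssh.scm (patch 1/2), `mit-krb5` is added with no accompanying change, since the diffstat's two insertions are the input lines themselves. Please confirm that the module defining `mit-krb5` is already imported in ssh.scm, and consider either an explicit configure flag or a short comment on the new input, so that GSSAPI support in libssh does not depend silently on the build system detecting the library. The visible context also shows `#:tests? #f`, so nothing in this package's build will notice if Kerberos support is dropped later.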
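Review bot: The doc/guix.texi hunk (patch 2/2) has no entry in the commit log, which lists only `guix/ssh.scm (open-ssh-session)`; please add a `* doc/guix.texi` line describing the change. The new sentence "It supports public key and GSSAPI authentication" also leaves out the order that the code implements: GSSAPI is tried only after public key authentication has not succeeded. Stating that in the manual would tell administrators which credential is offered first. The hunk also moves the Guile-SSH requirement out of the footnote and adds the requirement for a `guile` binary in `PATH` on the destination machine, which is unrelated to Kerberos and would be easier to review as a separate change.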
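Review bot: In the guix/ssh.scm hunk (patch 2/2), the GSSAPI fallback sits in the catch-all `(x ...)` branch, so it runs for every non-success result of the public key attempt, and the final message reports only `(get-error session)` taken after `userauth-gssapi!` has run. The reason public key authentication failed is not captured before the second attempt, which makes a failed login harder to diagnose. Suggest saving the session error before calling `userauth-gssapi!` and including both reasons in the "SSH authentication failed" message, or at least naming which methods were tried. Two smaller points: the inner `x` shadows the outer `x`, and `(session-set! session 'timeout timeout)` followed by `session` is now duplicated in both success branches, so a small local helper would keep the two paths from drifting apart.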