[bug#38541] [PATCH] ssh: Add Kerberos-support to ssh:// daemon URLs

[bug#38541] [PATCH] ssh: Add Kerberos-support to ssh:// daemon URLs

[Lars-Dominik Braun]

* gnu/packages/ssh.scm (libssh): Depend on mit-krb5
(guile-ssh): Support gssapi functions, see
https://github.com/artyom-poptsov/guile-ssh/pull/15
* guix/ssh.scm (open-ssh-session): Fall back to GSSAPI if public key
authentication does not work
---
 doc/guix.texi                               |   5 +-
 gnu/packages/patches/guile-ssh-gssapi.patch | 115 ++++++++++++++++++++
 gnu/packages/ssh.scm                        |   4 +-
 guix/ssh.scm                                |  15 ++-
 4 files changed, 131 insertions(+), 8 deletions(-)
 create mode 100644 gnu/packages/patches/guile-ssh-gssapi.patch

diff --git a/doc/guix.texi b/doc/guix.texi
index 7d50f31d20..81ea5153b6 100644
--- a/doc/guix.texi
+++ b/doc/guix.texi
@@ -6753,8 +6753,9 @@ instruct it to listen for TCP connections (@pxref{Invoking guix-daemon,
 @item ssh
 @cindex SSH access to build daemons
 These URIs allow you to connect to a remote daemon over
-SSH@footnote{This feature requires Guile-SSH (@pxref{Requirements}).}.
-A typical URL might look like this:
+SSH. This feature requires Guile-SSH (@pxref{Requirements}) and a working
+@code{guile} binary in @code{PATH} on the destination machine. It supports
+public key and GSSAPI authentication. A typical URL might look like this:
 
 @example
 ssh://charlie@@guix.example.org:22
diff --git a/gnu/packages/patches/guile-ssh-gssapi.patch b/gnu/packages/patches/guile-ssh-gssapi.patch
new file mode 100644
index 0000000000..522687d589
--- /dev/null
+++ b/gnu/packages/patches/guile-ssh-gssapi.patch
@@ -0,0 +1,115 @@
+commit 8b728dc144ea12f3a339a2009e403e9bbd8fd39c
+Author: Lars-Dominik Braun <ldb@leibniz-psychology.org>
+Date:   Thu Dec 5 10:31:00 2019 +0100
+
+    Add GSSAPI user authentication method
+    
+    Bind to libssh’s ssh_userauth_gssapi().
+
+diff --git a/doc/api-auth.texi b/doc/api-auth.texi
+index b2975d2..9f2884d 100644
+--- a/doc/api-auth.texi
++++ b/doc/api-auth.texi
+@@ -125,6 +125,26 @@ In nonblocking mode, you've got to call this again later.
+ 
+ @end deffn
+ 
++@deffn {Scheme Procedure} userauth-gssapi! session
++Try to authenticate through the @code{gssapi-with-mic} method.
++
++Return one of the following symbols: 
++
++@table @samp
++@item success
++Authentication success.
++@item partial
++You've been partially authenticated, you still have to use another method.
++@item again
++In nonblocking mode, you've got to call this again later.
++@item denied
++Authentication failed: use another method.
++@item error
++A serious error happened.
++@end table
++
++@end deffn
++
+ @deffn {Scheme Procedure} userauth-none! session
+ Try to authenticate through the @code{none} method.
+ 
+diff --git a/libguile-ssh/auth.c b/libguile-ssh/auth.c
+index 52d3262..e9efe9e 100644
+--- a/libguile-ssh/auth.c
++++ b/libguile-ssh/auth.c
+@@ -206,6 +206,27 @@ Throw `wrong-type-arg' if a disconnected SESSION is passed as an argument.\
+ }
+ #undef FUNC_NAME
+ 
++SCM_DEFINE (guile_ssh_userauth_gssapi_x,
++            "userauth-gssapi!", 1, 0, 0,
++            (SCM session),
++            "\
++Try to authenticate through the \"gssapi-with-mic\" method.\
++Throw `wrong-type-arg' if a disconnected SESSION is passed as an argument.\
++")
++#define FUNC_NAME s_guile_ssh_userauth_gssapi_x
++{
++  struct session_data *sd = _scm_to_session_data (session);
++
++  int res;
++
++  GSSH_VALIDATE_CONNECTED_SESSION (sd, session, SCM_ARG1);
++
++  res = ssh_userauth_gssapi (sd->ssh_session);
++
++  return ssh_auth_result_to_symbol (res);
++}
++#undef FUNC_NAME
++
+ \f
+ /* Try to authenticate through the "none" method.
+ 
+diff --git a/modules/ssh/auth.scm b/modules/ssh/auth.scm
+index 158cab1..7a4be10 100644
+--- a/modules/ssh/auth.scm
++++ b/modules/ssh/auth.scm
+@@ -29,6 +29,7 @@
+ ;;   userauth-public-key/try
+ ;;   userauth-agent!
+ ;;   userauth-password!
++;;   userauth-gssapi!
+ ;;   userauth-none!
+ ;;   userauth-get-list
+ 
+@@ -46,6 +47,7 @@
+             userauth-public-key/try
+             userauth-agent!
+             userauth-password!
++            userauth-gssapi!
+             userauth-none!
+             userauth-get-list
+             openssh-agent-start
+diff --git a/tests/client-server.scm b/tests/client-server.scm
+index 2704280..d8f490a 100644
+--- a/tests/client-server.scm
++++ b/tests/client-server.scm
+@@ -429,6 +429,19 @@
+   (userauth-public-key/auto! (make-session-for-test)))
+ 
+ \f
++;;; 'userauth-gssapi!'
++
++;; The procedure called with a wrong object as a parameter which leads to an
++;; exception.
++(test-error-with-log "userauth-gssapi!, wrong parameter" 'wrong-type-arg
++  (userauth-gssapi! "Not a session."))
++
++;; Client tries to authenticate using a non-connected session which leads to
++;; an exception.
++(test-error-with-log "userauth-gssapi!, not connected" 'wrong-type-arg
++  (userauth-gssapi! (make-session-for-test)))
++
++\f
+ ;;;
+ 
+ \f
diff --git a/gnu/packages/ssh.scm b/gnu/packages/ssh.scm
index b82d280089..5a001525d0 100644
--- a/gnu/packages/ssh.scm
+++ b/gnu/packages/ssh.scm
@@ -99,7 +99,8 @@
        ;; TODO: Add 'CMockery' and '-DWITH_TESTING=ON' for the test suite.
        #:tests? #f))
     (inputs `(("zlib" ,zlib)
-              ("libgcrypt" ,libgcrypt)))
+              ("libgcrypt" ,libgcrypt)
+              ("mit-krb5" ,mit-krb5)))
     (synopsis "SSH client library")
     (description
      "libssh is a C library implementing the SSHv2 and SSHv1 protocol for client
@@ -244,6 +245,7 @@ Additionally, various channel-specific options can be negotiated.")
               (sha256
                (base32
                 "03bv3hwp2s8f0bqgfjaan9jx4dyab0abv27n2zn2g0izlidv0vl6"))
+              (patches (search-patches "guile-ssh-gssapi.patch"))
               (modules '((guix build utils)))
               (snippet
                '(begin
diff --git a/guix/ssh.scm b/guix/ssh.scm
index 291ce20b61..56b49b177f 100644
--- a/guix/ssh.scm
+++ b/guix/ssh.scm
@@ -157,11 +157,16 @@ server at '~a': ~a")
           (session-set! session 'timeout timeout)
           session)
          (x
-          (disconnect! session)
-          (raise (condition
-                  (&message
-                   (message (format #f (G_ "SSH authentication failed for '~a': ~a~%")
-                                    host (get-error session)))))))))
+          (match (userauth-gssapi! session)
+            ('success
+             (session-set! session 'timeout timeout)
+             session)
+            (x
+             (disconnect! session)
+             (raise (condition
+                     (&message
+                      (message (format #f (G_ "SSH authentication failed for '~a': ~a~%")
+                                       host (get-error session)))))))))))
       (x
        ;; Connection failed or timeout expired.
        (raise (condition
-- 
2.20.1

[bug#38541] [PATCH] ssh: Add Kerberos-support to ssh:// daemon URLs

[Ludovic Courtès]

Hello,

Lars-Dominik Braun <ldb@leibniz-psychology.org> skribis:

> * gnu/packages/ssh.scm (libssh): Depend on mit-krb5
> (guile-ssh): Support gssapi functions, see
> https://github.com/artyom-poptsov/guile-ssh/pull/15
> * guix/ssh.scm (open-ssh-session): Fall back to GSSAPI if public key
> authentication does not work
> ---
>  doc/guix.texi                               |   5 +-
>  gnu/packages/patches/guile-ssh-gssapi.patch | 115 ++++++++++++++++++++
>  gnu/packages/ssh.scm                        |   4 +-
>  guix/ssh.scm                                |  15 ++-
>  4 files changed, 131 insertions(+), 8 deletions(-)
>  create mode 100644 gnu/packages/patches/guile-ssh-gssapi.patch

Nice!  (Note that we normally list all the modified files/entities in
the commit log; see
<https://guix.gnu.org/manual/en/html_node/Submitting-Patches.html>.)

Do you know if a Guile-SSH release is coming?  If so, we could wait and
avoid carrying the Guile-SSH patch.

Other than that, the patch LGTM!

Thank you,
Ludo’.

[bug#38541] [PATCH] ssh: Add Kerberos-support to ssh:// daemon URLs

[Lars-Dominik Braun]

Hey,

> Nice!  (Note that we normally list all the modified files/entities in
> the commit log; see
> <https://guix.gnu.org/manual/en/html_node/Submitting-Patches.html>.)
oh, ok, I guess that includes the .texi and .patch files as well then:

* doc/guix.texi: Document requirements for SSH-based connection to guix-daemon
* gnu/packages/patches/guile-ssh-gssapi.patch: Add GSSAPI user authentication
method to guile-ssh

> Do you know if a Guile-SSH release is coming?  If so, we could wait and
> avoid carrying the Guile-SSH patch.
I don’t know.

Lars

[bug#38541] [PATCH] ssh: Add Kerberos-support to ssh:// daemon URLs

[Ludovic Courtès]

Hi,

Lars-Dominik Braun <ldb@leibniz-psychology.org> skribis:

>> Nice!  (Note that we normally list all the modified files/entities in
>> the commit log; see
>> <https://guix.gnu.org/manual/en/html_node/Submitting-Patches.html>.)
> oh, ok, I guess that includes the .texi and .patch files as well then:
>
> * doc/guix.texi: Document requirements for SSH-based connection to guix-daemon
> * gnu/packages/patches/guile-ssh-gssapi.patch: Add GSSAPI user authentication
> method to guile-ssh

Yes, more specifically:

  * doc/guix.texi (The Store): Document requirements for SSH-based
  connection to guix-daemon.
  * gnu/packages/patches/guile-ssh-gssapi.patch: New file.

Documentation of the patch should go to the first lines of the patch.

>> Do you know if a Guile-SSH release is coming?  If so, we could wait and
>> avoid carrying the Guile-SSH patch.
> I don’t know.

OK, let’s see…

Ludo’.

[bug#38541] Guile-SSH release?

[Ludovic Courtès]

Hi Artyom!

While discussing Kerberos support contributed by Lars-Dominik in
<https://bugs.gnu.org/38541>, we were wondering about your plans for a
new Guile-SSH release?

If you’re planning to release soonish, we won’t need to carry
Lars-Dominik’s patch in Guix proper, which is always better.

Another thing that would be nice to have is Guile 2.9/3.0 support while
we’re at it.  :-)  It requires very few changes, as shown here:

  https://git.savannah.gnu.org/cgit/guix.git/tree/gnu/packages/ssh.scm#n317

Let us know what you think!

Thanks,
Ludo’.

[bug#38541] Guile-SSH release?

[Artyom Poptsov]

Hello Ludovic,

glad to hear from you.  It's quite unfortunate, but recently I had a
hard time giving any attention to Guile-SSH as I was
overloaded with various urgent tasks.

Now I have more free time, so I'm hoping to make some progress in
releasing a new Guile-SSH version in a month or so.

Thanks,

- Artyom

On Mon, 16 Dec 2019 at 13:17, Ludovic Courtès <ludo@gnu.org> wrote:
>
> Hi Artyom!
>
> While discussing Kerberos support contributed by Lars-Dominik in
> <https://bugs.gnu.org/38541>, we were wondering about your plans for a
> new Guile-SSH release?
>
> If you’re planning to release soonish, we won’t need to carry
> Lars-Dominik’s patch in Guix proper, which is always better.
>
> Another thing that would be nice to have is Guile 2.9/3.0 support while
> we’re at it.  :-)  It requires very few changes, as shown here:
>
>   https://git.savannah.gnu.org/cgit/guix.git/tree/gnu/packages/ssh.scm#n317
>
> Let us know what you think!
>
> Thanks,
> Ludo’.



-- 
Artyom V. Poptsov <poptsov.artyom@gmail.com>
Home page: http://poptsov-artyom.narod.ru/
CADR Hackerspace co-founder: https://cadrspace.ru/
GPG: D0C2 EAC1 3310 822D 98DE  B57C E9C5 A2D9 0898 A02F

[bug#38541] Guile-SSH release?

[Ludovic Courtès]

Hi Artyom,

Artyom Poptsov <poptsov.artyom@gmail.com> skribis:

> glad to hear from you.  It's quite unfortunate, but recently I had a
> hard time giving any attention to Guile-SSH as I was
> overloaded with various urgent tasks.
>
> Now I have more free time, so I'm hoping to make some progress in
> releasing a new Guile-SSH version in a month or so.

Awesome, thanks for your feedback!

Ludo’.

[bug#38541] [PATCH] ssh: Add Kerberos-support to ssh:// daemon URLs

[Lars-Dominik Braun]

[-- Attachment #1: Type: text/plain, Size: 154 bytes --]

Hey,

now that guile-ssh 0.12.0 has landed in guix (commit
38655d7b88ae9d82208e5750480c9b91dd9dda8b), I’ve update the patch, see attached
files.

Lars


[-- Attachment #2: 0001-gnu-Add-Kerberos-support-to-libssh.patch --]
[-- Type: text/x-diff, Size: 928 bytes --]

From 5609c51e623b21aead73d29c555400f256a77a5e Mon Sep 17 00:00:00 2001
From: Lars-Dominik Braun <ldb@leibniz-psychology.org>
Date: Wed, 19 Feb 2020 11:13:15 +0100
Subject: [PATCH 1/2] gnu: Add Kerberos support to libssh

* gnu/packages/ssh.scm (libssh)[inputs]: Depend on mit-krb5
---
 gnu/packages/ssh.scm | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/gnu/packages/ssh.scm b/gnu/packages/ssh.scm
index 72b7c745f9..fdb3450e01 100644
--- a/gnu/packages/ssh.scm
+++ b/gnu/packages/ssh.scm
@@ -90,7 +90,8 @@
        ;; TODO: Add 'CMockery' and '-DWITH_TESTING=ON' for the test suite.
        #:tests? #f))
     (inputs `(("zlib" ,zlib)
-              ("libgcrypt" ,libgcrypt)))
+              ("libgcrypt" ,libgcrypt)
+              ("mit-krb5" ,mit-krb5)))
     (synopsis "SSH client library")
     (description
      "libssh is a C library implementing the SSHv2 and SSHv1 protocol for client
-- 
2.20.1


[-- Attachment #3: 0002-ssh-Add-Kerberos-support-to-ssh-daemon-URLs.patch --]
[-- Type: text/x-diff, Size: 2165 bytes --]

From 8c5246eb6e38cfb97a1580876fe484e1a038fef6 Mon Sep 17 00:00:00 2001
From: Lars-Dominik Braun <ldb@leibniz-psychology.org>
Date: Wed, 19 Feb 2020 11:13:54 +0100
Subject: [PATCH 2/2] ssh: Add Kerberos-support to ssh:// daemon URLs

* guix/ssh.scm (open-ssh-session): Fall back to GSSAPI if public key
authentication does not work
---
 doc/guix.texi |  5 +++--
 guix/ssh.scm  | 15 ++++++++++-----
 2 files changed, 13 insertions(+), 7 deletions(-)

diff --git a/doc/guix.texi b/doc/guix.texi
index afb70d5378..f1ca285a25 100644
--- a/doc/guix.texi
+++ b/doc/guix.texi
@@ -6811,8 +6811,9 @@ instruct it to listen for TCP connections (@pxref{Invoking guix-daemon,
 @item ssh
 @cindex SSH access to build daemons
 These URIs allow you to connect to a remote daemon over
-SSH@footnote{This feature requires Guile-SSH (@pxref{Requirements}).}.
-A typical URL might look like this:
+SSH. This feature requires Guile-SSH (@pxref{Requirements}) and a working
+@code{guile} binary in @code{PATH} on the destination machine. It supports
+public key and GSSAPI authentication. A typical URL might look like this:
 
 @example
 ssh://charlie@@guix.example.org:22
diff --git a/guix/ssh.scm b/guix/ssh.scm
index 291ce20b61..56b49b177f 100644
--- a/guix/ssh.scm
+++ b/guix/ssh.scm
@@ -157,11 +157,16 @@ server at '~a': ~a")
           (session-set! session 'timeout timeout)
           session)
          (x
-          (disconnect! session)
-          (raise (condition
-                  (&message
-                   (message (format #f (G_ "SSH authentication failed for '~a': ~a~%")
-                                    host (get-error session)))))))))
+          (match (userauth-gssapi! session)
+            ('success
+             (session-set! session 'timeout timeout)
+             session)
+            (x
+             (disconnect! session)
+             (raise (condition
+                     (&message
+                      (message (format #f (G_ "SSH authentication failed for '~a': ~a~%")
+                                       host (get-error session)))))))))))
       (x
        ;; Connection failed or timeout expired.
        (raise (condition
-- 
2.20.1

bug#38541: [PATCH] ssh: Add Kerberos-support to ssh:// daemon URLs

[Ludovic Courtès]

Hi Lars-Dominik,

Lars-Dominik Braun <ldb@leibniz-psychology.org> skribis:

> now that guile-ssh 0.12.0 has landed in guix (commit
> 38655d7b88ae9d82208e5750480c9b91dd9dda8b), I’ve update the patch, see attached
> files.

Awesome, pushed both!

[...]

> +          (match (userauth-gssapi! session)
> +            ('success
> +             (session-set! session 'timeout timeout)
> +             session)
> +            (x
> +             (disconnect! session)
> +             (raise (condition
> +                     (&message
> +                      (message (format #f (G_ "SSH authentication failed for '~a': ~a~%")
> +                                       host (get-error session)))))))))))

Note that someone running this with an older Guile-SSH will get an
unbound variable error.

We should probably document the 0.12.0 requirement in the manual, at
least.

Thanks,
Ludo’.

[bug#38541] [PATCH] ssh: Add Kerberos-support to ssh:// daemon URLs

[Lars-Dominik Braun]

[-- Attachment #1: Type: text/plain, Size: 235 bytes --]

Hi Ludo,

> Note that someone running this with an older Guile-SSH will get an
> unbound variable error.
> We should probably document the 0.12.0 requirement in the manual, at
> least.
you’re right, attached patch fixes that.

Lars


[-- Attachment #2: 0001-build-Depend-on-guile-ssh-0.12.0.patch --]
[-- Type: text/x-diff, Size: 1940 bytes --]

From 0e2898c26f26ec5871bae9fd2b5d15047e38075c Mon Sep 17 00:00:00 2001
From: Lars-Dominik Braun <ldb@leibniz-psychology.org>
Date: Thu, 20 Feb 2020 12:36:10 +0100
Subject: [PATCH] build: Depend on guile-ssh 0.12.0

* m4/guix.m4 (GUIX_CHECK_GUILE_SSH): Check for userauth-gssapi!
* doc/guix.texi: Document version requirement
---
 doc/guix.texi | 4 ++--
 m4/guix.m4    | 5 +++--
 2 files changed, 5 insertions(+), 4 deletions(-)

diff --git a/doc/guix.texi b/doc/guix.texi
index f1ca285a25..df52d24155 100644
--- a/doc/guix.texi
+++ b/doc/guix.texi
@@ -772,11 +772,11 @@ The following dependencies are optional:
 
 @itemize
 @item
-@c Note: We need at least 0.10.2 for 'channel-send-eof'.
+@c Note: We need at least 0.12.0 for 'userauth-gssapi!'.
 Support for build offloading (@pxref{Daemon Offload Setup}) and
 @command{guix copy} (@pxref{Invoking guix copy}) depends on
 @uref{https://github.com/artyom-poptsov/guile-ssh, Guile-SSH},
-version 0.10.2 or later.
+version 0.12.0 or later.
 
 @item
 When @url{https://www.nongnu.org/lzip/lzlib.html, lzlib} is available, lzlib
diff --git a/m4/guix.m4 b/m4/guix.m4
index 8be7cca54f..961ce838ac 100644
--- a/m4/guix.m4
+++ b/m4/guix.m4
@@ -142,13 +142,14 @@ dnl GUIX_CHECK_GUILE_SSH
 dnl
 dnl Check whether a recent-enough Guile-SSH is available.
 AC_DEFUN([GUIX_CHECK_GUILE_SSH], [
-  dnl Check whether 'channel-send-eof' (introduced in 0.10.2) is present.
+  dnl Check whether 'userauth-gssapi!' (introduced in 0.12.0) is present.
   AC_CACHE_CHECK([whether Guile-SSH is available and recent enough],
     [guix_cv_have_recent_guile_ssh],
     [GUILE_CHECK([retval],
       [(and (@ (ssh channel) channel-send-eof)
             (@ (ssh popen) open-remote-pipe)
-	    (@ (ssh dist node) node-eval))])
+            (@ (ssh dist node) node-eval)
+            (@ (ssh auth) userauth-gssapi!))])
      if test "$retval" = 0; then
        guix_cv_have_recent_guile_ssh="yes"
      else
-- 
2.20.1

[bug#38541] [PATCH] ssh: Add Kerberos-support to ssh:// daemon URLs

[Ludovic Courtès]

Hi Lars,

Lars-Dominik Braun <ldb@leibniz-psychology.org> skribis:

> From 0e2898c26f26ec5871bae9fd2b5d15047e38075c Mon Sep 17 00:00:00 2001
> From: Lars-Dominik Braun <ldb@leibniz-psychology.org>
> Date: Thu, 20 Feb 2020 12:36:10 +0100
> Subject: [PATCH] build: Depend on guile-ssh 0.12.0
>
> * m4/guix.m4 (GUIX_CHECK_GUILE_SSH): Check for userauth-gssapi!
> * doc/guix.texi: Document version requirement

Applied, thanks!

Ludo’.