From mboxrd@z Thu Jan  1 00:00:00 1970
Received: from eggs.gnu.org ([2001:470:142:3::10]:39917)
 by lists.gnu.org with esmtp (Exim 4.90_1)
 (envelope-from <Debian-debbugs@debbugs.gnu.org>) id 1ieEky-00040a-L3
 for guix-patches@gnu.org; Mon, 09 Dec 2019 03:51:06 -0500
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
 (envelope-from <Debian-debbugs@debbugs.gnu.org>) id 1ieEkw-0006GK-Ud
 for guix-patches@gnu.org; Mon, 09 Dec 2019 03:51:04 -0500
Received: from debbugs.gnu.org ([209.51.188.43]:46588)
 by eggs.gnu.org with esmtps (TLS1.0:RSA_AES_128_CBC_SHA1:16)
 (Exim 4.71) (envelope-from <Debian-debbugs@debbugs.gnu.org>)
 id 1ieEkw-0006Er-Je
 for guix-patches@gnu.org; Mon, 09 Dec 2019 03:51:02 -0500
Received: from Debian-debbugs by debbugs.gnu.org with local (Exim 4.84_2)
 (envelope-from <Debian-debbugs@debbugs.gnu.org>) id 1ieEkw-0007RG-IN
 for guix-patches@gnu.org; Mon, 09 Dec 2019 03:51:02 -0500
Subject: [bug#38541] [PATCH] ssh: Add Kerberos-support to ssh:// daemon URLs
Resent-Message-ID: <handler.38541.B.157588145328576@debbugs.gnu.org>
Received: from eggs.gnu.org ([2001:470:142:3::10]:35428)
 by lists.gnu.org with esmtp (Exim 4.90_1)
 (envelope-from <ldb@leibniz-psychology.org>) id 1ieEY1-00080K-LV
 for guix-patches@gnu.org; Mon, 09 Dec 2019 03:37:43 -0500
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
 (envelope-from <ldb@leibniz-psychology.org>) id 1ieEY0-0001Ch-3w
 for guix-patches@gnu.org; Mon, 09 Dec 2019 03:37:41 -0500
Received: from mail-wr1-x42f.google.com ([2a00:1450:4864:20::42f]:37420)
 by eggs.gnu.org with esmtps (TLS1.0:RSA_AES_128_CBC_SHA1:16)
 (Exim 4.71) (envelope-from <ldb@leibniz-psychology.org>)
 id 1ieEXz-0001CC-KA
 for guix-patches@gnu.org; Mon, 09 Dec 2019 03:37:40 -0500
Received: by mail-wr1-x42f.google.com with SMTP id w15so15213210wru.4
 for <guix-patches@gnu.org>; Mon, 09 Dec 2019 00:37:38 -0800 (PST)
Received: from localhost (zpidlx9.uni-trier.de. [136.199.85.49])
 by smtp.gmail.com with ESMTPSA id x18sm26381558wrr.75.2019.12.09.00.37.36
 for <guix-patches@gnu.org>
 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
 Mon, 09 Dec 2019 00:37:36 -0800 (PST)
Date: Mon, 9 Dec 2019 09:37:37 +0100
From: Lars-Dominik Braun <ldb@leibniz-psychology.org>
Message-ID: <20191209083737.GA10190@zpidnp36>
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
List-Id: <guix-patches.gnu.org>
List-Unsubscribe: <https://lists.gnu.org/mailman/options/guix-patches>,
 <mailto:guix-patches-request@gnu.org?subject=unsubscribe>
List-Archive: <https://lists.gnu.org/archive/html/guix-patches>
List-Post: <mailto:guix-patches@gnu.org>
List-Help: <mailto:guix-patches-request@gnu.org?subject=help>
List-Subscribe: <https://lists.gnu.org/mailman/listinfo/guix-patches>,
 <mailto:guix-patches-request@gnu.org?subject=subscribe>
Errors-To: guix-patches-bounces+kyle=kyleam.com@gnu.org
Sender: "Guix-patches" <guix-patches-bounces+kyle=kyleam.com@gnu.org>
To: 38541@debbugs.gnu.org

* gnu/packages/ssh.scm (libssh): Depend on mit-krb5
(guile-ssh): Support gssapi functions, see
https://github.com/artyom-poptsov/guile-ssh/pull/15
* guix/ssh.scm (open-ssh-session): Fall back to GSSAPI if public key
authentication does not work
---
 doc/guix.texi                               |   5 +-
 gnu/packages/patches/guile-ssh-gssapi.patch | 115 ++++++++++++++++++++
 gnu/packages/ssh.scm                        |   4 +-
 guix/ssh.scm                                |  15 ++-
 4 files changed, 131 insertions(+), 8 deletions(-)
 create mode 100644 gnu/packages/patches/guile-ssh-gssapi.patch

diff --git a/doc/guix.texi b/doc/guix.texi
index 7d50f31d20..81ea5153b6 100644
--- a/doc/guix.texi
+++ b/doc/guix.texi
@@ -6753,8 +6753,9 @@ instruct it to listen for TCP connections (@pxref{Invoking guix-daemon,
 @item ssh
 @cindex SSH access to build daemons
 These URIs allow you to connect to a remote daemon over
-SSH@footnote{This feature requires Guile-SSH (@pxref{Requirements}).}.
-A typical URL might look like this:
+SSH. This feature requires Guile-SSH (@pxref{Requirements}) and a working
+@code{guile} binary in @code{PATH} on the destination machine. It supports
+public key and GSSAPI authentication. A typical URL might look like this:
 
 @example
 ssh://charlie@@guix.example.org:22
diff --git a/gnu/packages/patches/guile-ssh-gssapi.patch b/gnu/packages/patches/guile-ssh-gssapi.patch
new file mode 100644
index 0000000000..522687d589
--- /dev/null
+++ b/gnu/packages/patches/guile-ssh-gssapi.patch
@@ -0,0 +1,115 @@
+commit 8b728dc144ea12f3a339a2009e403e9bbd8fd39c
+Author: Lars-Dominik Braun <ldb@leibniz-psychology.org>
+Date:   Thu Dec 5 10:31:00 2019 +0100
+
+    Add GSSAPI user authentication method
+    
+    Bind to libssh’s ssh_userauth_gssapi().
+
+diff --git a/doc/api-auth.texi b/doc/api-auth.texi
+index b2975d2..9f2884d 100644
+--- a/doc/api-auth.texi
++++ b/doc/api-auth.texi
+@@ -125,6 +125,26 @@ In nonblocking mode, you've got to call this again later.
+ 
+ @end deffn
+ 
++@deffn {Scheme Procedure} userauth-gssapi! session
++Try to authenticate through the @code{gssapi-with-mic} method.
++
++Return one of the following symbols: 
++
++@table @samp
++@item success
++Authentication success.
++@item partial
++You've been partially authenticated, you still have to use another method.
++@item again
++In nonblocking mode, you've got to call this again later.
++@item denied
++Authentication failed: use another method.
++@item error
++A serious error happened.
++@end table
++
++@end deffn
++
+ @deffn {Scheme Procedure} userauth-none! session
+ Try to authenticate through the @code{none} method.
+ 
+diff --git a/libguile-ssh/auth.c b/libguile-ssh/auth.c
+index 52d3262..e9efe9e 100644
+--- a/libguile-ssh/auth.c
++++ b/libguile-ssh/auth.c
+@@ -206,6 +206,27 @@ Throw `wrong-type-arg' if a disconnected SESSION is passed as an argument.\
+ }
+ #undef FUNC_NAME
+ 
++SCM_DEFINE (guile_ssh_userauth_gssapi_x,
++            "userauth-gssapi!", 1, 0, 0,
++            (SCM session),
++            "\
++Try to authenticate through the \"gssapi-with-mic\" method.\
++Throw `wrong-type-arg' if a disconnected SESSION is passed as an argument.\
++")
++#define FUNC_NAME s_guile_ssh_userauth_gssapi_x
++{
++  struct session_data *sd = _scm_to_session_data (session);
++
++  int res;
++
++  GSSH_VALIDATE_CONNECTED_SESSION (sd, session, SCM_ARG1);
++
++  res = ssh_userauth_gssapi (sd->ssh_session);
++
++  return ssh_auth_result_to_symbol (res);
++}
++#undef FUNC_NAME
++
+ 
+ /* Try to authenticate through the "none" method.
+ 
+diff --git a/modules/ssh/auth.scm b/modules/ssh/auth.scm
+index 158cab1..7a4be10 100644
+--- a/modules/ssh/auth.scm
++++ b/modules/ssh/auth.scm
+@@ -29,6 +29,7 @@
+ ;;   userauth-public-key/try
+ ;;   userauth-agent!
+ ;;   userauth-password!
++;;   userauth-gssapi!
+ ;;   userauth-none!
+ ;;   userauth-get-list
+ 
+@@ -46,6 +47,7 @@
+             userauth-public-key/try
+             userauth-agent!
+             userauth-password!
++            userauth-gssapi!
+             userauth-none!
+             userauth-get-list
+             openssh-agent-start
+diff --git a/tests/client-server.scm b/tests/client-server.scm
+index 2704280..d8f490a 100644
+--- a/tests/client-server.scm
++++ b/tests/client-server.scm
+@@ -429,6 +429,19 @@
+   (userauth-public-key/auto! (make-session-for-test)))
+ 
+ 
++;;; 'userauth-gssapi!'
++
++;; The procedure called with a wrong object as a parameter which leads to an
++;; exception.
++(test-error-with-log "userauth-gssapi!, wrong parameter" 'wrong-type-arg
++  (userauth-gssapi! "Not a session."))
++
++;; Client tries to authenticate using a non-connected session which leads to
++;; an exception.
++(test-error-with-log "userauth-gssapi!, not connected" 'wrong-type-arg
++  (userauth-gssapi! (make-session-for-test)))
++
++
+ ;;;
+ 
+ 
diff --git a/gnu/packages/ssh.scm b/gnu/packages/ssh.scm
index b82d280089..5a001525d0 100644
--- a/gnu/packages/ssh.scm
+++ b/gnu/packages/ssh.scm
@@ -99,7 +99,8 @@
        ;; TODO: Add 'CMockery' and '-DWITH_TESTING=ON' for the test suite.
        #:tests? #f))
     (inputs `(("zlib" ,zlib)
-              ("libgcrypt" ,libgcrypt)))
+              ("libgcrypt" ,libgcrypt)
+              ("mit-krb5" ,mit-krb5)))
     (synopsis "SSH client library")
     (description
      "libssh is a C library implementing the SSHv2 and SSHv1 protocol for client
@@ -244,6 +245,7 @@ Additionally, various channel-specific options can be negotiated.")
               (sha256
                (base32
                 "03bv3hwp2s8f0bqgfjaan9jx4dyab0abv27n2zn2g0izlidv0vl6"))
+              (patches (search-patches "guile-ssh-gssapi.patch"))
               (modules '((guix build utils)))
               (snippet
                '(begin
diff --git a/guix/ssh.scm b/guix/ssh.scm
index 291ce20b61..56b49b177f 100644
--- a/guix/ssh.scm
+++ b/guix/ssh.scm
@@ -157,11 +157,16 @@ server at '~a': ~a")
           (session-set! session 'timeout timeout)
           session)
          (x
-          (disconnect! session)
-          (raise (condition
-                  (&message
-                   (message (format #f (G_ "SSH authentication failed for '~a': ~a~%")
-                                    host (get-error session)))))))))
+          (match (userauth-gssapi! session)
+            ('success
+             (session-set! session 'timeout timeout)
+             session)
+            (x
+             (disconnect! session)
+             (raise (condition
+                     (&message
+                      (message (format #f (G_ "SSH authentication failed for '~a': ~a~%")
+                                       host (get-error session)))))))))))
       (x
        ;; Connection failed or timeout expired.
        (raise (condition
-- 
2.20.1