Bug 2495

Summary: add GSI GSSAPI SSO authentication to OpenSSH
Product: Portable OpenSSH
Reporter: Tom Downes <thomas.downes>
Component: Kerberos support
Assignee: Assigned to nobody <unassigned-bugs>
Status: CLOSED WONTFIX
Severity: enhancement
CC: andre, calestyo, djm, grawity, jbasney, m.pawlik, pfcouvar+bugzilla.mindrot
Priority: P5
Version: 7.1p1
Hardware: amd64
OS: Linux

Description Tom Downes 2015-11-13 09:11:54 AEDT
This is effectively a bump of bug 958, filed by Jim Basney, to the current version of openssh. Jim maintains a patch for openssh which enables authentication with GSI GSSAPI.

Effectively it enables single-sign-on with certificate verification by the client of the host and of the client by the host. This is in use securely by a large number of users in scientific and other computing projects.

Patch:

http://grid.ncsa.illinois.edu/ssh/installpatch.html
http://grid.ncsa.illinois.edu/ssh/dl/patch/

Full releases:

https://github.com/globus/gsi-openssh/releases

We would like you to review this patch and consider it for inclusion in the standard release of openssh. Currently, we are compelled to recompile and repackage openssh ourselves on both linux and OS X. Practically speaking, it can be hard to keep the packaging going although I believe (hope) the burden on Jim of maintaining the patch itself is fairly low.
Comment 1 Tom Downes 2015-11-13 09:14:02 AEDT
*** Bug 958 has been marked as a duplicate of this bug. ***
Comment 2 Damien Miller 2020-01-25 23:16:10 AEDT
We don't plan on implementing any additional GSSAPI authentication methods, sorry.
Comment 3 Andre Merzky 2020-01-26 03:03:23 AEDT
Hi Damien, may I ask for the reason for declining the patch? I am asking as a user who frequently has to deploy manually patched versions of GSI-SSH, which is rather painful and not always possible. Is the patch itself problematic, or is it too difficult / involved to review it? Are you able to enumerate conditions which would allow an acceptance of the patch?

Many thanks, Andre.
Comment 4 Damien Miller 2020-01-26 11:57:45 AEDT
Hi Andre,

I declined it because we barely have the knowledge and environments needed to maintain the existing GSSAPI code, and have no familiarity with GSI nor means to test it.
Comment 5 Damien Miller 2021-04-23 15:02:02 AEST
closing resolved bugs as of 8.6p1 release