openssh and openssh-krb5

To: debian-release@lists.debian.org, matthew@debian.org, cjwatson@debian.org
Cc: hartmans@debian.org
Subject: openssh and openssh-krb5
From: Russ Allbery <rra@debian.org>
Date: Mon, 13 Nov 2006 17:46:50 -0800
Message-id: <[🔎] 87r6w6n6k5.fsf@windlord.stanford.edu>

Hello folks,

My patch to turn ssh-krb5 into a transitional package provided by openssh
has languished in the BTS for a while now without any comment
(Bug##390986).  The security team is very unenthused about the idea of
continuing to maintain the current ssh-krb5 package for etch, and it
doesn't fill me with joy either.  In this patch, I tried to deal with the
various configuration issues involved and keep the upgrade as smooth as
possible and ensure that people with ssh-krb5 installed will get an ssh
installation with GSSAPI enabled.

Where should I go from here?  Should I NMU openssh with this patch?  I'd
really like to get a few more eyes on it if so; it seems to work for me,
but I may well be missing something vital.

Also, the current openssh-client package doesn't have the patch to add the
-K command-line option, which forces credential delegation even if it
it's normally turned off by configuration (the opposite of -k).  Not
having this in etch if ssh-krb5 were changed to a transitional package
would be a feature regression that I think some users would notice.  I
think this should be a relatively straightforward patch, although I've not
yet tried to extract it from the ssh-krb5 package and see how simple it
is.  Should I prepare a patch for this as well?  Put it in the same NMU?

-- 
Russ Allbery (rra@debian.org)               <http://www.eyrie.org/~eagle/>

Reply to:

Prev by Date: Re: pciutils frozen
Next by Date: apache2 DSA considerations for etch
Previous by thread: Re: pciutils frozen
Next by thread: apache2 DSA considerations for etch
Index(es):
- Date
- Thread