Bug#390986: openssh: change ssh-krb5 into a dummy package
On Tue, Oct 03, 2006 at 11:38:36PM -0700, Russ Allbery wrote:
> Sam and I, and I'm sure the security team as well, would love to get rid
> of the separate ssh-krb5 package for etch now that the GSSAPI patch has
> been incorporated into openssh. There are only a few small issues in the
> way of doing this:
>
> * openssh-client doesn't default to attempting GSSAPI authentication.
> There's no reason not to enable this by default; it is quietly skipped
> if the user has no Kerberos ticket cache or if the remote host doesn't
> advertise GSSAPI. Without this enabled, the upgrade from ssh-krb5 to
> openssh-client would silently break GSSAPI authentication for users.
>
> * openssh-server doesn't enable GSSAPI by default. This is a reasonable
> default and ideally should be a debconf prompt, but in the interim,
> installing ssh-krb5 needs to result in a GSSAPI-enabled server. We
> therefore need a transitional package that will do the right thing in
> the configuration.
>
> * ssh-krb5 in sarge supports the GSSAPINoMICAuthentication configuration
> option, which is no longer supported by the current GSSAPI code. This
> option should therefore be removed from the sshd_config if seen there.
>
> Attached is a lightly tested patch that takes care of all of these issues
> and adds an ssh-krb5 transitional package to the openssh package. I would
> very much like to get this into etch; I'm sorry that it's taken me so long
> to get around to writing it.
OK, sorry this took me so long. I've committed this to CVS now. I made a
couple of additional changes, namely to turn /usr/share/doc/ssh-krb5
into a symlink to /usr/share/doc/openssh-client (like /usr/share/doc/ssh
already is), to disable the ssh-krb5 init script on upgrade, and to
guarantee never to add GSSAPI options to sshd_config more than once on
repeated upgrades. This is all at least as lightly tested as your
changes :-), but I think should be relatively straightforward.
I'll upload this over the course of the next day.
Cheers,
--
Colin Watson [cjwatson@debian.org]
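The config migration the thread describes (drop the obsolete GSSAPINoMICAuthentication option, enable GSSAPI on the server, and never add the option twice on repeated upgrades) as an added shell example; this is not the openssh package's maintainer script, and it assumes the upstream GSSAPIAuthentication keyword is the directive to enable and takes the config path as a parameter so it can run on a constructed file.

```shell
#!/bin/sh
# Idempotent sshd_config migration for an ssh-krb5 -> openssh-server upgrade.
# Added example, not the Debian package's own postinst.
set -e

# migrate_sshd_config FILE
#  1. strip GSSAPINoMICAuthentication, which the current GSSAPI code rejects
#  2. append "GSSAPIAuthentication yes" only when no active directive exists,
#     so running this on every upgrade never duplicates the option
migrate_sshd_config() {
    cfg="$1"
    tmp="$cfg.tmp"
    # sshd_config keywords are case-insensitive, so match them that way.
    grep -viE '^[[:space:]]*GSSAPINoMICAuthentication([[:space:]]|$)' "$cfg" > "$tmp" || true
    mv "$tmp" "$cfg"
    # A commented-out "#GSSAPIAuthentication no" does not count as active.
    if ! grep -qiE '^[[:space:]]*GSSAPIAuthentication([[:space:]]|$)' "$cfg"; then
        printf 'GSSAPIAuthentication yes\n' >> "$cfg"
    fi
}

# count_directive FILE KEYWORD: number of active (uncommented) KEYWORD lines
count_directive() {
    grep -ciE "^[[:space:]]*$2([[:space:]]|$)" "$1" || true
}

# Constructed sample resembling a sarge-era ssh-krb5 sshd_config.
sample="$(mktemp)"
cat > "$sample" <<'EOF'
Port 22
GSSAPINoMICAuthentication yes
#GSSAPIAuthentication no
UsePAM yes
EOF
migrate_sshd_config "$sample"
migrate_sshd_config "$sample"   # second run simulates a repeated upgrade
echo "GSSAPIAuthentication lines: $(count_directive "$sample" GSSAPIAuthentication)"
rm -f "$sample"
```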