
Bug#390986: openssh: change ssh-krb5 into a dummy package
On Tue, Oct 03, 2006 at 11:38:36PM -0700, Russ Allbery wrote:
> Sam and I, and I'm sure the security team as well, would love to get rid
> of the separate ssh-krb5 package for etch now that the GSSAPI patch has
> been incorporated into openssh.  There are only a few small issues in the
> way of doing this:
> 
>  * openssh-client doesn't default to attempting GSSAPI authentication.
>    There's no reason not to enable this by default; it is quietly skipped
>    if the user has no Kerberos ticket cache or if the remote host doesn't
>    advertise GSSAPI.  Without this enabled, the upgrade from ssh-krb5 to
>    openssh-client would silently break GSSAPI authentication for users.
> 
>  * openssh-server doesn't enable GSSAPI by default.  This is a reasonable
>    default and ideally should be a debconf prompt, but in the interim,
>    installing ssh-krb5 needs to result in a GSSAPI-enabled server.  We
>    therefore need a transitional package that will do the right thing in
>    the configuration.
> 
>  * ssh-krb5 in sarge supports the GSSAPINoMICAuthentication configuration
>    option, which is no longer supported by the current GSSAPI code.  This
>    option should therefore be removed from the sshd_config if seen there.
> 
> Attached is a lightly tested patch that takes care of all of these issues
> and adds an ssh-krb5 transitional package to the openssh package.  I would
> very much like to get this into etch; I'm sorry that it's taken me so long
> to get around to writing it.

OK, sorry this took me so long. I've committed this to CVS now. I made a
couple of additional changes, namely to turn /usr/share/doc/ssh-krb5
into a symlink to /usr/share/doc/openssh-client (like /usr/share/doc/ssh
already is), to disable the ssh-krb5 init script on upgrade, and to
guarantee never to add GSSAPI options to sshd_config more than once on
repeated upgrades. This is all at least as lightly tested as your
changes :-), but I think it should be relatively straightforward.

I'll upload this over the course of the next day.

Cheers,

-- 
Colin Watson                                       [cjwatson@debian.org]
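As an added illustration of the sshd_config handling discussed in this thread (dropping the obsolete GSSAPINoMICAuthentication option and never adding GSSAPI options more than once on repeated upgrades), here is a small POSIX shell script. It is not the Debian maintainer script and does not reproduce what was committed to CVS; it assumes the config path is passed as an argument, adds only the upstream GSSAPIAuthentication directive (the page does not name which options the transitional package adds), and the sample sshd_config content in the demo is constructed.

```shell
#!/bin/sh
# Added example, not Debian's ssh-krb5 maintainer script.
# Idempotent sshd_config migration for an ssh-krb5 -> openssh-server upgrade:
#   1. remove the GSSAPINoMICAuthentication option (unsupported by current code)
#   2. enable GSSAPIAuthentication, but only if no active directive exists,
#      so running the script again on a later upgrade adds nothing.
# Assumption: only GSSAPIAuthentication is added; option names are matched
# case-insensitively with either whitespace or '=' as separator, as sshd does.

migrate_sshd_config() {
    cfg="$1"
    tmp="$cfg.tmp.$$"

    # Step 1: drop every active GSSAPINoMICAuthentication line.
    # grep -v exits 1 when nothing is left to print, which is not an error here.
    grep -vi '^[[:space:]]*GSSAPINoMICAuthentication[[:space:]=]' "$cfg" > "$tmp" || true
    mv "$tmp" "$cfg"

    # Step 2: append GSSAPIAuthentication once. A commented-out default such as
    # "#GSSAPIAuthentication no" does not count as an active directive.
    if ! grep -qi '^[[:space:]]*GSSAPIAuthentication[[:space:]=]' "$cfg"; then
        printf '\n# Enabled by ssh-krb5 transition (added example)\nGSSAPIAuthentication yes\n' >> "$cfg"
    fi
}

# Number of active GSSAPIAuthentication directives; prints 0 when none.
count_gssapi_lines() {
    grep -ci '^[[:space:]]*GSSAPIAuthentication[[:space:]=]' "$1" || true
}

# Demo on a constructed sarge-style sshd_config: run the migration twice and
# show that the obsolete option is gone and GSSAPIAuthentication appears once.
demo() {
    f=$(mktemp)
    printf 'Port 22\n#GSSAPIAuthentication no\nGSSAPINoMICAuthentication yes\nUsePAM yes\n' > "$f"
    migrate_sshd_config "$f"
    migrate_sshd_config "$f"
    echo "active GSSAPIAuthentication lines after two runs: $(count_gssapi_lines "$f")"
    cat "$f"
    rm -f "$f"
}

demo
```

The second `migrate_sshd_config` call is the point of the exercise: the first run appends the directive, the second finds it active and leaves the file alone, which is the "never more than once" guarantee the upgrade path needs.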