[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bug#390986: openssh: change ssh-krb5 into a dummy package

On Tue, Oct 03, 2006 at 11:38:36PM -0700, Russ Allbery wrote:
> Sam and I, and I'm sure the security team as well, would love to get rid
> of the separate ssh-krb5 package for etch now that the GSSAPI patch has
> been incorporated into openssh.  There are only a few small issues in the
> way of doing this:
>  * openssh-client doesn't default to attempting GSSAPI authentication.
>    There's no reason not to enable this by default; it is quietly skipped
>    if the user has no Kerberos ticket cache or if the remote host doesn't
>    advertise GSSAPI.  Without this enabled, the upgrade from ssh-krb5 to
>    openssh-client would silently break GSSAPI authentication for users.
>  * openssh-server doesn't enable GSSAPI by default.  This is a reasonable
>    default and ideally should be a debconf prompt, but in the interim,
>    installing ssh-krb5 needs to result in a GSSAPI-enabled server.  We
>    therefore need a transitional package that will do the right thing in
>    the configuration.
>  * ssh-krb5 in sarge supports the GSSAPINoMICAuthentication configuration
>    option, which is no longer supported by the current GSSAPI code.  This
>    option should therefore be removed from the sshd_config if seen there.
> Attached is a lightly tested patch that takes care of all of these issues
> and adds an ssh-krb5 transitional package to the openssh package.  I would
> very much like to get this into etch; I'm sorry that it's taken me so long
> to get around to writing it.

OK, sorry this took me so long. I've committed this to CVS now. I made a
couple of additional changes, namely to turn /usr/share/doc/ssh-krb5
into a symlink to /usr/share/doc/openssh-client (like /usr/share/doc/ssh
already is), to disable the ssh-krb5 init script on upgrade, and to
guarantee never to add GSSAPI options to sshd_config more than once on
repeated upgrades. This is all at least as lightly tested as your
changes :-), but I think should be relatively straightforward.

I'll upload this over the course of the next day.


Colin Watson                                       [cjwatson@debian.org]

Reply to: