
Bug#404863: ssh-krb5: enable GSSAPIKeyExchange on transitional upgrades



Package: ssh-krb5
Version: 1:4.3p2-8
Severity: important
Tags: patch

Sam pointed out that ssh-krb5 automatically enabled GSSAPIKeyExchange
without a configuration option, which means that upgrades from ssh-krb5
to openssh-server with the standard ssh-krb5 sshd_config would disable
GSSAPIKeyExchange since they would have GSSAPI configuration options
present but not that one.

This patch corrects this, adds comments to the postinst so that it's
more obvious what's going on, and fixes a mistaken word choice in the
ssh-krb5 NEWS.Debian file.  The resulting transitional package has been
tested for each of the possibilities of present or missing GSSAPI
options in sshd_config.

If you could apply this patch and upload for etch, I would greatly
appreciate it.  It's only a borderline RC problem, but sites that use
key exchange are going to find it very surprising to have it disabled
after the upgrade.

Thanks!

-- System Information:
Debian Release: 4.0
  APT prefers testing
  APT policy: (990, 'testing'), (500, 'unstable'), (1, 'experimental')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.18-3-686
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
--- openssh-4.3p2/debian/ssh-krb5.NEWS	2006-12-28 10:57:00.000000000 -0800
+++ openssh-4.3p2.new/debian/ssh-krb5.NEWS	2006-12-28 10:35:43.000000000 -0800
@@ -3,7 +3,7 @@
   The normal openssh-server and openssh-client packages in Debian now
   include full GSSAPI support, including key exchange.  This package is
   now only a transitional package that depends on openssh-server and
-  openssh-client and configures openssh-server for GSSAPI configuration
+  openssh-client and configures openssh-server for GSSAPI authentication
   if it wasn't already.
 
   You can now simply install openssh-server and openssh-client directly
diff -ru openssh-4.3p2/debian/ssh-krb5.postinst openssh-4.3p2.new/debian/ssh-krb5.postinst
--- openssh-4.3p2/debian/ssh-krb5.postinst	2006-12-28 10:57:00.000000000 -0800
+++ openssh-4.3p2.new/debian/ssh-krb5.postinst	2006-12-28 10:47:40.000000000 -0800
@@ -14,27 +14,51 @@
         fi
     fi
 
-    if dpkg --compare-versions "$oldversion" ge 1:4.3p2-7 || \
-       grep -qi '^[ 	]*GSSAPI' /etc/ssh/sshd_config ; then
+    # Make sure that GSSAPI is enabled.  If there is no uncommented GSSAPI
+    # configuration, uncomment any commented-out configuration if present
+    # (this will catch the case of a fresh install of openssh-server).
+    # Otherwise, add configuration turning on GSSAPIAutentication and
+    # GSSAPIKeyExchange.
+    #
+    # If there is some configuration, we may be upgrading from ssh-krb5.  It
+    # enabled GSSAPIKeyExchange without any configuration option.  Therefore,
+    # if it isn't explicitly set, always enable it for compatible behavior
+    # with ssh-krb5.
+    if dpkg --compare-versions "$oldversion" ge 1:4.3p2-8 ; then
         :
     else
-        if grep -qi '^#GSSAPI' /etc/ssh/sshd_config ; then
-            perl -pe 's/^\#(GSSAPI(Authentication|KeyExchange))\b/$1/i' \
-                < /etc/ssh/sshd_config > /etc/ssh/sshd_config.dpkg-new
-            chown --reference /etc/ssh/sshd_config \
-                /etc/ssh/sshd_config.dpkg-new
-            chmod --reference /etc/ssh/sshd_config \
-                /etc/ssh/sshd_config.dpkg-new
-            mv /etc/ssh/sshd_config.dpkg-new /etc/ssh/sshd_config
+        changed=
+        if grep -qi '^[ 	]*GSSAPI' /etc/ssh/sshd_config ; then
+            if grep -qi '^[ 	]*GSSAPIKeyExchange' /etc/ssh/sshd_config ; then
+                :
+            else
+                changed=true
+                cat >> /etc/ssh/sshd_config <<EOF
+
+# GSSAPI key exchange (added by ssh-krb5 transitional package)
+GSSAPIKeyExchange yes
+EOF
+            fi
         else
-            cat >> /etc/ssh/sshd_config <<EOF
+            changed=true
+            if grep -qi '^#GSSAPI' /etc/ssh/sshd_config ; then
+                perl -pe 's/^\#(GSSAPI(Authentication|KeyExchange))\b/$1/i' \
+                    < /etc/ssh/sshd_config > /etc/ssh/sshd_config.dpkg-new
+                chown --reference /etc/ssh/sshd_config \
+                    /etc/ssh/sshd_config.dpkg-new
+                chmod --reference /etc/ssh/sshd_config \
+                    /etc/ssh/sshd_config.dpkg-new
+                mv /etc/ssh/sshd_config.dpkg-new /etc/ssh/sshd_config
+            else
+                cat >> /etc/ssh/sshd_config <<EOF
 
-# GSSAPI authentication
+# GSSAPI authentication (added by ssh-krb5 transitional package)
 GSSAPIAuthentication yes
 GSSAPIKeyExchange yes
 EOF
+            fi
         fi
-        if [ -x /etc/init.d/ssh ] ; then
+        if [ -n "$changed" ] && [ -x /etc/init.d/ssh ] ; then
             if [ -x /usr/sbin/invoke-rc.d ] ; then
                 invoke-rc.d ssh restart
             else
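
Review bot: In the uncomment branch (the `grep -qi '^#GSSAPI'` test followed by the perl substitution), nothing guarantees that GSSAPIKeyExchange ends up set. The grep matches any commented line beginning with `#GSSAPI`, while the perl only rewrites `#GSSAPIAuthentication` and `#GSSAPIKeyExchange`, so a file with only a commented GSSAPIAuthentication line leaves key exchange unset, and a file with only some other commented GSSAPI option is left unchanged while `changed=true` still triggers a restart. The substitution also keeps whatever value follows the option name, so a commented line ending in `no` becomes an active `no`. Consider running the uncommented-GSSAPIKeyExchange check after this branch as well, not only in the first branch, and appending `GSSAPIKeyExchange yes` when it is still missing. Separately, the new comment block spells the option `GSSAPIAutentication`; it should read `GSSAPIAuthentication`.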
