Bug#404863: ssh-krb5: enable GSSAPIKeyExchange on transitional upgrades
Package: ssh-krb5
Version: 1:4.3p2-8
Severity: important
Tags: patch

Sam pointed out that ssh-krb5 automatically enabled GSSAPIKeyExchange
without a configuration option, which means that upgrades from ssh-krb5
to openssh-server with the standard ssh-krb5 sshd_config would disable
GSSAPIKeyExchange since they would have GSSAPI configuration options
present but not that one.

This patch corrects this, adds comments to the postinst so that it's
more obvious what's going on, and fixes a mistaken word choice in the
ssh-krb5 NEWS.Debian file. The resulting transitional package has been
tested for each of the possibilities of present or missing GSSAPI
options in sshd_config.

If you could apply this patch and upload for etch, I would greatly
appreciate it. It's only a borderline RC problem, but sites that use
key exchange are going to find it very surprising to have it disabled
after the upgrade.

Thanks!

-- System Information:
Debian Release: 4.0
APT prefers testing
APT policy: (990, 'testing'), (500, 'unstable'), (1, 'experimental')
Architecture: i386 (i686)
Shell: /bin/sh linked to /bin/bash
Kernel: Linux 2.6.18-3-686
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
--- openssh-4.3p2/debian/ssh-krb5.NEWS 2006-12-28 10:57:00.000000000 -0800
+++ openssh-4.3p2.new/debian/ssh-krb5.NEWS 2006-12-28 10:35:43.000000000 -0800
@@ -3,7 +3,7 @@
The normal openssh-server and openssh-client packages in Debian now
include full GSSAPI support, including key exchange. This package is
now only a transitional package that depends on openssh-server and
- openssh-client and configures openssh-server for GSSAPI configuration
+ openssh-client and configures openssh-server for GSSAPI authentication
if it wasn't already.
You can now simply install openssh-server and openssh-client directly
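
Review bot: The reworded sentence in ssh-krb5.NEWS now says the package configures openssh-server for GSSAPI authentication only, while the postinst in this same patch also appends "GSSAPIKeyExchange yes" when that option is not explicitly set. Consider wording it as "GSSAPI authentication and key exchange" so that an administrator reading NEWS.Debian knows the transitional package may add that line to sshd_config.
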
diff -ru openssh-4.3p2/debian/ssh-krb5.postinst openssh-4.3p2.new/debian/ssh-krb5.postinst
--- openssh-4.3p2/debian/ssh-krb5.postinst 2006-12-28 10:57:00.000000000 -0800
+++ openssh-4.3p2.new/debian/ssh-krb5.postinst 2006-12-28 10:47:40.000000000 -0800
@@ -14,27 +14,51 @@
fi
fi
- if dpkg --compare-versions "$oldversion" ge 1:4.3p2-7 || \
- grep -qi '^[ ]*GSSAPI' /etc/ssh/sshd_config ; then
+ # Make sure that GSSAPI is enabled. If there is no uncommented GSSAPI
+ # configuration, uncomment any commented-out configuration if present
+ # (this will catch the case of a fresh install of openssh-server).
+ # Otherwise, add configuration turning on GSSAPIAutentication and
+ # GSSAPIKeyExchange.
+ #
+ # If there is some configuration, we may be upgrading from ssh-krb5. It
+ # enabled GSSAPIKeyExchange without any configuration option. Therefore,
+ # if it isn't explicitly set, always enable it for compatible behavior
+ # with ssh-krb5.
+ if dpkg --compare-versions "$oldversion" ge 1:4.3p2-8 ; then
:
else
- if grep -qi '^#GSSAPI' /etc/ssh/sshd_config ; then
- perl -pe 's/^\#(GSSAPI(Authentication|KeyExchange))\b/$1/i' \
- < /etc/ssh/sshd_config > /etc/ssh/sshd_config.dpkg-new
- chown --reference /etc/ssh/sshd_config \
- /etc/ssh/sshd_config.dpkg-new
- chmod --reference /etc/ssh/sshd_config \
- /etc/ssh/sshd_config.dpkg-new
- mv /etc/ssh/sshd_config.dpkg-new /etc/ssh/sshd_config
+ changed=
+ if grep -qi '^[ ]*GSSAPI' /etc/ssh/sshd_config ; then
+ if grep -qi '^[ ]*GSSAPIKeyExchange' /etc/ssh/sshd_config ; then
+ :
+ else
+ changed=true
+ cat >> /etc/ssh/sshd_config <<EOF
+
+# GSSAPI key exchange (added by ssh-krb5 transitional package)
+GSSAPIKeyExchange yes
+EOF
+ fi
else
- cat >> /etc/ssh/sshd_config <<EOF
+ changed=true
+ if grep -qi '^#GSSAPI' /etc/ssh/sshd_config ; then
+ perl -pe 's/^\#(GSSAPI(Authentication|KeyExchange))\b/$1/i' \
+ < /etc/ssh/sshd_config > /etc/ssh/sshd_config.dpkg-new
+ chown --reference /etc/ssh/sshd_config \
+ /etc/ssh/sshd_config.dpkg-new
+ chmod --reference /etc/ssh/sshd_config \
+ /etc/ssh/sshd_config.dpkg-new
+ mv /etc/ssh/sshd_config.dpkg-new /etc/ssh/sshd_config
+ else
+ cat >> /etc/ssh/sshd_config <<EOF
-# GSSAPI authentication
+# GSSAPI authentication (added by ssh-krb5 transitional package)
GSSAPIAuthentication yes
GSSAPIKeyExchange yes
EOF
+ fi
fi
- if [ -x /etc/init.d/ssh ] ; then
+ if [ -n "$changed" ] && [ -x /etc/init.d/ssh ] ; then
if [ -x /usr/sbin/invoke-rc.d ] ; then
invoke-rc.d ssh restart
else
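
Review bot: In the branch taken when grep -qi '^#GSSAPI' matches, nothing guarantees that key exchange ends up enabled. The perl substitution only strips the leading "#" from GSSAPIAuthentication and GSSAPIKeyExchange lines and keeps whatever value they carried, and the grep also matches any other commented-out GSSAPI option, in which case no line changes at all yet changed=true still leads to a restart. Consider re-running the '^[ ]*GSSAPIKeyExchange' check (and the equivalent for GSSAPIAuthentication) after the mv and appending whichever setting is still missing, so this path gives the same result as the other two. Smaller point: the new comment block spells the option "GSSAPIAutentication".
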