
Bug#390986: openssh: change ssh-krb5 into a dummy package



Package: openssh
Version: 1:4.3p2-4
Severity: wishlist
Tags: patch

Hello folks,

Sam and I, and I'm sure the security team as well, would love to get rid
of the separate ssh-krb5 package for etch now that the GSSAPI patch has
been incorporated into openssh.  There are only a few small issues in the
way of doing this:

 * openssh-client doesn't default to attempting GSSAPI authentication.
   There's no reason not to enable this by default; it is quietly skipped
   if the user has no Kerberos ticket cache or if the remote host doesn't
   advertise GSSAPI.  Without this enabled, the upgrade from ssh-krb5 to
   openssh-client would silently break GSSAPI authentication for users.

 * openssh-server doesn't enable GSSAPI by default.  Leaving it disabled is
   a reasonable default, and ideally the choice should be a debconf prompt,
   but in the interim, installing ssh-krb5 needs to result in a
   GSSAPI-enabled server.  We therefore need a transitional package that
   will do the right thing in the configuration.

 * ssh-krb5 in sarge supports the GSSAPINoMICAuthentication configuration
   option, which is no longer supported by the current GSSAPI code.  This
   option should therefore be removed from the sshd_config if seen there.

Attached is a lightly tested patch that takes care of all of these issues
and adds an ssh-krb5 transitional package to the openssh package.  I would
very much like to get this into etch; I'm sorry that it's taken me so long
to get around to writing it.

Please let me know if you have any additional concerns.

(BTW, I also noticed that the current openssh-client package does not
include the patch adding a -K option, the inverse of -k, which turns on
ticket delegation for that connection regardless of the config setting.  I
thought that this was part of the standard GSSAPI patch, but possibly not.
Could you include it?  It may also be needed for this transition (since the
new client default below leaves delegation off), and it's very useful.)

-- System Information:
Debian Release: testing/unstable
  APT prefers testing
  APT policy: (990, 'testing'), (500, 'unstable'), (1, 'experimental')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.15-1-686
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
diff -ruN openssh-4.3p2-current/debian/control openssh-4.3p2/debian/control
--- openssh-4.3p2-current/debian/control	2006-10-03 22:16:37.000000000 -0700
+++ openssh-4.3p2/debian/control	2006-10-03 23:07:05.000000000 -0700
@@ -9,8 +9,8 @@
 Package: openssh-client
 Architecture: any
 Depends: ${shlibs:Depends}, ${debconf-depends}, adduser (>= 3.10), dpkg (>= 1.7.0), passwd
-Conflicts: ssh (<< 1:3.8.1p1-9), sftp, rsh-client (<<0.16.1-1), ssh-krb5
-Replaces: ssh (<< 1:3.8.1p1-9), ssh-krb5
+Conflicts: ssh (<< 1:3.8.1p1-9), sftp, rsh-client (<<0.16.1-1), ssh-krb5 (<< 1:4.3p2-5)
+Replaces: ssh (<< 1:3.8.1p1-9), ssh-krb5 (<< 1:4.3p2-5)
 Suggests: ssh-askpass, xbase-clients
 Provides: rsh-client, ssh-client
 Description: Secure shell client, an rlogin/rsh/rcp replacement
@@ -39,8 +39,8 @@
 Priority: optional
 Architecture: any
 Depends: ${shlibs:Depends}, ${debconf-depends}, ${pam-depends}, libpam-modules (>= 0.72-9), adduser (>= 3.9), dpkg (>= 1.9.0), openssh-client (= ${Source-Version})
-Conflicts: ssh (<< 1:3.8.1p1-9), ssh-nonfree (<<2), ssh-socks, ssh2, sftp, rsh-client (<<0.16.1-1), ssh-krb5
-Replaces: ssh (<< 1:3.8.1p1-9), openssh-client (<< 1:3.8.1p1-11), ssh-krb5
+Conflicts: ssh (<< 1:3.8.1p1-9), ssh-nonfree (<<2), ssh-socks, ssh2, sftp, rsh-client (<<0.16.1-1), ssh-krb5 (<< 1:4.3p2-5)
+Replaces: ssh (<< 1:3.8.1p1-9), openssh-client (<< 1:3.8.1p1-11), ssh-krb5 (<< 1:4.3p2-5)
 Suggests: ssh-askpass, xbase-clients, rssh
 Provides: ssh-server
 Description: Secure shell server, an rshd replacement
@@ -72,6 +72,16 @@
  the OpenSSH server, which are now in separate packages. You may remove
  it once the upgrade is complete and nothing depends on it.
 
+Package: ssh-krb5
+Priority: extra
+Architecture: all
+Depends: openssh-client, openssh-server
+Description: Secure shell client and server (transitional package)
+ This is a transitional package depending on the regular Debian OpenSSH
+ client and server, which now support GSSAPI natively.  It will add the
+ necessary GSSAPI options to the server configuration file.  You can
+ remove it once the upgrade is complete and nothing depends on it.
+
 Package: ssh-askpass-gnome
 Section: gnome
 Priority: optional
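Review bot: The new ssh-krb5 stanza depends on unversioned `openssh-client` and `openssh-server`, so an already-installed openssh-server older than this upload satisfies the dependency, while ssh-krb5's postinst in this same patch writes `GSSAPIKeyExchange yes` into sshd_config and restarts the service unconditionally; a server that does not accept that keyword would then fail to start. Versioning the dependency, e.g. `Depends: openssh-client (>= 1:4.3p2-5), openssh-server (>= 1:4.3p2-5)`, closes that window; the correct lower bound is the first Debian revision that understands GSSAPIKeyExchange, which I can't confirm from this patch alone. The Conflicts/Replaces added in the earlier hunks only cover the old ssh-krb5 being replaced, not this forward direction.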
diff -ruN openssh-4.3p2-current/debian/openssh-server.postinst openssh-4.3p2/debian/openssh-server.postinst
--- openssh-4.3p2-current/debian/openssh-server.postinst	2006-10-03 22:16:37.000000000 -0700
+++ openssh-4.3p2/debian/openssh-server.postinst	2006-10-03 23:27:05.000000000 -0700
@@ -72,6 +72,17 @@
 }
 
 
+remove_obsolete_gssapi() {
+	grep -qi '^[ 	]*GSSAPINoMICAuthentication' /etc/ssh/sshd_config \
+		|| return 0
+	perl -pe 's/^(\s*GSSAPINoMICAuthentication)/\#$1/i' \
+		< /etc/ssh/sshd_config > /etc/ssh/sshd_config.dpkg-new
+	chown --reference /etc/ssh/sshd_config /etc/ssh/sshd_config.dpkg-new
+	chmod --reference /etc/ssh/sshd_config /etc/ssh/sshd_config.dpkg-new
+	mv /etc/ssh/sshd_config.dpkg-new /etc/ssh/sshd_config
+}
+
+
 host_keys_required() {
 	hostkeys="$(get_config_option HostKey)"
 	if [ "$hostkeys" ]; then
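Review bot: remove_obsolete_gssapi rewrites the administrator's sshd_config without saying so, so a configuration that relied on GSSAPINoMICAuthentication changes meaning silently during the upgrade; a line such as `echo "Disabling obsolete GSSAPINoMICAuthentication option in /etc/ssh/sshd_config" >&2` before the perl rewrite would make the change visible in the upgrade log, and a one-line comment on the function saying that the no-MIC variant is no longer supported by the GSSAPI code would tell a later maintainer why it is commented out rather than fixed up. Because the edit goes through `sshd_config.dpkg-new` plus `mv`, a symlinked sshd_config becomes a regular file; that is presumably the pattern the surrounding helpers already use (their bodies are outside this hunk), but it is worth noting in the comment. The `[ \t]` class in the grep also relies on a literal tab surviving in the script, which a copy through mail may have turned into spaces.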
@@ -190,6 +201,9 @@
 		    move_subsystem_sftp
 		fi
 
+		# Remove obsolete GSSAPI options.
+		remove_obsolete_gssapi
+
 		return 0
 	    fi
 	fi
diff -ruN openssh-4.3p2-current/debian/rules openssh-4.3p2/debian/rules
--- openssh-4.3p2-current/debian/rules	2006-10-03 22:16:37.000000000 -0700
+++ openssh-4.3p2/debian/rules	2006-10-03 22:58:25.000000000 -0700
@@ -166,7 +166,7 @@
 	install -m 755 build-udeb/ssh-keygen debian/openssh-server-udeb/usr/bin/ssh-keygen
 
 # Build architecture-independent files here.
-binary-indep: binary-ssh
+binary-indep: binary-ssh binary-ssh-krb5
 
 # Build architecture-dependent files here.
 binary-arch: binary-openssh-client binary-openssh-server
@@ -244,6 +244,19 @@
 	dh_md5sums
 	dh_builddeb
 
+binary-ssh-krb5: DH_OPTIONS=-pssh-krb5
+binary-ssh-krb5: build install
+	dh_testdir
+	dh_testroot
+	dh_installdocs
+	dh_link
+	dh_compress
+	dh_fixperms
+	dh_installdeb
+	dh_gencontrol
+	dh_md5sums
+	dh_builddeb
+
 binary-ssh-askpass-gnome: DH_OPTIONS=-pssh-askpass-gnome
 binary-ssh-askpass-gnome: build install
 	dh_testdir
@@ -292,5 +305,5 @@
 .PHONY: build clean binary-indep binary-arch binary install
 .PHONY: build-deb build-udeb
 .PHONY: binary-openssh-client binary-openssh-server binary-ssh
-.PHONY: binary-ssh-askpass-gnome
+.PHONY: binary-ssh-krb5 binary-ssh-askpass-gnome
 .PHONY: binary-openssh-client-udeb binary-openssh-server-udeb
diff -ruN openssh-4.3p2-current/debian/ssh-krb5.NEWS openssh-4.3p2/debian/ssh-krb5.NEWS
--- openssh-4.3p2-current/debian/ssh-krb5.NEWS	1969-12-31 16:00:00.000000000 -0800
+++ openssh-4.3p2/debian/ssh-krb5.NEWS	2006-10-03 22:27:35.000000000 -0700
@@ -0,0 +1,18 @@
+ssh-krb5 (1:4.3p2-5) unstable; urgency=low
+
+  The normal openssh-server and openssh-client packages in Debian now
+  include full GSSAPI support, including key exchange.  This package is
+  now only a transitional package that depends on openssh-server and
+  openssh-client and configures openssh-server for GSSAPI configuration
+  if it wasn't already.
+
+  You can now simply install openssh-server and openssh-client directly
+  and remove this package.  Just make sure that /etc/ssh/sshd_config
+  contains:
+
+    GSSAPIAuthentication yes
+    GSSAPIKeyExchange yes
+
+  if you want to support GSSAPI authentication to your ssh server.
+
+ -- Russ Allbery <rra@debian.org>  Tue, 03 Oct 2006 22:27:27 -0700
diff -ruN openssh-4.3p2-current/debian/ssh-krb5.postinst openssh-4.3p2/debian/ssh-krb5.postinst
--- openssh-4.3p2-current/debian/ssh-krb5.postinst	1969-12-31 16:00:00.000000000 -0800
+++ openssh-4.3p2/debian/ssh-krb5.postinst	2006-10-03 23:27:02.000000000 -0700
@@ -0,0 +1,37 @@
+#!/bin/sh
+
+set -e
+
+if [ "$1" = configure ] ; then
+    if grep -qi '^[ 	]*GSSAPI' /etc/ssh/sshd_config ; then
+        :
+    else
+        if grep -qi '^#GSSAPI' /etc/ssh/sshd_config ; then
+            perl -pe 's/^\#(GSSAPI(Authentication|KeyExchange))\b/$1/i' \
+                < /etc/ssh/sshd_config > /etc/ssh/sshd_config.dpkg-new
+            chown --reference /etc/ssh/sshd_config \
+                /etc/ssh/sshd_config.dpkg-new
+            chmod --reference /etc/ssh/sshd_config \
+                /etc/ssh/sshd_config.dpkg-new
+            mv /etc/ssh/sshd_config.dpkg-new /etc/ssh/sshd_config
+        else
+            cat >> /etc/ssh/sshd_config <<EOF
+
+# GSSAPI authentication
+GSSAPIAuthentication yes
+GSSAPIKeyExchange yes
+EOF
+        fi
+        if [ -x /etc/init.d/ssh ] ; then
+            if [ -x /usr/sbin/invoke-rc.d ] ; then
+                invoke-rc.d ssh restart
+            else
+                /etc/init.d/ssh restart
+            fi
+        fi
+    fi
+fi
+
+#DEBHELPER#
+
+exit 0
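Review bot: The uncomment branch at `perl -pe 's/^\#(GSSAPI(Authentication|KeyExchange))\b/$1/i'` only strips the `#` and keeps whatever value followed it; if the commented template line carries a value, as upstream's sample sshd_config does with `#GSSAPIAuthentication no`, the result is an active `GSSAPIAuthentication no` and the transitional package enables nothing while still restarting sshd. Replacing the whole line, `s/^\#(GSSAPI(Authentication|KeyExchange))\b.*/$1 yes/i`, gives the intended result whatever the template says; that branch also never adds a keyword the template lacks (a file with only `#GSSAPIAuthentication` gets no GSSAPIKeyExchange at all), so simply appending the two lines whenever neither keyword is active may be both shorter and more reliable. The outer `grep -qi '^[ \t]*GSSAPI'` bails out on any active GSSAPI keyword, e.g. `GSSAPICleanupCredentials yes`, so authentication can stay off with no message; matching `GSSAPI(Authentication|KeyExchange)` specifically, and printing a notice when an explicit `no` is being respected, would make the outcome visible. Running `/usr/sbin/sshd -t` before the restart would keep a malformed result from taking the service down on a remote host.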
diff -ruN openssh-4.3p2-current/ssh_config openssh-4.3p2/ssh_config
--- openssh-4.3p2-current/ssh_config	2006-10-03 22:16:37.000000000 -0700
+++ openssh-4.3p2/ssh_config	2006-10-03 22:30:14.000000000 -0700
@@ -43,3 +43,5 @@
 #   PermitLocalCommand no
     SendEnv LANG LC_*
     HashKnownHosts yes
+    GSSAPIAuthentication yes
+    GSSAPIDelegateCredentials no
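Review bot: The two new client defaults carry no comment explaining why they are split, and `GSSAPIDelegateCredentials no` is the security-relevant half: the client will attempt GSSAPI to any host that advertises it, but it never forwards the Kerberos TGT, so a spoofed or compromised server gets at most a failed authentication rather than reusable credentials. A comment such as `# Try GSSAPI when a ticket is available; never forward the TGT unless -K or a per-host override asks for it` above the pair would stop a later editor from flipping delegation on globally. The lines are indented like the `SendEnv` and `HashKnownHosts` entries, so they presumably sit inside the `Host *` block whose header is outside this hunk; confirm that, and that no earlier commented `GSSAPIAuthentication` line in the same file now contradicts the active one.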
