Bug#390986: openssh: change ssh-krb5 into a dummy package
Package: openssh
Version: 1:4.3p2-4
Severity: wishlist
Tags: patch
Hello folks,
Sam and I, and I'm sure the security team as well, would love to get rid
of the separate ssh-krb5 package for etch now that the GSSAPI patch has
been incorporated into openssh. There are only a few small issues in the
way of doing this:
* openssh-client doesn't default to attempting GSSAPI authentication.
There's no reason not to enable this by default; it is quietly skipped
if the user has no Kerberos ticket cache or if the remote host doesn't
advertise GSSAPI. Without this enabled, the upgrade from ssh-krb5 to
openssh-client would silently break GSSAPI authentication for users.
* openssh-server doesn't enable GSSAPI by default. This is a reasonable
default and ideally should be a debconf prompt, but in the interim,
installing ssh-krb5 needs to result in a GSSAPI-enabled server. We
therefore need a transitional package that will do the right thing in
the configuration.
* ssh-krb5 in sarge supports the GSSAPINoMICAuthentication configuration
option, which is no longer supported by the current GSSAPI code. This
option should therefore be removed from the sshd_config if seen there.
Attached is a lightly tested patch that takes care of all of these issues
and adds an ssh-krb5 transitional package to the openssh package. I would
very much like to get this into etch; I'm sorry that it's taken me so long
to get around to writing it.
Please let me know if you have any additional concerns.
(BTW, I also noticed that the current openssh-client package does not
include the patch that adds a -K option, the inverse of -k, which
turns on ticket delegation regardless of the config setting. I thought
that this was part of the standard GSSAPI patch, but possibly not. Could
you include this? This may also be necessary for this transition, and it's
very useful.)
-- System Information:
Debian Release: testing/unstable
APT prefers testing
APT policy: (990, 'testing'), (500, 'unstable'), (1, 'experimental')
Architecture: i386 (i686)
Shell: /bin/sh linked to /bin/bash
Kernel: Linux 2.6.15-1-686
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
diff -ruN openssh-4.3p2-current/debian/control openssh-4.3p2/debian/control
--- openssh-4.3p2-current/debian/control 2006-10-03 22:16:37.000000000 -0700
+++ openssh-4.3p2/debian/control 2006-10-03 23:07:05.000000000 -0700
@@ -9,8 +9,8 @@
Package: openssh-client
Architecture: any
Depends: ${shlibs:Depends}, ${debconf-depends}, adduser (>= 3.10), dpkg (>= 1.7.0), passwd
-Conflicts: ssh (<< 1:3.8.1p1-9), sftp, rsh-client (<<0.16.1-1), ssh-krb5
-Replaces: ssh (<< 1:3.8.1p1-9), ssh-krb5
+Conflicts: ssh (<< 1:3.8.1p1-9), sftp, rsh-client (<<0.16.1-1), ssh-krb5 (<< 1:4.3p2-5)
+Replaces: ssh (<< 1:3.8.1p1-9), ssh-krb5 (<< 1:4.3p2-5)
Suggests: ssh-askpass, xbase-clients
Provides: rsh-client, ssh-client
Description: Secure shell client, an rlogin/rsh/rcp replacement
@@ -39,8 +39,8 @@
Priority: optional
Architecture: any
Depends: ${shlibs:Depends}, ${debconf-depends}, ${pam-depends}, libpam-modules (>= 0.72-9), adduser (>= 3.9), dpkg (>= 1.9.0), openssh-client (= ${Source-Version})
-Conflicts: ssh (<< 1:3.8.1p1-9), ssh-nonfree (<<2), ssh-socks, ssh2, sftp, rsh-client (<<0.16.1-1), ssh-krb5
-Replaces: ssh (<< 1:3.8.1p1-9), openssh-client (<< 1:3.8.1p1-11), ssh-krb5
+Conflicts: ssh (<< 1:3.8.1p1-9), ssh-nonfree (<<2), ssh-socks, ssh2, sftp, rsh-client (<<0.16.1-1), ssh-krb5 (<< 1:4.3p2-5)
+Replaces: ssh (<< 1:3.8.1p1-9), openssh-client (<< 1:3.8.1p1-11), ssh-krb5 (<< 1:4.3p2-5)
Suggests: ssh-askpass, xbase-clients, rssh
Provides: ssh-server
Description: Secure shell server, an rshd replacement
@@ -72,6 +72,16 @@
the OpenSSH server, which are now in separate packages. You may remove
it once the upgrade is complete and nothing depends on it.
+Package: ssh-krb5
+Priority: extra
+Architecture: all
+Depends: openssh-client, openssh-server
+Description: Secure shell client and server (transitional package)
+ This is a transitional package depending on the regular Debian OpenSSH
+ client and server, which now support GSSAPI natively. It will add the
+ necessary GSSAPI options to the server configuration file. You can
+ remove it once the upgrade is complete and nothing depends on it.
+
Package: ssh-askpass-gnome
Section: gnome
Priority: optional
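Review bot: `Depends: openssh-client, openssh-server` on the new ssh-krb5 stanza is unversioned, so on a partial upgrade the transitional package can be satisfied by an openssh-server that predates the GSSAPI merge, and its postinst would then write `GSSAPIAuthentication`/`GSSAPIKeyExchange` into a config that server does not understand. All three packages come from the same source and this file already uses `${Source-Version}` on the openssh-server Depends line, so `Depends: openssh-client (>= ${Source-Version}), openssh-server (>= ${Source-Version})` is the matching constraint. The `ssh-krb5 (<< 1:4.3p2-5)` bumps in the two earlier hunks pin the reverse direction only.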
diff -ruN openssh-4.3p2-current/debian/openssh-server.postinst openssh-4.3p2/debian/openssh-server.postinst
--- openssh-4.3p2-current/debian/openssh-server.postinst 2006-10-03 22:16:37.000000000 -0700
+++ openssh-4.3p2/debian/openssh-server.postinst 2006-10-03 23:27:05.000000000 -0700
@@ -72,6 +72,17 @@
}
+remove_obsolete_gssapi() {
+ grep -qi '^[ ]*GSSAPINoMICAuthentication' /etc/ssh/sshd_config \
+ || return 0
+ perl -pe 's/^(\s*GSSAPINoMICAuthentication)/\#$1/i' \
+ < /etc/ssh/sshd_config > /etc/ssh/sshd_config.dpkg-new
+ chown --reference /etc/ssh/sshd_config /etc/ssh/sshd_config.dpkg-new
+ chmod --reference /etc/ssh/sshd_config /etc/ssh/sshd_config.dpkg-new
+ mv /etc/ssh/sshd_config.dpkg-new /etc/ssh/sshd_config
+}
+
+
host_keys_required() {
hostkeys="$(get_config_option HostKey)"
if [ "$hostkeys" ]; then
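Review bot: The guard `grep -qi '^[ ]*GSSAPINoMICAuthentication'` in remove_obsolete_gssapi admits only spaces before the keyword, while the perl substitution on the next line accepts `\s*`, so a tab-indented `GSSAPINoMICAuthentication` line passes the guard and is never commented out; `grep -qi '^[[:space:]]*GSSAPINoMICAuthentication' /etc/ssh/sshd_config \` makes the two agree. The function also has no header; a line such as `# Comment out GSSAPINoMICAuthentication, which the merged GSSAPI code no longer recognises (ssh-krb5 in sarge accepted it).` above it would explain why a config edit happens in postinst at all. Its call site in the second hunk of this file sits inside a conditional whose start is outside the patch, so I cannot tell from here on which upgrade paths it actually runs.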
@@ -190,6 +201,9 @@
move_subsystem_sftp
fi
+ # Remove obsolete GSSAPI options.
+ remove_obsolete_gssapi
+
return 0
fi
fi
diff -ruN openssh-4.3p2-current/debian/rules openssh-4.3p2/debian/rules
--- openssh-4.3p2-current/debian/rules 2006-10-03 22:16:37.000000000 -0700
+++ openssh-4.3p2/debian/rules 2006-10-03 22:58:25.000000000 -0700
@@ -166,7 +166,7 @@
install -m 755 build-udeb/ssh-keygen debian/openssh-server-udeb/usr/bin/ssh-keygen
# Build architecture-independent files here.
-binary-indep: binary-ssh
+binary-indep: binary-ssh binary-ssh-krb5
# Build architecture-dependent files here.
binary-arch: binary-openssh-client binary-openssh-server
@@ -244,6 +244,19 @@
dh_md5sums
dh_builddeb
+binary-ssh-krb5: DH_OPTIONS=-pssh-krb5
+binary-ssh-krb5: build install
+ dh_testdir
+ dh_testroot
+ dh_installdocs
+ dh_link
+ dh_compress
+ dh_fixperms
+ dh_installdeb
+ dh_gencontrol
+ dh_md5sums
+ dh_builddeb
+
binary-ssh-askpass-gnome: DH_OPTIONS=-pssh-askpass-gnome
binary-ssh-askpass-gnome: build install
dh_testdir
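Review bot: The new `binary-ssh-krb5` recipe never runs `dh_installchangelogs`, so the package ships no Debian changelog and, as far as I can tell, the `debian/ssh-krb5.NEWS` file added later in this patch is not installed as NEWS.Debian either — it is dh_installchangelogs, not dh_installdocs, that picks up `debian/<package>.NEWS`. Adding `	dh_installchangelogs` directly after the `dh_installdocs` line covers both. The sibling `binary-ssh` recipe is outside the hunk, so I cannot confirm whether it is the template this was copied from.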
@@ -292,5 +305,5 @@
.PHONY: build clean binary-indep binary-arch binary install
.PHONY: build-deb build-udeb
.PHONY: binary-openssh-client binary-openssh-server binary-ssh
-.PHONY: binary-ssh-askpass-gnome
+.PHONY: binary-ssh-krb5 binary-ssh-askpass-gnome
.PHONY: binary-openssh-client-udeb binary-openssh-server-udeb
diff -ruN openssh-4.3p2-current/debian/ssh-krb5.NEWS openssh-4.3p2/debian/ssh-krb5.NEWS
--- openssh-4.3p2-current/debian/ssh-krb5.NEWS 1969-12-31 16:00:00.000000000 -0800
+++ openssh-4.3p2/debian/ssh-krb5.NEWS 2006-10-03 22:27:35.000000000 -0700
@@ -0,0 +1,18 @@
+ssh-krb5 (1:4.3p2-5) unstable; urgency=low
+
+ The normal openssh-server and openssh-client packages in Debian now
+ include full GSSAPI support, including key exchange. This package is
+ now only a transitional package that depends on openssh-server and
+ openssh-client and configures openssh-server for GSSAPI configuration
+ if it wasn't already.
+
+ You can now simply install openssh-server and openssh-client directly
+ and remove this package. Just make sure that /etc/ssh/sshd_config
+ contains:
+
+ GSSAPIAuthentication yes
+ GSSAPIKeyExchange yes
+
+ if you want to support GSSAPI authentication to your ssh server.
+
+ -- Russ Allbery <rra@debian.org> Tue, 03 Oct 2006 22:27:27 -0700
diff -ruN openssh-4.3p2-current/debian/ssh-krb5.postinst openssh-4.3p2/debian/ssh-krb5.postinst
--- openssh-4.3p2-current/debian/ssh-krb5.postinst 1969-12-31 16:00:00.000000000 -0800
+++ openssh-4.3p2/debian/ssh-krb5.postinst 2006-10-03 23:27:02.000000000 -0700
@@ -0,0 +1,37 @@
+#!/bin/sh
+
+set -e
+
+if [ "$1" = configure ] ; then
+ if grep -qi '^[ ]*GSSAPI' /etc/ssh/sshd_config ; then
+ :
+ else
+ if grep -qi '^#GSSAPI' /etc/ssh/sshd_config ; then
+ perl -pe 's/^\#(GSSAPI(Authentication|KeyExchange))\b/$1/i' \
+ < /etc/ssh/sshd_config > /etc/ssh/sshd_config.dpkg-new
+ chown --reference /etc/ssh/sshd_config \
+ /etc/ssh/sshd_config.dpkg-new
+ chmod --reference /etc/ssh/sshd_config \
+ /etc/ssh/sshd_config.dpkg-new
+ mv /etc/ssh/sshd_config.dpkg-new /etc/ssh/sshd_config
+ else
+ cat >> /etc/ssh/sshd_config <<EOF
+
+# GSSAPI authentication
+GSSAPIAuthentication yes
+GSSAPIKeyExchange yes
+EOF
+ fi
+ if [ -x /etc/init.d/ssh ] ; then
+ if [ -x /usr/sbin/invoke-rc.d ] ; then
+ invoke-rc.d ssh restart
+ else
+ /etc/init.d/ssh restart
+ fi
+ fi
+ fi
+fi
+
+#DEBHELPER#
+
+exit 0
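Review bot: The uncomment branch at `perl -pe 's/^\#(GSSAPI(Authentication|KeyExchange))\b/$1/i'` strips only the leading `#` and keeps whatever value followed it, so a stock commented template such as `#GSSAPIAuthentication no` becomes an explicit `GSSAPIAuthentication no`, and an option with no commented template (presumably `GSSAPIKeyExchange`, which I believe the upstream file does not list) is never added at all — the branch exists to enable GSSAPI and can instead leave it disabled. Setting the value explicitly and then appending whichever of the two options is still absent closes both gaps; the rewrite below folds the `if grep -qi '^#GSSAPI' … else cat >> … fi` pair into one path. The outer `grep -qi '^[ ]*GSSAPI'` guard also skips the whole edit when any uncommented GSSAPI keyword is present, e.g. a lone `GSSAPICleanupCredentials`; if that is the intended "admin already touched this" test it deserves a comment saying so. Running `sshd -t` before `invoke-rc.d ssh restart` would keep a config this script broke from taking sshd down on a remotely administered host.
```shell
if [ "$1" = configure ] ; then
  if grep -qi '^[[:space:]]*GSSAPI' /etc/ssh/sshd_config ; then
    :   # an uncommented GSSAPI option already exists; leave the file alone
  else
    # Set the value explicitly instead of only stripping the comment
    # marker, then append whichever option had no commented template.
    perl -pe 's/^#\s*(GSSAPI(?:Authentication|KeyExchange))\b.*/$1 yes/i' \
      < /etc/ssh/sshd_config > /etc/ssh/sshd_config.dpkg-new
    for opt in GSSAPIAuthentication GSSAPIKeyExchange ; do
      grep -qi "^$opt[[:space:]]" /etc/ssh/sshd_config.dpkg-new \
        || printf '%s yes\n' "$opt" >> /etc/ssh/sshd_config.dpkg-new
    done
    chown --reference /etc/ssh/sshd_config /etc/ssh/sshd_config.dpkg-new
    chmod --reference /etc/ssh/sshd_config /etc/ssh/sshd_config.dpkg-new
    mv /etc/ssh/sshd_config.dpkg-new /etc/ssh/sshd_config
    # … unchanged: init script restart …
  fi
fi
```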
diff -ruN openssh-4.3p2-current/ssh_config openssh-4.3p2/ssh_config
--- openssh-4.3p2-current/ssh_config 2006-10-03 22:16:37.000000000 -0700
+++ openssh-4.3p2/ssh_config 2006-10-03 22:30:14.000000000 -0700
@@ -43,3 +43,5 @@
# PermitLocalCommand no
SendEnv LANG LC_*
HashKnownHosts yes
+ GSSAPIAuthentication yes
+ GSSAPIDelegateCredentials no
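Review bot: The two new client defaults carry no comment, unlike the neighbouring options in this block (`# PermitLocalCommand no` is a documented example), and the pairing is the part a later editor most needs to understand. A short comment above them, e.g. `# Offer GSSAPI authentication (skipped when there is no ticket cache or the server does not advertise it); never forward credentials by default`, records the rationale the bug report gives and why `GSSAPIDelegateCredentials no` must stay alongside the enabled authentication. Whether these lines sit inside a `Host *` stanza is not visible in the hunk.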