--- Begin Message ---
- To: Debian Bug Tracking System <submit@bugs.debian.org>
- Subject: openssh: change ssh-krb5 into a dummy package
- From: Russ Allbery <rra@debian.org>
- Date: Tue, 03 Oct 2006 23:38:36 -0700
- Message-id: <20061004063836.432.2757.reportbug@windlord.stanford.edu>
Package: openssh
Version: 1:4.3p2-4
Severity: wishlist
Tags: patch
Hello folks,
Sam and I, and I'm sure the security team as well, would love to get rid
of the separate ssh-krb5 package for etch now that the GSSAPI patch has
been incorporated into openssh. There are only a few small issues in the
way of doing this:
* openssh-client doesn't default to attempting GSSAPI authentication.
There's no reason not to enable this by default; it is quietly skipped
if the user has no Kerberos ticket cache or if the remote host doesn't
advertise GSSAPI. Without this enabled, the upgrade from ssh-krb5 to
openssh-client would silently break GSSAPI authentication for users.
* openssh-server doesn't enable GSSAPI by default. This is a reasonable
default and ideally should be a debconf prompt, but in the interim,
installing ssh-krb5 needs to result in a GSSAPI-enabled server. We
therefore need a transitional package that will do the right thing in
the configuration.
* ssh-krb5 in sarge supports the GSSAPINoMICAuthentication configuration
option, which is no longer supported by the current GSSAPI code. This
option should therefore be removed from the sshd_config if seen there.
Attached is a lightly tested patch that takes care of all of these issues
and adds an ssh-krb5 transitional package to the openssh package. I would
very much like to get this into etch; I'm sorry that it's taken me so long
to get around to writing it.
Please let me know if you have any additional concerns.
(BTW, I also noticed that the current openssh-client package does not
include the -K patch to add a -K option that's the inverse of -k and
turns on ticket delegation regardless of the config setting. I thought
that this was part of the standard GSSAPI patch, but possibly not. Could
you include this? This may also be necessary for this transition, and it's
very useful.)
-- System Information:
Debian Release: testing/unstable
APT prefers testing
APT policy: (990, 'testing'), (500, 'unstable'), (1, 'experimental')
Architecture: i386 (i686)
Shell: /bin/sh linked to /bin/bash
Kernel: Linux 2.6.15-1-686
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
diff -ruN openssh-4.3p2-current/debian/control openssh-4.3p2/debian/control
--- openssh-4.3p2-current/debian/control 2006-10-03 22:16:37.000000000 -0700
+++ openssh-4.3p2/debian/control 2006-10-03 23:07:05.000000000 -0700
@@ -9,8 +9,8 @@
Package: openssh-client
Architecture: any
Depends: ${shlibs:Depends}, ${debconf-depends}, adduser (>= 3.10), dpkg (>= 1.7.0), passwd
-Conflicts: ssh (<< 1:3.8.1p1-9), sftp, rsh-client (<<0.16.1-1), ssh-krb5
-Replaces: ssh (<< 1:3.8.1p1-9), ssh-krb5
+Conflicts: ssh (<< 1:3.8.1p1-9), sftp, rsh-client (<<0.16.1-1), ssh-krb5 (<< 1:4.3p2-5)
+Replaces: ssh (<< 1:3.8.1p1-9), ssh-krb5 (<< 1:4.3p2-5)
Suggests: ssh-askpass, xbase-clients
Provides: rsh-client, ssh-client
Description: Secure shell client, an rlogin/rsh/rcp replacement
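Review bot: the bound `ssh-krb5 (<< 1:4.3p2-5)` added to Conflicts and Replaces hard-codes the revision this patch assumes will carry the transitional package, while the report is filed against 1:4.3p2-4; whoever uploads has to make the same number appear here, in the openssh-server stanza below and in debian/ssh-krb5.NEWS, otherwise an ssh-krb5 built from this very source could itself fall under the Conflicts. Also confirm that the version string of the sarge ssh-krb5 sorts below this bound (any version without the `1:` epoch always does; one carrying the epoch needs an upstream version below 4.3p2), since that old standalone package is exactly what the relation has to displace.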
@@ -39,8 +39,8 @@
Priority: optional
Architecture: any
Depends: ${shlibs:Depends}, ${debconf-depends}, ${pam-depends}, libpam-modules (>= 0.72-9), adduser (>= 3.9), dpkg (>= 1.9.0), openssh-client (= ${Source-Version})
-Conflicts: ssh (<< 1:3.8.1p1-9), ssh-nonfree (<<2), ssh-socks, ssh2, sftp, rsh-client (<<0.16.1-1), ssh-krb5
-Replaces: ssh (<< 1:3.8.1p1-9), openssh-client (<< 1:3.8.1p1-11), ssh-krb5
+Conflicts: ssh (<< 1:3.8.1p1-9), ssh-nonfree (<<2), ssh-socks, ssh2, sftp, rsh-client (<<0.16.1-1), ssh-krb5 (<< 1:4.3p2-5)
+Replaces: ssh (<< 1:3.8.1p1-9), openssh-client (<< 1:3.8.1p1-11), ssh-krb5 (<< 1:4.3p2-5)
Suggests: ssh-askpass, xbase-clients, rssh
Provides: ssh-server
Description: Secure shell server, an rshd replacement
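Review bot: the same hard-coded `(<< 1:4.3p2-5)` bound appears here as in the openssh-client stanza; because openssh-server already pins `openssh-client (= ${Source-Version})`, the two ssh-krb5 bounds must stay identical, and bumping one without the other would let the old ssh-krb5 (which shipped both client and server files) remain installed next to half of the new pair. Bump both together, ideally in one commit with the changelog entry.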
@@ -72,6 +72,16 @@
the OpenSSH server, which are now in separate packages. You may remove
it once the upgrade is complete and nothing depends on it.
+Package: ssh-krb5
+Priority: extra
+Architecture: all
+Depends: openssh-client, openssh-server
+Description: Secure shell client and server (transitional package)
+ This is a transitional package depending on the regular Debian OpenSSH
+ client and server, which now support GSSAPI natively. It will add the
+ necessary GSSAPI options to the server configuration file. You can
+ remove it once the upgrade is complete and nothing depends on it.
+
Package: ssh-askpass-gnome
Section: gnome
Priority: optional
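Review bot: `Depends: openssh-client, openssh-server` in the new ssh-krb5 stanza is unversioned, so the transitional package is satisfied by any openssh-client and openssh-server, including ones that lack the client-side GSSAPIAuthentication default and the GSSAPINoMICAuthentication cleanup this same patch adds; make it `Depends: openssh-client (>= 1:4.3p2-5), openssh-server (>= 1:4.3p2-5)`. The stanza also carries no Section: field and therefore inherits the source package's section; add `Section: net` explicitly if that is what is meant. The Description should state that installing the package edits /etc/ssh/sshd_config and restarts sshd, since that is the one behaviour that distinguishes it from an empty transitional package and an administrator reading `apt-cache show` before installing it would want to know.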
diff -ruN openssh-4.3p2-current/debian/openssh-server.postinst openssh-4.3p2/debian/openssh-server.postinst
--- openssh-4.3p2-current/debian/openssh-server.postinst 2006-10-03 22:16:37.000000000 -0700
+++ openssh-4.3p2/debian/openssh-server.postinst 2006-10-03 23:27:05.000000000 -0700
@@ -72,6 +72,17 @@
}
+remove_obsolete_gssapi() {
+ grep -qi '^[ ]*GSSAPINoMICAuthentication' /etc/ssh/sshd_config \
+ || return 0
+ perl -pe 's/^(\s*GSSAPINoMICAuthentication)/\#$1/i' \
+ < /etc/ssh/sshd_config > /etc/ssh/sshd_config.dpkg-new
+ chown --reference /etc/ssh/sshd_config /etc/ssh/sshd_config.dpkg-new
+ chmod --reference /etc/ssh/sshd_config /etc/ssh/sshd_config.dpkg-new
+ mv /etc/ssh/sshd_config.dpkg-new /etc/ssh/sshd_config
+}
+
+
host_keys_required() {
hostkeys="$(get_config_option HostKey)"
if [ "$hostkeys" ]; then
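Review bot: in remove_obsolete_gssapi the detection grep uses the bracket class `[ ]`, which as rendered here contains only a space, while the perl rewrite two lines later uses `\s*`; a tab-indented `GSSAPINoMICAuthentication` line therefore slips past the grep, the function returns early, and sshd later refuses to start on the unknown keyword. Use `grep -qi '^[[:space:]]*GSSAPINoMICAuthentication'` so both steps agree. Since the rewrite already goes through /etc/ssh/sshd_config.dpkg-new before the mv, that is also the natural point to run `/usr/sbin/sshd -t -f /etc/ssh/sshd_config.dpkg-new` and abort the swap if sshd rejects the result, instead of discovering it at restart time.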
@@ -190,6 +201,9 @@
move_subsystem_sftp
fi
+ # Remove obsolete GSSAPI options.
+ remove_obsolete_gssapi
+
return 0
fi
fi
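Review bot: the `remove_obsolete_gssapi` call sits after the `fi` that closes the move_subsystem_sftp branch but still inside an enclosing branch that ends in `return 0`, so it only runs when that outer condition holds; the context does not show the condition, so confirm it covers a sshd_config inherited from a sarge ssh-krb5 installation, which is the only place GSSAPINoMICAuthentication comes from. Calling it unconditionally on every configure run would be safe, because the function is a no-op once the option has been commented out.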
diff -ruN openssh-4.3p2-current/debian/rules openssh-4.3p2/debian/rules
--- openssh-4.3p2-current/debian/rules 2006-10-03 22:16:37.000000000 -0700
+++ openssh-4.3p2/debian/rules 2006-10-03 22:58:25.000000000 -0700
@@ -166,7 +166,7 @@
install -m 755 build-udeb/ssh-keygen debian/openssh-server-udeb/usr/bin/ssh-keygen
# Build architecture-independent files here.
-binary-indep: binary-ssh
+binary-indep: binary-ssh binary-ssh-krb5
# Build architecture-dependent files here.
binary-arch: binary-openssh-client binary-openssh-server
@@ -244,6 +244,19 @@
dh_md5sums
dh_builddeb
+binary-ssh-krb5: DH_OPTIONS=-pssh-krb5
+binary-ssh-krb5: build install
+ dh_testdir
+ dh_testroot
+ dh_installdocs
+ dh_link
+ dh_compress
+ dh_fixperms
+ dh_installdeb
+ dh_gencontrol
+ dh_md5sums
+ dh_builddeb
+
binary-ssh-askpass-gnome: DH_OPTIONS=-pssh-askpass-gnome
binary-ssh-askpass-gnome: build install
dh_testdir
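Review bot: the binary-ssh-krb5 target never runs dh_installchangelogs, which is the helper that installs debian/ssh-krb5.NEWS as /usr/share/doc/ssh-krb5/NEWS.Debian (together with the Debian changelog); with only dh_installdocs in the list, the NEWS entry this patch adds will not ship and apt-listchanges cannot show it during the upgrade it is written for. Add `dh_installchangelogs` next to `dh_installdocs`.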
@@ -292,5 +305,5 @@
.PHONY: build clean binary-indep binary-arch binary install
.PHONY: build-deb build-udeb
.PHONY: binary-openssh-client binary-openssh-server binary-ssh
-.PHONY: binary-ssh-askpass-gnome
+.PHONY: binary-ssh-krb5 binary-ssh-askpass-gnome
.PHONY: binary-openssh-client-udeb binary-openssh-server-udeb
diff -ruN openssh-4.3p2-current/debian/ssh-krb5.NEWS openssh-4.3p2/debian/ssh-krb5.NEWS
--- openssh-4.3p2-current/debian/ssh-krb5.NEWS 1969-12-31 16:00:00.000000000 -0800
+++ openssh-4.3p2/debian/ssh-krb5.NEWS 2006-10-03 22:27:35.000000000 -0700
@@ -0,0 +1,18 @@
+ssh-krb5 (1:4.3p2-5) unstable; urgency=low
+
+ The normal openssh-server and openssh-client packages in Debian now
+ include full GSSAPI support, including key exchange. This package is
+ now only a transitional package that depends on openssh-server and
+ openssh-client and configures openssh-server for GSSAPI configuration
+ if it wasn't already.
+
+ You can now simply install openssh-server and openssh-client directly
+ and remove this package. Just make sure that /etc/ssh/sshd_config
+ contains:
+
+ GSSAPIAuthentication yes
+ GSSAPIKeyExchange yes
+
+ if you want to support GSSAPI authentication to your ssh server.
+
+ -- Russ Allbery <rra@debian.org> Tue, 03 Oct 2006 22:27:27 -0700
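Review bot: the `ssh-krb5 (1:4.3p2-5)` header must be the version that actually ships the transitional package, and the advice to set `GSSAPIKeyExchange yes` leaves out what it depends on: the server needs a Kerberos key for its host principal in its keytab for GSSAPI key exchange to succeed, and the client has to enable GSSAPIKeyExchange as well (the client default added by this patch turns on only GSSAPIAuthentication), so a sentence on each would save the first round of bug reports. The phrase "configures openssh-server for GSSAPI configuration" says it twice; "enables GSSAPI in the openssh-server configuration" says it once.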
diff -ruN openssh-4.3p2-current/debian/ssh-krb5.postinst openssh-4.3p2/debian/ssh-krb5.postinst
--- openssh-4.3p2-current/debian/ssh-krb5.postinst 1969-12-31 16:00:00.000000000 -0800
+++ openssh-4.3p2/debian/ssh-krb5.postinst 2006-10-03 23:27:02.000000000 -0700
@@ -0,0 +1,37 @@
+#!/bin/sh
+
+set -e
+
+if [ "$1" = configure ] ; then
+ if grep -qi '^[ ]*GSSAPI' /etc/ssh/sshd_config ; then
+ :
+ else
+ if grep -qi '^#GSSAPI' /etc/ssh/sshd_config ; then
+ perl -pe 's/^\#(GSSAPI(Authentication|KeyExchange))\b/$1/i' \
+ < /etc/ssh/sshd_config > /etc/ssh/sshd_config.dpkg-new
+ chown --reference /etc/ssh/sshd_config \
+ /etc/ssh/sshd_config.dpkg-new
+ chmod --reference /etc/ssh/sshd_config \
+ /etc/ssh/sshd_config.dpkg-new
+ mv /etc/ssh/sshd_config.dpkg-new /etc/ssh/sshd_config
+ else
+ cat >> /etc/ssh/sshd_config <<EOF
+
+# GSSAPI authentication
+GSSAPIAuthentication yes
+GSSAPIKeyExchange yes
+EOF
+ fi
+ if [ -x /etc/init.d/ssh ] ; then
+ if [ -x /usr/sbin/invoke-rc.d ] ; then
+ invoke-rc.d ssh restart
+ else
+ /etc/init.d/ssh restart
+ fi
+ fi
+ fi
+fi
+
+#DEBHELPER#
+
+exit 0
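Review bot: the `^#GSSAPI` branch only strips the `#`: `s/^\#(GSSAPI(Authentication|KeyExchange))\b/$1/i` turns a commented default such as `#GSSAPIAuthentication no` into an explicit `GSSAPIAuthentication no`, so on such a config the package leaves GSSAPI disabled and then restarts sshd for nothing; replace the whole line instead, e.g. `s/^\#?\s*(GSSAPI(Authentication|KeyExchange))\b.*/$1 yes/i`. The two gates above it are too coarse as well: `grep -qi '^[ ]*GSSAPI'` treats any active GSSAPI* line (GSSAPICleanupCredentials, or the obsolete GSSAPINoMICAuthentication) as "already configured" and skips everything, and `grep -qi '^#GSSAPI'` matches `#GSSAPICleanupCredentials` and steers into the perl branch even when there is no Authentication/KeyExchange line to uncomment, so nothing gets appended either. Match `GSSAPI(Authentication|KeyExchange)` in both greps. Finally, run `sshd -t -f /etc/ssh/sshd_config.dpkg-new` before the mv and the `invoke-rc.d ssh restart`: a restart on a config sshd rejects leaves the host without a listening sshd until someone with console access fixes it.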
diff -ruN openssh-4.3p2-current/ssh_config openssh-4.3p2/ssh_config
--- openssh-4.3p2-current/ssh_config 2006-10-03 22:16:37.000000000 -0700
+++ openssh-4.3p2/ssh_config 2006-10-03 22:30:14.000000000 -0700
@@ -43,3 +43,5 @@
# PermitLocalCommand no
SendEnv LANG LC_*
HashKnownHosts yes
+ GSSAPIAuthentication yes
+ GSSAPIDelegateCredentials no
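Review bot: enabling GSSAPIAuthentication for every host in the client default is fine as the report describes it (skipped when there is no ticket cache or the server does not offer gssapi-with-mic), but two things go with it. `GSSAPIDelegateCredentials no` must stay as written, since `yes` here would forward the user's TGT to every GSSAPI-capable server they log into. And GSSAPIKeyExchange is left at its client default, so the server-side `GSSAPIKeyExchange yes` recommended in ssh-krb5.NEWS is never exercised unless users add it to their own config; either enable it here too or state in the NEWS that it is client opt-in.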
--- End Message ---
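The sshd_config edits the report's bullet list and the attached postinst scripts describe (turn on GSSAPIAuthentication and GSSAPIKeyExchange, retire GSSAPINoMICAuthentication, restart only a config sshd accepts), done in one pass as an added example that is not part of the original report or of the Debian openssh packaging. The awk filter, the function names, the optional `sshd -t` validation step and the sample configuration are all constructed for this example; it is written for a POSIX sh and awk rather than the perl one-liners the patch uses, and it goes beyond the patch in handling tab indentation, mixed case, commented-out defaults that say `no`, unrelated GSSAPI* options and Match blocks.

```shell
#!/bin/sh
# Added example, not code from the bug report or from the Debian openssh
# packaging. Rewrites an sshd_config so that GSSAPIAuthentication and
# GSSAPIKeyExchange are explicitly "yes" and any GSSAPINoMICAuthentication
# line is commented out, whatever its indentation, case or current value.
set -eu

TAB=$(printf '\t')

# Filter: sshd_config on stdin, rewritten sshd_config on stdout.
enable_gssapi_stream() {
    awk '
    function emit_missing() {
        if (!seen_auth) print "GSSAPIAuthentication yes"
        if (!seen_kex)  print "GSSAPIKeyExchange yes"
        seen_auth = 1; seen_kex = 1
    }
    {
        line = $0
        commented = (line ~ /^[ \t]*#/)
        # Keyword with leading whitespace and an optional "#" stripped.
        key = line
        sub(/^[ \t]*#?[ \t]*/, "", key)
        n = split(key, f, /[ \t=]+/)
        k = tolower(f[1])
        # From the first Match block on, lines are copied verbatim; the options
        # handled here are global, so anything still missing goes in before it.
        if (in_match) { print line; next }
        if (k == "match") { emit_missing(); in_match = 1; print line; next }
        # A comment counts as a setting only when it is exactly "#Keyword yes|no".
        if (commented && !(n == 2 && tolower(f[2]) ~ /^(yes|no)$/)) { print line; next }
        if (k == "gssapinomicauthentication") {
            # Obsolete keyword: sshd refuses to start on options it does not know.
            if (!commented) line = "#" line
            print line; next
        }
        if (k == "gssapiauthentication") { print "GSSAPIAuthentication yes"; seen_auth = 1; next }
        if (k == "gssapikeyexchange")    { print "GSSAPIKeyExchange yes";    seen_kex = 1;  next }
        print line
    }
    END { emit_missing() }
    '
}

# Rewrite FILE in place through a .dpkg-new copy that inherits its mode. With a
# second argument (path to an sshd binary) the candidate is checked first with
# "sshd -t -f" and FILE is left untouched if sshd rejects it.
enable_gssapi_file() {
    cfg=$1
    sshd=${2:-}
    tmp="$cfg.dpkg-new"
    cp -p "$cfg" "$tmp"
    enable_gssapi_stream < "$cfg" > "$tmp"
    if [ -n "$sshd" ] && ! "$sshd" -t -f "$tmp" 2>/dev/null; then
        rm -f "$tmp"
        echo "enable_gssapi_file: $sshd rejected the rewritten config, $cfg left untouched" >&2
        return 1
    fi
    mv "$tmp" "$cfg"
}

# Constructed sample (not any real host's file): a sarge-era ssh-krb5 config
# with a tab-indented obsolete option, a commented default that says "no",
# an unrelated GSSAPI option, no GSSAPIKeyExchange line, and a Match block.
sample_config() {
    printf '%s\n' \
        'Port 22' \
        "${TAB}GSSAPINoMICAuthentication yes" \
        '#GSSAPIAuthentication no' \
        '#GSSAPICleanupCredentials yes' \
        'Subsystem sftp /usr/lib/openssh/sftp-server' \
        'Match User backup' \
        "${TAB}PasswordAuthentication no"
}

# Returns 0 when the filter does to the sample exactly what the report asks:
# both options on, the obsolete one commented, the unrelated one untouched,
# and the inserted GSSAPIKeyExchange placed before the Match block.
check_rewrite() {
    out=$(sample_config | enable_gssapi_stream)
    printf '%s\n' "$out" | grep -qx 'GSSAPIAuthentication yes' &&
    printf '%s\n' "$out" | grep -qx "#${TAB}GSSAPINoMICAuthentication yes" &&
    printf '%s\n' "$out" | grep -qx '#GSSAPICleanupCredentials yes' &&
    [ "$(printf '%s\n' "$out" | grep -c '^GSSAPIAuthentication')" = 1 ] &&
    printf '%s\n' "$out" | awk '/^GSSAPIKeyExchange yes$/ { k = NR } /^Match/ { m = NR }
                                END { exit !(k && m && k < m) }'
}

if check_rewrite; then
    echo "sample sshd_config rewritten as expected"
else
    echo "unexpected rewrite output" >&2
fi
```

Run as `enable_gssapi_file /etc/ssh/sshd_config /usr/sbin/sshd` from a maintainer script; the validation argument is optional only so the filter can be exercised on hosts without sshd installed, and a second run over already-rewritten output leaves it unchanged, which is what makes it safe to call on every configure.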
--- Begin Message ---
Source: openssh
Source-Version: 1:4.3p2-7
We believe that the bug you reported is fixed in the latest version of
openssh, which is due to be installed in the Debian FTP archive:
openssh-client-udeb_4.3p2-7_powerpc.udeb
to pool/main/o/openssh/openssh-client-udeb_4.3p2-7_powerpc.udeb
openssh-client_4.3p2-7_powerpc.deb
to pool/main/o/openssh/openssh-client_4.3p2-7_powerpc.deb
openssh-server-udeb_4.3p2-7_powerpc.udeb
to pool/main/o/openssh/openssh-server-udeb_4.3p2-7_powerpc.udeb
openssh-server_4.3p2-7_powerpc.deb
to pool/main/o/openssh/openssh-server_4.3p2-7_powerpc.deb
openssh_4.3p2-7.diff.gz
to pool/main/o/openssh/openssh_4.3p2-7.diff.gz
openssh_4.3p2-7.dsc
to pool/main/o/openssh/openssh_4.3p2-7.dsc
ssh-askpass-gnome_4.3p2-7_powerpc.deb
to pool/main/o/openssh/ssh-askpass-gnome_4.3p2-7_powerpc.deb
ssh-krb5_4.3p2-7_all.deb
to pool/main/o/openssh/ssh-krb5_4.3p2-7_all.deb
ssh_4.3p2-7_all.deb
to pool/main/o/openssh/ssh_4.3p2-7_all.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 390986@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Colin Watson <cjwatson@debian.org> (supplier of updated openssh package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.7
Date: Wed, 6 Dec 2006 23:00:49 +0000
Source: openssh
Binary: ssh-askpass-gnome ssh-krb5 openssh-client-udeb ssh openssh-server openssh-client openssh-server-udeb
Architecture: source powerpc all
Version: 1:4.3p2-7
Distribution: unstable
Urgency: medium
Maintainer: Matthew Vernon <matthew@debian.org>
Changed-By: Colin Watson <cjwatson@debian.org>
Description:
openssh-client - Secure shell client, an rlogin/rsh/rcp replacement
openssh-client-udeb - Secure shell client for the Debian installer (udeb)
openssh-server - Secure shell server, an rshd replacement
openssh-server-udeb - Secure shell server for the Debian installer (udeb)
ssh - Secure shell client and server (transitional package)
ssh-askpass-gnome - under X, asks user for a passphrase for ssh-add
ssh-krb5 - Secure shell client and server (transitional package)
Closes: 335259 335276 390986 391248 398436 401483
Changes:
openssh (1:4.3p2-7) unstable; urgency=medium
.
[ Colin Watson ]
* Ignore errors from usermod when changing sshd's shell, since it will
fail if the sshd user is not local (closes: #398436).
* Remove version control tags from /etc/ssh/moduli and /etc/ssh/ssh_config
to avoid unnecessary conffile resolution steps for administrators
(thanks, Jari Aalto; closes: #335259).
* Fix quoting error in configure.ac and regenerate configure (thanks, Ben
Pfaff; closes: #391248).
* When installing openssh-client or openssh-server from scratch, remove
any unchanged conffiles from the pre-split ssh package to work around a
bug in sarge's dpkg (thanks, Justin Pryzby and others; closes: #335276).
.
[ Russ Allbery ]
* Create transitional ssh-krb5 package which enables GSSAPI configuration
in sshd_config (closes: #390986).
* Default client to attempting GSSAPI authentication.
* Remove obsolete GSSAPINoMICAuthentication from sshd_config if it's
found.
* Add ssh -K option, the converse of -k, to enable GSSAPI credential
delegation (closes: #401483).
Files:
976d80c02546f5b6b8b9254a97cfaec3 1000 net standard openssh_4.3p2-7.dsc
c38ee430b3f59225b9e96e7ad7529e3c 254719 net standard openssh_4.3p2-7.diff.gz
f61c287091686f202980ea0981276324 1054 net extra ssh_4.3p2-7_all.deb
1bcf5661b3340ff11b00be8f293c8a5f 90614 net extra ssh-krb5_4.3p2-7_all.deb
91a45b129bbf56e07a40e717184b70e4 643674 net standard openssh-client_4.3p2-7_powerpc.deb
eb03bd0b385940aafaf038659479241a 231148 net optional openssh-server_4.3p2-7_powerpc.deb
a1e8ffceecf9d60bdcc6dcf8e421064a 100002 gnome optional ssh-askpass-gnome_4.3p2-7_powerpc.deb
018cb1112ab2bcb45d874a5499184b12 166780 debian-installer optional openssh-client-udeb_4.3p2-7_powerpc.udeb
1a139b804d28fdc4bb993667f9150747 169888 debian-installer optional openssh-server-udeb_4.3p2-7_powerpc.udeb
Package-Type: udeb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)
iD8DBQFFd07Q9t0zAhD6TNERAtbVAJ9yxAAVobbK29ofod+gTa9SKY05vwCcDHVL
pxPLSjXZs8Ylj+eQV8QRIhA=
=hG8h
-----END PGP SIGNATURE-----
--- End Message ---