
Bug#404863: marked as done (ssh-krb5: enable GSSAPIKeyExchange on transitional upgrades)



Your message dated Mon, 05 Mar 2007 16:32:04 +0000
with message-id <E1HOG6W-0007Z6-2V@ries.debian.org>
and subject line Bug#404863: fixed in openssh 1:4.3p2-9
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--- Begin Message ---
Package: ssh-krb5
Version: 1:4.3p2-8
Severity: important
Tags: patch

Sam pointed out that ssh-krb5 automatically enabled GSSAPIKeyExchange
without a configuration option, which means that upgrades from ssh-krb5
to openssh-server with the standard ssh-krb5 sshd_config would disable
GSSAPIKeyExchange since they would have GSSAPI configuration options
present but not that one.

This patch corrects this, adds comments to the postinst so that it's
more obvious what's going on, and fixes a mistaken word choice in the
ssh-krb5 NEWS.Debian file.  The resulting transitional package has been
tested for each of the possibilities of present or missing GSSAPI
options in sshd_config.

If you could apply this patch and upload for etch, I would greatly
appreciate it.  It's only a borderline RC problem, but sites that use
key exchange are going to find it very surprising to have it disabled
after the upgrade.

Thanks!

-- System Information:
Debian Release: 4.0
  APT prefers testing
  APT policy: (990, 'testing'), (500, 'unstable'), (1, 'experimental')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.18-3-686
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
--- openssh-4.3p2/debian/ssh-krb5.NEWS	2006-12-28 10:57:00.000000000 -0800
+++ openssh-4.3p2.new/debian/ssh-krb5.NEWS	2006-12-28 10:35:43.000000000 -0800
@@ -3,7 +3,7 @@
   The normal openssh-server and openssh-client packages in Debian now
   include full GSSAPI support, including key exchange.  This package is
   now only a transitional package that depends on openssh-server and
-  openssh-client and configures openssh-server for GSSAPI configuration
+  openssh-client and configures openssh-server for GSSAPI authentication
   if it wasn't already.
 
   You can now simply install openssh-server and openssh-client directly
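Review bot: The reworded sentence "configures openssh-server for GSSAPI authentication" names only authentication, while the postinst changed in this same patch also appends "GSSAPIKeyExchange yes" to sshd_config. Consider "GSSAPI authentication and key exchange" so the NEWS entry matches what the transitional package actually changes.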
diff -ru openssh-4.3p2/debian/ssh-krb5.postinst openssh-4.3p2.new/debian/ssh-krb5.postinst
--- openssh-4.3p2/debian/ssh-krb5.postinst	2006-12-28 10:57:00.000000000 -0800
+++ openssh-4.3p2.new/debian/ssh-krb5.postinst	2006-12-28 10:47:40.000000000 -0800
@@ -14,27 +14,51 @@
         fi
     fi
 
-    if dpkg --compare-versions "$oldversion" ge 1:4.3p2-7 || \
-       grep -qi '^[ 	]*GSSAPI' /etc/ssh/sshd_config ; then
+    # Make sure that GSSAPI is enabled.  If there is no uncommented GSSAPI
+    # configuration, uncomment any commented-out configuration if present
+    # (this will catch the case of a fresh install of openssh-server).
+    # Otherwise, add configuration turning on GSSAPIAutentication and
+    # GSSAPIKeyExchange.
+    #
+    # If there is some configuration, we may be upgrading from ssh-krb5.  It
+    # enabled GSSAPIKeyExchange without any configuration option.  Therefore,
+    # if it isn't explicitly set, always enable it for compatible behavior
+    # with ssh-krb5.
+    if dpkg --compare-versions "$oldversion" ge 1:4.3p2-8 ; then
         :
     else
-        if grep -qi '^#GSSAPI' /etc/ssh/sshd_config ; then
-            perl -pe 's/^\#(GSSAPI(Authentication|KeyExchange))\b/$1/i' \
-                < /etc/ssh/sshd_config > /etc/ssh/sshd_config.dpkg-new
-            chown --reference /etc/ssh/sshd_config \
-                /etc/ssh/sshd_config.dpkg-new
-            chmod --reference /etc/ssh/sshd_config \
-                /etc/ssh/sshd_config.dpkg-new
-            mv /etc/ssh/sshd_config.dpkg-new /etc/ssh/sshd_config
+        changed=
+        if grep -qi '^[ 	]*GSSAPI' /etc/ssh/sshd_config ; then
+            if grep -qi '^[ 	]*GSSAPIKeyExchange' /etc/ssh/sshd_config ; then
+                :
+            else
+                changed=true
+                cat >> /etc/ssh/sshd_config <<EOF
+
+# GSSAPI key exchange (added by ssh-krb5 transitional package)
+GSSAPIKeyExchange yes
+EOF
+            fi
         else
-            cat >> /etc/ssh/sshd_config <<EOF
+            changed=true
+            if grep -qi '^#GSSAPI' /etc/ssh/sshd_config ; then
+                perl -pe 's/^\#(GSSAPI(Authentication|KeyExchange))\b/$1/i' \
+                    < /etc/ssh/sshd_config > /etc/ssh/sshd_config.dpkg-new
+                chown --reference /etc/ssh/sshd_config \
+                    /etc/ssh/sshd_config.dpkg-new
+                chmod --reference /etc/ssh/sshd_config \
+                    /etc/ssh/sshd_config.dpkg-new
+                mv /etc/ssh/sshd_config.dpkg-new /etc/ssh/sshd_config
+            else
+                cat >> /etc/ssh/sshd_config <<EOF
 
-# GSSAPI authentication
+# GSSAPI authentication (added by ssh-krb5 transitional package)
 GSSAPIAuthentication yes
 GSSAPIKeyExchange yes
 EOF
+            fi
         fi
-        if [ -x /etc/init.d/ssh ] ; then
+        if [ -n "$changed" ] && [ -x /etc/init.d/ssh ] ; then
             if [ -x /usr/sbin/invoke-rc.d ] ; then
                 invoke-rc.d ssh restart
             else
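Review bot: In the uncomment branch (the perl -pe line under grep -qi '^#GSSAPI'), the substitution only strips the leading "#" and keeps whatever value the commented line carried, so a commented "GSSAPIAuthentication no" becomes an active "no" while changed=true still triggers the restart. The grep also matches any commented GSSAPI option, but the perl expression rewrites only GSSAPIAuthentication and GSSAPIKeyExchange, so a file whose only commented GSSAPI lines are other options ends up with nothing enabled. Suggest having the substitution set the value to yes as well, or re-running the '^[ 	]*GSSAPIKeyExchange' check after the rewrite and appending the option if it still fails. Minor: the new comment block spells the option "GSSAPIAutentication".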

--- End Message ---
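An added example, not part of the report or the patch: a read-only check that sorts an sshd_config into the upgrade cases the report describes, so a host can be audited before and after the transition. The function names gss_state and sample, the state labels, and the sample configs are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the patch): classify an sshd_config into the
# upgrade cases the report describes. gss_state FILE prints one of:
#   keyex-yes      active "GSSAPIKeyExchange yes"
#   keyex-other    GSSAPIKeyExchange active with any other value
#   missing-keyex  active GSSAPI options but no GSSAPIKeyExchange line
#   commented      only commented-out GSSAPI options
#   absent         no GSSAPI options at all
gss_state() {
    awk '
    {
        line = $0
        sub(/^[ \t]+/, "", line)
        split(line, f, /[ \t=]+/)          # keyword, then value
        k = tolower(f[1]); v = tolower(f[2])
        if (k ~ /^#/) {                     # "#GSSAPI..." or "# GSSAPI..."
            sub(/^#+/, "", k)
            if (k == "") k = v
            if (k ~ /^gssapi/) commented = 1
            next
        }
        if (k ~ /^gssapi/) active = 1
        if (k == "gssapikeyexchange" && !seen) { seen = 1; keyex = v }
    }
    END {
        if (seen && keyex == "yes") print "keyex-yes"
        else if (seen)              print "keyex-other"
        else if (active)            print "missing-keyex"
        else if (commented)         print "commented"
        else                        print "absent"
    }' "$1"
}

# Constructed sample configs, one per case (not taken from any real host).
sample() {
    case $1 in
        krb5)  printf 'Port 22\nGSSAPIAuthentication yes\nGSSAPICleanupCredentials yes\n' ;;
        fixed) printf 'GSSAPIAuthentication yes\n\nGSSAPIKeyExchange yes\n' ;;
        stock) printf 'Port 22\n#GSSAPIAuthentication no\n#GSSAPIKeyExchange no\n' ;;
        plain) printf 'Port 22\nPermitRootLogin no\n' ;;
    esac
}

for name in krb5 fixed stock plain; do
    tmp=$(mktemp) && sample "$name" > "$tmp"
    printf '%-6s %s\n' "$name" "$(gss_state "$tmp")"
    rm -f "$tmp"
done
```

The "krb5" sample is the case the report is about: GSSAPI options are present but GSSAPIKeyExchange is not, so the check reports missing-keyex.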
--- Begin Message ---
Source: openssh
Source-Version: 1:4.3p2-9

We believe that the bug you reported is fixed in the latest version of
openssh, which is due to be installed in the Debian FTP archive:

openssh-client-udeb_4.3p2-9_powerpc.udeb
  to pool/main/o/openssh/openssh-client-udeb_4.3p2-9_powerpc.udeb
openssh-client_4.3p2-9_powerpc.deb
  to pool/main/o/openssh/openssh-client_4.3p2-9_powerpc.deb
openssh-server-udeb_4.3p2-9_powerpc.udeb
  to pool/main/o/openssh/openssh-server-udeb_4.3p2-9_powerpc.udeb
openssh-server_4.3p2-9_powerpc.deb
  to pool/main/o/openssh/openssh-server_4.3p2-9_powerpc.deb
openssh_4.3p2-9.diff.gz
  to pool/main/o/openssh/openssh_4.3p2-9.diff.gz
openssh_4.3p2-9.dsc
  to pool/main/o/openssh/openssh_4.3p2-9.dsc
ssh-askpass-gnome_4.3p2-9_powerpc.deb
  to pool/main/o/openssh/ssh-askpass-gnome_4.3p2-9_powerpc.deb
ssh-krb5_4.3p2-9_all.deb
  to pool/main/o/openssh/ssh-krb5_4.3p2-9_all.deb
ssh_4.3p2-9_all.deb
  to pool/main/o/openssh/ssh_4.3p2-9_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 404863@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Colin Watson <cjwatson@debian.org> (supplier of updated openssh package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Mon,  5 Mar 2007 16:13:50 +0000
Source: openssh
Binary: ssh-askpass-gnome ssh-krb5 openssh-client-udeb ssh openssh-server openssh-client openssh-server-udeb
Architecture: source powerpc all
Version: 1:4.3p2-9
Distribution: unstable
Urgency: high
Maintainer: Matthew Vernon <matthew@debian.org>
Changed-By: Colin Watson <cjwatson@debian.org>
Description: 
 openssh-client - Secure shell client, an rlogin/rsh/rcp replacement
 openssh-client-udeb - Secure shell client for the Debian installer (udeb)
 openssh-server - Secure shell server, an rshd replacement
 openssh-server-udeb - Secure shell server for the Debian installer (udeb)
 ssh        - Secure shell client and server (transitional package)
 ssh-askpass-gnome - under X, asks user for a passphrase for ssh-add
 ssh-krb5   - Secure shell client and server (transitional package)
Closes: 404863 407766 412330
Changes: 
 openssh (1:4.3p2-9) unstable; urgency=high
 .
   [ Russ Allbery ]
   * Fix GSSAPIKeyExchange configuration file handling logic in ssh-krb5
     (closes: #404863).
   * Fix uncommenting of GSSAPI options by ssh-krb5 (closes: #407766).
 .
   [ Colin Watson ]
   * debconf template translations:
     - Add Norwegian Bokmål (thanks, Bjørn Steensrud; closes: #412330).
Files: 
 d7615f49e4f55d79c6b1ba3bbdee8a79 1000 net standard openssh_4.3p2-9.dsc
 d4255feb7a987059b1ec43483a3b3bd2 259760 net standard openssh_4.3p2-9.diff.gz
 3813ca3973d4b5101de98acbb951c32f 1054 net extra ssh_4.3p2-9_all.deb
 37221ae6edec410f61923a4584744973 91464 net extra ssh-krb5_4.3p2-9_all.deb
 b80c9ed4ccfc37ca7c74d967c91830e0 651760 net standard openssh-client_4.3p2-9_powerpc.deb
 b9286d4f557d84b18e43d5cdddc6123e 234426 net optional openssh-server_4.3p2-9_powerpc.deb
 cd88ec5af1d667d1b77c4eaa5b8cca5f 100602 gnome optional ssh-askpass-gnome_4.3p2-9_powerpc.deb
 9cc95b5eff7028141d62c901d317095b 166786 debian-installer optional openssh-client-udeb_4.3p2-9_powerpc.udeb
 b60818d59b459ac0dad988d8699007e7 169936 debian-installer optional openssh-server-udeb_4.3p2-9_powerpc.udeb
Package-Type: udeb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)

iD8DBQFF7EUP9t0zAhD6TNERAnNuAJ9DL2GJM0vFYeScnoTPQlbPsfmKWwCeLguu
gTdM9U7Y3I3bRT0R1/Zoyf8=
=BKll
-----END PGP SIGNATURE-----


--- End Message ---
