* Make GSSAPICleanupCreds a compatibility alias for

  GSSAPICleanupCredentials. Mark GSSUseSessionCCache and
  GSSAPIUseSessionCredCache as known-but-unsupported options, and migrate
  away from them on upgrade.

3 files changed, 35 insertions, 5 deletions

diff --git a/debian/changelog b/debian/changelog
index 08bc4b453..611a9ef0c 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -8,6 +8,10 @@ openssh (1:4.3p2-8) UNRELEASED; urgency=low
   [ Colin Watson ]
   * Drop versioning on ssh/ssh-krb5 Replaces, as otherwise it isn't
     sufficient to replace conffiles (closes: #402804).
+  * Make GSSAPICleanupCreds a compatibility alias for
+    GSSAPICleanupCredentials. Mark GSSUseSessionCCache and
+    GSSAPIUseSessionCredCache as known-but-unsupported options, and migrate
+    away from them on upgrade.
   * debconf template translations:
     - Add Romanian (thanks, Stan Ioan-Eugen; closes: #403528).
 
diff --git a/debian/openssh-server.postinst b/debian/openssh-server.postinst
index 4e91098df..ee660165e 100644
--- a/debian/openssh-server.postinst
+++ b/debian/openssh-server.postinst
@@ -72,10 +72,23 @@ set_config_option() {
 }
 
 
-remove_obsolete_gssapi() {
-        grep -qi '^[    ]*GSSAPINoMICAuthentication' /etc/ssh/sshd_config \
-                || return 0
-        perl -pe 's/^(\s*GSSAPINoMICAuthentication)/\#$1/i' \
+disable_config_option() {
+        option="$1"
+
+        value="$(get_config_option "$option")"
+        [ "$value" ] || return 0
+
+        perl -le '
+                $option = $ARGV[0];
+                while (<STDIN>) {
+                        chomp;
+                        (my $match = $_) =~ s/\s+/ /g;
+                        # TODO: actually only one "=" allowed after option
+                        if ($match =~ s/^(\s*\Q$option\E[[:space:]=]+.*)/#$1/i) {
+                                $_ = $match;
+                        }
+                        print;
+                }' \
                 < /etc/ssh/sshd_config > /etc/ssh/sshd_config.dpkg-new
         chown --reference /etc/ssh/sshd_config /etc/ssh/sshd_config.dpkg-new
         chmod --reference /etc/ssh/sshd_config /etc/ssh/sshd_config.dpkg-new
@@ -83,6 +96,13 @@ remove_obsolete_gssapi() {
 }
 
 
+remove_obsolete_gssapi() {
+        disable_config_option GSSAPINoMICAuthentication
+        disable_config_option GSSUseSessionCCache
+        disable_config_option GSSAPIUseSessionCredCache
+}
+
+
 host_keys_required() {
         hostkeys="$(get_config_option HostKey)"
         if [ "$hostkeys" ]; then
@@ -202,7 +222,9 @@ create_sshdconfig() {
                 fi
 
                 # Remove obsolete GSSAPI options.
-                remove_obsolete_gssapi
+                if dpkg --compare-versions "$oldversion" lt 1:4.3p2-8; then
+                    remove_obsolete_gssapi
+                fi
 
                 return 0
             fi
diff --git a/servconf.c b/servconf.c
index 219a0300f..60febff99 100644
--- a/servconf.c
+++ b/servconf.c
@@ -333,11 +333,15 @@ static struct {
         { "gssapiauthentication", sGssAuthentication },
         { "gssapikeyexchange", sGssKeyEx },
         { "gssapicleanupcredentials", sGssCleanupCreds },
+        { "gssapicleanupcreds", sGssCleanupCreds },
 #else
         { "gssapiauthentication", sUnsupported },
         { "gssapikeyexchange", sUnsupported },
         { "gssapicleanupcredentials", sUnsupported },
+        { "gssapicleanupcreds", sUnsupported },
 #endif
+        { "gssusesessionccache", sUnsupported },
+        { "gssapiusesessioncredcache", sUnsupported },
         { "passwordauthentication", sPasswordAuthentication },
         { "kbdinteractiveauthentication", sKbdInteractiveAuthentication },
         { "challengeresponseauthentication", sChallengeResponseAuthentication },