* Create transitional ssh-krb5 package which enables GSSAPI configuration

  in sshd_config.
* Default client to attempting GSSAPI authentication.
* Remove obsolete GSSAPINoMICAuthentication from sshd_config if it's
  found.

1 files changed, 54 insertions, 0 deletions

diff --git a/debian/ssh-krb5.postinst b/debian/ssh-krb5.postinst
new file mode 100644
index 000000000..989a66801
--- /dev/null
+++ b/debian/ssh-krb5.postinst
@@ -0,0 +1,54 @@
+#!/bin/sh
+
+set -e
+
+action="$1"
+oldversion="$2"
+
+if [ "$action" = configure ] ; then
+    if dpkg --compare-versions "$oldversion" lt-nl 1:4.3p2-7; then
+        if [ ! -L /usr/share/doc/ssh-krb5 ]; then
+            rm -rf /usr/share/doc/ssh-krb5
+            ln -s openssh-client /usr/share/doc/ssh-krb5
+        fi
+
+        # Replaced by /etc/init.d/ssh.
+        if [ -f /etc/init.d/ssh-krb5 ]; then
+            mv /etc/init.d/ssh-krb5 /etc/init.d/ssh-krb5.dpkg-old
+            update-rc.d ssh-krb5 remove || true
+        fi
+    fi
+
+    if dpkg --compare-versions "$oldversion" ge 1:4.3p2-7 || \
+       grep -qi '^[     ]*GSSAPI' /etc/ssh/sshd_config ; then
+        :
+    else
+        if grep -qi '^#GSSAPI' /etc/ssh/sshd_config ; then
+            perl -pe 's/^\#(GSSAPI(Authentication|KeyExchange))\b/$1/i' \
+                < /etc/ssh/sshd_config > /etc/ssh/sshd_config.dpkg-new
+            chown --reference /etc/ssh/sshd_config \
+                /etc/ssh/sshd_config.dpkg-new
+            chmod --reference /etc/ssh/sshd_config \
+                /etc/ssh/sshd_config.dpkg-new
+            mv /etc/ssh/sshd_config.dpkg-new /etc/ssh/sshd_config
+        else
+            cat >> /etc/ssh/sshd_config <<EOF
+
+# GSSAPI authentication
+GSSAPIAuthentication yes
+GSSAPIKeyExchange yes
+EOF
+        fi
+        if [ -x /etc/init.d/ssh ] ; then
+            if [ -x /usr/sbin/invoke-rc.d ] ; then
+                invoke-rc.d ssh restart
+            else
+                /etc/init.d/ssh restart
+            fi
+        fi
+    fi
+fi
+
+#DEBHELPER#
+
+exit 0