diff options
| -rw-r--r-- | debian/changelog | 5 | ||||
| -rw-r--r-- | debian/ssh-krb5.NEWS | 2 | ||||
| -rw-r--r-- | debian/ssh-krb5.postinst | 50 |
3 files changed, 43 insertions, 14 deletions
diff --git a/debian/changelog b/debian/changelog index 107aca11a..555b49d80 100644 --- a/debian/changelog +++ b/debian/changelog | |||
| @@ -1,5 +1,10 @@ | |||
| 1 | openssh (1:4.3p2-9) UNRELEASED; urgency=low | 1 | openssh (1:4.3p2-9) UNRELEASED; urgency=low |
| 2 | 2 | ||
| 3 | [ Russ Allbery ] | ||
| 4 | * Fix GSSAPIKeyExchange configuration file handling logic in ssh-krb5 | ||
| 5 | (closes: #404863). | ||
| 6 | |||
| 7 | [ Colin Watson ] | ||
| 3 | * debconf template translations: | 8 | * debconf template translations: |
| 4 | - Add Norwegian Bokmål (thanks, Bjørn Steensrud; closes: #412330). | 9 | - Add Norwegian Bokmål (thanks, Bjørn Steensrud; closes: #412330). |
| 5 | 10 | ||
diff --git a/debian/ssh-krb5.NEWS b/debian/ssh-krb5.NEWS index 833c36328..5a6433ab2 100644 --- a/debian/ssh-krb5.NEWS +++ b/debian/ssh-krb5.NEWS | |||
| @@ -3,7 +3,7 @@ ssh-krb5 (1:4.3p2-7) unstable; urgency=low | |||
| 3 | The normal openssh-server and openssh-client packages in Debian now | 3 | The normal openssh-server and openssh-client packages in Debian now |
| 4 | include full GSSAPI support, including key exchange. This package is | 4 | include full GSSAPI support, including key exchange. This package is |
| 5 | now only a transitional package that depends on openssh-server and | 5 | now only a transitional package that depends on openssh-server and |
| 6 | openssh-client and configures openssh-server for GSSAPI configuration | 6 | openssh-client and configures openssh-server for GSSAPI authentication |
| 7 | if it wasn't already. | 7 | if it wasn't already. |
| 8 | 8 | ||
| 9 | You can now simply install openssh-server and openssh-client directly | 9 | You can now simply install openssh-server and openssh-client directly |
diff --git a/debian/ssh-krb5.postinst b/debian/ssh-krb5.postinst index b1bea1e29..89ef8d86e 100644 --- a/debian/ssh-krb5.postinst +++ b/debian/ssh-krb5.postinst | |||
| @@ -14,27 +14,51 @@ if [ "$action" = configure ] ; then | |||
| 14 | fi | 14 | fi |
| 15 | fi | 15 | fi |
| 16 | 16 | ||
| 17 | if dpkg --compare-versions "$oldversion" ge 1:4.3p2-7 || \ | 17 | # Make sure that GSSAPI is enabled. If there is no uncommented GSSAPI |
| 18 | grep -qi '^[ ]*GSSAPI' /etc/ssh/sshd_config ; then | 18 | # configuration, uncomment any commented-out configuration if present |
| 19 | # (this will catch the case of a fresh install of openssh-server). | ||
| 20 | # Otherwise, add configuration turning on GSSAPIAuthentication and | ||
| 21 | # GSSAPIKeyExchange. | ||
| 22 | # | ||
| 23 | # If there is some configuration, we may be upgrading from ssh-krb5. It | ||
| 24 | # enabled GSSAPIKeyExchange without any configuration option. Therefore, | ||
| 25 | # if it isn't explicitly set, always enable it for compatible behavior | ||
| 26 | # with ssh-krb5. | ||
| 27 | if dpkg --compare-versions "$oldversion" ge 1:4.3p2-9; then | ||
| 19 | : | 28 | : |
| 20 | else | 29 | else |
| 21 | if grep -qi '^#GSSAPI' /etc/ssh/sshd_config ; then | 30 | changed= |
| 22 | perl -pe 's/^\#(GSSAPI(Authentication|KeyExchange))\b/$1/i' \ | 31 | if grep -qi '^[ ]*GSSAPI' /etc/ssh/sshd_config ; then |
| 23 | < /etc/ssh/sshd_config > /etc/ssh/sshd_config.dpkg-new | 32 | if grep -qi '^[ ]*GSSAPIKeyExchange' /etc/ssh/sshd_config ; then |
| 24 | chown --reference /etc/ssh/sshd_config \ | 33 | : |
| 25 | /etc/ssh/sshd_config.dpkg-new | 34 | else |
| 26 | chmod --reference /etc/ssh/sshd_config \ | 35 | changed=true |
| 27 | /etc/ssh/sshd_config.dpkg-new | 36 | cat >> /etc/ssh/sshd_config <<EOF |
| 28 | mv /etc/ssh/sshd_config.dpkg-new /etc/ssh/sshd_config | 37 | |
| 38 | # GSSAPI key exchange (added by ssh-krb5 transitional package) | ||
| 39 | GSSAPIKeyExchange yes | ||
| 40 | EOF | ||
| 41 | fi | ||
| 29 | else | 42 | else |
| 30 | cat >> /etc/ssh/sshd_config <<EOF | 43 | changed=true |
| 44 | if grep -qi '^#GSSAPI' /etc/ssh/sshd_config ; then | ||
| 45 | perl -pe 's/^\#(GSSAPI(Authentication|KeyExchange))\b/$1/i' \ | ||
| 46 | < /etc/ssh/sshd_config > /etc/ssh/sshd_config.dpkg-new | ||
| 47 | chown --reference /etc/ssh/sshd_config \ | ||
| 48 | /etc/ssh/sshd_config.dpkg-new | ||
| 49 | chmod --reference /etc/ssh/sshd_config \ | ||
| 50 | /etc/ssh/sshd_config.dpkg-new | ||
| 51 | mv /etc/ssh/sshd_config.dpkg-new /etc/ssh/sshd_config | ||
| 52 | else | ||
| 53 | cat >> /etc/ssh/sshd_config <<EOF | ||
| 31 | 54 | ||
| 32 | # GSSAPI authentication | 55 | # GSSAPI authentication (added by ssh-krb5 transitional package) |
| 33 | GSSAPIAuthentication yes | 56 | GSSAPIAuthentication yes |
| 34 | GSSAPIKeyExchange yes | 57 | GSSAPIKeyExchange yes |
| 35 | EOF | 58 | EOF |
| 59 | fi | ||
| 36 | fi | 60 | fi |
| 37 | if [ -x /etc/init.d/ssh ] ; then | 61 | if [ -n "$changed" ] && [ -x /etc/init.d/ssh ] ; then |
| 38 | if [ -x /usr/sbin/invoke-rc.d ] ; then | 62 | if [ -x /usr/sbin/invoke-rc.d ] ; then |
| 39 | invoke-rc.d ssh restart | 63 | invoke-rc.d ssh restart |
| 40 | else | 64 | else |