-rw-r--r-- | debian/changelog | 8 | ||||
-rw-r--r-- | debian/control | 18 | ||||
-rw-r--r-- | debian/openssh-server.postinst | 14 | ||||
-rwxr-xr-x | debian/rules | 19 | ||||
-rw-r--r-- | debian/ssh-krb5.NEWS | 18 | ||||
-rw-r--r-- | debian/ssh-krb5.links | 1 | ||||
-rw-r--r-- | debian/ssh-krb5.postinst | 54 | ||||
-rw-r--r-- | debian/ssh-krb5.prerm | 14 | ||||
-rw-r--r-- | ssh_config | 2 |
9 files changed, 142 insertions, 6 deletions
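--- a/debian/changelog
+++ b/debian/changelog
@@ -1,8 +1,16 @@
 openssh (1:4.3p2-7) UNRELEASED; urgency=low
 
+[ Colin Watson ]
 * Ignore errors from usermod when changing sshd's shell, since it will
 fail if the sshd user is not local (closes: #398436).
 
+[ Russ Allbery ]
+* Create transitional ssh-krb5 package which enables GSSAPI configuration
+in sshd_config.
+* Default client to attempting GSSAPI authentication.
+* Remove obsolete GSSAPINoMICAuthentication from sshd_config if it's
+found.
+
 -- Colin Watson <cjwatson@debian.org> Mon, 20 Nov 2006 14:57:16 +0000
 
 openssh (1:4.3p2-6) unstable; urgency=low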
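--- a/debian/control
+++ b/debian/control
@@ -9,8 +9,8 @@ Uploaders: Colin Watson <cjwatson@debian.org>
 Package: openssh-client
 Architecture: any
 Depends: ${shlibs:Depends}, ${debconf-depends}, adduser (>= 3.10), dpkg (>= 1.7.0), passwd
-Conflicts: ssh (<< 1:3.8.1p1-9), sftp, rsh-client (<<0.16.1-1), ssh-krb5
-Replaces: ssh (<< 1:3.8.1p1-9), ssh-krb5
+Conflicts: ssh (<< 1:3.8.1p1-9), sftp, rsh-client (<<0.16.1-1), ssh-krb5 (<< 1:4.3p2-7)
+Replaces: ssh (<< 1:3.8.1p1-9), ssh-krb5 (<< 1:4.3p2-7)
 Suggests: ssh-askpass, xbase-clients
 Provides: rsh-client, ssh-client
 Description: Secure shell client, an rlogin/rsh/rcp replacement
@@ -39,8 +39,8 @@ Package: openssh-server
 Priority: optional
 Architecture: any
 Depends: ${shlibs:Depends}, ${debconf-depends}, ${pam-depends}, libpam-modules (>= 0.72-9), adduser (>= 3.9), dpkg (>= 1.9.0), openssh-client (= ${Source-Version})
-Conflicts: ssh (<< 1:3.8.1p1-9), ssh-nonfree (<<2), ssh-socks, ssh2, sftp, rsh-client (<<0.16.1-1), ssh-krb5
-Replaces: ssh (<< 1:3.8.1p1-9), openssh-client (<< 1:3.8.1p1-11), ssh-krb5
+Conflicts: ssh (<< 1:3.8.1p1-9), ssh-nonfree (<<2), ssh-socks, ssh2, sftp, rsh-client (<<0.16.1-1), ssh-krb5 (<< 1:4.3p2-7)
+Replaces: ssh (<< 1:3.8.1p1-9), openssh-client (<< 1:3.8.1p1-11), ssh-krb5 (<< 1:4.3p2-7)
 Suggests: ssh-askpass, xbase-clients, rssh, molly-guard
 Provides: ssh-server
 Description: Secure shell server, an rshd replacement
@@ -72,6 +72,16 @@ Description: Secure shell client and server (transitional package)
 the OpenSSH server, which are now in separate packages. You may remove
 it once the upgrade is complete and nothing depends on it.
 
+Package: ssh-krb5
+Priority: extra
+Architecture: all
+Depends: openssh-client, openssh-server
+Description: Secure shell client and server (transitional package)
+This is a transitional package depending on the regular Debian OpenSSH
+client and server, which now support GSSAPI natively. It will add the
+necessary GSSAPI options to the server configuration file. You can
+remove it once the upgrade is complete and nothing depends on it.
+
 Package: ssh-askpass-gnome
 Section: gnome
 Priority: optional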
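--- a/debian/openssh-server.postinst
+++ b/debian/openssh-server.postinst
@@ -72,6 +72,17 @@ set_config_option() {
 }
 
 
+remove_obsolete_gssapi() {
+grep -qi '^[ ]*GSSAPINoMICAuthentication' /etc/ssh/sshd_config \
+|| return 0
+perl -pe 's/^(\s*GSSAPINoMICAuthentication)/\#$1/i' \
+< /etc/ssh/sshd_config > /etc/ssh/sshd_config.dpkg-new
+chown --reference /etc/ssh/sshd_config /etc/ssh/sshd_config.dpkg-new
+chmod --reference /etc/ssh/sshd_config /etc/ssh/sshd_config.dpkg-new
+mv /etc/ssh/sshd_config.dpkg-new /etc/ssh/sshd_config
+}
+
+
 host_keys_required() {
 hostkeys="$(get_config_option HostKey)"
 if [ "$hostkeys" ]; then
@@ -190,6 +201,9 @@ create_sshdconfig() {
 move_subsystem_sftp
 fi
 
+# Remove obsolete GSSAPI options.
+remove_obsolete_gssapi
+
 return 0
 fi
 fi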
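Review bot: In `remove_obsolete_gssapi` the shell redirect creates `/etc/ssh/sshd_config.dpkg-new` with the process umask, and `chmod --reference` only adjusts the mode afterwards, so on a host where the administrator keeps `sshd_config` at a restrictive mode the copy is briefly more widely readable than the original. Running the perl/chown/chmod/mv sequence in a subshell that starts with `umask 077` closes that window, because the reference chmod then only ever loosens the mode to match. The function also comments the directive out rather than deleting it, which the call-site comment does not say; `# Comment out obsolete GSSAPI options.` would describe it accurately. The enclosing `create_sshdconfig` starts and ends outside the second hunk, so whether the daemon is restarted after this edit cannot be confirmed from here.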
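--- a/debian/rules
+++ b/debian/rules
@@ -166,7 +166,7 @@ install: build
 install -m 755 build-udeb/ssh-keygen debian/openssh-server-udeb/usr/bin/ssh-keygen
 
 # Build architecture-independent files here.
-binary-indep: binary-ssh
+binary-indep: binary-ssh binary-ssh-krb5
 
 # Build architecture-dependent files here.
 binary-arch: binary-openssh-client binary-openssh-server
@@ -244,6 +244,21 @@ binary-ssh: build install
 dh_md5sums
 dh_builddeb
 
+binary-ssh-krb5: DH_OPTIONS=-pssh-krb5
+binary-ssh-krb5: build install
+dh_testdir
+dh_testroot
+dh_installdocs
+mv debian/ssh-krb5/usr/share/doc/ssh-krb5 debian/ssh-krb5/usr/share/doc/openssh-client
+rm -f debian/ssh-krb5/usr/share/doc/openssh-client/copyright
+dh_link
+dh_compress
+dh_fixperms
+dh_installdeb
+dh_gencontrol
+dh_md5sums
+dh_builddeb
+
 binary-ssh-askpass-gnome: DH_OPTIONS=-pssh-askpass-gnome
 binary-ssh-askpass-gnome: build install
 dh_testdir
@@ -292,5 +307,5 @@ binary: binary-indep binary-arch
 .PHONY: build clean binary-indep binary-arch binary install
 .PHONY: build-deb build-udeb
 .PHONY: binary-openssh-client binary-openssh-server binary-ssh
-.PHONY: binary-ssh-askpass-gnome
+.PHONY: binary-ssh-krb5 binary-ssh-askpass-gnome
 .PHONY: binary-openssh-client-udeb binary-openssh-server-udeb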
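--- /dev/null
+++ b/debian/ssh-krb5.NEWS
@@ -0,0 +1,18 @@
+ssh-krb5 (1:4.3p2-7) unstable; urgency=low
+
+The normal openssh-server and openssh-client packages in Debian now
+include full GSSAPI support, including key exchange. This package is
+now only a transitional package that depends on openssh-server and
+openssh-client and configures openssh-server for GSSAPI configuration
+if it wasn't already.
+
+You can now simply install openssh-server and openssh-client directly
+and remove this package. Just make sure that /etc/ssh/sshd_config
+contains:
+
+GSSAPIAuthentication yes
+GSSAPIKeyExchange yes
+
+if you want to support GSSAPI authentication to your ssh server.
+
+-- Russ Allbery <rra@debian.org> Tue, 03 Oct 2006 22:27:27 -0700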
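--- /dev/null
+++ b/debian/ssh-krb5.links
@@ -0,0 +1 @@
+usr/share/doc/openssh-client usr/share/doc/ssh-krb5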
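--- /dev/null
+++ b/debian/ssh-krb5.postinst
@@ -0,0 +1,54 @@
+#!/bin/sh
+
+set -e
+
+action="$1"
+oldversion="$2"
+
+if [ "$action" = configure ] ; then
+if dpkg --compare-versions "$oldversion" lt-nl 1:4.3p2-7; then
+if [ ! -L /usr/share/doc/ssh-krb5 ]; then
+rm -rf /usr/share/doc/ssh-krb5
+ln -s openssh-client /usr/share/doc/ssh-krb5
+fi
+
+# Replaced by /etc/init.d/ssh.
+if [ -f /etc/init.d/ssh-krb5 ]; then
+mv /etc/init.d/ssh-krb5 /etc/init.d/ssh-krb5.dpkg-old
+update-rc.d ssh-krb5 remove || true
+fi
+fi
+
+if dpkg --compare-versions "$oldversion" ge 1:4.3p2-7 || \
+grep -qi '^[ ]*GSSAPI' /etc/ssh/sshd_config ; then
+:
+else
+if grep -qi '^#GSSAPI' /etc/ssh/sshd_config ; then
+perl -pe 's/^\#(GSSAPI(Authentication|KeyExchange))\b/$1/i' \
+< /etc/ssh/sshd_config > /etc/ssh/sshd_config.dpkg-new
+chown --reference /etc/ssh/sshd_config \
+/etc/ssh/sshd_config.dpkg-new
+chmod --reference /etc/ssh/sshd_config \
+/etc/ssh/sshd_config.dpkg-new
+mv /etc/ssh/sshd_config.dpkg-new /etc/ssh/sshd_config
+else
+cat >> /etc/ssh/sshd_config <<EOF
+
+# GSSAPI authentication
+GSSAPIAuthentication yes
+GSSAPIKeyExchange yes
+EOF
+fi
+if [ -x /etc/init.d/ssh ] ; then
+if [ -x /usr/sbin/invoke-rc.d ] ; then
+invoke-rc.d ssh restart
+else
+/etc/init.d/ssh restart
+fi
+fi
+fi
+fi
+
+#DEBHELPER#
+
+exit 0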
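Review bot: The guard `grep -qi '^#GSSAPI'` on new line 26 is broader than the substitution on line 27, which only uncomments `GSSAPIAuthentication` and `GSSAPIKeyExchange`. A config whose only commented GSSAPI line is some other keyword takes this branch, changes nothing, and never reaches the `cat >>` branch that would add the two options. The substitution also keeps whatever value followed the commented keyword, so a commented-out `no` becomes an active `no`. Testing for the same two keywords in the guard and rewriting the value, e.g. `s/^\#(GSSAPI(Authentication|KeyExchange))\b.*/$1 yes/i`, would leave both branches in the state the NEWS file describes. Because the script then restarts the daemon, checking the edited file with `sshd -t -f /etc/ssh/sshd_config.dpkg-new` before the `mv` would avoid restarting into a configuration that sshd rejects and locking out remote administrators.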
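--- /dev/null
+++ b/debian/ssh-krb5.prerm
@@ -0,0 +1,14 @@
+#!/bin/sh -e
+
+case $1 in
+upgrade)
+if [ -L /usr/share/doc/ssh-krb5 ] && \
+dpkg --compare-versions "$2" lt-nl 1:4.3p2-7; then
+rm -f /usr/share/doc/ssh-krb5
+fi
+;;
+esac
+
+#DEBHELPER#
+
+exit 0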
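Review bot: The `-e` on the `#!/bin/sh -e` line is lost whenever the script is run as `sh debian/ssh-krb5.prerm`, for instance while debugging a failed upgrade, so a failing command would then be ignored. The sibling ssh-krb5.postinst in this commit uses a plain `#!/bin/sh` followed by `set -e`; doing the same here keeps error handling independent of how the script is invoked and keeps the two maintainer scripts consistent.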
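--- a/ssh_config
+++ b/ssh_config
@@ -43,3 +43,5 @@ Host *
 # PermitLocalCommand no
 SendEnv LANG LC_*
 HashKnownHosts yes
+GSSAPIAuthentication yes
+GSSAPIDelegateCredentials no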
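Review bot: The two new `Host *` lines change client behaviour for every destination but carry no comment, unlike the commented defaults above them such as `# PermitLocalCommand no`. A short comment would tell an administrator why they are active, for example `# Try GSSAPI authentication by default, but do not delegate credentials unless a host is explicitly trusted.` Keeping `GSSAPIDelegateCredentials no` explicit is worth stating in that comment, since it is what keeps credentials from being forwarded to arbitrary servers now that GSSAPI is attempted for all hosts.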