4 files changed, 10 insertions, 93 deletions
diff --git a/debian/changelog b/debian/changelog
index 869f89285..f7dcbda83 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,12 @@
+openssh (1:7.6p1-3) UNRELEASED; urgency=medium
+  * Remove the decade-old ssh-krb5 transitional package; upgrades of
+    openssh-server will preserve existing configuration, and new
+    installations should just enable GSSAPIAuthentication and
+    GSSAPIKeyExchange in sshd_config (closes: #878626).
+ -- Colin Watson <cjwatson@debian.org>  Mon, 16 Oct 2017 10:30:50 +0100
 openssh (1:7.6p1-2) unstable; urgency=medium
  * Apply upstream patch to fix PermitOpen argument handling.
diff --git a/debian/control b/debian/control
index 6c0449c70..568080c74 100644
--- a/debian/control
+++ b/debian/control
@@ -164,24 +164,11 @@ Description: secure shell client and server (metapackage)
 and the OpenSSH server. It provides nothing in and of itself, so you
 may remove it if nothing depends on it.
-Package: ssh-krb5
-Section: oldlibs
-Priority: optional
-Architecture: all
-Depends: openssh-client (>= ${binary:Version}),
-         openssh-server (>= ${binary:Version}),
-         ${misc:Depends},
-Description: secure shell client and server (transitional package)
- This is a transitional package depending on the regular Debian OpenSSH
- client and server, which now support GSSAPI natively. It will add the
- necessary GSSAPI options to the server configuration file. You can
- remove it once the upgrade is complete and nothing depends on it.
 Package: ssh-askpass-gnome
 Section: gnome
 Priority: optional
 Architecture: any
-Depends: openssh-client | ssh (>= 1:1.2pre7-4) | ssh-krb5,
+Depends: openssh-client | ssh (>= 1:1.2pre7-4),
         ${misc:Depends},
         ${shlibs:Depends},
 Replaces: ssh (<< 1:3.5p1-3),
diff --git a/debian/ssh-krb5.NEWS b/debian/ssh-krb5.NEWS
deleted file mode 100644
index 5a6433ab2..000000000
--- a/debian/ssh-krb5.NEWS
+++ /dev/null
@@ -1,18 +0,0 @@
-ssh-krb5 (1:4.3p2-7) unstable; urgency=low
-  The normal openssh-server and openssh-client packages in Debian now
-  include full GSSAPI support, including key exchange.  This package is
-  now only a transitional package that depends on openssh-server and
-  openssh-client and configures openssh-server for GSSAPI authentication
-  if it wasn't already.
-  You can now simply install openssh-server and openssh-client directly
-  and remove this package.  Just make sure that /etc/ssh/sshd_config
-  contains:
-    GSSAPIAuthentication yes
-    GSSAPIKeyExchange yes
-  if you want to support GSSAPI authentication to your ssh server.
- -- Russ Allbery <rra@debian.org>  Tue, 03 Oct 2006 22:27:27 -0700
diff --git a/debian/ssh-krb5.postinst b/debian/ssh-krb5.postinst
deleted file mode 100644
index f799accfe..000000000
--- a/debian/ssh-krb5.postinst
+++ /dev/null
@@ -1,61 +0,0 @@
-#!/bin/sh
-set -e
-action="$1"
-oldversion="$2"
-if [ "$action" = configure ] ; then
-    # Make sure that GSSAPI is enabled.  If there is no uncommented GSSAPI
-    # configuration, uncomment any commented-out configuration if present
-    # (this will catch the case of a fresh install of openssh-server).
-    # Otherwise, add configuration turning on GSSAPIAuthentication and
-    # GSSAPIKeyExchange.
-    #
-    # If there is some configuration, we may be upgrading from ssh-krb5.  It
-    # enabled GSSAPIKeyExchange without any configuration option.  Therefore,
-    # if it isn't explicitly set, always enable it for compatible behavior
-    # with ssh-krb5.
-    if dpkg --compare-versions "$oldversion" ge 1:4.3p2-9; then
-        :
-    else
-        changed=
-        if grep -qi '^[         ]*GSSAPI' /etc/ssh/sshd_config ; then
-            if grep -qi '^[     ]*GSSAPIKeyExchange' /etc/ssh/sshd_config ; then
-                :
-            else
-                changed=true
-                cat >> /etc/ssh/sshd_config <<EOF
-# GSSAPI key exchange (added by ssh-krb5 transitional package)
-GSSAPIKeyExchange yes
-EOF
-            fi
-        else
-            changed=true
-            if grep -qi '^#GSSAPI' /etc/ssh/sshd_config ; then
-                perl -pe 's/^\#(GSSAPI(Authentication|KeyExchange))\b.*/$1 yes/i' \
-                    < /etc/ssh/sshd_config > /etc/ssh/sshd_config.dpkg-new
-                chown --reference /etc/ssh/sshd_config \
-                    /etc/ssh/sshd_config.dpkg-new
-                chmod --reference /etc/ssh/sshd_config \
-                    /etc/ssh/sshd_config.dpkg-new
-                mv /etc/ssh/sshd_config.dpkg-new /etc/ssh/sshd_config
-            else
-                cat >> /etc/ssh/sshd_config <<EOF
-# GSSAPI authentication (added by ssh-krb5 transitional package)
-GSSAPIAuthentication yes
-GSSAPIKeyExchange yes
-EOF
-            fi
-        fi
-        if [ -n "$changed" ]; then
-            invoke-rc.d ssh restart
-        fi
-    fi
-fi
-#DEBHELPER#
-exit 0

diff --git a/debian/changelog b/debian/changelog index 869f89285..f7dcbda83 100644 --- a/debian/changelog +++ b/debian/changelog
@@ -1,3 +1,12 @@
		1	openssh (1:7.6p1-3) UNRELEASED; urgency=medium
		2
		3	* Remove the decade-old ssh-krb5 transitional package; upgrades of
		4	openssh-server will preserve existing configuration, and new
		5	installations should just enable GSSAPIAuthentication and
		6	GSSAPIKeyExchange in sshd_config (closes: #878626).
		7
		8	-- Colin Watson <cjwatson@debian.org> Mon, 16 Oct 2017 10:30:50 +0100
		9
1	openssh (1:7.6p1-2) unstable; urgency=medium	10	openssh (1:7.6p1-2) unstable; urgency=medium
2		11
3	* Apply upstream patch to fix PermitOpen argument handling.	12	* Apply upstream patch to fix PermitOpen argument handling.


diff --git a/debian/control b/debian/control index 6c0449c70..568080c74 100644 --- a/debian/control +++ b/debian/control
@@ -164,24 +164,11 @@ Description: secure shell client and server (metapackage)
164	and the OpenSSH server. It provides nothing in and of itself, so you	164	and the OpenSSH server. It provides nothing in and of itself, so you
165	may remove it if nothing depends on it.	165	may remove it if nothing depends on it.
166		166
167	Package: ssh-krb5
168	Section: oldlibs
169	Priority: optional
170	Architecture: all
171	Depends: openssh-client (>= ${binary:Version}),
172	openssh-server (>= ${binary:Version}),
173	${misc:Depends},
174	Description: secure shell client and server (transitional package)
175	This is a transitional package depending on the regular Debian OpenSSH
176	client and server, which now support GSSAPI natively. It will add the
177	necessary GSSAPI options to the server configuration file. You can
178	remove it once the upgrade is complete and nothing depends on it.
179
180	Package: ssh-askpass-gnome	167	Package: ssh-askpass-gnome
181	Section: gnome	168	Section: gnome
182	Priority: optional	169	Priority: optional
183	Architecture: any	170	Architecture: any
184	Depends: openssh-client \| ssh (>= 1:1.2pre7-4) \| ssh-krb5,	171	Depends: openssh-client \| ssh (>= 1:1.2pre7-4),
185	${misc:Depends},	172	${misc:Depends},
186	${shlibs:Depends},	173	${shlibs:Depends},
187	Replaces: ssh (<< 1:3.5p1-3),	174	Replaces: ssh (<< 1:3.5p1-3),


diff --git a/debian/ssh-krb5.NEWS b/debian/ssh-krb5.NEWS deleted file mode 100644 index 5a6433ab2..000000000 --- a/debian/ssh-krb5.NEWS +++ /dev/null
@@ -1,18 +0,0 @@
1	ssh-krb5 (1:4.3p2-7) unstable; urgency=low
2
3	The normal openssh-server and openssh-client packages in Debian now
4	include full GSSAPI support, including key exchange. This package is
5	now only a transitional package that depends on openssh-server and
6	openssh-client and configures openssh-server for GSSAPI authentication
7	if it wasn't already.
8
9	You can now simply install openssh-server and openssh-client directly
10	and remove this package. Just make sure that /etc/ssh/sshd_config
11	contains:
12
13	GSSAPIAuthentication yes
14	GSSAPIKeyExchange yes
15
16	if you want to support GSSAPI authentication to your ssh server.
17
18	-- Russ Allbery <rra@debian.org> Tue, 03 Oct 2006 22:27:27 -0700


diff --git a/debian/ssh-krb5.postinst b/debian/ssh-krb5.postinst deleted file mode 100644 index f799accfe..000000000 --- a/debian/ssh-krb5.postinst +++ /dev/null
@@ -1,61 +0,0 @@
1	#!/bin/sh
2
3	set -e
4
5	action="$1"
6	oldversion="$2"
7
8	if [ "$action" = configure ] ; then
9	# Make sure that GSSAPI is enabled. If there is no uncommented GSSAPI
10	# configuration, uncomment any commented-out configuration if present
11	# (this will catch the case of a fresh install of openssh-server).
12	# Otherwise, add configuration turning on GSSAPIAuthentication and
13	# GSSAPIKeyExchange.
14	#
15	# If there is some configuration, we may be upgrading from ssh-krb5. It
16	# enabled GSSAPIKeyExchange without any configuration option. Therefore,
17	# if it isn't explicitly set, always enable it for compatible behavior
18	# with ssh-krb5.
19	if dpkg --compare-versions "$oldversion" ge 1:4.3p2-9; then
20	:
21	else
22	changed=
23	if grep -qi '^[ ]*GSSAPI' /etc/ssh/sshd_config ; then
24	if grep -qi '^[ ]*GSSAPIKeyExchange' /etc/ssh/sshd_config ; then
25	:
26	else
27	changed=true
28	cat >> /etc/ssh/sshd_config <<EOF
29
30	# GSSAPI key exchange (added by ssh-krb5 transitional package)
31	GSSAPIKeyExchange yes
32	EOF
33	fi
34	else
35	changed=true
36	if grep -qi '^#GSSAPI' /etc/ssh/sshd_config ; then
37	perl -pe 's/^\#(GSSAPI(Authentication\|KeyExchange))\b.*/$1 yes/i' \
38	< /etc/ssh/sshd_config > /etc/ssh/sshd_config.dpkg-new
39	chown --reference /etc/ssh/sshd_config \
40	/etc/ssh/sshd_config.dpkg-new
41	chmod --reference /etc/ssh/sshd_config \
42	/etc/ssh/sshd_config.dpkg-new
43	mv /etc/ssh/sshd_config.dpkg-new /etc/ssh/sshd_config
44	else
45	cat >> /etc/ssh/sshd_config <<EOF
46
47	# GSSAPI authentication (added by ssh-krb5 transitional package)
48	GSSAPIAuthentication yes
49	GSSAPIKeyExchange yes
50	EOF
51	fi
52	fi
53	if [ -n "$changed" ]; then
54	invoke-rc.d ssh restart
55	fi
56	fi
57	fi
58
59	#DEBHELPER#
60
61	exit 0