From 879756082fbdacc158ba04e8f770a1229c3daef4 Mon Sep 17 00:00:00 2001 From: Colin Watson Date: Wed, 6 Dec 2006 04:46:43 +0000 Subject: * Create transitional ssh-krb5 package which enables GSSAPI configuration in sshd_config. * Default client to attempting GSSAPI authentication. * Remove obsolete GSSAPINoMICAuthentication from sshd_config if it's found. --- debian/changelog | 8 +++++++ debian/control | 18 ++++++++++---- debian/openssh-server.postinst | 14 +++++++++++ debian/rules | 19 +++++++++++++-- debian/ssh-krb5.NEWS | 18 ++++++++++++++ debian/ssh-krb5.links | 1 + debian/ssh-krb5.postinst | 54 ++++++++++++++++++++++++++++++++++++++++++ debian/ssh-krb5.prerm | 14 +++++++++++ ssh_config | 2 ++ 9 files changed, 142 insertions(+), 6 deletions(-) create mode 100644 debian/ssh-krb5.NEWS create mode 100644 debian/ssh-krb5.links create mode 100644 debian/ssh-krb5.postinst create mode 100644 debian/ssh-krb5.prerm diff --git a/debian/changelog b/debian/changelog index b01b5cab7..aa1403e67 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,8 +1,16 @@ openssh (1:4.3p2-7) UNRELEASED; urgency=low + [ Colin Watson ] * Ignore errors from usermod when changing sshd's shell, since it will fail if the sshd user is not local (closes: #398436). + [ Russ Allbery ] + * Create transitional ssh-krb5 package which enables GSSAPI configuration + in sshd_config. + * Default client to attempting GSSAPI authentication. + * Remove obsolete GSSAPINoMICAuthentication from sshd_config if it's + found. + -- Colin Watson Mon, 20 Nov 2006 14:57:16 +0000 openssh (1:4.3p2-6) unstable; urgency=low diff --git a/debian/control b/debian/control index adfeca226..0f77b73db 100644 --- a/debian/control +++ b/debian/control 
@@ -9,8 +9,8 @@ Uploaders: Colin Watson Package: openssh-client Architecture: any Depends: ${shlibs:Depends}, ${debconf-depends}, adduser (>= 3.10), dpkg (>= 1.7.0), passwd -Conflicts: ssh (<< 1:3.8.1p1-9), sftp, rsh-client (<<0.16.1-1), ssh-krb5 -Replaces: ssh (<< 1:3.8.1p1-9), ssh-krb5 +Conflicts: ssh (<< 1:3.8.1p1-9), sftp, rsh-client (<<0.16.1-1), ssh-krb5 (<< 1:4.3p2-7) +Replaces: ssh (<< 1:3.8.1p1-9), ssh-krb5 (<< 1:4.3p2-7) Suggests: ssh-askpass, xbase-clients Provides: rsh-client, ssh-client Description: Secure shell client, an rlogin/rsh/rcp replacement @@ -39,8 +39,8 @@ Package: openssh-server Priority: optional Architecture: any Depends: ${shlibs:Depends}, ${debconf-depends}, ${pam-depends}, libpam-modules (>= 0.72-9), adduser (>= 3.9), dpkg (>= 1.9.0), openssh-client (= ${Source-Version}) -Conflicts: ssh (<< 1:3.8.1p1-9), ssh-nonfree (<<2), ssh-socks, ssh2, sftp, rsh-client (<<0.16.1-1), ssh-krb5 -Replaces: ssh (<< 1:3.8.1p1-9), openssh-client (<< 1:3.8.1p1-11), ssh-krb5 +Conflicts: ssh (<< 1:3.8.1p1-9), ssh-nonfree (<<2), ssh-socks, ssh2, sftp, rsh-client (<<0.16.1-1), ssh-krb5 (<< 1:4.3p2-7) +Replaces: ssh (<< 1:3.8.1p1-9), openssh-client (<< 1:3.8.1p1-11), ssh-krb5 (<< 1:4.3p2-7) Suggests: ssh-askpass, xbase-clients, rssh, molly-guard Provides: ssh-server Description: Secure shell server, an rshd replacement 
@@ -72,6 +72,16 @@ Description: Secure shell client and server (transitional package) the OpenSSH server, which are now in separate packages. You may remove it once the upgrade is complete and nothing depends on it. +Package: ssh-krb5 +Priority: extra +Architecture: all +Depends: openssh-client, openssh-server +Description: Secure shell client and server (transitional package) + This is a transitional package depending on the regular Debian OpenSSH + client and server, which now support GSSAPI natively. It will add the + necessary GSSAPI options to the server configuration file. You can + remove it once the upgrade is complete and nothing depends on it. + Package: ssh-askpass-gnome Section: gnome Priority: optional diff --git a/debian/openssh-server.postinst b/debian/openssh-server.postinst index bd14ba66e..2d7dbc9ea 100644 --- a/debian/openssh-server.postinst +++ b/debian/openssh-server.postinst @@ -72,6 +72,17 @@ set_config_option() { } +remove_obsolete_gssapi() { + grep -qi '^[ ]*GSSAPINoMICAuthentication' /etc/ssh/sshd_config \ + || return 0 + perl -pe 's/^(\s*GSSAPINoMICAuthentication)/\#$1/i' \ + < /etc/ssh/sshd_config > /etc/ssh/sshd_config.dpkg-new + chown --reference /etc/ssh/sshd_config /etc/ssh/sshd_config.dpkg-new + chmod --reference /etc/ssh/sshd_config /etc/ssh/sshd_config.dpkg-new + mv /etc/ssh/sshd_config.dpkg-new /etc/ssh/sshd_config +} + + host_keys_required() { hostkeys="$(get_config_option HostKey)" if [ "$hostkeys" ]; then @@ -190,6 +201,9 @@ create_sshdconfig() { move_subsystem_sftp fi + # Remove obsolete GSSAPI options. + remove_obsolete_gssapi + return 0 fi fi diff --git a/debian/rules b/debian/rules index 1ce189b6a..4404c28dd 100755 --- a/debian/rules +++ b/debian/rules 
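Review bot: The new `ssh-krb5` stanza declares `Depends: openssh-client, openssh-server` with no version, so the transitional package can be configured against an older openssh-server that is already installed. Its postinst, added later in this commit, uncomments `GSSAPIAuthentication` and `GSSAPIKeyExchange` in /etc/ssh/sshd_config. An sshd built without key-exchange support would presumably reject the unknown keyword and refuse to start or reload, which on a remote host means losing SSH access. Consider versioning both dependencies on the first release that carries that support, e.g. `Depends: openssh-client (>= <first GSSAPI-capable version>), openssh-server (>= <first GSSAPI-capable version>)`; that version is not shown on this page.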
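Review bot: In `remove_obsolete_gssapi`, the redirection creates /etc/ssh/sshd_config.dpkg-new with whatever mode the maintainer script's umask allows, and `chmod --reference` only tightens it afterwards. If an administrator has restricted sshd_config, the copy is briefly more permissive than the original. Creating it under a tight umask closes that window: `( umask 077; perl -pe '…' < /etc/ssh/sshd_config > /etc/ssh/sshd_config.dpkg-new )`. If perl or a later step fails, the `.dpkg-new` file is left behind; whether the script then aborts depends on a `set -e` that is outside this hunk. The same rewrite sequence appears in the ssh-krb5.postinst hunk, and the function would benefit from a header comment such as `# Comment out the obsolete GSSAPINoMICAuthentication option in sshd_config, preserving owner and mode.`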
@@ -166,7 +166,7 @@ install: build install -m 755 build-udeb/ssh-keygen debian/openssh-server-udeb/usr/bin/ssh-keygen # Build architecture-independent files here. -binary-indep: binary-ssh +binary-indep: binary-ssh binary-ssh-krb5 # Build architecture-dependent files here. binary-arch: binary-openssh-client binary-openssh-server @@ -244,6 +244,21 @@ binary-ssh: build install dh_md5sums dh_builddeb +binary-ssh-krb5: DH_OPTIONS=-pssh-krb5 +binary-ssh-krb5: build install + dh_testdir + dh_testroot + dh_installdocs + mv debian/ssh-krb5/usr/share/doc/ssh-krb5 debian/ssh-krb5/usr/share/doc/openssh-client + rm -f debian/ssh-krb5/usr/share/doc/openssh-client/copyright + dh_link + dh_compress + dh_fixperms + dh_installdeb + dh_gencontrol + dh_md5sums + dh_builddeb + binary-ssh-askpass-gnome: DH_OPTIONS=-pssh-askpass-gnome binary-ssh-askpass-gnome: build install dh_testdir @@ -292,5 +307,5 @@ binary: binary-indep binary-arch .PHONY: build clean binary-indep binary-arch binary install .PHONY: build-deb build-udeb .PHONY: binary-openssh-client binary-openssh-server binary-ssh -.PHONY: binary-ssh-askpass-gnome +.PHONY: binary-ssh-krb5 binary-ssh-askpass-gnome .PHONY: binary-openssh-client-udeb binary-openssh-server-udeb diff --git a/debian/ssh-krb5.NEWS b/debian/ssh-krb5.NEWS new file mode 100644 index 000000000..833c36328 --- /dev/null +++ b/debian/ssh-krb5.NEWS 
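Review bot: The `binary-ssh-krb5` recipe never calls `dh_installchangelogs`, the debhelper step that installs `debian/<package>.NEWS` as NEWS.Debian. Unless the `install` target (outside this hunk) handles it, the ssh-krb5.NEWS file added by this commit would not ship. That file tells administrators which GSSAPI lines sshd_config must contain once they remove the transitional package. If it is meant to ship, add `dh_installchangelogs` after `dh_installdocs`, then re-check the `mv` into usr/share/doc/openssh-client, since a NEWS.Debian or changelog placed there could collide with files owned by openssh-client.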
@@ -0,0 +1,18 @@
+ssh-krb5 (1:4.3p2-7) unstable; urgency=low
+
+ The normal openssh-server and openssh-client packages in Debian now
+ include full GSSAPI support, including key exchange. This package is
+ now only a transitional package that depends on openssh-server and
+ openssh-client and configures openssh-server for GSSAPI configuration
+ if it wasn't already.
+
+ You can now simply install openssh-server and openssh-client directly
+ and remove this package. Just make sure that /etc/ssh/sshd_config
+ contains:
+
+ GSSAPIAuthentication yes
+ GSSAPIKeyExchange yes
+
+ if you want to support GSSAPI authentication to your ssh server.
+
+ -- Russ Allbery Tue, 03 Oct 2006 22:27:27 -0700
diff --git a/debian/ssh-krb5.links b/debian/ssh-krb5.links
new file mode 100644
index 000000000..3334b9988
--- /dev/null
+++ b/debian/ssh-krb5.links
@@ -0,0 +1 @@
+usr/share/doc/openssh-client usr/share/doc/ssh-krb5
diff --git a/debian/ssh-krb5.postinst b/debian/ssh-krb5.postinst
new file mode 100644
index 000000000..989a66801
--- /dev/null
+++ b/debian/ssh-krb5.postinst
@@ -0,0 +1,54 @@
+#!/bin/sh
+
+set -e
+
+action="$1"
+oldversion="$2"
+
+if [ "$action" = configure ] ; then
+ if dpkg --compare-versions "$oldversion" lt-nl 1:4.3p2-7; then
+ if [ ! -L /usr/share/doc/ssh-krb5 ]; then
+ rm -rf /usr/share/doc/ssh-krb5
+ ln -s openssh-client /usr/share/doc/ssh-krb5
+ fi
+
+ # Replaced by /etc/init.d/ssh.
+ if [ -f /etc/init.d/ssh-krb5 ]; then
+ mv /etc/init.d/ssh-krb5 /etc/init.d/ssh-krb5.dpkg-old
+ update-rc.d ssh-krb5 remove || true
+ fi
+ fi
+
+ if dpkg --compare-versions "$oldversion" ge 1:4.3p2-7 || \
+ grep -qi '^[ ]*GSSAPI' /etc/ssh/sshd_config ; then
+ :
+ else
+ if grep -qi '^#GSSAPI' /etc/ssh/sshd_config ; then
+ perl -pe 's/^\#(GSSAPI(Authentication|KeyExchange))\b/$1/i' \
+ < /etc/ssh/sshd_config > /etc/ssh/sshd_config.dpkg-new
+ chown --reference /etc/ssh/sshd_config \
+ /etc/ssh/sshd_config.dpkg-new
+ chmod --reference /etc/ssh/sshd_config \
+ /etc/ssh/sshd_config.dpkg-new
+ mv /etc/ssh/sshd_config.dpkg-new /etc/ssh/sshd_config
+ else
+ cat >> /etc/ssh/sshd_config <