From cbb2c36ba712f5f8cba3214a105cbaa4471b15e5 Mon Sep 17 00:00:00 2001
From: Colin Watson <cjwatson@debian.org>
Date: Mon, 16 Oct 2017 10:32:24 +0100
Subject: Remove the decade-old ssh-krb5 transitional package; upgrades of
 openssh-server will preserve existing configuration, and new installations
 should just enable GSSAPIAuthentication and GSSAPIKeyExchange in sshd_config
 (closes: #878626).

---
 debian/changelog         |  9 +++++++
 debian/control           | 15 +-----------
 debian/ssh-krb5.NEWS     | 18 --------------
 debian/ssh-krb5.postinst | 61 ------------------------------------------------
 4 files changed, 10 insertions(+), 93 deletions(-)
 delete mode 100644 debian/ssh-krb5.NEWS
 delete mode 100644 debian/ssh-krb5.postinst

diff --git a/debian/changelog b/debian/changelog
index 869f89285..f7dcbda83 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,12 @@
+openssh (1:7.6p1-3) UNRELEASED; urgency=medium
+
+  * Remove the decade-old ssh-krb5 transitional package; upgrades of
+    openssh-server will preserve existing configuration, and new
+    installations should just enable GSSAPIAuthentication and
+    GSSAPIKeyExchange in sshd_config (closes: #878626).
+
+ -- Colin Watson <cjwatson@debian.org>  Mon, 16 Oct 2017 10:30:50 +0100
+
 openssh (1:7.6p1-2) unstable; urgency=medium
 
   * Apply upstream patch to fix PermitOpen argument handling.
diff --git a/debian/control b/debian/control
index 6c0449c70..568080c74 100644
--- a/debian/control
+++ b/debian/control
@@ -164,24 +164,11 @@ Description: secure shell client and server (metapackage)
  and the OpenSSH server. It provides nothing in and of itself, so you
  may remove it if nothing depends on it.
 
-Package: ssh-krb5
-Section: oldlibs
-Priority: optional
-Architecture: all
-Depends: openssh-client (>= ${binary:Version}),
-         openssh-server (>= ${binary:Version}),
-         ${misc:Depends},
-Description: secure shell client and server (transitional package)
- This is a transitional package depending on the regular Debian OpenSSH
- client and server, which now support GSSAPI natively. It will add the
- necessary GSSAPI options to the server configuration file. You can
- remove it once the upgrade is complete and nothing depends on it.
-
 Package: ssh-askpass-gnome
 Section: gnome
 Priority: optional
 Architecture: any
-Depends: openssh-client | ssh (>= 1:1.2pre7-4) | ssh-krb5,
+Depends: openssh-client | ssh (>= 1:1.2pre7-4),
          ${misc:Depends},
          ${shlibs:Depends},
 Replaces: ssh (<< 1:3.5p1-3),
diff --git a/debian/ssh-krb5.NEWS b/debian/ssh-krb5.NEWS
deleted file mode 100644
index 5a6433ab2..000000000
--- a/debian/ssh-krb5.NEWS
+++ /dev/null
@@ -1,18 +0,0 @@
-ssh-krb5 (1:4.3p2-7) unstable; urgency=low
-
-  The normal openssh-server and openssh-client packages in Debian now
-  include full GSSAPI support, including key exchange.  This package is
-  now only a transitional package that depends on openssh-server and
-  openssh-client and configures openssh-server for GSSAPI authentication
-  if it wasn't already.
-
-  You can now simply install openssh-server and openssh-client directly
-  and remove this package.  Just make sure that /etc/ssh/sshd_config
-  contains:
-
-    GSSAPIAuthentication yes
-    GSSAPIKeyExchange yes
-
-  if you want to support GSSAPI authentication to your ssh server.
-
- -- Russ Allbery <rra@debian.org>  Tue, 03 Oct 2006 22:27:27 -0700
diff --git a/debian/ssh-krb5.postinst b/debian/ssh-krb5.postinst
deleted file mode 100644
index f799accfe..000000000
--- a/debian/ssh-krb5.postinst
+++ /dev/null
@@ -1,61 +0,0 @@
-#!/bin/sh
-
-set -e
-
-action="$1"
-oldversion="$2"
-
-if [ "$action" = configure ] ; then
-    # Make sure that GSSAPI is enabled.  If there is no uncommented GSSAPI
-    # configuration, uncomment any commented-out configuration if present
-    # (this will catch the case of a fresh install of openssh-server).
-    # Otherwise, add configuration turning on GSSAPIAuthentication and
-    # GSSAPIKeyExchange.
-    #
-    # If there is some configuration, we may be upgrading from ssh-krb5.  It
-    # enabled GSSAPIKeyExchange without any configuration option.  Therefore,
-    # if it isn't explicitly set, always enable it for compatible behavior
-    # with ssh-krb5.
-    if dpkg --compare-versions "$oldversion" ge 1:4.3p2-9; then
-        :
-    else
-        changed=
-        if grep -qi '^[ 	]*GSSAPI' /etc/ssh/sshd_config ; then
-            if grep -qi '^[ 	]*GSSAPIKeyExchange' /etc/ssh/sshd_config ; then
-                :
-            else
-                changed=true
-                cat >> /etc/ssh/sshd_config <<EOF
-
-# GSSAPI key exchange (added by ssh-krb5 transitional package)
-GSSAPIKeyExchange yes
-EOF
-            fi
-        else
-            changed=true
-            if grep -qi '^#GSSAPI' /etc/ssh/sshd_config ; then
-                perl -pe 's/^\#(GSSAPI(Authentication|KeyExchange))\b.*/$1 yes/i' \
-                    < /etc/ssh/sshd_config > /etc/ssh/sshd_config.dpkg-new
-                chown --reference /etc/ssh/sshd_config \
-                    /etc/ssh/sshd_config.dpkg-new
-                chmod --reference /etc/ssh/sshd_config \
-                    /etc/ssh/sshd_config.dpkg-new
-                mv /etc/ssh/sshd_config.dpkg-new /etc/ssh/sshd_config
-            else
-                cat >> /etc/ssh/sshd_config <<EOF
-
-# GSSAPI authentication (added by ssh-krb5 transitional package)
-GSSAPIAuthentication yes
-GSSAPIKeyExchange yes
-EOF
-            fi
-        fi
-        if [ -n "$changed" ]; then
-            invoke-rc.d ssh restart
-        fi
-    fi
-fi
-
-#DEBHELPER#
-
-exit 0
-- 
cgit v1.2.3