From c5627b7bccd3e376e766678340bd445ab6520de2 Mon Sep 17 00:00:00 2001
From: Colin Watson
Date: Mon, 5 Mar 2007 09:15:34 +0000
Subject: * Fix GSSAPIKeyExchange configuration file handling logic in ssh-krb5 (closes: #404863).
---
 debian/changelog | 5 +++++
 debian/ssh-krb5.NEWS | 2 +-
 debian/ssh-krb5.postinst | 50 +++++++++++++++++++++++++++++++++++-------------
 3 files changed, 43 insertions(+), 14 deletions(-)
(limited to 'debian')
diff --git a/debian/changelog b/debian/changelog
index 107aca11a..555b49d80 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,5 +1,10 @@
 openssh (1:4.3p2-9) UNRELEASED; urgency=low
+ [ Russ Allbery ]
+ * Fix GSSAPIKeyExchange configuration file handling logic in ssh-krb5
+ (closes: #404863).
+
+ [ Colin Watson ]
 * debconf template translations:
 - Add Norwegian Bokmål (thanks, Bjørn Steensrud; closes: #412330).
diff --git a/debian/ssh-krb5.NEWS b/debian/ssh-krb5.NEWS
index 833c36328..5a6433ab2 100644
--- a/debian/ssh-krb5.NEWS
+++ b/debian/ssh-krb5.NEWS
@@ -3,7 +3,7 @@ ssh-krb5 (1:4.3p2-7) unstable; urgency=low
 The normal openssh-server and openssh-client packages in Debian now include full GSSAPI support, including key exchange. This package is now only a transitional package that depends on openssh-server and
- openssh-client and configures openssh-server for GSSAPI configuration
+ openssh-client and configures openssh-server for GSSAPI authentication
 if it wasn't already. You can now simply install openssh-server and openssh-client directly
diff --git a/debian/ssh-krb5.postinst b/debian/ssh-krb5.postinst
index b1bea1e29..89ef8d86e 100644
--- a/debian/ssh-krb5.postinst
+++ b/debian/ssh-krb5.postinst
@@ -14,27 +14,51 @@ if [ "$action" = configure ] ; then fi fi - if dpkg --compare-versions "$oldversion" ge 1:4.3p2-7 || \ - grep -qi '^[ ]*GSSAPI' /etc/ssh/sshd_config ; then + # Make sure that GSSAPI is enabled. If there is no uncommented GSSAPI + # configuration, uncomment any commented-out configuration if present + # (this will catch the case of a fresh install of openssh-server). + # Otherwise, add configuration turning on GSSAPIAuthentication and + # GSSAPIKeyExchange. + # + # If there is some configuration, we may be upgrading from ssh-krb5. It + # enabled GSSAPIKeyExchange without any configuration option. Therefore, + # if it isn't explicitly set, always enable it for compatible behavior + # with ssh-krb5. + if dpkg --compare-versions "$oldversion" ge 1:4.3p2-9; then : else - if grep -qi '^#GSSAPI' /etc/ssh/sshd_config ; then - perl -pe 's/^\#(GSSAPI(Authentication|KeyExchange))\b/$1/i' \ - < /etc/ssh/sshd_config > /etc/ssh/sshd_config.dpkg-new - chown --reference /etc/ssh/sshd_config \ - /etc/ssh/sshd_config.dpkg-new - chmod --reference /etc/ssh/sshd_config \ - /etc/ssh/sshd_config.dpkg-new - mv /etc/ssh/sshd_config.dpkg-new /etc/ssh/sshd_config + changed= + if grep -qi '^[ ]*GSSAPI' /etc/ssh/sshd_config ; then + if grep -qi '^[ ]*GSSAPIKeyExchange' /etc/ssh/sshd_config ; then + : + else + changed=true + cat >> /etc/ssh/sshd_config <> /etc/ssh/sshd_config < /etc/ssh/sshd_config.dpkg-new + chown --reference /etc/ssh/sshd_config \ + /etc/ssh/sshd_config.dpkg-new + chmod --reference /etc/ssh/sshd_config \ + /etc/ssh/sshd_config.dpkg-new + mv /etc/ssh/sshd_config.dpkg-new /etc/ssh/sshd_config + else + cat >> /etc/ssh/sshd_config <