On Tue, Oct 03, 2006 at 11:38:36PM -0700, Russ Allbery wrote:
> Sam and I, and I'm sure the security team as well, would love to get rid
> of the separate ssh-krb5 package for etch now that the GSSAPI patch has
> been incorporated into openssh. There are only a few small issues in the
> way of doing this:
>
> * openssh-client doesn't default to attempting GSSAPI authentication.
>   There's no reason not to enable this by default; it is quietly skipped
>   if the user has no Kerberos ticket cache or if the remote host doesn't
>   advertise GSSAPI. Without this enabled, the upgrade from ssh-krb5 to
>   openssh-client would silently break GSSAPI authentication for users.
>
> * openssh-server doesn't enable GSSAPI by default. This is a reasonable
>   default and ideally should be a debconf prompt, but in the interim,
>   installing ssh-krb5 needs to result in a GSSAPI-enabled server. We
>   therefore need a transitional package that will do the right thing in
>   the configuration.
>
> * ssh-krb5 in sarge supports the GSSAPINoMICAuthentication configuration
>   option, which is no longer supported by the current GSSAPI code. This
>   option should therefore be removed from the sshd_config if seen there.
>
> Attached is a lightly tested patch that takes care of all of these issues
> and adds an ssh-krb5 transitional package to the openssh package. I would
> very much like to get this into etch; I'm sorry that it's taken me so long
> to get around to writing it.

OK, sorry this took me so long. I've committed this to CVS now. I made a
couple of additional changes, namely to turn /usr/share/doc/ssh-krb5 into
a symlink to /usr/share/doc/openssh-client (like /usr/share/doc/ssh
already is), to disable the ssh-krb5 init script on upgrade, and to
guarantee never to add GSSAPI options to sshd_config more than once on
repeated upgrades. This is all at least as lightly tested as your changes
:-), but I think should be relatively straightforward.

I'll upload this over the course of the next day.

Cheers,

--
Colin Watson [EMAIL PROTECTED]
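
The sshd_config handling discussed in this thread (dropping the obsolete GSSAPINoMICAuthentication option and never adding GSSAPI options twice on repeated upgrades), sketched as an added example; it is not the maintainer script committed to the package. The function name `migrate_sshd_config` and the choice of GSSAPIAuthentication and GSSAPIKeyExchange as the options to enable are assumptions.

```shell
#!/bin/sh
# Added example, not the Debian maintainer script.
# Assumption: the options to enable are GSSAPIAuthentication and
# GSSAPIKeyExchange; an existing active setting is left untouched.

# migrate_sshd_config FILE
#  - drops active GSSAPINoMICAuthentication lines (sshd_config keywords
#    are case-insensitive; "Keyword=value" is accepted too)
#  - adds each GSSAPI option only if no active global line sets it, so
#    repeated runs never duplicate it
#  - inserts before the first Match block, where options are still global
migrate_sshd_config() {
    conf=$1
    tmp=$(mktemp "${conf}.XXXXXX") || return 1
    awk '
        function emit_missing() {
            if (done) return
            done = 1
            if (!have["gssapiauthentication"]) print "GSSAPIAuthentication yes"
            if (!have["gssapikeyexchange"])    print "GSSAPIKeyExchange yes"
        }
        {
            k = $0; sub(/^[ \t]+/, "", k)
            split(k, f, /[ \t=]+/); key = tolower(f[1])
        }
        key == "gssapinomicauthentication" { next }
        key == "match" { emit_missing() }
        !done && (key == "gssapiauthentication" || key == "gssapikeyexchange") { have[key] = 1 }
        { print }
        END { emit_missing() }
    ' "$conf" > "$tmp" && cat "$tmp" > "$conf"   # cat keeps owner and mode
    status=$?
    rm -f "$tmp"
    return $status
}

# Constructed sample input, run only when called with --demo.
if [ "${1:-}" = "--demo" ]; then
    sample=$(mktemp)
    printf '%s\n' 'Port 22' 'GSSAPINoMICAuthentication yes' \
        'Match User backup' '    X11Forwarding no' > "$sample"
    migrate_sshd_config "$sample" && migrate_sshd_config "$sample"
    cat "$sample"; rm -f "$sample"
fi
```

Commented-out lines are never treated as active settings, so a `#GSSAPIAuthentication no` left in the file neither blocks the addition nor gets removed.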