ssh lacks gssapi support

Bug #18218 reported by Sean Middleditch
Affects            Status        Importance  Assigned to   Milestone
openssh (Debian)   Fix Released  Unknown
openssh (Ubuntu)   Invalid       Medium      Colin Watson

Bug Description

The ssh client (and the server) lack GSSAPI support. There is a ssh-krb in
Universe, but it's an older version. Really, there's no reason to have a
separate package either - compile/install-time options are gross, and SSH
already gives you the ability to turn GSSAPI support on/off at runtime. GSSAPI
support should be compiled into the main ssh binaries.

Colin Watson (cjwatson) wrote : Re: Bug#275472: Support for kerberos in ssh

On Fri, Oct 08, 2004 at 01:18:44PM +0200, Matthijs Mohlmann wrote:
> Package: ssh
> Version: 1:3.8.1p1-8
> Severity: wishlist
>
> In newer versions ssh has gssapi-with-mic implemented. When an older
> client connects to the new server with a ticket he gets a failure
> because the client has only gssapi. It would be nice if ssh compiled
> with gssapi. Then ssh-krb5 can also be merged with ssh. The OpenSSH
> developers have merged the kerberos patch with ssh so there is also no
> need for an extra package in sid.

Even with OpenSSH 3.9p1 in experimental, the diff to openssh-krb5 seems
to be substantial. Sam, do you know what the current state of having all
this stuff merged upstream is?

Compiling with gssapi involves linking with some extra libraries, at
least one of which is not currently Priority: standard, and that would
inconvenience people who don't use Kerberos who are trying to build
small systems. I'm inclined to think that a separate build is still a
good idea for the moment.

Cheers,

--
Colin Watson [<email address hidden>]

Sam Hartman (hartmans) wrote :

I'd like to ask that you not enable gssapi support for the ssh
package. The problem is that there is a key exchange method that has
not yet been accepted upstream that you probably want if you want
Kerberos support. Having the ssh package do some but not all of the
desired Kerberos support would be confusing to users.

I'm not sure I know of anyone working on getting this patch accepted
upstream. All the involved parties are just too busy.

The other option is to maintain the key exchange patch as a Debian
local patch. I think that's something to consider for the sarge+1
time frame, but I'd rather see how bad the openssh 3.9 port is before
deciding it will be easy to do and actually trying to convince you
that you want to maintain a patch that large. ;)

Sean Middleditch (elanthis) wrote :

The ssh client (and the server) lack GSSAPI support. There is a ssh-krb in
Universe, but it's an older version. Really, there's no reason to have a
separate package either - compile/install-time options are gross, and SSH
already gives you the ability to turn GSSAPI support on/off at runtime. GSSAPI
support should be compiled into the main ssh binaries.

Colin Watson (cjwatson) wrote :

The last time I asked Sam Hartman (who maintains ssh-krb5, and generally knows
far more about this than I do) about this shortly after OpenSSH 3.9p1 was
released, he said:

"I'd like to ask that you not enable gssapi support for the ssh package. The
problem is that there is a key exchange method that has not yet been accepted
upstream that you probably want if you want Kerberos support. Having the ssh
package do some but not all of the desired Kerberos support would be confusing
to users.

I'm not sure I know of anyone working on getting this patch accepted upstream.
All the involved parties are just too busy."

As such, I have so far refused to enable GSSAPI in the mainstream OpenSSH packages.

If this situation has changed, I'd be happy to enable it, but I'd rather discuss
it in Debian than here, since that's where the relevant experts are. The
appropriate Debian bug is #275472.
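
Sean's point that GSSAPI can be switched on and off at runtime, and the changelog's note that the Debian package ships the Kerberos/GSSAPI options commented out in the default sshd_config, make the effective state of those switches worth auditing. The script below is an added example, not code from the bug report or the Debian package; it assumes an sshd_config without Match blocks and runs on a constructed sample file.

```shell
#!/bin/sh
# Added example (not from the bug report or the Debian package): audit the
# runtime GSSAPI switches in an sshd_config. Follows sshd_config(5): keywords
# are case-insensitive, "#" lines are comments, "Key value" and "Key=value"
# are both accepted, and the FIRST uncommented occurrence of a keyword wins.
# Assumption: the file contains no Match blocks.

# gssapi_effective FILE KEYWORD DEFAULT -> prints the effective value (lowercased)
gssapi_effective() {
    file=$1
    key=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    dflt=$3
    val=$(awk -v key="$key" '
        { sub(/^[[:space:]]+/, "") }          # strip leading whitespace
        /^#/ || /^$/ { next }                  # comments and blank lines
        {
            split($0, f, /[[:space:]=]+/)      # "Key value" or "Key=value"
            if (tolower(f[1]) == key) { print tolower(f[2]); exit }
        }' "$file")
    if [ -n "$val" ]; then printf '%s\n' "$val"; else printf '%s\n' "$dflt"; fi
}

# gssapi_audit FILE -> one line per switch, using the upstream defaults
# (GSSAPIAuthentication no, GSSAPICleanupCredentials yes) and the default of
# the GSSAPI key exchange patch (GSSAPIKeyExchange no).
gssapi_audit() {
    for pair in GSSAPIAuthentication:no GSSAPIKeyExchange:no GSSAPICleanupCredentials:yes; do
        k=${pair%%:*}; d=${pair##*:}
        printf '%-26s %s\n' "$k" "$(gssapi_effective "$1" "$k" "$d")"
    done
}

# write_sample_config FILE -> constructed sshd_config fragment (not a real host's)
write_sample_config() {
    cat > "$1" <<'EOF'
# Constructed sample: shipped defaults commented out, as in the Debian
# package, with live settings added below them by an administrator.
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes
GSSAPIAuthentication yes
GSSAPIKeyExchange = yes
GSSAPIAuthentication no
EOF
}

tmp=$(mktemp)
write_sample_config "$tmp"
gssapi_audit "$tmp"
rm -f "$tmp"
```

The duplicated `GSSAPIAuthentication no` on the last line of the sample is deliberately ignored by the audit, because sshd takes the first value it sees, which is a common source of confusion when a later edit appears not to take effect.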

Stephen Frost (sfrost) wrote : Kerberos keyex in ssh

Greetings,

  I'd like to follow-up on the idea of maintaining the key exchange
  patch as a local Debian patch to openssh. The current key exchange
  patch does not introduce any new config options, is much smaller than
  the older GSSAPI patches, and patches cleanly against current Debian
  sources (4.1p1-6). Debian 4.1p1-6+keyex also plays nicely with
  current ssh-krb5 (I've yet to run into any problems running a mixed
  environment).

  The current keyex patch is available here:
  http://www.sxw.org.uk/computing/patches/openssh-4.0p1-gssapikex.patch
  (From: http://www.sxw.org.uk/computing/patches/openssh.html)

   Many thanks,

  Stephen

Colin Watson (cjwatson) wrote : Bug#275472: fixed in openssh 1:4.2p1-2

Source: openssh
Source-Version: 1:4.2p1-2

We believe that the bug you reported is fixed in the latest version of
openssh, which is due to be installed in the Debian FTP archive:

openssh-client-udeb_4.2p1-2_powerpc.udeb
  to pool/main/o/openssh/openssh-client-udeb_4.2p1-2_powerpc.udeb
openssh-client_4.2p1-2_powerpc.deb
  to pool/main/o/openssh/openssh-client_4.2p1-2_powerpc.deb
openssh-server-udeb_4.2p1-2_powerpc.udeb
  to pool/main/o/openssh/openssh-server-udeb_4.2p1-2_powerpc.udeb
openssh-server_4.2p1-2_powerpc.deb
  to pool/main/o/openssh/openssh-server_4.2p1-2_powerpc.deb
openssh_4.2p1-2.diff.gz
  to pool/main/o/openssh/openssh_4.2p1-2.diff.gz
openssh_4.2p1-2.dsc
  to pool/main/o/openssh/openssh_4.2p1-2.dsc
ssh-askpass-gnome_4.2p1-2_powerpc.deb
  to pool/main/o/openssh/ssh-askpass-gnome_4.2p1-2_powerpc.deb
ssh_4.2p1-2_all.deb
  to pool/main/o/openssh/ssh_4.2p1-2_all.deb

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to <email address hidden>,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Colin Watson <email address hidden> (supplier of updated openssh package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing <email address hidden>)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Wed, 14 Sep 2005 18:28:49 +0100
Source: openssh
Binary: ssh-askpass-gnome openssh-client-udeb ssh openssh-server openssh-client openssh-server-udeb
Architecture: source powerpc all
Version: 1:4.2p1-2
Distribution: unstable
Urgency: low
Maintainer: Matthew Vernon <email address hidden>
Changed-By: Colin Watson <email address hidden>
Description:
 openssh-client - Secure shell client, an rlogin/rsh/rcp replacement
 openssh-client-udeb - Secure shell client for the Debian installer (udeb)
 openssh-server - Secure shell server, an rshd replacement
 openssh-server-udeb - Secure shell server for the Debian installer (udeb)
 ssh - Secure shell client and server (transitional package)
 ssh-askpass-gnome - under X, asks user for a passphrase for ssh-add
Closes: 152657 275472
Changes:
 openssh (1:4.2p1-2) unstable; urgency=low
 .
   * Annotate 1:4.2p1-1 changelog with CVE references.
   * Add remaining pieces of Kerberos support (closes: #152657, #275472):
     - Add GSSAPI key exchange support from
       http://www.sxw.org.uk/computing/patches/openssh.html (thanks, Stephen
       Frost).
     - Build-depend on libkrb5-dev and configure --with-kerberos5=/usr.
     - openssh-client and openssh-server replace ssh-krb5.
     - Update commented-out Kerberos/GSSAPI options in default sshd_config.
     - Fix HAVE_GSSAPI_KRB5_H/HAVE_GSSAPI_GSSAPI_KRB5_H typos in
       gss-serv-krb5.c.
Files:
 387c199fa406a76d94113a04134eabf0 966 net standard openssh_4.2p1-2.dsc
 5b32000b55374d679d40042b31e32863 164084 net standard openssh_4.2p1-2.diff.gz
 54bc09ac5cdbfcfe332aab08e1abd4d1 1060 net extra ssh_4.2p1-2_all.deb
 aa75f77b329fb4af2e1ca988fcbe7aee 58...


Debian Bug Importer (debzilla) wrote :

Message-Id: <20041008111844.CBD212AC91D3@nbmatthijs>
Date: Fri, 08 Oct 2004 13:18:44 +0200
From: Matthijs Mohlmann <email address hidden>
To: Debian Bug Tracking System <email address hidden>
Subject: Support for kerberos in ssh

Package: ssh
Version: 1:3.8.1p1-8
Severity: wishlist

In newer versions ssh has gssapi-with-mic implemented. When an older
client connects to the new server with a ticket he gets a failure
because the client has only gssapi. It would be nice if ssh compiled
with gssapi. Then ssh-krb5 can also be merged with ssh. The OpenSSH
developers have merged the kerberos patch with ssh so there is also no
need for an extra package in sid.

-- System Information:
Debian Release: 3.1
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)
Kernel: Linux 2.6.7
Locale: LANG=C, LC_CTYPE=C

Versions of packages ssh depends on:
ii adduser 3.59 Add and remove users and groups
ii debconf 1.4.38 Debian configuration management sy
ii dpkg 1.10.23 Package maintenance system for Deb
ii libc6 2.3.2.ds1-17 GNU C Library: Shared libraries an
ii libgssapi1-heimdal 0.6.3-2 Libraries for Heimdal Kerberos
ii libkafs0-heimdal 0.6.3-2 Libraries for Heimdal Kerberos
ii libkrb5-17-heimdal 0.6.3-2 Libraries for Heimdal Kerberos
ii libpam-modules 0.76-22 Pluggable Authentication Modules f
ii libpam-runtime 0.76-22 Runtime support for the PAM librar
ii libpam0g 0.76-22 Pluggable Authentication Modules l
ii libssl0.9.7 0.9.7d-5 SSL shared libraries
ii libwrap0 7.6.dbs-6 Wietse Venema's TCP wrappers libra
ii zlib1g 1:1.2.2-1 compression library - runtime

-- debconf information:
  ssh/insecure_rshd:
  ssh/ssh2_keys_merged:
  ssh/user_environment_tell:
* ssh/forward_warning:
  ssh/insecure_telnetd:
  ssh/new_config: true
* ssh/use_old_init_script: true
* ssh/protocol2_only: true
  ssh/encrypted_host_key_but_no_keygen:
* ssh/run_sshd: true
* ssh/SUID_client: false


Sean Middleditch (elanthis) wrote :

ssh now supports GSSAPI.

This bug should be closed.
