[prev in list] [next in list] [prev in thread] [next in thread] 

List:       debian-devel
Subject:    Re: Debian openssh option review: considering splitting out GSS-API key exchange
From:       RL <richard.lewis.debian () googlemail ! com>
Date:       2024-04-02 13:19:07
Message-ID: 861q7nc378.fsf () simplex ! rtf ! org ! uk
[Download RAW message or body]

Colin Watson <cjwatson@debian.org> writes:

> GSS-API key exchange
> ====================

> However, OpenSSH upstream has long rejected it

> All the same, I'm aware that some people now depend on having this
> facility in Debian's main openssh package


> How does this rough plan sound?
>
>  * for Debian trixie (current testing):
>
>    * add dependency-only packages called something like
>      openssh-client-gsskex and openssh-server-gsskex, depending on their
>      non-gsskex alternatives
>    * add NEWS.Debian entry saying that people need to install these
>      packages if they want to retain GSS-API key exchange support
>    * add release note saying the same

happy to help on release-notes.

Think you've got two audiences:

- people who rely on gss, who may be upgrading over ssh and need to know
  how to avoid being locked out (eg: make sure to install gsskex
  recommended packages before reboot?)

- people who dont use gss, and want to remove it asap: as well as
  removing the gsskex packages would they need to edit sshd_config or
  ssh_config etc -- these can currently contain things like
  'GSSAPIAuthentication no' which would (i assume) stop working (and
  cause sshd to not start) once the gss support is removed(?)

[prev in list] [next in list] [prev in thread] [next in thread]