
Re: Debian openssh option review: considering splitting out GSS-API key exchange



Colin Watson <cjwatson@debian.org> writes:

> GSS-API key exchange
> ====================

> However, OpenSSH upstream has long rejected it

> All the same, I'm aware that some people now depend on having this
> facility in Debian's main openssh package


> How does this rough plan sound?
>
>  * for Debian trixie (current testing):
>
>    * add dependency-only packages called something like
>      openssh-client-gsskex and openssh-server-gsskex, depending on their
>      non-gsskex alternatives
>    * add NEWS.Debian entry saying that people need to install these
>      packages if they want to retain GSS-API key exchange support
>    * add release note saying the same

Happy to help on release-notes.

Think you've got two audiences:

- people who rely on gss, who may be upgrading over ssh and need to know
  how to avoid being locked out (e.g. make sure to install gsskex
  recommended packages before reboot?)

- people who don't use gss, and want to remove it asap: as well as
  removing the gsskex packages would they need to edit sshd_config or
  ssh_config etc -- these can currently contain things like
  'GSSAPIAuthentication no' which would (I assume) stop working (and
  cause sshd to not start) once the gss support is removed(?)

