From 716d1612afadf0cb0c11499261f68d364dd2879f Mon Sep 17 00:00:00 2001 From: Aneesh Agrawal Date: Mon, 25 Dec 2017 14:51:40 -0800 Subject: openssh: Build with Kerberos by default This can be disabled with the `withKerberos` flag if desired. Make the relevant assertions lazy, so that if an overlay is used to set kerberos to null, a later override can explicitly set `withKerberos` to false. Don't build with GSSAPI by default; the patchset is large and a bit hairy, and it is reasonable to follow upstream who has not merged it in not enabling it by default. --- nixos/modules/misc/nixpkgs.nix | 1 - pkgs/tools/networking/openssh/default.nix | 14 +++++--------- pkgs/top-level/aliases.nix | 1 + pkgs/top-level/all-packages.nix | 3 --- 4 files changed, 6 insertions(+), 13 deletions(-) diff --git a/nixos/modules/misc/nixpkgs.nix b/nixos/modules/misc/nixpkgs.nix index 1793c1447d6..6eb42494124 100644 --- a/nixos/modules/misc/nixpkgs.nix +++ b/nixos/modules/misc/nixpkgs.nix @@ -69,7 +69,6 @@ in [ (self: super: { openssh = super.openssh.override { hpnSupport = true; - withKerberos = true; kerberos = self.libkrb5; }; }; diff --git a/pkgs/tools/networking/openssh/default.nix b/pkgs/tools/networking/openssh/default.nix index 663e7be7e5f..1c135cd36f4 100644 --- a/pkgs/tools/networking/openssh/default.nix +++ b/pkgs/tools/networking/openssh/default.nix @@ -1,15 +1,12 @@ { stdenv, fetchurl, fetchpatch, zlib, openssl, perl, libedit, pkgconfig, pam, autoreconfHook , etcDir ? null , hpnSupport ? false -, withKerberos ? false +, withKerberos ? true , withGssapiPatches ? false , kerberos , linkOpenssl? true }: -assert withKerberos -> kerberos != null; -assert withGssapiPatches -> withKerberos; - let # **please** update this patch when you update to a new openssh release. 
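Review bot: The flipped default `, withKerberos ? true` in the argument list of pkgs/tools/networking/openssh/default.nix has no comment on what it means for consumers, and the two top-level asserts that documented the flag relationships are removed in the same hunk. With this default, every `openssh` build takes `kerberos` as a build input and is configured with `--with-kerberos5`, so the Kerberos library joins the default closure and is presumably linked into the network-facing sshd. I would add a comment above the argument, for example `# Compiles in Kerberos 5 support only; upstream leaves KerberosAuthentication and GSSAPIAuthentication at "no" unless the config enables them`. A short note beside `withGssapiPatches ? false` saying it requires `withKerberos` would also help. The function body continues outside this hunk.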
@@ -23,8 +20,6 @@ let in with stdenv.lib; stdenv.mkDerivation rec { - # Please ensure that openssh_with_kerberos still builds when - # bumping the version here! name = "openssh-${version}"; version = if hpnSupport then "7.5p1" else "7.6p1"; @@ -47,7 +42,7 @@ stdenv.mkDerivation rec { # See discussion in https://github.com/NixOS/nixpkgs/pull/16966 ./dont_create_privsep_path.patch ] - ++ optional withGssapiPatches gssapiPatch; + ++ optional withGssapiPatches (assert withKerberos; gssapiPatch); postPatch = # On Hydra this makes installation fail (sometimes?), @@ -59,7 +54,8 @@ stdenv.mkDerivation rec { nativeBuildInputs = [ pkgconfig ]; buildInputs = [ zlib openssl libedit pam ] ++ optional withKerberos kerberos - ++ optional hpnSupport autoreconfHook; + ++ optional hpnSupport autoreconfHook + ; preConfigure = '' # Setting LD causes `configure' and `make' to disagree about which linker @@ -78,7 +74,7 @@ stdenv.mkDerivation rec { "--disable-strip" (if pam != null then "--with-pam" else "--without-pam") ] ++ optional (etcDir != null) "--sysconfdir=${etcDir}" - ++ optional withKerberos "--with-kerberos5=${kerberos}" + ++ optional withKerberos (assert kerberos != null; "--with-kerberos5=${kerberos}") ++ optional stdenv.isDarwin "--disable-libutil" ++ optional (!linkOpenssl) "--without-openssl"; diff --git a/pkgs/top-level/aliases.nix b/pkgs/top-level/aliases.nix index ef49fceab72..7d371881f94 100644 --- a/pkgs/top-level/aliases.nix +++ b/pkgs/top-level/aliases.nix @@ -142,6 +142,7 @@ mapAliases (rec { rdmd = dtools; # added 2017-08-19 robomongo = robo3t; #added 2017-09-28 rssglx = rss-glx; #added 2015-03-25 + openssh_with_kerberos = openssh; # added 2018-01-28 rubygems = throw "deprecated 2016-03-02: rubygems is now bundled with ruby"; rxvt_unicode_with-plugins = rxvt_unicode-with-plugins; # added 2015-04-02 samsungUnifiedLinuxDriver = samsung-unified-linux-driver; # added 2016-01-25 
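Review bot: The lazy check in the `patches` list, `(assert withKerberos; gssapiPatch)`, fails with a bare assertion error that names only a source position, not the flag combination that caused it. The `@@ -78,7 +74,7 @@` hunk has the same issue with `(assert kerberos != null; "--with-kerberos5=${kerberos}")`. That one matters more now that Kerberos is on by default: a user whose overlay sets `kerberos = null` hits it without ever having asked for Kerberos. An explicit message would tell them what to override, for example `++ optional withGssapiPatches (if withKerberos then gssapiPatch else throw "openssh: withGssapiPatches requires withKerberos = true")` and `++ optional withKerberos (if kerberos != null then "--with-kerberos5=${kerberos}" else throw "openssh: withKerberos = true needs a non-null kerberos; set withKerberos = false to build without it")`. Both lists sit inside the `mkDerivation` call, which starts and ends outside these hunks.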
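Review bot: The new alias `openssh_with_kerberos = openssh;` in pkgs/top-level/aliases.nix is inserted between `rssglx` and `rubygems`, although the visible neighbours suggest the list is kept roughly alphabetical. Moving it next to the other `o` entries would make it easier to find when the alias is later retired. The alias also drops the former `with-kerberos` name suffix, so I would extend the trailing comment to something like `# added 2018-01-28, Kerberos is now built into openssh by default`. The `mapAliases` set continues outside the hunk.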
diff --git a/pkgs/top-level/all-packages.nix b/pkgs/top-level/all-packages.nix index bd1855b0015..e3f51436b33 100644 --- a/pkgs/top-level/all-packages.nix +++ b/pkgs/top-level/all-packages.nix @@ -3882,15 +3882,12 @@ with pkgs; openssh = callPackage ../tools/networking/openssh { hpnSupport = false; - withKerberos = stdenv.isDarwin; etcDir = "/etc/ssh"; pam = if stdenv.isLinux then pam else null; }; openssh_hpn = pkgs.appendToName "with-hpn" (openssh.override { hpnSupport = true; }); - openssh_with_kerberos = pkgs.appendToName "with-kerberos" (openssh.override { withKerberos = true; }); - opensp = callPackage ../tools/text/sgml/opensp { }; opentracker = callPackage ../applications/networking/p2p/opentracker { }; -- cgit 1.4.1