From 9e86984fe066c09236aa0acd09e23babb66292e8 Mon Sep 17 00:00:00 2001
From: Aneesh Agrawal <aneeshusa@gmail.com>
Date: Tue, 8 Mar 2016 15:14:25 -0500
Subject: [PATCH] openssh: decouple gssapi patch from kerberos

The GSSAPI patch is useful but maintained by Debian, not upstream, and
can be slow to update. To avoid breaking openssh_with_kerberos when
the openssh version is bumped but the GSSAPI patch has not been updated,
don't enable the GSSAPI patch implicitly but require it to be explicitly
enabled.
---
 pkgs/tools/networking/openssh/default.nix | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/pkgs/tools/networking/openssh/default.nix b/pkgs/tools/networking/openssh/default.nix
index 4a1efbb03356..054174393ec2 100644
--- a/pkgs/tools/networking/openssh/default.nix
+++ b/pkgs/tools/networking/openssh/default.nix
@@ -2,12 +2,13 @@
 , etcDir ? null
 , hpnSupport ? false
 , withKerberos ? false
-, withGssapiPatches ? withKerberos
+, withGssapiPatches ? false
 , kerberos
 , linkOpenssl? true
 }:
 
 assert withKerberos -> kerberos != null;
+assert withGssapiPatches -> withKerberos;
 
 let
 
@@ -24,6 +25,8 @@ let
 in
 with stdenv.lib;
 stdenv.mkDerivation rec {
+  # Please ensure that openssh_with_kerberos still builds when
+  # bumping the version here!
   name = "openssh-7.2p1";
 
   src = fetchurl {