Howard Chu
2009-Sep-08 20:04 UTC
Support for merging LPK and hpn-ssh into mainline openssh?
> From: Damien Miller <djm () mindrot ! org>
> Date: 2009-02-17 4:22:05
> Message-ID: alpine.BSO.2.00.0902171519190.1946 () fuyu ! mindrot ! org>
>
> On Tue, 17 Feb 2009, Peter Lambrechtsen wrote:
>
>> On Tue, Feb 17, 2009 at 3:18 PM, Damien Miller <djm at mindrot.org> wrote:
>> > I don't think there are any plans to merge the LPK patch. We really
>> > don't want a dependency on LDAP libraries in sshd. Maybe if it were
>> > abstracted into a helper app that sshd could consult to verify keys
>> > then it would be more palatable, but even this is doubtful unless it
>> > can be done in a way that avoids complexity - there is a lot that can
>> > go wrong.
>>
>> Yes, the OpenLDAP+OpenSSL dependencies can make it a challenge to
>> compile. However if it was not a default module, and when compiling
>> OpenSSH you could add --with-ldap=/ldap/shared/libs then that would
>> give end-users the option to build OpenSSH with LDAP support or not.
>
> My concern is more with the complexity and maintenance hassle of LDAP,
> not the run-time linkage.

Could you elaborate on this comment? Most sysadmins are looking for this
feature precisely because it *reduces* the complexity and hassle of
maintaining user login info across large networks. Certainly the existing
patch is pretty non-optimal, but the basic idea is sound. What specific
problems are you concerned about?

-- 
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/
Damien Miller
2009-Sep-09 17:00 UTC
Support for merging LPK and hpn-ssh into mainline openssh?
On Tue, 8 Sep 2009, Howard Chu wrote:

> > My concern is more with the complexity and maintenance hassle of LDAP,
> > not the run-time linkage.
>
> Could you elaborate on this comment? Most sysadmins are looking for this
> feature precisely because it *reduces* the complexity and hassle of
> maintaining user login info across large networks.

Complexity and maintenance hassle _for the OpenSSH developers_.

> Certainly the existing patch is pretty non-optimal, but the basic idea is
> sound.

If you want this, here is the path that I proposed to get it working:

> I don't think there are any plans to merge the LPK patch. We really
> don't want a dependency on LDAP libraries in sshd. Maybe if it were
> abstracted into a helper app that sshd could consult to verify keys
> then it would be more palatable, but even this is doubtful unless it
> can be done in a way that avoids complexity - there is a lot that can
> go wrong.

Patches welcome.

-d
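The thread's proposed alternative to linking libldap into sshd is a separate helper that sshd consults for a user's keys. The following is an added sketch of such a helper, written for this page; it is not code from the thread, from the LPK patch, or from the OpenSSH or OpenLDAP projects. It assumes the directory exposes keys in an attribute named sshPublicKey, that the directory query itself (for example ldapsearch) runs outside this program and its LDIF output is piped in on stdin, and that sshd would invoke the helper through the AuthorizedKeysCommand option that OpenSSH added in 6.2, well after this 2009 exchange. The LDIF record in the block is constructed sample data. The security-relevant work, and the place where "a lot can go wrong", is on the edges: the username must not be able to rewrite the LDAP filter, and every value pulled from the directory is re-validated as a well-formed key of an allowed type before it reaches sshd.

```python
#!/usr/bin/env python3
"""Helper sketch: turn a directory record into authorized_keys lines.
Assumptions (not from the thread): attribute name sshPublicKey, LDIF on
stdin, invocation via AuthorizedKeysCommand. Sample LDIF is constructed."""
import base64
import re
import struct
import sys

ALLOWED_TYPES = {"ssh-ed25519", "ssh-rsa", "ecdsa-sha2-nistp256"}
KEY_ATTR = "sshPublicKey"                      # assumed attribute name
USER_RE = re.compile(r"^[a-z_][a-z0-9_-]{0,31}$")


def ldap_filter_escape(value: str) -> str:
    """RFC 4515 escaping: a username cannot close or extend the filter."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\0" else c for c in value)


def is_safe_username(user: str) -> bool:
    """Only plain POSIX-style names are looked up at all."""
    return bool(USER_RE.match(user))


def build_filter(user: str) -> str:
    """Search filter for the lookup that would run outside this program."""
    if not is_safe_username(user):
        raise ValueError("refusing lookup for unsafe username")
    return "(&(objectClass=posixAccount)(uid=%s))" % ldap_filter_escape(user)


def parse_ldif_values(ldif: str, attr: str) -> list:
    """All values of `attr` in LDIF text; handles folded lines and '::' base64."""
    unfolded = re.sub(r"\n ", "", ldif)        # LDIF folds with newline+space
    values = []
    for line in unfolded.splitlines():
        if line.startswith(attr + ":: "):
            values.append(base64.b64decode(line[len(attr) + 3:]).decode())
        elif line.startswith(attr + ": "):
            values.append(line[len(attr) + 2:])
    return values


def validate_key(line: str):
    """Return the line if it is a well-formed key of an allowed type, else None.
    The type string inside the wire-format blob must match the declared type,
    so a record cannot label an arbitrary blob as an accepted type."""
    parts = line.strip().split()
    if len(parts) < 2 or parts[0] not in ALLOWED_TYPES:
        return None                            # also rejects lines with options
    ktype, blob = parts[0], parts[1]
    try:
        raw = base64.b64decode(blob, validate=True)
        (n,) = struct.unpack(">I", raw[:4])
        if raw[4:4 + n].decode() != ktype:
            return None
        if ktype == "ssh-ed25519":             # fixed-size public key: 32 bytes
            (m,) = struct.unpack(">I", raw[4 + n:8 + n])
            if m != 32 or len(raw) != 8 + n + m:
                return None
    except Exception:
        return None
    return " ".join(parts)


def authorized_keys_for(user: str, ldif: str) -> list:
    """Lines sshd should accept for `user`, from an LDIF search result."""
    build_filter(user)                         # same username check as the lookup
    return [k for k in map(validate_key, parse_ldif_values(ldif, KEY_ATTR)) if k]


# --- constructed sample data (not a real directory dump) -------------------
def _blob(ktype: str, payload: bytes) -> str:
    """SSH wire-format blob: string(type) || payload, base64 encoded."""
    return base64.b64encode(struct.pack(">I", len(ktype)) + ktype.encode() + payload).decode()


GOOD = _blob("ssh-ed25519", struct.pack(">I", 32) + b"\x01" * 32)
MISMATCH = _blob("ssh-dss", b"\x00" * 8)      # blob says ssh-dss, line claims ssh-rsa
SAMPLE_LDIF = "\n".join([
    "dn: uid=hyc,ou=people,dc=example,dc=com",
    "uid: hyc",
    "objectClass: posixAccount",
    "objectClass: ldapPublicKey",
    "sshPublicKey: ssh-ed25519 " + GOOD + " hyc@laptop",
    "sshPublicKey: ssh-rsa " + MISMATCH + " forged",
    "sshPublicKey: ssh-dss AAAAB3NzaC1kc3MAAACB legacy",
    "sshPublicKey: ssh-ed25519 " + GOOD[:24] + "\n " + GOOD[24:] + " folded",
    "sshPublicKey:: " + base64.b64encode(("ssh-ed25519 " + GOOD + " b64value").encode()).decode(),
    "",
])


def main(argv):
    if len(argv) != 2:
        sys.stderr.write("usage: ldap-keys-helper USER  (LDIF on stdin)\n")
        return 2
    try:
        for key in authorized_keys_for(argv[1], sys.stdin.read()):
            print(key)
    except ValueError as exc:
        sys.stderr.write(str(exc) + "\n")
        return 1
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run against the sample, the helper emits the three ed25519 lines and drops the mislabelled blob and the legacy ssh-dss key. Wired in with `AuthorizedKeysCommand` plus a dedicated `AuthorizedKeysCommandUser`, sshd requires the command to be owned by root and not group- or world-writable; the directory credentials and the LDAP client library then live only in the helper's address space, which is the separation the thread is asking for.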