I was directed to the following site by one of our customers regarding a keyserver built into openssh. There's a patch for 3.4p1 on their site, but the license isn't very clear, nor is it clear if they have approached the openssh team regarding the inclusion of this subsystem into openssh proper.

I've been asked to patch Mandrake's openssh with this feature, but I'm hesitant until I know what others think and, primarily, whether or not they have even contacted people like Markus or Theo about this. The RFC is written by them, and it looks like they sell some commercial software around this idea as well.

Here are links to more info:

http://www.vandyke.com/download/os/pks_ossh.html
http://www.vandyke.com/technology/draft-ietf-secsh-publickey-subsystem.txt

The idea of it sounds interesting, but I would really like to know if they have approached anyone regarding having it included in openssh proper.

Thanks.

--
MandrakeSoft Security; http://www.mandrakesecure.net/
"lynx - source http://linsec.ca/vdanen.asc | gpg --import"
{FE6F2AFD: 88D8 0D23 8D4B 3407 5BD7 66F9 2043 D0E5 FE6F 2AFD}

It is a subsystem. It is not modifying the OpenSSH code at all, and the licensing in publickey-server.c is BSD two clause licence. Which is what we encourage.

However this bugs me:

RCSID("$OpenBSD: publickey-server.c,v 1.33 2002/06/30 00:00:00 markus Exp $");

This is not a valid RCSID for OpenBSD. Which IMNSHO is very poor manners. Leave the RCSID alone or remove them. Don't randomly change them.

Looks like it is based on sftp-server.c

<shrug> In general if I follow the code and RFC it is just a way of managing 'authorized_keys'. It even is wrong since we no longer support authorized_keys2.

I've never seen it submitted for inclusion. I'd have to look closer at it to make any good or bad comments.

- Ben

On Thu, 10 Oct 2002, Vincent Danen wrote:

> I was directed to the following site by one of our customers regarding
> a keyserver built into openssh. There's a patch for 3.4p1 on their
> site, but the license isn't very clear, nor is it clear if they have
> approached the openssh team regarding the inclusion of this subsystem
> into openssh proper.
>
> I've been asked to patch Mandrake's openssh with this feature, but I'm
> hesitant until I know what others think and, primarily, whether or not
> they have even contacted people like Markus or Theo about this. The
> RFC is written by them, and it looks like they sell some commercial
> software around this idea as well.
>
> Here are links to more info:
>
> http://www.vandyke.com/download/os/pks_ossh.html
> http://www.vandyke.com/technology/draft-ietf-secsh-publickey-subsystem.txt
>
> The idea of it sounds interesting, but I would really like to know if
> they have approached anyone regarding having it included in openssh
> proper.
>
> Thanks.
>
> --
> MandrakeSoft Security; http://www.mandrakesecure.net/
> "lynx - source http://linsec.ca/vdanen.asc | gpg --import"
> {FE6F2AFD: 88D8 0D23 8D4B 3407 5BD7 66F9 2043 D0E5 FE6F 2AFD}

hm, at least i don't remember.

On Thu, Oct 10, 2002 at 12:44:43PM -0600, Vincent Danen wrote:

> I was directed to the following site by one of our customers regarding
> a keyserver built into openssh. There's a patch for 3.4p1 on their
> site, but the license isn't very clear, nor is it clear if they have
> approached the openssh team regarding the inclusion of this subsystem
> into openssh proper.
>
> I've been asked to patch Mandrake's openssh with this feature, but I'm
> hesitant until I know what others think and, primarily, whether or not
> they have even contacted people like Markus or Theo about this. The
> RFC is written by them, and it looks like they sell some commercial
> software around this idea as well.
>
> Here are links to more info:
>
> http://www.vandyke.com/download/os/pks_ossh.html
> http://www.vandyke.com/technology/draft-ietf-secsh-publickey-subsystem.txt
>
> The idea of it sounds interesting, but I would really like to know if
> they have approached anyone regarding having it included in openssh
> proper.
>
> Thanks.
>
> --
> MandrakeSoft Security; http://www.mandrakesecure.net/
> "lynx - source http://linsec.ca/vdanen.asc | gpg --import"
> {FE6F2AFD: 88D8 0D23 8D4B 3407 5BD7 66F9 2043 D0E5 FE6F 2AFD}

> Nor has it shown up on the SECSH-WG alias yet. I don't remember any traffic
> about this draft. Note that the date is October 2002 so it is very new.

It was initially proposed as a channel to the IETF working group as an individual draft in November of 2000. At that time, there was quite a bit of discussion on the public key channel. The consensus was that it should be a subsystem. A new draft has been submitted. It isn't yet clear whether it will be a working group draft or an individual draft. I've contacted the chairman of the WG, but haven't heard back.

> However this bugs me:
>
> RCSID("$OpenBSD: publickey-server.c,v 1.33 2002/06/30 00:00:00 markus Exp $");
>
> This is not a valid RCSID for OpenBSD. Which IMNSHO is very poor manners.
> Leave the RCSID alone or remove them. Don't randomly change them.

The RCSID was an oversight. We don't use RCS, it was leftover from something... My apologies to Markus.

> <shrug> In general if I follow the code and RFC it is just a way of
> managing 'authorized_keys'. It even is wrong since we no longer support
> authorized_keys2.

This is clearly a mistake. We will work on getting an update to the distribution that addresses this.

With regards to including it in the OpenSSH distribution, we'd like to see that happen. We were hoping by releasing it as a patch, we could assess the interest and if there was sufficient interest, it would be included. The early interest seems promising. Markus, please let us know if there is anything we can do to make this happen sooner rather than later :-)

Jeff P. Van Dyke
jpv at vandyke.com