RFE: Portable OpenSSH

Dan Kaminsky dankamin at cisco.com
Wed Mar 28 10:30:05 EST 2001


> > Why not include PRNGd source with OpenSSH, install it, and if sshd
> > fails to get any entropy, start PRNGd and try again?  It doesn't
> > work for client-only ssh usage (though if the ssh command is setuid,
> > it could, but that's probably a really bad idea for other reasons).
>
> Note that I really don't want to go down the road of including source
> to other programs in the portable tarball.

You're right, Damien.  Such a route diminishes the barrier between what we're
responsible for and what we're not.  I *could* envision a stripped down
OpenSSL distribution that only contained what OpenSSH requires being
included, but everything else indeed should remain separate from the
standard distribution.

Would you have any objection to openssh-full, a separately maintained but
equally available package that could portably exist on any machine and
successfully configure/make/make install on it?  The idea would be to
include those few libraries that actually made it into the OpenSSH codebase
(for legality or convenience) and have a meta-configure script that handled
them all "out of the box".

Again, I think you're absolutely right about keeping openssh itself
pure--but I also know, pragmatically, forcing people to slog through the
tarball equivalent of RPM Hell (slower, because you have to wait for
configure to fail to find out you need to configure libz, then wait again to
find out you need to configure SSL, etc.) is worse than what SSH1 required.

> BTW autoconf already detects the presence of a PRNGd socket and will
> try to use that.

Excellent!

--Dan





More information about the openssh-unix-dev mailing list