RFE: Portable OpenSSH

Dan Kaminsky dankamin at cisco.com
Wed Mar 28 11:59:36 EST 2001


> That depends on how it is linked. It may not be runtime for you, but it is
> for many (most?) other people.

Solaris 2.6 depends on:

libz
libsocket
libnsl
libc
libdl
libmp
libc_psr

Cygwin depends on:

cygz.dll
cygwin1.dll

Linux does however indeed require libcrypto.  I stand corrected.

Any ideas what's going on, folks?

> > We have one major external dependency, and that's Libz.  It can be
> > statically linked; prngd can't be.  So I'm arguing for *no* dependencies,
> > which is a hell of a lot easier to admin.
> >
> > We should dynamically link libz by default, of course.
>
> Why?

Binary size.  No reason to be redundant, unless such redundancy assists with
deployment.  If libz was less popular, I'd argue for a default-static.  It's
pretty widely deployed though, so the need for a static libz include isn't
universal.  Does show up in spots, though.

I probably wouldn't argue for libz include at all if, using it, we couldn't
(eventually) get to a build entirely dependent upon standard libraries.

> > > Chances are that these will have other uses on the system anyway.
> >
> > Uses, yes.  EGD has other uses; we used it for GPG as well.  Like I said,
> > nobody adopted the package, and with good reason.
>
> Because it was a huge PERL daemon which could only really be used by one
> person at a time.

Damien, the only other clients that require some local daemon to be running
in order for them to work are GUI tools that everyone bitches about
*constantly*.  The things that are barely becoming annoying in SSH pretty
much define GNOME.

Name *one* command line client that requires anything else to run on the
command line.  NFS stuff is about all that comes to mind, and people bitch
about that too!

Speaking of one person at a time, you *still* haven't responded to the
security concerns or root dependencies.  You can't escape the fact that
prngd *either* leads to lots and lots of people running daemons they don't
need to be *or* leads to lots and lots of people banging on the sysadmin's
door to install a *client* tool as root.

Live, in-client execution of entropy gatherers does not a daemon make,
incidentally.

If the sysadmin *wants* to run prngd, and speed things up--great!  If he
doesn't, though--and come on, as you said, root app running lots of external
tools doesn't inspire confidence--I don't want the entire system to fall
over.  Graceful degradation is the goal.

I'll put together some compiletime->runtime patches; we'll continue this
discussion when that's available.

Yours Truly,

    Dan Kaminsky, CISSP
    http://www.doxpara.com
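The "graceful degradation" and compile-time-to-runtime point above, as an added example that is not part of the original post, not OpenSSH's entropy.c, and not Kaminsky's patches: the entropy source is chosen when the client runs, not when it is built. The code tries a kernel device first and an EGD/prngd Unix socket second, and if neither answers it reports SRC_NONE so the caller can refuse to continue rather than proceed with weak bytes. The ordering, the device path and the socket path are assumptions of this example; the EGD request format (command byte 0x02 followed by a one-byte count for a blocking read) is the published EGD protocol.

```c
/* Added example: runtime fallback between entropy sources (illustrative,
 * not OpenSSH's own code). Order and paths are assumptions of the example. */
#include <fcntl.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/un.h>
#include <unistd.h>

enum rand_source { SRC_NONE = 0, SRC_DEVICE = 1, SRC_EGD = 2 };

/* Read exactly n bytes from fd; short reads are retried, EOF is an error. */
static int read_exact(int fd, unsigned char *buf, size_t n)
{
    size_t got = 0;
    while (got < n) {
        ssize_t r = read(fd, buf + got, n - got);
        if (r <= 0)
            return -1;
        got += (size_t)r;
    }
    return 0;
}

/* Source 1: a kernel device such as /dev/urandom (no daemon needed). */
static int read_device(const char *path, unsigned char *buf, size_t n)
{
    int fd = open(path, O_RDONLY);
    if (fd < 0)
        return -1;
    int rc = read_exact(fd, buf, n);
    close(fd);
    return rc;
}

/* Source 2: an EGD/prngd Unix socket. EGD protocol: send 0x02 and a
 * one-byte count (<= 255) for a blocking read, then receive that many
 * bytes. Larger requests are split into 255-byte chunks. */
static int read_egd(const char *path, unsigned char *buf, size_t n)
{
    struct sockaddr_un addr;
    if (path == NULL || strlen(path) >= sizeof(addr.sun_path))
        return -1;
    int fd = socket(AF_UNIX, SOCK_STREAM, 0);
    if (fd < 0)
        return -1;
    memset(&addr, 0, sizeof(addr));
    addr.sun_family = AF_UNIX;
    strcpy(addr.sun_path, path);
    if (connect(fd, (struct sockaddr *)&addr, sizeof(addr)) < 0) {
        close(fd);   /* daemon not running: fall through to the next source */
        return -1;
    }
    size_t done = 0;
    while (done < n) {
        size_t chunk = (n - done > 255) ? 255 : n - done;
        unsigned char req[2] = { 0x02, (unsigned char)chunk };
        if (write(fd, req, sizeof(req)) != (ssize_t)sizeof(req) ||
            read_exact(fd, buf + done, chunk) != 0) {
            close(fd);
            return -1;
        }
        done += chunk;
    }
    close(fd);
    return 0;
}

/* Try the sources in order at runtime and report which one answered.
 * SRC_NONE means nothing worked; the caller must fail loudly, not use
 * the zeroed buffer. */
enum rand_source collect_entropy(unsigned char *buf, size_t n,
                                 const char *device, const char *egd_path)
{
    if (device != NULL && read_device(device, buf, n) == 0)
        return SRC_DEVICE;
    if (egd_path != NULL && read_egd(egd_path, buf, n) == 0)
        return SRC_EGD;
    memset(buf, 0, n);
    return SRC_NONE;
}

/* Helper returning only the source chosen for a 32-byte request. */
int demo_source(const char *device, const char *egd_path)
{
    unsigned char buf[32];
    return (int)collect_entropy(buf, sizeof(buf), device, egd_path);
}

int main(void)
{
    unsigned char buf[16];
    /* /var/run/egd-pool is the conventional EGD socket path (assumed). */
    enum rand_source src = collect_entropy(buf, sizeof(buf),
                                           "/dev/urandom", "/var/run/egd-pool");
    printf("source=%d first byte=%02x\n", (int)src, buf[0]);
    return src == SRC_NONE ? 1 : 0;
}
```

On a host with a kernel device the daemon is never contacted, which is the no-root, no-daemon path argued for above; on a host without one, a running prngd is used if present, and a missing daemon is reported rather than crashing the client.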