Support for merging LPK and hpn-ssh into mainline openssh?

Howard Chu hyc at
Wed Sep 9 06:04:11 EST 2009

> From:       Damien Miller <djm () mindrot ! org>
> Date:       2009-02-17 4:22:05
> Message-ID: alpine.BSO.2.00.0902171519190.1946 () fuyu ! mindrot ! org

> On Tue, 17 Feb 2009, Peter Lambrechtsen wrote:
>> On Tue, Feb 17, 2009 at 3:18 PM, Damien Miller <djm at> wrote:
>> > I don't think there are any plans to merge the LPK patch. We really
>> > don't want a dependency on LDAP libraries in sshd. Maybe if it were
>> > abstracted into a helper app that sshd could consult to verify keys
>> > then it would be more palatable, but even this is doubtful unless it
>> > can be done in a way that avoids complexity - there is a lot that can
>> > go wrong.
>> Yes, the OpenLDAP+OpenSSL dependencies can make it a challenge to
>> compile.  However if it was not a default module, and when compiling
>> OpenSSH you could add --with-ldap=/ldap/shared/libs then that would
>> give end-users the option to build OpenSSH with LDAP support or not.
> My concern is more with the complexity and maintenance hassle of LDAP,
> not the run-time linkage.

Could you elaborate on this comment? Most sysadmins are looking for this 
feature precisely because it *reduces* the complexity and hassle of 
maintaining user login info across large networks.

Certainly the existing patch is pretty non-optimal, but the basic idea is 
sound. What specific problems are you concerned about?

   -- Howard Chu
   CTO, Symas Corp. 
   Director, Highland Sun
   Chief Architect, OpenLDAP

More information about the openssh-unix-dev mailing list