Support for merging LPK and hpn-ssh into mainline openssh?
hyc at symas.com
Wed Sep 9 06:04:11 EST 2009
> From: Damien Miller <djm () mindrot ! org>
> Date: 2009-02-17 4:22:05
> Message-ID: alpine.BSO.2.00.0902171519190.1946 () fuyu ! mindrot ! org
> On Tue, 17 Feb 2009, Peter Lambrechtsen wrote:
>> On Tue, Feb 17, 2009 at 3:18 PM, Damien Miller <djm at mindrot.org> wrote:
>> > I don't think there are any plans to merge the LPK patch. We really
>> > don't want a dependency on LDAP libraries in sshd. Maybe if it were
>> > abstracted into a helper app that sshd could consult to verify keys
>> > then it would be more palatable, but even this is doubtful unless it
>> > can be done in a way that avoids complexity - there is a lot that can
>> > go wrong.
>> Yes, the OpenLDAP+OpenSSL dependencies can make it a challenge to
>> compile. However if it was not a default module, and when compiling
>> OpenSSH you could add --with-ldap=/ldap/shared/libs then that would
>> give end-users the option to build OpenSSH with LDAP support or not.
> My concern is more with the complexity and maintenance hassle of LDAP,
> not the run-time linkage.
Could you elaborate on this comment? Most sysadmins are looking for this
feature precisely because it *reduces* the complexity and hassle of
maintaining user login info across large networks.
Certainly the existing patch is pretty non-optimal, but the basic idea is
sound. What specific problems are you concerned about?
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
More information about the openssh-unix-dev