Support for merging LPK and hpn-ssh into mainline openssh?

Howard Chu hyc at
Thu Sep 10 04:35:02 EST 2009

Damien Miller wrote:
> On Tue, 8 Sep 2009, Howard Chu wrote:
>>> My concern is more with the complexity and maintenance hassle of LDAP,
>>> not the run-time linkage.
>> Could you elaborate on this comment? Most sysadmins are looking for this
>> feature precisely because it *reduces* the complexity and hassle of
>> maintaining user login info across large networks.
> Complexity and maintenance hassle _for the OpenSSH developers_.
>> Certainly the existing patch is pretty non-optimal, but the basic idea is
>> sound.
> If you want this, here is the path that I proposed to get it working:
>> I don't think there are any plans to merge the LPK patch. We really
>> don't want a dependency on LDAP libraries in sshd. Maybe if it were
>> abstracted into a helper app that sshd could consult to verify keys
>> then it would be more palatable, but even this is doubtful unless it
>> can be done in a way that avoids complexity - there is a lot that can
>> go wrong.

Hmm. Pushing this out to a separate process requires inventing yet another IPC 
protocol, and adds one more moving piece that can break. How does this 
approach avoid complexity? How is it any hassle to add libldap to the link 
dependencies of sshd?

   -- Howard Chu
   CTO, Symas Corp. 
   Director, Highland Sun
   Chief Architect, OpenLDAP

More information about the openssh-unix-dev mailing list