Support for merging LPK and hpn-ssh into mainline openssh?
Howard Chu
hyc at symas.com
Thu Sep 10 04:35:02 EST 2009
Damien Miller wrote:
> On Tue, 8 Sep 2009, Howard Chu wrote:
>
>>> My concern is more with the complexity and maintenance hassle of LDAP,
>>> not the run-time linkage.
>>
>> Could you elaborate on this comment? Most sysadmins are looking for this
>> feature precisely because it *reduces* the complexity and hassle of
>> maintaining user login info across large networks.
>
> Complexity and maintenance hassle _for the OpenSSH developers_.
>
>> Certainly the existing patch is pretty non-optimal, but the basic idea is
>> sound.
>
> If you want this, here is the path that I proposed to get it working:
>
>> I don't think there are any plans to merge the LPK patch. We really
>> don't want a dependency on LDAP libraries in sshd. Maybe if it were
>> abstracted into a helper app that sshd could consult to verify keys
>> then it would be more palatable, but even this is doubtful unless it
>> can be done in a way that avoids complexity - there is a lot that can
>> go wrong.
Hmm. Pushing this out to a separate process requires inventing yet another IPC
protocol, and adds one more moving piece that can break. How does this
approach avoid complexity? How is it any hassle to add libldap to the link
dependencies of sshd?
--
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/