LPK integration - summary and ideas

Daniel Kahn Gillmor dkg at fifthhorseman.net
Thu Jun 10 01:14:43 EST 2010


On 06/09/2010 04:22 AM, Dan Kaminsky wrote:
> There's a long history of using external commands as an extensibility point
> (ProxyCommand for example) and, if there was going to be any way of linking
> LDAP in, this would almost certainly be the best way.

I agree with Dan here.  I'd rather see a general, out-of-process,
extensible framework put in place than see LPK integrated directly.

For the client side, something like KnownHostsCommand (by analogy with
KnownHostsFile) would be good.  I've just opened a ticket describing a
simple outline for that enhancement:

 https://bugzilla.mindrot.org/show_bug.cgi?id=1777

For the server side, it's a bit trickier to define an
AuthorizedKeysCommand (and to ensure that a blocked
AuthorizedKeysCommand does not hang the rest of the daemon), but it
would be useful too.  I've opened a ticket describing that option as
well (but it's not as well fleshed-out):

 https://bugzilla.mindrot.org/show_bug.cgi?id=1778

	--dkg
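
The server-side concern in the message above (a blocked helper must not stall its caller) can be illustrated with a deadline-bound fork/exec wrapper. This is an added example, not part of the original message and not OpenSSH code; the function name `run_keys_command`, the millisecond timeout, and the helper interface (username as the only argument, key lines on stdout) are assumptions made for the illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <poll.h>
#include <signal.h>
#include <sys/wait.h>
#include <time.h>
#include <unistd.h>

static long ms_since(const struct timespec *t0) {
    struct timespec now;
    clock_gettime(CLOCK_MONOTONIC, &now);
    return (now.tv_sec - t0->tv_sec) * 1000L + (now.tv_nsec - t0->tv_nsec) / 1000000L;
}

/* Hypothetical helper interface: exec `path` with `user` as its only argument
 * and read key lines from its stdout. Returns bytes read, or -1 on timeout,
 * oversized output, exec failure or non-zero exit (fail closed). */
long run_keys_command(const char *path, const char *user, int timeout_ms,
                      char *out, size_t outlen) {
    int fds[2], eof = 0, status = 0;
    size_t used = 0;
    struct timespec t0;
    if (outlen < 2 || pipe(fds) == -1) return -1;
    pid_t pid = fork(), r = 0;
    if (pid == 0) {                        /* child: stdout -> pipe, then exec */
        dup2(fds[1], STDOUT_FILENO);
        close(fds[0]); close(fds[1]);
        execl(path, path, user, (char *)NULL);
        _exit(127);                        /* exec failed */
    }
    close(fds[1]);
    clock_gettime(CLOCK_MONOTONIC, &t0);
    while (pid > 0 && !eof && used < outlen - 1) {
        struct pollfd p = { .fd = fds[0], .events = POLLIN };
        long left = timeout_ms - ms_since(&t0);
        if (left <= 0 || poll(&p, 1, (int)left) <= 0) break;  /* deadline or error */
        ssize_t n = read(fds[0], out + used, outlen - 1 - used);
        if (n <= 0) { eof = (n == 0); break; }                /* EOF or read error */
        used += (size_t)n;
    }
    close(fds[0]); out[used] = '\0';
    /* Reap under the same deadline: closing stdout early does not buy time. */
    while (eof && (r = waitpid(pid, &status, WNOHANG)) == 0 && ms_since(&t0) < timeout_ms)
        poll(NULL, 0, 10);                 /* 10 ms sleep between checks */
    if (pid > 0 && r != pid) {             /* stuck, too chatty, or deadline hit */
        kill(pid, SIGKILL);
        waitpid(pid, &status, 0);
        return -1;
    }
    return (pid > 0 && WIFEXITED(status) && WEXITSTATUS(status) == 0) ? (long)used : -1;
}
```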
