Public bug reported: Some shops use x.509 certificates to restrict access to openssh. (In fact, one shop I know of says that's how they kept a penetration tester from getting too far.) Upstream openssh refuses to support that feature because they feel it would increase their attack surface (see http://lists.mindrot.org/pipermail/openssh-bugs/2008-June/006945.html ) and they encourage users who need this feature to apply the patch from Roumen ( http://roumenpetrov.info/openssh/ ).
Perhaps Ubuntu can package openssh-x509 as a separate package, so users who ask for normal openssh aren't subjecting themselves to the increased attack surface, and users who need it can get it.

** Affects: openssh (Ubuntu)
Importance: Undecided
Status: New

https://bugs.launchpad.net/bugs/893735
Title: native support for X.509 v3 certificates in openssh