Public bug reported:

Some shops use X.509 certificates to restrict access to openssh.
(In fact, one shop I know of says that's how they kept a penetration tester
from getting too far.)
Upstream openssh refuses to support that feature because they feel it would
increase their attack surface (see
http://lists.mindrot.org/pipermail/openssh-bugs/2008-June/006945.html ) and
they encourage users who need this feature to apply the patch from Roumen
( http://roumenpetrov.info/openssh/ ).

Perhaps Ubuntu can package openssh-x509 as a separate package, so users
who ask for normal openssh aren't subjecting themselves to the increased
attack surface, and users who need it can get it.

** Affects: openssh (Ubuntu)
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to openssh in Ubuntu.
https://bugs.launchpad.net/bugs/893735

Title:
  native support for X.509 v3 certificates in openssh

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/893735/+subscriptions

-- 
Ubuntu-server-bugs mailing list
Ubuntu-server-bugs@lists.ubuntu.com
Modify settings or unsubscribe at: 
https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
