On May 26, 2008, at 4:56 AM, Jan Pechanec wrote:

> On Fri, 23 May 2008, Henry B. Hotz wrote:
>
>> Has anyone built and used Sun SSH on any other platforms? (I'm
>> wondering if it would be easier to get RedHat to switch than to get
>> them to take Simon's patches.)
>
> hi Henry, I don't know what patches you are talking about

http://www.sxw.org.uk/computing/patches/openssh.html

> but I haven't heard about anybody porting SunSSH to other platforms.
> What's more, it would need more work in the future

*bleah*

> considering that, for example, X.509 support that we are working on
> will use KMF which is Solaris specific.

Just my opinion, but I don't think X509 technology is appropriate for this context. Of course I don't think it's appropriate for Web, either, so that says how much my opinion matters.

> I guess that even existing PAM differences might not be easy to
> overcome. I expect more things like that in the current code.
>
> cheers, J.
>
> --
> Jan Pechanec

The issue comes up every year at the AFS&Kerberos Best Practices Workshop: How can we get OpenSSH to support gssapi-keyex the way SunSSH and most OS vendors do?

The two solutions always proposed are a) fork the code and create our own version, and b) just use SunSSH (since Nico is doing a pretty good job). Nobody really wants to fragment the world more than needed. Unfortunately your answer makes it seem unlikely that the latter is a viable approach.

With the recent OpenSSL problem in Debian, the likelihood of getting security-related patches like Simon's accepted seems even more remote than ever. In fact some people question whether the current OpenSSH maintainers understand the code well enough to evaluate patches like Simon's at all.

Anyway, thanks for the feedback.

------------------------------------------------------
The opinions expressed in this message are mine,
not those of Caltech, JPL, NASA, or the US Government.
Henry.B.Hotz at jpl.nasa.gov, or hbhotz at oxy.edu