Hi Jan, > Jan Vlach <[email protected]> wrote: > > So I grabbed OpenSSH 6.9 via pkgin and have some observations: > 1. sshd method -c does not really generate keys if sshd uses default > paths (i.e. HostKey is hashed out - doesn't tell a thing if the key is > enabled or disabled) If the keys are enabled, it generates only dsa and > rsa keys (ignores ecdsa and ed25519)
Right -- SunSSH only supports RSA and DSA keys (no support for ECDSA or ED25519), so this is basically "as designed". The ssh-keygen -A option is available in modern OpenSSH which is a better option for this, as it automatically generates all of the types of keys that are enabled by default. SunSSH is way too ancient to have this option. Most of its code was forked back in around 2002 to 2003 and has not been updated very much since (with some notable exceptions for bugfixes and feature backports, but certainly no new ciphers). > > 2. svcadm restart openssh kills all sessions - I have no idea why, > alpine linux and openbsd uses HUP to restart the daemon and sessions do > stay alive. It seems that this is because of privsep not being > used/compiled ... This is because of the lack of correct contracts support, not because of privsep. Re: privsep in general, the SunSSH privsep model was changed to their "altprivsep" one, and the ps output you've pasted shows it functioning as they designed it to. I wish I was kidding, but the altprivsep model actually does involve parsing all of the preauth traffic in a process running as root. You can read the README.altprivsep file if you want to know more about what they did, but IMHO anyway they never really managed to explain why it was a good idea (except apparently it avoids the monitor process being a "key oracle" -- but in the code, I don't see how it does: you can still send it arbitrary data if you want, you just have to dress it up a bit). > > Are there any plans to switch from SunSSH to OpenSSH in base zone image and > in hypervisor? Yes, actually. It's not quite as straightforward as one would like, however. If you had continued to test further you would have noticed some issues with OpenSSH on Illumos -- including it not dropping custom privileges for users properly upon login, and allowing logins to roles which should not be allowed to log in at all. Turns out our PAM is not actually compatible with RedHat's PAM for Linux, and openssh-portable's PAM support is written for RedHat's bugs. I've been working for the last few weeks on a stack of patches based on Oracle's patchset for S11 (which they released under BSD) which make OpenSSH 6.9 or 7.0 able to entirely replace the SunSSH in base, with full backwards compatibility (including parsing SunSSH's custom config options). If you're interested I have built some draft images of SmartOS with this which you can try out if you'd like to. I'll reply shortly with some links. ------------------------------------------- smartos-discuss Archives: https://www.listbox.com/member/archive/184463/=now RSS Feed: https://www.listbox.com/member/archive/rss/184463/25769125-55cfbc00 Modify Your Subscription: https://www.listbox.com/member/?member_id=25769125&id_secret=25769125-7688e9fb Powered by Listbox: http://www.listbox.com
