On Wed, Apr 30, 2014 at 02:01:33AM +0000, Alain O'Dea via smartos-discuss wrote:
> The availability of ed25519 keys for SSH has raised the spectre of
> internal policy changing to disallow use of RSA and DSA keys:
> http://www.tedunangst.com/flak/post/new-openssh-key-format-and-bcrypt-pbkdf
>
> This is obviously impractical until our systems support it.
>
> In the mean time we can better protect our RSA keys:
> http://martin.kleppmann.com/2013/05/24/improving-security-of-ssh-private-keys.html
>
> Is there a plan to support ECDSA, ed25519 and other stronger key
> formats in sshd? Would it make sense to switch from Sun_SSH to OpenSSH
> in SmartOS at some point?

This is a FAQ, so hopefully answering it here will preserve it for posterity.

SunSSH has features not in OpenSSH. These features are in the areas of auditing, RBAC support, and the alternate privilege separation model. There may or may not be additional differences and no one has yet undertaken a comprehensive inventory.

There is no controversy around the idea of bringing SunSSH up to current OpenSSH with respect to new cipher support, bug fixes, and so on. Replacing it with OpenSSH would be highly controversial at best because there are in fact people using the SunSSH features (in fact, I recall one such customer in IRC recently who was using OpenSSH and found it did not meet his needs; switching to SunSSH solved his problem).

If someone wants to take on the work of inventorying the changes, deciding whether it would be easier to patch SunSSH with cumulative OpenSSH delta or patch OpenSSH with SunSSH delta or some other approach, and actually doing the merge, I am sure that work would be very welcome. At present, I'm unaware of anyone having volunteered or actively working in this area.
