Keith,

I decided to use OpenSSH rather than SunSSH in my SmartOS zones because I 
couldn’t figure out how to enable chroot for sftp otherwise. Is there a way to 
do it with SunSSH?

Thanks,
Chris

On 30.04.2014 at 18:18, Keith Wesolowski via smartos-discuss 
<[email protected]> wrote:

> On Wed, Apr 30, 2014 at 02:01:33AM +0000, Alain O'Dea via smartos-discuss 
> wrote:
> 
>> The availability of ed25519 keys for SSH has raised the spectre of
>> internal policy changing to disallow use of RSA and DSA keys:
>> http://www.tedunangst.com/flak/post/new-openssh-key-format-and-bcrypt-pbkdf
>> 
>> This is obviously impractical until our systems support it.
>> 
>> In the meantime we can better protect our RSA keys:
>> http://martin.kleppmann.com/2013/05/24/improving-security-of-ssh-private-keys.html
>> 
>> Is there a plan to support ECDSA, ed25519 and other stronger key
>> formats in sshd? Would it make sense to switch from Sun_SSH to OpenSSH
>> in SmartOS at some point?
> 
> This is a FAQ, so hopefully answering it here will preserve it for
> posterity.
> 
> SunSSH has features not in OpenSSH.  These features are in the areas of
> auditing, RBAC support, and the alternate privilege separation model.
> There may or may not be additional differences and no one has yet
> undertaken a comprehensive inventory.
> 
> There is no controversy around the idea of bringing SunSSH up to current
> OpenSSH with respect to new cipher support, bug fixes, and so on.
> Replacing it with OpenSSH would be highly controversial at best because
> there are in fact people using the SunSSH features (in fact, I recall
> one such customer in IRC recently who was using OpenSSH and found it did
> not meet his needs; switching to SunSSH solved his problem).  If someone
> wants to take on the work of inventorying the changes, deciding whether
> it would be easier to patch SunSSH with cumulative OpenSSH delta or
> patch OpenSSH with SunSSH delta or some other approach, and actually
> doing the merge, I am sure that work would be very welcome.  At present,
> I'm unaware of anyone having volunteered or actively working in this
> area.
> 
> 
> -------------------------------------------
> smartos-discuss
> Archives: https://www.listbox.com/member/archive/184463/=now
> RSS Feed: https://www.listbox.com/member/archive/rss/184463/24804823-eebbfb1e
> Modify Your Subscription: https://www.listbox.com/member/?&;
> Powered by Listbox: http://www.listbox.com


