[ssh_x509] please split up the x509 patch

ssh_x509 at roumenpetrov.info ssh_x509 at roumenpetrov.info
Mon Feb 8 23:00:13 EET 2016


Hi Mike,

ssh_x509 at roumenpetrov.info wrote:
> the x509 patch has picked up a number of changes unrelated to x509.
> some quick, but certainly not complete, examples:
>   - openssl configure flag deleted
PKIX-SSH requires openssl (or a fork). It is useless to request support 
for X.509 public key algorithms without a cryptographic library that could 
manage them.

Another point is the configure script. Let's review the option:
....
openssl=yes
.....
AC_ARG_WITH([openssl],
     [  --without-openssl       Disable use of OpenSSL; use only limited internal crypto **EXPERIMENTAL** ],
     [  if test "x$withval" = "xno" ; then
         openssl=no
         ssh1=no
        fi
     ]
)
.....
Unfortunately --with options support arguments and 90% of developers 
miss this fact. Autoconf documentation is confusing as the samples do 
not show that functionality.
What if a user tries to configure with --with-openssl=useit?
More correct is to use --disable-feature, i.e. the macro AC_ARG_ENABLE.

I prefer to ignore (=remove) it instead of fixing the logic and raising an 
error if it is not yes.

It is expected that in future the option will be --with-crypto=<NAME> ...., 
but it seems to me support for other libraries is not a top priority.


>   - ssh1 configure flag renamed
There is a long history of broken use of configure options (macros). OpenSSH 
version 6.8 started with the option --without-sha1. So far so good, but the 
logic was broken similarly to --without-openssl.

Even more, with version 7.1 OpenSSH released code that disables ssh1 by 
default, but the option is called --without-ssh1!

I would like to propose that you modify OpenSSH to use a more precise 
option; see the attached file 
"0003-configure.ac-use-enable-ssh1-instead-ambiguous-with-.patch" with the patch.

>   - tcp-wrapper support re-added (after upstream dropped it)
It was never a default option, so I'm not sure what the issue is here.

> if you want to make changes to support more stuff, that's fine, but
> please release a "core" or "minimal" x509 patchset that *only* adds
> x509 features.
Release logic has changed with version 8.0. This version is the first one 
that distributes a complete source package. There will be no more X.509 
patch. For reference I will continue to publish the difference between 
PKIX-SSH and OpenSSH using the old file naming convention.

> we've been including x509 in Gentoo, but it's been painful, and it's
> only getting worse.  our choices at this point are either:
>   - drop it completely and make users figure things out
>   - scrub/modify every x509 patch by hand, possibly screwing it up
> both of those options suck.
I would like to propose to you changes in the build model to offer users a 
choice of which ssh implementation to use, instead of trying to manage patches.
Anyway, X.509, HPN, LDAP and GSSAPI patches cannot be applied to one and 
the same code base.

AuthorizedKeysCommand* obsoletes the LDAP patch.
HPN and GSSAPI are not managed any more. Unfortunately I'm not able to 
add some of the functionality of those patches to PKIX-SSH.

> -mike

Roumen


-- 
Get SSH with X.509 certificate support
http://roumenpetrov.info/openssh/
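The --with-openssl=useit problem discussed in the mail, as an added example that is not part of the original message: a small POSIX sh model of how autoconf maps the command-line form to $withval, with the loose check from the quoted configure.ac beside a strict handler that rejects unexpected arguments (the function names are made up for this example).

```shell
#!/bin/sh
# Added example: models autoconf's handling of --with-openssl variants.
# Autoconf sets $withval as follows (this is real AC_ARG_WITH behaviour):
#   --with-openssl        -> "yes"
#   --without-openssl     -> "no"
#   --with-openssl=ARG    -> "ARG"
withval_for() {
    case "$1" in
        --with-openssl)     echo yes ;;
        --without-openssl)  echo no ;;
        --with-openssl=*)   echo "${1#--with-openssl=}" ;;
        *)                  return 1 ;;
    esac
}

# Loose handler, the logic quoted from configure.ac: only the literal "no"
# disables OpenSSL, so any other argument (a typo, "useit", "0") silently
# leaves openssl=yes and nobody notices the option was ignored.
loose_openssl() {
    openssl=yes
    withval=$(withval_for "$1") || return 1
    if test "x$withval" = "xno"; then
        openssl=no
    fi
    echo "$openssl"
}

# Strict handler, what the mail calls "raise error if is not yes": accept
# only yes/no and abort the configure run on anything else, so a
# misspelled crypto option fails loudly instead of building the wrong thing.
strict_openssl() {
    withval=$(withval_for "$1") || return 1
    case "$withval" in
        yes|no) echo "$withval" ;;
        *)  echo "configure: error: invalid value '$withval' for --with-openssl" >&2
            return 2 ;;
    esac
}
```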

-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0003-configure.ac-use-enable-ssh1-instead-ambiguous-with-.patch
Type: text/x-diff
Size: 1428 bytes
Desc: not available
URL: <http://roumenpetrov.info/pipermail/ssh_x509_roumenpetrov.info/attachments/20160208/ebe6add7/attachment-0001.bin>

