[ssh_x509] please split up the x509 patch
ssh_x509 at roumenpetrov.info
Mon Feb 8 23:00:13 EET 2016
ssh_x509 at roumenpetrov.info wrote:
> the x509 patch has picked up a number of changes unrelated to x509.
> some quick, but certainly not complete, examples:
> - openssl configure flag deleted
PKIX-SSH requires openssl (or a fork). It is useless to request support
for X.509 public key algorithms without a cryptographic library that could
Another point is the configure script. Let's review the option:
[ --without-openssl Disable use of OpenSSL; use only limited
internal crypto **EXPERIMENTAL** ],
[ if test "x$withval" = "xno" ; then
Unfortunately --with options support arguments and 90% of developers
miss this fact. The Autoconf documentation is confusing, as the samples do
not show that functionality.
What if a user tries to configure with --with-openssl=useit?
More correct is to use --disable-feature, i.e. the macro AC_ARG_ENABLE.
I prefer to ignore (= remove) it instead of fixing the logic and raising an
error if it is not yes.
It is expected that in future the option will be --with-crypto=<NAME> ...., but it
seems to me that support for other libraries is not a top priority.
> - ssh1 configure flag renamed
There is a long history of broken use of configure options (macros). OpenSSH
version 6.8 starts with the option --without-ssh1. So far so good, but the logic
was broken similarly to --without-openssl.
Even more, with version 7.1 OpenSSH released code that disables ssh1 by
default, but the option is still called --without-ssh1!
I would like to propose that you modify OpenSSH to use a more precise
option - see the attached patch file
"0003-configure.ac-use-enable-ssh1-instead-ambiguous-with-.patch".
> - tcp-wrapper support re-added (after upstream dropped it)
It never was a default option, so I'm not sure what the issue is here.
> if you want to make changes to support more stuff, that's fine, but
> please release a "core" or "minimal" x509 patchset that *only* adds
> x509 features.
The release logic changed with version 8.0. This version is the first one
that distributes a complete source package. There will be no more X.509
patch. For reference I will continue to publish the difference between PKIX-SSH
and OpenSSH using the old file naming convention.
> we've been including x509 in Gentoo, but it's been painful, and it's
> only getting worse. our choices at this point are either:
> - drop it completely and make users figure things out
> - scrub/modify every x509 patch by hand, possibly screwing it up
> both of those options suck.
I would like to propose to you a change in the build model: offer users a
choice of which SSH implementation to use, instead of trying to manage patches.
Anyway, the X.509, HPN, LDAP and GSSAPI patches cannot be applied to one and
the same code base.
AuthorizedKeysCommand* obsoletes the LDAP patch.
HPN and GSSAPI are not managed any more. Unfortunately I'm not able to
add some of the functionality of those patches to PKIX-SSH.
Get SSH with X.509 certificate support
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 1428 bytes
Desc: not available
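The --with-openssl argument problem discussed in the message above, as an added example that is not part of the original post and not code from PKIX-SSH or OpenSSH. The function names below are assumptions made for this illustration; the check `test "x$withval" = "xno"` is the one quoted from configure.ac. The script emulates how autoconf turns --with-FEATURE, --without-FEATURE and --with-FEATURE=VALUE into $withval, then shows that the quoted check treats an unexpected value such as `--with-openssl=useit` as "keep OpenSSL", while a strict yes/no check rejects it.

```shell
#!/bin/sh
# Added example (not from the PKIX-SSH or OpenSSH sources). Emulates how
# autoconf maps one command-line argument to $withval and compares the lax
# check quoted from configure.ac with a strict one. Function names are
# assumptions made for this illustration.

# withval_for ARG: what configure would put in $withval for ARG.
# autoconf maps --without-foo to "no", --with-foo to "yes" and
# --with-foo=VALUE to "VALUE"; an absent option leaves the variable empty.
withval_for() {
    case "$1" in
        --without-openssl) echo no ;;
        --with-openssl)    echo yes ;;
        --with-openssl=*)  echo "${1#--with-openssl=}" ;;
        *)                 echo '' ;;
    esac
}

# lax_openssl ARG: the logic quoted from configure.ac. It only looks for
# "no", so any other value (including the typo "useit") keeps OpenSSL.
lax_openssl() {
    withval=$(withval_for "$1")
    if test "x$withval" = "xno" ; then
        echo disabled
    else
        echo enabled
    fi
}

# strict_openssl ARG: accept only yes/no (or no option at all) and fail on
# anything else, the "raise an error if it is not yes" behaviour.
strict_openssl() {
    withval=$(withval_for "$1")
    case "$withval" in
        ''|yes) echo enabled ;;
        no)     echo disabled ;;
        *)      echo "configure: error: unexpected value '$withval' for --with-openssl" >&2
                return 1 ;;
    esac
}

# Demonstration: the lax check silently accepts a bogus value.
lax_openssl --with-openssl=useit
strict_openssl --with-openssl=useit || echo "strict check rejected it"
```

The same argument-passing behaviour applies to AC_ARG_ENABLE (`--enable-foo=VALUE` sets `$enableval`), so the stricter case statement is worth keeping whichever macro the option is moved to.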