[needs-packaging] openssh-x509 - native support for X.509 v3 certificates in openssh

Bug #893735 reported by Dan Kegel on 2011-11-22
This bug report is a duplicate of: Bug #719260: X509 support for openssh.
This bug affects 3 people

Bug Description

Some shops use x.509 certificates to restrict access to openssh.
(In fact, one shop I know of says that's how they kept a penetration tester from getting too far.)
Upstream openssh refuses to support that feature because they feel it would increase their attack surface (see http://lists.mindrot.org/pipermail/openssh-bugs/2008-June/006945.html ) and they encourage users who need this feature to apply the patch from Roumen ( http://roumenpetrov.info/openssh/ ).

Perhaps Ubuntu can package openssh-x509 as a separate package, so users who ask for normal openssh aren't subjecting themselves to the increased attack surface, and users who need it can get it.

Clint Byrum (clint-fewbar) wrote:

Hi Dan, this is a pretty interesting idea, thanks for bringing it up.

The best course of action would be to propose this as a package in Debian, and sign up to maintain it. This is a lot of delta from upstream that I don't think we'd want to carry in Ubuntu's main OpenSSH package, so it would need to be a forked package.

I suggest Debian, because there's no real reason this should only live in Ubuntu when some Debian users would benefit from it, and also would be able to help with the maintenance of it.

So, my recommendation would be to file a WNPP bug in Debian:


And then come back here and do an "Also Affects Distribution" with a link to that bug.

As it stands, I think this is most appropriately expressed in Ubuntu as a needs-packaging bug.

affects: openssh (Ubuntu) → ubuntu
Changed in ubuntu:
importance: Undecided → Wishlist
status: New → Confirmed
tags: added: needs-packaging
summary: - native support for X.509 v3 certificates in openssh
+ [needs-packaging] openssh-x509 - native support for X.509 v3
+ certificates in openssh