[needs-packaging] openssh-x509 - native support for X.509 v3 certificates in openssh
Bug #893735 reported by Dan Kegel
This bug affects 3 people
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
Ubuntu | Confirmed | Wishlist | Unassigned | (none)
Bug Description
Some shops use X.509 certificates to restrict access to openssh.
(In fact, one shop I know of says that's how they kept a penetration tester from getting too far.)
Upstream openssh refuses to support that feature because they feel it would increase their attack surface (see http://
Perhaps Ubuntu can package openssh-x509 as a separate package, so users who ask for normal openssh aren't subjecting themselves to the increased attack surface, and users who need it can get it.
Hi Dan, this is a pretty interesting idea, thanks for bringing it up.
The best course of action would be to propose this as a package in Debian, and sign up to maintain it. This is a lot of delta from upstream that I don't think we'd want to carry in Ubuntu's main OpenSSH package, so it would need to be a forked package.
I suggest Debian, because there's no real reason this should only live in Ubuntu when some Debian users would benefit from it, and also would be able to help with the maintenance of it.
So, my recommendation would be to file a WNPP bug in Debian:
http://www.debian.org/devel/wnpp/
And then come back here and do an "Also Affects Distribution" with a link to that bug.
As it stands, I think this is most appropriately expressed in Ubuntu as a needs-packaging bug.