Bug 187211
| Summary: | RFE: Include GSSAPI Key Exchange support in OpenSSH RPM | | |
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Simon Wilkinson <simon> |
| Component: | openssh | Assignee: | Jan F. Chadima <jchadima> |
| Status: | CLOSED UPSTREAM | QA Contact: | Brian Brock <bbrock> |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | | |
| Version: | rawhide | CC: | abo, Colin.Simpson, init, k.georgiou, zing |
| Target Milestone: | --- | Keywords: | FutureFeature |
| Target Release: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| URL: | http://www.sxw.org.uk/computing/patches/openssh.html | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | Enhancement |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2009-04-28 08:02:06 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | | | |
| Bug Blocks: | 195605 | | |
Description
Simon Wilkinson
2006-03-29 09:11:14 UTC
This is an interesting enhancement request; however, we generally prefer keeping our packages as close to upstream as possible. Was this patch submitted upstream to the openssh development mailing lists or bugzilla.mindrot.org? If yes, what was the upstream developers' reaction?

It was pushed upstream at the same time as the GSSAPI user authentication code. After a considerable amount of discussion, the OpenSSH folks elected to take only the user authentication code. Upstream were concerned about the complexity of the entire GSSAPI patch drop. A number of things got cut in order to simplify the code to meet their requirements (decent error reporting, for one). Unfortunately, they also couldn't be convinced of key exchange's benefits for those sites running Kerberos infrastructures.

Well, if they were concerned about the complexity of the entire GSSAPI patch, maybe they could accept the key exchange patch now that the client authentication part of the patch has already been there for a long time. Could you try to resubmit the patch to bugzilla.mindrot.org so it can be reconsidered? I also have one question: how can I disable the key exchange on the client side so the server is verified by the normal public key method?

I have a patch which I'll be submitting following the forthcoming 4.4 release. The new GSSAPI key-exchange patch includes support for the 'GSSAPIKeyExchange' option on the client, as well as the server, which should solve your second issue. I'll leave updating the 'I am providing the requested information' box until I have a bugzilla.mindrot.org bug to reference here.

I've added the patch to bugzilla.mindrot.org. In the hope of making it acceptable to them, it's a minimalist version of the patch I distribute from my website, without the other features that patch includes, which I'm breaking out into individual bugs on bugzilla.mindrot.org.

Can I second this request? It makes total sense for large sites.

If you want to lobby somewhere for this feature, please do that in the upstream bugzilla.mindrot.org.

This package has changed ownership in the Fedora Package Database. Reassigning to the new owner of this component.

If this is again being considered, can the "Cascading Credentials" part of the "Key Exchange" patch be considered at the same time? http://www.sxw.org.uk/computing/patches/openssh.html Both look like the correct thing to do, particularly in an IPA environment.

We believe that it is more appropriate for this issue to be resolved upstream. Red Hat will continue to track the issue in the centralized upstream bug tracker, and will review any bug fixes that become available for consideration in future updates. Thank you for the bug report.
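The client-side switch discussed in the thread, shown as an added configuration example; it is not part of the bug report, the Fedora package, or the patch's own documentation. It assumes an OpenSSH built with the GSSAPI key exchange patch, where `GSSAPIKeyExchange` is accepted in both `ssh_config` and `sshd_config`; the host names and realm are placeholders.

```sshconfig
# --- Client side: ~/.ssh/config (added example, host names are placeholders) ---

# Hosts inside the Kerberos realm: let the GSSAPI key exchange authenticate
# the server through its host/<fqdn>@REALM principal. No known_hosts entry
# is consulted for the server identity; the KDC is the trust anchor.
Host *.kerberos.example.com
    GSSAPIAuthentication yes
    GSSAPIKeyExchange yes

# Everything else: use the ordinary key exchange, so the server is verified
# by its host key against known_hosts as with unpatched OpenSSH.
Host *
    GSSAPIKeyExchange no
    StrictHostKeyChecking ask

# --- Server side: /etc/ssh/sshd_config (the server must offer GSSAPI kex,
# and needs a host/<fqdn>@REALM key in its keytab for the exchange to work) ---
#
# GSSAPIAuthentication yes
# GSSAPIKeyExchange yes
```

The security-relevant difference between the two `Host` blocks is what authenticates the server: with `GSSAPIKeyExchange yes` the client trusts a server that can prove possession of its Kerberos host principal, so a changed SSH host key goes unnoticed while a compromised KDC or keytab would; with `GSSAPIKeyExchange no` the patched client behaves like stock OpenSSH and falls back to host-key verification, which is the fallback the maintainer asked about.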