[Bug 893735] Re: native support for X.509 v3 certificates in openssh

Clint Byrum clint at fewbar.com
Tue Nov 22 20:02:02 UTC 2011


Hi Dan, this is a pretty interesting idea, thanks for bringing it up.

The best course of action would be to propose this as a package in
Debian, and sign up to maintain it. This is a lot of delta from upstream
that I don't think we'd want to carry in Ubuntu's main OpenSSH package,
so it would need to be a forked package.

I suggest Debian, because there's no real reason this should only live
in Ubuntu when some Debian users would benefit from it, and also would
be able to help with the maintenance of it.

So, my recommendation would be to file a WNPP bug in Debian:

http://www.debian.org/devel/wnpp/

And then come back here and do an "Also Affects Distribution" with a
link to that bug.

As it stands, I think this is most appropriately expressed in Ubuntu as
a needs-packaging bug.

** Package changed: openssh (Ubuntu) => ubuntu

** Changed in: ubuntu
   Importance: Undecided => Wishlist

** Changed in: ubuntu
       Status: New => Confirmed

** Tags added: needs-packaging

** Summary changed:

- native support for X.509 v3 certificates in openssh
+ [needs-packaging] openssh-x509 - native support for X.509 v3 certificates in openssh

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to openssh in Ubuntu.
https://bugs.launchpad.net/bugs/893735

Title:
  [needs-packaging] openssh-x509 - native support for X.509 v3
  certificates in openssh

Status in Ubuntu:
  Confirmed

Bug description:
  Some shops use X.509 certificates to restrict access to openssh.
  (In fact, one shop I know of says that's how they kept a penetration tester from getting too far.)
  Upstream openssh refuses to support that feature because they feel it would increase their attack surface (see http://lists.mindrot.org/pipermail/openssh-bugs/2008-June/006945.html ) and they encourage users who need this feature to apply the patch from Roumen ( http://roumenpetrov.info/openssh/ ).

  Perhaps Ubuntu can package openssh-x509 as a separate package, so
  users who ask for normal openssh aren't subjecting themselves to the
  increased attack surface, and users who need it can get it.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+bug/893735/+subscriptions
