[Bug 893735] [NEW] native support for X.509 v3 certificates in openssh
Dan Kegel
dank at kegel.com
Tue Nov 22 19:49:29 UTC 2011
Public bug reported:
Some shops use X.509 certificates to restrict access to openssh.
(In fact, one shop I know of says that's how they kept a penetration tester from getting too far.)
Upstream openssh refuses to support that feature because they feel it would increase their attack surface (see http://lists.mindrot.org/pipermail/openssh-bugs/2008-June/006945.html ) and they encourage users who need this feature to apply the patch from Roumen ( http://roumenpetrov.info/openssh/ ).
Perhaps Ubuntu can package openssh-x509 as a separate package, so users
who ask for normal openssh aren't subjecting themselves to the increased
attack surface, and users who need it can get it.
** Affects: openssh (Ubuntu)
Importance: Undecided
Status: New
https://bugs.launchpad.net/bugs/893735