[OmniOS-discuss] Switching to OpenSSH

Garrett D'Amore garrett.damore at dey-sys.com
Mon Jul 15 21:01:43 UTC 2013


On Jul 15, 2013, at 12:59 PM, "Paul B. Henson" <henson at acm.org> wrote:

> On 7/15/2013 11:31 AM, Eric Sproul wrote:
> 
>> from illumos-gate.  I'm not sure what other obstacles may lurk there
>> (integration with other major subsystems, like internationalization
>> maybe.)
> 
> From what I recall, the differences between openssh and sunssh were:
> 
> * privilege separation (I don't think there's any technical reason why one approach works better on Solaris than the other, or that one couldn't be dropped in to replace the other; it was more a matter of the Sun folk at the time not liking the openssh approach)

The openssh approach didn't integrate well, IIRC, with Sun PAM, and I think privsep was part of the problem.

> 
> * locale - sunssh supports language negotiation as defined in RFC 4253, I'm not sure if openssh does yet
> 
> * sunssh is integrated into the Solaris auditing framework
> 
> * sunssh uses the Solaris cryptographic framework rather than openssl, which historically gave it access to hardware acceleration that openssh didn't use, but I think openssl supports the same framework now

Actually, I'm pretty sure that sunssh was relying on Sun's openssl port to get this.  I don't think sunssh calls directly into the crypto framework.  (Could be mistaken, of course.)

> 
> I think the only real killer would be the auditing support, if somebody was leveraging that.

That's probably a show-stopper.

I'd be very careful to make sure that OpenSSH works properly with Sun's PAM support.  Probably that's where the auditing support is required as well.

	- Garrett
