[Bug 893735] [NEW] native support for X.509 v3 certificates in openssh

Dan Kegel dank at kegel.com
Tue Nov 22 19:49:29 UTC 2011


Public bug reported:

Some shops use X.509 certificates to restrict access to openssh.
(In fact, one shop I know of says that's how they kept a penetration tester from getting too far.)
Upstream openssh refuses to support that feature because they feel it would increase their attack surface (see http://lists.mindrot.org/pipermail/openssh-bugs/2008-June/006945.html), and they encourage users who need this feature to apply the patch from Roumen (http://roumenpetrov.info/openssh/).

Perhaps Ubuntu can package openssh-x509 as a separate package, so users
who ask for normal openssh aren't subjecting themselves to the increased
attack surface, and users who need it can get it.

** Affects: openssh (Ubuntu)
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to openssh in Ubuntu.
https://bugs.launchpad.net/bugs/893735
