OpenSSH 8.9p1 deprecated variants cleanup feedback request

Clemens Lang cal at macports.org
Wed Mar 16 22:54:05 UTC 2022


On Mon, Mar 14, 2022 at 10:14:05PM +0000, grey wrote:
> What do others think? Feedback is welcome! I didn't mean to harsh on
> Renee in the PR comments either, but Renee was pretty up front about
> not actually using the OpenSSH port, so I would mostly appreciate
> perspective from individuals who do actually use the OpenSSH port and
> have some "skin in the game" as the idiomatic expression goes.
> 
> For the life of me, I can't really see much good coming from the
> +gsskex/GSSAPI variant, but I also do not presently administer any
> Kerberos related infrastructure at the moment (thankfully, if slightly
> tangentially, I also do not administer any yp related infrastructure
> these days anymore and can blissfully only recall them and their
> associated security holes with ypcat abuses as distant early 1990s
> memories now).

As somebody who's done a few openssh Portfile updates in the past, the
gsskex and hpn patches have always been a pain, and I've been in favor
of dropping them before. Maybe now the time has finally come to get rid
of them.

I happen to have access to a few Kerberos-enabled SSH servers, and can
report that the existing +kerberos5 variant is sufficient to allow
connecting using an existing Kerberos ticket.

The only benefits provided by the gsskex patch on top of that are:
 - no trust on first use for the hostkey, since the server is
   authenticated during the Kerberos exchange
 - credential delegation (basically SSH agent forwarding for Kerberos)

I believe people used to claim a speed advantage, but I'm not sure
that's a big reason anymore these days, considering ECDH is fast and
widely available.

Other distributions [1] seem to still be shipping the patch, but they
may have more manpower to maintain it. I'll try to remember to ask the
authors of RFC 8732 for their opinion on this tomorrow.

Overall, I'm in favor of dropping this. A Kerberos corner case used by
very few people should not block us from applying security updates for
the majority of the users, but that is what has happened multiple times
now. Additionally, the patch does not provide a lot of additional value,
IMO, since Kerberos auth still works without it. If somebody wants to
step up to maintain a copy of openssh with the gsskex patch, they can
submit a separate Portfile.

[1]: https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/openssh.spec#_137