OpenSSH 8.9p1 deprecated variants cleanup feedback request

Fri Mar 18 17:44:28 UTC 2022

Having also spent time with the OpenSSH port to add Fido support we should
just drop the hard-to-maintain variants is my view.

On Wed, Mar 16, 2022 at 3:54 PM Clemens Lang <cal at macports.org> wrote:

> On Mon, Mar 14, 2022 at 10:14:05PM +0000, grey wrote:
> > What do others think? Feedback is welcome! I didn't mean to harsh on
> > Renee in the PR comments either, but Renee was pretty up front about
> > not actually using the OpenSSH port, so I would mostly appreciate
> > perspective from individuals who do actually use the OpenSSH port and
> > have some "skin in the game" as the idiomatic expression goes.
> >
> > For the life of me, I can't really see much good coming from the
> > +gsskex/GSSAPI variant, but I also do not presently administer any
> > Kerberos related infrastructure at the moment (thankfully, if slightly
> > tangentially, I also do not administer any yp related infrastructure
> > these days anymore and can blissfully only recall them and their
> > associated security holes with ypcat abuses as distant early 1990s
> > memories now).
>
> As somebody who's done a few openssh Portfile updates in the past, the
> gsskex and hpn patches have always been a pain, and I've been in favor
> of dropping them before. Maybe now the time has finally come to get rid
> of them.
>
> I happen to have access to a few Kerberos-enabled SSH servers, and can
> report that the existing +kerberos5 variant is sufficient to allow
> connecting using an existing kerberos ticket.
>
> The only benefits provided by the gsskex patch on top of that are:
>  - no trust on first use for the hostkey, since the server is
>    authenticated during the kerberos exchange
>  - credential delegation (basically SSH agent forwarding for Kerberos)
> I believe people used to claim a speed advantage, but I'm not sure
> that's a big reason anymore these days, considering ECDH is fast and
> widely available.
>
> Other distributions [1] seem to still be shipping the patch, but they
> may have more manpower to maintain it. I'll try to remember to ask the
> authors of RFC 8732 for their opinion on this tomorrow.
>
> Overall, I'm in favor of dropping this. A kerberos corner case used by
> very few people should not block us from applying security updates for
> the majority of the users, but that is what has happened multiple times
> now. Additionally, the patch does not provide a lot of additional value,
> IMO, since kerberos auth still works without it. If somebody wants to
> step up to maintain a copy of openssh with the gsskex patch, they can
> submit a separate Portfile.
>
> [1]:
> https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/openssh.spec#_137
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.macports.org/pipermail/macports-dev/attachments/20220318/20161335/attachment.htm>