[OmniOS-discuss] openssh on omnios

Basil Crow basil.crow at delphix.com
Thu Sep 10 23:47:55 UTC 2015


Hi Dan and Lauri,

On Thu, Sep 3, 2015 at 2:55 PM, Dan McDonald <danmcd at omniti.com> wrote:
> I knew Joyent was working on this.  I hope they upstream it soon.  I have 7.1p1 in the upcoming bloody, with only the light patching already in omnios-build, plus the recent Lauri T changes.

Joyent's patches to OpenSSH are here:

    https://github.com/joyent/illumos-extra/tree/master/openssh/Patches

These patches make OpenSSH play nicer with the illumos PAM
implementation and privilege model and add backwards compatibility
with SunSSH, among other things.

I recently upgraded Delphix's illumos distribution to use the OpenSSH
package in OmniOS bloody. The transition hasn't been without some
pain. For example, we realized that older SunSSH clients can't connect
to modern OpenSSH servers with default settings (illumos issue #5283).
Joyent has a patch that uses the key exchange compatibility mechanism
to recognize old SunSSH versions and present a key exchange proposal
that always includes the dh-group14 and dh-group1 algorithms
(0031-Compatibility-for-SunSSH_1.5-should-include-old-DH-K.patch). We
also realized that some of our tests were relying on the old SunSSH
locale negotiation behavior to propagate locale settings from the SSH
client to the SSH server. Joyent has a patch that preserves most of
the old SunSSH locale negotiation behavior
(0032-Accept-LANG-and-LC_-environment-variables-from-clien.patch).

It would be great if some or all of Joyent's patches could be added to
the OpenSSH build scripts in bloody. The various PAM- and privilege-
related patches seem critical. While we can live without the backwards
compatibility patches (and have been fixing our ecosystem to not rely
on any SunSSH-specific functionality), having them would probably
significantly ease the migration for most users.

Basil
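
The following is an added example, not part of the original message and not code from Joyent's patches: a Python model of the behaviour described above, where the server widens its key exchange proposal only for peers whose version banner marks them as legacy clients. The banner pattern, the banner strings and all algorithm lists are constructed assumptions chosen for illustration, and the negotiation ignores the host key requirements of RFC 4253.

```python
import re

# Constructed, shortened lists; not the actual defaults of any OpenSSH or SunSSH release.
SERVER_DEFAULT_KEX = [
    "curve25519-sha256@libssh.org",
    "ecdh-sha2-nistp256",
    "diffie-hellman-group-exchange-sha256",
]
LEGACY_KEX = ["diffie-hellman-group14-sha1", "diffie-hellman-group1-sha1"]
OLD_CLIENT_KEX = ["diffie-hellman-group-exchange-sha1", "diffie-hellman-group1-sha1"]
MODERN_CLIENT_KEX = ["curve25519-sha256@libssh.org", "diffie-hellman-group14-sha1"]

# Hypothetical banner pattern for legacy clients (assumption, not taken from the patch).
LEGACY_BANNER = re.compile(r"^SSH-2\.0-Sun_SSH_1\.")


def server_proposal(client_banner, compat=True):
    """Server KEX list; legacy DH groups are appended only for recognised peers."""
    proposal = list(SERVER_DEFAULT_KEX)
    if compat and LEGACY_BANNER.match(client_banner):
        proposal += [alg for alg in LEGACY_KEX if alg not in proposal]
    return proposal


def negotiate(client_kex, server_kex):
    """RFC 4253 section 7.1: pick the first client algorithm the server also lists."""
    for alg in client_kex:
        if alg in server_kex:
            return alg
    return None  # no algorithm in common: the connection attempt fails


def audit(peers, compat=True):
    """Map each peer banner to the algorithm that peer would end up using."""
    return {banner: negotiate(kex, server_proposal(banner, compat))
            for banner, kex in peers}


if __name__ == "__main__":
    peers = [  # constructed sample peers
        ("SSH-2.0-Sun_SSH_1.5", OLD_CLIENT_KEX),
        ("SSH-2.0-OpenSSH_7.1", MODERN_CLIENT_KEX),
    ]
    for compat in (False, True):
        print("compat" if compat else "default", audit(peers, compat))
```

Because the legacy groups are added per peer rather than to the global list, a client that is not recognised as legacy never sees dh-group1 in the server's proposal.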

