[OmniOS-discuss] openssh on omnios

Alex Wilson alex at cooperi.net
Fri Sep 11 16:49:32 UTC 2015


Basil Crow <basil.crow at delphix.com> wrote:
> These patches make OpenSSH play nicer with the illumos PAM
> implementation and privilege model and add backwards compatibility
> with SunSSH, among other things.
> 
> I recently upgraded Delphix's illumos distribution to use the OpenSSH
> package in OmniOS bloody. The transition hasn't been without some
> pain. For example,... <snip>
> 
> It would be great if some or all of Joyent's patches could be added to
> the OpenSSH build scripts in bloody.

While OmniOS is perfectly welcome to grab our patches, I want to make sure I
share this warning with everyone: we are still ironing out all the problems
with these patches at the moment, and they can change fairly rapidly. If you
don’t want to come along for the whole ride with us (and update it a lot),
I’d probably recommend holding off for a SmartOS release cycle or two (i.e.,
about a month or so).

At that time we’d like to start a conversation about upstreaming with
Illumos anyway, and what the picture going forwards should be for SSH in the
Illumos gate. But I want to head into that conversation with a patched
OpenSSH that works and does what we need it to do.

As noted in the README in illumos-extra, there are a few of the patches that
I would like to clean up and propose to upstream OpenSSH for integration,
too (such as dropping Illumos/Solaris privileges where appropriate).

> The various PAM- and privilege-related patches seem critical. While we can
> live without the backwards compatibility patches (and have been fixing our
> ecosystem to not rely on any SunSSH-specific functionality), having them
> would probably significantly ease the migration for most users.

In a lot of ways the other distros have an easier time with these
compatibility problems than SmartOS. Because we boot as a read-only live
image we don’t currently have any means to perform config migration or give
users information while they upgrade — and it’s unclear what upgrade
actually means, because users are largely used to being able to just boot
onto whatever platform image they downloaded, whether older or newer.

OmniOS probably doesn’t necessarily need as strict a religion of config
backwards-compat as that which we’re subscribing to at the moment. I think
the rest of the distro maintainers are also going to have other opinions
about which parts of the compatibility problem they want to deal with and
which parts they do not — and this is why I think the model going forwards
should be distros providing SSH and not the Illumos-gate.

But I think we can have more of that conversation after everything is
working and well-tested.

