[OmniOS-discuss] openssh on omnios

Gary Gendel gary at genashor.com
Fri Sep 11 17:12:11 UTC 2015 

Alex,

A very sane response.  Thanks.

Gary

On 09/11/2015 12:49 PM, Alex Wilson wrote:
> Basil Crow <basil.crow at delphix.com> wrote:
>> These patches make OpenSSH play nicer with the illumos PAM
>> implementation and privilege model and add backwards compatibility
>> with SunSSH, among other things.
>>
>> I recently upgraded Delphix's illumos distribution to use the OpenSSH
>> package in OmniOS bloody. The transition hasn't been without some
>> pain. For example,... <snip>
>>
>> It would be great if some or all of Joyent's patches could be added to
>> the OpenSSH build scripts in bloody.
> While OmniOS is perfectly welcome to grab our patches, I want to make sure I
> share this warning with everyone: we are still ironing out all the problems
> with these patches at the moment, and they can change fairly rapidly. If you
> don’t want to come along for the whole ride with us (and update it a lot),
> I’d probably recommend holding off for a SmartOS release cycle or two (i.e.,
> about a month or so)
>
> At that time we’d like to start a conversation about upstreaming with
> Illumos anyway, and what the picture going forwards should be for SSH in the
> Illumos gate. But I want to head into that conversation with a patched
> OpenSSH that works and does what we need it to do.
>
> As noted in the README in illumos-extra, there are a few of the patches that
> I would like to clean up and propose to upstream OpenSSH for integration,
> too (such as dropping Illumos/Solaris privileges where appropriate).
>
>> The various PAM- and privilege-related patches seem critical. While we can
>> live without the backwards compatibility patches (and have been fixing our
>> ecosystem to not rely on any SunSSH-specific functionality), having them
>> would probably significantly ease the migration for most users.
> In a lot of ways the other distros have an easier time with these
> compatibility problems than SmartOS. Because we boot as a read-only live
> image we don’t currently have any means to perform config migration or give
> users information while they upgrade — and it’s unclear what upgrade
> actually means, because users are largely used to being able to just boot
> onto whatever platform image they downloaded, whether older or newer.
>
> OmniOS probably doesn’t necessarily need as strict a religion of config
> backwards-compat as that which we’re subscribing to at the moment. I think
> the rest of the distro maintainers are also going to have other opinions
> about which parts of the compatibility problem they want to deal with and
> which parts they do not — and this is why I think the model going forwards
> should be distros providing SSH and not the Illumos-gate.
>
> But I think we can have more of that conversation after everything is
> working and well-tested.
> _______________________________________________
> OmniOS-discuss mailing list
> OmniOS-discuss at lists.omniti.com
> http://lists.omniti.com/mailman/listinfo/omnios-discuss


-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 3699 bytes
Desc: S/MIME Cryptographic Signature
URL: <https://omniosce.org/ml-archive/attachments/20150911/c5e27fd7/attachment.bin>

More information about the OmniOS-discuss mailing list