OK, so this is a lot of code. Aside from the questions of "does this need to be in SSH or in something external": right, this claims to implement a subset of RFC7512. How about we be specific about what that subset is? Are we going to support piped arbitrary commands like is hinted at in there?
> OK, so this is a lot of code

It's moving a lot of code around. And almost half of the code is tests.

> does this need to be in SSH or in something external

We discussed this last year in Munich, but nobody in the room was very much in favor of going in this direction. Something external would be a pkcs11-provider. It would make a lot of things much easier, but would not play well with the other *SSL forks and would not play well with the process/address space separation implemented currently.

> How about we be specific about what that subset is?

It can be clarified if needed. The idea was "the useful subset" without introducing too much complexity.

> Are we going to support piped arbitrary commands like is hinted to in there?

I hope not.
This is a rebase of the patch provided in #2817 by @Jakuje onto the OpenSSH 10.2/master branches.
The patch has been tested in RHEL/Fedora for a while and I'm not aware of any problems.