Re: hostbased authentication in libssh
- Subject: Re: hostbased authentication in libssh
- From: Aris Adamantiadis <aris@xxxxxxxxxxxx>
- Reply-to: libssh@xxxxxxxxxx
- Date: Wed, 15 Feb 2017 19:59:40 +0100
- To: libssh@xxxxxxxxxx
Hi,

I'm not sure how ssh-keysign works, but I'm sure you could make it work with ssh-agent, which libssh currently supports. Whatever external or internal support tool you're using, there is no licensing issue because
a/ libssh is LGPL, which is very open to linking against closed source software
b/ it wouldn't even be linked with ssh-keysign
c/ GPL/LGPL and BSD go well together.

ssh-keysign is totally not part of the standards. I suspect the OpenSSH devs are not very fond of host-based authentication.

Regards,

Aris

On 15/02/17 19:52, DeJager, Christopher Alan wrote:
> Andreas,
>
> I looked into implementing hostbased authentication in libssh. For now I
> am going to take a different route for our project but I do have a
> comment/question, in case I or someone else gets around to it.
>
> Hostbased authentication depends on the private host keys which a user
> program cannot read. Openssh's client execs a binary called ssh-keysign
> which has the SUID bit set and then authenticates with the help of that
> program. Could libssl be dependent on the system binary for ssh-keysign or
> would a LGPL2 version of ssh-keysign need to be written to be packaged
> with libssl?
>
> Unfortunately this might be out of the scope of libssl because I don't
> know of a neat solution. Relying on ssh-keysign is questionable because I
> have not looked to see if that is a standard interface in ssh or if it is
> just the whim of openssh and could change, I suspect it is the latter. If
> libssh includes a ssh-keysign like binary then the binary would need to
> be installed in a known location on the system for the library to be fully
> functional.
>
> Thank you,
hostbased authentication in libssh | "DeJager, Christopher Alan" <dejager@xxxxxxxx> |
Re: hostbased authentication in libssh | Andreas Schneider <asn@xxxxxxxxxxxxxx> |
Re: hostbased authentication in libssh | "DeJager, Christopher Alan" <dejager@xxxxxxxx> |