Wandering Thoughts archives

2016-09-27

WhySwitchToOpenSSH

Why we're going to switch from SunSSH to OpenSSH on our fileservers

For a long time, the version of SSH in Illumos (and almost all derived versions) has been a version that Sun branched from OpenSSH years ago. This has various drawbacks, including that no one was working on it any more. Recently, Illumos removed SunSSH (in Illumos #7293) in favour of a more or less current version of OpenSSH that the community was already packaging and supporting. One of the pieces of fallout from this is that we are planning to switch our fileservers over from SunSSH to OpenSSH.

In theory this is unnecessary. We're running OmniOS r151014, which is just new enough to have support for switching to OpenSSH at all but which isn't (or wasn't) new enough to have OpenSSH as the default. SunSSH itself is only disappearing in the next version of OmniOS. And we really don't like changing the fileservers (we mostly consider them appliances), plus we have a mount authentication system built on top of ssh. Nominally we could keep running our systems just as they are.

In practice we consider this too risky. If there ever is any real security issue in SunSSH (assuming that there isn't already one), we expect the OmniOS response to be 'switch to OpenSSH, it's supported and basically a transparent shift'. This is perhaps against the spirit of a long term support release, but at the same time we can't expect miracles (especially as non-paying non-customers). It's clear that SunSSH is abandoned software and abandoned software just doesn't get maintenance. So we'd rather go through a planned and carefully tested shift now rather than be forced to make a sudden shift in an emergency, even if we'd sort of rather leave the whole situation alone.

(I admit that I'm looking forward to the various improvements we'll get with the shift. SunSSH is old enough that it can't talk to stock modern OpenSSH servers because OpenSSH has deprecated even the best key exchange algorithms SunSSH supports. I'm also hopeful that the OmniOS version of OpenSSH will have the significant performance improvements I saw in the Linux version the last time I tested the speeds here. And I plain like ED25519 keys, for various reasons.)

(One comment.)
solaris/WhySwitchToOpenSSH written at 00:18:08; Add Comment

(Previous day | Next day)
By day for September 2016: 2 3 4 5 6 8 9 10 11 12 13 14 15 16 17 18 19 20 22 23 25 27 28 29 30; before September; after September.

These are my WanderingThoughts
(About the blog)

Full index of entries
Recent comments

This is part of CSpace, and is written by ChrisSiebenmann.
Mastodon: @cks
Twitter @thatcks

* * *

Categories: links, linux, programming, python, snark, solaris, spam, sysadmin, tech, unix, web
Also: (Sub)topics

This is a DWiki.
GettingAround
(Help)

Search:
Page tools: See As Normal.
Search:
Login: Password:
Atom Syndication: Recent Pages, Recent Comments.
This dinky wiki is brought to you by the Insane Hackers Guild, Python sub-branch.