Hi,
On Wednesday, 14 March 2012, 08:59:33, Stephen Gallagher wrote:
SSSD is designed to have support for multiple cryptography
libraries.
Originally we built in support for both Mozilla NSS and libcrypto.
However, over the last several releases, libcrypto support has fallen
by the wayside and there is now a notable feature disparity between
versions of SSSD built against Mozilla NSS and versions built against
libcrypto.
The basic functionality still works (we have support for caching
credentials using a SHA512 algorithm provided by either library), but
some of the more advanced features do not.
For example:
1. Support for obfuscated passwords in the sssd.conf requires Mozilla
NSS(*)
2. Support for centrally-managed SSH public keys requires a BASE64
encode/decode routine and in 1.8.2 will add a SHA1 hash routine. There
is no equivalent available in libcrypto at this time.
Going forward, the core upstream for SSSD (all of whom run on Fedora
and RHEL systems which have been consolidated on Mozilla NSS for some
time) is planning to formally drop support for libcrypto. However,
we're certainly willing to continue supporting it if someone else is
willing to own the maintenance on it. Thus, I am CCing the maintainers
of SSSD in non-Fedora/RHEL distributions that I know of. If anyone
here is relying on libcrypto support and is willing to take over its
maintenance, please speak up.
As much as I like to have libcrypto support staying in sssd, I
currently don't have any time left to work on this. So unless somebody
else steps up I guess I'll just have to live with that decision.
(*) I consider this a misfeature imposed upon us by incompetent
auditors, but it's still a checkbox on someone's list.
:) Agreed.
regards,
Ralf