SSSD is designed to have support for multiple cryptography libraries. Originally we built in support for both Mozilla NSS and libcrypto. However, over the last several releases, libcrypto support has fallen by the wayside and there is now a notable feature disparity between versions of SSSD built against Mozilla NSS and versions built against libcrypto.
The basic functionality still works (we have support for caching credentials using a SHA512 algorithm provided by either library), but some of the more advanced features do not. For example:

1. Support for obfuscated passwords in the sssd.conf requires Mozilla NSS(*)
2. Support for centrally-managed SSH public keys requires a BASE64 encode/decode routine and in 1.8.2 will add a SHA1 hash routine. There is no equivalent available in libcrypto at this time.

Going forward, the core upstream for SSSD (all of whom run on Fedora and RHEL systems which have been consolidated on Mozilla NSS for some time) is planning to formally drop support for libcrypto. However, we're certainly willing to continue supporting it if someone else is willing to own the maintenance on it.

Thus, I am CCing the maintainers of SSSD in non-Fedora/RHEL distributions that I know of. If anyone here is relying on libcrypto support and is willing to take over its maintenance, please speak up.

(*) I consider this a misfeature imposed upon us by incompetent auditors, but it's still a checkbox on someone's list.
_______________________________________________
sssd-devel mailing list
sssd-devel@lists.fedorahosted.org
https://fedorahosted.org/mailman/listinfo/sssd-devel