[OE-core] [PATCH 1/2] [oe-core] openssh: make OpenSSL optional

Max Kellermann max+openembedded at blarg.de
Thu Sep 20 14:22:15 UTC 2018


On 2018/09/20 16:11, Alexander Kanavin <alex.kanavin at gmail.com> wrote:
> I don't object to the patch (except it would need to be rebased on top
> of the openssl 1.1 patch), but I would like to know a bit more.

Ok, I'll do that once that one is merged.

> What is ed25519? Can a client that supports only that connect to most
> or all servers? Can a server that supports only that accept
> connections from most or all clients? Are any features lost?

It is a newer public key type, supported since OpenSSH 6.5
(https://www.openssh.com/txt/release-6.5).  The crypto math behind it
was designed by Daniel Bernstein (https://ed25519.cr.yp.to/).

Usually, OpenSSH uses OpenSSL for some of its crypto, but it can use
ed25519 natively without OpenSSL.  This means you can eliminate
OpenSSL completely in some images, without having to omit OpenSSH as
well.

The downside is that a binary compiled without OpenSSL understands
only ed25519 keys, and nothing else.  That means the server will only
be able to accept ed25519 public keys, but not RSA/DSA.  That's ok for
some people who will only use ed25519 anyway (like me).  For others,
it might be a good reason to switch to ed25519 (which is allegedly
more secure than RSA).

Max
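As an added example (not part of this thread or of the patch), a small Python audit of an authorized_keys file that flags the entries an ed25519-only sshd, i.e. OpenSSH built without OpenSSL as described above, could not accept before such an image is rolled out. The function names are my own, and the file content and key blobs are constructed wire-format strings, not real keys.

```python
import base64
import re

# Key types OpenSSH handles natively, without OpenSSL (per the thread above).
NATIVE_TYPES = {"ssh-ed25519"}
KEY_TYPE_PREFIXES = ("ssh-", "ecdsa-", "sk-")
# Whitespace-separated fields, but a double-quoted option value may contain spaces.
FIELD_RE = re.compile(r'(?:[^\s"]+|"[^"]*")+')


def parse_authorized_key(line):
    """Parse one authorized_keys line; returns None for blank and comment lines."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    fields = FIELD_RE.findall(line)
    idx = next((i for i, f in enumerate(fields) if f.startswith(KEY_TYPE_PREFIXES)), None)
    if idx is None or idx + 1 >= len(fields):
        raise ValueError("no key type/blob in line: " + line)
    blob = base64.b64decode(fields[idx + 1], validate=True)
    tlen = int.from_bytes(blob[:4], "big")  # wire format: first string is the key type
    if len(blob) < 4 + tlen:
        raise ValueError("truncated key blob in line: " + line)
    return {"options": " ".join(fields[:idx]), "type": fields[idx],
            "blob_type": blob[4:4 + tlen].decode("ascii"),
            "comment": " ".join(fields[idx + 2:])}


def audit_authorized_keys(text):
    """Return (line_no, declared type, usable) per key; usable = an ed25519-only sshd could accept it."""
    out = []
    for n, line in enumerate(text.splitlines(), 1):
        e = parse_authorized_key(line)
        if e is not None:  # a declared-type/blob-type mismatch is treated as unusable too
            out.append((n, e["type"], e["type"] == e["blob_type"] and e["type"] in NATIVE_TYPES))
    return out


def _fake_blob(key_type, *fields):
    """Constructed SSH wire-format blob (length-prefixed strings); NOT a real key."""
    raw = b"".join(len(f).to_bytes(4, "big") + f for f in (key_type.encode(),) + fields)
    return base64.b64encode(raw).decode()


SAMPLE = "\n".join([  # constructed authorized_keys content for the demo
    "# keys for an image built without OpenSSL",
    "ssh-ed25519 " + _fake_blob("ssh-ed25519", b"\x01" * 32) + " alice@laptop",
    'command="/usr/bin/backup",no-pty ssh-rsa ' + _fake_blob("ssh-rsa", b"\x01\x00\x01", b"\x00" * 64),
    "ecdsa-sha2-nistp256 " + _fake_blob("ecdsa-sha2-nistp256", b"nistp256", b"\x04" * 65),
])
```

Running `audit_authorized_keys(SAMPLE)` reports the RSA and ECDSA entries as unusable; only the ed25519 entry survives the switch.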
