There’s quite a lot of programs that make use of XDG_CONFIG, with the default set to .config in most distros. However, there are also quite a few programs that have rejected this, sticking with a format that is not XDG-conforming.

One such example is OpenSSH, as can be seen in the following page: it makes use of the ~/.ssh directory. Why is it that OpenSSH does not conform to this specification? Are there any security vulnerabilities? If so, then shouldn’t there be another specification by Freedesktop.org, which allots a secure directory for the same?

  • OsrsNeedsF2P@lemmy.ml · 7 up / 6 down · 1 year ago

    So the Arch Linux Wiki page you shared actually had a source, but the OpenSSH maintainers hid it because it got brigaded (if I had to guess, by this Hacker News post). Anyways, here’s the latest archive (I also edited the wiki to include it), it’s a BS reason: https://web.archive.org/web/20190925004614/https://bugzilla.mindrot.org/show_bug.cgi?id=2050

    Please support FreeDesktop.org XDG basedir specification for openssh

    No.

    OpenSSH (and its ancestor ssh-1.x) have a 17 year history of using ~/.ssh. This location is baked into innumerable users’ brains, millions of happily working configurations and countless tools.

    Changing the location of our configuration would require a very strong justification, and following a trend of desktop applications (of which OpenSSH is not one) is not sufficient.

    Please notice that backward compatibility can be preserved by continuing to use ~/.ssh if it exists but using/creating XDG dirs if it does not exist.

    So tools and users need to hunt in two places for configuration that has security ramifications? That makes it even less palatable…
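Added example (not from this thread, and not OpenSSH code) showing what the fallback proposed in that bug report actually means for a tool: it has to search the legacy directory first and the XDG one second, and whichever it lands on still has to pass the same permission checks ssh applies to ~/.ssh (ssh refuses private keys readable by group or others). The XDG_CONFIG_HOME rule (honoured only if set and absolute, otherwise $HOME/.config) is from the XDG Base Directory spec; the `ssh` subdirectory under XDG_CONFIG_HOME is a hypothetical name for illustration, since no such location exists in OpenSSH. The sample key files in `demo_audit` are constructed placeholders.

```python
import os
import stat
import tempfile

# Legacy location OpenSSH uses today.
LEGACY_SUBDIR = ".ssh"
# XDG Base Directory spec default when XDG_CONFIG_HOME is unset or not absolute.
XDG_DEFAULT_SUBDIR = ".config"
# Hypothetical application subdirectory under XDG_CONFIG_HOME; OpenSSH has no such path.
APP_SUBDIR = "ssh"


def xdg_config_home(env, home):
    """XDG_CONFIG_HOME per the spec: honoured only if set and absolute, else $HOME/.config."""
    value = env.get("XDG_CONFIG_HOME", "")
    if value and os.path.isabs(value):
        return value
    return os.path.join(home, XDG_DEFAULT_SUBDIR)


def candidate_dirs(env, home):
    """Every directory a tool would have to search under the proposed fallback, in order."""
    return [os.path.join(home, LEGACY_SUBDIR),
            os.path.join(xdg_config_home(env, home), APP_SUBDIR)]


def resolve_config_dir(env, home, exists=os.path.isdir):
    """First existing candidate, else the XDG location (the one a tool would create).

    `exists` is injectable so the resolution logic can be tested without touching disk.
    """
    cands = candidate_dirs(env, home)
    for d in cands:
        if exists(d):
            return d
    return cands[-1]


def insecure_perms(mode):
    """True when any group or other permission bit is set (the condition ssh rejects for keys)."""
    return bool(mode & (stat.S_IRWXG | stat.S_IRWXO))


def audit_dir(path):
    """List (name, octal mode) for the directory itself and each entry with group/other access."""
    findings = []
    if not os.path.isdir(path):
        return findings
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if insecure_perms(mode):
        findings.append((".", oct(mode)))
    for name in sorted(os.listdir(path)):
        mode = stat.S_IMODE(os.stat(os.path.join(path, name)).st_mode)
        if insecure_perms(mode):
            findings.append((name, oct(mode)))
    return findings


def demo_audit():
    """Build a constructed sample directory (two dummy key files) and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        d = os.path.join(tmp, APP_SUBDIR)
        os.mkdir(d, 0o700)
        os.chmod(d, 0o700)  # apply explicitly; mkdir's mode is subject to umask
        for name, mode in (("id_ed25519", 0o600), ("id_rsa", 0o644)):
            p = os.path.join(d, name)
            with open(p, "w") as fh:
                fh.write("constructed placeholder, not a real key\n")
            os.chmod(p, mode)
        return audit_dir(d)  # only id_rsa (0o644) is flagged


if __name__ == "__main__":
    print("would use:", resolve_config_dir(os.environ, os.path.expanduser("~")))
    print("demo audit findings:", demo_audit())
```

The point the maintainer makes is visible in `candidate_dirs`: once two locations are legitimate, every tool that reads ssh configuration, and every audit of key permissions, has to check both, and a stale ~/.ssh left behind after a migration still gets picked first.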

    • Draghetta@sh.itjust.works · 20 up / 1 down · edited · 1 year ago

      They are not BS reasons; they are just reasons you don’t like. The OpenBSD team (those behind OpenSSH) are very conservative to the point of being almost reactionary, and that’s great for the kind of software they make. OpenBSD defines itself as “boring”, in a good way.

      Coming from a Linux world it may seem weird, as around Linux innovation is praised more than improvement, so we end up with a bunch of shiny new software with a lot of growing pains, while BSDs tend to be avant-garde on some technical aspects but at the same time very wary of novelty. OpenBSD in particular takes this to the next level, with most development still happening on CVS and many other quirks that would baffle most Linux users.

      To each their own. Personally when it’s security stuff I like it boring. I’ve been using openssh since version 2.x and the muscle memory built 20 years ago is still serving me.

      Edit: just to be clear, for ssh Linux is a second class citizen. On our distros we run a special (less secure) “portable” version of ssh that they release for us poor peasants. OpenSSH is an OpenBSD tool first, everything else after.