Domain: openssh.com
Stories and comments across the archive that link to openssh.com.
Comments · 149
-
Re:Run your windows updates!
-
Cheap FreeBSD propaganda
FreeBSD is worth advocating, but I bet the average BSD connoisseur can come up with better arguments. The article is full of stereotypes and garbage. I really wonder if the author really took an hour to visit the WEBSITES, let alone experimenting with the systems by himself:
The new FreeBSD 5 branch offers some exciting technology, generally regarded as comparable with or superior to what is offered in Linux...while plans for FreeBSD 4.12 are on the backburner should FreeBSD 5 not achieve -STABLE status by the fourth quarter of 2005.
What a fair comparison, let's benchmark STABLE technology available in Linux by the end of 2004 with technology that might be stable in FreeBSD by the end of 2005!
[NetBSD] it's currently at version 2.6.1, with aggressive testing on the new NetBSD 2.0 promising fruition by the first half of 2005...Those familiar with NetBSD swear by it, though its use in serious environments is limited.
OK, first of all, NetBSD is at version 1.6.2, not 2.6.1, and if you are looking for "serious environments", what if I tell you that the world's fastest computer is running NetBSD? Maybe NASA's Lewis Research Center, NEC Europe and Sony Japan do not count as "serious environments". http://www.netbsd.org/gallery/research.html.
Forking from NetBSD in 1995 after a very heated -- and embarrassing -- personal argument, OpenBSD's one and only focus is to offer security. Every line of code is hand-audited and, as the site claims, there hasn't been a hole in the default install in over seven years. Striking a balance in hardware support somewhere between FreeBSD and NetBSD, OpenBSD runs on very few platforms and even then only in single-processor mode.
I don't know who got embarrassed w/ that argument, but certainly not Theo since he keeps a record of it on his own personal website for visitors to see: http://zeus.theos.com/deraadt/coremail.html. There hasn't been a hole in the default install in over EIGHT years, not seven.
OpenBSD runs on very few platforms and even then only in single-processor mode
OpenBSD runs on more platforms than FreeBSD!!! http://www.openbsd.org/plat.html
OpenBSD isn't acceptable as a desktop system or 3D workstation, however...One factor that mars OpenBSD's fair weather is its primary developer, Theo de Raadt...developers may wish to remain wary of this platform and its creator.
What a bunch of nonsense! I've been using OpenBSD on my desktop for years, and had developers listened to you, OpenSSH wouldn't exist, nor have over 88 percent of the SSH server market! http://www.openssh.com/press.html
I could go on and on, but I got tired already. I wonder why you guys promote these articles. -
Congrats and thank you!
OpenSSH is a great utility and an example of free software development at its best. The OpenSSH history
-
Markus Friedl
One word: OpenSSH.
He did not write it alone (one must not forget the work of Tatu Ylonen), but he single-handedly wrote the SSH2 support integrated in the same daemon (the ssh.com one forks a different daemon based on the protocol) in a very short time, making it the best SSH implementation around.
-
My Tools
-
I Love Console Apps!
Hard to choose the greatest, but these are probably my top 10:
- Dev Todo is a wonderful outliner and task manager. Today I ported it to win32 using mingw to use at work (it pisses me off that windows dropped ANSI color support in their crappy CMD! I knew it was bad, but I still use it more than msys or cygwin because it is quicker on my slow box). Dev Todo stores everything in beautiful XML. I intend to make a filter for XSLT for my biweekly progress reports. My boss wants me to list things I've gotten done & what I plan to do & this great app can store all of that.
- Pine - I don't care if RMS doesn't consider it free. It is the best IMAP client. I do like Mulberry as well, though.
- GNU Screen - I mostly just detach/reattach. I'd like to learn to use it more.
- VIM - My editor. Again, need to learn it better.
- Lynx on windows and ELinks on Linux for browsing.
- I have aliased "fuck" to use cowsay to tell me to calm down. Great stress relief.
- GPG
- LaTeX. I hesitated to include this, but I use it on both linux and windows & it is technically interactive. I have started using it more than standard word processors (WordPerfect>OpenOffice>MS Word) and I want to use it instead of impress/powerpoint/whatever.
- OpenSSH because my box is so much better than the one I use at work
- NcFTP - best ftp client I found, though I have been having much less need to use it.
-
Re:OpenSSH tried this once
It was June 2002, and here are the details, including a description of the release process.
At the time of the original announcement it was specified that there was a way to mitigate the problem (Privilege Separation) and at least some of the criticism was because PrivSep didn't work on all platforms.
The patch was released early because the discoverer released the announcement early. I don't know if there were exploits available at that time.
Disclosure: I'm one of the OpenSSH developers, but I wasn't at the time, so I only know what was made public.
-
Re:wishful thinking.
It's clear you neither care nor have a useful answer to the problems Microsoft has made for everyone.
Of course I don't. I simply pointed out that for all your hyperbole you don't, either.
Apt-get updates work for me
I'm sure they do. They also work for me. Assuming I knew I had been rooted. It took the GNU folks a couple of months to figure it out. Or did you miss that too?
I did not notice the SSH problem, would you mind pointing it out to me?
Show me yourself[...] so I think that you are full of shit.
http://slashdot.org/article.pl?sid=03/12/09/1733221
You are free to extrapolate this and try to imagine how many instances of this are out there, but without a guru sysadmin behind the keyboard to actually notice and sound the bell.
It's not because of "market share" because free software runs most of the net. It's because free software is not using retarded "easy" autoload methods to handle content sent by strangers across the network.
Heh. Most worms work through social engineering, not by vulnerabilities. You just wait until you can prove your "market share is not the reason" when Linux becomes mainstream and easy enough to use by Joe Bob. The fact that I have to set an execute bit on a Python script or ELF binary means absolutely nothing if the user is stupid and determined enough to see those cool pics of Christina Aguilera naked they got from awekeowthdl@123.com
They never made changes, they never fixed anything and their trust is broken
I could say the same thing about this or any other crack I find in Linux or any other popular package, except that it wouldn't matter because nobody uses it. But if I were to listen to people like you, I'd be inclined to believe that things like those are absolutely impossible.
-
Re:What's good for the customer
-
Re:Shorter Essential Checkpoint Administration
And how do you plan to manage those OpenBSD (or whatever) boxes evenly distributed around the globe?
Wow, there are certainly no tools at all that I could think of that would help me do that...
To quote one of my favorite legendary assholes: "This is unix. Stop acting so helpless."
(In all seriousness: yes, there are probably plenty of cases where there's no business case to be made for rolling your own system, and where Checkpoint's management console or a similar tool is probably a good choice.)
What if you add VPN to the soup?
Using Checkpoint? I'd say that you now have a pressing need for an aspirin. YMMV. -
A bit OT but ...
-
Probably was a troll
To say the security of X is horrible because silly people have done "xhost +" is ridiculous! Doing "xhost +" should make absolutely no difference to your computer's security with respect to network attacks because your computer should have a firewall which (at least) blocks incoming and outgoing X11 connections. Anyway, if you want to run X applications on remote computers, the best way to do so is to use ssh for securely forwarding the X11 connections to/from the remote computers, e.g.
ssh -X -l login_name remote_computer
or
ssh -X -l login_name remote_computer X_program
-
Re:A solution? Read advisory
Advisory
Subject: Portable OpenSSH Security Advisory: sshpam.adv
This document can be found at: http://www.openssh.com/txt/sshpam.adv
1. Versions affected:
Portable OpenSSH versions 3.7p1 and 3.7.1p1 contain multiple
vulnerabilities in the new PAM code. At least one of these bugs
is remotely exploitable (under a non-standard configuration,
with privsep disabled).
The OpenBSD releases of OpenSSH do not contain this code and
are not vulnerable. Older versions of portable OpenSSH are not
vulnerable.
2. Solution:
Upgrade to Portable OpenSSH 3.7.1p2 or disable PAM
support ("UsePam no" in sshd_config).
Due to complexity, inconsistencies in the specification and
differences between vendors' PAM implementations we recommend
that PAM be left disabled in sshd_config unless there is a need
for its use. Sites only using public key or simple password
authentication usually have little need to enable PAM support. -
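The advisory's exposed case is a specific combination of two sshd_config settings: PAM turned on while privilege separation is turned off. The following script is an added example, not part of the advisory or of the OpenSSH project, that reads an sshd_config and reports whether that combination is present. It assumes (as sshd_config(5) documents) that keywords are case-insensitive and the first occurrence wins, and it treats an absent UsePrivilegeSeparation as "yes" and an absent UsePAM as "no"; the sample config files it writes are constructed for the demonstration.

```sh
#!/bin/sh
# Added example (not from sshpam.adv or the OpenSSH project): check an
# sshd_config for the combination the advisory calls out, i.e. PAM enabled
# while privilege separation is disabled.
# Assumptions: keywords are case-insensitive and the first occurrence wins;
# an absent UsePrivilegeSeparation counts as "yes", an absent UsePAM as "no".

# sshd_setting FILE KEYWORD DEFAULT -> prints the effective value, lowercased
sshd_setting() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" -v def="$3" '
        # strip trailing comments, then match the keyword case-insensitively
        { sub(/#.*/, "") }
        NF >= 2 && tolower($1) == key { print tolower($2); found = 1; exit }
        END { if (!found) print tolower(def) }
    ' "$1"
}

# sshpam_exposure FILE -> "exposed" when UsePAM=yes and privsep=no, else "ok"
sshpam_exposure() {
    pam=$(sshd_setting "$1" UsePAM no)
    privsep=$(sshd_setting "$1" UsePrivilegeSeparation yes)
    if [ "$pam" = "yes" ] && [ "$privsep" = "no" ]; then
        echo exposed
    else
        echo ok
    fi
}

# Constructed sample configs (not real site configs) for a stand-alone run.
weak=$(mktemp); strong=$(mktemp)
printf 'UsePAM yes\nUsePrivilegeSeparation no\n' > "$weak"
printf '# PAM left off, as the advisory recommends\nUsePAM no\n' > "$strong"
echo "weak:   $(sshpam_exposure "$weak")"     # exposed
echo "strong: $(sshpam_exposure "$strong")"   # ok
rm -f "$weak" "$strong"
```

Run it against /etc/ssh/sshd_config (or wherever the daemon reads its config) on each host before deciding whether the upgrade is urgent or can wait for the normal cycle; a result of "ok" still means the version should be upgraded, it just means the remotely exploitable path in the advisory does not apply to that configuration.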
OT: new OpenSSH bug and new release 3.7.1.p2
-
Re:Use qmail
Here are a few. I've used lsh myself, and found it quite nice.
-
Still no Debian Packages...but for those who need patched
.deb's, go to my Debian package repository: http://readme.gzipped.org/~max/debian.html
Choose one of the sources.list lines depending on your CPU, insert it into your sources.list, update, upgrade, and you're safe.
I applied the patch from http://www.openssh.com/txt/buffer.adv to the original 3.6 Debian package from testing.
Sorry for the German text, I shared this repository of Debian Packages (unstable packages ported to Woody, compiled with gcc-3.2 and CPU optimizations) only with my German friends till now...
-
Re:Nothing confirmed so far...
There's a patch here
A patched ssh package is already available in Debian stable.
-K -
Re: See this comment for BSD patch and info
> I just made RH9/8/7.3 RPMS since RH hasn't released any yet...
You can get RH9 RPMs from a mirror at http://www.openssh.com/portable.html, and presumably kits for other non-BSD systems as well. They don't have RPMs for older RH out (at least not on the mirror I looked at), but they do have the SRPMs if you want to build your own. -
OpenSSH Security Advisory
An OpenSSH Security Advisory was just posted about this.
-
Re:WebSense filtering
How about https on tcp/443? I doubt they'd block this as many things these days require it (FAFSA comes to mind).
If they don't block it (try a few random banks' homebanking sign-on page to see if you can connect), then use proxytunnel to pass ssh via tcp/443 and you can then portforward to a home proxy server.
Best of all, it's all encrypted and they can see none of it other than the ssh connection to your home server which is encrypted (as would be any https tcp/443 traffic).
-
Correct, but... - Re:Logon
Good points, but I would prefer a combination of SquirrelMail (or SSH / PuTTY & Mutt) and a dynamic DNS domain over a "freemail provider".
:) -
Why are key formats so complex?
Why are there so many variants of crypto key formats?
Not only the PKCS series, but also the various encoding methods. And clearly these are inadequate for everyone, so we get PGP formats, SSH/OpenSSH/PuTTY formats, etc.
If there had been a much smaller, more universal set of key formats, interoperable crypto would have been far easier.
On my paranoid days, I begin to suspect the TLA agencies on the standards committees deliberately introduced complexity to limit take-up.
Late posting moderation multiplier=2 -
Re:Maybe I missed something ...
The portable page claims the portable version of OpenSSH will run on Cygwin. -
Re:HTTP? IRC!
The BIND that comes with OpenBSD is an audited V 4.x IIRC. That should suffice for many many users; those that need 8.x or 9.x can find them in the ports tree. The sendmail is locked down as well and doesn't accept connections by default.
Why ship with BIND and Sendmail when they are known to be buggy and insecure? There are alternatives available that are secure (such as qmail and djbdns). So Sendmail is OK if you never need to accept mail? What if you actually want to accept mail?
Nice FUD otherwise.
Then explain how this happened. -
Oh no, they're monitoring email and web traffic!
Whatever will the terrorists do?
Seriously though, the advent of projects like Freenet makes this legislation a complete farce. ANY subversive and violent organization who wants to communicate securely and confidentially over the Internet can do so, in a myriad number of ways, with a little bit of research, and have a fairly high chance of escaping detection by a Carnivore-type system.
There's only two possible explanations for this bill: 1) Ignorance on the part of those drafting the legislation, and 2) Terrorism being used as a pretext to clamp down on other criminal activity that would otherwise be difficult to investigate and prosecute, due to Fourth Amendment restrictions.
I don't know which explanation worries and frightens me more. -
Re:Based on SSH
> Looks like they based their protocol on ssh.
Heh heh, the U of Alberta hosts the web and ftp space for OpenSSH and OpenBSD.
Also, Bob Beck works at U of A. Bob helped develop the first OpenSSH release, not sure how active he is these days.
$ ftp ftp.openbsd.org
Connected to openbsd.sunsite.ualberta.ca.
220-
220- Welcome to SunSITE Alberta
220-
220- at the University of Alberta, in Edmonton, Alberta, Canada
[SNIP]
For U of A, that all adds up to "premium class" tech support for anything to do with SSH. -
Re:Stupid question..
>OpenSSH was ported to Linux??? Since when!?!?!?!?
Very soon after the initial release for OpenBSD.
There's a brief history of the project on the OpenSSH web site. -
Re:Slow Down
I beg to differ. Read the Security Notices and weep. I further contend that source of the compromise has nothing to do with the end result. As such, OpenSSH is officially on my "be wary of list" and will remain there. If not for the actual problems in OpenSSH itself, then simply because it is such a high value target.
-
Re:Comments on the FUD
> This is like saying that since you wouldn't lend me your car for my upcoming vacation, I "incurred substantial cost" renting one.
Technically, you did incur substantial cost renting a car. However, that's not my fault.
> Linux uses clear text for authentication
OpenSSH. 'Nuff said. Linux supports many kinds of authentication via PAM. Not the least of which being Kerberos 5 that Microsoft is all up in arms about. And this Kerberos 5 is the real deal, not a lobotomized^Wembraced-and-extended implementation.
> I think the complaint about "configurations of individual permissions" refers to some additional refinement of permissions in Windows. In reality, the Unix permissions scheme adapts fairly well to real-world issues, providing good security without too much inconvenience. The Windows permission scheme, in contrast, appears over-complicated, poorly understood by Windows admins, and frequently ignored/bypassed.
Actually, the Windows permission scheme is occasionally useful, though usually Unix permissions are more than sufficient. The only time I've ever wanted to have filesystem ACLs was for the Web server root, and even then it was more of a "it'd be nice, but who cares" kind of thing. -
Check out the press that OpenSSH DOES get
-
Answers for all your questions.
Both OpenSSH and SSH are industry proven and supported software. SSH is supported by the original author of the protocol, Tatu Ylonen, among others. OpenSSH is supported by acknowledged Open Source security experts including Markus Friedl, Dug Song, and Theo de Raadt.
The version of SSH that Sun is shipping with Solaris is in fact OpenSSH. Sun is not trying to hide this, they are proud of shipping it because it is an excellent program.
Most major insurance companies run SSH (if they are Microsoft shops) or OpenSSH (if they are not). Most hospitals run OpenSSH.
I use both products. Support is superb for both; but SSH.com has friendly, personable phone support while the OpenSSH support comes mostly from Usenet and Email (and can be fiery if you ask exceptionally stupid questions). OpenSSH fixes bugs faster than SSH.Com, but both products have had about the same number of problems, and all have been quickly and effectively resolved.
Popular clients for windows include putty and Teraterm SSH. Make sure you get a recent version, however; older versions of those programs use versions of SSH (v 1.5) that have known bugs.
If you are dealing with a company that thinks commercial software is "better" than "freeware" you should be careful how you approach this project. If there is a single person who has created this mindset, that person is likely to be both powerful and not very analytical - a dangerous combination.
-
SSH is the original
The SSH protocol was created by ssh.com, and in the past they have tried to stop openSSH from using the SSH name (see here and here and here). The SSH product from ssh.com was created before any SSH standard existed, and its protocols became the defacto way to communicate securely. It was (and according to the license agreement, still is) available for free (as in beer) for non-commercial and educational use. It's available at their ftp site or a mirror.
If you want an "industry proven and supported" product that supports SSH protocols, then the original SSH is what you want, but you'll (obviously) have to pay.
-
Re:"sshd" user and /var/empty
These requirements must be satisfied even if you do not intend to utilize the privilege separation feature. The daemon fails to start without them.
If you're upgrading remotely, you can kill the sshd listening process without killing your login session. OpenSSH normally has a file like /var/run/sshd.pid that contains the PID of the "main" sshd process. Kill that one, start up your new sshd, make sure you can log in, then you can close your existing login session and not worry about being locked out.
P.S. If you're not sure of the correct method for creating the new sshd user and group, the OpenSSH page at http://www.openssh.com/openbsd.html has some straightforward directions that aren't specific to OpenBSD, as long as your OS has vipw (just a special vi for editing your password file).
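The remote-upgrade sequence in the comment above (kill only the master sshd named in the pid file, start the new daemon, prove a fresh login works before hanging up) is easy to get wrong by hand at 2am, so here it is as a script. This is an added example, not the commenter's or the OpenSSH project's code; the pid file path, the sshd binary path and the use of `sshd -t` for a config syntax check are assumptions to adjust for your install, and the restart only runs when the script is invoked with `--restart` so that sourcing or dry-running it cannot kill anything.

```sh
#!/bin/sh
# Added example (not from the post or the OpenSSH project): restart the sshd
# listener without disturbing the session you are logged in through.
# Assumptions: pid file and binary paths below; the master sshd exits on
# SIGTERM without killing its per-connection children (the post's premise).
SSHD_PIDFILE=${SSHD_PIDFILE:-/var/run/sshd.pid}
SSHD_BIN=${SSHD_BIN:-/usr/sbin/sshd}

# read_pidfile FILE -> prints the PID if the first line is a single positive
# integer; otherwise prints nothing and returns 1 rather than guessing.
read_pidfile() {
    pid=$(head -n 1 "$1" 2>/dev/null | tr -d ' \t\r')
    case "$pid" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$pid" -gt 0 ] || return 1
    printf '%s\n' "$pid"
}

# listener_pid -> PID from the pid file, only if that process is still alive
listener_pid() {
    pid=$(read_pidfile "$SSHD_PIDFILE") || return 1
    kill -0 "$pid" 2>/dev/null || return 1
    printf '%s\n' "$pid"
}

# restart_listener: syntax-check the new config first, then stop the old
# master, start the new one, and verify a fresh login before we hang up.
restart_listener() {
    old=$(listener_pid) || { echo "no live sshd master in $SSHD_PIDFILE" >&2; return 1; }
    "$SSHD_BIN" -t || { echo "new sshd rejects its config; not restarting" >&2; return 1; }
    kill "$old"
    # give the old master a few seconds to release the listening port
    i=0
    while kill -0 "$old" 2>/dev/null && [ "$i" -lt 5 ]; do sleep 1; i=$((i + 1)); done
    "$SSHD_BIN" || { echo "new sshd failed to start; do NOT log out" >&2; return 1; }
    # a non-interactive login proves the new daemon works before the old
    # session is closed; BatchMode keeps it from hanging on a prompt
    ssh -o BatchMode=yes -o ConnectTimeout=5 localhost true
}

case "${1:-}" in
    --restart) restart_listener ;;
esac
```

Keep the session you started the script from open until the final `ssh localhost true` has succeeded; if it fails, the old sshd is already gone, but your session is not, so you can still repair the config or reinstall the previous package from it.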
-
Wireless thin-client web phone.
I don't want a device which has to be periodically synced to another device. I don't want a device which has large quantities of memory. I most particularly don't want to have to carry multiple devices when I'm on the move.
So a portable device has to be a phone. It also has to be (across the same cellphone link) a web browser - a web browser complying with normal Web standards, not a WAP device. And it has to be able to run something equivalent to VNC over SSH across the same link.
What does it look like? It needs to be small, to fit comfortably in a pocket. But at the same time to have the largest possible display. Provided the display is touch sensitive, it doesn't need any keyboard, jog-wheel, cursor keys or whatever implemented in hardware - all these can be soft. Handwriting recognition would be good, but isn't critical. It may be a one-piece unit with a flip-over keypad like the Sony/Ericsson P800; it could even be a clamshell like the Nokia 9120; but frankly it doesn't need either.
And the good news is that thanks to those very clever people in Scandinavia, it's all available now.
-
Re:Sniff...
ssh
gpg
https://
webdavs://
imaps:// ...
Big Brother can watch all they want, but they'll only see my random bits. -
rsync + ssh + logout scripting + cron
Use the excellent rsync from Paul Mackerras (of pppd fame) and Andrew Tridgell (samba team) in combination with OpenSSH and SSH for windows (both based on Tatu Ylonen's work; OpenSSH is maintained by an expert team including Markus Friedl and the recently monkey-cracked Dug Song, among others).
Set up your accounts to rsync-upload changes to whichever server is most secure when you log out, and use a cron job on that server to rsync-download to all the other servers nightly. You can make a tar backup part of the system also.
You will have to remember what's going on so you don't modify the same file differently on two different systems within 24 hours. If you want to overcome that shortcoming by making this work on an immediate sync basis rather than periodically, you'll need something like SGI's fam (included with recent linux distros) to trigger the updating processes.
You should already be 90% there if you have your ssh keys set up for passwordless login. Passwordless PKI logins are not significantly less secure than passworded logins in most situations (granted hostile system management can get you, but the BOFH can trojan your login anyway).
Lots of people use this technique to sync CVS trees over slow links. Rsync is very efficient for that kind of thing (large volume of files, low number of changed bytes). -
Re:ssh = somewhat secure shell
Bzzz, wrong!
Those security holes you are speaking of are only found in the free software version of SSH, OpenSSH, hacked together by Theo de Rat and his National Socialist friends.
The commercial version of SSH by Tatu Ylönen, OTOH, is completely secure and bugfree.
If only the rest of the world realized this and used commercial software instead of open source...
-
Good news for TeraTerm users
Teraterm is an excellent open-source terminal emulator for Windows machines, which Robert O'Callahan has extended to incorporate SSH.
The two problems with TeraTerm are:
1) the weird license prohibits distributing any fixes to the core code (you can only distribute add-ons, which it supports). Luckily the core is not buggy, it's just got some areas where improvements could be made.
2) it reportedly compiles best under Watcom C/C++, which was (until now) a rare beasty.
-
Re:Authors get cute and that's a mistake!!!
We've had a problem for YEARS with our legal beagles and the openSSH licence because the author thought he/she was being cute.
Are you sure you're talking about OpenSSH? These were certainly problems with Tatu Ylonen's SSH back in 1995. However, the OpenSSH team has made a significant point of taking patent-encumbered and otherwise problematic code out of the OpenSSH code base. For more information, see the OpenSSH FAQ.
-
List of OpenSSH clients
-
Re:Commercial SSH
If the same error existed in Commercial SSH, someone stole some code.
Not necessarily true: OpenSSH and Commercial SSH have the same roots - http://www.openssh.com/history.html -
OpenSSH 3.1
It was released today according to the OpenSSH website. Go and pound the mirror sites.
-
Use stunnel, stupid
stunnel helps to encrypt normally non-encrypted data streams.
I've got my own ircd which I require the clients to use stunnel or an ssl-enabled client to connect. Soon, I can limit access purely by accepted certs, thereby keeping lusers out.
Of course the same can be done with OpenSSH. I use that at work to bypass my office firewall and use my home cable connection for a proxy to usenet, email, and other services. The best part of this is I can bypass my office proxy so they don't record where I netsurf. It looks a lot like a bunch of ftp and telnet to them.
-
Re:oops
Be a smart man: ssh. -
Encryption is One Way to Fight Back
While I agree that it is vital that people contact their representatives with their concerns and support organizations like the ACLU and the EFF, another thing you can do to defy mass surveillance efforts like Carnivore is to use encryption whenever possible online. I'm sure there are other /.ers out there who know a lot more about the subject (please speak up!), but I wanted to add what information I can for those who might not already know. Here are a few suggestions of ways I know to use encryption:
You can encrypt your email communications with others who are also willing to get the right tools. Probably the easiest tool is PGP (there's also an international page), or for the free software crowd GPG. PGP makes this pretty easy to use under windows with almost any program with its encrypt clipboard contents feature, but there are also plugins for various email programs.
- Terminal Sessions/Telnet
Most people probably know about it, but there's ssh, openssh, and if you're using Windows check out Tera Term and its ssh extension.
- Instant Messaging
My apologies to the *nix crowd, but I don't yet know much about instant messaging on those platforms (soon); however, if you use windows I have seen several instant messaging clients that support encrypted chatting. I suggest Trillian, which is awesome anyway, free, and has encryption features. As far as *nix goes, I'd check out the big ones (e.g. Jabber) and if it isn't in there by default, look for plugins.
This certainly doesn't solve all the problems. The biggest is web browsing. You can use anonymous web browsing tools such as Anonymizer, but that is admittedly kind of a pain. I don't have any good suggestions there. I'd be interested in any other ways others have found to incorporate encryption into their online communications.
-
Re:Securing OpenSSH
Unfortunately, it also blocks all Debian users. At least it looks like somebody *finally* packaged ssh2 for woody
Uhm, you're kind of confused. The main ssh packages in Debian are:
- ssh - OpenSSH port of BSD's version of ssh that branched off the last free version of ssh put out by ssh's original developers. It has supported ssh protocol version 2 since roughly August of 2000, and versions supporting ssh2 made it into Debian soon thereafter. Currently version 3.01p is in Debian, and I think it's pretty much equivalent to the non-free ssh3.
- ssh-nonfree - non-free version of ssh from its original developers. It only supports ssh protocol version 1.
- ssh2 - Version of ssh supporting ssh protocol 2 from the makers of ssh-nonfree. License is more restrictive than ssh-nonfree's license.
- ssh3 - As far as I can tell it's not packaged yet. Is the license more restrictive than ssh3? Regardless, there is no ssh protocol version 3.
-
I'm raising my hand.
-
Re:I've changed my mind
Until 5 mins ago I was a believer in complete disclosure, but with 6 wu-ftpd boxes to admin I'm not so sure any more.
I understand your pain, but the problem is wu-ftpd, not full disclosure. wu-ftpd has a very long, sorry history of bad security holes. I don't use it on any server accessible by anyone but me.
- For anonymous ftp, I'd recommend looking at publicfiles by D.J Bernstein. I haven't used it, but he's serious about security.
- For file transfer amongst a community where you can enforce client choice, use scp/sftp, as provided by OpenSSH (or commercial SSH, I guess - ssh inc. has a nice windows ssh/sftp client if you need that, and it works with the free OpenSSH server).
- If you must use an ftpd with non anonymous logins (not recommended in a time of freely available packet sniffers), I'd look long and hard to find anything BUT wu-ftpd.
-
Re:Eat it
Whoops - Here's the correct link: sftp-server
:)