Domain: openssh.com
Stories and comments across the archive that link to openssh.com.
Comments · 149
-
If you care, use key-based authentication!
If you are this paranoid then you would already be using public key authentication.
I knew one manager who wanted to disable SSH and go back to telnet/ftp because of the SSH1 deattack vulnerability! Let us keep these things in perspective.
-
Some ideas for securing a public access Linux
Check out how I "secure" my network. It's not perfect but it's relatively easy to implement. http://while1.org/security.shtml and now I post the whole thing to karma whore!
:)
We try to keep While(1).org fairly secure. Here is a general overview of our security process. It should be helpful for many novice UNIX admins.
- Operating System: Although OpenBSD is generally regarded as the best Freenix in terms of security, GNU/Linux is under more active development, faster, more user friendly and supports far more software packages and types of hardware than OpenBSD (sorry Theo, much respect...). I, along with most of the other admins and users, am more familiar with a GNU environment. The distribution we use is Debian. I chose Debian for several reasons: free (libre and gratis), strong package system and reliability. It hasn't let me down. I do prefer Slackware on my personal box, since the -current tree is more stable than Debian's unstable. However, Debian's package system is nicer and provides many things that Slackware lacks (I may abandon Slackware as soon as Debian supports XF4 and kernel 2.4 by default in stable). Debian also keeps up to date on security issues.
- Kernel: We now run a Linux 2.4 kernel. Although most security tools/patches are 2.2 only, the mature (READ: usable) ones have been ported to kernel 2.4. I'm confident that more will follow. 2.2 is dead. We have disabled modules entirely in our kernel to prevent hax0ring and to avoid using modules (does anyone else hate them?). We only have a few drivers enabled. Besides helping performance, this protects against hostile code injection into the kernel. It is possible for a clever coder to inject code into a non-modular kernel, but most rootkits use kernel modules. Not allowing kernel modules and using 2.4 prevents us from using some really cool security tools like LOMAC. However, I found that LOMAC did not play nicely with OpenWall's Secure Linux patch (or cron, or init or getty ...). When Lomac behaves nicer, it will be added (I'd also like to see it as a patch rather than a module). Currently, we are using the GetRewted.net patch which provides lots of security enhancements. We may be adding more secure kernel additions such as the NSA's Security Enhanced Linux. However, at this time, we feel that the current kernel security model is both secure and usable. If you have any neat kernel goodies we might like, tell us.
- Firewall: Note that we are NOT running any sort of real firewall. We feel that the extra kernel overhead of the firewall hurts performance and adds needless complexity to the server. Since we are NOT trusting local users (i.e. users with shell access) anyway, we feel that a firewall is basically useless since Linux's TCP/IP stack is already fault-tolerant, mature and robust. We augmented the TCP/IP stack with this shell script to limit our vulnerability to DoS attacks. Firewalling services should not be needed if your services are secure (run with minimal privileges and SECURE by design and configuration). Eventually we may drop an OpenBSD or Linux 2.4 firewall in front of the server as a measure for restricting local users' ability to portscan, DoS and exploit remote hosts.
- Authentication / Login: Remote interactive sessions are only supported over ssh (and we run OpenSSH). Telnet is not allowed. Rhosts authentication is not allowed. I've looked at forcing people to use S/Keys, but it is a real pain in the ass on both ends. We are currently allowing FTP in. When I'm confident that all the users can get a good graphical scp/sftp client for their platform, I'll kill FTP. Since I'm not relying on trusting local users anyway, this is more a security concern for individual users. I'm considering locking some users who don't use their shells out of real shell access.
- Users: I only make accounts for people I know personally. I also monitor user logins and their activity using whowatch and process accounting. I'm suspicious of logins from weird hosts. I also use PAM to set resource limits.
- Monitoring: We watch out for network nastiness with Snort which is an AWESOME IDS. We monitor its logs and other system activity with Psionic's LogCheck. Occasionally, I'll audit the machines for weird ports using nmap and Nessus, both of which are REALLY nice. I'll also routinely verify system integrity using a combination of Tripwire and chkrootkit, on a system booted from a known CLEAN floppy containing the tools.
-
Hooray!
Looks like someone from monkey.org (big OpenBSD lovers) is starting up a new project. If it follows in the history of other OpenBSD alternatives it will be about 30 times better than the original and have some cute Blowfish/Daemon shirt. Damn OpenBSD people! They're beating the other BSD's simply through how cool their t-shirts are!
:)
xm@jolt:~$ whois openipf.org
Whois Server Version 1.3
Domain names in the .com, .net, and .org domains can now be registered with many different competing registrars. Go to http://www.internic.net for detailed information.
Domain Name: OPENIPF.ORG
Registrar: TUCOWS, INC.
Whois Server: whois.opensrs.net
Referral URL: www.opensrs.org
Name Server: NS1.FRIES.NET
Name Server: NS0.FRIES.NET
Updated Date: 25-may-2001
>>> Last update of whois database: Wed, 30 May 2001 02:01:56 EDT
The Registry database contains ONLY .COM, .NET, .ORG, .EDU domains and Registrars.
Found InterNIC referral to whois.opensrs.net.
Registrant:
OpenBSD
600 N. Chowning Avenue
Apt. W110
Edmond, OK 73034-5110
VI
Domain Name: OPENIPF.ORG
Administrative Contact:
Fries, Todd todd@fries.net
600 N. Chowning Avenue
Apt. W110
Edmond, OK 73034-5110
VI
405-715-4168
Technical Contact:
hostmaster, monkey.org hostmaster@monkey.org
PO box 2031
ann arbor, mi 48106-2031
US
734 623 0456
Billing Contact:
Fries, Todd todd@fries.net
600 N. Chowning Avenue
Apt. W110
Edmond, OK 73034-5110
VI
405-715-4168
Record last updated on 29-May-2001.
Record expires on 25-May-2002.
Record Created on 25-May-2001.
Domain servers in listed order:
NS0.FRIES.NET 206.30.141.10
NS1.FRIES.NET 208.128.7.232
-
Re:No. Mandrake has abandoned telnet and finger!
Yeah, harmless as long as you don't telnet in and then su root whilst someone else on the network is running a packet sniffer.
I wholeheartedly agree with Mandrake's policy of not installing them by default, but having SSH instead.
-
OpenIPF soon ?
An interesting thing is that Todd Fries bought the openipf.org domain on May 25.
Todd contributes to many opensource projects, like OpenSSH .
So maybe it means that IPF will have the same future as SSH: a really free implementation will follow.
At the same time, Linux Netfilter is growing. While it's not as mature as IPFilter, it's definitely featureful, and going in the right direction.
So maybe the BSD folks can work with the Netfilter dudes instead of reinventing the wheel. We would get only one free packet filtering system, but common to many systems, with many developers, and that would beat everything.
Porting Netfilter to BSD systems is not impossible. Internal socket structures are different, but the way protocols are analyzed can be left unchanged. And it should also be easy to code a parser that would rewrite IPF rules into Netfilter rules, so that people would be able to easily migrate.
-
DXPC, lbxproxy and SSH compression
There are several programs for this.
lbxproxy works with X. Part of it actually comes with XFree86.
DXPC is an oldie but goodie. It requires you to use it on both server and client end though.
And good old SSH compression is usually good enough. Turn on X forwarding, turn up the compression and usually you're good to go.
I haven't found VNC to be very good for bandwidth, but you might want to try a VNC compressor like this.
- Serge Wroclawski
-
Re:The original SSH license
For the curious, the license is available at http://www.openssh.com/LICENCE. Don't blame me, I didn't misspell LICENSE.
-
Re:switch to openSSH
I had similar troubles trying to compile OpenSSH on my linux box. Then I discovered they have a separate "portable" distribution for non OpenBSD boxes. I picked the portable one,
./configure; make; make install, done.
The "standard" tarball linked under "getting source" on the OpenSSH page is for OpenBSD and does not have a configure script, just an installer.
If you download OpenSSH for a non OpenBSD box, make sure you pick the portable version. (under operating systems click on your operating system, or go to: http://www.openssh.com/portable.html).
-
Re:Do they turn unnecessary services off?
It's a distro aimed at servers. Servers that like lpd, ftpd, and r-services perhaps.
Any admin that installs a server and leaves the r-services enabled (with extremely few specific exceptions) should be tarred and feathered.
This takes care of both rcp and rlogin quite nicely. There's really no reason not to use it instead of the old, horribly insecure r-services.
-
BSD != GPL
The questioner completely glosses over this, as if he thinks they are the same. They are not. The BSD license allows you to rip their code for any purpose whatsoever. OpenSSH is under the BSD license, not the GPL, so that answers the question.
Which doesn't mean you should do what you are talking about, only that you can.
-
Re:FreeBSD question
The only part of this comment that is "utter bullshit" is the part where he implies that someone would be stupid enough to be using telnet in this day and age. Surely we're all smart enough now to know that telnet is a giant sucking chest wound of a security hole. Nobody is actually stupid enough to still be using telnet these days, right?
Damn, people. It's not like OpenSSH is a big secret.
I still say that backbone providers should throw all port 23 traffic on the floor just on principle. It's no different than hiding your friend's car keys until he sobers up.
-
He did you a favor...
If he disabled telnet, he did you a favor. Telnet is a sucking chest wound of a security hole. Install OpenSSH.
-
sure I do it with...
-
Some responses:
*) telneting as root is considered bad. Please replace telnet with OpenSSH. It encrypts things so that people can't spy on your sessions. If you want an example, learn how to use tcpdump, and see what happens. It's also a good idea to not ssh as root so that it requires another level of passwords to get total control over your box.
*) Nobody is a generic dummy account on most UNIX systems. Its purpose is to allow you to run various daemons under the lowest privileges possible (that of a user which can't login and doesn't own any files). A better practice is to create one user account per daemon, and have it own only the files it requires to write to.
*) -- MARK -- is a generic placeholder put there every n amount of time (the default is 20 minutes.. man syslogd for more information).
*) DENY and REJECT act slightly differently. If you are going to utterly blackhole a machine, or simply want to eat packets coming in, DENY is the option you want. REJECT simply sends back a connection refused packet (for TCP; UDP and other protocols have slightly different packets). If you're going to be filtering TCP ports, use REJECT -- DENY will show up as 'filtered' on nmap and any other quality scanner which notes the lack of a reply packet (despite the host being up).
*) OpenBSD is an audited branch of the BSD family tree. This code can trace its lineage back to the original UNIX code. For many people, it's a great replacement for Linux on their firewalls because it's simple to setup, and secure out of the box. If you require SMP, or are going to be doing things like high volume web traffic, you may want to review the performance of it vs. Linux, or combine them via firewall + proxy network setup.
If you have any other questions, head to #kuro5hin on slashnet (or irc.kuro5hin.org if you don't know what slashnet is ;)). We'll help you out.
-
Re:In Summary: Man in the middle attacks are tough
In Summary: Man in the middle attacks are a tough problem, but solvable so long as the end user pays attention
To summarize the summary: use OpenSSH ;)
(OpenSSH by default refuses to let you attach to a changed server key by default, causing you to either disable that behavior (bad), pull the old key out of your known_hosts (bad but usually tolerable), or verify the new server key OOB (good))
Your Working Boy,
-
Re:Kurt up to his usual tactics
Actually Kurt is actually quite on target here. He's _not_ being overly paranoid; after all, most of us are "system administrators" and need to be more overtly cautious. The X-Files has it right: "Trust no one."
With that I advocate OpenSSH, the development of which Kurt takes an active part in (read the openssh-unix-dev@mindrot.org mailing list!).
-
OpenSSH helps here
With OpenSSH you have a chance to thwart these attacks - not only does it support SSH protocol 2, it also displays "fingerprints" for each unknown key it receives from over the network. You can use this fingerprint to do out-of-band checking of key authenticity (eg. by phone, in person, PGP signatures on a web page, etc).
There is also a project underway to allow OpenSSH to use keys distributed by DNSSEC.
This attack then comes back to user apathy (i.e not bothering to verify key fingerprints). An alternative (not yet implemented) is some form of PKI, which has its own problems (complexity, centralised trust, revocation issues).
-
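Added example (not from either comment above, nor OpenSSH's own code) of the behaviour the two posts describe: a known_hosts lookup that distinguishes a first contact from a changed server key, plus the SHA256 fingerprint string a user would verify out of band. The key bytes, host names and known_hosts lines are constructed for the example.

```python
import base64
import hashlib
import struct

# --- Minimal SSH public-key wire format helpers (RFC 4253 "string" encoding) ---

def ssh_string(data: bytes) -> bytes:
    """Encode bytes as an SSH 'string': 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data

def make_ed25519_blob(raw32: bytes) -> bytes:
    """Build an ssh-ed25519 public key blob: string('ssh-ed25519') || string(32-byte key)."""
    if len(raw32) != 32:
        raise ValueError("ed25519 public keys are exactly 32 bytes")
    return ssh_string(b"ssh-ed25519") + ssh_string(raw32)

def fingerprint_sha256(blob: bytes) -> str:
    """OpenSSH-style fingerprint: 'SHA256:' + unpadded base64 of SHA-256 over the key blob.
    This is the string a user reads out over the phone or compares against a signed page."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")

def parse_known_hosts(text: str) -> dict:
    """Map (hostname, keytype) -> key blob from known_hosts text.
    Handles comma-separated host aliases; skips blank lines, comments, hashed (|1|...)
    entries and @cert-authority/@revoked marker lines, which need logic not shown here."""
    table = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) < 3 or parts[0].startswith("@") or parts[0].startswith("|1|"):
            continue
        hosts, keytype, b64key = parts[0], parts[1], parts[2]
        blob = base64.b64decode(b64key)
        for host in hosts.split(","):
            table[(host, keytype)] = blob
    return table

def check_host_key(known: dict, host: str, keytype: str, offered_blob: bytes) -> str:
    """Mirror the decision a client makes on connect:
      'match'   - stored key equals the offered key, proceed
      'unknown' - first contact, verify the fingerprint out of band before accepting
      'changed' - stored key differs, refuse; verify out of band before editing known_hosts"""
    stored = known.get((host, keytype))
    if stored is None:
        return "unknown"
    return "match" if stored == offered_blob else "changed"

# --- Constructed sample data (NOT real keys or hosts) ---
KEY_A = make_ed25519_blob(bytes(range(32)))       # the key the server legitimately has
KEY_B = make_ed25519_blob(bytes(range(1, 33)))    # a different key, as an interposed host would offer
KNOWN_HOSTS = (
    "# constructed known_hosts for the example\n"
    "example.test,192.0.2.10 ssh-ed25519 " + base64.b64encode(KEY_A).decode("ascii") + "\n"
    "|1|AAAA|BBBB ssh-ed25519 " + base64.b64encode(KEY_A).decode("ascii") + "\n"
)

def demo() -> dict:
    """Run the three cases the comments describe against the constructed known_hosts."""
    known = parse_known_hosts(KNOWN_HOSTS)
    return {
        "same_key": check_host_key(known, "example.test", "ssh-ed25519", KEY_A),
        "by_ip": check_host_key(known, "192.0.2.10", "ssh-ed25519", KEY_A),
        "changed_key": check_host_key(known, "example.test", "ssh-ed25519", KEY_B),
        "new_host": check_host_key(known, "other.test", "ssh-ed25519", KEY_A),
        "fingerprint": fingerprint_sha256(KEY_A),
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The 'changed' result is the case the first comment warns about: the right response is the out-of-band fingerprint check, not deleting the known_hosts line or disabling the check.
-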
Re:So when *should* it change?
Only the ssh.com implementation.
OpenSSH supports SSH2 for free (beer and speech).
-
my favorites....
First, who said you need a big budget for "proper software"?
I don't know how many people think of it but I've become very comfortable editing html over a telnet session with vi[m]. SSH with compression turned on is even better than telnet.
- Get vim and force yourself to learn what seems to be a weird interface, once you learn it it is very powerful: http://www.vim.org
- OpenSSH: http://www.openssh.com
- If you need a cross platform SSH Client, MindTerm is rather good despite the java bloat: http://www.mindbright.se/mindterm/
- If you're using php and have more cpu cycles than bandwidth then my gzip code is a quick fix: http://Leknor.com/code/
Also, sed, ps, find, grep are great little utils. I recently realized I could write quick shell scripts on the command line like this:
$ for x in `ls *.html`; do echo $x; done
I know that is very simple but it gives you an idea where to start.
Leknor
-
OpenSSH - iPAQ - Cell Link
How about OpenSSH on Linux on a Compaq iPAQ with a cell phone link to the Internet?
If you don't want a normal modem link, you can get digital data service on a GSM phone. With a vibrating phone/battery, you can get paged by the phone. Then to call back you connect the iPAQ to the phone (wire or IR).
-
It sounds like...
You've already got the hard part taken care of. If you have SSH1 on the Palm working on a wireless connection, you've conquered all the major obstacles, and all that you really need to do is setup OpenSSH on the server in question (with OpenSSL as a dependency). Version 2.3.0p1 (not to be confused with SSH2 2.3.0) was released recently, and it has full compatibility, including transparent X forwarding with both SSH versions 1.x and 2.x. Give it a try!
-
BSD choices
The Safe Bet: Qmail + mutt + OpenSSH + OpenBSD (+ djbdns if you want DIY DNS service). It would be hard to find a more reliable, secure setup. Not the absolute friendliest, but solid as a rock.
Relevant URLs:
Dan Bernstein's page. Home of Qmail and djbdns.
The OpenBSD and OpenSSH home pages are full of useful information.
PuTTY, a free Windows SSH client Great for on road trips, internet cafe's, consulting, etc.
Mutt, the One True mail client. Takes some getting used to, a good .muttrc doesn't hurt either.
People seem to overlook qmail when setting up a reliable, secure system. Having dealt with Sendmail and Qmail, I would suggest the latter to anyone who cares about security or performance. The same logic applies to BIND vs. djbdns.
-
Telnet has serious problems.
but until everything I need can be done from where I am, I will always need telnet.
YM ssh. Telnet sends your login password in plaintext to anyone who's sniffing your connection.
-
Symantec's irrelevant to Linux
Symantec & Lotus: They already sold out, or have been crushed by Microsoft. Much more worrisome.
Of course Symantec wouldn't port their products to Linux. Most of Symantec's products would be completely unnecessary under Linux. Symantec's products page presently lists 17 software products, of which three serve solely to fix Windows or MacOS design flaws, eight serve purposes already well-served by existing free software, and two serve political purposes not in tune with many or most users of Linux-based OSes. I count only three as potential Linux-based products.
The following Symantec products serve to correct or work around design flaws of Windows/DOS or MacOS:
- Norton AntiVirus -- While viruses running under Linux have been created as experiments, the Linux platform does not suffer from the promiscuous vulnerability to machine-code viruses of unprotected platforms. Nor do Linux's popular applications suffer from unprotected scripting systems vulnerable to viruses.
- Norton CleanSweep -- Almost all Linux-based OSes use package-management systems such as dpkg and rpm, which permit the clean uninstallation of programs.
- Norton Speed Disk -- ext2fs, the current standard filesystem for Linux, does not suffer from the severe fragmentation problems of FAT, nor from the somewhat lesser but noticeable ones of FAT's successors and MacOS's HFS.
The following Symantec products serve purposes already filled by existing free software:
- Mail Gear -- The foremost mail daemons for Linux (such as sendmail, postfix, and qmail) already support the filtration of mail. Users can use procmail recipes or other tools to accomplish the task at their level.
- Norton Ghost -- Virtually every Linux-based OS ships with backup/recovery and disk-imaging tools such as dump, tar, and dd. There are even X-based versions such as guiTAR available.
- Norton Internet Security (firewall portion) -- Firewall capability is built into the Linux kernel. Several popular free packages exist to do rule-based intrusion detection, such as snort.
- Norton Utilities -- Though ext2fs is more robust than FAT or HFS, it can suffer from disk hosement in certain situations (such as loss of power); in these cases, Linux already has fsck. (Norton Utilities also contains tools that belong in the previous category, such as software to prevent program crashes from bringing down the whole OS.)
- pcAnywhere -- Linux has ssh and X for secure remote login and display.
- Procomm Plus -- The last thing Linux needs is another terminal emulator.
- Retriever -- Port-scanning software is hardly anything new to Unix; for network security mapping try SATAN or one of its derivatives such as SAINT.
- WinFax PRO -- The Hylafax system supports the sending and receiving of faxes under Linux (and other Unices) as well as network-based faxing.
The following Symantec products serve political purposes not in tune with many or most Linux users; specifically, they are parental or office censorware:
- I-Gear
- Norton Internet Security (censorware portion)
The following Symantec products are potentially useful under a Linux-based OS:
- Expert -- From the blurb, this sounds like an attempt at implementing Bruce Schneier's model of analyzing security as a business risk. (I am not convinced that Schneier is right, nor do I claim that Symantec Expert is a good implementation of his ideas ... but that's another story.)
- Mobile Essentials -- While one could well keep several versions of /etc in tarballs and untar the right one for each location, I imagine laptop users would like a clean way to switch from one set of settings to another.
- TalkWorks PRO -- The last time I looked into the matter, there didn't seem to be any reasonably advanced voice-mail or answering-machine packages for Linux.
(Mobile WinFax is not counted as it runs on the PalmOS, not a conventional OS. Norton SystemWorks is not counted because it is a bundle of several packages listed above.)
In short, it is not to be taken as a surprise that Symantec, and other "utility software" companies, see themselves as not having anything to offer the Linux community -- they don't.
-
Re:impact on ssh
I don't believe ssh is related to the RSA. Regardless, it's quite easy to get OpenSSH which is free, and compatible with standard ssh clients.
Chris Hagar
-
Speed, stability, security...
Sounds like they worked really hard to make this release top-notch. I'm going to try out 4.0 when I get my hands on another box.
I've been using OpenBSD; the focus on security and the excellent docs make it my OS of choice. I'm glad to see FreeBSD taking the cue and incorporating OpenSSH. It is a great improvement over connecting through telnet, especially if you need to go SU occasionally.
FreeBSD sounds tempting, though, especially for my laptop (where speed is probably more important to me than security.) One security feature I'd miss, though, is encrypted file system features; does anybody know what's available for FreeBSD? I am going to check it out; I really want more experience with the various BSD flavors.
-
That's great and all, but...
It's terrific that the ACLU are seeking some disclosure for Carnivore. I am hoping, however, that the prevalent tabloid-esque "Shocking revelation! The FBI may be monitoring your email!" attitude dies down a bit here. Are people that naive to think this is the first time the FBI (or other government bodies) has been actively monitoring traffic? The Internet was designed by and for the government!
Look; not only are the FBI monitoring your network traffic, so are the Internet pedophile police, your ISP, the ACLU, Russian spy satellites, the National Baseball League, and my Aunt Bonnie.
So please, all you sysadmins and DSL-packin' home-web-server 'l33t out there, please try to learn about the benefits of retiring legacy protocols like Telnet and FTP (which happen to send your password in plain-text), in favor of newer, robust, secure data types like SSH, scp, IPsec, and PGP.
And if you're really gonna get all worked up about "ooh, the FBI is spying on me using meat-eating computers co-located at my ISP", then consider using a secure operating system.
-
Re:Doesn't answer FTP problem
Simon Tatham who wrote PuTTY also wrote pscp, an SCP client for Win32. It's command line, but works great. BTW, PuTTY has great terminal emulation and speed, unlike MS Telnet and QVT/net (which Dal installs in their PC computer labs.) (BTW, I think MS fixed their telnet client in win2k, so it doesn't suck nearly so much now.)
For MacOS, there's NiftyTelnetSSH, which includes SCP support. (and decent, fast terminal emulation, unlike NCSA telnet.)
All these programs are gratis, but NiftyTelnet might not be libre. (PuTTY and pscp are.)
For Unix, of course, there's OpenSSH.
For VMS, there's an FAQ, which recommends a server and a client.
#define X(x,y) x##y
-
Re:FTP Replacement
A replacement for telnet, it encrypts all your transmissions making sniffing of passwords, connection hijacking and all those other tricks impossible (or at least extremely difficult). If you want to get it (and you SHOULD) go to www.openssh.com for those guys from OpenBSD's implementation. It's free, and has lots of kickass features for us Open Source folks (like all those nasty algorithms that are patented so we can't use 'em removed).
-
That's why PPTP is broken...
After three tries at getting it right, and SMB is even more broken after what is probably best described as "many" tries.
Microsoft relied on security via obscurity and self-important code monkeys rather than careful and open design and community consultation. They almost certainly did it due to the combination of being paranoid (about anything "not invented here") and being a legend in their own mind.
If you're prepared to run a 2000-only MS network, many of SMB's known holes (some large enough to run an oil tanker through) will vanish - but even the 2000-specific stuff is slightly broken and so new that the cracks aren't showing through the paint yet.
There's good reasons that OpenSSH has had more downloads than there are bits in the package recently. And they're not recording things like Mandrake's RPMed version, either. The whole system is peer reviewed and runs on proven, solid technology. And because it's Unix, you can make a secure VPN like this (just add routing to taste):
pppd pty 'ssh -t user@host pppd notty'
As Vinod Valopililli said in the Halloween emails, there are no one-week drivers for NT - and no ten-second securely crypted VPNs for Windows.
-
non openbsd versions
-
Cryptography
Doesn't this already happen with cryptography...
Open source projects like gnupg make sure that all of their content is created and distributed outside the U.S. The OpenBSD project and the OpenSSH project have their ftp servers outside the U.S. so they'll not have to deal with U.S. laws regarding encryption. Not really new news, just a new application of what other people have been doing for a long time.
-
Privacy is too easy to take for granted...
For the longest time, I've been excruciatingly paranoid online. Not that I've got too much to hide, but I've always had to rationalize the knowledge that countless third parties could monitor all of my electronic communications with the thought that I'm probably not that important to them, so I'll be lost in the noise. You know, security through obscurity and all that rot.
Recently, I started a small SourceForge project (erm... my project's not much yet, I'll talk about it more later...), and to administer the project, I finally had to get around to downloading OpenSSH ( the Linux Port ), and felt a strange feeling as I watched it compile... the thrill of the would-be forbidden... that which the Powers-That-Be fought tooth and nail to suppress.
Finally, after logging into SourceForge with SSH, a profound realization hit me: no third party can intercept my communications. Even if they did, it'd all be gobbledygook to them. I laughed. True privacy, the most wonderful feeling in the (online) world...
After that, I can't wait until strong encryption becomes ubiquitously integrated into all communications software, (and all new Linux distributions! ;-).
The day when every person can communicate freely, without being spied upon from above, or snooped on from below, will be the greatest day in a very long time.
And don't give me that crap about "criminals" using it to coordinate terrorism. Any serious organized criminal or terror group in all probability has strong crypto, as well as countless other safeguards. Although, I'm not an authority on the subject. (Like Nixon, IANAC ;-)
-
Re:Shipping crypto out of the US...
A leg up on OpenBSD?! OpenBSD already has OpenSSH and IPsec. And yes, during install you can choose the US or International crypto, but OpenBSD is done out of the US, so lame-laws need not directly hinder it. It's more an issue of being a US business and wanting to pay or not pay RSA lisc. fees.
OpenBSD and its dev's played a big role in OpenSSH.
OpenBSD places a lot of importance on security and doing it right. Read all about it and get facts.
http://www.OpenBSD.org
http://www.openssh.com
-
Re:Come on, this is Alex de Joode!
"Well, seeing as how they haven't made any accusations, it'd be kind of hard for them to give any rationale for them."
Um..
from the http://www.openssh.com page:
"If you reached this web site via www.OpenSSH.ORG, please realize that OpenSSH.COM is the correct address, and that OpenSSH.ORG is owned by a domain squatter (Alex de Joode of Zedz.net) who allocated the domain after he saw us first use the name, and probably collects information about those who visit the page before forwarding it to here. Also, please do not mail to us at openssh.ORG, since he also receives that mail. We have repeatedly asked him to please give us the domain, since we feel that we (not he) created this free, new, and great thing for the world to use and we wish to avoid confusion. If you can, please mail him and ask him to reconsider. The members of our developer group have asked as nicely as possible, and it has not gotten us anywhere."
Let's see... they are accusing him of being:
- A domain squatter.
- eMail hijacker.
- Intellectual Property thief.
and thats what is being said publicly...
--
Amarillo Linux Users Group - A domain squatter.
-
He did the right thing(tm)!
"when news of the openssh-project was first leaked" -- in other words: Nobody was expected to know there WAS an openssh-project, the guy wanted to provide information about free ssh-implementations -FOR NON-PROFIT- and registers openssh.org. He did the RIGHT THING (tm)
Big deal. Now he links to plenty of (more or less) open ssh implementations, and anyone that visits www.openssh.org can easily find a link to www.openssh.com. Who says they are more official open than him?
Come on, why don't we get an interview with the ".org" man and the ".com" guys here on /. (or geeks in space?) - Let them discuss it?
On a side note, maybe the free-software community should offer to buy www.open.org and use it as a central link point to every major open/gnu/free/bsd project?
-
A Proper Analysis of OpenSSH's proposed boycott
Well, this is a refreshing way to look at the Free Software community. Get that knee-jerk reaction we are so known for, and put it to your use. Now, I'd like to look at Mr. Bertrand's letter.
The name was taken by a someone not affiliated with the OpenSSH development team when news of OpenSSH was first leaked to the community.
Hmm, "when news of OpenSSH was first leaked." Let's look at those seven words, shall we? When was this news leaked?
Performing a search on this here web site (Slashdot for those not in the know) for "openssh" yields two results. This very article, and one from November 18, 1999, entitled, "OpenSSH Project Now at openssh.com."
Next I moved to LinuxToday.com. They have articles for everything under the sun. Their first article mentioning OpenSSH is one at Security Portal dated October 27, 1999.
I search Google (both plain Google and the Linux subsearch), and they have never heard of openssh.
Finally, I visited the very site for this project, openssh.com. Looking for an "about this project" sort of link, I clicked on the Project Goals link right up at the top of the left column of links. What's that it says at the very bottom? "OpenBSD: goals.html,v 1.4 1999/11/17 14:14:15 provos Exp $" That looks much like a cvs (or related) entry. That date is November 11, 1999. I also visited the link to the devel mail list archives, and the earliest date there is November 16, 1999.
Looking at all these, I'd guess their formal announcement was around November 17. But the "leak" award goes to Security Portal on October 27, 1999. I'm sure they got their information from somewhere else, but I'm tired of searching. :) Back on track, when did openssh.org register its domain? Whois gives me the date of November 4, 1999. I count eight days from that "leak." That's not an extremely brief time, but it is before their formal announcement.
Back to the letter, Mr. Bertrand says, "The OpenSSH developers wanted to register under the .ORG top level domain,[...] but the name had already been taken. They settled for the .COM in the interim."
Ok. Well that sure sounds unfortunate. Let's take a look at when they registered openssh.com, shall we? Returning to my favorite domain searching services, whois, it yields October 25, 1999, as the date the record was created. What's this, I see? That looks a lot like a date before the openssh.org was registered. It's even two days before the slight mention by Security Portal. So, they "settled" on the COM top level domain ten days before the ORG one was "taken by a someone not affiliated with the OpenSSH development team." Uh huh, sure thing buddy.
Next Mr. Bertrand discusses the owner of openssh.org, "Mr. de Joode has repeatedly refused requests to sell or turn the .ORG name over to the OpenSSH developers."
Since when must anyone turn over a domain to anyone who asks for it? In my book, domain names are a first-come, first-served service. The OpenSSH group had plenty of time to register any domains they wanted. What if the real SSH group wants the openssh.com domain? Would you, Mr. Bertrand, be so giving and just surrender it?
Now comes the discussion of openssh.org's web site, "The OpenSSH.ORG web site currently is a blank page with a link to the official site."
Ok, this is somewhat true. Going to openssh.org, you are presented with a link to www.openssh.org. But Mr. Bertrand, did you really stop reading there and not see a few blank lines below (9 lines if you telnetted to port 80)? From openssh.org's page I quote, "For information about OpenBSD' OpenSSH implementation please goto..." and they link to the OpenSSH group's web site, openssh.com. This omission is purely ridiculous, Mr. Bertrand.
Finally, Mr. Bertrand pushes one of the hottest buttons in the community, privacy. "This is more than just a request to boycott: there could be privacy issues, possibly data mining or building a mailing list of security conscious users. We simply don't know Mr. de Joode's motives, and we recommend caution." Hmm, a very strong accusation. None of us like being spammed, tracked where we go, etc. So, I asked myself, "What data mining is openssh.org doing?"
Let's take a gander at the HTML source code. This site is after all a mere two pages. There could be some JavaScript performing some hidden actions users won't see when just using Netscape (or other JavaScript enabled browsers). And there it is, plain HTML. What?! No fancy, shmancy Netscape Composer, FrontPage or other editor META tags? No META tags at all to con search engines into pointing to them instead of openssh.com. I find it refreshing that someone else codes HTML in plain, simple HTML. But I see nothing hidden here.
Ok, but I have my Netscape set to just accept all cookies. I could have been slipped one of those and now they have access to my whole hard drive, right (I'm kidding, of course)? Let's give the Netscape cookies file a good grepping, shall we?
316-1 Mon/11:55pm ~> grep -i ssh .netscape/cookies
317-1 Mon/11:56pm ~>
Hmm, exactly zero references to anything SSH related. I still haven't found any maliciousness. What about the "building a mailing list" bit? I've seen many sites with "Click here to receive our free newsletter" sort of links. No doubt many of them then give out your email address to every spammer in the universe. Is there any similar line in these web pages? Not that I can see, the bottom of the second page does contain a simple "For more information about freessh.org, please contact:" mailto link. I haven't sent an email to that address yet, so I can't say if it's a secret email net. But since I'm sending this analysis to Mr. Bertrand, I'll send one to that address as well with a brand new email address. If I get spammed there, I'll know who's to blame. If openssh.org really is using this link to catch people for a spam list, I must say he's doing a poor job of it. At least claim you can get free porn if you send an email. ;)
In closing, as Mr. Bertrand says "Any help or suggestions in breaking the deadlock are appreciated.", so I say, Mr. Bertrand, I sincerely hope you reconsider your position, because well, it has no leg to stand on. A) You registered the .COM ten days prior to Mr. de Joode registering the .ORG one. That is an outright lie, never a good thing to have right out the starting gate. I will ask, how do you base your allegation of data mining and mail list gathering? If it is also a lie, that's doubly bad. B) Openssh.org is not using the domain for squatting (there isn't a "Pay $10,000US if you want this domain" message like we've all seen so many times). It is about free SSH programs, perfectly reasonable and on target. C) Mr. de Joode provides links on both of its web pages to openssh.com. Any users looking for it will easily see that and go to the appropriate web site.
If a reasonable agreement between these two parties is made, that's great, but to seek out the outrage of the free software communities by deceiving them like this is not the way to go about it. I sincerely hope you reconsider your position Mr. Bertrand.
Thank you.
John Corey
Copies sent to both Mr. Bertrand and Mr. de Joode. -
Re:Is it *really* that important?
Right on! Not to mention the fact that if you read the OpenSSH.org web page you will note that it states 'free ssh implementations go to www.freessh.org' and states "OpenBSD' OpenSSH implementation goto www.openssh.com".
Now you tell me, what is that implying to you? Ironically, the most freely available OpenSSH license can be found at www.OpenSSH.com.
Can someone explain to me how this doesn't mean what it implies? -
Squatting...
I don't know about anyone else, but I don't have a huge problem with this case. If the site is a legitimate site with crypto information I don't see any reason why he should HAVE to give it up. By all means, I think that he should sell the domain for registration fees, but by no means should he be forced to give it up. As the site is now, it's simply 2 links, one to FreeSSH and one to OpenSSH. To me, that's simply a waste. If he wants to make a site on cryptography, take openSSH.com in place of openSSH.org, or better yet, just drop the whole thing because there isn't even a semblance of a page up there now. That's just my opinion, I may be wrong.
-
Re:two-party vs. three-party authentication
SSH and (IIRC) IPsec use two-party authentication. That means anyone can talk to anyone else, but as another article pointed out it also opens the door to "man-in-the-middle" attacks.
Both SSH and IPsec also include mechanisms for prevention of MITM attacks. SSH uses RSA host keys which can be pre-exchanged (OpenSSH extends this to include PGP-style key fingerprints); IPsec can use a variety of methods including preshared symmetric or PK keys or certificates of various forms (OpenPGP, X509, DNSSEC).
-
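The host-key pinning the comment above describes, shown as an added example that is not part of the original thread and is not OpenSSH's own code: a known_hosts-style lookup in C that decodes the pinned key blob, checks its wire-format type field, and compares it with the key the server presented. The host name bastion.example, the function names and the verdict enum are assumptions made for this example; the two key blobs are constructed test vectors (an all-zero and an all-0xff Ed25519 public key in OpenSSH's blob encoding), not real keys.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed test vectors, not real keys: two Ed25519 public key blobs in the
 * OpenSSH wire format, base64 encoded as they appear in known_hosts. KEY_A wraps
 * an all-zero 32-byte key, KEY_B an all-0xff one. */
#define KEY_A "AAAAC3NzaC1lZDI1NTE5AAAAIAAA" "AAAAAAAAAA" "AAAAAAAAAA" "AAAAAAAAAA" "AAAAAAAAAA"
#define KEY_B "AAAAC3NzaC1lZDI1NTE5AAAAIP//" "//////////" "//////////" "//////////" "//////////"

/* Constructed known_hosts text; the host name is an assumption. */
static const char *SAMPLE_KNOWN_HOSTS =
    "# constructed sample, not a real file\n"
    "bastion.example ssh-ed25519 " KEY_A " ops@laptop\n";

enum hk_verdict { HK_MATCH = 0, HK_MISMATCH = 1, HK_UNKNOWN = 2, HK_BADLINE = 3 };

int b64val(int c)
{
    if (c >= 'A' && c <= 'Z') return c - 'A';
    if (c >= 'a' && c <= 'z') return c - 'a' + 26;
    if (c >= '0' && c <= '9') return c - '0' + 52;
    return c == '+' ? 62 : c == '/' ? 63 : -1;
}

/* Decode standard base64 (padding optional); returns byte count or -1. */
int b64decode(const char *in, size_t inlen, unsigned char *out, size_t outcap)
{
    unsigned int acc = 0, bits = 0;
    size_t i, n = 0;
    for (i = 0; i < inlen && in[i] != '='; i++) {
        int v = b64val((unsigned char)in[i]);
        if (v < 0) return -1;
        acc = (acc << 6) | (unsigned int)v;
        if ((bits += 6) >= 8) {
            if (n >= outcap) return -1;
            bits -= 8;
            out[n++] = (unsigned char)((acc >> bits) & 0xff);
        }
    }
    return (int)n;
}

/* The blob's first field is a uint32-length-prefixed key type; it must agree
 * with the type named on the line, a wire-format check before any comparison. */
int blob_type_matches(const unsigned char *blob, size_t len, const char *type)
{
    uint32_t tlen;
    if (len < 4) return 0;
    tlen = ((uint32_t)blob[0] << 24) | ((uint32_t)blob[1] << 16) |
           ((uint32_t)blob[2] << 8) | (uint32_t)blob[3];
    if (tlen > len - 4 || tlen != strlen(type)) return 0;
    return memcmp(blob + 4, type, tlen) == 0;
}

/* Compare the key the server presented with the one pinned for `host`. A pinned
 * key that differs is the only MITM signal a two-party protocol has. */
enum hk_verdict check_host_key(const char *known_hosts, const char *host,
                               const char *type, const unsigned char *presented,
                               size_t plen)
{
    enum hk_verdict verdict = HK_UNKNOWN;
    const char *p = known_hosts;
    while (*p) {
        char line[512], f_host[256], f_type[64], f_key[512];
        unsigned char pinned[1024];
        const char *eol = strchr(p, '\n');
        size_t linelen = eol ? (size_t)(eol - p) : strlen(p);
        int n;
        if (linelen >= sizeof line) return HK_BADLINE;
        memcpy(line, p, linelen);
        line[linelen] = '\0';
        p = eol ? eol + 1 : p + linelen;
        if (line[0] == '#' || sscanf(line, "%255s %63s %511s", f_host, f_type, f_key) != 3)
            continue;
        if (strcmp(f_host, host) != 0 || strcmp(f_type, type) != 0)
            continue;
        n = b64decode(f_key, strlen(f_key), pinned, sizeof pinned);
        if (n < 0 || !blob_type_matches(pinned, (size_t)n, f_type))
            return HK_BADLINE;            /* corrupt pin: refuse rather than guess */
        if ((size_t)n == plen && memcmp(pinned, presented, plen) == 0)
            return HK_MATCH;
        verdict = HK_MISMATCH;            /* a pin exists for this host but differs */
    }
    return verdict;                       /* HK_UNKNOWN: first contact, TOFU decision */
}

/* Decode a presented base64 blob and check it against the sample file. */
int verdict_for(const char *host, const char *type, const char *presented_b64)
{
    unsigned char blob[1024];
    int n = b64decode(presented_b64, strlen(presented_b64), blob, sizeof blob);
    if (n < 0) return HK_BADLINE;
    return (int)check_host_key(SAMPLE_KNOWN_HOSTS, host, type, blob, (size_t)n);
}

int main(void)
{
    static const char *names[] = { "MATCH", "MISMATCH (possible MITM)",
                                   "UNKNOWN (first contact)", "BADLINE" };
    printf("genuine key: %s\n", names[verdict_for("bastion.example", "ssh-ed25519", KEY_A)]);
    printf("swapped key: %s\n", names[verdict_for("bastion.example", "ssh-ed25519", KEY_B)]);
    printf("new host:    %s\n", names[verdict_for("db.example", "ssh-ed25519", KEY_A)]);
    return 0;
}
```

The three verdicts are the whole point of pre-exchanging host keys: a MATCH means the pin held, a MISMATCH on a host you have pinned is exactly the case an active attacker produces and should abort the connection, and UNKNOWN is the first-contact decision that only an out-of-band fingerprint check (the PGP-style fingerprint the comment mentions) can settle. A corrupt pin returns BADLINE rather than falling through to UNKNOWN, so a damaged file cannot quietly downgrade a pinned host to trust-on-first-use. Real OpenSSH known_hosts files also carry hashed host names and @cert-authority and @revoked markers, which this example does not parse.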
here are the links
It's not complete, and it's not meant to be.
Maybe this will help make it more so: homepages for some of the software you discuss.
- OpenSSH - http://www.openssh.com/
- [Commercial] SSH - http://www.ssh.com/
- Kerberos Network Authentication - http://web.mit.edu/kerberos/www/
- ENskip - http://www.tik.ee.ethz.ch/~skip/
- Linux FreeS/WAN - http://www.xs4all.nl/~freeswan/
Anyone interested in the software mentioned above, or even just general UNIX security, would do well to take a gander at OpenBSD (http://www.openbsd.org). It's based on 4.4 BSD, like most of the Freenixes, and is designed with security foremost in mind. Think of it as FreeBSD after reading "1984".
;-) It comes with OpenSSH. And Kerberos.
Ooh, and also... stickers! Put them on your box, and maybe the MiBs that break into your house while you're at work won't even bother trying to crack yer system.
Remember: paranoia is good. Anyone with doubts regarding the truth of that statement should check out the Echelon links that have been appearing here lately.
Ciao.
I am the Lord.
-
Re:OpenSSH (SSH 2.x licensing issues)
What licensing issues? How does the ssh1.2 license differ from the ssh2 license?
From OpenSSH History and Credits:
Rapidly after the 1.2.12 release, newer versions bore successively more restrictive licenses. Earlier restrictive licenses forbade people from making a Windows or DOS version. Later licenses (read - v2.x) restricted the use of ssh in a commercial environment, instead requiring companies to buy an expensive version from Datafellows. -
Ssh! It's free
Well, I don't know about Kerberos, but SSH is used a lot at places I contract to. OpenSSH is a free version of the Secure Shell suite. It uses public/private key encryption, as well as symmetric encryption.
It's available to non-US citizens too. Lots of info on it can be found at the url above, but basically, it's a good thing(tm).
-
Re:OpenSSH?
OpenSSH is not vulnerable to this exploit. Mail from Bugtraq:
Subject: Re: Security Advisory: Buffer overflow in RSAREF2
From: Niels Provos
Date: 1999-12-04 22:45:20
In message , Gerardo Richarte writes:
To make this clear: in combination with the buffer overflow in rsaglue.c this makes it possible to get a remote shell on a machine running sshd AND it also makes it possible to use a reverse exploit to gain access on clients' machines, using a malicious sshd.
I fear that this posting should have been even clearer. To sum the problem up more clearly:
ssh-1.2.27 (if compiled with RSAREF2) is vulnerable. Attackers can obtain a shell on the machine running sshd. The exploit uses buffer overflows in the RSAREF2 implementation AND in the rsaglue.c file in ssh-1.2.27. I am surprised that there wasn't a bigger outrage on the mailing list about this, it is quite serious!!!
On the other hand, OpenSSH is not vulnerable to this remote exploit. Since rsaglue.c was rewritten, OpenSSH does stricter parameter checking than ssh-1.2.27 and these recent problems in ssh-1.2.27 did NOT affect OpenSSH.
Nonetheless, OpenSSH users in the USA that use OpenSSL compiled with RSAREF2 should update their ssl library (since isakmpd or httpd may be affected), see previous postings on Bugtraq, and http://www.openbsd.org/errata.html#sslUSA
Another thing is worth mentioning, RSA could use the buffer overflow in RSAREF2 to scan machines in the USA for RSA license violation. For example, sshds that do not use RSAREF2 will behave differently than those that do.
Information on OpenSSH can be found at http://www.openssh.com/
Information on OpenSSL can be found at http://www.openssl.org/ -
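The "stricter parameter checking" the mail credits to OpenSSH's rewritten rsaglue.c, shown as an added illustration in C that is not the RSAREF2, ssh-1.2.27 or OpenSSH source: a glue routine that sizes its copy from a peer-supplied key length, beside one that validates that length against the compile-time maximum before using it. The constants, the struct layout and the function names are assumptions made for this example rather than the real RSAREF2 definitions, and the payload is constructed zero bytes, not RSA data.

```c
#include <limits.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Assumed for the illustration: a compile-time maximum modulus with scratch
 * buffers sized from it, which is the shape of bug the advisory describes. */
#define MAX_RSA_MODULUS_BITS 1024
#define MAX_RSA_MODULUS_LEN  ((MAX_RSA_MODULUS_BITS + 7) / 8)

/* What the peer hands the glue layer: a claimed key size in bits and a block of
 * bytes of (supposedly) that length. Both fields are attacker controlled. */
struct peer_block {
    unsigned int bits;
    const unsigned char *data;
    size_t len;
};

/* Constructed demo buffers: zero bytes, not RSA data. */
static unsigned char demo_payload[256];
static unsigned char demo_out[256];

/* Byte length the glue derives from the claimed bit count. Unsigned wrap means a
 * claim near UINT_MAX yields a tiny value, not a huge one. */
size_t modulus_len_from_bits(unsigned int bits)
{
    return (bits + 7u) / 8u;
}

/* Vulnerable shape: fixed scratch buffer, copy length taken from the peer's
 * claim, nothing relates the two. Correct only while bits <= MAX_RSA_MODULUS_BITS;
 * a larger claim writes past `scratch`. Never feed it untrusted input. */
int glue_unchecked(const struct peer_block *b, unsigned char *out, size_t outcap)
{
    unsigned char scratch[MAX_RSA_MODULUS_LEN];
    size_t modulus_len = modulus_len_from_bits(b->bits);

    if (b->len < modulus_len || outcap < modulus_len)
        return -1;
    memcpy(scratch, b->data, modulus_len);   /* BUG: modulus_len is unbounded */
    memcpy(out, scratch, modulus_len);       /* stand-in for the RSA operation */
    return (int)modulus_len;
}

/* Hardened: reject the claim before deriving anything from it, and compare the
 * bit count itself so the wrap above cannot launder a huge claim into a short
 * length that passes a byte-count check. */
int key_bits_acceptable(unsigned int bits)
{
    return bits != 0 && bits <= MAX_RSA_MODULUS_BITS;
}

int glue_checked(const struct peer_block *b, unsigned char *out, size_t outcap)
{
    unsigned char scratch[MAX_RSA_MODULUS_LEN];
    size_t modulus_len;

    if (!key_bits_acceptable(b->bits))
        return -2;                           /* oversized or zero-length key */
    modulus_len = modulus_len_from_bits(b->bits);
    if (b->len != modulus_len || outcap < modulus_len)
        return -1;                           /* wire length must match exactly */
    memcpy(scratch, b->data, modulus_len);
    memcpy(out, scratch, modulus_len);
    return (int)modulus_len;
}

int main(void)
{
    struct peer_block honest  = { 1024, demo_payload, 128 };
    struct peer_block hostile = { 2048, demo_payload, 256 };

    printf("1024-bit claim, checked path: %d\n",
           glue_checked(&honest, demo_out, sizeof demo_out));
    printf("2048-bit claim, checked path: %d (rejected)\n",
           glue_checked(&hostile, demo_out, sizeof demo_out));
    printf("2048-bit claim, unchecked path would copy %zu bytes into a %d-byte buffer\n",
           modulus_len_from_bits(hostile.bits), MAX_RSA_MODULUS_LEN);
    printf("UINT_MAX claim derives length %zu: check bits, not derived bytes\n",
           modulus_len_from_bits(UINT_MAX));
    return 0;
}
```

The check belongs on the value the peer actually controls (`bits`), before any arithmetic is done on it; a check on the derived byte count alone is bypassable through the unsigned wrap shown in the last line of output. The exact-length test in the hardened path is the other half of "stricter parameter checking": a block that is shorter or longer than the modulus is a protocol error, not something to truncate or pad silently.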