Slashdot Mirror

Your an idiot. Linux is Easy to use. Problem is lack of software. I can't use any OS that doesn't have putty.

"Your" either trolling, misinformed or just stupid. https://www.ssh.com/ssh/putty/...

Bull crap - there are plenty of non OSS/FSF licensed SSH implementations, go to freaking SSH.Com if you don't believe me. What I think you *meant* was, "its unlikely that they were able to give the box ssh ability without using any of the FSF copyrighted material" and still keep it at a price palatable to the mass market. These companies all want the convenience of a closed license without the cost.

http://www.ssh.com/support/downloads/secureshellwks/non-commercial.html

This is the answer to your problems.

This SSH client comes with bot the standard terminal program for SSHing and getting a shell, but it also comes with an SCP component. It looks like most FTP clients I've seen - Click a button to open a connection, in the resulting dialogue box, put in the server to connect to and the username to use to connect, click connect, type in password when prompted, and then Voila', you're given on the Left-hand side of the program, a list of your local files, and on the right side of the program, a list of the remote computer's files. To upload or download, drag and drop (from either inside the program from the left to right or right to left; or drag and drop works from the Windows explorer).

See? Encrypted (it's ssh). FTP-like. Keeps security in mind without jailing users, at the same time that it keeps their passwords safe, at the expense of a little speed.

~Wx

And in addition to that, would even the laws themselves ever be approved if they weren't enforced selectively? If developing file sharing apps is now criminal, they should start their lawsuits here.

I wonder what they'll try to pull when everyone switches to encrypted and friend-routed sharing...

Consider the following:
One must be mindful of what one stores on encrypted volumes and drives and files.
I have considered for quite some time that this type of spam may just be a setup for the cryptanalysis attack.
Viva la paranoia, the fix to this issue is simple, wrap your spam in tin foil and DOD flush before committing changes permanently to disk.

Credit for the definitions below to http://www.ssh.com/support/cryptography/introducti on/cryptanalysis.html
Known-plaintext attack: The attacker knows or can guess the plaintext for some parts of the cipher text. The task is to decrypt the rest of the cipher text blocks using this information. This may be done by determining the key used to encrypt the data, or via some shortcut.
One of the best known modern known-plaintext attacks is linear cryptanalysis against block ciphers.

Chosen-plaintext attack: The attacker is able to have any text he likes encrypted with the unknown key. The task is to determine the key used for encryption.
A good example of this attack is the differential cryptanalysis which can be applied against block ciphers (and in some cases also against hash functions).
Some cryptosystems, particularly RSA, are vulnerable to chosen-plaintext attacks. When such algorithms are used, care must be taken to design the application (or protocol) so that an attacker can never have chosen plaintext encrypted.

ElCryptito

Nothing l337 about it. check out port forwarding with ssh:
http://www.ssh.com/support/documentation/online/ss h/adminguide/32/Port_Forwarding.html

There is a myriad of guides on how to do this. The setup doesn't come from within your VNC apps, but from ssh.

Set up your ssh server and clients. Use public key cryptography instead of a password. Run your VNC server and make sure it is accessable from the machine that is running your ssh server. It can be the same machine, but it doesn't have to be. Don't forward your VNC server port over the internet at the firewall. Just forward your ssh server port.

Now from your client, simply activate the port forwarding. You will be forwarding ports on the local (client) machine that are accessable by your VNC client. I start with 5902:

ssh sshserverurl -L 5902:vncserver:5900

note that vncserver only needs to be resolved by the ssh server, it could easily be an internal ipaddress, or even localhost if your ssh server and vnc server are on the same machine.

Once the connection is established, open your VNC client and connect like this:

localhost:2

That tells it to connect to a vncserver running on the client machine at port 5902 (VNC ports start at 5900 as default and go up from there, the :# identifies the port)

The local port 5902 is encrypted and forwarded by ssh over the secure tunnel to your ssh server, and there it is unencrypted and forwarded to your vnc server.

It takes a bit to figure it all out for the first time, but after that it is pretty simple. You can forward multiple ports to multiple remote machines, even forward ports from remote machines TO your client machine. You can use dynamic forwarding to utlize a remote socks proxy for your browser to sidestep your local firewall. The possibilites are endless. Now you can only open one well secured port to the public, and still access all of your services.

Use a MUD client. MUD clients use telnet. They have aliases (for MUDding, but, you can use them for other purposes). You can even set triggers & crap to capture information.

If you need SSH, just have SSH forward a port for the MUD client to use.

There are tons of free MUD clients, Google for them. Tinyfugue, MudMaster, zMUD, whatever you want to use.

what is so 'enterprise' about it that OpenSSH doesn't have?

Yeah but read the license agreement (available if you put in fake info for a trial download on http://www.ssh.com/support/downloads/tectia-client /evaluation.mpl). It clears them of pretty much everything. IANAL, but I don't think this is any more or less protection than what you get from most typical OSI licenses.

8. WARRANTY

LICENSOR EXPRESSLY DISCLAIMS, TO THE EXTENT PERMITTED BY APPLICABLE LAW, ALL WARRANTIES, WHETHER EXPRESS, IMPLIED OR STATUTORY, INCLUDING, WITHOUT LIMITATION, ANY IMPLIED WARRANTIES OF MERCHANTABILITY, OF FITNESS FOR A PARTICULAR PURPOSE, NONINFRINGEMENT OF THIRD PARTY INTELLECTUAL PROPERTY RIGHTS, AND ANY WARRANTY THAT MAY ARISE BY REASON OF TRADE USAGE, CUSTOM OR COURSE OF DEALING. LICENSOR DOES NOT WARRANT THAT THE SOFTWARE WILL BE FREE FROM BUGS OR THAT ITS USE WILL BE UNINTERRUPTED NOR THAT THE SOFTWARE WILL OPERATE WITH ANY HARDWARE AND/OR OTHER SOFTWARE OR REGARDING THE USE, OR THE RESULTS OF THE USE, OF THE SOFTWARE OR DOCUMENTATION IN TERMS OF CORRECTNESS, ACCURACY, RELIABILITY OR OTHERWISE. WITHOUT LIMITING THE FOREGOING, YOU ACKNOWLEDGE THAT THE SOFTWARE IS PROVIDED "AS IS," WITHOUT WARRANTY OF ANY KIND.

9. LIMITATION OF LIABILITY

THE ENTIRE RISK AS TO RESULTS AND PERFORMANCE OF THE SOFTWARE IS ASSUMED BY YOU. ANY LIABILITY OF LICENSOR WITH RESPECT TO THE SOFTWARE, THE PERFORMANCE THEREOF OR DEFECTS THEREIN, OR UNDER THIS AGREEMENT, UNDER ANY WARRANTY, NEGLIGENCE, STRICT LIABILITY OR OTHER LEGAL THEORY SHALL BE LIMITED EXCLUSIVELY TO PRODUCT REPLACEMENT OR, IF REPLACEMENT IS INADEQUATE AS A REMEDY, OR, IN LICENSOR'S SOLE OPINION, IMPRACTICAL, TO A REFUND OF THE ACTUAL AMOUNT PAID BY YOU TO LICENSOR, IF ANY, FOR THE SOFTWARE OR SERVICES GIVING RISE TO THE CLAIM.

10. DISCLAIMER OF DAMAGES

UNDER NO CIRCUMSTANCES WILL LICENSOR OR ITS LICENSORS BE LIABLE FOR ANY SPECIAL, INDIRECT, INCIDENTAL, EXEMPLARY OR CONSEQUENTIAL DAMAGES OF ANY KIND OR NATURE WHATSOEVER, WHETHER BASED ON CONTRACT, WARRANTY, TORT (INCLUDING NEGLIGENCE), STRICT LIABILITY OR OTHERWISE, ARISING OUT OF OR IN ANY WAY RELATED TO THE SOFTWARE, THIS AGREEMENT, WHETHER DUE TO A BREACH OF LICENSOR'S OBLIGATIONS HEREUNDER OR OTHERWISE, EVEN IF LICENSOR OR ITS LICENSORS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGE OR IF SUCH DAMAGE COULD HAVE BEEN REASONABLY FORESEEN, AND NOTWITHSTANDING ANY FAILURE OF ESSENTIAL PURPOSE OF ANY EXCLUSIVE REMEDY PROVIDED IN THIS AGREEMENT. SUCH LIMITATION ON DAMAGES INCLUDES, BUT IS NOT LIMITED TO, DAMAGES FOR LOSS OF GOODWILL, LOST PROFITS, LOSS OF DATA OR SOFTWARE, WORK STOPPAGE, COMPUTER FAILURE OR MALFUNCTION OR IMPAIRMENT OF OTHER GOODS. IN NO EVENT WILL LICENSOR OR ITS LICENSORS BE LIABLE FOR THE COSTS OF PROCUREMENT OF SUBSTITUTE SOFTWARE OR SERVICES.

YOU ACKNOWLEDGE THAT THIS SOFTWARE IS NOT DESIGNED OR LICENSED FOR USE IN ON-LINE EQUIPMENT IN HAZARDOUS ENVIRONMENTS SUCH AS OPERATION OF NUCLEAR FACILITIES, AIRCRAFT NAVIGATION OR CONTROL, OR LIFE-CRITICAL APPLICATIONS. LICENSOR EXPRESSLY DISCLAIMS ANY LIABILITY RESULTING FROM USE OF THE SOFTWARE IN ANY SUCH ON-LINE EQUIPMENT IN HAZARDOUS ENVIRONMENTS AND ACCEPTS NO LIABILITY IN RESPECT OF ANY ACTIONS OR CLAIMS BASED ON THE USE OF THE SOFTWARE IN ANY SUCH ON-LINE EQUIPMENT IN HAZARDOUS ENVIRONMENTS BY YOU. FOR PURPOSES OF THIS PARAGRAPH, THE TERM "LIFE-CRITICAL APPLICATION" MEANS AN APPLICATION IN WHICH THE FUNCTIONING OR MALFUNCTIONING OF THE SOFTWARE MAY RESULT DIRECTLY OR INDIRECTLY IN PHYSICAL INJURY OR LOSS OF HUMAN LIFE.

Are you referring to SSH Communications' *free* client? I am a user of both versions of OpenSSH (FreeBSD) and SSH Communications (Windows), and I've not have any problems with both. OpenSSH's version is command-line based and works great on Unix, while on Windows, it's preferable to use a GUI version, which is what SSH Communcations distributes for free. Their client (SshClient.exe) is easy to use and doesn't get in the way. I'm not sure what you are talking about, but SshClient.exe has never crashed on me. Plus, instead of command-line scp, they have a GUI version much like FileZilla, accessible through SshClient.exe /f. While I haven't used much server side SSH on both Open and Communications (besides some OpenSSH sshd configs on FreeBSD), I don't find your argument again buggy software on SSH Communications part justifiable. The only unfornate case is that it seems Communcations has stopped updating their free client version since March 2004 (it was updated pretty often before).

THE PRESS RELEASE FROM http://www.ssh.com/

On May 10, 2005, The New York Times published an article concerning a breach at Cisco System, in which an intruder seized programming instructions for many of the computers that control the flow of Internet traffic. The attention was focused on a 16-year-old in Uppsala, Sweden, who was charged in March with breaking into university computers in his hometown. The crucial element in the attack that provided access at Cisco and elsewhere was the intruder's use of a vulnerable version of Secure Shell software.

Should organizations using Secure Shell become worried? Is this something that could also happen in your network?

SSH1 vs. SSH2
There are two versions of the Secure Shell protocol. The current version, Secure Shell version 2 (SSH2) introduced by SSH Communications Security in 1998 provides several security improvements compared to the original Secure Shell version 1 (SSH1). SSH Communications Security considers SecSh v1 vulnerable and does not recommend its use. The first step in eliminating vulnerabilities in your Secure Shell environment would be to upgrade all SSH1 to SSH2.

Security Maintenance Challenge
But it is not just environments running old SSH1 protocol versions that may be vulnerable against known exploits that can result in similar incidents like the one mentioned in The New York Times article.

For example, several vulnerabilities have been discovered over recent years in the widely used open-source implementation of Secure Shell protocol, OpenSSH.

Keeping OpenSSH environments secure requires constantly updating the environment with latest security patches. However, updating OpenSSH servers involves an extremely laborious and time-consuming process of source-code compilation, testing, installation, and configuration. In large-scale environments this leads to a heavy administrative burden and increased costs. As a result, during the times of constrained IT budgets many organizations have been forced to neglect frequent security patches and software updates making them vulnerable.

Even if organizations are willing to go through the costly process of manually maintaining the software on a regular basis, lack of centralized management can still present a risk. The New York Times writes:

"Government investigators and other computer experts watched helplessly while monitoring the activity, unable to secure some systems as quickly as others were found compromised."

Given the increased use of automation and sophistication of attacks, the window of opportunity for reacting to new security threats is becoming smaller. Therefore, centralized, real-time management of security systems is a critical building block in comprehensive enterprise security.

Solution - SSH Tectia
SSH Communications Security, the original developer of the Secure Shell protocol, provides end-to-end communications security solutions specifically for the enterprise. Its SSH Tectia solution has been developed to overcome the security and manageability issues of large-scale Secure Shell environments.

By standardizing on SSH Tectia throughout heterogeneous enterprise networks, including Windows, Unix, Linux, and IBM mainframes, organizations can cost-effectively implement secure practices for maintaining and using Secure Shell.
The key features and benefits of SSH Tectia for ensuring secure operation include:

Centralized Secure Shell software management enabling real-time updates to a large number of hosts and reducing the window of opportunity for exploits.

Centralized Secure Shell monitoring allowing fast identification of system anomalies.

Enterprise-class support and maintenance services including 24x7 support option enabling fast problem resolution.

FIPS 140-2 certification of cryptographic libraries serving as a proof of reliable implementation of cryptographic functions.

The enterprise-proven Secure Shell code of SSH Tectia is based on the 10 years to in-depth experience of the original development team of secure shell, and based fully on the secure, industry-proven SSH2 protocol.

- Net sales reported for January - June totaled EUR 2.8 million, down 33.1 percent year on year (EUR 4.2 million in Q1-Q2/2004). [...]
- Operating loss was EUR 3.5 million (Q1-Q2/2004: a loss of EUR 3.8 million).

SSH

Yloni? You must mean Ylonen.

The reality is that almost no other commercial software vendor will provide you with updates if you aren't current on maintenance, let alone pirated the software in the first place.

Ehh, what? Seems like a CLEAR MANDATE to me!

I used TeraTerm for years. An excellent product, and I like some parts better then PuTTY.

However I stopped using the product because, TeraTerm's SSH extension doesn't support SSH v2.

There are many security problems with SSH v1. Nobody should use it anymore.

Check it out
It is "Feature-limited version for evaluation, non-commercial and educational use. No license file required."
All the features of SecureCRT at no cost.

Check out the Tectia product family from SSH.com. They offer centrally managed ssh-access which can authenticate from various systems. Sounds like your kind of stuff..

• SSH for Windows - works great for terminal access and secure file transfers.
• Teraterm - network device access via either telnet or serial port. There is an SSH add-on, but I prefer the "real" SSH client above.
• TightVNC - for your Windows boxes
• Superscan - great port scanner and all around TCP/IP utility
• Cygwin - for all your real *nix shell and utility needs

Jason

Start method is rexec

A better ssh client than PuTTY (IMO) which is free for "non comercial use" is SSH Secure Shell.

Is F-Secure SSH 3.2.5 vulnerable?

... on the Nokia 9210 (or 9290 for those in the US) for some time... both VNC and SSH ports have been available for (as far as I remember) over a year... ssh.com used to do a client too, but I can't see it on their site any more... I've found the ssh client very useful, e.g. it means I can set a task (e.g. a long compile) going, leave, then check up on it later from wherever I happen to be...

Oh! And SSH. Don't forget SSH. Or free, at OpenSSH.org.

You don't need open source to get the features of OpenSSH and VNC.

You could use the commercial SSH rather thann OpenSSH and something like Windows Terminal Services or Exceed in place of VNC.

Almost no home users have control of their reverse DNS (and most of those who do don't know how to configure it).

This kind of "hope nobody does a man-in-the-middle attack when i connect for the first time" thing has been done before (perhaps better, juding by the brief description) in SSH Sentinel.

FreeS/WAN's idea is a good one, DNS is just a bad way to make it happen currently. Maybe there should be a separate simple key exchange protocol for this (based on JFK perhaps?)

See www.ssh.com. The Win32 SSH.com client supports SFTP in a most beautiful way.

Why are there so many variants of crypto key formats?

Not only the PKCS series, but also the various encoding methods. And clearly these are inadequate for everyone, so we get PGP formats, SSH/OpenSSH/PuTTY formats, etc.

If there had been a much smaller, more universal set of key formats, interoperable crypto would have been far easier.

On my paranoid days, I begin to suspect the TLA agencies on the standards committees deliberately introduced complexity to limit take-up.

Late posting moderation multiplier=2

gftp in linux supports sftp. For windows there's SSH.com's workstation, which is free for non-commercial use has a nice sftp GUI. There's also FileZilla for windows, which does both ftp and sftp. They all work quite well and have GUI goodness.

IPsec here.
And here.
And you can even check out the sexy girl in the ad for SSH here.

If your mail server has inbound ssh access, you can tunnel POP over it. If your workstation is running Linux, it's:

ssh -L 110:mailhost:110 -l user -N mailhost

And if your workstation is running Windows, it can be done with the SSH client from ssh.com.

Have you actually tried running them together? Like configuring PGPfire to block everything that wasn't authenticated in PGPvpn. You can't do it. There is no interaction between PGPvpn and PGPfire.

SSH Sentinel isn't sold as a firewall, just a VPN solution, but it allows you to block any traffic that you don't have a VPN definition for. I'll take SSH any day over PGP, and it's also free for non commercial use.

According the the link provided:

SSH Secure Shell for Windows Servers provides strong Secure Shell version 2 connectivity, encryption and authentication for servers running Windows NT 4.0, 2000 and XP.

I would just like to point that the roots of SSH go to SSH Communications Security - and more specifically to Mr. Ylönen, the CTO of the company. I consider their implementation the best as they have the most knowledge of the product and they have very skilled programmers.

As quoted from "In 1995, Mr. Ylönen invented Secure Shell for remote logins. From that time, Secure Shell has been available to download from the Internet and free for noncommercial use. The program became immediately very popular."

,gr8guy

Both OpenSSH and SSH are industry proven and supported software. SSH is supported by the original author of the protocol, Tatu Ylonen, among others. OpenSSH is supported by acknowleged Open Source security experts including Markus Friedl, Dug Song, and Theo de Raadt.

The version of SSH that Sun is shipping with Solaris is in fact OpenSSH. Sun is not trying to hide this, they are proud of shipping it because it is an excellent program.

Most major insurance companies run SSH (if they are Microsoft shops) or OpenSSH (if they are not). Most hospitals run OpenSSH.

I use both products. Support is superb for both; but SSH.com has friendly, personable phone support while the OpenSSH support comes mostly from Usenet and Email (and can be fiery if you ask exceptionally stupid questions). OpenSSH fixes bugs faster than SSH.Com, but both products have had about the same number of problems, and all have been quickly and effectively resolved.

Popular clients for windows include putty and Teraterm SSH. Make sure you get a recent version, however, older versions of those programs use versions of SSH ( v 1.5) that have known bugs.

If you are dealing with a company that thinks commercial software is "better" than "freeware" you should be careful how you approach this project. If there is a single person who has created this mindset, that person is likely to be both powerful and not very analytical - a dangerous combination.

Both OpenSSH and SSH are industry proven and supported software. SSH is supported by the original author of the protocol, Tatu Ylonen, among others. OpenSSH is supported by acknowleged Open Source security experts including Markus Friedl, Dug Song, and Theo de Raadt.

The version of SSH that Sun is shipping with Solaris is in fact OpenSSH. Sun is not trying to hide this, they are proud of shipping it because it is an excellent program.

Most major insurance companies run SSH (if they are Microsoft shops) or OpenSSH (if they are not). Most hospitals run OpenSSH.

I use both products. Support is superb for both; but SSH.com has friendly, personable phone support while the OpenSSH support comes mostly from Usenet and Email (and can be fiery if you ask exceptionally stupid questions). OpenSSH fixes bugs faster than SSH.Com, but both products have had about the same number of problems, and all have been quickly and effectively resolved.

Popular clients for windows include putty and Teraterm SSH. Make sure you get a recent version, however, older versions of those programs use versions of SSH ( v 1.5) that have known bugs.

If you are dealing with a company that thinks commercial software is "better" than "freeware" you should be careful how you approach this project. If there is a single person who has created this mindset, that person is likely to be both powerful and not very analytical - a dangerous combination.

If you want a "industry proven and supported" product that supports SSH protocols, then the original SSH is what you want, but you'll (obviously) have to pay.

If you want a "industry proven and supported" product that supports SSH protocols, then the original SSH is what you want, but you'll (obviously) have to pay.

If you want a "industry proven and supported" product that supports SSH protocols, then the original SSH is what you want, but you'll (obviously) have to pay.

If you want a "industry proven and supported" product that supports SSH protocols, then the original SSH is what you want, but you'll (obviously) have to pay.

If you want a "industry proven and supported" product that supports SSH protocols, then the original SSH is what you want, but you'll (obviously) have to pay.

If you want a "industry proven and supported" product that supports SSH protocols, then the original SSH is what you want, but you'll (obviously) have to pay.

If you want a "industry proven and supported" product that supports SSH protocols, then the original SSH is what you want, but you'll (obviously) have to pay.

Here is the extra link to the parent. SSH Client for Windows
Whoops ;)

~Shane

There are several options for commercial SSH vendors. I found myself in a similar position a couple of years ago. I worked at a company that provided 24/7 security support to hundreds of companies, and _had_ to have a commercially supported SSH for both insurance and customer relation purposes. We started out using F-Secure, but the licensing and support was terrible. On top of that we found out that F-Secure simply licensed SSH.com's code and rebranded it. We worked a fantastic deal with ssh.com that allowed us to deploy SSH enterprise wide. On top of the good deal, we found the support to be excellent. At one point we needed some LDAP integration done and SSH.com had it done by the next release. I have also found SSH.com to be better security wise (since they do this to make money) than OpenSSH, check their track record. Anyhow, F-Secure, SSH.com and a couple of other companies offer SSH commercially. Good luck.

So if you really want to you can pay for it.
ssh.com

Yes, it does (Google is your friend :-)


F-Secure's version exists and there's also
(not so suprisingly SSH's version.

Ville

Use the excellent rsync from Paul Makerras (of pppd fame) and Andrew Tridgell (samba team) in combination with OpenSSH and SSH for windows (both based on Tatu Ylonen's work; OpenSSH is maintained by and expert team including Markus Friedl and the recently monkey-cracked Dug Song, among others).

Set up your accounts to rsync-upload changes to whichever server is most secure when you log out, and use a cron job on that server to rsync-download to all the other servers nightly. You can make a tar backup part of the system also.

You will have to remember what's going on so you don't modify the same file differently on two different systems within 24 hours. If you want to overcome that shortcoming by making this work on an immediate sync basis rather than periodically, you'll need something like SGI's fam (included with recent linux distros) to trigger the updating processes.

You should already be 90% there if you have your ssh keys set up for passwordless login. Passwordless PKI logins are not significantly less secure than passworded logins in most situations (granted hostile system management can get you, but the BOFH can trojan your login anyway).

Lots of people use this technique to sync CVS trees over slow links. Rsync is very efficient for that kind of thing (large volume of files, low number of changed bytes).

PuTTY looks like it was designed by cavemen. If you want a decent GUI app for the 21st century, get the SSH Secure Shell Client from ssh.com. It's free, and it runs circles around PuTTY.

Anonymous? Nobody's anonymous on the Internet!