Slashdot Mirror
OpenSSH Now Supports SSH2
Anonymous Coward writes: "The OpenSSH project released version 2.1 earlier this month. It now supports the SSH2 protocol. SSH2 is regarded by many as a more secure protocol (but was for a long time only supported in a restricted license implementation)." Nice work, guys. I'm downloading the
source,
I'm buying a
T-shirt,
life is good.
You can use OpenSSH as a a wrapper around any TCP connection, including FTP (although) i don't know if it handles data ports right). Of course, there is a nice little thing called scp.
I also struggled with TeraTerm.
why don't you check out 'PuTTY' it's a telnet/ssh/raw client:
http://www.chiark.greenend.org.u k/~sgtatham/putty/
it works great !
(plus it has basic xterm mouse-handling !!! so you can just cut'n'paste between Windows and the terminal with your mouse-buttons !!!)
--
Dutch Linux Users Group
--
Ehm... I'm not very creative
There's a .spec file buried in the openssh tarball, which you can use to build your RPMs. It's not a very "high-quality" .spec file, but should be good enough to put together a basic package with all the defaults.
Last year I mailed the maintainer a far more robust spec file, which I use, but, as typical with most OSS developers, the mail simply vanished into a black hole. Screw 'em.
Does it have zmodem support? The last time I checked, no. SCRT has it though. :)
Ant(Dude) @ Quality Foraged Links (AQFL.net) & The Ant Farm (antfarm.ma.cx / antfarm.home.dhs.org).
I keep wanting to use OpenSSH,but it only supports Kerberos IV authentication. It ought to be easy to hack in GSSAPI or Kerb V, but there seems to be some political issue with protocol numbering that keeps this from happening. Search deja for openssh + Kerberos to see what I'm talking about.
Are you sure? Or do you want to catch the /. kiddies out in not being too knowledgeable?
>Number two is that scp2 doesn't quite work, because it uses a proprietary protocol, although you can use scp1 over ssh2 fine.
scp uses ssh to transfer files. ssh supports the version 2 protocol - this is clearly documented and not "proprietary" as you claimed. What is proprietary is the sftp protocol used by ssh.com's commercial server. Is this what you mean?
.my 2p
Dont forget that OpenSSH is also bundled as part of the forthcoming OpenBSD 2.7, which is due to be released on the 15th June.
.. I always had the impression of OpenBSD as lacking in features and friendliness compared to the other *nices, but after using Linux as a stepping stone to learn my way around, I cant wait to really sink my teeth into OpenBSD 2.7!
:D
I just installed OpenBSD-current for the first time from anoncvs to test it out, as part of a migration from Linux to OpenBSD, and it utterly rocks so far! The huge difference is just the fact that it is secure out of the box, and comes with a wealth of audit scripts that scan the box every day and mail you with automated changelogs and security alerts. I can easily believe their claim that they have not had any remote exploits for over 2 years.
Big kudos to the OpenSSH and OpenBSD teams
PS: No affiliation to openbsd myself; I visited the webpage for the first time 3 days ago
--
Anil Madhavapeddy, anil@recoil.org
Is sftp a priority in the TODO list ?
wolruf@gmail.com
umm...
:-)?
.0 programs. I wouldn't probably put it on any production-secure servers, but I'll probably be watching and helping shake it out on non-production machines.
a) openssh has been out for some time (though this ssh2 protocol stuff is new)
b) c'mon, this is the openbsd team. You think they'd jeapordize their record
you've got a point, but this is probably a lot better than most other
The Matrix is going down for reboot now! Stopping reality: OK. The system is halted.
umm.. those links just go to other pages on openssh.com
there are two development groups (from what I see on the page), a core openssh group (which handles openbsd) and a porting group. While a little bit unusual, I don't really see how the org structure harms that much (or maybe it's just a personal thing among developers, I wouldn't know about that).
The Matrix is going down for reboot now! Stopping reality: OK. The system is halted.
I had the same problem getting 'password incorrect' every time I tried to log in to my Slackware machine. After reading the FAQ, I found the solution. You have to link OpenSSH with libcrypt:
./configure [options]
LIBS=-lcrypt
Works perfectly for me now.
Well, it might be more secure, but openssh has the ssh-agent for RSA keys, so it seems that it just hasn't gotten DSA keys yet.
Unfortunately, a new version of openssl is required and rpms for it seem harder to find (no luck at freshmeat or rpmfind).
The good news is that the old openssh/linux site (which seems to be in the process of being phased out) still exists and has links. Here is a list of mirrors completely distinct from those listed at www.openssh.com. Start with one of them to get the openssh rpms. Then look in the "support" subdirectory to get openssl-0.9.5a-1.
Let's hope that these other openssh mirrors continue to exist!!
Read the README.openssh2 file. It talks all about generating DSA keys, and converting to and from commercial ssh2 key format.
To get something done, a committee should consist of no more than three persons, two of them absent.
1) I never claimed to be involved with Theo's OpenSSH Project.
2) there is no competing project.
3) there is no FUD [*1]
4) actually I offered it again, this time to Markus Friedl, who does most of the work. [*2]
[*1]
Actually Markus thought the same, after I explained some things to him, the structure of the OpenSSH Project suddenly was changed, (which is Good [TM]) there now is a 'OpenBSD' and a 'Ported' version of SSH. The websites are also merged.
So if you feel some of the stuff on the site is FUD you have to realise that it was written before the OpenSSH Project addressed the issues I raised.
[*2] ..
Markus hasn't decided if he wants to accept the offer
Your score: 1 correct fact, 1 incorrect suggestion, 3 incorrect facts, 1 useless 'what if'.
--
--
Exit! Stage Left!
C'mon, this is free software, the openssh team don't control its distribution and can't rescind its license. Wheras the non-free ssh2 is in the hands of a single company who can pretty much stop all development for a given platform whenever they please. Is it really sensible to give the proprietory version more weight because a few people may have moronic streaks?
perl -e 'fork||print for split//,"hahahaha"'
There are still a couple of holes in the support. Number one on my annoyance list is that the agent does not yet support DSA keys, so you have to type in a password whenever you connect to an ssh2 host. (Unless I've missed something somewhere.)
Number two is that scp2 doesn't quite work, because it uses a proprietary protocol, although you can use scp1 over ssh2 fine.
Otherwise, it works great. There's a tool to convert ssh2 keys into a form ossh understands, and I had no problem using it.
From ssh-keygen man page: (my emphasis)
:-)
-x This option will read a private OpenSSH DSA format file and print a SSH2-compatible public key to stdout.
-X This option will read a SSH2-compatible public key file and print an OpenSSH DSA compatible public key to stdout.
Am I the only one who finds this a little strange?
Maybe that's why they call them asymmetric ciphers
----
Stop worrying about the risks of nuclear power and start worrying about the risks of not using nuclear power.
--
A while ago Slashdot had an article on the OpenSSH dot org controversy. Emmet would write a follow up to it. But it never came. I would very much like to know how it ended and if the openbsd com site now finally supports other platforms (like GNU/Linux) or links to other free implementations.
For those of us who still have to suffer with modems, SSH version 2 is absolute crap. Sessions are extremely slow, and often halt for no reason. When both sides are on modems, results are even worse. It is absolutely impossible to do anything that requires frequent keypresses (try editing a file, its horrible) because of the extreme latency.
SSHv1 and the old OpenSSH have none of these problems. SSHD2 with fallback to SSHD1 still has all these problems, even though it is using the SSH1 client.
I always loved the fact that SSHv2 had bad licensing, so most people didn't use it. Now with this, more intelligent people will be using version 2 daemons, which means the rest of us who aren't lucky enough to have fast connections will suffer.
--- Free Dynamic DNS http://www.staticky.com/
I run a 'dual-platfom' shop (bread and butter boxes are HPUX, my desktop & primary mail reflector are linux) and was quite pleased to discover this Thursday. Built openssh for both platforms but only installed on the linux machine. I've since run into the problem of the old ssh clients (ssh-1.2.7) not consistently connecting to the new ssh (openssh) server using protocol v1. Things work fine after daemon init, but falter after some time. Forcing a ssh2/dsa connection is a little more reliable.
This really hurts me with scp stuff back and forth.
Problem manifests itself as a 'password incorrect' error. Nothing obvious when using -v at the client & debug/nodaemon flags at the server.
I've not fully digested this problem yet so I haven't majorly pursued this (or filed any bug report). I want to make sure it's not MY fault. If you have a sizable ssh1 implementation you may want to stick this on a single box & watch it a day or two. I plan to upgrade ALL my unix boxes.. but will still need some ssh1 support as my PD win (HUSH) ssh clients only support ssh1.
Thx to the OpenSSH team for 'helping' us with that goofyass ssh2 license problem the 'other' product has.
-'fester
Okay, so it wasn't that much hassle installing both versions, but the OpenSSH way is a neater solution.
Now the real question -- apparent minor lack of functionality aside -- is: how long before we're all happy to chuck out our official copies of both SSH 1 and 2 and start using OpenSSH instead? How long do people wait before deciding "It's been out long enough that it's probably as secure as the alternative"? (It being something of a faith issue for those of us who don't have the time or skill to do a full audit of the code.)