Slashdot Mirror
OpenSSH Gets Even More Suspicious
If you remotely administer any computers, or need to check your email over an untrusted network, odds are you're already familiar with the wonders of OpenSSH. Markus Friedl yesterday posted a release announcement for the newest version, OpenSSH 3.3. Privilege separation in OpenSSH is now enabled by default, another sign of the entire OpenBSD project's appropriate paranoia.
The way I read the headline, "OpenSSH Gets Even More Suspicious", it sounded like we're supposed to be more suspicious of OpenSSH.
:P
What has the world come to, where we can't even trust OpenSSH?
Oh, OpenSSH is more suspicious of its environment! That makes more sense!
Open Source software continues to impress me after so many years. This again proves, how much better software can be, if you remove management, lawyers, sales department etc. and make good programmers work together without short-term profit in mind.
You mean they didn't accept the patch you wrote for them!? Ludicrous. Maybe they're too busy being whipped along by people who don't give anything back to the OS community to evaluate your code. ;) I mean... You obviously feel strongly about it so you HAVE to have written a patch, no?
If they KNOW about it, and I'm sure they do, then they'll patch it. They're not Microsoft, afterall. In the meantime, if you're not a developer, lay off the whip. Like you said- the bug is recent, if they let a few months fly by without doing anything then you can start complaining.
-Sara
Except telnet does zero encryption. It is a trivial matter to sniff passwords from an unencrypted link, and inserting data is not much harder. Changing passwords frequently is kind of pointless if you are setting your new password over an insecure link.
One-time passwords are better, but they are still vulnerable to TCP insertion attacks.
Yes, these things have been exploited in the wild. SSH exists for a reason.
If security problems in SSH itself worry you (and they should), privilidge-seperated ssh is the answer. By seperating the privilidged code from the code that talks to the client and defining a good interface between them, it limits the amount of stuff that can go wrong and the quantity of code that needs to be audited.
Who says the attack is local? Your packets cross from 5 to 20 hops before getting to their destination. Routers can be compromised, theough security weaknesses or through deliberate government interference. OpenSSH also allows for host authentication, so you know you are really talking to who you think you are. A secure transport is about more than some guy on your LAN sniffing your password.
I've had enough abrasive sigs. Kittens are cute and fuzzy.
One issue with password cracking and sniffing is that it is critical to have a unique password for every site you have accounts at.
Under SSH, I can set up systems so that password logins only work on the physical console, not over the network. I can create a strong private key (passphrase protected) and install my public key on the remote servers, using the same key for many different servers without the security issues that come from using the same password across disparate sites.
I do not deploy Linux. Ever.
The usual complaint from people favoring the GPL is that it's not Copyleft, so it's free even for people not interested in freedom for anyone but themselves, but I think nobody - from the FSF to Microsoft - would say it is not free itself.
Programming can be fun again. Film at 11.
I agree. IP over SSH is a bad idea for the same reasons why TCP over TCP is a bad idea.
Code that's already out there will always be free to "roam the wild plains"
As someone who used to go around cracking *NIX systems, and sniffing out login/passwords with ridiculous ease back in the early to mid 90s, I can say yes SSH is a very good thing. It was good to see sysadmins shut down their telnet daemons for good and require that people download and use a SSH client to connect to systems.
Zoot!
Technically, you're correct, but in the larger view, there is a historical pattern where free code gets 'adopted' by a company, and the company adds lots of functionality to the free code, so that eventually the free code is no longer competitive, and everyone switches over to using the closed-source product. At that point, the code is no longer free (except for the "old" code which is no longer useful or used, and thus doesn't count). This is what happened to Unix in the 70's and 80's, leading to Unix's fragmentation and irrelevance as a platform. With GPL code, you don't have to worry so much about v2.0 coming out as closed-source, leaving you with a choice between staying with v1.0 or losing the benefits of open source.
I don't care if it's 90,000 hectares. That lake was not my doing.
It seems to me that the entire GPL vs BSD debate is nothing more than a pastime for those with nothing better to do. Just think about it, a bunch of non programmers standing around bickering about licenses they'll never put anything out under anyway. Arm-chair quarterbacking for geeks.
As for actual developers, well there too the debate, or at least an ongoing never-ending squabble, is essentially pointless. Each programmer or team of programmers is going to choose and use the license they like best for the reasons they consider important. They have EVERY right to make this choice as they are the one's doing the work. Whether anyone else likes it or not is completely irrelevant.
Personally I like both licenses, but for different reasons. I see the GPL as a munition, a weapon. Putting high quality implementations of key tools and programs out under the GPL makes sure that the Microsofts of the world play nice by not being too greedy and/or abusing their customers. The downside to the GPL is that you're not going to obtain any financial gain from the products you release under it. There are rare exceptions such as RedHat, but then that company's product is a delivery system for GPL's software more than the software itself. Ultimately the value of GPL'd software is strategic, not directly economic. The GPL is most suitable for fundamental technologies that NEED to be kept absolutely open to ensure that incompatibilities don't creep in due to proprietary implementations. The BSD license is good because the code can be included in commercial programs. Now some people might start foaming at the mouth at the mere mention of commercial software. Of course these same people are usually in high school, college, or 35 and still living in their parent's basement.
Commercial software is what makes products that don't enjoy a wide following possible. Open Source is like socialism in a way. (Actually I don't think that my comparing Open Source to socialism was a very polite thing to do. Socialism is a system by which the abilities of one person are forcibly exploited to fulfill the needs of another. It and communism are but two points along the same continuum.) The base needs of the many are fulfilled, but what about the needs of the few? Does it make sense to try and organize a project to create an open source program to track oil deposits? How about an open source medical imaging system? There are some products for which there is a very small need in terms of how many people need the product. These same people are more often than not willing and able to pay good money to see that these products get created however. Also there is the question of expertise. Programmers are not experts on the best way to do everything possible with a computer. Imagine if someone tried to create an open source implementation of SPSS. Now what if I told you that such a project existed (PSPP) and that it hasn't gone ANYWHERE. The reason is that programmers are not statisticians. Their ability to verify the correctness of their own software's out put is next to nil.
At the end of the day both the GPL and BSD licenses have a useful function to perform. So does commerical software. Anyone who continuously argues about the role these three should play doesn't understand them in the first place.
Lee
Muslim community leaders warn of backlash from tomorrow morning's terrorist attack.
Many of us who transfer large amounts of data over the internet (TBytes worth) don't care about people decrypting our files. (To you my files would like random numbers anyway.)
We only really care about safegaurding the authentication process. In fact I would love to see a feature in scp where only the authentication is encrypted and all other data transfers are not.