Slashdot Mirror

← Back to Stories (view on slashdot.org)

OpenSSH 3.5 Released

Posted by timothy on from the vavavoom dept.

Dan writes "Markus Friedl announces that OpenSSH 3.5 has just been released with notable updates since 3.4. It will be available from the mirrors listed at http://www.openssh.com/ shortly. Enhancements include bug fixes, improved support for Privilege Separation (Portability, Kerberos, PermitRootLogin handling), RSA blinding in order to avoid timing attacks against the RSA host key and much more. Congratulations are in order for the OpenSSH team's hard work and efforts."

58 of 140 comments (clear)

  1. Check those MD5s! by egg+troll · · Score: 5, Informative

    Remember to check the MD5s of those downloads this time around!

    --

    C - A language that combines the speed of assembly with the ease of use of assembly.
    1. Re:Check those MD5s! by MrWa · · Score: 3, Insightful

      I know this is a good idea, but if someone were to put a trojan in the OpenSSH code...how much harder would it be to put an MD5 that matches the modified code?

    2. Re:Check those MD5s! by Chuuk+Noris · · Score: 3, Informative

      MD5 doesn't use public/private keys. It actually doesn't use any keys at all. It just produces a short checkum (a short string such as "aa44cfb..."), that you can compare with another checksum later, in order to tell if anything has changed.

      That said, it can still be useful-- for example if you get the MD5 checksums from the "main distribution site" or whatever, and then download the actual files from a mirror. That said, a (PGP|GPG) signature is still better.

      --
      -- "--," ?
    3. Re:Check those MD5s! by archen · · Score: 5, Funny

      easy, you check the md5 of the md5.

  2. carefull...Quote from site by L0gAn · · Score: 2, Informative

    ....trojan was discovered in the OpenSSH ftp distribution on August 1st. Anyone who upgraded between July 30 and then is encouraged to read the following advisory to learn how their system may have been compromised.

    At least one major security vulnerability exists in many deployed OpenSSH versions (2.3.1 to 3.3). Please see the ISS advisory, or our own OpenSSH advisory on this topic where simple patches are provided for the pre-authentication problem.

    1. Re:carefull...Quote from site by crimsun · · Score: 2

      Thanks.

      The MD5 checksums for the official and portable tarballs are provided in the announcement here.

  3. Debian by qortra · · Score: 2, Interesting

    I'm a dedicated Debian user; does anyone know the usual lag in getting a new version of OpenSSH into the mirrors (I'm guessing it would go into testing or unstable)?

    1. Re:Debian by dcstimm · · Score: 2, Funny

      Yeah debian isnt mainstream anymore, programs have to be stable to get into debian "unstable".... How smart are they?

      --
      keanmarine.com
    2. Re:Debian by crimsun · · Score: 4, Informative

      There's a fair amount of testing that takes place before the packages are updated. I wouldn't count on 3.5pX going into Sid for a while yet. The more critical fixes might be backported against 1:3.4p1-4, etc.

  4. Wait a while... by carlmenezes · · Score: 3, Insightful

    Wait a while to see if any errors/security holes pop-up. THEN go out and download it. Chances are you've already patched the version you have. Don't replace it with the new one until you're sure that's a good thing. It'll just save you a lot of extra work.

    --
    Find a job you like and you will never work a day in your life.
    1. Re:Wait a while... by zeekiorage · · Score: 2, Insightful

      With warnings like this, nobody will upgrade and no errors/security holes will come out ;).

      I think if you check the MD5/PGP signatures you should be fine.

    2. Re:Wait a while... by evilviper · · Score: 4, Insightful

      That is the most ridiculous philosophy...

      The S/Key exploit wasn't discovered until about 4 releases later. If a piece of software is exploitable, there's no magic formula that will result in you getting it after all the bugs have been fixed.

      It makes some sense for Windows, since everything is secret until a release, and is thrown upon the world in an instant, getting spread far and wide to different enwironments. So, bugs are found, but still doesn't help in the security department.

      --
      Slashdot gets worse every day... Pipedot: News for nerds, without the corporate slant
    3. Re:Wait a while... by dmiller · · Score: 2

      Chances are that this release has fewer security problems, rather than more. If it does have security problems, they are highly likely to affect older version as well - the amount of completely new code is not that great.

  5. Slow Down by Anonymous Coward · · Score: 4, Insightful

    If you do not have concerns with running the latest 3.4, do yourself a favor and let the 3.5 release wait for a few days. OpenSSH has actually become one of those apps I worry about now, joining the ranks of Sendmail and BIND. What a shame...when software designed solely for the purpose of increasing security cannot be trusted, what is left? Trust nothing I suppose.

    1. Re:Slow Down by erik+umenhofer · · Score: 4, Insightful

      It's not the software that having the security problem, it was a hacked server serving up the software and people not checking thier checksums. Don't blame the software when you didn't check your sum.

    2. Re:Slow Down by Anonymous Coward · · Score: 2, Interesting

      I beg to differ. Read the Security Notices and weep. I further contend that source of the compromise has nothing to do with the end result. As such, OpenSSH is officially on my "be wary of list" and will remain there. If not for the actual problems in OpenSSH itself, then simply because it is such a high value target.

    3. Re:Slow Down by pope+nihil · · Score: 2, Insightful

      I'd like to point out that the security record of OpenSSH is much better than sendmail or bind. Having a bug like this only once in a while is better than average.

    4. Re:Slow Down by evilviper · · Score: 2

      Because Privlidge Seperation is in there, even a serious bug will (now) only result in a compromise of a non-privlidged user account.

      That's enough to negate any concerns.

      --
      Slashdot gets worse every day... Pipedot: News for nerds, without the corporate slant
    5. Re:Slow Down by oh · · Score: 5, Insightful

      Because Privlidge Seperation is in there, even a serious bug will (now) only result in a compromise of a non-privlidged user account.

      That's enough to negate any concerns.


      I've heard this argument before, and I don't think it holds water.

      Firstly, do you patch all local privilege escalation vulnerabilities as quickly as you patch remote vulnerabilities? I know I don't.

      Even if there are no local vulnerabilities, they can still scan you system for useful information. They can then use you system to attack other systems from behind you firewall. Do you have a local firewall rule that disallows all outbound connections?

      We had a presentation from a (proxy) firewall vendor that used a hardened OS. They were very proud that each proxy ran in its own little sand-box. The mail outside mail daemon could only access port 25 on the outside NIC, and could only pass email to the inside daemon via a shared spool directory. Their OS prevented any other access from that process.

      Whenever we asked about a specific version of a daemon, they would refer to this sand-boxing and tell us that it wouldn't matter if a particular proxy was hacked out, there was no way the hacker could break through the firewall.

      The company I worked for ran one of the largest (top 10, maybe top 5) web sites in our country. There would have been maybe a dozen other websites with similar bandwidth, and maybe the same number of ISPs. We had to sit down an carefully explain to these sales people that even if the hacked proxy could only access one port on the outside NIC of the firewall, it could DOS almost any other site in the country.

      They left that presentation with worried looks on their faces, and promised to get back to us with the version numbers we were asking for.

      Moral of the story: Any malicious use of you systems is a bad thing. "Privilege Separation" may stop them from rooting the box running OpenSSH, but a malicious hacker could still do a lot of damage.

      --
      Democracy isn't about no one telling you what to do. It's about everyone telling you what to do.
    6. Re:Slow Down by dmiller · · Score: 5, Informative

      Firstly, do you patch all local privilege escalation vulnerabilities as quickly as you patch remote vulnerabilities? I know I don't.

      Please RTFM: An attacker breaking privsep will find themselves in an empty chroot jail with a unique, non-priviliged UID & GID. Leveraging such an attack to even read local files would be very difficult.

      Your points about a broken privsep being used to stage network-based attacks are valid.

    7. Re:Slow Down by EvilAlien · · Score: 3, Insightful

      The moment you start trusting without question is the moment you should give up paying attention to security. Trust is a vulnerability.

      --
      perl -e 'print $i=pack(c5, (41*2), sqrt(7056), (unpack(c,H)-2), oct(115), 10)'
    8. Re:Slow Down by oh · · Score: 2
      but I don't care about the security of your box, especially when compared to the security of my box


      Care. If you are in the US you are even more vulnrable to this then those of us in countires with a smaller internet presence.

      The site I worked for had enough bandwidth avaibale to take a noticable chunk out of the countries international links. If some one couldn't hack your site, but could hack a large site "close" to you then they could DOS you out of existance. They much not be able to hack you, but they can shut you down. For a home site, maybe you don't care? If you running a business off the web, its bad news.
      --
      Democracy isn't about no one telling you what to do. It's about everyone telling you what to do.
    9. Re:Slow Down by evilviper · · Score: 2
      Your points about a broken privsep being used to stage network-based attacks are valid.

      Don't agree with this point exactly... For one thing, many firewalls (I know PF does) have user/group based filtering... So you could block all outbound traffic from the sshd user. Besides that, a chroot can be created that gives the service NO space on the filesystem, meaning they can't even download an DOS tool if you haven't used the afore mentioned firewalling method. I personally use quota rules to make sure some services don't have the ability to write anywhere, even if they aren't chrooted.

      --
      Slashdot gets worse every day... Pipedot: News for nerds, without the corporate slant
    10. Re:Slow Down by evilviper · · Score: 2

      Umm, I should also have mentioned... Even if you take NO measures to secure your chroot, since it is not a root account, using it for DoSing wouldn't be (nearly as) useful, since you can not spoof the IP addresses. At that point, it is more useful to break in to Windows machines for the same purpose.

      Besides, what would you use instead? SSH.com's insecure version, which is known to be vulnerable, and doesn't provide priv. sep. at all?

      --
      Slashdot gets worse every day... Pipedot: News for nerds, without the corporate slant
    11. Re:Slow Down by dmiller · · Score: 2

      That assumes the presence of outbound filter rules. (Your idea to filter the privsep user is an excellent one.)

      You wouldn't need filesystem space to launch an attack - you can upload code into the compomised process' address space, though getting this right would be tricky.

    12. Re:Slow Down by evilviper · · Score: 2
      That assumes the presence of outbound filter rules.

      What does? Spoofing? The privsep user is not root, and therefore does not have the proper permissions needed to stick forged packet directly on the wire.

      You wouldn't need filesystem space to launch an attack - you can upload code into the compomised process' address space, though getting this right would be tricky.

      Not only would it be tricky... It wouldn't allow for long-term situations-it will only be there until the machine is rebooted. That only gives the attacker a very small ammount of space to work with, and can be limited even further with login.conf / ulimit rules, giving the user access to only a very small portion of memory, swap, stack, etc.
      --
      Slashdot gets worse every day... Pipedot: News for nerds, without the corporate slant
  6. embedded ports for OpenSSH by gperry · · Score: 2, Interesting

    Has anyone worked on an embedded port of OpenSSH, specifically the AMD / Alchemy au1500 MIPS core or ARM9?

    1. Re:embedded ports for OpenSSH by Anonymous Coward · · Score: 2, Funny

      yeah, it's called the openssh portable release. to make it run on my arm9 sidewinder (linux), i had to do the following:

      untar it
      type ./configure
      make
      make install

      (remember, the order of the commands is important)

  7. My one bugbear by muzzmac · · Score: 5, Interesting

    Have they put in provisions to separate the SFTP and interactive shell or command execution protocols?

    Last time I tried to play with SFTP I could not get an external company to have SFTP access without a lot of shell level mucking around to stop them having access to log in via shells or rlogin style features.

    And yes I'm lazy, yes I should ask the question in the correct forum and yes I should probably contribute to the project but I am, I couldn't be bothered finding it again and I would be useless to them.

    Anyway congratulations and thinkyou for what is other than my stupid whinge a great product. (Opensource or otherwise)

    1. Re:My one bugbear by Big+Jason · · Score: 3, Informative

      You might want to check out scponly.

      Be aware of the colour scheme on that site though, it's hard on the eyes.

    2. Re:My one bugbear by Phibz · · Score: 4, Informative
      I've used the scp-wrapper perl script and it works excellently. I add a dsa key for the client and in the key in authorized_keys i add command="/usr/sbin/scp-wrapper" ......

      Basically what the script does is clean the environment. The requested command is stored in SSH_ORIGINAL_COMMAND environmental variable. Its checked to make sure it is in fact the command you intend. The options are then checked. Finally the script exec()'s the hardcoded path to the command with arguments supplied.

      Although it comes written for scp i've used it for securing an account so they can't log in, and they can only execute one or two commands of my choosing.

      from what i understand sftp just exec's /usr/libexec/sftp-server. i don't see why you couldn't alter the script to only allow that command.

      also you'll want to make sure the client's ~/.bash_profile, ~/.profile, etc.--all its login scripts--are empty and owned by root so that they don't upload their own "special" login script and undo all your work.

      scp-wrapper can be found here

      Phibz

  8. Hah, this is kinda funny... by coupland · · Score: 2, Troll

    That Linux trojan/virus writers have learned to aim at Linux sysadmins by taking control of very recent patches and adding trojan horses. Seems the best way to attack a Linux system is to try to interrupt the many vigilant admins as they faithfully download patches on the same day they're released... Windows trojans survive on the dearth of upgrades, not their spread...

  9. Re:Stupid question.. by Kwikymart · · Score: 5, Informative

    The same people that make OpenBSD make OpenSSH?

    Whenever some story about, say KDE, pops up everyone is like "this is the best thing for Linux since sliced bread". Reality check: not all people run KDE run it on Linux. I think the BSD people should be entitled to the same "This is what we do for everyone!" type of recognition as everyone else.

    --

    Buying a Dell computer is equivalent to dropping the soap in a prison shower.
  10. Re:Stupid question.. by Clover_Kicker · · Score: 3, Informative

    >What does this have to do with BSD, as opposed to
    >other Unixen?

    OpenSSH was written by folks who also work on OpenBSD.

    Of course, OpenSSH runs on many different *nix flavours.

  11. MD5 is just a hash... by Goonie · · Score: 3, Informative
    It's not (in itself) cryptographically signed.

    You could either GPG sign the MD5 hash of the tarball, or GPG sign the tarball itself to guarantee that the tarball was signed off by the appropriate person.

    --

    Any sufficiently advanced technology is indistinguishable from a rigged demo
    --Andy Finkel (J. Klass?)
    1. Re:MD5 is just a hash... by wirelessbuzzers · · Score: 5, Informative

      They do have a GPG detached sig. The portable version is signed by Damien Miller (and verified, and it matches the MD5), for example. But, on the other hand, Damien miller's key has no sigs on it, so there's no reason for us to believe that it really belongs to him...

      So, in the end, you're just going to have to trust that *somebody* isn't out to get you, unless you want to run through the source code line-by-line... ...Or, you can download it now, wait a few days (faster than examining the source), and see if they post "OpenSSL trojaned!!" to the front page of Slashdot, then install it. Take your pick.

      --
      I hereby place the above post in the public domain.
    2. Re:MD5 is just a hash... by jovlinger · · Score: 2

      heh.

      I'm smiling because that was the method of security that M$ use(s/d?) for activeX controls. Widely derided as unworkable, and prone to misuse (IIRC, someone got hold of a M$ private key, and they had to revoke it.)

      le plus ca change...

    3. Re:MD5 is just a hash... by kasperd · · Score: 2

      Damien miller's key has no sigs on it, so there's no reason for us to believe that it really belongs to him...

      Even before this trojan history I was pedantic about avoiding a trojaned version. I downloaded Damiens public key from every mirror and verified they were identical. I have kept this key around since then, so if anybody were to create a fake key for Damien, I would notice.

      --

      Do you care about the security of your wireless mouse?
    4. Re:MD5 is just a hash... by dmiller · · Score: 3, Insightful

      But, on the other hand, Damien miller's key has no sigs on it, so there's no reason for us to believe that it really belongs to him..

      The key has been pretty widely distributed and has been used to sign OpenSSH releases since nearly day 1 (I used a pgp2.6 key for some of the earlier releases IIRC).

      If the key were to suddenly change, it would be noticed (note that this is exactly the trust model that sshd host keys use).

      I would like to get some signatures on the key, but haven't had much opportunity. Hopefully I'll get off my behind and go to the next Asia-Pacific IETF conference and get some sigs there.

  12. No holes this time.. just minor fixes and upgrades by StupidKatz · · Score: 3, Informative

    There are numerous "fixes" which strengthen openssh in general, but there's no security hole mentioned. Looks like this is just something to do during the next weekend! That is, after everyone ELSE puts it on their production servers, heh heh.

  13. Why I Switched to OpenSSH by Anonymous Coward · · Score: 5, Funny

    OpenSSH gives me the flexibilty and versatility that I demand in mobile computing. As a professional freelance writer, I rely on OpenSSH to customize itself to the way I work to get my job done.

    Before I was using F-Secure SSH, and I always had problems with technical things my poor brain can't comprehend. Now I just tar zxvf openssh.tgz; ./configure; make; sudo make install and generate my public and private keys. It's so easy! OpenSSH gives me more power for less dough -- Girl Scout's honor!

    OpenSSH. It's about more and better.

  14. Re:Where is the public key to check the sig? by wirelessbuzzers · · Score: 2, Informative

    If you are referring to Damien Miller's public key, you can get it off the keyservers. Or, you can get it right here:

    -----BEGIN PGP PUBLIC KEY BLOCK-----
    Version: PGP 8.0 (Build 288) Beta

    mQGiBDqa5pwRBADJSEyXXsgXiyytN93prDPTPmrueRP9lQQf ga QvCvqK0bN0AF1Z
    Vxxk9wlSXQp3+Qw5+qqsN5ovzsn39r9pqG slfCqQn9ACTmsn42 +VCyW4hdwUGSBS
    5myh65ZJTK1ufWCZFssxQ0EiALagu4DlH6 Z2O7tFDnJNagF55v lnK0uMQwCg/8RU
    QYDmisEHjkarAapPaupxjhkD/j9riCVasW PYJwAuhiQWAKxGRw p/ZyTaWCSERUBR
    4Dg9QxpuwHKIT8BeDA3hJa/9Yxu5jec2NV KbtVSZvRkgUfRNOk rcH2eiY8Iz6est
    J64dGWuGMKQW0GEqW+OXpRTTPJZ0mgPmU1 6qDzLPdx6F3BAk2L G+TTwlKUPuGqOt
    6u2EA/4+1CBYZ8mXq9GJnLRBPAoYwSJJzb QnMm9Jat/yg9N6ni gSIiFyG8ixh167
    gGGKfzvpjY7DeJzDI0Cub+tRova8gFg+T1 5AcPMST5v7v6O/ug 9aYWERZ0zjUhRH
    ybtYLYhUUbdYM29PwGBNfZhGIOYwfFE9Up PS5LeXHs28oVLlH7 QuRGFtaWVuIE1p
    bGxlciAoUGVyc29uYWwgS2V5KSA8ZGptQG 1pbmRyb3Qub3JnPo hXBBMRAgAXBQI6
    muacBQsHCgMEAxUDAgMWAgECF4AACgkQzo 7LA4b/nEiDMgCZAU zKq241h5GTJxC0
    guS6ht9i9ZsAoL/oXCmFsofARehZF6AakI dasvS9uQINBDqa5t QQCADz/XnCcyle
    9hmxgyntr35ZQJKx9g6ftBw178JSwM3O7J NOGp398Eh4Q9rkEp 5NH1qVecG953Fu
    edT9IAXqr8pjp5tdqMYCcaKy+aJ0Sw1zVD 2VOY3h7SyfU25pcY iHEa1grfKPVoWm
    53IwWGVVtquF5dimAe75+D0aXyVCOv0Ez9 wgJR6H69lp4/cD2G yNaGarwY9HLvHF
    vXONY2qm/GV5OjyOUO41gmQ4pyXQh+gocF FHrM0AzveIswgNpJ 0xNWXX8iXGsr3Y
    Cvqm7JoIU9JKxDV+96bxDLfTdKpoLYKb68 WdtmAylsio5+iZfW tdOb/Xpk2Yx5Ld
    ady9/+n3m6cvAAURCACrvoVSbd0MR0FWX+ bBZ0NjScNBo3kPSS CnQ6jRHokkz55r
    +MHe7dqxCJ3pmu7aROl2fgug6wob+7+qXf Kke/TdT6wuCb4CdF S6tPgPrfYV+iwq
    2NB/BatePGg7Z6UALaULQ0m83DCEVLJNnj emEdIouShelikAAO 7QDKMr7vAjH8n0
    zwMpwRMXnvCM6zYlS9i1kOm8LVATk0Wyih pQGSaTukdPjKlG7s KwMu20ssK9DGVp
    PgulTZ7rHqXl4juY8LQ2j4dPNaPoKWG8Ju BVCsyf2D6GNW97Pf KQSkzFeZsbVB4S
    RQrVTchgBSYoxRVW3fLk/yc3TC5Abh6Gpj 4izawUiEYEGBECAA YFAjqa5tQACgkQ
    zo7LA4b/nEgftgCdHIZUDVAWDRa5siSi8A os+IiyAgAAn02wGO l1Wo/YJ+RY+c6K
    N58TmAPE
    =rCFY
    -----END PGP PUBLIC KEY BLOCK-----

    --
    I hereby place the above post in the public domain.
  15. Re:Wish list item by twistedcubic · · Score: 2, Interesting

    Maybe you could try rsync -e ssh. I've never tried it, but maybe it would just download the diff, which would just be the remainder of the file in this case. Just a random thought, which may not work :)

  16. Re:Wish list item by joe_bruin · · Score: 4, Funny

    your wish is granted. say you got the first half of pr0n.tar.bz2:

    $ ssh remotehost -c "tail --bytes=\`ls -l | awk '/pr0n.tar.bz2/ { print $5; }' - `ls -l | awk '/pr0n.tar.bz2/ { print $5; }'` | bc\`" > pr0n.tar.bz2

    now, you're smart enough to turn this into a shell script, right? there's a reason openbsd doesn't ship with a "watch" script.

    note that there is probably an error in that commandline since i never tested it. go ahead, post it.

  17. Sigh by starseeker · · Score: 5, Insightful

    I see some highly moderated comments that are saying that ssh is no longer to be trusted, and what's left now?

    My contention is that there NEVER WAS any software as secure as these people seem to have though ssh was, and there never will be. It's just too complex a game, and there are people who seem to live on nothing but attacking systems. Given that combination, there will be weaknesses found, as long as humans are a part of the development equation.

    The situation has been improperly defined by the assumptions we've apparently made. Don't expect UNCRACKABLE software - that's just silly. What we have seen with openssh/openssl is exactly what we should be seeing - inevitable problems being openly discussed and fixed quickly. What if someone were to put a trojaned MS update onto one of Microsoft's servers? Would we even know for months? This kind of crap happens. It's part of the cost and reality of using computers.

    Take the rash of reports of vulnerability as a GOOD thing - it's better to know and fix, than wait for a black hat to find it. Of course we try to code and design to avoid weeknesses, but the reality is that life doesn't work like that, and we need to be ready to handle the problems that crop up. Whether or not this is an indication of a design flaw in ssh doesn't really matter either - that can also be fixed. That's what ongoing development is all about.

    So don't diss SSH too much. Constructive discussion only, please. Remember, it's free, it helps, and it's only getting better. If you don't think it's good enough, help them! You can, you know - open source at it's best.

    --
    "I object to doing things that computers can do." -- Olin Shivers, lispers.org
    1. Re:Sigh by PigleT · · Score: 2

      "Don't expect UNCRACKABLE software - that's just silly."

      Agreed. Note also the move towards running fewer services and firewalling so that only ports 22 and 80 are open - and wide open, at that. It is my guess that we wouldn't see so many PHP scripting vulnerabilities on bugtraq if people wrote native applications instead of web-apps for e.g. calendaring, groupware, etc, but using their own custom port#s for the purpose instead of flattening everything onto 80.
      I'm not surprised that sort of thing has brought forth a rash of ssh updates.

      I'd also like an alternative to openssl and openssh, other than freessh and lsh which aren't all that well developed yet, but time will tell on that front.

      --
      ~Tim
      --
      .|` Clouds cross the black moonlight,
      Rushing on down to the circle of the turn
  18. Re:RSA by Permission+Denied · · Score: 5, Informative
    print pack"C*",split/\D+/,`echo "16iII*o\U@{$/=$z;[(pop,pop,unpack"H*",
    )]}\EsMsK sN0[lN*1lK[d2%Sa2/d0

    NO CARRIER

    You again. Excellent troll, but you need to choose a different motif for your nicks.

    For the uninitiated: that is not perl. It is line noise with some perl operators, bundled into a cleverly-masked troll. This guy is an old sport at this, previously using the name "PhysicsGenius". Check his (short) user history, and this guy's posting history. I simply cannot believe that moderators would be so idiotic as to mod this stuff up, so my conjecture is that he has two accounts: one to troll, and another serious account with mod points. It may be interesting to correlate average time between mod points to his posting history.

    Relevant anecdote: the original OpenSSH sources had an "RSA in six lines of perl" in a comment of one of the source files. Theo removed that in some version. A little too much angst there, if you ask me - this stuff is supposed to be fun.

  19. Re:sweet by Anonymous Coward · · Score: 2, Informative

    why wait for apple? just compile it yourself....thats the beauty...

  20. Too much change? by timeOday · · Score: 2
    Today at work I got a phonecall. The admins portscanned the network, found out I was running OpenSSH, and made me remove it and install a precompiled F-Secure SSH. This bugs me because who knows what they might have implemented my new precompiled ssh?

    Anyways, I think they scanned for OpenSSH because of the recent problems. It seems they release a new version every couple of weeks. There are bound to be bugs. Now, I tend to think that closed-source software probably has more latent bugs and there's just no way to know, but the perception is that constant change means instability and insecurity.

    1. Re:Too much change? by PigleT · · Score: 2, Insightful

      Your sysadmins are obviously pillocks if they either (a) believe everything in a version banner or (b) don't understand that it's better to have a fixed bug than a multitude of unknown bugs.
      Time to update the CV...

      --
      ~Tim
      --
      .|` Clouds cross the black moonlight,
      Rushing on down to the circle of the turn
    2. Re:Too much change? by gol64738 · · Score: 3, Interesting

      it's likely that the sysadmins had you replace your open source products with a commercial one for blame/fault purposes.
      big corporation sysadmins like to point fingers when something fucks up..otherwise, it's their head.
      by sticking to commercial software, corporate sysadmins can keep that shitball rolling, all the way back to the product company.

  21. Re:Where is the public key to check the sig? by rweir · · Score: 3, Insightful

    If I'm paranoid enough to verify the signature, do you really think I'll be using the key someone posted on Slashdot?

  22. Re:Where is the public key to check the sig? by mmca · · Score: 4, Informative

    I agree. Look for djm@mindrot.org on your favorite keyserver. (I like the one below)

    http://pgp.mit.edu:11371/pks/lookup?op=get&searc h= 0x86FF9C48

    M

  23. compatible keys by snatchitup · · Score: 2

    I would like to see a version that create key files that are compatible with putty and securenetterm. Right now, if I want to use SecNetTerm, I've got to create the key on the Linux box with ssh-keygen, copy it to my pc, load it into putty to convert it, save it out, then move it over to SecNetTerm. Not only that, I couldn't find an easy HowTo that told me how to do this. It took several hours to figure this out.

    I shouldn't have to be a guru just to use SSH.

    1. Re:compatible keys by snatchitup · · Score: 2

      That's true. But consider that what www.OpenSS.org lists on its website at the top of it's page for alternative operating systems Windows & Mac.

      The following "free" clients are recommended for interoperating with OpenSSH from Windows machines:

      * PuTTY is an SSH1+SSH2 implementation. PSCP, an scp-style program for Windows, is also available.

      PuTTY is available under the MIT licence (BSD-like).

      "PuTTY is a free implementation of Telnet and SSH for Win32 platforms, written and maintained primarily by Simon Tatham, who lives in Great Britain."

      If you're going to recommend it, then why not right up front, give some pointers on how to get it up and running.

      Regards.... S

  24. Re:Stupid question.. by Clover_Kicker · · Score: 2

    >OpenSSH was ported to Linux??? Since when!?!?!?!?

    Very soon after the initial release for OpenBSD.

    There's a brief history of the project on the OpenSSH web site.

  25. GPG Verification by Kozz · · Score: 2

    I swear to God I'm not a newbie... I've been working with linux for a few years, and still learn something new every day. I tried to be a good boy and verify the gpg signature, but I couldn't figure out how to do it. Got a link for a how-to? Google doesn't turn up much of anything useful at openssh.com or gnupg.org.

    I've got GPG installed, a private/public keypair created for myself, now what?

    --
    I only post comments when someone on the internet is wrong.
  26. Re:Wish list item by joe_bruin · · Score: 2

    good point. make that > a >>