OpenSSH Turns Five Years Old
heydrick writes "The OpenSSH project is five years old. Project member Damien Miller writes, 'Five years ago, in late September 1999, the OpenSSH project was started. It began with an audit, cleanup and update of the last free version of Tatu Ylonen's legacy ssh-1.2.12 code. The project quickly gathered pace, attracting a portability effort and, in early 2000, an independent implementation of version 2 of the SSH protocol. Since then, OpenSSH has led in the implementation of proactive security techniques such as privilege separation & auto-reexecution.' Yaa for OpenSSH."
And it's a dupe, too. Remember when editors actually read submissions?
Five years? It's not September.... how is this news?
Remember when editors actually read submissions?
No.
Happy Birthday OpenSSH!! :D
And nothing. Maybe "daddy" should start wearing his "pants"?
For the awesome tool. Ssh, scp, and ssh tunnels are an integral part of how I accomplish things at work, and how I bypass corporate firewalls to use bittorrent. Thanks for the outstanding work.
The project was first released as OpenSSH 5 years ago today. The project was started, however, much earlier than that.
I'm sorry. The number you have reached is imaginary. Please rotate your phone 90 degrees and try again.
From openssh.com: "With the OpenBSD 2.6 release out of the way, Markus Friedl decided to pursue SSH 2 protocol support. Slaving away for months, he managed to keep OpenSSH slim and lean, while at the same time managing to turn it into a single piece of software that could do both the SSH 1 and SSH 2 protocols. This version, called OpenSSH 2.0, shipped with OpenBSD 2.7 on June 15, 2000. Most of the checking of Markus' changes were done by Niels Provos and Theo de Raadt. Bob Beck is to be thanked for updating OpenSSL to a newer version."
No link, no article, nothing?
Insightful you are not.
Wouldn't that be in 10 days? Clearly this was a mistake by Taco.
What site? Should I guess it is ettercap dot com, dot net, dot org, dot us, dot ru, dot hk, dot dot dot?
Newsforge interview
I hate to be a spelling nazi (kind of ;) but yaa? Is that supposed to be yay? Or yeah maybe?
Seriously, I can understand misspelling complicated words, but how do you not know how to spell yay?
(To be fair, "yea" is a different valid spelling that means something else.)
Thinkin' Lincoln - a web comic of presidential proportions
ssh -L 5902:happy:5901 birthday
Remember when the US Federal Gov'nt was having a royal fit about encryption and then just kinda "gave up"? Unless they can crack it, they wouldn't have given up (use 4096 encryption, people!)
Yes, SSL and SSH are vulnerable to MITM attacks if used incorrectly. This is not news, and has been known for years. Trying to pretend this is new and interesting and "easily crackable" is dishonest.
In computer science 5 years is 2048 days, the closest power of two.
Anyone else notice how broken /. has been lately? Maybe it's just a false impression I'm getting based on a few incidents, or maybe I just notice it now. But it seems there's been a lot more duped stories, bot floods of comments, and entire discussions over mod points compared to even a month or two ago.
Bungo!
Someone care to explain what OpenSSH means by that? The only mention of it seems to be with OpenSSH, and I'm pretty sure I have never needed "auto-reexecution" in order to make anything secure so far...
I blame Zonk. Zonk posts a lot of dupes. While we lost michael's flamebait stories, we now see Zonk's "HEY I DON'T READ SLASHDOT, I JUST GET PAID TO CLICK BUTTONS" stories.
So hats off to OpenSSH, y'all. :)
Should I sue them for violating my stock service called SSHGuru(dot)com?
Yaa're completely right! ;)
Be quiet you heterophobe.
Thank god that OpenBSD cares enough to make the portable version of OpenSSH. I've used OpenSSH to make my machines more secure on everything from Solaris to Linux to *BSD.
Kudos!
The more you know, the less you understand.
I recently implemented OpenSSH for a remote access project and while I really like OSSH I have a few feature requests:
1) I wish I could control what forwarding can occur in the config file on the server. Access lists would be great here.
Currently I do this by having the system in the DMZ and applying an access list to the entire user population.
2) I wish I had the ability to log which users opened what tunnels where.
Even so this a great application and I use it every day.
Grats on making it 5 years with a quality application.
======== In the future, everything will be artificial. ========
CmdrTaco's boyfriend also turned 5 years old.
I think that means the end of its "Leakage and Puncture Warranty" then.
I love ssh. I use it everyday.
Where I used to work (I quit 2 months ago) it was a constant battle to get users to use ssh instead of telnet. Yes, that's right, telnet. When I first started working there, a little over a year ago, I was shocked to discover that thousands (no exaggeration) of developers were still using telnet to access unix hosts.
When I asked my manager about this, his explanations ranged from "that is how they have always worked" to "some of them just don't know how to use ssh."
When I spoke to the users themselves they just could not understand what is wrong with telnet.
Of course, I should point out that this is also a company that suffered a massive data theft (something like 90,000 email addresses) last year...
Ask Slashdot: Where bad ideas meet poor googling skills.
Not even thirteen months, let alone thirteen years. "Weiner" is so appropriate.
Manager: "that is how they have always worked"
...
Manager: "some of them just don't know how to use ssh."
You: "{manager}, Telnet is a huge security risk and it is only a matter of time before we are screwed royally by this. I recommend that we plan on disabling telnet in the near future on all hosts. Before that time, I will send out an E-Mail to all affected staff with instructions for use and notification of when telnet services will be disabled. I think this is a good idea, what do you think?"
After that, your responsibility in the matter is moot.
You: Documents that you brought this issue up with your manager in the event that he/she decides not to pursue your idea, covering your ass and placing as much blame on your manager for any fuck ups that occur as a result of his/her stupidity.
If you weren't in a position to suggest such policy, then I pity you and am glad you got out of such a job.
Ok... more questions arose from one :(
What I use tunneling (putty) for is vnc and other services. I just tunnel my remote (login from) host ports through the login and into the localhost (login into).
Now what is SOCKS5 proxy, Dynamic tunneling?
Thx
On another similar topic. I've been trying to tunnel on an old Mac 9.2. It has MacSSH. My ssh server uses SSH2. I can login to the server using putty, linux, and even Mac OS X. But even though I can login to the campus SSH2 (from there I can go to mine), I can't seem to get to my ssh2 directly. No matter what I try! Any Mac users out there?
Actually the name is Tatu Ylönen.
......
Here's some dots to use in the future:
What symmetric cipher, that ssh uses, even supports 4096 bit encryption? I thought bits that high were only supported for public/private keys but not the symmetric ciphers themselves. According to the ssh manual page, it seems like the supported symmetric ciphers only go up to 256 bits.
Hm, I suppose I stand corrected. Would it be practical to have a symmetric cipher with 4094 bit encryption, or would that make things run a bit slow?
If there was a general forum with no topic, then complaints could be discussed. Of course, then people could also complain about specific editors...
I have freaks! I did something right...
Telnet on BSD has had encryption for at least ever since we started using it. I remember Linux did not a few years ago when we first changed to BSD but it appears that the recent Linux systems running on our ISP and on Sourceforge are now running the BSD telnet with encryption. ssh is still better because you can use dual public/private rsa/dsa keys and login without having to type a password, but as long as you are not telneting to/from a toy system that has no regard for security and does not support encryption, telnet is not so bad. We still use it a lot on our LAN. We are running all NetBSD and FreeBSD.
Never mind that telnet/rsh have no security at all, apparently if security exists, it has to be "approved". Now, I don't dispute the idea of having validated security, but I do dispute the claim that no security at all is preferable.
It also neglects the fact that SSH is merely the program, that the encryption algorithm used is AES, which is most certainly a FIPS standard.
In other words, it's not just that "users don't get it" - although that is often the case. The problem is also malignant attitudes in management that regard total insecurity as politically more acceptable.
IMHO, if management enacts a policy that cripples security or eliminates it entirely, then management should be culpable. Encryption may be explicitly covered by FIPS, but that doesn't mean insecurity should be an acceptable standard for anyone.
In the case described by the parent post, that of users not knowing how to use SSH, fine. Mandate that all computers use host-to-host IPSec. The users then don't need to know a damn thing, but the connections are just as secure.
In other words, ignorance can sometimes be an excuse, but this isn't one of those times, as all it would take is ticking a checkbox under Windows and not doing a whole lot more under Linux. They can remain blissfully ignorant, continue to be stupid, but still remain perfectly safe.
IPSec and SSH are not just good ideas, they SHOULD be the lore. (Not law, just lore. Though making telnet a crime might not be such a bad idea...)
It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
Proactive?!! Others have done privsep years before OpenSSH finally got around to it, and that was only after a number of serious holes were found.
Would it be practical to have a symmetric cipher with 4094 bit encryption, or would that make things run a bit slow?
256 bit AES use 14 rounds with a 128 bit key in each round. Rather than generating the 1792 bit keyschedule from the 256 bit key, you could just use a 1792 bit key. The speed would be the same as 256 bit AES. But don't expect it to be much more secure.
Most likely the cipher isn't the weakest point anyway. If you want to have 256 bits of entropy in your password you need approximately 42 random characters.
Do you care about the security of your wireless mouse?
Personally, I think the "OMG Telnet!" thing has gone way overboard when you are talking about internal networks.
Sure you _should_ use encrypted protocols, but when you look at a realworld network, it's full of NFS, SMB, FTP, SMTP, IMAP, HTTP, RPC, 5250/3270 and a gazillion other things that pass sensitive information in plaintext. Telnet is just the tip of the iceberg and the easiest to replace. Ultimately one should be looking at IPSec or VPN rather than making a big deal about SSH vs Telnet.
Now, if you are typing a root password onto a Internet host, that's another story, but I sincerely hope you don't have thousands of developers with root access somewhere.
Whenever I hear the word 'Innovation', I reach for my pistol.
My strategy for getting rid of telnet has been to disable it on all new hosts (easy since it's disabled out of the box on new SuSE and RedHat installs). Then when people complain I go and show them how port forwarding works with X-windows and when they realize that they don't have to run xhost and set their display environment variable if they're using ssh -X they become ssh converts. This is good because it means that I haven't had to use my fallback position yet, which is to tell the users that we didn't have enough money to buy telnet and rsh licenses for new UNIX systems.
cheap labor conservatives - they want to keep you hungry enough to be thankful for minimum wage.
some of them just don't know how to use ssh
Don't know how? You could probably 'ln -s /usr/bin/ssh /usr/bin/telnet' without anybody noticing much. Sure there may be "power users" of telnet, but they probably already know how to use ssh.
Seriously, instead of
telnet me@host
do
ssh me@host
For the trivial case it's a drop in replacement.
Why, o why must the sky fall when I've learned to fly?
What I want to know is: why is it that OpenSSH's chief dependency, OpenSSL, hasn't even reached 1.0 status over these past 5 years?
In the case described by the parent post, that of users not knowing how to use SSH, fine.
Isn't ssh almost exactly the same as telnet in terms of the interface?
I really don't see how anyone could claim that using one is harder than the other. Or that they don't want to learn something they already know.
Netbackup can be installed over ssh; it's a question of whether or not the rep doing the install wants to deal with it. I got asked to open telnet and rlogin and I stood my ground on that one. I told the rep that I'd be happy to create a temporary set of ssh keys so that he could call ssh like he'd use rlogin (and not have to use a passwd). He agreed, modified his install script, and installed. After he was done I removed the keys and everything was kosher.
I doubt that many users realize that you can pass in username to telnet like me@host; they just go "telnet host" and respond with username and login when asked. Still, I agree, it's not like the login style of ssh is difficult to get used to.
You might want to learn about secure telnet before you outlaw the protocol.
Kermit includes a secure telnet client. The same web page says Linux and Solaris ship secure telnet servers.
Complaining about how insecure telnet is without security enabled is like complaining about how insecure NFS is without security enabled.
Telnet doesn't copy any environment variables over, as it -is- a terminal emulator, and not a shell environment. SSH handles things like the display, but would be capable of passing any environment over.
SSH can be placed in the background - you are really not advised to do that with Telnet.
Last, but not least, telnet doesn't support anything similar to scp. Unless you count telnetting to the FTP server, and manually keying in the commands.
Sure you _should_ use encrypted protocols
No, you must use encrypted protocols. Many corporate networks have thousands of users. Sniffing information on such networks is trivial. Do you really want other people reading your email? How about sending email from your account? Email is just the beginning of what other people could get into.
End of Line.
You must, but hardly anyone does. Regardless, if your requirements that all communication must be encrypted, you should be doing it on the transport level with IPSec rather than hacking together application-level solutions like SSH, HTTPS, etc.
only one public remote root in 5 years!
The editors are on floor 500.
Just wait for your promotion.
Live today, because you never know what tomorrow brings
AFAIK, government might have a problem with SSH: It isn't FIPS standard and they might be afraid that there's some nice booby trap that sends their connection data to 3rd parties. Code audit isn't done by trusted (by government) side. I use SSH more than any other single program. Great way for 'screen -r' and then you have all your IM, IRC and mail program apps wherever you are. No problem with untrusted (even unencrypted) wireless networks as long as I have a laptop I can trust.
?SYNTAX ERROR
LoginFailureTracking On
LoginFailureAttempts 3
LoginFailureShell "/sbin/iptables -I INPUT -s %1 -j DROP"
Oh, I need this or something like:
InvalidUserLockoutCount 3
InvalidUserLockoutByIP yes
InvalidUserLockoutResetSeconds 120
Or, does anyone do something similar using a log watching program? I would really like to know, now that I have SSH firewalled off so restrictive and my open boxes get more than 1,000 invalid user hits per day.
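As an added illustration of the log-watching approach the post asks about (example code, not from the post, from OpenSSH, or from any real log watcher): a Python scanner over constructed sshd auth-log lines that applies the same count-per-IP and reset-window idea as the hypothetical InvalidUserLockout* settings above and produces the DROP rule string the post shows. The log line format, host name, addresses and year are all constructed for the example.

```python
import re
from datetime import datetime, timedelta

# Matches the "Invalid user" line sshd writes to the auth log; the
# "port N" suffix is optional because older releases omit it.
INVALID_USER_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Invalid user (?P<user>\S*) from (?P<ip>[\d.]+)(?: port \d+)?$"
)

# Constructed sample log (syslog timestamps carry no year, so one is assumed).
SAMPLE_LOG = [
    "Oct  1 12:00:01 gw sshd[2201]: Invalid user admin from 192.0.2.10",
    "Oct  1 12:00:05 gw sshd[2203]: Invalid user test from 192.0.2.10 port 40112",
    "Oct  1 12:00:09 gw sshd[2205]: Invalid user oracle from 192.0.2.10",
    "Oct  1 12:00:20 gw sshd[2210]: Accepted publickey for alice from 198.51.100.7 port 52211 ssh2",
    "Oct  1 12:01:00 gw sshd[2220]: Invalid user guest from 203.0.113.5",
    "Oct  1 12:10:00 gw sshd[2230]: Invalid user guest from 203.0.113.5",
    "Oct  1 12:20:00 gw sshd[2240]: Invalid user guest from 203.0.113.5",
]

def find_lockouts(lines, count=3, reset_seconds=120, year=2004):
    """Return {ip: time of the attempt that tripped the threshold} for every
    source IP with `count` or more invalid-user attempts inside a rolling
    `reset_seconds` window (count=3, reset=120 mirrors the post's settings)."""
    window = timedelta(seconds=reset_seconds)
    recent = {}   # ip -> timestamps of attempts still inside the window
    locked = {}
    for line in lines:
        m = INVALID_USER_RE.match(line)
        if not m:
            continue  # successful logins and unrelated lines are ignored
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        hits = [t for t in recent.get(m["ip"], []) if ts - t < window]
        hits.append(ts)
        recent[m["ip"]] = hits
        if len(hits) >= count and m["ip"] not in locked:
            locked[m["ip"]] = ts
    return locked

def drop_rules(lines, **kw):
    """Render the firewall command from the post for each locked-out IP."""
    return [f"/sbin/iptables -I INPUT -s {ip} -j DROP"
            for ip in sorted(find_lockouts(lines, **kw))]

if __name__ == "__main__":
    for rule in drop_rules(SAMPLE_LOG):
        print(rule)
```

The second address never trips the threshold because its three attempts are nine minutes apart, which is what the reset window is for.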
The Putty SSH client allows you to specify proxy settings. If you need a CLI, you can use Plink from the same set of tools.
http://www.chiark.greenend.org.uk/~sgtatham/putty
"You think that's bad? Many Government places insist on using Telnet and RSH (with .rhosts files!) because "SSH isn't a FIPS standard".
Never mind that telnet/rsh have no security at all, apparently if security exists, it has to be "approved". Now, I don't dispute the idea of having validated security, but I do dispute the claim that no security at all is preferable"
At the risk of sounding inflammatory, perhaps you "don't get it". It is preferable for the end-user to know that what they are using is definitely not secure, than to have misplaced trust in an unverified system that claims to be secure, but may not be. By mandating the use of telnet, it means that you are made aware of the necessity of assuring security by some other means, for example, by using an approved secure VPN.
Bah!
Security should, indeed, be verified and made safe, but that does not mean total insecurity at all levels should be accepted as the path of least resistance. When a bar has been raised, it is often easier and quicker to just walk round it and make no effort to raise your own standards.
When it is personal stuff, then that's a personal decision and that's fine. When it is a Government, dealing with the property and future of the nation - and therefore stuff that does not actually belong to the Government per se - I'm not sure it has any business being so casual.
Corporations dealing with their own data, again that's their affair. Likewise, when it comes to information that doesn't belong to it but is merely in their safekeeping, they are taking on a level of responsibility and should reflect that in their actions.