Slashdot Mirror

← Back to Stories (view on slashdot.org)

OpenSSH Turns Five Years Old

Posted by CmdrTaco on from the edoc-eht-kaerb dept.

heydrick writes "The OpenSSH project is five years old. Project member Damien Miller writes, 'Five years ago, in late September 1999, the OpenSSH project was started. It began with an audit, cleanup and update of the last free version of Tatu Ylonen's legacy ssh-1.2.12 code. The project quickly gathered pace, attracting a portability effort and, in early 2000, an independent implementation of version 2 of the SSH protocol. Since then, OpenSSH has led in the implementation of proactive security techniques such as privilege separation & auto-reexecution.' Yaa for OpenSSH."

3 of 146 comments (clear)

  1. Actually.. by backslashdot · · Score: 5, Insightful

    Remember when editors actually read submissions?

    No.

  2. Thanks... by Anonymous Coward · · Score: 4, Insightful

    For the awesome tool. Ssh, scp, and ssh tunnels are an integral part of how I accomplish things at work, and how I bypass corporate firewalls to use bittorrent. Thanks for the outstanding work.

  3. Re:SSH is wonderful, and yet users still don't get by jd · · Score: 4, Insightful
    You think that's bad? Many Government places insist on using Telnet and RSH (with .rhosts files!) because "SSH isn't a FIPS standard".


    Never mind that telnet/rsh have no security at all, apparently if security exists, it has to be "approved". Now, I don't dispute the idea of having validated security, but I do dispute the claim that no security at all is preferable.


    It also neglects the fact that SSH is merely the program, that the encryption algorithm used is AES, which is most certainly a FIPS standard.


    In other words, it's not just that "users don't get it" - although that is often the case. The problem is also malignant attitudes in management that regard total insecurity as politically more acceptable.


    IMHO, if management enacts a policy that cripples security or eliminates it entirely, then management should be culpable. Encryption may be explicitly covered by FIPS, but that doesn't mean insecurity should be an acceptable standard for anyone.


    In the case described by the parent post, that of users not knowing how to use SSH, fine. Mandate that all computers use host-to-host IPSec. The users then don't need to know a damn thing, but the connections are just as secure.


    In other words, ignorance can sometimes be an excuse, but this isn't one of those times, as all it would take is ticking a checkbox under Windows and not doing a whole lot more under Linux. They can remain blissfully ignorant, continue to be stupid, but still remain perfectly safe.


    IPSec and SSH are not just good ideas, they SHOULD be the lore. (Not law, just lore. Though making telnet a crime might not be such a bad idea...)

    --
    It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)