Slashdot Mirror

← Back to Stories (view on slashdot.org)

OpenSSH Turns Five Years Old

Posted by CmdrTaco on from the edoc-eht-kaerb dept.

heydrick writes "The OpenSSH project is five years old. Project member Damien Miller writes, 'Five years ago, in late September 1999, the OpenSSH project was started. It began with an audit, cleanup and update of the last free version of Tatu Ylonen's legacy ssh-1.2.12 code. The project quickly gathered pace, attracting a portability effort and, in early 2000, an independent implementation of version 2 of the SSH protocol. Since then, OpenSSH has led in the implementation of proactive security techniques such as privilege separation & auto-reexecution.' Yaa for OpenSSH."

12 of 146 comments (clear)

  1. This story turns 8 months old by Anonymous Coward · · Score: 5, Informative

    And it's a dupe, too. Remember when editors actually read submissions?

  2. Actually.. by backslashdot · · Score: 5, Insightful

    Remember when editors actually read submissions?

    No.

    1. Re:Actually.. by KillShill · · Score: 3, Funny

      has anyone ever actually seen the editors?

      maybe they never existed...

      --
      Science : Proprietary , Knowledge : Open Source
  3. Thanks... by Anonymous Coward · · Score: 4, Insightful

    For the awesome tool. Ssh, scp, and ssh tunnels are an integral part of how I accomplish things at work, and how I bypass corporate firewalls to use bittorrent. Thanks for the outstanding work.

  4. 5 years since the first *release* by heatdeath · · Score: 5, Informative

    The project was first released as OpenSSH 5 years ago today. The project was started, however, much earlier than that.

    --
    I'm sorry. The number you have reached is imaginary. Please rotate your phone 90 degrees and try again.
  5. 5 years since OpenSSH 2.0 by ikkibr · · Score: 4, Informative

    From openssh.com: "With the OpenBSD 2.6 release out of the way, Markus Friedl decided to pursue SSH 2 protocol support. Slaving away for months, he managed to keep OpenSSH slim and lean, while at the same time managing to turn it into a single piece of software that could do both the SSH 1 and SSH 2 protocols. This version, called OpenSSH 2.0, shipped with OpenBSD 2.7 on June 15, 2000. Most of the checking of Markus' changes were done by Niels Provos and Theo de Raadt. Bob Beck is to be thanked for updating OpenSSL to a newer version."

  6. Re:Ettercap team claim SSH / SSL is easy crackable by AndreyF · · Score: 3, Interesting

    Remember when the US Federal Gov'nt was having a royal fit about encryption and then just kinda "gave up"? Unless they can crack it, they wouldn't have given up (use 4096 encryption, people!)

  7. They are also trying to get publicity. by Some+Random+Username · · Score: 4, Informative

    Yes, SSL and SSH are vulnerable to MITM attacks if used incorectly. This is not news, and has been known for years. Trying to pretend this is new and interesting and "easily crackable" is dishonest.

  8. Re:auto-reexecution? by slavemowgli · · Score: 4, Informative

    From the Changelog for OpenSSH 3.9:

    Make sshd(8) re-execute itself on accepting a new connection. This security measure ensures that all execute-time randomisations are reapplied for each connection rather than once, for the master process' lifetime. This includes mmap and malloc mappings, shared library addressing, shared library mapping order, ProPolice and StackGhost cookies on systems that support such things.

    Hope this helps. :)

    --
    quidquid latine dictum sit altum videtur.
  9. Re:SSH is wonderful, and yet users still don't get by jd · · Score: 4, Insightful
    You think that's bad? Many Government places insist on using Telnet and RSH (with .rhosts files!) because "SSH isn't a FIPS standard".


    Never mind that telnet/rsh have no security at all, apparently if security exists, it has to be "approved". Now, I don't dispute the idea of having validated security, but I do dispute the claim that no security at all is preferable.


    It also neglects the fact that SSH is merely the program, that the encryption algorithm used is AES, which is most certainly a FIPS standard.


    In other words, it's not just that "users don't get it" - although that is often the case. The problem is also malignant attitudes in management that regard total insecurity as politically more acceptable.


    IMHO, if management enacts a policy that cripples security or eliminates it entirely, then management should be culpable. Encryption may be explicitly covered by FIPS, but that doesn't mean insecurity should be an acceptable standard for anyone.


    In the case described by the parent post, that of users not knowing how to use SSH, fine. Mandate that all computers use host-to-host IPSec. The users then don't need to know a damn thing, but the connections are just as secure.


    In other words, ignorance can sometimes be an excuse, but this isn't one of those times, as all it would take is ticking a checkbox under Windows and not doing a whole lot more under Linux. They can remain blissfully ignorant, continue to be stupid, but still remain perfectly safe.


    IPSec and SSH are not just good ideas, they SHOULD be the lore. (Not law, just lore. Though making telnet a crime might not be such a bad idea...)

    --
    It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
  10. Re:Ettercap team claim SSH / SSL is easy crackable by kasperd · · Score: 3, Informative

    Would it be practical to have a summetric cipher with 4094 bit encryption, or would that make things run a bit slow?

    256 bit AES use 14 rounds with a 128 bit key in each round. Rather than generating the 1792 bit keyschedule from the 256 bit key, you could just use a 1792 bit key. The speed would be the same as 256 bit AES. But don't expect it to be much more secure.

    Most likely the cipher isn't the weakest point anyway. If you want to have 256 bits of entropy in your password you need aproximately 42 random characters.

    --

    Do you care about the security of your wireless mouse?
  11. Re:SSH is wonderful, and yet users still don't get by NutscrapeSucks · · Score: 3, Insightful

    Personally, I think the "OMG Telnet!" thing has gone way overboard when you are talking about internal networks.

    Sure you _should_ use encrypted protocols, but when you look at a realworld network, it's full of NFS, SMB, FTP, SMTP, IMAP, HTTP, RPC, 5250/3270 and a gazillion other things that pass sensitive information in plaintext. Telnet is just the tip of the iceburg and the easiest to replace. Ultimate one should be looking at IPSec or VPN rather than making a big deal about SSH vs Telnet.

    Now, if you are typing a root password onto a Internet host, that's another story, but I sincerely hope you don't have thousands of developers with root access somewhere.

    --
    Whenever I hear the word 'Innovation', I reach for my pistol.