Slashdot Mirror

← Back to Stories (view on slashdot.org)

OpenSSH Turns Five Years Old

Posted by CmdrTaco on from the edoc-eht-kaerb dept.

heydrick writes "The OpenSSH project is five years old. Project member Damien Miller writes, 'Five years ago, in late September 1999, the OpenSSH project was started. It began with an audit, cleanup and update of the last free version of Tatu Ylonen's legacy ssh-1.2.12 code. The project quickly gathered pace, attracting a portability effort and, in early 2000, an independent implementation of version 2 of the SSH protocol. Since then, OpenSSH has led in the implementation of proactive security techniques such as privilege separation & auto-reexecution.' Yaa for OpenSSH."

8 of 146 comments (clear)

  1. This story turns 8 months old by Anonymous Coward · · Score: 5, Informative

    And it's a dupe, too. Remember when editors actually read submissions?

  2. Actually.. by backslashdot · · Score: 5, Insightful

    Remember when editors actually read submissions?

    No.

  3. Thanks... by Anonymous Coward · · Score: 4, Insightful

    For the awesome tool. Ssh, scp, and ssh tunnels are an integral part of how I accomplish things at work, and how I bypass corporate firewalls to use bittorrent. Thanks for the outstanding work.

  4. 5 years since the first *release* by heatdeath · · Score: 5, Informative

    The project was first released as OpenSSH 5 years ago today. The project was started, however, much earlier than that.

    --
    I'm sorry. The number you have reached is imaginary. Please rotate your phone 90 degrees and try again.
  5. 5 years since OpenSSH 2.0 by ikkibr · · Score: 4, Informative

    From openssh.com: "With the OpenBSD 2.6 release out of the way, Markus Friedl decided to pursue SSH 2 protocol support. Slaving away for months, he managed to keep OpenSSH slim and lean, while at the same time managing to turn it into a single piece of software that could do both the SSH 1 and SSH 2 protocols. This version, called OpenSSH 2.0, shipped with OpenBSD 2.7 on June 15, 2000. Most of the checking of Markus' changes were done by Niels Provos and Theo de Raadt. Bob Beck is to be thanked for updating OpenSSL to a newer version."

  6. They are also trying to get publicity. by Some+Random+Username · · Score: 4, Informative

    Yes, SSL and SSH are vulnerable to MITM attacks if used incorectly. This is not news, and has been known for years. Trying to pretend this is new and interesting and "easily crackable" is dishonest.

  7. Re:auto-reexecution? by slavemowgli · · Score: 4, Informative

    From the Changelog for OpenSSH 3.9:

    Make sshd(8) re-execute itself on accepting a new connection. This security measure ensures that all execute-time randomisations are reapplied for each connection rather than once, for the master process' lifetime. This includes mmap and malloc mappings, shared library addressing, shared library mapping order, ProPolice and StackGhost cookies on systems that support such things.

    Hope this helps. :)

    --
    quidquid latine dictum sit altum videtur.
  8. Re:SSH is wonderful, and yet users still don't get by jd · · Score: 4, Insightful
    You think that's bad? Many Government places insist on using Telnet and RSH (with .rhosts files!) because "SSH isn't a FIPS standard".


    Never mind that telnet/rsh have no security at all, apparently if security exists, it has to be "approved". Now, I don't dispute the idea of having validated security, but I do dispute the claim that no security at all is preferable.


    It also neglects the fact that SSH is merely the program, that the encryption algorithm used is AES, which is most certainly a FIPS standard.


    In other words, it's not just that "users don't get it" - although that is often the case. The problem is also malignant attitudes in management that regard total insecurity as politically more acceptable.


    IMHO, if management enacts a policy that cripples security or eliminates it entirely, then management should be culpable. Encryption may be explicitly covered by FIPS, but that doesn't mean insecurity should be an acceptable standard for anyone.


    In the case described by the parent post, that of users not knowing how to use SSH, fine. Mandate that all computers use host-to-host IPSec. The users then don't need to know a damn thing, but the connections are just as secure.


    In other words, ignorance can sometimes be an excuse, but this isn't one of those times, as all it would take is ticking a checkbox under Windows and not doing a whole lot more under Linux. They can remain blissfully ignorant, continue to be stupid, but still remain perfectly safe.


    IPSec and SSH are not just good ideas, they SHOULD be the lore. (Not law, just lore. Though making telnet a crime might not be such a bad idea...)

    --
    It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)