OpenSSH 4.2 released
BSDForums writes "OpenSSH 4.2 has been released. OpenSSH is a 100% complete SSH protocol version 1.3, 1.5 and 2.0 implementation and includes sftp client and server support.
Changes since OpenSSH 4.1 include security bug fixes relating to GatewayPorts, and GSSAPI, which eliminates the risk of credentials being inadvertently exposed to an untrusted user/host. A new compression method, proactive changes for signed vs. unsigned integer bugs, and many additional bugfixes and improvements highlight this release."
That might make remote X11 usable on a cable modem..
---- Booth was a patriot ----
There is no question that Mr. deRaadt is quite outspoken. But he can produce some damn fine and mighty secure code. I have nothing but the utmost respect for his coding abilities, even if his public relations skills are lacking.
Frankly, I'd rather put up with arrogance and have access to amazing code, rather than dealing with a nice person who can't write code worthy of a cockfool.
Cyric Zndovzny at your service.
Admittedly, yes, Theo is (or at least can be) quite an asshole. But what does that have to do with the quality of OpenSSH (or OpenBSD)?
Like him or not, but it's a great program, and not using it just because you don't like the lead developer, when there are no actual reasons not to, is stupid.
quidquid latine dictum sit altum videtur.
So we must stop using one of the world's best security software because somebody does not like Theo de Raadt?
Are you mod fucking insane?
The BSD licensing has made it possible for commercial OSes to have an SSH implementation by default. That ubiquity is what killed telnet. By helping companies like Microsoft, Sun, and Apple, the OpenSSH project has helped everyone.
I rarely criticize things I don't care about.
I've met Stallman and de Raadt and they're both assholes. But the world needs a few people that are willing to be assholes.
He gets results. For example, giving out contact information isn't the nicest way to get hardware docs and firmware, but it works.
I rarely criticize things I don't care about.
Bloody hell. I've been using openssh ever since it came out, and for quite a while before that the old Tatu Ylönen's ssh, and I've been typing all those lengthy user@hostname.domainname.whatever: prefixes day in, day out without knowing about those aliases.
The fact is that in the OSS world one should, at least once a month, raise one's fingers from the keyboard and stop to think "What am I missing from my daily environment? Are there stupid, repetitive or boring things that I do all too frequently?". The odds are that I could easily fix most of them swiftly, and for the ones that might require moderate amounts of work it's quite likely that someone has stumbled on those very same issues before me and fixed them. (And experience in the *nix world teaches me that frequently the fix is quite brilliant.)
1 Earth is warming, 2 It's us, 3 it's royally bad, 4 we need to take action NOW
``UNIX has had exponential backoffs forever. Mess up one time, you get a 1 second delay. Mess up twice, you get to wait 2 seconds, etc. I wonder why that couldn't be done in an ssh context.''
This exponential backoff system works when you're trying to log in from a tty. With SSH, the system doesn't know whether this is the same user trying to authenticate. It's similar to sitting in front of a Linux box, trying to log in on VT 1, and when it backs off, switching to VT 2, and so on.
The situation could be improved somewhat by sshd tracking failed logins by IP address, and disallowing that IP address from logging in for a while. However, this complicates sshd and isn't really bulletproof, what with NAT making any number of machines appear to have the same IP address.
Please correct me if I got my facts wrong.
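An added example, not from the thread, simulating the two schemes the comment above contrasts: backoff keyed per connection, which a client sidesteps simply by reconnecting, versus backoff keyed per source IP, which also penalises a legitimate user behind the same NAT address. The address, session names and delay cap are constructed for the simulation.

```python
from collections import defaultdict

# Constructed simulation (not from the thread): compare exponential backoff
# keyed per session (like a tty login) with backoff keyed per source IP.

def backoff_delay(failures, max_delay=64):
    """Exponential backoff: 1s after the first failure, 2s after the second, ...
    capped so a long run of failures does not become an unbounded delay."""
    if failures == 0:
        return 0
    return min(2 ** (failures - 1), max_delay)

def simulate(attempts, key):
    """attempts: list of (session_id, source_ip, succeeded).
    key: 'session' -> failures counted per connection (reset by reconnecting)
         'ip'      -> failures counted per source address (survives reconnects)
    Returns ({session_id: seconds that session had to wait}, total seconds)."""
    failures = defaultdict(int)
    waited = defaultdict(int)
    total = 0
    for session, ip, ok in attempts:
        k = session if key == "session" else ip
        delay = backoff_delay(failures[k])      # wait imposed before this attempt
        waited[session] += delay
        total += delay
        if ok:
            failures.pop(k, None)               # a success clears the counter
        else:
            failures[k] += 1
    return dict(waited), total

# Constructed input: a guesser at 203.0.113.7 (documentation address) fails five
# times, opening a fresh connection for each try (the "switch to VT 2" trick);
# then a legitimate user behind the same NAT address logs in correctly first time.
ATTEMPTS = [(f"guess-{i}", "203.0.113.7", False) for i in range(5)] + [
    ("legit-user", "203.0.113.7", True),
]

def per_session():
    return simulate(ATTEMPTS, "session")

def per_ip():
    return simulate(ATTEMPTS, "ip")

if __name__ == "__main__":
    print("per-session:", per_session())   # reconnecting guesser never waits
    print("per-ip:", per_ip())             # guesser waits, but so does the NAT neighbour
```

Per-session keying imposes no delay at all on a reconnecting client, while per-IP keying makes the sixth attempt wait 16 seconds even though it comes from an innocent user sharing the address.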
Cracking it on the first attempt and cracking it on the 10^50th attempt have equal probabilities.
True, but both probabilities are minute. The median of that range is 5*10^49 meaning that's the average number of tries you need. If you got lucky and found it in the first 10%, that's 10^49. If someone wanting to spy on you can muster the resources to crack that in a human lifetime, you've made an enemy of God!
Quantum computing opens up some interesting possibilities, but if a hypothetical Quantum computer in the year 2015 could search 1x10^23 keys per second (more than that massive distributed Internet project a while ago), it would still take millions of years on average.
10^50 is a big number.
Aide-toi, le Ciel t'aidera - Jeanne D'Arc.