Slashdot Mirror


OpenSSH Going Strong After 10 Years With Release of v5.3

An anonymous reader writes "OpenSSH is a 100% complete SSH protocol version 1.3, 1.5 and 2.0 implementation and includes sftp client and server support. It encrypts all traffic (including passwords) to effectively eliminate eavesdropping, connection hijacking, and other attacks. Additionally, OpenSSH provides secure tunneling capabilities and several authentication methods, and supports all SSH protocol versions. Version 5.3 marks the 10th anniversary of the OpenSSH project."

249 comments

  1. I know I'm not alone in this... by 93+Escort+Wagon · · Score: 5, Insightful

    Thank you to everyone that's worked on OpenSSH over its lifetime - it's certainly made my (working) life easier.

    And, unlike the Slashdot submission system, OpenSSH pretty much always works!

    --
    #DeleteChrome
    1. Re:I know I'm not alone in this... by e9th · · Score: 4, Informative

      Please consider buying one or more of their so-ugly-they're-cute T-shirts.

    2. Re:I know I'm not alone in this... by BikeHelmet · · Score: 1

      You noticed that too, huh?

      I was going to make a "First Post - after 2 hours!" joke, but the submission error prevented me.

      Congrats, OpenSSH team! I think anyone that has used linux has probably used SSH, intentionally or not!

    3. Re:I know I'm not alone in this... by the_humeister · · Score: 1

      I'd rather just donate the money directly to the project. I have enough nerdy t-shirts.

    4. Re:I know I'm not alone in this... by Anonymous Coward · · Score: 0

      Hey, that's even better! Of course, then the coolness of owning a Puffy tee is missing.

    5. Re:I know I'm not alone in this... by grub · · Score: 3, Insightful


      Slashdot is a news site. We don't need to be notified every time something exists for 10 years. Unless this "encrypting traffic" thing is new in OpenSSH v5.3

      It's not new to OpenSSH but OpenBSD's default disabling of telnet (when everyone used it) and pushing OpenSSH helped make secure connections the standard.

      --
      Trolling is a art,
    6. Re:I know I'm not alone in this... by nametaken · · Score: 4, Funny

      Or donate some decent t-shirt designs. :/

    7. Re:I know I'm not alone in this... by velen · · Score: 1

      Life with openssh is hard to imagine. We use it without a second thought these days. A very big thank you to all those who contributed to it.

    8. Re:I know I'm not alone in this... by Anonymous Coward · · Score: 0

      First time posting on slashdot, I just want to say thanks to the OpenSSH people in case one of them reads these comments. I use SSH daily to access my work computer, it certainly makes life easier. Cheers and thanks for keeping it free!

    9. Re:I know I'm not alone in this... by moon3 · · Score: 1

      Having a normal PayPal donation button would be much more convenient for me.

    10. Re:I know I'm not alone in this... by TheRaven64 · · Score: 4, Informative

      OpenSSH is developed by OpenBSD. They accept PayPal donations via the link on this page.

      --
      I am TheRaven on Soylent News
    11. Re:I know I'm not alone in this... by Anonymous Coward · · Score: 0

      But I will refuse until they get serious about integrating http://www.psc.edu/networking/projects/hpn-ssh/ patches. At least the part not about 'none' cipher. Security you gave me, now give performance - it's not like you have to implement it, it's already there. Or reimplement it your own way - i don't care, just acknowledge that performance too IS IMPORTANT!

    12. Re:I know I'm not alone in this... by Anonymous Coward · · Score: 1, Funny

      I prefer tee-shirts with puffies inside them.

    13. Re:I know I'm not alone in this... by dmiller · · Score: 1

      You do realise that we implemented quite a few speedups for high bandwidth x delay networks already. The remaining "HPN" patches make marginal difference for most networks, other than the patch to allow deactivation of encryption that we refuse to merge at all.

    14. Re:I know I'm not alone in this... by e9th · · Score: 1

      Thank you for all your hard work, and thanks for declining to open the NONE cipher can-of-worms.

  2. Happy birth-day OpenSSH by La+Gris · · Score: 2, Funny

    This wonder-full versatile tool shaped the world of remote administration or the other way round.

    Would you?

    1) Abandon SSH or OpenSSH
    2) Lose an arm
    3) I'm a snake
    4) Telnet everywhere
    5) I live in a data-center

    --
    Léa Gris
    1. Re:Happy birth-day OpenSSH by CSMatt · · Score: 2, Funny

      3) I'm a snake
      5) I live in a data-center

      Huh?

    2. Re:Happy birth-day OpenSSH by Anonymous Coward · · Score: 0

      You know.......For the kids!

    3. Re:Happy birth-day OpenSSH by dragonturtle69 · · Score: 2, Funny

      I think something was lost in the translation in that post, French to English.

      --
      "What luck for the rulers that men do not think." - Adolph Hitler
    4. Re:Happy birth-day OpenSSH by holloway · · Score: 4, Funny

      3) I'm a snake

      Huh?

      Step 4 ????
      Step 5 Badger badger badger badger badger

    5. Re:Happy birth-day OpenSSH by Derleth · · Score: 1

      6) My toad loves cheese

      7) I live with two mimes, and I cannot scream

      8) Lose a thumb, but only on Thursdays

      9) I'm a wallaby. Mooo!

      10) Unicorn. Love. Hate.

      11) Understanding your Swede

      --
      How can you use my intestines as a gift? -Actual Hong Kong subtitle.
    6. Re:Happy birth-day OpenSSH by Derleth · · Score: 1

      Has anyone really been far even as decided to use even go want to do look more like?

      MEOW! MEOW! MEOW!

      La Lune Noir! Noir! Chat!

      --
      How can you use my intestines as a gift? -Actual Hong Kong subtitle.
    7. Re:Happy birth-day OpenSSH by kdemetter · · Score: 1

      12) Profit ?

    8. Re:Happy birth-day OpenSSH by ncc74656 · · Score: 1

      12) I cannot buy this record. It is scratched.

      --
      20 January 2017: the End of an Error.
    9. Re:Happy birth-day OpenSSH by MrMr · · Score: 1

      Exactly, point 3 was actually:
      Mon aeroglisseur est plein d'anguilles.

    10. Re:Happy birth-day OpenSSH by laejoh · · Score: 1

      I have had it with these motherfucking snakes in this motherfucking data-center!

    11. Re:Happy birth-day OpenSSH by Anonymous Coward · · Score: 0

      Szeretné, hogy térjen vissza hozzám, goromba goromba?

    12. Re:Happy birth-day OpenSSH by Anonymous Coward · · Score: 0

      Snakes don't have arms, and if you live in a data center chances are you don't need ssh, just log in physically at the machine in question if it has a keyboard and screen attached, or at the terminal server (assuming real data centers have serial consoles attached to all machines via a terminal server, of course).

    13. Re:Happy birth-day OpenSSH by expat.iain · · Score: 1

      12) I will not buy this tobacconist. It is scratched.

      Fixed.

    14. Re:Happy birth-day OpenSSH by n1ckml007 · · Score: 1

      It's a snake!

    15. Re:Happy birth-day OpenSSH by tom17 · · Score: 1

      Mushroom muuushrooom!

    16. Re:Happy birth-day OpenSSH by Anonymous Coward · · Score: 0

      3) I'm a snake

      Huh?

      Step 4 ????
      Step 5 Badger badger badger badger badger

      Step 6 Mushroom

    17. Re:Happy birth-day OpenSSH by badkarmadayaccount · · Score: 1

      Those are some good shrooms.

      --
      I know tobacco is bad for you, so I smoke weed with crack.
  3. And best of all... by Timothy+Brownawell · · Score: 2, Insightful

    ...it remembers what key goes with what server, rather than unconditionally giving each of a few dozen outside groups the ability to tell it that yes, your secure server really did just get a new key (so that new Russian IP address must be correct).
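
The host-key model this comment describes, as an added example (not from the thread and not OpenSSH's code): a small Python model of the client-side known_hosts check, including the hashed-hostname entry format (`|1|base64(salt)|base64(HMAC-SHA1(salt, host))`) that the HashKnownHosts option writes. The key blobs are constructed byte strings laid out like SSH wire-format keys, not real keys; `tofu_connect` is a hypothetical stand-in for the client's decision on each connection, and the host-pattern matching is simplified (no wildcards, `[host]:port` or `@cert-authority` markers).

```python
import base64
import hashlib
import hmac
import os
from typing import List, Optional, Tuple

# Constructed sample host keys: SSH wire layout (length-prefixed type string,
# length-prefixed key bytes) with made-up key material. Not real keys.
def _ssh_string(b: bytes) -> bytes:
    return len(b).to_bytes(4, "big") + b

SAMPLE_KEY_A = base64.b64encode(_ssh_string(b"ssh-ed25519") + _ssh_string(b"A" * 32)).decode()
SAMPLE_KEY_B = base64.b64encode(_ssh_string(b"ssh-ed25519") + _ssh_string(b"B" * 32)).decode()


def fingerprint(key_b64: str) -> str:
    """SHA256 fingerprint in the form `ssh-keygen -lf` prints (unpadded base64)."""
    digest = hashlib.sha256(base64.b64decode(key_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def hashed_host_pattern(host: str, salt: bytes) -> str:
    """HashKnownHosts-style host field: |1|base64(salt)|base64(HMAC-SHA1(salt, host))."""
    mac = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(), base64.b64encode(mac).decode())


def host_matches(pattern: str, host: str) -> bool:
    """Match a known_hosts host field (hashed, or a plain comma-separated list) against a name.
    Simplified: no wildcards, [host]:port syntax or @cert-authority markers."""
    if pattern.startswith("|1|"):
        _, _, salt_b64, mac_b64 = pattern.split("|")
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(mac_b64)
        actual = hmac.new(salt, host.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(expected, actual)
    return host in pattern.split(",")


class KnownHosts:
    """In-memory model of ~/.ssh/known_hosts: (host field, key type, base64 key) triples."""

    def __init__(self, text: str = "") -> None:
        self.entries: List[Tuple[str, str, str]] = []
        for line in text.splitlines():
            fields = line.split()
            if len(fields) < 3 or fields[0].startswith("#"):
                continue  # blank, comment or malformed line
            self.entries.append((fields[0], fields[1], fields[2]))

    def lookup(self, host: str, keytype: str) -> Optional[str]:
        for pattern, kt, key in self.entries:
            if kt == keytype and host_matches(pattern, host):
                return key
        return None

    def check(self, host: str, keytype: str, presented: str) -> str:
        known = self.lookup(host, keytype)
        if known is None:
            return "unknown"
        return "match" if hmac.compare_digest(known, presented) else "mismatch"

    def add(self, host: str, keytype: str, key_b64: str, salt: Optional[bytes] = None) -> None:
        salt = salt if salt is not None else os.urandom(20)  # OpenSSH uses a 20-byte salt
        self.entries.append((hashed_host_pattern(host, salt), keytype, key_b64))

    def dump(self) -> str:
        return "".join(" ".join(entry) + "\n" for entry in self.entries)


def tofu_connect(kh: KnownHosts, host: str, keytype: str, presented: str) -> str:
    """Hypothetical stand-in for the client's decision on each connection:
    trust on first use, accept a matching key, refuse a changed one."""
    verdict = kh.check(host, keytype, presented)
    if verdict == "unknown":
        kh.add(host, keytype, presented)  # first contact: record the key locally
        return "accepted-new " + fingerprint(presented)
    if verdict == "match":
        return "accepted"
    # A changed key is exactly the case the comment is about: only the local
    # record, not a third party, gets to say the server "really did get a new key".
    return "refused-key-changed"


if __name__ == "__main__":
    kh = KnownHosts()
    print(tofu_connect(kh, "git.example.internal", "ssh-ed25519", SAMPLE_KEY_A))
    print(tofu_connect(kh, "git.example.internal", "ssh-ed25519", SAMPLE_KEY_A))
    print(tofu_connect(kh, "git.example.internal", "ssh-ed25519", SAMPLE_KEY_B))
    print(kh.dump(), end="")
```

The hashed form is why a leaked known_hosts file does not hand an attacker a list of the hosts you administer: the salt is random per entry, so each line has to be brute-forced against candidate hostnames individually. The trade-off is that nothing in this model helps on the very first connection; that is where comparing the printed fingerprint out of band (or a CA-signed host certificate) comes in.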

  4. but does it... by postmortem · · Score: 0, Flamebait

    run on iPhone?

    Nope, it does not without unlocking the phone from Apple to you.

    1. Re:but does it... by MichaelSmith · · Score: 1

      It does run on the openmoko.

    2. Re:but does it... by stinkytoe · · Score: 2, Informative

      Ditto for android.

    3. Re:but does it... by Anonymous Coward · · Score: 1, Informative

      run on iPhone?

      It sure does. TouchTerm, for example, uses OpenSSH.
      http://jbrink.net/touchterm/

    4. Re:but does it... by MichaelSmith · · Score: 2, Informative

      run on iPhone?

      It sure does. TouchTerm, for example, uses OpenSSH.
      http://jbrink.net/touchterm/

      Not the server though.

    5. Re:but does it... by tlhIngan · · Score: 1

      run on iPhone?

      It sure does. TouchTerm, for example, uses OpenSSH.
      http://jbrink.net/touchterm/

      Not the server though.

      Jailbreak it. OpenSSH is a package available via Cydia, including the server.

      localhost:~ mobile$ uname -a
      Darwin localhost 9.4.1 Darwin Kernel Version 9.4.1: Sat Nov 1 19:09:48 PDT 2008; root:xnu-1228.7.36~2/RELEASE_ARM_S5L8900X iPhone1,1 arm M68AP Darwin
      localhost:~ mobile$ ps auxwww | grep sshd
      mobile 565 6.0 0.5 273304 644 s001 R+ 9:01PM 0:00.04 grep sshd
      root 559 0.0 0.0 0 0 ?? 9:00PM 0:00.00 (sshd)
      localhost:~ mobile$

      Just remember to install bsd-utils and change the password for root and mobile.

    6. Re:but does it... by icebike · · Score: 2

      Seriously, how did parent get modded flamebait?

      You Apple fanboys have to back off a little bit. Apple is a big company, they don't need you to rush to their defense every time some one posts a disparaging word.

      And the truth, as the parent posted, can not be a flame.

      --
      Sig Battery depleted. Reverting to safe mode.
    7. Re:but does it... by Anonymous Coward · · Score: 0

      might consider installing sbsettings as well and add the ssh on off button to the swipe out panel. only turn it on when you intend to connect to it. Even more secure that way. Plus you can have swipe access to brightness, radio on/off switches, and more.

    8. Re:but does it... by Anonymous Coward · · Score: 0

      The only thing worse than a lobbyist is their volunteer workers. Apple consumers truly disgust me.

  5. Thanks OpenBSD by Spit · · Score: 4, Insightful

    For the rest as well.

    --
    POKE 36879,8
    1. Re:Thanks OpenBSD by atheistmonk · · Score: 3, Insightful

      They really are a gift that keeps giving. I'm not really much of an OpenBSD user... I don't always like that Theo de Raadt assumes he knows what's best for me. Unfortunately... He's probably right. May it live forever and spawn more and more secure and useful tools for the F/OSS world.

    2. Re:Thanks OpenBSD by Anonymous Coward · · Score: 0

      MOD PARENT UP. Thanks Theo.

    3. Re:Thanks OpenBSD by JackieBrown · · Score: 4, Interesting

      What is interesting is how secure and easy it is to use.

      I use it with fuse to mount my networked partitions. It involved no work and the fact that it is secure is just a bonus since there is no noticeable speed loss for my transfers.

    4. Re:Thanks OpenBSD by Dadoo · · Score: 3, Informative

      I'd like to thank the OpenBSD project, as well, but I'd also like to point out a few issues.

      OpenSSH still won't work with certificates signed by a CA.

      OpenSSH doesn't allow an unencrypted connection (after authentication). Not all CPUs can encrypt/decrypt at 1Gbps.

      OpenSSH doesn't work - as advertised - with an exclamation point in a "Match" statement.

      Other than that, OpenSSH is possibly one of the most capable and reliable pieces of software I've ever had the privilege to use.

      --
      Sit, Ubuntu, sit. Good dog.
    5. Re:Thanks OpenBSD by Anonymous Coward · · Score: 4, Insightful

      Theo de Raadt is not all powerful. The project is stagnating now in some areas in spite of him being the leader. However nobody can deny he and his team are some of the best programmers around.
      OpenBSD source code is the best I have ever seen and the first thing I do on any new Linux installation is to install OpenBSD tools.
      Really if someone is reading this and wants to flee the Linux gulag, OpenBSD is a system to check. It is not the fastest, it is not the smallest, but it is the most secure and consistent.

    6. Re:Thanks OpenBSD by TheRaven64 · · Score: 1

      You use OpenBSD with FUSE? How do you do that?

      --
      I am TheRaven on Soylent News
    7. Re:Thanks OpenBSD by Anonymous Coward · · Score: 0

      1. OpenSSH is not OpenSSL
      2. OpenSSH is not Telnet
      3. (?)

      I don't think these are issues. They sound more like feature requests - something that OpenBSD devs usually receive with less-than-Open ARMs.

    8. Re:Thanks OpenBSD by impaledsunset · · Score: 1

      > OpenSSH doesn't allow an unencrypted connection (after authentication).

      A secure shell doesn't support insecure connections? How could that be? Have you considered that probably SSH isn't the right tool for the job then? Making insecure connections possible with SSH sounds like a rather bad idea. The purpose of SSH *is* to maintain a secure connection, if you want an insecure one you might consider something else. Anyone using OpenSSH would be expecting that the connections they make *are* secured, adding support for insecure ones is a big huge fucking no.

      My SSH documentation doesn't mention the exclamation point feature, I couldn't find it mentioned on openssh.com, are you by any chance confusing Match in sshd_config with Host in ssh_config?

      Support for CAs might be a nice feature, but I wouldn't call it an issue. If you really need it, what happened when you tried to contribute it, or at least request it?

    9. Re:Thanks OpenBSD by Anonymous Coward · · Score: 0

      A slight correction:
      1. OpenSSH is not OpenSSL. Fortunately.
      2. OpenSSH is not Netcat. Fortunately.
      3. OpenSSH is not a psychic and doesn't read Dadoo's mind. Thank God!

    10. Re:Thanks OpenBSD by Chris+Pimlott · · Score: 2, Informative

      OpenSSH doesn't allow an unencrypted connection (after authentication). Not all CPUs can encrypt/decrypt at 1Gbps.

      I believe there is a compile-time option to include a noop cipher as a run-time option, it's just not included by default.

    11. Re:Thanks OpenBSD by impaledsunset · · Score: 2, Insightful

      That would make the connection unencrypted during the authentication, and would need to be manually enabled on all sites where you would use it. Not that it matters, it would be an anti-feature anyway.

    12. Re:Thanks OpenBSD by Anonymous Coward · · Score: 1, Insightful

      Now if the OpenBSD project would just start doing something with the clean-room reverse engineered binary blobs for wireless cards that we've been sending them for the past three years...

      Great firewalls, great routers, good servers, but crap for everything else.

    13. Re:Thanks OpenBSD by Anonymous Coward · · Score: 0

      Secure FTP. Now fuck off.

    14. Re:Thanks OpenBSD by Hatta · · Score: 3, Interesting

      OpenSSH provides a lot more than just security. Sometimes I'd just like it to forward X over my LAN. In that case, encryption is completely unnecessary. Yeah, I could do it the old fashioned way, but it's been so long I've forgotten how.

      --
      Give me Classic Slashdot or give me death!
    15. Re:Thanks OpenBSD by gad_zuki! · · Score: 2, Informative

      >Not all CPUs can encrypt/decrypt at 1Gbps.

      FTPS does this. You can disable/enable encryption on the fly. I believe this functionality is disabled in filezilla by default, but other servers support it.

    16. Re:Thanks OpenBSD by jc42 · · Score: 1

      Other than that, OpenSSH is possibly one of the most capable and reliable pieces of software I've ever had the privilege to use.

      Oh, I dunno about that. Right now, I've again been seeing an OpenBSD/OpenSSH failure mode that has plagued a bunch of us for years, and nobody seems to be able to find a clue about what's wrong.

      The scenario is a flock of unix/linux machines of various makes, models and release numbers, with ssh/scp/... used between them. All of the machines work together pairwise, except for when one of the pair is the FreeBSD machine. With that one, an ssh or scp gets through just fine, and works for a while, but then it simply hangs, and neither end gets any more traffic for hours. There's lots of evidence that the problem is in SSL on the FreeBSD machine. One bit of evidence is that I often have connections to it from several different machines, and all of them hang at the same time. While they're hung, I can make a new ssh connection, which works fine, and I can verify that 1) the processes on that end are all still running, but 2) they're not receiving data or errors from the SSL link. Also, killing the processes on either end of the connection has no effect on the other end. But it's not the machine's low-level networking that's at fault, because other kinds of connections survive the event without problems. Turning ssh's debug level way up doesn't help; neither end sees any problems during the hang. It's not a Comcast-like blocking from the ISP, because links via different ISPs hang simultaneously.

      Questions about this on various forums have gotten no replies other than "You must have something configured wrong" without any hints as to what config error might produce such problems. And it doesn't help that the problem isn't reliably reproducible. Sometimes things will work for weeks. Then, as happened in an ssh session from this Macbook just before I hit Reply here, the connection will suddenly hang in the middle of typing a command to the remote shell, and a quick check (in a couple of other windows ssh'd to the same FreeBSD machine) will show that they're all hung, too, including the one that was running a "top" command that halted during the same second.

      Anyone here know if this problem has been successfully diagnosed anywhere? Google doesn't seem to be our friend this time, e.g., "ssh hangs" gets some 8 million hits, but they all seem to be about hangs during initialization or exit. This hang is during routine use, usually noticed when the echoing stops while typing something. Adding other keywords for google doesn't seem to help, because what are the right keywords to describe a hang that appears randomly during routine use and isn't related to anything you can name?

      It is impressive that we haven't been able to get this particular misbehavior on any of the other OSs that we have available. We've only seen it when one end is FreeBSD, and it survives upgrades of the OS and OpenSSH. It has been around for a while, though. On one of the FreeBSD systems where it happens, "ssh -v" gives "OpenSSH_4.2p1 FreeBSD-20050903, OpenSSL 0.9.7e-p1 25 Oct 2004", so the problem has been around at least that long. It happened a few days ago with a new FreeBSD installation on another machine in the lab.

      Note that this hang isn't a failure to connect or disconnect. Those work fine. It happens "for no apparent reason", during an ssh or scp (or rsync) session that has been working fine up to that point. And it appears to happen to all SSL-based connections to the FreeBSD system at the same time, to within a second or so.

      Actually, what would be really useful is a technique for asking google (or some other fine search site) about this topic, and not get buried by millions of comments about similar problems during the connect or disconnect phase. The problem with search sites is that there seem to be an uncountable number of different keywords used to talk about startup/shutdown or login/logout or connect/exit/ or whatever, and no matter how many of t

      --
      Those who do study history are doomed to stand helplessly by while everyone else repeats it.
    17. Re:Thanks OpenBSD by Anonymous Coward · · Score: 0

      "Theo de Raadt is not all powerful."

      All unbelievers will be cast into a lake of unsupported hardware for eternity.

      "The project is stagnating now in some areas"

      Serious? Development has slowly increased over the last decade by any measurement I can think of.

    18. Re:Thanks OpenBSD by Anonymous Coward · · Score: 0

      So you want them to add a whole new feature to OpenSSH just to save you one simple Google search?

    19. Re:Thanks OpenBSD by Hatta · · Score: 1

      Well it's not just that. There's rsync over a LAN, or sshfs. Or then there are the times when you're forwarding all your network traffic over SSH anyway, and there's really no need to encrypt it twice.

      Again, I could use rsh. I could use CIFS. I could use netcat. But SSH has all these great features in one, and is really easy to use. Being able to use a null cipher would be awfully convenient.

      --
      Give me Classic Slashdot or give me death!
    20. Re:Thanks OpenBSD by Drinking+Bleach · · Score: 1

      Have you tried telling the OpenSSH and/or FreeBSD mailing lists about your issue? They might not even be aware of the bug, if you've only been posting about it on random forums...

    21. Re:Thanks OpenBSD by Ant+P. · · Score: 1

      apt-get install sshfs-fuse

    22. Re:Thanks OpenBSD by Ant+P. · · Score: 1

      That would make the connection unencrypted during the authentication

      Er... no it doesn't. You don't know what you're talking about - until you do, stop trying to sound clever.

    23. Re:Thanks OpenBSD by Anonymous Coward · · Score: 0

      No idea, but here's a couple I found after a quick google:

      http://lists.freebsd.org/pipermail/freebsd-i386/2007-March/005177.html

      http://www.mail-archive.com/freebsd-questions@freebsd.org/msg95551.html

      I didn't look closely, so might be worthless. Good luck.

      - T

    24. Re:Thanks OpenBSD by dmiller · · Score: 1

      Use arcfour256 as your cipher and umac-64@openssh.com as your MAC (ssh -oCiphers=arcfour256 -oMACs=umac-64@openssh.com ...). Between these, CPU is usually not the bottleneck anymore.

      We don't support the none cipher because "secure networks" often aren't, and there are already tools that are insecure and go fast.

    25. Re:Thanks OpenBSD by dmiller · · Score: 1

      Nope. Not without 3rd party patches anyway.

    26. Re:Thanks OpenBSD by dmiller · · Score: 1

      I'd like to thank the OpenBSD project, as well, but I'd also like to point out a few issues.

      OpenSSH still won't work with certificates signed by a CA.

      Quite right, and we have no intention of incorporating x.509 support. X.509 parsing and verification exposes a large amount of attack surface and all of it is, by necessity, pre-authentication too (the type which, if buggy, allows worms). Read Peter Gutmann's X.509 style guide and see if you ever want to go near this horror again. We have actually written our own minimal RSA verification code to avoid the sort of ASN.1 parsing that is necessary to deal with X.509, and it has saved us from at least seven bugs - some probably exploitable for authentication bypass or remote code execution.

      OpenSSH doesn't allow an unencrypted connection (after authentication). Not all CPUs can encrypt/decrypt at 1Gbps.

      Yep, we are a _secure_ shell and we take a mildly patriarchal attitude to adding options that can lead to insecure use of OpenSSH. Note that the actual bottleneck in most cases is not the crypto anyway (at least when using arcfour256 as your cipher) but the MAC, and you wouldn't want to switch that off. We do have a very fast MAC though: umac-64

      OpenSSH doesn't work - as advertised - with an exclamation point in a "Match" statement.

      File a bug, we'll fix it.

      Other than that, OpenSSH is possibly one of the most capable and reliable pieces of software I've ever had the privilege to use.

      Thanks :)
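
What "minimal verification code that avoids ASN.1" looks like in practice, as an added example (mine, not OpenSSH's code): a strict parser for the SSH wire-format RSA public key (RFC 4253: string "ssh-rsa", mpint e, mpint n), the layout an authorized_keys line carries in base64. Every length field is checked against the bytes that actually remain, mpints must be canonical and non-negative, trailing bytes are rejected, and implausible exponents or moduli are refused, which are the checks a pre-authentication parser has to get right. The sample modulus is a constructed odd 2048-bit integer, not a real key; `encode_ssh_rsa` exists only to build those test vectors and `rejects` is a helper for the demo.

```python
import base64
import struct
from typing import Optional, Tuple


class KeyFormatError(ValueError):
    """Raised for any malformed input; the caller treats it as 'not a key'."""


def _read_string(buf: bytes, off: int) -> Tuple[bytes, int]:
    """RFC 4251 'string': uint32 big-endian length, then exactly that many bytes."""
    if off + 4 > len(buf):
        raise KeyFormatError("truncated length field at offset %d" % off)
    (n,) = struct.unpack(">I", buf[off:off + 4])
    off += 4
    if n > len(buf) - off:  # the classic pre-auth bug: trusting the length field
        raise KeyFormatError("length %d exceeds the %d remaining bytes" % (n, len(buf) - off))
    return buf[off:off + n], off + n


def _read_mpint(buf: bytes, off: int) -> Tuple[int, int]:
    """RFC 4251 'mpint': two's complement, big-endian, minimal encoding; zero is the empty string."""
    raw, off = _read_string(buf, off)
    if raw == b"":
        return 0, off
    if raw[0] & 0x80:
        raise KeyFormatError("negative mpint")
    if raw[0] == 0 and (len(raw) == 1 or not raw[1] & 0x80):
        raise KeyFormatError("non-canonical mpint (redundant leading zero)")
    return int.from_bytes(raw, "big"), off


def parse_ssh_rsa(blob: bytes, min_bits: int = 2048) -> Tuple[int, int]:
    """Parse an ssh-rsa public key blob and return (e, n), refusing anything odd."""
    keytype, off = _read_string(blob, 0)
    if keytype != b"ssh-rsa":
        raise KeyFormatError("unexpected key type %r" % keytype)
    e, off = _read_mpint(blob, off)
    n, off = _read_mpint(blob, off)
    if off != len(blob):
        raise KeyFormatError("%d trailing bytes after the key" % (len(blob) - off))
    if e < 3 or e % 2 == 0:
        raise KeyFormatError("public exponent must be an odd integer >= 3")
    if n % 2 == 0 or n.bit_length() < min_bits:
        raise KeyFormatError("modulus must be odd and at least %d bits" % min_bits)
    return e, n


def parse_authorized_key_line(line: str, min_bits: int = 2048) -> Tuple[int, int]:
    """Parse the 'ssh-rsa AAAA... comment' form found in authorized_keys."""
    fields = line.split(None, 2)
    if len(fields) < 2 or fields[0] != "ssh-rsa":
        raise KeyFormatError("not an ssh-rsa line")
    try:
        blob = base64.b64decode(fields[1], validate=True)
    except ValueError as exc:
        raise KeyFormatError("bad base64: %s" % exc)
    return parse_ssh_rsa(blob, min_bits)


def encode_ssh_rsa(e: int, n: int) -> bytes:
    """Encoder used only to build constructed test vectors for the demo."""
    def mpint(x: int) -> bytes:
        raw = x.to_bytes((x.bit_length() + 7) // 8, "big") if x else b""
        if raw and raw[0] & 0x80:
            raw = b"\x00" + raw  # keep the sign bit clear for a positive value
        return len(raw).to_bytes(4, "big") + raw
    return len(b"ssh-rsa").to_bytes(4, "big") + b"ssh-rsa" + mpint(e) + mpint(n)


def rejects(blob: bytes) -> Optional[str]:
    """Demo helper: the error message if the blob is refused, None if it is accepted."""
    try:
        parse_ssh_rsa(blob)
    except KeyFormatError as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    E, N = 65537, (1 << 2047) | 1  # constructed modulus for the demo, not a real key
    good = encode_ssh_rsa(E, N)
    print(parse_ssh_rsa(good) == (E, N))
    for bad in (good[:-1], good + b"\x00", good[:4] + b"ssh-dss" + good[11:]):
        print(rejects(bad))
```

The whole grammar is three length-prefixed fields, so the parser has nothing to get wrong beyond the bounds checks shown. Compare that with X.509, where the same public key arrives wrapped in nested ASN.1 DER (SubjectPublicKeyInfo inside a certificate, with extensions, name constraints and chain building on top), all of which has to be parsed before the peer has proven anything.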

    27. Re:Thanks OpenBSD by TheRaven64 · · Score: 1

      You use apt-get on OpenBSD? How do you do that?

      --
      I am TheRaven on Soylent News
    28. Re:Thanks OpenBSD by welsh+git · · Score: 1

      I don't have ftpd on my systems, or rsh and telnetd etc.

      I use "scp -R" to transfer lots of files neatly from place to place.

      Sometimes I do it from one machine on my local lan to another machine on my local lan, less than 2 feet away. It would be nice in these circumstances to disable encryption, simply to speed up transfer.

      --
      Sig out of date
    29. Re:Thanks OpenBSD by cthulhu11 · · Score: 1

      SSH-HPN.

      Nice project, but it'd be more useful were it merged into the stock OpenSSH. I experimented with it once -- speed gains from the window/buffer patches and the multi-core cipher were modest, and I never did get the poorly-documented "none" cipher to work.

    30. Re:Thanks OpenBSD by dmiller · · Score: 1

      Most of the speed gains for high bandwidth x delay networks have been realised in stock OpenSSH already. HPN still does better on very fast long distance networks though.

    31. Re:Thanks OpenBSD by mvdwege · · Score: 1

      This sounds a bit like an empty entropy pool, with all the crypto functions hanging on a blocked read on the FreeBSD equivalent of /dev/random.

      I'm a bit puzzled why a new connection would go through though.

      Mart

      --
      "I know I will be modded down for this": where's the option '-1, Asking for it'?
  6. How was life possible without it? by stox · · Score: 5, Insightful

    To think we used to use telnet and rlogin to access everything.

    OpenSSH is a far more significant technology than it has gotten credit for.

    --
    "To those who are overly cautious, everything is impossible. "
    1. Re:How was life possible without it? by the_humeister · · Score: 3, Funny

      Same with zippers. What would life be like without zippers?

    2. Re:How was life possible without it? by Anonymous Coward · · Score: 3, Insightful

      Except OpenSSH really shouldn't get the credit. Tatu Ylönen created ssh, not OpenBSD. The original OpenSSH implementation was based on Tatu's code. I'm not arguing that OpenSSH isn't useful, or that they haven't done good work, but it is not the origin of the technology.

    3. Re:How was life possible without it? by InsaneMosquito · · Score: 4, Funny

      Same with zippers. What would life be like without zippers?

      A lot more drafty?

    4. Re:How was life possible without it? by grub · · Score: 4, Funny


      What would life be like without zippers?

      I'd have far fewer painful memories of getting wang-skin caught in them.

      --
      Trolling is a art,
    5. Re:How was life possible without it? by evil_aar0n · · Score: 2, Insightful

      Just a suggestion, but maybe you should wear underwear... Of course, there are situations where you have to zip-and-dash, like when your girlfriend's husband walks in, unannounced - the nerve... - but, generally, I've found that the judicious use of Underoos helps prevent biting zip-ups.

      --
      Truth, Justice. Or the American Way.
    6. Re:How was life possible without it? by grcumb · · Score: 1

      Same with zippers. What would life be like without zippers?

      I have 4 pairs of Levi 501s, you insensitive clod!

      (And one pair of 504s - endlessly and sometimes comically confusing, especially in crucial moments.)

      --
      Crumb's Corollary: Never bring a knife to a bun fight.
    7. Re:How was life possible without it? by evilviper · · Score: 5, Informative

      The original OpenSSH implementation was based on Tatu's code.

      Yes it was. But Tatu's SSH was the old, insecure protocol.

      And there were many secure remote access tools before it. kerberized telnet, telnet/ftp over SSL, and limitless others.

      It's not the magical protocol (which is quite similar to SSL plus RSH/RCP), or the initial few lines of code that got it started. It's the fact that it was open, secure, widely available, and being pushed by the OpenSSH folks to be used as the default form of remote access on Unix systems.

      Tatu didn't have anything to do with it. He was too busy commercializing it, and repeatedly threatened, and then sued, the OpenSSH project for all their hard work. If he had chosen to keep SSH open, we'd have been a LOT further along. As other posters correctly remember, support for SSH very nearly died with that step. Many programs included SSHv1 support, and then just stagnated and let the code rot. If not for OpenSSH, it would be another relic of secure telnet protocols tried and failed, not having gone anywhere, and we'd go merrily along, using telnet and rsh, bemoaning the fact that it's so insecure, and that nothing better ever came along.

      --
      Slashdot gets worse every day... Pipedot: News for nerds, without the corporate slant
    8. Re:How was life possible without it? by wastedlife · · Score: 4, Funny

      I have a pair of 404s, but I can never find them.

      --
      Said, "It's just like dice but it's got more sides And it tells me who lives and who dies"
    9. Re:How was life possible without it? by david+duncan+scott · · Score: 1

      Zippers may be the only thing that separates us from the great apes.

      --
      This next song is very sad. Please clap along. -- Robin Zander

    10. Re:How was life possible without it? by melikamp · · Score: 1
    11. Re:How was life possible without it? by mlts · · Score: 1

      The only other protocol available at the time that might have even approached SSH would be a SSL based telnet. I'm not sure how rlogin would have been secured (because it is UDP based), but it likely would be nowhere near as elegant as what ssh offers.

      To boot, neither telnet nor rlogin offered port forwarding (which meant an easy way to use X clients over an insecure network), variable security methods (so you wouldn't need to worry about a password, but could use a private .identity key), multiple encryption algorithms (in v2.)

      So overall, even with the hurdle of the ssh/openSSH mess in the early part of the decade and the re-implementation of v1 and v2 of the protocol, ssh is as much a part of daily life for almost any admin as DHCP is, perhaps more so since a lot of admins use static IPs.

    12. Re:How was life possible without it? by RzUpAnmsCwrds · · Score: 3, Funny

      I have a pair of 413s, but they are too big to fit me.

    13. Re:How was life possible without it? by Alioth · · Score: 1

      Not only that, but telnet and rlogin over 10base2 thin-net or 10baseT with a hub rather than a switch, so anyone on your LAN segment could see your passwords going by...

    14. Re:How was life possible without it? by mftb · · Score: 1
    15. Re:How was life possible without it? by Anonymous Coward · · Score: 5, Interesting

      Version 2 of the SSH protocol was also developed by Tatu Ylönen and his company SSH Communication Security. It was just that when they made the new, improved protocol they also switched to a proprietary license with SSH v2. It took a couple of years before the OpenBSD folks had developed the open source SSH v1 code to the point where it supported all features of the SSH v2 protocol. The two implementations of v2 still aren't fully compatible on client-side stuff like key storage, but nowadays it is the proprietary SSH that is considered the odd one out.

      I don't consider Tatu Ylönen here as a bad guy. What he has given to the world free of charge is 1) the SSH v1 protocol specification, 2) the SSH v1 open source implementation, and 3) the SSH v2 protocol specification. On top of that he has managed to make a living off of the SSH v2 code, and he certainly has the right to do that.

    16. Re:How was life possible without it? by GingaNutz · · Score: 1

      Posting to undo misclick!

    17. Re:How was life possible without it? by AliasMarlowe · · Score: 2, Funny

      I have a pair of 404s, but I can never find them.

      You can get as many 419s as you can handle from my colleague, until recently the Esteemed Excellency of Nigeria's Department of Overseas Resource Depletion, and now with a large number of undocumented 419s at his disposal. Please reply with banking details, home address and SIN, and all other useful information such as drivers license and credit card numbers.

      --
      Those who can make you believe absurdities can make you commit atrocities. - Voltaire
    18. Re:How was life possible without it? by maxume · · Score: 1

      You better hope it is a sturdy tent.

      --
      Nerd rage is the funniest rage.
    19. Re:How was life possible without it? by Anonymous Coward · · Score: 0

      Such a missed opportunity. You should have said your penis was too big to fit in the 413s.

    20. Re:How was life possible without it? by cerberusss · · Score: 1

      Of course, there are situations where you have to zip-and-dash, like when your girlfriend's husband walks in, unannounced

      Why first zip? Just run, man! Swing that sword!

      --
      8 of 13 people found this answer helpful. Did you?
    21. Re:How was life possible without it? by Anonymous Coward · · Score: 0

      I have a pair of 419s, and any day now my close friend in guinea basso will be sending me a whole shipload of them that had to be smuggled out of the country! I only had to pay a few thousand in administration fees first.

    22. Re:How was life possible without it? by noidentity · · Score: 1

      Same with zippers. What would life be like without zippers?

      Indeed... pk-zip, gzip, 7-zip are daily essentials.

    23. Re:How was life possible without it? by geminidomino · · Score: 1

      I love my ratty, old, broken-in 403s, but my girlfriend won't let me wear them anymore...

    24. Re:How was life possible without it? by jc42 · · Score: 1

      I don't consider Tatu Ylönen [sic] here as a bad guy. What he has given to the world free of charge is 1) the SSH v1 protocol specification, 2) the SSH v1 open source implementation, and 3) the SSH v2 protocol specification. On top of that he has managed to make a living off of the SSH v2 code, and he certainly has the right to do that.

      Presumably the problem is the thing about trying to use the legal system to stop OpenSSH. If he had cooperated with the open branch, while building a private company to sell the closed branch, most people would have probably accepted it without comment. After all, there's a portion of the market who believe that closed, proprietary software is more secure than open software. It's quite appropriate to make a closed, proprietary version of any open software to satisfy them.

      One could argue that it's better if both branches are in fact identical, so that they interoperate well and there's reason to expect that the closed version doesn't contain any backdoors. But that's probably being too trusting, and the closed branch should always be treated with suspicion by knowledgeable people. "What are they hiding in it that they don't want us to know about?" But we know that there are a lot of people in management who don't trust anything that's open, and rather than seeing them use some separate package that probably contains all kinds of undiagnosable holes, it's better if a closed-source edition can be made available just for them.

      It's also appropriate to market an expensive edition of the closed version, specially tailored for that part of the market who believe "You get what you pay for". ;-)

      --
      Those who do study history are doomed to stand helplessly by while everyone else repeats it.
    25. Re:How was life possible without it? by jpate · · Score: 1

      ask the amish?

    26. Re:How was life possible without it? by Limburgher · · Score: 1
      --

      You are not the customer.

    27. Re:How was life possible without it? by Anonymous Coward · · Score: 0

      Unfortunately, my girlfriend only wears 403s.

    28. Re:How was life possible without it? by evilviper · · Score: 1

      It took a couple of years before the OpenBSD folks had developed the open source SSH v1 code to the point where it supported all features of the SSH v2 protocol.

      OpenSSH had the bulk of SSHv2 features in no time. Yes, it took quite some time for the final bits and pieces. But NOBODY was using SSHv2 at that point, anyhow. See above for the reasons.

      The two implementations of v2 still aren't fully compatible on client-side stuff like key storage,

      That goes back to the SSL thing. OpenSSH keys are really OpenSSL keys, as found on the many millions of Apache servers. Frankly, I think it was stupid of SSH.com to go in the incompatible direction (just one of many), and I wouldn't expect OpenSSH to follow them down that dead end.

      but nowadays it is the proprietary SSH that is considered the odd one out.

      That's one hell of an understatement. SSH.com/Tectia would hardly even appear on a graph of SSH protocol versions. It was below 3% market share quite some time ago, and has been on a long decline. Its market share may well be statistically insignificant noise at this point. (Yeah, I'm a bit pissed-off dealing with Tectia's quirks and bugs).

      On top of that he has managed to make a living off of the SSH v2 code, and he certainly has the right to do that.

      Yes, but I was pointing out that it was *in spite of him*, most certainly not because of him, that SSH has taken the world by storm. Just as I wouldn't want to see Microsoft praised for giving us a great piece of software like Samba...

      --
      Slashdot gets worse every day... Pipedot: News for nerds, without the corporate slant
  7. 10 years of fear reading sec lists by VonGuard · · Score: 5, Insightful

    No matter the OS, no matter the exploit, that name alone in the title of an email to bugtraq can send shivers down the spine.

    --
    Don't Crease the Weasel!
    1. Re:10 years of fear reading sec lists by Anonymous Coward · · Score: 0

      yes, OpenSSH is very cool, but for a couple years it was the exploit of the month.

      Uh, update every OpenSSH install to latest version x.y.z , we cannot tell you why, you MUST update NOW, across every OS, across every server, NOW. Within two days, do regression tests on all versions of your OS and distribute updates to all your clients, and have them update NOW. Sorry, cannot tell you why though.

      For a while I had telnet open (for local connects across my LAN) because I would have to disable openssh from the world, except for telnet from my two remote locations. Yea, good times....

    2. Re:10 years of fear reading sec lists by _Sprocket_ · · Score: 1

      I remember more rumors of vulnerabilities than vulnerabilities. Not that there weren't any - there have been more than a dozen vulnerabilities over the last decade. But the fear of an exploit seemed to be the exploit as often as an actual bug discovery.

    3. Re:10 years of fear reading sec lists by Anonymous Coward · · Score: 1, Funny

      And looking at the press page, we can even see that they are celebrating the 5th birthday of the project! :)
      http://openssh.com/press.html

  8. i dont need ssh by digitalsushi · · Score: 4, Funny

    i dont need ssh... for some reason inetd was installed with a call to bash, running as root. i can just telnet right in. it actually saves me a ton of time, since lately i can't even seem to remember what my password is.

    --
    slashdot: where everyone yells sarcastic metaphors to themselves to understand the issue
    1. Re:i dont need ssh by dazjorz · · Score: 3, Funny

      Interesting. Would you mind telling me what host and port this is, so I can.. um... diagnose the uh.. problem?

    2. Re:i dont need ssh by iammani · · Score: 1

      Sure, I will help you with that. It's 127.0.0.1 and any port

    3. Re:i dont need ssh by MichaelSmith · · Score: 5, Funny

      All that gives me is a web page with tentacle porn....

    4. Re:i dont need ssh by David_W · · Score: 5, Funny

      since lately i can't even seem to remember what my password is

      It's hunter2.

    5. Re:i dont need ssh by glittalogik · · Score: 3, Funny

      Live action or animated? Normally I wouldn't pry but my genitals wanted me to ask.

    6. Re:i dont need ssh by Anonymous Coward · · Score: 0

      Can you type that again? All I see are asterisks!

    7. Re:i dont need ssh by Anonymous Coward · · Score: 5, Informative

      For the young folk who are scratching their heads...

      http://www.bash.org/?244321

    8. Re:i dont need ssh by Anonymous Coward · · Score: 0

      How did you know his password?

    9. Re:i dont need ssh by noidentity · · Score: 3, Funny

      "since lately i can't even seem to remember what my password is"

      It's hunter2.

      That's odd; it just appears as ******* to me. Is that because it only shows up for the person whose password it is? Cool.

    10. Re:i dont need ssh by AragornSonOfArathorn · · Score: 1

      My password is just the letter a.

      --
      sudo eat my shorts
    11. Re:i dont need ssh by Anonymous Coward · · Score: 0

      Hey asshole, thanks. There went my morning.

    12. Re:i dont need ssh by Jean-Luc+Picard · · Score: 1

      Silly, an asterisk isn't a letter

  9. Apt.... by Anonymous Coward · · Score: 0

    I wonder how long until this makes its way down the pipes into the apt for Debian...

  10. You mean... by Anonymous Coward · · Score: 0

    ...the Feds have allowed OpenSSH to keep going "strong" after 10 years.

    1. Re:You mean... by Anonymous Coward · · Score: 0

      That's just what they want you to do!

    2. Re:You mean... by mlts · · Score: 1

      The Feds need security too. I'm sure, if there are any weaknesses (and this is theory mind you, not anything based in fact), it likely would be the larger organizations having knowledge (or specialized hardware like a TWIRL device which is just theory as of now) of how to factor public keys faster than conventional brute force ways. I'm pretty sure a lot of machines out there (especially ssh v1 boxes) still have 512 bit keys as their host key, and if someone targeted that box specifically, they could obtain the key, then try to insert themselves into the network stream for a MITM attack against people logging on via remote.

      The SSH v2 protocol by itself has proven quite strong, and is one of the two bigger protocols for sending encrypted data over the Internet with decent security. Perhaps three, factoring in PPTP.
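A defender's check for the weak host keys mlts worries about, as an added example that is not from the thread: it decodes the base64 public-key blobs of a known_hosts file (the same wire format as authorized_keys) and reports any RSA modulus shorter than a chosen policy size. The host names and key material below are constructed for the example, not real keys.

```python
import base64
import struct


def _ssh_string(data: bytes) -> bytes:
    """Encode one SSH wire-format string: 4-byte big-endian length + bytes."""
    return struct.pack(">I", len(data)) + data


def _ssh_mpint(value: int) -> bytes:
    """Encode a non-negative integer as an SSH mpint (a leading 0x00 pad is
    added when the top bit is set, so the number is not read as negative)."""
    raw = value.to_bytes((value.bit_length() + 7) // 8, "big") or b"\x00"
    if raw[0] & 0x80:
        raw = b"\x00" + raw
    return _ssh_string(raw)


def _read_string(blob: bytes, offset: int):
    """Decode one SSH string at offset; return (payload, next_offset)."""
    (length,) = struct.unpack_from(">I", blob, offset)
    start = offset + 4
    if start + length > len(blob):
        raise ValueError("truncated key blob")
    return blob[start:start + length], start + length


def key_type_and_bits(b64_key: str):
    """Parse a base64 public-key blob and return (key_type, strength_in_bits).
    RSA strength is the modulus length, DSA the length of p, ECDSA the curve
    size; Ed25519 is fixed at 256. Unknown types report None."""
    blob = base64.b64decode(b64_key, validate=True)
    ktype_raw, off = _read_string(blob, 0)
    ktype = ktype_raw.decode("ascii")
    if ktype == "ssh-rsa":
        _e, off = _read_string(blob, off)      # public exponent, not needed here
        n, off = _read_string(blob, off)       # modulus as mpint
        return ktype, int.from_bytes(n, "big").bit_length()
    if ktype == "ssh-dss":
        p, off = _read_string(blob, off)       # first of p, q, g, y
        return ktype, int.from_bytes(p, "big").bit_length()
    if ktype.startswith("ecdsa-sha2-nistp"):
        return ktype, int(ktype[len("ecdsa-sha2-nistp"):])
    if ktype == "ssh-ed25519":
        return ktype, 256
    return ktype, None


def audit_known_hosts(text: str, rsa_min_bits: int = 2048):
    """Return one (host_field, key_type, bits, weak) tuple per key line.
    weak is True for RSA below rsa_min_bits, for any DSA key (p is capped at
    1024 bits in the SSH format) and for blobs that cannot be parsed."""
    results = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if fields[0].startswith("@"):          # @cert-authority / @revoked marker
            fields = fields[1:]
        if len(fields) < 3:
            continue
        host, b64 = fields[0], fields[2]       # host may also be a |1|... hash
        try:
            ktype, bits = key_type_and_bits(b64)
        except (ValueError, struct.error, UnicodeDecodeError):
            results.append((host, fields[1], None, True))
            continue
        weak = (ktype == "ssh-rsa" and bits < rsa_min_bits) or ktype == "ssh-dss"
        results.append((host, ktype, bits, weak))
    return results


def rsa_blob(e: int, n: int) -> str:
    """Base64 ssh-rsa blob for an exponent and modulus; used only to build the
    constructed sample below (n need not be a real RSA modulus)."""
    blob = _ssh_string(b"ssh-rsa") + _ssh_mpint(e) + _ssh_mpint(n)
    return base64.b64encode(blob).decode("ascii")


# Constructed sample file: host names and key material are made up.
SAMPLE_KNOWN_HOSTS = "\n".join([
    "# constructed known_hosts, not real hosts or keys",
    "legacy-box.example.internal ssh-rsa " + rsa_blob(65537, (1 << 511) | 0x10001),
    "fileserver.example.internal ssh-rsa " + rsa_blob(65537, (1 << 2047) | 0x10001),
    "jump.example.internal ssh-ed25519 "
    + base64.b64encode(_ssh_string(b"ssh-ed25519") + _ssh_string(b"\x42" * 32)).decode(),
])

if __name__ == "__main__":
    for host, ktype, bits, weak in audit_known_hosts(SAMPLE_KNOWN_HOSTS):
        print(f"{'WEAK' if weak else 'ok  '} {host} {ktype} {bits}")
```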

    3. Re:You mean... by Sloppy · · Score: 1

      The Feds need security too.

      The thing about security is that it can be subjective. If I dream myself your master, then your security is my insecurity. The Feds want to be able to intercept communications, Apple want to control the iPhone experience, etc. Goals can be incompatible enough that for someone to win, someone else has to lose.

      I think that's why the GP finds it remarkable that we, the users, won this small part of the crypto war. Most of us still don't encrypt our email or voice conversations, but we do have some of the transports locked down fairly well.

      --
      As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.
    4. Re:You mean... by Anonymous Coward · · Score: 0

      I think one reason why we "won" the SSH race is because SSH isn't used to communicate between different users. As of now, user to user communication is still notoriously insecure. E-mail is still for the most part sent in plaintext (even with S/MIME available in modern E-mail clients and pgp usable as an add-on). Social networking sites have little to no facility for encrypted messaging from user to user.

      Pretty much, the only way to ensure some type of secure communication without taking the time to set up and exchange public keys is to either have users on the same Exchange server, or use a service like Hushmail which keeps all mail encrypted, only decrypting it on the Java client. And even then, if some LEO wanted the information enough, they can still find a way to get it by demanding the owner of the messaging server find a method of decryption.

  11. One of the few Mega-Tools by gweihir · · Score: 1

    No idea what I would do without it.

    --
    Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    1. Re:One of the few Mega-Tools by slim · · Score: 1

      No idea what I would do without it.

      rsh over stunnel?

  12. Is OpenSSH still speed limited? by TheSlashaway · · Score: 2, Insightful

    Did OpenSSH ever fix the performance limitation on fast networks (>100Mbps)? They have static internal flow buffers that prevent fast scp/ssh! HPN has a patch but OpenSSH has to my knowledge never adopted it. http://www.psc.edu/networking/projects/hpn-ssh/

    1. Re:Is OpenSSH still speed limited? by Anonymous Coward · · Score: 0

      I regularly see 50MB/sec on my cluster using scp... sometimes it spikes to 66MB/sec

    2. Re:Is OpenSSH still speed limited? by TheSlashaway · · Score: 1

      Ummmm. 300Mbps ? What kind of network do you have? Anyways, my original question is still to be answered...

    3. Re:Is OpenSSH still speed limited? by Anonymous Coward · · Score: 0

      cluster interconnect is a Cisco Catalyst 4503 Layer 2/3 network switch.

    4. Re:Is OpenSSH still speed limited? by 0123456 · · Score: 2, Interesting

      Yeah, scp gets about 55MB/sec between Linux systems at work with gigabit LAN.

    5. Re:Is OpenSSH still speed limited? by Techman83 · · Score: 1

      I find I'm pushing Disk/CPU/Network rather than limitations with SCP. I figure the encryption is causing the CPU load, the rest is obvious.

      --
      # cat /dev/mem | strings | grep -i cat
      Damn, my RAM is full of cats. MEOW!!
    6. Re:Is OpenSSH still speed limited? by WuphonsReach · · Score: 4, Informative

      Like the other poster, I've seen 30-50 MB/s (300-500 Mbps) over a gigabit network when copying between boxes using scp. The limitations were more the frame size (not using jumbo frames on that network) along with the read/write speeds of the system on each end.

      So, it's no slouch and better than SMB/CIFS.

      --
      Wolde you bothe eate your cake, and have your cake?
    7. Re:Is OpenSSH still speed limited? by Anonymous Coward · · Score: 1, Informative

      In actual answer, no, the performance is not fixed at all, unfortunately. It is quite bad, for many cases. Fast networks are not the most significant problem - it is high-latency networks. A Boston-Seattle connection can be 100x slower than it should be, easily.

      A tweaked SSH client is enough to fix most of this, even without modifying the server. A tweaked server helps a little more. (Unfortunately again, both client and server in OpenSSH are rather antiquated in design, and quite awkward to make portable, instead of being installed to fixed paths systemwide.)

      I am surprised how many people will post without understanding the issue or having anything to contribute.

    8. Re:Is OpenSSH still speed limited? by Anonymous Coward · · Score: 0

      Like the other poster, I've seen 30-50 MB/s (300-500 Mbps) over a gigabit network when copying between boxes using scp. The limitations were more the frame size (not using jumbo frames on that network) along with the read/write speeds of the system on each end.

      So, it's no slouch and better than SMB/CIFS.

      On the other hand, I see unencrypted NFS achieve > 90 MB/s over TCP on my gigabit networks, about 2 to 3 times faster. This is without using jumbo frames.

      The tiny, statically sized 64 KB send buffer that OpenSSH limits itself to really does hurt, even on low latency networks.

      Check out the graph comparing unmodified OpenSSH (red) with a version patched to use larger buffers (blue) on the Pittsburgh Supercomputing Center site mentioned above:
              http://www.psc.edu/networking/projects/hpn-ssh/hpn-v-ssh-tput.jpg
              http://www.psc.edu/networking/projects/hpn-ssh/

    9. Re:Is OpenSSH still speed limited? by TheRaven64 · · Score: 1

      Out of interest, what kind of CPU load do you see with that speed? Even 2MB/s is CPU-bound on my old laptop and my new one can only handle about 10MB/s. Or do you use a dedicated crypto accelerator?

      --
      I am TheRaven on Soylent News
    10. Re:Is OpenSSH still speed limited? by Anonymous Coward · · Score: 0

      A byte is 8 bits, not 10. 30-50 MB/sec = 240-400Mb/sec

    11. Re:Is OpenSSH still speed limited? by Anonymous Coward · · Score: 0

      A byte is 8 bits, not 10.

      But can be (is often?) approximated as 10 for such discussions, as a hand-wavy approximation of the lower protocols' overheads.

    12. Re:Is OpenSSH still speed limited? by WuphonsReach · · Score: 1

      One box was an Athlon64 X2 4600+ (2.4GHz), the other is a Opteron 2210 HE (1.8GHz) based system. Both have Intel PRO/1000 NICs. Running CentOS 5.x 64-bit on both systems. Probably both connected to the same 3com gigabit switch (1U rackmount, 24 ports, one of the early baseline business-class models).

      I remember double-digit CPU usage in "atop" (10-20%), but don't remember that being the bottleneck. Might have even been eating up most of a CPU core.

      It's been a month or two since I did those multi-gigabyte transfers. We were migrating our SVN repositories between boxes. Really though, I'm content with 20 MB/sec or better on gigabit networks.

      Our nightly backups are done with rsync or rdiff-backup over SSH. Which are typically disk-bound.

      --
      Wolde you bothe eate your cake, and have your cake?
    13. Re:Is OpenSSH still speed limited? by Anonymous Coward · · Score: 0

      Are you talking SSH or SCP? SCP has terrible latency sensitivity because much like recursive FTP or HTTP tools it does not pipeline. So walking a tree of smaller files will have many stream stalls while another file is requested.

      Rsync over SSH, on the other hand pipelines beautifully. I've used it on international transfers with nearly 1 second RTT ping time and saturated my link where other tools barely worked. However, my link was pretty slow GPRS/EDGE as a bottleneck so I never could compare something like gigabit connectivity and such high latency.

    14. Re:Is OpenSSH still speed limited? by Anonymous Coward · · Score: 0

      Doesn't matter. I am talking about, say, single files of 100GB or more. Although I have certainly experimented with both SCP and SSH alone. I am only talking about the transfer speed.

      Granted, this is a high-performance situation. I don't think most stock linux installations even have the sysctl settings to get top-level throughput in high latency cases with decent bandwidth. But, for specifics, with a 60ms ping time, I have seen standard SSH speeds top out at perhaps 0.8 MB/sec, while I can get 100MB/sec with a tweaked client. (If your case was the former anyway, you probably wouldn't see any additional impact.)

      I don't see how people don't see such issues. Doesn't anyone here have data centers on each coast?

      (If you try to build a portable client, you will see the problem with the somewhat outdated nature. Both client and server rely on config files, and you can't compile in different defaults. The client tools, even, rely on hard-coded absolute paths, including even for scp to locate ssh. Making a portable ssh client that you can just drop in is mostly possible, and worth it, but quite awkward.)

      Oh, a similar bandwidth limit comes up even on low-latency networks when using compression. Some of this is due to the effect of a tiny window, which also affects the compression. There is also a problem, though, in that there is no high-speed compression method available, and it is not pluggable. Also, the compression is not multithreaded or even performed on a background thread.
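
The window/RTT ceiling the posts above are arguing about, worked through with the thread's own figures as an added example (not from any poster): a 64 KB send buffer, a 60 ms cross-country RTT, the ~1 s RTT of the GPRS case and a gigabit link. The 0.5 ms LAN RTT and the 125 MB/s payload rate assumed for gigabit are my assumptions; the model is simply one window of data per round trip.

```python
# Figures from the thread: OpenSSH's 64 KiB send buffer, 60 ms coast-to-coast
# RTT, ~1 s GPRS RTT. Assumed for the example: 0.5 ms LAN RTT and a gigabit
# link carrying 125 MB/s of payload.
WINDOW_BYTES = 64 * 1024
GIGABIT_BYTES_PER_S = 125e6

SCENARIOS = {              # name -> round-trip time in seconds
    "gigabit LAN": 0.0005,
    "coast to coast": 0.060,
    "GPRS link": 1.0,
}


def window_ceiling(window_bytes: int, rtt_s: float) -> float:
    """Bytes/second a sender can move when at most window_bytes may be
    unacknowledged: one window's worth of data per round trip."""
    return window_bytes / rtt_s


def effective_throughput(link_bytes_per_s: float, window_bytes: int, rtt_s: float):
    """Single-stream throughput and what bounds it: the link rate or the
    window/RTT ceiling, whichever is smaller. Returns (bytes/s, 'link'|'window')."""
    ceiling = window_ceiling(window_bytes, rtt_s)
    if ceiling < link_bytes_per_s:
        return ceiling, "window"
    return link_bytes_per_s, "link"


def window_needed(target_bytes_per_s: float, rtt_s: float) -> int:
    """Smallest window (bytes) that lets one stream reach the target rate at
    the given RTT: the bandwidth-delay product."""
    return int(target_bytes_per_s * rtt_s)


def summarize(window_bytes: int = WINDOW_BYTES, link: float = GIGABIT_BYTES_PER_S):
    """Per scenario: (MB/s achievable by one stream, limiting factor)."""
    out = {}
    for name, rtt in SCENARIOS.items():
        rate, bound = effective_throughput(link, window_bytes, rtt)
        out[name] = (round(rate / 1e6, 2), bound)
    return out


if __name__ == "__main__":
    for name, (mb_s, bound) in summarize().items():
        print(f"{name:15s} {mb_s:8.2f} MB/s  ({bound}-bound)")
    print("window for 100 MB/s at 60 ms:", window_needed(100e6, 0.060), "bytes")
```

On the LAN the 64 KB window still clears the link rate, which is why the gigabit-LAN posters see no bottleneck, while at 60 ms the same window caps a stream near 1 MB/s and reaching 100 MB/s needs roughly a 6 MB window.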

    15. Re:Is OpenSSH still speed limited? by Kazoo+the+Clown · · Score: 1

      I don't see how people don't see such issues. Doesn't anyone here have data centers on each coast?

      I certainly have seen it-- but it does seem that many people are either in denial about it or simply resort to "use Rsync." It's my experience that SFTP works just fine as long as you don't have all that much data to transfer.

      We're working with a data warehouse system where we nightly need full database exports (multi-GB) transferred from the (Windows-based) production server to the data warehouse system (also Windows-based). The two systems are sitting next to each other with a 1G network connection. SFTP has proven to be 30x slower than FTP. Consequently, we continue to use FTP, as otherwise 2-hour overnight transfers take days.

      And every time I look into Rsync, I run into a couple of issues that seem to stall my understanding of its utility in our case-- 1) limited documentation, especially regarding its use over SSH on Windows systems, and 2) whether it's even applicable given we aren't trying to "sync" files that have blocks in common with existing files, but simply need to copy files that are likely to be too different to take advantage of partial-file "sync" operation (on the other hand, depending on how smart it is, it could be a big benefit-- if it uses a diff-like technique rather than a block-by-block comparison it might be of interest). And frankly, the fact there seems to be no native Windows port (everything is cygwin based), doesn't inspire a lot of favor. So, as I said, we still use FTP. I haven't been able to convince anyone here that spending time to develop a custom SSH client for it is time well spent (I disagree, but I don't get to decide-- it seems to me that I'm the only one who seems to either be aware of, or care the slightest about, the fact that FTP sends its data and its passwords in the clear).

    16. Re:Is OpenSSH still speed limited? by denmon · · Score: 1

      Another speed boost option that doesn't require patches is to specify on the commandline a cipher that has a lower CPU impact. I did some testing and found that on my systems, I could get 2-3 times the throughput on gigabit Ethernet when using arcfour instead of the default.

      It's very easy; just use the -c switch, like this:

      $ scp -c arcfour source destination

      Note that arcfour is less secure that the default cipher, but for internal networks or traffic over VPN tunnels you may decide the speed increase is worth it.

    17. Re:Is OpenSSH still speed limited? by badran · · Score: 0

      1. Slap an extra network card on each server.
      2. Connect them together.
      3. Profit. ;)

      This will be cheaper than programming anything custom. And faster than what is available. It will be secure, as long as no one puts a hub between them.

    18. Re:Is OpenSSH still speed limited? by Kazoo+the+Clown · · Score: 1

      Yeah, well, that's what we'd do if this was an isolated instance of the program, but not all of our customers sit the two systems next to each other, and in fact, some of the production systems are Linux and not Windows, so FTP is seen as the best "general" solution for us at present.

    19. Re:Is OpenSSH still speed limited? by drsmithy · · Score: 1

      Did OpenSSH ever fix the performance limitation on fast networks (>100Mbps)?

      This problem isn't relevant to high-speed networks, it's relevant to high-speed, high-latency networks (i.e. 50Mb+ WANs). On a Gb LAN, it's not going to meaningfully bottleneck you.

      (It affects us quite badly, since we shuffle around about 500GB/day between our US, Australian and Europe offices - though we actually get around it with dmscp2, not the patch linked above.)

    20. Re:Is OpenSSH still speed limited? by ion.simon.c · · Score: 1

      *blink*

      If you're copying over internal networks or a VPN, why not use Kerberized rsh and avoid the additional processing required for SSH?

    21. Re:Is OpenSSH still speed limited? by Anonymous Coward · · Score: 0

      The limitations were more the frame size (not using jumbo frames on that network) along with the read/write speeds of the system on each end.

      Umm... probably not. Jumbo frames aren't a panacea, and rarely help much in practice. Our own internal benchmarking showed jumbo frames providing at most a 10% boost in TCP throughput for iSCSI/GbE. Since enabling Jumbo end-to-end in a large network comes with significant configuration and testing costs, it's really not worth the hassle.

  13. To the best by Powys · · Score: 4, Insightful

    My hats off to probably the best open source package ever made

    1. Re:To the best by turing_m · · Score: 4, Funny

      Have you checked out my package?

      --
      If I have seen further it is by stealing the Intellectual Property of giants.
    2. Re:To the best by Rennt · · Score: 1

      Why, is it open source?

    3. Re:To the best by alx5000 · · Score: 2, Funny

      Is open sores close enough?

      --
      My 0.02 cents
    4. Re:To the best by Anonymous Coward · · Score: 1, Funny

      Have you checked out my package?

      Yes, and I found the open sores somewhat unappealing.

    5. Re:To the best by hiekka · · Score: 2, Funny

      Have you checked out my package?

      Wow, is that bzipped? How large is it uncompressed?

    6. Re:To the best by sFurbo · · Score: 1

      He wrote "open SOURCE", not "open SORES".

    7. Re:To the best by turing_m · · Score: 2, Funny

      Wow, is that bzipped? How large is it uncompressed?

      Of course it's bzipped - but I'm not sure what the compression ratio is for Python. I'd appreciate it if you wouldn't fork it. And be careful when examining the Python, it has been known to generate streams of Perl. You'd rather not get it on you - it is, after all, a glue language.

      --
      If I have seen further it is by stealing the Intellectual Property of giants.
    8. Re:To the best by Anonymous Coward · · Score: 0

      Is it open source?

    9. Re:To the best by sorak · · Score: 1

      Please don't open your source.

    10. Re:To the best by turing_m · · Score: 1

      Yes, and I found the open sores somewhat unappealing.

      Only somewhat?

      --
      If I have seen further it is by stealing the Intellectual Property of giants.
    11. Re:To the best by Hurricane78 · · Score: 1

      Is it open source? Can I compile my own?

      --
      Any sufficiently advanced intelligence is indistinguishable from stupidity.
  14. Re:encrypted port forwarding by slack_justyb · · Score: 1

    Yeap that will about do it for any geek. I mean my definition of computer porn is heading over to newegg. Does anyone else feel there's a Futurama quote somewhere in there?

  15. I remember switching to openSSH. by Vellmont · · Score: 4, Interesting

    It was likely not far after openSSH became available, and the original SSH was starting to get less and less friendly. The great thing about SSH is it all started out free and open. Early on it was experimental (though very cool). This later changed when the original SSH became commercialized, and the licensing started closing up (thus my switching to openSSH). This was back in the days when an ssh client was something you had to hunt around for and much of the time all that was available was cruddy ssh1 clients.

    We've come a long way since then. These days PuTTY and SCP are available for any platform. I haven't even thought about the original ssh from Tatu for years, though I certainly used it so many years ago.

    --
    AccountKiller
    1. Re:I remember switching to openSSH. by Anonymous Coward · · Score: 0

      I haven't even thought about the original ssh from Tatu for years, though I certainly used it so many years ago.

      Software business is so strange and special...

      For endusers the software really has to be free. Nobody gives credit (at least by buying the software or even thinking of paying for the software) to the original inventor and the company that developed the protocol and the software. Commercializing software is seen as a hostile activity within the enduser community. Copycatting the ideas for software solutions and releasing them opensource is seen as a favorable action. Almost the same story is if the enduser's computer breaks or the configurations are wrong, then someone should fix it and set it up for free; no enduser would be willing to pay anything to fix this.

      Is this just some strange thing in IT business or are there examples of this also in other areas of business or life? Who is the sucker? Really, who is it? In other areas of business or life, do you get anything for free, or are there really some suckers that are delivering and doing their work or services for free?

    2. Re:I remember switching to openSSH. by Vellmont · · Score: 1


      In other areas of business or life, do you get anything for free or are there really some suckers that are delivering and doing their work of services for free?

      Are you kidding? I've got a neighbor who sometimes blows the snow off many other neighbors' sidewalks after it snows. Obviously nobody is paying him to do this, he just enjoys it. If you have people over for dinner there's no expectation of payment even though preparing a meal is labor intensive and ingredients aren't free. Many people perform music on street corners for free. (Nobody is forcing you to put any money in the hat). Plenty of people donate their expertise to charitable organizations. Plenty of people are known to even donate MONEY to charity! The exact opposite of getting paid for work. Do you really think all these people are suckers?

      If you really think that the only reward people receive for doing work is money, you either haven't thought about the problem very much or you're a selfish bastard. You also don't really understand the open source community very well. There's plenty of developers who are paid to write open source code (i.e. they don't work for free).

      No, the idea that software is somehow different from everything else is silly. There's plenty of free things around the world, you just may not be aware of them.

      --
      AccountKiller
  16. Love SSH by kokoko1 · · Score: 0

    SSH makes my sysadmin work easier. Great work OpenSSH folks and keep it up.

    --
    http://askaralikhan.blogspot.com/
  17. License by MichaelSmith · · Score: 1

    The openssh web page says:

    Please take note of our Who uses it page, which lists just some of the vendors who incorporate OpenSSH into their own products -- as a critically important security / access feature -- instead of writing their own SSH implementation or purchasing one from another vendor. This list specifically includes companies like Cisco, Juniper, Apple, Red Hat, and Novell; but probably includes almost all router, switch or unix-like operating system vendors. In the 10 years since the inception of the OpenSSH project, these companies have contributed not even a dime of thanks in support of the OpenSSH project (despite numerous requests).

    Not wanting to troll but, you know, if openssh was GPL licensed said commercial vendors would have to release the source for openssh with their products, including any modifications they made. The project could also offer LGPL or BSD licensed versions in exchange for cold, hard, cash.

    1. Re:License by Yosho · · Score: 2, Insightful

      Not wanting to troll but, you know, if openssh was GPL licensed said commercial vendors would have to release the source for openssh with their products, including any modifications they made. The project could also offer LGPL or BSD licensed versions in exchange for cold, hard, cash.

      You're assuming that the commercial vendors would still use OpenSSH if it was GPLed. What makes you think they wouldn't either roll their own SSH server or use some other proprietary implementation?

      --
      Karma: Terrifying (mostly affected by atrocities you've committed)
    2. Re:License by MichaelSmith · · Score: 1

      Not wanting to troll but, you know, if openssh was GPL licensed said commercial vendors would have to release the source for openssh with their products, including any modifications they made. The project could also offer LGPL or BSD licensed versions in exchange for cold, hard, cash.

      You're assuming that the commercial vendors would still use OpenSSH if it was GPLed. What makes you think they wouldn't either roll their own SSH server or use some other proprietary implementation?

      It would come down to economics. Is an LGPL version of openssh cheaper than commercial implementation X? This approach works for adacore.

      But for sure, fewer products would contain openssh if it was GPLed. But with more money it might be a better product, so there might be a net improvement in security that way.

    3. Re:License by Anonymous Coward · · Score: 0

      No. One of the main reasons for a really free OpenSSH and OpenBSD is that Corporations have shown that they will choose a product they can keep closed if they ever distribute anything(Even if they only plan to use it internally!) than a superior product.

      OpenSSH is already the superior product; it being a bit superior wouldn't improve the situation much. Companies using their own MSSH, iSSH, SunSH, GSSH, etc. would only result in worse security, because you know, you don't live alone in this world. If your client/server is very secure but the other end is pwned *YOU* lose.

    4. Re:License by Secret+Rabbit · · Score: 3, Insightful

      I do believe that you've entirely missed the point of that paragraph. They still wouldn't have to pay a dime. As in, who cares if they would have to offer the source to something where the source is already available.

      The GPL is not the godsend that many people believe it to be. In fact, if looking at current (and past) business practice is any indication, the GPL would have actually hindered OpenSSH's adoption, not promoted it. Businesses really hate that viral open source thing in the GPL regardless of whether their code actually touches the GPL'd code. Just not worth the risk for many (most?).

    5. Re:License by Secret+Rabbit · · Score: 1

      Throwing money at security won't make something more secure. That's really up to who is doing the programming i.e. how competent they are. Just look at all the security products out there that have massive security holes in them regardless of whether they are commercial or open-source.

    6. Re:License by onefriedrice · · Score: 4, Insightful

      Not wanting to troll but, you know, if openssh was GPL licensed said commercial vendors would have to release the source for openssh with their products, including any modifications they made. The project could also offer LGPL or BSD licensed versions in exchange for cold, hard, cash.

      Instead they do the noble thing and release their hard work without strings attached. They understand the alternatives but actively choose to stick with a license that doesn't childishly punish those who cannot or won't return the favor. They do what they do not to "stick it" to corporations but rather because they love to code and love when their code is used to improve peoples' lives. They even love it when somebody is able to take what they've done and build off of it or incorporate it into a product. It's a matter of love, and love must be given without strings and viral conditions. It's true charity, and charity is for the giver as much as the receiver. It's the BSD philosophy, and it's not often understood by the GNU herd. But that's okay, because the software we write is for them, too. And we love it even if they don't understand why.

      Thanks OpenBSD. You're awesome. I hope a lot of people today make good use of this link.

      --
      This author takes full ownership and responsibility for the unpopular opinions outlined above.
    7. Re:License by rtfa-troll · · Score: 2, Interesting

      Businesses really hate that viral open source thing in the GPL

      You seem to think that we're on some ideological crusade to take over everything. In the real world, we just don't care at all about anything which is not "core business". The GPL is an excellent thing since we can give back source code without much need to think. The business justification is one check box (because we have to) rather than weeks of meetings about whether this feature is strategic. When you somehow end up giving away a feature to a GPL app, you know that even if the competition gains the same, they still have to make any fixes they make available to other people.

      Speaking for most "businesses" everywhere.

      --
      =~ s,(.*),<sarcasm>$1</sarcasm>,g if any_point_you_wish();
    8. Re:License by rohan972 · · Score: 3, Interesting

      The constant pissing match between GPL and BSD advocates is a bit silly IMO. It seems to me (not being a programmer but being a user of BSD and GPL licensed software) that each licence is appropriate for difference circumstances, according to the desires of the author.

      It's like arguing that knives are superior to forks, so I only eat with knives! Licenses are a tool, each suitable for its purpose.

      I don't agree that the GPL "childishly punishes" anyone, nor that it is viral. It is copyright that provides the "virality" (virusness?), not the GPL, and even BSD has the requirement of attribution making it just as viral (through copyright) though with less onerous conditions.

    9. Re:License by Kjella · · Score: 3, Insightful

      Meh, check out Theo's wikiquote page:
      "So the HP guy comes up to me (at the Melbourne conference) and he says, 'If you say nasty things like that to vendors you're not going to get anything'. I said 'no, in eight years of saying nothing, we've got nothing, and I'm going to start saying nasty things, in the hope that some of these vendors will start giving me money so I'll shut up'."

      Doesn't sound much like "love" or "charity" to me. Sounds to me like a man that's tired of giving and giving and giving and never getting anything back, yet refuses to acknowledge that as long as the license doesn't require anyone to give anything back, corporations don't. Their obligations are to the stockholders, not to fair dealings. Squeeze your costs as much as possible, get as much money as possible out of your customers, turn a big profit. That's what drives most companies all the time and all companies most of the time. Theo seems to be going by much the same drive as Linus, he wants to do this "right", he wants to make the best possible product. But unlike Linus, he hasn't gotten everyone else on board.

      It's possible what is in OpenBSD is better, per se. But compared to Linux it's like an obscure niche site compared to wikipedia, it's where everyone contributes and it's huge, hard to manage but ends up being so much more useful. You got people working on Linux to make it run better on everything from cell phones to supercomputers. You got people working on getting all sorts of weird hardware to work. You got people working on desktop responsiveness and heavy server workloads. You got all sorts of research work, build farms and regression tests being run all over the place. OpenSSH may be a polished gem, but it's only the front door lock. But for everything else if you're relying on the masses to develop your OS, I'm going where the masses are. That is in no small part the license, though I know there's also other reasons...

      --
      Live today, because you never know what tomorrow brings
    10. Re:License by Anonymous Coward · · Score: 0

      Please take note of our Who uses it page, which lists just some of the vendors who incorporate OpenSSH into their own products ... In the 10 years since the inception of the OpenSSH project, these companies have contributed not even a dime of thanks in support of the OpenSSH project (despite numerous requests).

      There are companies listed on both the users and donations page, so presumably that statement isn't exactly correct.

    11. Re:License by TheRaven64 · · Score: 1

      Not wanting to troll but, you know, if openssh was GPL licensed said commercial vendors would have to release the source for openssh with their products, including any modifications they made

      And, given that all of the listed companies ship the stock SSH just built for their platform, do you really think that they'd have paid anything if this were the case?

      --
      I am TheRaven on Soylent News
    12. Re:License by lisaparratt · · Score: 1

      Some of us do it for the love of coding, rather than as blatant self promotion.

    13. Re:License by Anonymous Coward · · Score: 0

      Not wanting to troll but, you know, if openssh was GPL licensed said commercial vendors would have to release the source for openssh with their products, including any modifications they made. The project could also offer LGPL or BSD licensed versions in exchange for cold, hard, cash.

      What's there for them to release? We already have an awesome client (OpenSSH), with a lot more other implementations available. The entire protocol is also documented in RFCs.

      What exactly are we losing out on?

    14. Re:License by Anonymous Coward · · Score: 0

      So if OpenSSH were GPLed I couldn't use it as often, but when I can it would be superior?

      Well, I don't believe OpenSSH could be this much better to make this tradeoff worthwhile.

  18. Fast, Weak sshfs by Doc+Ruby · · Score: 2, Interesting

    I find sshfs to be a much easier to use ad-hoc network filesystem mounter than the other popular alternatives. And it's secure by default.

    But it's too secure. Or rather, there are scenarios in which the network transfer doesn't need the ssh security, but encrypting it takes too long (or too much CPU from other tasks, especially on dinky embedded network devices). Is there a way to force sshfs to use a much less compute intensive encryption, or maybe even a null crypto module? Without hacking the source directly, that is - like an execution option, a compile option, a config rule, etc.

    --
    make install -not war

    1. Re:Fast, Weak sshfs by someSnarkyBastard · · Score: 1

      I might be off-base here but if I remember correctly, in one of the ssh config files, there is a section where you can specify what crypto systems your server would accept. That said, I never knew there was such a thing as "too secure", besides, these days a lot of chips include at least some hardware crypto functions to speed things up because crypto is so integral to online communication.

    2. Re:Fast, Weak sshfs by Anonymous Coward · · Score: 0

      Indeed, the notion of a null crypto method does exist in the form of separate patches. The OpenSSH folks refuse to include this in their source tree.

      On the other hand, after waiting 9 of the last 10 years OpenSSH's server implementation now provides the (obvious) chroot jail of shell sessions.

    3. Re:Fast, Weak sshfs by Rennt · · Score: 1

      A null-crypto secure-shell file-system?

      Two thoughts spring to mind - "Why?" and "NFS"

    4. Re:Fast, Weak sshfs by Father+Dupuis · · Score: 1

      This should work for you: sshfs -o ssh_command="ssh -c arcfour -o Compression=no" user@remote.host /your/mountpoint

    5. Re:Fast, Weak sshfs by buchner.johannes · · Score: 1

      Wait, you want ssh to not be secure? wtf! Just use cifs if you don't like the encryption.

      --
      NB: The message above might reflect my opinion right now, but not necessarily tomorrow or next year.
    6. Re:Fast, Weak sshfs by Kjella · · Score: 1

      I don't think the OpenSSH guys want to add it, and I agree with them. It's a tool used by so many that understand so little, but at least they've sorta understood that SSH = secure. They'd still fall for any certificate trickery because they don't really understand, but I digress. The point is that once sshfs means maybe secure, maybe not secure you can bet idiots will do stuff like disable crypto and go "Hey look, it's still ssh, it's still secure, and it's 100x faster" and completely ignore all the blinkenlights.

      If you don't want SSH, what's wrong with NFS/FTP and remote telnet/X? You're going naked anyway, there's no point to pretend you're even remotely secure. That'd be a pathetic attempt at security by obscurity since the source is out there and any "weak mode" crypto would be a plugin in the hacker tools in no time. I think it's fairly proven now that insecure crypto is probably the worst of all worlds, not being secure yet people mindlessly using it as if it were. So no crypto and then there's really no point in calling it ssh either. The notsshfs, perhaps.

      --
      Live today, because you never know what tomorrow brings
    7. Re:Fast, Weak sshfs by shish · · Score: 1

      "Why?" and "NFS"

      Each of those is the answer to the other -- NFS is the only real alternative, and it is awful; SSHFS is simpler to set up, simpler to use, more reliable, more flexible, more secure (even when I'm on a LAN and don't want encryption, I still want authentication), etc...

      --
      I mod down anyone who says "I will be modded down for this", regardless of the rest of their comment
    8. Re:Fast, Weak sshfs by shish · · Score: 1

      Wait, you want ssh to not be secure? wtf! Just use cifs if you don't like the encryption.

      What if you don't like the encryption, but you do like the ease of setup, ease of use, flexibility, reliability, etc?

      --
      I mod down anyone who says "I will be modded down for this", regardless of the rest of their comment
    9. Re:Fast, Weak sshfs by rohan972 · · Score: 2, Funny

      That said, i never knew there was such a thing as "too secure"

      You've never lost the key to the blast proof underground safe you keep your asthma medication in obviously.

    10. Re:Fast, Weak sshfs by Anonymous Coward · · Score: 0

      you can set the option '-o Ciphers=arcfour' to lower the encryption.

      arcfour is a LOT faster, its what I use with sshfs on my eee!

    11. Re:Fast, Weak sshfs by Rennt · · Score: 1

      Simple to set-up? NFS is about as simple as it gets in UNIX. You honestly find SSHFS easier? OK

      Simple to use? NFS is completely transparent to the user.

      Reliability? NFS is used for mission-critical services and five-nines access to massive storage arrays. SSHFS is not even the same class.

      Flexibility? We may have different ideas about what this means. SSHFS isn't so much flexible as convenient. NFS is much better for building services around.

      Authentication? NFS + LDAP. Granted, it's more involved to set up, but scalability and manageability makes it a much better tool for the job.

      I'm not trolling here, but saying "NFS is awful" just kind of sounds like you don't know what you are talking about. Reminds me of the "X11 is broken" crowd.

    12. Re:Fast, Weak sshfs by TheRaven64 · · Score: 2, Informative

      NFS4 is starting to be quite well supported (Linux, Solaris, FreeBSD and - I think - OS X now implement it) and supports encryption. It uses a very different model to things like CIFS and SSHFS though. NFS is designed for sharing filesystems to computers, while CIFS and SSHFS are designed for sharing filesystems to users. This is a critical distinction. A user can mount a remote share using one of these protocols, with their own credentials, and use it. NFS (or AFS and derivatives) requires the administrator to set up the mounts and make sure authentication between the two machines (Kerberos or similar) works, but then it's completely transparent to users. The others are much easier for ad-hoc shares.

      --
      I am TheRaven on Soylent News
    13. Re:Fast, Weak sshfs by cerberusss · · Score: 1

      I second this. The speed difference is remarkable. On a 1Gbit network, the transfer speed jumps from 2.2 MB/s (using AES encryption) to 7.7 MB/s (using Arcfour).

      --
      8 of 13 people found this answer helpful. Did you?
    14. Re:Fast, Weak sshfs by Doc+Ruby · · Score: 1

      Thanks, that is evidently exactly right: selecting the weakest but fastest encryption. I can appreciate that ssh requires some encryption, as a practical matter to protect ssh's reputation if nothing else, but I'd think a symmetric key simply XOR'ed with the data would be the fastest.

      And congratulations for the only reply that actually answers my question, rather than trying to force me to ask a different one with an answer they like better.

      --
      make install -not war

    15. Re:Fast, Weak sshfs by Father+Dupuis · · Score: 1

      Thank you. I use those options all the time for large file transfers on my internal networks. You can use them with rsync as well: check out the "-e" option.

    16. Re:Fast, Weak sshfs by Doc+Ruby · · Score: 1

      Yeah, I wrap scp in rsync, too, and this throughput enhancement will really help. Thanks again.

      --
      make install -not war

    17. Re:Fast, Weak sshfs by Anonymous Coward · · Score: 0

      sshfs -o Ciphers=arcfour .....

    18. Re:Fast, Weak sshfs by cenc · · Score: 1

      I don't get the distinction. I can do the exact same thing for computers using SSHFS mounts and cron or a script to mount it on boot with shared keys.

    19. Re:Fast, Weak sshfs by TheRaven64 · · Score: 1

      You can mount a remote filesystem using sshfs and have UIDs correctly mapped between users on the local and remote filesystem? For example, user A creates a file, user B can then not access this file unless user A sets the permissions to make it world-readable?

      --
      I am TheRaven on Soylent News
    20. Re:Fast, Weak sshfs by shish · · Score: 1

      Simple to set-up? NFS is about as simple as it gets in UNIX. You honestly find SSHFS easier? OK

      It requires explicit listing of what's shared and who can access it; sshfs uses the standard unix permissions to give people access remotely to whatever they have access to locally, ie if you already have a local system set up, sshfs server side setup is zero. Then on the client side, compare either running a one-line command or adding one line to fstab vs adding a line to fstab, installing some daemons, fiddling with the firewall...

      Simple to use? NFS is completely transparent to the user.

      Once the user has connected, yes; but initial config can be a pain (yay installing NFS without installing portmap, and having the system lock up next time it boots...)

      Reliability? NFS is used for mission-critical services and five-nines access to massive storage arrays. SSHFS is not even the same class.

      I've seen the linux in-kernel and userspace daemons crash repeatedly, unkillably locking up any processes using the shares on client PCs. I've tried the alternative mount settings and found that they had downsides too. In contrast I've never had openssh crash, and disconnections / reconnections are handled gracefully. Also anecdotally, I was there when dreamhost were throwing millions of dollars at their NFS-based storage problems, and eventually decided that the reliability of local disks outweighed all the advantages of shared storage.

      Flexibility? We may have different ideas about what this means. SSHFS isn't so much as flexible as convenient. NFS is much better for building services around.

      Point taken, though I'm sure one could build services around sshfs if there was sufficient need for it (at home I have some scripts hacked together to use it as a system service in the context where nfs is normally used, but "hacky" is very much the word to describe them)

      Authentication? NFS + LDAP. Granted, it's more involved to set up, but scalability and manageability makes it a much better tool for the job.

      Last I checked, server-side security for NFS was severely lacking, to the point that root access on a local box gave you root access to the shared files (unless you disabled root access, in which case you only had access to all the users' data individually) -- I had seen plans for decent security, but that was always "in the next version"...

      I'm not trolling here, but saying "NFS is awful" just kind of sounds like you don't know what you are talking about. Reminds me of the "X11 is broken" crowd.

      TBH, I'm speaking from possibly outdated personal experience rather than a position of enlightenment :-P

      --
      I mod down anyone who says "I will be modded down for this", regardless of the rest of their comment
    21. Re:Fast, Weak sshfs by dmiller · · Score: 1

      Faster still (and a better cipher):

      ssh -o Compression=no -o Ciphers=arcfour256 -o MACs=umac64@openssh.com ...

      The umac-64 MAC is only supported by OpenSSH AFAIK (though the spec is available to anyone else who wants to). It is faster and has a better security guarantee than HMAC-MD5 (and is way faster than HMAC-SHA1).
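
The thread above settles on the fastest cipher OpenSSH offers (arcfour, a keystream XORed over the data), and one reply goes a step further and proposes "a symmetric key simply XOR'ed with the data". The example below is an added one, not code from the thread or from OpenSSH. It models that proposal as a repeating-key XOR, on constructed inputs, and shows the two things a practitioner should know before turning the crypto down: one guessable file on the link (a script header, a tar header, a banner) hands the attacker the whole key, and any stream design that reuses its keystream leaks the XOR of the plaintexts even if the key itself stays hidden. That second property is why the real ciphers derive a fresh keystream per session and why arcfour, whose keystream has known biases, was later dropped from OpenSSH altogether (release 7.6).

```python
"""Why 'just XOR the data with a symmetric key' is not a cipher.

Added example (not from the thread, not OpenSSH code). Models the scheme
proposed above as a repeating-key XOR. All keys and "files" are constructed.
"""
import itertools


def xor_repeating_key(data: bytes, key: bytes) -> bytes:
    """Encrypt or decrypt by XORing data with the key repeated (the proposal)."""
    if not key:
        raise ValueError("empty key")
    return bytes(d ^ k for d, k in zip(data, itertools.cycle(key)))


def recover_key(ciphertext: bytes, known_plaintext: bytes, key_len: int) -> bytes:
    """One known plaintext of at least key_len bytes yields the whole key,
    because c XOR p == k at every position."""
    if len(known_plaintext) < key_len or len(ciphertext) < key_len:
        raise ValueError("need at least key_len bytes of known plaintext")
    return bytes(c ^ p for c, p in zip(ciphertext[:key_len], known_plaintext[:key_len]))


def two_time_pad_leak(c1: bytes, c2: bytes) -> bytes:
    """For any stream cipher, reusing a keystream makes c1 XOR c2 equal
    p1 XOR p2: the key cancels and plaintext structure is exposed."""
    n = min(len(c1), len(c2))
    return bytes(a ^ b for a, b in zip(c1[:n], c2[:n]))


def demo() -> dict:
    key = b"\x13\x37\xc0\xde\xba\xad\xf0\x0d"  # constructed 8-byte key
    # Constructed files going over the link. The first is something any
    # attacker can guess: a standard script header.
    known_file = b"#!/bin/sh\n# standard header\nexec /usr/bin/env python3 \"$@\"\n"
    secret_file = b"root:$6$saltsalt$fakehashfakehashfakehash:18000:0:99999:7:::\n"

    c_known = xor_repeating_key(known_file, key)
    c_secret = xor_repeating_key(secret_file, key)

    # Known-plaintext attack: the guessable file gives the key outright ...
    recovered = recover_key(c_known, known_file, len(key))
    # ... and the key decrypts everything else sent under it.
    leaked = xor_repeating_key(c_secret, recovered)

    # Keystream reuse: c1 ^ c2 == p1 ^ p2, no key needed at all.
    reuse = two_time_pad_leak(c_known, c_secret) == two_time_pad_leak(known_file, secret_file)

    return {"recovered_key": recovered, "leaked_secret": leaked, "keystream_reuse_leak": reuse}


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

The per-connection session key SSH negotiates is what prevents the second attack across sessions; within one session, the cipher's own keystream never repeats. The first attack is what any fixed-key scheme, and the "null crypto" patches mentioned above, give up entirely.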

  19. tunneling by buchner.johannes · · Score: 1

    I love that they implemented multiplexing channels ... -R and -L are just awesome.

    --
    NB: The message above might reflect my opinion right now, but not necessarily tomorrow or next year.
    1. Re:tunneling by TheRaven64 · · Score: 2, Interesting

      There are a few features in ssh related to that that a lot of people seem to be completely unaware of. The -D option runs a SOCKS4/5 proxy on a given port, which can dynamically forward things for you. As long as your client app supports SOCKS proxies, it will work transparently through this, forwarding ports as required. The -w option lets you set up the tun(4) device for forwarding. You can use this to forward at the IP or Ethernet layer. It gives you a virtual network device that forwards every frame or packet (depending on whether it's L2 or L3) to the matching interface on the other machine. You can use this to set up VPNs quite easily.

      --
      I am TheRaven on Soylent News
    2. Re:tunneling by Anonymous Coward · · Score: 1, Interesting

      However, that will be VPN over TCP which has many bad performance corner cases. Setting up OpenVPN securely, while different concepts to learn, is not really any more difficult than setting up OpenSSH VPNs securely. And OpenVPN has proper tunneling over UDP so you do not get those strange corner cases like application UDP or TCP congestion control stalling on top of the tunnel's TCP congestion control.

  20. what is this 'ssh'? by dogganos · · Score: 2, Funny

    is it better than telnet?????

  21. rsync over SSH for backups by Cato · · Score: 4, Informative

    One of the best things about SSH is rsync - you only need an SSH enabled login on a machine, with a copy of rsync, to be able to efficiently copy data with block-level incremental efficiency. Even better, there are excellent backup tools such as rsnapshot that build on rsync to store multiple versions of a file in the backup file tree, using hard links to avoid storing the same version twice - so every backup is a full backup in terms of easy recovery, but an incremental backup in terms of network and storage efficiency.

    See http://slashdot.org/comments.pl?sid=1371703&cid=29451267 for more about rsnapshot and friends.

    1. Re:rsync over SSH for backups by Hurricane78 · · Score: 1

      Have you tried doing that with a real version management system? I instantly liked that idea, and now am using git, which is pretty cool.

      --
      Any sufficiently advanced intelligence is indistinguishable from stupidity.
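
The rsnapshot scheme described above (every backup is a full tree for recovery, but unchanged files are hard links into the previous snapshot, so they cost no extra storage) is what rsync's --link-dest does for it. The example below is an added one, not rsnapshot or rsync code: it reimplements that rule in miniature over a constructed source tree in a temporary directory, takes two snapshots with an edit in between, and reports which files share an inode. Two caveats it makes concrete: a snapshot must be treated read-only, because editing a hard-linked file in place changes it in every snapshot that shares the inode; and the "SSH enabled login" the post relies on should be a key restricted with a command= option in authorized_keys (rrsync or equivalent), so a stolen backup key cannot open a shell.

```python
"""rsnapshot-style snapshots with hard links, in miniature.

Added example, not rsnapshot/rsync code. A file whose content is unchanged
since the previous snapshot is hard-linked to that snapshot's copy; anything
new or changed is a real copy. All data is constructed in a temp directory.
"""
import filecmp
import os
import shutil
import tempfile
from typing import Optional


def take_snapshot(source: str, snapshots_root: str, name: str, previous: Optional[str]) -> str:
    """Create snapshots_root/name as a full tree of `source`, sharing inodes with
    snapshots_root/previous for files whose bytes are identical."""
    dest = os.path.join(snapshots_root, name)
    for dirpath, _dirnames, filenames in os.walk(source):
        rel = os.path.relpath(dirpath, source)
        os.makedirs(os.path.join(dest, rel), exist_ok=True)
        for fn in filenames:
            src = os.path.join(dirpath, fn)
            dst = os.path.join(dest, rel, fn)
            prev = os.path.join(snapshots_root, previous, rel, fn) if previous else None
            if prev and os.path.isfile(prev) and filecmp.cmp(src, prev, shallow=False):
                os.link(prev, dst)      # unchanged: share the inode, zero extra storage
            else:
                shutil.copy2(src, dst)  # new or changed: real copy
    return dest


def inode(path: str) -> int:
    return os.stat(path).st_ino


def demo() -> dict:
    root = tempfile.mkdtemp(prefix="snapdemo-")
    try:
        source = os.path.join(root, "source")
        snaps = os.path.join(root, "snapshots")
        os.makedirs(os.path.join(source, "etc"))
        with open(os.path.join(source, "etc", "motd"), "w") as f:
            f.write("welcome\n")
        with open(os.path.join(source, "notes.txt"), "w") as f:
            f.write("v1\n")

        s0 = take_snapshot(source, snaps, "daily.0", None)
        with open(os.path.join(source, "notes.txt"), "w") as f:
            f.write("v2 edited\n")
        s1 = take_snapshot(source, snaps, "daily.1", "daily.0")

        all_files = [os.path.join(d, f) for d, _, fs in os.walk(snaps) for f in fs]
        with open(os.path.join(s0, "notes.txt")) as f:
            notes_old = f.read()
        with open(os.path.join(s1, "notes.txt")) as f:
            notes_new = f.read()
        return {
            "motd_shared": inode(os.path.join(s0, "etc", "motd")) == inode(os.path.join(s1, "etc", "motd")),
            "notes_shared": inode(os.path.join(s0, "notes.txt")) == inode(os.path.join(s1, "notes.txt")),
            "notes_old": notes_old,
            "notes_new": notes_new,
            "paths": len(all_files),
            "unique_inodes": len({inode(p) for p in all_files}),
        }
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

Four paths in the two snapshots, three inodes on disk: the unchanged motd is stored once, and both versions of the edited file are kept. Deleting daily.0 later frees only the blocks no newer snapshot still links to.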
  22. Who doesn't know about OpenSSH by cecom · · Score: 1

    The fact that the editors thought that Slashdot needed an explanation of what OpenSSH is makes me feel dirty. It is like explaining what H2O is. If you don't know what OpenSSH is you should not be reading Slashdot, you bastards!

    1. Re:Who doesn't know about OpenSSH by Anonymous Coward · · Score: 0

      No. It does mean the reader should not post comments to /. if they do not know what OpenSSH is. They are still allowed to read /. to be wiser in future ;)

    2. Re:Who doesn't know about OpenSSH by maxume · · Score: 1

      Is this some fun game where if it had not been explained you would complain about that?

      --
      Nerd rage is the funniest rage.
  23. Fixed the root exploit? by shish · · Score: 1, Troll
    Did they fix the hole that allowed imageshack and such to get hacked a while back? Did they ever even find out what that hole was?

    (The hackers claim 5.2 is safe, but for all we know, that could be a trick to make us upgrade to an even buggier version... the hack was in the name of avoiding full disclosure, so we'll probably never know exactly what they did, and thus not be sure it's fixed, and thus the incredibly anti-full-disclosure people demonstrate exactly why full disclosure is a good thing :-/ )

    --
    I mod down anyone who says "I will be modded down for this", regardless of the rest of their comment
    1. Re:Fixed the root exploit? by Slashcrap · · Score: 1

      Did they fix the hole that allowed imageshack and such to get hacked a while back? Did they ever even find out what that hole was?

      (The hackers claim 5.2 is safe, but for all we know, that could be a trick to make us upgrade to an even buggier version... the hack was in the name of avoiding full disclosure, so we'll probably never know exactly what they did, and thus not be sure it's fixed, and thus the incredibly anti-full-disclosure people demonstrate exactly why full disclosure is a good thing :-/ )

      You are quite incredibly stupid. Does that answer your question?

    2. Re:Fixed the root exploit? by arndawg · · Score: 1

      And you're an internet super hero!

    3. Re:Fixed the root exploit? by shish · · Score: 1

      You are quite incredibly stupid. Does that answer your question?

      I've been modded troll for a genuine question, which suggests that I've been misunderstood; thus while normally I'd disregard you as a troll, I will instead presume that you've misunderstood too -- please explain why it is stupid to ask if this, which allegedly caused this, has been fixed?

      --
      I mod down anyone who says "I will be modded down for this", regardless of the rest of their comment
  24. Still no tunneling on OSX by chrysalis · · Score: 2, Interesting

    Unfortunately, on OSX, while the option (-w) is documented, OpenSSH still doesn't support tunneling, even after installing tuntap.

    --
    {{.sig}}
    1. Re:Still no tunneling on OSX by BlackPignouf · · Score: 1

      I'm not sure what you look for, but wouldn't -L or -R do the trick?
      Like, tunnel port 3000 of localhost to port 80 of server?

    2. Re:Still no tunneling on OSX by pjt33 · · Score: 1

      Have you tried fink's build?

    3. Re:Still no tunneling on OSX by TheRaven64 · · Score: 2, Informative

      The -w option creates a virtual network adaptor and forwards IP packets or Ethernet frames over it. If you use it in Layer 3 (IP) mode then it will forward TCP, UDP, SCTP, and any other IP protocol. If you use it in Layer 2 mode then it will also work with non-IP protocols, such as AppleTalk. -L and -R, in contrast, only work with TCP. Both of these support routing, so your client can connect to any arbitrary server on any port and have packets passed along the encrypted connection as the first hop. This allows you to set up a VPN quite trivially. For example, you can use ssh with -w between two machines in different LANs, configure forwarding between their tun device and their physical Ethernet device, and have things like AppleTalk printers on one LAN accessible to the other.

      A half-way step is -D, which sets up a SOCKS proxy on the client machine, forwarding connections to the server. This requires the client to support SOCKS proxies, but a lot of things do these days.

      --
      I am TheRaven on Soylent News
    4. Re:Still no tunneling on OSX by mftb · · Score: 1

      If appropriate, try using -D.

    5. Re:Still no tunneling on OSX by Anonymous Coward · · Score: 0

      Or sftp support newer than protocol version 3 (for all platforms)..
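
Two of the threads above (the tunneling one and this OS X one) describe the -D option as "a SOCKS4/5 proxy on a given port". What that listener actually speaks is the exchange below. This is an added example, not OpenSSH code: it models both sides of a SOCKS5 CONNECT handshake as pure functions over bytes, so it runs offline with no sockets. The target host and port are constructed. Two things it makes visible that the prose does not: the only method this proxy accepts is "no authentication", and a domain-name target is carried as a string, so name resolution happens on the far end of the tunnel. Together those are why -D binds to loopback by default (per the GatewayPorts setting) and why binding it to a reachable interface turns your ssh client into an open proxy into the remote network.

```python
"""Minimal SOCKS5 CONNECT exchange, as spoken by a `ssh -D` listener.

Added example, not OpenSSH code. Both sides are modelled as pure functions
over bytes so the handshake can be driven in-process; no network is used.
"""
import ipaddress
import socket
import struct

VER = 0x05
METHOD_NOAUTH = 0x00
METHOD_NONE_ACCEPTABLE = 0xFF
CMD_CONNECT = 0x01
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04
REP_SUCCESS, REP_CMD_NOT_SUPPORTED, REP_ATYP_NOT_SUPPORTED = 0x00, 0x07, 0x08


def client_greeting() -> bytes:
    """Client offers exactly one method: no authentication."""
    return bytes([VER, 1, METHOD_NOAUTH])


def server_choose_method(greeting: bytes) -> bytes:
    """Server picks NOAUTH if offered, else 0xFF (client must close)."""
    if len(greeting) < 2 or greeting[0] != VER:
        raise ValueError("not SOCKS5")
    nmethods = greeting[1]
    methods = greeting[2:2 + nmethods]
    if len(methods) != nmethods:
        raise ValueError("truncated method list")
    chosen = METHOD_NOAUTH if METHOD_NOAUTH in methods else METHOD_NONE_ACCEPTABLE
    return bytes([VER, chosen])


def client_connect_request(host: str, port: int) -> bytes:
    """Encode CONNECT. Names are sent verbatim (ATYP 3), so the proxy end resolves them."""
    try:
        ip = ipaddress.ip_address(host)
        atyp = ATYP_IPV4 if ip.version == 4 else ATYP_IPV6
        addr = ip.packed
    except ValueError:
        raw = host.encode("idna")
        if len(raw) > 255:
            raise ValueError("hostname too long for SOCKS5")
        atyp, addr = ATYP_DOMAIN, bytes([len(raw)]) + raw
    return bytes([VER, CMD_CONNECT, 0x00, atyp]) + addr + struct.pack("!H", port)


def server_parse_request(req: bytes):
    """Return (host, port) for a CONNECT; raise LookupError(reply_code) otherwise."""
    if len(req) < 4 or req[0] != VER:
        raise ValueError("bad request")
    cmd, atyp = req[1], req[3]
    if cmd != CMD_CONNECT:
        raise LookupError(REP_CMD_NOT_SUPPORTED)
    if atyp == ATYP_IPV4:
        host, rest = str(ipaddress.IPv4Address(req[4:8])), req[8:]
    elif atyp == ATYP_IPV6:
        host, rest = str(ipaddress.IPv6Address(req[4:20])), req[20:]
    elif atyp == ATYP_DOMAIN:
        n = req[4]
        host, rest = req[5:5 + n].decode("idna"), req[5 + n:]
    else:
        raise LookupError(REP_ATYP_NOT_SUPPORTED)
    if len(rest) != 2:
        raise ValueError("bad port field")
    return host, struct.unpack("!H", rest)[0]


def server_reply(rep: int, bind_addr: str = "0.0.0.0", bind_port: int = 0) -> bytes:
    """Reply: version, status, reserved, bound address (IPv4 form here)."""
    return bytes([VER, rep, 0x00, ATYP_IPV4]) + socket.inet_aton(bind_addr) + struct.pack("!H", bind_port)


def run_handshake(host: str, port: int):
    """Drive both sides in-process; return (target the proxy would dial, reply bytes)."""
    if server_choose_method(client_greeting())[1] != METHOD_NOAUTH:
        raise RuntimeError("method negotiation failed")
    target = server_parse_request(client_connect_request(host, port))
    return target, server_reply(REP_SUCCESS)


if __name__ == "__main__":
    print(run_handshake("intranet.example", 443))
```

Because nothing in this exchange identifies the client, access control for a -D listener is entirely the bind address: keep it on 127.0.0.1 unless every host that can reach the port is meant to have the same reach into the remote network that your ssh session has.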

  25. Leap of faith not resolved after all these years? by Anonymous Coward · · Score: 0

    I refuse to just sit here and praise OpenSSH when the inherent leap of faith weakness in the system has essentially been ignored year after year for no reason.

    SRP and similar technology have been available for a number of years. These systems have the capability of establishing secure sessions using common credential knowledge to establish trust -- yet the same inherent weakness continues its insane march into the future.

    I feel safer using RDP to a vista/2008 system than I do using SSH.
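
The "leap of faith" in the post above is trust-on-first-use: the first connection records whatever host key the server presents, and every later connection is only as good as that first one. The example below is an added one, not OpenSSH code. It models a known_hosts store with OpenSSH's entry formats (hashed host names as |1|salt|HMAC-SHA1, fingerprints as SHA256 base64 without padding, ssh-ed25519 key blobs per RFC 8709), on constructed keys and a constructed host name, and runs the failure mode twice: once naively, where a man-in-the-middle who gets there first becomes the remembered key and the real server is the one that later triggers the mismatch warning; and once with a fingerprint obtained out of band, where the first contact is checked rather than believed. SSHFP records with VerifyHostKeyDNS, or (in later OpenSSH releases) CA-signed host keys, are the other ways of replacing the leap with a check.

```python
"""Trust-on-first-use host key checking, as known_hosts does it.

Added example, not OpenSSH code. Key blobs and the host name are constructed;
no network is used. Entry and fingerprint formats follow OpenSSH's.
"""
import base64
import hashlib
import hmac
import os
import struct


def ssh_string(b: bytes) -> bytes:
    return struct.pack("!I", len(b)) + b


def ed25519_blob(pubkey32: bytes) -> bytes:
    """Wire encoding of an ssh-ed25519 public key (RFC 8709 section 4)."""
    return ssh_string(b"ssh-ed25519") + ssh_string(pubkey32)


def fingerprint_sha256(blob: bytes) -> str:
    """SHA256 fingerprint as ssh-keygen -l prints it."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def hashed_host(host: str, salt: bytes) -> str:
    """HashKnownHosts entry: |1|base64(salt)|base64(HMAC-SHA1(salt, host))."""
    mac = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(), base64.b64encode(mac).decode())


def host_matches(entry_host: str, host: str) -> bool:
    if entry_host.startswith("|1|"):
        _, _, salt_b64, _ = entry_host.split("|")
        return hashed_host(host, base64.b64decode(salt_b64)) == entry_host
    return host in entry_host.split(",")


class KnownHosts:
    def __init__(self):
        self.entries = []  # (host field, key type, base64 blob)

    def check(self, host: str, blob: bytes, pinned_fingerprint=None) -> str:
        """Return 'ok' (known, matches), 'new' (first contact, recorded) or 'MISMATCH'."""
        for h, _kt, b64 in self.entries:
            if host_matches(h, host):
                return "ok" if base64.b64decode(b64) == blob else "MISMATCH"
        # First contact. Without a pin this is the leap of faith: whatever key
        # arrives now becomes the truth for every later connection.
        if pinned_fingerprint is not None and fingerprint_sha256(blob) != pinned_fingerprint:
            return "MISMATCH"
        self.entries.append((hashed_host(host, os.urandom(20)), "ssh-ed25519",
                             base64.b64encode(blob).decode()))
        return "new"


def demo() -> dict:
    real_blob = ed25519_blob(bytes(range(32)))          # constructed server key
    attacker_blob = ed25519_blob(bytes(range(32, 64)))  # constructed MITM key
    host = "build.example.net"

    # Naive TOFU: the MITM is first, so the real server later looks like the attacker.
    naive = KnownHosts()
    naive_first = naive.check(host, attacker_blob)
    naive_later = naive.check(host, real_blob)

    # Fingerprint obtained out of band: the MITM is rejected on first contact.
    pin = fingerprint_sha256(real_blob)
    pinned = KnownHosts()
    pinned_attacker = pinned.check(host, attacker_blob, pinned_fingerprint=pin)
    pinned_real = pinned.check(host, real_blob, pinned_fingerprint=pin)

    return {"naive_first": naive_first, "naive_later": naive_later,
            "pinned_attacker": pinned_attacker, "pinned_real": pinned_real,
            "fingerprint": pin}


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

The operational point is the order of events in the naive run: the warning users are trained to fear fires for the legitimate server, after the damage is done. A pin, a DNS record or a host certificate moves the check to the connection where it matters.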

  26. Surely not! by Anonymous Coward · · Score: 0

    "OpenTelnet is a 100% complete Clear-text protocol version 1.3, 1.5 and 2.0 implementation and includes ftp client and server support. It sends in clear-text all traffic (including passwords) to effectively ease eavesdropping, connection hijacking, and other attacks. Additionally, OpenTelnet provides insecure tunneling capabilities and a single authentication method, and supports all Clear-text protocol versions. Version 5.3 marks the 30th anniversary of the OpenTelnet project."

  27. Beware of Linux-induced vulnerabilities by fialar · · Score: 2, Interesting

    http://lwn.net/Articles/354891/

    Otherwise, OpenSSH is fantastically secure. :)

  28. Actually, OpenSSH is unavailable to GPL devs by Rix · · Score: 1

    OpenSSH is one of the few (only?) BSD projects that still use a license incompatible with the GPL.

  29. Expired password with sftp... by Nick0001 · · Score: 1

    When will we be able to tell that our password expired when connecting with sftp?

  30. Does it run... by Aladrin · · Score: 2, Interesting

    Yes but, does it run on Windows 7?

    I tried installing sshwindows on Win7 the other day and the service wouldn't start. As far as I can tell, openssh has never officially supported Windows and never will.

    Sure, it's useful for 'nix to 'nix connections, but I need my Windows PC in on the action, too.

    --
    "If you make people think they're thinking, they'll love you; But if you really make them think, they'll hate you." - DM
    1. Re:Does it run... by tokul · · Score: 1

      Yes but, does it run on Windows 7?

      http://cygwin.com/

      "The Cygwin DLL currently works with all recent, commercially released x86 32 bit and 64 bit versions of Windows, with the exception of Windows CE."

    2. Re:Does it run... by cs96and · · Score: 1

      Use cygwin

    3. Re:Does it run... by Blakey+Rat · · Score: 1

      There's Services For Unix from Microsoft: http://www.microsoft.com/downloads/details.aspx?FamilyID=896c9688-601b-44f1-81a4-02878ff11778&DisplayLang=en

      Disclaimer: Windows 7 isn't listed on the compatibility list, so I can't guarantee it'll work. Should though.

    4. Re:Does it run... by shutdown+-p+now · · Score: 1

      The separate "Services for Unix" is for Win2003 and below. In Win2003 R2, they were shipped together with the OS, but still under the same name.

      For Vista/2008/7, the thing has been rebranded "Subsystem for Unix Applications" (SUA), and is distributed with the OS as one of its components (i.e. you go to "Install Windows features" dialog to enable it) - but you need Vista/7 Enterprise or Ultimate to have it, as it's excluded from Home/Professional. Win2008 has it for all versions.

      It's actually a pretty neat thing because it truly is a separate NT subsystem that builds directly on the NT kernel and its core APIs - unlike Cygwin, which wraps Win32 (which is itself an NT subsystem). The problem with the latter approach is that Win32 actually hides some of the features that NT is otherwise capable of, and which allow a more efficient implementation of POSIX (e.g. a better fork).

    5. Re:Does it run... by Blakey+Rat · · Score: 1

      Ah, thanks for the clarification.

    6. Re:Does it run... by jabelli · · Score: 1

      I have been using this for a while. I have not tested it on Win7 yet, but I would expect it to work, as long as you don't install under "C:\Program Files".

  31. Sure. by Pegasus · · Score: 2, Interesting

    Install cygwin or Microsoft's own SFU (services for unix). They give you sshd under windows, init scripts, NFS mounting etc. SFU is actually based on openbsd userspace.

  32. Vulgar lie. by jotaeleemeese · · Score: 1

    "Businesses really hate that viral open source thing in the GPL"

    You meant to say

    "Unscrupulous lechers, that won't pay for commercial software nor will contribute to community developed software, hate that viral open source thing in the GPL"

    As for serious companies, you know, like multinational banks, oil companies, software developers, IT consultancies and the like, they all have embraced the GPL with open arms. (unless the Linux licence changed in the last 10 minutes).

    --
    IANAL but write like a drunk one.
  33. For bunnies sakes... by jotaeleemeese · · Score: 1

    You sound like one of those people living in abusive relationships, which after being badly beaten by their abusive partner will be the first one to defend him.

    Honestly, read your elegy again....

    --
    IANAL but write like a drunk one.
  34. Oh, no worries. by jotaeleemeese · · Score: 1

    Microsoft will release a version soon.

    --
    IANAL but write like a drunk one.
  35. 10 years and still no smart card/pkcs#11 support! by Anonymous Coward · · Score: 1, Interesting

    OpenSSH is nice, but how come there is no way to use anything other than software keys in a sensible manner with OpenSSH? Hardware tokens, HSM accelerators, smart cards? Where is PKCS#11 support in OpenSSH?

    Shame, especially because there have been patches available for years to do this. Check out https://bugzilla.mindrot.org/show_bug.cgi?id=1371

  36. Thanks but i switched to dropbear by mAriuZ · · Score: 1

    Seems to be better on my netbook (smaller and faster anyway)

    --
    developer http://flamerobin.org
  37. Still has some problems by GoNINzo · · Score: 1

    The sad part is that it still has some problems.

    For instance, if you want a chroot jail to terminate in a subsection, for example /export/home/sftp/username1, you would normally do /export/home/sftp/./username1 as username1's path. Reading that, where should the chroot jail be? Well, it's the user's full path.

    Based on reading that, shouldn't it be at /export/home/sftp/ as the chroot jail, and in the user's directory? That would seem to be correct, however, this isn't how openssh does it.

    I know they are just trying to protect their users, but it is at the cost of flexibility.

    --
    Gonzo Granzeau
    "Nothing the god of biomechanics wouldn't let you into heaven for.." -Roy Batty