Slashdot Mirror


OpenSSH No Longer Has To Depend On OpenSSL

ConstantineM writes: "What has been planned for a long time now, prior to the infamous heartbleed fiasco of OpenSSL (which does not affect SSH at all), is now officially a reality — with the help of some recently adopted crypto from DJ Bernstein, OpenSSH now finally has a compile-time option to no longer depend on OpenSSL. `make OPENSSL=no` has now been introduced for a reduced configuration OpenSSH to be built without OpenSSL, which would leave you with no legacy SSH-1 baggage at all, and on the SSH-2 front with only AES-CTR and chacha20+poly1305 ciphers, ECDH/curve25519 key exchange and Ed25519 public keys."
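The summary lists the algorithm set that survives an OpenSSL-free build (AES-CTR and chacha20-poly1305 ciphers, curve25519 key exchange, Ed25519 host keys). A practical defender question that follows is whether an existing sshd_config still interoperates with such a build, since any algorithm outside that set would be refused. The script below is an added example written for this page, not code from OpenSSH or from the story; it parses a constructed sshd_config, reports every algorithm outside the reduced set, and rewrites the lists to keep only the supported ones. The identifier strings in OPENSSL_FREE (aes128-ctr, chacha20-poly1305@openssh.com, curve25519-sha256@libssh.org, ssh-ed25519 and so on) are my assumption of the OpenSSH algorithm names that correspond to the story's description; MACs are not covered because the story does not list them.

```python
"""Check sshd_config algorithm lists against the reduced set an OPENSSL=no
OpenSSH build supports, as described in the story. Added example, not
OpenSSH's own code."""

# Assumed OpenSSH algorithm identifiers for the set the story names
# (AES-CTR + chacha20-poly1305, curve25519 kex, Ed25519 host keys).
OPENSSL_FREE = {
    "Ciphers": {"aes128-ctr", "aes192-ctr", "aes256-ctr",
                "chacha20-poly1305@openssh.com"},
    "KexAlgorithms": {"curve25519-sha256@libssh.org"},
    "HostKeyAlgorithms": {"ssh-ed25519"},
}

# Map lower-cased keyword -> canonical spelling (sshd_config keywords are
# case-insensitive).
_KEYWORDS = {k.lower(): k for k in OPENSSL_FREE}

# Constructed sample config: a common "hardened" list that still carries
# algorithms an OPENSSL=no build would reject (CBC cipher, NIST ECDH, RSA).
SAMPLE_CONFIG = """\
# constructed sample, not a real host's configuration
Port 22
Ciphers aes256-ctr,aes128-cbc,chacha20-poly1305@openssh.com
KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp256
HostKeyAlgorithms ssh-ed25519,ssh-rsa
"""


def _split_line(raw):
    """Return (canonical_keyword, [algorithms]) for a relevant line, else None.
    Only whole-line comments are honoured, matching sshd_config's syntax."""
    line = raw.strip()
    if not line or line.startswith("#"):
        return None
    parts = line.split(None, 1)
    if len(parts) != 2 or parts[0].lower() not in _KEYWORDS:
        return None
    keyword = _KEYWORDS[parts[0].lower()]
    algs = [a.strip() for a in parts[1].split(",") if a.strip()]
    return keyword, algs


def find_unsupported(config_text):
    """Return {keyword: [algorithms outside the OpenSSL-free set]}.
    Keywords whose whole list is supported are omitted."""
    report = {}
    for raw in config_text.splitlines():
        parsed = _split_line(raw)
        if parsed is None:
            continue
        keyword, algs = parsed
        bad = [a for a in algs if a not in OPENSSL_FREE[keyword]]
        if bad:
            report[keyword] = bad
    return report


def strip_to_openssl_free(config_text):
    """Return the config with unsupported algorithms dropped from each list,
    preserving order and leaving every other line untouched. A list that
    would become empty is commented out rather than emitted empty, because
    an empty list is a syntax error for sshd."""
    out = []
    for raw in config_text.splitlines():
        parsed = _split_line(raw)
        if parsed is None:
            out.append(raw)
            continue
        keyword, algs = parsed
        kept = [a for a in algs if a in OPENSSL_FREE[keyword]]
        if kept:
            out.append(f"{keyword} {','.join(kept)}")
        else:
            out.append(f"# {keyword}: no algorithm supported by an OPENSSL=no build")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for keyword, bad in find_unsupported(SAMPLE_CONFIG).items():
        print(f"{keyword}: not available without OpenSSL: {', '.join(bad)}")
    print(strip_to_openssl_free(SAMPLE_CONFIG))
```

Run against a real file with `find_unsupported(open("/etc/ssh/sshd_config").read())`; an empty result means every listed algorithm is within the reduced set, so clients built with `OPENSSL=no` can still negotiate with that server.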

6 of 144 comments

  1. Vetting the replacement libraries? by mlts · · Score: 4, Insightful

    Now, here is the secondary question: How well vetted/audited will the replacement libraries end up? Disconnecting OpenSSH from OpenSSL does help isolate things, but it also means that there is twice the cryptographic code to sift through in order to ensure security.

    I trust the OpenBSD developers and Theo, so IMHO, this is a net security gain.

    Maybe for the lost ciphers, it might be good to implement LibreSSL?

  2. Good news! Now get it FIPS certified. by sinij · · Score: 3, Insightful

    Get this version of OpenSSH FIPS certified and it will be default industry standard for the next decade.

    1. Re:Good news! Now get it FIPS certified. by DougOtto · · Score: 5, Insightful

      While your points are certainly valid, they do little to mitigate the need for FIPS when dealing with things like FBI CJIS data. Either you're in compliance or they disconnect you. It's sort of like arguing with a TSA agent; it'll make you feel a little better but it won't actually change anything.

      --
      Solving Unix problems since 1989...

  3. Re:Nooooooooo by lgw · · Score: 5, Insightful

    DJB is the worst kind of asshole too: he's almost always right. So you shouldn't just ignore him. Meh, justified arrogance still annoys.

    Now, what we really need is a cage match between DJB and Theo de Raanter. I'd buy that on PPV!

    --
    Socialism: a lie told by totalitarians and believed by fools.

  4. Re:symbolism over substance in the realm of security by Anonymous Coward · · Score: 2, Insightful

    I like it how you listed it as Obama's Legacy. TSA was put in under Bush's reign of stupidity and the NSA has been around since sometime after WWII.

  5. Re:He's right when he's driving in the UK by hangareighteen · · Score: 3, Insightful

    His goal seems to be to make rock solid software with well-considered security of design and operation, and that's about his only goal. Compliance with the LSB is nice and all, but it's not something that keeps me up at night. Hell, it's not even in the top ten; and while DJB's software can be a little rough around the edges, I'm more than happy to use it because I have a high level of confidence in the design and implementation of his ideas.