Slashdot Mirror


Microsoft Releases a Preview of OpenSSH Client and Server For Windows 10 (servethehome.com)

kriston (Slashdot user #7,886) writes: Microsoft released a preview of the OpenSSH server and client for Windows 10. Go to Settings, Apps & Features, and click "Manage optional features" to install them. The software only supports AES-CTR and chacha20 ciphers and supports a tiny subset of keys and KEXs, but, on the other hand, a decent set of MACs.

It also says that it doesn't use the OpenSSL library. That's the really big news, here. I understand leaving out arcfour/RC4 and IDEA, but why wouldn't MSFT include Blowfish, Twofish, CAST, and 3DES? At least they chose the CTR versions of these ciphers. (Blowfish isn't compromised in any practical way, by the way). I prefer faster and less memory- and CPU-intensive ciphers.

Still, it's a good start. The SSH server is compelling enough to check out especially since I just started using X2GO for remote desktop access which requires an SSH server for its file sharing feature.

144 comments

  1. We've already got PuTTY by Anonymous Coward · · Score: 2, Insightful

    It works well, it's been field proven for decades and it doesn't "call home" to Redmond.

    1. Re:We've already got PuTTY by OffTheLip · · Score: 2

      PuTTY only provides half of a SSH solution, still need a server. Hopefully the Microsoft OpenSSH server will accept clients other than their's.

    2. Re:We've already got PuTTY by Anonymous Coward · · Score: 0

      Decades in use and the UI still sucks ass. It's like its "designer" had never seen a gui application.

    3. Re:We've already got PuTTY by Anonymous Coward · · Score: 0

      Decades in use and the UI still sucks ass. It's like its "designer" had never seen a gui application.

      I'm sure someone out there can do like Mozilla and make it look like Chrome.

      PS - noobs are the only ones who even notice the GUI. "Oh noes! This GUI is different from the others! I'm confoozed!"

    4. Re:We've already got PuTTY by Antique+Geekmeister · · Score: 4, Informative

      Cygwin provides an SSH server, with current OpenSSH releases and a more powerful bash based local working environment. It does require additional non-Microsoft published binaries, and it has had issues operating with various anti-virus software packages. I admit that I'm very, very curious what shell and what capability for chroot sftp access may be available with the new Microsoft published server.

      Activating that future could be very helpful for people who wish to safely upload, or download, more safely from what is already a publicly exposed Windows server.

    5. Re:We've already got PuTTY by Anonymous Coward · · Score: 2, Informative

      We're engineers, we don't want or need that cute CSS/animated JS eye candy.

    6. Re:We've already got PuTTY by greenwow · · Score: 2

      The fork KiTTY is a little better:

      http://www.9bis.net/kitty/

      It stores its config in files so you can easily copy them to another machine or track them with Git. It still has the same bizarre starting interface to open and edit sessions and lacks a find feature.

    7. Re: We've already got PuTTY by Anonymous Coward · · Score: 0

      Only idiots use the term "noob". The PuTTY UI does indeed suck. That's unacceptable in 2017. Reality is a bitch. Deal with it.

    8. Re:We've already got PuTTY by Dog-Cow · · Score: 0

      Me too. The "their is" client is the worst. Even worse than your grammar, believe it or not.

    9. Re:We've already got PuTTY by TechyImmigrant · · Score: 1

      Decades in use and the UI still sucks ass. It's like its "designer" had never seen a gui application.

      I'm sure someone out there can do like Mozilla and make it look like Chrome.

      PS - noobs are the only ones who even notice the GUI. "Oh noes! This GUI is different from the others! I'm confoozed!"

      Works for me. Right click on the icon and the usual addresses pop up.

      --
      I should use this sig to advertise my book ISBN-13 : 978-1501515132.
    10. Re:We've already got PuTTY by Dr.Dubious+DDQ · · Score: 4, Informative
      "Hopefully the Microsoft OpenSSH server will accept clients other than their's."

      It does - or at least it did last time I tried it.

      This project appears to be the Powershell team doing an honest port of the "Portable OpenSSH" code to native Windows, apparently including legitimate efforts to upstream the port to the main "Portable OpenSSH" project, and it seems (or at least seemed) to be as compatible as one would expect.

      When I last tried it, the only issue I ran into was oddities in the terminal emulation, due to Microsoft's shell environment being "special" (things like backspace/del behaving oddly etc.), but it otherwise seemed to work just the same as OpenSSH on my Linux boxen. It's probably been nearly a year since I tried to seriously play with it, so I imagine a lot of improvements have taken place since then.

      One nice thing about this project is that there seem to be rumors that "Powershell remoting" will eventually use SSH as its authentication and transport mechanism, which is a major hole in the current port of Powershell to non-Windows platforms. (You *can* do "powershell remoting" from e.g. Linux to Windows, but *only* if you substantially downgrade the security on the Windows side to allow it, because apparently it currently depends on one of the many special "Windows-only" features in powershell to do otherwise. Switching to SSH for this would fix that problem.)

    11. Re:We've already got PuTTY by Hal_Porter · · Score: 4, Funny

      PuTTY does ANSI terminal emulation. So you can watch Star Wars by Telnet in color!

      telnet towel.blinkenlights.nl

      If everyone watched movies in the efficient open standard Telnet instead of the bloated and patent encumbered H.264 we'd save 52 Gigatonnes of CO2 per year.

      --
      echo -e 'global _start\n _start:\n mov eax, 2\n int 80h\n jmp _start' > a.asm; nasm a.asm -f elf; ld a.o -o a;
    12. Re:We've already got PuTTY by ctilsie242 · · Score: 1

      If you want something that has a lot of configuration abilities, look at Remote Desktop Manager. It is a commercial utility, but has a free version. It handles not just SSH, but RDP, VNC, Apple Remote Access, and a ton of other protocols.

    13. Re: We've already got PuTTY by Anonymous Coward · · Score: 0

      why on earth would anyone want to use power shell on other platforms?

    14. Re:We've already got PuTTY by Anonymous Coward · · Score: 0

      Please lightly disassemble the MS code and tell us if STRCPY or STRNCPY was used. I suspect Microsoft MOM is another unwanted player. Having an HP like debugger included in the released code would also be a bad thing.

    15. Re: We've already got PuTTY by Dr.Dubious+DDQ · · Score: 1

      why on earth would anyone want to use power shell on other platforms?

      Well, I originally thought the answer would be "so that you can do some of the useful Special Windows Things (like WMI queries of Windows machines) from other platforms", but it turns out the "Special Windows Things" remain proprietary and not included in cross-platform Powershell port so...I'm not really sure. Besides "because Microsoft wants you to", I mean.

      Powershell's actually got some neat tricks, and is really handy on Windows systems, but so far I feel like I'd rather just use Python instead, in general. Python's not installed by default on Windows, though...

    16. Re:We've already got PuTTY by Anonymous Coward · · Score: 0

      PuTTY only provides half of a SSH solution, still need a server. Hopefully the Microsoft OpenSSH server will accept clients other than their's.

      But to what end?
      Getting a shell where you can copy and remove files is great and all, but that isn't the feature that is missing from Windows.
      While Windows file sharing is wonky it still works most of the time.

      When people talk about reasons they still use Windows it is for programs that are a full GUI environment and installation from console may or may not work.
      Even if you do, you aren't going to run the Office suite or Photoshop in a console. You are also not going to run your old legacy programs that manages some old machinery from the console.

      I don't really see how this gives a benefit right now. The thing it will hopefully lead to is more console programs being developed for Windows so that those Windows-only programs written today can be controlled remotely.

    17. Re: We've already got PuTTY by jabuzz · · Score: 1

      That was my thought too. I was particularly keen on being able to do queries against AD. I was mightily disappointed to find the Linux version of Powershell does not do all the cool AD stuff, then was even more disappointed to find it didn't do the WMI stuff either, and then gave up when the remoting didn't work without messing about on the Windows machine.

    18. Re:We've already got PuTTY by SCHecklerX · · Score: 1

      I use a linux workstation at work. Having an SSH Server on windows would make life a lot easier for the rare occasion that I have to do something on a windows server.

    19. Re:We've already got PuTTY by Anonymous Coward · · Score: 0

      Finally a movie I can stream with my internet connection

    20. Re:We've already got PuTTY by pnutjam · · Score: 1

      Use Mobaxterm, it's got the full ssh server/ client stack with port forwarding and all sorts of other goodies.

    21. Re:We've already got PuTTY by Anonymous Coward · · Score: 0

      It's like its "designer" had never seen a gui application.

      Not surprising considering that the point of putty is exactly to run non-GUI stuff . . .

  2. Err... have we not learned? by Anonymous Coward · · Score: 3, Insightful

    After Windows 10 turned out to be one OS-sized piece of spyware, why would any sane person use it for anything?

    Time to kick that shit to the curb.

    Anyways Linux and BSD both have much better SSH support, without the malware coming bundled with win10.

    1. Re:Err... have we not learned? by Anonymous Coward · · Score: 0

      Most people don't learn anything. They're too busy with "oooo shiny". And "I can't see it so it doesn't exist."

    2. Re:Err... have we not learned? by Anonymous Coward · · Score: 0

      You really can't trust these OS's, desktops or browsers any more. Practically, the only way to be safe is to have wireshark running 24 hours/day for each PC.

    3. Re: Err... have we not learned? by Zero__Kelvin · · Score: 2

      I'm assuming this is an argument for using Linux, where OpenSSH server and client work out of the box and have been thoroughly tested by millions? Of course you wouldn't need or use SSH unless you were doing CLI, so it's pretty obvious that you are a clueless troll.

      --
      Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
    4. Re: Err... have we not learned? by TheRealMindChild · · Score: 1

      Of course you wouldn't need or use SSH unless you were doing CLI

      What? Tunneling you can do just about anything.

      --

      "When life gives you lemons, don't make lemonade. Make life take the lemons back!" -- Cave Johnson
    5. Re:Err... have we not learned? by Anonymous Coward · · Score: 0

      In my experience Linux "just works" out of the box, where Windows requires a huge effort of finding and installing drivers, figuring out where on the web to get all the tools like "git" that you need to make it usable, downloading and installing them, etc. From scratch it takes me minutes post-install to get a usable Linux system and hours post-install to get a usable Windows system.

      Witness the OP's problems with SSH. OpenSSH "just works" in Linux.

    6. Re: Err... have we not learned? by Anonymous Coward · · Score: 0

      When you say "most of us", who are you speaking for? Not me.

      Console averse people like yourself don't value repeatability. Without that, you will build systems that work inconsistently and cannot be reproduced in other environments.

      That's okay, they'll have to pay me to come clean up your mess.

    7. Re: Err... have we not learned? by Zero__Kelvin · · Score: 1

      Don't confuse SSH with SSL. SSH is Secure Shell, which establishes an SSL connection for shells. Tunnelling is done with SSL, though it is often done through the SSH tools. What is called *SSH* tunnelling is actually just SSL tunnelling over the SSH port.

      --
      Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
    8. Re:Err... have we not learned? by thegarbz · · Score: 1

      why would any sane person use it for anything [dailykos.com]?

      People didn't care about Google.
      People didn't care about Facebook.

      What makes you think that people would care now?

      Interesting that you question their sanity. What was the definition of insane? Seeing the same thing happen over and over again and expecting a different outcome!

    9. Re: Err... have we not learned? by Anonymous Coward · · Score: 0

      The systems you implement break often.

    10. Re: Err... have we not learned? by Anonymous Coward · · Score: 0

      Linux is the worst of the 3 major operating systems and it's not even close.

    11. Re: Err... have we not learned? by Barefoot+Monkey · · Score: 1

      You're mistaken. SSH does not establish an SSL connection for shells or anything else. SSH is a cryptographic protocol in its own right, just like SSL and TLS. An "SSH tunnel" really is tunnelling through SSH, not some other protocol.

      Amusingly enough, due to their respective places in the OSI model you're more likely to see SSL running on top of SSH than the other way around.

    12. Re:Err... have we not learned? by Anonymous Coward · · Score: 0

      Because that is what our companies require. That is what the products we dev and/or support require. Because we have to QA stuff on Win 10. Because because because.
      Lots of us are reluctant users and it isn’t our decision and it is out of our control.

    13. Re: Err... have we not learned? by Zero__Kelvin · · Score: 2

      You should probably read the summary, which talks about the protocols the Microsoft version does and doesn't support. You should probably get a basic level of education on why open*SSL* was required by OpenSSH until 2014.

      --
      Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
    14. Re: Err... have we not learned? by Anonymous Coward · · Score: 0

      OpenSSL is a confusingly named project. It implements both low level crypto primitives (e.g. AES), and high level protocols (SSL, TLS, ...).

      OpenSSH really only cares about the part that has nothing to do with SSL

    15. Re: Err... have we not learned? by Anonymous Coward · · Score: 0

      90% of users would probably be better off with ChromeOS than any of the other operating systems. It's come a long way, and there are exciting features on the horizon.

      For the remaining 10% of users, things depend a lot on why they need a more powerful environment. But yes, Linux might be the answer. There is a reason why in the server world, it's pretty much a Linux monoculture. All of the world's 500 fastest computers run Linux.

    16. Re: Err... have we not learned? by Zero__Kelvin · · Score: 1

      Oh really? Then tell us, where are the specs for the SSH encryption mechanism?

      --
      Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
    17. Re: Err... have we not learned? by Barefoot+Monkey · · Score: 2

      You should probably read the summary, which talks about the protocols the Microsoft version does and doesn't support.

      Those are cyphers.

      You should probably get a basic level of education on why open*SSL* was required by OpenSSH until 2014.

      OpenSSL has many components, including libssl (which provides SSL support for applications), libcrypto (providing a number of cryptographic functions) and some tools for working with certificates. OpenSSH's dependency on OpenSSL was because it used libcrypto for cyphers.

    18. Re: Err... have we not learned? by Zero__Kelvin · · Score: 0

      Right. That's what I just said. The sH is for shell, i.e. CLI. Tunnelling happens at the SSL/TLS layer. SSH is a protocol that leverages SSL (old school) or TLS (new school) to perform the tunneling.

      --
      Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
    19. Re: Err... have we not learned? by Anonymous Coward · · Score: 0

      I'm no expert at anything, but I know that's a fact."

    20. Re: Err... have we not learned? by Zero__Kelvin · · Score: 1

      It is definitely a fact that you are no expert on the subject. Thanks for making that super double clear though!

      --
      Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
    21. Re: Err... have we not learned? by Barefoot+Monkey · · Score: 1

      Tunnelling happens at the SSL/TLS layer. SSH is a protocol that leverages SSL (old school) or TLS (new school) to perform the tunneling.

      Wrong. I've already told you that SSH doesn't use SSL or TLS at all. Encryption and tunnelling is all handled within the SSH protocol itself. Here is the RFC for the SSH transport layer protocol, which describes how it works.

    22. Re: Err... have we not learned? by Zero__Kelvin · · Score: 0

      more often than not SSH uses SSL under the hood ... The rest of the time it uses TLS. I hope you decide to educate yourself someday!

      --
      Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
    23. Re: Err... have we not learned? by Anonymous Coward · · Score: 0

      except he's not wrong so here's a link talking about this.

      https://utcc.utoronto.ca/~cks/space/blog/tech/SSHAndSSLAndHeartbleed

      They say this

      OpenSSH is one implementation of the SSH protocol. It uses various functions exported by OpenSSL for a lot of cryptography related things such as generating randomness, but it doesn't use the SSL/TLS portions of OpenSSL because SSH (the protocol) doesn't involve TLS (the protocol).

    24. Re: Err... have we not learned? by Zero__Kelvin · · Score: 1

      If it says it on a blog it must be true!

      --
      Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
    25. Re: Err... have we not learned? by Anonymous Coward · · Score: 0

      You used a blog, I used a blog!

    26. Re: Err... have we not learned? by Barefoot+Monkey · · Score: 1

      Sorry, but that's not good enough. You linked to a brief article on differencebetween.net with nothing to support your claim other than the phrase "more often than not SSH uses SSL under the hood", with no elaboration on what that means and nothing to indicate that it's anything other than a naive assumption. And where does your claim "the rest of the time it uses TLS" come from? Pure guesswork? Did you even look at the RFC before replying?

      If you want to convince me of your claim you should start by doing some research into whether or not it is actually true, and then provide some arguments as to why. Smug insults such as "You should probably read the summary", "You should probably get a basic level of education" and "I hope you decide to educate yourself someday!" are not convincing, and merely convey the impression that you are embarrassed about being caught out.

    27. Re: Err... have we not learned? by Zero__Kelvin · · Score: 0

      I logged in. You are an AC following up on your post with misinformation. See the difference?

      --
      Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
    28. Re: Err... have we not learned? by Zero__Kelvin · · Score: 1

      Great. Now would be a good time to educate yourself. Your apology is accepted.

      --
      Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
    29. Re:Err... have we not learned? by Anonymous Coward · · Score: 0

      For Christ's sake enough with the OS spyware hyperbole. Any anonymized telemetry data transmitted back to MS is hardly spyware unless your definition is so broad that the term becomes meaningless. Normal people do not run OS's they run applications. They have no time to sit around navel gazing and questioning the meaningless minutiae that makes their applications work. Linux and BSD do not even come close to matching the number of applications that MS supports. And companies will need more than "MS SUX!" to change platforms. And a hell of a lot of people have no problem with MS automatically providing OS and security updates on their machines. The average user doesn't have time or interest to scour the web looking to see if any updates or patches for their specific flavor Linux and install them. And if you consider yourself a computer expert there are ways to prevent automatic updates and stop any outgoing telemetry data from being sent to anyone. I will give you a hint. Don't go to the Control Panel looking for configuration settings to accomplish this. Wait until you graduate from HS and see how the real world operates before you make more stupid comments. And for the record I have watched companies who wanted off the MS platform waste a shitload of money on project failures. In the end there are just too many specialized 3rd party solutions that are only MS compatible. Infrastructure and application components that may be small when compared to the entire platform but without them the project fails. Sure you can just develop your own replacements but how much time and money are you willing to invest? How much time and money are you prepared to spend re-architecting all the custom business applications that have been running under an MS OS for years? How much time and money are you willing to spend to re-train or replace all of your IT staff? How much time and money are you willing to spend to re-train your users? How much time and money are you willing to spend to converting all of your MS Word documents, Excel spreadsheets, and PP presentations? And you may think you are saving money because you will no longer have to pay for any MS licenses but you will have to pay someone else to support your new OS and that is neither cheap nor easy. Most companies do not have OS developers on staff to maintain their chosen OS. And OS development is an entirely different animal than application development. OS and application development are separate fields and have very little in common. Linux has its place and is a good choice in certain areas such as the data centers but even there it is not the automatic or even best choice. Use the tool that best solves your problem. Orchestrating religious holy wars over OS's is idiocy. It rivals the Sunni-Shite schisms when it comes to making rational choices.

      You divulge more about yourself every time you run a search on Google. Of course you also divulge your precious privacy every time you login into Facebook, use Twitter, and download all the nifty eye candy applications that ask you to hand over access to every service running on your phone.

    30. Re: Err... have we not learned? by Anonymous Coward · · Score: 0

      Nope! But I do understand that you are wrong and dumb! Also you should suck my DAMN balls for being wrong and dumb! Also you should educate yourself on TLS/SSL bs SSH! Also you should understand that certs are used in many ways, and often things have similar handshakes but they aren't the same goddamn protocol

      u moron lol

    31. Re: Err... have we not learned? by Zero__Kelvin · · Score: 1

      Yeah. I wouldn't log in either if I were you.

      --
      Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
    32. Re: Err... have we not learned? by Anonymous Coward · · Score: 0

      Tunneling doesn't require SSH dumbfuck. It relies on SSL, and TLS.

    33. Re: Err... have we not learned? by Anonymous Coward · · Score: 0

      What kind of idiot thinks certs are involved?

    34. Re: Err... have we not learned? by Anonymous Coward · · Score: 0

      Because it implements many crypto algorithms along with the ssl protocol implementation. You can use the former without using the latter.

    35. Re: Err... have we not learned? by Barefoot+Monkey · · Score: 2
    36. Re: Err... have we not learned? by Anonymous Coward · · Score: 1

      SSH does not use TLS. It uses the OpenSSL library and uses a transport layer (https://tools.ietf.org/html/rfc4253) that is similar to TLS which has caused some confusion. However the statement that SSH uses SSL internally is false, the two protocols look quite different on the wire.

    37. Re:Err... have we not learned? by Anonymous Coward · · Score: 0

      That kelvin zero idiot apparently, that's the only reason he could be doing this.

      and he doesn't understand client auth at all like the idiot shitfucker moron he is lol

    38. Re: Err... have we not learned? by Zero__Kelvin · · Score: 1

      You should read it and understand it sometime. Again, tunneling doesn't require SSH, which stands for Secure SHell , a CLI protocol layered on top of a secure transport layer such as Secure Socket Layer (SSL), or Transport Security Layer (TLS). Off you go now moron ...

      --
      Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
    39. Re: Err... have we not learned? by Anonymous Coward · · Score: 0

      lol we've firmly established that it is indeed you that is the moron here

      and I've firmly established a tunnel in ur moms backdoor lol

    40. Re: Err... have we not learned? by Zero__Kelvin · · Score: 1

      It doesn't implement encryption algorithms. It is a layer above them.

      --
      Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
    41. Re:Err... have we not learned? by Anonymous Coward · · Score: 0

      In the real world, people use Acrobat, Microsoft Office (not 99% compatible stuff that hoses up things at the worst time), Exchange/Outlook, and depending on establishment, Peachtree/QuickBooks/accounting software. Companies need to manage thousands of desktops. Windows is the only choice here. Yes, you can show 1000 Linux VMs under Puppet... but try dealing with 1000+ desktops with users of varying access (admin rights, no admin rights, etc.) Windows is the only OS that scales up.

      With SCCM, I can show an auditor that every box is patched, and if not, why not. There is no equivalent for desktops (and I state desktops, because server side, it is a completely different story) on Linux and macOS.

      Oh, try doing VDI with Linux. Luck++ at it, especially with how GPU heavy stuff like Unity and KDE Plasma is.

    42. Re: Err... have we not learned? by Barefoot+Monkey · · Score: 2

      Click on the link. The title is "The Secure Shell (SSH) Transport Layer Protocol". That is the name of the secure transport layer that SSH uses. SSH uses SSH-TRANS as a transport layer, and doesn't use SSL or TLS for anything. You asked for the specs for the SSH encryption mechanism, and you got them, so don't complain.

      Here's another link: RFC 4251 - The Secure Shell (SSH) Protocol Architecture. That explains how the various parts of SSH work together. Here's an excerpt:

      1. Introduction

            Secure Shell (SSH) is a protocol for secure remote login and other
            secure network services over an insecure network. It consists of
            three major components:

              - The Transport Layer Protocol [SSH-TRANS] provides server
                  authentication, confidentiality, and integrity. It may optionally
                  also provide compression. The transport layer will typically be
                  run over a TCP/IP connection, but might also be used on top of any
                  other reliable data stream.

              - The User Authentication Protocol [SSH-USERAUTH] authenticates the
                  client-side user to the server. It runs over the transport layer
                  protocol.

              - The Connection Protocol [SSH-CONNECT] multiplexes the encrypted
                  tunnel into several logical channels. It runs over the user
                  authentication protocol.

            The client sends a service request once a secure transport layer
            connection has been established. A second service request is sent
            after user authentication is complete. This allows new protocols to
            be defined and coexist with the protocols listed above.

            The connection protocol provides channels that can be used for a wide
            range of purposes. Standard methods are provided for setting up
            secure interactive shell sessions and for forwarding ("tunneling")
            arbitrary TCP/IP ports and X11 connections.

      Encryption is handled by the lowest layer of SSH, SSH-TRANS - the secure transport layer, which in turn is typically implemented directly on TCP. No SSL or TLS involved.

      The highest layer, SSH-CONNECT, is used for whatever kind of connection you want from SSH. This can be a command line, or you could remotely use graphical applications through X forwarding, or you could forward ports or tunnel pretty much any TCP stream.
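
Added example, not part of the thread or of any project mentioned in it: a Python sketch of what the RFC 4253 transport layer described in the comment above puts on a TCP connection first (a plain-text identification line, then an unencrypted SSH_MSG_KEXINIT carrying the offered algorithm lists), next to the record header a TLS peer would send instead. The sample bytes, the `ExampleSSH_1.0` software version and all helper names are constructed for illustration.

```python
import struct

SSH_MSG_KEXINIT = 20
# The ten name-lists of SSH_MSG_KEXINIT, in wire order (RFC 4253 section 7.1).
KEXINIT_FIELDS = (
    "kex_algorithms", "server_host_key_algorithms",
    "encryption_algorithms_client_to_server", "encryption_algorithms_server_to_client",
    "mac_algorithms_client_to_server", "mac_algorithms_server_to_client",
    "compression_algorithms_client_to_server", "compression_algorithms_server_to_client",
    "languages_client_to_server", "languages_server_to_client",
)

def classify_first_bytes(data):
    """Return 'ssh', 'tls' or 'unknown' for the first bytes a peer sends.
    (A server that sends free-text lines before its SSH- line reads as 'unknown' here.)"""
    if data.startswith(b"SSH-"):
        return "ssh"                      # RFC 4253 section 4.2 identification string
    # TLS record header: type 0x16 (handshake), version 0x03 0x00..0x04, 2-byte length.
    if len(data) >= 5 and data[0] == 0x16 and data[1] == 0x03 and data[2] <= 0x04:
        return "tls"
    return "unknown"

def parse_identification(data):
    """Return (protoversion, softwareversion, remaining bytes after the SSH- line)."""
    pos = 0
    while True:
        end = data.find(b"\n", pos)
        if end < 0:
            raise ValueError("no SSH identification line found")
        line = data[pos:end].rstrip(b"\r")
        pos = end + 1
        if line.startswith(b"SSH-"):      # earlier lines are allowed and skipped
            break
    parts = line.decode("ascii").split(" ", 1)[0].split("-", 2)
    if len(parts) != 3:
        raise ValueError("malformed identification line")
    return parts[1], parts[2], data[pos:]

def parse_kexinit(packet):
    """Parse one unencrypted binary packet (RFC 4253 section 6) holding a KEXINIT."""
    if len(packet) < 5:
        raise ValueError("short packet")
    packet_length, padding_length = struct.unpack(">IB", packet[:5])
    payload_len = packet_length - padding_length - 1
    if payload_len < 17 or 4 + packet_length > len(packet):
        raise ValueError("inconsistent packet lengths")
    payload = packet[5:5 + payload_len]
    if payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not an SSH_MSG_KEXINIT payload")
    result = {"cookie": payload[1:17]}
    offset = 17
    for field in KEXINIT_FIELDS:
        if offset + 4 > len(payload):
            raise ValueError("truncated name-list length")
        (n,) = struct.unpack(">I", payload[offset:offset + 4])
        offset += 4
        if offset + n > len(payload):
            raise ValueError("truncated name-list")
        names = payload[offset:offset + n].decode("ascii")
        result[field] = names.split(",") if names else []
        offset += n
    if offset + 5 > len(payload):         # boolean + uint32 reserved must follow
        raise ValueError("truncated KEXINIT trailer")
    result["first_kex_packet_follows"] = payload[offset] != 0
    return result

def build_kexinit(lists):
    """Build a KEXINIT packet for the constructed sample (zero cookie, zero padding)."""
    payload = bytes([SSH_MSG_KEXINIT]) + bytes(16)
    for field in KEXINIT_FIELDS:
        names = ",".join(lists.get(field, [])).encode("ascii")
        payload += struct.pack(">I", len(names)) + names
    payload += b"\x00" + struct.pack(">I", 0)
    pad = 8 - (len(payload) + 5) % 8      # whole packet is a multiple of 8 bytes
    if pad < 4:                           # and carries at least 4 bytes of padding
        pad += 8
    return struct.pack(">IB", len(payload) + 1 + pad, pad) + payload + bytes(pad)

# Constructed sample offer; not a capture from any real server.
SAMPLE_CIPHERS = ["aes128-ctr", "aes256-ctr", "chacha20-poly1305@openssh.com"]
SAMPLE_LISTS = {
    "kex_algorithms": ["curve25519-sha256@libssh.org"],
    "server_host_key_algorithms": ["ssh-ed25519", "ssh-rsa"],
    "encryption_algorithms_client_to_server": SAMPLE_CIPHERS,
    "encryption_algorithms_server_to_client": SAMPLE_CIPHERS,
    "mac_algorithms_client_to_server": ["hmac-sha2-256", "hmac-sha2-512"],
    "mac_algorithms_server_to_client": ["hmac-sha2-256", "hmac-sha2-512"],
    "compression_algorithms_client_to_server": ["none"],
    "compression_algorithms_server_to_client": ["none"],
}

def sample_stream():
    """Constructed first flight of an SSH server: identification line + KEXINIT."""
    return b"SSH-2.0-ExampleSSH_1.0\r\n" + build_kexinit(SAMPLE_LISTS)

if __name__ == "__main__":
    stream = sample_stream()
    print(classify_first_bytes(stream))
    proto, software, rest = parse_identification(stream)
    print(proto, software)
    for name, value in parse_kexinit(rest).items():
        print(name, value)
```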

    43. Re:Err... have we not learned? by Bert64 · · Score: 1

      You can show an auditor that every box *thinks* its patched...
      But try scanning the boxes using nessus with admin creds, which will actually log in to all the boxes and check the individual files installed by patches rather than looking at the list of "installed" patches...
      You will OFTEN have systems where a patch is registered as installed, but actually isn't.

      --
      http://spamdecoy.net - free throwaway anonymous email - avoid spam!
    44. Re: Err... have we not learned? by Anonymous Coward · · Score: 0

      I was referring to the OpenSSL library. It implements many crypto algorithms. It's not unusual to use the OpenSSL library for these functions even if you don't need the TLS implementation. Eg package signing, etc.

    45. Re: Err... have we not learned? by syn3rg · · Score: 1
      --
      The contents of this message have been doubly encrypted by ROT13
  3. putty by jmccue · · Score: 2

    Windows 10 that may just see the retirement of Putty

    I do not see that happening, most people I know who need to access UN*X systems via windows uses putty and hardly ever opens up a "DOS Box (? not sure what it is called now). Anyway putty is a nice tool for people who likes GUI type applications so it will still be around.

    BTW, I tried to get a few of them to go to Linux (work allows one to use Linux), but without luck.

    1. Re:putty by Anonymous Coward · · Score: 0

      How does one run putty if not from the command line?

    2. Re: putty by Zero__Kelvin · · Score: 1

      One double clicks on the PuTTY icon.

      --
      Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
    3. Re: putty by Anonymous Coward · · Score: 0

      Runs in a window on my desktop.

    4. Re:putty by TheRealMindChild · · Score: 2

      not sure what it is called now

      Command prompt

      --

      "When life gives you lemons, don't make lemonade. Make life take the lemons back!" -- Cave Johnson
    5. Re:putty by thegarbz · · Score: 0

      I do not see that happening, most people I know who need to access UN*X systems via windows use putty and hardly ever open up a "DOS Box

      Not entirely sure what a DOS Box has to do with it given both putty and openssh can most easily be run by start > run > "putty -s 192.blahblahblah". Now you just write ssh instead!

      Also I'm sick of putty. It has so many problems with ncurses. There are no valid settings that make it work properly with a variety of software. If midnight commander renders correctly you know nmon won't, and vice versa as just one example.

      Personally when I want to access a Linux box from Windows 10, I start the command with start > run > 'bash -c "ssh 192.blahblahblah"'

    6. Re:putty by Antique+Geekmeister · · Score: 1

      One installs "MRemoteNG", a very useful tab-based GUI for putty. I recommend it to all my Windows using colleagues who need SSH management. It's available at https://mremoteng.org/

    7. Re:putty by Dr.Dubious+DDQ · · Score: 2

      Windows 10 that may just see the retirement of Putty

      [...]a "DOS Box (? not sure what it is called now).[...]

      In my experience, for masses of low-end Windows admins, it's called a "command prompt" (or "DOS Prompt" if the admin is old), and refers to that black-square icon you "run as administrator" in order to paste in the magic incomprehensible line of text that some website says fixes the problem you're trying to fix.

      For more skilled Windows admins, it's a "powershell session", which, to be fair, also often is "that blue-square icon you 'run as administrator' in order to paste in the magic incomprehensible line of text that some website says fixes the problem you're trying to fix", but at this level there's at least a chance that the admin in question understands what the line of text is supposed to do...

    8. Re:putty by Anonymous Coward · · Score: 0

      You might want to try 'mobaxterm' instead.

    9. Re: putty by Anonymous Coward · · Score: 0

      There's an Icon?

    10. Re:putty by kriston · · Score: 1

      I don't agree with the silly "retirement of PuTTY" sentiment in this article. Everyone knows that the console prompt won't meet the needs of even the most casual remote shell users.

      The big news is that, in the future, there will be an officially-supported and NATIVE implementation of OpenSSH using the native Microsoft Windows crypto library instead of OpenSSL on the Windows platform.

      That's worth the cost of admission, if you ask me.

      --

      Kriston

    11. Re: putty by Zero__Kelvin · · Score: 1

      Yes. You should select the option to place one on the Desktop next time you install it.

      --
      Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
    12. Re: putty by Anonymous Coward · · Score: 0

      There's an installer?

    13. Re:putty by AmiMoJo · · Score: 1

      It's called the console, and it changed a lot in Windows 10, breaking many apps.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    14. Re:putty by squiggleslash · · Score: 1

      Windows 10 has both an officially supported Ubuntu bolt-on and, of course, the availability of Cygwin and MINGW. Putty is really only necessary if you don't have a *ix subsystem like one of those three installed, and I find it surprising so few Slashdotters actually want a *ix subsystem in Windows.

      Cygwin was always a life saver for me, though I've always hated its package management system. The Ubuntu subsystem is great.

      --
      You are not alone. This is not normal. None of this is normal.
  4. How long until Windows has become Linux? by Anonymous Coward · · Score: 1

    Or BSD, of course.

    Given an exponential curve, it can only be a few years now.

    A crippled version without all the meaningful things that the average complete retard doesn't care about (because he's a retard), like freedom, open source, individual choice, and of course compatibility with what they originally embraced.

    Because nobody has told them that they aren't the all-powerful monopolist anymore, and so ... gotta still reach for step 2 and 3: extend, and extinguish.

  5. "doesn't use the OpenSSL library." by Chris+Mattern · · Score: 3, Insightful

    Then how is it "OpenSSH"? If it isn't using the Open code, it's just SSH, right?

    1. Re:"doesn't use the OpenSSL library." by Anonymous Coward · · Score: 0

      No, it is a hunk of shit that is not suitable for any purpose.

    2. Re:"doesn't use the OpenSSL library." by ebob9 · · Score: 1

      Isn't it based off of this?
      PowerShell/Win32-OpenSSH

    3. Re: "doesn't use the OpenSSL library." by Zero__Kelvin · · Score: 2

      OpenSSH hasn't required OpenSSL since 2014. Of course that doesn't mean it is a good idea to just use any old SSL lib, and Microsoft has a long history of being unable to do encryption right going back at least to LANMAN incompetence, so you would be an incompetent fool to trust this implementation.

      --
      Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
    4. Re:"doesn't use the OpenSSL library." by Barefoot+Monkey · · Score: 3, Informative

      OpenSSL and OpenSSH are not really related. Neither is OpenGL, for that matter. They are different projects maintained by different people, and just happen to all have "Open" in their names. It is possible for OpenSSH to use OpenSSL for some cryptographic functions, but not necessary (at least not anymore - once upon a time OpenSSL was a dependency).

      OpenSSH is the OpenBSD project's implementation of an SSH client, server and related utilities. If Microsoft is calling it "OpenSSH" then they must be using a port of OpenBSD's programs instead of creating their own. (In fact, Microsoft promised to port OpenSSH to Windows back in June 2015).

    5. Re:"doesn't use the OpenSSL library." by xtronics · · Score: 1, Troll

      Most likely using alternate libs written by a three-letter-agency - I assume M$ gets paid large amounts to do such things.

      So I would consider M$ version of "openSSH" to be similar to 'secure-boot' - names intended to mislead the general public.

    6. Re:"doesn't use the OpenSSL library." by Anonymous Coward · · Score: 0

      Not even close, Microsoft and SS*KABOOM*
      See! they do NOT go together. EVER!

    7. Re:"doesn't use the OpenSSL library." by jabuzz · · Score: 1

      No, almost certainly using the Windows platform cryptography libraries, which is the sane thing to do on a Windows platform. It's also the stated goal from back in 2015 when Microsoft announced the plan to port OpenSSH to Windows had been approved since Ballmer had left and was no longer able to veto it.

  6. Who cares about choice anyway? by Anonymous Coward · · Score: 0

    Life's too busy to think about what you want all the time. I don't care that I can't actually make anything on or program my iPhone X. My job is hard enough. I don't want to think in the little time that I have a choice for myself between 10pm and 1am.

  7. The same way TransactSQL is transactional. by Anonymous Coward · · Score: 0

    So you are fooled into thinking normal SQL isn't, and/or the MS thing is the real deal.

    For the same reason that their media player is just called "media player".

    That reason: EEE.

  8. That's a big gap in time by Gabest · · Score: 1

    Between removing Telnet and adding SSH.

    1. Re:That's a big gap in time by thegarbz · · Score: 1

      There's no gap at all. You can install telnet on Windows 10 exactly the same way as you would install this SSH client or server.

      Microsoft didn't remove telnet, they just made it optional.

    2. Re: That's a big gap in time by Anonymous Coward · · Score: 0

      Telnet hasn't been removed. You just have to enable it. I think that's great, because it's the easiest way to test whether a tcp port is open.

    3. Re:That's a big gap in time by kriston · · Score: 1

      That's right. Most of us install the telnet client by habit when installing Windows.

      Now we can install a native SSH client. If we want, we can install an SSH server, too.

      --

      Kriston

    4. Re:That's a big gap in time by omnichad · · Score: 1

      Microsoft didn't remove telnet, they just made it optional.

      Which makes it completely useless for remote TCP troubleshooting - which is all I ever really used it for. If some random computer is going to have to load the Add/Remove Windows Components screen and take upwards of 5 minutes, it's no longer the quick and dirty tool it once was.

    5. Re:That's a big gap in time by Anonymous Coward · · Score: 0

      That's microsoft for you - randomly changing stuff for no particular reason. Don't like that? Go with linux where you don't have to change anything from year to year - unless you want to.

    6. Re:That's a big gap in time by thegarbz · · Score: 1

      Your inability to not install suitable software on a remote computer before you run into trouble is not Microsoft's concern.

      Your inability to continue not doing so since this version of SSH is delivered in the same way as the current telnet is (please try and follow the conversation rather than angry-ranting) still is not Microsoft's concern.

    7. Re:That's a big gap in time by omnichad · · Score: 1

      Your inability to not install suitable software on a remote computer before you run into trouble is not Microsoft's concern.

      I frequently do remote support for people I've never had contact with before. Being Hiding a 129KB .exe with likely no dependencies is not really going to fix Microsoft's bloat problem.

      The good news is that I have found a very fast way to install it
      pkgmgr /iu:"TelnetClient"

  9. OpenNSAbackoor? by Anonymous Coward · · Score: 1

    No thanks.

    Where's the source?

    Thought so.

  10. CPU intensive? by thegarbz · · Score: 1

    If your limiting factor is CPU in your OpenSSH sessions you're doing something very VERY wrong.

    1. Re:CPU intensive? by Anonymous Coward · · Score: 0

      Or you're moving a lot of data and your CPU can't keep up with the encryption. Just saying.

    2. Re:CPU intensive? by kriston · · Score: 1

      Hahah, no, I'm not doing anything VERY wrong when I'm using this feature on a device that does not have hardware encryption and also has a weak CPU, like the Windows 10 IoT Core which is targeted at these devices.

      Try again. And don't assume you know what the real-world implementation is.

      --

      Kriston

    3. Re:CPU intensive? by thegarbz · · Score: 1

      I'm impressed. You found something that runs Windows 10 IoT core but has trouble with your SSH session! As for weak CPU you really should qualify that. SSH hasn't been CPU bound for 20+ years, and the weakest of devices currently are faster than they were.

  11. There's several manual steps to getting it working by greenwow · · Score: 2

    https://www.bleepingcomputer.com/news/microsoft/how-to-install-the-built-in-windows-10-openssh-server/

    Are the best instructions I found. Also, you'll have to open port 22 since the installer doesn't open it even if you use Microsoft's own firewall.

    Any idea when this is coming to Server 2016?
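
An added example, not part of the comment above and not Microsoft's or the linked article's script: the install, service and firewall steps in one PowerShell run, with port 22 opened only to a management subnet instead of to every address. It assumes the service is registered as `sshd`; the subnet and rule name are placeholders.

```powershell
#Requires -RunAsAdministrator
# Added example: enable the optional OpenSSH server feature and open TCP 22
# only to a management subnet. Values marked "assumption" are not from the thread.

$MgmtSubnet = '192.0.2.0/24'            # assumption: placeholder management range
$RuleName   = 'OpenSSH-Server-Mgmt-In'  # assumption: hypothetical rule name

# 1. Find the optional feature by name rather than hard-coding its version suffix.
$cap = Get-WindowsCapability -Online | Where-Object Name -like 'OpenSSH.Server*'
if (-not $cap) { throw 'The OpenSSH server capability is not offered on this build.' }
if ($cap.State -ne 'Installed') {
    Add-WindowsCapability -Online -Name $cap.Name | Out-Null
}

# 2. Start the service and make it start at boot.
#    Assumption: the service is registered under the name "sshd".
Set-Service -Name sshd -StartupType Automatic
if ((Get-Service -Name sshd).Status -ne 'Running') { Start-Service -Name sshd }

# 3. Warn about any enabled inbound allow rule that already exposes port 22
#    to every remote address (rules that use port ranges are not matched here).
$open = Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
    Where-Object { ($_ | Get-NetFirewallPortFilter).LocalPort -contains '22' }
foreach ($r in $open) {
    $remote = ($r | Get-NetFirewallAddressFilter).RemoteAddress
    if ($remote -contains 'Any') {
        Write-Warning "Rule '$($r.DisplayName)' allows port 22 from any address."
    }
}

# 4. Create a scoped allow rule: TCP 22, management subnet only,
#    and never on the Public network profile.
if (-not (Get-NetFirewallRule -Name $RuleName -ErrorAction SilentlyContinue)) {
    $rule = @{
        Name          = $RuleName
        DisplayName   = 'OpenSSH Server (management subnet only)'
        Direction     = 'Inbound'
        Protocol      = 'TCP'
        LocalPort     = 22
        RemoteAddress = $MgmtSubnet
        Profile       = 'Domain', 'Private'
        Action        = 'Allow'
    }
    New-NetFirewallRule @rule | Out-Null
}

# 5. Verify locally that something is listening on 22 and report the result.
$probe = Test-NetConnection -ComputerName localhost -Port 22 -WarningAction SilentlyContinue
[pscustomobject]@{
    Capability  = $cap.Name
    Service     = (Get-Service -Name sshd).Status
    Listening   = $probe.TcpTestSucceeded
    AllowedFrom = $MgmtSubnet
}
```

`Test-NetConnection -Port` also covers the "is this TCP port open" check for which the thread uses the telnet client, without installing an extra feature.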

  12. It's about as secure as their VPN support etc. by Anonymous Coward · · Score: 0

    e.g. it will suck up all your credentials and forward to Microsoft, and if someone manages to prove this from looking at the compressed and encrypted "telemetry data", they will blame it on an accidental programming error.

  13. Re: Ban bump stocks if you want security by hackwrench · · Score: 0

    Every time you push a ban on bump stocks, God creates a mass shooter.

  14. Expect from MS a by Anonymous Coward · · Score: 0

    OpenSpyServerHellhole

  15. Ubuntu for Windows WSL by Billly+Gates · · Score: 1

    That works much better and bash.exe and doing an apt-get install openssh gives you the full package

    1. Re:Ubuntu for Windows WSL by kriston · · Score: 1

      Not really. That worked well in the past on the Windows Subsystem for Linux model, but this implementation is in native Windows, using native Windows crypto libraries.

      It doesn't involve the WSL model at all.

      That means remote access to PowerShell primitives without bothering with the extra layer of WSL.

      --

      Kriston

  16. first powershell now this by aod7br7932 · · Score: 1

    It took Windows just 10 generations to follow unix!

    1. Re:first powershell now this by Anonymous Coward · · Score: 0

      You mean starting with Xenix?

  17. 3DES? by Anonymous Coward · · Score: 0

    3DES is actually not secure any more, by the way. A successful cryptanalysis has been made for both DES and 3DES.

  18. Re:There's several manual steps to getting it work by Anonymous Coward · · Score: 0

    Is PowerShell or CMD launched?

  19. Will it do ... by kamaaina · · Score: 1

    ssh -X, ssh -R or ssh -L like openssh and putty?

    If it does ssh -X natively without xming or whatever your preferred windows X server I will be impressed.

  20. Mozilla going all spyware and MS doing ssh? Crazy. by Anonymous Coward · · Score: 0

    I'm baffled by the insanity of what's been going on in GNU/Linux and Microsoft land. Both camps are behaving bizarrely. While I still don't trust Microsoft it blows my mind that after all these years they've finally adopted a secure replacement for telnet. At the same time it baffles me that Mozilla has begun bundling spyware with its browser. From Pocket and advertising on the main page to Mr. Robot. There are all sorts of things I have to go in and disable these days. It's no longer the case that I can just do a GNU/Linux install and be up and running in 10 minutes on a reasonably privacy friendly system.

  21. Already deprecated algorithms by twistedcubic · · Score: 4, Insightful

    ....but why wouldn't MSFT include Blowfish, Twofish, CAST, and 3DES?...

    Slashdot article: New SWEET32 Crypto Attacks Speed Up Deprecation of 3DES, Blowfish

    Bruce Schneier, the creator of Blowfish, long ago suggested people stop using it.

    1. Re:Already deprecated algorithms by Anonymous Coward · · Score: 0

      That covers why you shouldn't use Blowfish, and is yet another reason why you shouldn't use 3DES.

      CAST has the problem of being somewhat old and uncommonly used (meaning it hasn't gotten a lot of academic attention.) But it's a 128/256-bit cipher, and AFAIK still regarded as secure; it was the default in gpg for a long time, and it's supported by older versions of openssh. That makes it a good candidate for a fallback algorithm (in case AES is discovered to be less secure than we thought, and there's a need - as there always is - to continue interoperating with older servers/clients.)

      Twofish is a 128-bit cipher and an AES finalist, and very well regarded.

    2. Re:Already deprecated algorithms by kriston · · Score: 1

      Thanks, I posted this without enough comment to avoid baiting this kind of comment.

      Congratulations, you've taken the bait. He didn't really discourage its use, just that he was surprised that so many people still used it.

      --

      Kriston

    3. Re:Already deprecated algorithms by Anonymous Coward · · Score: 0

      ok that explains Blowfish, now explain the ignorance of suggesting 3DES should be included?

    4. Re:Already deprecated algorithms by Anonymous Coward · · Score: 0

      Right he didn't "discourage" its use. He just said you should use twofish instead. Dumbass.

  22. Re: Ban bump stocks if you want security by Anonymous Coward · · Score: 0

    I'm no expert at anything, but I know that's a fact.

    Sorry I just had to ;)

  23. OpenSSH for Windows by fahrbot-bot · · Score: 1
    --
    It must have been something you assimilated. . . .
  24. Compromised or not? by Anonymous Coward · · Score: 0

    It is interesting that they left out so many commonly supported algorithms. It could be that they consider every addition to be another risk for a mistake. Or,

    Microsoft is big enough to be "in the know" as to which algorithms have been broken and which will be broken. So, the question is, did they include only compromised algorithms or exclude the compromised algorithms. I can imagine business and other reasons for both.

  25. Re: Ban bump stocks if you want security by Anonymous Coward · · Score: 0

    Every time you push a ban on stump cocks, God creates an ass shooter.

  26. A whacko loon's impersonating me by Anonymous Coward · · Score: 0

    See subject: To whom it may concern - the freak I'm replying to has some dumb scheme in impersonating me folks - ignore him.

    APK

    P.S.=> You're a whackjob freak - no questions asked - this has to be the 10th time you've impersonated me this week alone! apk

    1. Re:A whacko loon's impersonating me by Anonymous Coward · · Score: 0

      Or maybe you're the impersonator.

  27. No Such Option by Anonymous Coward · · Score: 0

    I have no such option in Windows 10. Do they mean the Preview Alpha Version without saying so?

    Note that the preview alpha version is NOT windows 10. It is the preview alpha version.

  28. I make a SFTP Server... by mcolgin · · Score: 1

    Interesting. I make a SFTP Server for Windows, actually the first release was this month. While my classic ftp stuff is still going strong, despite IIS being out for decades. I wonder if their implementation will be complete and what kind of niche space will still be avail. I'm a little worried about MS releasing something that crushes my effort, but in the past, they kind of derp out on these efforts. While the Windows Linux Subsystem is certainly cool, it's also quite crippled and feels quite isolated on the system. Microsoft SSH server installs as a Windows System Service called "SshBroker" and "SshProxy"... you can check your system with "sc query | grep -i ssh" and then the subsequent detail query "sc query sshbroker". I had no idea it was running, until one day I mistyped and typed "ssh devhost" vs "sftp devhost" and it logged in a shell. Was hoping to run console mode programs from it, like my beloved Semware Editor, but no dice. You can execute programs like "explorer" from the command line, there are no errors, but they don't seem to spawn on taskmgr. Looking forward to finding out more about what you can do in Microsoft's SSH Server, my guess is "powershell" and command-line programs (gnu utils work great).

    --
    I made this: http://www.bpftpserver.com
  29. Re:Ban bump stocks if you want security by Anonymous Coward · · Score: 0

    And all that in FAST kernel mode!

  30. Did it just to add a telemetry point by Anonymous Coward · · Score: 0

    That's it.

  31. No, you're impersonating me by Anonymous Coward · · Score: 0

    Only if you had a way to prove your identity... Like a GPG signature that you've used since days of yore on all your messages...

    APK

    P.S.=> this must be driving you crazier than your usual level

  32. what year is this? Have then been forcing by Anonymous Coward · · Score: 0

    How have users of Windows been remotely logging into the system all these years? Please don't tell me through RDP or some other full blown GUI interface.

  33. Version 0.0.1.0 ?! by Anonymous Coward · · Score: 0

    They "released" version 0.0.1.0 (October 2016) when they're up to version 0.0.23.0 with a lot more bells and whistles.

  34. Just wanted to say... by 101percent · · Score: 1

    The slashdot community has so much bickering in this thread, it's no wonder we still haven't gotten a handle on security. Hardly anyone understands this stuff.