Slashdot Mirror


Microsoft Releases a Preview of OpenSSH Client and Server For Windows 10 (servethehome.com)

kriston (Slashdot user #7,886) writes: Microsoft released a preview of the OpenSSH server and client for Windows 10. Go to Settings, Apps & Features, and click "Manage optional features" to install them. The software only supports AES-CTR and chacha20 ciphers and supports a tiny subset of keys and KEXs, but, on the other hand, a decent set of MACs.

It also says that it doesn't use the OpenSSL library. That's the really big news, here. I understand leaving out arcfour/RC4 and IDEA, but why wouldn't MSFT include Blowfish, Twofish, CAST, and 3DES? At least they chose the CTR versions of these ciphers. (Blowfish isn't compromised in any practical way, by the way). I prefer faster and less memory- and CPU-intensive ciphers.

Still, it's a good start. The SSH server is compelling enough to check out especially since I just started using X2GO for remote desktop access which requires an SSH server for its file sharing feature.

21 of 144 comments

  1. We've already got PuTTY by Anonymous Coward · Score: 2, Insightful

    It works well, it's been field proven for decades and it doesn't "call home" to Redmond.

    1. Re:We've already got PuTTY by OffTheLip · Score: 2

      PuTTY only provides half of an SSH solution; you still need a server. Hopefully the Microsoft OpenSSH server will accept clients other than theirs.

    2. Re:We've already got PuTTY by Antique Geekmeister · Score: 4, Informative

      Cygwin provides an SSH server, with current OpenSSH releases and a more powerful bash-based local working environment. It does require additional non-Microsoft-published binaries, and it has had issues operating with various anti-virus software packages. I admit that I'm very, very curious what shell and what capability for chroot sftp access may be available with the new Microsoft-published server.

      Activating that feature could be very helpful for people who wish to upload to, or download from, an already publicly exposed Windows server more safely.

    3. Re:We've already got PuTTY by Anonymous Coward · Score: 2, Informative

      We're engineers, we don't want or need that cute CSS/animated JS eye candy.

    4. Re:We've already got PuTTY by greenwow · Score: 2

      The fork KiTTY is a little better:

      http://www.9bis.net/kitty/

      It stores its config in files so you can easily copy them to another machine or track them with Git. It still has the same bizarre starting interface to open and edit sessions and lacks a find feature.

    5. Re:We've already got PuTTY by Dr.Dubious DDQ · Score: 4, Informative

      "Hopefully the Microsoft OpenSSH server will accept clients other than theirs."

      It does - or at least it did last time I tried it.

      This project appears to be the Powershell team doing an honest port of the "Portable OpenSSH" code to native Windows, apparently including legitimate efforts to upstream the port to the main "Portable OpenSSH" project, and it seems (or at least seemed) to be as compatible as one would expect.

      When I last tried it, the only issue I ran into was oddities in the terminal emulation, due to Microsoft's shell environment being "special" (things like backspace/del behaving oddly etc.), but it otherwise seemed to work just the same as OpenSSH on my Linux boxen. It's probably been nearly a year since I tried to seriously play with it, so I imagine a lot of improvements have taken place since then.

      One nice thing about this project is that there seem to be rumors that "Powershell remoting" will eventually use SSH as its authentication and transport mechanism, which is a major hole in the current port of Powershell to non-Windows platforms. (You *can* do "powershell remoting" from e.g. Linux to Windows, but *only* if you substantially downgrade the security on the Windows side to allow it, because apparently it currently depends on one of the many special "Windows-only" features in powershell to do otherwise. Switching to SSH for this would fix that problem.)

    6. Re:We've already got PuTTY by Hal_Porter · Score: 4, Funny

      PuTTY does ANSI terminal emulation. So you can watch Star Wars by Telnet in color!

      telnet towel.blinkenlights.nl

      If everyone watched movies in the efficient open standard Telnet instead of the bloated and patent encumbered H.264 we'd save 52 Gigatonnes of CO2 per year.

      --
      echo -e 'global _start\n _start:\n mov eax, 2\n int 80h\n jmp _start' > a.asm; nasm a.asm -f elf; ld a.o -o a;

  2. Err... have we not learned? by Anonymous Coward · Score: 3, Insightful

    After Windows 10 turned out to be one OS-sized piece of spyware, why would any sane person use it for anything?

    Time to kick that shit to the curb.

    Anyways Linux and BSD both have much better SSH support, without the malware coming bundled with win10.

    1. Re: Err... have we not learned? by Zero__Kelvin · Score: 2

      I'm assuming this is an argument for using Linux, where OpenSSH server and client work out of the box and have been thoroughly tested by millions? Of course you wouldn't need or use SSH unless you were doing CLI, so it's pretty obvious that you are a clueless troll.

      --
      Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun

    2. Re: Err... have we not learned? by Zero__Kelvin · Score: 2

      You should probably read the summary, which talks about the protocols the Microsoft version does and doesn't support. You should probably get a basic level of education on why open*SSL* was required by OpenSSH until 2014.

      --
      Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun

    3. Re: Err... have we not learned? by Barefoot Monkey · Score: 2

      You should probably read the summary, which talks about the protocols the Microsoft version does and doesn't support.

      Those are cyphers.

      You should probably get a basic level of education on why open*SSL* was required by OpenSSH until 2014.

      OpenSSL has many components, including libssl (which provides SSL support for applications), libcrypto (providing a number of cryptographic functions) and some tools for working with certificates. OpenSSH's dependency on OpenSSL was because it used libcrypto for cyphers.

    4. Re: Err... have we not learned? by Barefoot Monkey · Score: 2

    5. Re: Err... have we not learned? by Barefoot Monkey · Score: 2

      Click on the link. The title is "The Secure Shell (SSH) Transport Layer Protocol". That is the name of the secure transport layer that SSH uses. SSH uses SSH-TRANS as a transport layer, and doesn't use SSL or TLS for anything. You asked for the specs for the SSH encryption mechanism, and you got them, so don't complain.

      Here's another link: RFC 4251 - The Secure Shell (SSH) Protocol Architecture. That explains how the various parts of SSH work together. Here's an excerpt:

      1. Introduction

            Secure Shell (SSH) is a protocol for secure remote login and other
            secure network services over an insecure network. It consists of
            three major components:

              - The Transport Layer Protocol [SSH-TRANS] provides server
                  authentication, confidentiality, and integrity. It may optionally
                  also provide compression. The transport layer will typically be
                  run over a TCP/IP connection, but might also be used on top of any
                  other reliable data stream.

              - The User Authentication Protocol [SSH-USERAUTH] authenticates the
                  client-side user to the server. It runs over the transport layer
                  protocol.

              - The Connection Protocol [SSH-CONNECT] multiplexes the encrypted
                  tunnel into several logical channels. It runs over the user
                  authentication protocol.

            The client sends a service request once a secure transport layer
            connection has been established. A second service request is sent
            after user authentication is complete. This allows new protocols to
            be defined and coexist with the protocols listed above.

            The connection protocol provides channels that can be used for a wide
            range of purposes. Standard methods are provided for setting up
            secure interactive shell sessions and for forwarding ("tunneling")
            arbitrary TCP/IP ports and X11 connections.

      Encryption is handled by the lowest layer of SSH, SSH-TRANS - the secure transport layer, which in turn is typically implemented directly on TCP. No SSL or TLS involved.

      The highest layer, SSH-CONNECT, is used for whatever kind of connection you want from SSH. This can be a command line, or you could remotely use graphical applications through X forwarding, or you could forward ports or tunnel pretty much any TCP stream.
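
The layering quoted above puts algorithm selection in SSH-TRANS, and the summary's complaint about the preview's short cipher list only matters at that step. The following is an added example, not code from the original post or from Microsoft's port: it builds a constructed SSH_MSG_KEXINIT payload (RFC 4253 section 7.1), parses it back from the wire encoding, and applies the negotiation rule ("first algorithm on the client's list that the server also lists") to a modern client and to a legacy CBC/Blowfish-only client. Every algorithm list below is an assumption chosen to match the summary's description (AES-CTR and chacha20 ciphers only); none is copied from the product, and the host-key compatibility part of the kex rule is left out.

```powershell
# Added example, not part of the original post or of Microsoft's OpenSSH port.
# Constructs an SSH_MSG_KEXINIT, parses it, and runs RFC 4253 7.1 negotiation.
# All algorithm lists are assumed, not taken from any real server.

$script:KexFields = 'kex', 'hostkey', 'enc_c2s', 'enc_s2c', 'mac_c2s', 'mac_s2c',
                    'comp_c2s', 'comp_s2c', 'lang_c2s', 'lang_s2c'

function ConvertTo-SshNameList {
    # RFC 4251 name-list: uint32 big-endian length, then comma-separated ASCII names
    param([string[]]$Names)
    $body = [System.Text.Encoding]::ASCII.GetBytes(($Names -join ','))
    $len  = [BitConverter]::GetBytes([uint32]$body.Length)
    if ([BitConverter]::IsLittleEndian) { [array]::Reverse($len) }
    return ,[byte[]]($len + $body)
}

function New-KexInitPayload {
    param([hashtable]$Algs)
    $p = [System.Collections.Generic.List[byte]]::new()
    $p.Add([byte]20)                                  # SSH_MSG_KEXINIT
    $p.AddRange([byte[]]::new(16))                    # cookie: random on the wire, zeros here
    foreach ($f in $script:KexFields) {
        $p.AddRange([byte[]](ConvertTo-SshNameList -Names $Algs[$f]))
    }
    $p.Add([byte]0)                                   # first_kex_packet_follows = FALSE
    $p.AddRange([byte[]](0, 0, 0, 0))                 # reserved uint32, always 0
    return ,$p.ToArray()
}

function Read-KexInitPayload {
    param([byte[]]$Bytes)
    if ($Bytes[0] -ne 20) { throw "not SSH_MSG_KEXINIT (message type $($Bytes[0]))" }
    $pos = 1 + 16                                     # skip message type and cookie
    $out = @{}
    foreach ($f in $script:KexFields) {
        [byte[]]$lenBytes = $Bytes[$pos..($pos + 3)]
        if ([BitConverter]::IsLittleEndian) { [array]::Reverse($lenBytes) }
        $len = [int][BitConverter]::ToUInt32($lenBytes, 0)
        $pos += 4
        $text = if ($len -gt 0) { [System.Text.Encoding]::ASCII.GetString($Bytes, $pos, $len) } else { '' }
        $out[$f] = @($text -split ',' | Where-Object { $_ -ne '' })
        $pos += $len
    }
    $out['first_kex_packet_follows'] = [bool]$Bytes[$pos]
    return $out
}

function Select-SshAlgorithm {
    # RFC 4253 7.1: the first name on the client's list that the server also lists wins
    param([string[]]$Client, [string[]]$Server)
    foreach ($c in $Client) { if ($Server -contains $c) { return $c } }
    return $null
}

function Invoke-SshNegotiation {
    param([hashtable]$Client, [hashtable]$Server)
    $chosen = @{}
    foreach ($f in 'kex', 'hostkey', 'enc_c2s', 'enc_s2c', 'mac_c2s', 'mac_s2c', 'comp_c2s', 'comp_s2c') {
        $pick = Select-SshAlgorithm -Client $Client[$f] -Server $Server[$f]
        if ($null -eq $pick) {
            # ssh/sshd disconnect at this point with "Unable to negotiate ...: no matching <kind> found"
            throw "no matching $f found; client offered: $($Client[$f] -join ',')"
        }
        $chosen[$f] = $pick
    }
    return $chosen
}

# Constructed server offer standing in for the preview: AES-CTR and chacha20 ciphers only
$ctrOnly = 'chacha20-poly1305@openssh.com', 'aes128-ctr', 'aes192-ctr', 'aes256-ctr'
$macs    = 'hmac-sha2-256-etm@openssh.com', 'hmac-sha2-512-etm@openssh.com', 'hmac-sha2-256', 'hmac-sha2-512', 'hmac-sha1'
$server  = @{
    kex      = 'curve25519-sha256@libssh.org', 'ecdh-sha2-nistp256', 'diffie-hellman-group14-sha1'
    hostkey  = 'ssh-ed25519', 'ecdsa-sha2-nistp256', 'ssh-rsa'
    enc_c2s  = $ctrOnly; enc_s2c = $ctrOnly; mac_c2s = $macs; mac_s2c = $macs
    comp_c2s = 'none', 'zlib@openssh.com'; comp_s2c = 'none', 'zlib@openssh.com'
    lang_c2s = @(); lang_s2c = @()
}
$parsedServer = Read-KexInitPayload -Bytes (New-KexInitPayload -Algs $server)

# Modern client: shares the CTR/chacha20 family, and its own preference order wins
$modern = $server.Clone()
$modernCiphers = 'aes256-ctr', 'chacha20-poly1305@openssh.com', 'aes128-cbc'
$modern['enc_c2s'] = $modernCiphers; $modern['enc_s2c'] = $modernCiphers
Invoke-SshNegotiation -Client $modern -Server $parsedServer      # enc_c2s/enc_s2c: aes256-ctr

# Legacy client: CBC and Blowfish only, nothing in common, connection refused at KEXINIT
$legacy = $server.Clone()
$cbcOnly = 'blowfish-cbc', '3des-cbc', 'aes128-cbc'
$legacy['enc_c2s'] = $cbcOnly; $legacy['enc_s2c'] = $cbcOnly
try { Invoke-SshNegotiation -Client $legacy -Server $parsedServer }
catch { "negotiation failed: $_" }
```

The round trip through New-KexInitPayload and Read-KexInitPayload is there to show that the lists are plain length-prefixed ASCII; the selection itself is a one-line rule. Against a real server, `ssh -vv host` prints both sides' KEXINIT lists and the chosen algorithms, and `ssh -Q cipher` on the Windows preview is the quickest way to see exactly which names its client and server offer.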

  3. putty by jmccue · Score: 2

    Windows 10 that may just see the retirement of Putty

    I do not see that happening; most people I know who need to access UN*X systems via Windows use putty and hardly ever open up a "DOS Box" (not sure what it is called now). Anyway putty is a nice tool for people who like GUI-type applications so it will still be around.

    BTW, I tried to get a few of them to go to Linux (work allows one to use Linux), but without luck.

    1. Re:putty by TheRealMindChild · Score: 2

      not sure what it is called now

      Command prompt

      --

      "When life gives you lemons, don't make lemonade. Make life take the lemons back!" -- Cave Johnson

    2. Re:putty by Dr.Dubious DDQ · Score: 2

      Windows 10 that may just see the retirement of Putty

      [...]a "DOS Box (? not sure what it is called now).[...]

      In my experience, for masses of low-end Windows admins, it's called a "command prompt" (or "DOS Prompt" if the admin is old), and refers to that black-square icon you "run as administrator" in order to paste in the magic incomprehensible line of text that some website says fixes the problem you're trying to fix.

      For more skilled Windows admins, it's a "powershell session", which, to be fair, also often is "that blue-square icon you 'run as administrator' in order to paste in the magic incomprehensible line of text that some website says fixes the problem you're trying to fix", but at this level there's at least a chance that the admin in question understands what the line of text is supposed to do...

  4. "doesn't use the OpenSSL library." by Chris Mattern · Score: 3, Insightful

    Then how is it "OpenSSH"? If it isn't using the Open code, it's just SSH, right?

    1. Re: "doesn't use the OpenSSL library." by Zero__Kelvin · Score: 2

      OpenSSH hasn't required OpenSSL since 2014. Of course that doesn't mean it is a good idea to just use any old SSL lib, and Microsoft has a long history of being unable to do encryption right going back at least to LANMAN incompetence, so you would be an incompetent fool to trust this implementation.

      --
      Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun

    2. Re:"doesn't use the OpenSSL library." by Barefoot Monkey · Score: 3, Informative

      OpenSSL and OpenSSH are not really related. Neither is OpenGL, for that matter. They are different projects maintained by different people, and just happen to all have "Open" in their names. It is possible for OpenSSH to use OpenSSL for some cryptographic functions, but not necessary (at least not anymore - once upon a time OpenSSL was a dependency).

      OpenSSH is the OpenBSD project's implementation of an SSH client, server and related utilities. If Microsoft is calling it "OpenSSH" then they must be using a port of OpenBSD's programs instead of creating their own. (In fact, Microsoft promised to port OpenSSH to Windows back in June 2015).

  5. There's several manual steps to getting it working by greenwow · Score: 2

    https://www.bleepingcomputer.com/news/microsoft/how-to-install-the-built-in-windows-10-openssh-server/

    Those are the best instructions I found. Also, you'll have to open port 22 in the firewall yourself, since the installer doesn't open it even if you use Microsoft's own firewall.

    Any idea when this is coming to Server 2016?
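
The manual steps mentioned in this comment (install the optional feature, start the service, open port 22) and the chroot sftp question raised earlier in the thread, collected into one script. This is an added example, not code from the original post, the linked article or Microsoft's port. It assumes an elevated PowerShell on a build that exposes the OpenSSH capabilities under names starting with "OpenSSH", an sshd_config under %ProgramData%\ssh (the location varied between early builds), a local group named sftponly and per-user directories under C:\sftp; the ChrootDirectory step further assumes the port honours that directive, which the commenter above was unsure of.

```powershell
# Added example, not from the original post or from Microsoft's OpenSSH port.
# Capability names, config path, group and directory names are assumptions.
#Requires -RunAsAdministrator

# 1. Install the OpenSSH client/server capabilities this build offers ("Manage optional features")
$caps = Get-WindowsCapability -Online | Where-Object Name -like 'OpenSSH*'
$caps | Select-Object Name, State
$caps | Where-Object State -ne 'Installed' | ForEach-Object {
    Add-WindowsCapability -Online -Name $_.Name
}

# 2. Run sshd now and at every boot
Set-Service -Name sshd -StartupType Automatic
Start-Service -Name sshd

# 3. The installer creates no inbound rule; add one. -Profile keeps it off the Public
#    profile; drop that parameter for a host that must answer from the public network.
if (-not (Get-NetFirewallRule -DisplayName 'OpenSSH Server (sshd)' -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName 'OpenSSH Server (sshd)' -Direction Inbound `
        -Protocol TCP -LocalPort 22 -Action Allow -Profile Domain, Private
}

# 4. Upload-only accounts: members of sftponly get internal-sftp inside a chroot and
#    no shell, TCP forwarding or X11. Assumes the port honours ChrootDirectory; the
#    C:\sftp\<user> directory must exist and be writable only by administrators.
$cfg = Join-Path $env:ProgramData 'ssh\sshd_config'    # assumed location
New-LocalGroup -Name sftponly -Description 'chroot SFTP only' -ErrorAction SilentlyContinue
Add-Content -Path $cfg -Value @"

Match Group sftponly
    ChrootDirectory C:\sftp\%u
    ForceCommand internal-sftp
    AllowTcpForwarding no
    X11Forwarding no
    PermitTTY no
"@
Restart-Service -Name sshd

# 5. What the shipped binaries actually offer; compare with the summary's cipher/KEX complaint
foreach ($q in 'cipher', 'mac', 'kex', 'key') {
    "--- $q ---"
    ssh.exe -Q $q
}

# 6. Loopback check: key exchange completes before authentication is even attempted
ssh.exe -v -o BatchMode=yes localhost exit 2>&1 |
    Select-String 'kex: (server|client)->', 'Unable to negotiate'
```

Step 5 is the quickest answer to the summary's question about which ciphers, MACs and key types the port supports, and step 6 confirms the firewall rule and the negotiated algorithms without needing a second machine: the `kex: server->client` and `kex: client->server` debug lines name what was chosen, and a client whose cipher list has nothing in common with the server's would log `Unable to negotiate` instead.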

  6. Already deprecated algorithms by twistedcubic · Score: 4, Insightful

    ....but why wouldn't MSFT include Blowfish, Twofish, CAST, and 3DES?...

    Slashdot article: New SWEET32 Crypto Attacks Speed Up Deprecation of 3DES, Blowfish

    Bruce Schneier, the creator of Blowfish, long ago suggested people stop using it.