OpenSSH Project Now at openssh.com
Anonymous Coward writes "The OpenSSH project now has a central webpage at www.openssh.com. OpenSSH is based on the last free version of Tatu Ylonen's SSH with all patent-encumbered algorithms removed, all known security bugs fixed, new features reintroduced and many other clean-ups."
I know psst has links to some free SSH implementations. Are these going to merge or what?
Also I have to say that I am quite happy to have a Free (speech) SSH implementation. I feel dirty using the commercial one. But I need the functionality.
Nice page, too. Think they use blowfish, much? :)
I, personally, could care less, but I'd love to see that this stuff can be included in Debian and all the other purist distributions, and contributed to, and stuff. That's the good part.
Besides, the licensing for SSH 2 got worse, I understand, and that's why we have free versions: to protect us from that.
---
pb Reply rather than vaguely moderate me.
pb Reply or e-mail; don't vaguely moderate.
One aspect of OpenSSH that many people should like is that the most recent security hole in ssh-1.2.27 was non-existent in OpenSSH. For that reason alone, OpenSSH might be a better choice -- especially with the lack of developer news concerning ssh1 and ssh2.
-B
ps. Check www.securityfocus.com for the bugtraq archives and mailing list.
IMHO, closed-source doesn't necessarily mean evil. I think the present SSH is great. Admittedly, I'd prefer it if it was OSS, but that's the way it is. I'll continue to use ClosedSSH, just because of all the superior algorithms and stuff ... Just my $0.03 (2c is rounded down to 0). d
-
-
I rather like cows.
Excellent, now we have an open ssh package. No more visiting RedHat's ssh page and filling out those "are you a US citizen" forms before I can securely login to a remote machine.
Seriously, why does the US even bother with cryptographic export laws when many other countries can ship products that contain the same strength encryption as they are trying to keep locked up?
Especially with open source projects involving encryption that are being developed all over the world, this country's policies seem downright pointless.
Or am I missing the point?
Debian has been coerced into renaming the OpenSSH package to SSH. In other words, people who are upgrading their system will have the real SSH transparently removed and replaced with OpenSSH.
There is no warning although the functionalities are not equivalent. The original SSH package has been renamed.
It is my understanding that all this has happened at the bequest of Theo. This is yet another case where POLITICS interferes with the TECHNICAL aspects of Debian.
I recently learned about and began using SSH. Does anyone know of a good Windows SSH2 client that's not commercial that has full strength crypto? Secure CRT seems OK for an American crypto product (honestly I don't want to use American based crypto anything at this point). Is OpenSSH SSH2 compliant?
One aspect of OpenSSH that many people should like is that the most recent security hole in ssh-1.2.27 was non-existent in OpenSSH. For that reason alone, OpenSSH might be a better choice -- especially with the lack of developer news concerning ssh1 and ssh2.
Does that mean that OpenSSH would be more secure? I don't think so. The fact that it didn't have the bug which was in ssh-1.2.27 does not mean that it wouldn't have bugs which don't exist in ssh. The fact that there haven't been so many OpenSSH bugs in public simply means that it isn't as widely used as ssh. Widely used == widely tested.
Repeat after me: There is no bug-free software! (and ssh is actually really good; I can only remember two "public" bugs in it in the last year or so, compare to e.g. browsers..)
On the other hand, it might be possible that OpenSSH would respond faster to security bugs; If it becomes really popular, time will tell.
--
It has to work - rfc1925
I will try to avoid the classic open / closed source arguments here, although they creep in a little bit :-)
I think OpenSSH is very important to everyone. License status aside, it represents an alternative way to use the SSH protocol. Some people may prefer it while others may like the closed source version. But I think more people overall will be using one of the two. This is a good thing. There's still a lot of plaintext authentication on the net, and I'd be happy to see less of it. POP3, FTP, and telnet are all commonly used, for example.
We all know the average user is lazy about passwords. Sniffing one password often compromises many things. Yes, the user is at fault but now the sysadmin can do something about it (namely wrapping the protocol in SSH). With OpenSSH, perhaps more sysadmins will agree with the licensing.
Additionally, I seem to remember reading somewhere that the IETF needs two independent implementations of a protocol before it can progress towards being an official standard. (Someone correct me if I'm wrong - I'm sorry I don't have a link to provide). With that in mind, SSH can get the IETF's blessing before a corporation with its own goals decides to muck with what should be in the standard.
Just my $.02
SEAL
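The "wrapping the protocol in SSH" that the post above describes is what SSH port forwarding does. The fragment below is an added example (not from the post or from the OpenSSH project): a client-side ~/.ssh/config entry that carries a POP3 session through an SSH connection. The host name mail.example.com, the user name alice and the local port 1100 are placeholders; port 110 is the standard POP3 port.

```ssh_config
# ~/.ssh/config (added example; mail.example.com and alice are placeholders)
Host mailhost
    HostName mail.example.com
    User alice
    # Listen on the workstation's loopback port 1100 and carry every connection
    # made to it through the SSH session to port 110 (POP3) on the server side.
    # "localhost" in the destination is resolved on the server, not on the client.
    LocalForward 127.0.0.1:1100 localhost:110
```

With this entry in place, `ssh -N mailhost` opens the connection and holds the tunnel without starting a remote shell, and the mail client is pointed at server 127.0.0.1, port 1100, instead of the POP3 server directly; the same forwarding can be requested on the command line with `ssh -N -L 127.0.0.1:1100:localhost:110 alice@mail.example.com`. Binding the listener to 127.0.0.1 matters: it keeps other machines on the workstation's network from using the tunnel. Only the hop between the workstation and the SSH server is protected; the final leg from the SSH server to the POP3 daemon runs in the clear on that server, which is fine when both live on the same box and not otherwise.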
Sorry I shouldn't have called it open vs. closed source. I meant to emphasize that OpenSSH has a less restrictive license. My error.
SEAL
Excellent, ssh with a less restrictive licensing is a very powerful tool for sysadmins.
At the risk of getting flamed, does anyone know if there is a Windows client program that will work with OpenSSH? All Matter-AntiMatter jokes aside, I like to be able to admin from as many different platforms as possible (flexibility) and currently use TeraTerm's SSH extensions. Is there a free (speech, beer, whatever) 'doze client that will work with OpenSSH?
-- "God, Root, what is difference?" - Pitr, "User Friendly"
Since SSH contains crypto algo, can OpenSSH be used OUTSIDE of the U.S. of A. ?
Muchas Gracias, Señor Edward Snowden !
Well, there is another alternative to OpenSSH called LSH (the GNU implementation of SSH), and they did release the code some months ago. Miguel
I was using ssh for a while. Then I heard of open ssh. Installing openssh was easier (rpm) and so was configuring it. When I got openssh running I got rid of telnet completely.
Originally when I got ssh I got the newest version, 2.x.x, then I realized that it was incompatible as hell. So I had to get the 1.x.x version. openssh just worked. Everyone should use it, there is no reason not to.
It has been statistically shown that helmets increase the risk of head injury.
The OpenBSD project is based in Canada.
The Export Control List of Canada places no significant restriction on the export of cryptographic software, and is even more explicit about the free export of freely-available cryptographic software. Marc Plumb has done some research to test the cryptographic laws.
From http://www.openbsd.org/crypto.html.
Keep in mind OpenSSH is by the same folks that brought you OpenBSD. They don't code sloppy.
\w0zz - OpenBSD - A Better Solution
Oh fuck off. Troll.
Why does Debian not take advantage of /etc/alternatives/? Debian never distributed the SSH package anyway. Why does Debian decide to BREAK the user's system by RENAMING packages? This is bullshit.
Well, yes, it's called rsh, and it's exactly that sort of idiocy that ssh was designed to prevent. Relying on either hostnames or IP addresses for authentication is about the easiest way to get your box rooted by someone that can do elementary spoofing. Don't use it.
that is such a cute logo on the OpenSSH page. Kawaii!!
Can I now just delete my SSH installation(s) and replace them with OpenSSH/Psst/LSH? Will OpenSSH etc work transparently with commercial SSH? What impact does not having support for the patented algos have?
Also can someone compare SSH, OpenSSH, Psst and LSH. What state is each of them at WRT each other?
TIA,
--
Simon.
I really need to pay attention to the world. I missed this little security hole. Ah, well, all patched up now. At least ssh, while not being free in all the good ways, has source code available which is heavily reviewed. I guess that would be Visible Source software. Should I trademark that name, do you think? :-)
It's not a bug, it's a feature...
re psst .. I'm sure any contributions from psst would be welcomed, and I'm sure psst can read the license and note they're welcomed to any code in the OpenSSH tree, but a merger I doubt would occur, considering the different audiences each is addressing.
re sshv2 protocol, it is a freely available spec, and as such, has potential to be implemented in OpenSSH (although has not yet been done). The initial thrust of OpenSSH was to have something equivalent to and compatible with ssh-1.2.x in OpenBSD 2.6, and that has certainly been accomplished. It is certainly not illegal to implement it in a free product; that the commercial 'ssh2' program costs something is the company charging for their programmers, not the protocol.
While the incident with 1.2.27's security bug doesn't necessarily suggest OpenSSH is more secure in general, it does seem interesting to note that in the code cleanup of creating OpenSSH, the bug was accidentally fixed. Hats off to the programmers who have a high enough standard of coding that they accidentally fix bugs.
ClosedSSH has superior algorithms? I implore you to back your statement with facts. Last I checked, the algorithms available in OpenSSH are limited to those in the crypto library, and there may be fewer algorithms in OpenSSH than ClosedSSH because of this, but why include the insecure ones?
Beware of two things. First, I'm not a lawyer. Second, I believe my understanding of the crypto laws suggests if you compile it outside the US, you can use it outside the US; if you compile it inside the US you can't ship it outside the US, and if you use it in the US, you can't use an alternative to RSA's library if you wish to use that particular algorithm, which at this time requires commercial entities to talk to RSA for licenses. I think. Someone maybe should confirm this though.
Read the man page for logging in from a particular IP without a password. Look for .shosts. :-)
Todd Fries
You use the .rhosts and .shosts files in the home directory of the target machine... long time since I set it up, but it is described in the man pages.
Another option is to use ssh-agent, which means that you only need to enter the password once, and can log into all sites you have access to without entering a password.
-- Tov Are Jacobsen
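The two posts above describe .rhosts/.shosts trust and ssh-agent; the earlier warning in this thread that hostname- or IP-based trust is an easy way to get a box rooted applies to the first of those. The fragment below is an added example (not from either post or from the OpenSSH project) of a server-side sshd_config that turns the rhosts-style mechanisms off and leaves public-key authentication, the thing ssh-agent is built for, as the password-free path. The option names are the ones current OpenSSH uses; releases of the era under discussion spelled the rhosts options RhostsAuthentication and RhostsRSAAuthentication, so check `man sshd_config` for the build you run.

```sshd_config
# /etc/ssh/sshd_config fragment (added example; merge with the rest of the file)

# Never let a client's hostname or address stand in for a credential.
HostbasedAuthentication no
# Ignore ~/.rhosts and ~/.shosts even if an account still carries them.
IgnoreRhosts yes

# Keys, not passwords: the client proves possession of the private key, which
# stays on the client (or in ssh-agent) and is never sent over the wire.
PubkeyAuthentication yes
PasswordAuthentication no

# Reduce what a stolen credential buys.
PermitRootLogin no
```

On the client side the agent workflow the second post describes is `eval "$(ssh-agent -s)"` once per session, `ssh-add` to unlock a key into it, and then plain `ssh user@host` for every later login; `ssh-add -l` lists what the agent currently holds. The private key file should be protected with a passphrase even when an agent is used, since the agent only removes the need to type it repeatedly, not the need for it to exist.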
The US government still thinks like a dinosaur mother - not particularly quickly nor effectively, but with concern for its eggs. It's just those damned mammals underfoot "what causes unrest". The US has always thought that two big oceans meant it really could keep the world outside. The same unstated assumptions led the Soviet coup-makers to not bother to seize the TV stations for hours and ignore those silly newfangled fax machines (actually more useful against the coup-makers than the net, at least at that time). I would sympathize, but as a Canadian who is appalled by US legislation that tries to penalize companies in other sovereign nations that dare to trade with Cuba (which unlike, say, Chile under Pinochet or Nicaragua prior to the Sandinistas were marvelously democratic engines of social reform), I consider this the usual "We're in charge here...and by the way, where the hell are we?" of American foreign policy. America is still far and away the most polite superpower in history, which is probably why many Canadians such as myself remain sympathetic with the goals if not always the execution of American foreign policy. Just remember that if you don't vote and don't get involved that you've got no right to kvetch (a marvellous Yiddish word meaning to bitch, moan and complain in however many modes your audience will tolerate until they have done with you - this message being itself an example). Let your congresscritter know that you think this not only futile, but just plain silly.
There seems to be a bit of confusion about exactly what this software offers over the standard SSH. Hopefully I can help clear it up a bit.
SSH1 comes with a license which is rather ambiguous about commercial use. The most common interpretation is that it's OK to use it commercially so long as one isn't making a profit directly off it. (e.g. charging people for the software.) SSH2 is much clearer-- in order to use SSH2 in a business you must use the closed-source, $400-a-server version from DataFellows.
Here is the vague portion of the SSH1 license:
Companies are permitted to use this program as long as it is not used for revenue-generating purposes. For example, an Internet service provider is allowed to install this program on their systems and permit clients to use SSH to connect; however, actively distributing SSH to clients for the purpose of providing added value requires separate licensing.
SSH2 clients cannot talk to SSH1 servers. This was by design in an attempt to drive people to upgrade to the new protocol. SSH1 clients are able to talk to SSH2 servers.
The IDEA (default) algorithm is patented and requires a license to use commercially. The RSA algorithm is also patented, but that patent has either expired or is about to expire. If one can find a copy of "rsaref", formerly offered freely from RSA's FTP site, then one can use it instead of the internal RSA algorithm to work around this little hurdle.
One reason there is demand for another implementation of the SSH protocol is so that people in small businesses can continue to use SSH while still maintaining access to the source code and also staying $400/server closer to being profitable.
Given the incompatibility of the clients, upgrading from SSH1 to SSH2 requires a flag day upon which day every client and server must be simultaneously upgraded to SSH2. Trying to upgrade in stages results in those with SSH2 unable to connect to SSH1 servers. It is possible to install both versions of the client, but the user will have to be the one "failing over" to the other version. Irritating at best, costly and time-consuming at worst.
For more information about SSH implementations, check out the Open Directory Project's SSH Category.
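The client/server compatibility rules in the post above show up on the wire in the identification string each side sends at the start of a connection ("SSH-protoversion-softwareversion", as in the SSH-1 drafts and RFC 4253). A server that implements both protocols announces "1.99" so that a protocol-1 client can continue, while a protocol-2-only client finds nothing in common with a "1.5" server. The following is an added example, not code from the post or from any SSH implementation: it parses those banners, works out which version a client would pick, and runs the "flag day" scenario over a constructed fleet. Host names and software strings in the sample data are made up.

```python
import re
from typing import Dict, List, Optional, Set

# Identification string exchanged at the start of every SSH connection
# (the SSH-1 drafts and RFC 4253 use the same shape):
#   SSH-<protoversion>-<softwareversion>[ <comments>]\r\n
_BANNER_RE = re.compile(r"^SSH-(\d+\.\d+)-(\S+)(?: (.*?))?\r?\n?$")


def parse_banner(line: str) -> Dict[str, str]:
    """Split an identification string into protocol, software and comment fields."""
    m = _BANNER_RE.match(line)
    if m is None:
        raise ValueError(f"not an SSH identification string: {line!r}")
    proto, software, comments = m.groups()
    return {"proto": proto, "software": software, "comments": comments or ""}


def supported_majors(proto: str) -> Set[int]:
    """Protocol major versions a peer announces with the given protoversion field.

    "1.99" is the compatibility marker: a server that implements both protocol 1
    and protocol 2 announces it so that either kind of client can continue.
    """
    if proto == "1.99":
        return {1, 2}
    return {int(proto.split(".", 1)[0])}


def negotiate(server_banner: str, client_supports: Set[int]) -> Optional[int]:
    """Protocol major the client selects, or None when no version is shared.

    The server speaks first; the client picks the newest version both sides
    support and answers with its own banner for that version.
    """
    common = supported_majors(parse_banner(server_banner)["proto"]) & set(client_supports)
    return max(common) if common else None


def client_banner(major: int, software: str = "example_client") -> str:
    """Banner a client sends for its chosen version (software name is constructed)."""
    return f"SSH-{'2.0' if major == 2 else '1.5'}-{software}\r\n"


def unreachable_servers(server_banners: Dict[str, str], client_supports: Set[int]) -> List[str]:
    """Servers a client with the given protocol support can no longer reach.

    This is the "flag day" problem from the post: move clients to protocol 2
    only while some servers still speak only protocol 1, and those drop out.
    """
    return sorted(host for host, banner in server_banners.items()
                  if negotiate(banner, client_supports) is None)


# Constructed sample fleet (host names and software strings are made up).
SAMPLE_FLEET = {
    "legacy-box": "SSH-1.5-1.2.27\r\n",              # protocol 1 only
    "dual-stack": "SSH-1.99-OpenSSH_example\r\n",    # both protocols
    "v2-only":    "SSH-2.0-example_ssh2\r\n",        # protocol 2 only
}


if __name__ == "__main__":
    for support in ({1}, {2}, {1, 2}):
        print(f"client supporting protocol {sorted(support)} cannot reach:",
              unreachable_servers(SAMPLE_FLEET, support))
```

Running it shows the post's point from both sides: a protocol-2-only client loses the protocol-1-only server, a protocol-1-only client loses the protocol-2-only server, and only a client that keeps both versions installed reaches the whole fleet, which is the "failing over" the post says the user is left to do by hand.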
I have to admit I have issues with the OpenBSD folks who are maintaining OpenSSH.
Their code is very BSD oriented, makes no attempt to be portable. (this is not inherently a huge sin, I am sure it was tiring writing the thing in the first place ;-) ) So some guy in Australia ports it to Linux/autoconf-automake so it will compile on Linux and other *nixs...
Along the way, he introduces PAM (which is a *nix standard, OpenBSD just chooses not to use it) and in general improves the code (I don't have the rest of the feature list handy)
Instead of allowing him to merge it back into the code tree, or even offering to host it, www.openssh.com takes credit for it by adding a link labeled "Linux/Solaris" and links directly to the ftp location. No acknowledgements, no link to the web page.
This sort of snottiness may or may not be endemic to the *BSD community, such a generalization would be unfair. HOWEVER it _does_ worsen their reputation, not to mention fly in the face of the commonly accepted code of ethics that accompany the open source concept.
I do not mean this as a flame of anyone other than those from the OpenSSH project who were actually involved in the decision to ignore the compatibility initiative. The rest have my unequivocal admiration and gratitude, as the product itself (OpenSSH) is very impressive, and we all should thank them for volunteering their time to provide us with it.
And for the record, other than admiring him and his work, I have no relation to that chap from Australia nor his port of OpenSSH to Linux...
-RS
We are all in the gutter, but some of us are looking at the stars --Oscar Wilde
Grrr. my nick is "Forward the Light Brigade"...
I have to say, with all the privacy stuff getting posted on
When I look back on it, I used to think being "anonymous coward" was cowardly, nowadays I'm thinking it's not going to be too long before there's no choice in the matter...
To be on topic for a bit, I just installed OpenBSD (yes, after I read the /. thing, okay, I'm a lemming), and it's really very very nice. OpenSSH is from the same crew, and they do very good work. Tight security. Astounding documentation. Attention to detail. Very nice. More power to them.
no warning:
The package tells you exactly what is going on using the shiny new debconf tool to put a nice dialog box up to ask you if you want to continue, or give you the chance to install ssh-nonfree instead.
Coerced:
As the Debian maintainer of both ssh (OpenSSH) and ssh-nonfree (the non-free ssh) I can tell you that the decision was mine. (I did check that nobody from the OpenSSH team minded)
My decision was based on the fact that Debian does not consider non-free software to be part of the distribution, so if there is a free and a non-free implementation of a package, the free one gets the name because it's actually part of the distribution.
I've got nothing against ssh-nonfree (otherwise I wouldn't have maintained a Debian package of it for years) and I really appreciate the fact that Tatu wrote it, and allowed us all to use it. It just happens to be non-free, so the DFSG free alternative gets priority in our case.
I hope that clears things up.
Cheers, Phil.
Debian: GNU/Linux done the Linux way
Debian never distributed the SSH package anyway.
If debian never distributed ssh (which comes as a surprise to me, given that I've been maintaining it for over two years) then why are you complaining that it overwrites the old package?
Why does Debian decide to BREAK the user's system by RENAMING packages?
If OpenSSH has broken your system, please report a bug, and I will endeavor to resolve your problem.
If on the other hand you are just being an idiot, please shut up and stop wasting our time.
Cheers, Phil.
Debian: GNU/Linux done the Linux way
Sorry I guess I wasn't very clear, especially with my little slip up about licensing.
First part: stupid users
The idea here is to make things transparent to them. Let them use their same old apps, but make the behind-the-scenes networking secure. For example, some mail programs can now connect using SSL. If a sysadmin sets it up this way, the end user doesn't usually care (or even know). That's how we need to attack the stupid-user problem. I agree with you that we can't rely on them to get un-stupid.
Part 2: licensing
I said that having OpenSSH in addition to SSH will serve to increase the number of people using this protocol. Reason: I was thinking of the sysadmin ohhhh... like ME :) who wanted SSH installed at work, but was prevented from doing so because the boss didn't want to pay for it. OpenSSH is a blessing for people in my position.
Other companies may prefer to purchase SSH so that they have someone to call up when things go wrong. That's OK too - there's nothing wrong with paying for a commercial version. I think it is a good thing to have BOTH implementations out there.
Best regards,
SEAL
The jackbooted thugs aren't interested in keeping anyone dangerous from having encryption, because that's a hell of a lot of work. The purpose in all this petty harassment of coders and publishers is to prevent strong cryptography from becoming common and more importantly, turn on by default.
Right now, nearly everything is in the clear, and that makes work much easier for FBI agents on fishing expeditions without a warrant.
Make no mistake, crypto restriction serves *no* legitimate law enforcement purpose. Its only usefulness is to enable illegal acts by governments against law abiding citizens.
Check into the use of PGP by Amnesty International, and look up what kinds of slimy tricks J. Edgar Hoover pulled on Martin Luther King and others.
-jcr
The only title of honor that a tyrant can grant is "Enemy of the State."
I'd like to thank you for maintaining the SSH packages. It is my belief that you've made a wrong decision on several counts in this case, but hey, we all err and I'm grateful nevertheless.
I never used ssh or telnet or any other way of remotely connecting to my box. All my ports are closed and I feel safe from outside attacks. But I have always wanted to connect from my school as they run Windows (a Bad Thing) and I run Linux (a Good Thing) and I am in a programming class. I think now with this openssh I will get VNC and do so. Does anyone know if there is a windows version of openssh?
If you think you know what the hell is really going on you're probably full of shit.
jdube is who I am.
That's Ylönen not Ylonen!
On the subject of the "dumb US export laws" discussed above, be aware that the restriction is on all export of crypto implementations.
So if you are in, say, Europe, and download the SSH implementation to your laptop you are OK to travel to the USA. However, legally you can not leave until you have deleted SSH from your laptop.
I know they do not normally search your harddisks at the airport, but you might want to consider the implications if they make an exception for you.
(I remember this was a real problem for a Swedish company who used strong encryption for their internal e-mail systems. Their executives had to wipe their laptops every time they left JFK and then re-install back in Sweden. It really is a stupid law.)
Hi!
Look! It's a troll!
Ohhh, how *cute*!
Sure, if you tell me which hostname that box you're doing this to has... man rsh should solve your problems
Doesn't ssh seem like it's trying to do way too much?
All that port forwarding stuff etc seems like trying to do VPN stuff in a kludgy and bug prone way.
Give me a plain SSL telnet style thing anytime. Pity not many people seem as keen on this.
Cheerio,
Link.
I use ssh as my primary way of logging in to my work machines from home, and I'd like to install the free version of ssh, but the machines at work are not under my control. Am I going to run into compatibility problems if I install OpenSSH here but can't convince the powers that be to change over?
-r
We know you're not what you pretend to be...
BSD people should remember that there's more than one UNIX.
Debian did this because SSH is insecure and not free for commercial use.. Check out the latest ssh remote exploit: http://www.security-focus.org/templates/archive.pike?list=1&date=1999-11-8&msg=382DB21B.CB92D7A0@thievco.com
the theory goes, that much of the crypto (and generally, much of the research in areas restricted by this law) research in this country is sponsored at least partly by the federal government, the development of crypto entirely in the private sector is a new development (as opposed to simply implementing it, which has been private sector for a while)
The federal government did not want to fund research that could come back to haunt them in terms of inhibiting SIGINT obtained overseas from being useable.
Funding research and prohibiting exports are completely different things. The Feds have a full right not to give money to projects they don't like. That doesn't translate into export restrictions, however. Besides, it's not like these damned foreigners are completely clueless and cannot come up with a crypto system of their own.
Even now, the US government has an interest in trying to prevent strong crypto from existing outside this country
Probably true, but so what? The US government also has an interest in having everybody on this planet answering "Sir, yes Sir!" every time a US official asked them to do something. It also has an interest in having all governments and corporations send to the US copies of all their correspondence, reports, and meetings minutes. So?
in point of fact, most currently existing crypto DOES originate from inside US borders (SSH included)
Thanks to the export restrictions this fact is rapidly changing (and SSH was coded in Finland AFAIK).
Even if some crypto is leaking out, the USG has a compelling interest in trying to read foreign SIGINT.
Just because the government has an interest, it doesn't necessarily have the right to do everything to further that interest, especially when the means it chose are stupid, do not work, and are the laughingstock of all more or less civilized world. Yes, I know the argument that these restrictions are quite effective in preventing widespread default use of crypto, but the loss of credibility for the US government has been substantial. Besides, the world is a small place. All it means is that US citizens and companies are locked out of a quite an important area.
Kaa
Kaa's Law: In any sufficiently large group of people most are idiots.
I use Vandyke's SecureCRT software, which is a win32 SSH v1, v2, telnet, and general terminal emulation client. Version 3.0 lets you connect to either SSHv1 or SSHv2 servers with lots of encryption/compression/port forwarding options. If you're using a client like this a v1 to v2 server upgrade "flag" day isn't as annoying as it could be.
I don't have any affiliation with Vandyke, but I would like to say that they make beta releases readily available, return email promptly with a personal reply, and emailed me the upgrade license from version 2 to version 3 without any "upgrade" charge. Yes, it's closed, non-free software, but much better than most I've dealt with.
-OT
I think the AES competition (www.nist.gov/aes), a competition for the replacement of DES by the U.S. government, should finally put an end to the lie that the U.S. has some kind of monopoly on encryption. A full 40% of the finalists were foreign in origin, despite a selection process that was biased for American solutions.
Similarly, while MIT/RSADI hold the U.S. patent on the RSA public key encryption method used in SSH, most modern cryptographers believe that RSA public key encryption is obsolete. Most of the work on its proposed replacement, elliptic curve cryptography, is being done in Britain and Canada (in fact, the biggest vendor of elliptic curve cryptography is Canadian).
Don't get me wrong, the U.S. still has many great cryptographers. Bruce Schneier, Ron Rivest, the list goes on. But I seriously doubt that the U.S. still does the majority of public cryptographic research. If you don't believe me, go browse the cryptographic links section on my home page.
-E
Send mail here if you want to reach me.
First :
You can add the patented algorithms to OpenSSH just by installing the right shared libs, it's a personal decision and not the default because of CD distribution. (and because patents suck)
Second :
ssh always included non-patented algorithms like triple-DES.
Theo's dead?? You would have thought it would have hit all the news. I mean, he's the founder of OpenBSD! If he really is dead, I have dibs on his bicycle.
(let's see if we can start a rumor here).
-russ
Don't piss off The Angry Economist
if you don't like debian, don't use it. this is why we have fourteen thousand linux distributions. I'm quite certain you can track one down that doesn't get your panties all in a knot.
if the maintainer of a distribution wants to change the distribution, and if users of the distribution are allowed to use other distributions, there is no problem at all. I see no way to compare this to "OH WHAT IF MICROSOFT DID THIS".
quit bitching. thanks!
Yeah. I think you're a troll.
We need a Godwin's Law equivalent for Slashdot discussions: invoking gratuitous comparisons to M$ behavior indicates you've run out of ideas/arguments/contributions, and have abdicated your right to speak further on the subject.
That is a frightening statement on their home page. Let's hope they do not honestly believe that.
"IMHO, closed-source doesn't necessarily mean evil. I think the present SSH is great. Admittedly, I'd prefer it if it was OSS"
Excuse me, but where did you get the idea that the non-free (DataFellows) SSH (called ClosedSSH here for clarity's sake) was not OSS? While it may not be DFSG-free or meet Debian's social contract guidelines, that doesn't mean it is not OSS.
The problem which makes it non-free is one of (evil) licensing, not one of source unavailability.
Had the source been unavailable, ClosedSSH would never have been viewed with any credibility in the cryptographic community, IMO.
One thing that I haven't figured out, though, is how to get the equivalent of ssh -l username with scp.
They're announcing tons of commercial things, like at freshmeat, and now OpenSSH, which isn't GPL'd, but OpenSource. You should consider using lsh, a real replacement for SSH 2. At least they don't need this sort of pub. Grow /. authors.
"One thing that I haven't figured out, though, is how to get the equivalent of ssh -l username with scp"
scp filenamehere userthere@host.there:filenamethere
Slashdot: docs for nerds ;)