Slashdot Mirror
OpenSSH Project Now at openssh.com
Anonymous Coward writes "The OpenSSH project now has a central webpage at www.openssh.com.
OpenSSH is based on the last free version of Tatu Ylonen's SSH with
all patent-encumbered algorithms removed, all known security bugs
fixed, new features reintroduced and many other clean-ups."
Nice page, too. Think they use blowfish, much? :)
I, personally, could care less, but I'd love to see that this stuff can be included in Debian and all the other purist distributions, and contributed to, and stuff. That's the good part.
Besides, the licensing for SSH 2 got worse, I understand, and that's why we have free versions: to protect us from that.
---
pb Reply rather than vaguely moderate me.
pb Reply or e-mail; don't vaguely moderate.
One aspect of OpenSSH that many people should like is that the most recent security hole in ssh-1.2.27 was non-existant in OpenSSH. For that reason alone, OpenSSH might be a better choice -- especially with the lack of developer news concerning ssh1 and ssh2.
-B
ps. Check www.securityfocus.com for the bugtraq archives and mailing list.
Excellent, now we have an open ssh package. No more visiting RedHat's ssh page and filling out those "are you a US citizen" forms before I can securely login to a remote machine.
Seriously, why does the US even bother with cryptographic export laws when many other countries can ship products that contain the same strength encryption as they are trying to keep locked up?
Especially with open source projects involving encryption that are being developed all over the world, this country's policies seem downright pointless.
Or am I missing the point?
Debian has been coerced into renaming the OpenSSH package to SSH. In other words, people who are upgrading their system will have the real SSH transparently removed and replaced with OpenSSH.
There is no warning although the functionalities are not equivalent. The original SSH package has been renamed.
It is my understanding that all this has happened at the bequest of Theo. This is yet another case where POLITICS interferes with the TECHNICAL aspects of Debian.
I will try to avoid the classic open / closed source arguments here, although they creep in a little bit :-)
I think OpenSSH is very important to everyone. License status aside, it represents an alternative way to use the SSH protocol. Some people may prefer it while others may like the closed source version. But I think more people overall will be using one of the two. This is a good thing. There's still alot of plaintext authentication on the net, and I'd be happy to see less of it. POP3, FTP, and telnet are all commonly used, for example.
We all know the average user is lazy about passwords. Sniffing one password often compromises many things. Yes, the user is at fault but now the sysadmin can do something about it (namely wrapping the protocol in SSH). With OpenSSH, perhaps more sysadmins will agree with the licensing.
Additionally, I seem to remember reading somewhere that the IETF needs two independent implementations of a protocol before it can progress towards being an official standard. (Someone correct me if I'm wrong - I'm sorry I don't have a link to provide). With that in mind, SSH can get the IETF's blessing before a corporation with its own goals decides to muck with what should be in the standard.
Just my $.02
SEAL
But this is more than free speech, this is liberty.
"Open Source?" - Press any key to continue
That's the point. You couldn't distribute SSH in america to foriegners. OpenBSD is based in Canada (so it gets passed all the mess US laws), so yes.
I think, but I likely have this confused, that US developers couldn't design a free implement because of the patents and export laws. When OpenSSH came out, I remember one of my LUGs chatting about wanting to port or copy (whichever got Linux the most credit), but were annoyed because US developers would only hurt the project.
"Open Source?" - Press any key to continue
I recommend Tera Term Pro and the TTSSH extension if you must use Windows. Or use MindTerm, which is a Java-based SSH client. I've used both, and they both work well with any SSH 1.x server. (Including OpenSSH.)
Sam: "That was needlessly cryptic."
Max: "I'd be peeing my pants if I wore any!"
re psst .. I'm sure any contributions from psst
:-)
.shosts.
would be welcomed, and I'm sure psst can read the
license and note they're welcomed to any code in
the OpenSSH tree, but a merger I doubt would occur, considering the different audiences each
is addressing.
re sshv2 protocol, it is a freely available spec,
and as such, has potential to be implemented in
OpenSSH (although has not yet been done). The
initial thrust of OpenSSH was to have something
equivalant to and compatible with ssh-1.2.x in OpenBSD 2.6, and that has certainly been accomplished. It is certianly not illegal to implement it in a free product; that the commercal
'ssh2' program costs something is the company
charging for their programmers, not the protocol.
While the incident with 1.2.27's security bug doesn't necessarily suggest OpenSSH is more secure in general, it does seem interesting to note that
in the code cleanup of creating OpenSSH, the bug
was accidentally fixed. Hats off to the programmers who have a high enough standard of coding that they accidentally fix bugs
ClosedSSH has superior algorithms? I implore you to back your statement with facts. Last I checked, the algorithms available in OpenSSH are
limited to those in the crypto library, and there
may be less algorithms in OpenSSH than ClosedSSH
because of this, but why include the insecure ones?
Beware of two things. First, I'm not a lawyer. Second, I believe my understanding of the crypto laws suggests if you compile it outside the us, you can use it outside the us, if you compile it inside the us you can't ship it outside the us,
and if you use it in the us, you can't use an
alternative to rsa's library if you wish to use
that particular algorithm, which at this time
requires commercial entities to talk to rsa for
licenses. I think. Someone maybe should confirm this though.
Read the man page for logging in from a particular ip without a password. Look for
Todd Fries
Putty's another good client, although its not particularly configurable at the moment.
CloudWarrior . "I may be in the gutter but I'm looking to the stars"
There seems to be a bit of confusion about exactly what this software offers over the standard SSH. Hopefully I can help clear it up a bit.
SSH1 comes with a license which is rather ambiguous about commercial use. The most common interpretation is that it's OK to use it commercially so long as one isn't making a profit directly off it. (e.g. charging people for the software.) SSH2 is much clearer-- in order to use SSH2 in a business you must use the closed-source, $400-a-server version from DataFellows.
Here is the vague portion of the SSH1 license:
Companies are permitted to use this program as long as it is not used for revenue-generating purposes. For example, an Internet service provider is allowed to install this program on their systems and permit clients to use SSH to connect; however, actively distributing SSH to clients for the purpose of providing added value requires separate licensing.
SSH2 clients cannot talk to SSH1 servers. This was by design in an attempt to drive people to upgrade to the new protocol. SSH1 clients are able to talk to SSH2 servers.
The IDEA (default) algorithm is patented and requires a license to use commercially. The RSA algorithm is also patented, but that patent has either expired or is about to expire. If one can find a copy of "rsaref", formerly offered freely from RSA's FTP site, then one can use it instead of the internal RSA algorithm to work around this little hurdle.
One reason there is demand for another implementation of the SSH protocol is so that people in small businesses can continue to use SSH while still maintaining access to the source code and also staying $400/server closer to being profitable.
Given the incompatibility of the clients, upgrading from SSH1 to SSH2 requires a flag day upon which day every client and server must be simultaneously upgraded to SSH2. Trying to upgrade in stages results in those with SSH2 unable to connect to SSH1 servers. It is possible to install both versions of the client, but the user will have to be the one "failing over" to the other version. Irritating at best, costly and time-consuming at worst.
For more information about SSH implementations, check out the Open Directory Project's SSH Category.
I have to admit I have issues with the OpenBSD folks who are maintaining OpenSSH.
;-) ) So some guy in Australia ports it to Linux/autoconf-automake so it will compile on Linux and other *nixs...
Their code is very BSD oriented, makes no attempt to be portable. (this is not inherently a huge sin, I am sure it was tiring writing the thing in the first place
Along the way, he introduces PAM (which is a *nix standard, OpenBSD just chooses not to use it) and in general improves the code (I don't have the rest of the feature list handy)
instead of allowing him to merge it back into the code tree, or even offering to host it, www.openssh.com takes credit for it by adding a link labeled "Linux/Solaris" and links directly to the ftp location. No acknowledgements, no link to the web page.
This sort of snottiness may or may not be endemic to the *BSD community, such a generalization would be unfair. HOWEVER it _does_ worsen their reputation, not to mention fly in the face of the commonly accepted code of ethics that accompany the open source concept.
I do not mean this as a flame of anyone other than those from the OpenSSH project who were actually involved in the decision to ignore the compatibility initiative. The rest have my unequivocal admiration and gratitude, as the product itself (OpenSSH) is very impressive, and we all should thank them for volunteering their time to provide us with it.
And for the record, other than admiring him and his work, I have no relation to that chap from Australia nor his port of OpenSSH to Linux...
-RS
We are all in the gutter, but some of us are looking at the stars --Oscar Wilde
Grrr. my nick is "Forward the Light Brigade"...
I have to say, with all the privacy stuff getting posted on
When I look back on it, I used to think being "anonymous coward" was cowardly, nowadays I'm thinking its not going to be too long before there's no choice in the matter...
To be on topic for a bit, I just installed OpenBSD (yes, after I read the /. thing, okay, I'm a lemming), and its really very very nice. OpenSSH is from the same crew, and they do very good work. Tight security. Astounding documentation. Attention to detail. Very nice. More power to them.
no warning:
The package tells you exactly what is going on using the shiny new debconf tool to put a nice dialog box up to ask you if you want to continue, or give you the chance to install ssh-nonfree instead.
Coerced:
As the Debian maintainer of both ssh (OpenSSH) and ssh-nonfree (the non-free ssh) I can tell you that the decision was mine. (I did check that nobody from the OpenSSH team minded)
My decision was based on the fact that Debian does not consider non-free software to be part of the distribution, so if there is a free and a non-free implementation of a package, the free one gets the name because its actually part of the distribution.
I've got nothing against ssh-nonfree (otherwise I wouldn't have maintained a Debian package of it for years) and I really appreciate the fact that Tatu wrote it, and allowed us all to use it. It just happens to be non-free, so the DFSG free alternative gets priority in our case.
I hope that clears things up.
Cheers, Phil.
Debian: GNU/Linux done the Linux way
Debian never distributed the SSH package anyway.
If debian never distributed ssh (which comes as a surprise to me, given that I've been maintaining it for over two years) then why are you complaining that it overwrites the old package?
Why does Debian decide to BREAK the user's system by RENAMING packages?
If OpenSSH has broken your system, please report a bug, and I will endeavor to resolve your problem.
If on the other hand you are just being an idiot, please shut up and stop wasting our time.
Cheers, Phil.
Debian: GNU/Linux done the Linux way
Sorry I guess I wasn't very clear, especially with my little slip up about licensing.
:) who wanted SSH installed at work, but was prevented from doing so because the boss didn't want to pay for it. OpenSSH is a blessing for people in my position.
First part: stupid users
The idea here is to make things transparent to them. Let them use their same old apps, but make the behind-the-scenes networking secure. For example, some mail programs can now connect using SSL. If a sysadmin sets it up this way, the end user doesn't usually care (or even know). That's how we need to attack the stupid-user problem. I agree with you that we can't rely on them to get un-stupid.
Part 2: licensing
I said that having OpenSSH in addition to SSH will serve to increase the number of people using this protocol. Reason: I was thinking of the sysadmin ohhhh... like ME
Other companies may prefer to purchase SSH so that they have someone to call up when things go wrong. That's OK too - there's nothing wrong with paying for a commercial version. I think it is a good thing to have BOTH implementations out there.
Best regards,
SEAL
The jackbooted thugs aren't interested in keeping anyone dangerous from having encryption, because that's a hell of a lot of work. The purpose in all this petty harassment of coders and publishers is to prevent strong cryptography from becoming common and more importantly, turn on by default.
Right now, nearly everything is in the clear, and that makes work much easier for FBI agents on fishing expeditions without a warrant.
Make no mistake, crypto restriction serves *no* legitimate law enforcement purpose. It's only usefulness is to enable illegal acts by governments agains law abiding citizens.
Check into the use of PGP by Amnesty International, and look up what kinds of slimy tricks J. Edgar Hoover pulled on Martin Luther King and others.
-jcr
The only title of honor that a tyrant can grant is "Enemy of the State."
Lsh is not really ready for real-world use yet, but it's making progress. It's based on the IETF spec on the SSH2 protocol.
For developers who want to have a look at what's being done, you can have a look http://www.lysator.liu.se/~nisse/lsh/.
I use Vandyke's SecureCRT software, which is a win32 SSH v1, v2, telnet, and general terminal emulation client. Version 3.0 lets you connect to either SSHv1 or SSHv2 servers with lots of encryption/compression/port forwarding options. If you're using a client like this a v1 to v2 server upgrade "flag" day isn't as annoying as it could be.
I don't have any affiliation with Vandyke, but I would like to say that they make beta releases readily available, return email promptly with a personal reply, and emailed me the the upgrade license from version 2 to version 3 without any "upgrade" charge. Yes, it's closed, non-free software, but much better than most I've dealt with.
-OT
I think the AES competition (www.nist.gov/aes), a competition for the replacement of DES by the U.S. government, should finally put a end to the lie that the U.S. has some kind of monopoly on encryption. A full 40% of the finalists were foreign in origin, despite a selection process that was biased for American solutions.
Similarly, while MIT/RSADI hold the U.S. patent on the RSA public key encryption method used in SSH, most modern cryptographers believe that RSA public key encrpytion is obsolete. Most of the work on its proposed replacement, elliptic curve cryptography, is being done in Britain and Canada (in fact, the biggest vendor of elliptic curve cryptography is Canadian).
Don't get me wrong, the U.S. still has many great cryptographers. Bruce Schneier, Ron Rivest, the list goes on. But I seriously doubt that the U.S. still does the majority of public cryptographic research. If you don't believe me, go browse the cryptographic links section on my home page.
-E
Send mail here if you want to reach me.
if you dont like debian, dont use it. this is why we have fourteen thousand linux distributions. I'm quite certain you can track one down that doesnt get your panties all in a knot.
if the maintainer of a distribution wants to change the distribution, and if users of the distribution are allowed to use other distributions, there is no problem at all. I see no way to compare this to "OH WHAT IF MICROSOFT DID THIS".
quit bitching. thanks!
One thing I'd like to do is remove the RSA encryption entirely from SSH and replace it with a non-patent-encumbered method of doing the public key authentication. RSA really isn't necessary anymore, there are now patent-unencumbered methods for doing public key session key exchanges and public key digest authentication without use of the RSA patented algorithm. My understanding is that RSA was kept in OpenSSH because it's necessary in order to maintain backward compatibility.
So yes, backward compatibility should be maintained by OpenSSH, unless something seriously stupid was done. I'm about to go test that theory personally :-).
-E
Send mail here if you want to reach me.