Slashdot Mirror


OpenSSH Project Now at openssh.com

Anonymous Coward writes "The OpenSSH project now has a central webpage at www.openssh.com. OpenSSH is based on the last free version of Tatu Ylonen's SSH with all patent-encumbered algorithms removed, all known security bugs fixed, new features reintroduced and many other clean-ups."

11 of 132 comments

  1. Good to avoid dumb US laws by Anonymous Coward · Score: 3

    Excellent, now we have an open ssh package. No more visiting RedHat's ssh page and filling out those "are you a US citizen" forms before I can securely login to a remote machine.

    Seriously, why does the US even bother with cryptographic export laws when many other countries can ship products that contain the same strength encryption as they are trying to keep locked up?

    Especially with open source projects involving encryption that are being developed all over the world, this country's policies seem downright pointless.

    Or am I missing the point?

    1. Re:Good to avoid dumb US laws by Forward The Light Br · Score: 4

      DISCLAIMER: I do not support this law, I just want to explain it.

      Seriously, why does the US even bother with cryptographic export laws when many other countries can ship products that contain the same strength encryption as they are trying to keep locked up?

      The theory goes that much of the crypto research in this country (and generally, much of the research in areas restricted by this law) is sponsored at least partly by the federal government; the development of crypto entirely in the private sector is a new development (as opposed to simply implementing it, which has been private sector for a while).

      The federal government did not want to fund research that could come back to haunt them in terms of inhibiting SIGINT obtained overseas from being usable.

      Realize that this is an old law, and the crypto battle between the Soviets and the US was very active for much of the last 50 years.

      Even now, the US government has an interest in trying to prevent strong crypto from existing outside this country, and in point of fact, most currently existing crypto DOES originate from inside US borders (SSH included).

      The only caveat is that the US Judicial branch has ruled that the federal government had better have a very compelling reason to inhibit written speech. To legislate prior restraint is almost impossible...

      To keep the law constitutional, written algorithms were exempted from the law.

      That is how PGP got outside the US, and how OpenSSH was able to exist.

      Even if some crypto is leaking out, the USG has a compelling interest in trying to read foreign SIGINT.

      I think they should just invest more money in finding ways to break the codes, as that is likely to be more effective, but I fault them more for their methods than their motives...

      -RS
      We are all in the gutter, but some of us are looking at the stars --Oscar Wilde

      --

      Grrr. My nick is "Forward the Light Brigade"...
  2. it's important to support this by SEAL · Score: 3

    I will try to avoid the classic open / closed source arguments here, although they creep in a little bit :-)

    I think OpenSSH is very important to everyone. License status aside, it represents an alternative way to use the SSH protocol. Some people may prefer it while others may like the closed source version. But I think more people overall will be using one of the two. This is a good thing. There's still a lot of plaintext authentication on the net, and I'd be happy to see less of it. POP3, FTP, and telnet are all commonly used, for example.

    We all know the average user is lazy about passwords. Sniffing one password often compromises many things. Yes, the user is at fault but now the sysadmin can do something about it (namely wrapping the protocol in SSH). With OpenSSH, perhaps more sysadmins will agree with the licensing.

    Additionally, I seem to remember reading somewhere that the IETF needs two independent implementations of a protocol before it can progress towards being an official standard. (Someone correct me if I'm wrong - I'm sorry I don't have a link to provide). With that in mind, SSH can get the IETF's blessing before a corporation with its own goals decides to muck with what should be in the standard.

    Just my $.02

    SEAL

    1. Re:it's important to support this by arcade · Score: 3

      We all know the average user is lazy about passwords. Sniffing one password often compromises many things. Yes, the user is at fault but now the sysadmin can do something about it (namely wrapping the protocol in SSH). With OpenSSH, perhaps more sysadmins will agree with the licensing.

      For me and you, and probably the rest of the slashdot readers, it's obvious that sending passwords in the clear is a Bad Thing (tm). The problem is that most people don't give a damn about getting their passwords sniffed. (Ha! Someone may read my email! What a catastrophe!). I've heard the last argument at least 10 times during this term at the university ALONE.

      What they don't realise is that they compromise a LOT more than just their email. They make the systems vulnerable to local exploits. Careless users are a *Bad Thing* -- but they don't seem to care.

      Why don't sysadmins just disable telnet / ssh and so on? Well, the problem - of course - is that would send people rioting. People want to use the application they're used to. They don't give a damn about security. Me, and a lot of other administrators, tend to set up pop3-only accounts - so that if the pop3 pwd is compromised -- nothing but the person's email is available for the sniffer (I hope? :-). But, if they use the same pwd for their pop3 and for their shell account - then there is trouble.

      You mention the license. Yes - a lot of us want to be 'good buds' who use the open source things. But, if it means that I've got to compile Yet Another Program - then it will be done .. tomorrow. Always tomorrow, never today. That means it will take time. People will start using it - SLOWLY. Not necessarily because they are afraid of using something new -- but they want to do LESS work. And, since they're already using the non-GPL'ed version, and using it happily -- why should they do a lot of "unnecessary" work? (I will do it.. in time.. because I want to support the Effort. ;-)

      Oh well, yet another long slashdot rant in my probably far too shabby English.

      --
      "Rune Kristian Viken" - http://www.nwo.no - arca
  3. Re:I must speak up. by phred · Score: 4

    "Coerced" is awfully strong language. So is "politics." Some might even consider them swear-words. Instead, may I suggest: "Consistency." "Principles."

    As is often the case, here we have someone wanting to make a noisy controversy out of a normal event. The background, as I understand it, is that the OpenBSD folks didn't much care for the Data Fellows licensing policy for the new ssh, so they decided to rewrite the old version 1 as OpenSSH, and in the process nipped at least one known bug. The new version will be in OpenBSD 2.6 scheduled for release on December 1.

    Meanwhile Debian decided to substitute this version, in line with its policy to have only totally free packages in the free distribution. The other version will continue to be available in non-free.

    It's not as if this is some deep dark secret, nor has it been some big folderol. Matter-of-fact coverage can be found at BugTraq, OpenBSD and the Debian development lists.

    There was also an announcement in Joey Hess' Debian Weekly News last week -- and here is the real scoop from Phil Hands.

    "Politics" my ass.

    --
    Bill Gates Is My Evil Twin.
  4. Re:Client for 'doze? by demon · Score: 4

    I recommend Tera Term Pro and the TTSSH extension if you must use Windows. Or use MindTerm, which is a Java-based SSH client. I've used both, and they both work well with any SSH 1.x server. (Including OpenSSH.)

    --

    Sam: "That was needlessly cryptic."
    Max: "I'd be peeing my pants if I wore any!"
  5. OpenSSH by fries · Score: 3

    Re psst: I'm sure any contributions from psst would be welcomed, and I'm sure psst can read the license and note they're welcomed to any code in the OpenSSH tree, but a merger I doubt would occur, considering the different audiences each is addressing.

    Re sshv2 protocol: it is a freely available spec, and as such, has potential to be implemented in OpenSSH (although this has not yet been done). The initial thrust of OpenSSH was to have something equivalent to and compatible with ssh-1.2.x in OpenBSD 2.6, and that has certainly been accomplished. It is certainly not illegal to implement it in a free product; that the commercial 'ssh2' program costs something is the company charging for their programmers, not the protocol.

    While the incident with 1.2.27's security bug doesn't necessarily suggest OpenSSH is more secure in general, it does seem interesting to note that in the code cleanup of creating OpenSSH, the bug was accidentally fixed. Hats off to the programmers who have a high enough standard of coding that they accidentally fix bugs :-)

    ClosedSSH has superior algorithms? I implore you to back your statement with facts. Last I checked, the algorithms available in OpenSSH are limited to those in the crypto library, and there may be fewer algorithms in OpenSSH than ClosedSSH because of this, but why include the insecure ones?

    Beware of two things. First, I'm not a lawyer. Second, I believe my understanding of the crypto laws suggests that if you compile it outside the US, you can use it outside the US; if you compile it inside the US you can't ship it outside the US; and if you use it in the US, you can't use an alternative to RSA's library if you wish to use that particular algorithm, which at this time requires commercial entities to talk to RSA for licenses. I think. Someone maybe should confirm this though.

    Read the man page for logging in from a particular ip without a password. Look for .shosts.

    --
    Todd Fries .. todd@fries.net .. OpenBSD, because security matters!
  6. Why OpenSSH by Wanker · Score: 4

    There seems to be a bit of confusion about exactly what this software offers over the standard SSH. Hopefully I can help clear it up a bit.

    • Licensing

      SSH1 comes with a license which is rather ambiguous about commercial use. The most common interpretation is that it's OK to use it commercially so long as one isn't making a profit directly off it. (e.g. charging people for the software.) SSH2 is much clearer-- in order to use SSH2 in a business you must use the closed-source, $400-a-server version from DataFellows.

      Here is the vague portion of the SSH1 license:

      Companies are permitted to use this program as long as it is not used for revenue-generating purposes. For example, an Internet service provider is allowed to install this program on their systems and permit clients to use SSH to connect; however, actively distributing SSH to clients for the purpose of providing added value requires separate licensing.

    • Compatibility

      SSH2 clients cannot talk to SSH1 servers. This was by design in an attempt to drive people to upgrade to the new protocol. SSH1 clients are able to talk to SSH2 servers.

    • Patents

      The IDEA (default) algorithm is patented and requires a license to use commercially. The RSA algorithm is also patented, but that patent has either expired or is about to expire. If one can find a copy of "rsaref", formerly offered freely from RSA's FTP site, then one can use it instead of the internal RSA algorithm to work around this little hurdle.

    One reason there is demand for another implementation of the SSH protocol is so that people in small businesses can continue to use SSH while still maintaining access to the source code and also staying $400/server closer to being profitable.

    Given the incompatibility of the clients, upgrading from SSH1 to SSH2 requires a flag day upon which day every client and server must be simultaneously upgraded to SSH2. Trying to upgrade in stages results in those with SSH2 unable to connect to SSH1 servers. It is possible to install both versions of the client, but the user will have to be the one "failing over" to the other version. Irritating at best, costly and time-consuming at worst.

    For more information about SSH implementations, check out the Open Directory Project's SSH Category.

  7. Anonymous Coward submits Crypto Story? by MagicMike · Score: 3

    I have to say, with all the privacy stuff getting posted on /., and the entire "Your Rights Online" section, maybe it's about time we recognized that being anonymous is actually a pretty brave thing.

    When I look back on it, I used to think being "anonymous coward" was cowardly; nowadays I'm thinking it's not going to be too long before there's no choice in the matter...

    To be on topic for a bit, I just installed OpenBSD (yes, after I read the /. thing, okay, I'm a lemming), and it's really very very nice. OpenSSH is from the same crew, and they do very good work. Tight security. Astounding documentation. Attention to detail. Very nice. More power to them.

  8. Perhaps you should have kept quiet... by Phil Hands · Score: 5

    no warning:

    The package tells you exactly what is going on using the shiny new debconf tool to put a nice dialog box up to ask you if you want to continue, or give you the chance to install ssh-nonfree instead.

    Coerced:

    As the Debian maintainer of both ssh (OpenSSH) and ssh-nonfree (the non-free ssh) I can tell you that the decision was mine. (I did check that nobody from the OpenSSH team minded)

    My decision was based on the fact that Debian does not consider non-free software to be part of the distribution, so if there is a free and a non-free implementation of a package, the free one gets the name because it's actually part of the distribution.

    I've got nothing against ssh-nonfree (otherwise I wouldn't have maintained a Debian package of it for years) and I really appreciate the fact that Tatu wrote it, and allowed us all to use it. It just happens to be non-free, so the DFSG free alternative gets priority in our case.

    I hope that clears things up.

    Cheers, Phil.

    --

    Debian: GNU/Linux done the Linux way
  9. Re:Caveat by dmiller · Score: 3

    As the "guy in Australia" who made the changes you mentioned, I cannot agree with your view. The OpenBSD developers have been very accommodating and we have been actively swapping patches and bug reports. I have not been "improving the code" as it is of good (and improving) quality already.

    I have no expectation that the OpenBSD developers choke their CVS tree up with cross-platform cruft. Part of the reason why their OS is so clean and secure is that there is none of that junk in there. As mentioned previously, we do exchange patches to close bugs and add features.

    Finally I find it ironic that, in a diatribe about how others failed to give me due credit, you didn't even bother to use my real name.