Slashdot Mirror

← Back to Stories (view on slashdot.org)

OpenSSH Project Now at openssh.com

Posted by Roblimo on from the security-for-the-masses dept.

Anonymous Coward writes "The OpenSSH project now has a central webpage at www.openssh.com. OpenSSH is based on the last free version of Tatu Ylonen's SSH with all patent-encumbered algorithms removed, all known security bugs fixed, new features reintroduced and many other clean-ups."

5 of 132 comments (clear)

  1. Re:I must speak up. by phred · · Score: 4

    "Coerced" is awfully strong language. So is "politics." Some might even consider them swear-words. Instead, may I suggest: "Consistency." "Principles."

    As is often the case, here we have someone wanting to make a noisy controversy out of a normal event. The background, as I understand it, is that the OpenBSD folks didn't much care for the Data Fellows licensing policy for the new ssh, so they decided to rewrite the old version 1 as OpenSSH, and in the process nipped at least one known bug. The new version will be in OpenBSD 2.6 scheduled for release on December 1.

    Meanwhile Debian decided to substitute this version, in line with its policy to have only totally free packages in the free distribution. The other version will continue to be available in non-free.

    It's not as if this is some deep dark secret, nor has it been some big folderol. Matter-of-fact coverage can be found at BugTraq, OpenBSD and the Debian development lists.

    There was also an announcement in Joey Hess' Debian Weekly News last week -- and here is the real scoop from Phil Hands.

    "Politics" myass.

    -------

    --
    Bill Gates Is My Evil Twin.
  2. Re:Client for 'doze? by demon · · Score: 4

    I recommend Tera Term Pro and the TTSSH extension if you must use Windows. Or use MindTerm, which is a Java-based SSH client. I've used both, and they both work well with any SSH 1.x server. (Including OpenSSH.)

    --

    Sam: "That was needlessly cryptic."
    Max: "I'd be peeing my pants if I wore any!"
  3. Why OpenSSH by Wanker · · Score: 4

    There seems to be a bit of confusion about exactly what this software offers over the standard SSH. Hopefully I can help clear it up a bit.

    • Licensing

      SSH1 comes with a license which is rather ambiguous about commercial use. The most common interpretation is that it's OK to use it commercially so long as one isn't making a profit directly off it. (e.g. charging people for the software.) SSH2 is much clearer-- in order to use SSH2 in a business you must use the closed-source, $400-a-server version from DataFellows.

      Here is the vague portion of the SSH1 license:

      Companies are permitted to use this program as long as it is not used for revenue-generating purposes. For example, an Internet service provider is allowed to install this program on their systems and permit clients to use SSH to connect; however, actively distributing SSH to clients for the purpose of providing added value requires separate licensing.

    • Compatibility

      SSH2 clients cannot talk to SSH1 servers. This was by design in an attempt to drive people to upgrade to the new protocol. SSH1 clients are able to talk to SSH2 servers.

    • Patents

      The IDEA (default) algorithm is patented and requires a license to use commercially. The RSA algorithm is also patented, but that patent has either expired or is about to expire. If one can find a copy of "rsaref", formerly offered freely from RSA's FTP site, then one can use it instead of the internal RSA algorithm to work around this little hurdle.

    One reason there is demand for another implementation of the SSH protocol is so that people in small businesses can continue to use SSH while still maintaining access to the source code and also staying $400/server closer to being profitable.

    Given the incompatibility of the clients, upgrading from SSH1 to SSH2 requires a flag day upon which day every client and server must be simultaneously upgraded to SSH2. Trying to upgrade in stages results in those with SSH2 unable to connect to SSH1 servers. It is possible to install both versions of the client, but the user will have to be the one "failing over" to the other version. Irritating at best, costly and time-consuming at worst.

    For more information about SSH implementations, check out the Open Directory Project's SSH Category.

  4. Re:Good to avoid dumb US laws by Forward+The+Light+Br · · Score: 4

    DISCLAIMER: I do not support this law, I just want to explain it.

    Seriously, why does the US even bother with cryptographic export laws when many other countries can ship products that contain the same
    strength encryption as they are trying to keep locked up?

    the theory goes, that much of the crypto (and generally, much of the research in areas restricted by this law) reseach in this country is sponsored at least partly by the federal government, the development of crypto entirely in the private sector is a new developement (as opposed to simply implementing it, which has been private sector for a while)

    The federal government did not want to fund research that could come back to haunt them in terms of inhibiting SIGINT obtained overseas from being useable.

    Realize that this is an old law, and the crypto battle between the Soviets and the US was very active for much of the last 50 years.

    Even now, the US government has an interest in trying to prevent strong crypto from existing outside this country, and in point of fact, most currently existing crypto DOES originate from inside US borders (SSH included)

    the only caveat is that the US Judicial branch has ruled that the federal government had better have a very compelling reason to inhibit written speach. To legislate prior restraint is almost impossible...

    to keep the law constitutional, written algorithms were exempted from the law.

    That is how PGP got outside the US, and how OpenSSH was able to exist.

    Even if some crypto is leaking out, the USG has a compelling interest in trying to read foreign SIGINT.

    I think they should just invest more money in finding ways to break the codes, as that is likely to be more effective, but I fault them more for their methods than their motives...

    -RS
    We are all in the gutter, but some of us are looking at the stars --Oscar Wilde

    --

    Grrr. my nick is "Forward the Light Brigade"...
  5. Perhaps you should have kept quiet... by Phil+Hands · · Score: 5

    no warning:

    The package tells you exactly what is going on using the shiny new debconf tool to put a nice dialog box up to ask you if you want to continue, or give you the chance to install ssh-nonfree instead.

    Coerced:

    As the Debian maintainer of both ssh (OpenSSH) and ssh-nonfree (the non-free ssh) I can tell you that the decision was mine. (I did check that nobody from the OpenSSH team minded)

    My decision was based on the fact that Debian does not consider non-free software to be part of the distribution, so if there is a free and a non-free implementation of a package, the free one gets the name because its actually part of the distribution.

    I've got nothing against ssh-nonfree (otherwise I wouldn't have maintained a Debian package of it for years) and I really appreciate the fact that Tatu wrote it, and allowed us all to use it. It just happens to be non-free, so the DFSG free alternative gets priority in our case.

    I hope that clears things up.

    Cheers, Phil.

    --

    Debian: GNU/Linux done the Linux way