OpenSSH Turns Five Years Old
heydrick writes "The OpenSSH project is five years old. Project member Damien Miller
writes, 'Five years ago, in late September 1999, the OpenSSH project was started. It began with an audit, cleanup and update of the last free version of Tatu Ylonen's legacy ssh-1.2.12 code. The project quickly gathered
pace, attracting a portability effort and, in early 2000, an independent
implementation of version 2 of the SSH protocol. Since then, OpenSSH
has led in the implementation of proactive security techniques such as
privilege separation & auto-reexecution.' Yaa for OpenSSH."
This story turns 8 months old (Score:5, Informative)
Actually.. (Score:5, Insightful)
No.
Re:Actually.. (Score:1, Interesting)
Re:Actually.. (Score:1)
Re:Actually.. (Score:1)
Re:Actually.. (Score:3, Funny)
maybe they never existed...
Re:Actually.. (Score:1)
Maybe we're all posting on a website, but it's really a computer. Huh?
Re:Actually.. (Score:3, Funny)
Maybe we're all posting on a website, but it's really a computer. Huh?
A website that really exists only as a computer process. Wow. That's deep.
Re:Actually.. (Score:2)
Re:Actually.. (Score:1)
That's a terrific idea, I wish I had thought of that.
Re:Actually.. (Score:1)
That's a terrific idea, I wish I had thought of that.
You did. Wow, that's deep, and possibly recursive. Now, we can only hope the thread is reentrant-safe. :)
Re:Actually.. (Score:1)
I have had a picnic with timothy before. Yes, a picnic. At the Pink House. The Pink House is gone now :-(. Timothy gave me his speaker stands in exchange for a Voodoo3. That was the best trade ever, until my brother broke the polycarbonate rings. Bastard. Timothy gave me a Socket 7 board and a 500MHz K6-2 that he didn't need; I used it for years. Timothy is awesome.
I met jeff covey and daniel from freshmeat too. And I even met roblimo at a LUG meeting (slashdot ended up interviewing me when I was a loser
The editors.. (Score:2)
Just wait for your promotion.
Re:Actually.. (Score:1)
Re:Actually.. (Score:2)
No.
I like to trot out this link in cases like this.
Slashdot editors used to verify stories [slashdot.org]
Re:Actually.. (Score:2)
Seems like only yesterday!!
Re:This story turns 8 months old (Score:1)
Re:This story turns 8 months old (Score:2, Insightful)
Re:This story turns 8 months old (Score:3, Funny)
Re:This story turns 8 months old (Score:1)
What? (Score:1, Redundant)
Re:What? (Score:3, Informative)
That marked the OpenSSH 1.2.2 release, which was shipped with OpenBSD 2.6 on December 1, 1999.
Further...
With the OpenBSD 2.6 release out of the way, Markus Friedl decided to pursue SSH 2 protocol support. Slaving away for months, he managed to keep OpenSSH slim and lean, while at the same time managing to turn it into a single piece of software that could do both the SSH 1 and SSH 2 protocols. This version, call
Re:What? (Score:2)
Re:happy birthday SSH! (Score:2)
Thanks... (Score:4, Insightful)
Re:Thanks... (Score:1)
AHHHH.... (Score:1)
What I use tunneling (putty) for is vnc and other services. I just tunnel my remote (login from) host ports through the login and into the localhost (login into).
Now what is SOCKS5 proxy, Dynamic tunneling?
Thx
On another similar topic. I've been trying to tunnel on an old Mac 9.2. It has MacSSH. My ssh server uses SSH2. I can login to the server using putty, linux, and even Mac OS X. But even though I can login to the campus SSH2 (from there I can go to mine), I c
Re:AHHHH.... (Score:2)
Re:Thanks... (Score:1)
People just can't be trusted to police themselves at work.
-Scott
Re:Thanks... (Score:2)
Re:Thanks... (Score:2)
I also hear a lot of "well I can just ssh to my home machine and do x, y, and z" which is great until something happens (child porn is found on a library computer thanks to ssh and squid) and policies are suddenly changed and port 22 is blocked all over the place.
I'm hoping the above doesn't happen but I'm kinda
Re:Thanks... (Score:2)
If a user can log in to a system behind your firewall then they can access stuff behind your firewall unless you take specific action to stop them (i.e. local firewalls with user restriction).
Re:Thanks... (Score:1)
5 years since the first *release* (Score:5, Informative)
Re:5 years since the first *release* (Score:1)
Re:5 years since the first *release* (Score:2)
15-June is "Happy Release The Code Day".
Nah (Score:2)
5 years since OpenSSH 2.0 (Score:4, Informative)
Re:Uh (Score:2, Funny)
Re:Yaa? (Score:2, Funny)
But without the proper spelling.
Re:Yaa? (Score:3, Funny)
So you consider "misspelling" a complicated word then I guess?
Re:Yaa? (Score:2)
But I knew I was going to do something like that. Heh.
ssh -L 5902:happy:5901 birthday (Score:1)
Re:ssh -L 5902:happy:5901 birthday (Score:2)
auto-reexecution? (Score:2)
Re:auto-reexecution? (Score:5, Informative)
From the Changelog for OpenSSH 3.9:
Hope this helps. :)
Re:auto-reexecution? (Score:2)
What it means is that a new copy of sshd is exec'ed for each connection after the master sshd fork()s to handle the connection. Previously, the forked sshd would just handle the whole session. It starts off as a literal copy of the address space of the parent and stays very similar throughout its life.
Now should there be some kind of vulnerability in sshd, an attacker can connect, get a new fork()ed copy of the master sshd and attempt to guess whatever they nee
Re:auto-reexecution? (Score:2)
I was afraid it was something like this: OpenBSD is clearly completely on the wrong path when it comes to security.
OpenSSH (Score:3, Informative)
So hats off to OpenSSH, y'all. :)
Awesome software (Score:3, Interesting)
Kudos!
Re:Awesome software (Score:1)
Yeah, but how many Linux users give credit to either the Linux kernel hackers or to Red Hat for OpenSSH? "Hey, this Linux is awesome! I can telnet home from anywhere!"
Re:Awesome software (Score:2)
Cool... (Score:2)
1) I wish I could control what forwarding can occur in the config file on the server. Access lists would be great here.
Currently I do this by having the system in the DMZ and applying an access list to the entire user population.
2) I wish I had the ability to log which users opened what tunnels where.
Even so this a great application and I use it every day.
Grats on making it 5 years with
Re:Cool... (Score:1, Informative)
If you use public-key authentication (and users don't have r/w access to the ~/.ssh/authorized_keys file), you can put restrictions on what each key can forward to.
Re:Cool... (Score:1)
The sshd manual page [openbsd.org] has a section named "AUTHORIZED_KEYS FILE FORMAT" that has details on the format of what goes in $HOME/.ssh/authorized_keys and what options are supported.
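The two replies above point at the per-key options in authorized_keys (no-port-forwarding, permitopen=, from=, command=) as the server-side answer to "control what forwarding can occur". The following audit script is an added example, not code from the thread or from the OpenSSH project: it parses an authorized_keys file with the quoting rules from the sshd manual page (options are comma-separated, and a double-quoted value may itself contain commas) and lists every key that is still allowed unrestricted port forwarding. The sample file is constructed for the example; the `restrict` option it recognises was added to OpenSSH long after this thread and is included so the check also works on current files.

```python
import re
from dataclasses import dataclass, field

# Key types that can begin an entry; anything else in the first field is options.
KEY_TYPE_PREFIXES = ("ssh-", "ecdsa-", "sk-")


@dataclass
class AuthorizedKey:
    options: dict = field(default_factory=dict)  # option name -> list of values (True for flags)
    key_type: str = ""
    comment: str = ""
    line_no: int = 0


def parse_options_field(line):
    """Consume the options prefix of an entry up to the first unquoted blank.

    Returns (options, rest). A double-quoted value may contain commas and
    backslash-escaped quotes, which is why a plain split(',') is not enough."""
    options, i, n = {}, 0, len(line)
    while i < n:
        j = i
        while j < n and line[j] not in ",= \t":
            j += 1
        name, value = line[i:j].lower(), True
        if j < n and line[j] == "=":
            j += 1
            if j < n and line[j] == '"':          # quoted value: read to the closing quote
                j += 1
                buf = []
                while j < n and line[j] != '"':
                    if line[j] == "\\" and j + 1 < n:
                        j += 1                    # keep the escaped character literally
                    buf.append(line[j])
                    j += 1
                value = "".join(buf)
                j += 1                            # skip the closing quote
            else:                                 # bare value: read to comma or blank
                k = j
                while k < n and line[k] not in ", \t":
                    k += 1
                value, j = line[j:k], k
        if name:
            options.setdefault(name, []).append(value)
        if j < n and line[j] == ",":
            i = j + 1                             # another option follows
            continue
        i = j                                     # unquoted blank: options end here
        break
    return options, line[i:].lstrip()


def parse_line(line, line_no=0):
    """Return an AuthorizedKey for one entry, or None for blank/comment lines."""
    stripped = line.strip()
    if not stripped or stripped.startswith("#"):
        return None
    if stripped.startswith(KEY_TYPE_PREFIXES):
        options, rest = {}, stripped
    else:
        options, rest = parse_options_field(stripped)
    parts = rest.split(None, 2)
    if len(parts) < 2 or not parts[0].startswith(KEY_TYPE_PREFIXES):
        raise ValueError(f"line {line_no}: malformed authorized_keys entry")
    comment = parts[2] if len(parts) > 2 else ""
    return AuthorizedKey(options, parts[0], comment, line_no)


def forwarding_restricted(key):
    """True if this key cannot open arbitrary forwarded connections."""
    o = key.options
    if "restrict" in o and "port-forwarding" not in o:
        return True                               # restrict disables forwarding unless re-enabled
    if "no-port-forwarding" in o:
        return True
    if "permitopen" in o:
        return True                               # forwarding limited to the listed host:port pairs
    return False


def audit(text):
    """Return [(line_no, label)] for every key that may forward anywhere."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        key = parse_line(line, n)
        if key is not None and not forwarding_restricted(key):
            findings.append((n, key.comment or key.key_type))
    return findings


# Constructed sample file for the example (keys are placeholders, not real keys).
SAMPLE = """\
# sample authorized_keys
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDexample1 alice@laptop
no-port-forwarding,no-X11-forwarding,command="/usr/bin/backup" ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDexample2 backup@nas
permitopen="10.0.0.5:5901",from="192.0.2.0/24,203.0.113.7" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExample3 bob@desk
restrict,port-forwarding ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExample4 carol@vm
"""

if __name__ == "__main__":
    for line_no, label in audit(SAMPLE):
        print(f"line {line_no}: {label} may forward to any host")
```

Run against a real file with `audit(open(path).read())`. The check only looks at the key options; a user who can edit their own authorized_keys can remove them, which is why the earlier reply makes the file read-only to its owner.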
Re:Cool... (Score:3, Informative)
therefore you should be able to control them with iptables user matching
Re:Cool... (Score:3, Interesting)
SSH is wonderful, and yet users still don't get it (Score:3, Informative)
I love ssh. I use it everyday.
Where I used to work (I quit 2 months ago) it was a constant battle to get users to use ssh instead of telnet. Yes, that's right, telnet. When I first started working there, a little over a year ago, I was shocked to discover that thousands (no exaggeration) of developers were still using telnet to access unix hosts.
When I asked my manager about this, his explanations ranged from "that is how they have always worked" to "some of them just don't know how to use ssh."
When I spoke to the users themselves they just could not understand what is wrong with telnet.
Of course, I should point out that this is also a company that suffered a massive data theft (something like 90,000 email addresses) last year...
Re:SSH is wonderful, and yet users still don't get (Score:3, Insightful)
Manager: "some of them just don't know how to use ssh."
You: "{manager}, Telnet is a huge security risk and it is only a matter of time before we are screwed royally by this. I recommend that we plan on disabling telnet in the near future on all hosts. Before that time, I will send out an E-Mail to all affected staff with instructions for use and notification of when telnet services will be disabled. I think this is a good idea, what do you think?"
After
telnet can be reasonably secure (Score:1)
Re:SSH is wonderful, and yet users still don't get (Score:5, Insightful)
Never mind that telnet/rsh have no security at all, apparently if security exists, it has to be "approved". Now, I don't dispute the idea of having validated security, but I do dispute the claim that no security at all is preferable.
It also neglects the fact that SSH is merely the program, that the encryption algorithm used is AES, which is most certainly a FIPS standard.
In other words, it's not just that "users don't get it" - although that is often the case. The problem is also malignant attitudes in management that regard total insecurity as politically more acceptable.
IMHO, if management enacts a policy that cripples security or eliminates it entirely, then management should be culpable. Encryption may be explicitly covered by FIPS, but that doesn't mean insecurity should be an acceptable standard for anyone.
In the case described by the parent post, that of users not knowing how to use SSH, fine. Mandate that all computers use host-to-host IPSec. The users then don't need to know a damn thing, but the connections are just as secure.
In other words, ignorance can sometimes be an excuse, but this isn't one of those times, as all it would take is ticking a checkbox under Windows and not doing a whole lot more under Linux. They can remain blissfully ignorant, continue to be stupid, but still remain perfectly safe.
IPSec and SSH are not just good ideas, they SHOULD be the lore. (Not law, just lore. Though making telnet a crime might not be such a bad idea...)
Re:SSH is wonderful, and yet users still don't get (Score:2)
My strategy for getting rid of telnet has been to disable it on all new hosts (easy since it's disabled out of the box on new SuSE and RedHat installs). Then when people complain I go and show them how port forwarding works with X-windows and when they realize that they don't have to run xhost and set their display environment variable if they're us
Re:SSH is wonderful, and yet users still don't get (Score:2)
Re:SSH is wonderful, and yet users still don't get (Score:2)
Re:SSH is wonderful, and yet users still don't get (Score:1)
Re:SSH is wonderful, and yet users still don't get (Score:2)
Isn't ssh almost exactly the same as telnet in terms of the interface?
I really don't see how anyone could claim that using one is harder than the other. Or that they don't want to learn something they already know.
Re:SSH is wonderful, and yet users still don't get (Score:2)
Telnet doesn't copy any environment variables over, as it -is- a terminal emulator, and not a shell environment. SSH handles things like the display, but would be capable of passing any environment over.
SSH can be placed in the background - you are really not advised to do that with Telnet. :)
Last, but not
Re:SSH is wonderful, and yet users still don't get (Score:1)
Re:SSH is wonderful, and yet users still don't get (Score:2)
Security should, indeed, be verified and made safe, but that does not mean total insecurity at all levels should be accepted as the path of least resistance. When a bar has been raised, it is often easier and quicker to just walk round it and make no effo
Re:SSH is wonderful, and yet users still don't get (Score:4, Insightful)
Sure you _should_ use encrypted protocols, but when you look at a real-world network, it's full of NFS, SMB, FTP, SMTP, IMAP, HTTP, RPC, 5250/3270 and a gazillion other things that pass sensitive information in plaintext. Telnet is just the tip of the iceberg and the easiest to replace. Ultimately one should be looking at IPSec or VPN rather than making a big deal about SSH vs Telnet.
Now, if you are typing a root password onto an Internet host, that's another story, but I sincerely hope you don't have thousands of developers with root access somewhere.
Re:SSH is wonderful, and yet users still don't get (Score:2)
Re:SSH is wonderful, and yet users still don't get (Score:2)
Don't know how? You could probably 'ln -s
Seriously, instead of
telnet me@host
do
ssh me@host
For the trivial case it's a drop in replacement.
Re:SSH is wonderful, and yet users still don't get (Score:1)
Re:SSH is wonderful, and yet users still don't get (Score:2)
Re:SSH is wonderful, and yet users still don't get (Score:2)
Typo (Score:1, Funny)
Here's some dots to use in the future:
OpenSSH, seriously laggy mailservers (Score:1)
A much needed feature (Score:2)
LoginFailureTracking On
LoginFailureAttempts 3
LoginFailureShell "/sbin/iptables -I INPUT -s %1 -j DROP"
Oh, I need this or something like:
InvalidUserLockoutCount 3
InvalidUserLockoutByIP yes
InvalidUserLockoutResetSeconds 120
Or, does anyone do something similar using a log watching program? I would really like to know, now that I have SSH firewalled off so restrictively and my open boxes get more than 1,000 invalid user hits per day.
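The "log watching program" asked about above, as an added example that is not part of the thread: it reads sshd syslog lines, counts "Invalid user" messages per source address inside a sliding time window (the InvalidUserLockoutCount / InvalidUserLockoutByIP / InvalidUserLockoutResetSeconds knobs the post wishes for), and renders the firewall rule a reviewer would apply rather than running it. The log lines are constructed for the example; the year is assumed because syslog timestamps carry none, and the lines are assumed to arrive in log order.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# sshd logs one "Invalid user" line per attempt; the later
# "Failed password for invalid user ..." line repeats the same attempt,
# so only the first form is counted to avoid double counting.
INVALID_USER_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Invalid user (?P<user>\S+) from (?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
)


def parse_event(line, year=2004):
    """Return (timestamp, user, source_ip) for an invalid-user line, else None."""
    m = INVALID_USER_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["user"], m["ip"]


def detect_bruteforce(lines, threshold=3, window_seconds=120, year=2004):
    """Return [(ip, tripped_at)] for each source that produced `threshold`
    invalid-user attempts within any `window_seconds` span.

    threshold      ~ InvalidUserLockoutCount
    per-IP keying  ~ InvalidUserLockoutByIP
    window_seconds ~ InvalidUserLockoutResetSeconds"""
    recent = defaultdict(deque)   # ip -> timestamps still inside the window
    tripped = {}                  # ip -> time the threshold was first reached
    for line in lines:
        ev = parse_event(line, year)
        if ev is None:
            continue
        ts, _user, ip = ev
        q = recent[ip]
        q.append(ts)
        while q and (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()           # drop attempts older than the window
        if len(q) >= threshold and ip not in tripped:
            tripped[ip] = ts
    return sorted(tripped.items(), key=lambda kv: kv[1])


def block_rules(findings, chain="INPUT"):
    """Render the rule from the post's LoginFailureShell idea; nothing is executed here."""
    return [f"iptables -I {chain} -s {ip} -j DROP" for ip, _ in findings]


# Constructed sample log (addresses are documentation ranges, not real hosts).
SAMPLE_LOG = """\
Sep 28 10:01:02 bastion sshd[1234]: Invalid user admin from 198.51.100.23
Sep 28 10:01:05 bastion sshd[1235]: Invalid user test from 198.51.100.23
Sep 28 10:01:07 bastion sshd[1236]: Accepted publickey for alice from 192.0.2.10 port 50022 ssh2
Sep 28 10:01:09 bastion sshd[1237]: Invalid user oracle from 198.51.100.23 port 4023
Sep 28 10:01:09 bastion sshd[1237]: Failed password for invalid user oracle from 198.51.100.23 port 4023 ssh2
Sep 28 10:05:00 bastion sshd[1240]: Invalid user guest from 203.0.113.9
Sep 28 12:00:00 bastion sshd[1300]: Invalid user admin from 203.0.113.9
"""

if __name__ == "__main__":
    hits = detect_bruteforce(SAMPLE_LOG.splitlines())
    for ip, when in hits:
        print(f"{ip} reached the threshold at {when}")
    for rule in block_rules(hits):
        print("would apply:", rule)
```

Keying on the source address is what the post asks for, but one address can be a whole campus behind NAT, so the rules are rendered for review and a short ResetSeconds window limits how long a shared address stays affected.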
Re:Ettercap team claim SSH / SSL is easy crackable (Score:1, Informative)
Re:Ettercap team claim SSH / SSL is easy crackable (Score:3, Interesting)
Re:Ettercap team claim SSH / SSL is easy crackable (Score:2, Informative)
Re:Ettercap team claim SSH / SSL is easy crackable (Score:1)
Re:Ettercap team claim SSH / SSL is easy crackable (Score:4, Informative)
256-bit AES uses 14 rounds with a 128-bit key in each round. Rather than generating the 1792-bit key schedule from the 256-bit key, you could just use a 1792-bit key. The speed would be the same as 256-bit AES. But don't expect it to be much more secure.
Most likely the cipher isn't the weakest point anyway. If you want to have 256 bits of entropy in your password you need approximately 42 random characters.
They are also trying to get publicity. (Score:5, Informative)
Re:in related news.... (Score:1, Funny)
I think that means the end of its "Leakage and Puncture Warranty" then.
Re:I've been SSHGuru for 13 years (Score:3, Insightful)