
OpenSSH Turns Five Years Old

CmdrTaco posted more than 9 years ago | from the edoc-eht-kaerb dept.

Security 146

heydrick writes "The OpenSSH project is five years old. Project member Damien Miller writes, 'Five years ago, in late September 1999, the OpenSSH project was started. It began with an audit, cleanup and update of the last free version of Tatu Ylonen's legacy ssh-1.2.12 code. The project quickly gathered pace, attracting a portability effort and, in early 2000, an independent implementation of version 2 of the SSH protocol. Since then, OpenSSH has led in the implementation of proactive security techniques such as privilege separation & auto-reexecution.' Yaa for OpenSSH."


This story turns 8 months old (5, Informative)

Anonymous Coward | more than 9 years ago | (#12729882)

And it's a dupe [slashdot.org], too. Remember when editors actually read submissions?

Actually.. (5, Insightful)

backslashdot (95548) | more than 9 years ago | (#12729889)

Remember when editors actually read submissions?

No.

Re:Actually.. (1, Interesting)

Anonymous Coward | more than 9 years ago | (#12729936)

Looks like they didn't even read the summary: 5 years ago was not September 1999.

Re:Actually.. (0)

Anonymous Coward | more than 9 years ago | (#12730602)

Looks like you didn't read the parent.

Re:Actually.. (1)

markwalling (863035) | more than 9 years ago | (#12731048)

4.5 years ago

Re:Actually.. (0, Troll)

theslak (875840) | more than 9 years ago | (#12730263)

yeah I think if you really wanna know the origins of openssh in detail read this [myphotos.cc].

Re:Actually.. (3, Funny)

KillShill (877105) | more than 9 years ago | (#12730404)

has anyone ever actually seen the editors?

maybe they never existed...

Re:Actually.. (1)

Profane MuthaFucka (574406) | more than 9 years ago | (#12730750)

This is like that one Star Trek where they're inside an asteroid, and their god is actually a computer. Or the one where they are on a planet and their god Vol is actually a computer. Or the one where the chick touches you and kills you, and it turns out that she's really just a computer. Or the Archons, which are actually just computers.

Maybe we're all posting on a website, but it's really a computer. Huh?

Re:This story turns 8 months old (1)

My Iron Lung (834019) | more than 9 years ago | (#12729892)

And it seems to me, September 1999 was almost 6 years ago.

Emailed daddypants (0)

Anonymous Coward | more than 9 years ago | (#12729903)

And nothing. Maybe "daddy" should start wearing his "pants"?

Re:This story turns 8 months old (2, Insightful)

Edzor (744072) | more than 9 years ago | (#12729941)

The editors read submissions?

Re:This story turns 8 months old (2, Funny)

Basje (26968) | more than 9 years ago | (#12730289)

Editors? I always thought it was just a computer that selected submissions randomly, and then inserted a few spelling errors.

Re:This story turns 8 months old (1)

larry bagina (561269) | more than 9 years ago | (#12730815)

Yes ... [bbspot.com]

Re:This story turns 8 months old (0)

Anonymous Coward | more than 9 years ago | (#12730889)

I heard somebody started developing a program to avoid this when slashdot was started, called Dupe'nukem forever.

Re:This story turns 8 months old (1)

Acid-Duck (228035) | more than 9 years ago | (#12730950)

This is definitely a dupe. From:

http://www.theage.com.au/articles/2004/09/28/1096137217294.html?oneclick=true [theage.com.au]

You can read:

"Miller joined the project in October 1999, just a month or so after it began [...]"

from the second paragraph.

PS: Hooray for democracy (as it exists on slashdot) they finally removed that freakin IMAGE-TO-TEXT app after too many people complained about it :)

Erik

What? (1, Redundant)

TerminaMorte (729622) | more than 9 years ago | (#12729887)

Five years? It's not September.... how is this news?

Re:What? (2, Informative)

suitepotato (863945) | more than 9 years ago | (#12729958)

TFA is insufficient and history can be found here: http://www.openssh.com/history.html/ [openssh.com].

That marked the OpenSSH 1.2.2 release, which was shipped with OpenBSD 2.6 on December 1, 1999.

Further...

With the OpenBSD 2.6 release out of the way, Markus Friedl decided to pursue SSH 2 protocol support. Slaving away for months, he managed to keep OpenSSH slim and lean, while at the same time managing to turn it into a single piece of software that could do both the SSH 1 and SSH 2 protocols. This version, called OpenSSH 2.0, shipped with OpenBSD 2.7 on June 15, 2000.

That would make it over five years old, much older if you count the groundwork laid with OSSH, and 2.0 is coming up on its fifth birthday.

I use ports of it with public key authentication on Windows and Linux. I salute the people who've worked so hard on making and keeping this going. OpenSSH is at the top of my "must have working or it's a no-go" list of tools for remote access and security.

Yaa (-1, Troll)

Anonymous Coward | more than 9 years ago | (#12729890)

What the fuck is Yaa?

It's the sound (-1, Troll)

Anonymous Coward | more than 9 years ago | (#12729918)

CmdrTaco makes with a penis in his mouth.

BURRRNNNN

happy birthday SSH! (0, Flamebait)

xWastedMindx (636296) | more than 9 years ago | (#12729891)

Happy Birthday OpenSSH!! :D

Re:happy birthday SSH! (1)

Rei (128717) | more than 9 years ago | (#12730007)

"Unfortunately, the fifth birthday turned sour as the developers proved unable to provide the pony ride that it wanted at its party, and it stormed out of the room crying."

Re:happy birthday SSH! (0)

Anonymous Coward | more than 9 years ago | (#12730185)

"...it then ran outside and promptly fell into a well."

Poor kid.

Thanks... (4, Insightful)

Anonymous Coward | more than 9 years ago | (#12729908)

For the awesome tool. Ssh, scp, and ssh tunnels are an integral part of how I accomplish things at work, and how I bypass corporate firewalls to use bittorrent. Thanks for the outstanding work.

Re:Thanks... (1)

orlanz (882574) | more than 9 years ago | (#12729977)

How do you use ssh (tunneling?) to bypass corporate firewalls?

Re:Thanks... (0)

Anonymous Coward | more than 9 years ago | (#12730033)

Putty's Dynamic tunneling allows it to act as a SOCKS5 proxy via your external SSH server.

So, you connect to your SSH server (on port 80 or 443 if necessary) with the dynamic tunnel acting as a SOCKS5 proxy, then tell your applications to use the fairly standard SOCKS5 proxy running on localhost.

Re:Thanks... (0)

Anonymous Coward | more than 9 years ago | (#12730074)

Why not just run a commandline bittorrent on your remote host? Proxying stuff over SSL has to be slower.

Re:Thanks... (0)

Anonymous Coward | more than 9 years ago | (#12730100)

Well, I don't use it for bittorrent, but was just explaining how one can use it.

AHHHH.... (1)

orlanz (882574) | more than 9 years ago | (#12730283)

Ok... more questions arose from one :(

What I use tunneling (putty) for is vnc and other services. I just tunnel my remote (login from) host ports through the login and into the localhost (login into).

Now what is SOCKS5 proxy, Dynamic tunneling?

Thx

On another similar topic. I've been trying to tunnel on an old Mac 9.2. It has MacSSH. My ssh server uses SSH2. I can login to the server using putty, linux, and even Mac OS X. But even though I can login to the campus SSH2 (from there I can go to mine), I can't seem to get to my ssh2 directly. No matter what I try! Any Mac users out there?

Re:AHHHH.... (0)

Anonymous Coward | more than 9 years ago | (#12730333)

If you use Putty, and you go into Connection > SSH > Tunnels, you can add a new forwarded port. To set up a SOCKS5 proxy/dynamic tunnel, put in a source port (1080 is pretty standard for SOCKS5), leave the destination blank, then click add. Save/open this session and login. Now, in an application that supports SOCKS5 proxies, like a web browser, set the SOCKS host to 127.0.0.1, and the port to 1080. Now all access will be done over your SSH tunnel proxy. The advantage is that you don't need to set up multiple ports.

Re:Thanks... (1)

ilyanep (823855) | more than 9 years ago | (#12730013)

So...what are you downloading on bt that you'd need to bypass a firewall? ;)

Re:Thanks... (0)

Anonymous Coward | more than 9 years ago | (#12730027)

The reason I want to use BT at work is to leech off the awesome bandwidth it has. If I tunnel to some other host without as much bandwidth, what point do I have. Uh, hypothetically speaking of course. But of course if someone can give me a pointer to how to bypass blocking of bt ports, I'll be a much happier man at "work". *Remembers to check the Post Anonymously checkbox*

Re:Thanks... (0)

Anonymous Coward | more than 9 years ago | (#12730080)

I'm also a gnaa member. :D

Re:Thanks... (1)

PenguinBoyDave (806137) | more than 9 years ago | (#12730072)

I consider SSH to be a VITAL part of the tool package I rely on. SCP is the other. Whether this story is old or not, I'll wish them happy birthday...who cares if it is a dupe.

Re:Thanks... (1)

gad_zuki! (70830) | more than 9 years ago | (#12730606)

and that is SSH's biggest problem - no one implements it properly. I can't begin to count the number of servers with nice firewalls that let users ssh tunnel to ports they shouldn't have access to.

I also hear a lot of "well I can just ssh to my home machine and do x, y, and z" which is great until something happens (child porn is found on a library computer thanks to ssh and squid) and policies are suddenly changed and port 22 is blocked all over the place.

I'm hoping the above doesn't happen but I'm kinda waiting for the hammer to fall once people understand how powerful ssh tunnels are. On the bright side, it hasn't happened yet, but I'm still concerned about the promiscuous port forwarding for low-priv users.

Re:Thanks... (1)

petermgreen (876956) | more than 9 years ago | (#12730951)

If they have shell access then they could just use a separate app to forward the data. ssh's built-in port forwarding doesn't really let you do anything you couldn't do other ways.

If a user can login to a system behind your firewall then they can access stuff behind your firewall unless you take specific action to stop them (i.e. local firewalls with user restrictions).

in related news.... (-1, Offtopic)

Anonymous Coward | more than 9 years ago | (#12729909)

CmdrTaco's boyfriend also turned 5 years old. To celebrate by, Taco is giving him a meat popsicle to suck on.

Re:in related news.... (-1, Flamebait)

Anonymous Coward | more than 9 years ago | (#12730025)

I'm sorry. I fear my latent homosexuality and I get my frustrations out by launching slurs against other men.

Re:in related news.... (-1, Troll)

Anonymous Coward | more than 9 years ago | (#12730039)

You must embrace the penis. Go downtown now to a gay bookshop and start atoning for your sins.

Re:in related news.... (-1, Troll)

Anonymous Coward | more than 9 years ago | (#12730948)

your fears are perfectly understandable. After all, you're a five year old boy and CmdrTaco has been violating you for as long as you can remember.

Re:in related news.... (0, Troll)

JeiFuRi (888436) | more than 9 years ago | (#12730124)

Be quiet you heterophobe.

Re:in related news.... (1, Funny)

Anonymous Coward | more than 9 years ago | (#12730177)

CmdrTaco's boyfriend also turned 5 years old.

I think that means the end of its "Leakage and Puncture Warranty" then.

5 Years Old 8+ MONTHS AGO! (-1, Redundant)

Anonymous Coward | more than 9 years ago | (#12729917)

Using Google cache, from Sun-Help web site:

Happy Birthday, OpenSSH! Posted by Bill Bradford on Sep 27, 2004 The OpenSSH Project turns five years old today. From their news release:

Five years ago, in late September 1999, the OpenSSH project was started. It began with an audit, cleanup and update of the last free version of Tatu Ylonen's legacy ssh-1.2.12 code. The project quickly gathered pace, attracting a portability effort and, in early 2000, an independent implementation of version 2 of the SSH protocol. Since then, OpenSSH has led in the implementation of proactive security techniques such as privilege separation & auto-reexecution.

5 years since the first *release* (5, Informative)

heatdeath (217147) | more than 9 years ago | (#12729923)

The project was first released as OpenSSH 5 years ago today. The project was started, however, much earlier than that.

Re:5 years since the first *release* (1)

markild (862998) | more than 9 years ago | (#12729971)

That settles it! Kind-of-happy birthday OpenSSH!? ...maybe

Re:5 years since the first *release* (1)

Nutria (679911) | more than 9 years ago | (#12730257)

That settles it! Kind-of-happy birthday OpenSSH!? ...maybe

15-June is "Happy Release The Code Day".

Nah (1)

product byproduct (628318) | more than 9 years ago | (#12730093)

In computer science 5 years is 2048 days, the closest power of two.

5 years since OpenSSH 2.0 (5, Informative)

ikkibr (848955) | more than 9 years ago | (#12729924)

From openssh.com: "With the OpenBSD 2.6 release out of the way, Markus Friedl decided to pursue SSH 2 protocol support. Slaving away for months, he managed to keep OpenSSH slim and lean, while at the same time managing to turn it into a single piece of software that could do both the SSH 1 and SSH 2 protocols. This version, called OpenSSH 2.0, shipped with OpenBSD 2.7 on June 15, 2000. Most of the checking of Markus' changes were done by Niels Provos and Theo de Raadt. Bob Beck is to be thanked for updating OpenSSL to a newer version."

Uh (0)

Anonymous Coward | more than 9 years ago | (#12729980)

Wouldn't that be in 10 days? Clearly this was a mistake by Taco.

Re:Uh (2, Funny)

caino59 (313096) | more than 9 years ago | (#12730016)

Don't worry - you'll see the dupe in 10 days.

Ettercap team claim SSH / SSL is easy crackable (-1, Offtopic)

Anonymous Coward | more than 9 years ago | (#12729930)

read their site

Re:Ettercap team claim SSH / SSL is easy crackable (0)

Anonymous Coward | more than 9 years ago | (#12729974)

No link, no article, nothing?

Insightful you are not.

Re:Ettercap team claim SSH / SSL is easy crackable (0)

Anonymous Coward | more than 9 years ago | (#12729981)

What site? Should I guess it is ettercap dot com, dot net, dot org, dot us, dot ru, dot hk, dot dot dot?

Re:Ettercap team claim SSH / SSL is easy crackable (1, Informative)

Anonymous Coward | more than 9 years ago | (#12730006)

Newsforge interview [newsforge.com]

Re:Ettercap team claim SSH / SSL is easy crackable (3, Interesting)

AndreyF (701606) | more than 9 years ago | (#12730071)

Remember when the US Federal Gov'nt was having a royal fit about encryption and then just kinda "gave up"? Unless they can crack it, they wouldn't have given up (use 4096 encryption, people!)

Re:Ettercap team claim SSH / SSL is easy crackable (2, Informative)

packetl0ss (887279) | more than 9 years ago | (#12730307)

What symmetric cipher that ssh uses even supports 4096-bit encryption? I thought bits that high were only supported for public/private keys but not the symmetric ciphers themselves. According to the ssh manual page [openbsd.org], it seems like the supported symmetric ciphers only go up to 256 bits.

Re:Ettercap team claim SSH / SSL is easy crackable (1)

AndreyF (701606) | more than 9 years ago | (#12730464)

Hm, I suppose I stand corrected. Would it be practical to have a symmetric cipher with 4094 bit encryption, or would that make things run a bit slow?

Re:Ettercap team claim SSH / SSL is easy crackable (3, Informative)

kasperd (592156) | more than 9 years ago | (#12730681)

Would it be practical to have a symmetric cipher with 4094 bit encryption, or would that make things run a bit slow?

256 bit AES uses 14 rounds with a 128 bit key in each round. Rather than generating the 1792 bit key schedule from the 256 bit key, you could just use a 1792 bit key. The speed would be the same as 256 bit AES. But don't expect it to be much more secure.

Most likely the cipher isn't the weakest point anyway. If you want to have 256 bits of entropy in your password you need approximately 42 random characters.

They are also trying to get publicity. (4, Informative)

Some Random Username (873177) | more than 9 years ago | (#12730079)

Yes, SSL and SSH are vulnerable to MITM attacks if used incorrectly. This is not news, and has been known for years. Trying to pretend this is new and interesting and "easily crackable" is dishonest.

Yaa? (0)

KillerDeathRobot (818062) | more than 9 years ago | (#12730049)

I hate to be a spelling nazi (kind of ;) but yaa? Is that supposed to be yay? Or yeah maybe?

Seriously, I can understand mispelling complicated words, but how do you not know how to spell yay?

(To be fair, "yea" is a different valid spelling that means something else.)

Re:Yaa? (1, Funny)

iamsure (66666) | more than 9 years ago | (#12730111)

Think more like Howard Dean's "YaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaH!"

But without the proper spelling.

Yaa! (0)

Anonymous Coward | more than 9 years ago | (#12730120)

Yaa're completely right! ;)

Re:Yaa? (2, Funny)

blixel (158224) | more than 9 years ago | (#12730669)

Seriously, I can understand mispelling complicated words, but how do you not know how to spell yay?

So you consider "misspelling" a complicated word then I guess?

ssh -L 5902:happy:5901 birthday (1)

dotslashdot (694478) | more than 9 years ago | (#12730068)

ssh -L 5902:happy:5901 birthday

Re:ssh -L 5902:happy:5901 birthday (0)

Anonymous Coward | more than 9 years ago | (#12730183)

Am I missing something? Is there some hidden significance to ports 5901 and 5902 that somehow makes this witty?

Re:ssh -L 5902:happy:5901 birthday (1)

DrSkwid (118965) | more than 9 years ago | (#12730218)

tunnelling vnc, don't you get it?

hmmmm... (0, Offtopic)

BungoMan85 (681447) | more than 9 years ago | (#12730094)

Anyone else notice how broken /. has been lately? Maybe it's just a false impression I'm getting based on a few incidents, or maybe I just notice it now. But it seems there's been a lot more duped stories, bot floods of comments, and entire discussions over mod points compared to even a month or two ago.

It's not you (0)

Anonymous Coward | more than 9 years ago | (#12730109)

I blame Zonk. Zonk posts a lot of dupes. While we lost michael's flamebait stories, we now see Zonk's "HEY I DON'T READ SLASHDOT, I JUST GET PAID TO CLICK BUTTONS" stories.

Re:hmmmm... (0, Offtopic)

LiquidCoooled (634315) | more than 9 years ago | (#12730286)

I noticed this as well, and put a note about it into the slash bug thingy. I was told slash was under crapflood attack. A couple of days later, the Captcha image things were put in, and it all stopped for a while. Now because of issues with the Captcha (other slash bug notices), they have apparently been removed again, and the problem has come back...

It's disconcerting to see comments and replies posted about stories you read earlier in the day. So much so, it felt more like a DB corruption than an attack, but since we must believe our slash gods, and since they appeared to stop with the Captchas, I would assume they know more than us :)

Re:hmmmm... (0)

Anonymous Coward | more than 9 years ago | (#12730997)

yeah, slashdot is being crapflooded. I tracked down the ip address and found it was CmdrTaco, et al postings all these gay stories.

John Adments, Sr. Network Consultant, VA Linux.

We need a general forum (0, Offtopic)

jpardey (569633) | more than 9 years ago | (#12730509)

If there was a general forum with no topic, then complaints could be discussed. Of course, then people could also complain about specific editors...

auto-reexecution? (1)

cahiha (873942) | more than 9 years ago | (#12730096)

Someone care to explain what OpenSSH means by that? The only mention of it seems to be with OpenSSH, and I'm pretty sure I have never needed "auto-reexecution" in order to make anything secure so far...

Re:auto-reexecution? (4, Informative)

slavemowgli (585321) | more than 9 years ago | (#12730265)

From the Changelog for OpenSSH 3.9:

Make sshd(8) re-execute itself on accepting a new connection. This security measure ensures that all execute-time randomisations are reapplied for each connection rather than once, for the master process' lifetime. This includes mmap and malloc mappings, shared library addressing, shared library mapping order, ProPolice and StackGhost cookies on systems that support such things.

Hope this helps. :)
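What that changelog entry buys is easier to see in a small experiment. The following is an added illustration written for this thread, not OpenSSH code: it compares a connection handler that is only fork()ed from a long-lived master (so every child inherits the master's address-space layout) with one that is re-executed (so the loader lays the child out afresh). It assumes a POSIX host where ctypes can resolve libc's printf, and uses that symbol's address as the observable "shared library addressing" the entry mentions; the "pre-3.9" / "3.9+" labels in the docstrings are this example's models, not sshd's actual process code.

```python
"""Why sshd re-executes itself per connection: a fork()ed child inherits the master's
address-space layout, while an exec()ed child is laid out afresh by the loader.
Added example for this thread, not OpenSSH code."""
import ctypes
import os
import subprocess
import sys

def libc_symbol_address(name="printf"):
    """Address of a libc function in *this* process; shared-library placement is one of
    the randomisations the 3.9 changelog entry lists."""
    libc = ctypes.CDLL(None)                     # the running program's global symbol table
    return ctypes.cast(getattr(libc, name), ctypes.c_void_p).value

def _run_in_forked_child(fn):
    """fork(), evaluate fn in the child and pass its integer result back through a pipe."""
    r, w = os.pipe()
    pid = os.fork()
    if pid == 0:                                 # child: same mappings as the parent
        os.close(r)
        os.write(w, str(fn()).encode())
        os._exit(0)
    os.close(w)
    data = os.read(r, 64)
    os.close(r)
    os.waitpid(pid, 0)
    return int(data)

def addresses_via_fork(n):
    """Model of a pre-3.9 sshd: the master accepts, forks, and the child serves the connection."""
    return [_run_in_forked_child(libc_symbol_address) for _ in range(n)]

def addresses_via_exec(n):
    """Model of sshd 3.9+: the child re-executes the binary, so libraries are mapped anew."""
    child = ("import ctypes; "
             "print(ctypes.cast(ctypes.CDLL(None).printf, ctypes.c_void_p).value)")
    return [int(subprocess.check_output([sys.executable, "-c", child]))
            for _ in range(n)]

def layout_is_fresh(addresses):
    """True when the children disagree about the address, i.e. randomisation was re-applied."""
    return len(set(addresses)) > 1

if __name__ == "__main__":
    forked, execd = addresses_via_fork(4), addresses_via_exec(4)
    print("master      :", hex(libc_symbol_address()))
    print("fork only   :", [hex(a) for a in forked], "fresh per child:", layout_is_fresh(forked))
    print("fork + exec :", [hex(a) for a in execd], "fresh per child:", layout_is_fresh(execd))
```

On a host with address-space randomisation enabled, the "fork only" list repeats one address while the "fork + exec" list shows a different one per child, which is exactly the property the re-exec change was made for. Running the same script with randomisation switched off for that run (on Linux, `setarch $(uname -m) -R python3 reexec.py`, where reexec.py is whatever you saved the block as) collapses both lists to a single value, a quick way to confirm whether per-connection re-exec actually changes anything on a given system.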

OpenSSH (2, Informative)

Mark_MF-WN (678030) | more than 9 years ago | (#12730112)

SSH rules -- definitely one of the triumphs of modern software development. An absolutely essential set of tools, with open standards, competing implementations, and availability on every platform conceivable.

So hats off to OpenSSH, y'all. :)

Re:OpenSSH (0)

Anonymous Coward | more than 9 years ago | (#12731037)

$ dig openssh.wideopenbsd.org txt

I've been SSHGuru for 13 years (0, Offtopic)

SSHGuru (887709) | more than 9 years ago | (#12730114)

Should I sue them for violating my stock service called SSHGuru(dot)com?

No you haven't (0)

Anonymous Coward | more than 9 years ago | (#12730214)

$ whois sshguru.com
...
Domain name: sshguru.com

Registrant Contact:
SSHGuru
Scott Weiner (Scott@SSHGuru.com)
+1.9542247201
Fax: +1.9543372927
757 SE 17th Street
#1012
Fort Lauderdale, FL 33316
US
...
Creation date: 21 Jul 2004 18:13:41
Expiration date: 21 Jul 2010 18:13:41

Not even thirteen months, let alone thirteen years. "Weiner" is so appropriate.

Re:I've been SSHGuru for 13 years (0)

Anonymous Coward | more than 9 years ago | (#12730578)

SSH 1 dates back at least to 1995 - 10 years. And it's a different field. And as sibling post has pointed out, your service certainly wasn't called SSHGuru.com back then.

Re:I've been SSHGuru for 13 years (2, Insightful)

ArbitraryConstant (763964) | more than 9 years ago | (#12730685)

No, "SSH" has been around for a long time, it predates the OpenSSH client and probably your website.

Awesome software (2, Interesting)

maelstrom (638) | more than 9 years ago | (#12730164)

Thank god that OpenBSD cares enough to make the portable version of OpenSSH. I've used OpenSSH to make my machines more secure on everything from Solaris to Linux to *BSD.

Kudos!

Re:Awesome software (1)

ignorant_coward (883188) | more than 9 years ago | (#12730205)

Yeah, but how many Linux users give credit to either the Linux kernel hackers or to Red Hat for OpenSSH? "Hey, this Linux is awesome! I can telnet home from anywhere!"

Re:Awesome software (1)

N1KO (13435) | more than 9 years ago | (#12730819)

None, because kernel hackers work on the kernel and they shouldn't get credit for openssh.

Re:Awesome software (0)

Anonymous Coward | more than 9 years ago | (#12730785)

Since it's from OpenBSD, does this mean that Linux is dying?

Cool... (1)

smkndrkn (3654) | more than 9 years ago | (#12730166)

I recently implemented OpenSSH for a remote access project and while I really like OSSH I have a few feature requests:

1) I wish I could control what forwarding can occur in the config file on the server. Access lists would be great here.

Currently I do this by having the system in the DMZ and applying an access list to the entire user population.

2) I wish I had the ability to log which users opened what tunnels where.

Even so, this is a great application and I use it every day.

Grats on making it 5 years with a quality application.

Re:Cool... (1, Informative)

Anonymous Coward | more than 9 years ago | (#12730225)

I wish I could control what forwarding can occur in the config file on the server. Access lists would be great here.

If you use public-key authentication (and users don't have r/w access to the ~/.ssh/authorized_keys file), you can put restrictions on what each key can forward to.

Re:Cool... (1)

packetl0ss (887279) | more than 9 years ago | (#12730270)

If you use public-key authentication (and users don't have r/w access to the ~/.ssh/authorized_keys file), you can put restrictions on what each key can forward to.

The sshd manual page [openbsd.org] has a section named "AUTHORIZED_KEYS FILE FORMAT" that has details on the format of what goes in $HOME/.ssh/authorized_keys and what options are supported.
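The per-key options that section describes are also the practical answer to the two forwarding worries raised earlier in the thread (the wish to control forwarding server-side, and the concern about low-privilege users tunnelling wherever they like). Below is an added Python audit script, written for this thread and not part of OpenSSH, that parses an authorized_keys file with the format's quoting rules (commas inside double quotes do not split options, and `\"` is a literal quote) and classifies each key's TCP-forwarding rights. Option semantics follow sshd(8): `no-port-forwarding` disables forwarding, `restrict` disables it together with everything else, a later `port-forwarding` re-enables it, and `permitopen`/`permitlisten` limit it to named destinations; `restrict`, `port-forwarding` and `permitlisten` were added in releases later than this 2005 discussion. The sample file is constructed, with placeholder key blobs rather than real keys. Note that these options can only narrow what the server-wide `AllowTcpForwarding` setting in sshd_config already permits.

```python
"""Audit an authorized_keys file for keys whose TCP forwarding is not restricted.
Added example, not OpenSSH code. Option semantics as documented in sshd(8)."""

# Constructed sample file (the key blobs are placeholders, not real keys).
SAMPLE_AUTHORIZED_KEYS = r"""
# constructed sample authorized_keys
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAAA alice@laptop
no-port-forwarding,no-X11-forwarding ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBBB bob@backup
permitopen="10.0.0.5:5901",permitopen="10.0.0.5:5902" ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQCCC carol@vnc
restrict,port-forwarding,from="192.0.2.0/24" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDDD dave@jump
command="/usr/local/bin/backup --mode=\"push, pull\"",restrict ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEEE erin@cron
"""

KEY_TYPE_PREFIXES = ("ssh-", "ecdsa-sha2-", "sk-ssh-", "sk-ecdsa-")

def is_key_type(token):
    return token.startswith(KEY_TYPE_PREFIXES)

def _options_end(line):
    """Index of the first unquoted whitespace: that is where the options field ends."""
    i, quoted = 0, False
    while i < len(line):
        c = line[i]
        if quoted and c == "\\":
            i += 2                                  # backslash escapes the next char in quotes
            continue
        if c == '"':
            quoted = not quoted
        elif c.isspace() and not quoted:
            break
        i += 1
    return i

def split_options(field):
    """Split the comma-separated options field. Commas inside double quotes do not split,
    \" inside quotes yields a literal quote, and the surrounding quotes are dropped."""
    opts, cur, quoted, i = [], [], False, 0
    while i < len(field):
        c = field[i]
        if quoted and c == "\\" and i + 1 < len(field) and field[i + 1] == '"':
            cur.append('"')
            i += 2
            continue
        if c == '"':
            quoted = not quoted
        elif c == "," and not quoted:
            opts.append("".join(cur))
            cur = []
        else:
            cur.append(c)
        i += 1
    if cur:
        opts.append("".join(cur))
    return opts

def parse_line(line):
    """(options_field, key_type, key_b64, comment), or None for blank, comment or malformed lines."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    if is_key_type(line.split(None, 1)[0]):
        options, rest = "", line                    # no options field on this line
    else:
        end = _options_end(line)
        options, rest = line[:end], line[end:].strip()
    parts = rest.split(None, 2)
    if len(parts) < 2 or not is_key_type(parts[0]):
        return None
    return options, parts[0], parts[1], (parts[2] if len(parts) > 2 else "")

def forwarding_status(options):
    """'disabled', 'limited' or 'unrestricted' TCP forwarding for a key, from its option list."""
    names = [o.split("=", 1)[0].lower() for o in options]
    allowed = True
    for name in names:                              # processed in order, as sshd does
        if name in ("no-port-forwarding", "restrict"):
            allowed = False
        elif name == "port-forwarding":
            allowed = True
    if not allowed:
        return "disabled"
    if any(n in ("permitopen", "permitlisten") for n in names):
        return "limited"
    return "unrestricted"

def audit_authorized_keys(text):
    """One (line number, label, status, options) tuple per key; 'unrestricted' ones are the findings."""
    report = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        parsed = parse_line(raw)
        if parsed is None:
            continue
        options_field, key_type, key, comment = parsed
        options = split_options(options_field) if options_field else []
        label = comment or f"{key_type} {key[:12]}..."
        report.append((lineno, label, forwarding_status(options), options))
    return report

if __name__ == "__main__":
    for lineno, label, status, options in audit_authorized_keys(SAMPLE_AUTHORIZED_KEYS):
        flag = "  <-- review" if status == "unrestricted" else ""
        print(f"line {lineno:>3}  {status:<12} {label}{flag}")
```

Run against a real file (`audit_authorized_keys(open(path).read())`), the "unrestricted" rows are the keys to review; "limited" rows are worth a second look to confirm the `permitopen` targets are still the intended hosts.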

Re:Cool... (2, Informative)

petermgreen (876956) | more than 9 years ago | (#12730305)

if you use privilege separation then tunnels come from the userid that created them.

therefore you should be able to control them with iptables user matching

SSH is wonderful, and yet users still don't get it (2, Informative)

Rantastic (583764) | more than 9 years ago | (#12730191)

I love ssh. I use it everyday.

Where I used to work (I quit 2 months ago) it was a constant battle to get users to use ssh instead of telnet. Yes, that's right, telnet. When I first started working there, a little over a year ago, I was shocked to discover that thousands (no exaggeration) of developers were still using telnet to access unix hosts.

When I asked my manager about this, his explanations ranged from "that is how they have always worked" to "some of them just don't know how to use ssh."

When I spoke to the users themselves they just could not understand what is wrong with telnet.

Of course, I should point out that this is also a company that suffered a massive data theft (something like 90,000 email addresses) last year...

Re:SSH is wonderful, and yet users still don't get (2, Insightful)

brsmith4 (567390) | more than 9 years ago | (#12730262)

Manager: "that is how they have always worked"
...

Manager: "some of them just don't know how to use ssh."

You: "{manager}, Telnet is a huge security risk and it is only a matter of time before we are screwed royally by this. I recommend that we plan on disabling telnet in the near future on all hosts. Before that time, I will send out an E-Mail to all affected staff with instructions for use and notification of when telnet services will be disabled. I think this is a good idea, what do you think?"

After that, your responsibility in the matter is moot.

You: Documents that you brought this issue up with your manager in the event that he/she decides not to pursue your idea, covering your ass and placing as much blame on your manager for any fuck ups that occur as a result of his/her stupidity.

If you weren't in a position to suggest such policy, then I pity you and am glad you got out of such a job.

telnet can be reasonably secure (1)

vince1 (660035) | more than 9 years ago | (#12730574)

Telnet on BSD has had encryption for at least ever since we started using it. I remember Linux did not a few years ago when we first changed to BSD but it appears that the recent Linux systems running on our ISP and on Sourceforge are now running the BSD telnet with encryption. ssh is still better because you can use dual public/private rsa/dsa keys and login without having to type a password, but as long as you are not telneting to/from a toy system that has no regard for security and does not support encryption, telnet is not so bad. We still use it a lot on our LAN. We are running all NetBSD and FreeBSD.

Re:SSH is wonderful, and yet users still don't get (4, Insightful)

jd (1658) | more than 9 years ago | (#12730619)

You think that's bad? Many Government places insist on using Telnet and RSH (with .rhosts files!) because "SSH isn't a FIPS standard".

Never mind that telnet/rsh have no security at all; apparently if security exists, it has to be "approved". Now, I don't dispute the idea of having validated security, but I do dispute the claim that no security at all is preferable.

It also neglects the fact that SSH is merely the program, that the encryption algorithm used is AES, which is most certainly a FIPS standard.

In other words, it's not just that "users don't get it" - although that is often the case. The problem is also malignant attitudes in management that regard total insecurity as politically more acceptable.

IMHO, if management enacts a policy that cripples security or eliminates it entirely, then management should be culpable. Encryption may be explicitly covered by FIPS, but that doesn't mean insecurity should be an acceptable standard for anyone.

In the case described by the parent post, that of users not knowing how to use SSH, fine. Mandate that all computers use host-to-host IPSec. The users then don't need to know a damn thing, but the connections are just as secure.

In other words, ignorance can sometimes be an excuse, but this isn't one of those times, as all it would take is ticking a checkbox under Windows and not doing a whole lot more under Linux. They can remain blissfully ignorant, continue to be stupid, but still remain perfectly safe.

IPSec and SSH are not just good ideas, they SHOULD be the lore. (Not law, just lore. Though making telnet a crime might not be such a bad idea...)

Re:SSH is wonderful, and yet users still don't get (1)

multiplexo (27356) | more than 9 years ago | (#12730695)

No kidding. And then you have idiot programs such as Oracle RAC and Veritas NetBackup which need to have .rhosts files so that they can install client software.

My strategy for getting rid of telnet has been to disable it on all new hosts (easy since it's disabled out of the box on new SuSE and RedHat installs). Then when people complain I go and show them how port forwarding works with X-windows and when they realize that they don't have to run xhost and set their display environment variable if they're using ssh -X they become ssh converts. This is good because it means that I haven't had to use my fallback position yet, which is to tell the users that we didn't have enough money to buy telnet and rsh licenses for new UNIX systems.

Re:SSH is wonderful, and yet users still don't get (1)

Spectra72 (13146) | more than 9 years ago | (#12730786)

Oracle RAC can work over ssh, the 10g install docs even specifically mention it.

Note:
This section describes how to set up user equivalence for rcp, which the Installer uses when copying Oracle software to the other cluster nodes. If you prefer, you can configure the Secure Shell (SSH) tool suite, so that the Installer uses scp instead of rcp. See the SSH documentation for information about setting up user equivalence for scp.

Re:SSH is wonderful, and yet users still don't get (1)

N1KO (13435) | more than 9 years ago | (#12730861)

In the case described by the parent post, that of users not knowing how to use SSH, fine.

Isn't ssh almost exactly the same as telnet in terms of the interface?

I really don't see how anyone could claim that using one is harder than the other. Or that they don't want to learn something they already know.

Re:SSH is wonderful, and yet users still don't get (3, Insightful)

NutscrapeSucks (446616) | more than 9 years ago | (#12730690)

Personally, I think the "OMG Telnet!" thing has gone way overboard when you are talking about internal networks.

Sure you _should_ use encrypted protocols, but when you look at a real-world network, it's full of NFS, SMB, FTP, SMTP, IMAP, HTTP, RPC, 5250/3270 and a gazillion other things that pass sensitive information in plaintext. Telnet is just the tip of the iceberg and the easiest to replace. Ultimately one should be looking at IPSec or VPN rather than making a big deal about SSH vs Telnet.

Now, if you are typing a root password onto an Internet host, that's another story, but I sincerely hope you don't have thousands of developers with root access somewhere.

Re:SSH is wonderful, and yet users still don't get (1)

dubious9 (580994) | more than 9 years ago | (#12730709)

some of them just don't know how to use ssh

Don't know how? You could probably 'ln -s /usr/bin/ssh /usr/bin/telnet' without anybody noticing much. Sure there may be "power users" of telnet, but they probably already know how to use ssh.

Seriously, instead of

telnet me@host
do
ssh me@host

For the trivial case it's a drop in replacement.

Typo (1, Funny)

Anonymous Coward | more than 9 years ago | (#12730292)

Actually the name is Tatu Ylönen.

Here's some dots to use in the future: ......

Proactive? They've got to be kidding. (0)

Anonymous Coward | more than 9 years ago | (#12730676)

Proactive?!! Others have done privsep years before OpenSSH finally got around to it, and that was only after a number of serious holes were found.

Nice to know (0)

Anonymous Coward | more than 9 years ago | (#12730851)

What I want to know is: why is it that OpenSSH's chief dependency, OpenSSL, hasn't even reached 1.0 status over these past 5 years?

OpenSSH, seriously laggy mailservers (1)

^Case^ (135042) | more than 9 years ago | (#12730982)

I got the announcement earlier today and wondered why it was dated 28 Sep 2004; a little header parsing revealed the following (email addresses altered to protect the innocent):

Received: from warr.ath.cx (70-32-9-83.frdrmd.adelphia.net [70.32.9.83])
    by shitei.mindrot.org (Postfix) with SMTP id 14EC827C188
    for <openssh-unix-announce...>;
    Sun, 5 Jun 2005 15:00:29 +1000 (EST)
Received: (qmail 30775 invoked by uid 1000); 5 Jun 2005 05:00:27 -0000
Delivered-To: unknown
Received: from suen.ed.psu.edu (146.186.175.19) by myria.szcat.lan with POP3;
    05 Jun 2005 05:00:27 -0000
Delivered-To: ...
Received: (qmail 6581 invoked from network); 28 Sep 2004 14:46:23 -0000
Received: from tr12g04.aset.psu.edu (HELO tr12n04.aset.psu.edu)
    (128.118.146.130)
    by cdr19.ed.psu.edu with SMTP; 28 Sep 2004 14:46:23 -0000

And yes, I know it's not really a laggy mailserver ;-)
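The "header parsing" the poster did by eye is a routine mail-forensics step: Received: headers are prepended by each hop, so reading them bottom-up and differencing the timestamps shows where a message sat. The following is an added Python example written for this thread (not the poster's code), using the headers quoted in the post with their folding whitespace restored as the sample input; the elided addresses are left as the poster wrote them. It also handles the one edge case these headers contain: a `-0000` zone, which `email.utils.parsedate_to_datetime` returns as a naive datetime that cannot be differenced against the `+1000` hop until it is pinned to UTC.

```python
"""Walk a message's Received: chain bottom-up and report how long each hop held the message.
Added example for this thread; not from the post's author or from OpenSSH."""
import re
from datetime import timezone
from email import message_from_string
from email.utils import parsedate_to_datetime

# The headers from the post above, with the folding whitespace the page lost restored.
# Elided addresses ("...") are left exactly as the poster wrote them.
SAMPLE_HEADERS = """\
Received: from warr.ath.cx (70-32-9-83.frdrmd.adelphia.net [70.32.9.83])
    by shitei.mindrot.org (Postfix) with SMTP id 14EC827C188
    for <openssh-unix-announce...>;
    Sun, 5 Jun 2005 15:00:29 +1000 (EST)
Received: (qmail 30775 invoked by uid 1000); 5 Jun 2005 05:00:27 -0000
Delivered-To: unknown
Received: from suen.ed.psu.edu (146.186.175.19) by myria.szcat.lan with POP3;
    05 Jun 2005 05:00:27 -0000
Delivered-To: ...
Received: (qmail 6581 invoked from network); 28 Sep 2004 14:46:23 -0000
Received: from tr12g04.aset.psu.edu (HELO tr12n04.aset.psu.edu)
    (128.118.146.130)
    by cdr19.ed.psu.edu with SMTP; 28 Sep 2004 14:46:23 -0000

"""

_BY_HOST = re.compile(r"\bby\s+([A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+)")

def _receiving_host(clause):
    """Host named after 'by'; local qmail hops ('invoked by uid') carry no hostname."""
    m = _BY_HOST.search(clause)
    return m.group(1) if m else "(local)"

def received_hops(raw_headers):
    """List of {'by', 'when', 'raw'} dicts, oldest hop first. Hops without a parsable
    timestamp are skipped; every 'when' returned is timezone-aware."""
    msg = message_from_string(raw_headers)
    hops = []
    for value in reversed(msg.get_all("Received", [])):   # bottom-most header = first hop
        value = " ".join(value.split())                    # unfold and squeeze whitespace
        if ";" not in value:
            continue
        clause, stamp = value.rsplit(";", 1)               # the date follows the last ';'
        try:
            when = parsedate_to_datetime(stamp.strip())
        except (ValueError, TypeError):                    # TypeError on Python < 3.10
            continue
        if when.tzinfo is None:   # RFC 5322 "-0000": UTC with no local-time information
            when = when.replace(tzinfo=timezone.utc)
        hops.append({"by": _receiving_host(clause), "when": when, "raw": value})
    return hops

def hop_delays(hops):
    """(from_hop, to_hop, delay) per consecutive pair. A negative delay means skewed
    clocks or a header that was not written by the host it claims to be from."""
    return [(hops[i], hops[i + 1], hops[i + 1]["when"] - hops[i]["when"])
            for i in range(len(hops) - 1)]

def longest_delay(hops):
    """The hop pair with the largest wait, or None when there is no pair to compare."""
    delays = hop_delays(hops)
    return max(delays, key=lambda t: t[2]) if delays else None

if __name__ == "__main__":
    chain = received_hops(SAMPLE_HEADERS)
    for src, dst, delay in hop_delays(chain):
        print(f"{src['by']:>18} -> {dst['by']:<18} {delay}")
    src, dst, delay = longest_delay(chain)
    print(f"\nlongest wait: {delay} before {dst['by']} picked the message up")
```

On the sample, every hop is within seconds of its predecessor except the POP3 pickup by myria.szcat.lan, which comes 249 days after the message left cdr19.ed.psu.edu: the delay was on the receiving side, as the poster's wink suggests, not at the list server.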