OpenSSH Turns Five Years Old
heydrick writes "The OpenSSH project is five years old. Project member Damien Miller writes, 'Five years ago, in late September 1999, the OpenSSH project was started. It began with an audit, cleanup and update of the last free version of Tatu Ylonen's legacy ssh-1.2.12 code. The project quickly gathered pace, attracting a portability effort and, in early 2000, an independent implementation of version 2 of the SSH protocol. Since then, OpenSSH has led in the implementation of proactive security techniques such as privilege separation & auto-reexecution.' Yaa for OpenSSH."
Actually.. (Score:5, Insightful)
No.
Thanks... (Score:4, Insightful)
Re:This story turns 8 months old (Score:2, Insightful)
Re:SSH is wonderful, and yet users still don't get (Score:3, Insightful)
Manager: "some of them just don't know how to use ssh."
You: "{manager}, Telnet is a huge security risk and it is only a matter of time before we are screwed royally by this. I recommend that we plan on disabling telnet in the near future on all hosts. Before that time, I will send out an E-Mail to all affected staff with instructions for use and notification of when telnet services will be disabled. I think this is a good idea, what do you think?"
After that, your responsibility in the matter is moot.
You: Documents that you brought this issue up with your manager in the event that he/she decides not to pursue your idea, covering your ass and placing as much blame on your manager for any fuck ups that occur as a result of his/her stupidity.
If you weren't in a position to suggest such policy, then I pity you and am glad you got out of such a job.
Re:SSH is wonderful, and yet users still don't get (Score:5, Insightful)
Never mind that telnet/rsh have no security at all, apparently if security exists, it has to be "approved". Now, I don't dispute the idea of having validated security, but I do dispute the claim that no security at all is preferable.
It also neglects the fact that SSH is merely the program, that the encryption algorithm used is AES, which is most certainly a FIPS standard.
In other words, it's not just that "users don't get it" - although that is often the case. The problem is also malignant attitudes in management that regard total insecurity as politically more acceptable.
IMHO, if management enacts a policy that cripples security or eliminates it entirely, then management should be culpable. Encryption may be explicitly covered by FIPS, but that doesn't mean insecurity should be an acceptable standard for anyone.
In the case described by the parent post, that of users not knowing how to use SSH, fine. Mandate that all computers use host-to-host IPSec. The users then don't need to know a damn thing, but the connections are just as secure.
In other words, ignorance can sometimes be an excuse, but this isn't one of those times, as all it would take is ticking a checkbox under Windows and not doing a whole lot more under Linux. They can remain blissfully ignorant, continue to be stupid, but still remain perfectly safe.
IPSec and SSH are not just good ideas, they SHOULD be the lore. (Not law, just lore. Though making telnet a crime might not be such a bad idea...)
Re:I've been SSHGuru for 13 years (Score:3, Insightful)
Re:SSH is wonderful, and yet users still don't get (Score:4, Insightful)
Sure you _should_ use encrypted protocols, but when you look at a real-world network, it's full of NFS, SMB, FTP, SMTP, IMAP, HTTP, RPC, 5250/3270 and a gazillion other things that pass sensitive information in plaintext. Telnet is just the tip of the iceberg and the easiest to replace. Ultimately one should be looking at IPSec or VPN rather than making a big deal about SSH vs Telnet.
Now, if you are typing a root password onto an Internet host, that's another story, but I sincerely hope you don't have thousands of developers with root access somewhere.