OpenSSH Turns Five Years Old 146

Posted by CmdrTaco
from the edoc-eht-kaerb dept.
heydrick writes "The OpenSSH project is five years old. Project member Damien Miller writes, 'Five years ago, in late September 1999, the OpenSSH project was started. It began with an audit, cleanup and update of the last free version of Tatu Ylonen's legacy ssh-1.2.12 code. The project quickly gathered pace, attracting a portability effort and, in early 2000, an independent implementation of version 2 of the SSH protocol. Since then, OpenSSH has led in the implementation of proactive security techniques such as privilege separation & auto-reexecution.' Yaa for OpenSSH."
  • by Anonymous Coward on Sunday June 05, 2005 @01:20PM (#12729882)
    And it's a dupe [slashdot.org], too. Remember when editors actually read submissions?
  • What? (Score:1, Redundant)

    by TerminaMorte (729622)
    Five years? It's not September.... how is this news?
    • Re:What? (Score:3, Informative)

      by suitepotato (863945)
      TFA is insufficient and history can be found here: http://www.openssh.com/history.html/ [openssh.com].

      That marked the OpenSSH 1.2.2 release, which was shipped with OpenBSD 2.6 on December 1, 1999.

      Further...

      With the OpenBSD 2.6 release out of the way, Markus Friedl decided to pursue SSH 2 protocol support. Slaving away for months, he managed to keep OpenSSH slim and lean, while at the same time managing to turn it into a single piece of software that could do both the SSH 1 and SSH 2 protocols. This version, call
    • by Tuck (41529)
      This is indeed old news [theage.com.au]. An announcement was sent at the time to the mailing lists. A day or so ago, someone's broken email system [theaimsgroup.com] remailed the message to the lists (check the wicked delay in the Received: headers). How it made it to the front page of /. is another question...
  • Thanks... (Score:4, Insightful)

    by Anonymous Coward on Sunday June 05, 2005 @01:26PM (#12729908)
    For the awesome tool. Ssh, scp, and ssh tunnels are an integral part of how I accomplish things at work, and how I bypass corporate firewalls to use bittorrent. Thanks for the outstanding work.
    • How do you use ssh (tunneling?) to bypass corporate firewalls?
    • I consider SSH to be a VITAL part of the tool package I rely on. SCP is the other. Whether this story is old or not, I'll wish them happy birthday...who cares if it is a dupe.
    • and that is SSH's biggest problem - no one implements it properly. I can't begin to count the number of servers with nice firewalls that let users ssh tunnel to ports they shouldn't have access to.

      I also hear a lot of "well I can just ssh to my home machine and do x, y, and z" which is great until something happens (child porn is found on a library computer thanks to ssh and squid) and policies are suddenly changed and port 22 is blocked all over the place.

      I'm hoping the above doesn't happen but I'm kinda
      • if they have shell access then they could just use a separate app to forward the data. ssh's built-in port forwarding doesn't really let you do anything you couldn't do other ways.

        if a user can login to a system behind your firewall then they can access stuff behind your firewall unless you take specific action to stop them (ie local firewalls with user restriction).
      • I also hear a lot of "well I can just ssh to my home machine and do x, y, and z" which is great until something happens (child porn is found on a library computer thanks to ssh and squid) and policies are suddenly changed and port 22 is blocked all over the place.
        Which is why I run my SSH server on Port 443 because it's very rare that that will ever be blocked.
  • by heatdeath (217147) on Sunday June 05, 2005 @01:28PM (#12729923)
    The project was first released as OpenSSH 5 years ago today. The project was started, however, much earlier than that.
  • by ikkibr (848955) on Sunday June 05, 2005 @01:29PM (#12729924) Homepage
    From openssh.com: "With the OpenBSD 2.6 release out of the way, Markus Friedl decided to pursue SSH 2 protocol support. Slaving away for months, he managed to keep OpenSSH slim and lean, while at the same time managing to turn it into a single piece of software that could do both the SSH 1 and SSH 2 protocols. This version, called OpenSSH 2.0, shipped with OpenBSD 2.7 on June 15, 2000. Most of the checking of Markus' changes were done by Niels Provos and Theo de Raadt. Bob Beck is to be thanked for updating OpenSSL to a newer version."
  • ssh -L 5902:happy:5901 birthday
  • Someone care to explain what OpenSSH means by that? The only mention of it seems to be with OpenSSH, and I'm pretty sure I have never needed "auto-reexecution" in order to make anything secure so far...
    • Re:auto-reexecution? (Score:5, Informative)

      by slavemowgli (585321) on Sunday June 05, 2005 @02:38PM (#12730265) Homepage

      From the Changelog for OpenSSH 3.9:

      Make sshd(8) re-execute itself on accepting a new connection. This security measure ensures that all execute-time randomisations are reapplied for each connection rather than once, for the master process' lifetime. This includes mmap and malloc mappings, shared library addressing, shared library mapping order, ProPolice and StackGhost cookies on systems that support such things.

      Hope this helps. :)

    • From a response I posted first time around [lwn.net]:

      What it means is that a new copy of sshd is exec'ed for each connection after the master sshd fork()s to handle the connection. Previously, the forked sshd would just handle the whole session. It starts off as a literal copy of the address space of the parent and stays very similar throughout its life.

      Now should there be some kind of vulnerability in sshd, an attacker can connect, get a new fork()ed copy of the master sshd and attempt to guess whatever they nee

  • OpenSSH (Score:3, Informative)

    by Mark_MF-WN (678030) on Sunday June 05, 2005 @02:05PM (#12730112)
    SSH rules -- definitely one of the triumphs of modern software development. An absolutely essential set of tools, with open standards, competing implementations, and availability on every platform conceivable.

    So hats off to OpenSSH, y'all. :)

  • Awesome software (Score:3, Interesting)

    by maelstrom (638) on Sunday June 05, 2005 @02:17PM (#12730164) Homepage Journal
    Thank god that OpenBSD cares enough to make the portable version of OpenSSH. I've used OpenSSH to make my machines more secure on everything from Solaris to Linux to *BSD.

    Kudos!
  • I recently implemented OpenSSH for a remote access project and while I really like OSSH I have a few feature requests:

    1) I wish I could control what forwarding can occur in the config file on the server. Access lists would be great here.

    Currently I do this by having the system in the DMZ and applying an access list to the entire user population.

    2) I wish I had the ability to log which users opened what tunnels where.

    Even so this a great application and I use it every day.

    Grats on making it 5 years with
    • Re:Cool... (Score:1, Informative)

      by Anonymous Coward
      I wish I could control what forwarding can occur in the config file on the server. Access lists would be great here.

      If you use public-key authentication (and users don't have r/w access to the ~/.ssh/authorized_keys file), you can put restrictions on what each key can forward to.
      • If you use public-key authentication (and users don't have r/w access to the ~/.ssh/authorized_keys file), you can put restrictions on what each key can forward to.

        The sshd manual page [openbsd.org] has a section named "AUTHORIZED_KEYS FILE FORMAT" that has details on the format of what goes in $HOME/.ssh/authorized_keys and what options are supported.
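        One way to check which keys in such a file are still allowed to forward, as an added example that is not part of any post above or of OpenSSH itself: it parses the options field of authorized_keys (option names as in sshd(8); the sample lines and key material are constructed placeholders).

```python
"""Audit an authorized_keys file for keys that can still open port forwards.
Added example, not OpenSSH code; it parses the options field documented in
sshd(8) AUTHORIZED_KEYS FILE FORMAT. SAMPLE is constructed, keys are dummies."""
KEY_TYPES = ("ssh-rsa", "ssh-dss", "ssh-ed25519")  # enough for the sample

def split_options(text):
    """Split comma-separated options; commas inside double quotes don't split."""
    opts, cur, quoted = [], [], False
    for c in text:
        if c == '"':
            quoted = not quoted
        elif c == "," and not quoted:
            opts.append("".join(cur)); cur = []
            continue
        cur.append(c)
    opts.append("".join(cur))
    return [o for o in opts if o]

def parse_line(line):
    """Return (options, keytype, comment), or None for blank/comment lines."""
    if not line.strip() or line.startswith("#"):
        return None
    end = 0
    if line.split()[0] not in KEY_TYPES:    # an options field precedes the key
        quoted = False
        for end, c in enumerate(line):      # first unquoted space ends it
            if c == '"':
                quoted = not quoted
            elif c.isspace() and not quoted:
                break
    rest = line[end:].split(None, 2)
    return split_options(line[:end]), rest[0], rest[2] if len(rest) > 2 else ""

def audit(text):
    """Return [(key comment, permitted targets)] for keys that may forward."""
    findings = []
    for line in text.splitlines():
        if (parsed := parse_line(line)) is None:
            continue
        opts, keytype, comment = parsed
        names = [o.split("=", 1)[0].lower() for o in opts]
        if "no-port-forwarding" in names or (
                "restrict" in names and "port-forwarding" not in names):
            continue  # this key cannot open forwards at all
        targets = [o.split("=", 1)[1].strip('"') for o in opts
                   if o.lower().startswith("permitopen=")]
        findings.append((comment or keytype, targets or "ANY host:port"))
    return findings

SAMPLE = """\
ssh-rsa AAAAB3NzaC1yc2E... alice@laptop
no-port-forwarding,no-X11-forwarding ssh-rsa AAAAB3NzaC1yc2E... bob@backup
permitopen="10.0.0.5:5432",permitopen="10.0.0.6:443",no-pty ssh-rsa AAAAB3... carol@app
restrict,port-forwarding,permitopen="127.0.0.1:22" ssh-ed25519 AAAAC3... dave@jump
"""
```

Running audit() over a real file lists every key with no forwarding restriction, which is the "access list" the parent post asks for, applied per key.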

    • Re:Cool... (Score:3, Informative)

      by petermgreen (876956)
      if you use privilege separation then tunnels come from the userid that created them.

      therefore you should be able to control them with iptables user matching

      • Re:Cool... (Score:3, Interesting)

        by smkndrkn (3654)
        Sadly, or not, I'm using SecurID from RSA Security and the PAM module requires that I shut off Privsep.
  • by Rantastic (583764) on Sunday June 05, 2005 @02:23PM (#12730191) Journal

    I love ssh. I use it everyday.

    Where I used to work (I quit 2 months ago) it was a constant battle to get users to use ssh instead of telnet. Yes, that's right, telnet. When I first started working there, a little over a year ago, I was shocked to discover that thousands (no exaggeration) of developers were still using telnet to access unix hosts.

    When I asked my manager about this, his explanations ranged from "that is how they have always worked" to "some of them just don't know how to use ssh."

    When I spoke to the users themselves they just could not understand what is wrong with telnet.

    Of course, I should point out that this is also a company that suffered a massive data theft (something like 90,000 email addresses) last year...

    • Manager: "that is how they have always worked"
      ...

      Manager: "some of them just don't know how to use ssh."

      You: "{manager}, Telnet is a huge security risk and it is only a matter of time before we are screwed royally by this. I recommend that we plan on disabling telnet in the near future on all hosts. Before that time, I will send out an E-Mail to all affected staff with instructions for use and notification of when telnet services will be disabled. I think this is a good idea, what do you think?"

      After
    • Telnet on BSD has had encryption for at least ever since we started using it. I remember Linux did not a few years ago when we first changed to BSD but it appears that the recent Linux systems running on our ISP and on Sourceforge are now running the BSD telnet with encryption. ssh is still better because you can use dual public/private rsa/dsa keys and login without having to type a password, but as long as you are not telneting to/from a toy system that has no regard for security and does not support en
    • You think that's bad? Many Government places insist on using Telnet and RSH (with .rhosts files!) because "SSH isn't a FIPS standard".


      Never mind that telnet/rsh have no security at all, apparently if security exists, it has to be "approved". Now, I don't dispute the idea of having validated security, but I do dispute the claim that no security at all is preferable.


      It also neglects the fact that SSH is merely the program, that the encryption algorithm used is AES, which is most certainly a FIPS standard.


      In other words, it's not just that "users don't get it" - although that is often the case. The problem is also malignant attitudes in management that regard total insecurity as politically more acceptable.


      IMHO, if management enacts a policy that cripples security or eliminates it entirely, then management should be culpable. Encryption may be explicitly covered by FIPS, but that doesn't mean insecurity should be an acceptable standard for anyone.


      In the case described by the parent post, that of users not knowing how to use SSH, fine. Mandate that all computers use host-to-host IPSec. The users then don't need to know a damn thing, but the connections are just as secure.


      In other words, ignorance can sometimes be an excuse, but this isn't one of those times, as all it would take is ticking a checkbox under Windows and not doing a whole lot more under Linux. They can remain blissfully ignorant, continue to be stupid, but still remain perfectly safe.


      IPSec and SSH are not just good ideas, they SHOULD be the lore. (Not law, just lore. Though making telnet a crime might not be such a bad idea...)

      • No kidding. And then you have idiot programs such as Oracle RAC and Veritas NetBackup which need to have .rhosts files so that they can install client software.

        My strategy for getting rid of telnet has been to disable it on all new hosts (easy since it's disabled out of the box on new SuSE and RedHat installs). Then when people complain I go and show them how port forwarding works with X-windows and when they realize that they don't have to run xhost and set their display environment variable if they're us

        • Oracle RAC can work over ssh, the 10g install docs even specifically mention it.

          Note:
          This section describes how to set up user equivalence for rcp, which the Installer uses when copying Oracle software to the other cluster nodes. If you prefer, you can configure the Secure Shell (SSH) tool suite, so that the Installer uses scp instead of rcp. See the SSH documentation for information about setting up user equivalence for scp.
        • Netbackup can be installed over ssh; it's a question of whether or not the rep doing the install wants to deal with it. I got asked to open telnet and rlogin and I stood my ground on that one. I told the rep that I'd be happy to create a temporary set of ssh keys so that he could call ssh like he'd use rlogin (and not have to use a passwd). He agreed, modified his install script, and installed. After he was done I removed the keys and everything was kosher.
      • In the case described by the parent post, that of users not knowing how to use SSH, fine.

        Isn't ssh almost exactly the same as telnet in terms of the interface?

        I really don't see how anyone could claim that using one is harder than the other. Or that they don't want to learn something they already know.
        • Uh, no. Telnet is a terminal emulator and you can escape into the telnet control panel by using CTRL-]. SSH opens up a shell on the remote machine and copies the output onto your existing terminal.

          Telnet doesn't copy any environment variables over, as it -is- a terminal emulator, and not a shell environment. SSH handles things like the display, but would be capable of passing any environment over.

          SSH can be placed in the background - you are really not advised to do that with Telnet. :)

          Last, but not

      • AFAIK, government might have a problem with SSH: It isn't FIPS standard and they might be afraid that there's some nice booby trap that sends their connection data to 3rd parties. Code audit isn't done by trusted (by government) side. I use SSH more than any other single program. Great way for 'screen -r' and then you have all your IM, IRC and mail program apps wherever you are. No problem with untrusted (even unencrypted) wireless networks as long as I have a laptop I can trust.
    • by NutscrapeSucks (446616) on Sunday June 05, 2005 @04:05PM (#12730690)
      Personally, I think the "OMG Telnet!" thing has gone way overboard when you are talking about internal networks.

      Sure you _should_ use encrypted protocols, but when you look at a real-world network, it's full of NFS, SMB, FTP, SMTP, IMAP, HTTP, RPC, 5250/3270 and a gazillion other things that pass sensitive information in plaintext. Telnet is just the tip of the iceberg and the easiest to replace. Ultimately one should be looking at IPSec or VPN rather than making a big deal about SSH vs Telnet.

      Now, if you are typing a root password onto an Internet host, that's another story, but I sincerely hope you don't have thousands of developers with root access somewhere.
    • some of them just don't know how to use ssh

      Don't know how? You could probably 'ln -s /usr/bin/ssh /usr/bin/telnet' without anybody noticing much. Sure there may be "power users" of telnet, but they probably already know how to use ssh.

      Seriously, instead of

      telnet me@host
      do
      ssh me@host

      For the trivial case it's a drop in replacement.
    • I've had similar experiences with both SSH and sudo. Never mind that 'ssh host' is easier than 'telnet host,' especially with keys set up. Never mind that scp is light-years more pleasant than ftp. Never mind that sftp does ftp's job, better. Never mind that sudo is an absolutely brilliant solution to the problem of Unix's weak support for roles (I love Unix, but let's be honest--it's not the end-all, be-all of OS design). Never mind that I, as a Unix admin, do all of my work with ssh & sudo; someho
  • Typo (Score:1, Funny)

    by Anonymous Coward
    Actually the name is Tatu Ylönen.

    Here's some dots to use in the future: ......

  • I got the announcement earlier today and wondered why it was dated 28 Sep 2004; a little header parsing revealed the following (email addresses altered to protect the innocent):

    Received: from warr.ath.cx (70-32-9-83.frdrmd.adelphia.net [70.32.9.83])
    by shitei.mindrot.org (Postfix) with SMTP id 14EC827C188
    for <openssh-unix-announce...>;
    Sun, 5 Jun 2005 15:00:29 +1000 (EST)
    Received: (qmail 30775 invoked by uid 1000); 5 Jun 2005 05:00:27 -0000
    Delivered-To: unknown
    Received: from suen.ed.psu.edu (

  • I wish that OpenSSH would include the following features:

    LoginFailureTracking On
    LoginFailureAttempts 3
    LoginFailureShell "/sbin/iptables -I INPUT -s %1 -j DROP"

    Oh, I need this or something like:

    InvalidUserLockoutCount 3
    InvalidUserLockoutByIP yes
    InvalidUserLockoutResetSeconds 120

    Or, does anyone do something similar using a log watching program? I would really like to know, now that I have SSH firewalled off so restrictively and my open boxes get more than 1,000 invalid user hits per day.
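    The lockout the post wishes for, implemented as a small log watcher over sshd's syslog lines; this is an added example, not OpenSSH code or any poster's script. It counts "Invalid user ... from IP" lines per address, resets the counter after the post's 120 quiet seconds, and renders the post's LoginFailureShell template as a string for an operator to review (the log lines are constructed).

```python
"""Lock out addresses after repeated sshd 'Invalid user' attempts.
Added example, not OpenSSH code: the InvalidUserLockoutCount /
InvalidUserLockoutByIP / InvalidUserLockoutResetSeconds behaviour the post
wishes for, done as a log watcher. LOG below is constructed sample syslog."""
import re
from collections import defaultdict
from datetime import datetime

LOCKOUT_COUNT, RESET_SECONDS = 3, 120
INVALID_USER = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?:Failed \S+ for )?[Ii]nvalid user (?P<user>\S+) from (?P<ip>[\d.]+)")

def parse(line):
    """Return (timestamp, ip, user) for an invalid-user line, else None."""
    m = INVALID_USER.match(line)
    if not m:
        return None
    # syslog stamps carry no year; strptime's default year is fine for deltas
    return datetime.strptime(m["ts"], "%b %d %H:%M:%S"), m["ip"], m["user"]

def lockouts(lines, count=LOCKOUT_COUNT, reset=RESET_SECONDS):
    """Return [(ip, timestamp)] once per address whose attempts reach `count`;
    an address's counter restarts after `reset` quiet seconds."""
    state = defaultdict(lambda: (0, None))   # ip -> (attempts, last seen)
    locked = []
    for line in lines:
        if (parsed := parse(line)) is None:
            continue
        ts, ip, _ = parsed
        n, last = state[ip]
        if last is not None and (ts - last).total_seconds() > reset:
            n = 0
        n += 1
        state[ip] = (n, ts)
        if n == count:
            locked.append((ip, ts))
    return locked

def firewall_command(ip, template="/sbin/iptables -I INPUT -s %1 -j DROP"):
    """Render the post's LoginFailureShell template for an address (a string
    for an operator to review; this example never executes it)."""
    return template.replace("%1", ip)

LOG = """\
Jun  5 05:00:01 gw sshd[3011]: Invalid user admin from 10.9.8.7
Jun  5 05:00:03 gw sshd[3012]: Invalid user oracle from 10.9.8.7
Jun  5 05:00:05 gw sshd[3013]: Accepted publickey for alice from 192.0.2.10 port 4410 ssh2
Jun  5 05:00:40 gw sshd[3014]: Invalid user test from 192.0.2.77
Jun  5 05:01:30 gw sshd[3015]: Invalid user guest from 10.9.8.7
Jun  5 05:03:00 gw sshd[3016]: Invalid user test from 192.0.2.77
Jun  5 05:03:02 gw sshd[3017]: Invalid user test from 192.0.2.77
Jun  5 05:03:05 gw sshd[3018]: Failed password for invalid user test from 192.0.2.77 port 5050 ssh2
Jun  5 05:03:09 gw sshd[3019]: Invalid user root from 10.9.8.7
""".splitlines()
```

Note that 192.0.2.77's first attempt falls outside the 120-second window, so it is locked on its fourth attempt, not its third.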
