OpenSSH 4.2 released
BSDForums writes "OpenSSH 4.2 has been released. OpenSSH is a 100% complete SSH protocol version 1.3, 1.5 and 2.0 implementation and includes sftp client and server support.
Changes since OpenSSH 4.1 include security bug fixes relating to GatewayPorts and GSSAPI, which eliminate the risk of credentials being inadvertently exposed to an untrusted user/host. A new compression method, proactive changes for signed vs. unsigned integer bugs, and many additional bugfixes and improvements highlight this release."
Re:The new compression method is pretty fantastic. (Score:5, Insightful)
Re:Why you shouldn't use OpenSSH (Score:5, Insightful)
Frankly, I'd rather put up with arrogance and have access to amazing code, rather than dealing with a nice person who can't write code worthy of a cockfool.
It's our pleasure, Mr. Gates. (Score:3, Insightful)
Still no logging of sftp/scp transfers? (Score:2, Insightful)
Re:Why you shouldn't use OpenSSH (Score:3, Insightful)
Re:Why you shouldn't use OpenSSH (Score:4, Insightful)
Like him or not, but it's a great program, and not using it just because you don't like the lead developer, when there are no actual reasons not to, is stupid.
Which idiot makes this insightfull? (Score:5, Insightful)
Are you mod fucking insane?
Re:Why you shouldn't use OpenSSH (Score:3, Insightful)
As a friend of mine says, "It's OK if they call you an asshole, if they say it with awe."
Theo is certainly opinionated, and he may or may not be an asshole, but his group produces some damn fine software. You may not like his methods, but it's difficult to argue with his results.
Re:It's our pleasure, Mr. Gates. (Score:5, Insightful)
Re:Why you shouldn't use OpenSSH (Score:4, Insightful)
He gets results. For example, giving out contact information isn't the nicest way to get hardware docs and firmware, but it works.
Re:Why you shouldn't use OpenSSH (Score:3, Insightful)
They can take the freedom to be different and we have to understand that we have to adapt to them.
Re:Still no logging of sftp/scp transfers? (Score:3, Insightful)
Re:Please excuse my obvious ass-kissing (Score:5, Insightful)
The fact is that in the OSS world one should, at least once a month, raise one's fingers from the keyboard and stop to think "What am I missing from my daily environment? Are there stupid, repetitive or boring things that I do all too frequently?". The odds are that I could easily fix most of them swiftly, and for the ones that might require moderate amounts of work, it's quite likely that someone has stumbled on those very same issues before me and fixed them. (And experience in the *nix world teaches me that frequently the fix is quite brilliant.)
Re:Slowing down dictionary attacks (Score:5, Insightful)
This exponential backoff system works when you're trying to log in from a tty. With SSH, the system doesn't know whether this is the same user trying to authenticate. It's similar to sitting in front of a Linux box, trying to log in on VT 1, and when it backs off, switching to VT 2, and so on.
The situation could be improved somewhat by sshd tracking failed logins by IP address, and disallowing that IP address from logging in for a while. However, this complicates sshd and isn't really bulletproof, what with NAT making any number of machines appear to have the same IP address.
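The per-IP tracking the comment above sketches, as an added example that is not code from the thread or from OpenSSH itself: it reads sshd "Failed password" lines from a constructed syslog sample (an assumed format), counts failures per source address in a sliding window, and reports which addresses would be locked out. The output also shows the NAT caveat: the three different users behind 198.51.100.2 share one budget and are locked out together.

```python
import re
from collections import defaultdict, deque

# Constructed sample sshd syslog lines (assumed format, not from the thread).
SAMPLE_LOG = """\
Sep  1 10:00:01 host sshd[2001]: Failed password for root from 203.0.113.7 port 40001 ssh2
Sep  1 10:00:02 host sshd[2002]: Failed password for root from 203.0.113.7 port 40002 ssh2
Sep  1 10:00:03 host sshd[2003]: Failed password for invalid user admin from 203.0.113.7 port 40003 ssh2
Sep  1 10:00:04 host sshd[2004]: Failed password for alice from 198.51.100.2 port 50001 ssh2
Sep  1 10:00:05 host sshd[2005]: Failed password for bob from 198.51.100.2 port 50002 ssh2
Sep  1 10:00:06 host sshd[2006]: Failed password for carol from 198.51.100.2 port 50003 ssh2
Sep  1 10:00:07 host sshd[2007]: Accepted publickey for dave from 192.0.2.9 port 60001 ssh2
"""

FAILED_RE = re.compile(
    r"(\d\d):(\d\d):(\d\d) \S+ sshd\[\d+\]: Failed password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

def _seconds(h, m, s):
    return int(h) * 3600 + int(m) * 60 + int(s)

def find_lockouts(log_text, threshold=3, window=60):
    """Return {ip: sorted usernames tried} for every source IP that produced
    at least `threshold` failed passwords within any `window`-second span.
    Tracking is per IP only: every attempt sharing an address (e.g. several
    hosts behind one NAT gateway) counts against the same budget."""
    recent = defaultdict(deque)   # ip -> timestamps of recent failures
    users = defaultdict(set)      # ip -> usernames tried from that ip
    locked = {}
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if not m:
            continue              # accepted logins and other lines are ignored
        ts = _seconds(*m.group(1, 2, 3))
        ip = m.group("ip")
        users[ip].add(m.group("user"))
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()           # drop failures that fell out of the window
        if len(q) >= threshold and ip not in locked:
            locked[ip] = sorted(users[ip])
    return locked

if __name__ == "__main__":
    for ip, names in find_lockouts(SAMPLE_LOG).items():
        print(f"{ip} locked out; {len(names)} distinct user(s): {', '.join(names)}")
```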
Re:Increased default key size. (Score:3, Insightful)
The larger key will make your data more secure on the wire, in transit, but the weakest point has always been the key's passphrase. A 32768-bit key is just as crackable as a 256-bit key if you have physical access to the encrypted keyfile.
Improving transit security isn't an inherently bad idea, but it's making the strongest link in the chain even stronger. It probably won't do that much to increase overall security.
Re:Increased default key size. (Score:5, Insightful)
Cracking it on the first attempt and cracking it on the 10^50th attempt have equal probabilities.
True, but both probabilities are minute. The median of that range is 5*10^49 meaning that's the average number of tries you need. If you got lucky and found it in the first 10%, that's 10^49. If someone wanting to spy on you can muster the resources to crack that in a human lifetime, you've made an enemy of God!
Quantum computing opens up some interesting possibilities, but if a hypothetical Quantum computer in the year 2015 could search 1x10^23 keys per second (more than that massive distributed Internet project a while ago), it would still take millions of years on average.
10^50 is a big number.
Re:Proactive? (Score:0, Insightful)