OpenSSH Going Strong After 10 Years With Release of v5.3
An anonymous reader writes "OpenSSH is a 100% complete SSH protocol version 1.3, 1.5 and 2.0 implementation and includes sftp client and server support. It encrypts all traffic (including passwords) to effectively eliminate eavesdropping, connection hijacking, and other attacks. Additionally, OpenSSH provides secure tunneling capabilities and several authentication methods, and supports all SSH protocol versions. Version 5.3 marks the 10th anniversary of the OpenSSH project."
I remember switching to OpenSSH. (Score:5, Interesting)
It was likely not far after OpenSSH became available, and the original SSH was starting to get less and less friendly. The great thing about SSH is it all started out free and open. Early on it was experimental (though very cool). This later changed when the original SSH became commercialized, and the licensing started closing up (thus my switching to OpenSSH). This was back in the days when an ssh client was something you had to hunt around for and much of the time all that was available was cruddy ssh1 clients.
We've come a long way since then. These days putty and SCP are available for any platform. I haven't even thought about the original ssh from Tatu for years, though I certainly used it so many years ago.
Re:Is OpenSSH still speed limited? (Score:3, Interesting)
Yeah, scp gets about 55MB/sec between Linux systems at work with gigabit LAN.
Re:Thanks OpenBSD (Score:5, Interesting)
What is interesting is how secure and easy it is to use.
I use it with fuse to mount my networked partitions. It involved no work and the fact that it is secure is just a bonus since there is no noticeable speed loss for my transfers.
Fast, Weak sshfs (Score:3, Interesting)
I find sshfs to be a much easier to use ad-hoc network filesystem mounter than the other popular alternatives. And it's secure by default.
But it's too secure. Or rather, there are scenarios in which the network transfer doesn't need the ssh security, but encrypting it takes too long (or too much CPU from other tasks, especially on dinky embedded network devices). Is there a way to force sshfs to use a much less compute intensive encryption, or maybe even a null crypto module? Without hacking the source directly, that is - like an execution option, a compile option, a config rule, etc.
Re:License (Score:3, Interesting)
Businesses really hate that viral open source thing in the GPL
You seem to think that we're on some ideological crusade to take over everything. In the real world, we just don't care at all about anything which is not "core business". The GPL is an excellent thing since we can give back source code without much need to think. The business justification is one check box (because we have to) rather than weeks of meetings about whether this feature is strategic. When you somehow end up giving away a feature to a GPL app, you know that even if the competition gains the same, they still have to make any fixes they make available to other people.
Speaking for most "businesses" everywhere.
Re:License (Score:3, Interesting)
It's like arguing that knives are superior to forks, so I only eat with knives! Licenses are a tool, each suitable for its purpose.
I don't agree that the GPL "childishly punishes" anyone, nor that it is viral. It is copyright that provides the "virality" (virusness?), not the GPL, and even BSD has the requirement of attribution making it just as viral (through copyright) though with less onerous conditions.
Still no tunneling on OSX (Score:3, Interesting)
Unfortunately, on OSX, while the option (-w) is documented, OpenSSH still doesn't support tunneling, even after installing tuntap.
Re:How was life possible without it? (Score:5, Interesting)
Version 2 of the SSH protocol was also developed by Tatu Ylönen and his company SSH Communication Security. It was just that when they made the new, improved protocol they also switched to a proprietary license with SSH v2. It took a couple of years before the OpenBSD folks had developed the open source SSH v1 code to the point where it supported all features of the SSH v2 protocol. The two implementations of v2 still aren't fully compatible on client-side stuff like key storage, but nowadays it is the proprietary SSH that is considered the odd one out.
I don't consider Tatu Ylönen here as a bad guy. What he has given to the world free of charge is 1) the SSH v1 protocol specification, 2) the SSH v1 open source implementation, and 3) the SSH v2 protocol specification. On top of that he has managed to make a living off of the SSH v2 code, and he certainly has the right to do that.
Beware of Linux-induced vulnerabilities (Score:3, Interesting)
http://lwn.net/Articles/354891/
Otherwise, OpenSSH is fantastically secure. :)
Does it run... (Score:3, Interesting)
Yes but, does it run on Windows 7?
I tried installing sshwindows on Win7 the other day and the service wouldn't start. As far as I can tell, openssh has never officially supported Windows and never will.
Sure, it's useful for 'nix to 'nix connections, but I need my Windows PC in on the action, too.
Re:tunneling (Score:3, Interesting)
Sure. (Score:3, Interesting)
Install cygwin or Microsoft's own SFU (services for unix). They give you sshd under windows, init scripts, NFS mounting etc. SFU is actually based on openbsd userspace.
10 years and still no smart card/pkcs#11 support! (Score:1, Interesting)
OpenSSH is nice, but how come there is no way to use anything else than software keys in a sensible manner with OpenSSH? Hardware tokens, HSM accelerators, smart cards? Where is PKCS#11 support in OpenSSH?
Shame, especially because there have been patches available for years to do this. Check out https://bugzilla.mindrot.org/show_bug.cgi?id=1371
Re:Thanks OpenBSD (Score:4, Interesting)
OpenSSH provides a lot more than just security. Sometimes I'd just like it to forward X over my LAN. In that case, encryption is completely unnecessary. Yeah, I could do it the old fashioned way, but it's been so long I've forgotten how.
Re:tunneling (Score:1, Interesting)
However, that will be VPN over TCP which has many bad performance corner cases. Setting up OpenVPN securely, while different concepts to learn, is not really any more difficult than setting up OpenSSH VPNs securely. And OpenVPN has proper tunneling over UDP so you do not get those strange corner cases like application UDP or TCP congestion control stalling on top of the tunnel's TCP congestion control.