OpenSSH Now Supports SSH2

Anonymous Coward writes: "The OpenSSH project released version 2.1 earlier this month. It now supports the SSH2 protocol. SSH2 is regarded by many as a more secure protocol (but was for a long time only supported in a restricted license implementation)." Nice work, guys. I'm downloading the source, I'm buying a T-shirt, life is good.

Re:SSHv2 is crap

[gr]

It seems more likely that your server processor is slow enough that the encryption time is significant.

... which sounds like restatement when I reread it.

Point is, I don't have the same problem that ClaudioLeite did, and I doubt that a majority of people connecting with an ssh1 client to an sshd2-on-sshd1 server do.

Re:sftp would be cool

[Ex Machina]

You can use OpenSSH as a a wrapper around any TCP connection, including FTP (although) i don't know if it handles data ports right). Of course, there is a nice little thing called scp.

Re:OpenBSD 2.7 waiting in the wings too...

[alexandre]

i just tried 2.6, it looked good (besides the fact that i couldnt get color or completion to work in the shell :) but how come they are still keeping everything activated in /etc/inetd.conf ??

---

Free SSH client for Win (Re:Number two.)

[defender]

I also struggled with TeraTerm.

why don't you check out 'PuTTY' it's a telnet/ssh/raw client:
http://www.chiark.greenend.org.u k/~sgtatham/putty/ [greenend.org.uk]

it works great !

(plus it has basic xterm mouse-handling !!! so you can just cut'n'paste between Windows and the terminal with your mouse-buttons !!!)

--
Dutch Linux Users Group [nllgg.nl]

Re:Finding RPMS for Openssh / Openssl

[mrsam]

There's a .spec file buried in the openssh tarball, which you can use to build your RPMs. It's not a very "high-quality" .spec file, but should be good enough to put together a basic package with all the defaults.

Last year I mailed the maintainer a far more robust spec file, which I use, but, as typical with most OSS developers, the mail simply vanished into a black hole. Screw 'em.

Re:Free SSH client for Win (PUTTY -- zmodem?)

[antdude]

Does it have zmodem support? The last time I checked, no. SCRT has it though. :)

Why should I upgrade?

[LunaticLeo]

This is a serious question, which might have a
good answer. I just don't know it.

Why should I upgrad from a SSHv1 client/server
to a SSHv2 client/server?

FiSSH

[notsoanonymouscoward]

Hey looking for a free ssh client?
Fissh [massconfusion.com]

Where's Kerberos V support?

[jbuhler]

I keep wanting to use OpenSSH,but it only supports Kerberos IV authentication. It ought to be easy to hack in GSSAPI or Kerb V, but there seems to be some political issue with protocol numbering that keeps this from happening. Search deja for openssh + Kerberos to see what I'm talking about.

Re:Why should I upgrade?

[Anonymous Coward]

Protocol 2 is not vulnerable to the insertion attack (which is detectable but not preventable in version 1 except by shutting down the connection). Also, protocol 2 can avoid RSA entirely, thus getting around patent restrictions.

Apart from that, I haven't been able to find any clear documentation about the differences in the new protocol aside from vague assurances that it's "more secure".

NO help from DOMAIN SQUATTER

[Alejo]

Facts

• yes, we all know Theo isn't what you call a PR guy ;)
• anyway, that guy has NO RELATION with current OpenSSH
• He is doing ad of his competitor project
• He does FUD
• He won't give up the domain
• what would you thing if OpenBSD project had "linux.org" and put ads of OpenBSD/FreeBSD there? And the excuse is to "prevent" linux monopolixing the free OS market!!!

Re:SSHv2 is crap

[ClaudioLeite]

Several friends have experienced similar problems. The server machines all vary in speed, but I don't think encryption time matters in this case. SSH1 sessions have always been smoother and less laggy for me (I use CompressionLevel 9) than SSH2, even with compression enabled.

I don't experience the halting problem too often, it's more of a matter of speed and compatibility that make me hate ssh2. There aren't any new features that are of any use to the average person (except maybe sftp), so I see no reason to upgrade.

The files are gone???

[Scarabaeus]

I might be halucinating, but all the OpenSSH dirs on all mirror ftp servers are empty. What happened? Does anyone have a copy of the portable source?

Number two.

[nazerim]

Are you sure? Or do you want to catch the /. kiddies out in not being too knowledgeable?

>Number two is that scp2 doesn't quite work, because it uses a proprietary protocol, although you can use scp1 over ssh2 fine.

scp uses ssh to transfer files. ssh supports the version 2 protocol - this is clearly documented and not "proprietary" as you claimed. What is proprietary is the sftp protocol used by ssh.com's commercial server. Is this what you mean?

OpenBSD 2.7 waiting in the wings too...

[stab]

Dont forget that OpenSSH is also bundled as part of the forthcoming OpenBSD 2.7 [openbsd.org], which is due to be released on the 15th June.

I just installed OpenBSD-current for the first time from anoncvs to test it out, as part of a migration from Linux to OpenBSD, and it utterly rocks so far! The huge difference is just the fact that it is secure out of the box, and comes with a wealth of audit scripts that scan the box every day and mail you with automated changelogs and security alerts. I can easily believe their claim that they have not had any remote exploits for over 2 years.

Big kudos to the OpenSSH and OpenBSD teams .. I always had the impression of OpenBSD as lacking in features and friendliness compared to the other *nices, but after using Linux as a stepping stone to learn my way around, I cant wait to really sink my teeth into OpenBSD 2.7!

PS: No affiliation to openbsd myself; I visited the webpage for the first time 3 days ago :D

--
Anil Madhavapeddy, anil@recoil.org

Sftp support ?

[wolruf]

Is sftp a priority in the TODO list ?

Re:I'll wait for the idiots to run it first.

[puetzk]

umm...
a) openssh has been out for some time (though this ssh2 protocol stuff is new)

b) c'mon, this is the openbsd team. You think they'd jeapordize their record :-)?

you've got a point, but this is probably a lot better than most other .0 programs. I wouldn't probably put it on any production-secure servers, but I'll probably be watching and helping shake it out on non-production machines.

INSTALL file

[Jeff Knox]

is it just me, or is the release missing the installation instructions. It says to read the INSTALL file, there is none.

Re:Still a couple holes

[localman]

From the ssh-keygen manpage:

ssh-keygen generates and manages authentication keys for ssh(1). ssh-keygen defaults to generating an RSA key for use by protocols 1.3 and 1.5; specifying the -d flag will create a DSA key instead for use by protocol 2.0.

I believe that ssh2 needs to be on all the machines involved, but key login seems to work for me.

Re:Whatever happened to the openssh org vs com deb

[puetzk]

umm.. those links just go to other pages on openssh.com

there are two development groups (from what I see on the page), a core openssh group (which handles openbsd) and a porting group. While a little bit unusual, I don't really see how the org structure harms that much (or maybe it's just a personal thing among developers, I wouldn't know about that).

Re:Compatibility with SSH2 keys.

[cybermage]

Am I the only one who finds this a little strange?

Surely you weren't hoping to give it a public key and get the private key on stout? ;)

--

The circle is now complete... (sort of)

[localman]

This is great news for people running *nix servers that need to be accessed securely by Windows users. Although it's a closed-source product, Vandyke [vandyke.com] has an excellent secure FTP client for Windows - SecureFX which came out a month or so ago.

Thanks to that and the OpenSSH group, I have been able to eliminate all clear-text passwords from my network, AND all my Windows users are happy!

As a note - I've been running OpenSSH 2 for about two weeks now on RedHat 6.1 with no problems.

Re:Number two.

[Alan Shutko]

That's what I meant. Basically, I meant you can't scp to a server which is only running an ssh2 server. (Because scp2 uses sftp.)

rpmfind does it for me

[Wesley Felter]

Whenever I need software, I go straight to rpmfind [rpmfind.net]. I know I've gotten OpenSSH RPMs from there several times.

Re:Before the cheering commences..

[x0dus]

I had the same problem getting 'password incorrect' every time I tried to log in to my Slackware machine. After reading the FAQ, I found the solution. You have to link OpenSSH with libcrypt:

LIBS=-lcrypt ./configure [options]

Works perfectly for me now.

Re:Number two.

[prac_regex]

The sftp protocol from ssh.com is nice, but not free. If you have people on your staff who have a brain and you dont mind telling them what an ftp tunneled connection is then I recommend using that. Does anyone know of a gui interpretation that competes in the commercial ssh realm that supports ssh2 client? BTW, you can allow users access only by their DSA keys, its the RequirePassword line, put that to no and make darn sure you generated your DSA keys correctly, longer the better! If you are looking for a VPN solution, I don tknow how this stands though, I dont see a good reason why it cant, and blowfish is fast as heck for that matter. One last note, ftp tunnels and the commercial sftp protocol dont encrypt the files themselves, just the password transmission stage. Then they watch the connections for hijacks. whoop

Old news

[hackerhue]

WTF? I submitted this story the day after it was released, and it was rejected. Then Freshmeat had the announcement a couple days later. And now I see this a couple weeks later. Do you guys have something against being the first to announce things?

Re:Still a couple holes

[Alan Shutko]

Well, it might be more secure, but openssh has the ssh-agent for RSA keys, so it seems that it just hasn't gotten DSA keys yet.

Re:INSTALL file

[agramata]

Yep..you're right. No INSTALL file....I was just thinking the same thing. Maybe if I just Use the Force it will compile right the first time without any help :)

Finding RPMS for Openssh / Openssl

[PrimeEnd]

Finding RPMS for this is difficult. There is no mention of them on the www.openssh.com web site. I don't know if this is intentional. But anyway the rpms for openssh exist on the ftp mirror sites listed.

Unfortunately, a new version of openssl is required and rpms for it seem harder to find (no luck at freshmeat or rpmfind).

The good news is that the old openssh/linux site (which seems to be in the process of being phased out) still exists and has links. Here is a list of mirrors [ibs.com.au] completely distinct from those listed at www.openssh.com. Start with one of them to get the openssh rpms. Then look in the "support" subdirectory to get openssl-0.9.5a-1.

Let's hope that these other openssh mirrors continue to exist!!

Re:Number one

[hackerhue]

Read the README.openssh2 file. It talks all about generating DSA keys, and converting to and from commercial ssh2 key format.

socks support?

[3,7,A]

ssh needs to have a socks support, to be usable from behind a corp. firewall. could not find that option anywhere --with-socks or something

Definitely NOT a domain squatter

[Yenya]

Alex de Joode (the openssh.org [openss.org] owner) is not a domain squatter. The domain was registered before the OpenSSH project was announced (see the discussion at /. [slashdot.org] for details).

Not related to this, this guy runs one of the best archives of crypto/security-related software for RedHat, the ftp.zedz.net [zedz.net] (which used to be ftp.replay.com before they sold the domain).

Alex de Joode is definitely NOT a cybersquatter.

-Yenya
--

Re:Finding RPMS for Openssh / Openssl

[NightParrot]

I gave up on finding RPMs for anything a long time ago because nobody ever made them relocatable. Time after time, I'd suck down the RPM, rpm -qlp, oh gee, another tool that thinks it goes in /usr. Sorry, if I didn't find you on the distribution media, you go in /usr/local. Then I'd suck down the tarball, fix up the spec file, and do it right. Eventually I gave up on the lengthy and useless first round. I think of it this way: an RPM is a binary, the spec file is the source. I'll take the source, thanks. (:

Re:NO help from DOMAIN SQUATTER

[uSuRa]

1) I never claimed to be involved with Theo's OpenSSH Project.

2) there is no competing project.

3) there is no FUD [*1]

4) actually I offered it again, this time to Markus Friedl, who does most of the work. [*2]

[*1]
Actually Markus thought the same, after I explained some things to him, the structure of the OpenSSH Project suddenly was changed, (which is Good [TM]) there now is a 'OpenBSD' and a 'Ported' version of SSH. The websites are also merged.

So if you feel some of the stuff on the site is FUD you have to realise that it was written before the OpenSSH Project addressed the issues I raised.

[*2]
Markus hasn't decided if he wants to accept the offer ..

Your score: 1 correct fact, 1 incorrect suggestion, 3 incorrect facts, 1 useless 'what if'.

--

Re:what is the OpenBSD Wireframe Daemon head shirt

[HoserHead]

It means the ever popular OBSD Wireframe Daemon Head shirt - it is a shirt with the Wireframe Daemon's Head on it.

Re:Finding RPMS for Openssh / Openssl

[Fredbo]

Yes it likely is intentional. This was one of the conditions of Alex in the com/org debate that the openbsd (openssh.com) guys wouldn't meet (showing links to openssh for other platforms) that he wouldn't hand the openssh.org domain over.

Re:Whatever happened to the openssh org vs com deb

[divec]

personally i am going to continue using ssh2 because i dont like anti-linux/anti-netbsd attitude of some of the openSSH developers

C'mon, this is free software, the openssh team don't control its distribution and can't rescind its license. Wheras the non-free ssh2 is in the hands of a single company who can pretty much stop all development for a given platform whenever they please. Is it really sensible to give the proprietory version more weight because a few people may have moronic streaks?

Re:Old news

[The_Messenger]

I sort of agree; I've been using the new version on GNU/Linux, FreeBSD, and Solaris for weeks. My guess is that the Slashdot boys thought there'd be more to talk about if we had the chance to install and test it for a few weeks.

(Also, if Slashdot ever were the first to announce something, the cries of "This isn't Freshmeat!" would be deafening.)

I find the OpenBSD/SSH team's attitude towards the other BSDs to be interesting. For instance, you can go to openssh.com and click on the alternative (to OpenBSD) OS of your choice, listed on the blue sidebar. Other BSDs are listed on that blue sidebar, but when you're taken to http://www.openssh.com/portable.html, they aren't mentioned. That can't possibly be a simple oversight.

"Linux" is first on the list, though. I don't see this supposed anti-GNU/Linux mentality. Hell, they provide RPMs! (Red Hat isn't Linux, but you have to quite a "lun1x lu53r" to distribute RPMs. What's so wrong with tarballs?)

Also, they aren't making a big deal about US and International releases with this new version. Are they deciding to keep the politics with the OS, or just tiring of all the animosity? As I'm sure Theo knows, it's very taxing, mentally and physically, to be angry all the time.

Congrats to the team, though. A great product. I hope people will buy some merchandise while they're there. OpenBSD doesn't enjoy the corporate funding that other OSs do; they may not want the corporate funding, but development costs money all the same.

---------///----------
This post is not redundant, please don't moderate it as such. I repeat, this post is not redundant.

Still a couple holes

[Alan Shutko]

There are still a couple of holes in the support. Number one on my annoyance list is that the agent does not yet support DSA keys, so you have to type in a password whenever you connect to an ssh2 host. (Unless I've missed something somewhere.)

Number two is that scp2 doesn't quite work, because it uses a proprietary protocol, although you can use scp1 over ssh2 fine.

Otherwise, it works great. There's a tool to convert ssh2 keys into a form ossh understands, and I had no problem using it.

Compatibility with SSH2 keys.

[XNormal]

From ssh-keygen man page: (my emphasis)

-x This option will read a private OpenSSH DSA format file and print a SSH2-compatible public key to stdout.

-X This option will read a SSH2-compatible public key file and print an OpenSSH DSA compatible public key to stdout.

Am I the only one who finds this a little strange?

Maybe that's why they call them asymmetric ciphers :-)

----

non openbsd versions

[Phexro]

the link provided was to the openbsd-specific source. there is a port for other unixes here [openssh.com] - source is here [openbsd.org] , a diff against the `official' openbsd version (for those who downloaded from the incorrect link) is here [openbsd.org]

--

Whatever happened to the openssh org vs com debate

[Anonymous Coward]

A while ago Slashdot had an article [slashdot.org] on the OpenSSH dot org controversy. Emmet would write a follow up [openssh.org] to it. But it never came. I would very much like to know how it ended and if the openbsd com site now finally supports other platforms (like GNU/Linux) or links to other free implementations.

SSHv2 is crap

[ClaudioLeite]

For those of us who still have to suffer with modems, SSH version 2 is absolute crap. Sessions are extremely slow, and often halt for no reason. When both sides are on modems, results are even worse. It is absolutely impossible to do anything that requires frequent keypresses (try editing a file, its horrible) because of the extreme latency.

SSHv1 and the old OpenSSH have none of these problems. SSHD2 with fallback to SSHD1 still has all these problems, even though it is using the SSH1 client.

I always loved the fact that SSHv2 had bad licensing, so most people didn't use it. Now with this, more intelligent people will be using version 2 daemons, which means the rest of us who aren't lucky enough to have fast connections will suffer.

Re:Number two.

[jpowers]

I think they use SecureCRT at one of the offices I support. One server they link to uses ssh, the other uses ssh2. It's like $90. Maybe check their website. [vandyke.com]

I wish I could find a free one with keymapping, TeraTerm's not quite getting the job done at my office, and I can't code worth a damn.

-jpowers

You Know You've Been Watching Too Much Ranma 1/2 When...

Before the cheering commences..

[uncleFester]

I run a 'dual-platfom' shop (bread and butter boxes are HPUX, my desktop & primary mail reflector are linux) and was quite pleased to discover this Thursday. Built openssh for both platforms but only installed on the linux machine. I've since run into the problem of the old ssh clients (ssh-1.2.7) not consistently connecting to the new ssh (openssh) server using protocol v1. Things work fine after daemon init, but falter after some time. Forcing a ssh2/dsa connection is a little more reliable.

This really hurts me with scp stuff back and forth.

Problem manifests itself as a 'password incorrect' error. Nothing obvious when using -v at the client & debug/nodaemon flags at the server.

I've not fully digested this problem yet so I haven't majorly pursued this (or filed any bug report). I want to make sure it's not MY fault. If you have a sizable ssh1 implementation you may want to stick this on a single box & watch it a day or two. I plan to upgrade ALL my unix boxes.. but will still need some ssh1 support as my PD win (HUSH) ssh clients only support ssh1.

Thx to the OpenSSH team for 'helping' us with that goofyass ssh2 license problem the 'other' product has.

Re:Whatever happened to the openssh org vs com deb

[gr]

Considering that debate hinges primarily on the hubris of Theo de Raadt [theos.com], who has a long history [theos.com] of being fairly disagreeable rather permanently, that doesn't seem very likely.

OpenBSD is good software, which I use in several places for several organizations, and Theo seems like a pretty nice guy most of the time, but he definitely has difficulties controling his temper, especially when he doesn't get his way.

Better than the original (?)...

[1984]

One of the nicest things about the SSH v2 support in OpenSSH is that both protocol versions are supported in a single binary. No more installing SSH1 and then SSH2 over the top.

Okay, so it wasn't that much hassle installing both versions, but the OpenSSH way is a neater solution.

Now the real question -- apparent minor lack of functionality aside -- is: how long before we're all happy to chuck out our official copies of both SSH 1 and 2 and start using OpenSSH instead? How long do people wait before deciding "It's been out long enough that it's probably as secure as the alternative"? (It being something of a faith issue for those of us who don't have the time or skill to do a full audit of the code.)

Re:SSHv2 is crap

[gr]

Hm.

I connect quite regularly from an aging Gateway machine running Win98 via a dialup at my apartment to my NetBSD/macppc machine running sshd2 on Swarthmore College's campus. Granted, the dialup and the server are on the same LAN, but I see no greater latency connecting to my NetBSD machine with a G3) than I do connecting to the Computer Science Program's Solaris 2.6 box running sshd1 (which has two UltraSparcs).

It seems more likely that your server processor is slow enough that the encryption time is significant.