OpenSSH 5.0 released

Posted Apr 7, 2008 5:44 UTC (Mon) by gmaxwell (subscriber, #30048)
Parent article: OpenSSH 5.0 released

Another release without SRP support. *Sigh*.


OpenSSH 5.0 released

Posted Apr 7, 2008 11:59 UTC (Mon) by djm (subscriber, #11651)

SRP has lots of scary patents surrounding it.

OpenSSH 5.0 released

Posted Apr 7, 2008 13:25 UTC (Mon) by gmaxwell (subscriber, #30048)

> SRP has lots of scary patents surrounding it.

My understanding is that Stanford University has granted a royalty-free license to the basic form of SRP as described in RFC-2945. Stanford has been pretty loudly beating the "it's free! it's free!" drum ... and at least some groups seem to have bought into these claims. For example, GNUTLS includes SRP, and I'd expect them to be somewhat patent-paranoid.

While I wouldn't be at all surprised to discover that Stanford's claims are inaccurate, it sure would be nice to have a good reference on the patent problems. Any suggestions?

The lack of an automatic PKI in SSH is a serious impediment to security in the real world. While OpenSSH provides all the tools needed for a skilled user to be secure, real users simply do not understand or use them. MITM attacks against SSH work in the real world, not only against unskilled users but against technically competent ones as well. The classic solutions to this class of problems are too centralized, too complex, or simply too labor-intensive to address SSH's needs.

In my opinion SRP would result in too large an increase in effective security to be ignored. Whatever patent concerns exist need to be sorted out, because the current state of affairs is harmful to the public.
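To make concrete what the thread is asking for, here is an added example (not code from the thread, from OpenSSH, or from Stanford's reference implementation) that plays both sides of one SRP login in Python. It follows the SRP-6a form used by TLS-SRP (RFC 5054) rather than the older RFC 2945 form the thread names: the only differences are the multiplier k = H(N | g) in the server's B and u = H(A | B), chosen here because SRP-6a is the variant implementations ship today. The group parameters are an assumption: a 128-bit safe prime is searched for at import time so the demo runs in milliseconds with nothing external; a real deployment uses the published RFC 5054 groups. The point the example shows is the one the comment above makes: the server stores only the verifier v, the password never crosses the wire, and a party that does not know v (a man in the middle, or a server whose verifier database was never populated) cannot complete the exchange or produce a matching key.

```python
import hashlib
import secrets

# Toy group parameters, constructed at import time by scanning for a 128-bit
# safe prime. Real deployments use the published groups from RFC 5054
# (1024 bits and up); this size is only for a fast, self-contained demo.
_SMALL_PRIMES = (3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47, 53, 59,
                 61, 67, 71, 73, 79, 83, 89, 97)


def _probably_prime(n: int) -> bool:
    """Trial division plus Miller-Rabin with fixed bases (fine for a demo modulus)."""
    if n < 2:
        return False
    if n % 2 == 0:
        return n == 2
    for p in _SMALL_PRIMES:
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for a in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _toy_safe_prime(bits: int) -> int:
    """First safe prime N = 2q + 1 with exactly `bits` bits, scanning upward from 2**(bits-1)."""
    q = (1 << (bits - 2)) | 1
    while not (_probably_prime(q) and _probably_prime(2 * q + 1)):
        q += 2
    return 2 * q + 1


def _generator(n: int) -> int:
    """Smallest g generating all of Z_N^* (order 2q): neither g^2 nor g^q may be 1."""
    q = (n - 1) // 2
    g = 2
    while pow(g, 2, n) == 1 or pow(g, q, n) == 1:
        g += 1
    return g


N = _toy_safe_prime(128)
g = _generator(N)
N_BYTES = (N.bit_length() + 7) // 8


def _pad(x: int) -> bytes:
    return x.to_bytes(N_BYTES, "big")


def _h(*parts: bytes) -> bytes:
    return hashlib.sha256(b"".join(parts)).digest()


def _hint(*parts: bytes) -> int:
    return int.from_bytes(_h(*parts), "big")


k = _hint(_pad(N), _pad(g))  # SRP-6a multiplier k = H(N | g)


def _x(username: str, password: str, salt: bytes) -> int:
    # RFC 2945: x = H(s | H(U ":" p)). The server never sees x or p, only v = g^x.
    return _hint(salt, _h(f"{username}:{password}".encode()))


def register(username: str, password: str, salt=None):
    """Client-side enrolment: produce (salt, verifier) for the server to store."""
    salt = salt or secrets.token_bytes(16)
    return salt, pow(g, _x(username, password, salt), N)


def _proof_m1(username: str, salt: bytes, A: int, B: int, K: bytes) -> bytes:
    # RFC 2945 client proof: H(H(N) xor H(g), H(U), s, A, B, K)
    ng = bytes(p ^ q for p, q in zip(_h(_pad(N)), _h(_pad(g))))
    return _h(ng, _h(username.encode()), salt, _pad(A), _pad(B), K)


def run_exchange(username: str, password: str, salt: bytes, v: int):
    """Play both sides of one SRP-6a login; returns (client_key, server_key, accepted)."""
    a = secrets.randbelow(N - 2) + 1          # client ephemeral secret
    A = pow(g, a, N)                          # client -> server: A
    b = secrets.randbelow(N - 2) + 1          # server ephemeral secret
    B = (k * v + pow(g, b, N)) % N            # server -> client: s, B
    # Both sides refuse a degenerate public value before doing any arithmetic on it.
    if A % N == 0 or B % N == 0:
        raise ValueError("degenerate ephemeral public value")
    u = _hint(_pad(A), _pad(B))
    # Client side: S = (B - k*g^x)^(a + u*x), from the password it knows.
    x = _x(username, password, salt)
    s_client = pow((B - k * pow(g, x, N)) % N, a + u * x, N)
    client_key = _h(_pad(s_client))
    m1 = _proof_m1(username, salt, A, B, client_key)   # client -> server: M1
    # Server side: S = (A * v^u)^b, from the stored verifier only; then check M1.
    s_server = pow((A * pow(v, u, N)) % N, b, N)
    server_key = _h(_pad(s_server))
    accepted = secrets.compare_digest(m1, _proof_m1(username, salt, A, B, server_key))
    return client_key, server_key, accepted
```

Running `register("alice", "pw")` once and then `run_exchange` with the stored salt and verifier yields `accepted == True` and identical keys on both sides; with a wrong password the proofs and keys disagree, and an eavesdropper who records A, B and M1 has nothing it can use without v.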

OpenSSH 5.0 released

Posted Apr 7, 2008 15:11 UTC (Mon) by nix (subscriber, #2304)

Hear, hear. This is the single biggest fault in OpenSSH, to my mind, and one I hear constantly from users. It's this great strong authentication-and-connection toolkit, but other than the manpages and a book you have to buy (so nobody does: ssh is often a small component of larger systems, so the documentation should be incorporatable into the docs for those systems: but it's in book form, so it isn't), there is *no useful documentation*, and for a security system that is *really* unfortunate, because if you make an error in configuring a security system you tend to introduce insecurity without even knowing it. (This may or may not be true of OpenSSH: I can't tell.)

I mean I've been using OpenSSH since it forked from SSH: I read the changelogs religiously and know the manpages pretty much by heart, but I still have *no* idea what the moduli file is for, what the consequences are when it gets changed in some OpenSSH release (there must be consequences or 'make install' would overwrite, but there can't be consequences or newer fresh installs would have trouble talking to older upgraded installs), why I might want to use a different MAC from the default, why I might want to use a different cipher from the default (that I *think* I know, but where security is concerned that's not really good enough)... I only know how subsystems work because I read the code, and when I did I was jumping around babbling about how cool this is, oh look you can attach anything that can chatter to stdin/stdout as a subsystem and ride on OpenSSH's authorization/authentication/networking layer...

... but nobody who hasn't read the code knows that, and things like that really should not lie hidden for ten years because of a total absence of useful docs.

*Are* there useful docs somewhere? (The manpages, for these purposes, are not useful. There's too much they leave unsaid. Printed books are minimally useful: you can't grep them, you never have them around when you need them, and you can't point confused customers in Australia at them when they're having trouble getting their end of some SSH tunnel up.)

Otherwise, well, I'd write some better docs, but that's sort of hard since there's too much I don't know. Someone who actually knows SSH has to do it, and as far as I can tell that set consists largely of the maintainers.

OpenSSH 5.0 released

Posted Apr 7, 2008 21:59 UTC (Mon) by djm (subscriber, #11651)

No, we don't have a good HOWTO guide. That's because nobody has stepped up to write one - they don't write themselves...

OpenSSH 5.0 released

Posted Apr 7, 2008 22:55 UTC (Mon) by nix (subscriber, #2304)

I was actually more interested in a WHY, i.e. a simple feature list and answers to the question 'you have this feature, why is it there? What was it intended for? What's its purpose?' 'How do you use it' is, if anything, secondary. Right now we can't answer that question because we don't know what features *exist* unless we read the entire source base, because many of them (e.g. subsystems) are pretty much completely undocumented.

This sort of rationale thing is the sort of question for which an answer *must* exist (or why was the feature added in the first place?) but which generally the only people who know the answers are the people who added the features in the first place :(

(But I agree with the lack-of-manpower part. It's just surprising that, given the percentage of security problems caused by unknowing misuse of security features, someone on a project as security-obsessed as OpenBSD hasn't found the time.)
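The subsystem mechanism that both of nix's comments above mention is simple enough to show in full, so here is an added example (my own toy, not code from the thread or from OpenSSH). A subsystem is any program that talks over stdin/stdout; sshd starts it on the authenticated user's behalf when a client asks for it by name. The wiring is two lines that are assumptions for this example: an sshd_config entry such as `Subsystem demo-hash /usr/local/libexec/demo-hash` (the name and path are invented), and a client invocation `ssh -s server demo-hash`, after which the client's stdin/stdout are the program's. The defensive point the example makes is that the peer is an authenticated user, not a trusted one, so the request parser is strict: fixed command set, an argument check, and a length cap.

```python
import hashlib
import io
import sys

# Example sshd_config wiring for this program (hypothetical name and path):
#   Subsystem demo-hash /usr/local/libexec/demo-hash
# Client side:  ssh -s server demo-hash   (stdin/stdout become the channel)

MAX_LINE = 1024  # refuse oversized requests; the peer is authenticated, not trusted


def handle_request(line: str):
    """Map one request line to one response line; None means 'end the session'."""
    line = line.rstrip("\r\n")
    if len(line) > MAX_LINE:
        return "ERR request too long"
    parts = line.split(" ", 1)
    cmd = parts[0].upper()
    arg = parts[1] if len(parts) == 2 else ""
    if cmd == "PING":
        return "PONG"
    if cmd == "HASH":
        if not arg:
            return "ERR HASH needs an argument"
        return "OK " + hashlib.sha256(arg.encode()).hexdigest()
    if cmd == "QUIT":
        return None
    return "ERR unknown command"


def serve(inp, out) -> int:
    """Run the request loop over two text streams; returns the number of requests answered."""
    answered = 0
    for line in inp:
        resp = handle_request(line)
        if resp is None:
            break
        out.write(resp + "\n")
        out.flush()  # the channel is a pipe; unflushed output would stall the client
        answered += 1
    return answered


def run_script(script: str) -> str:
    """Drive serve() with an in-memory transcript (constructed input, for local testing)."""
    inp, out = io.StringIO(script), io.StringIO()
    serve(inp, out)
    return out.getvalue()


if __name__ == "__main__":
    # Under sshd this is the subsystem's whole life: read the channel, write the channel.
    serve(sys.stdin, sys.stdout)
```

Run locally as `printf 'PING\nHASH abc\nQUIT\n' | python3 demo-hash.py` to see the same transcript a remote client would get once the `Subsystem` line is in place.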

Copyright © 2008, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds