OpenSSH 5.0 released [LWN.net]

OpenSSH 5.0 released

Posted Apr 7, 2008 15:11 UTC (Mon) by nix (subscriber, #2304)
In reply to: OpenSSH 5.0 released by gmaxwell
Parent article: OpenSSH 5.0 released

Hear, hear. This is the single biggest fault in OpenSSH, to my mind, and 
one I hear constantly from users. It's this great strong 
authentication-and-connection toolkit, but other than the manpages and a 
book you have to buy (so nobody does: ssh is often a small component of 
larger systems, so the documentation should be incorporatable into the 
docs for those systems: but it's in book form, so it isn't), there is *no 
useful documentation*, and for a security system that is *really* 
unfortunate, because if you make an error in configuring a security system 
you tend to introduce insecurity without even knowing it. (This may or may 
not be true of OpenSSH: I can't tell.)

I mean I've been using OpenSSH since it forked from SSH: I read the 
changelogs religiously and know the manpages pretty much by heart, but I 
still have *no* idea what the moduli file is for, what the consequences 
are when it gets changed in some OpenSSH release (there must be 
consequences or 'make install' would overwrite, but there can't be 
consequences or newer fresh installs would have trouble talking to older 
upgraded installs), why I might want to use  a different MAC from the 
default, why I might want to use a different cipher from the default (that 
I *think* I know, but where security is concerned that's not really good 
enough)... I only know how subsystems work because I read the code, and 
when I did I was jumping around babbling about how cool this is, oh look 
you can attach anything that can chatter to stdin/stdout as a subsystem 
and ride on OpenSSH's authorization/authentication/networking layer...

... but nobody who hasn't read the code knows that, and things like that 
really should not lie hidden for ten years because of a total absence of 
useful docs.


*Are* there useful docs somewhere? (The manpages, for these purposes, are 
not useful. There's too much they leave unsaid. Printed books are 
minimally useful: you can't grep them, you never have them around when you 
need them, and you can't point confused customers in Australia at them 
when they're having trouble getting their end of some SSH tunnel up).

Otherwise, well, I'd write some better docs, but that's sort of hard since 
there's too much I don't know. Someone who actually knows SSH has to do 
it, and as far as I can tell that set consists largely of the maintainers.

(Log in to post comments)

OpenSSH 5.0 released

Posted Apr 7, 2008 22:55 UTC (Mon) by nix (subscriber, #2304) [Link]

I was actually more interested in a WHY. i.e. a simple feature list and 
answers to the question 'you have this feature, why is it there? What was 
it intended for? What's its purpose?' `How do you use it' is, if anything, 
secondary. Right now we can't answer that question because we don't know 
what features *exist* unless we read the entire source base, because many 
of them (e.g. subsystems) are pretty much completely undocumented.

This sort of rationale thing is the sort of question for which an answer 
*must* exist (or why was the feature added in the first place?) but which 
generally the only people who know the answers are the people who added 
the features in the first place :(

(but I agree with the lack-of-manpower part. It's just surprising that, 
given the percentage of security problems caused by unknowing misuse of 
security features, someone on a project as security-obsessed as OpenBSD 
hasn't found the time.)