LWN: Comments on "The Grumpy Editor's guide to SSH servers"

The Grumpy Editor's guide to SSH servers

fgrosshans — Thu, 29 Jun 2006 09:29:48 +0000

Yes, it allows them :

>To qualify for a Non-Commercial Version License, You must: (1) use the
>Software solely on a system under the Linux, FreeBSD, NetBSD, or OpenBSD
>operating system (whether for commercial or non-commercial use), or (2)...

It doesn't allow lwn to use ssh on windows or solaris, but they can do so "under the Linux, FreeBSD, NetBSD, or OpenBSD operating system". I guess it would be possible for them to install linux ;-)

The Grumpy Editor's guide to SSH servers

Wol — Thu, 29 Jun 2006 07:48:42 +0000

Just because a GPL library was included doesn't make SSH GPL too ... it just means the SSH licence must be GPL-compatible (which is true of BSD).

So It's quite likely the SSH code was BSD, the library was GPL, and hence the combination was GPL.

In which case, there was no need to "rewrite all the GPL'd SSH code" because there wasn't any GPL'd SSH code to rewrite! :-)

Cheers,
Wol

The Grumpy Editor's guide to SSH servers

djm — Thu, 29 Jun 2006 05:40:36 +0000

To be fair to Niels Moller (the lsh developer), he actually started working on lsh before we started on OpenSSH, so it isn't a "me too" product.

Large scale SSH server survey, and top network security tool survey

roelofs — Wed, 28 Jun 2006 01:37:30 +0000

Speaking of security tools (and pardon me for plugging my own site), I released a new site this morning at SecTools.Org. This covers the top 100 network security tools, as voted on by more than 3,000 Nmap users. ... I do these security tool surveys every 3 years, and find them quite valuable for learning about the new and interesting tools out there. Sometimes we get stuck in a rut of using just the tools we know well, without exploring other options.

I came across that article via LinuxSecurity.com's newsletter, and I fully agree with the author--the tools survey is extremely useful, even if it does include many that aren't relevant to me due to my choice of OS. I only wish there was a single-page version of the survey (or, if there is one, that it was more prominently linked). ;-)

Greg

Getting away from C

kevinbsmith — Sat, 24 Jun 2006 14:13:00 +0000

At least in theory, wouldn't it be easier to write a highly secure tool (like an SSH server) in a higher-level language such as python? I realize there might (or might not) be performance issues, but for most of us (who have at most a handful of users) that's not even a consideration.

If someone built command-line wrappers around twisted conch and paramiko, we would immediately have 40% more SSH servers available for evaluation. An added benefit would be that they would be less featureful than openssh. Lots of configuration options can lead to confusion, and in the worst case, bad security.

The Grumpy Editor's guide to SSH servers

rickmoen — Sat, 24 Jun 2006 02:37:43 +0000

If I may be so immodest, I maintain a bestiary of all known SSH implementations categorised by OS at http://linuxmafia.com/ssh/. The Unix category is http://linuxmafia.com/ssh/unix.html. It's not a review piece and cannot compare with Jon's excellent work in that area, but does at least aim to be complete.

Rick Moen
rick@linuxmafia.com

The Grumpy Editor's guide to SSH servers

piman — Fri, 23 Jun 2006 20:57:34 +0000

That license doesn't allow LWN (which is commercial, not a personal user, and not a university) to download and review the product, even if they wanted to.

annoying third-person references

sbergman27 — Fri, 23 Jun 2006 17:11:01 +0000

Our editor's delightfully dry humor would not come off quite so well if said editor did not set such a formal tone in this site's journalistic offerings.

annoying third-person references

alvherre — Fri, 23 Jun 2006 16:11:25 +0000

Style. Myself, I don't like it when authors of an article use the first person. It's a matter of taste, of course.

The Grumpy Editor's guide to SSH servers

dd9jn — Fri, 23 Jun 2006 07:15:53 +0000

ssh 1.2.12 is the version OpenSSH was based on. It included for big integer arithmetics a copy of the GMP 1.3.2 - that version of the GMP (from 1993) is under the GPL. The FSF later relicensed the GMP under the LGPL but this is not the version included and used by that and all earlier ssh versions. Thus the rules of the GPL apply to these versions of ssh.

The Grumpy Editor's guide to SSH servers

scruffie — Fri, 23 Jun 2006 02:09:46 +0000

Another Python one is Paramiko.

The Grumpy Editor's guide to SSH servers

smoogen — Thu, 22 Jun 2006 23:22:39 +0000

Uhm.. actually I dont think ssh.com was ever GPL'd. They took the last version that had a BSD like licesne and worked from there.

The Grumpy Editor's guide to SSH servers

horen — Thu, 22 Jun 2006 18:08:01 +0000

Excerpted from the LICENSE file of ssh-3.2.9.1 (from SSH.COM):

"NON-COMMERCIAL VERSION LICENSE

To qualify for a Non-Commercial Version License, You must: (1) use the
Software solely on a system under the Linux, FreeBSD, NetBSD, or OpenBSD
operating system (whether for commercial or non-commercial use), or (2)
use the Software for non-commercial purposes as defined herein and be a
Non-Commercial Entity as defined herein, or (3) be an University User as
defined herein, or (4) be an Excluded Contractor as defined herein.

The term "Non-Commercial Entity" is limited to the following: university
or other educational institutions (such as pre-schools, elementary
schools, middle or junior high schools, high schools, and community or
junior colleges), non-profit organizations (such as public libraries,
charities, and other organizations created for the promotion of social
welfare), "University Users", and other individual users who use the
Software for personal use (such as connecting to an Internet Service
Provider for personal use, hobby, recreational, or educational
purposes). The term "University Users" is limited to students, faculty
members, researchers, administrators, support staff, and employees of a
university when acting in this capacity. The term "Excluded Contractor"
is limited to independent, solo contractors while performing work for a
Non-Commercial Entity, such as a university or other educational
institution in an individual capacity. If You qualify for a
Non-Commercial Version License, You may use the Software free of
charge. SSH reserves the right to further clarify the terms
Non-Commercial Entity, University Users and Excluded Contractor at its
sole determination."

I apologize for the length, but the SSH.COM server and client remain major players throughout the formal academic and no-less-formal personal-user communities. I have used it since it became available (while a Unix sysadmin at Tel-Aviv University), and continue doing so, on my personal home computers, to this very day.

Thank you for this provocative and eye-opening article. Perhaps someone will as Apple Computers, who chose to base their MacOSX on FreeBSD (and then castrate it by their non-Unix commands and horrible GUIs, but that's grist for a different mill).

The Grumpy Editor's guide to SSH servers

job — Thu, 22 Jun 2006 13:03:14 +0000

I think you are being a bit unfair to the non-OpenSSH implementations. I've had some servers on lshd since before OpenSSH came about, and I've had much less trouble with them compared to the latter. It's a very nice piece of software.

The Grumpy Editor's guide to SSH servers

job — Thu, 22 Jun 2006 12:59:53 +0000

There's also one in Python called Twisted Conch.

The Grumpy Editor's guide to SSH servers

Segora — Thu, 22 Jun 2006 09:24:29 +0000

There are also special purpose ssh servers like the one in Erlang/OTP.

The Grumpy Editor's guide to SSH servers

pointwood — Thu, 22 Jun 2006 09:07:03 +0000

At least we know that the OpenBSD/OpenSSH developers take security very seriously and have a very good track record.

The Grumpy Editor's guide to SSH servers

kirkengaard — Thu, 22 Jun 2006 08:44:14 +0000

Thanks; I wasn't aware of that. So it was a common itch, and poof! OpenSSH came along. That makes way more sense. Sorry for any false implications or statements on my part!

The Grumpy Editor's guide to SSH servers

dd9jn — Thu, 22 Jun 2006 07:58:50 +0000

To be fair the lsh developers: The lsh project came to life at a time when there was no free SSH implementation available and the GNU task list had a free ssh protocol implementation as an item. Then OpenSSH appeared out of the nowhere. Thus speaking of a GNU re-implementation is in this case not correct. Actually the OpenSSH development was the other way around: They took the last GPL implementation of ssh.com and replaced all GPL code by new code under the BSD license.

IIRC, the reason for the unusual architecture of lsh (i.e. very lispy) is due to several rewrites and that Nisse started reading the Wizard book while working on lsh.

The Grumpy Editor's guide to SSH servers

kleptog — Thu, 22 Jun 2006 07:53:57 +0000

The handling of the 2002 integer and buffer overflow vulnerability raised some eyebrows; the developers refused to disclose specifics on the vulnerability, insisting, instead, that all users perform a significant upgrade to the current release.

Ah yes, I remember that day, when a simple security update broke SSH throughout our network and I had to spend a good part of the day logging into every machine and fixing it.

The Grumpy Editor's guide to SSH servers

eru — Thu, 22 Jun 2006 06:08:12 +0000

>>play with the three SSH server implementations he found which are free

Nevertheless, it might be interesting to know how OpenSSH would
fare in comparison to the commercial SSH. Of course I realize that
benchmarking expensive proprietary software would be
outside lwn.net:s scope, and maybe resources as well. Wonder
if such comparison exists elsewhere?

Large scale SSH server survey, and top network security tool survey

fyodor — Thu, 22 Jun 2006 06:00:13 +0000

All available evidence indicates that almost every publicly reachable SSH server is running OpenSSH

Funny you should mention this, as Nmap developer Doug Hoyte just last week posted the results of an large scale Internet survey of SSH daemons. He did find that the vast majority of servers run OpenSSH, though he found that a bit more than 1% of the servers (98 of them out of about 8,000) ran Dropbear. LSH was truly obscure -- he found only 2 instances.

Speaking of security tools (and pardon me for plugging my own site), I released a new site this morning at SecTools.Org. This covers the top 100 network security tools, as voted on by more than 3,000 Nmap users. SSH made the list, with users specifying a certain implementation generally suggesting either OpenSSH or PuTTy. I think the latter is mostly used by Windows and embedded device users. I do these security tool surveys every 3 years, and find them quite valuable for learning about the new and interesting tools out there. Sometimes we get stuck in a rut of using just the tools we know well, without exploring other options.

-Fyodor
Insecure.Org

annoying third-person references

kmself — Thu, 22 Jun 2006 05:43:24 +0000

Your editor prefers "your editor". ;-)

annoying third-person references

b7j0c — Thu, 22 Jun 2006 05:23:46 +0000

why does the author refer to himself as "your editor", just say "I".

acacia nilotica

xoddam — Thu, 22 Jun 2006 04:19:02 +0000

Hmmm, a prickly kind of large shade tree. Try Acacia Nilotica.

http://eriss.erin.gov.au/biodiversity/invasive/publicatio...

It's an African species, but in Australia it's a 'weed of national
significance'.

The Grumpy Editor's guide to SSH servers

smitty_one_each — Thu, 22 Jun 2006 01:43:00 +0000

>play with the three SSH server implementations he found which are free

The Grumpy Editor's guide to SSH servers

miah — Thu, 22 Jun 2006 01:26:36 +0000

I'm kind of curious why ssh.com's ssh server wasn't reviewed. Considering its what OpenSSH was based on and is available for most UNIX's and even Windows. Though I use OpenSSH and Dropbear the most, I feel that you missed something with this review.

The Grumpy Editor's guide to SSH servers

ehovland — Wed, 21 Jun 2006 22:05:08 +0000

> I've been using dropbear for years now, it's actually pretty nice.

Just to say, me too!

Dropbear is the default client and server for the familiar distribution for handhelds running linux.

There have been a few issues that the familiar group has had to patch over and over again. For example, 2048-bit keys can cause a core dump on the dropbear ssh client, and only because dropbear does not allocate enough space for a key that size. But that issue is minor when one wants ssh on a small device (and let me tell you, ssh on a small device is handy).

The Grumpy Editor's guide to SSH servers

kirkengaard — Wed, 21 Jun 2006 20:38:08 +0000

(Wow, I need to be consistent with analogies, or leave them alone. Sorry!)

The Grumpy Editor's guide to SSH servers

kirkengaard — Wed, 21 Jun 2006 20:26:22 +0000

This seems to be the case with many de facto standard codebases. Like monolithic shade trees, it is hard for anything to grow in their shadow; most things that try to fill the same niche wind up compared to the 'big tree', just as dropbear and lsh do here. This is, to some extent, a self-reinforcing issue, and it can have good results, as you pointed out. A monoculture built around fanatic security-consciousness is perhaps more stable than some others. Big trees of this sort eat up a large share of their noosphere 'ground', and take up a very large share of the developer attention 'light'. Consider that dropbear lives by filling an available niche in the SSH market. There is ground and light for their particular choices. Lsh seems to be suffering the "Me, too!" that the GNU reimplementation tendencies can drive people to. The developer's itch is not common enough; OpenSSH is not enough of a pain to drive quality and masses to a GNU reimplementation.

I don't mean to sound like I'm complaining about the quality of the competition like it's OpenSSH's fault. This is a group choice in large part. It could be worse; at least this dominant player is nominally on the Open side of the fence, even if prickly at times. I've always thought of the logo as a caveat. ;)

The Grumpy Editor's guide to SSH servers

landley — Wed, 21 Jun 2006 20:02:10 +0000

I've been using dropbear for years now, it's actually pretty nice. It's
been the default ssh server/client in the embedded space since about 2004,
and I'm unaware of anything interesting openssh does that dropbear
doesn't.

Setup's fairly easy too: extract the tarball and run the standard
"./configure; make; make install", then set up a host key.

Right after running ./configure I edit options.h to comment out
the #defines for DROPBEAR_SMALL_CODE, DO_HOST_LOOKUP and DO_MOTD, and I
set DROPBEAR_RANDOM_DEV to "/dev/urandom", but all of that's just tweaks I
could live without.

After install you need to create a host key, ala:

mkdir /etc/dropbear
./dropbearkey -t dss -f /etc/dropbear/dropbear_dss_host_key -s 2048

Then just run dropbear and you should be able to ssh to your machine.
(Try the loopback port.)

The Grumpy Editor's guide to SSH servers

sbishop — Wed, 21 Jun 2006 19:30:12 +0000

This article doesn't appear to be "subscribers only"...