Date: Tue, 4 Jan 2000 12:38:23 -0500 From: David Rankin <drankin@bohemians.lexington.ky.us> To: Markus Friedl <markus.friedl@informatik.uni-erlangen.de> Cc: David Rankin <drankin@bohemians.lexington.ky.us>, Brian Fundakowski Feldman <green@FreeBSD.org>, "Michael H. Warfield" <mhw@wittsend.com>, Dug Song <dugsong@monkey.org>, security@FreeBSD.org, openssh-unix-dev@mindrot.org Subject: Re: OpenSSH protocol 1.6 proposal Message-ID: <20000104123822.B6035@rumpole.bohemians.lexington.ky.us> In-Reply-To: <20000103234930.A10240@folly.informatik.uni-erlangen.de>; from Markus Friedl on Mon, Jan 03, 2000 at 11:49:30PM %2B0100 References: <20000102151208.A21548@folly.informatik.uni-erlangen.de> <Pine.BSF.4.10.10001021441330.8076-100000@green.dyndns.org> <20000103092733.B3780@rumpole.bohemians.lexington.ky.us> <20000103234930.A10240@folly.informatik.uni-erlangen.de>
next in thread | previous in thread | raw e-mail | index | archive | help
I'll condense two different responses into one letter. Also, I have posted what I'd call a "draft action plan" for an OpenSSH 2.0 project to http://www.bohemians.lexington.ky.us/~drankin/openssh2.proposal for anyone interested to examine. I suggest that we limit further discussion of this thread to openssh-dev-list. Thanks, David On Mon, Jan 03, 2000 at 07:47:15PM +0000, Philip Hands wrote: > David Rankin <drankin@bohemians.lexington.ky.us> writes: > > Once we get someone to make a list, I think we can start working on > > the details. No use flooding security@FreeBSD.org or openssh-dev-list > > with a lot of off-topic discussion (and can stop the monster CC:... :) > Would it not be better to attempt to get lsh finished off, since that > doesn't have any possible licensing problem related to the > protocol/name thing. So long as we maintain compatability with SSH 1.5, I don't think that there are licensing issues. This should be true even when/if SSH 2.0 support is included. As for lsh, I like what is already there, but there's a couple of fundamental design choices that I don't agree with in lsh. They are: 1> Lack of compatability with the SSH 1.5 protocol. This is of course the biggest issue for me. There are a ton of SSH 1.x implementations out there. 2> Non-forking server. A select() system is inherantly more complex than a fork/exec design. I can see a lightweight thread replacement for fork/exec, but not a monolithic non-forking server. > Cheers, Phil. On Mon, Jan 03, 2000 at 11:49:30PM +0100, Markus Friedl wrote: } I hope this is my last mail on this subject. All this discussion } about SSH2 misses the fact that we are talking about a security } product, so 'features' should not be overrated. } Especially for ssh it should be remembered that "complexity is the } enemy". You almost get my SSH1.6 for free. The patches consist } of minor modifications that are supposed to makes SSH1 much more } secure. Compare the code size of OpenSSH (~ 20.000 lines) with the } code size of ssh-2.0.1x (~ 100.000 lines), an incarnation of SSH2. } Do secure protocols leed to secure implementations? I wasn't aware of how close to completion your SSH 1.6 patches are. In this case, I think that it'd be a Good Thing(tm) to include them right after OpenSSH 1.2.1 is ready. Also, I'm not sure if comparing code lines is fair. OpenSSH + OpenSSL are more than ~20000 lines, although still not in the 100k range. That said, your point is valid: SSH 2.0 is more complex, and any SSH 2.0 implementation is also more complex. That means that it's going to be a while before OpenSSH 1.2 is obsolete. I agree with your SSH 1.6 proposal as an interim solution, possibly its completion driving OpenSSH 1.3. Thanks, David -- David W. Rankin, Jr. Husband, Father, and UNIX Sysadmin. Email: drankin@bohemians.lexington.ky.us Address/Phone Number: Ask me. "It is no great thing to be humble when you are brought low; but to be humble when you are praised is a great and rare accomplishment." St. Bernard To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20000104123822.B6035>