From owner-freebsd-current Mon Mar 6 11: 1:11 2000
Delivered-To: freebsd-current@freebsd.org
Received: from mail.rpi.edu (mail.rpi.edu [128.113.100.7])
    by hub.freebsd.org (Postfix) with ESMTP id 74A7637BF28
    for ; Mon, 6 Mar 2000 11:01:06 -0800 (PST)
    (envelope-from drosih@rpi.edu)
Received: from [128.113.24.47] (gilead.acs.rpi.edu [128.113.24.47])
    by mail.rpi.edu (8.9.3/8.9.3) with ESMTP id OAA25240;
    Mon, 6 Mar 2000 14:00:54 -0500
Mime-Version: 1.0
X-Sender: drosih@mail.rpi.edu
Message-Id:
In-Reply-To: <20000306112939.A24401@cs.uu.nl>
References: <200003060833.AAA18027@windsor.research.att.com>
    <200003060920.CAA57713@harmony.village.org>
    <20000306112939.A24401@cs.uu.nl>
Date: Mon, 6 Mar 2000 14:01:15 -0500
To: Edwin Kremer , freebsd-current@FreeBSD.ORG
From: Garance A Drosihn
Subject: Re: openssh question
Content-Type: text/plain; charset="us-ascii" ; format="flowed"
Sender: owner-freebsd-current@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

At 11:29 AM +0100 3/6/00, Edwin Kremer wrote:
>On a side note: last week, Tatu Ylonen, principal author of SSH, posted a
>message on the SSH mailing-list (in the thread about the new SSH2 license)
>saying that:
>
>  " OpenSSH is based on my version from back in 1995 or 1996. The
>  " OpenSSH folks have fixed many of the (security) bugs in that
>  " version, but not all of them when I last checked. Some of the
>  " problems in SSH1 are very fundamental.
>  "
>  " I do not recommend use of OpenSSH (or SSH1 generally, for that matter).
>
>There hasn't been much followup on this. Anybody here who cares to
>comment on this? What issues are relevant here and how bad is it?

What he is saying is that the ssh2 protocol is better than the
ssh1 protocol, and that is true. On the other hand, most of us
here have been sticking to ssh1 ("the product") because of
licensing and pricing issues with ssh2, and I'd say openssh
either beats or will soon beat the ssh1 product.

Not only that, but if you check the web page at OpenSSH.COM,
you'll see that they also claim to be working on ssh2 protocols
for openssh. Once that is done, openssh will also have addressed
the fundamental shortcomings of ssh1 that he is alluding to.

Also note that the security shortcomings are that ssh1 is not
as perfectly bullet-proof of a protocol as it could be. It is
certainly much much much much better, security-wise, than
running telnet.

---
Garance Alistair Drosehn           =   gad@eclipse.acs.rpi.edu
Senior Systems Programmer               or  drosih@rpi.edu
Rensselaer Polytechnic Institute