Skip site navigation (1)Skip section navigation (2) 
Date:      Mon, 6 Mar 2000 14:01:15 -0500
From:      Garance A Drosihn <drosih@rpi.edu>
To:        Edwin Kremer <edwin+freebsd-current@cs.uu.nl>, freebsd-current@FreeBSD.ORG
Subject:   Re: openssh question
Message-ID:  <v04210115b4e9ae12ee75@[128.113.24.47]>
In-Reply-To: <20000306112939.A24401@cs.uu.nl>
References:  <200003060833.AAA18027@windsor.research.att.com> <200003060920.CAA57713@harmony.village.org> <20000306112939.A24401@cs.uu.nl>
next in thread | previous in thread | raw e-mail | index | archive | help 
At 11:29 AM +0100 3/6/00, Edwin Kremer wrote:
>On a side note: last week, Tatu Ylonen, principal author of SSH, posted a
>message on the SSH mailing-list (in the thread about the new SSH2 license)
>saying that:
>
>   " OpenSSH is based on my version from back in 1995 or 1996.  The
>   " OpenSSH folks have fixed many of the (security) bugs in that
>   " version, but not all of them when I last checked.  Some of the
>   " problems in SSH1 are very fundamental.
>   "
>   " I do not recommend use of OpenSSH (or SSH1 generally, for that matter).
>
>There hasn't been much followup on this. Anybody here who cares to
>comment on this? What issues are relevant here and how bad is it?

What he is saying is that the ssh2 protocol is better than the ssh1
protocol, and that is true.  On the other hand, most of us here have
been sticking to ssh1 ("the product") because of licensing and pricing
issues with ssh2, and I'd say openssh either beats or will soon beat
the ssh1 product.

Not only that, but if you check the web page at OpenSSH.COM, you'll
see that they also claim to be working on ssh2 protocols for openssh.
Once that is done, openssh will also have addressed the fundamental
shortcomings of ssh1 that he is alluding to.

Also note that the security shortcomings are that ssh1 is not as
perfectly bullet-proof of a protocol as it could be.  It is certainly
much much much much better, security-wise, than running telnet.


---
Garance Alistair Drosehn           =   gad@eclipse.acs.rpi.edu
Senior Systems Programmer          or  drosih@rpi.edu
Rensselaer Polytechnic Institute


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-current" in the body of the message

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?v04210115b4e9ae12ee75>