Berkeley CSUA MOTD:Entry 20646
Berkeley CSUA MOTD
 
WIKI | FAQ | Tech FAQ
http://csua.com/feed/
2025/07/08 [General] UID:1000 Activity:popular
7/8     

2001/2/22 [Computer/SW/Security] UID:20646 Activity:nil
2/20    How come we are still running OpenSSH 2.3.0? Shouldn't
        we upgrade to the newer 2.5.1?
        Also I've read up on that IDEA cypher that tom keeps asking
        for, it turns out that IDEA is deliberately ommited from
        OpenSSh because there is a big security whole associated
        with it. I'm not sure why he wants it anyway, as the other
        supported methods are much better.
         \_ Let me try to explain this one more time.  We have a choice of
            using a server which will support whatever client one of our
            users is using, with whatever configuration they want to use.
            Or we can use OpenSSH.  No one has put forth a reason why
            OpenSSH is even theoretically better.  So why are we running it?
             -tom
                \_ Because it's open and open is kewl.  Ride bike!
            \_ OpenSSH is as good as FSecure in terms of protocol support
               and because its auditing practices are like OpenBSD it is
               proactively secure. Who knows what buffer overflows are in
               the commerical closed source alternatives. Besides, Tatu
               is a much more immature punk than Theo de Raat.
                \_ OpenSSH is absolutely not as good as FSecure in terms of
                   protocol support.  OpenSSH does not support session
                   re-keying, which is a required part of the ssh2 protocol.
                   The ssh server from http://www.ssh.com also supports this, and
                   is, of course, open source.  -tom
                   \_ Okay explain to me why you need session re-keying.
                      And Tatu's ssh from http://ssh.com may be "open source",
                      but there are serious restrictions on who can and
                      cannot use it. OpenSSH has no restrictions.
                        \_ I need session re-keying because IT IS A
                           REQUIREMENT OF THE PROTOCOL and therefore
                           PROPERLY-FUNCTIONING SSH2 CLIENTS DO NOT WORK
                           WHEN CONNECTED TO OPENSSH SERVERS.  How many
                           times does this need to be explained?  -tom
                           \_ Whatever. What is re-keying anyway?
                              What does it do and why is it needed
                              by the protocol? I mean SSH v2 seems
                              to work find without it when using
                              OpenSSH. Are you just being ANAL again?
                                \_ Leave your ssh2 client idle for an hour or
                                   so when connected to an openssh server.
                                   It will freeze eventually and that makes
                                   SSH2 protocol support in OpenSSH useless for
                                   people who need it.
        \_ The fact that openssh does not support rekeying made its
           ssh2 protocol support nearly useless. Has this been fixed in 2.5.1?
           \_ Just short by one feature.  No big deal.
              \_ This is a big deal for sites that need a working ssh2
                 protocol support
                 \_ soda doesn't need ssh2.
        \_ fsecure ssh 2.3 and earlier have a flaw in their HMAC code.
           this is documented along with the openssh lack of rekeying:
           http://www.openssh.com/faq.html#2.3 --jon.
ERROR, url_link recursive (eces.Colorado.EDU/secure/mindterm2) 2025/07/08 [General] UID:1000 Activity:popular
7/8     

You may also be interested in these entries...
2013/10/24-11/21 [Computer/Companies/Apple] UID:54747 Activity:nil
9/19    "No, A Severed Finger Will Not Be Able to Access a Stolen iPhone 5S"
        http://mashable.com/2013/09/15/severed-finger-iphone-5s
        I'm sure the Apple QA department has tested extensively that a severed
        finger will not be able to access a stolen iPhone 5S.
        \_ It doesn't matter whether or not a severed finger can be used.  It
           matters whether or not a robber thinks that a severed finger can be
	...
2013/6/6-7/31 [Politics/Foreign/Asia/China, Computer/SW/Security] UID:54690 Activity:nil
6/6     Wow, NSA rocks. Who would have thought they had access to major
        data exchangers? I have much more respect for government workers,
        crypto experts, mathematicans now than ever.
        \_ flea to Hong Kong --> best dim-sum in the world
           \_ "flee"
        \_ The dumb ones work for DMV, the smart ones for the NSA. If you
	...
2012/8/26-11/7 [Computer/SW/Security] UID:54465 Activity:nil
8/26    Poll: how many of you pub/priv key users: 1) use private keys that
        are not password protected 2) password protect your private keys
        but don't use ssh-agent 3) use ssh-agent:
        1) .
        2) ..
        3) ...
	...
2012/8/29-11/7 [Computer/SW/Security] UID:54467 Activity:nil
8/29    There was once a CSUA web page which runs an SSH client for logging
        on to soda.  Does that page still exist?  Can someone remind me of the
        URL please?  Thx.
        \_ what do you mean? instruction on how to ssh into soda?
           \_ No I think he means the ssh applet, which, iirc, was an applet
              that implemented an ssh v1 client.  I think this page went away
	...
2012/9/20-11/7 [Computer/SW/Unix, Finance/Investment] UID:54482 Activity:nil
9/20    How do I change my shell? chsh says "Cannot change ID to root."
        \_ /usr/bin/chsh does not have the SUID permission set. Without
           being set, it does not successfully change a user's shell.
           Typical newbie sys admin (on soda)
           \_ Actually, it does: -rwsr-xr-x 1 root root 37552 Feb 15  2011 /usr/bin/chsh
	...
2012/8/7-10/17 [Computer/SW/Security] UID:54455 Activity:nil
8/6     Amazon and Apple have lame security policies:
        http://www.wired.com/gadgetlab/2012/08/apple-amazon-mat-honan-hacking/all
        "First you call Amazon and tell them you are the account holder, and
         want to add a credit card number to the account. All you need is the
         name on the account, an associated e-mail address, and the billing
         address. "
	...
Cache (8192 bytes)
www.openssh.com/faq.html#2.3
OpenSSH is a FREE version of the SSH suite of network connectivity tools that increasing numbers of people on the Internet are coming to rely on. Many users of telnet, rlogin, ftp, and other such programs might not realize that their password is transmitted across the Internet unencrypted, but it is. OpenSSH encrypts all traffic (including passwords) to effectively eliminate eavesdropping, connection hijacking, and other network-level attacks. The OpenSSH suite includes the 35 ssh program which replaces rlogin and telnet, and 36 scp which replaces 37 rcp and 38 ftp. OpenSSH has also added 39 sftp and 40 sftp-server which implement an easier solution for file-transfer. This listens for connections from client machines, and whenever it receives a connection, it performs authentication and starts serving the client. Its behaviour is controlled by the config file 43 sshd_config. OpenSSH is a suite of tools to help secure your network connections. All communications are automatically and transparently encrypted. The program automatically sets DISPLAY on the server machine, and forwards any X11 connections over the secure channel. Pure RSA authentication never trusts anything but the private key. Currently, almost all communications in computer networks are done without encryption. As a consequence, anyone who has access to any machine connected to the network can listen in on any communication. This is being done by hackers, curious administrators, employers, criminals, industrial spies, and governments. Some networks leak off enough electromagnetic radiation that data may be captured even from a distance. When you log in, your password goes in the network in plain text. Thus, any listener can then use your account to do any evil he likes. Many incidents have been encountered worldwide where crackers have started programs on workstations without the owner's knowledge just to listen to the network and collect passwords. Programs for doing this are available on the Internet, or can be built by a competent programmer in a few hours. Businesses have trade secrets, patent applications in preparation, pricing information, subcontractor information, client data, personnel data, financial information, etc. Currently, anyone with access to the network (any machine on the network) can listen to anything that goes in the network, without any regard to normal access restrictions. Many companies are not aware that information can so easily be recovered from the network. They trust that their data is safe since nobody is supposed to know that there is sensitive information in the network, or because so much other data is transferred in the network. Even though OpenSSH is developed on 54 OpenBSD a wide variety of ports to other operating systems exist. The portable version of OpenSSH is headed by 55 Damien Miller. For a quick overview of the portable version of OpenSSH see 56 OpenSSH Portable Release. Currently, the supported operating systems are: * OpenBSD * NetBSD * FreeBSD * AIX * HP-UX * IRIX * Linux * NeXT * SCO * SNI/Reliant Unix * Solaris * Digital Unix/Tru64/OSF * Mac OS X A list of vendors that include OpenSSH in their distributions is located in the 57 OpenSSH Users page. The OpenSSH developers have tried very hard to keep OpenSSH free of any patent or copyright problems. To do this, some options had to be stripped from OpenSSH. OpenSSH does not support any patented transport algorithms. In SSH1 mode, only 3DES and Blowfish are available options. In SSH2 mode, only 3DES, Blowfish, CAST128, Arcfour and AES can be selected. OpenSSH provides support for both SSH1 and SSH2 protocols. Since the RSA patent has expired, there are no restrictions on the use of RSA algorithm using software, including OpenBSD. In addition to the main 58 OpenSSH website, there are many mailing lists to try. Before trying any mailing lists, please search through all mailing list archives to see if your question has already been answered. For more information on subscribing to OpenSSH related mailing lists, +please see 60 OpenSSH Mailing lists. Information about submitting bug reports can be found at the OpenSSH 61 Reporting bugs page. The OpenSSH client uses low numbered ports for rhosts and rhosts-rsa authentication because the server needs to trust the username provided by the client. UsePrivilegedPort no Or you can specify this option on the command line, using the -o option to 62 ssh command. A privileged port is also required for rhosts-rsa authentication to older SSH releases. Additionally, for both rhosts-rsa authentication (in protocol version 1) and hostbased authentication (in protocol version 2) the ssh client needs to access the private host key in order to authenticate the client machine to the server. If you wish to use a privileged source port, you must manually set the setuid bit on ssh. Their code was not supplying the full data block output from the digest, and instead always provided 128 bits. The old versions of SSH used a patented algorithm to encrypt their /etc/ssh/ssh_host_key. This problem will manifest as 65 sshd not being able to read its host key. To solve this, use the command below to convert your ssh_host_key to use 3DES. NOTE: Use the 66 ssh-keygen program from the Commercial SSH product, *NOT* OpenSSH for the example below. Such keys were advertised as being full-length, but are actually, half the time, smaller than advertised. OpenSSH will print warning messages when it encounters such keys. To rid yourself of these message, edit you known_hosts files and replace the incorrect key length (usually "1024") with the correct key length (usually "1023"). The default configuration files disable authentication agent and X11 forwarding. Between versions changes can be made to sshd_config or ssh_config. You should always check on these changes when upgrading versions of OpenSSH. You can verify if your shell is doing this by executing: ssh yourhost /usr/bin/true If the above command produces any output, then you need to modify your shell initialization. The closest thing it has to a specification is "what rcp does". Since the same command is used on both ends of the connection, adding features or options risks breaking interoperability with other implementations. New features are more likely in sftp, since the protocol is standardized (well, a 68 draft standard), and the client and server are decoupled. If the remote server is running sshd, it may be possible to tunnel'' certain services via ssh. This may be desirable, for example, to encrypt POP or SMTP connections, even though the software does not directly support encrypted communications. Tunnelling uses port forwarding to create a connection between the client and server. The client software must be able to specify a non-standard port to connect to for this to work. The idea is that the user connects to the remote host using ssh, and specifies which port on the client's machine should be used to forward connections to the remote server. The options most relevant to tunnelling are the -L and -R options, which allow the user to forward connections, the -D option, which permits dynamic port forwarding, and the -f option, which instructs ssh to background itself. It does not matter which port is used, as long as it's greater that 1023 (remember, only root can open sockets on privileged ports) and doesn't conflict with any ports already in use. The connection is forwarded to port 6667 on the remote server, since that's the standard port for IRC services. The remote command sleep 10'' was specified to allow an amount of time (10 seconds, in the example) to start the service which is to be tunnelled. If no connections are made within the time specified, ssh will exit. If more time is required, the sleep value can be increased appropriately or, alternatively, the example above could be added as a function to the user's shell. See ksh and csh for more details about user-defined functions. However, use of this option causes ssh to wait around for ever (as opposed to exiting after a remote command has completed), and the user must take care to manually kill the process afterwards. This is usually the res...
Cache (156 bytes)
www.ssh.com
Company 10 Products 11 Services 12 Solutions 13 Support 14 Partners 15 Investors 16 SSH Communications Security is a leading provider of security solutions.
Cache (389 bytes)
ssh.com
NetSec 2004 SF, USA, June 14-16 The new version of SSH Tectia introduces seamless integration with enterprise identity management and enhanced PKI compatibility reducing the total costs of managed security middleware. FIPS 140-2 Certification The encryption module used in SSH Tectia Client/Server 40 has been awarded Level 1 FIPS 140-2 certification for Windows, UNIX and Linux platforms.