ssh - How widely used?

Does anyone know if there are MS-Dos or Mac versions of the ssh client? How much is ssh used?

I've not seen much discussion of it but poking around an ISP yielded this:

    Ssh (Secure Shell) a program for logging into a remote
    machine and for executing commands in a remote machine.
    It is intended to replace rlogin and rsh, and provide
    secure encrypted communications between two untrusted
    hosts over an insecure network. X11 connections and
    arbitrary TCP/IP ports can also be forwarded over the
    secure channel.

and

    Usage: ssh [options] host [command]
    Options:
      -l user     Log in using this user name.
      -n          Redirect input from /dev/null.
      -a          Disable authentication agent forwarding.
      -x          Disable X11 connection forwarding.
      -i file     Identity for RSA authentication (default: ~/.ssh/identity).
      -t          Tty; allocate a tty even if command is given.
      -v          Verbose; display verbose debugging messages.
      -q          Quiet; don't display any warning messages.
      -f          Fork into background after authentication.
      -e char     Set escape character; ``none'' = disable (default: ~).
      -c cipher   Select encryption algorithm: ``idea'' (default, secure),
                  ``des'', ``3des'', ``tss'', ``arcfour'' (fast, suitable for bulk transfers),
                  ``none'' (no encryption - for debugging only).
      -p port     Connect to this port. Server must be on the same port.
      -L listen-port:host:port   Forward local port to remote address
      -R listen-port:host:port   Forward remote port to local address
                  These cause ssh to listen for connections on a port, and
                  forward them to the other side by connecting to host:port.
      -C          Enable compression.
      -o 'option' Process the option as if it was read from a configuration file.

Looks like a nice little implementation.
Comments anyone?

--
I hate lightning - finger for public key - Vote Monarchist
unicorn@schloss.li

> Looks like a nice little implementation.
> Comments anyone?

Yup. Really nifty package that has been out (for unix) for about a year. Unfortunately, the author is turning it into a commercial product, so it may not be freely available in the future. There is now a Windows port, but it is entirely a commercial product. Source is not available. Though ssh is on the whole a nifty product, the unix version contained a number of nasty implementation bugs that opened large security holes. These were found because source code was made available. I wouldn't trust the Windows version. It seems inevitable that there will be some bugs in it, but unlike the Unix version, "good guys" are a lot less likely to find and report them.

There's a windows version, mac is under vague development. SSH is pretty cool, but the code base is somewhat messy, and it shows signs of its origins in things like system calls not having their return values checked.

Despite all this, I use it, like it, and recommend it for use in systems not likely to come under attack by professionals.

Adam

Black Unicorn wrote:
| Does anyone know if there are MS-Dos or Mac versions of the ssh client?
| How much is ssh used?
|
| I've not seen much discussion of it but poking around an ISP yielded this:
|
| Ssh (Secure Shell) a program for logging into a remote
| machine and for executing commands in a remote machine.
| It is intended to replace rlogin and rsh, and provide
| secure encrypted communications between two untrusted
| hosts over an insecure network. X11 connections and
| arbitrary TCP/IP ports can also be forwarded over the secure
| channel.

--
"It is seldom that liberty of any kind is lost all at once." -Hume

On Thu, 26 Sep 1996, Adam Shostack wrote:
> There's a windows version, mac is under vague development. SSH is pretty cool, but the code base is somewhat messy, and it shows signs of its origins in things like system calls not having their return values checked.

Shame it costs $$$, though I appreciate that Tatu needs to eat... ;-)

Perhaps Cedomir Igaly could be persuaded to release the source code to the Windows port he did? Anyone else interested in getting a little group together to hack on this? (under GPL or BSD style copyright)

Martin

Adam Shostack writes:
> There's a windows version, mac is under vague development. SSH is pretty cool, but the code base is somewhat messy, and it shows signs of its origins in things like system calls not having their return values checked.
> Despite all this, I use it, like it, and recommend it for use in systems not likely to come under attack by professionals.

I actually think it's probably okay even for systems that might come under professional attack -- I don't recommend it for use on systems that are mission critical, though, like systems running transactions and such. Indeed, I don't recommend running ANYTHING on such systems unless you are really, really, really careful about what you are running and where you are running it from.

.pm

Rats, just a clarification:

"I" == Roger Williams <roger@coelacanth.com> blurted out:
> There is certainly a Mac version...

Umm, Machten, that is. I don't think that the straight Mac version has been released for beta yet.

> The SSH home page is <http://dtk60.pspt.fi/gruppa6/ssh.htm>.

Or at http://www.cs.hut.fi/ssh/, if you want it in *English*...

--
Roger Williams             finger me for my PGP public key
Coelacanth Engineering     consulting & turnkey product development
Middleborough, MA          wireless * DSP-based instrumentation * ATE
tel +1 508 947-8049 * fax +1 508 947-9118 * http://www.coelacanth.com/

Black Unicorn <unicorn@schloss.li> writes:
> Does anyone know if there are MS-Dos or Mac versions of the ssh client? How much is ssh used?

There is certainly a Mac version, as well as ones for OS/2 and probably every Unix platform. There's also a Windows client. (We use SSH on OS/2 and Linux, but haven't yet had to try the Windows client.)

The SSH home page is <http://dtk60.pspt.fi/gruppa6/ssh.htm>.

--
Roger Williams             finger me for my PGP public key
Coelacanth Engineering     consulting & turnkey product development
Middleborough, MA          wireless * DSP-based instrumentation * ATE
tel +1 508 947-8049 * fax +1 508 947-9118 * http://www.coelacanth.com/

On Thu, 26 Sep 1996, Black Unicorn wrote:
> Does anyone know if there are MS-Dos or Mac versions of the ssh client? How much is ssh used?

Uni,

SSH is used, as most security software is, by security aware individuals. I would love to say that means "widely", but unfortunately that isn't the case. For what it's worth, SSH has my personal seal of approval. Use it.

The UNIX version is freeware. The Windows version is commercially available at http://www.datafellows.com/

--Lucky

On Thu, 26 Sep 1996, Black Unicorn wrote:
> Does anyone know if there are MS-Dos or Mac versions of the ssh client?

There isn't a Mac version yet, but there is a beta version for Windows. Information is available at http://www.ssh.fi.

> How much is ssh used?

It seems to be pretty widespread. A lot of security conscious ISPs run sshd and I think there will be an RFC on ssh eventually.

> Looks like a nice little implementation.
> Comments anyone?

It's really a very good program. The code is huge, so it is somewhat difficult to really be certain that there aren't any holes somewhere in the program. There also isn't much key management which makes MITM attacks easier. But that would make it even more complex.

Mark
--
PGP encrypted mail preferred.
Key fingerprint = d61734f2800486ae6f79bfeb70f95348
http://www.voicenet.com/~markm/

Black Unicorn wrote:
> Does anyone know if there are MS-Dos or Mac versions of the ssh client? How much is ssh used?

Secure shell is an amazing package. Get it immediately. There are no DOS or Mac versions, but there is one for windows. We use it here almost exclusively.

--
Chad Dougherty
Lycos, Inc. "The Catalog of the Internet" http://www.lycos.com
Phone: (412)261-6660x226
Email: chad@lycos.com

Adam Shostack writes:
> There's a windows version, mac is under vague development. SSH is pretty cool, but the code base is somewhat messy, and it shows signs of its origins in things like system calls not having their return values checked.
> Despite all this, I use it, like it, and recommend it for use in systems not likely to come under attack by professionals.
> Adam

Why do you say "not likely to come under attack by professionals"? Have you found security holes in it?

-Chad

I have not found security holes in ssh-1.2.14, which is the version I've looked at most in depth. However, I have found things that are disquieting, and as such assume that clever professionals with time available might be able to exploit something. 'Standard' hackers with toolkits are likely to move to the next site.

Adam

Chad Dougherty wrote:
| Adam Shostack writes:
| > There's a windows version, mac is under vague development. SSH
| > is pretty cool, but the code base is somewhat messy, and it shows
| > signs of its origins in things like system calls not having their
| > return values checked.
| >
| > Despite all this, I use it, like it, and recommend it for use
| > in systems not likely to come under attack by professionals.
| >
| > Adam
| >
|
| Why do you say "not likely to come under attack by professionals"?
| Have you found security holes in it?
|
| -Chad

--
"It is seldom that liberty of any kind is lost all at once." -Hume

Chad Dougherty writes:
> > Despite all this, I use it, like it, and recommend it for use in systems not likely to come under attack by professionals.
> Why do you say "not likely to come under attack by professionals"? Have you found security holes in it?

Security professionals do not recommend use of systems they feel less than perfectly comfortable with whether or not they know of specific holes.

Perry

PS sorry for posting something about a cryptographic security system in the midst of all the normal talk -- I know it's off topic.

Actually, I recommend systems based on threat and comfort. If the system is protected (ie, behind a firewall, on a compartmentalized network), I use ssh, no problem. I use ssh even where I'm not comfortable with it because I'm more comfortable with it than with the alternatives, but there are times when the "No remote access" option is more comfortable than ssh.

Adam

Perry E. Metzger wrote:
| Chad Dougherty writes:
| > > Despite all this, I use it, like it, and recommend it for use
| > > in systems not likely to come under attack by professionals.
| >
| > Why do you say "not likely to come under attack by professionals"?
| > Have you found security holes in it?
|
| Security professionals do not recommend use of systems they feel less
| than perfectly comfortable with whether or not they know of specific
| holes.

--
"It is seldom that liberty of any kind is lost all at once." -Hume

> Does anyone know if there are MS-Dos or Mac versions of the ssh client? How much is ssh used?

Ssh is good stuff -- we use it here. Things I like:

- It's an easy, drop-in replacement for the r* commands. It's easy to get people to use it.
- It creates that much more encrypted traffic on the net. That can only be a good thing, eh?
- There are a few different authentication modes, which makes life easy. Host keys can be used for fixed machines; per-user keys can sit on the laptop and work no matter whose network you've plugged into today.

When my local ISP found a password sniffer running on his machine and went into red alert, I just smiled and didn't bother to change my passwords on hosts I had logged into via the ISP's net. Good stuff.

jon

Jonathan Corbet
National Center for Atmospheric Research, Atmospheric Technology Division
corbet@stout.atd.ucar.edu http://www.atd.ucar.edu/rdp/jmc.html

Jonathan Corbet writes:
[stuff about SSH deleted]
> When my local ISP found a password sniffer running on his machine and went into red alert, I just smiled and didn't bother to change my passwords on hosts I had logged into via the ISP's net.

You probably should. There's more places to 'sniff' information than just from the network. An example is the Streams-based tty snooper. It pushes a Streams module between the tty and the shell. No encryption program can protect that, as it has to be in the clear unless you can do RC4 in your head. :-)

The program I'm thinking of (sorry I forgot the name) lets the operator both read and write to any tty session on the machine.

--
Eric Murray ericm@lne.com ericm@motorcycle.com http://www.lne.com/ericm
If you don't see the fnords, they won't eat your packets. If you do see the fnords, they will eat your packets, so you won't see them.
PGP keyid:E03F65E5 fingerprint:50 B0 A2 4C 7D 86 FC 03 92 E8 AC E6 7E 27 29 AF

participants (11)
- Adam Shostack
- Black Unicorn
- Chad Dougherty
- Eric Murray
- Jonathan Corbet
- Lucky Green
- Mark M.
- martin hamilton
- nobody@cypherpunks.ca
- Perry E. Metzger
- Roger Williams