Re: openssh question

2000-03-06 Thread Garance A Drosihn

At 10:37 PM +0100 3/6/00, Christian Weisgerber wrote:
> William Woods [EMAIL PROTECTED] wrote:
> > How do we update it, i.e., when an updated version comes out.
>
> OpenSSH doesn't really have releases. The upstream version is
> straight out of the OpenBSD repository. I assume several of our
> developers monitor the OpenBSD commits and will carry over any
> changes.

Out of the OpenBSD repository, or out of the OpenSSH project?
Note that www.openssh.COM currently says:

  *NEW* OpenSSH 1.2.3 released March 6, 2000

which sounds a lot like a new release to me...

> > I would rather not make world just to update that.
>
> How do you handle updates to any other part of the system? Why do
> you consider openssh a special case?

I think openssh is a bit different than most things in the current
base system, in that it is still in rapid development, and some of
those developments WILL be of immediate interest to sites using
openSSH (in particular, some of the improvements to compatibility
with other implementations of ssh1).

> You can usually update individual parts of FreeBSD without doing
> a "make world". cd /usr/src/... && make -jX install && make clean.

While I do think OpenSSH is something of a special case, this answer
should be fine for my own purposes.  I was also wondering how easy
it would be to update just openssh without updating all of the world.
Thanks.


---
Garance Alistair Drosehn   =   [EMAIL PROTECTED]
Senior Systems Programmer  or  [EMAIL PROTECTED]
Rensselaer Polytechnic Institute


To Unsubscribe: send mail to [EMAIL PROTECTED]
with "unsubscribe freebsd-current" in the body of the message



Re: openssh question

2000-03-06 Thread Kris Kennaway

On Mon, 6 Mar 2000, Garance A Drosihn wrote:

> Out of the OpenBSD repository, or out of the OpenSSH project?

Both are the same thing.

> Note that www.openssh.COM currently says:
>
>   *NEW* OpenSSH 1.2.3 released March 6, 2000
>
> which sounds a lot like a new release to me...

They (arbitrarily) bumped the version this morning. The version numbers
don't really correspond to anything other than periodic checkpoints along
the CVS branch.

Kris


In God we Trust -- all others must submit an X.509 certificate.
-- Charles Forsythe [EMAIL PROTECTED]






Re: openssh question

2000-03-06 Thread Bill Fenner


> Second, how does one specify options on the command line?  In ssh
> 1.2.x, I say ssh -o ForwardX11=yes, but that doesn't work in OpenSSH.
> Bug or feature?

Browsing the source, it looks like "ssh -o 'ForwardX11 yes'" should
work.  Both ssh and openssh define -o as:

   -o 'option'
  Can be used to give options in the format  used  in
  the  config  file.   This  is useful for specifying
  options for which there is no separate command-line
  flag.   The option has the same format as a line in
  the configuration file.

However, ssh allows lines in the configuration file to be of the form
"keyword = arguments" but openssh only allows "keyword arguments".
So you're really running into a difference in configuration file
parsing.  Ugh =)

  Bill
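
The parsing difference described in the message above, as an added illustration (not code from ssh or OpenSSH, and not part of the original thread). `split_option` is a hypothetical helper whose `allow_equals` flag switches between whitespace-only splitting and also accepting `=` as a separator; the sample lines are constructed.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper, not OpenSSH source: split one option line into
 * keyword and argument. With allow_equals set, "keyword = argument" and
 * "keyword=argument" are accepted as well as "keyword argument".
 * Returns 0 on success, -1 if the keyword or the argument is missing. */
int split_option(const char *line, int allow_equals,
                 char *kw, size_t kwlen, char *arg, size_t arglen)
{
    const char *p = line, *start;
    size_t n;

    while (isspace((unsigned char)*p)) p++;            /* leading blanks */
    start = p;
    while (*p && !isspace((unsigned char)*p) && !(allow_equals && *p == '='))
        p++;                                           /* end of keyword */
    n = (size_t)(p - start);
    if (n == 0 || n >= kwlen) return -1;
    memcpy(kw, start, n); kw[n] = '\0';

    while (isspace((unsigned char)*p)) p++;
    if (allow_equals && *p == '=') {                   /* optional '=' */
        p++;
        while (isspace((unsigned char)*p)) p++;
    }
    n = strlen(p);
    while (n > 0 && isspace((unsigned char)p[n - 1])) n--;  /* trim tail */
    if (n == 0 || n >= arglen) return -1;
    memcpy(arg, p, n); arg[n] = '\0';
    return 0;
}

int main(void)
{
    /* Constructed sample lines, in the forms discussed in the thread. */
    const char *samples[] = { "ForwardX11 yes", "ForwardX11=yes", "ForwardX11 = yes" };
    char kw[64], arg[64];
    for (size_t i = 0; i < 3; i++)
        for (int eq = 0; eq <= 1; eq++) {
            if (split_option(samples[i], eq, kw, sizeof kw, arg, sizeof arg) == 0)
                printf("%-17s eq=%d -> keyword '%s', argument '%s'\n", samples[i], eq, kw, arg);
            else
                printf("%-17s eq=%d -> rejected\n", samples[i], eq);
        }
    return 0;
}
```

With whitespace-only splitting, `ForwardX11=yes` is read as a single keyword with no argument, and `ForwardX11 = yes` yields the argument `= yes`, which a yes/no option would then refuse.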





Re: openssh question

2000-03-06 Thread Warner Losh

Thanks Bill.  I forgot that old versions of ssh were this picky...
OpenSSH inherited this from the 1.2.12 version it started from.

Warner





Re: openssh question

2000-03-06 Thread Edwin Kremer

On Mon, Mar 06, 2000 at 02:20:35AM -0700, Warner Losh wrote:

  : OpenSSH inherited this from the 1.2.12 version it started from.

On a side note: last week, Tatu Ylonen, principal author of SSH, posted a
message on the SSH mailing-list (in the thread about the new SSH2 license)
saying that:

   " OpenSSH is based on my version from back in 1995 or 1996.  The OpenSSH
   " folks have fixed many of the (security) bugs in that version, but not
   " all of them when I last checked.  Some of the problems in SSH1 are
   " very fundamental.
   " 
   " I do not recommend use of OpenSSH (or SSH1 generally, for that matter).


There hasn't been much followup on this. Anybody here who cares to
comment on this? What issues are relevant here and how bad is it?


Best regards,

-- 
Edwin H. Kremer, senior systems- and network administrator.   [EMAIL PROTECTED]
Dept. of Computer Science,  Utrecht University, The Netherlands  [WHOIS: ehk3]
 http://www.cs.uu.nl/people/edwin/ ---





Re: openssh question

2000-03-06 Thread Jim Bloom

Warner Losh wrote:
 
> First, how does one enable TIS/SKEY authorization for ssh?  It appears
> that the first step would be to add -DSKEY to the Makefile conditional
> on something.  Are there other steps?
 
Yes, there are other steps.  openssh depends upon functions in the
openbsd libskey that we do not have.  These functions appear to have
been added somewhere between our initial version of skey and openbsd's
as they exist in openbsd's initial version, but not ours.  The skey
support in the openssh port has the exact same problems.

That being said, if there is some demand for this, I could merge
openbsd's libskey into ours and get the skey authentication working.

Jim Bloom
[EMAIL PROTECTED]





Re: openssh question

2000-03-06 Thread Bill Fumerola

On Mon, Mar 06, 2000 at 11:29:39AM +0100, Edwin Kremer wrote:

> " I do not recommend use of OpenSSH (or SSH1 generally, for that matter).
>
> There hasn't been much followup on this. Anybody here who cares to
> comment on this? What issues are relevant here and how bad is it?

I'm sure he'd much prefer you use the version that puts money in his pocket.

-- 
Bill Fumerola - Network Architect
Computer Horizons Corp - CVM
e-mail: [EMAIL PROTECTED] / [EMAIL PROTECTED]
Office: 800-252-2421 x128 / Cell: 248-761-7272








Re: openssh question

2000-03-06 Thread Peter Wemm

Bill Fumerola wrote:
> On Mon, Mar 06, 2000 at 11:29:39AM +0100, Edwin Kremer wrote:
>
> > " I do not recommend use of OpenSSH (or SSH1 generally, for that matter).
> >
> > There hasn't been much followup on this. Anybody here who cares to
> > comment on this? What issues are relevant here and how bad is it?
>
> I'm sure he'd much prefer you use the version that puts money in his pocket.

To be fair, there *are* weaknesses in the ssh1 protocols.  However, as you
point out, it doesn't change the fact that Tatu Ylonen has a conflict of
interest here.

Cheers,
-Peter






Re: openssh question

2000-03-06 Thread Garance A Drosihn

At 11:29 AM +0100 3/6/00, Edwin Kremer wrote:
> On a side note: last week, Tatu Ylonen, principal author of SSH, posted a
> message on the SSH mailing-list (in the thread about the new SSH2 license)
> saying that:
>
>    " OpenSSH is based on my version from back in 1995 or 1996.  The
>    " OpenSSH folks have fixed many of the (security) bugs in that
>    " version, but not all of them when I last checked.  Some of the
>    " problems in SSH1 are very fundamental.
>    "
>    " I do not recommend use of OpenSSH (or SSH1 generally, for that matter).
>
> There hasn't been much followup on this. Anybody here who cares to
> comment on this? What issues are relevant here and how bad is it?

What he is saying is that the ssh2 protocol is better than the ssh1
protocol, and that is true.  On the other hand, most of us here have
been sticking to ssh1 ("the product") because of licensing and pricing
issues with ssh2, and I'd say openssh either beats or will soon beat
the ssh1 product.

Not only that, but if you check the web page at OpenSSH.COM, you'll
see that they also claim to be working on ssh2 protocols for openssh.
Once that is done, openssh will also have addressed the fundamental
shortcomings of ssh1 that he is alluding to.

Also note that the security shortcomings are that ssh1 is not as
perfectly bullet-proof of a protocol as it could be.  It is certainly
much much much much better, security-wise, than running telnet.


---
Garance Alistair Drosehn   =   [EMAIL PROTECTED]
Senior Systems Programmer  or  [EMAIL PROTECTED]
Rensselaer Polytechnic Institute





Re: openssh question

2000-03-06 Thread William Woods

Now that openssh is in the base system, I assume it will no longer be in the
ports. How do we update it, i.e., when an updated version comes out. I would
rather not make world just to update that.


--
E-Mail: [EMAIL PROTECTED]
Date: 06-Mar-00
Time: 11:22:26l
--

NOTICE TO BULK E-MAILERS: Pursuant to US Code, Title 47, Chapter 5,
Subchapter II, 227, and all unsolicited commercial e-mail sent to this  
address is subject to a download and archival fee in the amount of $500 US






Re: openssh question

2000-03-06 Thread Kris Kennaway

On 6 Mar 2000, Christian Weisgerber wrote:

> > Now that openssh is in the base system, I assume it will no longer
> > be in the ports.
>
> I expect the port to be maintained for the remaining lifetime of
> the 3.x branch. This is of no concern to 4.x users, of course.

Correct. We should probably mark the port BROKEN for 4.x and ask people to
install the system version, which will likely be better supported. e.g. we
don't support Perl5 in ports any more, either.

> > How do we update it, i.e., when an updated version comes out.
>
> OpenSSH doesn't really have releases. The upstream version is
> straight out of the OpenBSD repository. I assume several of our
> developers monitor the OpenBSD commits and will carry over any
> changes.

Right. Whenever something significant changes in the "upstream" version
we'll update ours too. If you keep an eye on the commit messages you'll
know when you might want to rebuild it, if you want to aggressively track
OpenSSH but not track make world.

> > I would rather not make world just to update that.
>
> How do you handle updates to any other part of the system? Why do
> you consider openssh a special case?
>
> You can usually update individual parts of FreeBSD without doing
> a "make world". cd /usr/src/... && make -jX install && make clean.

Yep. In the case of SSH you might also need to rebuild secure/lib/libssh
as well as secure/usr.bin/foo. Write a little script to do it if you
like :-)

Kris


In God we Trust -- all others must submit an X.509 certificate.
-- Charles Forsythe [EMAIL PROTECTED]






Re: openssh question

2000-03-06 Thread Will Andrews

On Mon, Mar 06, 2000 at 11:23:45AM -0800, William Woods wrote:
> Now that openssh is in the base system, I assume it will no longer be in the
> ports. How do we update it, i.e., when an updated version comes out. I would
> rather not make world just to update that.

# cvsup standard-supfile (until 4.0 becomes -stable)
# cd /usr/src/secure/usr.bin/ssh && make clean depend all install

Someone correct me if I'm wrong. :-)

-- 
Will Andrews [EMAIL PROTECTED]
GCS/E/S @d- s+:++:- a---+++ C++ UB P+ L- E--- W+++ !N !o ?K w---
?O M+ V-- PS+ PE++ Y+ PGP t++ 5 X++ R+ tv+ b++ DI+++ D+ 
G+ e- h! r--+++ y?





openssh question

2000-03-05 Thread Warner Losh


Actually two.

First, how does one enable TIS/SKEY authorization for ssh?  It appears
that the first step would be to add -DSKEY to the Makefile conditional
on something.  Are there other steps?

Second, how does one specify options on the command line?  In ssh
1.2.x, I say ssh -o ForwardX11=yes, but that doesn't work in OpenSSH.
Bug or feature?

Warner

