On Tue, 28 Mar 2000, Tatu Ylonen wrote:
> Please note that there have been serious security problems in SSH1
> (and OpenSSH) kerberos support.
Tatu, you made like comments (not qualified to the kerberos
aspect and now explicitly adding the OpenSSH project) two weeks ago,
and when pressed for details, offered neither specifics, a reference
to a specific active issue in non-kerberos post 1.2.26 SSH, nor any
other description of the present claimed 'serious security problems
in SSH1' [presumably the ssh v 1.5 protocol].

At the time of the Rootshell incident [has it been almost two
years(?)], there was a lot of loose talk about claimed
vulnerabilities, none of which have been publicly documented here
or on Bugtraq, by you or others in your organization.

Is there substance behind your statement, or just the opinion
of a former maintainer? [Dug might fairly be considered one of the
OpenBSD 'maintainers' for the OpenSSH implementation, which has
issued and which implementation claims to have been audited.]

Obviously a product implementing the earlier protocol is again
in active development and maintenance, and with the upcoming US RSA
patent expirations ... less than half a year, failure to provide
specifics could be construed as just an expression of disgruntlement
on your part. And perhaps an attempt to move a userbase into a
protocol with a longer remaining patent life. There is nothing
wrong with salesmanship --- but spreading 'fear, uncertainty, and
doubt (FUD)' in furtherance of that end would be an unworthy coda to
the fine effort in the ssh.fi group.

Having reviewed the 1.5, and 2. version protocol documents in
some detail, I understand your belief that the later version may
well be stronger. But its difficult license, and the rise of the
'GNU/GPL/Open Source' culture are clearly at odds with each other.

Have you any specifics or formal analysis which go beyond that
unadorned assertion of vulnerability?
--
end
==================================
.-- -... ---.. ... -.- -.--
Copyright (C) 2000 R P Herrold
NIC: RPH5 (US)
My words are not deathless prose,
but they are mine.
Owl River Company 614 - 221 - 0695
"The World is Open to Linux (tm)"
... Open Source LINUX solutions ...
Columbus, OH