Cryptography Reference
In-Depth Information
Web site about the fact the attack isn't even realistic in the opinion of people
who spread the warning themselves.
This suggests that the propagated migration to the SSH2 protocol must have had
a different reason. Bleichenbacher's work is quoted, but the countermeasures
he suggested were left out. Perhaps sound financial interests played the most
important role. That wouldn't be all that bad if SSH2 supported the old protocol,
of course, with the countermeasures suggested by Bleichenbacher in place.
Unfortunately, this was not so.
The public domain responded by developing free products compatible with
SSH2. A shell by the name of
LSH
wasn't very successful. Meanwhile, the
OpenSSH
program (
www.openssh.com
) is widely used. It was born on the free
UNIX variant FreeBSD and is further developed there. The current versions of
OpenSSH support both SSH protocols. It can be ported to most UNIX systems.
Among other things, SSH2 offers a password-free authentication over RSA,
and DSA keys that are kept on the local computers. This is clearly more secure
than password-logins, the more so since the keys can also be kept on external
data media, such as USB sticks. All the details would go beyond the scope and
volume of this topic, and wouldn't introduce any cryptological novelty anyway.
I'm not really happy with the new SSH in spite of it all. The versions change
faster than the weather in Iceland, the configuration is extremely complicated
and holds a large number of pitfalls. Nothing remained of the fast and com-
fortable way SSH1 secured your data traffic. Fortunately, OpenSSH is at least
an integral part of all Linux distributions, and it is used instead of
rlogin
, etc.,
by default. Yes, no kidding: you even have to separately install and activate
rlogin
and
telnet
to be able to use them. The password-login works right off the
bat. You don't have to learn anything. That's how security should be: always
activated in the regular case, whereas everything else requires your intervention.
Still, I can't help criticizing it a bit: if you try to log in without a password and
happen to make only a tiny wee mistake, you are in for it: you'll be looking
for the cause infinitely. Since I don't usually configure such a login, it happens
to me over and again. Together with the change from Version 3.6 to Version
3.7, the so-called 'X-forwarding' was disabled in the configuration file without
any comment. What this means is that, if you want to open an X-terminal on a
target computer, you now have to enter 'ssh -X', while the documentation still
tells you how it was done previously. These are little things that aggravate.
However, compared with GnuPG, OpenSSH is definitely friendlier. And don't
forget: the Windows world still uses the totally insecure
telnet
standard.
