From owner-freebsd-security Mon Jan 3 6:13:26 2000
Delivered-To: freebsd-security@freebsd.org
Received: from hilda.bohemians.lexington.ky.us (hilda.bohemians.lexington.ky.us [207.246.92.4]) by hub.freebsd.org (Postfix) with ESMTP id 7D86214A08; Mon, 3 Jan 2000 06:12:36 -0800 (PST) (envelope-from drankin@bohemians.lexington.ky.us)
Received: from rumpole.bohemians.lexington.ky.us (rumpole.bohemians.lexington.ky.us [207.246.92.3]) by hilda.bohemians.lexington.ky.us (8.9.3/8.9.3) with ESMTP id GAA26907; Mon, 3 Jan 2000 06:11:56 -0800 (PST)
Received: (from drankin@localhost) by rumpole.bohemians.lexington.ky.us (8.9.3/8.9.3) id JAA03820; Mon, 3 Jan 2000 09:07:09 -0500 (EST)
Date: Mon, 3 Jan 2000 09:07:08 -0500
From: David Rankin
To: Damien Miller
Cc: Robert Watson, David Rankin, Brian Fundakowski Feldman, "Michael H. Warfield", Dug Song, security@FreeBSD.org, openssh-unix-dev@mindrot.org
Subject: Re: OpenSSH protocol 1.6 proposal
Message-ID: <20000103090708.A3780@rumpole.bohemians.lexington.ky.us>
References:
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 0.95.6us
In-Reply-To: ; from Damien Miller on Mon, Jan 03, 2000 at 07:30:58PM +1100
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Mon, Jan 03, 2000 at 07:30:58PM +1100, Damien Miller wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> While I agree that a free version of SSH 2.x is a worthwhile goal,
> it will take _months_ of effort (of course I would be happy to be
> proved wrong on this).

It's probably a 2-4 month job to take OpenSSH 1.2.1 and implement SSH 2.0
start to finish, but it could be significantly less. The main difference
between 1.5 and 2.0 is the change in the transport protocol (and those
aren't that major). All of the encryption changes (DSS/DSA, blowfish, etc.)
are already in OpenSSL, with the exception of twofish.

> We already have a strong SSH 1.x implementation, why not clean up its
> few remaining nits (which may take only weeks)?

Please don't get me wrong. I believe that OpenSSH 1.2.1 needs to be working
now. I just happen to think that extending the SSH 1.5 protocol should yield
to implementing the 2.0 protocol, especially where the 1.6 features are a
subset of the 2.0 protocol. Of course IMHO.

> Apart from standards-compliance, what does SSH2 buy you over a cleaned
> up SSH1?

I know it's been mentioned already, but the #1 is you can do PAM
challenge/response authentication correctly. You can also handle "You must
change your password" correctly.

David
--
David W. Rankin, Jr. Husband, Father, and UNIX Sysadmin.
Email: drankin@bohemians.lexington.ky.us
Address/Phone Number: Ask me.
"It is no great thing to be humble when you are brought low; but to be
humble when you are praised is a great and rare accomplishment." St. Bernard

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
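The point about PAM challenge/response and forced password changes can be made concrete with a small simulation. The following Python is an added example written for this page, not code from David Rankin's mail or from OpenSSH: it models a PAM-style conversation whose number of prompts is only known as it runs, then drives it once through an SSH 1.5-style single password message and once through an SSH 2.0-style multi-round exchange (the keyboard-interactive method later specified in RFC 4256). The user records, prompt strings, the `PamStack` class and the two `*_auth` functions are all constructed for the illustration and follow neither protocol's wire format.

```python
"""Toy model of why PAM challenge/response fits SSH 2.0 but not SSH 1.5.

Added illustration only: nothing here is OpenSSH code or either protocol's
wire format. Users, passwords, tokens and prompt strings are constructed.
"""
from dataclasses import dataclass

ECHO_OFF, ECHO_ON = "echo_off", "echo_on"   # PAM_PROMPT_ECHO_OFF / _ON analogues


@dataclass
class Prompt:
    style: str   # whether the client should echo the reply
    text: str


# Constructed user records (plaintext secrets; a real PAM module would hash).
USERS = {
    "alice": {"password": "hunter2", "expired": False, "token": None},
    "bob":   {"password": "s3cret",  "expired": True,  "token": None},
    "carol": {"password": "pass",    "expired": False, "token": "123456"},
}


class PamStack:
    """Server-side conversation modelled on a PAM auth+account stack.

    The number of rounds is not known up front: it depends on the user
    (OTP enrolled? password expired?) and on earlier answers.
    """

    def __init__(self, user):
        missing = {"password": None, "expired": False, "token": None}
        self.rec = dict(USERS.get(user, missing))   # copy: toy does not persist
        self.stage = "password"     # password -> token -> change -> finished
        self.result = None          # None while running, then True / False

    def round(self):
        """Return (instruction, prompts) the client must answer next."""
        if self.stage == "password":
            return "", [Prompt(ECHO_OFF, "Password: ")]
        if self.stage == "token":
            return "", [Prompt(ECHO_ON, "OTP token: ")]
        if self.stage == "change":
            return ("You must change your password now.",
                    [Prompt(ECHO_OFF, "New password: "),
                     Prompt(ECHO_OFF, "Retype new password: ")])
        return "", []

    def answer(self, responses):
        """Consume the client's replies to the current round and advance."""
        if self.result is not None:
            raise RuntimeError("conversation already finished")
        if len(responses) != len(self.round()[1]):
            self.result = False                 # reply does not match prompts
            return
        if self.stage == "password":
            if responses[0] != self.rec["password"]:
                self.result = False
            elif self.rec["token"] is not None:
                self.stage = "token"
            elif self.rec["expired"]:
                self.stage = "change"
            else:
                self.result = True
        elif self.stage == "token":
            if responses[0] != self.rec["token"]:
                self.result = False
            elif self.rec["expired"]:
                self.stage = "change"
            else:
                self.result = True
        elif self.stage == "change":
            new, again = responses
            if new != again or len(new) < 8 or new == self.rec["password"]:
                self.result = False
            else:
                self.rec.update(password=new, expired=False)
                self.result = True


def ssh1_password_auth(user, password):
    """SSH 1.5 style: one SSH_CMSG_AUTH_PASSWORD carrying a single password,
    answered only by success or failure; no message can carry a further
    PAM prompt back to the client."""
    stack = PamStack(user)
    stack.answer([password])
    if stack.result is None:
        # PAM wants another round but the protocol cannot relay the prompt.
        return False, "pam needs further prompts; ssh1 cannot relay them"
    return stack.result, "ok" if stack.result else "denied"


def ssh2_interactive_auth(user, client_answer):
    """SSH 2.0 keyboard-interactive style (RFC 4256): the server sends any
    number of INFO_REQUEST rounds (instruction + prompts) and the client
    answers each with an INFO_RESPONSE."""
    stack = PamStack(user)
    transcript = []                 # (instruction, prompt texts) per round
    while stack.result is None:
        instruction, prompts = stack.round()
        responses = client_answer(instruction, prompts)
        transcript.append((instruction, [p.text for p in prompts]))
        stack.answer(responses)
    return stack.result, transcript


def scripted_client(replies):
    """Client callback answering each prompt from a {prompt text: reply} map."""
    def answer(instruction, prompts):
        return [replies.get(p.text, "") for p in prompts]
    return answer


if __name__ == "__main__":
    print(ssh1_password_auth("bob", "s3cret"))
    print(ssh2_interactive_auth("bob", scripted_client({
        "Password: ": "s3cret",
        "New password: ": "correct horse battery",
        "Retype new password: ": "correct horse battery"})))
```

For `alice` both paths succeed, but `bob` (expired password) and `carol` (OTP enrolled) only authenticate over the multi-round exchange: the SSH 1.5 path has nowhere to put the second prompt and must give up. The simplification here is deliberate; SSH 1.5 also offered a TIS-style authentication with a single server challenge, which is still one round and so does not change the picture for a conversation of unknown length.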