At 11:29 AM +0100 3/6/00, Edwin Kremer wrote:
>On a side note: last week, Tatu Ylonen, principal author of SSH, posted a
>message on the SSH mailing-list (in the thread about the new SSH2 license)
>saying that:
>
>   " OpenSSH is based on my version from back in 1995 or 1996.  The
>   " OpenSSH folks have fixed many of the (security) bugs in that
>   " version, but not all of them when I last checked.  Some of the
>   " problems in SSH1 are very fundamental.
>   "
>   " I do not recommend use of OpenSSH (or SSH1 generally, for that matter).
>
>There hasn't been much followup on this. Anybody here who cares to
>comment on this? What issues are relevant here and how bad is it?

What he is saying is that the ssh2 protocol is better than the ssh1
protocol, and that is true.  On the other hand, most of us here have
been sticking to ssh1 ("the product") because of licensing and pricing
issues with ssh2, and I'd say openssh either beats or will soon beat
the ssh1 product.

Not only that, but if you check the web page at OpenSSH.COM, you'll
see that they also claim to be working on ssh2 protocols for openssh.
Once that is done, openssh will also have addressed the fundamental
shortcomings of ssh1 that he is alluding to.

Also note that the security shortcomings are that ssh1 is not as
perfectly bullet-proof of a protocol as it could be.  It is certainly
much much much much better, security-wise, than running telnet.


---
Garance Alistair Drosehn           =   [EMAIL PROTECTED]
Senior Systems Programmer          or  [EMAIL PROTECTED]
Rensselaer Polytechnic Institute


To Unsubscribe: send mail to [EMAIL PROTECTED]
with "unsubscribe freebsd-current" in the body of the message
