Posted to modperl-cvs@perl.apache.org by Stas Bekman <sb...@iil.intel.com> on 2000/01/11 09:53:54 UTC

ssh2

Hi, Brian

I just wanted to remind you that there was a security hole found in ssh1, and
most of the sites I work with have already moved to ssh2 protocol. Do you
think apache.org should do the same?

_______________________________________________________________________
Stas Bekman    mailto:sbekman@iname.com      http://www.stason.org/stas
Perl,CGI,Apache,Linux,Web,Java,PC     http://www.stason.org/stas/TULARC
perl.apache.org    modperl.sourcegarden.org   perlmonth.com    perl.org
single o-> + single o-+ = singlesheaven    http://www.singlesheaven.com


Re: ssh2

Posted by Vivek Khera <kh...@kciLink.com>.
>>>>> "SB" == Stas Bekman <sb...@iil.intel.com> writes:


SB> I just wanted to remind you that there was a security hole found in ssh1, and
SB> most of the sites I work with have already moved to ssh2 protocol. Do you
SB> think apache.org should do the same?

Is it a hole in the protocol or the implementation?

I think many people have problems with ssh2 because of patent and
licensing issues; I for one cannot use ssh2 because of the restrictive
license and I'm not willing to pay the extra fees when OpenSSH is
available and works extremely well.  Perhaps OpenSSH is a better
alternative?

Re: ssh2

Posted by Brian Behlendorf <br...@apache.org>.
On Tue, 11 Jan 2000, Stas Bekman wrote:
> So it's secured now, right?

Yes.

	Brian



Re: ssh2

Posted by Stas Bekman <sb...@iil.intel.com>.
> On Tue, 11 Jan 2000, Stas Bekman wrote:
> > I just wanted to remind you that there was a security hole found in ssh1, and
> > most of the sites I work with have already moved to ssh2 protocol. Do you
> > think apache.org should do the same?
> 
> Actually the security hole was in the RSAref libraries, and I've updated
> and securified everything appropriately within hours of seeing the
> bugtraq post.

So it's secured now, right?

> I refuse to update to SSH2 because the new protocol is an attempt by
> F-Secure to grab hold of the momentum behind the open-source SSH for
> itself.  SSH2 provides no material advantages, and its server is non-free
> (not just non-open-source, non-free in other ways).  The effort to support
> is OpenSSH - www.openssh.org.  I installed their daemon but it had
> interoperability problems with SecureCRT so I bailed on it, but I plan to
> return to it once it's got more stability.

Yes, I've heard that OpenSSH is not yet cleaned out.



Re: ssh2

Posted by Brian Behlendorf <br...@collab.net>.
On Tue, 11 Jan 2000, Stas Bekman wrote:
> I just wanted to remind you that there was a security hole found in ssh1, and
> most of the sites I work with have already moved to ssh2 protocol. Do you
> think apache.org should do the same?

Actually the security hole was in the RSAref libraries, and I've updated
and securified everything appropriately within hours of seeing the
bugtraq post.

I refuse to update to SSH2 because the new protocol is an attempt by
F-Secure to grab hold of the momentum behind the open-source SSH for
itself.  SSH2 provides no material advantages, and its server is non-free
(not just non-open-source, non-free in other ways).  The effort to support
is OpenSSH - www.openssh.org.  I installed their daemon but it had
interoperability problems with SecureCRT so I bailed on it, but I plan to
return to it once it's got more stability.

	Brian