Federico Biancuzzi, 2005-12-19
Federico Biancuzzi interviews OpenSSH developer Damien Miller to discuss the features included in the upcoming version 4.3, public key crypto protocol details, timing-based attacks and anti-worm measures.
OpenSSH cutting edge
2005-12-21
Alex Blewitt (1 replies)
Editorial: alter use of HTML-comments
2005-12-21
Anonymous (1 replies)
Seems like Firefox (1.0.7 at least) hides large parts of part two of the article due to incorrect use of HTML-comments.
<!-----> is not a valid comment: some character in between the start and the end tag must not be a "-" character....
OpenSSH cutting edge
2005-12-21
Anonymous (4 replies)
Niiiice. Convenient userspace layer2 and 3 tunneling in a ubiquitous text mode protocol.
Who cares that it makes network security administration a nightmare. Or that I'll have to shut down SSH to the DMZs, since you're implementing a bi-directional network tunnel. Or that a user can leave the co...
Re: OpenSSH cutting edge
2005-12-21
Anonymous (1 replies)
Your implication is that it is safe to allow ssh to pass through the firewall from untrusted inside hosts/users today, but will become hopelessly less so after openssh implements more functional tunnels, and that the openssh team should therefore not provide such functionality.
However, your firs...
Re: OpenSSH cutting edge
2005-12-21
Anonymous (1 replies)
I may be naive here, but wouldn't the use of tun devices require root at both ends?...
Re: OpenSSH cutting edge
2005-12-22
Anonymous (1 replies)
None of which are problems if the administrators do their job of "administrating" and (a) disable sshd from allowing tunnelling and (b) ensure that normal users can't create tun devices.
Next you're going to say that just because a compiler exists, random users can insert security holes into the ...
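The two controls named in the post above (turn tunnelling off in sshd, keep ordinary users away from tun devices) can be checked rather than assumed. What follows is an added example, not code from the article or from the OpenSSH project: a permissive sshd_config beside a hardened one, and a small shell function that reports the effective global PermitTunnel value the way sshd resolves it (the keyword is case-insensitive, the first occurrence wins, the compiled-in default is "no", and a directive inside a Match block only applies conditionally). The file contents and the group name "vpnadmins" are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the article or the OpenSSH project): resolve the
# effective PermitTunnel setting of an sshd_config file the way sshd does.
#   - keywords are case-insensitive and may be written "Keyword value" or
#     "Keyword=value"
#   - the FIRST occurrence of a keyword wins; later repeats are ignored
#   - an absent keyword means the compiled-in default, which is "no"
#   - anything after a "Match" line is conditional, not the global value
# Valid PermitTunnel arguments are yes, point-to-point, ethernet and no.

effective_permit_tunnel() {
    # $1: path to an sshd_config file; prints the effective global value
    awk '
        /^[ \t]*#/ || NF == 0 { next }            # comments and blank lines
        { gsub(/=/, " "); key = tolower($1) }     # normalise Keyword=value
        key == "match" { exit }                   # the rest is conditional
        key == "permittunnel" && !found { print tolower($2); found = 1 }
        END { if (!found) print "no" }            # compiled-in default
    ' "$1"
}

# Constructed sample configurations for the demonstration; the group name
# "vpnadmins" is hypothetical.
WORKDIR=$(mktemp -d)
trap 'rm -rf "$WORKDIR"' EXIT
WEAK_CFG="$WORKDIR/sshd_config.weak"
HARD_CFG="$WORKDIR/sshd_config.hardened"
DEFAULT_CFG="$WORKDIR/sshd_config.default"

# Permissive: layer-3 tunnels for every authenticated user. The trailing
# "PermitTunnel no" looks like a fix but is ignored, because sshd keeps
# the first value it read.
cat > "$WEAK_CFG" <<'EOF'
Port 22
PermitTunnel point-to-point
PermitTunnel no
EOF

# Hardened: explicit global deny, re-enabled only for one administrative
# group inside a Match block, so the global answer stays "no".
cat > "$HARD_CFG" <<'EOF'
Port 22
PermitTunnel no
Match Group vpnadmins
    PermitTunnel point-to-point
EOF

# No PermitTunnel line at all: falls back to the default of "no".
cat > "$DEFAULT_CFG" <<'EOF'
Port 22
EOF

for cfg in "$WEAK_CFG" "$HARD_CFG" "$DEFAULT_CFG"; do
    printf '%s: PermitTunnel=%s\n' "$(basename "$cfg")" \
        "$(effective_permit_tunnel "$cfg")"
done
# On a live host running a current OpenSSH, `sshd -T | grep -i permittunnel`
# prints the value the installed sshd would actually use.
```

The second control is a host matter rather than an sshd one: on Linux, opening /dev/net/tun is governed by that device node's permissions, and creating a tun interface or assigning it an address needs CAP_NET_ADMIN, so an unprivileged user cannot bring up their end of an ssh -w tunnel on their own; the same privilege requirement applies on the server side.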
TCP over TCP considered harmful
2005-12-22
Anonymous (3 replies)
This "real VPN" stuff all sounds good until you end up running TCP over TCP.
TCP dynamically measures the capacity and round trip times of the underlying network, to try to continually optimise performance based on the underlying network's available capacity. One of the tools it uses to do th...
Re: TCP over TCP considered harmful
2005-12-22
Anonymous (1 replies)
Could TCP over TCP problems not be solved by dropping some packets or setting ECN bits in the transported packets? It's TCP over SSH over TCP, so you get to manipulate the stream. ...
Re: Re: TCP over TCP considered harmful
2006-01-07
Anonymous
I'd doubt it, as I'd think the TCP implementation being used is the one in the OS kernel, and I'm pretty sure there aren't any knobs you can switch on to get TCP to be unreliable and not to optimise its behaviour for the available network capacity. Having those knobs would defeat the fundamental purp...
Re: TCP over TCP considered harmful
2006-01-03
Baron von Leezard
The above analysis of how TCP over TCP goes wrong is not quite accurate. The issue has more to do with TCP's congestion avoidance backoff behavior when more than two sequential TCP packets are dropped. If you have two layered and independent timers, you can get very bad behavior.
This business of...
Re: TCP over TCP considered harmful
2006-02-07
Jason
In real life, I do this a *lot*. Not for VOIP or anything, but for normal interactive sessions, *effectively* running many SSH's over a single SSH.
My experience with this has been very satisfactory.. and a lot more stable than the VPN software The Company provides.
"Harmful", is fairly subject...
OpenSSH cutting edge
2006-01-03
Anonymous (2 replies)
Damien gives the following reason for not implementing ECC: "many ECC methods are patented. The NSA made the press recently for licensing these patents, something that we have neither the means nor the desire to do."
Sounds like he doesn't understand the NSA's license. Their license allows for th...
Re: OpenSSH cutting edge
2007-11-10
Anonymous
Well things have changed even more since. Now, the US government is trying to get people to adopt ecc for a lot of good reasons. OpenSSH is sadly lacking in this capacity right now where it should be leading. It is sitting in openssl already. Times have changed, this should be reconsidered....