OpenSSH protocol 1.6 proposal

David Rankin drankin at bohemians.lexington.ky.us
Wed Jan 5 04:38:23 EST 2000


I'll condense two different responses into one letter. Also, I have
posted what I'd call a "draft action plan" for an OpenSSH 2.0 project
to http://www.bohemians.lexington.ky.us/~drankin/openssh2.proposal
for anyone interested to examine.

I suggest that we limit further discussion of this thread to 
openssh-dev-list.

Thanks,
David

On Mon, Jan 03, 2000 at 07:47:15PM +0000, Philip Hands wrote:
> David Rankin <drankin at bohemians.lexington.ky.us> writes:

> > Once we get someone to make a list, I think we can start working on
> > the details. No use flooding security at FreeBSD.org or openssh-dev-list
> > with a lot of off-topic discussion (and can stop the monster CC:... :)

> Would it not be better to attempt to get lsh finished off, since that
> doesn't have any possible licensing problem related to the
> protocol/name thing.

So long as we maintain compatibility with SSH 1.5, I don't think that
there are licensing issues. This should be true even when/if SSH 2.0
support is included. 

As for lsh, I like what is already there, but there are a couple of
fundamental design choices that I don't agree with in lsh. They are:
1> Lack of compatibility with the SSH 1.5 protocol. This is of course
   the biggest issue for me. There are a ton of SSH 1.x implementations
   out there.
2> Non-forking server. A select() system is inherently more complex than
   a fork/exec design. I can see a lightweight thread replacement for
   fork/exec, but not a monolithic non-forking server.

> Cheers, Phil.

On Mon, Jan 03, 2000 at 11:49:30PM +0100, Markus Friedl wrote:
} I hope this is my last mail on this subject.  All this discussion
} about SSH2 misses the fact that we are talking about a security
} product, so 'features' should not be overrated.

} Especially for ssh it should be remembered that "complexity is the
} enemy".  You almost get my SSH1.6 for free.  The patches consist
} of minor modifications that are supposed to make SSH1 much more
} secure.  Compare the code size of OpenSSH (~ 20.000 lines) with the
} code size of ssh-2.0.1x (~ 100.000 lines), an incarnation of SSH2.
} Do secure protocols lead to secure implementations?

I wasn't aware of how close to completion your SSH 1.6 patches are.
In this case, I think that it'd be a Good Thing(tm) to include them
right after OpenSSH 1.2.1 is ready.

Also, I'm not sure if comparing code lines is fair. OpenSSH + OpenSSL
are more than ~20000 lines, although still not in the 100k range.

That said, your point is valid: SSH 2.0 is more complex, and any SSH 2.0
implementation is also more complex. That means that it's going to be
a while before OpenSSH 1.2 is obsolete. I agree with your SSH 1.6 proposal
as an interim solution, possibly its completion driving OpenSSH 1.3.

Thanks,
David

-- 
David W. Rankin, Jr.     Husband, Father, and UNIX Sysadmin. 
   Email: drankin at bohemians.lexington.ky.us   Address/Phone Number: Ask me.
"It is no great thing to be humble when you are brought low; but to be humble
when you are praised is a great and rare accomplishment." St. Bernard




