BETA release of OpenSSH-2.5.2p2 with SRP

Tom Holroyd tomh at po.crl.go.jp
Fri Mar 30 21:11:39 EST 2001


This is to announce the availability of SRP (Secure Remote Password)
support for OpenSSH.  A tarball is available on Tripod:

http://members.tripod.com/professor_tom/archives/
http://members.tripod.com/professor_tom/archives/openssh-2.5.2p2-srp5.tar.gz

(Note: Tripod requires you to LEFT click on links to download files.)

To install, unpack, configure --with-srp, and make install, then create an
SRP verifier (your "password" file) with srp-keygen, and edit your config
files to enable SRP authentication (you may want to disable some other
methods at the same time).

Features:

	* Strong authentication of both client *and* server, to protect
	  against server-spoofing attacks.

	* Implements SRP as an SSH2 "authentication method"; the session
	  id generated during key exchange is built in to the SRP exchange
	  hashes, which provides strong authentication of the host key
	  as well as the user verifier.  This protects against spoofed
	  servers even when the host key changes and/or the client doesn't
	  know the host key.

	* Fully compatible with the Stanford SRP distribution,
	  so if you already have an /etc/tpasswd file it'll get used
	  (libsrp is NOT required).

	* No legal issues.  Here's a quote from Tom Wu, the designer
	  of SRP:

		"The past ambiguity has been resolved.  SRP is
		royalty-free for commercial and non-commercial use
		worldwide.  The licensing statements on the Web site, in
		the distribution, and other places (like the IETF) are
		clear on this issue." -- Tom Wu

	* Several alpha versions were checked over by Tom and several
	  other readers of this list.

	* Draft protocol documentation included in the tarball.

	* Conforms to OpenBSD style(9) guidelines.

Please note this is the first public release of this code.  It is not
intended for production environments and there may be major security
holes, though none are currently known.  Please help us test this patch,
and get it ready for inclusion in the mainline code.  It has been tested
on Irix/SGI, Linux/Alpha, Linux/x86, and a few other systems.  Please send
all bug reports/patches/complaints to me, Tom Holroyd <tomh at po.crl.go.jp>.

md5sum (note tar file not gzip):
c409d865a44c85de95f9b9f778502b9c  openssh-2.5.2p2-srp5.tar

GPG signature (key on homepage):

Dr. Tom Holroyd
"I am, as I said, inspired by the biological phenomena in which
chemical forces are used in repetitious fashion to produce all
kinds of weird effects (one of which is the author)."
	-- Richard Feynman, _There's Plenty of Room at the Bottom_
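
The session-id binding described in the feature list above, as an added sketch that is not part of the original post or of the patch: a simplified SRP-6a-style exchange whose proof hashes include the SSH2 session id, so the proofs only verify when both ends ran the same key exchange. The group, the hash layout and all function names are assumptions for illustration, not the protocol in the tarball's draft documentation.

```python
import hashlib
import secrets

# Demo-only group (assumption): 2**127 - 1 is prime, but it is far too small
# and not a safe prime. Real SRP deployments use a large safe-prime group.
N, g = 2**127 - 1, 3

def H(*parts):
    """Hash length-prefixed fields (bytes, str or int) to an integer."""
    h = hashlib.sha256()
    for p in parts:
        b = p if isinstance(p, bytes) else str(p).encode()
        h.update(len(b).to_bytes(4, "big") + b)
    return int.from_bytes(h.digest(), "big")

k = H(N, g)  # SRP-6a multiplier

def make_verifier(password, salt):
    """What the server stores instead of the password: v = g^x mod N."""
    return pow(g, H(salt, password), N)

def srp_login(password, salt, verifier, client_sid, server_sid):
    """Run one exchange; return (server_accepts_client, client_accepts_server).

    client_sid / server_sid are the session ids each side derived from its
    own key exchange. They are equal only if no one sits in the middle.
    """
    a = secrets.randbelow(N - 2) + 1              # client ephemeral secret
    b = secrets.randbelow(N - 2) + 1              # server ephemeral secret
    A = pow(g, a, N)                              # client -> server
    B = (k * verifier + pow(g, b, N)) % N         # server -> client
    u = H(A, B)
    x = H(salt, password)                         # client side only
    S_c = pow((B - k * pow(g, x, N)) % N, a + u * x, N)
    S_s = pow(A * pow(verifier, u, N) % N, b, N)
    # Proofs cover the session id as well as the shared secret.
    m1 = H(client_sid, A, B, S_c)                 # client proof
    server_ok = m1 == H(server_sid, A, B, S_s)
    m2 = H(server_sid, A, m1, S_s)                # server proof
    client_ok = server_ok and m2 == H(client_sid, A, m1, S_c)
    return server_ok, client_ok

if __name__ == "__main__":
    salt, pw = b"constructed-salt", "correct horse"   # constructed sample values
    v = make_verifier(pw, salt)
    print("same session id:", srp_login(pw, salt, v, b"sid-1", b"sid-1"))
    print("relayed (ids differ):", srp_login(pw, salt, v, b"sid-c", b"sid-s"))
```

When the two session ids differ, as they do when the SRP messages are relayed across two separate key exchanges, both proofs fail even though the password is correct.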







More information about the openssh-unix-dev mailing list