Talk:OpenSSH

From Wikipedia, the free encyclopedia


cleaned up

That discussion page was a horrible mess; it needed a reboot. I have given it one. Please remember when posting to add your comment to the bottom of the page, or under what you're replying to, or else it becomes garbled. Also, sign your comments using the four tildes so that it is easier to tell who's said what. 74.13.54.124 19:51, 12 July 2007 (UTC)

Possible point worth making...

One thing that might be worth pointing out, and which none of the SSH manuals make clear, is that this software installs and starts FTP (SFTP) and Telnet (SCP) servers without your OK. Not only that, the SFTP server is totally without any limits as to where in the host disk structure access is allowed.

Thus, if you installed SSH purely for secure portmapping (which many people do) this behaviour may be totally unexpected, and could in fact lead to your system's security being compromised instead of improved. The issue is more serious with Windows hosts, Linux hosts typically having some inherent directory-traversal protection by way of filesystem permissions, whereas Windows systems may not. In neither case is it a desirable situation, though.

Maybe the article could usefully mention this point?

--Anteaus 22:07, 18 October 2007 (UTC)

SCP is a file transfer protocol not related to telnet in ANY way, and SFTP, while also a protocol for file transfer, is not FTP. It might be worth clarifying that the sshd daemon can also perform scp and sftp, but this should not be phrased as a biased warning. This is not only to remain NPOV, but because it is misleading -- having shell access is more dangerous than being able to transfer files (and will be even more dangerous if the permissions for reading/writing/EXECUTING on a system are poor). --Karnesky 23:21, 18 October 2007 (UTC)

It may be useful to point out, if such additions are to be made, that it is very simple to disable sftp, the interactive shell and password-based logins. Geoff Riley 06:56, 19 October 2007 (UTC)

Agree, and apologies for the SCP typo. However, I don't think this is showing bias, just stating a demonstrable fact. An alarming one, too, considering that SSH will mostly find use on servers for establishing secure site-to-site portmappings, and not many admins would willingly give ordinary users telnet, or filesystem-root FTP access, to a server. Yet, unless they've studied the manpages very thoroughly, they may not even realise they have inadvertently done so.

--Anteaus 09:48, 19 October 2007 (UTC)

It is a verifiable claim that sshd is able to be used to provide shell and file transfer access. I don't think it is verifiable or NPOV that many admins don't know this and wouldn't want it. The article for Secure Shell seems to address this quite well with "SSH is typically used to log into a remote machine and execute commands, but it also supports tunneling, forwarding arbitrary TCP ports and X11 connections; it can transfer files using the associated SFTP or SCP protocols." --Karnesky 15:05, 19 October 2007 (UTC)

Yes, it's a verifiable claim, but then, to take an example, Samba also facilitates file transfer, BUT I've yet to see a Samba daemon which throws open the whole disk subsystem to all valid users by default as soon as you launch it. (Or even a Windows server process, at least for non-Administrators.) Yes, you could make either do so, but it would take a deliberate action on your part. Likewise any decent, so-called 'insecure' FTP server will have controls over which folders are published, and will not permit directory-traversal exploits such as 'dot-dot' paths. It's this total lack of bounds-limiting that I find alarming. Anyway, enough on this; I think I've made my point.

--Anteaus 22:18, 19 October 2007 (UTC)

I think you're being a little unfair with your statements. What you say is true; however, you presuppose that people are so lacking in security skills that they allow just anyone to gain access; if this were really so then they would already be having problems long before attempting to install an OpenSSH service. I have, literally, thousands of logins attempted every day with whole dictionaries being used; but none get in because I enforce good password regulations. SSH, and associated protocols, can only be accessed by people with an appropriate key --- password logins are disabled --- and the number of keys issued is very small.
You are only partially correct in stating that it "throws-open the whole disk-subsystem to all valid users"; yes, you can wander around the disk, but the user does not gain access to anything that the user would be allowed to with an ordinary old-fashioned tty login.
Anything that you install needs to be set up appropriately; OpenSSH is no different in that regard. You mention Samba; well, that takes quite a bit of setting up before it will do anything at all. Are you really suggesting that OpenSSH is just too simple to set up?
If you are just concerned with the Windows implementation then perhaps you are either unaware of or are forgetting about the administration shares that get set up by default and are often points of weakness because of bad passwords. Geoff Riley 08:23, 20 October 2007 (UTC)
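Geoff Riley's two points above, that password logins, the interactive shell and sftp can each be switched off or confined in sshd_config, and that the practical question is configuration rather than the existence of the subsystem, as an added example that is not part of this discussion and is not OpenSSH's own code. The directive names are the real sshd_config(5) keywords; the two config fragments, the `sftponly` group name and the temporary files are constructed for the example. The audit function also shows the one rule that most often defeats a hardening edit: sshd takes the first occurrence of a keyword, not the last.

```shell
#!/bin/sh
# Added example (not OpenSSH project code): a permissive sshd_config
# fragment next to a hardened one, plus a small audit of the settings the
# thread discusses. Both config texts are constructed for this example.

# Resembles a fresh install: password logins left at their default (yes),
# sftp enabled with no ChrootDirectory to bound it.
PERMISSIVE_CONFIG='
Port 22
#PasswordAuthentication yes
Subsystem sftp /usr/libexec/sftp-server
'

# Key-only logins; for the (constructed) group "sftponly" the session is
# forced into the in-process sftp server, confined to the home directory,
# with no shell command and no forwarding.
HARDENED_CONFIG='
Port 22
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
Subsystem sftp internal-sftp
Match Group sftponly
    ChrootDirectory %h
    ForceCommand internal-sftp
    AllowTcpForwarding no
    X11Forwarding no
'

# Print the value sshd would use for KEY in FILE at the global level.
# Per sshd_config(5) the FIRST occurrence of a keyword wins, comment lines
# are skipped and keywords are case-insensitive. Match blocks are not
# evaluated here, and the "Key=value" spelling is not handled.
sshd_setting() {
    awk -v key="$2" '
        /^[[:space:]]*#/ { next }
        tolower($1) == "match" { exit }
        tolower($1) == tolower(key) { print $2; exit }
    ' "$1"
}

# Succeed if an active "Subsystem sftp ..." line is present in FILE.
sftp_enabled() {
    awk 'tolower($1) == "subsystem" && tolower($2) == "sftp" { found = 1 }
         END { exit !found }' "$1"
}

# Report weak settings in FILE; the return value is the number of findings.
audit_sshd_config() {
    file=$1
    problems=0

    pw=$(sshd_setting "$file" PasswordAuthentication)
    if [ "${pw:-yes}" != "no" ]; then
        echo "$file: PasswordAuthentication=${pw:-yes (default)}; password guessing remains possible"
        problems=$((problems + 1))
    fi

    if sftp_enabled "$file" && ! grep -Eiq '^[[:space:]]*ChrootDirectory' "$file"; then
        echo "$file: sftp enabled with no ChrootDirectory; sftp users see everything their account can read"
        problems=$((problems + 1))
    fi

    return "$problems"
}

# Stand-alone demo: write a fragment to a temporary file and audit it.
demo() {
    tmp=$(mktemp)
    printf '%s\n' "$2" > "$tmp"
    rc=0
    audit_sshd_config "$tmp" || rc=$?
    echo "$1: $rc finding(s)"
    rm -f "$tmp"
}

demo permissive "$PERMISSIVE_CONFIG"
demo hardened "$HARDENED_CONFIG"
```

Two caveats a practitioner will hit with the hardened fragment. `ChrootDirectory` requires every component of the path to be a root-owned directory that is not writable by group or others, so `%h` only works when the user's home directory itself is owned by root (with a writable subdirectory for uploads). And because the first occurrence of a keyword wins, appending `PasswordAuthentication no` below an earlier `yes`, or below an `Include` line that pulls in a distribution-supplied file, changes nothing; `sshd -T` prints the configuration sshd actually resolved and is the check to run after any edit.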

openssh.com vs. openssh.org

My understanding was that openssh.COM was the official domain name for the OpenSSH project, and openssh.ORG is not under the developers' control. Does anyone know why the article shows the website as http://www.openssh.org ? Both domains point to the same site at the moment, but it seems to me the article should really be showing the official domain name... EclecticMonk (talk) 14:40, 8 April 2008 (UTC)

Try using nslookup, it's not so hard. 74.13.60.58 (talk) 23:51, 9 April 2008 (UTC)

While they currently point to the same IP address, the concern was over the domain name ownership. Try using whois, it's not so hard. --Karnesky (talk) 01:33, 10 April 2008 (UTC)

I see you've updated it; fantastic. I probably should have just gone in and changed it, but I'm new here and lacking confidence :-) EclecticMonk (talk) 11:17, 15 April 2008 (UTC)