gabriel rosenkoetter on Thu, 21 Mar 2002 00:30:12 +0100
On Wed, Mar 20, 2002 at 04:50:54PM -0500, Fred K Ollinger wrote:
> I have installed ssh2 on a debian system recently. I can make it backwards
> compatible w/ ssh1. Fine.
>
> How is one to get ssh2 to install from source (openssh-3.1p1)?
>
> Is there a rh 6.2 package for this?
>
> I didn't see one anywhere. I was going to download src for ssh2-2.4 and
> compile. Is there a better way?

All kinds of misunderstandings here. Some clarification of terms:

SSH-1 and SSH-2 refer to the protocols. You might see SSH-2 also referred to as SECSH. When you say ssh1 or ssh2 (or sshd1, or sshd2, or some other permutation) people who've dealt extensively with this firestorm will think you're talking about a specific vendor's product, which I don't think you are. (Oh, and there are actually three versions of the SSH protocol in vaguely common use: 1.3, 1.5, and 2.0. But 1.3 and 1.5 share a lot.)

There is one commercial vendor for ssh client and server software, they are SSH.com. Once upon a time their software was both free and open. It's not free if you want to use it for business purposes, and it's not open if you want to use it anywhere besides Unix. (They'd LOVE for you to buy their Windows/Mac client, F-Secure.)

There are many open source (primarily for Unix-like operating systems, though not exclusively) SSH-1 and SSH-2 client and server programs. OpenSSH is probably the most popular.

OpenSSH 3.x implements BOTH SSH-1 and SSH-2 in the same server. You can tell it to only do one or the other. SSH.com's sshd2 will only speak SSH-1 if you've got their sshd1 installed (or someone else's you've called sshd1, I suppose).

The principle is that there is a security problem with the SSH-1 protocol (there are good descriptions merely a google search away), so you really shouldn't be doing it. But it's kind of hard to get people using, say, Mac OS 8, where there's no SSH-2 client, to get with the program. SSH.com chose to be anti-social, OpenSSH (and FreSSH; if they ever get their shit back together, they'll replace OpenSSH as NetBSD's default-installed SSH client and server) chose to leave that up to the local administrator. (SSH protocols 1.3 and 1.5 share this bug; SSH protocol 2.0 does not.)

There are some subtle compatibility problems between SSH.com's software and OpenSSH (not in basic communication, but with things like the formatting of their public/private keys on-disk).

So, coming back to your question:

1. If you build and install OpenSSH 3.1 or above (and don't install anything before that, as there's a nasty bug in it), you will have both SSH-1 and SSH-2 functionality, provided you allow for it in your sshd_config. This is the openssh-3.1p1 you mention above.

2. If you already have SSH.com's SSH-1 installed (make sure it's the most recent version, since they've had security problems all over the place), then you can install their SSH-2 over top of that and support both protocols. But they recommend against it. This is the ssh2-2.4 you mention above (I think).

I recommend against using SSH-1(.anything) too, and I don't use SSH.com's software because they want money for it (yes, I AM cheap, but I also contribute back) and, in my experience, don't respond as quickly to security problems.

-- 
gabriel rosenkoetter
gr@eclipsed.net
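
Added example, not part of the original post: a check of which SSH protocol versions a server accepts, read from its identification string and from the Protocol line in sshd_config. The function names and sample inputs are constructed for illustration; the "2,1" fallback used when no Protocol line is present is an assumption about the OpenSSH 3.x default, so confirm it against your own sshd_config(5).

```python
import re

# Identification string sent on connect: SSH-<protoversion>-<softwareversion>
BANNER_RE = re.compile(r"^SSH-(\d+)\.(\d+)-(\S+)")

def offered_protocols(banner):
    """Return the SSH protocol major versions a server banner advertises."""
    m = BANNER_RE.match(banner.strip())
    if not m:
        raise ValueError("not an SSH identification string: %r" % banner)
    major, minor = int(m.group(1)), int(m.group(2))
    if (major, minor) == (1, 99):
        return {1, 2}      # 1.99: SSH-2 server that still accepts SSH-1 clients
    if major in (1, 2):
        return {major}     # 1.3 / 1.5 are SSH-1 only, 2.0 is SSH-2 only
    raise ValueError("unknown protocol version %d.%d" % (major, minor))

def configured_protocols(config_text, default="2,1"):
    """Return the versions enabled by the Protocol keyword in sshd_config text.

    Keywords are case-insensitive and the first occurrence is used.
    `default` is an assumption for configs without a Protocol line.
    """
    value = default
    for line in config_text.splitlines():
        line = line.split("#", 1)[0].strip()          # drop comments
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        if len(parts) == 2 and parts[0].lower() == "protocol":
            value = parts[1]
            break
    return {int(v) for v in value.replace(" ", "").split(",") if v}

def accepts_ssh1(banner=None, config_text=None):
    """True if either the banner or the config shows SSH-1 is still enabled."""
    seen = set()
    if banner is not None:
        seen |= offered_protocols(banner)
    if config_text is not None:
        seen |= configured_protocols(config_text)
    return 1 in seen

if __name__ == "__main__":
    # Constructed sample inputs
    for b in ("SSH-1.99-OpenSSH_3.1p1", "SSH-2.0-OpenSSH_3.1p1", "SSH-1.5-example"):
        print(b, sorted(offered_protocols(b)))
    print(accepts_ssh1(config_text="Port 22\nProtocol 2\n"))
```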