Return-Path: <news@newsmaster.cc.columbia.edu>
Received: from newsmaster.cc.columbia.edu (newsmaster.cc.columbia.edu [128.59.35.30])
by watsun.cc.columbia.edu (8.8.5/8.8.5) with ESMTP id JAA04126
for <kermit.misc@watsun.cc.columbia.edu>; Thu, 1 Oct 1998 09:04:00 -0400 (EDT)
Received: (from news@localhost)
by newsmaster.cc.columbia.edu (8.8.5/8.8.5) id JAA01099
for kermit.misc@watsun; Thu, 1 Oct 1998 09:03:58 -0400 (EDT)
Path: news.columbia.edu!watsun.cc.columbia.edu!jaltman
From: jaltman@watsun.cc.columbia.edu (Jeffrey Altman)
Newsgroups: comp.protocols.kermit.misc
Subject: Re: Ssh support in Kermit?
Date: 1 Oct 1998 13:03:56 GMT
Organization: Columbia University
Lines: 92
Distribution: usa
Message-ID: <6uvujs$p7t$1@apakabar.cc.columbia.edu>
References: <6uookl$njm$1@vixen.cso.uiuc.edu>
Reply-To: kermit-support@newsmaster.cc.columbia.edu
NNTP-Posting-Host: watsun.cc.columbia.edu
Xref: news.columbia.edu comp.protocols.kermit.misc:9271

In article <6uookl$njm$1@vixen.cso.uiuc.edu>,
Adam H. Lewenberg <adam@orion.math.uiuc.edu> wrote:
: Are there any plans to support the ssh (secure shell) protocol in
: future versions of Kermit (either Kermit 95 or C Kermit)?

The quick answer is 'Yes'. The long answer is "SSH support is not
necessarily what you want to do" and I will explain that later on.

In fact, if you look in the archives of this newsgroup you will find
that last March I posted an article asking for users interested in
testing SSH support for Kermit 95 to contact me. At the time I had
taken the Unix SSHv1 distribution which is copyright SSH
Communications and modified it to run as a DLL based session handler
for Kermit 95. In general it worked well but due to the poor design
of the SSH code, when an SSH error occurred the DLL would terminate
the K95 process. Not quite what a user would want.

When 1.1.16 was released it was my intention to ship it with
Kerberos 4, Kerberos 5, SRP, and SSH. However, since Kermit 95
is a commercial product we would need to pay licensing fees to
Data Fellows for the use of their code; and we would need to
pay patent licensing fees for the RSA algorithms which are required
by SSHv1. Remember, The Kermit Project is a self funding not-for-
profit. If we were to license RSA or SSH for Kermit 95 the cost
of the product would have to increase. If we were to license it
for C-Kermit we would have to start charging. The money must come
from somewhere.

SSHv2 was also very close to being completed. The benefits of
SSHv2 are that it does not use the RSA algorithms for key exchange
instead using the Diffie-Hellman algorithm whose patent expired
last year. That means it doesn't require a patent license. SSHv2
also closes some rather bad weaknesses in the security provided
by SSHv1. SSHv2 is also an IETF Standards Track protocol. This means
that there will have to be multiple interoperable implementations
some of which we assume will be free and not requiring licensing
payments to Data Fellows. This is especially important due to the
language of the new SSH Communications license for non-commercial
use of SSH which makes it impossible for a University such as
Columbia to install SSH on a machine if it will ever be used for
a system administration function (such as logging in as root).

At the present time there are several projects underway to implement
a Free SSHv2 library. When that is complete we will integrate it
into Kermit.

There are some other things to be aware of. Although the IETF
has a working group which is managing the SSHv2 process, my
impression is that the IETF does not see SSHv2 as being anything
more than a very short term method for secure connections. Long term
the IETF solution is IPSec. The medium term solution is TLSv1 (the
successor to SSL). TLSv1 is being added to almost every protocol
in use on the Internet today in order to add transport layer security
while we wait for IPSec to become fully deployed. The Telnet option
for TLS is working its way through the standards process and the
Kermit Project is a part of that. I have already implemented it
in C-Kermit and Kermit 95 using Eric Young's SSLeay package which
is freely available. I will have a telnetd that implements it sometime
over the next couple of weeks.

The current state of affairs is rather unfortunate. SSHv1 is widely
deployed and due to the licensing terms of its inventor will probably
not migrate to SSHv2 at a rapid pace. SSHv1 cannot be implemented
legally within the United States without incurring a significant cost.
SSHv2 is a better protocol but freeware versions are not yet available
and even if they were would most likely not meet your needs due to
the lack of migration from SSHv1.

When we do implement secure connections we can't export them. So
adding SSH does not help our worldwide friends one bit and once we add
calls to secure routines in C-Kermit it makes it impossible for us to
distribute the full source code set for C-Kermit on the Internet due
to the same export restrictions imposed by the U.S. Government.

So the end result is that while we want to provide support for
every security method available on the Internet we are not always
able to do so in a timely manner given the environment within which the
Kermit Project operates. There are competing demands for our limited
resources and we can't always do what seems like the nature

As a post script, there is a little known interface in Kermit 95 which
is documented at ftp://ftp.kermit-project.org/kermit/k95/k95dll/ which
was designed to allow a customer to implement a proprietary driver for
K95 and could be used to implement SSH by a group outside of the Kermit
Project.

Jeffrey Altman * Sr.Software Designer * Kermit-95 for Win32 and OS/2
The Kermit Project * Columbia University
612 West 115th St #716 * New York, NY * 10025
http://www.kermit-project.org/k95.html * kermit-support@kermit-project.org