date 2017-12-17
Microsoft Releases a Preview of OpenSSH Client and Server For Windows 10 (servethehome.com)
kriston (Slashdot user #7,886) writes: Microsoft released a preview of the OpenSSH server and client for Windows 10. Go to Settings, Apps & Features, and click "Manage optional features" to install them. The software only supports AES-CTR and chacha20 ciphers and supports a tiny subset of keys and KEXs, but, on the other hand, a decent set of MACs.
It also says that it doesn't use the OpenSSL library. That's the really big news, here. I understand leaving out arcfour/RC4 and IDEA, but why wouldn't MSFT include Blowfish, Twofish, CAST, and 3DES? At least they chose the CTR versions of these ciphers. (Blowfish isn't compromised in any practical way, by the way). I prefer faster and less memory- and CPU-intensive ciphers.
Still, it's a good start. The SSH server is compelling enough to check out especially since I just started using X2GO for remote desktop access which requires an SSH server for its file sharing feature.
We've already got PuTTY (Score:2, Insightful)
It works well, it's been field proven for decades and it doesn't "call home" to Redmond.
Re:We've already got PuTTY (Score:5, Informative)
Cygwin provides an SSH server, with current OpenSSH releases and a more powerful bash-based local working environment. It does require additional non-Microsoft published binaries, and it has had issues operating with various anti-virus software packages. I admit that I'm very, very curious what shell and what capability for chroot sftp access may be available with the new Microsoft published server.
Activating that future could be very helpful for people who wish to safely upload, or download, more safely from what is already a publicly exposed Windows server.
Me too. The "their is" client is the worst. Even worse than your grammar, believe it or not.
Re:We've already got PuTTY (Score:5, Informative)
It does - or at least it did last time I tried it.
This project appears to be the Powershell team doing an honest port of the "Portable OpenSSH" code to native Windows, apparently including legitimate efforts to upstream the port to the main "Portable OpenSSH" project, and it seems (or at least seemed) to be as compatible as one would expect.
When I last tried it, the only issue I ran into was oddities in the terminal emulation, due to Microsoft's shell environment being "special" (things like backspace/del behaving oddly etc.), but it otherwise seemed to work just the same as OpenSSH on my Linux boxen. It's probably been nearly a year since I tried to seriously play with it, so I imagine a lot of improvements have taken place since then.
One nice thing about this project is that there seem to be rumors that "Powershell remoting" will eventually use SSH as its authentication and transport mechanism, which is a major hole in the current port of Powershell to non-Windows platforms. (You *can* do "powershell remoting" from e.g. Linux to Windows, but *only* if you substantially downgrade the security on the Windows side to allow it, because apparently it currently depends on one of the many special "Windows-only" features in powershell to do otherwise. Switching to SSH for this would fix that problem.)
why on earth would anyone want to use power shell on other platforms?
Well, I originally thought the answer would be "so that you can do some of the useful Special Windows Things (like WMI queries of Windows machines) from other platforms", but it turns out the "Special Windows Things" remain proprietary and not included in cross-platform Powershell port so...I'm not really sure. Besides "because Microsoft wants you to", I mean.
Powershell's actually got some neat tricks, and is really handy on Windows systems, but so far I feel like I'd rather just use Python instead, in gene
That was my thought too. I was particularly keen on being able to do queries against AD. I was mightily disappointed to find the Linux version of Powershell does not do all the cool AD stuff, then was even more disappointed to find it didn't do the WMI stuff either, and then gave up when the remoting didn't work without messing about on the Windows machine.
Decades in use and the UI still sucks ass. It's like its "designer" had never seen a GUI application.
I'm sure someone out there can do like Mozilla and make it look like Chrome.
PS - noobs are the only ones who even notice the GUI. "Oh noes! This GUI is different from the others! I'm confoozed!"
Works for me. Right click on the icon and the usual addresses pop up.
We're engineers, we don't want or need that cute CSS/animated JS eye candy.
The fork KiTTY is a little better:
http://www.9bis.net/kitty/ [9bis.net]
It stores its config in files so you can easily copy them to another machine or track them with Git. It still has the same bizarre starting interface to open and edit sessions and lacks a find feature.
If you want something that has a lot of configuration abilities, look at Remote Desktop Manager. It is a commercial utility, but has a free version. It handles not just SSH, but RDP, VNC, Apple Remote Access, and a ton of other protocols.
Re:We've already got PuTTY (Score:5, Funny)
PuTTY does ANSI terminal emulation. So you can watch Star Wars by Telnet in color!
telnet towel.blinkenlights.nl
If everyone watched movies in the efficient open standard Telnet instead of the bloated and patent encumbered H.264 we'd save 52 Gigatonnes of CO2 per year.
I use a linux workstation at work. Having an SSH Server on windows would make life a lot easier for the rare occasion that I have to do something on a windows server.
Err... have we not learned? (Score:3, Insightful)
After Windows 10 turned out to be one OS-sized piece of spyware [networkworld.com], why would any sane person use it for anything [dailykos.com]?
Time to kick that shit to the curb.
Anyways Linux and BSD both have much better SSH support, without the malware coming bundled with win10.
why would any sane person use it for anything [dailykos.com]?
People didn't care about Google.
People didn't care about Facebook.
What makes you think that people would care now?
Interesting that you question their sanity. What was the definition of insane? Seeing the same thing happen over and over again and expecting a different outcome!
Re: Err... have we not learned? (Score:3)
What? Tunneling you can do just about anything.
Re: (Score:2)
You're mistaken. SSH does not establish an SSL connection for shells or anything else. SSH is a cryptographic protocol in its own right, just like SSL and TLS. An "SSH tunnel" really is tunnelling through SSH, not some other protocol.
Amusingly enough, due to their respective places in the OSI model you're more likely to see SSL running on top of SSH than the other way around.
Re: (Score:3)
You should probably read the summary, which talks about the protocols the Microsoft version does and doesn't support.
Those are cyphers.
You should probably get a basic level of education on why open*SSL* was required by OpenSSH until 2014.
OpenSSL has many components, including libssl (which provides SSL support for applications), libcrypto (providing a number of cryptographic functions) and some tools for working with certificates. OpenSSH's dependency on OpenSSL was because it used libcrypto for cyphers.
Re: (Score:2)
Tunnelling happens at the SSL/TLS layer. SSH is a protocol that leverages SSL (old school) or TLS (new school) to perform the tunneling.
Wrong. I've already told you that SSH doesn't use SSL or TLS at all. Encryption and tunnelling is all handled within the SSH protocol itself. Here [ietf.org] is the RFC for the SSH transport layer protocol, which describes how it works.
Re: (Score:2)
Sorry, but that's not good enough. You linked to a brief article on differencebetween.net with nothing to support your claim other than the phrase "more often than not SSH uses SSL under the hood", with no elaboration on what that means and nothing to indicate that it's anything other than a naive assumption. And where does your claim "the rest of the time it uses TLS" come from? Pure guesswork? Did you even look at the RFC before replying?
If you want to convince me of your claim you should start by doing s
Re: (Score:3)
RFC 4253 [ietf.org]
Re: (Score:3)
Click on the link. The title is "The Secure Shell (SSH) Transport Layer Protocol". That is the name of the secure transport layer that SSH uses. SSH uses SSH-TRANS as a transport layer, and doesn't use SSL or TLS for anything. You asked for the specs for the SSH encryption mechanism, and you got them, so don't complain.
Here's another link: RFC 4251 [ietf.org] - The Secure Shell (SSH) Protocol Architecture. That explains how the various parts of SSH work together. Here's an excerpt:
1. Introduction
Secure Shell (SSH) is a protocol for secure remote login and other
secure network services over an insecure network. It consists of
three major components:
- The Transport Layer Protocol [SSH-TRANS] provides server
authentication, confidentiality, and integrity. It may optionally
also provide compression. The transport layer will typically be
run over a TCP/IP connection, but might also be used on top of any
other reliable data stream.
- The User Authentication Protocol [SSH-USERAUTH] authenticates the
client-side user to the server. It runs over the transport layer
protocol.
- The Connection Protocol [SSH-CONNECT] multiplexes the encrypted
tunnel into several logical channels. It runs over the user
authentication protocol.
The client sends a service request once a secure transport layer
connection has been established. A second service request is sent
after user authentication is complete. This allows new protocols to
be defined and coexist with the protocols listed above.
The connection protocol provides channels that can be used for a wide
range of purposes. Standard methods are provided for setting up
secure interactive shell sessions and for forwarding ("tunneling")
arbitrary TCP/IP ports and X11 connections.
Encryption is handled by the lowest l
SSH does not use TLS. It uses the OpenSSL library and uses a transport layer (https://tools.ietf.org/html/rfc4253) that is similar to TLS which has caused some confusion. However the statement that SSH uses SSL internally is false, the two protocols look quite different on the wire.
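The wire-level difference discussed in the comments above (SSH's own transport per RFC 4253 versus an SSL/TLS record), as an added example that is not part of any poster's comment: a classifier over the first bytes a peer sends. The function names and the sample byte strings are constructed for illustration.

```python
# Added example: tell an SSH identification string from a TLS record header.
import struct

SSH_MAX_IDENT = 255  # RFC 4253 section 4.2: maximum length, CR LF included
TLS_TYPES = {20: "change_cipher_spec", 21: "alert",
             22: "handshake", 23: "application_data"}

def parse_ssh_ident(data: bytes):
    """Return (protoversion, softwareversion, comments) or None.

    RFC 4253 4.2: 'SSH-protoversion-softwareversion SP comments CR LF'.
    A server may send other lines first; they never start with 'SSH-'.
    """
    for line in data.split(b"\n"):
        if not line.startswith(b"SSH-"):
            continue
        if len(line) + 1 > SSH_MAX_IDENT:  # +1 for the LF removed by split
            return None
        text = line.rstrip(b"\r").decode("ascii", "replace")
        ident, _, comments = text.partition(" ")
        parts = ident.split("-", 2)
        if len(parts) != 3 or not parts[2]:
            return None
        return parts[1], parts[2], comments
    return None

def parse_tls_record_header(data: bytes):
    """Return (content_type, (major, minor), length) or None."""
    if len(data) < 5:
        return None
    ctype, major, minor, length = struct.unpack("!BBBH", data[:5])
    if ctype not in TLS_TYPES or major != 3 or minor > 4:
        return None
    if length > 2**14 + 2048:  # upper bound on a TLS record body
        return None
    return TLS_TYPES[ctype], (major, minor), length

def classify(data: bytes) -> str:
    # TLS is checked first: its header sits at a fixed offset and starts
    # with a control byte (20-23) that cannot begin a text banner line.
    if parse_tls_record_header(data):
        return "tls"
    ident = parse_ssh_ident(data)
    if ident:
        return "ssh-2" if ident[0] in ("2.0", "1.99") else "ssh-other"
    return "unknown"

# Constructed samples (not captured traffic).
SSH_SAMPLE = b"Welcome\r\nSSH-2.0-ExampleSSH_1.0 demo\r\n"
TLS_SAMPLE = b"\x16\x03\x01\x00\xc8\x01\x00\x00\xc4\x03\x03"

if __name__ == "__main__":
    for name, blob in (("ssh", SSH_SAMPLE), ("tls", TLS_SAMPLE)):
        print(name, "->", classify(blob))
```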
Re: (Score:2)
You can show an auditor that every box *thinks* it's patched...
But try scanning the boxes using nessus with admin creds, which will actually log in to all the boxes and check the individual files installed by patches rather than looking at the list of "installed" patches...
You will OFTEN have systems where a patch is registered as installed, but actually isn't.
putty (Score:3)
Windows 10 that may just see the retirement of Putty
I do not see that happening, most people I know who need to access UN*X systems via windows use putty and hardly ever open up a "DOS Box (? not sure what it is called now). Anyway putty is a nice tool for people who like GUI type applications so it will still be around.
BTW, I tried to get a few of them to go to Linux (work allows one to use Linux), but without luck.
Re: (Score:2)
One installs "MRemoteNG", a very useful tab-based GUI for putty. I recommend it to all my Windows using colleagues who need SSH management. It's available at https://mremoteng.org/ [mremoteng.org]
Re: (Score:3)
Command prompt
Re: (Score:2)
It's called the console, and it changed a lot in Windows 10, breaking many apps.
I do not see that happening, most people I know who need to access UN*X systems via windows use putty and hardly ever open up a "DOS Box
Not entirely sure what a DOS Box has to do with it given both putty and openssh can most easily be run by start > run > "putty -s 192.blahblahblah". Now you just write ssh instead!
Also I'm sick of putty. It has so many problems with ncurses. There's no valid settings that make it work properly with a variety of software. If midnight commander renders correctly you know nmon won't, and vice versa as just one example.
Personally when I want to access a Linux box from Windows 10, I start the command with s
Re: (Score:3)
Windows 10 that may just see the retirement of Putty
[...]a "DOS Box (? not sure what it is called now).[...]
In my experience, for masses of low-end Windows admins, it's called a "command prompt" (or "DOS Prompt" if the admin is old), and refers to that black-square icon you "run as administrator" in order to paste in the magic incomprehensible line of text that some website says fixes the problem you're trying to fix.
For more skilled Windows admins, it's a "powershell session", which, to be fair, also often is "that blue-square icon you 'run as administrator' in order to paste in the magic incomprehensible line
Re: (Score:2)
I don't agree with the silly "retirement of PuTTY" sentiment in this article. Everyone knows that the console prompt won't meet the needs of even the most casual remote shell users.
The big news is that, in the future, there will be an officially-supported and NATIVE implementation of OpenSSH using the native Microsoft Windows crypto library instead of OpenSSL on the Windows platform.
That's worth the cost of admission, if you ask me.
Re: (Score:2)
Windows 10 has both an officially supported Ubuntu bolt-on and, of course, the availability of Cygwin and MINGW. Putty is really only necessary if you don't have a *ix subsystem like one of those three installed, and I find it surprising so few Slashdotters actually want a *ix subsystem in Windows.
Cygwin was always a life saver for me, though I've always hated its package management system. The Ubuntu subsystem is great.
How long until Windows has become Linux? (Score:1)
Or BSD, of course.
Given an exponential curve, it can only be a few years now.
A crippled version without all the meaningful things that the average complete retard doesn't care about (because he's a retard), like freedom, open source, individual choice, and of course compatibility with what they originally embraced.
Because nobody has told them that they aren't the all-powerful monopolist anymore, and so
... gotta still reach for step 2 and 3: extend, and extinguish.
"doesn't use the OpenSSL library." (Score:4, Insightful)
Then how is it "OpenSSH"? If it isn't using the Open code, it's just SSH, right?
PowerShell/Win32-OpenSSH [github.com]
Re: "doesn't use the OpenSSL library." (Score:3)
Re:"doesn't use the OpenSSL library." (Score:4, Informative)
OpenSSL and OpenSSH are not really related. Neither is OpenGL, for that matter. They are different projects maintained by different people, and just happen to all have "Open" in their names. It is possible for OpenSSH to use OpenSSL for some cryptographic functions, but not necessary (at least not anymore - once upon a time OpenSSL was a dependency).
OpenSSH is the OpenBSD project's implementation of an SSH client, server and related utilities. If Microsoft is calling it "OpenSSH" then they must be using a port of OpenBSD's programs instead of creating their own. (In fact, Microsoft promised [microsoft.com] to port OpenSSH to Windows back in June 2015).
Most likely using alternate libs written by a three-letter-agency - I assume M$ gets paid large amounts to do such things.
So I would consider M$ version of "openSSH" to be similar to 'secure-boot' - names intended to mislead the general public.
Re: (Score:2)
No, almost certainly using the Windows platform cryptography libraries, which is the sane thing to do on a Windows platform. It's also the stated goal from back in 2015 when Microsoft announced the plan to port OpenSSH to Windows had been approved since Ballmer had left and was no longer able to veto it.
That's a big gap in time (Score:2)
Re: (Score:2)
There's no gap at all. You can install telnet on Windows 10 exactly the same way as you would install this SSH client or server.
Microsoft didn't remove telnet, they just made it optional.
Re: (Score:2)
That's right. Most of us install the telnet client by habit when installing Windows.
Now we can install a native SSH client. If we want, we can install an SSH server, too.
Re: (Score:2)
Microsoft didn't remove telnet, they just made it optional.
Which makes it completely useless for remote TCP troubleshooting - which is all I ever really used it for. If some random computer is going to have to load the Add/Remove Windows Components screen and take upwards of 5 minutes, it's no longer the quick and dirty tool it once was.
Re: (Score:2)
Your inability to not install suitable software on a remote computer before you run into trouble is not Microsoft's concern.
Your inability to continue not doing so since this version of SSH is delivered in the same way as the current telnet is (please try and follow the conversation rather than angry-ranting) still is not Microsoft's concern.
Re: (Score:2)
Your inability to not install suitable software on a remote computer before you run into trouble is not Microsoft's concern.
I frequently do remote support for people I've never had contact with before. Being Hiding a 129KB .exe with likely no dependencies is not really going to fix Microsoft's bloat problem.
The good news is that I have found a very fast way to install it
pkgmgr /iu:"TelnetClient"
OpenNSAbackoor? (Score:1)
No thanks.
Where's the source?
Thought so.
CPU intensive? (Score:2)
If your limiting factor is CPU in your OpenSSH sessions you're doing something very VERY wrong.
Hahah, no, I'm not doing anything VERY wrong when I'm using this feature on a device that does not have hardware encryption and also has a weak CPU, like the Windows 10 IoT Core which is targeted at these devices.
Try again. And don't assume you know what the real-world implementation is.
Re: (Score:2)
I'm impressed. You found something that runs Windows 10 IoT core but has trouble with your SSH session! As for weak CPU you really should qualify that. SSH hasn't been CPU bound for 20+ years, and the weakest of devices currently are faster than they were.
There's several manual steps to getting it working (Score:2)
https://www.bleepingcomputer.com/news/microsoft/how-to-install-the-built-in-windows-10-openssh-server/ [bleepingcomputer.com]
Are the best instructions I found. Also, you'll have to open port 22 in since the installer doesn't open it even if you use Microsoft's own firewall.
Any idea when this is coming to Server 2016?
Ubuntu for Windows WSL (Score:2)
That works much better and bash.exe and doing an apt-get install openssh gives you the full package
Re: (Score:2)
Not really. That worked well in the past on the Windows Subsystem for Linux model, but this implementation is in native Windows, using native Windows crypto libraries.
It doesn't involve the WSL model at all.
That means remote access to PowerShell primitives without bothering with the extra layer of WSL.
first powershell now this (Score:1)
Will it do ... (Score:1)
ssh -X, ssh -R or ssh -L like openssh and putty?
If it does ssh -X natively without xming or whatever your preferred windows X server I will be impressed.
Already deprecated algorithms (Score:5, Insightful)
Slashdot article: New SWEET32 Crypto Attacks Speed Up Deprecation of 3DES, Blowfish [slashdot.org]
Bruce Schneier, the creator of Blowfish, long ago suggested people stop using it.
Re: (Score:2)
Thanks, I posted this without enough comment to avoid baiting this kind of comment.
Congratulations, you've taken the bait. He didn't really discourage its use, just that he was surprised that so many people still used it.
OpenSSH for Windows (Score:2)
OpenSSH for Windows [mls-software.com]
I make a SFTP Server... (Score:1)
Just wanted to say... (Score:2)
