Hi all,

We have Open SSH 3.4p1 available on our HPTE (HP Telco Extensions) Linux. We have a need to comply with the following requirements for our customers:

* The SSH product shall support Version 2 of SSH as defined by the standards
* The SSH product shall support both client and server versions
* The SSH product shall support the following authentication methods
  - Password Authentication
  - Public-Key Authentication
  - Host-Based Authentication
  - Certificate Authentication
  - Kerberos Authentication
  - Pluggable Authentication Module (PAM)
  - SecurID
* The SSH shall support a packet filtering firewall. This requirement allows for secure telnet only from some physical ports and regular telnet from other physical ports
* The SSH product shall support secure Public Key encryption
* The SSH product shall be capable of being exported to all countries in accordance with US governmental trade policies (i.e. Denied or Restricted Parties)
* The SSH product shall support real time applications. Run time speed, footprint, etc are important parameters that should be optimized
* SSH agent should be included in the product
* Use force command configuration of the SSH - it limits what clients can do in a session

Is there any Specifications document for Open SSH which describes as to what all features are supported in a particular version? Otherwise, should we perform the validation for ourselves using some test library?

Your co-operation is very much appreciated.

Thanks,
Prakash

Velupula, Prakash wrote:
> We have Open SSH 3.4p1 available on our HPTE (HP Telco Extensions)
> Linux. We have a need to comply with the following requirements for our
> customers:
>
> * The SSH product shall support Version 2 of SSH as defined by the
> standards

There are no standards for SSH version 2. There are only draft protocol specifications and they're still changing.

> * The SSH product shall support both client and server versions
> * The SSH product shall support the following authentication
> methods
> - Password Authentication
> - Public-Key Authentication
> - Host-Based Authentication
> - Certificate Authentication

Vanilla OpenSSH doesn't support (X.509) certificates; you would need a third-party patch such as Roumen Petrov's.

> - Kerberos Authentication
> - Pluggable Authentication Module (PAM)
> - SecurID

OpenSSH supports PAM via keyboard-interactive authentication. There's no direct support for SecurID; however, it ought to work via PAM if a suitable module is available. There are also third-party patches, but I'm not sure if they're currently maintained.

> * The SSH shall support a packet filtering firewall. This
> requirement allows for secure telnet only from some physical ports and
> regular telnet from other physical ports

Packet filtering is a kernel function, not an application function.

> * The SSH product shall support secure Public Key encryption
> * The SSH product shall be capable of being exported to all
> countries in accordance with US governmental trade policies (i.e. Denied
> or Restricted Parties)

That's a question for your legal team.

> * The SSH product shall support real time applications. Run time
> speed, footprint, etc are important parameters that should be optimized

I'm not sure what an SSH application would do differently to "support real time applications".

> * SSH agent should be included in the product
> * Use force command configuration of the SSH - it limits what
> clients can do in a session
>
> Is there any Specifications document for Open SSH which describes as to
> what all features are supported in a particular version?

The best bet is the ssh_config(5) and sshd_config(5) man pages for the version you're interested in.

--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement.