Howdy, I'm needing a few things like ssh and mod_ssl for SuSE 6.4 - the things that are left out of the US version. I understand that they can't be included with the CD due to _export_ laws, but it's ok for me to download them into the US, for use in the US - right? So my question is, where's the proper place to get them from? I Can't find them on ftp.suse.com. (note: I'm looking specifically for the SuSE-made rpms, not just rpms in general Thanks, JW
Hi, On Fri, Aug 18, Jonathan Wilson wrote:
I'm needing a few things like ssh and mod_ssl for SuSE 6.4 - the things that are left out of the US version.
I understand that they can't be included with the CD due to _export_ laws, but it's ok for me to download them into the US, for use in the US - right? So my question is, where's the proper place to get them from? I Can't find them on ftp.suse.com.
ftp.suse.com is located in the US, so you won't find the crypto stuff there. Use ftp.gwdg.de instead.
(note: I'm looking specifically for the SuSE-made rpms, not just rpms in general
Thanks, JW -o) Hubert Mantel Goodbye, dots... /\\ _\_v
On Fri, 18 Aug 2000, Jonathan Wilson wrote:
I'm needing a few things like ssh and mod_ssl for SuSE 6.4 - the things that are left out of the US version.
I understand that they can't be included with the CD due to _export_ laws, but it's ok for me to download them into the US, for use in the US - right? So my question is, where's the proper place to get them from? I Can't find them on ftp.suse.com.
(note: I'm looking specifically for the SuSE-made rpms, not just rpms in general
SSH and openssh are available in the US for Unix and Win machines from: ftp://ftp.cis.fed.gov/pub/ or ftp://metalab.unc.edu/pub/packages/security/ There are various tar.gz and rpm files there. Building ssh from the tarballs is extremely easy. There is a list of worldwide mirrors for ssh at: http://www.ssh.com/products/ssh/download.html There is a licence required for commercial use of ssh. I don't understand why SuSE do not have (open)ssh on their US CD's as the program is freely downloadable in the US and I have to go to metalab and get it each time I install a new SuSE version. Maybe it's the licence and not the laws. SuSE guys?? I believe openssh, openssl, mod_ssl and ssh are all downloadable as SuSE rpms from: ftp://ftp.gwdg.de/pub/linux/suse/6.4/i386.de/suse/sec1/ Regards,
On Sun, Aug 20, 2000 at 13:26 -0400, S.T.Ryder wrote:
[ ... where to find ssh when not found on CD ... ]
I don't understand why SuSE do not have (open)ssh on their US CD's as the program is freely downloadable in the US and I have to go to metalab and get it each time I install a new SuSE version. Maybe it's the licence and not the laws. SuSE guys??
I could be wron in this respect, but is there such a thing as "the US CD"? Until now I thought it would be the German and the international version, which would imply more aspects to think about than what's relevant for the USA region. (I'm aware that's the opposite to what's the status most of the other time when there's just "US" and "them". :) virtually yours 82D1 9B9C 01DC 4FB4 D7B4 61BE 3F49 4F77 72DE DA76 Gerhard Sittig true | mail -s "get gpg key" Gerhard.Sittig@gmx.net -- If you don't understand or are scared by any of the above ask your parents or an adult to help you.
On Sun, 20 Aug 2000, Gerhard Sittig wrote:
On Sun, Aug 20, 2000 at 13:26 -0400, S.T.Ryder wrote:
[ ... where to find ssh when not found on CD ... ]
I don't understand why SuSE do not have (open)ssh on their US CD's as the program is freely downloadable in the US and I have to go to metalab and get it each time I install a new SuSE
I could be wron in this respect, but is there such a thing as "the US CD"? Until now I thought it would be the German and the international version, which would imply more aspects to think about than what's relevant for the USA region.
(I'm aware that's the opposite to what's the status most of the other time when there's just "US" and "them". :)
I just thought it was strange that the US Federal government have a server up (ftp.cis.fed.gov) that offers ssh, openssh, openssl to the world and we cannot have it on the CD's. It says on the fed.gov site that rpms and src.rpm are available "mainly RedHat and SuSE have been tested". Yes, they specifically mention our SuSE. I did'nt want to, but I bought a Linux Mandrake "Secure Server Edition" to see how the Apache Server was put together for ssl. The blurb on the Mandrake box says "Server was built with a single server Advanced Cryptography Licence from RSA, providing full 128 bit encryption.. Provides a great starting base for E-commerce" So I bought it. I didn't want to export it. I just wanted to use it. I found out that Mandrake secure server is just RedHat with Apache, openssl and mod_ssl. The Apache came from apache.org, openssl was from OpenSSL.org and Mod_SSL was from engelshall.com. The Mandrake distro even came with a printed manual for setting up the server, configuring it and generating keys and certificate requests. Nothing secret, nothing illegal. I just walked into MicroCenter, picked up the box, paid the money and went home. I prefer SuSE, and am wondering why we cannot have an ssl distro too. Mandrake can sell it, so why not SuSE? Why do I have to hack my SuSE disto for ssl. Are SuSE not interested in e-commerce and offering a secure server to their loyal customers in the good ole US?? Am I'm going to have to go through that whole rigmarole again with patching and rebuilding the apache server next month when SuSE 7.0 comes out? With Kind Regards,
I just thought it was strange that the US Federal government have a server up (ftp.cis.fed.gov) that offers ssh, openssh, openssl to the world and we cannot have it on the CD's. It says on the fed.gov site that rpms and src.rpm are available "mainly RedHat and SuSE have been tested". Yes, they specifically mention our SuSE.
Legally those software packages cannot be re-exported outside the US or Canada. Currenbtly US crypto laws says: 64 bit and lower is ok (but no-one really uses <64 bit crypto). Export licenses are easier to get, especially for western europe/etc, but most opensource packages are done outside the US in the first place (Canada, Australia and Germany seem popular). Open Source crypto is supposedly exportable if you notify the BXA (Bureau of Export Administration), so in theory you can put PGP on a webpage as long as you tell them...... Your mileage may vary, and if you end up in federal prison don't blame me. As for the "Secure server", yes it is "off the shelf" software components you can get for free, but they RSA data component of OpenSSL is licensed. OpenSSL can also use RSAREF, which is slower and generally uglier then "proper" RSA. Legally in the US you cannot use RSA unless you license it, or use RSAREF (and RSAREF has a nasty license, you can't use it for anything that generates revenue, so for example universities cannot use it since they charge tuition which pays for network services). The patents should run out September 20th however at which point the rules change. The main problem is if you press the CD's in the US and put crypto on 'em you cannot export them outside US/Canada without some potential problems. Now I doubt the US would throw every US SuSE employee in federal prison if they did do crypto on the cd's, but OTOH I would advise you consult your lawyer first and make damn sure it's legal.
With Kind Regards,
-Kurt
Hi,
The main problem is if you press the CD's in the US and put crypto on 'em you cannot export them outside US/Canada without some potential problems. Now I doubt the US would throw every US SuSE employee in federal prison if they did do crypto on the cd's, but OTOH I would advise you consult your lawyer first and make damn sure it's legal. I heard from SuSE that the problem with the US is, that there are several distibutors which distribute world-wide; that is not only SuSE/US sends package to customes, but also other companies do. In Germany, I think (almost) only SuSE sends this packages to customes, other companies only sell it in their shops.
Since the re-export laws now allow more, we may see a SuSE-"US" version which includes full crypto support. With kind regards from Berlin, Tobias
Greetings All, I am trying to set up a firewall box for a friend who wants to house a small LAN with access to the Internet via a cable modem. His ISP provides dynamic IP addresses with DHCP and I'm using the office network at work to test the setup of the firewall box. I'm having trouble getting dhclient to behave on SUSE 6.4. Over the last couple of weeks the dhclient hardly (if ever) seems to get an IP address, and when it fails it appears to set off a fork bomb of dhclient-script instances that (in around 2 hours) makes the machine (a pentium 166) grind to a complete halt (not even seeming to process any keyboard input). Looking in /var/log/messages after each instance of the problem (after renaming dhclient-script to stop the fork bomb killing the machine) I see either a repeated sequence of (IP address in line 2 changed to protect the guilty): dhclient: DHCPDISCOVER on eth0 to 255.255.255.255 port 67 interval 4 dhclient: DHCPOFFER from 123.123.123.123 dhclient: DHCPDECLINE on eth0 to 255.255.255.255 port 67 (the time between the first and second line is always less than a second, and the time between the second and third line is 5 to 6 seconds) or I see a repeated sequence of: dhclient: DHCPDISCOVER on eth0 to 255.255.255.255 port 67 interval 2 dhclient: DHCPDISCOVER on eth0 to 255.255.255.255 port 67 interval 5 dhclient: DHCPDISCOVER on eth0 to 255.255.255.255 port 67 interval 9 .... dhclient: No DHCPOFFERS received dhclient: No working leases in persistent database - sleeping. It is known that our DHCP server is sometimes not very reliable, which explains the second type of error, but not the first. Why would the dhclient refuse the dhcp offer? And why does the dhclient-script fork bomb every time it fails to get an address. I also have been using the SuSEfirewall package, but I don't think that it has any impact on this particular problem, because the above symptoms still occur when the firewall is turned off (START_FW="no" in /etc/rc.config). (As an aside, I had a to add an ipchains rule to the SuSEfirewall script to permit DHCP requests to be transmitted without the firewall blocking them (even though I had set FW_SERVICE_DHCLIENT to yes in /etc/rc.config.d/firewall.rc.config). The logs showed that the dhcp requests were tagged with the IP address of the firewall box's other network interface (which has a static 192.168.x.y address) and were thus presumably being blocked by the rules on the "forward" chain.) Any help with the dhclient problem would be much appreciated, Jason McDonald. -- Random Signature #117: Maths and alcohol don't mix - never drink and derive.
I heard from SuSE that the problem with the US is, that there are several distibutors which distribute world-wide; that is not only SuSE/US sends package to customes, but also other companies do. In Germany, I think (almost) only SuSE sends this packages to customes, other companies only sell it in their shops. Since the re-export laws now allow more, we may see a SuSE-"US" version which includes full crypto support. With kind regards from Berlin,
Tobias
This is correct.
As you might expect, publishing two seperate distributions every time
is costly.
As Kurt Seifried pointed out already, we need to make sure that the legal
issues are bullet-proof. Our legal professionals are working on a
solution, but most of you might know some of the properties of the US
legal system. See http://www.suse.de/~draht/usa.jpg (sorry, this is
German) and smile.
Btw, talking crypto: The netscape packages will show up later today in the
German SuSE ftp site ftp.suse.de. For bandwidth reasons, we rely on our
mirrors - ftp.gwdg.de will have the updates available soon after. You will
see more precise paths/URLs in the advisory. I just hope that the mirrors
get sync fast enough, otherwise we're on delay.
Thanks,
Roman.
--
- -
| Roman Drahtmüller
participants (8)
-
Gerhard Sittig
-
Hubert Mantel
-
Jason McDonald
-
Kurt Seifried
-
Roman Drahtmueller
-
S.T.Ryder
-
Tobias Burnus
-
wilson@claborn.net