Old 10-21-2020, 10:56 AM   #1
etcetera
Member
 
Registered: Aug 2004
Posts: 268

Rep: Reputation: 16
Is SSH restricted outside of US?


Strong crypto used to be restricted export-wise outside of US.

Does this apply to US? Can you build a Linux machine with a SSH server running on it and ship it overseas and connect to it via SSH from US?

Any hard data on this is appreciated, not just speculation.

this may shed some light on it but does not answer the question:

https://en.wikipedia.org/wiki/Export..._United_States

Last edited by etcetera; 10-21-2020 at 11:01 AM.
 
Old 10-21-2020, 11:12 AM   #2
boughtonp
Member
 
Registered: Feb 2007
Location: UK
Distribution: Debian
Posts: 820

Rep: Reputation: 602
Quote:
Originally Posted by etcetera View Post
Any hard data on this is appreciated, not just speculation.
The canonical answer will come from the people responsible for such restrictions - the Bureau of Industry and Security: https://www.bis.doc.gov

They have encryption-related FAQs here: https://www.bis.doc.gov/index.php/all-articles/15-policy-guidance/encryption/560-encryption-faqs

If the answer you need isn't there, there's a "Contact Us" link in their page footer.

 
Old 10-22-2020, 05:28 AM   #3
ondoho
LQ Addict
 
Registered: Dec 2013
Posts: 15,890
Blog Entries: 10

Rep: Reputation: 4655
Is SSH restricted outside of US?
No, it isn't.
It also does not originate from the US of NA.

That said, I heard about these things you write.
I think it's one of the reasons why the original internet/www is/was completely unencrypted.
 
Old 10-22-2020, 05:45 AM   #4
Turbocapitalist
LQ Guru
 
Registered: Apr 2005
Distribution: Linux Mint, Devuan, OpenBSD
Posts: 5,245
Blog Entries: 3

Rep: Reputation: 2588
The "Crypto Wars" version 1 is probably what is being alluded to. Back then any useful encryption was classified as munitions and prohibited for export. So with OpenSSH, specifically, all the work had to be done in Canada and elsewhere outside the US. It was allowed to import the encryption then but not export it even if it came from outside. I think the older versions may have had that information in the README file.

Phil Zimmermann, then at MIT, and PGP and Eben Moglen were at the epicenter.

https://www.wired.com/1995/03/the-co...il-zimmermann/

https://www.techdirt.com/articles/20...-results.shtml

Once they defeated the US government's legal attacks, as a side effect it was then possible for the WWW to move forward with online shopping and online banking, just two examples.

Strong encryption is under political attack again lately and it is a concerted effort by many nations' weaker-minded politicians. This is starting to be referred to as Crypto Wars II.

Last edited by Turbocapitalist; 10-22-2020 at 06:02 AM. Reason: grammar
 
Old 10-22-2020, 06:06 AM   #5
rkelsen
Senior Member
 
Registered: Sep 2004
Distribution: slackware
Posts: 2,679

Rep: Reputation: 895
Quote:
Originally Posted by ondoho View Post
Is SSH restricted outside of US?
No, it isn't.
The answer to the question is not as simple as you might think. Many countries outside the US do not allow encrypted communications, eg: France... And in my country, the use of encryption is only allowed domestically.

Mind you, many people here use foreign VPNs in order to bypass the government's metadata collection policies. I don't know how that is allowed when that traffic would surely be encrypted too?
 
Old 10-22-2020, 03:59 PM   #6
ondoho
LQ Addict
 
Registered: Dec 2013
Posts: 15,890
Blog Entries: 10

Rep: Reputation: 4655
I don't have positive proof for this, but I'm sure I would have heard if the general use of (open)ssh was restricted anywhere.
Quote:
Originally Posted by Turbocapitalist View Post
So with OpenSSH, specifically, all the work had to be done in Canada and elsewhere outside the US.
Looking at the history of SSH, openssh and OpenBSD I would rather say that it simply does not come from the US of NA, full stop.
 
Old 10-22-2020, 10:35 PM   #7
Turbocapitalist
LQ Guru
 
Registered: Apr 2005
Distribution: Linux Mint, Devuan, OpenBSD
Posts: 5,245
Blog Entries: 3

Rep: Reputation: 2588
Quote:
Originally Posted by ondoho View Post
I don't have positive proof for this, but I'm sure I would have heard if the general use of (open)ssh was restricted anywhere.
Based on some very verbose and hard to parse PDFs regarding a relevant international treaty, it looks like quite a few countries appear to ban it *, along with many other technologies. I have the feeling that for the time being the authorities there just pretend not to see or else enforce selectively based on political criteria. One can't take common sense for granted, especially when "... with a computer" or "... on the Internet" can be appended to activities. Remember, the US spent years fighting online shopping and banking. Note that the banking services there are still a decade or two behind the rest of the world.

* Warning, PDFs in general are programs, not just rendering. Also that same site requires downloading and running Javascripts on your computer. Proceed at your own risk.

There are some more summaries for the US specifically: https://its.uiowa.edu/support/article/104113
That page appears to go to a number of dead links, but it gives an idea of what to search for elsewhere.
 
Old 10-23-2020, 04:44 AM   #8
ondoho
LQ Addict
 
Registered: Dec 2013
Posts: 15,890
Blog Entries: 10

Rep: Reputation: 4655
Quote:
Originally Posted by Turbocapitalist View Post
Based on some very verbose and hard to parse PDFs regarding a relevant international treaty, it looks like quite a few countries appear to ban it *
That site is about "Export Controls for Conventional Arms and Dual-Use Goods and Technologies". You are going to have to prove to me that it specifically applies to openssh (and, more generally, to any Linux distro having it in their repos). Until then I call BS, sorry. And once again, I have the feeling you're looking at this US-centric.
Since openSSH was an international project from the start (or rather part of one, namely OpenBSD), how can any of this even apply?
 
Old 10-23-2020, 04:58 AM   #9
Turbocapitalist
LQ Guru
 
Registered: Apr 2005
Distribution: Linux Mint, Devuan, OpenBSD
Posts: 5,245
Blog Entries: 3

Rep: Reputation: 2588
Notice the signatories of the Wassenaar Agreement. Then observe below the absence of old, weak, export ciphers (with the exception of 3DES):

Code:
$ ssh -Q cipher | sort
3des-cbc
aes128-cbc
aes128-ctr
aes128-gcm@openssh.com
aes192-cbc
aes192-ctr
aes256-cbc
aes256-ctr
aes256-gcm@openssh.com
chacha20-poly1305@openssh.com
rijndael-cbc@lysator.liu.se
International laws go through several stages: lobbying, drafting, adoption, enforcement. By the time you have individual countries adopting local implementations of the law, it is more or less too late. By the time you have enforcement, it is far too late. You don't feel the bite of any of it until the enforcement stage. Until then, those that do follow along get to play Cassandra and, if the pushback is big enough, attacked in the press.

For background, look up the "Crypto Wars" from the early 1990s. For what's going on now, look at what is sometimes called "Crypto Wars II".

Last edited by Turbocapitalist; 10-23-2020 at 05:54 AM. Reason: additional link to Schneier
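
Added example, not part of any post in this thread: a small shell filter that sorts the cipher names printed in post #9 into older and newer constructions, so the same check can be repeated against another build with `ssh -Q cipher | classify_ciphers`. The function names and the grouping into "legacy" and "modern" are assumptions of this example, and the embedded list is copied from the post rather than taken from a live system.

```shell
#!/bin/sh
# Cipher names copied from the `ssh -Q cipher | sort` output in post #9
# (embedded so the example runs without an ssh client installed).
sample_ciphers() {
cat <<'EOF'
3des-cbc
aes128-cbc
aes128-ctr
aes128-gcm@openssh.com
aes192-cbc
aes192-ctr
aes256-cbc
aes256-ctr
aes256-gcm@openssh.com
chacha20-poly1305@openssh.com
rijndael-cbc@lysator.liu.se
EOF
}

# Read cipher names on stdin, one per line, and label each one.
# The grouping is this example's own (an assumption, not an OpenSSH feature):
# 64-bit block ciphers, RC4 and CBC mode count as legacy; CTR and AEAD as modern.
classify_ciphers() {
    while IFS= read -r name; do
        case "$name" in
            '')                        continue ;;
            3des-*|des-*)              echo "legacy  $name  (64-bit block cipher)" ;;
            blowfish-*|cast128-*)      echo "legacy  $name  (64-bit block cipher)" ;;
            arcfour*)                  echo "legacy  $name  (RC4 stream cipher)" ;;
            *-cbc|*-cbc@*)             echo "legacy  $name  (CBC mode)" ;;
            *-ctr|*-gcm@*|chacha20-*)  echo "modern  $name" ;;
            *)                         echo "unknown $name" ;;
        esac
    done
}

# Count how many names on stdin fall into the legacy group.
legacy_count() {
    classify_ciphers | grep -c '^legacy' || true
}

# Classify the list from the post; for a live system use: ssh -Q cipher | classify_ciphers
sample_ciphers | classify_ciphers
```

Note that `ssh -Q cipher` lists what the binary supports, not what it will offer or accept by default; the effective set is governed by the `Ciphers` option in `ssh_config` and `sshd_config`.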
 
Old 10-23-2020, 06:06 AM   #10
ondoho
LQ Addict
 
Registered: Dec 2013
Posts: 15,890
Blog Entries: 10

Rep: Reputation: 4655
I don't see how any of this applies to this question:
Quote:
Originally Posted by etcetera View Post
Can you build a Linux machine with a SSH server running on it and ship it overseas and connect to it via SSH from US?
 
Old 10-23-2020, 06:36 AM   #11
Turbocapitalist
LQ Guru
 
Registered: Apr 2005
Distribution: Linux Mint, Devuan, OpenBSD
Posts: 5,245
Blog Entries: 3

Rep: Reputation: 2588
It applies to the legal / political side of the answer.

Technically, the answer is, "yes, it's a piece of cake". Legally, the answer is, "maybe, it depends on which country you want to ship to".
 
Old 10-24-2020, 07:16 AM   #12
ondoho
LQ Addict
 
Registered: Dec 2013
Posts: 15,890
Blog Entries: 10

Rep: Reputation: 4655
Quote:
Originally Posted by Turbocapitalist View Post
Legally, the answer is, "maybe, it depends on which country you want to ship to".
Well, that may be so for the US of NA.
I'm out.
 
Old 10-24-2020, 07:53 PM   #13
rkelsen
Senior Member
 
Registered: Sep 2004
Distribution: slackware
Posts: 2,679

Rep: Reputation: 895
Quote:
Originally Posted by ondoho View Post
Well, that may be so for the US of NA.
I wouldn't be so flippant. There are several other countries where the answer to OP's question is not an easy one. Turbocapitalist gave the most accurate responses in this thread.

Last edited by rkelsen; 10-25-2020 at 12:21 AM.
 
Old 10-25-2020, 05:01 AM   #14
ondoho
LQ Addict
 
Registered: Dec 2013
Posts: 15,890
Blog Entries: 10

Rep: Reputation: 4655
I wasn't being flippant.
OP asked: "...and connect to it from the US". I cannot answer that with authority.
But I have never, ever heard that using ssh on a Linux distro might be a problem generally. And in any case I'd be more interested in actual hard data that this might happen anywhere, globally - and not (just) the US of NA. Sorry, OP.
Maybe you would like to provide that data?
In any case I now realise that I was getting into a discussion about Turbocapitalist's interpretation of OP, not OP itself.

Maybe the point is that strong crypto (as per OP) does not even originate in the US (anymore), and therefore OP's assumption is invalid?
I think Turbocapitalist was alluding to that in post #9: "...observe below the absence of old, weak, export ciphers..."

I also don't see how the Wikipedia article in post #1 doesn't answer OP's questions already, specifically the chapters "PC era" and "Current status"?

Last edited by ondoho; 10-25-2020 at 05:11 AM.
 
Old 10-27-2020, 11:03 PM   #15
Turbocapitalist
LQ Guru
 
Registered: Apr 2005
Distribution: Linux Mint, Devuan, OpenBSD
Posts: 5,245
Blog Entries: 3

Rep: Reputation: 2588
Quote:
Originally Posted by Turbocapitalist View Post
It applies to the legal / political side of the answer.
As a followup to my comment, there is a rather good and current legal overview provided by a panel discussion at USENIX's Enigma conference on Youtube, USENIX Enigma 2020 - Encrypted Messaging (Panel), from January of this year.

Quote:
Moderator: Jon Callas, Senior Technology Fellow, ACLU
Panelists: Riana Pfefferkorn, Associate Director of Surveillance and Cybersecurity, Stanford Center for Internet and Society; Daniel J. Weitzner, Founding Director, MIT Internet Policy Research Initiative; Matt Blaze, Georgetown University

In the panel, our four experts will discuss the background of "Crypto Wars" of the past, and thus how we got to our current situation; how this Crypto War is different from the last one(s); the international issues and where the present threats to encryption are coming from; and how we experts at large might measure the problem and see what other mitigations might help before we go shooting ourselves in the face.
Though I would assert that service provider claims of "end-to-end encryption" where the provider actually holds either the software and/or the keys are false and describe something very far from end-to-end.
 
  

