ANNOUNCEMENT: FreSSH Version 0.3 and 0.8 Pre-Release

	The FreSSH project is proud to announce that versions 0.3 and
	0.8 of FreSSH, a client and server for the SSH protocol, are
	being made available to the public.  We consider this a
	"pre-release" of our code; a full release will follow shortly.
	The current FreSSH codebase implements SSH protocol version 1.5
	with extensions.

1. What is FreSSH?

	FreSSH is an independent reimplementation of the SSH
	communication protocol.  It is written in C and runs on Unix.
	It does not, unlike various other SSH implementations for Unix,
	trace its ancestry to the original SSH code written by Tatu
	Ylonen nor to any other known SSH codebase.

	FreSSH is distributed under a Berkeley-style license which
	permits you to redistribute modified or unmodified source or
	binaries, so long as you give credit to the copyright holders.

	We have always intended to publically distribute FreSSH but
	have put off the release due to a desire to "get it right the
	first time".  As very busy people with high standards and short
	attention spans, we never have quite seemed to get everything
	to the state of completion we would prefer.  However, a recent
	increase in the number of inquiries about the code has brought
	us to the conclusion that we should do a public pre-release.

	And if we're going to do one, why not two?  Two is better than
	one, right?

2. What's Available Now?

	So, we're announcing the pre-release of versions 0.3 and 0.8 of
	FreSSH.  Why these two versions?  Well, version 0.3 represents
	the last version of our original, server-only SSH protocol
	version 1 code.  It is significantly smaller, simpler, and
	slightly faster than other SSH protocol version 1
	implementations on the market and has a much more friendly
	memory footprint for small systems.  We don't anticipate doing
	much, if any, future development on this code, but we realize
	that it may be useful to others and want to make it public.
	The later version we're pre-releasing, version 0.8, is what we
	intend to clean up, enhance further (e.g. by filling the
	current skeleton of protocol version 2 support) and release as
	FreSSH 1.0.  Version 0.8 includes both a client and server, for
	SSH protocol version 1.5, and some local protocol enhancements
	intended to work-around various inherent problems of the 1.5
	version of the SSH protocol.

	The code has been extensively restructured in preparation for
	multithreading and currently runs using separate send and
	receive processes for each session, which should enhance
	performance on multiprocessors.  We hope to add both protocol
	version 2 support and real multithreading in full public
	releases which we hope to accomplish in the reasonably near
	future.

	Version 0.8 is still smaller and, we believe, simpler than
	other C implementations of the SSH protocol; where possible, we
	suggest that even those building small systems should use
	FreSSH version 0.8.

	FreSSH is extremely modular; this enhances portability and
	allows the easy addition of new cryptosystems, or the removal
	of some of those we supply (such as to produce a smaller
	run-time image).

	We ship FreSSH with a cryptographic module that uses underlying
	functionality provided by the OpenSSL project's "libcrypto";
	others have created alternate modules such as one for the RSA
	BSAFE library.  Adding a new cipher, if it is supported by
	OpenSSL, takes almost no time; writing an entire new
	cryptographic module takes well under a day.

	Careful attention has been paid to performance issues; we
	believe FreSSH 0.8 to be the fastest implementation of the SSH
	protocol version 1 currently available.

	To the extent of our knowledge, FreSSH does not suffer from any
	of the recently disclosed SSH server or client vulnerabilites.
	Our extensions to the SSH protocol version 1 also mitigate the
	impact of certain problems inherent to the protocol, such as
	the lack of a strong message authenticator and various poor
	choices of keying and cipher algorithms, if both the client and
	server are running FreSSH 0.8.  However, because FreSSH is
	still very young software and performs security-critical
	functions, we recommend a careful examination of the source
	code before use, just as is good practice with any such
	software.

	FreSSH strives to use underlying operating system functionality
	wherever possible; you will not find an entire /bin/login
	implementation inside FreSSH that you need to validate before
	you can be confident in its security.  FreSSH strives to run
	with privileges as little as possible, and we believe that we
	have done better in this regard than many other SSH protocol
	implementations.

	Thus, this pre-release.  We know it's not entirely finished,
	and in some places not just unpolished but downright ugly.
	Nonetheless, it's been useful to us and we hope that it might
	be useful to you.  Enjoy!

4. Where can I get FreSSH?

	You can download FreSSH version 0.3 or 0.8 from
	http://www.fressh.org.  http://www.fressh.org is also the
	right place to look for information on new versions of
	FreSSH, bugfixes, security issues, and mailing lists (which
	will be available shortly).

5. Who to Blame

	FreSSH was originally written for RedBack Networks by Eric
	Haszlakiewicz and Thor Lancelot Simon.  RedBack has generously
	given us permission to continue development and distribute the
	resulting code freely.

	Since the completion of the original RedBack work (which was
	only a v1 server), development has proceeded sporadically with
	help from many other similarly busy people, notably Andrew
	Brown (who wrote an entire client "from scratch" and put up
	with endless kibitzing about how it should work) and Jason
	Thorpe (who made many portability and functionality
	enhancements, including IPv6 support, RSA authentication
	support, and agent support).

	This product includes software developed by RedBack Networks,
	Inc.

	This product includes software developed by the University of
	California, Berkeley and its contributors.
