How SSH Port Became 22 (ssh.com)
382 points by kawera on Oct 24, 2019 | 81 comments

So the crux of the story is “I had to email an internet icon and she mailed me back right away having done what I asked”.

I can sympathize. When I worked at Sendmail I was tasked with running DNS for the company, which included Sendmail.org. The first thing I had to do was find a secondary DNS. Our founder said to “email his friend Paul”.

It turned out his friend was Paul Vixie, the inventor of BIND, who responded in just a couple minutes that he had set up a-root to secondary the domains I was running.

Here I was, 22 years old at my first job, emailing with the inventor of critical internet infrastructure who was relying on a database I ran as a source of truth.

I remember Wired publishing an article about PGP waaay back in the day, and they included Phil Zimmermann's phone number in the article, for some bizarre reason.

On a whim, after reading the article and because I was at the time involved in setting up ISP services all over SoCal, I decided to just call him and say thanks.

Imagine my surprise when he answered, confirmed it was really him, and we chatted for 20 minutes or so about the Internet, how it needed to be secured, and so on. I'll never forget his huge "meh." in response to my statement "it must be weird having your personal phone # published in a national publication" .. ;)

> When I worked at Sendmail

> Here I was, 22 years old at my first job, emailing with the inventor of critical internet infrastructure who was relying on a database I ran as a source of truth.

But you were working for a company who employed or was started by the creator of Sendmail, Eric Allman? Surely you were already rubbing shoulders with the Internet giants of old?

According to Wikipedia, "in 1996, approximately 80% of the publicly reachable mail-servers on the Internet ran Sendmail".

> Surely you were already rubbing shoulders with the Internet giants of old?

I was, but I just didn't see Eric that way, I guess because I saw him all the time? I mean looking back, there were quite a few Internet giants that either worked there or hung out at the office, but that email with Paul was the one that really got me. Maybe because the response was that data I was creating was getting mirrored to a-root.

This reminds me of a time in the nineties I was at USENIX LISA conference and got into an elevator with a gentleman with a badge that read "Eric Allman". I (barely) restrained myself from exclaiming "You are Eric Allman!"

LISA is in Portland next week, by the way: https://www.usenix.org/conference/lisa19

Paul did not invent/create BIND; in fact BIND was created 8 years before he took over its maintenance.

BIND was created in Berkeley by grad students (probably that's why it was originally so buggy) and the name stands for Berkeley Internet Name Domain. Paul of course made major contributions to DNS and of course BIND.

Berkeley Internet Name Daemon

It's actually "Domain", not "Daemon". There's a couple of good episodes of "The Network Collective" podcast that discuss the early history of DNS and BIND:

- https://thenetworkcollective.com/2018/01/hon-dns-origins/

- https://thenetworkcollective.com/2018/01/dns-adoption/

He co-founded ISC, and was in charge of BIND 8 IIRC.

* https://en.wikipedia.org/wiki/Paul_Vixie

See also Vixie cron.


Now you can tell people you were in a thread with jedberg. Mind, I've tried that one and it didn't come across well.

Personally I find how/why FTP uses two ports, 20 and 21, to be more interesting:

So the first thing to know is that FTP is 'old', in that it predates TCP and originally ran on NCP:

> The original specification for the File Transfer Protocol was written by Abhay Bhushan and published as RFC 114 on 16 April 1971. Until 1980, FTP ran on NCP, the predecessor of TCP/IP.[2] The protocol was later replaced by a TCP/IP version, RFC 765 (June 1980) and RFC 959 (October 1985), the current specification.

* https://en.wikipedia.org/wiki/File_Transfer_Protocol

The second thing to know is that, unlike TCP or UDP, NCP was not duplex:

> NCP preceded the Transmission Control Protocol (TCP) as a transport layer protocol used during the early ARPANET. NCP was a simplex protocol that utilized two port addresses, establishing two connections, for two-way communications. An odd and an even port were reserved for each application layer application or protocol. The standardization of TCP and UDP reduced the need for the use of two simplex ports for each application down to one duplex port.[1]

* https://en.wikipedia.org/wiki/Network_Control_Program

So the original transport layer that FTP relied on necessitated two ports, and when the move to a newer transport layer occurred the use of two ports was carried over for simplicity's sake. And several decades later that design still exists.

Also, Telnet was originally port 1 and FTP was port 3 (RFC 433, December 1972). On an incompatible protocol change (mentioned in RFC 542, August 1973), they were "temporarily" moved to 23 and 21 respectively until the old versions were taken down. Of course, the move back to 1 and 3 never happened.

Wouldn't FTP need three simplex connections - commands to server, responses from server, data transfer?

> Wouldn't FTP need three simplex connections - commands to server, responses from server, data transfer?

AFAICT, per RFC 114, responses from the server are considered a data type: when a user sends a command to the server, sometimes the response is a status update ('MKDIR successful'†) and sometimes the response is the requested file.

The data structure of the response has fields to say what's coming back on the data channel for the requested transaction.

† MKDIR was not a command, just using it as a modern example.

FTP puts data and commands on the same socket. This is perfectly doable in NCP.

> FTP puts data and commands on the same socket.

Not on TCP it doesn't. And some of the Arpanet FTP RFCs refer to separate connections as well, e.g. for the MAIL and MLFL commands which send email over the command and data connections, respectively. (SMTP didn't exist yet so mail was sent over FTP.)

And till fairly recently a gotcha for firewalls; and when the firewall team is different from the requesting team, oh the jokes.

Perhaps it received command responses from the data port too.

I've written a lot of TCP deep-packet inspection code, including parsing FTP control protocol. So I was surprised by this post by Robert Graham: https://blog.erratasec.com/2019/08/hacker-jeopardy-wrong-ans... - FTP control protocol follows the specification for Telnet.
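The two-connection design discussed above is exactly what makes FTP a firewall gotcha: the data endpoint is announced inside the control channel (a client `PORT h1,h2,h3,h4,p1,p2` or a server `227 ... (h1,h2,h3,h4,p1,p2)` reply), so a firewall helper or DPI engine has to parse the control stream to know which pinhole to open. The following is an added example, not code from any commenter or from the linked blog post. It walks a constructed control-channel exchange (sample lines made up here, not a capture), decodes the announced endpoints, and applies the two checks a helper should apply before opening anything: the PORT host must match the control connection's client (otherwise it is the classic FTP bounce pattern) and the data port must be unprivileged. The `DataEndpoint` type and the function names are this example's own.

```python
import re
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed FTP control-channel exchange (not a real capture). "C" = client line,
# "S" = server reply. The control connection's client address is 10.0.0.5.
SAMPLE_CONTROL = [
    ("C", "USER anonymous"),
    ("S", "331 Please specify the password."),
    ("C", "PASS guest@example.org"),
    ("S", "230 Login successful."),
    ("C", "PORT 10,0,0,5,4,1"),               # active mode: client listens on 10.0.0.5:1025
    ("S", "200 PORT command successful."),
    ("C", "PASV"),
    ("S", "227 Entering Passive Mode (192,0,2,10,195,80)."),  # server listens on 192.0.2.10:50000
    ("C", "PORT 198,51,100,7,0,25"),          # bounce attempt: third-party host, port 25
    ("C", "PORT 10,0,0,5,300,1"),             # malformed: 300 does not fit in a byte
]

_HP6 = r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})"
PORT_RE = re.compile(r"^PORT\s+" + _HP6 + r"\s*$", re.IGNORECASE)
PASV_RE = re.compile(r"^227\b.*?\(" + _HP6 + r"\)")


@dataclass(frozen=True)
class DataEndpoint:
    listener: str   # "client" (announced via PORT) or "server" (announced via 227)
    host: str
    port: int


def _decode_hp(groups) -> Optional[Tuple[str, int]]:
    """Turn h1,h2,h3,h4,p1,p2 into (host, port); reject any field above 255."""
    nums = [int(g) for g in groups]
    if any(n > 255 for n in nums):
        return None
    return ".".join(map(str, nums[:4])), nums[4] * 256 + nums[5]


def extract_data_endpoint(direction: str, line: str) -> Optional[DataEndpoint]:
    """Return the data-connection endpoint a control-channel line announces, if any."""
    if direction == "C":
        m = PORT_RE.match(line)
    elif direction == "S":
        m = PASV_RE.match(line)
    else:
        m = None
    if not m:
        return None
    hp = _decode_hp(m.groups())
    if hp is None:
        return None
    return DataEndpoint("client" if direction == "C" else "server", *hp)


def expected_pinholes(exchange, control_client_ip: str):
    """Walk the exchange and list the data connections a firewall helper would open.
    A PORT naming a host other than the control connection's client is the classic
    FTP bounce pattern and is refused, as is any privileged data port."""
    holes = []
    for direction, line in exchange:
        ep = extract_data_endpoint(direction, line)
        if ep is None:
            continue
        if ep.listener == "client" and ep.host != control_client_ip:
            continue
        if ep.port < 1024:
            continue
        holes.append(ep)
    return holes


if __name__ == "__main__":
    for hole in expected_pinholes(SAMPLE_CONTROL, "10.0.0.5"):
        print(f"permit data connection to {hole.host}:{hole.port} (listener: {hole.listener})")
```

Run as a script it prints the two legitimate pinholes (10.0.0.5:1025 and 192.0.2.10:50000) and silently drops the bounce attempt and the malformed PORT. A real helper would additionally bind each pinhole to the control connection's lifetime and to a single use.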

You might find the MUD community interesting in this regard, as they've built de facto standards for 16-bit color encoding, text compression, hidden sideband metadata communication usable by clients, and even simple embedded HTML and image rendering all on top of telnet. On top of that, because of the wildly varying capabilities of MUD clients, every single feature has to be totally backwards-compatible with a plain text terminal.

I can vouch for this wholeheartedly! However, be aware that these are all ad-hoc in some fascinating yet depressing ways. I can't help but mention a few names and fun facts...

> 16-bit color encoding

I think the xterm-256 escape codes came from somewhere other than MUDs, but it is forever frustrating to me that whoever designed them used the parameter separator `;` instead of the subparameter separator `:`. For SGR (`\e[m`-type escapes), each parameter is an individual change to the graphic state, so you can combine multiple settings into a single SGR. (For instance, `\e[1;32m` means "bold" followed by "green foreground".) But the 256-color extensions use a pattern "\e[38;5;<n>m", which makes itself into a fresh edge case you have to handle specially instead of treating "38", "5", and the chosen <n> as individual commands. `:` is perfectly well defined as binding more tightly than `;`, so "38:5:<n>" would have worked perfectly well as a definition for the otherwise-undefined "38" code, but no...

> text compression

The MCCP (Mud Client Compression Protocol) is very cool, but its first version called for signalling the start of compression with the byte sequence `IAC SB MCCP SE`. The intent was to send an empty MCCP subnegotiation frame and immediately return to the main Telnet channel, but they left off an `IAC` to precede the `SE`, meaning that this just starts a subnegotiation frame, sends `SE` as the first byte, and then forgets to close the frame. Ever. So if you want to support MCCPv1, you have to add a little hack to detect this situation and pretend the frame was actually closed as intended. (Please don't support MCCPv1.)

> hidden sideband metadata communication usable by clients

Yes! One of my favorite topics. Iron Realms-published MUDs introduced "ATCP", another subnegotiation-based protocol that would provide additional information about your character, which directions you can move, your inventory, etc., so that your client could provide graphical representations of this information in the UI. They replaced it with "GMCP" later on -- the "standardization" process behind that was memorable -- which used JSON as the payload format.

Fun fact about ATCP: It was originally designed with a lightweight handshake mechanism so that only Iron Realms clients ("Nexus") could utilize this information. Before my time, someone seems to have reverse engineered this algorithm, so it pretty quickly spread to custom plugins for third-party clients. They never seemed openly upset about this development, and GMCP dropped this mechanism.

And none of this is even getting into MXP, which embedded XML-inspired tags directly into the main data channel instead of using a subnegotiation. The presence of tags is controlled by using a non-standard ANSI-style escape sequence. I never ended up implementing MXP, because ATCP and GMCP were so much simpler to work with, but it's still a very cool piece of tech.

> every single feature has to be totally backwards-compatible with a plain text terminal.

Telnet is actually a shockingly cool little protocol. Sure, there are some anachronisms, like the "Network Virtual Terminal" (NVT) defining a variety of special text editing commands to provide a common representation for the many terminals sold by many vendors and their incompatible command representations. But Telnet at its core is a data multiplexer with 1 primary data channel and 256 negotiable framed channels ("options"). The mechanism for negotiating the use of a channel is symmetric, meaning that the client and server are on equal footing -- both have to agree, and either one can advertise its willingness to use a channel. It's a really cool protocol to study -- and small enough that you really can understand the whole thing!

Source for all this: I was a MUD enthusiast for several years as a teenager, and wrote my own Telnet stack, ANSI escape parser (referencing the ECMA spec!), and started on my own web-based MUD client. I did a heck of a lot of digging back then on these topics. It's still one of my favorite esoteric technology stacks to play around with.
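The commenter above describes Telnet as a multiplexer (one data channel, negotiable option channels framed by `IAC SB ... IAC SE`, symmetric WILL/WONT/DO/DONT negotiation) and the MCCPv1 `IAC SB MCCP SE` quirk. Here is an added example of such a demultiplexer, written for this page and not the commenter's own Telnet stack. It handles `IAC IAC` escaping in both the data channel and subnegotiation frames, emits negotiation commands as events, answers DO/WILL symmetrically, and implements the "pretend the frame was closed" hack for MCCPv1. The option numbers (85 and 86 for MCCP v1/v2, 201 for GMCP) are the values the MUD community uses; the sample stream is constructed, not captured, and `SUPPORTED` is an assumption for the demo.

```python
IAC, DONT, DO, WONT, WILL, SB, SE = 255, 254, 253, 252, 251, 250, 240
OPT_MCCP1, OPT_MCCP2, OPT_GMCP = 85, 86, 201   # option codes used by the MUD community

class TelnetDemux:
    """Split a raw Telnet byte stream into plain data and option-channel events.
    Events: ("data", bytes), ("cmd", WILL|WONT|DO|DONT, opt), ("cmd", other, None),
    ("sub", opt, payload)."""

    def __init__(self, mccp1_workaround: bool = True):
        self.mccp1_workaround = mccp1_workaround
        self.state = "data"
        self.cmd = None
        self.sb_opt = None
        self.sb_buf = bytearray()
        self.sb_first = False
        self.data = bytearray()
        self.events = []

    def feed(self, chunk: bytes):
        for b in chunk:
            getattr(self, "_st_" + self.state)(b)
        return self.events

    def finish(self):
        self._flush_data()
        return self.events

    def _flush_data(self):
        if self.data:
            self.events.append(("data", bytes(self.data)))
            self.data = bytearray()

    def _st_data(self, b):
        if b == IAC:
            self.state = "iac"
        else:
            self.data.append(b)

    def _st_iac(self, b):
        if b == IAC:                                  # IAC IAC escapes a literal 0xFF
            self.data.append(IAC)
            self.state = "data"
        elif b in (WILL, WONT, DO, DONT):             # three-byte negotiation command
            self._flush_data()
            self.cmd = b
            self.state = "opt"
        elif b == SB:                                 # start of a framed option channel
            self._flush_data()
            self.state = "sb_opt"
        else:                                         # NOP, GA, AYT, ...: two-byte command
            self._flush_data()
            self.events.append(("cmd", b, None))
            self.state = "data"

    def _st_opt(self, b):
        self.events.append(("cmd", self.cmd, b))
        self.state = "data"

    def _st_sb_opt(self, b):
        self.sb_opt, self.sb_buf, self.sb_first, self.state = b, bytearray(), True, "sb"

    def _st_sb(self, b):
        first, self.sb_first = self.sb_first, False
        if b == IAC:
            self.state = "sb_iac"
        elif first and b == SE and self.sb_opt == OPT_MCCP1 and self.mccp1_workaround:
            # MCCPv1 announces compression with IAC SB 85 SE: no IAC before the SE, so a
            # strict parser never sees the frame close. Treat it as an empty, closed frame.
            self._end_sub()
        else:
            self.sb_buf.append(b)

    def _st_sb_iac(self, b):
        if b == SE:
            self._end_sub()
        elif b == IAC:                                # escaped 0xFF inside the frame
            self.sb_buf.append(IAC)
            self.state = "sb"
        else:                                         # malformed; keep the bytes, stay in frame
            self.sb_buf += bytes([IAC, b])
            self.state = "sb"

    def _end_sub(self):
        self.events.append(("sub", self.sb_opt, bytes(self.sb_buf)))
        self.state = "data"


SUPPORTED = {OPT_GMCP}   # options this side is willing to enable (assumption for the demo)

def respond(cmd: int, opt: int) -> bytes:
    """Symmetric negotiation: either side may offer (WILL) or request (DO) an option and
    the other answers DO/DONT or WILL/WONT. WONT/DONT get no reply, which avoids loops."""
    if cmd == DO:
        return bytes([IAC, WILL if opt in SUPPORTED else WONT, opt])
    if cmd == WILL:
        return bytes([IAC, DO if opt in SUPPORTED else DONT, opt])
    return b""

# Constructed server-to-client stream (not a capture): text with an escaped 0xFF, an
# MCCPv2 offer, a GMCP subnegotiation, MCCPv1's broken start marker, then a prompt.
SAMPLE_STREAM = (
    b"Welcome\xff\xff!"
    + bytes([IAC, WILL, OPT_MCCP2])
    + bytes([IAC, SB, OPT_GMCP]) + b'Char.Vitals {"hp":100}' + bytes([IAC, SE])
    + bytes([IAC, SB, OPT_MCCP1, SE])
    + b"> "
)

def demux(stream: bytes, mccp1_workaround: bool = True):
    d = TelnetDemux(mccp1_workaround)
    d.feed(stream)
    return d.finish()

if __name__ == "__main__":
    for ev in demux(SAMPLE_STREAM):
        print(ev)
    print(respond(WILL, OPT_MCCP2))   # not in SUPPORTED, so the answer is IAC DONT 86
```

With the workaround disabled, the same stream ends with the parser still inside the MCCPv1 frame and the trailing prompt never reaches the data channel, which is the failure the commenter describes.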
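The SGR complaint above (`38;5;<n>` uses the parameter separator `;` where the subparameter separator `:` would have kept each parameter self-contained) is easiest to see in a parser. This is an added example written for this page, not the commenter's ANSI escape parser: it splits an SGR parameter string on `;`, treats `:` as binding subparameters to the preceding parameter, and shows the look-ahead special case that the legacy `38;5;n` and `38;2;r;g;b` forms force on every implementation. The attribute set is deliberately small (reset, bold, 8-colour and extended colours); everything else is reported as unknown.

```python
import re

SGR_RE = re.compile(r"\x1b\[([0-9;:]*)m")

def sgr_parameter_strings(text: str):
    """Return the parameter string of every SGR sequence (ESC [ params m) in text."""
    return [m.group(1) for m in SGR_RE.finditer(text)]

def _extended(vals):
    """Values after 38/48: [5, n] selects palette index n; [2, r, g, b] or, in the colon
    form that carries a colour-space id, [2, cs, r, g, b] selects a direct RGB colour."""
    if len(vals) == 2 and vals[0] == 5:
        return ("idx", vals[1])
    if len(vals) in (4, 5) and vals[0] == 2:
        return ("rgb", tuple(vals[-3:]))
    return ("invalid", tuple(vals))

def parse_sgr(params: str):
    """Parse an SGR parameter string into a list of attribute changes.
    ';' separates independent parameters; ':' binds subparameters to the parameter before
    it. The legacy '38;5;n' / '38;2;r;g;b' forms are handled by looking ahead and
    swallowing the following parameters, which is exactly the edge case ';' forces."""
    groups = [g.split(":") for g in params.split(";")]
    out, i = [], 0
    while i < len(groups):
        g = groups[i]
        i += 1
        head = int(g[0]) if g[0] else 0              # an empty parameter means 0 (reset)
        sub = [int(x) for x in g[1:] if x]           # colon-bound subparameters, if any
        if head == 0:
            out.append(("reset",))
        elif head == 1:
            out.append(("bold",))
        elif 30 <= head <= 37 or 40 <= head <= 47:
            out.append(("fg" if head < 40 else "bg", head % 10))
        elif head in (38, 48):
            layer = "fg" if head == 38 else "bg"
            if sub:                                   # colon form: self-contained
                out.append((layer, _extended(sub)))
            else:                                     # semicolon form: look ahead
                mode = int(groups[i][0] or 0) if i < len(groups) else None
                take = {5: 2, 2: 4}.get(mode, 0)
                flat = [int(x[0] or 0) for x in groups[i:i + take]]
                i += take
                out.append((layer, _extended(flat)))
        else:
            out.append(("unknown", head))
    return out

if __name__ == "__main__":
    for p in sgr_parameter_strings("\x1b[1;32mgreen\x1b[38;5;196;1mred\x1b[38:5:196mred\x1b[0m"):
        print(repr(p), "->", parse_sgr(p))
```

The two red examples decode identically, but only the colon form can be parsed one parameter at a time; a truncated `38;5` is reported as invalid rather than consuming whatever parameter happens to follow.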

Some MUDs even have sound!

>... was carried over for simplicity's sake.

Or for simplexity's sake!

From the previous discussion of SSH port 22:


Back in the "bad old days" of the simplex NCP protocol, before the full duplex TCP/IP protocol legalized same-sex network connections, connect and listen sockets had gender defined by their parity, and all connections were required to use sockets with different parity gender (one even and the other odd -- I can't remember which was which, or if it even mattered -- they just had to be different). The act of trying to connect an even socket to another even socket, or an odd socket to another odd socket, was considered a "peculiar error" called "homosocketuality", which was strictly forbidden by internet protocols, and mandatory "heterosocketuality" was called the "Anita Bryant feature".



    When the error code is zero, the next 8 bit byte
    is the Stanford peculiar error code, followed by 
    72 bits of the ailing command returned. Here are 
    the Stanford error codes. [...]

    IGN 3 Illegal Gender (Anita Bryant feature--sockets 
    must be heterosocketual, ie. odd to even and even
    to odd) [...]

    Illegal gender in RFC, host hhh/iii, link 0

    The host is trying to engage us in homosocketuality.
    Since this is against the laws of God and ARPA, we
    naturally refuse to consent to it.

    ; Try to initiate connection

            init log,17
            sixbit /IMP/
            jrst noinit
            setzm conecb
            setom conecb+lsloc
            move ac3,hostno
            movem ac3,conecb+hloc
            setom conecb+wfloc
            movei ac3,40
            movem ac3,conecb+bsloc
            move ac3,consck
            trnn ac3,1
                jrst gayskt            ; only heterosocketuals can win!
             movem ac3,conecb+fsloc
             mtape log,[
                    byte (6) 2,24,0,7,7
                         ]          ; Time out CLS, RFNM, RFC, and INPut


    gayskt:    outstr [asciz/Homosocketuality is prohibited (the Anita Bryant feature)


        ife rsexec,<jrst rstart;>exit       1,
(The PDP-10 code above adds the connect and listen socket numbers together, which results in bit 0 being 0 if they are the same gender, then TRNN is "test bits right, no change, skip if non zero", which skips the next instruction (jrst gayskt) if they different sex.)

This is actually more interesting than the original article. When reading the title, (ftp+telnet)/2 was my guess, and it turned out to be correct.

I think I complained to you when you posted this before that there is no actual addition in the code. consck is just loaded into ac3 but the code that sets it isn't there.

FTP was also how mail was transported in the NCP days (and you'll notice that RFC 733 still refers to FTP mail for back compatibility).

Wasn't UUCP more popular, or was it after?

UUCP wasn't written until '78 which was much later than we're talking about, though the Internet transition to TCP (and thus, for this conversation, SMTP) didn't happen until (my memory is hazy) '82 or '83.

Also UUCP was for unix machines only (at least back then) which were a small proportion of machines on the net. Most of them were 36-bit machines plus a few IBM machines. You can still see the old 36-bit influence in some contemporary protocols (e.g. a high level protocol like FTP has a command to set byte size), big-endian traffic etc.

My memory may be flawed here but I vaguely remember there being a minor controversy over SSH being awarded port 22 instead of a competing protocol/program called “stelnet”. It was a similar solution to SSH but only “replaced” telnet, not FTP. Back then there were “strong feelings about” rsh versus telnet, with SSH actually being modeled more after rsh/rcp/rlogin. Anyway at best this is probably just more internet protocol trivia but I do wonder if anybody can confirm I am remembering this right?

This makes me wonder. What such booming technology is there right now where I can contribute something like this and make a mark for myself?

Having been born much later in the history of the Internet, I think I have missed out on many of the early magical years of the Internet.

But if I can get involved in some other technology that is in early stage and booming and where I have a chance to contribute something that may become a de-facto standard 10 years from now, that's something I will be very interested to invest my time on.

The most unsatisfying but realistic answer is probably that you're best off working on whatever sparks your passion, because making a dent in the universe seldom happens intentionally, and if you don't succeed hugely at least you had fun and learned a lot on the way.

If we're talking about basic tech such as networking, the time for foundational work has probably passed, or it has at least become exponentially more unlikely that you'll contribute another bedrock protocol or mechanism. It's also worth noting that you never hear from the many thousands of technologies that either failed to reach critical mass or became obsolete a long time ago. Just like founding a startup, this will be the most likely outcome.

If you're looking to be the first to do something, my advice is: try to do it in space. Seriously. Finally things are happening again there, and you can probably make your mark inventing basic necessities and/or being one of the first people to colonize a new place.

If you're looking for something in software, opinions on what's needed differ a lot. As an old person, my perspective is that we're going to need a way to deal with complexity and brittleness. Our software stacks have become bloated, unreliable, and a nightmare to debug. Things are getting slower and more buggy year by year, because we have not yet hit the right balance between using low-level primitives and high-level abstractions. We're now using huge frameworks regularly for very simple things, both because it's what we're used to and because these frameworks help paper over design defects lower down the stack. This needs to be solved, we can't keep stacking things on top forever. There is a real, concrete danger to our society here.

Probably something that looks like a toy.


> Having born much later in the history of Internet, I think I have missed out on many of the early magical years of the Internet.

The Internet pioneers probably thought the same about the computer pioneers. And so on further back in time.

Unreal Engine. It's the next OS.

3d browser.

I’m more surprised that there is an ssh.com. And that it looks like it was put together with a bad corporate WordPress template.

SSH has been a publicly traded company since the dotcom era[1]. I think the corporate WordPress feel is in line.


I am sure the site admin will find surprisingly high traffic today :)

slightly offtopic: I wish scp also used -p instead of -P for defining a custom port, everytime I want to ssh or scp on a custom port I have to look up which one of the two uses -p or -P :)

At least it's not like sftp where you have to put `-oPort=` and it doesn't work if it's at the end!
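The `-p`/`-P`/`-oPort=` confusion the two comments above describe goes away if the port lives in the client configuration, where `ssh`, `scp` and `sftp` all read it. This is an added example configuration, not something from the linked article; the host name, user and key path are made up.

```ssh_config
# ~/.ssh/config (client side). All three tools resolve "bastion" through this block,
# so "ssh bastion", "scp file bastion:" and "sftp bastion" need no port flag at all.
Host bastion
    HostName bastion.example.org
    Port 2222
    User alice
    IdentityFile ~/.ssh/id_ed25519_bastion
    IdentitiesOnly yes
```

`ssh -G bastion` prints the fully resolved configuration for a host alias, which is the quickest way to confirm which port (and which key) will actually be used before connecting.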

Reminds me of a story about a professor. He has framed an old request for a grant and put it up in his office:

> I need 20000US$.

That's all it reads (with value converted to today's dollar-value for easier interpretation) - and of course it was granted.

I'd love to get a little more context. Who applied for the grant? Where was this?

Aaah, thanks! This is what I had in mind. Though I misjudged the time frame: 10000 Mark in 1921 is in the ball park of 2000 US$ today; that is, if he got lucky, since the German hyperinflation in the 20s quickly made that money essentially worthless.

With the benefit of hindsight, we know that ssh became extremely successful, so allocating it a nice port was a good choice.

Funnily enough, changing the ssh port to a random unprivileged one is now possibly the easiest and most effective step to harden a box... I guess it shows how the internet has changed.

In the last two months, I've been getting lots of bruteforce scan attempts on all my boxes that run ssh on high ports, so it seems this is no longer as effective as it was :-/

You are not alone in this. This week I actually changed ports for ssh because of the sheer number of brute force attempts. We'll see how long that holds out.

Why not just restrict access to specific IP blocks? Even if you left it open to Verizon's entire IP space so you can hit it with your cell, you would still dramatically lower your incident rate.

Yeah I could do that I suppose. I host several people on it however. Right now the unique port is enough.
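The suggestion above, restricting who can even attempt a login by source address, can be done inside `sshd` itself, which also covers the "I host several people" case because the restriction can be per user. This is an added example server configuration, not from the article or any commenter; the address ranges and user names are made up. The weak setting (passwords allowed from anywhere) is shown as the global default being overridden, with the corrected policy below it.

```sshd_config
# /etc/ssh/sshd_config (server side)
Port 2222
PermitRootLogin no
PubkeyAuthentication yes
# Weak: "PasswordAuthentication yes" globally is what makes the brute-force noise matter.
# Corrected: keys only by default, passwords tolerated from one trusted range at most.
PasswordAuthentication no
ChallengeResponseAuthentication no
MaxAuthTries 3
LoginGraceTime 20
# Per-user source restrictions: alice only from the office range, bob from anywhere.
AllowUsers alice@198.51.100.* bob

# Match blocks must come last; this one relaxes the policy for the office range only.
Match Address 198.51.100.0/24
    PasswordAuthentication yes
```

Check the file with `sshd -t` before restarting, and use `sshd -T -C addr=198.51.100.7,user=alice,host=office.example.org` (or another address) to print the effective settings a given client would get after `Match` evaluation.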

Why not just use fail2ban or similar, to automatically block the ninnies for a while after a few attempts?

Yup, using LFD for that purpose. There's still a lot of attempts.

For personal ssh port knocking is a fun solution.
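Several comments above reach for fail2ban or LFD once a non-standard port stops helping. The core of those tools is a sliding-window count of failed logins per source address. This added example (written for this page, not fail2ban's or LFD's code) runs that logic over a handful of constructed `sshd` syslog lines: a burst from one address trips the threshold and is banned, a single failure from a legitimate user does not, and a later failure from that user falls outside the window. The sample lines, the year assumed for the syslog timestamps and the thresholds are all this example's assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sshd log lines in syslog format (not from a real host).
SAMPLE_LOG = """\
Oct 24 10:00:01 box sshd[1234]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
Oct 24 10:00:02 box sshd[1235]: Failed password for root from 203.0.113.7 port 51235 ssh2
Oct 24 10:00:03 box sshd[1236]: Invalid user oracle from 203.0.113.7 port 51236
Oct 24 10:00:04 box sshd[1237]: Failed password for invalid user oracle from 203.0.113.7 port 51236 ssh2
Oct 24 10:00:05 box sshd[1238]: Accepted publickey for alice from 198.51.100.4 port 40000 ssh2
Oct 24 10:00:09 box sshd[1239]: Failed password for alice from 198.51.100.4 port 40001 ssh2
Oct 24 10:30:00 box sshd[1240]: Failed password for root from 203.0.113.7 port 51240 ssh2
Oct 24 11:20:00 box sshd[1241]: Failed password for alice from 198.51.100.4 port 40002 ssh2
""".splitlines()

# Matches the two failure shapes sshd logs: "Failed password for [invalid user] X from IP"
# and the earlier "Invalid user X from IP". Accepted logins do not match.
FAIL_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?:Failed password for (?:invalid user )?\S+|Invalid user \S+) "
    r"from (?P<ip>[0-9A-Fa-f.:]+) port \d+"
)

def parse_syslog_ts(stamp: str, year: int = 2019) -> datetime:
    """Syslog timestamps carry no year; 2019 is assumed for the constructed sample."""
    return datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")

def find_bruteforce(lines, maxretry: int = 3, findtime_s: int = 600, bantime_s: int = 3600):
    """fail2ban-style sliding window: ban an address once it has `maxretry` failures
    within `findtime_s` seconds, then ignore its failures until the ban expires.
    Returns [(ip, time_of_ban)] in log order."""
    recent = defaultdict(deque)   # ip -> timestamps of failures inside the window
    banned = {}                   # ip -> ban expiry
    bans = []
    for line in lines:
        m = FAIL_RE.match(line)
        if not m:
            continue
        ts, ip = parse_syslog_ts(m["ts"]), m["ip"]
        if ip in banned and ts < banned[ip]:
            continue              # already blocked; a real tool would drop the packet
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > findtime_s:
            q.popleft()           # age out failures older than the window
        if len(q) >= maxretry:
            banned[ip] = ts + timedelta(seconds=bantime_s)
            bans.append((ip, ts.strftime("%Y-%m-%d %H:%M:%S")))
            q.clear()
    return bans

if __name__ == "__main__":
    for ip, when in find_bruteforce(SAMPLE_LOG):
        print(f"ban {ip} at {when}")
```

The same function with a day-long window bans the legitimate user as well, which is the tuning trade-off behind every fail2ban `findtime`/`maxretry` choice; whatever values are picked, the ban should be enforced by the packet filter (the tool's action), never by the SSH daemon itself.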

Look how easy the whole procedure was. You just sent an email and boom, next day your application's port was registered by IANA. Nowadays you must have a team of academics backed up by Google to apply for that.

I remember applying for a Class C block of IP addresses back in 1993 was as simple as sending in a preformatted email template to InterNIC and getting your address space about twenty minutes later in a reply.

I've still got that Class C registered, but it hasn't been used in years, and I'm not entirely sure what to do with it.

You could sell it, or even better, lease it out.

The internet was a sort of toy used by 10000 people.

Nowadays you should need 2 teams of academics backed up by 4 companies and 2 governments to change anything.

I'm not kidding. The internet of today should be like democracy: really hard and slow to change because sudden change is very disruptive.

Yeah, that's my point. It was like a playground of technologists and hackers. I wish I was born earlier to experience this magic place.

> Dear Sir,

In Finnish culture, is this considered a generic term of address? From the write up it seems like the author knew that Joyce K. Reynolds was on the IANA but still addressed the email to “Dear Sir”.

No. "Dear sir" sounds like something he picked up in high school English class, taught for use when addressing an unknown recipient.

If writing this in Finnish you'd normally use something very close to "Dear Mr Reynolds".

Most of us rarely write such formal letters. I don't remember the last time I wrote something that formal for a Finnish recipient.

At school I was taught to use "Dear Sir or Madam" or "To whom it may concern" but neither of those sound natural, they're just learned. If writing for a Finn, I just start with "Hei" ("Hey") (in fact that has led me to start emails in English with just "Hey" as well). I may have used some other formality once or twice in my life when it was required for school or such matters but not as an adult.

So it may be that they were out of their element when writing that email and just put the first thing that came to their mind.

"Hei" means "hi". You can use that in your email.

English "hey" is said when someone is annoyed. "Hey you! Stop that!"

Hey is not exclusively used when annoyed. It's very commonly used as an informal greeting.

Hmm, tone is what differentiates the greeting and the admonishment. Your 2nd sentence is correct, but not exclusively.

TL;DR I use "hey" as a greeting.

[en-gb native]

But it's very informal/slang, used among peers. e.g. If I answered the phone to an unknown caller I'd say 'Hello?', but a friend might get a 'Hey.'

I certainly wouldn't say 'Hey IANA, please reserve me port 22' any more than I would sign off 'kthxbye'.

[also en-gb native]

> "hey" as a greeting

I blame the US TV series "Friends" for that.

Curiously the OED doesn't (yet) have this greeting sense.

> Curiously the OED doesn't (yet) have this greeting sense.

Interesting, neither does my (more liberally accepting than Oxford) 2016 Collins. I've certainly been using it as an informal greeting since '00s.

I don't know if I got it from Friends, it wouldn't have occurred to me, but I did start watching it around that time so it's certainly plausible.

SSH is a service, the port is a standard, but the service doesn't have to be on port 22; it's just the standard base port. I never run it on port 22 exposed to the internet (because of the flagrant criminals on the internet trying to hack into systems).


Uh, it was the next available near 23/telnet which it aimed to replace?

That’s why, not how. The how is interesting.

Not really. He asked IANA, which was literally 2 guys in a room back in the 90's. Literally anyone could get a port assigned in those days, just like anyone could get a /24 address block.

Correction: 1 guy + 1 gal, not 2 guys. Joyce K. Reynolds was a woman. :-)


Channelling Mitch Hedberg:

She used to be a woman. She still is, but she used to, too.

* https://www.youtube.com/watch?v=VqHA5CIL0fg

More seriously, she passed away in 2015:

* https://en.wikipedia.org/wiki/Joyce_K._Reynolds

Joyce K. Reynolds died in 2015.

>just like anyone could get a /24 address block.

FWIW pretty much anyone who can afford the relatively low fees can still get a /24 today, but sure, the process is slightly slower.

Back then, /24's were free, and all it took was an email. No justification required. I still have one (legacy registration) and have never paid anything.

That's fair. I was around and tangentially involved at the time, hence my ambivalence.

TLDR; "Because I just asked for it."

I feel so old!
