As I have written here previously¹, that’s actually a bit of revisionist history, or at least a significant omission. Speaking as someone who was actually using Unix systems when this happened, the "ssh" command was replacing the rsh command, and also still ships an "slogin" command, replacing rsh’s companion command, "rlogin" (and "scp" replaced "rcp"). Where I was, nobody was even using telnet or FTP internally; everybody was using rsh, rlogin and rcp! This also better explains the naming; going from "rsh" to "ssh" is easier.

If someone had wanted to make telnet encrypted, they would just have had to implement the standard telnet protocol and add another option in the protocol; it has a bunch already, and even one for encryption, IIRC.

1. https://news.ycombinator.com/item?id=14178333>

    This document describes a the telnet encryption option as a generic
    method of providing data confidentiality services for the telnet data
    stream.  While this document summarizes currently utilized encryption
    types and codes, it does not define a specific encryption algorithm.
    Separate documents are to be published defining implementations of
    this option for each encryption algorithm.

A different data point: I was also a Unix sysadmin at the time (thought just out of school) and for me ssh replaced telnet and ftp. I never used rsh, rlogin, and rcp except when testing exploits.

SSH was a fantastic improvement at the time, though the whole licensing model interfered with my use for the first several years.

Much depends on whether your systems were running BSD-style RPC services.

In that letter he says: “It provides major improvements in security and functionality over existing telnet and rlogin protocols”.

So, while you are correct about rsh, it seems totally fair ( and likely just correct ) for him to say he chose port 22 for its proximity to telnet. Also, since SSH includes SFTP, what he says about FTP checks out as well.

The story is about “why 22” and telnet answers that question better than rsh does. I guess if the question was “why ssh”, the details you added would matter more.

ftp on the other hand was more like finger or similar.. going to some external site that was public, or had a login to distribute files.

So when you write your scp command and then realize you forgot to put in the port you have to go back and put it before the target.

Then again, I'm speaking as someone that came into the scene well after development, so that could just be annoyance via naivete.

The config-aware shell completion is especially cool.

NOPE I'd just specified the option wrong!

Usually I use per host `ssh_config(5)` (both for port and user) but some tools also don't make use of that!

     -o option
             Can be used to give options in the format used in the configura‐
             tion file.  This is useful for specifying options for which there
             is no separate command-line flag.  For full details of the op‐
             tions listed below, and their possible values, see ssh_config(5).

    ssh -o  

Fighting to legalize cryptography on the internet. PGP was banned. Sending encrypted emails was illegal...

Cypherpunks won. Thanks to them.

The United States had to be brought to court to finally allow cryptography: https://en.m.wikipedia.org/wiki/Bernstein_v._United_States

> Years before, the government had placed encryption, a method for scrambling messages so they can only be understood by their intended recipients, on the United States Munitions List, alongside bombs and flamethrowers, as a weapon to be regulated for national security purposes. Companies and individuals exporting items on the munitions list, including software with encryption capabilities, had to obtain prior State Department approval. — Electronic Frontier Foundation: EFF's History

Before that, export rules could be "worked around" by printing cryptography in books.

See also https://en.m.wikipedia.org/wiki/Export_of_cryptography_from_...

It still is.

e.g in France:

https://cyber.gouv.fr/en/protection-sensitive-and-restricted...

    This legal framework has been introduced in 2011 in order to protect facilities, knowledge, savoir-faire, information which, if intercepted, could:
    
    - Affect French economic interests (risk 1);
    - Reinforce military capacities of other country or weaken French military capacities (risk 2);
    - Lead to the proliferation of weapons of mass destruction in nuclear, ballistic, chemical or biological fields;
    - Lead to the development of terrorist activities on French territory or abroad.

See Annexe 1 here: https://www.legifrance.gouv.fr/loda/id/JORFTEXT000000646995?...

This is one of the reasons why MobiusSync is not available in the French iOS App Store since it doesn't use iOS crypt which already has approval plus it doesn't fit into some of the exceptions to the restrictions, so they'd have to fill in paperwork which is only available in French and submit via snail mail (go figure, although they do accept answers written in English as a courtesy).

https://github.com/MobiusSync/MobiusSync/issues/27

Similar concerns, processes, and exceptions are effective for other countries, e.g for the U.S. you need Encryption Registration (ERN) approval from the U.S. Bureau of Industry (BIS). Exceptions are described in Category 5, Part 2 of the U.S. Export Administration Regulations.

It was perfectly fine for American citizens to use cryptography amongst each other or with outside nationals. It was also completely fine to download and use externally developed software.

What was illegal was developing and exporting cryptographic software. This is why, for the longest time, you would see warnings on web pages (puTTy, for instance) saying the software was only intended for use in the United States.

The form made it clear that using HTTPS is considered cryptography, so I’m fairly sure almost every app on the store has checked “yes” to that question.

To fully comply with this you would need as a library provider to fully KYC your clients so that there is a firewall between their US and non-US entities, and that travelling people don't bring out an encryption library at the same time.

It would be a operational nightmare.

The law never covered using cryptography, it was always about exporting it. Mostly it was written around keeping military specific cryptography from entering rival powers hands, but was overbearing. So they amended it to allow commercially developed/homegrown cryptography (explicitly not developed for governmental/military use) to be distributed normally. In practice, it's still a little muddy as many of those use DoJ/DoS-funded cryptography patterns, but the government has chosen to take a fairly hands off approach on those (RSA and DSA are key examples).

You're correct that it would also be almost impossible to enforce the original wording in today's world of globalization. They also have little power to enforce it on foreign nationals, which is why a warning was usually Good Enough(TM) for American software developers.

Re-read the first post and the last paragraph of the one you're replying to. Everything you're knee jerk contrarianizing is covered.

In (I think) early 1995 I bought a "This T-Shirt Is A Munition" shirt with RSA source code on it, by typing the information from the bottom of a personal check(!) into a web page. It was a whole thing.

For one thing, it sounds like sending wasn't impacted at all, once you had the software.

What I'm getting at is that it's simply incorrect that encryption wasn't available in the US, and it's also incorrect that encryption couldn't or wasn't in use. It most definitely was. The regulations were only about export. 40 bits max and all that.

This is way too much of an unknown. And we've seen with P2P/Napster and DMCA where just listing links without distributing still opens people to legal issues.

Edit: As for Napster and DMCA, the Napster story happened in 1999 and the DMCA in 1998. The limitations on crypto were loosened in 1998 and 1999 and removed in 2000. In other words, Napster and DMCA isn't really relevant here - the encryption story mostly unfolded before that time.

The US still restricts the export of (some) cryptography to (some) countries & organizations. Mostly that just requires submitting a self-classification report to the BIS stating that the cryptography is "mass market" and matches the definition thereof in the export regulations.

The issue here is the complexity of complying and closing all loopholes that would allow the government to bring the full weight of the legal system against a library writer.

https://en.wikipedia.org/wiki/Sealioning

You don't understand the legal liabilities people open themselves to if they provide the software.

Now they have to fully KYC customers to make sure they are from the US, with US only storage, and firewall so that people travelling cannot use the encryption library from out of the US.

You've seen the lawsuits on just P2P link providers, this is even worse.

This led to all kinds of stupidity. Internet Explorer shipped with nerfed TLS capabilities, limiting key sizes to 40 bits or 56 bits depending on the version.

When the encryption laws changed in 2000, Microsoft allowed users to download an update to improve SSL encryption: https://learn.microsoft.com/en-us/previous-versions/tn-archi...

You could legally encrypt emails, of course, as long as you kept the key sizes small and didn't export the encryption software to another country.

If you sell and export encryption products from the USA (and a bunch of other countries, see the Wassenaar Accords) to certain places (including China and Russia), you're still obligated to register your product if you use modern key sizes. I'm not sure if governments still care now that OpenSSL and PGP are freely available to anyone, but if your proprietary email encryption program is found on North Korean computers, your government may ask you some uncomfortable questions.

This leaves the critical infrastructure of emergency services and police force for a lot of countries (notably, US non-allies) wide open to attack.

And even if a determined person could get around the blocks, they severely limited the network effects; office workers on their employers' PCs weren't going to be getting encryption software from IRC bots to bypass arms export laws.

Some time towards the late 90s PGP became much more easily available.

I was at codecon, forget if Zimmerman was there, or just quoted. His story was recounted, then someone else who attended codecon and mentioned releasing ITAR restricted crypto. They were part of a leak of the RC4 source code. A copy was sent to a well known member of sci.crypt, saying along the lines of "I think you can post this anonymously", if you agree to this please post a "Looking for Joe Random" post on sci.crypt. The source code was posted and there was no lawsuit, no tax audit, and no hassling by the government.

Other people had a lot to do with the spread of strong crypto as well. Many people realized that encryption was necessary if we wanted to do business online. Matt Blaze (who was on the Cypherpunks list, but never said anything crazy), helped blow up the government's compromise solution, mandatory key escrow, by demonstrating flaws in their Clipper chip technology. The MIT Press published PGP's source code in book form, using an OCR font, because books couldn't be blocked as munitions. I think Hal Abelson, who wasn't on the list, was the person behind that.

The basic political idea behind the list was that you could effect change by writing code. Instead of going to the government, with your cap in your hand, and saying, Please, sir, can we have strong encryption?, you write code and give it away, thus making the law impossible to enforce. This sounds really cool when you're young, especially if you write code, but it's an anti-democratic idea.

The political positions of some of the leaders was kind of an extreme, anarchist spin on libertarianism. Bitcoin is a currency designed to solve a specific problem -- it's kind of the ultimate solution to the old goldbug fear that governments will print money and dilute the currency. That's impossible under Bitcoin.

The original crypto currency the Cypherpunks were really into was David Chaum's Digicash, which was designed to solve a completely different problem, the same one Monero is aimed at today. It was supposed to be untraceable. Instead of asking governments to lower taxes, the idea was that programmers could create a way to transfer funds anonymously. In theory, taxes would become impossible to collect, and national borders would collapse.

Eventually this led to things like discussions of anonymous murder contracts. There was a proposed protocol that was supposed to allow you to put out a hit on someone with complete safety. You could pay the killer anonymously with digital currency. I think the payment would go into some sort of escrow, so the killer would know they'd get paid. I don't remember how the system was able to know that the hit had taken place.

Those murder contracts were one of the things that made me pull back from the list. But it really was terrific to read, even though I think it would be a mistake to lionize it too much. Arguably, they were struggling to make the whole world run on 8chan's rules.

Is it? Code was deemed free speech, after all. So suppressing it would be anti-democratic, not spreading it.

Of course, we all (technical people) agree that it was the right thing, but ask yourself: If there was a vote on the issue, do you think the majority of people would vote for keeping strong encryption, or do you think they'd ban it? Especially back then.

I personally think they'd ban it. I bet the majority would just go "encryption is for terrorists and bad people, we don't need it", and we'd lose the vote.

Democracy is funny that way.

Democracy is a system where political disagreements are resolved through a set of agreed-upon rules (AKA "rule of law") instead of violence. The alternative to Democracy is mass murder. There is still plenty of violence in a Democracy -- witness the prison system in the USA, but it isn't neighbors just casually murdering each other (as also happened in the USA in an organized way in the Jim Crow era). Interesting to note -- both counter-examples were / are founded on denying parties participation in the democratic process...

The Rwandan and Bosnian civil wars are both examples of "tyranny of the masses" where there's no mechanism for resolving disputes between groups, besides killing your neighbor.

If you look in /etc/services you'll notice that all the older protocols listen on odd numbered ports.

Some of this still survives today. In active mode FTP servers listen on 21, ACK the inbound request and then connect to the client from 20.

I was doing some experimentation with LDAP, mailman and identity based encryption and needed some OIDs to support my undergraduate project work.

Private Enterprise Numbers are identifiers that can be used in SNMP configurations, in LDAP configurations, and wherever the use of an ASN.1 object identifier (OID) is appropriate.

So I went about signing up my university for a PEN. It helped that I also worked for the IT Services team at the time but I distinctly remember the request being done by email with the response more of less being "here's your number". :)

To my knowledge, I believe I'm the only person who has made use of the PEN assigned to the university.

    From: Tatu Ylonen 
    To: Internet Assigned Numbers Authority 
    Subject: request for port number
    Organization: Helsinki University of Technology, Finland

How SSH got port number 22 - https://news.ycombinator.com/item?id=33363795 - Oct 2022 (2 comments)

Was this article updated recently in some way? Not sure why it's mentioned at top of page, maybe just appended for posterity.

HN discussion then: https://news.ycombinator.com/item?id=14178091

“Yes”

the early days of the internet are so fantastical to me I can’t stand it. Makes me sad to be too young to have witnessed it.

I'm old enough to remember the early days of Bitcoin and how nobody I talked to about it had ever heard of it and was either dismissive ("That would be easy to hack" / "that can't work") or just treated it like a random chit-chat that didn't matter.

  Hello, would you like to hear a TCP joke?

  Yes, I'd like to hear a TCP joke.

  OK, I'll tell you a TCP joke.

  OK, I'll hear a TCP joke.

  Are you ready to hear a TCP joke?

  Yes, I am ready to hear a TCP joke.

  OK, I'm about to send the TCP joke. 
  It will last 10 seconds, 
  it has two characters, 
  it does not have a setting, 
  and it ends with punchline.

  OK, I'm ready to hear the TCP joke 
  that will last 10 seconds, 
  has two characters, 
  does not have a setting, 
  and will end with a punchline.

  I'm sorry, your connection has timed out...

  ...Hello, would you like to hear a TCP joke?

(In fact, not running SSH on port 22 is an industry best practice in 2024, sadly.)

A convention is a common language. It is something you have the right to break when needed / suitable but which is otherwise nice to follow when interacting with others.

Such conventions allow you to omit the port when typing a URL in a browser for instance. They allow taking nice shortcuts and avoiding verbose / irrelevant technical details.

(now, some conventions are mandated by laws indeed. For instance, if you are setting up electricity somewhere, you'd better use the right colors. One might argue that we ought to call such things rules)

Yeah, if only there were an authority that we could agree on to assign numbers for internet things like ports.

Some sort of internet assigned number authority…

https://www.iana.org/assignments/service-names-port-numbers/...

It was a simpler time for sure

The internet was decades old when Infoseek appeared.

That's 20-some years after the early days of the Internet.

I don't even consider myself an early user of the internet either, the people I learnt from had already been using it a good while.

I recall using it as my main search engine at altavista.digital.com before they moved to get its own domain at altavista.com.

[1] https://en.wikipedia.org/wiki/AltaVista

At a dinner party, we were arguing about how to move forward with discovery on the web, because the situation was so dire. Someone was arguing for keyword registration, a la AOL.

I really, really hope that someone wasn’t me; I’ve convinced myself over the years it wasn’t, but I didn’t have any better ideas, just knew that wouldn’t work.

Those were the early days when you could be designated as the point of a contact for a TCP port connection number and expect not to be swamped by emails!

Although, in several cases, there is an RFC, even though IANA's registry doesn't record it. For example, port 1 (tcpmux / TCP Port Service Multiplexer) uses a protocol defined by RFC1078, as Wikipedia's article on it helpfully explains – https://en.wikipedia.org/wiki/TCP_Port_Service_Multiplexer – but IANA's registry doesn't mention that.

Or similarly, port 5 is listed as rje / Remote Job Entry in the registry, but Wikipedia helpfully notes that it is the protocol defined by RFC407 (and maybe RFC725 is a newer version of it?). I doubt that ARPANET RJE protocol (whose syntax resembles FTP, SMTP, etc) ever saw any great amount of implementation; I believe historically the most popular RJE protocols were IBM's (2780/3780 and later Network Job Entry / NJE which was used in RSCS, most notably on BITNET) – but those protocols don't have an assigned port number, since they don't natively run on top of TCP/IP.

There are however some historical mysteries in this IANA registry for which even Wikipedia does not know the answer: the first of many is what ports 2 and 3, "compressnet", were used for. (Edit: What Wikipedia doesn't know, HN does: https://news.ycombinator.com/item?id=37016159

I'd like to see that email to IANA.

[0]: https://www.iana.org/assignments/service-names-port-numbers/...

[1] Here's A-D: https://i.imgur.com/tCn2FBB.png

And then RFC99999 defines a "new protocol" in which there is just a single header, which happens to have the same byte layout as IPv6+UDP+QUIC, with a bunch of fields like "reserved_01BB" which "always contains the bytes 0x01BB due to historical backward compatibility reasons"

Ah you’re an optimist I see

PASV instructs the server to specify another ip:port that it’s listening on to enable the client to connect.

PORT expects there to be an open port on the client for the server to connect to.

Why isn't it used?

The most definitive references to WKS are probably:

* RFC 1035 (1987), which defines the record format.

* RFC 1912 (1996), which noted that "[WKS records] serve no known useful function, except internally among LISP machines. Don't use them."

Port forwarding

Reverse port forwarding

Rsync

So much more. And it's free. What a privilege to be alive today - I remember when all this was just a dream.

Edit: Except if their address was @aol.com. Eternal September started in 1993.

> It would be great if this number could be used

You’ll notice that on the official IANA list of port numbers and service names, there is a separate section, after the numbered ports, listing only service names¹. Just apply for one of those.

1. At the time of writing, starting on page 135 of the HTML version: https://www.iana.org/assignments/service-names-port-numbers/...>

But getting a port assignment these days is going to be virtually impossible. It’s probably not going to happen without at least a Proposed Standard RFC.

https://www.iana.org/assignments/service-names-port-numbers/...

There’s not a single RFC published that concerns redis. It’s not going to happen.

I needed to write a justification why the organisation I represented needs a port number (a custom binary protocol), a formal confirmation that protocol has versioning built-in (so we will not request for a new port number for the next version of the protocol), a confirmation that we have a running code implementing the protocol (if I recall correctly, link to documentation was sufficient), and the reasons why we cannot use any of the existing protocols.

It’s not impossible and I think it’s totally doable for redis unless the port is already reserved for something else.

If there was a moderately complicated bureaucratic process to be assured of getting one, it wouldn't be Redis or the next SSH that got assigned ports. It would be Oracle or HP or someone else incapable of pretending to be a good Internet citizen, who filled in 10,000 of the forms promising that they have 10,000 totally necessary well known enterprise services.

there should be a vh1 where are they now special for assigned ports in /etc/services that shipped with early slackware.