Ostiary is distributed under the GPL (GNU Public License). Basically, that means that you can take the source code and do whatever you like with it, but if you distribute modified versions of the binaries, you have to distribute the modified source code as well. Follow the link for the details.
Note that Ostiary 3.2 and above use HMAC-SHA1, not HMAC-MD5. This means that they are not compatible with older versions. However, 3.2 clients are perfectly compatible with 3.3 and 3.4 servers, and so the Palm, Windows, and Java client-only packages have not been updated.
This version fixes an uninitialized variable during command-line parsing, some minor (non-security-related) bugs related to logging, and corrects an error in the configure scripts that could make it impossible to properly compile in libwrap support. See the CHANGELOG file for details. (Thanks to John Stamp for finding these, as well as creating Debian packages!)
Ostiary is available in both source and binary form, but the server only runs on POSIX systems. I've successfully compiled and run it on Linux, OSX, NetBSD, Solaris, AIX, Compaq Tru64, HP-UX, and IRIX. It will compile and run on Cygwin, though there's some issues with users and groups on that platform.
Source is available for 'ostiaryd', and 'ostclient', the command-line client that will do the challenge-response ostiaryd's looking for. Man pages are included for ostiaryd, ostclient, and 'ostiary.cfg', the config file for ostiaryd.
It runs fine on my Palm IIIxe (OS 3.5.3), and should work all the way back to OS 2.0 Pro (basically any Palm with the Net Library). It ought to run on OS5.x devices, but I haven't had a chance to test it.
Here's a screenshot:
You enter the host and port in the first field, and the password in the second field. The "Hide pass" checkbox will conceal or reveal the password, to help prevent snoopers from reading it. Setting the "V1 hash" checkbox uses the old 'plain-MD5' hash, so you can still talk to servers you haven't upgraded to 2.0 yet. The "Exec" button actually sends the command.
The "Rcvd:" and "Sent:" fields show the 'salt' hash that came from the server, and the response that the client sent back. (BTW: if you get a zero-length hash from a server, you're probably locked out...)
This version does not require the Cygwin runtime dlls. Sorry, the only way to run an Ostiary server on Windows right now is with Cygwin. (I suppose maybe "Services for Unix" might work, but I haven't tried it.)
I'm learning Java now for various reasons, and naturally one of the first things I did was code up an Ostiary client. It works as a command-line application ("java -jar ostiary.jar"), but more interestingly, it also works an applet suitable for embedding on a webpage. When combined with, say, a Java SSH applet (such as this one or this one), you can have a secure remote connection using any Java-enabled web browser, without installing any extra software onto a machine.
Source code and documentation on how to set it up in a web page is included in the package.
In case my main server goes down or is Slashdotted or something, you can find a mirror of the software here. (If that happens, I guess you must be reading this out of the Google cache.)
Please let me know ASAP if these checksums don't match what you get, or if they don't match what's posted on the mirror site.
The clients have not been updated from 3.2 because the protocol has not changed.
| Package | Description | md5sum | sha1sum |
| ostiary-3.4-1.i386.rpm | Linux/i386 RPM | ed136b145a344231295dfb3b3bc83df6 | d6e3fc939e59541a3da6f24e74d746ce0b629056 |
| ostiary-3.4-1.src.rpm | Source RPM | 2f321177d03423e3f3461047c5684d96 | 485785d445408bee16ee41cef4fe6b95f37de8c4 |
| ostiary-client_3.4-1_i386.deb | Linux/i386 Debian package (client) | 94f376ce5d6299ae11bec700d713ddf1 | e3ed485af2d20ddb5da7ab0e264291888134e641 |
| ostiary-server_3.4-1_i386.deb | Linux/i386 Debian package (server) | 7f41131895bb8892d82f2434cba44054 | 90bce368995f46b04af525ae73d1c19263c305ba |
| ostclient-3.2.zip | Palm client | c7a6e9ca883676ac09a3f68a047d6296 | 9c7b6d90c72e61ee283d9b32146091c52eee0c96 |
| winost-3.2.zip | Windows Client | f411bdab13f658e67fa85b44007969ee | b12cf9913ab3047db9fb04dcf12ada6cfb40d059 |
| javost-3.3.zip | Java Client | b01a8cbda8a53c3a02a6f0cafb47a3f4 | c0b55973b85293b7014a30391b6af01540437b27 |
| ostiary-3.4.tar.gz | POSIX and Windows source | 680eeff0bbf98b379bc2d8bb2a188365 | 90bce368995f46b04af525ae73d1c19263c305ba |
| palmost-3.2.tar.gz | Palm client source | 220fc23ea1cf7bdd107942a3b61eca62 | 76dc76bab7e60c1fd7eaffbe422c722b3ef826fb |
These are the old versions of the Ostiary software. While there are no known bugs, the fundamental algorithms used are not expected to be as secure as later versions. I don't recommend using them at this point, but for historical interest, here they are.
So you can confirm that what I'm sending is what you should be getting, I provide md5sums to check against. Note that these should match the md5sums listed on the mirror site. If they don't, there's a major problem.
| Package | md5sum |
| ostiary-3.3-1.i386.rpm | b03d42212b7e66e5d044cd71c1b71d9d |
| ostiary-3.3-1.src.rpm | 46ac72aca197c4cec31bd03bfe203cf0 |
| ostiary-3.3.tar.gz | c9e20d478f4105e46baf291a0c5fb4e2 |
| ostiary-2.31-1.i386.rpm | 2bbcfbdfc5908601a0788581898b6d38 |
| ostiary-2.31-1.src.rpm | 7028ceb9c4c8b15598a614c9696cf2de |
| ostiary-2.31.tgz | 87b1d021390dac14b766e41a0e8ea4ff |
| ostclient-2.0.zip | 3242e32376f803847e89609fba6a4b75 |
| palmost-2.0.tar.gz | e0fe98d197d4070b1db8b1a7bb86e9db |
| winost-2.0.zip | 38e15c83cb65a18001cdab5277f4acda |
| ostiary-2.0-1.i386.rpm | ccb10b9d5ac7d6fe5cbeba0847d89317 |
| ostiary-2.0-1.src.rpm | 6fc9821f905b27d4ae5f92891e9ad4f1 |
| ostiary-2.0.tar.gz | 6a899f5bd63b138020580371733022ba |
| ostclient-1.0.zip | 6f6d345b76cad2828b3a92244ef68d3a |
| ostiary-1.0.tar.gz | 4f09c041921733b75c716b053377ba32 |
| palmost-1.0.tar.gz | ffa501919692e4b2edc53970e2a2c34c |
| winost-1.0.zip | f450fe6636587d6e8eb0fe38f6e1eeef |