OpenSSH

From Wikipedia, the free encyclopedia

OpenSSH

Don't tell anyone that I'm free.
Developer: The OpenBSD Project
Latest release: 4.5 / November 8, 2006
OS: Multiplatform
Use: Remote Access
License: BSD
Website: http://www.openssh.com
Prerequisites
SSH and Computer networking
Unix-like and Software licensing
Computer insecurity

OpenSSH (Open Secure Shell) is a set of free software computer programs providing encrypted communication sessions over a computer network using the SSH protocol. It was created as an open alternative to the proprietary Secure Shell software. The project is led by Theo de Raadt from Calgary, Alberta in Canada.

Contents

[edit] History

OpenSSH was created by the OpenBSD team as an alternative to the original SSH software by Tatu Ylönen, which is now proprietary software. The OpenSSH developers claim that it is more secure than the original, due to their policy of producing clean and audited code and the fact, to which the word open in the name refers, that it is released under the open source BSD license. Although source code is available for the original SSH, various restrictions are imposed on its use and distribution, making OpenSSH a more attractive project for many software developers.

OpenSSH first appeared in OpenBSD 2.6. OpenSSH 4.5 was released on November 8, 2006[1].

[edit] Trademark

In February of 2001, Tatu Ylönen, Chairman and CTO of SSH Communications Security informed the OpenSSH development mailing list, openssh-unix-dev@mindrot.org, that after speaking with key OpenSSH developers Markus Friedl, Theo de Raadt, and Niels Provos, the company would have to assert its ownership of the SSH and Secure Shell trademarks in order to protect them[2]. Ylönen also sought to change references to the protocol to SecSH or secsh, in order to maintain control of the name. He proposed having OpenSSH change its name in order to avoid a lawsuit; Theo de Raadt refused outright to consider changing the project's name.

At the time, "SSH", "Secure Shell" and "ssh" were used in the documents proposing the protocol as an open standard and it was hypothesised by many that by doing so, without marking these within the proposal as registered trademarks, Ylönen was relinquishing all exclusive rights to the name as a means of describing the protocol. This is because in the United States it is imperative that trademarks be used in advertising copy as adjectives, never as nouns or verbs. Improper use of a trademark, or allowing others to use a trademark incorrectly, results in the trademark becoming a generic term, like Kleenex or Aspirin, which opens the mark to use by others, via the public domain[3].

Also brought into question was if the name "ssh" was trademarked, or merely the logo using the lower case letters "ssh", many online pundits believed the latter, after study of the USPTO trademark database and also bringing doubt to the validity of the claim was the 6 years between the company's creation and the point in time when it began defending its trademark from free alternatives such as OpenSSH, and that only OpenSSH was receiving these threats of legal repercussions[4].

Both developers of OpenSSH and Ylönen himself were members of the IETF workgroup developing the new standard, which after several meetings, denied Ylonen's request for a renaming of the protocol, citing concerns that it would set a bad precedent for other trademark claims against the IETF. The working group participants argued that both Secure Shell and SSH were generic terms and that they could not be trademarks[5].

[edit] Portability

Partly because OpenSSH is required to perform authentication, a capability that has many varying implementations between different operating systems, it requires a substantial portability infrastructure. Rather than including this directly into OpenBSD and OpenSSH, it is developed separately as an addition under the auspices of the OpenSSH Portability Team and released as what are known as "portable releases". This model is also used for other OpenBSD projects such as OpenNTPD.

[edit] Programs included

The OpenSSH suite includes the following tools:

ssh user@example.com
scp user@example.com:somefile .
sftp user@example.com
sshd
  • ssh-keygen, a tool to generate the RSA and DSA keys that are used for user and host authentication:
ssh-keygen -t rsa
  • ssh-agent, a small daemon that can hold copies of public keys and use them to sign authentication challenges, avoiding the need to enter passphrases every time they are used:
eval `ssh-agent`
  • ssh-add, a tool to load keys into, or delete keys from a running ssh-agent:
ssh-add
  • ssh-keyscan, which scans a list of hosts and collects their public keys:
ssh-keyscan -t rsa 192.2.0.33 192.2.0.34 www.example.com
  • sftp-server, the sftp server subsystem (normally run directly by sshd)
  • ssh-keysign, a setuid helper program that signs "hostbased" authentication challenges using the host's private keys (normally executed directly by ssh)

[edit] Secure tunnels

[edit] Port forwarding

Most programs making use of TCP connections can be passed over a secure tunnel using OpenSSH. This is used to multiplex additional TCP connections over a single ssh connection. It is useful for concealing connections and encrypting protocols which are otherwise unsecured, and for circumventing firewalls. UDP connections may sometimes be tunnelled with the aid of programs such as netcat. Examples of easily tunnelled programs include the X Window System, http using a proxy and VNC. An X Window System tunnel is often created automatically between two Unix computers, so GUI programs from remote computers can be run simply by typing their names:

ssh -Y user@example.com
password:
$ xclock

In addition, some software can be set to automatically make use of OpenSSH to create a tunnel. Examples include DistCC, CVS, rsync, and fetchmail. Programs where tunneling is possible but complex are ftp, which can often be replaced with sftp in any case, and SMB. On some operating systems, remote filesystems can be mounted over ssh using shfs, lufs or podfuk.

Also, OpenSSH can be used to tunnel into a computer behind a NATing router. On the computer behind the NAT:

ssh -R 2222:localhost:2223 example.com

In another terminal on the computer behind the NAT:

/usr/sbin/sshd -p 2223

Now example.com, the computer on the outside, can get in via that forwarded port:

 ssh -p 2222 localhost

[edit] SOCKS

OpenSSH is capable of creating an ad hoc SOCKS proxy server to support more flexible proxying than is possible with ordinary port forwarding. For example:

ssh -D1080 user@example.com

establishes a local SOCKS server that listens on "localhost:1080".

[edit] tun-based VPN

Beginning with version 4.3, OpenSSH implements an OSI layer 2/3 "tun"-based VPN. This is the most flexible of OpenSSH's tunnelling capabilities, allowing applications to transparently access remote network resources without "socksification."

The following example illustrates setting up a VPN to see the 192.168.0.0/24 at example.com as 192.168.0.0/24 locally. The local box will be 192.168.0.20 in the remote network. Both ends run GNU/Linux.

On the client end:

ssh -f -w 0:any example.com true
ifconfig tun0 192.168.0.20 broadcast 192.168.0.255 netmask 255.255.255.0

On the server end:

ifconfig tun0 192.168.0.1 up
route add 192.168.0.20 dev tun0
#Make sure you don't have any interface up that you do not desire to be able to access eth0 through this box!
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
#For example, we don't want ppp0 to be able to access eth0 through this box.
iptables -t nat -I PREROUTING -i ppp0 -d 192.168.0.0/24 -j DROP

[edit] Authentication

OpenSSH server can authenticate users using standard methods supported by the SSH protocol:

These methods often make use of authentication methods native to the host operating system. This can include using the BSD authentication system (bsd auth) or PAM to enable authentication through methods such as one time passwords.

An unfortunate side-effect of using PAM with OpenSSH is that it must be run as root when PAM support is enabled, as root privileges are typically required to operate PAM. OpenSSH versions after 3.7 allow the usage of PAM to be disabled at run-time, so regular users can run sshd instances.

[edit] Misconceptions

Because of the prefix Open- on its name, OpenSSL, which is a dependency of OpenSSH, is often associated with OpenBSD; which distributes several programs using the naming style of Open*, including OpenSSH. This is however a mistake as OpenSSL is developed completely outside of the scope of OpenBSD by The OpenSSL Project, under a different license than is commonly used by OpenBSD. Like with FreeBSD's OpenBSM, the project simply shares the goal of having an open source implementation of a valuable asset for the common good.

[edit] Books

[edit] See also

Portal:Cryptography
 Cryptography Portal
Portal:Free software
 Free software Portal

[edit] References

  1. ^ Miller, Damien on the mailing list openssh-unix-announce@mindrot.org announcing the release of OpenSSH 4.5, seen here
  2. ^ Ylonen, Tatu's mail to the openssh-unix-dev mailing list, found here. February 14, 2001. Accessed December 24, 2005.
  3. ^ CNet News article: "Ssh! Don't use that trademark", found here. February 14, 2001. Accessed December 24, 2005.
  4. ^ Newsforge article: "Ylönen: We own ssh trademark, but here's a proposal", available here. February 16, 2001. Accessed December 24, 2005.
  5. ^ Network World article: "SSH inventor denied trademark request": available here. February 16, 2001. Accessed December 24, 2005.

[edit] External links

Retrieved from "http://en.wikipedia.org../../../o/p/e/OpenSSH_9781.html"