OpenSSH

OpenSSH

"Don't tell anyone that I'm free"
Developer(s)	The OpenBSD Project
Initial release	1 December 1999 (1999-12-01)
Stable release	6.8 / March 18, 2015 (2015-03-18)
Development status	Active
Written in	C
Operating system	Cross-platform
Type	Remote access
License	Simplified BSD
Website	www.openssh.com

OpenSSH, also known as OpenBSD Secure Shell,^{[lower-alpha 1]} is a suite of security-related network-level utilities based on the SSH protocol, which help to secure network communications via the encryption of network traffic over multiple authentication methods and by providing secure tunneling capabilities.^[1] OpenSSH was designed as a free and open source alternative to the proprietary SSH implementation developed by Tatu Ylönen and offered by SSH Communications Security.

OpenSSH is a project of the OpenBSD team and is funded via donations. The proprietary SSH implementation was originally developed under a license that allowed other developers or users to fork or create an off-shoot of the software with their own customizations. As a result, OpenSSH is a fork of one of those customizations and was first released as part of a Unix-like operating system called OpenBSD in 1999.^[2] As part of the forking process, OpenSSH was released under a BSD license, an open source license which allows open manipulations and contributions. In order to effectively maintain the program, the OpenSSH project is developed under a policy of producing clean and audited code.^[3]

OpenSSH is not a single computer program, but rather a suite of programs in the OpenBSD operating system that offers an alternative to unencrypted network communication protocols like FTP and Rlogin. While OpenSSH is not actively maintained for operating systems other than OpenBSD, a dedicated team occasionally releases a version that can be ported or used in other operating systems. This has allowed OpenSSH and its derivatives to account for an almost 88% market share as of July 2008.^[4]

History

OpenSSH was created by the OpenBSD team as an alternative to the original SSH software by Tatu Ylönen, which is now proprietary software.^[5] Although source code is available for the original SSH, various restrictions are imposed on its use and distribution. OpenSSH was created as a fork of Björn Grönvall's OSSH that itself was a fork of Tatu Ylönen's original free SSH 1.2.12 release, which was the last one having a license suitable for forking.^[6] The OpenSSH developers claim that their application is more secure than the original, due to their policy of producing clean and audited code and because it is released under the BSD license, the open source license to which the word open in the name refers.

OpenSSH first appeared in OpenBSD 2.6 and the first portable release was made in October 1999.^[7]

Versions

Development and structure

OpenSSH is developed as part of the OpenBSD operating system. Rather than including changes for other operating systems directly into OpenSSH, a separate portability infrastructure is maintained by the OpenSSH Portability Team and "portable releases" are made periodically. This infrastructure is substantial, partly because OpenSSH is required to perform authentication, a capability that has many varying implementations. This model is also used for other OpenBSD projects such as OpenNTPD.

The OpenSSH suite includes the following tools:

• ssh, a replacement for rlogin, rsh and telnet to allow shell access to a remote machine.
• scp, a replacement for rcp.
• sftp, a replacement for ftp to copy files between computers.
• sshd, the SSH server daemon.
• ssh-keygen a tool to inspect and generate the RSA, DSA and Elliptic Curve keys that are used for user and host authentication.
• ssh-agent and ssh-add, utilities to ease authentication by holding keys ready and avoid the need to enter passphrases every time they are used.
• ssh-keyscan, which scans a list of hosts and collects their public keys.

The OpenSSH server can authenticate users using the standard methods supported by the ssh protocol: with a password; public-key authentication, using per-user keys; host-based authentication, which is a secure version of rlogin's host trust relationships using public keys; keyboard-interactive, a generic challenge-response mechanism that is often used for simple password authentication but which can also make use of stronger authenticators such as tokens; and Kerberos/GSSAPI. The server makes use of authentication methods native to the host operating system; this can include using the BSD authentication system (bsd auth) or PAM to enable additional authentication through methods such as one-time passwords. However, this occasionally has side-effects: when using PAM with OpenSSH it must be run as root, as root privileges are typically required to operate PAM. OpenSSH versions after 3.7 (September 16, 2003) allow PAM to be disabled at run-time, so regular users can run sshd instances.

On OpenBSD OpenSSH supports OTP and utilises systrace for sandboxing but like most OpenBSD native services, OpenSSH also utilises a dedicated sshd user by default to drop privileges and perform privilege separation in accordance to OpenBSDs least privilege policy that has been applied throughout the operating system such as for their X server (see Xenocara).

OpenSSH provides no support for Microsoft Windows, though by using additional software such as Cygwin or Subsystem for UNIX-based Applications OpenSSH can be used under Windows.

Features

OpenSSH includes the ability to forward remote TCP ports over a secure tunnel, allowing that way arbitrary TCP ports on the server side and on the client side to be connected through an SSH tunnel.^[12] This is used to multiplex additional TCP connections over a single SSH connection, to conceal connections and encrypting protocols that are otherwise unsecured, and to circumvent firewalls what opens up space for potential security issues. An X Window System tunnel may be created automatically when using OpenSSH to connect to a remote host, and other protocols, such as HTTP and VNC, may be forwarded easily.^[13]

In addition, some third-party software includes support for tunnelling over SSH. These include DistCC, CVS, rsync, and Fetchmail. On some operating systems, remote file systems can be mounted over SSH using tools such as sshfs (using FUSE).

An ad hoc SOCKS proxy server may be created using OpenSSH. This allows more flexible proxying than is possible with ordinary port forwarding.

Beginning with version 4.3, OpenSSH implements an OSI layer 2/3 tun-based VPN. This is the most flexible of OpenSSH's tunnelling capabilities, allowing applications to transparently access remote network resources without modifications to make use of SOCKS.^[14]

Vulnerabilities

In the case of using the default configuration, the attacker's success probability for recovering 32 bits of plaintext is .^[15] The OpenSSH 5.2 release modified the behavior of the OpenSSH server^[16][17] to further mitigate against this vulnerability.

Trademark

In February 2001, Tatu Ylönen, Chairman and CTO of SSH Communications Security informed the OpenSSH development mailing list, that after speaking with key OpenSSH developers Markus Friedl, Theo de Raadt, and Niels Provos, the company would be asserting its ownership of the "SSH" and "Secure Shell" trademarks. Ylönen commented that the trademark "is a significant asset ... SSH Communications Security has made a substantial investment in time and money in its SSH mark"^[18] and sought to change references to the protocol to "SecSH" or "secsh", in order to maintain control of the "SSH" name. He proposed that OpenSSH change its name in order to avoid a lawsuit, a suggestion that developers resisted. OpenSSH developer Damien Miller replied that "SSH has been a generic term to describe the protocol well before your [Ylönen's] attempt to trademark it" and urged Ylönen to reconsider, commenting: "I think that the antipathy generated by pursuing a free software project will cost your company a lot more than a trademark."^[19]

At the time, "SSH," "Secure Shell" and "ssh" had appeared in documents proposing the protocol as an open standard and it was hypothesised that by doing so, without marking these within the proposal as registered trademarks, Ylönen was relinquishing all exclusive rights to the name as a means of describing the protocol. Improper use of a trademark, or allowing others to use a trademark incorrectly, results in the trademark becoming a generic term, like Kleenex or Aspirin, which opens the mark to use by others.^[20] After study of the USPTO trademark database, many online pundits opined that the term "ssh" was not trademarked, merely the logo using the lower case letters "ssh." In addition, the six years between the company's creation and the time when it began to defend its trademark, and that only OpenSSH was receiving threats of legal repercussions, weighed against the trademark's validity.^[21]

Both developers of OpenSSH and Ylönen himself were members of the IETF working group developing the new standard; after several meetings this group denied Ylönen's request to rename the protocol, citing concerns that it would set a bad precedent for other trademark claims against the IETF. The participants argued that both "Secure Shell" and "SSH" were generic terms and could not be trademarks.^[22]

See also

Notes

References

Further reading

• The 101 Uses of OpenSSH: Part 1
• The 101 Uses of OpenSSH: Part 2
• OpenBSD OpenSSH man page
• ssh(1) – OpenBSD General Commands Manual
• sshd(8) – OpenBSD System Manager's Manual

External links

Wikibooks has more on the topic of: OpenSSH

• Official website
• OpenSSH at Freecode
• OpenSSH at the Super User's BSD Cross Reference (BXR.SU) OpenGrok

The OpenBSD Project Operating system OpenBSD timeline security Related projects CARP LibreSSL OpenSSH OpenBGPD OpenOSPFD OpenNTPD OpenSMTPD PF sndio spamd tmux Xenocara cwm W^X People Theo de Raadt OpenBSD Foundation Plaid Tongued Devils Resources OpenBSD Journal

Cryptographic software Email clients Apple Mail Claws Mail Enigmail GPG (GPGTools, Gpg4win) Kontact Outlook PGP Sylpheed Thunderbird Secure Messaging OTR Adium BitlBee Centericq ChatSecure climm Cryptocat Jitsi Kopete MCabber Profanity Signal TextSecure SSH Dropbear lsh OpenSSH PuTTY SecureCRT WinSCP TLS & SSL Bouncy Castle BoringSSL Botan cryptlib GnuTLS JSSE LibreSSL MatrixSSL NSS OpenSSL mbed TLS RSA BSAFE SChannel SSLeay stunnel wolfSSL RetroShare VPN Check Point VPN-1 Hamachi Openswan OpenVPN SoftEther VPN strongSwan ZRTP CSipSimple Jitsi Linphone RedPhone SFLphone Signal Zfone Disk encryption (Comparison) BitLocker FreeOTFE TrueCrypt History BestCrypt CipherShed CrossCrypt Cryptoloop DiskCryptor dm-crypt LUKS DriveSentry E4M eCryptfs FileVault GBDE geli PGPDisk Private Disk Scramdisk Sentry 2020 VeraCrypt Anonymity I2P Java Anon Proxy Tor Vidalia RetroShare Cryptographic file systems Freenet Tahoe-LAFS Educational CrypTool Related topics Outline of cryptography Timeline of cryptography Hash functions Cryptographic hash function List of hash functions S/MIME Category Commons Portal

Free and open-source software General Alternative terms for free software Comparison of open source and closed source Comparison of open-source software hosting facilities Formerly proprietary software Free and open-source Android applications Free and open-source software packages Free software Free software events Free software movement Free software project directories Free software web applications Gratis versus libre Long-term support Open-source software Outline SPDX Operating system families AROS BSD Contiki Darwin eCos FreeDOS GNU Haiku Inferno Linux Mach MINIX OpenSolaris Plan 9 ReactOS TUD:OS Development Basic For Qt Eclipse Free Pascal FreeBASIC Gambas GCC Java Julia LLVM Lua NetBeans Open64 OpenSSH Perl PHP Python ROSE Ruby Smalltalk Tcl History GNU Haiku Linux Mozilla Application Suite Firefox Thunderbird Organizations Android Open Source Project Apache Software Foundation Blender Foundation The Document Foundation Eclipse Foundation Free Software Foundation Europe India Latin America FreeBSD Foundation freedesktop.org FSMI GNOME Foundation GNU Project Google Code KDE e.V. Linux Foundation Mozilla Foundation Open Knowledge Foundation Open Source Geospatial Foundation Open Source Initiative OpenBSD Foundation Software Freedom Conservancy SourceForge Symbian Foundation Ubuntu Foundation VideoLAN Organization Wikimedia Foundation X.Org Foundation Xiph.Org Foundation XMPP Standards Foundation Licenses Apache APSL Artistic Beerware Boost BSD CC0 CDDL EPL GNU GPL GNU LGPL ISC MIT MPL Ms-PL/RL WTFPL zlib License types and standards Comparison of free and open-source software licenses Contributor License Agreement Copyfree Copyleft Debian Free Software Guidelines Definition of Free Cultural Works Free license The Free Software Definition The Open Source Definition Open-source license Permissive free software licence Public domain Viral license Challenges Binary blob Digital rights management Free and open-source graphics device driver Comparison of open-source wireless drivers Hardware restrictions License proliferation Mozilla software rebranding Proprietary software SCO–Linux controversies Secure boot Software patents Software security Trusted Computing Related topics The Cathedral and the Bazaar Forking Linux distribution Microsoft Open Specification Promise Revolution OS Book Category Commons Portal