OpenSSH

OpenSSH is a set of computer programs providing encrypted communication sessions over a computer network using the SSH protocol. It was created as an open source alternative to the proprietary Secure Shell software suite offered by SSH Communications Security.

OpenSSH is developed as part of the security-conscious OpenBSD project, which is led by Theo de Raadt. The project's development is funded via donations.

History

OpenSSH was created by the OpenBSD team as an alternative to the original SSH software by Tatu Ylönen, which is now proprietary software. Although source code is available for the original SSH, various restrictions are imposed on its use and distribution. The OpenSSH developers claim that it is more secure than the original, due to their policy of producing clean and audited code and because it is released under the BSD license, the open source license to which the word "open" in the name refers.

OpenSSH first appeared in OpenBSD 2.6 and the first portable release was made in October 1999.

Release History:
  • OpenSSH 5.9: September 6, 2011
  • OpenSSH 5.8: February 4, 2011
  • OpenSSH 5.7: January 24, 2011
  • OpenSSH 5.6: August 23, 2010
  • OpenSSH 5.5: April 16, 2010
  • OpenSSH 5.4: March 8, 2010
    • Disabled SSH protocol 1 support by default. Clients and servers must now explicitly enable it.
    • Added PKCS#11 authentication support for ssh(1) (-I pkcs11), so that keys held on hardware tokens and smart cards can be used.
    • Added certificate-based authentication.
    • Added "netcat mode" for ssh(1) (-W host:port). Similar to "-L tunnel", but forwards stdin and stdout instead of a local port. This allows, for example, using ssh(1) itself as an ssh(1) ProxyCommand to route connections via intermediate servers, without the need for nc(1) on the server machine.
    • Added the ability to revoke public keys in sshd(8) and ssh(1). While it was already possible to remove keys from authorised lists, revoked keys will now trigger a warning if used.
  • OpenSSH 5.3: October 1, 2009
  • OpenSSH 5.2: February 23, 2009
  • OpenSSH 5.1: July 21, 2008
  • OpenSSH 5.0: April 3, 2008
  • OpenSSH 4.9: March 30, 2008
    • Added chroot support for sshd(8) (the ChrootDirectory option).
  • OpenSSH 4.7: September 4, 2007
  • OpenSSH 4.6: March 9, 2007
  • OpenSSH 4.5: November 7, 2006
  • OpenSSH 4.4: September 27, 2006
  • OpenSSH 4.3: February 1, 2006
    • Added an OSI layer 2/3 tun-based VPN (-w option on ssh(1)).
  • OpenSSH 4.2: September 1, 2005
  • OpenSSH 4.1: May 26, 2005
  • OpenSSH 4.0: March 9, 2005
  • OpenSSH 3.9: August 17, 2004
  • OpenSSH 3.8: February 24, 2004
  • OpenSSH 3.7.1: September 16, 2003
  • OpenSSH 3.7: September 16, 2003
  • OpenSSH 3.6.1: April 1, 2003
  • OpenSSH 3.6: March 31, 2003
  • OpenSSH 3.5: October 14, 2002
  • OpenSSH 3.4: June 26, 2002
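The certificate-based authentication and key revocation introduced in 5.4, worked through with ssh-keygen as an added example. This script is not part of the page or of the OpenSSH project; it assumes ssh-keygen is on PATH and is new enough to build a binary key revocation list (KRL, a format that arrived in 6.2, after the releases listed above; RevokedKeys in sshd_config also accepts the plain list of public keys that 5.4 used). The CA name, principals, serial number and file paths are illustrative.

```shell
#!/bin/sh
# Added example, not code from the OpenSSH project: a minimal user CA,
# a certificate issued from it, and a revocation list sshd can consume.
# Assumes ssh-keygen on PATH. Paths and identities are illustrative.
set -eu

# CA key pair; the public half goes into sshd_config as
#   TrustedUserCAKeys /etc/ssh/user_ca.pub
make_ca() {                         # $1 = CA key path
    ssh-keygen -q -t ed25519 -N '' -C "user-ca" -f "$1"
}

make_user_key() {                   # $1 = key path, $2 = comment
    ssh-keygen -q -t ed25519 -N '' -C "$2" -f "$1"
}

# Sign a user public key. Principals (-n) are the account names the cert
# may log in as, -V bounds its lifetime, -z gives it a serial for revocation.
# The certificate is written beside the public key as <name>-cert.pub.
sign_user_key() {                   # $1 = CA key, $2 = user .pub, $3 = key id, $4 = principals, $5 = serial
    ssh-keygen -q -s "$1" -I "$3" -n "$4" -V "-5m:+52w" -z "$5" "$2"
}

# Revoke a raw public key by adding it to a KRL (created if missing).
# sshd reads the list via   RevokedKeys /etc/ssh/revoked_keys
revoke_key() {                      # $1 = KRL path, $2 = .pub to revoke
    if [ -f "$1" ]; then
        ssh-keygen -q -k -u -f "$1" "$2"
    else
        ssh-keygen -q -k -f "$1" "$2"
    fi
}

# Revoke a certificate by serial number: needs only the CA public key and
# the serial, not the certificate or the user's private key.
revoke_cert_serial() {              # $1 = KRL path, $2 = CA .pub, $3 = serial
    spec=$(mktemp)
    printf 'serial: %s\n' "$3" > "$spec"
    if [ -f "$1" ]; then
        ssh-keygen -q -k -u -f "$1" -s "$2" "$spec"
    else
        ssh-keygen -q -k -f "$1" -s "$2" "$spec"
    fi
    rm -f "$spec"
}

# Return 0 if the key or certificate is listed in the KRL, 1 otherwise.
# ssh-keygen -Q exits non-zero for a revoked key, so the status is inverted.
is_revoked() {                      # $1 = KRL path, $2 = .pub or -cert.pub
    if ssh-keygen -Q -f "$1" "$2" >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

# Stand-alone walk-through in a scratch directory: ./script demo
demo() {
    dir=$(mktemp -d)
    make_ca "$dir/user_ca"
    make_user_key "$dir/alice" "alice@laptop"
    make_user_key "$dir/bob"   "bob@laptop"
    sign_user_key "$dir/user_ca" "$dir/alice.pub" "alice-laptop" "alice" 1001
    ssh-keygen -L -f "$dir/alice-cert.pub"          # shows principals, serial, validity

    revoke_key "$dir/revoked.krl" "$dir/bob.pub"                     # bob's raw key
    revoke_cert_serial "$dir/revoked.krl" "$dir/user_ca.pub" 1001    # alice's cert only
    for f in alice.pub bob.pub alice-cert.pub; do
        if is_revoked "$dir/revoked.krl" "$dir/$f"; then
            echo "$f: REVOKED"
        else
            echo "$f: ok"
        fi
    done
    rm -rf "$dir"
}

if [ "${1:-}" = "demo" ]; then demo; fi
```

Revoking the certificate by serial leaves alice's raw key usable where it is listed in authorized_keys, which is the distinction a practitioner wants to check before relying on the KRL alone.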

Development and structure

OpenSSH is developed as part of the OpenBSD operating system. Rather than including changes for other operating systems directly into OpenSSH, a separate portability infrastructure is maintained by the OpenSSH Portability Team and "portable releases" are made periodically. This infrastructure is substantial, partly because OpenSSH is required to perform authentication, a capability that has many varying implementations. This model is also used for other OpenBSD projects such as OpenNTPD.

The OpenSSH suite includes the following tools:
  • ssh, a replacement for rlogin, rsh and telnet to allow shell access to a remote machine.
  • scp, a replacement for rcp.
  • sftp, a replacement for ftp to copy files between computers.
  • sshd, the SSH server daemon.
  • ssh-keygen, a tool to inspect and generate the RSA and DSA keys that are used for user and host authentication.
  • ssh-agent and ssh-add, utilities to ease authentication by holding keys ready and avoid the need to enter passphrases every time they are used.
  • ssh-keyscan, which scans a list of hosts and collects their public keys.


The OpenSSH server can authenticate users using the standard methods supported by the SSH protocol: with a password; public-key authentication, using per-user keys; host-based authentication, which is a secure version of rlogin's host trust relationships using public keys; keyboard-interactive, a generic challenge-response mechanism that is often used for simple password authentication but which can also make use of stronger authenticators such as tokens; and Kerberos/GSSAPI. The server makes use of authentication methods native to the host operating system; this can include using the BSD Authentication system (BSD Auth) or PAM to enable additional authentication through methods such as one-time passwords. However, this occasionally has side-effects: when using PAM with OpenSSH it must be run as root, as root privileges are typically required to operate PAM. OpenSSH versions after 3.7 (September 16, 2003) allow PAM to be disabled at run-time, so regular users can run sshd instances.
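The authentication methods above map onto sshd_config directives. The following is an added example, not taken from the page or from the OpenSSH project: the permissive configuration a practitioner often inherits, beside a hardened one that accepts only public keys, keeps PAM off so that an unprivileged user can run a private sshd instance, and is checked with sshd -t before use. The port, host key path and directory layout are assumptions.

```shell
#!/bin/sh
# Added example, not from the OpenSSH project: a permissive sshd_config
# beside a hardened one that accepts only public-key authentication.
# Paths and the port are illustrative.
set -eu

# What the hardened config replaces: password logins, root logins and
# PAM-driven authentication all enabled.
write_permissive_config() {         # $1 = output path
    cat > "$1" <<'EOF'
Port 22
PermitRootLogin yes
PasswordAuthentication yes
KbdInteractiveAuthentication yes
UsePAM yes
EOF
}

# Public keys only, PAM off (so sshd need not run as root), root locked
# out, forwarding disabled unless the deployment needs it.
write_hardened_config() {           # $1 = output path, $2 = host key path, $3 = port
    cat > "$1" <<EOF
Port $3
ListenAddress 127.0.0.1
HostKey $2
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication no
HostbasedAuthentication no
UsePAM no
AuthorizedKeysFile $(dirname "$2")/authorized_keys
PidFile $(dirname "$2")/sshd.pid
AllowTcpForwarding no
X11Forwarding no
LogLevel VERBOSE
EOF
}

# Value of a directive in a config file (the last occurrence wins, as it
# would for sshd itself when a keyword is repeated outside Match blocks).
config_value() {                    # $1 = config path, $2 = directive
    awk -v k="$2" 'tolower($1) == tolower(k) { v = $2 } END { print v }' "$1"
}

# Ask sshd to parse the file and load the host key without starting.
# Returns sshd's own status; an unprivileged user can run this.
check_config() {                    # $1 = config path
    sshd -t -f "$1"
}

# Stand-alone walk-through: ./script demo
demo() {
    dir=$(mktemp -d)
    ssh-keygen -q -t ed25519 -N '' -f "$dir/ssh_host_ed25519_key"
    write_permissive_config "$dir/sshd_config.before"
    write_hardened_config "$dir/sshd_config" "$dir/ssh_host_ed25519_key" 2222
    echo "before: PasswordAuthentication=$(config_value "$dir/sshd_config.before" PasswordAuthentication)"
    echo "after:  PasswordAuthentication=$(config_value "$dir/sshd_config" PasswordAuthentication)"
    if command -v sshd >/dev/null 2>&1 && check_config "$dir/sshd_config"; then
        echo "sshd accepts the hardened config; run it unprivileged with:"
        echo "  sshd -D -e -f $dir/sshd_config"
    fi
    rm -rf "$dir"
}

if [ "${1:-}" = "demo" ]; then demo; fi
```

sshd -t validates syntax and loads the host key; on some distributions it also insists that the privilege-separation directory exists, so a failure there is an environment problem rather than a configuration error.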

Features

OpenSSH includes the ability to forward remote TCP ports over a secure tunnel. This is used to multiplex additional TCP connections over a single SSH connection, concealing connections and encrypting protocols which are otherwise unsecured, and for circumventing firewalls. An X Window System tunnel may be created automatically when using OpenSSH to connect to a remote host, and other protocols, such as HTTP and VNC, may be forwarded easily.

In addition, some third-party software includes support for tunnelling over SSH. These include DistCC, CVS, rsync, and Fetchmail. On some operating systems, remote file systems can be mounted over SSH using tools such as sshfs (using FUSE).

An ad hoc SOCKS proxy server may be created using OpenSSH. This allows more flexible proxying than is possible with ordinary port forwarding.

Beginning with version 4.3, OpenSSH implements an OSI layer 2/3 tun-based VPN. This is the most flexible of OpenSSH's tunnelling capabilities, allowing applications to transparently access remote network resources without modifications to make use of SOCKS.
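The forwarding modes in this section, the netcat-mode ProxyCommand from the 5.4 release notes and the tun VPN, gathered into one added example (not the page's or the project's own code): a client ssh_config that declares each of them, with a parse check that uses ssh -G and never connects. The bastion, host names, addresses and ports are assumptions; the server-side counterparts (AllowTcpForwarding, GatewayPorts, PermitTunnel) must also permit each mode.

```shell
#!/bin/sh
# Added example, not from the OpenSSH project: one ssh_config exercising the
# tunnelling modes described in the text, plus a parse check.
# Host names, addresses and ports are illustrative.
set -eu

write_client_config() {             # $1 = output path
    cat > "$1" <<'EOF'
# Jump host reachable directly; 'internal' is reached through it.
Host bastion
    HostName bastion.example.net
    User ops

# Netcat mode: the bastion's own ssh forwards our stdin/stdout to the
# target, so no nc(1) is needed on the bastion. (ProxyJump, added in
# 7.3, is a later shorthand for the same thing.)
Host internal
    HostName 10.0.0.5
    ProxyCommand ssh -W %h:%p bastion
    # Local 127.0.0.1:8080 -> web.internal:80 as seen from 'internal'.
    LocalForward 127.0.0.1:8080 web.internal:80
    # Port 5901 on 'internal' -> our local VNC server on 5900.
    RemoteForward 127.0.0.1:5901 127.0.0.1:5900
    # Ad hoc SOCKS proxy on 1080 for anything that can speak SOCKS.
    DynamicForward 127.0.0.1:1080
    # Abort rather than silently run without the forwards above.
    ExitOnForwardFailure yes

# Layer-3 tun VPN (equivalent to ssh -w 0:0 vpn). Needs PermitTunnel in
# sshd_config and root on both ends to create the tun interfaces.
Host vpn
    HostName vpn.example.net
    User root
    Tunnel point-to-point
    TunnelDevice 0:0
EOF
}

# Number of occurrences of one directive in the file.
forward_count() {                   # $1 = config path, $2 = directive
    awk -v k="$2" 'tolower($1) == tolower(k) { n++ } END { print n + 0 }' "$1"
}

# Parse check without connecting: ssh -G resolves the Host block and prints
# the effective options; a typo or unknown keyword makes it fail.
check_client_config() {             # $1 = config path, $2 = host alias
    ssh -G -F "$1" "$2" >/dev/null
}

# Stand-alone walk-through: ./script demo
demo() {
    cfg=$(mktemp)
    write_client_config "$cfg"
    echo "local forwards:   $(forward_count "$cfg" LocalForward)"
    echo "remote forwards:  $(forward_count "$cfg" RemoteForward)"
    echo "dynamic forwards: $(forward_count "$cfg" DynamicForward)"
    if command -v ssh >/dev/null 2>&1 && check_client_config "$cfg" internal; then
        ssh -G -F "$cfg" internal | grep -i -E '^(proxycommand|localforward|remoteforward|dynamicforward)' || true
    fi
    rm -f "$cfg"
}

if [ "${1:-}" = "demo" ]; then demo; fi
```

Binding every forward to 127.0.0.1 keeps the tunnel entrances off other hosts on the local network; a bare port number in LocalForward or DynamicForward would do the same by default, but writing the address makes the intent visible in review.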

Trademark

In February 2001, Tatu Ylönen, Chairman and CTO of SSH Communications Security, informed the OpenSSH development mailing list that, after speaking with key OpenSSH developers Markus Friedl, Theo de Raadt, and Niels Provos, the company would be asserting its ownership of the "SSH" and "Secure Shell" trademarks. Ylönen commented that the trademark "is a significant asset ... SSH Communications Security has made a substantial investment in time and money in its SSH mark" and sought to change references to the protocol to "SecSH" or "secsh", in order to maintain control of the "SSH" name. He proposed that OpenSSH change its name in order to avoid a lawsuit, a suggestion that developers resisted. OpenSSH developer Damien Miller replied that "SSH has been a generic term to describe the protocol well before your [Ylönen's] attempt to trademark it" and urged Ylönen to reconsider, commenting: "I think that the antipathy generated by pursuing a free software project will cost your company a lot more than a trademark."

At the time, "SSH," "Secure Shell" and "ssh" had appeared in documents proposing the protocol as an open standard, and it was hypothesised that by doing so, without marking these within the proposal as registered trademarks, Ylönen was relinquishing all exclusive rights to the name as a means of describing the protocol. Improper use of a trademark, or allowing others to use a trademark incorrectly, results in the trademark becoming a generic term, like Kleenex or Aspirin, which opens the mark to use by others. After study of the USPTO trademark database, many online pundits opined that the term "ssh" was not trademarked, merely the logo using the lower case letters "ssh." In addition, the six years between the company's creation and the time when it began to defend its trademark, and the fact that only OpenSSH was receiving threats of legal repercussions, weighed against the trademark's validity.

Both developers of OpenSSH and Ylönen himself were members of the IETF working group developing the new standard; after several meetings this group denied Ylönen's request to rename the protocol, citing concerns that it would set a bad precedent for other trademark claims against the IETF. The participants argued that both "Secure Shell" and "SSH" were generic terms and could not be trademarks.

See also

  • BSD Authentication
  • Comparison of SSH clients
  • Comparison of SSH servers
  • CopSSH
  • FTPS
  • POSSE project
  • Secure Shell
  • TCP Wrapper

The source of this article is wikipedia, the free encyclopedia. The text of this article is licensed under the GFDL.