OpenSSH

Source: Wikipedia, the free encyclopedia.
Not to be confused with OpenSSL.

OpenSSH or OpenBSD Secure Shell
Developer(s)The OpenBSD Project
Initial release1 December 1999; 24 years ago (1999-12-01)
Stable release
9.7[1] Edit this on Wikidata / 11 March 2024
Remote access
LicenseBSD, ISC, public domain
Websiteopenssh.com

OpenSSH (also known as OpenBSD Secure Shell[a]) is a suite of secure networking utilities based on the Secure Shell (SSH) protocol, which provides a secure channel over an unsecured network in a client–server architecture.[4][5]

OpenSSH started as a

SSH Communications Security.[6] OpenSSH was first released in 1999 and is currently developed as part of the OpenBSD operating system
.

OpenSSH is not a single computer program, but rather a suite of programs that serve as alternatives to unencrypted protocols like

FTP. OpenSSH is integrated into several operating systems, namely Microsoft Windows, macOS and most Linux operating systems,[7][8] while the portable version is available as a package in other systems.[9][10][11]

History

OpenBSD Secure Shell was created by

BSD license, the open-source license
to which the word open in the name refers.

OpenSSH first appeared in OpenBSD 2.6. The first portable release was made in October 1999.

Ed25519 public host keys, version 6.8 of March 2015[19]
).

On 19 October 2015, Microsoft announced that OpenSSH will be natively supported on Microsoft Windows and accessible through PowerShell, releasing an early implementation and making the code publicly available.[20] OpenSSH-based client and server programs have been included in Windows 10 since version 1803. The SSH client and key agent are enabled and available by default, and the SSH server is an optional Feature-on-Demand.[21]

In October 2019 protection for private keys at rest in RAM against speculation and memory

side-channel attacks were added in OpenSSH 8.1.[22]

Development

OpenSSH remotely controlling a server through Unix shell

OpenSSH is developed as part of the OpenBSD operating system. Rather than including changes for other operating systems directly into OpenSSH, a separate portability infrastructure is maintained by the OpenSSH Portability Team, and "portable releases" are made periodically. This infrastructure is substantial, partly because OpenSSH is required to perform authentication, a capability that has many varying implementations. This model is also used for other OpenBSD projects such as OpenNTPD.

The OpenSSH suite includes the following

daemons
:

The OpenSSH server can authenticate users using the standard methods supported by the

pluggable authentication modules (PAM) to enable additional authentication through methods such as one-time passwords. However, this occasionally has side effects: when using PAM with OpenSSH, it must be run as root
, as root privileges are typically required to operate PAM. OpenSSH versions after 3.7 (16 September 2003) allow PAM to be disabled at run-time, so regular users can run sshd instances.

On OpenBSD, OpenSSH uses a dedicated sshd user by default to drop privileges and perform privilege separation in accordance with the principle of least privilege, applied throughout the operating system including the Xenocara X server.

Features

OpenSSH includes the ability to set up a secured channel through which data sent to local, client-side

HTTP and VNC, may be forwarded easily.[25]

Tunneling a TCP-encapsulating payload (such as PPP) over a TCP-based connection (such as SSH's port forwarding) is known as "TCP-over-TCP", and doing so can induce a dramatic loss in transmission performance (a problem known as "TCP meltdown"),[26][27] which is why virtual private network software may instead use for the tunnel connection a protocol simpler than TCP. However, this is often not a problem when using OpenSSH's port forwarding, because many use cases do not entail TCP-over-TCP tunneling; the meltdown is avoided because the OpenSSH client processes the local, client-side TCP connection in order to get to the actual payload that is being sent, and then sends that payload directly through the tunnel's own TCP connection to the server side, where the OpenSSH server similarly "unwraps" the payload in order to "wrap" it up again for routing to its final destination.[28]

In addition, some third-party software includes support for tunnelling over SSH. These include

sshfs (using FUSE
).

An ad hoc SOCKS proxy server may be created using OpenSSH. This allows more flexible proxying than is possible with ordinary port forwarding.

Beginning with version 4.3, OpenSSH implements an

OSI layer 2/3 tun-based VPN. This is the most flexible of OpenSSH's tunnelling capabilities, allowing applications to transparently access remote network resources without modifications to make use of SOCKS.[29]

Supported public key types

OpenSSH supports the following public key types:[30][31]

Vulnerabilities

Before version 5.2 of OpenSSH, it was possible for an attacker to recover up to 14 bits of plaintext with a success probability of 2−14.[39] The vulnerability was related to the CBC encryption mode. The AES CTR mode and arcfour ciphers are not vulnerable to this attack.

A local privilege escalation vulnerability existed in OpenSSH 6.8 to 6.9 (

denial of service vulnerability.[40] With the use of the TIOCSTI ioctl, it was possible for authenticated users to inject characters into other users terminals and execute arbitrary commands on Linux.[41]

Malicious or compromised OpenSSH servers could read sensitive information on the client such as private login keys for other systems, using a vulnerability that relies on the undocumented connection-resuming feature of the OpenSSH client, which is called roaming, enabled by default on the client, but not supported on the OpenSSH server. This applies to versions 5.4 (released on 8 March 2010

CVE-2016-0778 (buffer overflow).[43][44]

On March, 29 2024 a serious supply chain attack on XZ Utils has been reported, targeting indirectly the OpenSSH server (sshd) running on Linux. The OpenSSH code is not directly concerned, the backdoor is caused by the dependencies on liblzma via libsystemd applied by a tierce patch, applied by various Linux distributions.

Trademark

In February 2001, Tatu Ylönen, Chairman and CTO of SSH Communications Security informed the OpenSSH development mailing list that the company intended to assert its ownership of the "SSH" and "Secure Shell" trademarks,[45] and sought to change references to the protocol to "SecSH" or "secsh", in order to maintain control of the "SSH" name. He proposed that OpenSSH change its name in order to avoid a lawsuit, a suggestion that developers resisted. OpenSSH developer Damien Miller replied urging Ylönen to reconsider, arguing that "SSH" had long since been a generic trademark.[46]

At the time, "SSH", "Secure Shell" and "ssh" had appeared in documents proposing the protocol as an open standard. Without marking these within the proposal as registered trademarks, Ylönen ran the risk of relinquishing all exclusive rights to the name as a means of describing the protocol. Improper use of a trademark, or allowing others to use a trademark incorrectly, results in the trademark becoming a generic term, like

USPTO trademark database, many online pundits opined that the term "ssh" was not trademarked, merely the logo using the lower case letters "ssh". In addition, the six years between the company's creation and the time when it began to defend its trademark, and that only OpenSSH was receiving threats of legal repercussions, weighed against the trademark's validity.[48]

Both developers of OpenSSH and Ylönen himself were members of the IETF working group developing the new standard; after several meetings this group denied Ylönen's request to rename the protocol, citing concerns that it would set a bad precedent for other trademark claims against the IETF. The participants argued that both "Secure Shell" and "SSH" were generic terms and could not be trademarks.[6]

See also

Notes

  1. startup scripts
    .

References

  1. ^ "release-9.7".
  2. ^ "OpenSSH Portable Release". OpenBSD. Retrieved 15 October 2015.
  3. ^ "Specifications implemented by OpenSSH". The OpenBSD Project. Retrieved 14 October 2015.
  4. ^ Venkatachalam, Girish (April 2007). "The OpenSSH Protocol under the Hood". Linux Journal (156): 74–77 – via the Discovery Database at LSU.
  5. ^ Network Working Group of the IETF, January 2006, RFC 4252, The Secure Shell (SSH) Authentication Protocol.
  6. ^ a b Duffy Marsan, Carolyn (22 March 2001). "Secure Shell inventor denied trademark request". ITworld.com. Retrieved 14 December 2021.
  7. ^ "dragonfly.git/blob - crypto/openssh/README". gitweb.dragonflybsd.org. Retrieved 19 May 2016. This is the port of OpenBSD's excellent OpenSSH to Linux and other Unices.
  8. ^ "src/crypto/external/bsd/openssh/dist/README - view - 1.4". NetBSD CVS Repositories. Retrieved 19 May 2016.
  9. ^ "openssh". OpenSUSE. Retrieved 17 May 2016.
  10. ^ "Debian -- Details of package openssh-client in jessie". Debian. Retrieved 17 May 2016.
  11. ^ "Arch Linux - openssh 7.2p2-1 (x86_64)". Arch Linux. Retrieved 17 May 2016.
  12. ^ "Project History and Credits". OpenBSD. Retrieved 8 April 2008.
  13. ^ OSSH sources
  14. ^ ssh-1.2.13 now available: copying policy changed (permission now required to sell ssh commercially, use is still permitted for any purpose)
  15. ^ "OpenSSH: Project History and Credits". openssh.com. 22 December 2004. Retrieved 27 February 2014.
  16. ^ "Portable OpenSSH – Freecode". Freshmeat.net. Retrieved 11 February 2014.
  17. ^ Murenin, Constantine A. (11 December 2013). Unknown Lamer (ed.). "OpenSSH Has a New Cipher — Chacha20-poly1305 — from D.J. Bernstein". Slashdot. Retrieved 26 December 2014.
  18. ^ Murenin, Constantine A. (30 April 2014). Soulskill (ed.). "OpenSSH No Longer Has To Depend On OpenSSL". Slashdot. Retrieved 26 December 2014.
  19. ^ Murenin, Constantine A. (1 February 2015). Soulskill (ed.). "OpenSSH Will Feature Key Discovery and Rotation For Easier Switching To Ed25519". Slashdot. Retrieved 1 February 2015.
  20. ^ "OpenSSH for Windows Update". 19 October 2015. Retrieved 23 October 2015.
  21. ^ Durr, Yosef (7 March 2018). "What's new for the Command Line in Windows 10 version 1803". Windows Command Line Tools For Developers.
  22. ^ "Protection for private keys at rest in RAM".
  23. ^ "OpenBSD manual pages: SSH". openbsd.org. 3 July 2014. Retrieved 14 July 2014.
  24. ^ "OpenSSH Release Notes".
  25. ^ "Features". OpenSSH. Retrieved 26 June 2016.
  26. ^ Titz, Olaf (23 April 2001). "Why TCP Over TCP Is A Bad Idea". Retrieved 17 October 2015.
  27. S2CID 8945952
    .
  28. ^ Kaminsky, Dan (13 June 2003). "Re: Extensions for long fat networks?". [email protected] (Mailing list). the TCP forwarding code is pretty speedy as well. Just to pre-answer a question, ssh decapsulates and re-encapsulates TCP, so you don't have classic TCP-over-TCP issues.
  29. ^ "OpenSSH 4.3 Release Notes". openssh.com. 1 February 2006. Retrieved 14 July 2014.
  30. ^ "SSHD(8) - Linux manual page".
  31. ^ "Sshd_config(5) - OpenBSD manual pages".
  32. ^ "OpenSSH 7.0 release notes". OpenSSH. 11 August 2015. Retrieved 13 November 2022.
  33. ^ "OpenSSH 8.8 release notes". OpenSSH. 26 September 2021. Retrieved 13 November 2022.
  34. ^ "OpenSSH 5.7 release notes". OpenSSH. 24 January 2011. Retrieved 13 November 2022.
  35. ^ "OpenSSH 6.5 release notes". OpenSSH. 29 January 2014. Retrieved 13 November 2022.
  36. ^ "OpenSSH 7.2 release notes". OpenSSH. 29 February 2016. Retrieved 13 November 2022.
  37. ^ "OpenSSH 8.2 release notes". OpenSSH. 14 February 2020. Retrieved 13 November 2022.
  38. ^ "Changes since OpenSSH 8.9 (OpenSSH 9.0 release notes)". OpenSSH developers. 8 April 2022.
  39. ^ OpenSSH Security Advisory CBC Attack
  40. CVE-2015-6565
  41. ^ OpenSSH PTY vulnerability
  42. ^ OpenSSH 5.4 released
  43. ^ Thomson, Iain (14 January 2016). "Evil OpenSSH servers can steal your private login keys to other systems – patch now". The Register.
  44. ^ OpenSSH 7.1p2 has just been released.
  45. ^ Ylonen, Tatu (14 February 2001). "SSH trademarks and the OpenSSH product name". openssh-unix-dev (Mailing list). MARC. Retrieved 11 February 2014.
  46. ^ Miller, Damien (14 February 2001). "Re: SSH trademarks and the OpenSSH product name". openssh-unix-dev (Mailing list). MARC. Retrieved 11 February 2014.
  47. ^ Lemos, Robert (2 January 2002). "Ssh! Don't use that trademark". CNET. Retrieved 19 May 2016.
  48. NewsForge. Archived from the original
    on 1 March 2002. Retrieved 20 May 2016.

External links

Wikibooks has more on the topic of: OpenSSH
Wikimedia Commons has media related to OpenSSH.
Retrieved from "https://en.wikipedia.org/w/index.php?title=OpenSSH&oldid=1217018948"