OpenSSH

OpenSSH
	Don't tell anyone that I'm free
Developer(s)	The OpenBSD Project
Stable release	4.7 / September 4 2007
Repository	anongit.mindrot.org/openssh.git ;
Operating system	Cross-platform
Type	Remote access
License	BSD license
Website	http://www.openssh.org

Template:Prerequisites header ! ssh and Computer networking |- ! Unix-like and Software licensing |- ! Computer insecurity Template:Prerequisites footer

OpenSSH (OpenBSD Secure Shell) is a set of computer programs providing encrypted communication sessions over a computer network using the ssh protocol. It was created as an open source alternative to the proprietary Secure Shell software suite offered by SSH Communications Security. OpenSSH is developed as part of the OpenBSD project, which is led by Theo de Raadt.^{[citation needed]}

OpenSSH is occasionally confused with the similarly named OpenSSL; however, the projects have different purposes and are developed by different teams, the similar name is drawn only from similar goals.^{[citation needed]}

History

OpenSSH was created by the OpenBSD team as an alternative to the original SSH software by Tatu Ylönen, which is now proprietary software.^[1] The OpenSSH developers claim that it is more secure than the original, due to their policy of producing clean and audited code and the fact, to which the word open in the name refers, that it is released under the open source BSD license. Although source code is available for the original SSH, various restrictions are imposed on its use and distribution.

OpenSSH first appeared in OpenBSD 2.6 and the first portable release was made in October 1999.^[2] OpenSSH 4.5 was released on November 8 2006.^[3]

Trademark

In February of 2001, Tatu Ylönen, Chairman and CTO of SSH Communications Security informed the OpenSSH development mailing list, that after speaking with key OpenSSH developers Markus Friedl, Theo de Raadt, and Niels Provos, the company would be asserting its ownership of the "SSH" and "Secure Shell" trademarks. Ylönen commented that the trademark "is a significant asset ... SSH Communications Security has made a substantial investment in time and money in its SSH mark"^[4] and sought to change references to the protocol to "SecSH" or "secsh", in order to maintain control of the "SSH" name. He proposed that OpenSSH change its name in order to avoid a lawsuit, a suggestion that developers resisted. OpenSSH developer Damien Miller replied that "SSH has been a generic term to describe the protocol well before your [Ylönen's] attempt to trademark it" and urged Ylönen to reconsider, commenting: "I think that the antipathy generated by pursuing a free software project will cost your company a lot more than a trademark."^[5]

At the time, "SSH," "Secure Shell" and "ssh" had appeared in documents proposing the protocol as an open standard and it was hypothesised that by doing so, without marking these within the proposal as registered trademarks, Ylönen was relinquishing all exclusive rights to the name as a means of describing the protocol. Improper use of a trademark, or allowing others to use a trademark incorrectly, results in the trademark becoming a generic term, like Kleenex or Aspirin, which opens the mark to use by others.^[6] After study of the USPTO trademark database, many online pundits opined that the term "ssh" was not trademarked, merely the logo using the lower case letters "ssh." In addition, the six years between the company's creation and the time when it began to defend its trademark, and that only OpenSSH was receiving threats of legal repercussions, weighed against the trademark's validity.^[7]

Both developers of OpenSSH and Ylönen himself were members of the IETF working group developing the new standard; after several meetings this group denied Ylonen's request to rename the protocol, citing concerns that it would set a bad precedent for other trademark claims against the IETF. The participants argued that both "Secure Shell" and "SSH" were generic terms and could not be trademarks.^[8]

Development and structure

File:Openssh.png

OpenSSH remotely controlling a server through Linux command line.

OpenSSH is developed as part of the OpenBSD operating system. Rather than including changes for other operating systems directly into OpenSSH, a separate portability infrastructure is maintained by the OpenSSH Portability Team and "portable releases" are made periodically. This infrastructure is substantial, partly because OpenSSH is required to perform authentication, a capability that has many varying implementations. This model is also used for other OpenBSD projects such as OpenNTPD.

The OpenSSH suite includes the following tools:

ssh, a replacement for rlogin and telnet to allow shell access to a remote machine.
scp, a replacement for rcp, and sftp, a replacement for ftp to copy files between computers.
sshd, the SSH server daemon.
ssh-keygen, a tool to generate the RSA and DSA keys that are used for user and host authentication.
ssh-agent and ssh-add, utilities to ease authentication by holding keys ready and avoid the need to enter passphrases every time they are used.
ssh-keyscan, which scans a list of hosts and collects their public keys.

The OpenSSH server can authenticate users using the standard methods supported by the ssh protocol: with a password; public-key authentication, using per-user keys; host-based authentication, which is a secure version of rlogin's host trust relationships using public keys; keyboard-interactive, a generic challenge-response mechanism that is often used for simple password authentication but which can also make use of stronger authenticators such as tokens; and Kerberos/GSSAPI. The server makes use of authentication methods native to the host operating system; this can include using the BSD authentication system (bsd auth) or PAM to enable additional authentication through methods such as one time passwords. However, this occasionally has side-effects: when using PAM with OpenSSH it must be run as root, as root privileges are typically required to operate PAM. OpenSSH versions after 3.7 allow PAM to be disabled at run-time, so regular users can run sshd instances.

Features

OpenSSH includes the ability to forward remote TCP ports over a secure tunnel. This is used to multiplex additional TCP connections over a single ssh connection, concealing connections and encrypting protocols which are otherwise unsecured, and for circumventing firewalls. An X Window System tunnel may be created automatically when using OpenSSH to connect to a remote host, and other protocols, such as http and VNC, may be forwarded easily.

In addition, some third-party software includes support for tunneling over SSH. These include DistCC, CVS, rsync, and fetchmail. On some operating systems, remote filesystems can be mounted over SSH using tools such as sshfs (using FUSE), shfs,^[9] lufs,^[10] and podfuk.^[11]

An ad hoc SOCKS proxy server may be created using OpenSSH. This allows more flexible proxying than is possible with ordinary port forwarding. For example, by using the single command:

ssh -D1080 user@example.com

A local SOCKS server is established that listens on "localhost:1080" and forwards all traffic via the "example.com" host.

Beginning with version 4.3, OpenSSH implements an OSI layer 2/3 tun-based VPN. This is the most flexible of OpenSSH's tunnelling capabilities, allowing applications to transparently access remote network resources without modifications to make use of SOCKS.

Books

Michael Stahnke, Pro OpenSSH. ISBN 1-59059-476-2.
Daniel J. Barrett, Richard E. Silverman, and Robert G. Byrnes, SSH, The Secure Shell: The Definitive Guide, Second Edition. ISBN 0-596-00895-3 (first edition ISBN 0-596-00011-1).

References

^ "Project History and Credits". OpenBSD. Retrieved 2008-01-01.
^ Freshmeat announcement: Portable OpenSSH 1.0pre2
^ Miller, Damien. Mail to openssh-unix-announce mailing list: Announce: OpenSSH 4.5 released.
^ Ylönen, Tatu. Mail to the openssh-unix-dev mailing list: SSH trademarks and the OpenSSH product name. February 14, 2001. Accessed December 24, 2005.
^ Miller, Damien. Mail to the openssh-unix-dev mailing list: Re: SSH trademarks and the OpenSSH product name.February 14, 2001. Accessed August 4, 2007.
^ CNet News article: "Ssh! Don't use that trademark." February 14, 2001. Accessed August 4, 2007.
^ Newsforge article: "Ylönen: We own ssh trademark, but here's a proposal." February 16, 2001. Accessed August 4, 2007.
^ Network World article: "SSH inventor denied trademark request." March 21, 2001. Accessed August 4, 2007.
^ The shfs website.
^ The lufs website.
^ The podfuk website.

External links

[alternative-1] "Project History and Credits". OpenBSD. Retrieved 2008-01-01.

[2] Freshmeat announcement: Portable OpenSSH 1.0pre2

[3] Miller, Damien. Mail to openssh-unix-announce mailing list: Announce: OpenSSH 4.5 released.

[4] Ylönen, Tatu. Mail to the openssh-unix-dev mailing list: SSH trademarks and the OpenSSH product name. February 14, 2001. Accessed December 24, 2005.

[5] Miller, Damien. Mail to the openssh-unix-dev mailing list: Re: SSH trademarks and the OpenSSH product name.February 14, 2001. Accessed August 4, 2007.

[6] CNet News article: "Ssh! Don't use that trademark." February 14, 2001. Accessed August 4, 2007.

[7] Newsforge article: "Ylönen: We own ssh trademark, but here's a proposal." February 16, 2001. Accessed August 4, 2007.

[8] Network World article: "SSH inventor denied trademark request." March 21, 2001. Accessed August 4, 2007.

[9] The shfs website.

[10] The lufs website.

[11] The podfuk website.

[1]

[2]

[3]

[4]

[5]

[6]

[7]

[8]

[9]

[10]

[11]

v t e The OpenBSD Project
Operating system	OpenBSD version history security features
Related projects	bio CARP doas httpd fdm LibreSSL mandoc mg OpenBGPD OpenIKED OpenNTPD OpenOSPFD OpenSMTPD OpenSSH PF pfsync sensors sndio spamd sudo tmux Xenocara cwm
People	Theo de Raadt Niels Provos
Organizations	OpenBSD Foundation
Publications	OpenBSD Journal