HOME

TheInfoList



OR:

OpenSSH (also known as OpenBSD Secure Shell) is a suite of
secure Secure may refer to: * Security, being protected against danger or loss(es) ** Physical security, security measures that are designed to deny unauthorized access to facilities, equipment, and resources **Information security, defending information ...
networking Network, networking and networked may refer to: Science and technology * Network theory, the study of graphs as a representation of relations between discrete objects * Network science, an academic field that studies complex networks Mathematic ...
utilities based on the
Secure Shell The Secure Shell Protocol (SSH) is a cryptographic network protocol for operating network services securely over an unsecured network. Its most notable applications are remote login and command-line execution. SSH applications are based ...
(SSH) protocol, which provides a
secure channel In cryptography, a secure channel is a means of data transmission that is resistant to overhearing and tampering. A confidential channel is a means of data transmission that is resistant to overhearing, or eavesdropping (e.g., reading the conten ...
over an unsecured network in a client–server architecture. Network Working Group of the IETF, January 2006, RFC 4252, The Secure Shell (SSH) Authentication Protocol. OpenSSH started as a
fork In cutlery or kitchenware, a fork (from la, furca 'pitchfork') is a utensil, now usually made of metal, whose long handle terminates in a head that branches into several narrow and often slightly curved tine (structural), tines with which one ...
of the free SSH program developed by Tatu Ylönen; later versions of Ylönen's SSH were
proprietary software Proprietary software is software that is deemed within the free and open-source software to be non-free because its creator, publisher, or other rightsholder or rightsholder partner exercises a legal monopoly afforded by modern copyright and i ...
offered by SSH Communications Security. OpenSSH was first released in 1999 and is currently developed as part of the
OpenBSD OpenBSD is a security-focused, free and open-source, Unix-like operating system based on the Berkeley Software Distribution (BSD). Theo de Raadt created OpenBSD in 1995 by forking NetBSD 1.0. According to the website, the OpenBSD project e ...
operating system An operating system (OS) is system software that manages computer hardware, software resources, and provides common daemon (computing), services for computer programs. Time-sharing operating systems scheduler (computing), schedule tasks for ef ...
. OpenSSH is not a single computer program, but rather a suite of programs that serve as alternatives to unencrypted protocols like
Telnet Telnet is an application protocol used on the Internet or local area network to provide a bidirectional interactive text-oriented communication facility using a virtual terminal connection. User data is interspersed in-band with Telnet control i ...
and FTP. OpenSSH is integrated into several operating systems, namely
Microsoft Windows Windows is a group of several proprietary graphical operating system families developed and marketed by Microsoft. Each family caters to a certain sector of the computing industry. For example, Windows NT for consumers, Windows Server for ...
,
macOS macOS (; previously OS X and originally Mac OS X) is a Unix operating system developed and marketed by Apple Inc. since 2001. It is the primary operating system for Apple's Mac computers. Within the market of desktop and la ...
and most
Linux Linux ( or ) is a family of open-source Unix-like operating systems based on the Linux kernel, an operating system kernel first released on September 17, 1991, by Linus Torvalds. Linux is typically packaged as a Linux distribution, whi ...
operating systems, while the
portable Portable may refer to: General * Portable building, a manufactured structure that is built off site and moved in upon completion of site and utility work * Portable classroom, a temporary building installed on the grounds of a school to provide ...
version is available as a package in other systems.


History

OpenBSD Secure Shell was created by
OpenBSD OpenBSD is a security-focused, free and open-source, Unix-like operating system based on the Berkeley Software Distribution (BSD). Theo de Raadt created OpenBSD in 1995 by forking NetBSD 1.0. According to the website, the OpenBSD project e ...
developers as an alternative to the original SSH software by Tatu Ylönen, which is now
proprietary software Proprietary software is software that is deemed within the free and open-source software to be non-free because its creator, publisher, or other rightsholder or rightsholder partner exercises a legal monopoly afforded by modern copyright and i ...
. Although
source code In computing, source code, or simply code, is any collection of code, with or without comments, written using a human-readable programming language, usually as plain text. The source code of a program is specially designed to facilitate the ...
is available for the original SSH, various restrictions are imposed on its use and distribution. OpenSSH was created as a
fork In cutlery or kitchenware, a fork (from la, furca 'pitchfork') is a utensil, now usually made of metal, whose long handle terminates in a head that branches into several narrow and often slightly curved tine (structural), tines with which one ...
of Björn Grönvall's OSSH that itself was a fork of Tatu Ylönen's original free SSH 1.2.12 release, which was the last one having a license suitable for forking. The OpenSSH developers claim that their application is more secure than the original, due to their policy of producing clean and
audit An audit is an "independent examination of financial information of any entity, whether profit oriented or not, irrespective of its size or legal form when such an examination is conducted with a view to express an opinion thereon.” Auditing ...
ed code and because it is released under the
BSD license BSD licenses are a family of permissive free software licenses, imposing minimal restrictions on the use and distribution of covered software. This is in contrast to copyleft licenses, which have share-alike requirements. The original BSD lice ...
, the
open-source license An open-source license is a type of license for computer software and other products that allows the source code, blueprint or design to be used, modified and/or shared under defined terms and conditions. This allows end users and commercial com ...
to which the word ''open'' in the name refers. OpenSSH first appeared in OpenBSD 2.6. The first portable release was made in October 1999. Developments since then have included the addition of ciphers (e.g.,
ChaCha20-Poly1305 ChaCha20-Poly1305 is an authenticated encryption with additional data (AEAD) algorithm, that combines the ChaCha20 stream cipher with the Poly1305 message authentication code. Its usage in IETF protocols is standardized in RFC 8439. It has fast ...
in 6.5 of January 2014), cutting the dependency on
OpenSSL OpenSSL is a software library for applications that provide secure communications over computer networks against eavesdropping or need to identify the party at the other end. It is widely used by Internet servers, including the majority of HT ...
(6.7, October 2014) and an extension to facilitate public-key discovery and rotation for trusted hosts (for transition from DSA to
Ed25519 In public-key cryptography, Edwards-curve Digital Signature Algorithm (EdDSA) is a digital signature scheme using a variant of Schnorr signature based on twisted Edwards curves. It is designed to be faster than existing digital signature schem ...
public host keys, version 6.8 of March 2015). On 19 October 2015,
Microsoft Microsoft Corporation is an American multinational technology corporation producing computer software, consumer electronics, personal computers, and related services headquartered at the Microsoft Redmond campus located in Redmond, Washi ...
announced that OpenSSH will be natively supported on
Microsoft Windows Windows is a group of several proprietary graphical operating system families developed and marketed by Microsoft. Each family caters to a certain sector of the computing industry. For example, Windows NT for consumers, Windows Server for ...
and accessible through
PowerShell PowerShell is a task automation and configuration management program from Microsoft, consisting of a command-line shell and the associated scripting language. Initially a Windows component only, known as Windows PowerShell, it was made open-sou ...
, releasing an early implementation and making the code publicly available. OpenSSH-based client and server programs have been included in
Windows 10 Windows 10 is a major release of Microsoft's Windows NT operating system. It is the direct successor to Windows 8.1, which was released nearly two years earlier. It was released to manufacturing on July 15, 2015, and later to retail on ...
since version 1803. The SSH client and key agent are enabled and available by default, and the SSH server is an optional Feature-on-Demand. In October 2019 protection for private keys at rest in RAM against speculation and memory side-channel attacks were added in OpenSSH 8.1.


Development

OpenSSH is developed as part of the OpenBSD
operating system An operating system (OS) is system software that manages computer hardware, software resources, and provides common daemon (computing), services for computer programs. Time-sharing operating systems scheduler (computing), schedule tasks for ef ...
. Rather than including changes for other operating systems directly into OpenSSH, a separate portability infrastructure is maintained by the OpenSSH Portability Team, and "portable releases" are made periodically. This infrastructure is substantial, partly because OpenSSH is required to perform
authentication Authentication (from ''authentikos'', "real, genuine", from αὐθέντης ''authentes'', "author") is the act of proving an assertion, such as the identity of a computer system user. In contrast with identification, the act of indicatin ...
, a capability that has many varying implementations. This model is also used for other OpenBSD projects such as OpenNTPD. The OpenSSH suite includes the following command-line utilities and daemons: * , a replacement for . * , a replacement for to copy files between computers. * , a replacement for , and to allow shell access to a remote machine. * and , utilities to ease authentication by holding keys ready and avoid the need to enter passphrases every time they are used. * , a tool to inspect and generate the RSA, DSA and elliptic-curve keys that are used for user and host
authentication Authentication (from ''authentikos'', "real, genuine", from αὐθέντης ''authentes'', "author") is the act of proving an assertion, such as the identity of a computer system user. In contrast with identification, the act of indicatin ...
. * , which scans a list of hosts and collects their public keys. * , the SSH server daemon. The OpenSSH server can authenticate users using the standard methods supported by the SSH protocol: with a password; public-key authentication, using per-user keys; host-based authentication, which is a secure version of 's host trust relationships using public keys; keyboard-interactive, a generic challenge–response mechanism, which is often used for simple password authentication, but which can also make use of stronger authenticators such as tokens; and Kerberos/
GSSAPI The Generic Security Service Application Program Interface (GSSAPI, also GSS-API) is an application programming interface for programs to access security services. The GSSAPI is an IETF standard that addresses the problem of many similar but inc ...
. The server makes use of authentication methods native to the host operating system; this can include using the BSD Authentication system or pluggable authentication modules (PAM) to enable additional authentication through methods such as
one-time password A one-time password (OTP), also known as a one-time PIN, one-time authorization code (OTAC) or dynamic password, is a password that is valid for only one login session or transaction, on a computer system or other digital device. OTPs avoid seve ...
s. However, this occasionally has side effects: when using PAM with OpenSSH, it must be run as
root In vascular plants, the roots are the organs of a plant that are modified to provide anchorage for the plant and take in water and nutrients into the plant body, which allows plants to grow taller and faster. They are most often below the su ...
, as root privileges are typically required to operate PAM. OpenSSH versions after 3.7 (16 September 2003) allow PAM to be disabled at run-time, so regular users can run sshd instances. On OpenBSD, OpenSSH uses a dedicated user by default to drop privileges and perform privilege separation in accordance with the
principle of least privilege In information security, computer science, and other fields, the principle of least privilege (PoLP), also known as the principle of minimal privilege (PoMP) or the principle of least authority (PoLA), requires that in a particular abstraction la ...
, applied throughout the operating system including the
Xenocara Xenocara is the OpenBSD build infrastructure for the project's customised X.Org Server that utilises a dedicated _x11 user by default to drop privileges and perform privilege separation in accordance to OpenBSD's " least privilege" policy. Unti ...
X server.


Features

OpenSSH includes the ability to set up a secured channel through which data sent to local, client-side
Unix domain sockets A Unix domain socket aka UDS or IPC socket (inter-process communication socket) is a data communications endpoint for exchanging data between processes executing on the same host operating system. It is also referred to by its address family AF_UN ...
or local, client-side TCP ports may be " forwarded" (sent across the secured channel) for routing on the server side; when this forwarding is set up, the server is instructed to send that forwarded data to some socket or TCP host/port (the host could be the server itself, "localhost"; or, the host may be some other computer, so that it appears to the other computer that the server is the originator of the data). The forwarding of data is bidirectional, meaning that any return communication is itself forwarded back to the client-side in the same manner; this is known as an " SSH tunnel", and it can be used to multiplex additional TCP connections over a single SSH connection since 2004, to conceal connections, to encrypt protocols that are otherwise unsecured, and to circumvent firewalls by sending/receiving all manner of data through one port that is allowed by the firewall. For example, an
X Window System The X Window System (X11, or simply X) is a windowing system for bitmap displays, common on Unix-like operating systems. X provides the basic framework for a GUI environment: drawing and moving windows on the display device and interacting wi ...
tunnel may be created automatically when using OpenSSH to connect to a remote host, and other protocols, such as
HTTP The Hypertext Transfer Protocol (HTTP) is an application layer protocol in the Internet protocol suite model for distributed, collaborative, hypermedia information systems. HTTP is the foundation of data communication for the World Wide We ...
and VNC, may be forwarded easily. Tunneling a TCP-''encapsulating'' payload (such as PPP) over a TCP-based connection (such as SSH's
port forwarding In computer networking, port forwarding or port mapping is an application of network address translation (NAT) that redirects a communication request from one address and port number combination to another while the packets are traversing a ne ...
) is known as "TCP-over-TCP", and doing so can induce a dramatic loss in transmission performance (a problem known as "TCP meltdown"), which is why
virtual private network A virtual private network (VPN) extends a private network across a public network and enables users to send and receive data across shared or public networks as if their computing devices were directly connected to the private network. The b ...
software may instead use for the tunnel connection a protocol simpler than TCP. However, this is often not a problem when using OpenSSH's port forwarding, because many use cases do not entail TCP-over-TCP tunneling; the meltdown is avoided because the OpenSSH client processes the local, client-side TCP connection in order to get to the actual payload that is being sent, and then sends that payload directly through the tunnel's own TCP connection to the server side, where the OpenSSH server similarly "unwraps" the payload in order to "wrap" it up again for routing to its final destination. In addition, some third-party software includes support for tunnelling over SSH. These include
DistCC In software development, distcc is a tool for speeding up compilation of source code by using distributed computing over a computer network. With the right configuration, distcc can dramatically reduce a project's compilation time. It is design ...
, CVS, rsync, and
Fetchmail Fetchmail is an open-source software utility for POSIX-compliant operating systems which is used to retrieve e-mail from a remote POP3, IMAP, or ODMR mail server to the user's local system. It was developed from thpopclientprogram, written by Car ...
. On some operating systems, remote
file system In computing, file system or filesystem (often abbreviated to fs) is a method and data structure that the operating system uses to control how data is stored and retrieved. Without a file system, data placed in a storage medium would be one larg ...
s can be mounted over SSH using tools such as sshfs (using
FUSE Fuse or FUSE may refer to: Devices * Fuse (electrical), a device used in electrical systems to protect against excessive current ** Fuse (automotive), a class of fuses for vehicles * Fuse (hydraulic), a device used in hydraulic systems to protect ...
). An ''ad hoc''
SOCKS A sock is a piece of clothing worn on the feet and often covering the ankle or some part of the calf. Some types of shoes or boots are typically worn over socks. In ancient times, socks were made from leather or matted animal hair. In the late ...
proxy server may be created using OpenSSH. This allows more flexible proxying than is possible with ordinary port forwarding. Beginning with version 4.3, OpenSSH implements an OSI layer 2/3
tun TUN or tun may refer to: Biology * Tun shells, large sea snails of the family '' Tonnidae'' * Tun, a tardigrade in its cryptobiotic state * Tun or Toon, common name for trees of the genus '' Toona'' Places * Tun, Sweden, a locality in Västra ...
-based VPN. This is the most flexible of OpenSSH's tunnelling capabilities, allowing applications to transparently access remote network resources without modifications to make use of SOCKS.


Supported public key types

OpenSSH supports the following public key types: * ssh- dss (disabled at run-time since OpenSSH 7.0 released in 2015) * ssh- rsa (disabled at run-time since OpenSSH 8.8 released in 2021) * ecdsa-
sha2 SHA-2 (Secure Hash Algorithm 2) is a set of cryptographic hash functions designed by the United States National Security Agency (NSA) and first published in 2001. They are built using the Merkle–Damgård construction, from a one-way compression ...
-nistp256 (since OpenSSH 5.7 released in 2011) * ecdsa-
sha2 SHA-2 (Secure Hash Algorithm 2) is a set of cryptographic hash functions designed by the United States National Security Agency (NSA) and first published in 2001. They are built using the Merkle–Damgård construction, from a one-way compression ...
-nistp384 (since OpenSSH 5.7) * ecdsa-
sha2 SHA-2 (Secure Hash Algorithm 2) is a set of cryptographic hash functions designed by the United States National Security Agency (NSA) and first published in 2001. They are built using the Merkle–Damgård construction, from a one-way compression ...
-nistp521 (since OpenSSH 5.7) * ssh-
ed25519 In public-key cryptography, Edwards-curve Digital Signature Algorithm (EdDSA) is a digital signature scheme using a variant of Schnorr signature based on twisted Edwards curves. It is designed to be faster than existing digital signature schem ...
(since OpenSSH 6.5 released in 2014) * rsa-
sha2 SHA-2 (Secure Hash Algorithm 2) is a set of cryptographic hash functions designed by the United States National Security Agency (NSA) and first published in 2001. They are built using the Merkle–Damgård construction, from a one-way compression ...
-256 (since OpenSSH 7.2 released in 2016) * rsa-
sha2 SHA-2 (Secure Hash Algorithm 2) is a set of cryptographic hash functions designed by the United States National Security Agency (NSA) and first published in 2001. They are built using the Merkle–Damgård construction, from a one-way compression ...
-512 (since OpenSSH 7.2) * ecdsa-sk (since OpenSSH 8.2 released in 2020) *
ed25519 In public-key cryptography, Edwards-curve Digital Signature Algorithm (EdDSA) is a digital signature scheme using a variant of Schnorr signature based on twisted Edwards curves. It is designed to be faster than existing digital signature schem ...
-sk (since OpenSSH 8.2) * NTRU Prime- x25519 (since OpenSSH 9.0)


Vulnerabilities

Before version 5.2 of OpenSSH, it was possible for an attacker to recover up to 14 bits of plaintext with a success probability of 2−14. The vulnerability was related to the CBC encryption mode. The AES CTR mode and arcfour ciphers are not vulnerable to this attack. A local privilege escalation vulnerability existed in OpenSSH 6.8 to 6.9 () due to world-writable (622) TTY devices, which was believed to be a
denial of service In computing, a denial-of-service attack (DoS attack) is a cyber-attack in which the perpetrator seeks to make a machine or network resource unavailable to its intended users by temporarily or indefinitely disrupting services of a host conne ...
vulnerability. With the use of the TIOCSTI
ioctl In computing, ioctl (an abbreviation of input/output control) is a system call for device-specific input/output operations and other operations which cannot be expressed by regular system calls. It takes a parameter specifying a request code; ...
, it was possible for authenticated users to inject characters into other users terminals and execute arbitrary commands on Linux. Malicious or compromised OpenSSH servers could read sensitive information on the client such as private login keys for other systems, using a vulnerability that relies on the undocumented connection-resuming feature of the OpenSSH client, which is called roaming, enabled by default on the client, but not supported on the OpenSSH server. This applies to versions 5.4 (released on 8 March 2010) to 7.1 of the OpenSSH client, and was fixed in OpenSSH 7.1p2, released on 14 January 2016. CVE numbers associated to this vulnerability are (information leak) and (buffer overflow).


Trademark

In February 2001, Tatu Ylönen, Chairman and CTO of SSH Communications Security informed the OpenSSH development mailing list that the company intended to assert its ownership of the "SSH" and "Secure Shell"
trademark A trademark (also written trade mark or trade-mark) is a type of intellectual property consisting of a recognizable sign, design, or expression that identifies products or services from a particular source and distinguishes them from ot ...
s, and sought to change references to the protocol to "SecSH" or "secsh", in order to maintain control of the "SSH" name. He proposed that OpenSSH change its name in order to avoid a lawsuit, a suggestion that developers resisted. OpenSSH developer Damien Miller replied urging Ylönen to reconsider, arguing that "SSH" had long since been a
generic trademark A generic trademark, also known as a genericized trademark or proprietary eponym, is a trademark or brand name that, because of its popularity or significance, has become the generic term for, or synonymous with, a general class of products ...
. At the time, "SSH", "Secure Shell" and "ssh" had appeared in documents proposing the protocol as an open standard. Without marking these within the proposal as registered trademarks, Ylönen ran the risk of relinquishing all exclusive rights to the name as a means of describing the protocol. Improper use of a trademark, or allowing others to use a trademark incorrectly, results in the trademark becoming a generic term, like
Kleenex Kleenex is a brand name for a variety of paper-based products such as facial tissue, bathroom tissue, paper towels, tampons, and diapers. Often used informally as a genericized trademark for facial tissue in the United States and Canada, the ...
or
Aspirin Aspirin, also known as acetylsalicylic acid (ASA), is a nonsteroidal anti-inflammatory drug (NSAID) used to reduce pain, fever, and/or inflammation, and as an antithrombotic. Specific inflammatory conditions which aspirin is used to treat inc ...
, which opens the mark to use by others. After study of the
USPTO The United States Patent and Trademark Office (USPTO) is an agency in the U.S. Department of Commerce that serves as the national patent office and trademark registration authority for the United States. The USPTO's headquarters are in Alexa ...
trademark database, many online pundits opined that the term "ssh" was not trademarked, merely the logo using the lower case letters "ssh". In addition, the six years between the company's creation and the time when it began to defend its trademark, and that only OpenSSH was receiving threats of legal repercussions, weighed against the trademark's validity. Both developers of OpenSSH and Ylönen himself were members of the IETF working group developing the new standard; after several meetings this group denied Ylönen's request to rename the protocol, citing concerns that it would set a bad precedent for other trademark claims against the IETF. The participants argued that both "Secure Shell" and "SSH" were generic terms and could not be trademarks.


See also

* Comparison of SSH clients *
Comparison of SSH servers An SSH server is a software program which uses the Secure Shell protocol to accept connections from remote computers. SFTP/ SCP file transfers and remote terminal connections are popular use cases for an SSH server. General Platform The ...
*
SSH File Transfer Protocol In computing, the SSH File Transfer Protocol (also known as Secure File Transfer Protocol or SFTP) is a network protocol that provides file access, file transfer, and file management over any reliable data stream. It was designed by the Inte ...
(SFTP)


Notes


References


External links

* * *
OpenSSH
at the Super User's BSD Cross Reference (BXR.SU)
OpenGrok OpenGrok is a source code search and cross-reference engine. It helps programmers to search, cross-reference, and navigate source code trees to aid code comprehension. It can understand various program file formats and version control histories ...

SSH OpenSSH - Windows CMD - SS64.com
{{Windows commands Cross-platform free software Cryptographic software Free network-related software Free security software SSH Secure Shell Free software programmed in C