Jump to content

OpenSSH/Overview

100% developed
From Wikibooks, open books for an open world

The OpenSSH suite provides secure remote access and file transfer. Since its initial release, it has grown to become the most widely used implementation of the SSH protocol. During the first ten years of its existence, ssh has largely replaced older corresponding unencrypted tools and protocols. The OpenSSH client is included by default in most operating system distributions, including MacOS, Linux, BSD, AIX and Solaris. Any day you use the Internet, you are using and relying on dozens if not hundreds of machines operated and maintained using OpenSSH. A survey in 2008 showed that of the SSH servers found running, just over 80% were OpenSSH. [1]

OpenSSH was first released towards the end of 1999. It is the latest step in a very long and useful history of networked commuting, remote access and telecommuting.

History of OpenSSH

[edit | edit source]

The first release of OpenSSH was in December 1999 as part of OpenBSD 2.6. The source code was originally derived from a re-write of the last available open version, ssh 1.2.12 specifically, of SSH[2]. SSH went on to become Tectia SSH.


Ongoing development of OpenSSH is done by the OpenBSD group. Core development occurs first on OpenBSD, then portability teams bring the changes to other platforms. OpenSSH is an integral part of as good as all server systems today and a good many network appliances such as routers, switches and networked storage. The first steps were in many ways the biggest.

The Early Days of Remote Access

[edit | edit source]

Some of the tools that inspired the need for SSH have been around since the beginning, too, or very near the beginning of the Internet. Remote access has been a fundamental part of the concept since the idea stage and the nature and capabilities of this access has evolved as the network has evolved in scale, scope and usage. See the web version of the Lévénez Unix Timeline[3] by Éric Lévénez for an overview of systems development and the web version of Hobbes' Internet Timeline[4] by Robert H Zakon for an overview of the development of the Internet.

1969

  • Telnet was one of the original ARPAnet application protocols, named in RFC 15 from September 1969. It was used to access a host at a remote site locally. Telnet was described starting two years later in RFC 137, RFC 139, RFC 318 and others, including RFC 97. That is as good a turning point as any to delineate Telnet.

1971

  • Thompson Shell, by Ken Thompson, was an improvement on the old text-based user interface, the shell. This new one allowed redirects but was only a user interface and not for scripting.
  • In the same year FTP, the file transfer protocol, was described in RFC 114. A key goal was to promote use of computers over the net by allowing users at any host on the network to use the file system of any cooperating host.

1978

  • Bill Joy created BSD's C shell which is named for the C-like syntax it uses. It allows job control, history substitution, and aliases, which features we find in today's interfaces.
  • In the same year, the Bourne Shell by Steve Bourne at Bell Labs [5] was created. It is the progenitor to the default shells used in most distros today: ksh and bash.

1983

  • The remote file copy utility, rcp, appeared in 4.2 BSD. rcp copied files across the net to other hosts using rsh, which also appeared staring 4.2 BSD, to perform its operations. Like telnet and ftp, all passwords, user names, and data are transmitted unencrypted in clear text. Both rsh and rcp were part of the rlogin suite.

1991

  • PGP, written at MIT by Philip Zimmermann[6], charted new waters for encrypted electronic communications with the goals of preserving civil liberties online, ensuring individual privacy, keeping encryption legal in the USA, and protecting business communications. Like SSH it uses asymmetric encryption with public / private key pairs.

1993

  • Kerberos V (RFC 1510) authentication service from MIT's project Athena [7] provides a means for authentication over an open, unsecure network. Kerberos got its original start in 1988.

SSH - open then closed

[edit | edit source]

1995

  • Tatu Ylönen at the then Helsinki University of Technology developed the first SSH protocol and programs, releasing them under an open license[8] as per the norm in computer science, software engineering, and advanced development. [9]

1995?

  • Björn Grönvall dug out the most recent open version of ssh, version 1.2.12[10] [11]. He and Holger Trapp did the initial work to free the distribution, resulting in OSSH

1996

  • The SSH2 protocol is defined

OpenSSH

[edit | edit source]

1999

  • OpenSSH begins based on OSSH. Niels Provos, Theo de Raadt, Markus Friedl developed the cryptographic components during the port to OpenBSD which became the OpenSSH we know today. Dug Song, Aaron Campbell and many others provided various non-crypto contributions. openssl library issues were sorted by Bob Beck. Damien Miller, Philip Hands, and others started porting OpenSSH to Linux. Finally OpenSSH 1.2.2 was release shipped with OpenBSD 2.6 in December 1, 1999.[12]

2000

  • Markus Friedl added SSH 2 protocol support to OpenSSH version 2.0, which was released in June.[13] OpenSSH 2.0 shipped with OpenBSD 2.7. Niels Provos and Theo de Raadt did most of the checking. Bob Beck updated OpenSSL. Markus also added support for the SFTP protocol later that same year.
  • In September of 2000, the long wait in the USA for the patents on the RSA algorithms to expire was over. In the European Union the European Patent Convention of 1972 frees software, algorithms, business methods or literature, unlike the unfortunate, anti-business situation in the USA. This freedom in Europe hangs by a thread at the moment.
  • SSH Tectia changes licenses again.

2001

  • Damien Miller completed the SFTP client which was released in February.
  • SSH2 became the default protocol

2008

  • Built-in chroot support for sshd.

2010

  • As of OpenSSH 5.4, the legacy protocol SSH1 is finally disabled by default.

2014

  • As of OpenSSH 6.7, both the base and the portable versions of OpenSSH can build against LibreSSL instead of OpenSSL for certain cryptographic functions.

2016

  • OpenSSH 7.4 removes server support for the SSH1 legacy protocol.

2023

  • OpenSSH 9.5 ssh-keygen(1) generates Ed25519 keys by default instead of old RSA keys.

Note: OpenSSH can be used anywhere in the whole world because it uses only algorithms unencumbered by software patents, business method patents, algorithm patents, and so on. These types of patents do not apply in Europe, only physical inventions can be patented in Europe, but there are regions of the world where these problems do occur. Small and medium businesses in Europe have been active in politics to keep the advantage.

Why Use OpenSSH?

[edit | edit source]

A lot has changed since the commercialization of the Internet began in 1996. It was once a University and Government research network and if you were on the net back then, odds were you were supposed to be there. Though it was far from being utopia, any misbehavior could usually be quickly narrowed down to the individuals involved and dealt with easily, usually with no more than a phone call or a few e-mails. Few, if any, sessions back then were encrypted and both passwords and user names were passed in clear text.

By then, the WWW was more than a few years under way and undergoing explosive growth. The estimated number of web servers online in 1996 grew from 100,000 at the beginning of the year to close to 650,000 by the end of the same year[14]. When other types of servers are included in those figures, the estimated year-end number was over 16,000,000 hosts, representing approximately 828,000 domains.[14]

Nowadays, hosts are subject to hostile scans from the moment they are connected to the network. Any and all unencrypted traffic is scanned and parsed for user names, passwords, and other sensitive information. Currently, the biggest espionage threats come from private companies, but governments, individuals, and organized crime are not without a presence.

Each connection from one host to another goes through many networks and each packet may take the same or a different route there and back again. This example shows thirteen hops among three organizations from a student computer to a search engine:

% /usr/sbin/traceroute -n www.google.com
traceroute: Warning: www.google.com has multiple addresses; using 74.125.95.106
traceroute to www.l.google.com (74.125.95.106), 30 hops max, 40 byte packets
 1 xx.xx.xx.xx           0.419 ms	0.220 ms	0.213 ms	University of Michigan
 2 xx.xx.xx.xx           0.446 ms	0.349 ms	0.315 ms	Merit Network, Inc.
 3 xx.xx.xx.xx           0.572 ms	0.513 ms	0.525 ms	University of Michigan
 4 xx.xx.xx.xx           0.472 ms	0.425 ms	0.402 ms	University of Michigan
 5 xx.xx.xx.xx           0.647 ms	0.551 ms	0.561 ms	University of Michigan
 6 xx.xx.xx.xx           0.945 ms	0.912 ms	0.865 ms	University of Michigan
 7 xx.xx.xx.xx           6.478 ms	6.503 ms	6.489 ms	Merit Network, Inc.
 8 xx.xx.xx.xx	         6.597 ms	6.590 ms	6.604 ms	Merit Network, Inc.
 9 216.239.48.154       64.935 ms	6.848 ms	6.793 ms	Google, Inc.
10 72.14.232.141        17.606 ms	17.581 ms	17.680 ms	Google, Inc.
11 209.85.241.27        17.736 ms	17.592 ms	17.519 ms	Google, Inc.
12 72.14.239.193        17.767 ms	17.778 ms	17.930 ms	Google, Inc.
13 74.125.95.106        17.903 ms	17.835 ms	17.867 ms	Google, Inc.:


The net is big. It is not uncommon to find a trail of 15 to 20 hops between client and server nowadays. Any machine on any of the subnets the packets travel over can eavesdrop with little difficulty if the packets are not well encrypted.

What OpenSSH Does

[edit | edit source]

The OpenSSH suite gives the following:

  • Encrypted remote access, including tunneling insecure protocols.
  • Encrypted file transfer
  • Run remote commands, programs or scripts and, as mentioned,
  • Replacement for rsh, rlogin, telnet and ftp

More concretely, that means that the following undesirable activities are prevented:

  • Eavesdropping of data transmitted over the network.
  • Manipulation of data at intermediate elements in the network (e.g. routers).
  • Address spoofing where an attack hosts pretends to be a trusted host by sending packets with the source address of the trusted host.
  • IP source routing

As a free software project, OpenSSH provides:

  • Open Standards
  • Flexible License - freedom emphasized for developers
  • Strong Encryption using these ciphers:
    • AES
    • ChaCha20[15]
    • RSA
    • ECDSA
    • Ed25519
  • Strong Authentication, supported methods: gssapi-with-mic, hostbased, keyboard-interactive, none , password and publickey[16]
    • Public Key: can authenticate using multiple keys since March 2015 (OpenSSH 6.8)[17]
    • Single Use Passwords
    • Kerberos
    • Dongles
  • Built-in SFTP
  • Data Compression
  • Port Forwarding
    • Encrypt legacy protocols
    • Encrypted X11 forwarding for X Window System
  • Key Agents
  • Single Sign-on using
    • Authentication Keys
    • Agent Forwarding
    • Ticket Passing
    • Kerberos
    • AFS

What OpenSSH Doesn't Do

[edit | edit source]

OpenSSH is a very useful tool, but much of its effectiveness depends on correct use. It cannot protect from any of the following situations.

  • Misconfiguration, misuse, or abuse.
  • Compromised systems, particularly where the root account is compromised.
  • Insecure or inappropriate directory settings, particularly home directory settings.

OpenSSH must be properly configured and on a properly configured system in order to be of benefit. Arranging both is not difficult, but since each system is unique, there is no one-size-fits-all solution. The right configuration is dependent on the uses the system and OpenSSH are put to.

If you login from a host to a server and an attacker has control of root on either side, he can listen to your session by reading from the pseudo-terminal device because even though SSH is encrypted on the network it must communicate in clear text with the terminal device.

If an attacker can change files in your home directory, for example via a networked file system, he may be able to fool SSH.

Last but not least, if OpenSSH is set to allow everyone in, whether on purpose or by accident, it will.



References

[edit | edit source]
  1. "Statistics from the current scan results". OpenSSH.com. 2008.
  2. "OpenSSH History". OpenSSH. Retrieved 2012-11-17.
  3. "UNIX History Timeline". Éric Lévénez. Retrieved 2011-02-17.
  4. "Hobbes' Internet Timeline". Robert H'obbes' Zakon. Retrieved 2011-02-17.
  5. Howard Dahdah (2009). "The A-Z of Programming Languages: Bourne shell, or sh". Computerworld. Retrieved 2011-02-18.
  6. Phil Zimmermann (1991). "Why I Wrote PGP". Massachusetts Institute of Technology. Retrieved 2011-02-18.
  7. Bill Bryant; Theodor Ts'o (1988). "Designing an Authentication System: a Dialogue in Four Scenes". Retrieved 2011-02-17.
  8. "Help:SSH 1.0.0 license". FUNET. Retrieved 2013-04-13.
  9. Tatu Ylönen (1995-07-12). "ANNOUNCEMENT: Ssh (Secure Shell) Remote Login Program". news://comp.security.unix. Retrieved 2011-11-26. {{cite web}}: External link in |publisher= (help)
  10. "Help:SSH 1.2.12 license". friedl. Retrieved 2011-02-17.
  11. "Help:SSH 1.2.12.92 license". friedl. Retrieved 2011-02-17.
  12. https://www.openssh.com/history.html
  13. "OpenSSH Project History and Credits". OpenSSH. Retrieved 2011-03-10.
  14. a b Robert H'obbes' Zakon. "Hobbes' Internet Timeline". Zakon Group LLC. Retrieved 2011-02-17.
  15. Damien Miller (2013-11-29). "ChaCha20 and Poly1305 in OpenSSH". Retrieved 2014-04-26.
  16. https://linux.die.net/man/5/sshd_config
  17. https://lists.mindrot.org/pipermail/openssh-unix-announce/2015-March/000120.html