OpenSSH

Jump to: navigation, search


OpenSSH (Open Secure Shell) is a set of computer programs providing encrypted communication sessions over a computer network using the SSH protocol. It was created as an open alternative to the proprietary Secure Shell software. The project is led by Theo de Raadt. Secure Shell or SSH is a network protocol that allows data to be exchanged over a secure channel between two computers. It was designed as secure replacement for telnet. It allows the user to login securely on a remote machine.
OpenSSH

Openssh.gif

openSSH gives you secure remote access to your computer


Developer: The OpenBSD Project
License: BSD License
Web: http://www.openssh.com

Tested on openSUSE


History

OpenSSH was created by the OpenBSD team as an alternative to SSH , which is now proprietary software. The OpenSSH developers claim that it is more secure than the original, due to their policy of producing clean and audited code and the fact, to which the word open in the name refers, that it is released under the open source BSD license. Although source code is available for the original SSH, various restrictions are imposed on its use and distribution, making OpenSSH a more attractive project for many software developers.

OpenSSH first appeared in OpenBSD 2.6. OpenSSH 4.3 was released on February 1, 2006 [1].


Trademark

In February of 2001, Tatu Ylönen, Chairman and CTO of SSH Communications Security informed the OpenSSH development mailing list, openssh-unix-dev@mindrot.org, that after speaking with key OpenSSH developers Markus Friedl, Theo de Raadt, and Niels Provos, the company would have to assert its ownership of the SSH and Secure Shell trademarks in order to protect them. Tatu also sought to change references to the protocol to SecSH or secsh, in order to maintain control of the name, he proposed having OpenSSH change it's name in order to avoid a lawsuit. Theo de Raadt refused outright to consider changing the project's name.

At the time, "SSH", "Secure Shell" and "ssh" were used in the documents proposing the protocol as an open standard and it was hypothesized by many that by doing so, without marking these within the proposal as registered trademarks, Tatu was relinquishing all exclusive rights to the name as a means of describing the protocol. This is because in the United States it is imperative that trademarks be used in advertising copy as adjectives, never as nouns or verbs. Improper use of a trademark, or allowing others to use a trademark incorrectly, results in the trademark becoming generic a generic term, like Kleenex or Aspirin, which opens the mark to use by others, via the public domain.

Also brought into question was if the name "ssh" was trademarked, or merely the logo using the lower case letters "ssh", many on-line pundits believed the latter, after study of the USPTO trademark database and also bringing doubt to the validity of the claim was the 6 years between the company's creation and the point in time when it began defending its trademark from free alternatives such as OpenSSH, and that only OpenSSH was receiving these threats of legal repercussions.

Both developers of OpenSSH and Ylönen himself were members of the IETF work-group developing the new standard, which after several meetings, denied Ylonen's request for a renaming of the protocol, citing concerns that it would set a bad precedent for other trademark claims against the IETF. The working group participants argued that both Secure Shell SSH were generic terms and that they could not be trademarks.


Portability

Partly because OpenSSH is required to perform authentication, a capability that has many varying implementations between different operating systems, it requires a substantial portability infrastructure. Rather than including this directly into OpenBSD and OpenSSH, it is developed separately as an addition under the auspices of the OpenSSH Portability Team and released as what are known as "portable releases". This model is also used for other OpenBSD projects such as OpenNTPD.


Software

In a normal openSUSE installation, the openSSH package is already installed. This package consists of the following software:

SSHD

This is the SSH Daemon. This daemon is run on the server side. As a default this program is already installed in openSUSE, but does not start during the boot process. Starting SSHD during boot can be set in Yast2 > System Services (Runlevels). Select “sshd” in the list and click enable.

The default listening port of SSHD is 22. Make sure this port is open in the Firewall. For configuration possibilities read "Configure openSSH"

SSH

This is the client side of the software. You can use this program to log on to any computer that is running the SSHD. Unless they restrict access on eg. host basis, of course.

SCP

SCP is based on RCP. It allows the user to copy files over a secure channel between computers. SCP is non interactive, meaning you will have to know where the file is you want to copy and you will have to make sure the destination path exists. It is a nice way to quickly transfer a single file or a directory (in recursive mode) to an other computer. If you are interested in a more interactive way of accessing, downloading and uploading your files, you probably want to use SFTP. Learn more about using SCP

SFTP

SFTP is designed as a replacement for FTP, it is not based on it. SFTP makes it possible to interactively transfer file between computers over a secure and encrypted channel. It is designed to be a replacement of tunneling FTP over and SSH connection, which can be a complicated thing. Learn more about using SFTP.


Secure tunnels / Port forwarding

Most programs making use of TCP connections can be passed over a secure tunnel using OpenSSH. This is used to multiplex additional TCP connections over a single ssh connection. It is useful for concealing connections and encrypting protocols which are otherwise unsecured, and for circumventing firewalls. UDP connections may sometimes be tunneled with the aid of programs such as netcat. Examples of easily tunneled programs include the X Window System, HTTP using a proxy and VNC. An X Window System tunnel is often created automatically between two Unix computers, so GUI programs from remote computers can be run simply by typing their names.

In addition, some software can be set to automatically make use of OpenSSH to create a tunnel. Examples include DistCC, CVS, rsync, and fetchmail. Programs where tunneling is possible but complex are FTP, which can often be replaced with SFTP in any case, and SMB. It is also possible to mount filesystems over ssh using sshfs.

OpenSSH has three kinds of tunneling options:

  • Local forward: allows te client to connect to a port on the server side.
  • Remote forward: allows the server to connect to a port on the client side.
  • Dynamic forward: acts like a ad-hoc SOCKS proxy, which connects to ports on te fly.
  • TUN based VPN: implements an OSI layer 2/3 "tun"-based VPN. This is the most flexible of OpenSSH's tunneling capabilities, allowing applications to transparently access remote network resources without "socksification."

Learn more about openSSH tunnels


Authentication methods

OpenSSH server can authenticate users using its built-in authentication systems:

In addition, OpenSSH can often make use of additional authentication methods available on its host operating system. This can include using the BSD authentication system (bsd_auth) or PAM to enable authentication through methods such as one time passwords.


See also


External links