OpenSSH
OpenSSH (Open Secure Shell), a set of computer programs providing encrypted communication sessions over a computer network, was created as an open alternative to Secure Shell (SSH).
History
OpenSSH was created by the OpenBSD team as an open alternative to SSH, which is now proprietary software. Its developers claim that OpenSSH is more secure than the original, partly due to the reputation of the OpenBSD developers in emphasising clean and well-audited code, which in turn contributes to security. Its security is further attributed to the fact that its source code is released under an Open Source license, the BSD license (to which the "Open" in the name refers). Although source code is available for the original SSH, various restrictions are imposed on its use and distribution, making OpenSSH a more attractive project for many software developers.
OpenSSH 4.1 was released on May 26, 2005.
Portability
Because OpenSSH performs authentication, it runs into many differences between operating systems. The OpenSSH Portability Team is responsible for adding the code necessary for portability and for issuing "Portable releases".
Programs included
The OpenSSH suite includes:
- ssh (replaces rlogin and telnet)
ssh tero@example.com
- scp (replaces rcp)
scp tero@example.com:~/somefile .
- sftp (replaces ftp)
sftp tero@example.com
- sshd (the SSH daemon)
sshd
Secure tunnels
Most programs can be secured with OpenSSH, making it a strong alternative to VPN systems.
Any program that uses TCP connections (preferably a single TCP port) can be used through a secure tunnel. Some examples of easily tunneled programs are the X Window System, HTTP using a proxy, and VNC. An X Window System tunnel is often created automatically between two Unix computers, so GUI programs on remote computers can be run simply by typing their names:
ssh -Y tero@example.com
password:
$ xclock
Programs whose tunneling is possible but slightly complex are ftp (not needed because of sftp) and SMB.
Some programs call OpenSSH to create the tunnel, such as DistCC, CVS, rsync, and fetchmail.
Remote filesystems can be mounted through ssh using shfs, lufs or podfuk.
Authentication
The OpenSSH server authenticates users using its built-in authentication systems:
- publickey (id_rsa, authorized_keys)
- keyboard-interactive (password: and challenge-response)
- Kerberos/GSSAPI
Portable OpenSSH can also use PAM for authentication. PAM allows run-time selection of authentication methods and policy, and allows advanced authentication methods such as one-time passwords.
Portable OpenSSH versions older than 3.7 must run as root all the time when PAM support is enabled, as root privileges are typically required to operate PAM. More recent versions allow the usage of PAM to be disabled at run-time, so regular users can run sshd instances.
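An added example, not part of the original article or of OpenSSH itself: a small Python audit that reports which of the mechanisms listed above a server's global sshd_config leaves enabled, and whether PAM is switched on. It assumes the upstream default values and recent keyword names (KbdInteractiveAuthentication, with ChallengeResponseAuthentication as its deprecated alias), ignores Include files and Match blocks, and runs on a constructed sample configuration.

```python
# Upstream defaults from sshd_config(5); vendor builds may differ (assumption).
DEFAULTS = {
    "pubkeyauthentication": "yes",
    "passwordauthentication": "yes",
    "kbdinteractiveauthentication": "yes",
    "gssapiauthentication": "no",
    "usepam": "no",
}
# Deprecated alias that older configuration files still use.
ALIASES = {"challengeresponseauthentication": "kbdinteractiveauthentication"}
# Option keyword -> SSH authentication method name offered to clients.
METHODS = {
    "pubkeyauthentication": "publickey",
    "passwordauthentication": "password",
    "kbdinteractiveauthentication": "keyboard-interactive",
    "gssapiauthentication": "gssapi-with-mic",
}
SAMPLE = """\
# constructed sample, not taken from a real host
PubkeyAuthentication yes
passwordauthentication no
ChallengeResponseAuthentication no
PasswordAuthentication yes
UsePAM yes
Match User backup
    KbdInteractiveAuthentication yes
"""

def effective_auth_settings(config_text):
    """Return the value sshd would use globally for each tracked keyword."""
    seen = {}
    for raw in config_text.splitlines():
        parts = raw.strip().split()
        if len(parts) < 2 or parts[0].startswith("#"):
            continue
        key = parts[0].lower()              # keywords are case-insensitive
        if key == "match":                  # conditional blocks are not global
            break
        key = ALIASES.get(key, key)
        if key in DEFAULTS:
            seen.setdefault(key, parts[1])  # first occurrence wins
    return {**DEFAULTS, **seen}

def audit(config_text):
    """Return (sorted enabled method names, whether PAM is in use)."""
    s = effective_auth_settings(config_text)
    return sorted(METHODS[k] for k in METHODS if s[k] == "yes"), s["usepam"] == "yes"

if __name__ == "__main__":
    print(audit(SAMPLE))
```

The later `PasswordAuthentication yes` in the sample has no effect because sshd uses the first value it obtains for each keyword, which is why a line-by-line read of a long configuration can mislead.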
External links
- Home page: http://www.openssh.com/
- Portable releases: http://www.openssh.com/portable.html