“OpenSSH”的意思、由来-开放百科全书

OpenSSH started as a fork of the free SSH program developed by Tatu Ylönen; later versions of Ylönen's SSH were proprietary software offered by SSH Communications Security.{{r|itworld}} OpenSSH was first released in 1999, and is currently developed as part of the OpenBSD operating system.

OpenSSH is not a single computer program, but rather a suite of programs that serve as alternatives to unencrypted protocols like Telnet and FTP. OpenSSH is integrated into several operating systems,^[6]^[7] while the portable version is available as a package in other systems.^[8]^[9]^[10]

History

OpenSSH was created by OpenBSD developers as an alternative to the original SSH software by Tatu Ylönen, which is now proprietary software.^[11] Although source code is available for the original SSH, various restrictions are imposed on its use and distribution. OpenSSH was created as a fork of Björn Grönvall's OSSH that itself was a fork of Tatu Ylönen's original free SSH 1.2.12 release, which was the last one having a license suitable for forking.^[12] The OpenSSH developers claim that their application is more secure than the original, due to their policy of producing clean and audited code and because it is released under the BSD license, the open source license to which the word open in the name refers.

OpenSSH first appeared in OpenBSD 2.6. The first portable release was made in October 1999.^[13] Developments since then have included the addition of ciphers (e.g., chacha20-poly1305 in 6.5 of January 2014^[14]), cutting the dependency on OpenSSL (6.7, October 2014^[15]) and an extension to facilitate public key discovery and rotation for trusted hosts (for transition from DSA to Ed25519 public host keys, version 6.8 of March 2015^[16]).

On 19 October 2015, Microsoft announced that OpenSSH will be natively supported on Windows and accessible through Windows PowerShell, releasing an early implementation and making the code publicly available.^[17]

Development

OpenSSH is developed as part of the OpenBSD operating system. Rather than including changes for other operating systems directly into OpenSSH, a separate portability infrastructure is maintained by the OpenSSH Portability Team and "portable releases" are made periodically. This infrastructure is substantial, partly because OpenSSH is required to perform authentication, a capability that has many varying implementations. This model is also used for other OpenBSD projects such as OpenNTPD.

The OpenSSH server can authenticate users using the standard methods supported by the ssh protocol: with a password; public-key authentication, using per-user keys; host-based authentication, which is a secure version of {{Mono|rlogin}}'s host trust relationships using public keys; keyboard-interactive, a generic challenge-response mechanism that is often used for simple password authentication but which can also make use of stronger authenticators such as tokens; and Kerberos/GSSAPI. The server makes use of authentication methods native to the host operating system; this can include using the BSD Authentication system or Pluggable authentication modules (PAM) to enable additional authentication through methods such as one-time passwords. However, this occasionally has side-effects: when using PAM with OpenSSH it must be run as root, as root privileges are typically required to operate PAM. OpenSSH versions after 3.7 (16 September 2003) allow PAM to be disabled at run-time, so regular users can run sshd instances.

On OpenBSD, OpenSSH uses a dedicated {{Mono|sshd}} user by default to drop privileges and perform privilege separation in accordance with the principle of least privilege, applied throughout the operating system including the Xenocara X server.

Features

OpenSSH includes the ability to set up a secured channel through which data sent to local, client-side Unix domain sockets or local, client-side TCP ports may be "forwarded" (sent across the secured channel) for routing on the server side; when this forwarding is set up, the server is instructed to send that forwarded data to some socket or TCP host/port (the host could be the server itself, "localhost"; or, the host may be some other computer, so that it appears to the other computer that the server is the originator of the data). The forwarding of data is bidirectional, meaning that any return communication is itself forwarded back to the client-side in the same manner; this is known as an "SSH tunnel",^[18] and it can be used to multiplex additional TCP connections over a single SSH connection since 2004^[19], to conceal connections, to encrypt protocols that are otherwise unsecured, and to circumvent firewalls by sending/receiving all manner of data through one port that is allowed by the firewall. For example an X Window System tunnel may be created automatically when using OpenSSH to connect to a remote host, and other protocols, such as HTTP and VNC, may be forwarded easily.^[20]

Tunneling a TCP-encapsulating payload (such as PPP) over a TCP-based connection (such as SSH's port forwarding) is known as "TCP-over-TCP", and doing so can induce a dramatic loss in transmission performance (a problem known as "TCP meltdown"),^[21]^[22] which is why virtual private network software may instead use for the tunnel connection a protocol simpler than TCP. However, this is often not a problem when using OpenSSH's port forwarding, because many use cases do not entail TCP-over-TCP tunneling; the meltdown is avoided because the OpenSSH client processes the local, client-side TCP connection in order to get to the actual payload that is being sent, and then sends that payload directly through the tunnel's own TCP connection to the server side, where the OpenSSH server similarly "unwraps" the payload in order to "wrap" it up again for routing to its final destination.^[23]

In addition, some third-party software includes support for tunnelling over SSH. These include DistCC, CVS, rsync, and Fetchmail. On some operating systems, remote file systems can be mounted over SSH using tools such as sshfs (using FUSE).

An ad hoc SOCKS proxy server may be created using OpenSSH. This allows more flexible proxying than is possible with ordinary port forwarding.

Beginning with version 4.3, OpenSSH implements an OSI layer 2/3 tun-based VPN. This is the most flexible of OpenSSH's tunnelling capabilities, allowing applications to transparently access remote network resources without modifications to make use of SOCKS.^[24]

Vulnerabilities

In the case of using default configuration, the attacker's success probability for recovering 14 bits of plaintext is 2⁻¹⁴.^[25] The OpenSSH 5.2 release modified the behavior of the OpenSSH server^[26]^[27] to further mitigate against this vulnerability.

A privilege escalation vulnerability existed in OpenSSH 6.8 to 6.9 (CVE-2015-6565) due to world-writable (622) TTY devices, which was believed to be a "Denial of Service" vulnerability.^[28] With the use of the TIOCSTI ioctl, it was possible to inject characters into other users terminals and execute arbitrary commands on Linux.^[29]

Malicious or compromised OpenSSH servers could steal private login keys for other systems, using a vulnerability that relies on the undocumented connection-resuming feature of the OpenSSH client, which is called roaming, enabled by default on the client, but not supported on the OpenSSH server. This applies to versions 5.4 (released on 8 March 2010^[30]) to 7.1 of the OpenSSH client, and was fixed in OpenSSH 7.1p2, released on 14 January 2016. CVE numbers associated to this vulnerability are CVE-2016-0777 (information leak) and CVE-2016-0778 (buffer overflow).^[31]^[32]

Trademark

In February 2001, Tatu Ylönen, Chairman and CTO of SSH Communications Security informed the OpenSSH development mailing list, that the company intended to assert its ownership of the "SSH" and "Secure Shell" trademarks,^[33] and sought to change references to the protocol to "SecSH" or "secsh", in order to maintain control of the "SSH" name. He proposed that OpenSSH change its name in order to avoid a lawsuit, a suggestion that developers resisted. OpenSSH developer Damien Miller replied urging Ylönen to reconsider, arguing that "SSH" had since long been a generic trademark.^[34]

At the time, "SSH," "Secure Shell" and "ssh" had appeared in documents proposing the protocol as an open standard and it was hypothesised{{by whom|date=October 2015}} that by doing so, without marking these within the proposal as registered trademarks, Ylönen was relinquishing all exclusive rights to the name as a means of describing the protocol. Improper use of a trademark, or allowing others to use a trademark incorrectly, results in the trademark becoming a generic term, like Kleenex or Aspirin, which opens the mark to use by others.^[35] After study of the USPTO trademark database, many online pundits opined that the term "ssh" was not trademarked, merely the logo using the lower case letters "ssh." In addition, the six years between the company's creation and the time when it began to defend its trademark, and that only OpenSSH was receiving threats of legal repercussions, weighed against the trademark's validity.^[36]

Both developers of OpenSSH and Ylönen himself were members of the IETF working group developing the new standard; after several meetings this group denied Ylönen's request to rename the protocol, citing concerns that it would set a bad precedent for other trademark claims against the IETF. The participants argued that both "Secure Shell" and "SSH" were generic terms and could not be trademarks.^[37]

See also

Notes

References

1. ^{{cite web | url = http://www.openssh.com/txt/release-7.9 | title = OpenSSH 7.9 Release Notes | date = 19 October 2018 | accessdate = 20 October 2018}}
2. ^{{Cite web| title=OpenSSH Portable Release |url=https://www.openssh.com/portable.html |publisher=OpenBSD |access-date=15 October 2015}}
3. ^{{Cite web |url=https://www.openssh.com/specs.html |title=Specifications implemented by OpenSSH |publisher=The OpenBSD Project |website= The OpenBSD Project |access-date=14 October 2015}}
4. ^{{cite journal|last1=Venkatachalam|first1=Girish|title=The OpenSSH Protocol under the Hood|journal=Linux Journal|date=April 2007|issue=156|pages=74–77|postscript=Accessed via the Discovery Database at LSU}}
5. ^ Network Working Group of the IETF, January 2006, RFC 4252, The Secure Shell (SSH) Authentication Protocol
6. ^{{cite web|title = dragonfly.git/blob - crypto/openssh/README|url = https://gitweb.dragonflybsd.org/dragonfly.git/blob/HEAD:/crypto/openssh/README|website = gitweb.dragonflybsd.org|accessdate = 19 May 2016|quote = This is the port of OpenBSD's excellent OpenSSH to Linux and other Unices.}}
7. ^{{cite web|title = src/crypto/external/bsd/openssh/dist/README - view - 1.4|url = http://cvsweb.netbsd.org/bsdweb.cgi/src/crypto/external/bsd/openssh/dist/README?rev=1.4&content-type=text/x-cvsweb-markup&only_with_tag=MAIN|website = NetBSD CVS Repositories|accessdate = 19 May 2016}}
8. ^{{cite web|url = https://software.opensuse.org/package/openssh|title = openssh|work = OpenSUSE|accessdate = 17 May 2016}}
9. ^{{cite web|url = https://packages.debian.org/jessie/openssh-client|title = Debian -- Details of package openssh-client in jessie|work = Debian|accessdate = 17 May 2016}}
10. ^{{cite web|url = https://www.archlinux.org/packages/core/x86_64/openssh/|title = Arch Linux - openssh 7.2p2-1 (x86_64)|work = Arch Linux|accessdate = 17 May 2016}}
11. ^{{cite web | url = https://www.openssh.com/history.html | title = Project History and Credits | publisher = OpenBSD | accessdate = 8 April 2008}}
12. ^{{cite web |url=https://www.openssh.com/history.html |title=OpenSSH: Project History and Credits |date=22 December 2004|accessdate=27 February 2014 |publisher=openssh.com}}
13. ^{{cite web|url=http://freshmeat.net/projects/openssh/?branch_id=8267&release_id=26745 |title=Portable OpenSSH – Freecode |publisher=Freshmeat.net |date= |accessdate=11 February 2014}}
14. ^{{cite web |url=http://it.slashdot.org/story/13/12/11/173213/openssh-has-a-new-cipher-chacha20-poly1305-from-dj-bernstein |title= OpenSSH Has a New Cipher — Chacha20-poly1305 — from D.J. Bernstein |first=Constantine A. |last=Murenin |editor=Unknown Lamer |date=11 December 2013 |accessdate=26 December 2014 |publisher=Slashdot}}
15. ^{{cite web |url=http://it.slashdot.org/story/14/04/30/1822209/openssh-no-longer-has-to-depend-on-openssl |title= OpenSSH No Longer Has To Depend On OpenSSL |first=Constantine A. |last=Murenin |editor=Soulskill |date=30 April 2014 |accessdate=26 December 2014 |publisher=Slashdot}}
16. ^{{cite web |url=http://it.slashdot.org/story/15/02/01/0533208/openssh-will-feature-key-discovery-and-rotation-for-easier-switching-to-ed25519 |title= OpenSSH Will Feature Key Discovery and Rotation For Easier Switching To Ed25519 |first=Constantine A. |last=Murenin |editor=Soulskill |date=1 February 2015 |accessdate=1 February 2015 |publisher=Slashdot}}
17. ^{{cite web |url=http://blogs.msdn.com/b/powershell/archive/2015/10/19/openssh-for-windows-update.aspx |title= OpenSSH for Windows Update |date=19 October 2015 |accessdate=23 October 2015}}
18. ^{{cite web | url = https://man.openbsd.org/ssh.1 | title = OpenBSD manual pages: SSH | date = 3 July 2014 | accessdate = 14 July 2014 | website = openbsd.org}}
19. ^https://www.openssh.com/releasenotes.html
20. ^{{cite web|title=Features|url=https://www.openssh.com/features.html|website=OpenSSH|accessdate=26 June 2016}}
21. ^{{cite web| url=http://sites.inka.de/bigred/devel/tcp-tcp.html| title=Why TCP Over TCP Is A Bad Idea| first=Olaf| last=Titz| date=2001-04-23| accessdate=2015-10-17}}
22. ^{{Cite conference|author1=Honda, Osamu |author2=Ohsaki, Hiroyuki |author3=Imase, Makoto |conference = Performance, Quality of Service, and Control of Next-Generation Communication and Sensor Networks III|volume=6011 |pages=60110H |author4=Ishizuka, Mika |author5=Murayama, Junichi | date=October 2005| doi=10.1117/12.630496|bibcode = 2005SPIE.6011..138H|title = Understanding TCP over TCP: effects of TCP tunneling on end-to-end throughput and latency|series=Proceedings of Spie}}
23. ^{{cite mailing list| title=Re: Extensions for long fat networks?| date=2003-06-13| first=Dan| last=Kaminsky| author-link=Dan Kaminsky| mailing-list=openssh-unix-dev@mindrot.org| url=https://marc.info/?l=openssh-unix-dev&m=105554033415532| quote=the TCP forwarding code is pretty speedy as well. Just to pre-answer a question, ssh decapsulates and re-encapsulates TCP, so you don't have classic TCP-over-TCP issues.}}
24. ^{{cite web | url = https://www.openssh.com/txt/release-4.3 | title = OpenSSH 4.3 Release Notes | date = 1 February 2006 | accessdate = 14 July 2014 | website = openssh.com}}
25. ^[https://www.openssh.com/txt/cbc.adv OpenSSH Security Advisory CBC Attack]
26. ^[https://openssh.com/txt/release-5.2 OpenSSH 5.2 Release Notes]
27. ^{{cite web|url=https://bugzilla.redhat.com/show_bug.cgi?id=472068|title= Bug 472068 – CVE-2008-5161 OpenSSH: Plaintext Recovery Attack against CBC ciphers|website=Red Hat Bugzilla}}
28. ^[https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-6565 CVE-2015-6565]
29. ^OpenSSH PTY vulnerability
30. ^[https://lwn.net/Articles/377703/ OpenSSH 5.4 released]
31. ^{{cite web|url=https://www.theregister.co.uk/2016/01/14/openssh_is_wide_open_to_key_theft_thanks_to_roaming_flaw/|title=Evil OpenSSH servers can steal your private login keys to other systems – patch now|last=Thomson|first=Iain|work=The Register|date=14 January 2016}}
32. ^[https://www.openssh.com/txt/release-7.1p2 OpenSSH 7.1p2 has just been released.]
33. ^{{cite mailing list|url=http://marc.info/?l=openssh-unix-dev&m=98265248404463&w=2 |publisher=MARC |last=Ylonen |first=Tatu |title=SSH trademarks and the OpenSSH product name|mailing-list=openssh-unix-dev |date=14 February 2001|accessdate=11 February 2014}}
34. ^{{cite mailing list|url=http://marc.info/?l=openssh-unix-dev&m=98265248404477&w=2 |publisher=MARC |last=Miller|first=Damien|title=Re: SSH trademarks and the OpenSSH product name|mailing-list=openssh-unix-dev |date=14 February 2001|accessdate=11 February 2014}}
35. ^{{cite web|url=http://www.cnet.com/news/ssh-dont-use-that-trademark/|title=Ssh! Don't use that trademark - CNET News|last=Lemos|first=Robert|date=2 January 2002|website=CNET|accessdate=19 May 2016}}
36. ^{{Cite web|url=http://www.newsforge.com/article.pl?sid=01/02/16/1520247|title=NewsForge {{!}} Ylönen: We own ssh trademark, but here's a proposal|last=Ylonen|first=Tatu|date=1 March 2002|website=NewsForge|archive-url=https://web.archive.org/web/20020301095306/http://www.newsforge.com/article.pl?sid=01%2F02%2F16%2F1520247|archive-date=1 March 2002|access-date=20 May 2016|deadurl=yes|df=dmy-all}}
37. ^{{cite web|last=Duffy Marsan |first=Carolyn |url=http://www.itworld.com/itwnews-01322ssh |title=Secure Shell inventor denied trademark request |publisher=ITworld.com |date=22 March 2001|accessdate=8 September 2014}}