Annotation of src/usr.bin/ssh/README, Revision 1.3
1.3 ! markus 1:
! 2: [ Please note that this file has not been updated for OpenSSH and
! 3: covers the ssh-1.2.12 release from Dec 1995 only. ]
! 4:
1.1 deraadt 5: Ssh (Secure Shell) is a program to log into another computer over a
6: network, to execute commands in a remote machine, and to move files
7: from one machine to another. It provides strong authentication and
1.2 deraadt 8: secure communications over insecure channels. It is intended as a
1.1 deraadt 9: replacement for rlogin, rsh, rcp, and rdist.
10:
11: See the file INSTALL for installation instructions. See COPYING for
12: license terms and other legal issues. See RFC for a description of
13: the protocol. There is a WWW page for ssh; see http://www.cs.hut.fi/ssh.
14:
15: This file has been updated to match ssh-1.2.12.
16:
17:
18: FEATURES
19:
20: o Strong authentication. Closes several security holes (e.g., IP,
21: routing, and DNS spoofing). New authentication methods: .rhosts
22: together with RSA based host authentication, and pure RSA
23: authentication.
24:
25: o Improved privacy. All communications are automatically and
26: transparently encrypted. RSA is used for key exchange, and a
27: conventional cipher (normally IDEA, DES, or triple-DES) for
28: encrypting the session. Encryption is started before
29: authentication, and no passwords or other information is
30: transmitted in the clear. Encryption is also used to protect
31: against spoofed packets.
32:
33: o Secure X11 sessions. The program automatically sets DISPLAY on
34: the server machine, and forwards any X11 connections over the
35: secure channel. Fake Xauthority information is automatically
36: generated and forwarded to the remote machine; the local client
37: automatically examines incoming X11 connections and replaces the
38: fake authorization data with the real data (never telling the
39: remote machine the real information).
40:
41: o Arbitrary TCP/IP ports can be redirected through the encrypted channel
42: in both directions (e.g., for e-cash transactions).
43:
44: o No retraining needed for normal users; everything happens
45: automatically, and old .rhosts files will work with strong
46: authentication if administration installs host key files.
47:
48: o Never trusts the network. Minimal trust on the remote side of
49: the connection. Minimal trust on domain name servers. Pure RSA
50: authentication never trusts anything but the private key.
51:
52: o Client RSA-authenticates the server machine in the beginning of
53: every connection to prevent trojan horses (by routing or DNS
54: spoofing) and man-in-the-middle attacks, and the server
55: RSA-authenticates the client machine before accepting .rhosts or
56: /etc/hosts.equiv authentication (to prevent DNS, routing, or
57: IP-spoofing).
58:
59: o Host authentication key distribution can be centrally by the
60: administration, automatically when the first connection is made
61: to a machine (the key obtained on the first connection will be
62: recorded and used for authentication in the future), or manually
63: by each user for his/her own use. The central and per-user host
64: key repositories are both used and complement each other. Host
65: keys can be generated centrally or automatically when the software
66: is installed. Host authentication keys are typically 1024 bits.
67:
68: o Any user can create any number of user authentication RSA keys for
69: his/her own use. Each user has a file which lists the RSA public
70: keys for which proof of possession of the corresponding private
71: key is accepted as authentication. User authentication keys are
72: typically 1024 bits.
73:
74: o The server program has its own server RSA key which is
75: automatically regenerated every hour. This key is never saved in
76: any file. Exchanged session keys are encrypted using both the
77: server key and the server host key. The purpose of the separate
78: server key is to make it impossible to decipher a captured session by
79: breaking into the server machine at a later time; one hour from
80: the connection even the server machine cannot decipher the session
81: key. The key regeneration interval is configurable. The server
82: key is normally 768 bits.
83:
84: o An authentication agent, running in the user's laptop or local
85: workstation, can be used to hold the user's RSA authentication
86: keys. Ssh automatically forwards the connection to the
87: authentication agent over any connections, and there is no need to
88: store the RSA authentication keys on any machine in the network
89: (except the user's own local machine). The authentication
90: protocols never reveal the keys; they can only be used to verify
91: that the user's agent has a certain key. Eventually the agent
92: could rely on a smart card to perform all authentication
93: computations.
94:
95: o The software can be installed and used (with restricted
96: functionality) even without root privileges.
97:
98: o The client is customizable in system-wide and per-user
99: configuration files. Most aspects of the client's operation can
100: be configured. Different options can be specified on a per-host basis.
101:
102: o Automatically executes conventional rsh (after displaying a
103: warning) if the server machine is not running sshd.
104:
105: o Optional compression of all data with gzip (including forwarded X11
106: and TCP/IP port data), which may result in significant speedups on
107: slow connections.
108:
109: o Complete replacement for rlogin, rsh, and rcp.
110:
111:
112: WHY TO USE SECURE SHELL
113:
114: Currently, almost all communications in computer networks are done
115: without encryption. As a consequence, anyone who has access to any
116: machine connected to the network can listen in on any communication.
117: This is being done by hackers, curious administrators, employers,
118: criminals, industrial spies, and governments. Some networks leak off
119: enough electromagnetic radiation that data may be captured even from a
120: distance.
121:
122: When you log in, your password goes in the network in plain
123: text. Thus, any listener can then use your account to do any evil he
124: likes. Many incidents have been encountered worldwide where crackers
125: have started programs on workstations without the owners knowledge
126: just to listen to the network and collect passwords. Programs for
127: doing this are available on the Internet, or can be built by a
128: competent programmer in a few hours.
129:
130: Any information that you type or is printed on your screen can be
131: monitored, recorded, and analyzed. For example, an intruder who has
132: penetrated a host connected to a major network can start a program
133: that listens to all data flowing in the network, and whenever it
134: encounters a 16-digit string, it checks if it is a valid credit card
135: number (using the check digit), and saves the number plus any
136: surrounding text (to catch expiration date and holder) in a file.
137: When the intruder has collected a few thousand credit card numbers, he
138: makes smallish mail-order purchases from a few thousand stores around
139: the world, and disappears when the goods arrive but before anyone
140: suspects anything.
141:
142: Businesses have trade secrets, patent applications in preparation,
143: pricing information, subcontractor information, client data, personnel
144: data, financial information, etc. Currently, anyone with access to
145: the network (any machine on the network) can listen to anything that
146: goes in the network, without any regard to normal access restrictions.
147:
148: Many companies are not aware that information can so easily be
149: recovered from the network. They trust that their data is safe
150: since nobody is supposed to know that there is sensitive information
151: in the network, or because so much other data is transferred in the
152: network. This is not a safe policy.
153:
154: Individual persons also have confidential information, such as
155: diaries, love letters, health care documents, information about their
156: personal interests and habits, professional data, job applications,
157: tax reports, political documents, unpublished manuscripts, etc.
158:
159: One should also be aware that economical intelligence and industrial
160: espionage has recently become a major priority of the intelligence
161: agencies of major governments. President Clinton recently assigned
162: economical espionage as the primary task of the CIA, and the French
163: have repeatedly been publicly boasting about their achievements on
164: this field.
165:
166:
167: There is also another frightening aspect about the poor security of
168: communications. Computer storage and analysis capability has
169: increased so much that it is feasible for governments, major
170: companies, and criminal organizations to automatically analyze,
171: identify, classify, and file information about millions of people over
172: the years. Because most of the work can be automated, the cost of
173: collecting this information is getting very low.
174:
175: Government agencies may be able to monitor major communication
176: systems, telephones, fax, computer networks, etc., and passively
177: collect huge amounts of information about all people with any
178: significant position in the society. Most of this information is not
179: sensitive, and many people would say there is no harm in someone
180: getting that information. However, the information starts to get
181: sensitive when someone has enough of it. You may not mind someone
182: knowing what you bought from the shop one random day, but you might
183: not like someone knowing every small thing you have bought in the last
184: ten years.
185:
186: If the government some day starts to move into a more totalitarian
187: direction (one should remember that Nazi Germany was created by
188: democratic elections), there is considerable danger of an ultimate
189: totalitarian state. With enough information (the automatically
190: collected records of an individual can be manually analyzed when the
191: person becomes interesting), one can form a very detailed picture of
192: the individual's interests, opinions, beliefs, habits, friends,
193: lovers, weaknesses, etc. This information can be used to 1) locate
194: any persons who might oppose the new system 2) use deception to
195: disturb any organizations which might rise against the government 3)
196: eliminate difficult individuals without anyone understanding what
197: happened. Additionally, if the government can monitor communications
198: too effectively, it becomes too easy to locate and eliminate any
199: persons distributing information contrary to the official truth.
200:
201: Fighting crime and terrorism are often used as grounds for domestic
202: surveillance and restricting encryption. These are good goals, but
203: there is considerable danger that the surveillance data starts to get
204: used for questionable purposes. I find that it is better to tolerate
205: a small amount of crime in the society than to let the society become
206: fully controlled. I am in favor of a fairly strong state, but the
207: state must never get so strong that people become unable to spread
208: contra-offical information and unable to overturn the government if it
209: is bad. The danger is that when you notice that the government is
210: too powerful, it is too late. Also, the real power may not be where
211: the official government is.
212:
213: For these reasons (privacy, protecting trade secrets, and making it
214: more difficult to create a totalitarian state), I think that strong
215: cryptography should be integrated to the tools we use every day.
216: Using it causes no harm (except for those who wish to monitor
217: everything), but not using it can cause huge problems. If the society
218: changes in undesirable ways, then it will be to late to start
219: encrypting.
220:
221: Encryption has had a "military" or "classified" flavor to it. There
222: are no longer any grounds for this. The military can and will use its
223: own encryption; that is no excuse to prevent the civilians from
224: protecting their privacy and secrets. Information on strong
225: encryption is available in every major bookstore, scientific library,
226: and patent office around the world, and strong encryption software is
227: available in every country on the Internet.
228:
229: Some people would like to make it illegal to use encryption, or to
230: force people to use encryption that governments can break. This
231: approach offers no protection if the government turns bad. Also, the
232: "bad guys" will be using true strong encryption anyway. Good
233: encryption techniques are too widely known to make them disappear.
234: Thus, any "key escrow encryption" or other restrictions will only help
235: monitor ordinary people and petty criminals. It does not help against
236: powerful criminals, terrorists, or espionage, because they will know
237: how to use strong encryption anyway. (One source for internationally
238: available encryption software is http://www.cs.hut.fi/crypto.)
239:
240:
241: OVERVIEW OF SECURE SHELL
242:
243: The software consists of a number of programs.
244:
245: sshd Server program run on the server machine. This
246: listens for connections from client machines, and
247: whenever it receives a connection, it performs
248: authentication and starts serving the client.
249:
250: ssh This is the client program used to log into another
251: machine or to execute commands on the other machine.
252: "slogin" is another name for this program.
253:
254: scp Securely copies files from one machine to another.
255:
256: ssh-keygen Used to create RSA keys (host keys and user
257: authentication keys).
258:
259: ssh-agent Authentication agent. This can be used to hold RSA
260: keys for authentication.
261:
262: ssh-add Used to register new keys with the agent.
263:
264: make-ssh-known-hosts
265: Used to create the /etc/ssh_known_hosts file.
266:
267:
268: Ssh is the program users normally use. It is started as
269:
270: ssh host
271:
272: or
273:
274: ssh host command
275:
276: The first form opens a new shell on the remote machine (after
277: authentication). The latter form executes the command on the remote
278: machine.
279:
280: When started, the ssh connects sshd on the server machine, verifies
281: that the server machine really is the machine it wanted to connect,
282: exchanges encryption keys (in a manner which prevents an outside
283: listener from getting the keys), performs authentication using .rhosts
284: and /etc/hosts.equiv, RSA authentication, or conventional password
285: based authentication. The server then (normally) allocates a
286: pseudo-terminal and starts an interactive shell or user program.
287:
288: The TERM environment variable (describing the type of the user's
289: terminal) is passed from the client side to the remote side. Also,
290: terminal modes will be copied from the client side to the remote side
291: to preserve user preferences (e.g., the erase character).
292:
293: If the DISPLAY variable is set on the client side, the server will
294: create a dummy X server and set DISPLAY accordingly. Any connections
295: to the dummy X server will be forwarded through the secure channel,
296: and will be made to the real X server from the client side. An
297: arbitrary number of X programs can be started during the session, and
298: starting them does not require anything special from the user. (Note
299: that the user must not manually set DISPLAY, because then it would
300: connect directly to the real display instead of going through the
301: encrypted channel). This behavior can be disabled in the
302: configuration file or by giving the -x option to the client.
303:
304: Arbitrary IP ports can be forwarded over the secure channel. The
305: program then creates a port on one side, and whenever a connection is
306: opened to this port, it will be passed over the secure channel, and a
307: connection will be made from the other side to a specified host:port
308: pair. Arbitrary IP forwarding must always be explicitly requested,
309: and cannot be used to forward privileged ports (unless the user is
310: root). It is possible to specify automatic forwards in a per-user
311: configuration file, for example to make electronic cash systems work
312: securely.
313:
314: If there is an authentication agent on the client side, connection to
315: it will be automatically forwarded to the server side.
316:
317: For more infomation, see the manual pages ssh(1), sshd(8), scp(1),
318: ssh-keygen(1), ssh-agent(1), ssh-add(1), and make-ssh-known-hosts(1)
319: included in this distribution.
320:
321:
322: X11 CONNECTION FORWARDING
323:
324: X11 forwarding serves two purposes: it is a convenience to the user
325: because there is no need to set the DISPLAY variable, and it provides
326: encrypted X11 connections. I cannot think of any other easy way to
327: make X11 connections encrypted; modifying the X server, clients or
328: libraries would require special work for each machine, vendor and
329: application. Widely used IP-level encryption does not seem likely for
330: several years. Thus what we have left is faking an X server on the
331: same machine where the clients are run, and forwarding the connections
332: to a real X server over the secure channel.
333:
334: X11 forwarding works as follows. The client extracts Xauthority
335: information for the server. It then creates random authorization
336: data, and sends the random data to the server. The server allocates
337: an X11 display number, and stores the (fake) Xauthority data for this
338: display. Whenever an X11 connection is opened, the server forwards
339: the connection over the secure channel to the client, and the client
340: parses the first packet of the X11 protocol, substitutes real
341: authentication data for the fake data (if the fake data matched), and
342: forwards the connection to the real X server.
343:
344: If the display does not have Xauthority data, the server will create a
345: unix domain socket in /tmp/.X11-unix, and use the unix domain socket
346: as the display. No authentication information is forwarded in this
347: case. X11 connections are again forwarded over the secure channel.
348: To the X server the connections appear to come from the client
349: machine, and the server must have connections allowed from the local
350: machine. Using authentication data is always recommended because not
351: using it makes the display insecure. If XDM is used, it automatically
352: generates the authentication data.
353:
354: One should be careful not to use "xin" or "xstart" or other similar
355: scripts that explicitly set DISPLAY to start X sessions in a remote
356: machine, because the connection will then not go over the secure
357: channel. The recommended way to start a shell in a remote machine is
358:
359: xterm -e ssh host &
360:
361: and the recommended way to execute an X11 application in a remote
362: machine is
363:
364: ssh -n host emacs &
365:
366: If you need to type a password/passphrase for the remote machine,
367:
368: ssh -f host emacs
369:
370: may be useful.
371:
372:
373:
374: RSA AUTHENTICATION
375:
376: RSA authentication is based on public key cryptograpy. The idea is
377: that there are two encryption keys, one for encryption and another for
378: decryption. It is not possible (on human timescale) to derive the
379: decryption key from the encryption key. The encryption key is called
380: the public key, because it can be given to anyone and it is not
381: secret. The decryption key, on the other hand, is secret, and is
382: called the private key.
383:
384: RSA authentication is based on the impossibility of deriving the
385: private key from the public key. The public key is stored on the
386: server machine in the user's $HOME/.ssh/authorized_keys file. The
387: private key is only kept on the user's local machine, laptop, or other
388: secure storage. Then the user tries to log in, the client tells the
389: server the public key that the user wishes to use for authentication.
390: The server then checks if this public key is admissible. If so, it
391: generates a 256 bit random number, encrypts it with the public key,
392: and sends the value to the client. The client then decrypts the
393: number with its private key, computes a 128 bit MD5 checksum from the
394: resulting data, and sends the checksum back to the server. (Only a
395: checksum is sent to prevent chosen-plaintext attacks against RSA.)
396: The server checks computes a checksum from the correct data,
397: and compares the checksums. Authentication is accepted if the
398: checksums match. (Theoretically this indicates that the client
399: only probably knows the correct key, but for all practical purposes
400: there is no doubt.)
401:
402: The RSA private key can be protected with a passphrase. The
403: passphrase can be any string; it is hashed with MD5 to produce an
404: encryption key for IDEA, which is used to encrypt the private part of
405: the key file. With passphrase, authorization requires access to the key
406: file and the passphrase. Without passphrase, authorization only
407: depends on possession of the key file.
408:
409: RSA authentication is the most secure form of authentication supported
410: by this software. It does not rely on the network, routers, domain
411: name servers, or the client machine. The only thing that matters is
412: access to the private key.
413:
414: All this, of course, depends on the security of the RSA algorithm
415: itself. RSA has been widely known since about 1978, and no effective
416: methods for breaking it are known if it is used properly. Care has
417: been taken to avoid the well-known pitfalls. Breaking RSA is widely
418: believed to be equivalent to factoring, which is a very hard
419: mathematical problem that has received considerable public research.
420: So far, no effective methods are known for numbers bigger than about
421: 512 bits. However, as computer speeds and factoring methods are
422: increasing, 512 bits can no longer be considered secure. The
423: factoring work is exponential, and 768 or 1024 bits are widely
424: considered to be secure in the near future.
425:
426:
427: RHOSTS AUTHENTICATION
428:
429: Conventional .rhosts and hosts.equiv based authentication mechanisms
430: are fundamentally insecure due to IP, DNS (domain name server) and
431: routing spoofing attacks. Additionally this authentication method
432: relies on the integrity of the client machine. These weaknesses is
433: tolerable, and been known and exploited for a long time.
434:
435: Ssh provides an improved version of these types of authentication,
436: because they are very convenient for the user (and allow easy
437: transition from rsh and rlogin). It permits these types of
438: authentication, but additionally requires that the client host be
439: authenticated using RSA.
440:
441: The server has a list of host keys stored in /etc/ssh_known_host, and
442: additionally each user has host keys in $HOME/.ssh/known_hosts. Ssh
443: uses the name servers to obtain the canonical name of the client host,
444: looks for its public key in its known host files, and requires the
445: client to prove that it knows the private host key. This prevents IP
446: and routing spoofing attacks (as long as the client machine private
447: host key has not been compromized), but is still vulnerable to DNS
448: attacks (to a limited extent), and relies on the integrity of the
449: client machine as to who is requesting to log in. This prevents
450: outsiders from attacking, but does not protect against very powerful
451: attackers. If maximal security is desired, only RSA authentication
452: should be used.
453:
454: It is possible to enable conventional .rhosts and /etc/hosts.equiv
455: authentication (without host authentication) at compile time by giving
456: the option --with-rhosts to configure. However, this is not
457: recommended, and is not done by default.
458:
459: These weaknesses are present in rsh and rlogin. No improvement in
460: security will be obtained unless rlogin and rsh are completely
461: disabled (commented out in /etc/inetd.conf). This is highly
462: recommended.
463:
464:
465: WEAKEST LINKS IN SECURITY
466:
467: One should understand that while this software may provide
468: cryptographically secure communications, it may be easy to
469: monitor the communications at their endpoints.
470:
471: Basically, anyone with root access on the local machine on which you
472: are running the software may be able to do anything. Anyone with root
473: access on the server machine may be able to monitor your
474: communications, and a very talented root user might even be able to
475: send his/her own requests to your authentication agent.
476:
477: One should also be aware that computers send out electromagnetic
478: radition that can sometimes be picked up hundreds of meters away.
479: Your keyboard is particularly easy to listen to. The image on your
480: monitor might also be seen on another monitor in a van parked behind
481: your house.
482:
483: Beware that unwanted visitors might come to your home or office and
484: use your machine while you are away. They might also make
485: modifications or install bugs in your hardware or software.
486:
487: Beware that the most effective way for someone to decrypt your data
488: may be with a rubber hose.
489:
490:
491: LEGAL ISSUES
492:
493: As far as I am concerned, anyone is permitted to use this software
494: freely. However, see the file COPYING for detailed copying,
495: licensing, and distribution information.
496:
497: In some countries, particularly France, Russia, Iraq, and Pakistan,
498: it may be illegal to use any encryption at all without a special
499: permit, and the rumor has it that you cannot get a permit for any
500: strong encryption.
501:
502: This software may be freely imported into the United States; however,
503: the United States Government may consider re-exporting it a criminal
504: offence.
505:
506: Note that any information and cryptographic algorithms used in this
507: software are publicly available on the Internet and at any major
508: bookstore, scientific library, or patent office worldwide.
509:
510: THERE IS NO WARRANTY FOR THIS PROGRAM. Please consult the file
511: COPYING for more information.
512:
513:
514: MAILING LISTS AND OTHER INFORMATION
515:
516: There is a mailing list for ossh. It is ossh@sics.se. If you would
517: like to join, send a message to majordomo@sics.se with "subscribe
518: ssh" in body.
519:
520: The WWW home page for ssh is http://www.cs.hut.fi/ssh. It contains an
521: archive of the mailing list, and detailed information about new
522: releases, mailing lists, and other relevant issues.
523:
524: Bug reports should be sent to ossh-bugs@sics.se.
525:
526:
527: ABOUT THE AUTHOR
528:
529: This software was written by Tatu Ylonen <ylo@cs.hut.fi>. I work as a
530: researcher at Helsinki University of Technology, Finland. For more
531: information, see http://www.cs.hut.fi/~ylo/. My PGP public key is
532: available via finger from ylo@cs.hut.fi and from the key servers. I
533: prefer PGP encrypted mail.
534:
535: The author can be contacted via ordinary mail at
536: Tatu Ylonen
537: Helsinki University of Technology
538: Otakaari 1
539: FIN-02150 ESPOO
540: Finland
541:
542: Fax. +358-0-4513293
543:
544:
545: ACKNOWLEDGEMENTS
546:
547: I thank Tero Kivinen, Timo Rinne, Janne Snabb, and Heikki Suonsivu for
548: their help and comments in the design, implementation and porting of
549: this software. I also thank numerous contributors, including but not
550: limited to Walker Aumann, Jurgen Botz, Hans-Werner Braun, Stephane
551: Bortzmeyer, Adrian Colley, Michael Cooper, David Dombek, Jerome
552: Etienne, Bill Fithen, Mark Fullmer, Bert Gijsbers, Andreas Gustafsson,
553: Michael Henits, Steve Johnson, Thomas Koenig, Felix Leitner, Gunnar
554: Lindberg, Andrew Macpherson, Marc Martinec, Paul Mauvais, Donald
555: McKillican, Leon Mlakar, Robert Muchsel, Mark Treacy, Bryan
556: O'Sullivan, Mikael Suokas, Ollivier Robert, Jakob Schlyter, Tomasz
557: Surmacz, Alvar Vinacua, Petri Virkkula, Michael Warfield, and
558: Cristophe Wolfhugel.
559:
560: Thanks also go to Philip Zimmermann, whose PGP software and the
561: associated legal battle provided inspiration, motivation, and many
562: useful techniques, and to Bruce Schneier whose book Applied
563: Cryptography has done a great service in widely distributing knowledge
564: about cryptographic methods.
565:
566:
567: Copyright (c) 1995 Tatu Ylonen, Espoo, Finland.