source: trunk/third/ssh/README @ 12646

Revision 12646, 21.5 KB checked in by danw, 26 years ago (diff)
This commit was generated by cvs2svn to compensate for changes in r12645, which included commits to RCS files with non-trunk default branches.
Line 
1SSH (Secure Shell) is a program to log into another computer over a
2network, to execute commands in a remote machine, and to move files
3from one machine to another.  It provides strong authentication and
4secure communications over insecure channels.  It is intended as a
5replacement for rlogin, rsh, rcp, and rdist.
6
7See the file INSTALL for installation instructions.  See COPYING for
8license terms and other legal issues.  See RFC for a description of
9the protocol.  There is a WWW page for ssh; see http://www.cs.hut.fi/ssh.
10
11This file has been updated to match ssh-1.2.26 / f-secure ssh 1.3.6.
12
13
14FEATURES
15
16 o  Strong authentication.  Closes several security holes (e.g., IP,
17    routing, and DNS spoofing).  New authentication methods: .rhosts
18    together with RSA based host authentication, and pure RSA
19    authentication.
20
21 o  Improved privacy.  All communications are automatically and
22    transparently encrypted.  RSA is used for key exchange, and a
23    conventional cipher (normally IDEA, Blowfish, or triple-DES) for
24    encrypting the session.  Encryption is started before
25    authentication, and no passwords or other information is
26    transmitted in the clear.  Encryption is also used to protect
27    against spoofed packets.
28
29 o  Secure X11 sessions.  The program automatically sets DISPLAY on
30    the server machine, and forwards any X11 connections over the
31    secure channel.  Fake Xauthority information is automatically
32    generated and forwarded to the remote machine; the local client
33    automatically examines incoming X11 connections and replaces the
34    fake authorization data with the real data (never telling the
35    remote machine the real information).
36
37 o  Arbitrary TCP/IP ports can be redirected through the encrypted channel
38    in both directions (e.g., for e-cash transactions).
39
40 o  No retraining needed for normal users; everything happens
41    automatically, and old .rhosts files will work with strong
42    authentication if administration installs host key files.
43
44 o  Never trusts the network.  Minimal trust on the remote side of
45    the connection.  Minimal trust on domain name servers.  Pure RSA
46    authentication never trusts anything but the private key.
47
48 o  Client RSA-authenticates the server machine in the beginning of
49    every connection to prevent trojan horses (by routing or DNS
50    spoofing) and man-in-the-middle attacks, and the server
51    RSA-authenticates the client machine before accepting .rhosts or
52    /etc/hosts.equiv authentication (to prevent DNS, routing, or
53    IP-spoofing).
54
55 o  Host authentication key distribution can be centrally by the
56    administration, automatically when the first connection is made
57    to a machine (the key obtained on the first connection will be
58    recorded and used for authentication in the future), or manually
59    by each user for his/her own use.  The central and per-user host
60    key repositories are both used and complement each other.  Host
61    keys can be generated centrally or automatically when the software
62    is installed.  Host authentication keys are typically 1024 bits.
63
64 o  Any user can create any number of user authentication RSA keys for
65    his/her own use.  Each user has a file which lists the RSA public
66    keys for which proof of possession of the corresponding private
67    key is accepted as authentication.  User authentication keys are
68    typically 1024 bits.
69
70 o  The server program has its own server RSA key which is
71    automatically regenerated every hour.  This key is never saved in
72    any file.  Exchanged session keys are encrypted using both the
73    server key and the server host key.  The purpose of the separate
74    server key is to make it impossible to decipher a captured session by
75    breaking into the server machine at a later time; one hour from
76    the connection even the server machine cannot decipher the session
77    key.  The key regeneration interval is configurable.  The server
78    key is normally 768 bits.
79
80 o  An authentication agent, running in the user's laptop or local
81    workstation, can be used to hold the user's RSA authentication
82    keys.  Ssh automatically forwards the connection to the
83    authentication agent over any connections, and there is no need to
84    store the RSA authentication keys on any machine in the network
85    (except the user's own local machine).  The authentication
86    protocols never reveal the keys; they can only be used to verify
87    that the user's agent has a certain key.  Eventually the agent
88    could rely on a smart card to perform all authentication
89    computations.
90
91 o  The software can be installed and used (with restricted
92    functionality) even without root privileges.
93
94 o  The client is customizable in system-wide and per-user
95    configuration files.  Most aspects of the client's operation can
96    be configured.  Different options can be specified on a per-host basis.
97
98 o  Automatically executes conventional rsh (after displaying a
99    warning) if the server machine is not running sshd.
100
101 o  Optional compression of all data with gzip (including forwarded X11
102    and TCP/IP port data), which may result in significant speedups on
103    slow connections.
104
105 o  Complete replacement for rlogin, rsh, and rcp.
106
107
108WHY TO USE SECURE SHELL
109
110Currently, almost all communications in computer networks are done
111without encryption.  As a consequence, anyone who has access to any
112machine connected to the network can listen in on any communication.
113This is being done by hackers, curious administrators, employers,
114criminals, industrial spies, and governments.  Some networks leak off
115enough electromagnetic radiation that data may be captured even from a
116distance.
117
118When you log in, your password goes in the network in plain
119text.  Thus, any listener can then use your account to do any evil he
120likes.  Many incidents have been encountered worldwide where crackers
121have started programs on workstations without the owners knowledge
122just to listen to the network and collect passwords.  Programs for
123doing this are available on the Internet, or can be built by a
124competent programmer in a few hours.
125
126Furthermore, it is possible to hijack connections going though the
127network.  This means that an intruder can enter in the middle of an
128existing connection, and start modifying data in both directions.
129This can, e.g., be used to insert new commands in sessions
130authenticated by one-time passwords.  A consequence is that no
131security method based on purely authenticating the user is safe.
132Furthermore, routing spoofing can be used to bring almost any
133connection in the Internet to a location where it can be attacked.
134
135Encryption and cryptographic authentication and integrity protection
136are required to secure networks and computer systems.  SSH uses strong
137cryptographic algorithms to achieve these goals.
138
139Ease of use is critical to the acceptance of a piece of software.  SSH
140attempts to be *easier* to use than its insecure counterparts.
141
142SSH has gained very wide acceptance.  It is currently (late 1996)
143being used in approximately 50 countries at probably tens of thousands
144of organizations.  Its users include top universities, research
145laboratories, banks, major corporations, and numerous smaller
146companies and individuals.
147
148SSH is available for almost all Unix platforms, and commercial
149versions are available for Windows (3.1, 95, NT) and Macintosh.  For
150more information, see http://www.datafellows.com/f-secure.
151
152
153OVERVIEW OF SECURE SHELL
154
155The software consists of a number of programs.
156
157   sshd         Server program run on the server machine.  This
158                listens for connections from client machines, and
159                whenever it receives a connection, it performs
160                authentication and starts serving the client.
161
162   ssh          This is the client program used to log into another
163                machine or to execute commands on the other machine.
164                "slogin" is another name for this program.
165
166   scp          Securely copies files from one machine to another.
167
168   ssh-keygen   Used to create RSA keys (host keys and user
169                authentication keys).
170
171   ssh-agent    Authentication agent.  This can be used to hold RSA
172                keys for authentication.
173
174   ssh-add      Used to register new keys with the agent.
175
176   make-ssh-known-hosts
177                Used to create the /etc/ssh_known_hosts file.
178
179
180Ssh is the program users normally use.  It is started as
181
182  ssh host
183
184or
185
186  ssh host command
187
188The first form opens a new shell on the remote machine (after
189authentication).  The latter form executes the command on the remote
190machine.
191
192When started, the ssh connects sshd on the server machine, verifies
193that the server machine really is the machine it wanted to connect,
194exchanges encryption keys (in a manner which prevents an outside
195listener from getting the keys), performs authentication using .rhosts
196and /etc/hosts.equiv, RSA authentication, or conventional password
197based authentication.  The server then (normally) allocates a
198pseudo-terminal and starts an interactive shell or user program.
199
200The TERM environment variable (describing the type of the user's
201terminal) is passed from the client side to the remote side.  Also,
202terminal modes will be copied from the client side to the remote side
203to preserve user preferences (e.g., the erase character).
204
205If the DISPLAY variable is set on the client side, the server will
206create a dummy X server and set DISPLAY accordingly.  Any connections
207to the dummy X server will be forwarded through the secure channel,
208and will be made to the real X server from the client side.  An
209arbitrary number of X programs can be started during the session, and
210starting them does not require anything special from the user.  (Note
211that the user must not manually set DISPLAY, because then it would
212connect directly to the real display instead of going through the
213encrypted channel).  This behavior can be disabled in the
214configuration file or by giving the -x option to the client.
215
216Arbitrary IP ports can be forwarded over the secure channel.  The
217program then creates a port on one side, and whenever a connection is
218opened to this port, it will be passed over the secure channel, and a
219connection will be made from the other side to a specified host:port
220pair.  Arbitrary IP forwarding must always be explicitly requested,
221and cannot be used to forward privileged ports (unless the user is
222root).  It is possible to specify automatic forwards in a per-user
223configuration file, for example to make electronic cash systems work
224securely.
225
226If there is an authentication agent on the client side, connection to
227it will be automatically forwarded to the server side.
228
229For more information, see the manual pages ssh(1), sshd(8), scp(1),
230ssh-keygen(1), ssh-agent(1), ssh-add(1), and make-ssh-known-hosts(1)
231included in this distribution.
232
233
234X11 CONNECTION FORWARDING
235
236X11 forwarding serves two purposes: it is a convenience to the user
237because there is no need to set the DISPLAY variable, and it provides
238encrypted X11 connections.  I cannot think of any other easy way to
239make X11 connections encrypted; modifying the X server, clients or
240libraries would require special work for each machine, vendor and
241application.  Widely used IP-level encryption does not seem likely for
242several years.  Thus what we have left is faking an X server on the
243same machine where the clients are run, and forwarding the connections
244to a real X server over the secure channel.
245
246X11 forwarding works as follows.  The client extracts Xauthority
247information for the server.  It then creates random authorization
248data, and sends the random data to the server.  The server allocates
249an X11 display number, and stores the (fake) Xauthority data for this
250display.  Whenever an X11 connection is opened, the server forwards
251the connection over the secure channel to the client, and the client
252parses the first packet of the X11 protocol, substitutes real
253authentication data for the fake data (if the fake data matched), and
254forwards the connection to the real X server.
255
256If the display does not have Xauthority data, the server will create a
257unix domain socket in /tmp/.X11-unix, and use the unix domain socket
258as the display.  No authentication information is forwarded in this
259case.  X11 connections are again forwarded over the secure channel.
260To the X server the connections appear to come from the client
261machine, and the server must have connections allowed from the local
262machine.  Using authentication data is always recommended because not
263using it makes the display insecure.  If XDM is used, it automatically
264generates the authentication data.
265
266One should be careful not to use "xin" or "xstart" or other similar
267scripts that explicitly set DISPLAY to start X sessions in a remote
268machine, because the connection will then not go over the secure
269channel.  The recommended way to start a shell in a remote machine is
270
271  xterm -e ssh host &
272
273and the recommended way to execute an X11 application in a remote
274machine is
275
276  ssh -n host emacs &
277
278If you need to type a password/passphrase for the remote machine,
279
280  ssh -f host emacs
281
282may be useful.
283
284
285
286RSA AUTHENTICATION
287
288RSA authentication is based on public key cryptography.  The idea is
289that there are two encryption keys, one for encryption and another for
290decryption.  It is not possible (on human time scale) to derive the
291decryption key from the encryption key.  The encryption key is called
292the public key, because it can be given to anyone and it is not
293secret.  The decryption key, on the other hand, is secret, and is
294called the private key.
295
296RSA authentication is based on the impossibility of deriving the
297private key from the public key.  The public key is stored on the
298server machine in the user's $HOME/.ssh/authorized_keys file.  The
299private key is only kept on the user's local machine, laptop, or other
300secure storage.  Then the user tries to log in, the client tells the
301server the public key that the user wishes to use for authentication.
302The server then checks if this public key is admissible.  If so, it
303generates a 256 bit random number, encrypts it with the public key,
304and sends the value to the client.  The client then decrypts the
305number with its private key, computes a 128 bit MD5 checksum from the
306resulting data, and sends the checksum back to the server.  (Only a
307checksum is sent to prevent chosen-plaintext attacks against RSA.)
308The server checks computes a checksum from the correct data,
309and compares the checksums.  Authentication is accepted if the
310checksums match.  (Theoretically this indicates that the client
311only probably knows the correct key, but for all practical purposes
312there is no doubt.)
313
314The RSA private key can be protected with a passphrase.  The
315passphrase can be any string; it is hashed with MD5 to produce an
316encryption key for 3DES, which is used to encrypt the private part of
317the key file.  With passphrase, authorization requires access to the key
318file and the passphrase.  Without passphrase, authorization only
319depends on possession of the key file.
320
321RSA authentication is the most secure form of authentication supported
322by this software.  It does not rely on the network, routers, domain
323name servers, or the client machine.  The only thing that matters is
324access to the private key. 
325
326All this, of course, depends on the security of the RSA algorithm
327itself.  RSA has been widely known since about 1978, and no effective
328methods for breaking it are known if it is used properly.  Care has
329been taken to avoid the well-known pitfalls.  Breaking RSA is widely
330believed to be equivalent to factoring, which is a very hard
331mathematical problem that has received considerable public research.
332So far, no effective methods are known for numbers bigger than about
333512 bits.  However, as computer speeds and factoring methods are
334increasing, 512 bits can no longer be considered secure.  The
335factoring work is exponential, and 768 or 1024 bits are widely
336considered to be secure in the near future.
337
338
339RHOSTS AUTHENTICATION
340
341Conventional .rhosts and hosts.equiv based authentication mechanisms
342are fundamentally insecure due to IP, DNS (domain name server) and
343routing spoofing attacks.  Additionally this authentication method
344relies on the integrity of the client machine.  These weaknesses is
345tolerable, and been known and exploited for a long time.
346
347Ssh provides an improved version of these types of authentication,
348because they are very convenient for the user (and allow easy
349transition from rsh and rlogin).  It permits these types of
350authentication, but additionally requires that the client host be
351authenticated using RSA. 
352
353The server has a list of host keys stored in /etc/ssh_known_host, and
354additionally each user has host keys in $HOME/.ssh/known_hosts.  Ssh
355uses the name servers to obtain the canonical name of the client host,
356looks for its public key in its known host files, and requires the
357client to prove that it knows the private host key.  This prevents IP
358and routing spoofing attacks (as long as the client machine private
359host key has not been compromised), but is still vulnerable to DNS
360attacks (to a limited extent), and relies on the integrity of the
361client machine as to who is requesting to log in.  This prevents
362outsiders from attacking, but does not protect against very powerful
363attackers.  If maximal security is desired, only RSA authentication
364should be used.
365
366It is possible to enable conventional .rhosts and /etc/hosts.equiv
367authentication (without host authentication) at compile time by giving
368the option --with-rhosts to configure.  However, this is not
369recommended, and is not done by default.
370
371These weaknesses are present in rsh and rlogin.  No improvement in
372security will be obtained unless rlogin and rsh are completely
373disabled (commented out in /etc/inetd.conf).  This is highly
374recommended.
375
376
377LEGAL ISSUES
378
379See the file COPYING for distribution conditions.  To summarize, you
380can use this software freely for non-commercial purposes.  However,
381this software cannot be sold or used for directly revenue-generating
382purposes without licensing.  THERE IS NO WARRANTY FOR THIS PROGRAM.
383
384In some countries, particularly Russia, Iraq, Pakistan, and France, it
385may be illegal to use any encryption at all without a special permit.
386
387This software may be freely imported into the United States; however,
388the United States Government may consider re-exporting it a criminal
389offense.  Thus, if you are outside the US, please retrieve this
390software from outside the US.
391
392Note that any information and cryptographic algorithms used in this
393software are publicly available on the Internet and at any major
394bookstore, scientific library, or patent office worldwide.
395
396
397MAILING LISTS AND OTHER INFORMATION
398
399There is a mailing list for ssh.  It is ssh@clinet.fi.  If you would
400like to join, send a message to majordomo@clinet.fi with "subscribe
401ssh" in body.
402
403The WWW home page for ssh is http://www.cs.hut.fi/ssh.  It contains an
404archive of the mailing list, and detailed information about new
405releases, mailing lists, and other relevant issues.
406
407For information about Windows, Macintosh, and commercial licensing,
408see http://www.datafellows.com/f-secure, or mail to
409f-secure-ssh-sales@datafellows.com.
410
411Bug reports should be sent to ssh-bugs@cs.hut.fi.
412
413
414ABOUT THE AUTHOR
415
416This software was originally written by Tatu Ylonen <ylo@cs.hut.fi> in
417Finland.  It is now being maintained by SSH Communications Security
418(http://www.ssh.fi) and Data Fellows (http://www.datafellows.com).
419
420
421ACKNOWLEDGEMENTS
422
423Many people have contributed to the development of this software.
424
425Martin Abadi, Jason Ackley, Satoshi Adachi, Tim Adam, Kazunori Ando,
426Andre April, Walker Aumann, E. Jay Barkenbilt, Steve Bellovin, Steve
427Birnbaum, Steve Bonds, Paul Borman, Stephane Bortzmeyer, Jim Bourne,
428Jurgen Botz, Hans-Werner Braun, Bill Broadley, Piete Brooks, Loren
429Buchanan, Donald Buczek, Joao Castro, Andrey Chernov, Adrian Colley,
430Michael Cooper, Brian Cully, Felix von Delius, David Dombek, Ian
431Donaldson, Sean Doran, Danek Duvall, Garance Drosehn, Niklas
432Edmundsson, Doug Engert, Jerome Etienne, Bill Fithen, Mike Friedman,
433Florian Fuchs, Mark Fullmer, Jean-Loup Gailly, Bert Gijsbers, Eivind
434Gjelseth, Bob Goellner, Ian Goldberg, Chuck Goodhart, Aaron Gowatch,
435Torbjorn Granlund, Teddy Grenman, Klaus Guntermann, Andreas
436Gustafsson, Kojima Hajime, Charles M. Hannum, Michael Henits, Ville
437Herva, Nick Hibma, Mark Horn, Ton Hospel, Antti Huima, Cedomir Igaly,
438Bradford W. Johnson, Steve Johnson, LaMont Jones, Arne Juul, Petri
439Kaukasoina, Charles Karney, Richard Kaszeta, Brendan Kehoe, Tero
440Kivinen, Philip Kizer, Mika Kojo, Georg-W. Koltermann, David Kågedal,
441Thomas König, Joseph Lappa, Felix Leitner, Ofer Licht, Gunnar
442Lindberg, Markus Linnala, Harald Lundberg, Glenn Machin, Andrew
443Macpherson, Marc Martinec, Paul Mauvais, David Mazieres, Harry
444McGavran Jr., Donald McKillican, Pedro Melo, Luke Mewburn, Leon
445Mlakar, Robert Muchsel, Kaj Mustikkamäki, Hannu Napari, Pekka
446Nikander, Bill O'Neill, Bryan O'Sullivan, John P.Speno, Andy Polyakov,
447Matt Power, Theo de Raadt, Andrew Raphael, Matt Richards, Michael
448Richardson, Timo Rinne, Ollivier Robert, Maciej W. Rozycki, Dima
449Ruban, Tomi Salo, Paul J. Sanchez, Corey Satten, Jakob Schlyter, Wayne
450Schroeder, Jay Schuster, Harry Shamansky, Janne Snabb, Harlan Stenn,
451Kevin Steves, Mikael Suokas, Heikki Suonsivu, Tomasz Surmacz, Holger
452Trapp, Mark Treacy, Andrew Tridgell, Rick Troxel, Dragan Vecerina,
453Wietse Venema, Witse Venema, Alvar Vinacua, Russell Vincent, Petri
454Virkkula, Michael Warfield, Brian Weaver, Peter Wemm, Raymund Will,
455Mike Williams, Christophe Wolfhugel and Craig Yap.
456
457My apologies to people whom I have forgotten to list.
458
459Thanks also go to Philip Zimmermann, whose PGP software and the
460associated legal battle provided inspiration, motivation, and many
461useful techniques, and to Bruce Schneier whose book Applied
462Cryptography has done a great service in widely distributing knowledge
463about cryptographic methods.
464
465
466Copyright (c) 1996,1997,1998 SSH Communications Security, Espoo, Finland.
Note: See TracBrowser for help on using the repository browser.