= Solaris Secure Shell (SunSSH) =

SunSSH is a program for logging into a remote machine and for executing commands on a remote machine. It is based on [[OpenSSH>>http://www.openssh.org]] and is intended to replace the unsecured rlogin and rsh, and to provide secure encrypted communications between two untrusted hosts over an insecure network. X11 connections and arbitrary TCP/IP ports can also be forwarded over the secure channel.

|[[**X.509v3 support for SunSSH**>>attach:ssh-x509v3-design.html]] design document.

== Contents ==

[[History of SunSSH>>#history]]
[[Security>>#security]]
[[Current development>>#current_development]]
[[Future ideas>>#future_plans]]
[[Developing SunSSH>>#developing_sunssh]]
[[Patches>>#patches]]
[[Useful links>>#useful_links]]
[[Documentation>>#documentation]]
[[Community>>#community]]

== History of SunSSH ==

SunSSH was integrated into Solaris in 2001 as the PSARC/2001/212 project. These are the versions so far:

* 1.0 - initial version, based on OpenSSH 2.3 and integrated into Solaris 9
* 1.0.1 - backport of the SSH_BUG_EXTEOF compatibility flag from OpenSSH (S9 only)
* 1.1 - our changes and fixes were reapplied and some new code was added, using OpenSSH 3.5p1 as the base version. This version was integrated into [[Solaris 10>>http://www.sun.com/software/solaris/]] from its beginning.
* 1.2 - SSH_OLD_FORWARD_ADDR compatibility flag resynced from OpenSSH and integrated into Nevada build 77
* 1.3 - version fixing the [[CPNI-957037>>http://www.cpni.gov.uk/Docs/Vulnerability_Advisory_SSH.txt]] security vulnerability. We have decided to bump the version number every time a security fix is integrated so that users can more easily track whether they need to upgrade.
* 1.1.1 - S10's version of the 1.3 fix
* 1.4 - version fixing [[6740240>>http://bugs.opensolaris.org/bugdatabase/view_bug.do?bug_id=6740240]], "ssh: password prompt is garbled on ja_JP.PCK/ja_JP.eucJP locale". This fixes the problem of key exchange messages being sent in UTF-8 encoding.
* 1.1.2 - S10's version of the 1.4 fix
* 1.5 - version fixing a problem with the LoginGracePeriod keyword

See the [[On SunSSH Versioning>>http://blogs.sun.com/janp/entry/on_sunssh_versioning]] blog entry for more information about the versioning, and why we must use different version numbers for S10 and Nevada.

Since then we occasionally resync individual features and fixes and add new code.

You can also use version 1.1 on Solaris 9 through the [[6176256 S9 ssh backporting project>>http://bugs.opensolaris.org/view_bug.do?bug_id=6176256]]; see the [[patches>>#patches]] section on how to upgrade your SunSSH 1.0 to 1.1. Solaris 8 and earlier were not shipped with SunSSH. If you have such a release we suggest using OpenSSH there.
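Because the version number is bumped on every security fix, the version SunSSH advertises is the quickest way to tell whether a host still needs an upgrade, but the S10 train numbers the same fixes differently (1.1.1 carries the 1.3 fix, 1.1.2 the 1.4 fix), so a plain numeric comparison misclassifies patched S10 hosts. The following script is an added example, not code from the SunSSH project or this page: it maps the SSH identification string a server sends to the fix levels listed above. The "Sun_SSH_" banner prefix, the function names and the sample banners are this example's own constructions.

```sh
#!/bin/sh
# Added example (not SunSSH project code): map SSH identification strings to
# the SunSSH fix levels listed on this page. The banner lines at the bottom are
# constructed sample input; a real inventory would feed in the first line the
# server sends on port 22.

# Extract the SunSSH version from an identification string such as
# "SSH-2.0-Sun_SSH_1.1.2". Prints nothing for non-SunSSH banners.
# (Assumption: SunSSH identifies itself as "Sun_SSH_<version>".)
sunssh_version() {
    printf '%s\n' "$1" | tr -d '\r' |
        sed -n 's/^SSH-[0-9.]*-Sun_SSH_\([0-9][0-9.]*\).*$/\1/p'
}

# Name the fixes from the page's version list that a given version carries.
# S10 delivers the same fixes as 1.1.x, so a numeric compare (1.1.2 < 1.3)
# would wrongly flag patched S10 hosts; hence an explicit table.
sunssh_fixes() {
    case "$1" in
        1.0|1.0.1|1.1|1.2) echo "" ;;
        1.1.1|1.3)         echo "CPNI-957037" ;;
        1.1.2|1.4)         echo "CPNI-957037 6740240" ;;
        1.5)               echo "CPNI-957037 6740240 LoginGracePeriod" ;;
        *)                 echo "unknown" ;;
    esac
}

# Report whether a banner belongs to a SunSSH that has the CPNI-957037 fix.
# Prints "<version>|<fixes>" and returns 0 when the fix is present,
# 1 when it is absent, 2 when the banner is not SunSSH or the version is unknown.
sunssh_audit() {
    v=$(sunssh_version "$1")
    [ -n "$v" ] || { echo "not SunSSH"; return 2; }
    f=$(sunssh_fixes "$v")
    echo "$v|$f"
    case " $f " in
        *" CPNI-957037 "*) return 0 ;;
        *unknown*)         return 2 ;;
        *)                 return 1 ;;
    esac
}

# Constructed sample banners (not captured from real hosts).
for banner in 'SSH-2.0-Sun_SSH_1.1.2' 'SSH-1.99-Sun_SSH_1.1' \
              'SSH-2.0-Sun_SSH_1.5' 'SSH-2.0-OpenSSH_5.1'; do
    result=$(sunssh_audit "$banner") && status=0 || status=$?
    echo "$banner -> $result (status $status)"
done
```

Locally the version is also available from ssh -V; remotely the identification string is the first line the server writes after the TCP connection opens. Treat it as inventory data only: the banner is supplied by the remote side and can be changed or spoofed, so it tells you which hosts to look at, not that a host is actually patched.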
=== SunSSH versus OpenSSH ===

These parts of SunSSH 1.5 are quite different from the OpenSSH code:

* [[PAM>>http://docs.sun.com/app/docs/doc/816-4557/6maosrjim?q=pam&a=view]]
* [[GSS-API>>http://docs.sun.com/app/docs/doc/819-2145/6n4f2qhjo?q=developers&s=t&a=view]]
* [[privilege separation>>http://cvs.opensolaris.org/source/xref/onnv/onnv-gate/usr/src/cmd/ssh/README.altprivsep]] implementation
* [[auditing>>http://docs.sun.com/app/docs/doc/816-4557/6maosrjog?a=view]] code
* [[g11n>>http://cvs.opensolaris.org/source/xref/onnv/onnv-gate/usr/src/cmd/ssh/libssh/common/g11n.c]] (not present in OpenSSH)
* HW acceleration through the OpenSSL PKCS#11 engine, enabled by default

== Security ==

Since SunSSH is still in many parts very similar to the OpenSSH code, we examine every security vulnerability found in OpenSSH and, if it applies to SunSSH, fix it as soon as possible.

== Current development ==

=== Active PSARC cases ===

* PSARC/2009/531 sshd match block option

=== Finished PSARC cases ===

* PSARC/2009/129 ChrootDirectory option for SunSSH server
* [[PSARC/2008/520>>Community Group arc.520]] SunSSH with the OpenSSL PKCS#11 engine support
* [[PSARC/2007/032>>Community Group arc.032]] ssh disable banner (snv_73)
* [[PSARC/2007/033>>Community Group arc.033]] sftp resync with OpenSSH (snv_75)
* PSARC/2004/505 ssh_config(4) option compatibility (snv_76)
* [[PSARC/2007/610>>Community Group arc.610]] ssh(1) binding address for port forwarding (snv_77)
* [[PSARC/2007/034>>Community Group arc.034]] ssh/sshd resync with OpenSSH (last RFE from this case integrated into snv_80)

=== Open RFEs ===

There are several significant RFEs (requests for enhancement) that are open:

* [[6474758>>http://bugs.opensolaris.org/view_bug.do?bug_id=6474758]] make sftp(1) able to upload files from the command line
* [[6428469>>http://bugs.opensolaris.org/view_bug.do?bug_id=6428469]] enhance ssh logging (this is closed now but it will be reopened)
* [[6439383>>http://bugs.opensolaris.org/view_bug.do?bug_id=6439383]] resync connection sharing functionality
* [[6467008>>http://bugs.opensolaris.org/view_bug.do?bug_id=6467008]] implement the -l option in scp(1) for limiting bandwidth
* [[6749535>>http://bugs.opensolaris.org/view_bug.do?bug_id=6749535]] ssh could precompute the AES-CTR keystream in larger chunks and XOR data with it
* [[6357779>>http://bugs.opensolaris.org/view_bug.do?bug_id=6357779]] SSHv2 X.509 support desired
* [[6628064>>http://bugs.opensolaris.org/view_bug.do?bug_id=6628064]] High Performance SSH/SCP - HPN-SSH

== Future ideas ==

These are some of our future ideas:

* replace the [[OpenSSL>>http://www.openssl.org]] API with the [[PKCS#11>>http://www.rsa.com/rsalabs/node.asp?id=2133]] API. That way SunSSH could make use of the [[Solaris Crypto Framework>>http://docs.sun.com/app/docs/doc/819-2145/6n4f2qhkl?a=view]], and it should then be easier to get [[FIPS-140-2>>http://en.wikipedia.org/wiki/FIPS-140]] certification for SunSSH, which some of our customers ask for.
* rewrite the code so that we have a true libssh library that other applications could use to make SSH connections.
* rewrite SSH debugging. OpenSSH debugging output is intended more for developers than for ordinary users. The SSH protocol is not simple, but if we improve the debugging output so that more users can understand it while debugging their problem, SunSSH will be easier for them to use.

== Developing SunSSH ==

Bugs can be filed using the solaris/ssh category.
The [[source code tree>>http://cvs.opensolaris.org/source/xref/onnv/onnv-gate/usr/src/cmd/ssh/]] is easily accessible through the [[OpenSolaris source code browser>>http://cvs.opensolaris.org/source/xref/onnv/onnv-gate/usr/src/]].

== Patches ==

This section is not very relevant to the OpenSolaris project, but we include it here so that this information is listed together with the other sections.

**(Patch list last updated: 2008-01-28)**

For S10 apply these patches:

SPARC: 120011-14
x86: 120012-14

For S9, apply these patches to upgrade to SunSSH 1.1:

SPARC: 112908-31, 117177-02, 114356-12, 113273-16
x86: 114858-19, 117178-02, 114357-11, 115168-16

== Useful links ==

* [[Closing Idle Sessions in SunSSH>>http://blogs.sun.com/janp/entry/closing_idle_sessions_in_sunssh]]
* [[SunSSH and OpenSSL Enhancements in OpenSolaris within 01/2008-06/2009>>http://blogs.sun.com/janp/entry/sunssh_and_openssl_enhancements_in]]
* [[ChrootDirectory option resynced to SunSSH>>http://blogs.sun.com/janp/entry/the_code_chrootdirectory_code_option]]
* [[On SunSSH Versioning>>http://blogs.sun.com/janp/entry/on_sunssh_versioning]]
* [[SSH messages: "Bad packet length", "Corrupted MAC on input">>http://blogs.sun.com/janp/entry/ssh_messages_code_bad_packet]]
* [[Recent SunSSH Enhancements>>http://mediacast.sun.com/details.jsp?id=4075]] in OpenSolaris: presentation slides on what was done in SunSSH during 2007
* [[Using SunSSH with Kerberos Authentication>>http://blogs.sun.com/janp/entry/configuring_sunssh_with_kerberos_authentication]]
* [[How the SCP Protocol Works>>http://blogs.sun.com/janp/entry/how_the_scp_protocol_works]]

== Documentation ==

=== FAQ ===

You can participate and work with us on the [[SunSSH FAQ>>http://wikis.sun.com/display/SunSSH/SunSSH+FAQ]].
=== Manual pages ===

* [[sshd(1M)>>http://docs.sun.com/app/docs/doc/819-2240/6n4htdnko?q=reference+express&s=t&a=view]], [[ssh-keysign(1M)>>http://docs.sun.com/app/docs/doc/819-2240/6n4htdnkp?q=reference+express&s=t&a=view]]
* [[ssh(1)>>http://docs.sun.com/app/docs/doc/819-2239/6n4hsf6vp?q=reference+express&s=t&a=view]], [[ssh-add(1)>>http://docs.sun.com/app/docs/doc/819-2239/6n4hsf6vq?q=reference+express&s=t&a=view]], [[ssh-agent(1)>>http://docs.sun.com/app/docs/doc/819-2239/6n4hsf6vr?q=reference+express&s=t&a=view]], [[ssh-http-proxy-connect(1)>>http://docs.sun.com/app/docs/doc/819-2239/6n4hsf6vs?q=reference+express&s=t&a=view]], [[ssh-keygen(1)>>http://docs.sun.com/app/docs/doc/819-2239/6n4hsf6vt?q=reference+express&s=t&a=view]], [[ssh-socks5-proxy-connect(1)>>http://docs.sun.com/app/docs/doc/819-2239/6n4hsf6vv?q=reference+express&s=t&a=view]]
* [[sftp(1)>>http://docs.sun.com/app/docs/doc/819-2239/6n4hsf6un?a=view]], [[scp(1)>>http://docs.sun.com/app/docs/doc/819-2239/6n4hsf6un?a=view]]
* [[ssh_config(4)>>http://docs.sun.com/app/docs/doc/819-2251/6n4i7tdcr?q=reference+express&s=t&a=view]], [[sshd_config(4)>>http://docs.sun.com/app/docs/doc/819-2251/6n4i7tdcs?q=reference+express&s=t&a=view]]

=== docs.sun.com ===

* [[Using Solaris Secure Shell>>http://docs.sun.com/app/docs/doc/819-3321/6n5i4b7bc?q=ssh&a=view]]
* [[Solaris Secure Shell (Reference)>>http://docs.sun.com/app/docs/doc/819-3321/6n5i4b7c3?q=ssh&a=view]]

=== RFCs ===

There are more RFCs related to the SSH protocol, but these are the most important ones:

* [[4250>>http://www.faqs.org/rfcs/rfc4250.html]] The Secure Shell (SSH) Protocol Assigned Numbers
* [[4251>>http://www.faqs.org/rfcs/rfc4251.html]] The Secure Shell (SSH) Protocol Architecture
* [[4252>>http://www.faqs.org/rfcs/rfc4252.html]] The Secure Shell (SSH) Authentication Protocol
* [[4253>>http://www.faqs.org/rfcs/rfc4253.html]] The Secure Shell (SSH) Transport Layer Protocol
* [[4254>>http://www.faqs.org/rfcs/rfc4254.html]] The Secure Shell (SSH) Connection Protocol
* [[4256>>http://www.faqs.org/rfcs/rfc4256.html]] Generic Message Exchange Authentication for the Secure Shell Protocol (SSH)
* [[4335>>http://www.faqs.org/rfcs/rfc4335.html]] The Secure Shell (SSH) Session Channel Break Extension
* [[4344>>http://www.ietf.org/rfc/rfc4344.txt]] The Secure Shell (SSH) Transport Layer Encryption Modes
* [[4345>>http://www.faqs.org/rfcs/rfc4345.html]] Improved Arcfour Modes for the Secure Shell (SSH) Transport Layer Protocol
* [[4419>>http://www.faqs.org/rfcs/rfc4419.html]] Diffie-Hellman Group Exchange for the Secure Shell (SSH) Transport Layer Protocol
* [[4432>>http://www.faqs.org/rfcs/rfc4432.html]] RSA Key Exchange for the Secure Shell (SSH) Transport Layer Protocol
* [[4462>>http://www.faqs.org/rfcs/rfc4462.html]] Generic Security Service Application Program Interface (GSS-API) Authentication and Key Exchange for the Secure Shell (SSH) Protocol
* [[The SSH (Secure Shell) Remote Login Protocol>>http://www.snailbook.com/docs/protocol-1.5.txt]], the initial SSH draft written by Tatu Ylonen for SSH protocol version 1

== Community ==

If you want to reach us, please use the [[security-discuss>>http://www.opensolaris.org/jive/forum.jspa?forumID=37]] mailing list; you can subscribe [[here>>Main.discussions]]. Any feedback, ideas or patches are welcome.