OpenSSH
2010-08-24 12:44:43 
阿炯
OpenSSH 是一组用于安全地访问远程计算机的连接工具,它可以作为 rlogin、rsh、rcp 以及 telnet 的直接替代品使用。更进一步,其他任何TCP/IP连接都可以通过 SSH 安全地进行隧道和转发。OpenSSH 是 100% 完整的 SSH 协议 2.0 版本的实现,并且包括 sftp 客户端和服务器支持,它用于远程登录的主要连接工具。它对所有流量进行加密,避免窃听、连接劫持等攻击。此外,OpenSSH 还提供了一整套安全隧道功能、多种身份验证方法和复杂的配置选项。它采用C语言开发并在BSD协议下授权使用。
OpenSSH 对所有的传输进行加密,从而有效地阻止了窃听、连接劫持,以及其他网络级的攻击。它使用SSH透过计算机网络加密通讯的实现。它是取代由SSH Communications Security所提供的商用版本的开放源代码方案。目前OpenSSH是OpenBSD的子计划。OpenSSH常常被误认以为与OpenSSL有关系,但实际上这两个计划的有不同的目的,不同的发展团队,名称相近只是因为两者有同样的软件发展目标--提供开放源代码的加密通信软件。OpenSSH是在1999年10月第一次在OpenBSD 2.6里出现,当初的计划是取代由SSH Communications Security所提供的SSH软件。
OpenSSH 由OpenBSD Project维护,它基于 SSH v1.2.12 并包含了最新的错误修复和更新,它同时兼容 SSH 协议的 1 和 2 两个版本。从 FreeBSD 4.0 开始,OpenSSH 成为了基本系统的一部分。通常使用 telnet 或 rlogin时,数据是以明码的形式发送的,并没有加密。在客户机和服务器之间的网络上运行的听包程序可以在会话中偷窃到传输的用户名、密码和数据,而 OpenSSH 提供了多种的身份验证和加密方法来防止这种情况的发生。
程序主要包括了几个部份:
* ssh
rlogin与Telnet的替代方案。
* scp、sftp
rcp的替代方案,将文件复制到其他电脑上。
* sshd
SSH服务器。
* ssh-keygen
产生RSA或DSA金钥,用来认证用。
* ssh-agent、ssh-add
帮助用户不需要每次都要输入金钥密码的工具。
* ssh-keyscan
扫描一群机器,并纪录其公钥。
OpenSSH is a FREE version of the SSH connectivity tools that technical users of the Internet rely on. Users of telnet, rlogin, and ftp may not realize that their password is transmitted across the Internet unencrypted, but it is. OpenSSH encrypts all traffic (including passwords) to effectively eliminate eavesdropping, connection hijacking, and other attacks. Additionally, OpenSSH provides secure tunneling capabilities and several authentication methods, and supports all SSH protocol versions.
The OpenSSH suite replaces rlogin and telnet with the ssh program, rcp with scp, and ftp with sftp. Also included is sshd (the server side of the package), and the other utilities like ssh-add, ssh-agent, ssh-keysign, ssh-keyscan, ssh-keygen and sftp-server.
OpenSSH is developed by the OpenBSD Project. The software is developed in countries that permit cryptography export and is freely useable and re-useable by everyone under a BSD license. However, development has costs, so if you find OpenSSH useful (particularly if you use it in a commercial system that is distributed) please consider donating to help fund the project.
OpenSSH is developed by two teams. One team does strictly OpenBSD-based development, aim to produce code that is as clean, simple, and secure as possible. We believe that simplicity without the portability "goop" allows for better code quality control and easier review. The other team then takes the clean version and makes it portable (adding the "goop") to make it run on many operating systems -- the so-called -p releases, ie "OpenSSH 5.8p1".
Please take note of our Who uses it page, which list just some of the vendors who incorporate OpenSSH into their own products -- as a critically important security / access feature -- instead of writing their own SSH implementation or purchasing one from another vendor. This list specifically includes companies like Cisco, Juniper, Apple, Red Hat, and Novell; but probably includes almost all router, switch or unix-like operating system vendors. In the 10 years since the inception of the OpenSSH project, these companies have contributed not even a dime of thanks in support of the OpenSSH project (despite numerous requests).
OpenSSH 增加对存储在 RAM 中的私钥的保护
Google 的 OpenBSD 开发人员和安全研究员 Damien Miller 对 OpenSSH 进行修改,增加了对存储在 RAM 中的私钥的保护,让攻击者更难利用硬件漏洞的侧通道攻击来提取私钥。他解释说,用于保护内存中私钥的对称密钥来自由随机数据(目前是 16 KB)组成的一个相对较大的 prekey。而工作方式是,密钥在加载到内存中时被加密,并在需要签名或必须保存时解密。虽然这种预防措施并不是应对硬件攻击的完整解决方案,但它确实会使攻击者更难获得成功。Damien Miller 分析说,“攻击者必须以高精度恢复整个 prekey,然后才能尝试解密被屏蔽的私钥,但是目前的攻击具有比特错误率,要想累加到整个prekey,这显然是不可能的。”这并不是长久之计,Damien 表示,当计算机架构变得安全的时候,才可以彻底消除这个问题。
OpenSSH更新记录集
OpenSSH中高危漏洞集合
项目主页:http://www.openssh.com/
OpenSSH 对所有的传输进行加密,从而有效地阻止了窃听、连接劫持,以及其他网络级的攻击。它使用SSH透过计算机网络加密通讯的实现。它是取代由SSH Communications Security所提供的商用版本的开放源代码方案。目前OpenSSH是OpenBSD的子计划。OpenSSH常常被误认以为与OpenSSL有关系,但实际上这两个计划的有不同的目的,不同的发展团队,名称相近只是因为两者有同样的软件发展目标--提供开放源代码的加密通信软件。OpenSSH是在1999年10月第一次在OpenBSD 2.6里出现,当初的计划是取代由SSH Communications Security所提供的SSH软件。
OpenSSH 由OpenBSD Project维护,它基于 SSH v1.2.12 并包含了最新的错误修复和更新,它同时兼容 SSH 协议的 1 和 2 两个版本。从 FreeBSD 4.0 开始,OpenSSH 成为了基本系统的一部分。通常使用 telnet 或 rlogin时,数据是以明码的形式发送的,并没有加密。在客户机和服务器之间的网络上运行的听包程序可以在会话中偷窃到传输的用户名、密码和数据,而 OpenSSH 提供了多种的身份验证和加密方法来防止这种情况的发生。
程序主要包括了几个部份:
* ssh
rlogin与Telnet的替代方案。
* scp、sftp
rcp的替代方案,将文件复制到其他电脑上。
* sshd
SSH服务器。
* ssh-keygen
产生RSA或DSA金钥,用来认证用。
* ssh-agent、ssh-add
帮助用户不需要每次都要输入金钥密码的工具。
* ssh-keyscan
扫描一群机器,并纪录其公钥。
OpenSSH is a FREE version of the SSH connectivity tools that technical users of the Internet rely on. Users of telnet, rlogin, and ftp may not realize that their password is transmitted across the Internet unencrypted, but it is. OpenSSH encrypts all traffic (including passwords) to effectively eliminate eavesdropping, connection hijacking, and other attacks. Additionally, OpenSSH provides secure tunneling capabilities and several authentication methods, and supports all SSH protocol versions.
The OpenSSH suite replaces rlogin and telnet with the ssh program, rcp with scp, and ftp with sftp. Also included is sshd (the server side of the package), and the other utilities like ssh-add, ssh-agent, ssh-keysign, ssh-keyscan, ssh-keygen and sftp-server.
OpenSSH is developed by the OpenBSD Project. The software is developed in countries that permit cryptography export and is freely useable and re-useable by everyone under a BSD license. However, development has costs, so if you find OpenSSH useful (particularly if you use it in a commercial system that is distributed) please consider donating to help fund the project.
OpenSSH is developed by two teams. One team does strictly OpenBSD-based development, aim to produce code that is as clean, simple, and secure as possible. We believe that simplicity without the portability "goop" allows for better code quality control and easier review. The other team then takes the clean version and makes it portable (adding the "goop") to make it run on many operating systems -- the so-called -p releases, ie "OpenSSH 5.8p1".
Please take note of our Who uses it page, which list just some of the vendors who incorporate OpenSSH into their own products -- as a critically important security / access feature -- instead of writing their own SSH implementation or purchasing one from another vendor. This list specifically includes companies like Cisco, Juniper, Apple, Red Hat, and Novell; but probably includes almost all router, switch or unix-like operating system vendors. In the 10 years since the inception of the OpenSSH project, these companies have contributed not even a dime of thanks in support of the OpenSSH project (despite numerous requests).
OpenSSH 增加对存储在 RAM 中的私钥的保护
Google 的 OpenBSD 开发人员和安全研究员 Damien Miller 对 OpenSSH 进行修改,增加了对存储在 RAM 中的私钥的保护,让攻击者更难利用硬件漏洞的侧通道攻击来提取私钥。他解释说,用于保护内存中私钥的对称密钥来自由随机数据(目前是 16 KB)组成的一个相对较大的 prekey。而工作方式是,密钥在加载到内存中时被加密,并在需要签名或必须保存时解密。虽然这种预防措施并不是应对硬件攻击的完整解决方案,但它确实会使攻击者更难获得成功。Damien Miller 分析说,“攻击者必须以高精度恢复整个 prekey,然后才能尝试解密被屏蔽的私钥,但是目前的攻击具有比特错误率,要想累加到整个prekey,这显然是不可能的。”这并不是长久之计,Damien 表示,当计算机架构变得安全的时候,才可以彻底消除这个问题。
OpenSSH更新记录集
OpenSSH中高危漏洞集合
项目主页:http://www.openssh.com/
该文章最后由 阿炯 于 2023-12-20 15:25:09 更新,目前是第 2 版。