OpenSSH

Features


OpenSSH is a free SSH/SecSH protocol suite providing encryption for network services like remote login or remote file transfer.

The following is a list of OpenSSH features:


 Open Source Project

The OpenSSH source code is available free to everyone via the Internet. This encourages code reuse and code auditing. Code review ensures that bugs can be found and corrected by anyone. This results in secure code.

 Free Licensing

OpenSSH is not covered by any restrictive license. It can be used for any and all purposes, and that explicitly includes commercial use. The license for OpenSSH is included in the distribution. We feel that the world would be better if routers, network appliances, operating systems, and all other network devices had ssh integrated into them.

All components of a restrictive nature (i.e. patents, see ssl) have been removed from the source code; any licensed or patented components are chosen from external libraries (e.g. OpenSSL). The IDEA symmetric cipher is no longer available, since it is patented in many countries. Instead, we recommend people use any of the other ciphers available. (We see no justification for using a patented symmetric cipher, since there are many free ones).

 Strong Encryption

OpenSSH supports 3DES, Blowfish, AES and arcfour as encryption algorithms. These are patent free.
Triple DES is a time proven and well understood cipher that provides strong encryption.
Blowfish is a fast block cipher invented by Bruce Schneier that can be used by people that require faster encryption.
AES is the US Federal Information Processing Standard (FIPS) Advanced Encryption Standard developed as a replacement for DES. It is a fast block cipher.
Arcfour is a fast stream cipher. It is believed to be compatible with RC4, a proprietary cipher of RSA Security Inc.

Encryption is started before authentication, and no passwords or other information is transmitted in the clear. Encryption is also used to protect against spoofed packets.

 X11 Forwarding

X11 forwarding allows the encryption of remote X windows traffic, so that nobody can snoop on your remote xterms or insert malicious commands. The program automatically sets DISPLAY on the server machine, and forwards any X11 connections over the secure channel. Fake Xauthority information is automatically generated and forwarded to the remote machine; the local client automatically examines incoming X11 connections and replaces the fake authorization data with the real data (never telling the remote machine the real information).
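The cookie substitution described above can be shown on the wire. The following is an added example, not code from the OpenSSH project: it encodes and parses the X11 connection setup request (the first packet an X client sends, carrying the authorization protocol name and data) and performs the swap the client side does for every forwarded X11 connection. A connection that arrives with any cookie other than the fake one handed to the remote machine is refused, which is what keeps a compromised remote host from reaching the local X server with guessed credentials. The function names and the assumption that only MIT-MAGIC-COOKIE-1 data is ever forwarded are this example's own.

```python
import secrets
import struct

# Assumed for this example: the remote side is only ever given MIT-MAGIC-COOKIE-1 data.
AUTH_PROTO = b"MIT-MAGIC-COOKIE-1"
COOKIE_LEN = 16


def _pad4(n):
    """Padding needed to bring n up to a multiple of four bytes."""
    return (4 - n % 4) % 4


def make_fake_cookie():
    """The throwaway cookie written into the remote host's Xauthority."""
    return secrets.token_bytes(COOKIE_LEN)


def build_setup_request(cookie, proto=AUTH_PROTO, little_endian=True):
    """Encode an X11 connection setup request (X Window System protocol, 'Connection Setup').

    Layout: byte-order marker ('l' or 'B'), pad, major, minor, name length n,
    data length d, 2 pad bytes, name (padded to 4), data (padded to 4).
    """
    endian = "<" if little_endian else ">"
    header = (b"l" if little_endian else b"B") + b"\0"
    header += struct.pack(endian + "HHHHxx", 11, 0, len(proto), len(cookie))
    return header + proto + b"\0" * _pad4(len(proto)) + cookie + b"\0" * _pad4(len(cookie))


def parse_setup_request(data):
    """Return (auth_name, auth_data, bytes_consumed) or raise ValueError."""
    if len(data) < 12:
        raise ValueError("setup request shorter than its fixed header")
    endian = {b"l": "<", b"B": ">"}.get(data[0:1])
    if endian is None:
        raise ValueError("unknown byte-order marker")
    _major, _minor, n, d = struct.unpack(endian + "HHHH", data[2:10])
    name = data[12:12 + n]
    data_off = 12 + n + _pad4(n)
    auth = data[data_off:data_off + d]
    if len(name) != n or len(auth) != d:
        raise ValueError("truncated authorization fields")
    return name, auth, data_off + d + _pad4(d)


def substitute_cookie(data, fake, real):
    """Swap the fake cookie for the real one before the request reaches the local X server.

    Returns the rewritten byte stream, or None when the connection must be refused:
    a different authorization protocol, or a cookie the remote side was never
    given, is not forwarded.
    """
    name, auth, end = parse_setup_request(data)
    if name != AUTH_PROTO or not secrets.compare_digest(auth, fake):
        return None
    little_endian = data[0:1] == b"l"
    # Re-encode with the real cookie and keep whatever X requests followed the setup.
    return build_setup_request(real, name, little_endian) + data[end:]


if __name__ == "__main__":
    fake, real = make_fake_cookie(), secrets.token_bytes(COOKIE_LEN)
    good = substitute_cookie(build_setup_request(fake), fake, real)
    bad = substitute_cookie(build_setup_request(secrets.token_bytes(COOKIE_LEN)), fake, real)
    print("valid cookie forwarded:", good is not None, "| unknown cookie refused:", bad is None)
```

The real cookie only ever exists in the rewritten request on the local side, so the remote machine sees nothing but the random fake value, which matches the description above.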

 Port Forwarding

Port forwarding allows forwarding of TCP/IP connections to a remote machine over an encrypted channel. Standard Internet applications like POP can be secured with this.
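A forwarded port is only as private as the address it listens on, so the first check a defender makes on a forwarding setup is where the listener is bound. The following added example (not part of this page or of OpenSSH) parses the `[bind_address:]port:host:hostport` form that ssh(1) accepts for -L and -R, including bracketed IPv6 addresses, and reports whether the listening side is reachable from other hosts. The sample specs are constructed; the Unix-socket forms of the option are deliberately not handled, and the function names are this example's own.

```python
from dataclasses import dataclass
from typing import Optional

# Bind addresses that make a listener reachable from other hosts
# (an empty bind_address or '*' means "all interfaces" in ssh(1)).
WILDCARD_BINDS = {"", "*", "0.0.0.0", "::"}


@dataclass
class Forward:
    bind_address: Optional[str]   # None when the spec omitted it
    port: int
    host: str
    hostport: int


def _split_spec(spec):
    """Split on ':' but not inside [...] so bracketed IPv6 addresses survive."""
    parts, current, depth = [], [], 0
    for ch in spec:
        if ch == "[":
            depth += 1
        elif ch == "]":
            depth -= 1
            if depth < 0:
                raise ValueError("unbalanced ']' in forward spec")
        if ch == ":" and depth == 0:
            parts.append("".join(current))
            current = []
        else:
            current.append(ch)
    if depth != 0:
        raise ValueError("unbalanced '[' in forward spec")
    parts.append("".join(current))
    return [p[1:-1] if p.startswith("[") and p.endswith("]") else p for p in parts]


def _port(text):
    port = int(text)
    if not 1 <= port <= 65535:
        raise ValueError(f"port out of range: {text}")
    return port


def parse_forward(spec):
    """Parse a -L / -R style '[bind_address:]port:host:hostport' spec."""
    parts = _split_spec(spec)
    if len(parts) == 3:
        bind, port, host, hostport = None, *parts
    elif len(parts) == 4:
        bind, port, host, hostport = parts
    else:
        raise ValueError(f"expected 3 or 4 colon-separated fields, got {len(parts)}")
    if not host:
        raise ValueError("destination host must not be empty")
    return Forward(bind, _port(port), host, _port(hostport))


def exposed_to_network(fwd, gateway_ports=False):
    """True if other hosts can connect to the listening port.

    With no bind_address the listener follows the GatewayPorts setting;
    an explicit wildcard opens it to all interfaces regardless of that setting.
    """
    if fwd.bind_address is None:
        return gateway_ports
    return fwd.bind_address in WILDCARD_BINDS


# Constructed sample specs: the POP tunnel from the text, a wildcard bind, and IPv6.
SAMPLE_SPECS = ["1100:mailhost:110", "*:1100:mailhost:110", "[::1]:8080:[2001:db8::1]:80"]

if __name__ == "__main__":
    for spec in SAMPLE_SPECS:
        fwd = parse_forward(spec)
        print(f"{spec:32} exposed={exposed_to_network(fwd)}")
```

A listener bound to all interfaces lets any host that can reach the machine send traffic through the tunnel, so such specs deserve the same review as an open firewall rule.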

 Strong Authentication

Strong authentication protects against several security problems, e.g., IP spoofing, fake routes, and DNS spoofing. The authentication methods are: .rhosts together with RSA based host authentication, pure RSA authentication, one-time passwords with s/key, and finally authentication using Kerberos.

 Agent Forwarding

An authentication agent, running on the user's laptop or local workstation, can be used to hold the user's RSA or DSA authentication keys. OpenSSH automatically forwards the connection to the authentication agent over any connections, and there is no need to store the RSA or DSA authentication keys on any machine in the network (except the user's own local machine). The authentication protocols never reveal the keys; they can only be used to verify that the user's agent has a certain key. Eventually the agent could rely on a smart card to perform all authentication computations.

 Interoperability

OpenSSH versions before 2.0 support the SSH 1.3 and SSH 1.5 protocols permitting communication with most UNIX, Windows and other commercial ssh implementations.

As of OpenSSH 2.0, as well as supporting the SSH 1.3 and SSH 1.5 protocols, OpenSSH also has support for the SSH 2.0 protocol. This protocol avoids using the RSA algorithm -- since at the time protocol 2.0 was invented the RSA patent was still in effect -- and uses the freely usable DH and DSA algorithms instead.

Thus, OpenSSH gives you the best of both worlds. You can interoperate with both types of ssh clients and servers!
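The Strong Encryption and Interoperability sections above list ciphers and protocol versions as they stood when this page was written. Current OpenSSH releases no longer enable 3DES-CBC by default, have removed the arcfour and Blowfish ciphers altogether, and no longer speak protocol 1, so a configuration that still names them deserves a finding. The following added example (not code from the OpenSSH project) parses ssh_config / sshd_config style text and reports those settings; the sample configuration is constructed and the function names are this example's own.

```python
import re

# Cipher names from the Strong Encryption section that current OpenSSH releases
# no longer enable by default (the arcfour and Blowfish ciphers were removed
# from the code base; 3des-cbc remains available but is off by default).
LEGACY_CIPHERS = {"3des-cbc", "blowfish-cbc", "arcfour", "arcfour128", "arcfour256"}


def parse_config(text):
    """Yield (keyword, value) pairs from ssh_config / sshd_config style text.

    Keywords are case-insensitive, may be separated from the value by
    whitespace or '=', and '#' starts a comment.
    """
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        match = re.match(r"^(\S+?)(?:\s*=\s*|\s+)(.*)$", line)
        if match:
            yield match.group(1).lower(), match.group(2).strip()


def audit_ciphers(spec):
    """Return the legacy cipher names a Ciphers directive would enable.

    A leading '+' or '^' appends/prepends names to the built-in default list
    and '-' removes them, so a '-' spec can never enable anything.
    """
    prefix = spec[:1] if spec[:1] in ("+", "-", "^") else ""
    if prefix == "-":
        return []
    names = [n.strip().lower() for n in spec[len(prefix):].split(",") if n.strip()]
    # Any CBC-mode cipher is reported too: OpenSSH defaults to CTR, GCM and ChaCha20 modes.
    return [n for n in names if n in LEGACY_CIPHERS or n.endswith("-cbc")]


def audit_protocol(spec):
    """Return True when a Protocol directive still allows SSH protocol 1."""
    return "1" in [v.strip() for v in spec.split(",")]


def audit_config(text):
    """Collect findings for one configuration file as plain strings, in file order."""
    findings = []
    for keyword, value in parse_config(text):
        if keyword == "ciphers":
            findings.extend(f"legacy cipher enabled: {name}" for name in audit_ciphers(value))
        elif keyword == "protocol" and audit_protocol(value):
            findings.append("SSH protocol 1 enabled (removed from current OpenSSH)")
    return findings


# Constructed sample sshd_config fragment, not taken from any real host.
SAMPLE_SSHD_CONFIG = """\
Port 22
Protocol 2,1
# CTR modes plus the two legacy ciphers this page describes
Ciphers aes128-ctr,aes256-ctr,arcfour,3des-cbc
X11Forwarding yes
"""

if __name__ == "__main__":
    for finding in audit_config(SAMPLE_SSHD_CONFIG):
        print(finding)
```

Run against a real file with `audit_config(open("/etc/ssh/sshd_config").read())`; the parser is deliberately line-oriented and ignores Match blocks, so a Ciphers line inside a Match block is reported the same as a global one.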

 SFTP client and server support in both SSH1 and SSH2 protocols

As of OpenSSH 2.5.0, complete SFTP support is included, using the sftp(1) command as a client. The sftp-server(8) subsystem automatically works in both the SSH1 and SSH2 protocols.

 Kerberos and AFS Ticket Passing

OpenSSH also passes tickets for Kerberos and AFS on to the remote machine. A user can thus access all his Kerberos and AFS services without the need to type in a password again.

 Data Compression

Data compression before encryption improves the performance for slow network links.


OpenSSH www@openbsd.org
$OpenBSD: features.html,v 1.23 2005/07/14 04:25:32 dtucker Exp $