README revision 58582

[ Please note that this file has not been updated for OpenSSH and
  covers the ssh-1.2.12 release from Dec 1995 only. ]

Ssh (Secure Shell) is a program to log into another computer over a
network, to execute commands in a remote machine, and to move files
from one machine to another.  It provides strong authentication and
secure communications over insecure channels.  It is intended as a
replacement for rlogin, rsh, rcp, and rdist.

See the file INSTALL for installation instructions.  See COPYING for
license terms and other legal issues.  See RFC for a description of
the protocol.  There is a WWW page for ssh; see http://www.cs.hut.fi/ssh.

This file has been updated to match ssh-1.2.12.


FEATURES

 o  Strong authentication.  Closes several security holes (e.g., IP,
    routing, and DNS spoofing).  New authentication methods: .rhosts
    together with RSA based host authentication, and pure RSA
    authentication.

 o  Improved privacy.  All communications are automatically and
    transparently encrypted.  RSA is used for key exchange, and a
    conventional cipher (normally IDEA, DES, or triple-DES) for
    encrypting the session.  Encryption is started before
    authentication, and no passwords or other information is
    transmitted in the clear.  Encryption is also used to protect
    against spoofed packets.

 o  Secure X11 sessions.  The program automatically sets DISPLAY on
    the server machine, and forwards any X11 connections over the
    secure channel.  Fake Xauthority information is automatically
    generated and forwarded to the remote machine; the local client
    automatically examines incoming X11 connections and replaces the
    fake authorization data with the real data (never telling the
    remote machine the real information).

 o  Arbitrary TCP/IP ports can be redirected through the encrypted channel
    in both directions (e.g., for e-cash transactions).

 o  No retraining needed for normal users; everything happens
    automatically, and old .rhosts files will work with strong
    authentication if administration installs host key files.

 o  Never trusts the network.  Minimal trust on the remote side of
    the connection.  Minimal trust on domain name servers.  Pure RSA
    authentication never trusts anything but the private key.

 o  Client RSA-authenticates the server machine in the beginning of
    every connection to prevent trojan horses (by routing or DNS
    spoofing) and man-in-the-middle attacks, and the server
    RSA-authenticates the client machine before accepting .rhosts or
    /etc/hosts.equiv authentication (to prevent DNS, routing, or
    IP-spoofing).

 o  Host authentication key distribution can be done centrally by the
    administration, automatically when the first connection is made
    to a machine (the key obtained on the first connection will be
    recorded and used for authentication in the future), or manually
    by each user for his/her own use.  The central and per-user host
    key repositories are both used and complement each other.  Host
    keys can be generated centrally or automatically when the software
    is installed.  Host authentication keys are typically 1024 bits.

 o  Any user can create any number of user authentication RSA keys for
    his/her own use.  Each user has a file which lists the RSA public
    keys for which proof of possession of the corresponding private
    key is accepted as authentication.  User authentication keys are
    typically 1024 bits.

 o  The server program has its own server RSA key which is
    automatically regenerated every hour.  This key is never saved in
    any file.  Exchanged session keys are encrypted using both the
    server key and the server host key.  The purpose of the separate
    server key is to make it impossible to decipher a captured session by
    breaking into the server machine at a later time; one hour from
    the connection even the server machine cannot decipher the session
    key.  The key regeneration interval is configurable.  The server
    key is normally 768 bits.

 o  An authentication agent, running in the user's laptop or local
    workstation, can be used to hold the user's RSA authentication
    keys.  Ssh automatically forwards the connection to the
    authentication agent over any connections, and there is no need to
    store the RSA authentication keys on any machine in the network
    (except the user's own local machine).  The authentication
    protocols never reveal the keys; they can only be used to verify
    that the user's agent has a certain key.  Eventually the agent
    could rely on a smart card to perform all authentication
    computations.

 o  The software can be installed and used (with restricted
    functionality) even without root privileges.

 o  The client is customizable in system-wide and per-user
    configuration files.  Most aspects of the client's operation can
    be configured.  Different options can be specified on a per-host basis.

 o  Automatically executes conventional rsh (after displaying a
    warning) if the server machine is not running sshd.

 o  Optional compression of all data with gzip (including forwarded X11
    and TCP/IP port data), which may result in significant speedups on
    slow connections.

 o  Complete replacement for rlogin, rsh, and rcp.


WHY TO USE SECURE SHELL

Currently, almost all communications in computer networks are done
without encryption.  As a consequence, anyone who has access to any
machine connected to the network can listen in on any communication.
This is being done by hackers, curious administrators, employers,
criminals, industrial spies, and governments.  Some networks leak off
enough electromagnetic radiation that data may be captured even from a
distance.

When you log in, your password goes over the network in plain
text.  Thus, any listener can then use your account to do any evil he
likes.  Many incidents have been encountered worldwide where crackers
have started programs on workstations without the owner's knowledge
just to listen to the network and collect passwords.  Programs for
doing this are available on the Internet, or can be built by a
competent programmer in a few hours.

Any information that you type or is printed on your screen can be
monitored, recorded, and analyzed.  For example, an intruder who has
penetrated a host connected to a major network can start a program
that listens to all data flowing in the network, and whenever it
encounters a 16-digit string, it checks if it is a valid credit card
number (using the check digit), and saves the number plus any
surrounding text (to catch expiration date and holder) in a file.
When the intruder has collected a few thousand credit card numbers, he
makes smallish mail-order purchases from a few thousand stores around
the world, and disappears when the goods arrive but before anyone
suspects anything.

Businesses have trade secrets, patent applications in preparation,
pricing information, subcontractor information, client data, personnel
data, financial information, etc.  Currently, anyone with access to
the network (any machine on the network) can listen to anything that
goes in the network, without any regard to normal access restrictions.

Many companies are not aware that information can so easily be
recovered from the network.  They trust that their data is safe
since nobody is supposed to know that there is sensitive information
in the network, or because so much other data is transferred in the
network.  This is not a safe policy.

Individual persons also have confidential information, such as
diaries, love letters, health care documents, information about their
personal interests and habits, professional data, job applications,
tax reports, political documents, unpublished manuscripts, etc.

One should also be aware that economic intelligence and industrial
espionage have recently become a major priority of the intelligence
agencies of major governments.  President Clinton recently assigned
economic espionage as the primary task of the CIA, and the French
have repeatedly been publicly boasting about their achievements in
this field.


There is also another frightening aspect about the poor security of
communications.  Computer storage and analysis capability has
increased so much that it is feasible for governments, major
companies, and criminal organizations to automatically analyze,
identify, classify, and file information about millions of people over
the years.  Because most of the work can be automated, the cost of
collecting this information is getting very low.

Government agencies may be able to monitor major communication
systems, telephones, fax, computer networks, etc., and passively
collect huge amounts of information about all people with any
significant position in the society.  Most of this information is not
sensitive, and many people would say there is no harm in someone
getting that information.  However, the information starts to get
sensitive when someone has enough of it.  You may not mind someone
knowing what you bought from the shop one random day, but you might
not like someone knowing every small thing you have bought in the last
ten years.

If the government some day starts to move into a more totalitarian
direction (one should remember that Nazi Germany was created by
democratic elections), there is considerable danger of an ultimate
totalitarian state.  With enough information (the automatically
collected records of an individual can be manually analyzed when the
person becomes interesting), one can form a very detailed picture of
the individual's interests, opinions, beliefs, habits, friends,
lovers, weaknesses, etc.  This information can be used to 1) locate
any persons who might oppose the new system 2) use deception to
disturb any organizations which might rise against the government 3)
eliminate difficult individuals without anyone understanding what
happened.  Additionally, if the government can monitor communications
too effectively, it becomes too easy to locate and eliminate any
persons distributing information contrary to the official truth.

Fighting crime and terrorism are often used as grounds for domestic
surveillance and restricting encryption.  These are good goals, but
there is considerable danger that the surveillance data starts to get
used for questionable purposes.  I find that it is better to tolerate
a small amount of crime in the society than to let the society become
fully controlled.  I am in favor of a fairly strong state, but the
state must never get so strong that people become unable to spread
contra-official information and unable to overturn the government if it
is bad.  The danger is that when you notice that the government is
too powerful, it is too late.  Also, the real power may not be where
the official government is.

For these reasons (privacy, protecting trade secrets, and making it
more difficult to create a totalitarian state), I think that strong
cryptography should be integrated to the tools we use every day.
Using it causes no harm (except for those who wish to monitor
everything), but not using it can cause huge problems.  If the society
changes in undesirable ways, then it will be too late to start
encrypting.

Encryption has had a "military" or "classified" flavor to it.  There
are no longer any grounds for this.  The military can and will use its
own encryption; that is no excuse to prevent the civilians from
protecting their privacy and secrets.  Information on strong
encryption is available in every major bookstore, scientific library,
and patent office around the world, and strong encryption software is
available in every country on the Internet.

Some people would like to make it illegal to use encryption, or to
force people to use encryption that governments can break.  This
approach offers no protection if the government turns bad.  Also, the
"bad guys" will be using true strong encryption anyway.  Good
encryption techniques are too widely known to make them disappear.
Thus, any "key escrow encryption" or other restrictions will only help
monitor ordinary people and petty criminals.  It does not help against
powerful criminals, terrorists, or espionage, because they will know
how to use strong encryption anyway.  (One source for internationally
available encryption software is http://www.cs.hut.fi/crypto.)


OVERVIEW OF SECURE SHELL

The software consists of a number of programs.

   sshd          Server program run on the server machine.  This
                 listens for connections from client machines, and
                 whenever it receives a connection, it performs
                 authentication and starts serving the client.

   ssh           This is the client program used to log into another
                 machine or to execute commands on the other machine.
                 "slogin" is another name for this program.

   scp           Securely copies files from one machine to another.

   ssh-keygen    Used to create RSA keys (host keys and user
                 authentication keys).

   ssh-agent     Authentication agent.  This can be used to hold RSA
                 keys for authentication.

   ssh-add       Used to register new keys with the agent.

   make-ssh-known-hosts
                 Used to create the /etc/ssh_known_hosts file.


Ssh is the program users normally use.  It is started as

  ssh host

or

  ssh host command

The first form opens a new shell on the remote machine (after
authentication).  The latter form executes the command on the remote
machine.

When started, ssh connects to sshd on the server machine, verifies
that the server machine really is the machine it wanted to connect to,
exchanges encryption keys (in a manner which prevents an outside
listener from getting the keys), and performs authentication using
.rhosts and /etc/hosts.equiv, RSA authentication, or conventional
password-based authentication.  The server then (normally) allocates a
pseudo-terminal and starts an interactive shell or user program.

The TERM environment variable (describing the type of the user's
terminal) is passed from the client side to the remote side.  Also,
terminal modes will be copied from the client side to the remote side
to preserve user preferences (e.g., the erase character).

If the DISPLAY variable is set on the client side, the server will
create a dummy X server and set DISPLAY accordingly.  Any connections
to the dummy X server will be forwarded through the secure channel,
and will be made to the real X server from the client side.  An
arbitrary number of X programs can be started during the session, and
starting them does not require anything special from the user.  (Note
that the user must not manually set DISPLAY, because then it would
connect directly to the real display instead of going through the
encrypted channel).  This behavior can be disabled in the
configuration file or by giving the -x option to the client.

Arbitrary IP ports can be forwarded over the secure channel.  The
program then creates a port on one side, and whenever a connection is
opened to this port, it will be passed over the secure channel, and a
connection will be made from the other side to a specified host:port
pair.  Arbitrary IP forwarding must always be explicitly requested,
and cannot be used to forward privileged ports (unless the user is
root).  It is possible to specify automatic forwards in a per-user
configuration file, for example to make electronic cash systems work
securely.

If there is an authentication agent on the client side, connection to
it will be automatically forwarded to the server side.

For more information, see the manual pages ssh(1), sshd(8), scp(1),
ssh-keygen(1), ssh-agent(1), ssh-add(1), and make-ssh-known-hosts(1)
included in this distribution.


X11 CONNECTION FORWARDING

X11 forwarding serves two purposes: it is a convenience to the user
because there is no need to set the DISPLAY variable, and it provides
encrypted X11 connections.  I cannot think of any other easy way to
make X11 connections encrypted; modifying the X server, clients or
libraries would require special work for each machine, vendor and
application.  Widely used IP-level encryption does not seem likely for
several years.  Thus what we have left is faking an X server on the
same machine where the clients are run, and forwarding the connections
to a real X server over the secure channel.

X11 forwarding works as follows.  The client extracts Xauthority
information for the server.  It then creates random authorization
data, and sends the random data to the server.  The server allocates
an X11 display number, and stores the (fake) Xauthority data for this
display.  Whenever an X11 connection is opened, the server forwards
the connection over the secure channel to the client, and the client
parses the first packet of the X11 protocol, substitutes real
authentication data for the fake data (if the fake data matched), and
forwards the connection to the real X server.
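The last step above, the client-side cookie swap on the first packet of a forwarded X11 connection, as an added example in Python.  This is not code from the ssh distribution: it assumes only the standard X11 connection-setup request layout (byte-order marker, protocol version, authorization name and data, each padded to four bytes), and the cookies in it are constructed sample values.

```python
"""Added example (not code from the ssh distribution): the client-side
cookie swap that ssh-1.2.12's X11 forwarding performs on the first packet
of each forwarded X11 connection.  The packet layout is the standard X11
connection-setup request; the cookies below are constructed sample values.
"""
import hmac
import struct

MIT_COOKIE = b"MIT-MAGIC-COOKIE-1"   # authorization protocol name used by xauth/xdm


def _pad4(length: int) -> int:
    """X11 pads the name and data fields to a multiple of four bytes."""
    return (4 - length % 4) % 4


def build_x11_setup(auth_name: bytes, auth_data: bytes,
                    byte_order: bytes = b"l") -> bytes:
    """Build an X11 connection-setup request.  Used here to construct
    sample input; a real client library produces the same bytes."""
    fmt = "<" if byte_order == b"l" else ">"
    header = byte_order + b"\0" + struct.pack(
        fmt + "HHHHH", 11, 0, len(auth_name), len(auth_data), 0)
    return (header
            + auth_name + b"\0" * _pad4(len(auth_name))
            + auth_data + b"\0" * _pad4(len(auth_data)))


def parse_x11_setup(packet: bytes) -> dict:
    """Parse the fixed header and locate the auth name and auth data.
    Raises ValueError on anything that is not a well-formed setup request,
    so a garbage first packet is rejected rather than forwarded."""
    if len(packet) < 12:
        raise ValueError("X11 setup request shorter than its 12-byte header")
    order = packet[0:1]
    if order not in (b"l", b"B"):
        raise ValueError("bad byte-order marker %r" % order)
    fmt = "<" if order == b"l" else ">"
    major, minor, name_len, data_len, _unused = struct.unpack(
        fmt + "HHHHH", packet[2:12])
    name_end = 12 + name_len
    data_start = name_end + _pad4(name_len)
    data_end = data_start + data_len
    if len(packet) < data_end + _pad4(data_len):
        raise ValueError("X11 setup request truncated")
    return {
        "byte_order": order, "major": major, "minor": minor,
        "auth_name": packet[12:name_end],
        "auth_data": packet[data_start:data_end],
        "rest": packet[data_end + _pad4(data_len):],
    }


def substitute_x11_auth(packet: bytes, fake_cookie: bytes, real_cookie: bytes):
    """Client side of the forwarded connection: if the remote program
    presented exactly the fake cookie ssh handed to the server, rebuild
    the request with the real cookie; otherwise return None so the
    connection is dropped and the real cookie is never exposed."""
    info = parse_x11_setup(packet)
    if info["auth_name"] != MIT_COOKIE:
        return None
    # constant-time compare: the fake cookie is a secret on the remote side
    if not hmac.compare_digest(info["auth_data"], fake_cookie):
        return None
    return build_x11_setup(MIT_COOKIE, real_cookie, info["byte_order"]) + info["rest"]


# --- constructed sample values (not real cookies) ---
FAKE_COOKIE = bytes(range(16))           # what ssh sent to the server
REAL_COOKIE = bytes(range(0xF0, 0x100))  # what the local X server expects


def demo() -> bool:
    """Forwarded request carrying the fake cookie comes out with the real one."""
    forwarded = build_x11_setup(MIT_COOKIE, FAKE_COOKIE)
    fixed = substitute_x11_auth(forwarded, FAKE_COOKIE, REAL_COOKIE)
    return parse_x11_setup(fixed)["auth_data"] == REAL_COOKIE


if __name__ == "__main__":
    print("cookie swapped:", demo())
```

The two refusals matter as much as the swap: a request whose cookie does not match the fake one (or that uses some other authorization protocol) is dropped without ever being rebuilt, which is what keeps the real Xauthority data from leaving the client machine.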

If the display does not have Xauthority data, the server will create a
unix domain socket in /tmp/.X11-unix, and use the unix domain socket
as the display.  No authentication information is forwarded in this
case.  X11 connections are again forwarded over the secure channel.
To the X server the connections appear to come from the client
machine, and the server must have connections allowed from the local
machine.  Using authentication data is always recommended because not
using it makes the display insecure.  If XDM is used, it automatically
generates the authentication data.

One should be careful not to use "xin" or "xstart" or other similar
scripts that explicitly set DISPLAY to start X sessions in a remote
machine, because the connection will then not go over the secure
channel.  The recommended way to start a shell in a remote machine is

  xterm -e ssh host &

and the recommended way to execute an X11 application in a remote
machine is

  ssh -n host emacs &

If you need to type a password/passphrase for the remote machine,

  ssh -f host emacs

may be useful.



RSA AUTHENTICATION

RSA authentication is based on public key cryptography.  The idea is
that there are two encryption keys, one for encryption and another for
decryption.  It is not possible (on a human timescale) to derive the
decryption key from the encryption key.  The encryption key is called
the public key, because it can be given to anyone and it is not
secret.  The decryption key, on the other hand, is secret, and is
called the private key.

RSA authentication is based on the impossibility of deriving the
private key from the public key.  The public key is stored on the
server machine in the user's $HOME/.ssh/authorized_keys file.  The
private key is only kept on the user's local machine, laptop, or other
secure storage.  When the user tries to log in, the client tells the
server the public key that the user wishes to use for authentication.
The server then checks if this public key is admissible.  If so, it
generates a 256 bit random number, encrypts it with the public key,
and sends the value to the client.  The client then decrypts the
number with its private key, computes a 128 bit MD5 checksum from the
resulting data, and sends the checksum back to the server.  (Only a
checksum is sent to prevent chosen-plaintext attacks against RSA.)
The server then computes a checksum from the correct data,
and compares the checksums.  Authentication is accepted if the
checksums match.  (Theoretically this indicates that the client
only probably knows the correct key, but for all practical purposes
there is no doubt.)
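The exchange just described, with both the server's and the client's side written out, as an added Python example that is not code from the ssh distribution.  It uses textbook RSA (no padding) on a key it generates itself so that it runs offline; a real implementation pads the challenge and reads the key files written by ssh-keygen.  The key sizes, the 256-bit challenge and the MD5 checksum are the ones the text gives; the function names are this example's own.

```python
"""Added example (not code from the ssh distribution): the ssh-1.2.12
RSA user-authentication exchange, with both sides written out.  Uses
textbook RSA on a key generated here so that it runs offline; real ssh
pads the challenge and reads ssh-keygen's key files.
"""
import hashlib
import hmac
import secrets

CHALLENGE_BITS = 256        # the text: "generates a 256 bit random number"
PUBLIC_EXPONENT = 65537


def is_probable_prime(n: int, rounds: int = 32) -> bool:
    """Miller-Rabin probabilistic primality test."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = 2 + secrets.randbelow(n - 3)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def generate_prime(bits: int) -> int:
    """Random prime with the top bit set, so p*q has the requested size."""
    while True:
        candidate = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(candidate):
            return candidate


def generate_keypair(bits: int = 1024):
    """Return ((n, e), (n, d)); 1024 bits is the text's typical user key."""
    while True:
        p, q = generate_prime(bits // 2), generate_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % PUBLIC_EXPONENT != 0:   # e must be coprime to phi
            break
    return (p * q, PUBLIC_EXPONENT), (p * q, pow(PUBLIC_EXPONENT, -1, phi))


def _checksum(value: int) -> bytes:
    """MD5 over the big-endian bytes of the challenge.  The width is at least
    32 bytes (256 bits); decrypting with a wrong key can yield a larger number,
    which is encoded too so the client simply answers wrongly."""
    width = max(CHALLENGE_BITS // 8, (value.bit_length() + 7) // 8)
    return hashlib.md5(value.to_bytes(width, "big")).digest()


def server_make_challenge(public_key):
    """Server: pick a 256-bit secret and encrypt it to the public key listed
    in authorized_keys.  Returns (ciphertext to send, checksum kept locally)."""
    n, e = public_key
    secret = secrets.randbits(CHALLENGE_BITS)
    return pow(secret, e, n), _checksum(secret)


def client_answer_challenge(private_key, ciphertext: int) -> bytes:
    """Client: decrypt with the private key and return only the MD5 of the
    result, never the decrypted value itself."""
    n, d = private_key
    return _checksum(pow(ciphertext, d, n))


def server_verify(expected: bytes, response: bytes) -> bool:
    """Server: constant-time comparison of the two checksums."""
    return hmac.compare_digest(expected, response)


def run_exchange(public_key, private_key) -> bool:
    """Whole exchange; True only if the private key matches the public key."""
    ciphertext, expected = server_make_challenge(public_key)
    return server_verify(expected, client_answer_challenge(private_key, ciphertext))


if __name__ == "__main__":
    pub, priv = generate_keypair()
    _, wrong_priv = generate_keypair()
    print("correct key accepted:", run_exchange(pub, priv))
    print("other key accepted:  ", run_exchange(pub, wrong_priv))
```

Note that the client never sends the decrypted number back, only its checksum, which is the point the text makes in parentheses; and the server never needs the private key at all, only the public key from authorized_keys and the random value it chose itself.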

The RSA private key can be protected with a passphrase.  The
passphrase can be any string; it is hashed with MD5 to produce an
encryption key for IDEA, which is used to encrypt the private part of
the key file.  With a passphrase, authorization requires access to the key
file and the passphrase.  Without a passphrase, authorization only
depends on possession of the key file.

RSA authentication is the most secure form of authentication supported
by this software.  It does not rely on the network, routers, domain
name servers, or the client machine.  The only thing that matters is
access to the private key.

All this, of course, depends on the security of the RSA algorithm
itself.  RSA has been widely known since about 1978, and no effective
methods for breaking it are known if it is used properly.  Care has
been taken to avoid the well-known pitfalls.  Breaking RSA is widely
believed to be equivalent to factoring, which is a very hard
mathematical problem that has received considerable public research.
So far, no effective methods are known for numbers bigger than about
512 bits.  However, as computer speeds and factoring methods are
increasing, 512 bits can no longer be considered secure.  The
factoring work is exponential, and 768 or 1024 bits are widely
considered to be secure in the near future.


RHOSTS AUTHENTICATION

Conventional .rhosts and hosts.equiv based authentication mechanisms
are fundamentally insecure due to IP, DNS (domain name server) and
routing spoofing attacks.  Additionally this authentication method
relies on the integrity of the client machine.  These weaknesses are
tolerable, and have been known and exploited for a long time.

Ssh provides an improved version of these types of authentication,
because they are very convenient for the user (and allow easy
transition from rsh and rlogin).  It permits these types of
authentication, but additionally requires that the client host be
authenticated using RSA.

The server has a list of host keys stored in /etc/ssh_known_hosts, and
additionally each user has host keys in $HOME/.ssh/known_hosts.  Ssh
uses the name servers to obtain the canonical name of the client host,
looks for its public key in its known host files, and requires the
client to prove that it knows the private host key.  This prevents IP
and routing spoofing attacks (as long as the client machine private
host key has not been compromised), but is still vulnerable to DNS
attacks (to a limited extent), and relies on the integrity of the
client machine as to who is requesting to log in.  This prevents
outsiders from attacking, but does not protect against very powerful
attackers.  If maximal security is desired, only RSA authentication
should be used.
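The lookup step described above, and the "central and per-user host key repositories ... complement each other" point from the FEATURES list, as an added Python example that is not code from the ssh distribution.  It assumes the ssh-1 known-hosts line format ("hostnames bits exponent modulus [comment]", hostnames comma-separated with `*` and `?` wildcards, `#` comments); the file contents and key numbers in it are constructed toy values, and the proof-of-possession step that follows a successful lookup is the RSA challenge covered under RSA AUTHENTICATION.

```python
"""Added example (not code from the ssh distribution): looking a host up in
the two known-hosts repositories the README describes, /etc/ssh_known_hosts
(system-wide) and $HOME/.ssh/known_hosts (per-user), and classifying the
key a host presents.  Line format assumed: "hostnames bits exponent modulus
[comment]", hostnames comma-separated, '*' and '?' wildcards, '#' comments.
The file contents below are constructed samples with toy-sized numbers.
"""
import fnmatch

# Constructed sample repositories (real entries carry 1024-bit moduli).
SYSTEM_KNOWN_HOSTS = """\
# /etc/ssh_known_hosts -- maintained by the administrator
alpha.example.org,alpha 1024 37 7919 alpha's host key
*.lab.example.org 1024 65537 104729
this line is malformed and must be skipped
"""
USER_KNOWN_HOSTS = """\
# ~/.ssh/known_hosts -- recorded by the user on first contact
beta.example.org 1024 65537 1299709
alpha.example.org 1024 37 7919
"""


def parse_known_hosts(text: str):
    """Yield (patterns, (bits, e, n)) for each well-formed entry; malformed
    lines are skipped rather than letting one bad line break all lookups."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 4:
            continue
        try:
            bits, e, n = int(fields[1]), int(fields[2]), int(fields[3])
        except ValueError:
            continue
        yield fields[0].split(","), (bits, e, n)


def lookup_host_keys(canonical_name: str, *repositories: str):
    """All keys recorded for the host, searching every repository in turn:
    the central and per-user files complement each other."""
    keys = []
    for text in repositories:
        for patterns, key in parse_known_hosts(text):
            if any(fnmatch.fnmatchcase(canonical_name, p) for p in patterns):
                if key not in keys:
                    keys.append(key)
    return keys


def classify_host_key(canonical_name: str, presented_key, *repositories: str) -> str:
    """'known'    the presented key is on file for this name; go on to the
                  RSA proof-of-possession step.
       'unknown'  no key on file: first contact, so record it or refuse.
       'mismatch' a different key is on file: treat as possible spoofing."""
    keys = lookup_host_keys(canonical_name, *repositories)
    if not keys:
        return "unknown"
    return "known" if presented_key in keys else "mismatch"


if __name__ == "__main__":
    for host, key in (("alpha.example.org", (1024, 37, 7919)),
                      ("alpha.example.org", (1024, 37, 7920)),
                      ("gamma.example.org", (1024, 65537, 15485863))):
        print(host, classify_host_key(host, key, SYSTEM_KNOWN_HOSTS, USER_KNOWN_HOSTS))
```

For .rhosts authentication on the server side, only the "known" verdict should lead on to the RSA proof; "unknown" and "mismatch" both mean the client host cannot be authenticated, and "mismatch" in particular is the signal a defender wants logged, since it is what a spoofed address or name looks like from the server.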

It is possible to enable conventional .rhosts and /etc/hosts.equiv
authentication (without host authentication) at compile time by giving
the option --with-rhosts to configure.  However, this is not
recommended, and is not done by default.

These weaknesses are present in rsh and rlogin.  No improvement in
security will be obtained unless rlogin and rsh are completely
disabled (commented out in /etc/inetd.conf).  This is highly
recommended.


WEAKEST LINKS IN SECURITY

One should understand that while this software may provide
cryptographically secure communications, it may be easy to
monitor the communications at their endpoints.

Basically, anyone with root access on the local machine on which you
are running the software may be able to do anything.  Anyone with root
access on the server machine may be able to monitor your
communications, and a very talented root user might even be able to
send his/her own requests to your authentication agent.

One should also be aware that computers send out electromagnetic
radiation that can sometimes be picked up hundreds of meters away.
Your keyboard is particularly easy to listen to.  The image on your
monitor might also be seen on another monitor in a van parked behind
your house.

Beware that unwanted visitors might come to your home or office and
use your machine while you are away.  They might also make
modifications or install bugs in your hardware or software.

Beware that the most effective way for someone to decrypt your data
may be with a rubber hose.


LEGAL ISSUES

As far as I am concerned, anyone is permitted to use this software
freely.  However, see the file COPYING for detailed copying,
licensing, and distribution information.

In some countries, particularly France, Russia, Iraq, and Pakistan,
it may be illegal to use any encryption at all without a special
permit, and the rumor has it that you cannot get a permit for any
strong encryption.

This software may be freely imported into the United States; however,
the United States Government may consider re-exporting it a criminal
offence.

Note that any information and cryptographic algorithms used in this
software are publicly available on the Internet and at any major
bookstore, scientific library, or patent office worldwide.

THERE IS NO WARRANTY FOR THIS PROGRAM.  Please consult the file
COPYING for more information.


MAILING LISTS AND OTHER INFORMATION

There is a mailing list for ossh.  It is ossh@sics.se.  If you would
like to join, send a message to majordomo@sics.se with "subscribe
ssh" in the body.

The WWW home page for ssh is http://www.cs.hut.fi/ssh.  It contains an
archive of the mailing list, and detailed information about new
releases, mailing lists, and other relevant issues.

Bug reports should be sent to ossh-bugs@sics.se.


ABOUT THE AUTHOR

This software was written by Tatu Ylonen <ylo@cs.hut.fi>.  I work as a
researcher at Helsinki University of Technology, Finland.  For more
information, see http://www.cs.hut.fi/~ylo/.  My PGP public key is
available via finger from ylo@cs.hut.fi and from the key servers.  I
prefer PGP encrypted mail.

The author can be contacted via ordinary mail at
  Tatu Ylonen
  Helsinki University of Technology
  Otakaari 1
  FIN-02150 ESPOO
  Finland

  Fax. +358-0-4513293


ACKNOWLEDGEMENTS

I thank Tero Kivinen, Timo Rinne, Janne Snabb, and Heikki Suonsivu for
their help and comments in the design, implementation and porting of
this software.  I also thank numerous contributors, including but not
limited to Walker Aumann, Jurgen Botz, Hans-Werner Braun, Stephane
Bortzmeyer, Adrian Colley, Michael Cooper, David Dombek, Jerome
Etienne, Bill Fithen, Mark Fullmer, Bert Gijsbers, Andreas Gustafsson,
Michael Henits, Steve Johnson, Thomas Koenig, Felix Leitner, Gunnar
Lindberg, Andrew Macpherson, Marc Martinec, Paul Mauvais, Donald
McKillican, Leon Mlakar, Robert Muchsel, Mark Treacy, Bryan
O'Sullivan, Mikael Suokas, Ollivier Robert, Jakob Schlyter, Tomasz
Surmacz, Alvar Vinacua, Petri Virkkula, Michael Warfield, and
Cristophe Wolfhugel.

Thanks also go to Philip Zimmermann, whose PGP software and the
associated legal battle provided inspiration, motivation, and many
useful techniques, and to Bruce Schneier whose book Applied
Cryptography has done a great service in widely distributing knowledge
about cryptographic methods.


Copyright (c) 1995 Tatu Ylonen, Espoo, Finland.