README revision 58582
[ Please note that this file has not been updated for OpenSSH and
  covers the ssh-1.2.12 release from Dec 1995 only. ]

Ssh (Secure Shell) is a program to log into another computer over a
network, to execute commands in a remote machine, and to move files
from one machine to another. It provides strong authentication and
secure communications over insecure channels. It is intended as a
replacement for rlogin, rsh, rcp, and rdist.

See the file INSTALL for installation instructions. See COPYING for
license terms and other legal issues. See the file RFC for a
description of the protocol. There is a WWW page for ssh; see
http://www.cs.hut.fi/ssh.

This file has been updated to match ssh-1.2.12.


FEATURES

 o Strong authentication. Closes several security holes (e.g., IP,
   routing, and DNS spoofing). New authentication methods: .rhosts
   together with RSA based host authentication, and pure RSA
   authentication.

 o Improved privacy. All communications are automatically and
   transparently encrypted. RSA is used for key exchange, and a
   conventional cipher (normally IDEA, DES, or triple-DES) for
   encrypting the session. Encryption is started before
   authentication, and no passwords or other information is
   transmitted in the clear. Encryption is also used to protect
   against spoofed packets.

 o Secure X11 sessions. The program automatically sets DISPLAY on
   the server machine, and forwards any X11 connections over the
   secure channel. Fake Xauthority information is automatically
   generated and forwarded to the remote machine; the local client
   automatically examines incoming X11 connections and replaces the
   fake authorization data with the real data (never telling the
   remote machine the real information).

 o Arbitrary TCP/IP ports can be redirected through the encrypted
   channel in both directions (e.g., for e-cash transactions).

 o No retraining needed for normal users; everything happens
   automatically, and old .rhosts files will work with strong
   authentication if administration installs host key files.

 o Never trusts the network. Minimal trust on the remote side of
   the connection. Minimal trust on domain name servers. Pure RSA
   authentication never trusts anything but the private key.

 o Client RSA-authenticates the server machine in the beginning of
   every connection to prevent trojan horses (by routing or DNS
   spoofing) and man-in-the-middle attacks, and the server
   RSA-authenticates the client machine before accepting .rhosts or
   /etc/hosts.equiv authentication (to prevent DNS, routing, or
   IP-spoofing).

 o Host authentication key distribution can be done centrally by the
   administration, automatically when the first connection is made
   to a machine (the key obtained on the first connection will be
   recorded and used for authentication in the future), or manually
   by each user for his/her own use. The central and per-user host
   key repositories are both used and complement each other. Host
   keys can be generated centrally or automatically when the software
   is installed. Host authentication keys are typically 1024 bits.

 o Any user can create any number of user authentication RSA keys for
   his/her own use. Each user has a file which lists the RSA public
   keys for which proof of possession of the corresponding private
   key is accepted as authentication. User authentication keys are
   typically 1024 bits.

 o The server program has its own server RSA key which is
   automatically regenerated every hour. This key is never saved in
   any file. Exchanged session keys are encrypted using both the
   server key and the server host key. The purpose of the separate
   server key is to make it impossible to decipher a captured session
   by breaking into the server machine at a later time; one hour from
   the connection even the server machine cannot decipher the session
   key. The key regeneration interval is configurable. The server
   key is normally 768 bits.

 o An authentication agent, running in the user's laptop or local
   workstation, can be used to hold the user's RSA authentication
   keys. Ssh automatically forwards the connection to the
   authentication agent over any connections, and there is no need to
   store the RSA authentication keys on any machine in the network
   (except the user's own local machine). The authentication
   protocols never reveal the keys; they can only be used to verify
   that the user's agent has a certain key. Eventually the agent
   could rely on a smart card to perform all authentication
   computations.

 o The software can be installed and used (with restricted
   functionality) even without root privileges.

 o The client is customizable in system-wide and per-user
   configuration files. Most aspects of the client's operation can
   be configured. Different options can be specified on a per-host
   basis.

 o Automatically executes conventional rsh (after displaying a
   warning) if the server machine is not running sshd.

 o Optional compression of all data with gzip (including forwarded X11
   and TCP/IP port data), which may result in significant speedups on
   slow connections.

 o Complete replacement for rlogin, rsh, and rcp.


WHY TO USE SECURE SHELL

Currently, almost all communications in computer networks are done
without encryption. As a consequence, anyone who has access to any
machine connected to the network can listen in on any communication.
This is being done by hackers, curious administrators, employers,
criminals, industrial spies, and governments. Some networks leak off
enough electromagnetic radiation that data may be captured even from a
distance.

When you log in, your password goes in the network in plain
text. Thus, any listener can then use your account to do any evil he
likes. Many incidents have been encountered worldwide where crackers
have started programs on workstations without the owner's knowledge
just to listen to the network and collect passwords. Programs for
doing this are available on the Internet, or can be built by a
competent programmer in a few hours.

Any information that you type or is printed on your screen can be
monitored, recorded, and analyzed.
For example, an intruder who has
penetrated a host connected to a major network can start a program
that listens to all data flowing in the network, and whenever it
encounters a 16-digit string, it checks if it is a valid credit card
number (using the check digit), and saves the number plus any
surrounding text (to catch expiration date and holder) in a file.
When the intruder has collected a few thousand credit card numbers, he
makes smallish mail-order purchases from a few thousand stores around
the world, and disappears when the goods arrive but before anyone
suspects anything.

Businesses have trade secrets, patent applications in preparation,
pricing information, subcontractor information, client data, personnel
data, financial information, etc. Currently, anyone with access to
the network (any machine on the network) can listen to anything that
goes in the network, without any regard to normal access restrictions.

Many companies are not aware that information can so easily be
recovered from the network. They trust that their data is safe
since nobody is supposed to know that there is sensitive information
in the network, or because so much other data is transferred in the
network. This is not a safe policy.

Individual persons also have confidential information, such as
diaries, love letters, health care documents, information about their
personal interests and habits, professional data, job applications,
tax reports, political documents, unpublished manuscripts, etc.

One should also be aware that economic intelligence and industrial
espionage have recently become a major priority of the intelligence
agencies of major governments. President Clinton recently assigned
economic espionage as the primary task of the CIA, and the French
have repeatedly been publicly boasting about their achievements in
this field.


There is also another frightening aspect about the poor security of
communications. Computer storage and analysis capability has
increased so much that it is feasible for governments, major
companies, and criminal organizations to automatically analyze,
identify, classify, and file information about millions of people over
the years. Because most of the work can be automated, the cost of
collecting this information is getting very low.

Government agencies may be able to monitor major communication
systems, telephones, fax, computer networks, etc., and passively
collect huge amounts of information about all people with any
significant position in the society. Most of this information is not
sensitive, and many people would say there is no harm in someone
getting that information. However, the information starts to get
sensitive when someone has enough of it. You may not mind someone
knowing what you bought from the shop one random day, but you might
not like someone knowing every small thing you have bought in the last
ten years.

If the government some day starts to move into a more totalitarian
direction (one should remember that Nazi Germany was created by
democratic elections), there is considerable danger of an ultimate
totalitarian state. With enough information (the automatically
collected records of an individual can be manually analyzed when the
person becomes interesting), one can form a very detailed picture of
the individual's interests, opinions, beliefs, habits, friends,
lovers, weaknesses, etc. This information can be used to 1) locate
any persons who might oppose the new system, 2) use deception to
disturb any organizations which might rise against the government, 3)
eliminate difficult individuals without anyone understanding what
happened. Additionally, if the government can monitor communications
too effectively, it becomes too easy to locate and eliminate any
persons distributing information contrary to the official truth.

Fighting crime and terrorism are often used as grounds for domestic
surveillance and restricting encryption. These are good goals, but
there is considerable danger that the surveillance data starts to get
used for questionable purposes. I find that it is better to tolerate
a small amount of crime in the society than to let the society become
fully controlled. I am in favor of a fairly strong state, but the
state must never get so strong that people become unable to spread
contra-official information and unable to overturn the government if
it is bad. The danger is that when you notice that the government is
too powerful, it is too late. Also, the real power may not be where
the official government is.

For these reasons (privacy, protecting trade secrets, and making it
more difficult to create a totalitarian state), I think that strong
cryptography should be integrated into the tools we use every day.
Using it causes no harm (except for those who wish to monitor
everything), but not using it can cause huge problems. If the society
changes in undesirable ways, then it will be too late to start
encrypting.

Encryption has had a "military" or "classified" flavor to it. There
are no longer any grounds for this. The military can and will use its
own encryption; that is no excuse to prevent the civilians from
protecting their privacy and secrets. Information on strong
encryption is available in every major bookstore, scientific library,
and patent office around the world, and strong encryption software is
available in every country on the Internet.

Some people would like to make it illegal to use encryption, or to
force people to use encryption that governments can break. This
approach offers no protection if the government turns bad. Also, the
"bad guys" will be using true strong encryption anyway. Good
encryption techniques are too widely known to make them disappear.
Thus, any "key escrow encryption" or other restrictions will only help
monitor ordinary people and petty criminals. It does not help against
powerful criminals, terrorists, or espionage, because they will know
how to use strong encryption anyway. (One source for internationally
available encryption software is http://www.cs.hut.fi/crypto.)


OVERVIEW OF SECURE SHELL

The software consists of a number of programs.

  sshd          Server program run on the server machine. This
                listens for connections from client machines, and
                whenever it receives a connection, it performs
                authentication and starts serving the client.

  ssh           This is the client program used to log into another
                machine or to execute commands on the other machine.
                "slogin" is another name for this program.

  scp           Securely copies files from one machine to another.

  ssh-keygen    Used to create RSA keys (host keys and user
                authentication keys).

  ssh-agent     Authentication agent. This can be used to hold RSA
                keys for authentication.

  ssh-add       Used to register new keys with the agent.

  make-ssh-known-hosts
                Used to create the /etc/ssh_known_hosts file.


Ssh is the program users normally use. It is started as

  ssh host

or

  ssh host command

The first form opens a new shell on the remote machine (after
authentication). The latter form executes the command on the remote
machine.

When started, ssh connects to sshd on the server machine, verifies
that the server machine really is the machine it wanted to connect to,
exchanges encryption keys (in a manner which prevents an outside
listener from getting the keys), and performs authentication using
.rhosts and /etc/hosts.equiv, RSA authentication, or conventional
password based authentication. The server then (normally) allocates a
pseudo-terminal and starts an interactive shell or user program.

The TERM environment variable (describing the type of the user's
terminal) is passed from the client side to the remote side. Also,
terminal modes will be copied from the client side to the remote side
to preserve user preferences (e.g., the erase character).

If the DISPLAY variable is set on the client side, the server will
create a dummy X server and set DISPLAY accordingly. Any connections
to the dummy X server will be forwarded through the secure channel,
and will be made to the real X server from the client side. An
arbitrary number of X programs can be started during the session, and
starting them does not require anything special from the user. (Note
that the user must not manually set DISPLAY, because then it would
connect directly to the real display instead of going through the
encrypted channel). This behavior can be disabled in the
configuration file or by giving the -x option to the client.

Arbitrary IP ports can be forwarded over the secure channel. The
program then creates a port on one side, and whenever a connection is
opened to this port, it will be passed over the secure channel, and a
connection will be made from the other side to a specified host:port
pair. Arbitrary IP forwarding must always be explicitly requested,
and cannot be used to forward privileged ports (unless the user is
root). It is possible to specify automatic forwards in a per-user
configuration file, for example to make electronic cash systems work
securely.

If there is an authentication agent on the client side, the connection
to it will be automatically forwarded to the server side.

For more information, see the manual pages ssh(1), sshd(8), scp(1),
ssh-keygen(1), ssh-agent(1), ssh-add(1), and make-ssh-known-hosts(1)
included in this distribution.


X11 CONNECTION FORWARDING

X11 forwarding serves two purposes: it is a convenience to the user
because there is no need to set the DISPLAY variable, and it provides
encrypted X11 connections. I cannot think of any other easy way to
make X11 connections encrypted; modifying the X server, clients or
libraries would require special work for each machine, vendor and
application. Widely used IP-level encryption does not seem likely for
several years. Thus what we have left is faking an X server on the
same machine where the clients are run, and forwarding the connections
to a real X server over the secure channel.

X11 forwarding works as follows. The client extracts Xauthority
information for the server. It then creates random authorization
data, and sends the random data to the server. The server allocates
an X11 display number, and stores the (fake) Xauthority data for this
display. Whenever an X11 connection is opened, the server forwards
the connection over the secure channel to the client, and the client
parses the first packet of the X11 protocol, substitutes real
authentication data for the fake data (if the fake data matched), and
forwards the connection to the real X server.

If the display does not have Xauthority data, the server will create a
unix domain socket in /tmp/.X11-unix, and use the unix domain socket
as the display. No authentication information is forwarded in this
case. X11 connections are again forwarded over the secure channel.
To the X server the connections appear to come from the client
machine, and the server must have connections allowed from the local
machine. Using authentication data is always recommended because not
using it makes the display insecure. If XDM is used, it automatically
generates the authentication data.

One should be careful not to use "xin" or "xstart" or other similar
scripts that explicitly set DISPLAY to start X sessions in a remote
machine, because the connection will then not go over the secure
channel.
The recommended way to start a shell in a remote machine is

  xterm -e ssh host &

and the recommended way to execute an X11 application in a remote
machine is

  ssh -n host emacs &

If you need to type a password/passphrase for the remote machine,

  ssh -f host emacs

may be useful.



RSA AUTHENTICATION

RSA authentication is based on public key cryptography. The idea is
that there are two encryption keys, one for encryption and another for
decryption. It is not possible (on a human timescale) to derive the
decryption key from the encryption key. The encryption key is called
the public key, because it can be given to anyone and it is not
secret. The decryption key, on the other hand, is secret, and is
called the private key.

RSA authentication is based on the impossibility of deriving the
private key from the public key. The public key is stored on the
server machine in the user's $HOME/.ssh/authorized_keys file. The
private key is only kept on the user's local machine, laptop, or other
secure storage. When the user tries to log in, the client tells the
server the public key that the user wishes to use for authentication.
The server then checks if this public key is admissible. If so, it
generates a 256 bit random number, encrypts it with the public key,
and sends the value to the client. The client then decrypts the
number with its private key, computes a 128 bit MD5 checksum from the
resulting data, and sends the checksum back to the server. (Only a
checksum is sent to prevent chosen-plaintext attacks against RSA.)
The server then computes a checksum from the correct data,
and compares the checksums. Authentication is accepted if the
checksums match. (Theoretically this indicates that the client
only probably knows the correct key, but for all practical purposes
there is no doubt.)

The RSA private key can be protected with a passphrase. The
passphrase can be any string; it is hashed with MD5 to produce an
encryption key for IDEA, which is used to encrypt the private part of
the key file. With a passphrase, authorization requires access to the
key file and the passphrase. Without a passphrase, authorization only
depends on possession of the key file.

RSA authentication is the most secure form of authentication supported
by this software. It does not rely on the network, routers, domain
name servers, or the client machine. The only thing that matters is
access to the private key.

All this, of course, depends on the security of the RSA algorithm
itself. RSA has been widely known since about 1978, and no effective
methods for breaking it are known if it is used properly. Care has
been taken to avoid the well-known pitfalls. Breaking RSA is widely
believed to be equivalent to factoring, which is a very hard
mathematical problem that has received considerable public research.
So far, no effective methods are known for numbers bigger than about
512 bits. However, as computer speeds and factoring methods are
increasing, 512 bits can no longer be considered secure. The
factoring work is exponential, and 768 or 1024 bits are widely
considered to be secure in the near future.


RHOSTS AUTHENTICATION

Conventional .rhosts and hosts.equiv based authentication mechanisms
are fundamentally insecure due to IP, DNS (domain name server) and
routing spoofing attacks. Additionally this authentication method
relies on the integrity of the client machine. These weaknesses are
tolerable, and have been known and exploited for a long time.

Ssh provides an improved version of these types of authentication,
because they are very convenient for the user (and allow easy
transition from rsh and rlogin). It permits these types of
authentication, but additionally requires that the client host be
authenticated using RSA.

The server has a list of host keys stored in /etc/ssh_known_hosts, and
additionally each user has host keys in $HOME/.ssh/known_hosts. Ssh
uses the name servers to obtain the canonical name of the client host,
looks for its public key in its known host files, and requires the
client to prove that it knows the private host key. This prevents IP
and routing spoofing attacks (as long as the client machine's private
host key has not been compromised), but is still vulnerable to DNS
attacks (to a limited extent), and relies on the integrity of the
client machine as to who is requesting to log in. This prevents
outsiders from attacking, but does not protect against very powerful
attackers. If maximal security is desired, only RSA authentication
should be used.
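The cookie substitution step from the X11 CONNECTION FORWARDING section above, as an added example written for this page (it is not code from the ssh distribution). It encodes and decodes the X11 connection setup request, the first packet every X client sends (byte order, protocol version, authorization protocol name and data, each padded to a multiple of four bytes), and implements the local client's check: a forwarded connection is accepted only when it presents exactly the fake cookie the client generated, and only then is the packet rewritten with the real cookie before it goes to the real X server. The real cookie therefore never crosses the encrypted channel to the remote machine. The cookie values, the function names and the stand-alone packet handling are assumptions of the example; MIT-MAGIC-COOKIE-1 is the real X11 authorization protocol name.

```python
import struct
import hmac
from collections import namedtuple

# Real X11 authorization protocol name used by xauth cookies.
MIT_MAGIC_COOKIE_1 = b"MIT-MAGIC-COOKIE-1"

# Decoded fields of a setup request; `end` is the offset where the header ends.
X11Setup = namedtuple("X11Setup", "fmt major minor auth_name auth_data end")


def _pad4(n):
    """Padding bytes that round n up to a multiple of 4 (X11 wire rule)."""
    return (4 - n % 4) % 4


def build_x11_setup(auth_name, auth_data, byte_order=b"l", major=11, minor=0):
    """Encode an X11 connection setup request (the first packet an X client sends)."""
    if byte_order not in (b"B", b"l"):
        raise ValueError("byte order must be b'B' (MSB first) or b'l' (LSB first)")
    fmt = ">" if byte_order == b"B" else "<"
    header = (byte_order + b"\x00"
              + struct.pack(fmt + "HHHH", major, minor, len(auth_name), len(auth_data))
              + b"\x00\x00")                      # two unused bytes; header is 12 bytes
    return (header
            + auth_name + b"\x00" * _pad4(len(auth_name))
            + auth_data + b"\x00" * _pad4(len(auth_data)))


def parse_x11_setup(packet):
    """Decode a setup request; return None if it is truncated or malformed."""
    if len(packet) < 12:
        return None
    if packet[0:1] == b"B":
        fmt = ">"
    elif packet[0:1] == b"l":
        fmt = "<"
    else:
        return None                               # not an X11 setup request at all
    major, minor, n, d = struct.unpack(fmt + "HHHH", packet[2:10])
    name_off = 12
    data_off = name_off + n + _pad4(n)
    end = data_off + d + _pad4(d)
    if len(packet) < end:
        return None                               # lengths claim more bytes than present
    return X11Setup(fmt, major, minor,
                    packet[name_off:name_off + n],
                    packet[data_off:data_off + d], end)


def substitute_auth(packet, fake_cookie, real_cookie):
    """Local-client side of the forward: accept only the fake cookie, swap in the real one.

    Returns the rewritten packet destined for the real X server, or None when
    the connection must be refused (wrong cookie, other auth protocol, bad packet).
    """
    setup = parse_x11_setup(packet)
    if setup is None or setup.auth_name != MIT_MAGIC_COOKIE_1:
        return None
    # Constant-time comparison: the fake cookie is the only credential a remote
    # program ever sees, so this check is the access control for the display.
    if not hmac.compare_digest(setup.auth_data, fake_cookie):
        return None
    rebuilt = build_x11_setup(MIT_MAGIC_COOKIE_1, real_cookie,
                              packet[0:1], setup.major, setup.minor)
    return rebuilt + packet[setup.end:]           # keep any request bytes that followed


if __name__ == "__main__":
    # Constructed sample cookies (16 bytes each, like MIT-MAGIC-COOKIE-1 data).
    fake, real = bytes(range(16)), bytes(range(16, 32))
    forwarded = build_x11_setup(MIT_MAGIC_COOKIE_1, fake)
    print("accepted" if substitute_auth(forwarded, fake, real) else "refused")
```

A connection that arrives with a mismatched cookie, an unknown authorization protocol, or a packet whose declared lengths exceed what was received is refused by returning None rather than being passed to the X server with the real credentials.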

It is possible to enable conventional .rhosts and /etc/hosts.equiv
authentication (without host authentication) at compile time by giving
the option --with-rhosts to configure. However, this is not
recommended, and is not done by default.

These weaknesses are present in rsh and rlogin. No improvement in
security will be obtained unless rlogin and rsh are completely
disabled (commented out in /etc/inetd.conf). This is highly
recommended.


WEAKEST LINKS IN SECURITY

One should understand that while this software may provide
cryptographically secure communications, it may be easy to
monitor the communications at their endpoints.

Basically, anyone with root access on the local machine on which you
are running the software may be able to do anything. Anyone with root
access on the server machine may be able to monitor your
communications, and a very talented root user might even be able to
send his/her own requests to your authentication agent.

One should also be aware that computers send out electromagnetic
radiation that can sometimes be picked up hundreds of meters away.
Your keyboard is particularly easy to listen to. The image on your
monitor might also be seen on another monitor in a van parked behind
your house.

Beware that unwanted visitors might come to your home or office and
use your machine while you are away. They might also make
modifications or install bugs in your hardware or software.

Beware that the most effective way for someone to decrypt your data
may be with a rubber hose.


LEGAL ISSUES

As far as I am concerned, anyone is permitted to use this software
freely. However, see the file COPYING for detailed copying,
licensing, and distribution information.

In some countries, particularly France, Russia, Iraq, and Pakistan,
it may be illegal to use any encryption at all without a special
permit, and the rumor has it that you cannot get a permit for any
strong encryption.

This software may be freely imported into the United States; however,
the United States Government may consider re-exporting it a criminal
offence.

Note that any information and cryptographic algorithms used in this
software are publicly available on the Internet and at any major
bookstore, scientific library, or patent office worldwide.

THERE IS NO WARRANTY FOR THIS PROGRAM. Please consult the file
COPYING for more information.


MAILING LISTS AND OTHER INFORMATION

There is a mailing list for ossh. It is ossh@sics.se. If you would
like to join, send a message to majordomo@sics.se with "subscribe
ssh" in the body.

The WWW home page for ssh is http://www.cs.hut.fi/ssh. It contains an
archive of the mailing list, and detailed information about new
releases, mailing lists, and other relevant issues.

Bug reports should be sent to ossh-bugs@sics.se.


ABOUT THE AUTHOR

This software was written by Tatu Ylonen <ylo@cs.hut.fi>. I work as a
researcher at Helsinki University of Technology, Finland. For more
information, see http://www.cs.hut.fi/~ylo/. My PGP public key is
available via finger from ylo@cs.hut.fi and from the key servers. I
prefer PGP encrypted mail.

The author can be contacted via ordinary mail at
  Tatu Ylonen
  Helsinki University of Technology
  Otakaari 1
  FIN-02150 ESPOO
  Finland

  Fax. +358-0-4513293


ACKNOWLEDGEMENTS

I thank Tero Kivinen, Timo Rinne, Janne Snabb, and Heikki Suonsivu for
their help and comments in the design, implementation and porting of
this software. I also thank numerous contributors, including but not
limited to Walker Aumann, Jurgen Botz, Hans-Werner Braun, Stephane
Bortzmeyer, Adrian Colley, Michael Cooper, David Dombek, Jerome
Etienne, Bill Fithen, Mark Fullmer, Bert Gijsbers, Andreas Gustafsson,
Michael Henits, Steve Johnson, Thomas Koenig, Felix Leitner, Gunnar
Lindberg, Andrew Macpherson, Marc Martinec, Paul Mauvais, Donald
McKillican, Leon Mlakar, Robert Muchsel, Mark Treacy, Bryan
O'Sullivan, Mikael Suokas, Ollivier Robert, Jakob Schlyter, Tomasz
Surmacz, Alvar Vinacua, Petri Virkkula, Michael Warfield, and
Cristophe Wolfhugel.

Thanks also go to Philip Zimmermann, whose PGP software and the
associated legal battle provided inspiration, motivation, and many
useful techniques, and to Bruce Schneier whose book Applied
Cryptography has done a great service in widely distributing knowledge
about cryptographic methods.


Copyright (c) 1995 Tatu Ylonen, Espoo, Finland.