OpenSSH is the implementation of the SSH protocol. OpenSSH is recommended for remote login, making backups, remote file transfer via scp or sftp, and much more. SSH is ideal for keeping the confidentiality and integrity of data exchanged between two networks and systems. However, the main advantage is server authentication through the use of public key cryptography. From time to time there are rumors about an OpenSSH zero-day exploit. Here are a few things you need to tweak in order to improve OpenSSH server security.
TELNET (TELecommunication NETwork) is a network protocol used on the Internet or local area network (LAN) connections. It was developed in the late 60s with RFC 15. Telnet is a pretty old way of logging into a remote system and it has serious security problems. Most admins will recommend using OpenSSH (secure shell) for all remote activities. But you may find users who still demand telnet over ssh because they are comfortable with Telnet. Some users have scripts written in the 90s and they don’t want to change them. So what do you do when users demand telnet?
Last week one or more of Red Hat’s servers got cracked. Now, it has been revealed that both Fedora and Red Hat servers have been compromised. As a result Fedora is changing their package signing key. The intruder was able to sign a small number of OpenSSH packages relating only to Red Hat Enterprise Linux 4 (i386 and x86_64 architectures only) and Red Hat Enterprise Linux 5 (x86_64 architecture only). This update has been rated as having critical security impact.
OpenSSH server and client version 5.1 has just been released and is available for download.
One of the most popular remote server management services has just released a security-fix version. This version avoids possible hijacking of X11-forwarded connections by refusing to listen on a port unless all address families bind successfully. You can download the OpenSSH server from the official project web site or wait for your distro to release an updated version.
For regular user accounts, a properly configured chroot jail is a rock-solid security system. I’ve already written about chrooting sftp sessions using rssh. According to the OpenBSD Journal, OpenSSH devs Damien Miller and Markus Friedl have recently added a chroot security feature to OpenSSH itself:
Unfortunately, setting up a chroot(2) environment is complicated, fragile and annoying to maintain. The most frequent reason our users have given when asking for chroot support in sshd is so they can set up file servers that limit semi-trusted users to be able to access certain files only. Because of this, we have made this particular case very easy to configure.
This commit adds a chroot(2) facility to sshd, controlled by a new sshd_config(5) option “ChrootDirectory”. This can be used to “jail” users into a limited view of the filesystem, such as their home directory, rather than letting them see the full filesystem.
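As an added example (not code from the OpenSSH project or from the original post), the script below reproduces the rule sshd applies before honouring a ChrootDirectory: the jail and every parent directory must be owned by root and must not be writable by group or others. A violation anywhere on the path is the usual reason a freshly configured jail refuses logins. The /srv/sftp layout and the sftponly group in the comment are assumptions.

```python
import os
import stat

# Assumed sshd_config fragment this check accompanies (per-user jail under /srv/sftp):
#   Subsystem sftp internal-sftp
#   Match Group sftponly
#       ChrootDirectory /srv/sftp/%u
#       ForceCommand internal-sftp
#       AllowTcpForwarding no
#       X11Forwarding no

ROOT_UID = 0


def path_components(path):
    """Return every prefix of an absolute path: /, /srv, /srv/sftp, ..."""
    path = os.path.normpath(path)
    if not path.startswith("/"):
        raise ValueError("ChrootDirectory must be an absolute path")
    prefixes = ["/"]
    for part in [p for p in path.split("/") if p]:
        prefixes.append(os.path.join(prefixes[-1], part))
    return prefixes


def chroot_problems(entries, root_uid=ROOT_UID):
    """entries: (path, uid, st_mode) for each prefix, root first.
    Returns the reasons sshd would reject this ChrootDirectory."""
    problems = []
    for path, uid, mode in entries:
        if not stat.S_ISDIR(mode):
            problems.append(f"{path}: not a directory")
        if uid != root_uid:
            problems.append(f"{path}: owned by uid {uid}, must be root")
        if mode & (stat.S_IWGRP | stat.S_IWOTH):
            problems.append(f"{path}: writable by group or others")
    return problems


def check_chroot_directory(path):
    """Stat the real filesystem and report why sshd would refuse `path`."""
    entries = []
    for prefix in path_components(path):
        st = os.lstat(prefix)
        entries.append((prefix, st.st_uid, st.st_mode))
    return chroot_problems(entries)


if __name__ == "__main__":
    import sys
    print("\n".join(check_chroot_directory(sys.argv[1])) or "ok")
```

Run it as `python3 check_chroot.py /srv/sftp/alice` on the server; an empty result means the path passes the ownership and mode checks.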
OpenSSH is the most prominent implementation of the SSH protocol. I can’t imagine my life without OpenSSH. Almost all of my devices / servers / network equipment such as routers and tiny embedded devices have OpenSSH these days.
From OpenBSD journal:
Eight years ago today, Sept 26 1999, Theo de Raadt committed the initial source code for OpenSSH to the OpenBSD repository. The code was a fork of Björn Grönvall’s OSSH, which was derived from an early version of the increasingly “less free” ssh from Tatu Ylönen.
ControlMaster is a new feature in OpenSSH v4.x that allows it to reuse an existing connection to a remote host when opening new connections to that host.
“Using this feature you can increase performance, as it results in reduced connection times. The reduced connection times that the ControlMaster feature provides are particularly nice when you’re using tools that open multiple SSH connections to do work on a remote server…”
On a related note, here’s a short guide on reusing existing OpenSSH v4 connections written by steve.