<!doctype html>
<html lang=en>
<meta charset=utf-8>
<title>OpenSSH: Goals</title>
<meta name="description" content="the OpenSSH project goals page">
<meta name="viewport" content="width=device-width, initial-scale=1">
<link rel="canonical" href="https://www.openssh.com/goals.html">
<link rel="stylesheet" type="text/css" href="openbsd.css">
<h2 id=OpenBSD>
<a href="/">
<i>Open</i><b>SSH</b></a>
Goals
</h2>
<hr>
<p>
Our goal is simple: Since telnet and rlogin are insecure, all
operating systems should ship with support for the SSH protocol
included.
<p>
The SSH protocol is available in two incompatible varieties:
SSH 1 and SSH 2.
<p>
The older SSH 1 protocol comes in two major sub-variants: protocol 1.3 and
protocol 1.5. Support for both has been removed from OpenSSH
as of the <a href="txt/release-7.6">7.6 release</a>.
Both used the asymmetric cryptography algorithm
<a href="https://man.openbsd.org/RSA_generate_key">RSA</a>
(for which the USA patent has expired, allowing full use by everyone)
for key negotiation and authentication, and 3DES and
<a href="https://man.openbsd.org/blowfish">Blowfish</a> for privacy.
They used a simple CRC for data integrity, which turned out to be flawed.
<p>
The second major variety of SSH is the SSH 2 protocol. SSH 2 was
invented to avoid the patent issues regarding RSA (patent issues which
no longer apply, since the patent has expired), to fix the CRC data
integrity problem that SSH 1 has, and for a number of other technical
reasons. By requiring only the asymmetric
<a href="https://man.openbsd.org/DSA_generate_key">DSA</a>
and
<a href="https://man.openbsd.org/DH_generate_key">DH</a>
algorithms, protocol 2 avoids all patents.
The CRC problem is also solved by using a real
<a href="https://man.openbsd.org/HMAC">HMAC</a>
algorithm.
The SSH 2 protocol supports many other choices for symmetric and asymmetric
ciphers, as well as many other new features.
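<p>
Added example, not part of the original page or of OpenSSH's code: a short
Python illustration of why a CRC cannot stand in for a keyed HMAC as an
integrity check. It shows the general linearity of CRC-32, not the SSH 1
packet format; the sample message, key, helper names and the choice of
HMAC-SHA-256 are assumptions made for the illustration.

```python
import hashlib
import hmac
import zlib


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def crc_delta(mask: bytes) -> int:
    # CRC-32 is affine over GF(2): for equal-length inputs,
    # crc(m ^ mask) == crc(m) ^ crc(mask) ^ crc(all-zero bytes).
    return zlib.crc32(mask) ^ zlib.crc32(bytes(len(mask)))


def apply_mask(msg: bytes, crc: int, mask: bytes) -> tuple[bytes, int]:
    # The CRC is corrected from the mask alone: no key is involved and
    # the message content does not need to be known.
    return xor_bytes(msg, mask), crc ^ crc_delta(mask)


def hmac_tag(key: bytes, msg: bytes) -> bytes:
    # HMAC-SHA-256 is an assumption of this example.
    return hmac.new(key, msg, hashlib.sha256).digest()


def verify_crc(msg: bytes, crc: int) -> bool:
    return zlib.crc32(msg) == crc


def verify_hmac(key: bytes, msg: bytes, tag: bytes) -> bool:
    return hmac.compare_digest(hmac_tag(key, msg), tag)


def demo() -> dict:
    key = b"constructed-demo-key"   # constructed sample values
    msg = b"pay 0100 to alice"
    mask = bytearray(len(msg))
    mask[4] = 0x09                  # '0' (0x30) xor 0x09 == '9' (0x39)
    changed, fixed_crc = apply_mask(msg, zlib.crc32(msg), bytes(mask))
    return {
        "changed": changed,
        "crc_accepts_changed": verify_crc(changed, fixed_crc),
        "hmac_accepts_original": verify_hmac(key, msg, hmac_tag(key, msg)),
        "hmac_accepts_changed": verify_hmac(key, changed, hmac_tag(key, msg)),
    }


if __name__ == "__main__":
    print(demo())
```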
<p>
OpenSSH relies on the <a href="https://www.libressl.org">LibreSSL</a>
library for some of its cryptographic routines, AES-GCM being one example.
<p>
Continuing that trend, the OpenBSD project members who worked on
OpenSSH pushed to support the SSH 2 protocol as well. This
work was primarily done by Markus Friedl. Around May 4, 2000, the
SSH 2 protocol support was implemented sufficiently to be usable.