Overview – SOE Openssh Dec 2013.

What is SOE Openssh?
- It’s a FREE version of the SSH connectivity tools.
- Provides secure tunneling capabilities and several authentication methods, and supports all SSH protocol versions.
- An Open Source replacement for both SSH and everything SSH can replace.
- Implements v2 of the SSH protocol.
- The SSH protocol encrypts all traffic between machines.
- Telnet does not encrypt any information; passwords and account IDs are passed in the clear.
- OpenSSH can be used as a replacement for telnet, rlogin, rsh, rcp, ftp, X11.

What Security does SOE Openssh provide?
- Data Privacy through Encryption
- Data Integrity to guarantee unaltered communications
- Authentication of users and servers
- Authorisation of user actions
- Forwarding to protect other TCP/IP based applications
- Secure X11 sessions

How does OpenSSH differ from SSH?
- OpenSSH is Open Source.
- OpenSSH has an active user community for support.
- SSH offers commercial support contracts.
- SSH has recently revised their license to allow for more free use on Linux and BSD platforms.
- SSH is a commercial product with all the pros and cons associated with that.
- An Open Source product can become an integral part of your security planning.

SOE OpenSSH Composition
- Openssh-6.3p1 - Secure shell component
- OpenSSL-1.0.1e - Cryptography toolkit that implements the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols
- Zlib-1.2.3 - Compression library that provides in-memory compression and decompression functions
- Prngd-0.9.29 - Random number generator daemon for systems that lack the /dev/random device

SOE OpenSSH Examples
- Remote host login
    $ /opt/soe/local/bin/ssh hostx
- File transfer
    $ /opt/soe/local/bin/scp /etc/hosts hostx:/hosts.sourcehost
- Non-interactive file transfer without passphrase
  Generate and distribute a public key
    $ /opt/soe/local/bin/ssh-keygen -t rsa -N ""
  Copy the public key
    $ /opt/soe/local/bin/scp ~/.ssh/id_rsa.pub hostx:~/.ssh/authorized_keys2
    $ /opt/soe/local/bin/scp /etc/hosts hostx:~/hosts.sourcehost
- Compression test
    $ /opt/soe/local/bin/ssh -l userx -C hostx
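The "Copy the public key" step above replaces the remote authorized_keys2 file, so any keys already installed there are lost, and a key generated with -N "" is usable by anyone who obtains the file. The following is an added example, not part of the original slides: it appends a key idempotently with the permissions sshd expects and optionally prefixes authorized_keys options. The helper name install_pubkey, the authorized_keys file name and the sample paths are assumptions.

```sh
#!/bin/sh
# Added example (not from the slides). install_pubkey is a hypothetical helper.
# It appends one public key to <home>/.ssh/authorized_keys instead of replacing
# the file, so keys that are already installed survive. The slide's scp command
# writes authorized_keys2; the file name used here is an assumption.
# usage: install_pubkey <pubkey-file> <home-dir> ['<authorized_keys options>']
install_pubkey() {
    pub=$1; home=$2; opts=${3:-}
    [ -r "$pub" ] || return 2
    # Accept exactly one line that starts with a known public key type.
    [ "$(grep -c '' "$pub")" -eq 1 ] || return 3
    key=$(cat "$pub")
    case $key in
        ssh-rsa\ *|ssh-dss\ *|ecdsa-sha2-*\ *) ;;
        *) return 3 ;;
    esac
    blob=$(printf '%s\n' "$key" | awk '{ print $2 }')
    [ -n "$blob" ] || return 3
    dir=$home/.ssh; file=$dir/authorized_keys
    # sshd's StrictModes check rejects group- or world-writable key files.
    mkdir -p "$dir" && chmod 700 "$dir" || return 1
    touch "$file" && chmod 600 "$file" || return 1
    # Idempotent: skip the append when this key blob is already present.
    if grep -qF -- "$blob" "$file"; then return 0; fi
    # Options such as from="..." limit where a passphrase-less key is usable.
    printf '%s\n' "${opts:+$opts }$key" >> "$file"
}
```

On the target host this would be run as the account owner, for example with the public key file copied to a temporary location first and the home directory passed as the second argument.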

SOE OpenSSH Supported OS

Operating System   Version                        Architecture
Sun                Solaris 8                      Sun Sparc
                   Solaris 9
                   Solaris 10                     Sun Sparc/x86-64 Architecture
                   Solaris 11
HP-UX              HP-UX11i                       HP PA-RISC
                   HP-UX11i V2 (11.23)            HP PA-RISC/ HP Itanium
                   HP-UX11i V3 (11.31)
AIX                AIX 5.3                        IBM pSeries
                   AIX 6.1
                   AIX 7.1
Linux              RHEL Server 5.x                x86-64 Architecture
                   RHEL Server 6.x
                   RHEL Workstation 6.x
                   Suse 10
                   Suse 11
                   Cent OS 5.x (5.5 onwards)
                   Cent OS 6.x
                   Oracle Enterprise Linux 5.x
                   Oracle Enterprise Linux 6.x
Zlinux             Zlinux 6.x

UnixSOE Openssh 6.3p1 – What is New?

New features
- sshd(8): add ssh-agent(1) support to sshd(8); allows encrypted hostkeys, or hostkeys on smartcards.
- ssh(1)/sshd(8): allow optional time-based rekeying via a second argument to the existing RekeyLimit option. RekeyLimit is now supported in sshd_config as well as on the client.
- sshd(8): standardise logging of information during user authentication. The presented key/cert and the remote username (if available) is now logged in the authentication success/failure message on the same log line as the local username, remote host/port and protocol in use. Certificates contents and the key fingerprint of the signing CA are logged too. Including all relevant information on a single line simplifies log analysis as it is no longer necessary to relate information scattered across multiple log entries.
- ssh(1): add the ability to query which ciphers, MAC algorithms, key types and key exchange methods are supported in the binary.
- ssh(1): support ProxyCommand=- to allow support cases where stdin and stdout already point to the proxy.
- ssh(1): allow IdentityFile=none
- ssh(1)/sshd(8): add -E option to ssh and sshd to append debugging logs to a specified file instead of stderr or syslog.
- sftp(1): add support for resuming partial downloads using the "reget" command and on the sftp commandline or on the "get" commandline using the "-a" (append) option.
- ssh(1): add an "IgnoreUnknown" configuration option to selectively suppress errors arising from unknown configuration directives.
- sshd(8): add support for submethods to be appended to required authentication methods listed via AuthenticationMethods.
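With the key, user, source and protocol on one authentication line, a per-line parser is enough for a basic audit. The following is an added example, not part of the original slides or of OpenSSH: it counts failures per source address and lists key fingerprints accepted for more than one local account. The sample log lines and fingerprints are constructed, and the exact line layout and the function names are assumptions; certificate lines, which carry extra fields, are not parsed.

```sh
#!/bin/sh
# Added example (not from the slides or from OpenSSH). The log lines are
# constructed, the fingerprints are placeholders, and the line layout is an
# assumption modelled on the single-line format described above.
sample_auth_log() {
cat <<'EOF'
Dec 10 09:14:02 hostx sshd[2101]: Accepted publickey for userx from 192.0.2.10 port 50122 ssh2: RSA aa:aa:aa:aa:aa:aa:aa:aa:aa:aa:aa:aa:aa:aa:aa:aa
Dec 10 09:15:40 hostx sshd[2140]: Failed publickey for userx from 198.51.100.7 port 40111 ssh2: RSA bb:bb:bb:bb:bb:bb:bb:bb:bb:bb:bb:bb:bb:bb:bb:bb
Dec 10 09:15:41 hostx sshd[2140]: Failed password for userx from 198.51.100.7 port 40111 ssh2
Dec 10 09:15:44 hostx sshd[2140]: Failed password for invalid user admin from 198.51.100.7 port 40111 ssh2
Dec 10 09:18:30 hostx sshd[2188]: Failed password for root from 203.0.113.9 port 3022 ssh2
Dec 10 09:20:00 hostx sshd[2201]: Accepted publickey for root from 192.0.2.10 port 50130 ssh2: RSA aa:aa:aa:aa:aa:aa:aa:aa:aa:aa:aa:aa:aa:aa:aa:aa
Dec 10 09:21:00 hostx sshd[2230]: Accepted password for userx from 192.0.2.44 port 50200 ssh2
EOF
}

# stdin: syslog lines; stdout: result, method, user, source, key (tab-separated)
parse_auth() {
    awk -v OFS='\t' '
    / sshd\[[0-9]+\]: (Accepted|Failed) [^ ]+ for / {
        for (i = 1; i <= NF; i++) if ($i ~ /^sshd\[/) break
        # The user name is supplied by the client, so locate the trailing
        # "from <addr> port <n> ssh2" group starting from the right-hand side.
        for (f = NF - 4; f > i; f--)
            if ($f == "from" && $(f+2) == "port" && $(f+4) ~ /^ssh2:?$/) break
        if (f <= i) next
        u = i + 4; if ($u == "invalid" && $(u+1) == "user") u += 2
        user = $u; for (j = u + 1; j < f; j++) user = user " " $j
        key = ($(f+4) == "ssh2:") ? $(f+5) " " $(f+6) : "-"
        print $(i+1), $(i+2), user, $(f+1), key
    }'
}

# Failed attempts per source address as "<count> <addr>", busiest first.
failed_by_source() {
    parse_auth | awk -F'\t' '$1 == "Failed" { n[$4]++ }
        END { for (a in n) print n[a], a }' | sort -rn
}

# Key fingerprints that were accepted for more than one local account.
shared_keys() {
    parse_auth | awk -F'\t' '
        $1 == "Accepted" && $5 != "-" && !seen[$5 SUBSEP $3]++ {
            users[$5] = users[$5] (users[$5] ? "," : "") $3; c[$5]++ }
        END { for (k in c) if (c[k] > 1) print k, users[k] }'
}
```

Each function reads log lines on standard input, so `sample_auth_log | shared_keys` runs the audit on the constructed sample.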

UnixSOE Openssh 6.3p1 – What is New (Contd.)?

Bug Fixes
- sshd(8): fix refusal to accept certificate if a key of a different type to the CA key appeared in authorized_keys before the CA key.
- ssh(1)/ssh-agent(1)/sshd(8): use a monotonic time source for timers so that things like keepalives and rekeying will work properly over clock steps.
- sftp(1): update progressmeter when data is acknowledged, not when it's sent. bz#2108
- ssh(1)/ssh-keygen(1): improve error messages when the current user does not exist in /etc/passwd; bz#2125
- ssh(1): reset the order in which public keys are tried after partial authentication success.
- ssh-agent(1): clean up socket files after SIGINT when in debug mode; bz#2120
- ssh(1) and others: avoid confusing error messages in the case of broken system resolver configurations; bz#2122
- ssh(1): set TCP nodelay for connections started with -N; bz#2124
- ssh(1): correct manual for permission requirements on ~/.ssh/config; bz#2078
- ssh(1): fix ControlPersist timeout not triggering in cases where TCP connections have hung. bz#1917
- ssh(1): properly detach a ControlPersist master from its controlling terminal.
- sftp(1): avoid crashes in libedit when it has been compiled with multi-byte character support. bz#1990
- sshd(8): when running sshd -D, close stderr unless we have explicitly requested logging to stderr. bz#1976
- ssh(1): fix incomplete bzero; bz#2100
- sshd(8): log an error and exit if ChrootDirectory is specified and running without root privileges.
- Many improvements to the regression test suite. In particular log files are now saved from ssh and sshd after failures.
- Fix a number of memory leaks. bz#1967 bz#2096 and others
- sshd(8): fix public key authentication when a :style is appended to the requested username.
- ssh(1): do not fatally exit when attempting to cleanup multiplexing-created channels that are incompletely opened. bz#2079

Solution Pack Unix SOE & TI Services
Questions & Feedback
Product Support Helpline: unixsoe@csc.com