Recently, a security flaw was discovered in OpenSSH. The double-free bug can result in memory being returned to the operating system for reuse, but then handed back again by another part of the program, leading to subtle bugs and potential exploits. The bug was found in a function called compat_kex_proposal() used to determine the key exchange algorithm during connection setup. The bug has been fixed, but it serves as a reminder to regularly check for security flaws in software, especially in the case of remote access tools that handle sensitive data.
OpenBSD is a free and open-source operating system inspired by the Berkeley Software Distribution (BSD) system. It is renowned for its stringent focus on security and privacy and its transparent source code. OpenBSD is equipped with several cryptographic tools, and its development process emphasizes security auditing and accurate coding.
OpenSSH: The History
The OS is best known for its remote access tool, OpenSSH. Developed in the late 1990s, OpenSSH is the OpenBSD implementation of the Secure Shell (SSH) protocol, which is used for secure remote access to network services and executing remote commands. SSH creates an encrypted communication channel between two hosts in an insecure network, making it a popular tool for remote login and command execution, as well as tunneling and forwarding TCP ports and X11 connections. There are two versions of the SSH protocol: SSH-1 and SSH-2, as defined in its protocol specification.
Tatu Ylönen, a computer scientist from Finland, created the SSH protocol in the mid-1990s as a secure alternative to the Telnet protocol. Telnet was simple and effective, but it lacked encryption, making it easy for hackers to intercept and modify the commands and data transmitted over the network. SSH added encryption and authentication to Telnet-like sessions, creating a secure shell. The OpenBSD team developed OpenSSH as a free and open-source protocol implementation, free of licensing and commercial issues.
OpenSSH is widely used today and is the default SSH implementation for many Linux distributions. It is now officially supported by Microsoft for Windows as both a client and server component. Other popular SSH implementations include libssh2, Dropbear, and PuTTY, each serving different purposes, such as providing SSH support for developers, a minimal SSH server for IoT devices, and a collection of SSH tools for Windows.
In conclusion, OpenBSD and OpenSSH are vital players in the secure remote access world and have greatly impacted how sysadmins work and communicate with remote servers. The focus on security and the commitment to creating a reliable and open-source implementation of the SSH protocol has made OpenSSH a trusted tool used globally.