1. Community: Security
   1. Announcements
   2. News
   3. Blogs
   4. Discussions
   5. Community Projects
      1. Pluggable Authentication Module
      2. Trusted Extensions
         1. History
         2. Trusted Extensions Developer Guide
         3. Installing the Solaris Trusted Extensions Software on a Laptop Computer
         4. Experimental Java Classes for Trusted Extensions Labeling APIs
      3. Secure By Default
         1. Secure by Default Design
      4. Privilege Debugging
      5. RBAC - Role Based Access Control
      6. Auditing
      7. Basic File Privs
      8. Kerberos
      9. Java
      10. SSH
      11. Cryptographic Framework
   6. Library
      1. HOWTO Documents
         1. Privilege Bracketing
      2. Username length
   7. Presentations
   8. Events
   9. Leaders
   10. Observers
   11. Files
   12. Contributor Grants

Solaris Secure Shell (SunSSH)

SunSSH is a program for logging into a remote machine and for executing commands on a remote machine. It's based on OpenSSH and it is intended to replace unsecured rlogin and rsh, and to provide secure encrypted communications between two untrusted hosts over an insecure network. X11 connections and arbitrary TCP/IP ports can also be forwarded over the secure channel.

X.509v3 support for SunSSH design document.

Contents

History of SunSSH
Security
Current development
Future plans
Developing SunSSH
Patches
Useful links
Documentation
Community

History of SunSSH

SunSSH was integrated into Solaris in 2001 as PSARC/2001/212 project and we have these versions so far:

• 1.0 - initial version which was based on OpenSSH 2.3 and integrated into Solaris 9
• 1.0.1 - backport of SSH_BUG_EXTEOF compatibility flag from OpenSSH (S9 only).
• 1.1 - our changes and fixes were reapplied and some new code added using OpenSSH 3.5p1 as a base version. This version was integrated into Solaris 10 from its beginning.
• 1.2 - SSH_OLD_FORWARD_ADDR compatibility flag resynced from OpenSSH and integrated into Nevada build 77.

From then we occasionally resync individual features and fixes and add new code.

You can also use 1.1 version on Solaris 9 through 6176256 S9 ssh backporting project, see patches section on how to upgrade your SunSSH 1.0 to 1.1. Solaris 8 and below were not shipped with SunSSH. If you have such a version we suggest to use OpenSSH there.

SunSSH versus OpenSSH

These parts of SunSSH 1.2 are quite different from OpenSSH code:

• PAM
• GSS-API
• privilege separation implementation
• auditing code
• g11n (not present in OpenSSH)

Security

Since SunSSH is still in many parts very similar to OpenSSH code, we always examine every security vulnerability found in OpenSSH and if applicable to SunSSH, we fix it ASAP.

Current development

Active PSARC cases

Currently, there are no unfinished PSARC cases. We expect to file a case for X.509v3 support for SunSSH (6357779) soon.

Finished PSARC cases

• PSARC/2007/032 ssh disable banner (snv_73)
• PSARC/2007/033 sftp resync with OpenSSH (snv_75)
• PSARC/2004/505 ssh_config(4) option compatibility (snv_76)
• PSARC/2007/610 ssh(1) binding address for port forwarding (snv_77)
• PSARC/2007/034 ssh/sshd resync with OpenSSH (last RFE from this case integrated into snv_80)

Open RFE's

There are several significant RFE's (Request for enhancement) that are open:

• 6474758 make sftp(1) able to upload files from command line
• 6428469 enhance ssh logging (this is closed now but it will be reopened)
• 6480741 command line editing is desired for sftp(1)
• 6439383 resync connection sharing functionality
• 6467008 implement -l option in scp(1) for limiting bandwidth
• 6445288 ssh needs to be OpenSSL engine aware

Future plans

There are some of our future plans and ideas:

• replace OpenSSL API with PKCS#11 API. That way SunSSH could make use of Solaris Crypto Framework and it should be then easier to get FIPS-140-2 certification for SunSSH which is what some of our customers ask for. This one may replace 6445288.
• rewrite the code so that we have a true libssh library that could be used from other applications to make SSH connections.
• rewrite SSH debugging. OpenSSH debugging is intended more for developers then for ordinary users. It's true that SSH protocol is not simple at all but if we improve the debugging code so that more users can understand it when debugging their problem, the easier for them will be to use SunSSH.

Developing SunSSH

Bugs can be filed using solaris/ssh category. Source code tree is easily accessible through OpenSolaris source code browser.

Patches

This section is not too relevant to OpenSolaris project but we will include it here so that this information is listed together with other sections.

(while trying to keep the list of patches current please always make sure there is not a newer version of each patch. Patch list last updated: 2008-01-28)

For S10 apply these patches:

SPARC: 120011-14, 120011-14
x86: 120012-14, 120012-14

For S9, apply these patches to upgrade to SunSSH 1.1:

SPARC: 112908-31, 117177-02, 114356-12, 113273-19
x86: 114858-19, 117178-02, 114357-11, 115168-16

Useful links

• Recent SunSSH Enhancements in OpenSolaris -- presentation slides on what was done in SunSSH during 2007
• Using SunSSH with Kerberos Authentication
• How the SCP Protocol Works

Documentation

FAQ

You can participate and work with us on SunSSH FAQ.

Manual pages

• sshd(1M), ssh-keysign(1M)
• ssh(1), ssh-add(1), ssh-agent(1), ssh-http-proxy-connect(1), ssh-keygen(1), ssh-socks5-proxy-connect(1)
• sftp(1), scp(1)
• ssh_config(4), sshd_config(4)

docs.sun.com

• Using Solaris Secure Shell
• Solaris Secure Shell (Reference)

RFC's

There are more RFC's related to SSH protocol but these are the most important ones:

• 4250 The Secure Shell (SSH) Protocol Assigned Numbers
• 4251 The Secure Shell (SSH) Protocol Architecture
• 4252 The Secure Shell (SSH) Authentication Protocol
• 4253 The Secure Shell (SSH) Transport Layer Protocol
• 4254 The Secure Shell (SSH) Connection Protocol
• 4256 Generic Message Exchange Authentication for the Secure Shell Protocol (SSH)
• 4419 Diffie-Hellman Group Exchange for the Secure Shell (SSH) Transport Layer Protocol
• 4432 RSA Key Exchange for the Secure Shell (SSH) Transport Layer Protocol
• 4462 Generic Security Service Application Program Interface (GSS-API) Authentication and Key Exchange for the Secure Shell (SSH) Protocol
• 4344 The Secure Shell (SSH) Transport Layer Encryption Modes
  
  
• The SSH (Secure Shell) Remote Login Protocol, the initial SSH draft written by Tatu Ylonen on SSH Protocol 1.

Community

If you want to reach us, please use security-discuss mailing list, you can subscribe here. Any feedback, ideas or patches are welcome.