OpenSSH
このページは現在翻訳中です。 どなたか、原文と比較し、チェック、修正をお願いします。
OpenSSH (Open Secure Shell) は、 SSH プロトコルを使い、コンピューターネットワーク越しの 暗号化された 通信セッションを実現するためのプログラムの集合です。これは、プロプライエタリな Secure Shell ソフトウェアの代替となるオープンソースプログラムとして開発されました。プロジェクトは、Calgary, Alberta の Theo de Raadt が指揮しています。
目次
歴史
OpenSSH は、 今やプロプライエタリなソフトになってしまった SSH の代替ソフトウェアとして、 OpenBSD のチームによって開発されました。OpenSSH の開発者たちは、彼らがクリーンで監査されたコードを書くための採用しているポリシーと、名前の通り オープン であること (open source BSD ライセンスを採用している) ことにより、今や OpenSSH は オリジナルの SSH より安全であると主張しています。オリジナルの SSH もソースコードを入手することはできますが、その使用と配布にはさまざまな制限が課せられており、それにより多くのソフトウェア開発者にとってOpenSSHの方がより魅力あるプロジェクトになっています。
OpenSSH は OpenBSD 2.6. で初めて登場しました。 OpenSSH 4.3 は 2006年2月1日にリリースされました。 [1].
Trademark
In February of 2001, Tatu Ylönen, Chairman and CTO of SSH Communications Security informed the OpenSSH development mailing list, openssh-unix-dev@mindrot.org, that after speaking with key OpenSSH developers Markus Friedl, Theo de Raadt, and Niels Provos, the company would have to assert its ownership of the SSH and Secure Shell trademarks in order to protect them. Tatu also sought to change references to the protocol to SecSH or secsh, in order to maintain control of the name, he proposed having OpenSSH change it's name in order to avoid a lawsuit. Theo de Raadt refused outright to consider changing the project's name.
At the time, "SSH", "Secure Shell" and "ssh" were used in the documents proposing the protocol as an open standard and it was hypothosised by many that by doing so, without marking these within the proposal as registered trademarks, Tatu was relinquishing all exclusive rights to the name as a means of describing the protocol. This is because in the United States it is imperative that trademarks be used in advertising copy as adjectives, never as nouns or verbs. Improper use of a trademark, or allowing others to use a trademark incorrectly, results in the trademark becoming generic a generic term, like Kleenex or Aspirin, which opens the mark to use by others, via the public domain.
Also brought into question was if the name "ssh" was trademarked, or mearly the logo using the lower case letters "ssh", many online pundits believed the latter, after study of the USPTO trademark database and also bringing doubt to the validity of the claim was the 6 years between the company's creation and the point in time when it began defending its trademark from free alternatives such as OpenSSH, and that only OpenSSH was receiving these threats of legal repercussions.
Both developers of OpenSSH and Ylönen himself were members of the IETF workgroup developing the new standard, which after several meetings, denied Ylonen's request for a renaming of the protocol, citing concerns that it would set a bad precedent for other trademark claims against the IETF. The working group participants argued that both Secure Shell SSH were generic terms and that they could not be trademarks.
移植性
Partly because OpenSSH is required to perform authentication, a capability that has many varying implementations between different operating systems, it requires a substantial portability infrastructure. Rather than including this directly into OpenBSD and OpenSSH, it is developed seperately as an addition under the auspices of the OpenSSH Portability Team and released as what are known as "portable releases". This model is also used for other OpenBSD projects such as OpenNTPD.
含まれるプログラム
OpenSSH スイートには、以下のツールが含まれています。
ssh_user@example.com
scp user@example.com:~/somefile .
sftp user@example.com
- sshd, the SSH daemon:
sshd
セキュアなトンネル
Port forwarding
Most programs making use of TCP connections can be passed over a secure tunnel using OpenSSH. This is used to multiplex additional TCP connections over a single ssh connection. It is useful for concealing connections and encrypting protocols which are otherwise unsecured, and for circumventing firewalls. UDP connections may sometimes be tunnelled with the aid of programs such as netcat. Examples of easily tunnelled programs include the X Window System, http using a proxy and VNC. An X Window System tunnel is often created automatically between two Unix computers, so GUI programs from remote computers can be run simply by typing their names:
ssh -Y user@example.com password: $ xclock
In addition, some software can be set to automatically make use of OpenSSH to create a tunnel. Examples include DistCC, CVS, rsync, and fetchmail. Programs where tunneling is possible but complex are ftp, which can often be replaced with sftp in any case, and SMB. On some operating systems, remote filesystems can be mounted over ssh using shfs, lufs or podfuk.
SOCKS
OpenSSH is capable of creating an ad hoc SOCKS proxy server to support more flexible proxying than is possible with ordinary port forwarding. For example:
ssh -D1080 user@example.com
establishes a local SOCKS server that listens on "localhost:1080".
tun-based VPN
Beginning with version 4.3, OpenSSH implements an OSI layer 2/3 "tun"-based VPN. This is the most flexible of OpenSSH's tunnelling capabilities, allowing applications to transparently access remote network resources without "socksification."
Authentication
OpenSSH server can authenticate users using its built-in authentication systems:
- public key,
- keyboard-interactive (passwords and challenge-response), and
- Kerberos/GSSAPI.
In addition, OpenSSH can often make use of additional authentication methods available on its host operating system. This can include using the BSD authentication system (bsd_auth) or PAM to enable authentication through methods such as one time passwords.
An unfortunate side-effect of using PAM with OpenSSH is that it must be run as root when PAM support is enabled, as root privileges are typically required to operate PAM. OpenSSH versions after 3.7 allow the usage of PAM to be disabled at run-time, so regular users can run sshd instances.