Indexed source: http://www.ssh.com/ssh/openssh

What is OpenSSH?

SSH (Secure Shell) is a tool for secure system administration, file transfers, and other communication across the Internet or other untrusted networks. It encrypts identities, passwords, and transmitted data so that they cannot be eavesdropped on or stolen.

OpenSSH is an open-source implementation of the SSH protocol. It is based on the free version by Tatu Ylonen and further developed by the OpenBSD team and the user community.

Tatu Ylonen founded SSH Communications Security to provide commercial support for enterprises, and the original version evolved into Tectia SSH. The commercial version also supports Windows and IBM mainframe (z/OS) platforms and includes full support for X.509 certificates and smartcard authentication (for example the CAC and PIV cards used by the US government).

The open source version is delivered as source code or precompiled binaries under a BSD-style license. The project team provides no support services for end-users, but community-based support is available (on a voluntary basis) from various security web forums.

What is an SSH Key?

SSH provides an authentication mechanism based on cryptographic keys, called public key authentication. One or more public keys may be configured as authorized keys; the private key corresponding to an authorized key serves as authentication to the server. Typically both authorized keys and private keys are stored in the .ssh directory in a user's home directory. Fundamentally, such keys are like fancy passwords, except that the password cannot be stolen from the network and the private key can be encrypted locally (so that using it requires both a file and a passphrase known only to the user). However, in practice most keys are used for automation and do not have a passphrase.

The keys used for user authentication are called user keys. SSH also uses host keys for authenticating hosts. Together these are called SSH keys.

SSH keys replaced the insecure .rhosts authentication that was vulnerable to active network-level attacks. Replacing .rhosts improved the security of the Internet and enterprise information systems tremendously. However, the vast success of the SSH protocol combined with the fact that OpenSSH shipped free with most operating systems led to a lack of policies and oversight in relation to SSH keys. Consequently, auditors and IT security managers did not pay enough attention to SSH keys.

SSH keys provide the same level of access as user names and passwords, and typically to privileged accounts with operating system access. It is common that there are 10 times as many SSH keys as there are passwords. Yet SSH keys have been ignored in most identity and access management projects. They require the same kind of provisioning and termination processes and audit attention as passwords or any other authentication method.

What Risks Are Associated with SSH Keys?

SSH keys expose organizations to major security risks for a number of reasons:

Lack of provisioning, termination, and oversight processes and policies for SSH keys.

The number of existing legacy SSH keys seems to surprise everybody. In one customer case we found 3 million keys (750,000 distinct keypairs). In another case the customer found 4.5 million authorized keys. Most large enterprises seem to have at least hundreds of thousands of keys and don't know how many. Compromise of just one key is enough to gain illegitimate access.

Many keys are unused and represent access that was never properly terminated. In one typical major enterprise we have found that about 90% of all the SSH keys were not used during a six-month monitoring period.

Nobody knows who has the corresponding private keys. The keys can be kept offline.

SSH keys have typically never been changed. Like passwords, keys should be changed periodically (a key rotation period of six months is common).

SSH keys grant privileged access. In one typical major enterprise we found that 10% of all SSH keys granted root access.

Many recent malware packages have been collecting SSH keys.

SSH keys can be used to hide backdoors. Such backdoors are not likely to be ever discovered without SSH key management, and no-one can tell if it was a backdoor or a key that had been forgotten.

Given the vast number of keys, uncontrolled access graphs formed by the keys, and the fact that keys are used to copy data to disaster recovery sites and backup systems, they may be used to spread an attack throughout the server environment, including backup sites, in minutes in an automated fashion. This represents a major cyberwarfare and cyberterrorism threat.

Many publicized cybercrime incidents have involved rogue system administrators utilizing SSH keys and criminals outright buying SSH keys from insiders.

Improperly managed server (host) keys expose hosts to network-level man-in-the-middle attacks.

NIST Guidelines for SSH Key Management

NIST published guidelines in late 2015 for managing SSH keys for both automated and interactive access as NIST IR 7966. The NIST guidelines explain the problem and establish a framework for addressing SSH key management.

SSH Key Management

OpenSSH presents several special challenges for SSH key management:

Common lack of policies and provisioning/termination processes. Users are commonly allowed to self-provision keys for themselves (and anyone they like).

The proprietary certificates supported by OpenSSH make auditing SSH key-based access impossible. With them, you cannot tell which keys a server will accept by analyzing the server. Typically there are no reliable records or audits of which keys a certificate authority key has signed. We do not recommend the use of non-ephemeral OpenSSH certificates for user authentication.

Key locations are commonly configured in configuration files.

Some organizations use custom-compiled versions that have non-standard paths compiled in for specifying the location of SSH keys.

SSH keys may be stored in NFS (Network File System) volumes and a change may affect many hosts.

User accounts may come from Active Directory, NIS (Network Information Service), or LDAP (Lightweight Directory Access Protocol) servers.

Keys may be stored in LDAP.

SELinux is enabled in many common Linux distributions, and it may not be possible to directly read authorized_keys files.

Configuration file syntax and the meaning of certain options have changed many times between versions.

Options in authorized_keys files are important for understanding what access is provided and for restricting the use of stolen or copied keys using from= stanzas.
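The script below is an added example (not code from ssh.com, OpenSSH or this page) that shows what the authorized_keys options described above look like to an auditing tool, and what the key inventory and "unused or unrestricted key" checks from the risks section need at the file level. It parses each entry, including quoted option values such as from="10.0.0.0/8,192.168.1.1" and command="...", checks that the declared key type matches the type string inside the base64 blob, computes the same SHA256 fingerprint that `ssh-keygen -lf` prints (so the same key can be recognised across hosts and counted once), and flags keys that carry no from= restriction. The sample authorized_keys text and the 32 key bytes are constructed in-line and are not real key material.

```python
"""Audit an OpenSSH authorized_keys file: parse entry options, verify the
key blob, compute the ssh-keygen style SHA256 fingerprint and flag keys
without a from= restriction.  Added example; the key material below is
constructed for the demo and is not a real key."""
import base64
import hashlib
import struct

# Key types OpenSSH accepts as the first field of an entry (subset).
KEY_TYPES = {"ssh-ed25519", "ssh-rsa", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521",
             "sk-ssh-ed25519@openssh.com", "sk-ecdsa-sha2-nistp256@openssh.com"}


def ssh_string(data: bytes) -> bytes:
    """Length-prefixed string of the SSH wire format (RFC 4251, section 5)."""
    return struct.pack(">I", len(data)) + data


def read_ssh_string(blob: bytes, offset: int = 0) -> bytes:
    """Inverse of ssh_string: read one length-prefixed string at offset."""
    (n,) = struct.unpack_from(">I", blob, offset)
    return blob[offset + 4:offset + 4 + n]


def split_options(options: str) -> dict:
    """Split the comma-separated option field into a dict.  Commas inside
    double quotes belong to the value (from="10.0.0.0/8,192.168.1.1")."""
    out, cur, quoted = {}, [], False
    for ch in options + ",":
        if ch == '"':
            quoted = not quoted
            cur.append(ch)
        elif ch == "," and not quoted:
            item, cur = "".join(cur), []
            if item:
                name, _, value = item.partition("=")
                out[name] = value.strip('"') if value else True
        else:
            cur.append(ch)
    return out


def parse_line(line: str):
    """Parse one authorized_keys line; None for blank or comment lines."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    options = {}
    if line.split(None, 1)[0] not in KEY_TYPES:
        # Leading options field: it ends at the first whitespace outside quotes.
        i, quoted = 0, False
        while i < len(line) and (quoted or not line[i].isspace()):
            if line[i] == '"':
                quoted = not quoted
            i += 1
        options, line = split_options(line[:i]), line[i:].strip()
    parts = line.split(None, 2)
    if len(parts) < 2:
        return {"type": None, "fingerprint": None, "comment": "",
                "options": options, "error": "malformed entry"}
    ktype, b64 = parts[0], parts[1]
    entry = {"type": ktype, "fingerprint": None,
             "comment": parts[2] if len(parts) == 3 else "",
             "options": options, "error": None}
    try:
        blob = base64.b64decode(b64, validate=True)
        blob_type = read_ssh_string(blob).decode("ascii")
    except (ValueError, struct.error):
        entry["error"] = "undecodable key blob"
        return entry
    # ssh-keygen -lf prints SHA256 over the raw blob, base64 without padding.
    digest = hashlib.sha256(blob).digest()
    entry["fingerprint"] = "SHA256:" + base64.b64encode(digest).decode().rstrip("=")
    if blob_type != ktype:
        entry["error"] = f"declared {ktype} but blob is {blob_type}"
    return entry


def audit(text: str):
    """Return (entries, findings).  A finding is (line number, message) for
    malformed or mismatched entries and for keys without a from= restriction."""
    entries, findings = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        entry = parse_line(raw)
        if entry is None:
            continue
        entries.append(entry)
        if entry["error"]:
            findings.append((lineno, entry["error"]))
        elif "from" not in entry["options"]:
            who = entry["comment"] or "no comment"
            findings.append((lineno, f"{entry['fingerprint']} ({who}) has no from= restriction"))
    return entries, findings


# Constructed sample: 32 stand-in bytes wrapped in the ssh-ed25519 wire
# encoding (type string + key bytes).  Not a real key.
FAKE_BLOB_B64 = base64.b64encode(
    ssh_string(b"ssh-ed25519") + ssh_string(bytes(range(32)))).decode()

SAMPLE_AUTHORIZED_KEYS = f"""# constructed sample authorized_keys
from="10.0.0.0/8,192.168.1.1",command="/usr/bin/rrsync /backup",no-pty ssh-ed25519 {FAKE_BLOB_B64} backup@dr-site
ssh-ed25519 {FAKE_BLOB_B64} alice@laptop
ssh-rsa {FAKE_BLOB_B64} typo@host
restrict,no-port-forwarding ssh-ed25519 not-base64!! broken@host
"""

if __name__ == "__main__":
    for lineno, message in audit(SAMPLE_AUTHORIZED_KEYS)[1]:
        print(f"line {lineno}: {message}")
```

On the sample, the backup entry passes (it is pinned to source addresses and a forced command), the second entry is reported because it is the same key material reused without any from= restriction, the third is reported because its declared type does not match the blob, and the fourth because the blob does not decode. Because the fingerprint is computed the way `ssh-keygen -lf` computes it, the output can be joined with fingerprints collected from other hosts to count distinct key pairs rather than raw entries, which is the distinction the figures in the risks section draw.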

The only solution that is currently able to practically address the SSH key management problem with the full complexity of enterprise environments is Universal SSH Key Manager.

For more information on SSH key management and what it involves, please see the generic SSH key management page.

Information security starts by controlling who is given access to systems. The rest is just enforcing the access. If there is no knowledge of who has been given access using SSH keys, there is no security. No confidentiality, no integrity, no guarantee of continued operation.

Comparison to Tectia SSH

While the open source OpenSSH and commercial Tectia SSH implementations address the same underlying need for securing logins, communications, and file transfers to hosts, there are some differences in their approaches.

Organizations requiring commercial support, 24x7 support, or smartcard authentication may wish to check out Tectia SSH.

User Interface Considerations - Command Line or Graphical

Due to its history and heritage in the open source operating system community and its availability primarily on Linux/BSD, the default user interface to the OpenSSH functionality is the command line. The figure below presents a typical view of an OpenSSH client started from a Linux command line.

The users of the open source version are familiar with working in this environment, and the project team has not seen the need for graphical user interfaces that are the norm outside the system administration and certain software development market segments.

SSH client users that require graphical user interfaces have the option to use one of the commercial or non-commercial SSH client software packages, many of which provide a platform native GUI.

OpenSSH Download

OpenSSH is available for source code download at the project website as well as through various operating system and distribution-specific package management systems. Downloading and compiling the source code suits certain audiences (software developers and Linux distribution developers). End users are advised to acquire OpenSSH via the operating system specific package managers, or to consider a commercially supported product such as Tectia SSH.

The project accepts contributions to the project via the OpenBSD Foundation.

OpenSSH Client - ssh

The OpenSSH client program is called ssh. The SSH client generally uses information in the .ssh directory in the user's home directory. It also reads /etc/ssh/ssh_config, which contains system-wide configuration for it.

OpenSSH Server - sshd

The OpenSSH server program is called sshd. The server is typically started during boot and reads its configuration from the /etc/ssh directory. Its main configuration file is usually /etc/ssh/sshd_config.


© Copyright SSH 2025
