1.5. History of SSH
SSH1 and the SSH-1 protocol were developed in 1995 by Tatu Ylönen, a
researcher at the Helsinki University of Technology in Finland. After
his university network was the victim of a password-sniffing attack
earlier that year, Ylönen whipped up SSH1 for himself. When beta
versions started gaining attention, however, he realized that his
security product could be put to wider use.

In July 1995, SSH1 was released to the public as free
software with source code, permitting people to copy and use the
program without cost. By the end of the year, an estimated 20,000
users in 50 countries had adopted SSH1, and Ylönen was fending
off 150 email messages per day requesting support. In response,
Ylönen founded SSH Communications Security, Ltd. (SCS,
http://www.ssh.com/) in December
of 1995 to maintain, commercialize, and continue development of SSH.
Today he is chairman and chief technology officer of the company.

Also in 1995, Ylönen documented the SSH-1 protocol as an Internet
Engineering Task Force (IETF) Internet Draft, which essentially described the
operation of the SSH1 software after the fact. It was a somewhat ad
hoc protocol with a number of problems and limitations discovered as
the software grew in popularity. These problems couldn't be
fixed without losing backward compatibility, so in 1996, SCS
introduced a new, major version of the protocol, SSH 2.0 or SSH-2, that
incorporates new algorithms and is incompatible with SSH-1. In
response, the IETF formed a working group called SECSH (Secure Shell) to standardize the
protocol and guide its development in the public interest. The SECSH
working group submitted the first Internet Draft for the SSH-2.0
protocol in February 1997.

In 1998, SCS released the software product "SSH Secure Shell" (SSH2),
based on the superior SSH-2
protocol. However, SSH2 didn't replace SSH1 in the field, for
two reasons. First, SSH2 was missing a number of useful, practical
features and configuration options of SSH1. Second, SSH2 had a more
restrictive license. The original SSH1 had been freely available from Ylönen and
the Helsinki University of Technology. Newer versions of SSH1 from
SCS were still freely available for most uses, even in commercial
settings, as long as the software was not directly sold for profit or
offered as a service to customers. SSH2, on the other hand, was a
commercial product, allowing gratis use only for qualifying
educational and non-profit entities. As a result, when SSH2 first
appeared, most existing SSH1 users saw few advantages to SSH2 and
continued to use SSH1. As of this writing, three years after the
introduction of the SSH-2 protocol, SSH-1 is still the most widely
deployed version on the Internet, even though SSH-2 is a better and
more secure protocol.

This situation promises to change, however, as a result of two
developments: a loosening of the SSH2 license and the appearance of
free SSH-2 implementations. As this book went to press in late 2000,
SCS broadened the SSH2 license to permit free use by individual
contractors working for qualifying noncommercial entities. It also
extends free use to the Linux, NetBSD, FreeBSD, and OpenBSD operating
systems, in any context at all including a commercial one. At the
same time, OpenSSH (http://www.openssh.com/) is
gaining prominence as an SSH implementation, developed under the
auspices of the OpenBSD project (http://www.openbsd.org/) and
freely available under the OpenBSD license. Based on the last free
release of the original SSH, 1.2.12, OpenSSH has developed rapidly.
Though many people have contributed to it, OpenSSH is largely the
work of software developer Markus Friedl. It supports both SSH-1 and
SSH-2 in a single set of programs, whereas SSH1 and SSH2 have
separate executables, and the SSH-1 compatibility features in SSH2
require both products to be installed. While OpenSSH was developed
under OpenBSD, it has been ported successfully to Linux, Solaris,
AIX, and other operating systems, in tight synchronization with the
main releases. Although OpenSSH is relatively new and missing some
features present in SSH1 and SSH2, it is developing rapidly and
promises to be a major SSH flavor in the near future.

At press time, development of SSH1 has ceased except for important
bug fixes, while development of SSH2 and OpenSSH remains active.
Other SSH implementations abound, notably the commercial versions of
SSH1 and SSH2 maintained and sold by F-Secure Corporation, and numerous
ports and original products for the PC, Macintosh, Palm Pilot, and
other operating systems. [Section 13.3, "Table of Products"] It is estimated
there are over two million SSH users worldwide, including hundreds of
thousands of registered users of SCS products.

TIP: Sometimes we use the term "SSH1/SSH2 and their
derivatives." This refers to SCS's SSH1 and SSH2,
F-Secure SSH Server (Versions 1 and 2), OpenSSH, and any other ports
of the SSH1 or SSH2 code base for Unix or other operating systems.
The term doesn't encompass other SSH products (SecureCRT,
NiftyTelnet SSH, F-Secure's Windows and Macintosh clients,
etc.).