Daemon News Ezine
How SSH was freed

by Louis Bertrand, louis@bertrandtech.on.ca

OpenSSH developers free the popular secure communications package and steer clear of legal landmines.
"I bet a lot of people didn't know that ssh 1.2.12 had a nice license." With this teaser in a CVS commit message September 26, OpenSSH made its first public appearance. Throughout September and early October, a group of developers led by Theo de Raadt worked to eradicate a long-standing annoyance: the Secure Shell protocol was not supported in the default distribution of OpenBSD, an operating system famous for its commitment to strong cryptography. "I tried for over two years to find a way to integrate SSH into the OS", says de Raadt. "I asked everyone 'what is the first thing you do after installing OpenBSD?' Everyone gave me the same answer: they installed SSH".

OpenSSH is a free and reusable implementation of the SSH suite of network connectivity tools that increasing numbers of people on the Internet are coming to rely on. Many users of telnet, rlogin, ftp, and other such programs might not realize that their password is transmitted across the Internet unencrypted, but it is. OpenSSH encrypts all traffic (including passwords) to effectively eliminate eavesdropping, connection hijacking, and other network-level attacks.

The job of integrating SSH involved more than bringing the older code up to current standards. It also meant clearing the legal hurdles to free cryptography, namely government restrictions and patents. Most OpenBSD crypto developers live outside the US, thereby avoiding the well-known US government export prohibition. The exception was Niels Provos, a German citizen attending university in Michigan. Scrupulous to keep the work free of all restrictions, Niels crossed the border to Windsor, Ontario and set up shop in a local computer lab to commit code to the CVS repository in Calgary.

Avoiding the US export restrictions of cryptographic 'munitions' is only one part of the US legal quagmire surrounding OpenSSH, or any other package based on the RSA public key algorithm. RSA's patent hobbles the use of OpenSSH by commercial interests in the USA.
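The article's point about telnet, rlogin and ftp is that the credentials cross the wire in the clear, which is exactly why a monitoring team can spot them. The following is an added example (not code from the article or from the OpenSSH project) of a small detector that walks over client-to-server payloads, flags cleartext FTP and telnet logins, and recognizes an SSH session by its version banner. The session samples are constructed for the example; the password value itself is deliberately never recorded in a finding.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    port: int
    protocol: str
    username: str  # the secret itself is deliberately not recorded


# Constructed sample sessions (not real captures): client->server payloads
# keyed by destination port. 21 = ftp, 23 = telnet, 22 = ssh.
SAMPLE_SESSIONS = [
    {"port": 21, "payload": b"USER alice\r\nPASS s3cret\r\nLIST\r\n"},
    {"port": 23, "payload": b"login: bob\r\nPassword: pa55word\r\n"},
    {"port": 22, "payload": b"SSH-1.5-OpenSSH-1.2\r\n" + bytes(range(256))},
    {"port": 21, "payload": b"USER anonymous\r\nPASS guest@example.com\r\nQUIT\r\n"},
]

# FTP sends the login as two commands in the control channel, USER then PASS.
FTP_LOGIN_RE = re.compile(rb"USER (\S+)\r\n(?:.*\r\n)*?PASS \S+\r\n")
# A telnet login echoes the prompts and the typed answers in the clear.
TELNET_LOGIN_RE = re.compile(rb"login: (\S+)\r\n(?:.*\r\n)*?Password: \S+\r\n")


def is_ssh_session(payload: bytes) -> bool:
    """An SSH client opens with an identification string of the form SSH-x.y-..."""
    return payload.startswith(b"SSH-")


def scan_session(port: int, payload: bytes):
    """Return a Finding if the payload carries a cleartext login, else None."""
    if port == 21:
        match = FTP_LOGIN_RE.search(payload)
        if match:
            return Finding(port, "ftp", match.group(1).decode(errors="replace"))
    elif port == 23:
        match = TELNET_LOGIN_RE.search(payload)
        if match:
            return Finding(port, "telnet", match.group(1).decode(errors="replace"))
    # Port 22 traffic past the banner is ciphertext, so there is nothing to match.
    return None


def find_cleartext_credentials(sessions):
    """Scan every session and collect the cleartext logins found."""
    findings = []
    for session in sessions:
        finding = scan_session(session["port"], session["payload"])
        if finding is not None:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in find_cleartext_credentials(SAMPLE_SESSIONS):
        print(f"cleartext {f.protocol} login for user {f.username!r} on port {f.port}")
```

Run as a script it reports the two FTP logins and the telnet login; the SSH session produces nothing because only its banner is readable. In practice the payloads would come from a sensor or packet capture rather than the inline list, and the natural response to a finding is to retire the plaintext service in favour of SSH, as the article describes.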
Non-commercial users in the USA are able to use the RSAREF library. "With the free and reusable OpenSSH license, and the expiry of the RSA patent, we're going to see a flood of products with SSH built-in", says de Raadt. "Of course, US manufacturers won't be able to export those products. They're really cut off from the rest of the world". While the USA waits for the RSA patent to expire in September 2000, the rest of the world doesn't have to worry about it. OpenSSH links with the OpenSSL library, released under an Apache-style license.
Integrated into OpenBSD, ported to FreeBSD and Linux

The response from users and developers was quick and enthusiastic. Before the press release could be prepared, a brief post to the Daily Daemon News triggered the rumour mill, which led to a posting on the Linux Weekly News, and the inevitable posting to Slashdot. A quick look at the OpenSSH.com logs just before this article was written shows 15,000 visitors in 48 hours.

OpenSSH was first integrated into OpenBSD 2.6, released December 1, 1999. It was also promptly ported to FreeBSD and Linux, Solaris and other Unices. OS projects and distributions based in the USA currently do not integrate strong cryptography in their releases. OpenBSD uses a nifty system integration trick to release a single version of the CD-ROM for both the USA and the rest of the world.

SSH 1.2.12 was written by Tatu Ylönen and released under a free license. The current version, 1.2.27, is only free for non-commercial users. Earlier this year, Björn Grönvall re-discovered the earlier free release and started fixing bugs. His version of ssh is called OSSH.

OpenSSH was created by Aaron Campbell, Bob Beck, Markus Friedl, Niels Provos, Theo de Raadt, and Dug Song. As detailed in the OpenSSH history page, much of the early work involved removing GPL'd or non-portable code. The simpler source code also meant that bugs and security holes became easier to spot. Most of the recent work was put into adding security fixes and features so that OpenSSH was up to the same standards as the current version, SSH 1.2.27 and protocol 1.5, as used by many Windows clients. OpenSSH avoided the serious remote buffer overflow vulnerability reported last month in SSH 1.2.27.