FreSSH is a free implementation of the SSH communication protocol. It is compact, modular, portable, and designed for security and performance. It is a completely new implementation sharing no code with any other implementation of the SSH communication protocol. It is provided under a BSD-style license which permits redistribution in source or binary form. FreSSH currently implements SSH protocol version 1.5, with extensions which offer enhanced security when both sides of a connection are running FreSSH.

The FreSSH homepage is located at: http://www.fressh.org/

_________________________________________________________________

ANNOUNCEMENT: FreSSH Version 0.3.1 and 0.8.1 Updates

It was recently pointed out to us that, in the absence of a good random source provided by the operating system (e.g. /dev/random), FreSSH would use an unsafe method of generating seed data. Since all systems that we currently run on support a randomness device, FreSSH will now refuse to run if it cannot open or read from the device.

What is FreSSH?

FreSSH is an independent reimplementation of the SSH communication protocol. It is written in C and runs on Unix. Unlike various other SSH implementations for Unix, it does not trace its ancestry to the original SSH code written by Tatu Ylonen, nor to any other known SSH codebase. FreSSH is distributed under a Berkeley-style license which permits you to redistribute modified or unmodified source or binaries, so long as you give credit to the copyright holders.

We have always intended to publicly distribute FreSSH but have put off the release due to a desire to "get it right the first time". As very busy people with high standards and short attention spans, we never have quite seemed to get everything to the state of completion we would prefer. However, a recent increase in the number of inquiries about the code has brought us to the conclusion that we should do a public pre-release. And if we're going to do one, why not two? Two is better than one, right?

What's Available Now?

So, we're announcing the pre-release of versions 0.3 and 0.8 of FreSSH. Why these two versions?

Version 0.3 represents the last version of our original, server-only SSH protocol version 1 code. It is significantly smaller, simpler, and slightly faster than other SSH protocol version 1 implementations on the market and has a much more friendly memory footprint for small systems. We don't anticipate doing much, if any, future development on this code, but we realize that it may be useful to others and want to make it public.

The later version we're pre-releasing, version 0.8, is what we intend to clean up, enhance further (e.g. by filling in the current skeleton of protocol version 2 support) and release as FreSSH 1.0. Version 0.8 includes both a client and server for SSH protocol version 1.5, and some local protocol enhancements intended to work around various inherent problems of the 1.5 version of the SSH protocol. The code has been extensively restructured in preparation for multithreading and currently runs using separate send and receive processes for each session, which should enhance performance on multiprocessors. We hope to add both protocol version 2 support and real multithreading in full public releases, which we hope to accomplish in the reasonably near future.

Version 0.8 is still smaller and, we believe, simpler than other C implementations of the SSH protocol; where possible, we suggest that even those building small systems should use FreSSH version 0.8.

FreSSH is extremely modular; this enhances portability and allows the easy addition of new cryptosystems, or the removal of some of those we supply (such as to produce a smaller run-time image). We ship FreSSH with a cryptographic module that uses underlying functionality provided by the OpenSSL project's "libcrypto"; others have created alternate modules, such as one for the RSA BSAFE library. Adding a new cipher, if it is supported by OpenSSL, takes almost no time; writing an entire new cryptographic module takes well under a day.

Careful attention has been paid to performance issues; we believe FreSSH 0.8 to be the fastest implementation of the SSH protocol version 1 currently available.

To the extent of our knowledge, FreSSH does not suffer from any of the recently disclosed SSH server or client vulnerabilities. Our extensions to the SSH protocol version 1 also mitigate the impact of certain problems inherent to the protocol, such as the lack of a strong message authenticator and various poor choices of keying and cipher algorithms, if both the client and server are running FreSSH 0.8. However, because FreSSH is still very young software and performs security-critical functions, we recommend a careful examination of the source code before use, just as is good practice with any such software.

FreSSH strives to use underlying operating system functionality wherever possible; you will not find an entire /bin/login implementation inside FreSSH that you need to validate before you can be confident in its security. FreSSH strives to run with as few privileges as possible, and we believe that we have done better in this regard than many other SSH protocol implementations.

Thus, this pre-release. We know it's not entirely finished, and in some places not just unpolished but downright ugly. Nonetheless, it's been useful to us and we hope that it might be useful to you. Enjoy!

Who to Blame

FreSSH was originally written for RedBack Networks by Eric Haszlakiewicz and Thor Lancelot Simon. RedBack has generously given us permission to continue development and distribute the resulting code freely.

Since the completion of the original RedBack work (which was only a v1 server), development has proceeded sporadically with help from many other similarly busy people, notably Andrew Brown (who wrote an entire client "from scratch" and put up with endless kibitzing about how it should work) and Jason Thorpe (who made many portability and functionality enhancements, including IPv6 support, RSA authentication support, and agent support).

This product includes software developed by RedBack Networks, Inc.
This product includes software developed by the University of California, Berkeley and its contributors.
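The 0.3.1/0.8.1 fix described in the announcement is a fail-closed rule: seed material comes from the operating system's randomness device or the program does not run at all. The C below is an added illustration of that rule written for this page; it is not FreSSH's own seed code, and the names read_seed_from, seed_or_die, write_fixture, SEED_BYTES and RANDOM_DEVICE are assumptions made here. It treats three conditions as fatal (device cannot be opened, read fails, or the device delivers fewer bytes than requested) and provides no fallback source. write_fixture exists only to build constructed test inputs.

```c
#define _DEFAULT_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define SEED_BYTES 32                 /* assumed seed length for this example */
#define RANDOM_DEVICE "/dev/random"   /* the device named in the announcement */

/* Read exactly `len` bytes from the randomness device at `path`.
 * Returns 0 on success, -1 if the device cannot be opened, a read fails,
 * or the device hits EOF before `len` bytes are delivered (a short read is
 * treated as a failure, never padded from a weaker source). */
int read_seed_from(const char *path, unsigned char *buf, size_t len)
{
    int fd = open(path, O_RDONLY);
    if (fd < 0)
        return -1;

    size_t got = 0;
    while (got < len) {
        ssize_t n = read(fd, buf + got, len - got);
        if (n < 0) {
            if (errno == EINTR)
                continue;             /* interrupted: retry the read */
            close(fd);
            return -1;
        }
        if (n == 0) {                 /* EOF: device delivered too little */
            close(fd);
            return -1;
        }
        got += (size_t)n;
    }
    close(fd);
    return 0;
}

/* Fail closed: if the randomness device is unusable, refuse to run. */
void seed_or_die(unsigned char *buf, size_t len)
{
    if (read_seed_from(RANDOM_DEVICE, buf, len) != 0) {
        fprintf(stderr, "fressh: cannot read %zu bytes from %s: %s\n",
                len, RANDOM_DEVICE, strerror(errno));
        exit(1);
    }
}

/* Test helper (constructed data, not part of the seeding logic): create a
 * temporary file holding `nbytes` filler bytes so that short and full
 * "devices" can be simulated without touching /dev. `path_template` must be
 * a writable mkstemp template such as "/tmp/fressh_seedXXXXXX". */
int write_fixture(char *path_template, size_t nbytes)
{
    int fd = mkstemp(path_template);
    if (fd < 0)
        return -1;
    unsigned char filler = 0xA5;      /* constant filler, not randomness */
    for (size_t i = 0; i < nbytes; i++) {
        if (write(fd, &filler, 1) != 1) {
            close(fd);
            return -1;
        }
    }
    close(fd);
    return 0;
}

int main(void)
{
    unsigned char seed[SEED_BYTES];
    seed_or_die(seed, sizeof seed);   /* exits with status 1 if the device is unusable */
    printf("read %d seed bytes from %s\n", SEED_BYTES, RANDOM_DEVICE);
    return 0;
}
```

The important design point is the absence of an `else` branch: there is no call to time(), getpid() or similar when the device is missing, so a misconfigured host (a chroot without /dev, for instance) produces an obvious startup failure rather than a silently weak key.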