This document describes
lsh and related programs. The
lsh suite of programs is intended as a free replacement for
ssh suite of programs. In turn,
ssh was intended
as a secure replacement for the
programs for remote login over the Internet.
lsh is a component of the GNU system.
This manual explains how to use and hack
lsh; it corresponds to
lsh version 1.4.
--- The Detailed Node Listing ---
Related programs and techniques
What is this thing called computer security anyway? Why would you want
to use a program like
This chapter explains the threats
lsh tries to protect you from,
and some of the threats that remain. It also describes some of the
technologies used in
From time to time in this manual, I will speak about the enemy. This means anybody who is trying to eavesdrop or disturb your private communication. This usage is technical, and it does not imply that the enemy is somehow morally inferior to you: The enemy may be some awful criminals trying to eavesdrop on you, or it may be the police trying to eavesdrop on the same criminals.
The enemy can be a criminal, or a competitor, or your boss who's trying to find out how much you tell collegues at competing firms. It may be your own or somebody else's national security officials. Or your ex-boyfriend who happens to be too curious.
So what can the enemy do to your communications and your privacy? Remember that just because you're paranoid that doesn't mean that nobody is trying to get you...
When logging in to some other machine via the Internet, either in the same building or a few continents away, there are several things that may be under enemy attack.
And even without routing anomalies, it is possible that the enemy has
been able to take control of some nearby machine, and can listen in from
there. Of course, passive eavesdropping is most dangerous if you
transmit cleartext passwords. This is the main reason not to use vanilla
telnet to login to remote systems. Use a telnet with support for
SSL or Kerberos, or use a program like
A passive eavesdropper is assumed not to do anything nasty with your
packets beyond listening to them.
lsh makes no attempt to protect you from local attacks. You have
to trust the endpoint machines. It seems really difficult to uphold any
security if the local machine is compromised. This is important to keep
in mind in the "visitor"-scenario, where you visit a friend or perhaps an
Internet café and want to connect to some of the machines at home or at
work. If the enemy has been able to compromize your friend's or the
café's equipment, you may well be in trouble.
Protection from denial-of-service attacks is also a very difficult
lsh makes no attempt to protect you from that.
Instead, the aim of
lsh, and most serious tools for cryptographic
protection of communications across the net, is to isolate the
vulnerabilities to the communication endpoints. If you know that the
endpoints are safe, the enemy should not be able to compromize your
privacy or communications. Except for denial-of-service attacks (which
at least can't be performed without you noticing it).
First of all,
lsh provides protection against passive
eavesdropping. In addition, if you take the appropriate steps to make
sure that hostkeys are properly authenticated,
lsh also protects
against man-in-the-middle attacks and in particular against attacks on
the name resolution. In short, you need only trust the security at the
end points: Even if the enemy controls all other network equipment, name
resolution and routing infrastructure, etc, he can't do anything beyond
the denial-of-service attack.
And at last, remember that there is no such thing as absolute security. You have to estimate the value of that which you are protecting, and adjust the security measures so that your enemies will not find it worth the effort to break them.
lsh does not only provide more secure replacements for
rlogin, it also provides
some other features to make it convenient to communicate securely. This
section is expected to grow with time, as more features from the
wish-list are added to lsh. One goal for
lsh is to make it
reasonable easy to extend it, without messing with the core security
lsh can be configured to allow login based on a personal key-pair
consisting of a private and a public key, so that you can execute remote
commands without typing your password every time. You can also use
Thomas Wu's Secure Remote Password Protocol (SRP). Kerberos support is
on the wish list but not yet supported (see Kerberos).
The public-key authentication methods should also be extended to support Simple Public Key Infrastructure (SPKI) certificates, including some mechanism to delegate restricted logins.
Forwarding of arbitrary TCP/IP connections is provided. This
is useful for tunneling otherwise insecure protocols, like telnet and
pop, through an encrypted
Convenient tunneling of X was one of the most impressive
features of the original
ssh programs. The current version of
lsh implements X-forwarding, although the
lshd server doesn't provide that service yet.
Whan X forwarding is in effect, the remote process is started
in an environment where the
DISPLAY variable in the environment
points to a fake X server, connection to which are forwarded
to the X server in your local environment.
creates a new "fake"
MIT-MAGIC-COOKIE-1 for controlling access
control. Your real X authentication data is never sent to the
Other kinds of tunneling that may turn out to be useful include
ssh-agent), general forwarding of
UDP, and why not also general IP-tunneling.
This sections describes some other programs and techniques related to
lsh. The ssh family of programs use mostly the same kind of
lsh. Kerberos and IPSEC operate quite
differently, in particular when it comes to protection against
The first of the Secure shell programs was Tatu Ylönen's
The latest of the version 1 series is
ssh-1.33 which speaks
version 1.5 of the protocol. The "free" version of
does not allow commercial use without additional licensing, which makes
ssh-1.33 non-free software according to Debian's Free Software
Guidelines and the Open Source Definition.
The version 1 protocol has some minor weaknesses, in particular, all support for using stream ciphers was disabled by default a few versions back, for security reasons.
There also exists free implementations of
ssh-1, for both Unix
ossh and later OpenSSH are derived from earlier
version av Tatu Ylönen's
ssh, and are free software.
ssh2 implements the next generation of the Secure Shell
protocol, the development of which is supervised by the IETF
secsh Working Group.
lsh implements the required subset of
this protocol. It is intended to be compatible with the
series of programs distributed by F-Secure Corporation.
However, the existing versions of
ssh2 gets some details of the
protocol wrong (probably because it predates the protocol
specification), so there is some amount of bug-compatibility required.
Interoperability between independently developed implementations is one
necessary condition for the
ssh-2 protocol to become a Proposed
The license for F-Secure's
ssh2 programs is similar to that
for recent versions of
ssh1, but with a narrower definition of
lsh there are few free implementations of the
ssh-2 protocols. Since May 2000 it is supported also by
Kerberos is a key distribution system originally developed in the late 1980:s as a part of Project Athena at MIT. Recent development have been done at The Royal Institute of Technology, Stockholm (KTH).
Kerberos uses a central trusted ticket-granting server, and requires less trust on the local machines in the system. It does not use public-key technology.
Usually, Kerberos support is compiled into applications such as telnet, ftp and X-clients. The ssh family of programs, on the other hand, tries to do all needed magic, for instance to forward X securely, and then provides general TCP/IP forwarding as a kitchen sink.
I believe Kerberos' and lsh's protection against passive eavesdropping are mostly equivalent. The difference is in the set of machines and assumptions you have to trust in order to be safe from a man-in-the-middle attack.
I think the main advantage of
lsh over Kerberos is that it is
easier to install and use for on ordinary mortal user. In order to set
up key exchange between two different Kerberos systems (or Kerberos
realms), the respective system operators need to exchange keys. In the
case of two random users at two random sites, setting up
some other program in the ssh family is likely easier than to get the
operators to spend time and attention. So
lsh should be easier to
use in an anarchistic grass-roots environment.
Another perspective is to combine ssh features like X and TCP/IP forwarding with authentication based on Kerberos. Such an arrangement may provide the best of two worlds for those who happen to have an account at a suitable ticket-granting server.
IPSEC is a set of protocols for protecting general IP traffic. It is developed by another IETF working group, and is also a required part of IP version 6.
Again, the main difference between IPSEC and Kerberos and ssh is the set of machines that have to be secure and the keys that have to be exchanged in order to avoid man-in-the-middle attacks.
Current protocols and implementations of IPSEC only provide authentication of machines; there's nothing analogous to the user authentication in ssh or Kerberos.
On the other hand, IPSEC provides one distinct advantage over application level encryption. Because IP and TCP headers are authenticated, it provides protection against some denial-of-service attacks. In particular, it makes attacks that cause hangup of a TCP connection considerably more difficult.
So it makes sense to use both IPSEC and some application level cryptographic protocol.
Also note that it is possible to use the Point-to-Point Protocol (PPP) to tunnel arbitrary IP traffic accross an ssh connection. This arrangement provides some of the functionality of IPSEC, and is sometimes referred to as "a poor man's Virtual Private Network".
lsh with the usual
./configure && make &&
make install. For a full listing of the options you can give to
./configure --help. For example, use
--without-pty to disable pty-support.
The most commonly used option is
--prefix, which tells
configure where lsh should be installed. Default prefix is
lshd server is installed in
$prefix/sbin, all other programs and scripts are installed in
The configure script tries to figure out if the linker needs any special flags specifying where to find dynamically linked libraries at run time (one case where this matters is if you have a dynamic libz.so installed in a non-standard place). Usually, you can use
to specify extra library directories, and the configure script should do
the right thing. If it doesn't work, or you believe that you know your
system better than
./configure, just set LDFLAGS and/or
LD_LIBRARY_PATH to the right values instead.
This section tells you how to perform some common tasks using the
lsh suite of programs, without covering all options and
Several of the lsh programs requires a good pseudorandomness generator
for secure operation. The first thing you need to do is to create a
seed file for the generator. To create a personal seed file, stored as
To create a seed file for use by
as root. The seed file is stored as
lsh is the program you use for connection to a remote machine. A
few examples are:
sara.lysator.liu.se and starts an interactive shell.
In this example, and in the rest of the examples in this section, lsh
will ask for your password, unless you have public-key user
authentication set up.
The first time you try to connect between two machines,
typically complains about an "unknown host key". This is because it
has no reason to believe that it was the right machine that answered,
and not a machine controlled by the enemy (see Threats). The default
behaviour is to never ever accept a server that is not properly
authenticated. A machine is considered authentic if it follows the
protocol and has its public hostkey listed in
To make lsh less paranoid, use
lsh --sloppy-host-authentication sara.lysator.liu.se
lsh will display a fingerprint of the host key of the
remote machine, and ask you if it is correct. If so, the machine is
considered authentic and its key is appended to the file
~/.lsh/captured_keys. You can copy keys you have verified to
You can even use
lsh --sloppy-host-authentication --capture-to ~/.lsh/known_hosts
lsh to behave more like the traditional
You can create fingerprints for the hostkeys you need regularly, and keep with you (see sexp).
lsh -l omar sara.lysator.liu.se
Connects, like above, but tries to log in as the user "omar".
lsh sara.lysator.liu.se tar cf - some/dir | (cd /target/dir && tar -xf -)
Copies a directory from the remote machine, by executing one remote and
tar process and piping them together.
CVS_RSH=lsh cvs -d cvs.lysator.liu.se:/cvsroot/lsh co lsh
Checks out the
lsh source code from the CVS
One useful feature of
lsh and other ssh-like programs is the
ability to forward arbitrary connections inside the encrypted
connection. There are two flavors: "local" and "remote" forwarding.
An example of local forwarding is
lsh -L 4000:kom.lysator.liu.se:4894 sara.lysator.liu.se
lsh listen on port 4000 on the local machine. When
lsh asks the server to open a connection from
the remote machine (i.e.
sara) to port 4894 on another machine
kom). The two connections are piped together using an
There are a few things that should be noted here:
lsh only listens on the loopback interface, so only
clients on the same machine can use the tunnel. To listen on all
interfaces, use the
lsh listens on.
sara in this example.
Only the middle part is protected by
lsh: all data flowing
through the tunnel is sent across the first and last part in the
clear. So forwarding doesn't offer much protection unless the tunnel
endpoint and the ultimate target machine are close to eachother. They
should usually be either the same machine, or two machines connected by
a local network that is trusted.
lsh helps you get out through
the firewall in a secure way.
doing. In the example above, a tunnel is set up, but
also start an interactive shell for you. Just as if the
option was not present. If this is not what you want, the
-B option is for you (see Invoking lsh)
Remote forwarding is similar, but asks the remote machine to listen on a port. An example of remote forwarding is
lsh -g -R 8080:localhost:80 sara.lysator.liu.se
This asks the remote machine to listen on port 8080 (note that you are
probably not authorized to listen on port 80). Whenever someone
connects, the connection is tunnelled to your local machine, and
directed to port 80 on the same machine. Note the use of
the effect is to allow anybody in the world to use the tunnel to connect
to your local webserver.
The same considerations that apply to forwarded local ports apply also to forwarded remote ports.
At last, you can use any number of
on the same command line.
There are no global configuration files for
configuration is done with command line options (see Invoking lshd).
lshd, you must first create a hostkey, usually stored in
/etc/lsh_host_key. To do this, run
lsh-keygen --server | lsh-writekey --server
This will also create a file
containing the corresponding public key.
A typical command line for starting lshd in daemon mode is simply
You can find init script for
lshd tailored for Debian's and
RedHat's GNU/Linux systems in the
It is also possible to let
lshd, by adding it in
Public-key user authentication is a way to authenticate for login, without having to type any passwords. There are two steps: Creating a key pair, and authorizing the public key to the systems where you want to log in.
To create a keypair, run
lsh-keygen | lsh-writekey
This can take some time, but in the end it creates two files
If you want to use the key to login to some other machine, say
sara, you can do that by first copying the key,
lsh sara.lysator.liu.se '>my-key.pub' <~/.lsh/identity.pub
then authorizing it by executing, on
For security reasons, you should keep the private key
~/.lsh/identity secret. Anybody who can read that file will be
able to login in your name to any machine where the corresponding public
key is registered as an authorized key.
Naturally, you should also make sure not to authorize any keys but your
own. For instance, it is inappropriate to use an insecure mechanism such
as unauthenticated email,
http to transfer your
public key to the machines where you want to authorize it.
If you have accounts on several systems, you usually create a single keypair on each of the systems, and on each system you authorize some or all of your other public keys for login.
lsh-writekey does not currently encrypt your
private key in any way. That means that you can lose it if a backup tape
gets into the wrong hands, and if you use NFS it will likely be sent in
the clear across your local network. To encrypt the key using a pass
phrase, give the
-c 3des option to
The Secure Remote Password protocol is a fairly new protocol that provides mutual authentication based on a password. To use it, you must first choose a secret password. Next, you create a password verifier that is derived from the password. The verifier is stored on the target machine (i.e. the machine you want to log in to).
To create a verifier, you run the
srp-gen program and type
your new password. You have to do it on either the target machine,
redirecting the output to ~/.lsh/srp-verifier, or you can generate it on
some other machine and copy it to the target.
The main advantage of using SRP is that you use the password not only to get access to the remote machine, but you also use it to authenticate the remote machine. I.e. you can use it to connect securely, without having to know any hostkeys or fingerprints beforehand!
For instance, you could connect using SRP to fetch the hostkey fingerprint for the remote machine, as a kind of bootstrapping procedure, and then use traditional authentication methods for further connections.
For this to work, the verifier must be kept secret. If the enemy gets your verifier, he can mount some attacks:
If you use SRP to get the hostkey or fingerprint for the remote machine, as outlined above, the impersonation attack destroys security, you could just as well connect the hostkey presented by the remote server without verifying it at all.
If you use SRP exclusively, the situation seems somewhat different. As far as I can see, an attacker knowing your verifier can not mount a traditional man-in-the-middle-attack: He can play the server's part when talking to you, but in order to play your part when talking to the real server, he needs to know your password as well.
SRP support is disabled by default, but can be enabled by the
--srp-keyexchange option to
(naturally, it won't be used unless enabled on both sides). At the time
of this writing, SRP is too new to be trusted by conservative
cryptographers (and remember that conservatism is a virtue when it comes
And even if SRP in itself is secure, the way
integrates it into the
ssh protocol has not had much peer review.
The bottom line of this disclaimer is that the SRP support in
lsh should be considered experimental.
As far as I know, using SRP as a host authentication mechanism
is not supported by any other
ssh implementation. The protocol
lsh uses is described in the
Implementations that use SRP only as a user authentication
mechanism are not compatible with
Keys and most other objects
lsh needs to store on disk are
represented as so called S-expressions or sexps for short.
S-expressions have their roots in the Lisp world, and a variant of them
in used in the Simple Public Key Infrastructure (SPKI).
lsh's support for SPKI is quite limited,
but it uses SPKI's formats for keys and Access Control Lists
There are several flavours of the sexp syntax:
To see what your
~/.lsh/known_hosts file really contains, try
sexp-conv -i advanced < ~/.lsh/known_hosts
sexp-conv program can also be used to computes
fingerprints. The fingerprint of a key (or any sexp, for that matter) is
simply the hash of its canonical representation. For example,
sexp-conv --raw-hash </etc/lsh_host_key.pub
ssh2 and OpenSSH
If you are already using
ssh2 or OpenSSH, and have creating
one or more personal keypairs, you need to convert the public keys to
lsh's format before you can authorize them. Use the supplied
ssh-conv <openssh-key.pub >new-key.pub
You can then use the usual
lsh-authorize on the converted
ssh-conv supports both DSA and
Conversion of keys the other way is also possible, by using the
lsh-export-key program. It reads a public key in
lsh's SPKI format on stdin, and writes the key in
ssh2/OpenSSH format on stdout.
There are currently no tools for converting private keys.
lsh to login to a remote machine. Basic usage is
lsh [-p port number] sara.lysator.liu.se
which attempts to connect, login, and start an interactive shell on the
remote machine. Default port number is whatever your system's
/etc/services lists for
ssh. Usually, that is port 22.
There is a plethora of options to
lsh, to let you configure where
and how to connect, how to authenticate, and what you want to do once
properly logged in to the remote host. Many options have both long and
short forms. This manual does not list all variants; for a full listing
of supported options, use
Note that for many of the options to
lsh, the ordering of the
options on the command line is important.
Before a packet is sent, each packet can be compressed, encrypted and authenticated, in that order. When the packet is received, it is first decrypted, next it is checked that it is authenticated properly, and finally it is decompressed. The algorithms used for this are negotiated with the peer at the other end of the connection, as a part of the initial handshake and key exchange.
Each party provides a list of supported algorithms, and the first algorithm listed by the client, which is also found on the server's list, is selected. Note that this implies that order in which algorithms are listed on the server's list doesn't matter: if several algorithms are present on both the server's and the client's lists, it's the client's order that determines which algorithm is selected.
Algorithms of different types, e.g. data compression and message authentication, are negotiated independently. Furthermore, algorithms used for transmission from the client to the server are independent of the algorithms used for transmission from the server to the client. There are therefore no less than six different lists that could be configured at each end.
The command line options for lsh and lshd don't let you specify arbitrary lists. For instance, you can't specify different preferences for sending and receiving.
There is a set of default algorithm preferences. When you use a command
line option to say that you want to use algorithm for one of the
algorithms, the default list is replaced with a list containing the
single element algorithm. For example, if you use
arcfour to say that you want to use
arcfour as the encryption
algorithm, the connection will either end up using
algorithm negotiation will fail because the peer doesn't support
|The default preference list supports zlib compression, but
prefers not to use it.
|The default encryption algorithm is aes256. The default list
includes only quite old and well studied algorithms. There is a special
all to enable all supported encryption algorithms
|Both supported message authentication algorithms are of the
As a special case,
-z with no argument changes the compression
algorithm list to
none, which means that you want to
zlib if the other end supports it. This is different from
-zzlib which causes the negotiation to fail if the other end
zlib. A somewhat unobvious consequence of
-z having an optional argument is that if you provide an
argument, it must follow directly after the option letter, no spaces
As described earlier (see Threats), proper authentication of the
remote host is crucial to protect the connection against
man-in-the-middle attacks. By default,
lsh verifies the server's
claimed host key against the Access Control Lists in
~/.lsh/known_hosts. If the remote host cannot be authenticated,
the connection is dropped.
The options that change this behaviour are
lsh not to drop the connection if the server's key can not
be authenticated. Instead, it displays the fingerprint of the key, and
asks if it is trusted. The received key is also appended to the file
~/.lsh/captured_keys. If run in quiet mode,
lsh connects to any host, no
~/.lsh/captured_keys. For example,
lsh --sloppy-host-authentication --capture-to ~/.lsh/known_hosts
lsh behave more like the
LOGNAME environment variable is used.
~/.lsh/identity, if it exists. It ought to be possible to use
-i options to use more than one file, but that is
currently not implemented.
There are many things
lsh can do once you are logged in. There
are two types of options that control this: actions and
action modifiers. For short options, actions use uppercase letters
and modifiers use lowercase.
For each modifier
--foo there's also a negated form
--no-foo. Options can also be negated by preceding it with the
-n. This is mainly useful for negating short
options. For instance, use
-nt to tell
lsh not to
request a remote pseudo terminal. Each modifier and its negation can be
used several times on the command line. For each action, the latest
previous modifier of each pair apply.
First, the actions:
lsh to listen on listen-port on the local machine. When
someone conects to that port,
lsh asks the remote server to open
a connection to target-port on target-host, and if it
succeeds, the two connections are joined together through an the
lsh connection. Both port numbers should be given in decimal.
-L. But in this case
lsh asks the
remote server to listen on listen-port. When someone
connects to the remote hosts, the server will inform the local
lsh. The local
lsh then connects to target-port on
If there are trailing arguments after the name of the remote system,
this is equivalent to a
-E option, with a command string
constructed by catenating all the remaining arguments, separated by
spaces. This implies that the arguments are usually expanded first by
the local shell, and then the resulting command string is interpreted
again by the remote system.
If there are no trailing arguments after the name of the remote system,
-N option is not given, the default action is to start
a shell on the remote machine. I.e. this is equivalent to the
There are a few supported modifiers:
lsh asks the remote system to allocate
a pseudo terminal. If it succeeds, the local terminal is set to raw
mode. The default behaviour is to request a pty if and only if the
lsh process has a controlling terminal. This modifier
applies to actions that create remote processes, i.e.
-S, as well as the default actions.
Currently, this option is ignored if there is no local terminal.
S and the default actions.
lsh's stdin for the first process, and
/dev/null for the rest. This option applies to the
-S options as well as to the default actions. The option
applies to only one process; as soon as it is used it is reset to the
lsh's stdout. Like
--stdin, it is reset
after it is used.
-R. By default, only
connections to the loopback interface, ip 127.0.0.1, are forwared. This
implies that only processes on the same machine can use the forwarded
tunnel directly. If the -g modifier is in effect, the forwarding party
will listen on all network interfaces.
These options determines what messages
lsh writes on
lsh a little more verbose. The intention is
to provide information that is useful for ordinary trouble shooting,
and makes sense also to those not familiar with
lsh's flow of control.
messages, but you should still use it with care.
Note that all these options are orthogonal. If you use
you usually want to add
-v as well;
--trace does not
do that automatically.
lshd is a server that accepts connections from clients
speaking the Secure Shell Protocol. It is usually started automatically
when the systems boots, and runs with root privileges. However, it is
also possible to start
lshd manually, and with user
There are currently no configuration files. Instead, command line options
are used to tell
lshd what to do. Many options have
--no-foo variants. Options specifying the default behaviour
are not listed here.
Some of the options are the shared with
lsh. In particular, see
Algorithm options and Verbosity options.
Options specific to the
lshd server are:
lshd listens on all
implement version 1 of the Secure Shell Protocol. But it can fork an
ssh1 server when an old client connects. Falling back to
ssh1 is inefficient, and requires some special features of the
server fallen back to. It should work with the
supplied with reasonably new versions of F-Secure's
and with OpenSSH.
The optional argument provides the filename of the ssh1 daemon to use.
The default name is
/usr/local/sbin/sshd1, unless something else
was configured at compile time.
lshd forks into the background,
redirects its stdio file descriptors to
/dev/null, changes its
working directory to
/, and redirects any diagnostic or debugging
messages via syslog.
lshd should be able to deal with the environment it inherits
if it is started by
inetd, but this is not
lshd. The mandatory argument provides the filename.
This option is enabled by default when operating in daemonic mode, and
the default filename is
lshd disables core dumps, to avoid leaking sensitive
information. This option changes that behaviour, and allows
to dump core on fatal errors.
lsh-krb-checkpw helper program. Note that this does
not use the Kerberos infrastructure in the Right Way. Experimental.
lshd to use a helper program for verifying passwords.
This is a generalization of
--kerberos-passwords, and it could
be used for verifying passwords against any password database. See the
This chapters describes all files and all environment variables that
are used by
lshd, and related programs.
There are a few environment variables that modifies the behaviour of
lsh programs. And there are also a handful of variables
that are setup by
lshd when starting user processes.
DISPLAY specifies the
local display. Used by
~/.lsh directory. When
lshd starts a user program, it
HOME from the value in the
/etc/passwd file, except
lshd is running as an ordinary user process. In the
latter case, the new process inherits
lsh's own value of
lshd when starting new processes.
lshd and the client programs.
lshd starts a user process, it sets
SHELL to the value in
/etc/passwd, unless overridden by
--login-shell command line option.
TERM is transferred from client to
lshg is located in
lshd inherit the value of
this variable from the server.
Files used by the lsh client, stored in the
--sloppy-host-authentication. Or more precicely, each key is stored
together with an as SPKI (Simple Public Key Intrastructure) ACL:s
(Access Control Lists).
lsh-writekey. Read by
lsh. Should be kept secret.
Files used by
lshd, some of which are read from user home
lshd's randomness generator.