OpenSSH is a 100% complete SSH protocol version 1.3, 1.5 and 2.0 implementation and includes sftp client and server support.
It encrypts all traffic (including passwords) to effectively eliminate eavesdropping, connection hijacking, and other attacks.
Some of the new features include:
- Introduce sandboxing of the pre-auth privsep child using an optional sshd_config(5) “UsePrivilegeSeparation=sandbox” mode that enables mandatory restrictions on the syscalls the privsep child can perform. This intention is to prevent a compromised privsep child from being used to attack other hosts (by opening sockets and proxying) or probing local kernel attack surface.
- Three concrete sandbox implementation are provided (selected at configure time): systrace, seatbelt and rlimit.
- The systrace sandbox uses systrace(4) in unsupervised “fast-path” mode, where a list of permitted syscalls is supplied. Any syscall not on the list results in SIGKILL being sent to the privsep child. Note that this requires a kernel with the new SYSTR_POLICY_KILL option (only OpenBSD has this mode at present).
- The seatbelt sandbox uses OS X/Darwin sandbox(7) facilities with a strict (kSBXProfilePureComputation) policy that disables access to filesystem and network resources.
- The rlimit sandbox is a fallback choice for platforms that don’t support a better one; it uses setrlimit() to reset the hard-limit of file descriptors and processes to zero, which should prevent the privsep child from forking or opening new network connections.
- Sandboxing of the privilege separated child process is currently experimental but should become the default in a future release. Native sandboxes for other platforms are welcome (e.g. Capsicum, Linux pid/net namespaces, etc.)