secure shell protocol
TRANSCRIPT
a network protocol
allows secure communication between two
computers
Shell-a command line interface present on
every computer, used to log into a remote
machine and execute commands
Tatu Ylonen designed the first version of the
protocol (SSH-1) in 1995
Goal of SSH is to replace the earlier rlogin,
TELNET and rsh
It was made as open source later and gained
popularity
In 1996 SSH-2 was designed which is incompatible with previous version
SSH-2 featured both security and feature improvements over SSH-1
Better security through Diffie-Hellman key exchange
Strong integrity checking via message authentication codes
Bjorn Gronvall's OSSH developed from this codebase
“Portability" branch was formed to port OpenSSH to other operating
systems
As of 2005
OpenSSH is the single most popular ssh implementation
The default in a large number of operating systems.
OSSH meanwhile has become obsolete
In 2006, SSH-2 protocol became a proposed Internet standard
Allow you to edit files. View the contents of directories. Custom based applications. Create user accounts. Change permissions. Anything can be done from command
prompt can be done remotely and securely.
provide security to TCP/IP applications
including e-mail, sales and customer contact
databases, and in-house applications.
allows data from normally unsecured TCP/IP
applications to be secured.
A subsystem of the Secure Shell protocol. to handle file transfers. encrypts both the username/password and
the data being transferred. Uses the same port as the Secure Shell
server, eliminating the need to open another port on the firewall or router.
The SSH-2 protocol has a clean internal
architecture with well-separated layers:
Transport Layer
User Authentication Layer
Connection Layer
Defined in “RFC 4251”
Handles initial key exchange and server authentication
sets up encryption, compression and integrity
verification.
It exposes to the upper layer an interface for sending
and receiving plaintext packets of up to 32kb
also arranges for key re-exchange
It handles client authentication
Provides a number of authentication methods.
Authentication is client-driven
A method for straightforward password
authentication
Includes a facility allowing a password to be
changed
A method for public key-based authentication
Symmetric key (secret)
Asymmetric key (public and private)
The server sends one or more prompts to enter information
The client displays them and sends back responses keyed-in by the user
Used to provide one-time password authentication such as S/Key or SecurID.
Used by some OpenSSH configurations when PAM is the underlying host authentication provider to effectively provide password authentication
Stands for Generic Security Services
Application Program Interface.
the exchange of opaque messages (tokens)
which hide the implementation detail from the
higher-level application.
Defines the concept of channels, channel requests and
global requests using which SSH services are provided.
A single SSH connection can host multiple channels
simultaneously, in duplex mode
Channel requests are used to relay out-of-band channel
specific data, such as the changed size of a terminal
window or the exit code of a server-side process.
The SSH client requests a server-side port to be forwarded
using a global request.
Dynamic ports cannot be forwarded.
Sometimes port forwarding also introduces
security problems.
A client on the internet that uses SSH to access
the intranet, can expose the intranet by port
forwarding.
As compared to the other link, network, and application
security measures like IPsec, n PGP, Secure Shell is
relatively secure, reliable, quick and easy.
By deploying Secure Shell, companies create a
comprehensive general-purpose tunneling platform that
can be used to implement a wide variety of security
policies, ensuring the privacy, authenticity, authorization
and integrity of many different applications.
[1] Cusack, F. and Forssen, M. "Generic Message Exchange Authentication for the Secure Shell Protocol (SSH)," RFC 4256, January 2006.
[2] Lehtinen, S. and Lonvick, C., "The Secure Shell (SSH) Protocol Assigned Numbers," RFC 4250, January 2006.
[3] JSchlyter, J. and Griffin, W. "Using DNS to Securely Publish Secure Shell (SSH) Key Fingerprints," RFC 4255, January 2006.
[4] Ylonen, T., "SSH – Secure Login Connections over the Internet," Proceedings, Sixth USENIX UNIX Security Symposium, July 1996.