Secure Shell Protocol

Posted on 18-Jul-2015

By B. Sai Anirudh (1005-11-735027)

Outline: Introduction, History, Functions, Architecture, Protect against, Disadvantages, Conclusion, References

Introduction

SSH is a network protocol that allows secure communication between two computers.
Shell: a command-line interface present on every computer, used to log into a remote machine and execute commands.
Encryption provides confidentiality and integrity of data.
SSH uses public-key cryptography.

History

Tatu Ylonen designed the first version of the protocol (SSH-1) in 1995.
The goal of SSH was to replace the earlier rlogin, TELNET and rsh.
It was later made open source and gained popularity.
In 1996 SSH-2 was designed, which is incompatible with the previous version.
SSH-2 featured both security and feature improvements over SSH-1:
  better security through Diffie-Hellman key exchange;
  strong integrity checking via message authentication codes.
Bjorn Gronvall's OSSH developed from this codebase.
A "Portability" branch was formed to port OpenSSH to other operating systems.
As of 2005, OpenSSH is the single most popular SSH implementation and the default in a large number of operating systems. OSSH meanwhile has become obsolete.
In 2006, the SSH-2 protocol became a proposed Internet standard.

Functions

1) Secure command shell
2) Port forwarding
3) Secure file transfer

Secure command shell: allows you to edit files, view the contents of directories, run custom applications, create user accounts and change permissions. Anything that can be done from a command prompt can be done remotely and securely.

Port forwarding: provides security to TCP/IP applications, including e-mail, sales and customer contact databases, and in-house applications. It allows data from normally unsecured TCP/IP applications to be secured.

Secure file transfer: a subsystem of the Secure Shell protocol that handles file transfers. It encrypts both the username/password and the data being transferred, and uses the same port as the Secure Shell server, eliminating the need to open another port on the firewall or router.

Architecture

The SSH-2 protocol has a clean internal architecture with well-separated layers:
  Transport Layer
  User Authentication Layer
  Connection Layer
Defined in RFC 4251.

Transport layer: handles the initial key exchange and server authentication, and sets up encryption, compression and integrity verification. It exposes to the upper layer an interface for sending and receiving plaintext packets of up to 32 KB. It also arranges for key re-exchange.

User authentication layer: handles client authentication and provides a number of authentication methods. Authentication is client-driven. The methods are:
  Password
  Public key
  Keyboard-interactive
  GSSAPI authentication

Password: a method for straightforward password authentication. Includes a facility allowing a password to be changed.

Public key: a method for public key-based authentication.
  Symmetric key (secret)
  Asymmetric key (public and private)

Keyboard-interactive: the server sends one or more prompts to enter information; the client displays them and sends back the responses keyed in by the user. Used to provide one-time password authentication such as S/Key or SecurID. Also used by some OpenSSH configurations when PAM is the underlying host authentication provider, to effectively provide password authentication.
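As an added example, not taken from the original slides, the keyboard-interactive exchange just described encoded in the wire format of RFC 4256 in Python: the server's SSH_MSG_USERAUTH_INFO_REQUEST carrying prompts with their echo flags, the client's SSH_MSG_USERAUTH_INFO_RESPONSE, and a server-side check of the answers. The prompts, the expected password and one-time code, and the verifier are constructed for illustration; a real server would hand the answers to PAM or an OTP backend.

```python
"""Constructed simulation of the SSH keyboard-interactive exchange
(SSH_MSG_USERAUTH_INFO_REQUEST / SSH_MSG_USERAUTH_INFO_RESPONSE, RFC 4256).
Added example; the prompts, secrets and verifier are made up for illustration."""
import hmac
import struct

SSH_MSG_USERAUTH_INFO_REQUEST = 60
SSH_MSG_USERAUTH_INFO_RESPONSE = 61


def ssh_string(data: bytes) -> bytes:
    """SSH 'string' wire type: uint32 big-endian length, then the bytes."""
    return struct.pack(">I", len(data)) + data


def read_string(buf: bytes, off: int):
    """Parse one SSH 'string' at offset off; return (value, next offset)."""
    (n,) = struct.unpack_from(">I", buf, off)
    return buf[off + 4:off + 4 + n], off + 4 + n


def build_info_request(name: str, instruction: str, prompts) -> bytes:
    """Server -> client. prompts is a list of (text, echo) pairs; echo=False
    tells the client not to display what the user types (passwords, OTPs)."""
    msg = bytes([SSH_MSG_USERAUTH_INFO_REQUEST])
    msg += ssh_string(name.encode()) + ssh_string(instruction.encode())
    msg += ssh_string(b"")                      # language tag (unused here)
    msg += struct.pack(">I", len(prompts))
    for text, echo in prompts:
        msg += ssh_string(text.encode()) + (b"\x01" if echo else b"\x00")
    return msg


def parse_info_request(msg: bytes):
    """Client side: recover name, instruction and the (prompt, echo) list."""
    if msg[0] != SSH_MSG_USERAUTH_INFO_REQUEST:
        raise ValueError("not an INFO_REQUEST")
    name, off = read_string(msg, 1)
    instruction, off = read_string(msg, off)
    _lang, off = read_string(msg, off)
    (count,) = struct.unpack_from(">I", msg, off)
    off += 4
    prompts = []
    for _ in range(count):
        text, off = read_string(msg, off)
        prompts.append((text.decode(), msg[off] != 0))
        off += 1
    return name.decode(), instruction.decode(), prompts


def build_info_response(responses) -> bytes:
    """Client -> server: exactly one response per prompt, in prompt order."""
    msg = bytes([SSH_MSG_USERAUTH_INFO_RESPONSE]) + struct.pack(">I", len(responses))
    for r in responses:
        msg += ssh_string(r.encode())
    return msg


def parse_info_response(msg: bytes, expected: int):
    """Server side. RFC 4256 requires the response count to equal the prompt
    count, so a mismatch is a protocol error rather than a failed login."""
    if msg[0] != SSH_MSG_USERAUTH_INFO_RESPONSE:
        raise ValueError("not an INFO_RESPONSE")
    (count,) = struct.unpack_from(">I", msg, 1)
    if count != expected:
        raise ValueError("response count does not match prompt count")
    off, responses = 5, []
    for _ in range(count):
        r, off = read_string(msg, off)
        responses.append(r.decode())
    return responses


# Constructed server-side secrets: a password plus a one-time code, the shape
# of the S/Key or SecurID style deployments the slides mention.
PROMPTS = [("Password: ", False), ("One-time code: ", False)]
EXPECTED = ["constructed-password", "482913"]


def run_exchange(user_answers: dict) -> bool:
    """Full round-trip over the wire encoding. user_answers maps prompt text to
    what the user typed; returns True only if every answer matches."""
    request = build_info_request("", "Enter your credentials", PROMPTS)
    _name, _instr, prompts = parse_info_request(request)      # client side
    answers = [user_answers.get(text, "") for text, _echo in prompts]
    response = build_info_response(answers)
    got = parse_info_response(response, len(PROMPTS))         # server side
    ok = True                                                 # check every answer,
    for got_val, want in zip(got, EXPECTED):                  # never short-circuit
        ok &= hmac.compare_digest(got_val.encode(), want.encode())
    return ok


if __name__ == "__main__":
    print("auth ok:", run_exchange({"Password: ": "constructed-password", "One-time code: ": "482913"}))
    print("auth ok:", run_exchange({"Password: ": "constructed-password", "One-time code: ": "000000"}))
```

The echo flag is the detail worth noticing: it is the server, not the client, that decides whether an answer is displayed, and a response count that does not match the prompt count is rejected before any comparison happens.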

GSSAPI authentication: GSSAPI stands for Generic Security Services Application Program Interface. Authentication proceeds through the exchange of opaque messages (tokens), which hide the implementation detail from the higher-level application.

Connection layer: defines the concept of channels, channel requests and global requests, by means of which SSH services are provided. A single SSH connection can host multiple channels simultaneously, in duplex mode. Channel requests are used to relay out-of-band channel-specific data, such as the changed size of a terminal window or the exit code of a server-side process. The SSH client requests a server-side port to be forwarded using a global request.
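An added example, not part of the original slides, that shows the transport and connection layers described above working together in Python: the connection-layer messages of RFC 4254 (the tcpip-forward global request the client uses to ask for a server-side port, and the window-change and exit-status channel requests that carry the out-of-band data mentioned above), then the transport layer's binary packet framing of RFC 4253 with its padding rule, the 32 KB payload limit and an HMAC over the sequence number and packet. The MAC key and sequence number are constructed; in a real session they come from the key exchange, and encryption of the framed packet is omitted here.

```python
"""Added example: SSH-2 connection-layer messages (RFC 4254) framed by the
transport layer's binary packet format (RFC 4253). The MAC key and sequence
number are constructed; real sessions derive them from the key exchange."""
import hashlib
import hmac
import os
import struct

SSH_MSG_GLOBAL_REQUEST = 80
SSH_MSG_CHANNEL_REQUEST = 98
MAX_PAYLOAD = 32768   # RFC 4253: largest uncompressed payload a transport must accept


def u32(n: int) -> bytes:
    return struct.pack(">I", n)


def sstring(b: bytes) -> bytes:
    """SSH 'string': uint32 length followed by the bytes."""
    return u32(len(b)) + b


def boolean(v: bool) -> bytes:
    return b"\x01" if v else b"\x00"


def read_u32(buf: bytes, off: int):
    return struct.unpack_from(">I", buf, off)[0], off + 4


def read_string(buf: bytes, off: int):
    n, off = read_u32(buf, off)
    return buf[off:off + n], off + n


def tcpip_forward(address: str, port: int, want_reply: bool = True) -> bytes:
    """Global request: ask the server to listen on address:port for us."""
    return (bytes([SSH_MSG_GLOBAL_REQUEST]) + sstring(b"tcpip-forward")
            + boolean(want_reply) + sstring(address.encode()) + u32(port))


def window_change(channel: int, cols: int, rows: int, width_px=0, height_px=0) -> bytes:
    """Channel request carrying a terminal resize; it never asks for a reply."""
    return (bytes([SSH_MSG_CHANNEL_REQUEST]) + u32(channel) + sstring(b"window-change")
            + boolean(False) + u32(cols) + u32(rows) + u32(width_px) + u32(height_px))


def exit_status(channel: int, status: int) -> bytes:
    """Channel request the server sends with the exit code of the remote process."""
    return (bytes([SSH_MSG_CHANNEL_REQUEST]) + u32(channel) + sstring(b"exit-status")
            + boolean(False) + u32(status))


def parse_channel_request(payload: bytes):
    """Return (recipient_channel, request_type, want_reply, type_specific_bytes)."""
    if payload[0] != SSH_MSG_CHANNEL_REQUEST:
        raise ValueError("not a channel request")
    channel, off = read_u32(payload, 1)
    rtype, off = read_string(payload, off)
    return channel, rtype.decode(), payload[off] != 0, payload[off + 1:]


def frame(payload: bytes, seq: int, mac_key: bytes, block: int = 8) -> bytes:
    """Transport framing: packet_length, padding_length, payload, random
    padding (>= 4 bytes, total a multiple of the block size), then the MAC
    computed over the sequence number and the unencrypted packet."""
    if len(payload) > MAX_PAYLOAD:
        raise ValueError("payload exceeds the 32768-byte transport limit")
    pad = block - (5 + len(payload)) % block
    if pad < 4:
        pad += block
    body = u32(1 + len(payload) + pad) + bytes([pad]) + payload + os.urandom(pad)
    mac = hmac.new(mac_key, u32(seq) + body, hashlib.sha1).digest()   # hmac-sha1
    return body + mac


def unframe(data: bytes, seq: int, mac_key: bytes, block: int = 8) -> bytes:
    """Receiver side: verify the MAC first, then the length and padding rules."""
    mac_len = hashlib.sha1().digest_size
    body, mac = data[:-mac_len], data[-mac_len:]
    expected = hmac.new(mac_key, u32(seq) + body, hashlib.sha1).digest()
    if not hmac.compare_digest(mac, expected):
        raise ValueError("MAC check failed")
    plen, _ = read_u32(body, 0)
    pad = body[4]
    if pad < 4 or len(body) % block != 0 or plen + 4 != len(body):
        raise ValueError("malformed packet")
    return body[5:5 + plen - 1 - pad]


if __name__ == "__main__":
    key = b"constructed-mac-key"            # constructed; not a real session key
    pkt = frame(window_change(0, 120, 40), seq=3, mac_key=key)
    print(parse_channel_request(unframe(pkt, 3, key)))
    print(tcpip_forward("127.0.0.1", 8080).hex())
```

Decoding the framed packet with a different sequence number fails the MAC check, which is how the transport layer detects replayed or reordered packets even though the sequence number itself is never sent on the wire.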

Protect against

IP spoofing
DNS spoofing
IP source routing

Disadvantages

Dynamic ports cannot be forwarded.
Port forwarding sometimes also introduces security problems: a client on the internet that uses SSH to access the intranet can expose the intranet by port forwarding.
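An added example, not from the original slides, of how a server administrator contains the exposure described above: a small Python audit of the OpenSSH sshd_config directives that govern forwarding, run over a weak configuration and a hardened one. The two configuration texts are constructed samples; the directive names (AllowTcpForwarding, PermitOpen, GatewayPorts) and their defaults are OpenSSH's, and only the global section before any Match block is examined.

```python
"""Added example: audit the sshd_config forwarding directives that decide how
much of the intranet a remote SSH client can reach through the server.
The config texts are constructed; directive names and defaults are OpenSSH's."""


def parse_sshd_config(text: str) -> dict:
    """Return {keyword (lowercase): first value} from the global section.
    Keywords are case-insensitive; the argument follows whitespace or '='.
    Lines after the first Match block are conditional and are skipped here."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()        # drop comments
        if not line:
            continue
        parts = line.replace("=", " ", 1).split(None, 1)
        key = parts[0].lower()
        if key == "match":
            break
        value = parts[1].strip() if len(parts) > 1 else ""
        settings.setdefault(key, value)            # first occurrence wins, as in sshd
    return settings


def audit_forwarding(text: str) -> list:
    """List exposure findings; an empty list means forwarding is contained."""
    s = parse_sshd_config(text)
    findings = []
    allow = s.get("allowtcpforwarding", "yes").lower()      # OpenSSH default: yes
    gateway = s.get("gatewayports", "no").lower()            # OpenSSH default: no
    permit_open = s.get("permitopen", "any").lower()         # OpenSSH default: any
    if allow in ("yes", "all", "local") and permit_open == "any":
        findings.append("local forwarding unrestricted: a client can reach any intranet "
                        "host:port through this server; set AllowTcpForwarding no or "
                        "limit the targets with PermitOpen")
    if allow in ("yes", "all", "remote") and gateway in ("yes", "clientspecified"):
        findings.append(f"remote forwarding may bind on all interfaces: GatewayPorts {gateway} "
                        "lets other hosts reach listeners the client opens on this server; "
                        "set GatewayPorts no")
    return findings


# Constructed sample: an internet-facing jump host left at the defaults.
WEAK_CONFIG = """
Port 22
AllowTcpForwarding yes
GatewayPorts yes
"""

# Constructed sample: only the two internal services a remote user needs.
HARDENED_CONFIG = """
AllowTcpForwarding local
PermitOpen mail.internal.example:143 crm.internal.example:443
GatewayPorts no
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_forwarding(cfg) or ["no forwarding exposure found"])
```

Note that an empty configuration is flagged too: with OpenSSH's defaults, TCP forwarding is on and PermitOpen is unrestricted, so the exposure the slides describe is the out-of-the-box state rather than a misconfiguration someone has to introduce.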

Conclusion

Compared to other link, network and application security measures like IPsec and PGP, Secure Shell is relatively secure, reliable, quick and easy.
By deploying Secure Shell, companies create a comprehensive general-purpose tunneling platform that can be used to implement a wide variety of security policies, ensuring the privacy, authenticity, authorization and integrity of many different applications.
