SSH ("secure shell") is an application-level network protocol that allows remote control of the operating system and file transfer. It is similar in functionality to Telnet and rlogin, but, unlike them, it encrypts all traffic, including passwords. SSH allows a choice of different encryption algorithms. SSH clients and SSH servers are available for most operating systems.
SSH allows almost any other network protocol to be transmitted over an insecure channel, so you can not only remotely work on your computer via a command shell, but also transmit a sound stream or video (e.g. from a webcam) over an encrypted channel using Port Forwarding a TCP connection. Also, SSH can use compression of the transmitted data for subsequent encryption, which is useful, for example, to remotely run X Window System clients.
Standards and Software Implementations
The first version of the protocol, SSH-1, was developed in 1995 by researcher Tatu Yl'nen of Helsinki University of Technology, Finland. SSH-1 was written to provide more privacy than the rlogin, telnet, and rsh protocols. In 1996, a more secure version of the protocol, SSH-2, was developed which was no longer compatible with SSH-1. The protocol became even more popular, and by 2000 about two million users were using it.
In 2006, the protocol was approved by the IETF working group as an Internet standard.
However, some countries (France, Russia, Iraq and Pakistan) still require special permission from the proper authorities to use certain encryption methods, including SSH. See Law of the Russian Federation "On Federal Government Communications and Information Authorities".
Two implementations of SSH are common: proprietary commercial, and free free. The free implementation is called OpenSSH. By 2006, 80% of Internet computers were using OpenSSH. The proprietary implementation is developed by SSH Inc., http://www.ssh.com/ it is free for non-commercial use. These implementations contain essentially the same set of commands
There are two versions of the SSH protocol: SSH-1 and SSH-2. The first version of the protocol has significant drawbacks, which is why SSH-1 is currently not used almost anywhere.
Many crackers scan the network looking for an open SSH port, especially the addresses of a hosting provider; usually trying to find the root password.
The SSH-2 protocol is resistant to man-in-middle attacks, unlike the telnet protocol. That is, sniffing the traffic does nothing for the attacker. The SSH-2 protocol is also resistant to man-in-the-middle attacks (session hijacking) and name server spoofing (DNS spoofing).
All UNIX-like systems support SSH, and most have the ssh client and server as standard utilities. There are many implementations of SSH clients on non-UNIX operating systems. The protocol gained popularity after the widespread development of traffic analyzers and methods of disrupting local networks, as an alternative to insecure telnet solution for managing important nodes
SSH servers
- OpenBSD: OpenSSH
- Debian GNU/Linux: dropbear, lsh-server, openssh-server, ssh
- MS Windows: freeSSHd, OpenSSH sshd, WinSSHD
SSH clients and shells
- Debian GNU/Linux: kdessh, lsh-client, openssh-client, putty, ssh
- MS Windows and Windows NT: PuTTY, SecureCRT, ShellGuard, Axessh, ZOC, SSHWindows, ProSSHD
- MS Windows Mobile: PocketPuTTy, mToken, sshCE, PocketTTY, OpenSSH, PocketConsole
- Mac OS: NiftyTelnet SSH
- Symbian OS: PuTTY
- Java: MindTerm, AppGate Security Server
- J2ME: MidpSSH
To use SSH you need an SSH server and an SSH client. The server listens for connections from client machines and authenticates when a connection is established, then starts serving the client. The client is used to log on to the remote machine and execute commands.
To connect, the server and client must create key pairs - public and private - and exchange public keys. Usually a password is also used
Security Recommendations for Using SSH
- Prohibit remote root access.
- Prohibit connection with blank password or disable password login.
- Choose a non-standard port for SSH server.
- Use of long SSH2 RSA keys (2048 bits or more). As of 2006, an RSA-based encryption system is considered secure if the key length is at least 1024 bits.
- Limiting the list of IP addresses from which access is allowed. For example by setting up a firewall.
- Deny access from some potentially unsafe addresses.
- Refuse to use common or widely known system logins for SSH access.
- Regularly review authentication error messages.
- Installing attack detectors (IDS, Intrusion Detection System).
- Use of SSH spoofing traps (honeypots).
Examples of SSH usage
The command to connect to a local SSH server from the GNU/Linux or FreeBSD command line for the user pacify (server listening on non-standard port 30000)
$ ssh -p 30000 pacify@127.0.0.1
Generating a pair of SSH-2 RSA keys 4096 bits long with puttygen
under UNIX-like operating systems
$ puttygen -t rsa -b 4096 -o sample
Some clients - like PuTTY - also have a graphical user interface.
There are modules like python-paramiko and python-twisted-conch to use SSH in Python
Technical information about the protocol
SSH is an application-layer (or application-layer) protocol. The SSH server normally listens for connections on TCP port number 22. The SSH-2 protocol specification is contained in RFC 4251. SSH uses the Diffie-Hellman algorithm to authenticate the server. For client authentication, it uses public key encryption (which is comparatively slow). Faster symmetric encryption is used to encrypt data in transit. Among public key encryption algorithms, RSA and DSA are most commonly used. Among symmetric algorithms - Advanced Encryption Standard (AES), Blowfish and 3DES. The integrity of transmitted data is checked using CRC32 in SSH1 or HMAC-SHA1/HMAC-MD5 in SSH2.
LempelZiv (LZ77) algorithm is used to compress encrypted data, which provides the same level of compression as the ZIP archiver
References
Standards
- RFC4251. The Secure Shell (SSH) Protocol Architecture
- RFC4251. The SSH Protocol Architecture (translation)
** Terminal Access Programs**
- OpenSSH - free library and set of utilities for encryption support, open source
- PuTTY - popular cross-platform SSH client
- ShellGuard - SSH client
- SecureCRT - SSH client
File Access Software
- FTP Commander Deluxe-a popular program that supports all secure protocols
- WinSCP - SFTP client for Microsoft Windows
- SSH Filesystem-allows you to connect a directory accessible on a remote machine via ssh as a local directory in GNU/Linux.
Other