Flux rss

Cryptography - Secure Shell (SSH protocol)

The Internet makes it possible to carry out a wide variety of remote operations, and particularly server administration and file transfers. The Telnet protocol and the BSD r-commands (rsh, rlogin and rexec) that let users perform these remote tasks have the major disadvantage of circulating exchanged information in plaintext on the network, and particularly the login and password to access the remote machine. As such, a hacker who is located on a network between the user and the remote machine can monitor traffic, that is, use a tool called a sniffer that can capture packets circulating on the network and obtain the login and password to access the remote machine.

Even if the exchanged information does not have a high security level, the hacker obtains access to an account on the remote machine and can possibly escalate his privileges on the machine to obtain root access.

Given that it is impossiblie to control all physical infrastructures located between the user and the remote machine (the Internet being an open network by definition), the only solution is to rely on security at the logical level (at the data level).

The SSH (Secure Shell) protocol is a response to this problem in that it enables users (or TCP/IP services) to access a machine via an encrypted communication (called a tunnel).

The SSH protocol

The SSH (Secure Shell) protocol was developed in 1995 by Tatu Ylönen, from Finland.

It is a protocol that makes it possible for a client (a user or even a machine) to open an interactive session on a remote machine (server) to send commands or files over a secure channel:

  • The data circulating between the client and the server are encrypted, which guarantees their confidentiality (nobody other than the server and the client can read the information being sent on the network). As a result, it is not possible to monitor the network with a sniffer.
  • The client and server authenticate one another in order to make sure the two communicating machines are indeed those the parties believe them to be. A hacker can no longer take on the identity of the client or server (spoofing).

The goal of version 1 of the protocol (SSH1), which was proposed in 1995, was to offer an alternative to interactive sessions (shells) such as Telnet, rsh, rlogin and rexec. Yet this protocol had a flaw that enabled hackers to insert data in encrypted flows. This is why version 2 of the protocol (SSH2) was proposed in 1997 as a draft to the IETF. The documents defining the protocol can be accessed online at http://www.ietf.org/html.charters/secsh-charter.html.

Secure Shell Version 2 also includes a Secure File Transfer Protocol (SFTP).

SSH is a protocol, that is, a standard method enabling machines to establish a secure connection. As such, there are a variety of SSH client and server implementations. Some require a fee, while others are free or open source: you will find a certain number of SSH clients in the downloading section of CommentCaMarche.

How SSH works

An SSH connection is established in several phases:

  • Firstly, the server and client identify one another in order to establish a secure channel (secure transport layer).
  • Secondly, the client logs in to the server to obtain a session.

Establishing a secure channel

The establishment of a secure transport layer starts with a negotation phase between the client and server so they can agree on the encryption methods they want to use. The SSH protocol is designed to work with a large number of encryption algorithms, which is why the client and server must first exchange the algorithms they support.

Next, to establish a secure connection, the server sends its host key to the client. The client generates a 256-bit session key it encrypts with the server's public key, and sends the server the encrypted session key as well as the algorithm used. The server decrypts the session key with its private key and sends a confirmation message encrypted with the session key. After this point, the remaining communications are encrypted thanks to a symmetric encryption algorithm using the session key shared by the client and the server.

The transaction's security is based on the client and server's confidence that the other party's host keys are valid. As such, when first connecting to a server, the client generally displays a message asking to accept the connection (and possibly presents a hash of the server's host key): 

Host key not found from the list of known hosts.
Are you sure you want to continue connecting (yes/no)?
In order to obtain a truly secure session, it is best to verbally ask the server's administrator to validate the public key presented. If the user validates the connection, the client saves the server's host key to keep from having to repeat this phase.

Conversely, depending on its configuration, the server can sometimes verify that the client is who it claims to be. If the server has a list of hosts authorized to connect, it will encrypt a message using the client's public key (which it has in its host key database) to verify whether the client is capable of decrypting it with its private key (this is called a challenge).

Authentication

Once the secure connection is established between the client and the server, the client has to log on to the server to obtain an access right. There are several methods:

  • the most well-known method is the traditional password. The client sends a login and a password to the server via the secure connection and the server checks whether the user in question has access to the machine and whether the password provided is valid.
  • a lesser known but more flexible method is the use of public keys. If the client chooses key authentication, the server will create a challenge and give access to the client if the latter is able to decrypt the challenge with its private key


Last update on Thursday October 16, 2008 02:43:18 PM.
This document entitled « Cryptography - Secure Shell (SSH protocol) » from Kioskea (en.kioskea.net) is made available under the Creative Commons license. You can copy, modify copies of this page, under the conditions stipulated by the licence, as this note appears clearly.

Results for

File transfer via SSH SSH - Secure SHell SSH allows the use of pipelines controls, and use inputs / outputs pipes as any other commands , on the basis that redirection is done to or from the remote machine. This may be used to transfer files: ssh server... en.kioskea.net/faq/sujet-794-file-transfer-via-ssh
Cryptography - Secure HTTP (S-HTTP) S-HTTP (Secure HTTP) is a process that protects HTTP transactions and is based on an improvement to the HTTP protocol that was made in 1994 by EIT (Enterprise Integration Technologies). It makes it possible to establish a secure connection for e... en.kioskea.net/crypto/shttp.php3
Cryptography - Secure Sockets Layers (SSL) SSL (Secure Sockets Layers) is a process that manages the security of transactions made on the Internet. The SSL standard was developed by Netscape, together with Mastercard, Bank of America, MCI and Silicon Graphics. It is based on a public-key... en.kioskea.net/crypto/ssl.php3

Results for

Log in remotely with SSH (Linux)Log in remotely with SSH (Linux) The commands below are relevant only if you have an existing account on the PC you want to connect and that a SSH server is installed. When using Linux the syntax is quite simple as the client part is... en.kioskea.net/faq/sujet-604-log-in-remotely-with-ssh-linux
How to disable the security Center under windows XP?How to disable the security Center under windows XP? Intruduction Disable Alerts Turn off Windows Security Center Intruduction Windows security Center is a component that works under Windows XP service pack 2 for providing... en.kioskea.net/faq/sujet-617-how-to-disable-the-security-center-under-windows-xp
Securing your wireless networkSecuring your wireless network What is Wi-Fi? Ad-hoc mode Infrastructure mode connection Security and protection What is Wi-Fi? Wi-Fi regroups various IEEE802.11 standards and technologies, using radio waves to provide reliable... en.kioskea.net/faq/sujet-431-securing-your-wireless-network
Voir les réponses

Results for

Manet routing protocolsHello, Explain MANET ROUTING PROTOCOLS. Please help me. en.kioskea.net/forum/affich-8966-manet-routing-protocols
Windows security warning downloading spywareHello, I am new here. I would like to stop windows security warning in popping up always and telling i need to download anti-spyware because everytime i cick it, eset nod32 will have a warning that i am downloaidng a trojan file. it repeats again and... en.kioskea.net/forum/affich-20833-windows-security-warning-downloading-spyware
Second Hard Drive not recognizedHello, I had a hard drive failure and bought a new Segate SATA Internal Hard Drive. As you can see it works fine. But I cannot get my second Western Digitial EIDE Hard Drive recognized. It has no oeprating system just ALL my personal files and stuff.... en.kioskea.net/forum/affich-26671-second-hard-drive-not-recognized
Voir les réponses

Results for

Download CyberduckCyberduck runs on Mac OS X 10.3.9 or later. Cyberduck is a open source FTP and SFTP (SSH Secure File Transfer) browser licenced under the GPL. en.kioskea.net/telecharger/telecharger-84-cyberduck
Download AnalogX ProxyAnalogX Proxy is a waiter very light proxy (238 KB), who allows all machines of your network to have the access to Internet thanks to a machine exchange. It understands protocols HTTP (webs), HTTPS (secure Web), POP3 (accept from the mail), SMTP (Send... en.kioskea.net/telecharger/telecharger-163-analogx-proxy
Download Vista Live Shell Pack - PinkIf you want to have Vista on your computer but your shape is not rather powerful or if simply you cannot have to be paid this version yet? Then resolution is to change the appearance of your good old XP. Vista Live Shell Pack is a topic of office... en.kioskea.net/telecharger/telecharger-771-vista-live-shell-pack-pink
Voir les réponses

Results for

Swedish researchers find hole in 'flawless' encryption technologyA trader at the Philippine Stock Exchange in Manila's financial district in Makati monitors share prices on a computer. Quantum cryptography, a new technology until now considered 100 percent secure against attacks on sensitive data traffic, has... en.kioskea.net/actualites/swedish-researchers-find-hole-in-flawless-encryption-technology-10299-actualite.php3
BlackBerry vows to keep messages secret after India seeks codeA Research In Motion employee displays a BlackBerry at a product launch in Mumbai in 2007. The Canadian maker of BlackBerry, involved in a security scrap with India, has promised customers it will not allow New Delhi to read text messages sent on its... en.kioskea.net/actualites/blackberry-vows-to-keep-messages-secret-after-india-seeks-code-10406-actualite.php3
India says no security threat from BlackBerry: reportA woman sends text messages on her Blackberry phone. BlackBerry mobile devices do not pose a security threat and no permission is needed from the Indian government to make the service available, an official said Wednesday, according to media reports.... en.kioskea.net/actualites/india-says-no-security-threat-from-blackberry-report-10505-actualite.php3
Voir les réponses

Results for

Cryptography - Secret-key systems Symmetric encryption (also called private-key encryption or secret-key encryption) involves using the same key for encryption and decryption. Encryption involves applying an operation (an algorithm) to the data to be encrypted using the private key... en.kioskea.net/crypto/cleprivee.php3
Cryptography - The SET protocol SET (Secure Electronic Transaction) is a protocol that was developed by Visa and MasterCard and that uses the SSL standard. SET is based on the use of an electronic signature from the buyer and a transaction involving not only the buyer and the... en.kioskea.net/crypto/set.php3
Cryptography - Session keys Asymmetric algorithms (which come into play in public-key cryptosystems) make it possible to eliminate problems related to key sharing via a secure channel. However, they remain much less effective (in terms of calculation time) than symmetric... en.kioskea.net/crypto/cledesession.php3
Voir les réponses