- Secure Shell (SSH)
- Secure Shell was designed as a more secure protocol for remote access to computer systems. It was created as a replacement for Telnet, rlogin (remote login) and rsh (remote shell). SSH encrypts all communication between two SSH endpoints. Secure Shell has its origins in SSH-1. An SSH client connects to the SSH server on TCP port 22.
There are two versions of the SSH protocol:
- SSH-1 - The original, developed by Tatu Ylönen.
- SSH-2 - An open standard developed and outlined in RFC-4251.
- SSH-1 is the first version of the SSH protocol family. SSH-1 was created as a research project by Tatu Ylönen at the University of Helsinki in 1995 as a response to a man-in-the-middle attack that occurred at the University. SSH-1 is a single protocol which handles all transport, authentication and security functions.
- SSH-2 is a newer protocol developed according to the recommendations in RFC-4251. SSH-2 divides its functions into separate transport, authentication and connection protocols. The transport layer protocol protects confidentiality by encrypting the traffic and protects integrity by guaranteeing that the data has not been tampered with during transport between the endpoints. The authentication layer verifies the identity of the host system and of the user using public key exchange, user logins and Message Authentication Codes (MACs). Compared with SSH-1, SSH-2 adds:
- Message Authentication Codes (MACs)
- Diffie Hellman Key Exchange
- Public Key Certificate support
- Separate Transport, Authentication and Connection layer protocols
- Multiple Shell sessions over a single connection
SSH-2 is more secure in that the communication is encrypted and some effort is made to verify the authenticity of the users, to check that the client and server applications have not been compromised, and to ensure that the data being transferred has not been tampered with in transit between the two endpoints. SSH software, like all software, is vulnerable to attacks and should not be relied on by itself to guarantee the security of the communication or of the systems communicating.
Tunnelling / Port Forwarding
Sometimes you need to communicate with a remote computer when there is a security device, such as a firewall or proxy, between you and that computer. By establishing a single SSH connection, other traffic may be forwarded over that connection, in essence tunneled inside it. This reduces the number of 'open' ports on the firewall and allows software and programs to function even when a firewall or proxy is in place.
Securing Insecure Protocols
Often, SSH is used to transport an insecure protocol, such as X-11, more securely. The X protocol allows a remote user to view and control the desktop graphical user interface of a remote system. The X-11 protocol has no provisions for security, which means that it could be intercepted and someone else could steal control of the machine. By transporting the X-11 protocol over an SSH connection from the remote desktop machine to your local machine, you prevent anyone else from 'stealing' the connection and gaining control of the remote computer.
The OpenSSH client has the following command line options:
ssh [-1246AaCfgkMNnqsTtVvXxY] [-b bind_address] [-c cipher_spec] [-D port] [-e escape_char] [-F configfile] [-i identity_file] [-L [bind_address:]port:host:hostport] [-l login_name] [-m mac_spec] [-O ctl_cmd] [-o option] [-p port] [-R [bind_address:]port:host:hostport] [-S ctl_path] [user@]hostname [remote-command]
Using OpenSSH from the command line looks something like this:
% ssh user@system
- OpenSSH Command Line
- SecureCRT GUI
- Secure CRT Command Line
- PuTTY GUI
- PuTTY Command Line
OpenSSH Command Line
Forwarding your POP mail downloads via the SSH client would look something like this:
(mycomputer% is the command line prompt on the local computer where you are running the SSH command).
mycomputer% ssh -f -L 888:mail.somewhere.com:110 myserver
- Launches the SSH client; because of -f, the client goes to the background once authentication is complete
- Connects via SSH to host myserver
- Any local attempt to connect to port 888 on mycomputer is forwarded through the SSH connection to myserver, which opens a TCP connection to mail.somewhere.com on port 110 on behalf of mycomputer.
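To make the forwarding syntax concrete, here is an added Python example (not part of the original tutorial or of OpenSSH) that parses a -L or -R forwarding spec of the form [bind_address:]port:host:hostport and reports whether the listening end is reachable only from the local machine. It goes slightly beyond the page by accepting bracketed IPv6 literals; the IPv6 sample addresses in the comments are constructed.

```python
"""Parse OpenSSH forwarding specs of the form [bind_address:]port:host:hostport."""
import re
from dataclasses import dataclass

# A hostname/IPv4 address, or a bracketed IPv6 literal such as [::1]; the
# brackets are required because ':' is also the field separator of the spec.
_HOST = r"(\[[0-9a-fA-F:.]+\]|[^:\[\]]+)"
_SPEC = re.compile(
    rf"^(?:(?P<bind>{_HOST}|\*|):)?(?P<port>\d+):(?P<host>{_HOST}):(?P<hostport>\d+)$"
)


@dataclass(frozen=True)
class Forward:
    bind_address: str   # address the listening side binds to
    port: int           # listening port
    host: str           # destination the other end connects to
    hostport: int       # destination port

    @property
    def exposed(self) -> bool:
        """True when machines other than the listener itself can use the tunnel."""
        return self.bind_address in ("*", "0.0.0.0", "::")


def parse_forward(spec: str) -> Forward:
    m = _SPEC.match(spec)
    if not m:
        raise ValueError(f"malformed forwarding spec: {spec!r}")
    port, hostport = int(m["port"]), int(m["hostport"])
    for p in (port, hostport):
        if not 1 <= p <= 65535:
            raise ValueError(f"port out of range in {spec!r}: {p}")
    bind = m["bind"]
    if bind is None:
        bind = "localhost"      # omitted: loopback only (the OpenSSH default)
    elif bind == "":
        bind = "*"              # an empty bind address means all interfaces
    return Forward(bind.strip("[]"), port, m["host"].strip("[]"), hostport)


def describe(spec: str) -> str:
    f = parse_forward(spec)
    who = "any host that can reach the listener" if f.exposed else "the listening machine only"
    return (f"listen on {f.bind_address}:{f.port} ({who}); "
            f"connections are forwarded to {f.host}:{f.hostport}")


if __name__ == "__main__":
    # The POP forward from the tutorial: 888:mail.somewhere.com:110
    print(describe("888:mail.somewhere.com:110"))
```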