The Secure Shell (SSH) protocol is an application-layer network protocol for secure remote access to UNIX systems. It is effective because it encrypts all information transmitted over the network. It is mainly used to remotely manage user data on a server, run service commands, and work with databases in console mode.
Secure Shell, or Secure Socket Shell (SSH), is a cryptographic network protocol that allows you to remotely manage an operating system and tunnel TCP connections, for example to transfer files. SFTP, the Secure File Transfer Protocol, is a separate protocol built into SSH that can implement FTP commands over a secure connection.
The SSH protocol is similar in functionality to the Telnet and rlogin protocols. Unlike them, it encrypts all traffic, including transmitted passwords. SSH lets you choose among many different encryption algorithms, for example RSA (Rivest–Shamir–Adleman) for asymmetric encryption and AES (Advanced Encryption Standard) for symmetric encryption. SSH follows a client-server model, and SSH clients and SSH servers are available for most network operating systems. To use SSH securely, an SSH tunnel is created. This means that the data is encrypted on one end of the SSH connection and decrypted on the other.
SSH allows you to securely carry almost any other network protocol over an insecure environment. Thus, you can not only work remotely on a computer through a command shell, but also transmit an audio stream or video from a webcam over an encrypted Secure Shell connection. SSH can also compress transmitted data before encrypting it.
Most hosting providers provide customers with SSH access to their home directory for a fee. This can be convenient both for working on the command line and for remotely launching programs, including graphical applications.
In 1995 Tatu Ylönen, a researcher at the Helsinki University of Technology, developed the first version of the SSH protocol to protect his university network from a password-sniffing attack. The goal of SSH-1 was to replace earlier protocols that did not provide strong authentication and privacy. Ylönen released his implementation as free software in July 1995, and the tool quickly gained popularity. By the end of 1995 the SSH user base had grown to 20,000 users in fifty countries.
Ylönen went on to found SSH Communications Security to promote and develop SSH. The original version of the SSH software used various pieces of free software, but later versions evolved into increasingly proprietary software. By 2000 the number of users had grown to 2 million.
The Secure Shell version 2 protocol (RFC 4251) was developed by the Internet Engineering Task Force (IETF) working group “Secsh”, and in 2006 an updated version of the SSH-2 protocol was adopted as the standard. This version is incompatible with SSH-1. SSH-2 improves on both the security and the functionality of SSH-1. For example, better security is achieved through Diffie-Hellman key exchange and strong integrity checking with message authentication codes. New SSH-2 features include the ability to launch any number of shell sessions over a single SSH connection.
The SSH protocol has three layers:
Password authentication is the most common. As with HTTPS, every connection generates a shared secret key to encrypt the traffic.
With key pair authentication, a pair of public and private keys is pre-generated for a specific user. The private key is stored on the local machine from which you want to connect, and the public key on the remote machine. These files are not transferred during authentication; the system only checks that the owner of the public key also owns the private one. With this approach, as a rule, automatic login on behalf of a specific user in the OS is configured.
Authentication by IP address is not secure. This feature is most often disabled.
To create a shared secret, the session key, the Diffie-Hellman (DH) algorithm is used. The transmitted data is encrypted with symmetric ciphers such as AES, Blowfish or 3DES. Data transfer integrity is checked using CRC32 in SSH1 or HMAC-SHA1/HMAC-MD5 in SSH2.
To compress the transmitted data, the Lempel-Ziv (LZ77) algorithm can be used, which provides the same level of compression as the ZIP archiver. SSH compression is enabled only at the request of the client, and is rarely used in practice.
The SSH-1 protocol, unlike the Telnet protocol, is resistant to eavesdropping attacks, but not to man-in-the-middle attacks. The SSH-2 protocol is also resistant to session hijacking, as it is impossible to join or hijack an already established session.
To prevent man-in-the-middle attacks, when connecting to a host whose key is not yet known to the client, the client software shows the user the key fingerprint. It is recommended to carefully compare the fingerprint shown by the client software with the server's key fingerprint, preferably obtained via a reliable communication channel or in person.
SSH support is available on all UNIX-like systems, and most of them have an SSH client and server as standard utilities. There are many implementations of SSH clients for non-UNIX operating systems as well. The protocol gained great popularity after the widespread development of traffic analyzers and methods for disrupting the operation of local networks, as an alternative to the insecure Telnet protocol for managing important nodes.
SSH requires an SSH server and an SSH client. The server listens for Secure Shell connections from client machines and, when a connection is established, performs authentication, after which it starts servicing the client. The client is used to log into a remote machine and execute commands.
Using an SSH connection has a number of advantages:
In order to use SSH securely, it is necessary to follow the recommendations for the best configuration of this protocol.
To connect to a remote computer, you need its IP address or name. Load up a terminal or any SSH client and type ssh followed by the IP address:
Type yes and press Enter. You may also need to enter your password.
SSH uses the current user when accessing a remote server. To specify a user for an SSH connection, run a command in the following format:
By default, the SSH server listens on port 22. If the port setting in the SSH configuration file has been changed, you need to specify the port.
To connect to a remote host with a custom SSH port number, use the -p flag. Example:
ssh test.server.com -p 3322
To set up dynamic port forwarding, use the ssh command with the -D argument to make your SSH client create a SOCKS proxy on your local machine:
ssh -D local_port ssh_server_hostname
All traffic originating from the local resource will be directed through the SSH connections established for the defined port.
To improve the security of SSH connections, generate a key pair using the ssh-keygen utility. SSH key pairs are used to automatically authenticate clients to servers. When you create an SSH key pair, you no longer need to enter a password to access the server.
On the terminal of the host machine, use this command to generate a key pair:
ssh-keygen -t rsa
To use the default settings, press Enter when prompted for the file location and passphrase.
The most important advantage of SSH is the use of cryptographic algorithms. Thanks to them, it is possible to securely carry out authentication, encryption and data integrity control. To understand how they work you need to understand what the various encryption techniques are.
Symmetric encryption, or a symmetric-key algorithm, is an encryption method in which the same cryptographic key is used for encryption and decryption. Before the invention of the asymmetric encryption scheme, symmetric encryption was the only method that existed. The key must be kept secret by both parties, and measures must be taken to protect access to the channel along the entire path of the ciphertext, or by the interacting parties through crypto objects and messages. The encryption algorithm is chosen by the parties before the exchange of messages.
Data encryption algorithms are widely used in computer technology in systems for hiding confidential and commercial information from malicious use by third parties. The main principle in them is the condition that the transmitter and receiver know in advance the encryption algorithm, as well as the key to the message, without which the information is just a set of characters that do not make sense.
Most symmetric ciphers use a complex combination of a large number of substitutions and permutations. Many such ciphers are executed in multiple passes, using a pass key on each pass. The set of pass keys for all passes is called the key schedule.
An important requirement for a symmetric cipher is the complete loss of all statistical regularities of the original message. To achieve this, the cipher must have an “avalanche effect”: a 1-bit change in the input data must cause a strong change in the cipher block. Ideally, half of the bits of the cipher block should change. Another important requirement is the lack of linearity.
A public key cryptographic system, or asymmetric encryption, is an encryption or digital signature system in which the public key is transmitted over an open, unprotected channel and is used to verify digital signatures and to encrypt messages. The private key is used to generate digital signatures and to decrypt messages.
Asymmetric public key encryption is based on the following principles:
It is possible to generate a pair of very large numbers (public key and private key) so that knowing the public key it is impossible to calculate the private key in a reasonable amount of time. In this case, the generation mechanism is well known.
Strong encryption methods are available to encrypt a message with the public key so that it can only be decrypted with the private key. The encryption mechanism is well known.
The owner of the two keys does not disclose the private key to anyone, but does share the public key with counterparties or makes it publicly known.
If it is necessary to transmit an encrypted message to the owner of the keys, then the sender must receive the public key. The sender encrypts his message with the recipient’s public key and transmits it to the recipient owner of the keys over open channels. At the same time, no one can decrypt the message except the owner of the private key.
A cryptographic hash function is the implementation of the transformation of an array of input data of arbitrary length into an output bit string of a set length, performed by a certain algorithm.
Among the many existing hash functions, it is customary to single out cryptographically secure ones used in cryptography, since additional requirements are imposed on them. For a hash function H to be considered cryptographically secure it must satisfy three basic requirements on which most applications of hash functions in cryptography are based:
The security of a hash function can be ensured by the complexity of some mathematical problem, provided there is evidence that attacks aimed at violating the requirements for it are as difficult as the solution of this problem.
Hashing is often used in digital signature algorithms, where the hash of the message is encrypted rather than the message itself, which reduces the calculation time and also increases cryptographic strength. Likewise, hash values of passwords are stored instead of the passwords themselves.
For encryption, SSH uses special keys that encode all data transmitted between the client and the host.
With symmetric encryption the same secret key is used to encrypt and decrypt the data packets of both the client and the host. Establishing a connection in this way involves a special key exchange algorithm with preliminary agreement on the encryption key and its subsequent use throughout the session.
Asymmetric encryption is associated with the use of a private and public key pair instead of a password for authorization. It is used in SSH during the connection setup phase. The public key is used to encrypt data and can be freely distributed, while the private key which cannot be shown or shared with anyone is used to decrypt it.
The connection algorithm with asymmetric keys looks like this:
Then the session continues using symmetric encryption.
Unlike the other encryption schemes, hashing in SSH is not used to decrypt data, but to generate unique keys for validating the authenticity of messages. These hashes are used in the mechanism for symmetric encryption of the SSH session.
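The key exchange and message validation described here and in the earlier paragraph on Diffie-Hellman and HMAC can be traced in a short sketch. This is an added example, not code from the original page: the 127-bit group is a toy value, the exchange hash is simplified to cover only e, f and K, and HMAC-SHA-256 stands in for the HMAC-SHA1 the page names.

```python
import hashlib
import hmac
import secrets
import struct

# Toy group for illustration only: 2**127 - 1 is prime but far too small for real use.
P = 2**127 - 1
G = 2

def mpint(n: int) -> bytes:
    """Encode a non-negative integer as an SSH mpint (RFC 4251, section 5)."""
    if n == 0:
        return struct.pack(">I", 0)
    raw = n.to_bytes((n.bit_length() + 8) // 8, "big")  # adds 0x00 when the top bit is set
    return struct.pack(">I", len(raw)) + raw

def dh_keypair():
    """Return (private exponent, public value) for one side of the exchange."""
    x = secrets.randbelow(P - 3) + 2
    return x, pow(G, x, P)

def derive_key(K: int, H: bytes, letter: bytes, session_id: bytes) -> bytes:
    """RFC 4253 section 7.2: key = HASH(K || H || letter || session_id)."""
    return hashlib.sha256(mpint(K) + H + letter + session_id).digest()

def packet_mac(key: bytes, seq: int, packet: bytes) -> bytes:
    """RFC 4253 section 6.4: MAC(key, sequence_number || unencrypted_packet)."""
    return hmac.new(key, struct.pack(">I", seq) + packet, hashlib.sha256).digest()

def verify(key: bytes, seq: int, packet: bytes, tag: bytes) -> bool:
    return hmac.compare_digest(packet_mac(key, seq, packet), tag)

def demo() -> dict:
    x, e = dh_keypair()            # client: only e crosses the network
    y, f = dh_keypair()            # server: only f crosses the network
    k_client = pow(f, x, P)        # both sides arrive at the same K
    k_server = pow(e, y, P)
    # Simplified exchange hash (assumption): real SSH also hashes the version
    # strings, the KEXINIT payloads and the server host key.
    H = hashlib.sha256(mpint(e) + mpint(f) + mpint(k_client)).digest()
    session_id = H                 # the first exchange hash becomes the session id
    key_c = derive_key(k_client, H, b"E", session_id)   # "E": client-to-server integrity key
    key_s = derive_key(k_server, H, b"E", session_id)
    packet = b"constructed payload: ls -l"
    tag = packet_mac(key_c, 3, packet)
    return {
        "same_secret": k_client == k_server,
        "same_key": key_c == key_s,
        "accepted": verify(key_s, 3, packet, tag),
        "tampered_rejected": not verify(key_s, 3, packet.replace(b"ls", b"rm"), tag),
        "wrong_sequence_rejected": not verify(key_s, 4, packet, tag),
    }

if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

Because the MAC is keyed and covers the implicit sequence number, a modified packet or one presented at the wrong position in the stream fails verification, which the unkeyed CRC32 of SSH-1 cannot guarantee.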
SSH provides normal access using a username and password. The biggest benefit of using a password for access is the ease of setup and use – it’s usually all available by default. However, the password has to be entered every time, the password can be entered by anyone, it is impossible to give access under the same username to different people with different passwords. And the need to have different passwords for different systems does not contribute to the choice of “strong” passwords.
SSH supports public key authentication. The user generates a private and public key pair and places the public key in a file on the target server. The main problem with key-based access is its “invisibility”. An attacker who gets access just once to a Secure Shell client session that the user left open can add his own public key alongside the existing one, and the user is unlikely to notice it soon.
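Both the fingerprint comparison recommended earlier for unknown host keys and the silently added public key described above come down to computing key fingerprints and comparing them with a trusted list. The following is an added example, not part of the original page; the key material, comments and approved list are constructed sample data, and the SHA256 fingerprint format is the one OpenSSH prints.

```python
import base64
import hashlib
import struct

KEY_TYPES = {"ssh-ed25519", "ssh-rsa", "ecdsa-sha2-nistp256"}

def _ssh_string(data: bytes) -> bytes:
    return struct.pack(">I", len(data)) + data

def make_sample_key(raw32: bytes, comment: str) -> str:
    """Build a constructed ssh-ed25519 public key line (sample data, not a real key)."""
    blob = _ssh_string(b"ssh-ed25519") + _ssh_string(raw32)
    return f"ssh-ed25519 {base64.b64encode(blob).decode()} {comment}"

def parse_key_line(line: str):
    """Return (key_type, blob, comment), or None for blank, comment or malformed lines."""
    fields = line.split()
    if not fields or fields[0].startswith("#"):
        return None
    for i, tok in enumerate(fields[:-1]):       # leading fields may be options
        if tok in KEY_TYPES:
            try:
                blob = base64.b64decode(fields[i + 1], validate=True)
            except ValueError:
                return None
            # The blob repeats the key type as its first length-prefixed string.
            if blob[:4] != struct.pack(">I", len(tok)) or blob[4:4 + len(tok)] != tok.encode():
                return None
            return tok, blob, " ".join(fields[i + 2:])
    return None

def fingerprint(blob: bytes) -> str:
    """SHA256 fingerprint: unpadded base64 of SHA-256 over the key blob."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def host_key_trusted(presented_line: str, trusted_fp: str) -> bool:
    """Compare a presented key with a fingerprint obtained over a reliable channel."""
    parsed = parse_key_line(presented_line)
    return parsed is not None and fingerprint(parsed[1]) == trusted_fp

def audit_authorized_keys(text: str, approved: set) -> list:
    """Return (line number, fingerprint, comment) for every key not on the approved list."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        parsed = parse_key_line(line)
        if parsed is None:
            continue
        _, blob, comment = parsed
        fp = fingerprint(blob)
        if fp not in approved:
            findings.append((lineno, fp, comment))
    return findings

# Constructed sample data: one approved key and one that was added later.
ADMIN = make_sample_key(bytes(range(32)), "admin@constructed")
EXTRA = make_sample_key(b"\xaa" * 32, "unknown@constructed")
APPROVED = {fingerprint(parse_key_line(ADMIN)[1])}
SAMPLE_FILE = f"# constructed authorized_keys\n{ADMIN}\nno-pty,no-port-forwarding {EXTRA}\n"

if __name__ == "__main__":
    for lineno, fp, comment in audit_authorized_keys(SAMPLE_FILE, APPROVED):
        print(f"line {lineno}: unapproved key {fp} ({comment})")
```

Run on a schedule against each account's key file, a check like this turns the "invisible" extra key into a finding.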
SSH has a number of advantages over similar protocols. The SSH protocol encrypts traffic in both directions, which helps prevent eavesdropping, spoofing, and password theft.
It is available for free for non-commercial use, which has made it popular. Thanks to this, the open-source version has received improvements suggested by numerous users. These include bug fixes, patches and many additional features.
The SSH protocol can offer multiple services using the same connection. Since SSH runs on top of other applications, it can be used to secure unprotected protocols and applications such as SMTP, IMAP, POP3, and CVS. Port tunneling works well for simple VPNs as well.
SSH offers strong authentication and secure communication over insecure channels. This allows users to securely manage a remote computer even if it is on an insecure network.
SSH has a whole set of cryptographic algorithms to ensure the security of transmitted data. Message integrity is ensured in such a way that messages cannot be tampered with. In turn, SSH authentication helps to confirm the identity of senders and recipients.
SSH has many configuration options for a variety of use cases. Among other things, the protocol allows the user to view the contents of directories, edit files, and access user database applications remotely.
The SSH protocol is one of the most convenient and secure alternatives among remote access protocols. Not everyone who operates it thoroughly understands secure SSH settings, such as using cryptographic keys for the authentication process. Because of this, the protocol remains one of the most popular targets. There are the following types of attacks:
Traffic decryption is a classic man-in-the-middle (MitM) attack, which is carried out in order to analyze all traffic passing through the attacker’s device, including passwords. The attacker receives the user’s authorization data and logs the entire communication session, the commands launched and the results of their execution. To do this, the attacker’s software redirects the victim’s traffic to its own SSH server and, in case of successful authorization, proxies the connection to the original server.
Brute-force attacks are aimed at finding the correct login-password combination to gain access to the device. You can reduce the risk of password guessing by using strong passwords and by not building passwords from personal information such as date of birth, name or mobile phone number. It also helps to change passwords regularly and not to use the same password on different accounts.
Attacks on vulnerable versions of SSH are a rare type of attack that targets vulnerabilities in software. Most often, this attack affects old, non-updated versions of software.
OpenSSH (Open Secure Shell) is a set of programs that provide encryption of communication sessions over computer networks using the SSH protocol.
It was created under the leadership of Theo de Raadt as an open source alternative to the proprietary software from SSH Communications Security, which is still proprietary software. The developers of OpenSSH claim that it is more secure than the original Secure Shell due to their cleanup and code auditing policies.
Although source code was also available for the original SSH for a long time, its license restrictions initially made OpenSSH a more attractive project for most programmers. OpenSSH first appeared in OpenBSD 2.6. Since version 5.9, an experimental sandbox mode has appeared, with restrictions on certain system calls. The purpose of this is to prevent attacks on other nodes in the network, for example, by running a proxy or opening sockets.
OpenSSH server can authenticate users using built-in authentication mechanisms: public keys, passwords and challenge-response, Kerberos/GSS-API. In addition, OpenSSH Portable can usually use the authentication methods available on a particular operating system, such as BSD Authentication or PAM.
SSH keys allow you to authenticate without a password. The total key length is often between 1024 and 4096 bits. For authentication you need two SSH keys – public and private.
The public key is available to everyone. It is used to encrypt data when accessing the server. When transferring a public key, you do not need to take special precautions: even if it falls into the hands of attackers, they will not be able to use it. Without the second SSH key, it is useless.
The private SSH key decrypts the data. You need to be much more careful with it: store it according to safety rules, and do not pass it on to third parties. When generating SSH keys, the private key can and should be password protected.
When you create a user on the server, you can allow him to log in with an SSH key. To do this, you must specify the public key. When the user wants to connect, he will send a request to the server. After that, the server will respond with a random phrase that the user encrypts. Having a random phrase and the user’s public key, the server determines whether the phrase was signed by this particular user.
Key based login is considered the most secure and in most cases this feature is enabled on the server side. No superuser rights are required to use this feature. On the client machine you need to generate a key. To do this you must use the client program that you have chosen for your device.
After that you must enter a password to protect the key file. This is essential to reduce the risk in case the file falls into the wrong hands. Next, you need to transfer the key to the selected SSH server.
If you are using a non-standard port for SSH, don’t forget to configure it. It is also recommended to disable password authentication for clients on the server.
After installing the selected software for the SSH server, you need to run it with a command from the terminal or in any other convenient way. By itself, a misconfigured SSH server is a huge security vulnerability in a system because a potential attacker has the ability to gain almost unlimited access to the system.
Therefore, it makes sense, if possible, to limit the family of processed addresses to those actually used. If you use only IPv4, disable IPv6, and vice versa.
If your SSH server has access to the Internet or is located on an insecure network, it is advisable to change the standard port 22. This is because numerous network scanners are constantly trying to connect to port 22 and gain access by enumerating logins and passwords from their databases. Even if you have password authentication disabled, these attempts clog up the logs and can negatively affect the speed of the SSH server.
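The three server-side recommendations above (restrict the address family, move off port 22, disable password authentication) can be checked mechanically. This is an added example, not part of the original page: it reads only the global section of an OpenSSH-style sshd_config, ignores Include files and ports set through ListenAddress, and both sample configurations are constructed.

```python
# OpenSSH defaults that apply when a keyword is absent from the file.
DEFAULTS = {"port": ["22"], "addressfamily": ["any"], "passwordauthentication": ["yes"]}

def effective_settings(config_text: str) -> dict:
    """Global-scope values sshd would use: the first occurrence wins, Port may repeat."""
    seen = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()                 # keywords are case-insensitive
        if key == "match":
            break                              # conditional blocks are out of scope here
        value = parts[1].strip().strip('"') if len(parts) > 1 else ""
        if key == "port":
            seen.setdefault(key, []).append(value)
        elif key not in seen:
            seen[key] = [value]                # later duplicates are ignored by sshd
    return {k: seen.get(k, default) for k, default in DEFAULTS.items()}

def lint(config_text: str) -> list:
    """Return one finding per recommendation from the text that is not met."""
    eff = effective_settings(config_text)
    findings = []
    if "22" in eff["port"]:
        findings.append("Port: listening on the standard port 22")
    if eff["addressfamily"][0].lower() == "any":
        findings.append("AddressFamily: IPv4 and IPv6 both enabled; keep only the one in use")
    if eff["passwordauthentication"][0].lower() != "no":
        findings.append("PasswordAuthentication: password login is still enabled")
    return findings

# Constructed samples. In WEAK the second PasswordAuthentication line has no
# effect, because the first value obtained for a keyword is the one used.
WEAK = """\
# constructed sample
PasswordAuthentication yes
PasswordAuthentication no
"""

HARDENED = """\
# constructed sample
Port 3322
AddressFamily inet
PasswordAuthentication no
PubkeyAuthentication yes
"""

if __name__ == "__main__":
    for name, text in (("WEAK", WEAK), ("HARDENED", HARDENED)):
        print(name, lint(text) or "no findings")
```

The WEAK sample shows the failure mode worth testing for: appending a corrected line below an existing one changes nothing, so the check reports the value the server actually uses.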
An SSH certificate is an alternative method that improves on SSH public/private key pair authentication. The user and host exchange certificates during an SSH connection (handshake). SSH certificates are a kind of stripped-down version of the TLS X.509 certificate. They are exchanged in the same manner as a pair of SSH keys.
User certificates allow hosts to authenticate users, and host certificates help users authenticate hosts. The key difference is the Principals field. By default, during an SSH secure connection, the SSH Server will allow you to log in to the host using the username from the Principals field of the user’s certificate. Similarly, SSH expects to see the hostname it is looking up in the Principals field of the host certificate.
In addition, certificates can have extensions that allow SSH privileged features (such as agent forwarding and port forwarding) or force configuration directives.
SSH certificates are simpler than Transport Layer Security certificates. SSH CA simply allows you to delegate some of the responsibilities in the field of authentication and authorization of many hosts to one centralized service.
SSH-agent is a key manager for SSH. It stores keys and certificates in memory so they are ready to be used. This saves you from having to enter a password each time you connect to the server. It runs in the background on your system, separate from SSH, and is usually launched the first time you start SSH. The SSH agent keeps secret keys secure due to the following features:
Secret keys stored in the Agent can only be used for one purpose: signing a message.
SSH agents have a forwarding feature for authenticating to further hosts. It allows your local SSH agent to communicate through an existing SSH connection and authenticate transparently to a more remote server. For example, suppose you SSH into host 1 and want to clone a private repository from host 2. Without agent forwarding, you would have to keep a copy of your host 2 private key on host 1. With agent forwarding, the SSH client on host 1 can use the keys on your local computer to authenticate to host 2.
SSH tunneling or SSH port forwarding establishes a secure communication channel between the local worker node and a remote server.
Any important data should be transmitted over secure channels of information. But this is not always easy to implement, especially when the user needs to perform urgent operations on a remote server, and the only way to connect to the Internet is through public unsecured Wi-Fi.
In this case, SSH tunneling is used, which establishes a secure communication channel between the local working node and the remote server.
The main difference between SSH tunnels and their VPN counterparts is that information cannot be transferred in an arbitrary direction. Such a communication channel has one entry point and works exclusively with TCP packets. Creating SSH tunnels is more like port forwarding over a protocol than pure tunneling.
The SSH protocol is a widely used method for securing transmitted data. Due to the use of cryptographic algorithms, this protocol is resistant to many types of attacks. However, a misconfigured SSH server will become a tasty morsel for an attacker. Helenix has unique experience in the development and implementation of information security tools. Our expertise will help you properly use SSH for any of your needs. You can learn more about our competencies in the Custom Development section.
SSH and SSL have things in common. SSH sets up a secure tunnel between two applications, a client and a server, which allows you to issue and transmit commands remotely. SSL only secures data transfer; it does not allow you to enter commands.
SSH keys are a pair of asymmetric cryptographic keys. They are used to identify the client when connecting to the server via the SSH protocol. Use this method instead of password authentication to increase security.
Different SSH clients are developed for the widest range of devices and OSs. They are available for any operating system on desktop computers, laptops and servers. Almost all versions of the operating systems used on smartphones can also have an SSH client installed.
SSH is a protocol that is based on a client-server architecture. The system the user is working on is the client, while the remotely managed system is the server. OpenSSH is a set of utilities for using the SSH protocol. They are designed to provide a secure and easy approach to remote system administration.