English
HomeBlogSSH

SSH

Updated on Aug 16, 2024 by
  Howard
124

What Is SSH?

Secure Shell (SSH) is a network security protocol that uses encryption and authentication to enable secure services like remote access and file transfer. Unlike traditional methods such as Telnet and FTP, which send data in cleartext and are insecure, SSH encrypts and authenticates data to provide security in untrusted network environments. As cybersecurity becomes increasingly important, these older methods are falling out of favor. SSH serves as a secure alternative to Telnet and other unsafe remote shell protocols and is widely used globally, with most devices today supporting SSH.

Why Is SSH Needed?

In conventional internet communications, data is sent in cleartext, making it vulnerable to exposure if intercepted, which is highly insecure. SSH addresses this by using a client-server model to authenticate both parties and encrypt the data exchanged between them, creating a secure transmission channel for operating network services over an unsecured network.

SSH is most commonly used for remote login and file transfer. Before SSH was developed, Telnet was widely used for remote login, allowing for the remote management of network devices. FTP (File Transfer Protocol), a popular file transfer protocol, is known for its ease of use and high transmission efficiency. However, both Telnet and FTP have the significant drawback of transmitting data in cleartext, posing security risks. To mitigate these security issues, SSH employs encrypted data transmission and enhanced authentication methods, enabling secure remote login and file transfer services.

How Does SSH Work?

SSH operates on a client-server model. To create a secure SSH channel, both parties must establish a TCP connection, agree on the version number and algorithms, and generate a shared session key for symmetric encryption. Once user authentication is successful, the two parties can start a session for data exchange. The SSH process involves the following phases:

Connection Setup

SSH communicates using a specific port. Before establishing an SSH connection, the SSH server listens for connection requests on a designated port. When an SSH client sends a connection request to this port on the SSH server, a TCP connection is formed, allowing the client and server to communicate through that port. By default, SSH uses port 22. However, when SSH is used with NETCONF, you can specify either the default port 22 or port 830. The SSH port number can be changed to another available port on the device. Changing the port will disconnect all current connections, and the SSH server will then listen on the new port. Since port 22 is well-known, it is recommended to change the SSH port number for enhanced security during critical transmissions.

Version Negotiation

SSH comes in two versions: SSH1.X (earlier than SSH2.0) and SSH2.0. SSH2.0 offers a more advanced structure compared to SSH1.X, with additional authentication and key exchange methods and improved service capabilities. The SSH server and client negotiate the SSH version to use through the following steps:

  • The SSH server sends its supported SSH version information to the SSH client over the established connection.

  • Upon receiving the version information, the SSH client selects a version it supports and sends this choice back to the SSH server.

  • The SSH server verifies if it supports the client's chosen version; if it does, the version negotiation is successful.

Algorithm Negotiation

SSH employs various algorithms, including key exchange algorithms for generating session keys, symmetric encryption algorithms for data encryption, public key algorithms for digital signatures and authentication, and HMAC algorithms for data integrity protection. Both the SSH server and client support multiple algorithms of each type and must negotiate which algorithm to use for each category. The process is as follows:

  • The SSH server and client exchange lists of supported algorithms.

  • They negotiate to select the algorithm to be used in each category. During this negotiation, the server and client match the algorithms they both support and choose these as the final algorithms. Once algorithms for each category are successfully matched, the negotiation is complete. If no algorithms are matched in any category, the negotiation fails for that type. Consequently, the entire algorithm negotiation between the SSH server and client fails, leading to the termination of the SSH connection.

Key Exchange

The SSH server and client utilize a key exchange algorithm to dynamically generate a shared session key and session ID, which are used to establish an encrypted channel. The session key encrypts the data to be transmitted, while the session ID identifies the associated SSH connection during authentication. In this phase, the client also authenticates the server's identity. The server signs messages using its private key, and the client verifies the signature using the server's public key.

Both the SSH server and client need to have the same session key for subsequent symmetric encryption. To ensure the security of the key exchange process, SSH employs a secure method where the server and client collaboratively generate a session key. This process relies on mathematical principles that enable key exchange without transmitting the key directly, thereby eliminating the need to send the key through an unsecured channel. The following figure illustrates the detailed process.

SSH

User Authentication

The SSH client initiates an authentication request to the SSH server, which then authenticates the client. SSH supports several authentication modes:

  • Password authentication: The client sends an encrypted username and password to the server. The server decrypts these and compares them with the stored credentials, responding with a success or failure message.

  • Public key authentication: The client uses the username, public key, and public key algorithm to interact with the server for authentication.

  • Password + public key authentication: The client must be authenticated by both password and public key methods before accessing the system.

  • All: The client can authenticate using either password or public key authentication.

Password and key authentication are two fundamental SSH user authentication methods. In password authentication, the SSH client encrypts the password with a symmetric key, and the server decrypts it with the same key to verify its validity. This method is straightforward and requires a username and password for each login. Key authentication, which allows password-free login with higher security, involves the SSH client signing messages with its private key and the server verifying the signature with the client's public key. This method is widely used and recommended.

Session Request

Once authentication is successful, the SSH client sends a session request to the server, asking for a specific type of service. This involves the client requesting to establish a session with the server, which then responds accordingly.

Session Interaction

After establishing a session, the SSH server and client exchange data over it. This data is encrypted and decrypted using the session key.

Tags

You might be interested in

See profile for undefined.
FS Official
sFlow
See profile for undefined.
FS Official
NETCONF
See profile for undefined.
FS Official
WLAN
News Letter
Videos
Global Delivery Service | FS
01:11
Jun 26, 2024
87
Global Delivery Service | FS
Recent Trend
PicOS® Switch Software

PicOS® Switch Software

AmpCon™ Management Platform

AmpCon™ Management Platform

Hot Tags
Popular
FS.com About FS FS APP Contact Privacy Terms