Introduction to SSH
The network protocol Secure Shell (SSH) provides a cryptographically secure connection between two hosts, enabling data communication, remote administration, and remote command execution. SSH is widely used as a replacement for less secure network communication protocols that were invented several decades ago—before many of today’s security challenges. It provides privacy of data exchange and guarantees the integrity of the communication.
Devices using older protocols, such as Telnet and FTP, communicate in clear text. The SSH protocol also provides authentication and authorization when establishing a secure connection, and can be used for tunneling TCP/IP sessions.
Using SSH, organizations are able to protect themselves against attacks like IP & DNS spoofing and IP source routing, and securely control workloads running in cloud computing environments. SSH is used extensively in enterprise datacenters and in the cloud. By far, the largest percentage of SSH sessions is established automatically between systems.
How SSH works:
SSH establishes a secure tunnel between two entities, which are typically a client and a server. Several authentication methods can be chosen, such as public-key, host-based or password. Before a client can authenticate, the secure session needs to be set up.
First, the client contacts the server, and the two decide which SSH protocol version they will use to communicate. For SSH-1, the server provides the client with its public host key and server key. These are used by the client to encrypt the session key, which is sent to the server. The server uses the session key to establish the secure encrypted session.
In SSH-2, the client and server each create the same session key using Diffie-Hellman. As a result, neither the client nor the server can fully determine the session key, which provides protection against replay attacks. This is achieved by the server and client each generating the session key through the following procedure. Individually, using the same prime number, the client and server each generate a private key. They then generate their own public keys using the private key, the shared prime number and the same generator. The client and server share their public keys with each other. Both the client and server use the other party’s public key and their own private key to generate a shared secret. As a result, the client and server each have the same shared secret without sending it across the network. The shared secret is used to create a session key that is used to establish the secure encrypted session.
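The Diffie-Hellman procedure described above, as an added Python example that is not part of the original article or of any SSH implementation. The prime P, the generator G, the function names and the single-hash key derivation are assumptions made for illustration; real SSH-2 uses much larger negotiated groups and also hashes the exchange transcript into its keys.

```python
import hashlib
import secrets

# Assumption: stand-in public parameters. P is a well-known prime, not one of
# the groups SSH negotiates, and far smaller than the 2048-bit-plus primes
# used in practice. Both sides know P and G in advance.
P = 2**255 - 19
G = 2


def generate_keypair():
    """Pick a random private key and derive the public key from P and G."""
    private = secrets.randbelow(P - 3) + 2   # uniform in [2, P-2]
    public = pow(G, private, P)
    return private, public


def shared_secret(own_private, peer_public):
    """Combine our private key with the other party's public key.

    Degenerate public values (0, 1, P-1 or anything outside the group) would
    yield a secret an eavesdropper can predict, so they are rejected.
    """
    if not 1 < peer_public < P - 1:
        raise ValueError("peer public value out of range")
    return pow(peer_public, own_private, P)


def session_key(secret):
    """Turn the shared secret into a fixed-size session key."""
    # Simplified: a single SHA-256 over the secret only.
    return hashlib.sha256(secret.to_bytes(32, "big")).digest()


def run_exchange():
    """Run both sides; only the two public keys would cross the network."""
    client_priv, client_pub = generate_keypair()
    server_priv, server_pub = generate_keypair()
    client_key = session_key(shared_secret(client_priv, server_pub))
    server_key = session_key(shared_secret(server_priv, client_pub))
    return client_key, server_key


if __name__ == "__main__":
    client_key, server_key = run_exchange()
    print("session keys match:", client_key == server_key)
```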
User authentication can be achieved by public-key, host-based or password. The most commonly implemented method is public-key authentication, which is the method used for the purpose of this description. In this process, the client sends the server the user’s public key. The server checks the authorized key file for the existence of the user’s public key and any restrictions associated with the key. If it is present, the server generates a random number, encrypts it with the user’s public key and returns it to the client. The client then decrypts the random number with its private key, creates a hash of the number and returns it to the server. The server also creates a hash of the same random number and checks whether it corresponds with the hash received from the client. If it does, authentication is successful.