Security always plays a major role on the internet: That’s why the SSH security procedure is firmly anchored in the TCP/IP protocol stack. The SSH protocol allows users to establish a secure con­nec­tion between two computers. The network protocol has been in use since 1995 and has been revised several times since then. We explain the most important ter­min­o­logy of the SSH protocol and how en­cryp­tion works.

Fact

The shell is the part of the operating system that allows users to access the computer. Normally this is the text-based command line (or command prompt, terminal, or console), but the graphical user interface is also called a shell. The method of es­tab­lish­ing a con­nec­tion is called ‘secure shell’ because the protocol creates a secure con­nec­tion to the shell of another computer.

What do you need SSH for?

SSH enables two computers to establish a secure and direct con­nec­tion within a po­ten­tially unsecure network, such as the internet. This is necessary so that third parties can’t access the data stream, which would result in sensitive data falling into the wrong hands. Even before secure shell, there were ways to establish direct con­nec­tion between two computers, but the cor­res­pond­ing ap­plic­a­tions such as Telnet, Remote Shell, or rlogin were all unsecure. SSH encrypts the con­nec­tion between two computers and enables a second one to be operated from one computer.

SSH not only provides an encrypted con­nec­tion, but also ensures that only con­nec­tions are es­tab­lished between the des­ig­nated computers (i.e. no man-in-the-middle attack is possible) and that the cor­res­pond­ing data cannot be ma­nip­u­lated on its way to the recipient. The remote computer has always been accessed via the command line. They are used to send commands to the remote device. However, it is now also possible to use virtual network computing (VNC) to mirror a graphical user interface (which is not always available on servers) to your own computer and therefore control the other computer.

SSH has many different areas of ap­plic­a­tion:

  • Managing servers that cannot be accessed locally
  • Secure trans­mis­sion of files
  • Secure creation of backups
  • Con­nec­tion between two computers with end-to-end en­cryp­tion
  • Remote main­ten­ance from other computers

The de­vel­op­ment of SSH has also in­flu­enced other protocols. For example, the unsecure FTP protocol, which is used to download files to and from a server, has been further developed into the SSH file transfer protocol (SFTP).

An advantage of SSH is that the protocol runs on all common operating systems. Ori­gin­ally a Unix ap­plic­a­tion, it is also im­ple­men­ted on all Linux dis­tri­bu­tions and macOS. But SSH can also be used on Windows, if you install a relevant program.

SSH vs. OpenSSH

Secure shell was ori­gin­ally created in 1995 as an open source project. In the same year, however, the developer Tatu Ylönen founded a company that developed the protocol further. Therefore, the initially open project developed more and more into a pro­pri­et­ary software. However, the network community did not accept this and developed an open split based on the SSH-1 protocol: OpenSSH. However, since SSH community security is also con­tinu­ing to work on secure shell, two competing protocols now exist side by side. There is the pro­pri­et­ary SSH-2 protocol (a further de­vel­op­ment, since security vul­ner­ab­il­it­ies were found in SSH-1) and OpenSSH.

OpenSSH and com­mer­cial SSH are re­l­at­ively similar when it comes to func­tion­al­ity and scope. The dif­fer­ence is mainly with the cost and the support. If you choose the SSH com­mu­nic­a­tion security product, you will also receive 24/7 support. This can be par­tic­u­larly useful for large companies with al­tern­at­ing IT managers. OpenSSH, on the other hand, offers the advantage of an open source community, meaning that the project is con­stantly being developed further by many par­ti­cipants.

An ex­plan­a­tion of how SSH works

Secure shell uses multiple en­cryp­tion and au­then­tic­a­tion tech­niques. On the one hand, this ensures that data streams cannot be read or ma­nip­u­lated. On the other hand, only au­thor­ised par­ti­cipants can contact each other.

Au­then­tic­a­tion

The first step is that the SSH server and client au­then­tic­ate them­selves to one another. The server sends a cer­ti­fic­ate to the client to verify that it is the correct server. When making contact, there is the risk that a third party will get between the two par­ti­cipants and therefore intercept the con­nec­tion. Since the cer­ti­fic­ate itself is also encrypted, it cannot be imitated. Once the client knows what the correct cer­ti­fic­ate is, no third parties can contact the relevant server.

After server au­then­tic­a­tion, however, the client must also identify itself as being au­thor­ised to access the server. A password can be used for this purpose. This (or the encrypted hash value of it) is stored on the server. As a result, users must enter their password each time they log onto the different server during the same session. For this reason, there is an al­tern­at­ive method of client-side au­then­tic­a­tion using the key pair public key and private key.

The private key is created in­di­vidu­ally for your own computer and secured with a pass­phrase that should be longer than a typical password. The private key is stored ex­clus­ively on your own computer and always remains secret. If you want to establish an SSH con­nec­tion, just enter the pass­phrase and you will gain access to the private key.

There are also public keys on the server (just like on the client itself). The server creates a cryp­to­graph­ic problem with its public key and sends this to the client. The server then decrypts the problem with its own private key, sends the solution back, and informs the server that it is allowed to establish a le­git­im­ate con­nec­tion.

During a session, you only need to enter the pass­phrase once to connect to any number of servers, At the end of the session, users should log off from their local computers to ensure that no third party with physical access to the local computer can connect to the server.

En­cryp­tion

After mutual au­then­tic­a­tion, the two com­mu­nic­a­tion par­ti­cipants establish an encrypted con­nec­tion. To do this, a key is generated for the session, which expires when the session is over. This is not to be confused with the public/private key pairs, which are only used for key exchange. The key used for symmetric en­cryp­tion is only valid with this one session. Both client and server have the same key, so any messages that are exchanged can be encrypted and decrypted. Client and server create the key sim­ul­tan­eously, but in­de­pend­ently of one another. In the so-called key change algorithm, both parties use certain public and secret in­form­a­tion to create the key.

Another form of en­cryp­tion takes place in SSH through hashing. A hash is a form of signature for the trans­mit­ted data. An algorithm generates a unique hash from the data. If data is ma­nip­u­lated, the hash value changes auto­mat­ic­ally. This way the recipient can know whether data has been changed by third parties along the way. The hash values are designed in such a way that they cannot be easily simulated. It’s not possible to create two different trans­mis­sions with the same hash – this is known as collision pro­tec­tion.

SSH ports

TCP ports are endpoints that open servers and clients to enable com­mu­nic­a­tion. As with a port, the com­mu­nic­a­tion partners receive and send the data packets via these ports. TCP has an address space of 16 bits and therefore 65535 ports are available. However, the internet assigned numbers authority (IANA) has assigned a number of ports (exactly 1024) for certain ap­plic­a­tions, including the SSH port. By default, all SSH con­nec­tions run on port 22.

Note

Since the port that SSH con­nec­tions pass through is widely known and transmits sensitive data, the SSH port is a favorite des­tin­a­tion for cy­ber­crim­in­als. Therefore, some users think it makes sense to relocate the SSH port. However, this only offers short-term pro­tec­tion. With a port scanner, it is possible to find any ports used by a computer.

With SSH, port for­ward­ing is also possible: The SSH port of a client or server is used by another par­ti­cipant within a local network to create a secure con­nec­tion via the internet. The par­ti­cipants create a tunnel for this: The data is received via port 22 and then forwarded to the client in the local network.

SSH clients

The SSH client is usually your own PC that you want to use to establish a con­nec­tion to the server. To achieve this, you can or must (depending on the operating system) install separate software that es­tab­lishes an SSH con­nec­tion. These programs are also usually called SSH clients. The fee-based Tectia SSH comes from SSH com­mu­nic­a­tion security and ad­di­tion­ally contains a server software. But there are also numerous free al­tern­at­ives, such as the open source software, PuTTy for Windows and Linux, or lsh, which works on all operating systems based on Unix.

Tip

Some programs provide users with a graphical interface that sim­pli­fies the con­fig­ur­a­tion and de­ploy­ment of SSH. In principle, secure shell can also be executed from the command line – even without further in­stall­a­tion on macOS and other Unix operating systems.

SSH server

The SSH server is the coun­ter­part to the client. The term is also used here for the software. Much of the client software also works on servers. In addition, there is software designed ex­clus­ively for SSH servers. It is normal to start SSH on servers when you start up the computer. This guar­an­tees that you can access the server from outside at any time via SSH.

Strictly speaking, it isn’t necessary for the SSH server to be located in a remote data center. Users can also install an SSH server on their own PC at home to benefit from the ad­vant­ages of port for­ward­ing, for example.

Go to Main Menu