What is SSH?
Secure Shell, or SSH, is a network protocol through which users can establish secure remote connections to target resources over an unprotected network. Administrators primarily use the SSH protocol to log in remotely and access machines in their network, perform file transfers, execute commands, and manage applications.
Let's dive into the SSH protocol, its history, how it works, and its uses.
How does SSH work?
SSH uses a client-server architecture to establish secure, encrypted connections. The SSH client acts as a medium that facilitates secure connection to the SSH servers and runs where the session is displayed and controlled, and the server is the target machine that is accessed using the protocol. At the onset, when a connection needs to be established between two machines—an SSH client and a server—the SSH client initiates the connection by contacting the server.
The client then proceeds to fetch the public key from the server. Depending on the type of encryption used, the server and the SSH client negotiate parameters and establish a secure, encrypted channel. The user can then login to the server and perform the desired actions.
Let's look at this sequentially:
- SSH session is attempted from the SSH client.
- SSH client reaches out to the target server.
- The SSH clients gets the the public key from the SSH server, specifically from the .ssh/authorized_keys file.
- Client and server negotiate parameters and the encryption method, then formulate an encrypted session key using a suitable key exchange algorithm.
- The user then authenticates and logs in to the target server using the appropriate credentials.
- Secure connection is now established and the user can perform actions on the server.
A brief history of the Secure Shell (SSH) protocol
Although protocols like Telnet, FTP, and Remote Shell (rsh) existed to facilitate remote connections to Unix systems pre 1995, those connections weren't secure or encrypted. The pitfalls of this was consequentially evidenced by Tatu Ylönen at Helsinki Univerity of Technology when they discovered a password sniffing attack on their university network.
Tatu understood that secure connections are key preequisites for transmitting sensitive data like passwords over a public network to maintain confidentiality. To eliminate eavesdropping and prevent data tampering he deviced an encrypted method to launch remote connections Unix systems - the Secure Shell or the SSH protocol. The improved SSH-2, the dominant version today, was later adopted in 2006.
What is SSH used for?
The SSH protocol is primarily used to establish secure remote connections over an unsecured network. SSH connections are used to access, manage, and transfer data remotely on a target resource. This includes running commands, cleansing storage, transferring files, running and managing applications, deploying software patches, and more. The target resource could be any device that supports SSH, including remote servers, routers, and switches, among others.
SSH is primarily used to connect to Linux/Unix devices, as SSH usually comes as a readily installable package on most Linux distributions and can be installed in a matter of few commands. To connect securely to a Windows device, usually the remote desktop protocol (RDP) is used as it comes natively available with Windows devices.
How do you launch an SSH connection?
Unix, Linux, and macOS devices have an inbuilt SSH client that allows SSH connections to be launched directly from the Terminal. You can also use SSH clients like PuTTY to launch connections.
However, if you want to launch an SSH connection from Windows devices, you'll have to make use of an SSH clients like OpenSSH or PuTTY to launch connections. Alternatively, secure Windows-Windows connections can be established using RDP.
On the server end, the SSH server package needs to be installed and a server-side component called a SSH daemon needs to be installed and running. A SSH daemon checks for any SSH connection requests by listening to all connections on TCP port 22.
If you are using a Linux/macOS device or a SSH client on a Windows device, you can enter the following command to launch an SSH connection to a remote server from the terminal of your device:
ssh <user_name>@<host_name>
After establishing a connection with the server, proceed to authenticate yourself using the suitable credentials for the user account. The user can then proceed to execute commands on the target server, transfer files, manage applications, and so on.
SSH encryption methods
There are primarily 3 encryption methods that are used to establish secure connections using SSH:
01. Symmetric encryption
Symmetric encryption is usually done using a single shared key, although it could also use a pair of keys.
When the client reaches out to the server to establish an SSH connection, the client and the server negotiate a common method to generate a shared key independently using a key exchange algorithm. This agreed method is then used to generate the shared key. The shared key is then used to encrypt the entire session and the subsequent communication is secure.
This shared key is never communicated between the client and the server, therefore it cannot be intercepted. Even if the shared key is exposed, another machine cannot decrypt the communication as the agreed method is only known to the client and server.
02. Asymmetric encryption
Asymmetric encryption uses a public-private key pair to establish an encrypted connection. The enshrined security mechanism in asymmetric encryption is two-fold.
Firstly, the client and the server both independently generate their respective temporary public-private key pairs using a suitable algorithm (like the RSA algorithm). When the client tries to establish an SSH connection, the client and the server share their respective public keys with each other.
After which, an encrypted authentication message based on the receiver's public key is sent from the sender to the receiver. This is done to verify the identity of the client. The encrypted authentication message is then decrypted by the receiver using the receiver's private key and the identity is then authenticated.
Once the authentication is complete, the machines generate a suitable shared session key using a key exchange algorithm, with which the communication is then encrypted.
It's important to note that the private key remains private and isn't transmitted between the server and the client at any point. The private key acts as an authentication mechanism for the receiver to decrypt the authentication message, while the encryption happens using the shared key.
Given that the private keys are not shared with a third-party and add an authentication layer to the encryption, asymmetric encryption is considered a more secure method of encryption than its symmetrical counterpart.
03. Hashing
Hashing is when cryptographic hash functions are used to encrypt a message. This encrypted message is called a hash. Unlike symmetric and asymmetric forms of encryption, when hashing or cryptographic hash functions are utilized, the encrypted message is not meant to be decrypted by the receiver.
However, if the receiver knew the unhashed message prior, and the hash function used to hash, then the receiver can verify the message from the hash. This makes hashing a reliable method of encryption for data integrity checks and authentication purposes.
The encryption process for hashing happens similar to symmetric encryption, but along with the negotiation process for the shared secret, a message authentication code (MAC) algorithm is also selected. This is based on MAC compatibility of the client and the server. After which, once the secure communication channel is set up, every message is hashed using the MAC and the receiver verifies the integrity of the message after calculating the MAC. This is done based on the shared secret, the unhashed message content, and the corresponding packet sequence number of the message.
Commonly used SSH authentication methods
There are two commonly used types of user authentication methods to establish SSH connections: password authentication and SSH key authentication.
- 01
Password authentication
Password authentication is the more widely used method of authentication when establishing an SSH connection. After negotiation of shared secret and encryption, the server will prompt the user for the password of the user account that the client is trying to log in to.
Although the password is transmitted only after an encrypted connection is established, it could still be exploited by brute-forcing weak passwords, scripts, and so on. To avoid this, authentication using SSH keys is being increasingly adopted.
- 02
Authentication using SSH keys
Alternatively, authentication using SSH keys involves a public-private asymmetric SSH key pair. After symmetric encryption, the client generates a key pair ID and the server verifies this ID with by scouring the .ssh/authorized_keys file of the user. If the ID is a match, then a random number is generated and encrypted using the public key, which the client then decrypts using its private key.
The client then uses the decrypted number and the established shared secret during symmetric encryption to hash the number and sends it back to the server in the form of a MD5 hash value. The authentication is complete once the server uses the same shared key and number to calculate the MD5 hash value on its own and determines it to be a match.
The multiple layers makes authentication using a key pair a more secure form of encryption because the private key of the server isn't transmitted and the shared key is also needed to tamper with the authentication.
SSH vs Telnet
Telnet was the first protocol in existence to establish remote connections to target machines. The primary difference is that communication using SSH is encrypted using public key encryption or key-pair encryption, while communication using Telnet is not encrypted and hence less secure. Telnet was designed primarily for local area networks (LANs) and private networks, while SSH can be used over open networks and even for the internet.
Telnet's application starts and ends with being a terminal emulator for the target machine, whereas using SSH, a user can additionally issue commands, manage applications, and securely transfer files using SSH File Transfer Protocol (SFTP).
Add an extra layer of security to your SSH sessions with PAM360
Given the prominent use of the SSH protocol by enterprises to perform actions on privileged remote servers, it has become important to administer SSH sessions from a central console to protect sensitive data. Although SSH connections are the gold standard for secure, encrypted remote sessions, target resources could still be subjected to privilege abuse, data theft, and other insider threats. This is addressed by using a privileged access management (PAM) solution like PAM360 to manage your privileged resources and sessions.
PAM360 is ManageEngine's comprehensive enterprise-grade privileged access management solution. PAM360 provides organizations with a central console to manage all their privileged sessions, including but not limited to SSH keys and sessions.
From monitoring, shadowing, and managing SSH sessions, to managing, deploying, and rotating SSH keys, PAM360 provides you with the complete package. Additionally, PAM360 helps you provide privileged access, manage and rotate passwords, elevate access, manage RDP sessions, perform secure file transfers, manage SSL/TLS certificates, and much more.