Ssh Protocol Versions; Event Sequence Of An Ssh Connection - Red Hat ENTERPRISE LINUX 3 Reference Manual

276
Impersonation of a particular host — Using this strategy, an attacker's system is configured to pose
•
as the intended recipient of a transmission. If this strategy works, the user's system will remain
unaware that it is communicating with the wrong host.
This attack can be mounted through techniques known as DNS poisoning
Both techniques intercept potentially sensitive information, and if the interception is made for hostile
reasons, the results can be disastrous.
If SSH is used for remote shell login and file copying, these security threats can be greatly diminished.
This is because the SSH client and server use digital signatures to verify their identity. Additionally,
all communication between the client and server systems is encrypted. Attempts to spoof the identity
of either side of a communication will not work, since each packet is encrypted using a key known
only by the local and remote systems.

19.2. SSH Protocol Versions

The SSH protocol allows any client and server programs built to the protocol's specifications to com-
municate securely and to be used interchangeably.
Two varieties of SSH (version 1 and version 2) currently exist. SSH version 1 makes use of several
patented encryption algorithms (however, some of these patents have expired) and is vulnerable to a
well known security exploit that allows an attacker to insert data into the communication stream. The
OpenSSH suite under Red Hat Enterprise Linux uses SSH version 2 by default because this version
of the protocol has an enhanced key exchange algorithm not vulnerable to the same exploit. However,
the OpenSSH suite does also support version 1 connections.
Important
It is recommended that only SSH version 2-compatible servers and clients are used whenever pos-
sible.

19.3. Event Sequence of an SSH Connection

The following series of events help protect the integrity of SSH communication between two hosts.
A cryptographic handshake is made so that the client can verify that it is communicating with the
•
correct server.
The transport layer of the connection between the client and remote host is encrypted using a
•
symmetric cipher.
The client authenticates itself to the server.
•
The remote client interacts with the remote host over the encrypted connection.
•
2. DNS poisoning occurs when an intruder cracks a DNS server, pointing client systems to a maliciously du-
plicated host.
3. IP spoofing occurs when an intruder sends network packets which falsely appear to be from a trusted host on
the network.
Chapter 19. SSH Protocol
2 3
or IP spoofing .