Authentication; Channels - Red Hat ENTERPRISE LINUX 4.5.0 Reference Manual

Chapter 20. SSH Protocol
Caution
It is possible for an attacker to masquerade as an SSH server during the initial
contact since the local system does not know the difference between the
intended server and a false one set up by an attacker. To help prevent this, verify
the integrity of a new SSH server by contacting the server administrator before
connecting for the first time or in the event of a host key mismatch.
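The first-contact and host-key-mismatch decision the caution describes, worked as an added example that is not from the manual: it checks the key a server presents against OpenSSH known_hosts entries (plain host fields and the hashed `|1|salt|hmac` form written by HashKnownHosts) and computes the SHA256 fingerprint that current OpenSSH prints, which is what you compare with the value obtained from the server administrator out of band. The keys, host names and known_hosts content are constructed placeholders, not real servers or keys.

```python
import base64
import hashlib
import hmac

def fingerprint_sha256(key_b64: str) -> str:
    """OpenSSH-style SHA256 fingerprint of a base64 public-key blob (unpadded base64)."""
    digest = hashlib.sha256(base64.b64decode(key_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def hashed_host_pattern(host: str, salt: bytes) -> str:
    """Host field as written with HashKnownHosts yes: |1|b64(salt)|b64(HMAC-SHA1(salt, host))."""
    mac = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(), base64.b64encode(mac).decode())

def _host_matches(pattern: str, host: str) -> bool:
    if pattern.startswith("|1|"):
        _, _, salt_b64, mac_b64 = pattern.split("|")
        mac = hmac.new(base64.b64decode(salt_b64), host.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(base64.b64encode(mac).decode(), mac_b64)
    return host in pattern.split(",")  # plain entries may list several names/addresses

def check_host_key(known_hosts: str, host: str, key_type: str, key_b64: str) -> str:
    """Classify the key a server presents: 'match', 'mismatch' (same host and key type,
    different key: the case the caution warns about) or 'unknown' (first contact)."""
    seen = False
    for line in known_hosts.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0].startswith("#"):
            continue
        pattern, ktype, kdata = parts[:3]
        if ktype != key_type or not _host_matches(pattern, host):
            continue
        seen = True
        if hmac.compare_digest(kdata, key_b64):
            return "match"
    return "mismatch" if seen else "unknown"

def constructed_key(seed: bytes) -> str:
    """Constructed key blob for the demo, NOT a real key: SSH wire format of the
    string 'ssh-ed25519' followed by a 32-byte string derived from the seed."""
    blob = hashlib.sha256(seed).digest()
    return base64.b64encode(b"\x00\x00\x00\x0bssh-ed25519\x00\x00\x00\x20" + blob).decode()

# Constructed known_hosts content (placeholder hosts): one plain entry, one hashed entry.
KEY_A, KEY_B = constructed_key(b"bastion"), constructed_key(b"build")
KNOWN_HOSTS = "\n".join([
    "bastion.example.com,10.0.0.5 ssh-ed25519 " + KEY_A,
    hashed_host_pattern("build.example.com", b"\x01" * 20) + " ssh-ed25519 " + KEY_B,
])
```

A 'mismatch' result is the point at which to stop and contact the administrator rather than accept the new key; an 'unknown' result is the first-contact case where the fingerprint must be confirmed out of band.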
SSH is designed to work with almost any kind of public key algorithm or encoding format. After
an initial key exchange creates a hash value used for exchanges and a shared secret value, the
two systems immediately begin calculating new keys and algorithms to protect authentication
and future data sent over the connection.
After a certain amount of data has been transmitted using a given key and algorithm (the exact
amount depends on the SSH implementation), another key exchange occurs, generating
another set of hash values and a new shared secret value. Even if an attacker is able to
determine the hash and shared secret value, this information is only useful for a limited period of
time.

3.2. Authentication

Once the transport layer has constructed a secure tunnel to pass information between the two
systems, the server tells the client the different authentication methods supported, such as
using a private key-encoded signature or typing a password. The client then tries to
authenticate itself to the server using one of these supported methods.
SSH servers and clients can be configured to allow different types of authentication, which gives
each side the optimal amount of control. The server can decide which encryption methods it
supports based on its security model, and the client can choose the order of authentication
methods to attempt from the available options. Thanks to the secure nature of the SSH
transport layer, even seemingly insecure authentication methods, such as host-based and
password-based authentication, are safe to use.

3.3. Channels

After a successful authentication over the SSH transport layer, multiple channels are opened via
a technique called multiplexing[4]. Each of these channels handles communication for different
terminal sessions and for forwarded X11 sessions.
Both clients and servers can create a new channel. Each channel is then assigned a different
number on each end of the connection. When the client attempts to open a new channel, the
client sends the channel number along with the request. This information is stored by the

[4] A multiplexed connection consists of several signals being sent over a shared, common medium. With SSH, different
channels are sent over a common secure connection.
