Red Hat LINUX 7.2 Reference Manual page 161

Section 10.3: Layers of SSH Security
CAUTION
The host key verification method used by OpenSSH is not perfect. An attacker could masquerade as the server during the initial contact, as the local system would not necessarily know the difference between the intended server and the attacker at that point. But, until a better host key distribution method becomes widely available, this initially insecure method is better than nothing.
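One way to close the gap the caution describes is to obtain the server's key fingerprint out of band and check it against the known_hosts entry before trusting that entry. The following is an added Python example, not code from the manual or from OpenSSH; the host names, salt and key bytes are constructed, and the known_hosts parsing covers plain and hashed (|1|salt|hash) host fields only.

```python
import base64
import hashlib
import hmac

# Constructed sample key (not a real server key): an ssh-ed25519 blob is the
# SSH string "ssh-ed25519" followed by a 32-byte SSH string.
def _ssh_string(b: bytes) -> bytes:
    return len(b).to_bytes(4, "big") + b

_ED25519_BLOB = _ssh_string(b"ssh-ed25519") + _ssh_string(bytes(range(32)))
ED25519_KEY_B64 = base64.b64encode(_ED25519_BLOB).decode()

def hash_hostname(host: str, salt: bytes) -> str:
    """Build the |1|salt|hash host field OpenSSH writes with HashKnownHosts yes."""
    mac = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(), base64.b64encode(mac).decode())

# Constructed known_hosts content: one plain-host line, one hashed-host line.
_SALT = bytes.fromhex("00112233445566778899aabbccddeeff00112233")  # 20-byte constructed salt
KNOWN_HOSTS = "\n".join([
    "plain.example.test ssh-ed25519 " + ED25519_KEY_B64,
    hash_hostname("hashed.example.test", _SALT) + " ssh-ed25519 " + ED25519_KEY_B64,
])

def _host_matches(field: str, host: str) -> bool:
    if field.startswith("|1|"):
        _, _, salt_b64, _ = field.split("|")
        return hmac.compare_digest(hash_hostname(host, base64.b64decode(salt_b64)), field)
    return host in field.split(",")  # plain entries may list "host,ip,..."

def find_host_key(known_hosts: str, host: str):
    """Return (key type, base64 key blob) for host, or None if no entry matches."""
    for line in known_hosts.splitlines():
        parts = line.split()
        if len(parts) < 3 or line.startswith("#"):
            continue
        if _host_matches(parts[0], host):
            return parts[1], parts[2]
    return None

def fingerprint(key_b64: str) -> str:
    """SHA256 fingerprint in the form ssh-keygen -lf prints (unpadded base64)."""
    digest = hashlib.sha256(base64.b64decode(key_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def pinned_key_ok(known_hosts: str, host: str, pinned_fp: str) -> bool:
    """True only if the stored key for host matches the fingerprint obtained out of band."""
    entry = find_host_key(known_hosts, host)
    return entry is not None and hmac.compare_digest(fingerprint(entry[1]), pinned_fp)
```

The same comparison applies when a connection reports a changed host key: treat a mismatch with the out-of-band fingerprint as a reason to stop, not to accept the new key.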
SSH is designed to work with almost any kind of public key algorithm or encoding format. After an
initial key exchange creates two values (a hash value used for exchanges and a shared secret value),
the two systems immediately begin calculating new keys and algorithms to protect authentication and
future data sent over the connection.
10.3.2 Authentication
Once the transport layer has constructed a secure tunnel to pass information between the two systems, the server tells the client the different authentication methods supported, such as using a private key-encoded signature or typing a password. The client will then try to authenticate itself to the server using any of the supported methods.
Since servers can be configured to allow different types of authentication, this method gives each side the optimal amount of control. The server can decide which encryption methods it will support based on its security model, and the client can choose the order of authentication methods to attempt from among the available options. Thanks to the secure nature of the SSH transport layer, even seemingly insecure authentication methods, such as host-based authentication, are safe to use.
Most users requiring a secure shell will authenticate using a password. Unlike other security authentication schemes, the password is transmitted to the server in cleartext. However, since the entire password is encrypted when moving over the transport layer, it can be safely sent across any network.
10.3.3 Connection
After a successful authentication over the SSH transport layer, multiple channels are opened by multiplexing [3] the single connection between the two systems. Each of these channels handles communication for a different terminal session, forwarded X11 information, or any other separate service seeking to use the SSH connection.

[3] A multiplexed connection consists of several signals being sent over a shared, common medium. With SSH, different channels are sent over a common secure connection.