Benefits of OpenSSH
Scope of Article
SSH is ubiquitous in open source infrastructure. Because of its small footprint on the network and its ease of installation and maintenance, it has replaced the legacy remote shells in modern data centers. OpenSSH is the most widely deployed implementation of the protocol, and this article describes how it works, what it provides, and what has to be tuned to run it securely.
How OpenSSH Works
OpenSSH is a free implementation of the Secure Shell (SSH) protocol that provides encrypted remote login, remote command execution and file transfer. It replaces legacy cleartext tools such as telnet, rlogin and rsh. It is important to understand how the protocol works and what features it provides. Please refer to Fig1, which shows the protocol stack that forms the OpenSSH services.
Anyone familiar with Telnet will recognise the operating model. As with Telnet, a daemon (sshd) runs on the server, and the user connects with an SSH client such as the ssh command or PuTTY. SSH is available on Windows as well as Unix platforms and is present on practically every Linux installation. By default it listens on TCP port 22.
Unlike Telnet, however, OpenSSH exists to protect the session: it uses cryptography to authenticate the server and the client and to encrypt and integrity-protect everything that crosses the wire, which gives confidentiality and integrity for data in transit. A connection has three basic phases: the client-server handshake, authentication, and the secure data exchange. During the handshake, each side sends an identification string carrying the SSH protocol version and its software version, and then a KEXINIT message listing the algorithms it supports in order of preference: key exchange, host key, symmetric cipher, MAC (hash-based integrity) and compression algorithms. Each category is settled by taking the first entry in the client's list that the server also offers; if a category has no common entry, the connection fails before any authentication takes place. Unlike TLS, where the client sends the first message, an SSH server sends its identification string as soon as the TCP connection is up, without waiting for the client, which is why connecting to port 22 with a plain TCP client shows the server banner immediately.
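The handshake described above, reduced to its two observable parts, is shown in the following added example. It is not code from the original article or from the OpenSSH project: it validates an identification string, serialises and parses the algorithm name-lists of an SSH_MSG_KEXINIT payload as defined in RFC 4253 section 7.1, and applies the "first client preference the server also offers" rule. The algorithm lists are constructed for the example (a current client against a server without curve25519, ed25519 or chacha20 support, plus a legacy server offering only an obsolete key exchange) and are not taken from any real deployment; the RFC's extra compatibility check between the key exchange and host key algorithm is omitted.

```python
import os
import struct

SSH_MSG_KEXINIT = 20

# Name-list fields of SSH_MSG_KEXINIT, in wire order (RFC 4253, section 7.1).
KEXINIT_FIELDS = (
    "kex", "host_key",
    "enc_c2s", "enc_s2c",
    "mac_c2s", "mac_s2c",
    "comp_c2s", "comp_s2c",
    "lang_c2s", "lang_s2c",
)

# Constructed algorithm lists for this example, in each side's preference order.
# They are not copied from any real client or server.
_ENC = ["chacha20-poly1305@openssh.com", "aes256-gcm@openssh.com", "aes128-ctr"]
_MAC = ["hmac-sha2-256-etm@openssh.com", "hmac-sha2-256"]
CLIENT_ALGS = {
    "kex": ["curve25519-sha256", "ecdh-sha2-nistp256", "diffie-hellman-group14-sha256"],
    "host_key": ["ssh-ed25519", "rsa-sha2-512", "rsa-sha2-256"],
    "enc_c2s": _ENC, "enc_s2c": _ENC,
    "mac_c2s": _MAC, "mac_s2c": _MAC,
    "comp_c2s": ["none", "zlib@openssh.com"], "comp_s2c": ["none", "zlib@openssh.com"],
}
SERVER_ALGS = {
    "kex": ["diffie-hellman-group14-sha256", "ecdh-sha2-nistp256"],
    "host_key": ["rsa-sha2-512", "rsa-sha2-256"],
    "enc_c2s": ["aes128-ctr", "aes256-gcm@openssh.com"],
    "enc_s2c": ["aes128-ctr", "aes256-gcm@openssh.com"],
    "mac_c2s": ["hmac-sha2-256"], "mac_s2c": ["hmac-sha2-256"],
    "comp_c2s": ["none"], "comp_s2c": ["none"],
}
# A server that only offers an obsolete key exchange: negotiation must fail.
LEGACY_SERVER_ALGS = dict(SERVER_ALGS, kex=["diffie-hellman-group1-sha1"])


def ssh_string(data: bytes) -> bytes:
    """SSH 'string' type: uint32 big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def name_list(names) -> bytes:
    """SSH 'name-list' type: comma-separated names carried as a string."""
    return ssh_string(",".join(names).encode("ascii"))


def parse_identification(line: bytes) -> str:
    """Check an identification line ('SSH-2.0-software') and return the software part."""
    text = line.rstrip(b"\r\n").decode("ascii")
    if not text.startswith("SSH-"):
        raise ValueError(f"not an SSH identification line: {text!r}")
    proto, _, software = text[4:].partition("-")
    if proto != "2.0":
        raise ValueError(f"unsupported protocol version {proto!r}")
    return software


def build_kexinit(algs: dict) -> bytes:
    """Serialise a KEXINIT payload (the part carried inside the binary packet)."""
    payload = bytes([SSH_MSG_KEXINIT]) + os.urandom(16)   # random cookie
    for field in KEXINIT_FIELDS:
        payload += name_list(algs.get(field, []))
    payload += b"\x00"               # first_kex_packet_follows = FALSE
    payload += struct.pack(">I", 0)  # reserved for future extension
    return payload


def parse_kexinit(payload: bytes) -> dict:
    """Inverse of build_kexinit: recover the algorithm lists a peer advertised."""
    if not payload or payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not a KEXINIT message")
    pos = 1 + 16                     # skip message byte and cookie
    algs = {}
    for field in KEXINIT_FIELDS:
        (length,) = struct.unpack_from(">I", payload, pos)
        pos += 4
        raw = payload[pos:pos + length].decode("ascii")
        pos += length
        algs[field] = raw.split(",") if raw else []
    algs["first_kex_packet_follows"] = payload[pos] != 0
    return algs


def negotiate(client: dict, server: dict) -> dict:
    """RFC 4253 rule: the first client-preferred algorithm the server also lists."""
    chosen = {}
    for field in KEXINIT_FIELDS[:8]:          # languages are not negotiated
        common = [alg for alg in client[field] if alg in server[field]]
        if not common:
            raise ValueError(f"no matching {field} algorithm; connection cannot proceed")
        chosen[field] = common[0]
    return chosen


if __name__ == "__main__":
    print("server software:", parse_identification(b"SSH-2.0-OpenSSH_9.6\r\n"))
    client = parse_kexinit(build_kexinit(CLIENT_ALGS))
    server = parse_kexinit(build_kexinit(SERVER_ALGS))
    for field, alg in negotiate(client, server).items():
        print(f"{field:9s} -> {alg}")
```

Running it picks ecdh-sha2-nistp256, rsa-sha2-512 and aes256-gcm@openssh.com for the constructed pair, and raises for the legacy server: that exception is the protocol-level event behind the familiar "Unable to negotiate ... no matching key exchange method found" message, and it is the reason a hardened server can simply stop offering weak algorithms rather than trusting clients to avoid them.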
For authentication, the server proves its identity with its host key. The client has no trusted third party to vouch for that key; instead it records the host key at a predefined location (~/.ssh/known_hosts for OpenSSH) the first time it connects, and on every later connection compares the key the server presents with the stored one. A mismatch is treated as a possible man-in-the-middle attack, and because the first connection is trust-on-first-use, the fingerprint shown at that point should be verified out of band. The table below lists the supported client authentication methods.
Client Authentication Methods
| Client Authentication Method | Description |
|---|---|
| Public key authentication | The client holds a key pair; its public key is placed in the server's authorized_keys file and the client proves possession of the private key by signing data bound to the session |
| Password authentication | The user's password is sent to the server inside the already-encrypted transport and checked against the system password database (or PAM) |
| Host-based authentication | The client host, rather than the user, is authenticated with the client machine's own host key; access is granted to users of hosts listed in /etc/shosts.equiv or ~/.shosts, in the spirit of the old rhosts mechanism |
| Keyboard-interactive authentication | The server sends one or more prompts (one-time passwords, PAM modules, two-factor tokens) and authenticates on the answers; the prompts are defined by the server, not stored on the client |
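The host key check described before the table, written out as an added example (not code from the original article or from the OpenSSH project). It builds an ssh-ed25519 public key blob in SSH wire format, derives the SHA256 fingerprint the way ssh-keygen prints it, matches plain and hashed (HashKnownHosts) host fields, honours @revoked markers, and reports TRUSTED, MISMATCH, REVOKED or UNKNOWN. The keys, host names and known_hosts lines are constructed for the example: the 32-byte values are placeholders rather than valid Ed25519 points, the salt is fixed so the output is reproducible, and @cert-authority entries and negated host patterns are outside its scope.

```python
import base64
import fnmatch
import hashlib
import hmac
import struct


def ssh_string(data: bytes) -> bytes:
    """SSH 'string' type: uint32 big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def ed25519_blob(raw_key: bytes) -> bytes:
    """Wire-format public key blob: string "ssh-ed25519" followed by the 32-byte key."""
    return ssh_string(b"ssh-ed25519") + ssh_string(raw_key)


def fingerprint(blob: bytes) -> str:
    """OpenSSH-style fingerprint: SHA256 of the blob, base64 without '=' padding."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")


def hash_host(host: str, salt: bytes) -> str:
    """Hashed known_hosts host field ('|1|salt|hash'), as written with HashKnownHosts yes."""
    mac = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return "|1|{}|{}".format(base64.b64encode(salt).decode(), base64.b64encode(mac).decode())


def host_matches(field: str, host: str) -> bool:
    """Match a host field: a hashed entry, or comma-separated glob patterns."""
    if field.startswith("|1|"):
        _, _, salt_b64, hash_b64 = field.split("|")
        mac = hmac.new(base64.b64decode(salt_b64), host.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(mac, base64.b64decode(hash_b64))
    return any(fnmatch.fnmatchcase(host, pat) for pat in field.split(","))


def check_host_key(known_hosts: str, host: str, key_type: str, blob: bytes) -> str:
    """Return TRUSTED, MISMATCH (possible MITM), REVOKED or UNKNOWN (first contact)."""
    mismatch = False
    for line in known_hosts.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        marker = None
        if fields[0].startswith("@"):
            marker, fields = fields[0], fields[1:]
        if marker == "@cert-authority":
            continue                    # applies to host certificates, not covered here
        hosts, ktype, key_b64 = fields[:3]
        if not host_matches(hosts, host) or ktype != key_type:
            continue
        same_key = hmac.compare_digest(base64.b64decode(key_b64), blob)
        if marker == "@revoked":
            if same_key:
                return "REVOKED"
            continue
        if same_key:
            return "TRUSTED"
        mismatch = True                 # known host, different key of the same type
    return "MISMATCH" if mismatch else "UNKNOWN"


# Constructed keys and known_hosts content for the example (placeholder key bytes,
# fictitious hosts, fixed salt); nothing here comes from a real system.
BLOB_A = ed25519_blob(bytes(range(32)))
BLOB_B = ed25519_blob(bytes(range(32, 64)))
BLOB_C = ed25519_blob(bytes(range(64, 96)))
_b64 = lambda blob: base64.b64encode(blob).decode()
KNOWN_HOSTS = "\n".join([
    "# ~/.ssh/known_hosts (constructed sample)",
    "bastion.example.net,10.0.0.5 ssh-ed25519 " + _b64(BLOB_A) + " ops-laptop",
    hash_host("db.example.net", b"0123456789abcdefghij") + " ssh-ed25519 " + _b64(BLOB_B),
    "@revoked * ssh-ed25519 " + _b64(BLOB_C) + " compromised-host-key",
])

if __name__ == "__main__":
    print("bastion host key:", fingerprint(BLOB_A))
    for host, blob in [("bastion.example.net", BLOB_A), ("bastion.example.net", BLOB_B),
                       ("db.example.net", BLOB_B), ("new.example.net", BLOB_A),
                       ("new.example.net", BLOB_C)]:
        print(f"{host:22s} {check_host_key(KNOWN_HOSTS, host, 'ssh-ed25519', blob)}")
```

The MISMATCH path is the one that matters operationally: a real client refuses to continue and prints the warning about a changed host key, and the correct response is to confirm with the server owner whether the key was legitimately rotated, not to delete the known_hosts line and retry.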
It is often assumed that OpenSSH is a single utility installed on the server side, but that is not the case. It is a suite of small executables, each with a specific purpose. The following table lists the important tools in the suite.
Important OpenSSH Tools
| Tool | Description |
|---|---|
| sshd | Server daemon that accepts connections |
| ssh | Client program used to connect to the daemon |
| sftp | Interactive file transfer client using the SFTP subsystem over SSH (unrelated to FTP) |
| scp | Secure copy of files between hosts over SSH |
| ssh-keygen | Generates and manages user and host key pairs, and prints key fingerprints |
The bottom layer, which rides on TCP, is the transport layer. It is the most important one for security because it performs the key exchange, authenticates the server through its host key, and from then on encrypts and integrity-protects every packet, with fresh session keys negotiated per connection and re-keyed periodically. Above it sits the user authentication layer, which authenticates the end user to sshd. Because it runs inside the already-encrypted transport, even a password is never visible on the wire. This layer lets the user choose among the available methods, from the legacy username and password to public keys, including keys held on smart cards. The topmost layer is the connection layer, which multiplexes the single encrypted transport into channels: interactive sessions, command execution, forwarded TCP ports, X11 and agent forwarding. Its access controls, such as whether port forwarding or X11 forwarding is permitted at all, are what limit how much an authenticated but restricted user can do with the tunnel.
Installation of OpenSSH
OpenSSH can be downloaded from openssh.com, and on Linux it is normally installed from the distribution's package repository like any other package (typically named openssh-server). Windows 10 and later, and Windows Server 2019 and later, ship the OpenSSH client and server as optional Windows features, so no separate installer is needed. Before installing, check whether OpenSSH is already present, because nearly every open source distribution ships it as the default SSH daemon.
It is equally important to harden the service. The default sshd_config favours compatibility over strictness: for instance, password authentication is allowed by default, which leaves an Internet-facing daemon exposed to online password guessing. Securing it means reviewing and adjusting a number of parameters in /etc/ssh/sshd_config, which has been covered in earlier articles.
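As an added example of the review just mentioned (not code from the original article or from the OpenSSH project), the following script parses sshd_config the way sshd reads it and reports the settings a hardening pass would flag. Two things in the parser are easy to get wrong by hand: sshd uses the first value it finds for each keyword, so a later "PasswordAuthentication no" does not override an earlier "yes", and everything after a Match line is conditional and does not change the global setting. The two configuration texts are constructed for the example, the defaults assumed for absent keywords follow current sshd_config(5), and the list of weak algorithms is the editor's own selection rather than an official one.

```python
import re

# Constructed sample configs for this example; neither is taken from a real host.
WEAK_CONFIG = """\
# permissive sshd_config (constructed example)
Port 22
PermitRootLogin yes
PasswordAuthentication yes
PermitEmptyPasswords yes
X11Forwarding yes
MaxAuthTries 10
Ciphers 3des-cbc,aes128-cbc,aes256-ctr
MACs hmac-md5,hmac-sha2-256
"""

HARDENED_CONFIG = """\
Port 22
PermitRootLogin no
PasswordAuthentication no
PermitEmptyPasswords no
PubkeyAuthentication yes
X11Forwarding no
MaxAuthTries 3
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-ctr
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com
# Settings under Match apply only to matching connections, so the global
# audit below must not treat this as re-enabling passwords for everyone.
Match User backup
    PasswordAuthentication yes
"""

# Algorithms that should not appear in Ciphers/MACs (editor's selection). Modern
# OpenSSH no longer enables them by default, but explicit config can bring them back.
WEAK_ALGOS = {"3des-cbc", "arcfour", "arcfour128", "arcfour256", "blowfish-cbc",
              "aes128-cbc", "aes192-cbc", "aes256-cbc",
              "hmac-md5", "hmac-md5-96", "hmac-sha1-96"}


def parse_sshd_config(text: str) -> dict:
    """Effective global settings keyed by lower-cased keyword (first value wins)."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)   # 'Key value' or 'Key = value'
        keyword = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if keyword == "match":
            break                      # everything below is conditional, not global
        settings.setdefault(keyword, value)   # sshd keeps the FIRST value it sees
    return settings


def audit(text: str) -> dict:
    """Map each problematic keyword to a remediation hint; empty dict means clean."""
    cfg = parse_sshd_config(text)

    def get(keyword, default):          # defaults assumed as in current sshd_config(5)
        return cfg.get(keyword.lower(), default).lower()

    findings = {}
    if get("PermitRootLogin", "prohibit-password") == "yes":
        findings["PermitRootLogin"] = "set to 'no' (or prohibit-password) and use sudo"
    if get("PasswordAuthentication", "yes") == "yes":
        findings["PasswordAuthentication"] = "set to 'no' and deploy public keys"
    if get("PermitEmptyPasswords", "no") == "yes":
        findings["PermitEmptyPasswords"] = "set to 'no'"
    if get("X11Forwarding", "no") == "yes":
        findings["X11Forwarding"] = "set to 'no' unless X11 is actually needed"
    try:
        if int(get("MaxAuthTries", "6")) > 6:
            findings["MaxAuthTries"] = "lower it (6 or fewer) to slow online guessing"
    except ValueError:
        findings["MaxAuthTries"] = "not an integer; sshd will refuse to start"
    for keyword in ("Ciphers", "MACs"):
        value = get(keyword, "")
        if not value or value.startswith("-"):
            continue                   # absent (modern defaults) or an explicit removal list
        weak = sorted(set(value.lstrip("+^").split(",")) & WEAK_ALGOS)
        if weak:
            findings[keyword] = "remove " + ", ".join(weak)
    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{name}:")
        for keyword, hint in audit(text).items():
            print(f"  {keyword}: {hint}")
```

Run it against a real /etc/ssh/sshd_config after editing, and compare with `sshd -T`, which prints the effective configuration after defaults and Match processing and is the authoritative answer when the two disagree.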
Features of OpenSSH
- Runs on almost every operating system: it is developed as part of OpenBSD, and the portable release supports Linux, the other BSDs, macOS, Solaris and Windows.
- Open source, released under a BSD-style licence.
- Strong authentication of both ends; host key verification means a session cannot be silently redirected to an impostor through IP routing or DNS spoofing tricks.
- Strong encryption: AES (including AES-GCM) and ChaCha20-Poly1305 in current releases. 3DES can still be enabled for legacy peers but is no longer on by default and should not be re-enabled.
- Authentication events and session activity are logged through syslog, providing the audit trail needed for incident investigation.
- Never trusts the network by design: every byte is encrypted and authenticated, so a hostile network can disrupt a session but cannot read or alter it undetected.
- SFTP and SCP utilities allow secure file transfers.
- Optional data compression to reduce bandwidth on slow links.
- Port forwarding carries other TCP-based protocols through the encrypted tunnel (for example a legacy Telnet or database port that is exposed only on localhost). Forwarding works for TCP only, so UDP protocols such as TFTP cannot be tunnelled this way.
- Supports Kerberos authentication and ticket forwarding through GSSAPI. Older releases also offered AFS token passing; current releases do not.
Summary
While OpenSSH is a versatile, robust and secure implementation, it still has to be tuned to fit its environment. It is available on every Linux distribution and on current versions of Windows. Follow the project's documentation, in particular sshd_config(5), to install and configure it the right and secure way.
About the Author
The author has over 22 years of experience in the field of IT hardware, networking, web technologies and IT security. Prashant runs his own firm named Valency Networks in India (www.valencynetworks.com) providing consultancy in IT security design, Security Penetration Testing, IT Audit, infrastructure technology and business process management. He can be reached at prashant@valencynetworks.com.