What is SSH?
SSH, or Secure Shell or Secure Socket Shell, is a network protocol that gives users, particularly system administrators, a secure way to access a computer over an unsecured network.
SSH also refers to the suite of utilities that implement the SSH protocol. Secure Shell provides strong password authentication, public key authentication, and encrypted data communications between two computers connecting over an open network, such as the Internet.
In addition to providing strong encryption, network administrators widely use SSH to manage systems and applications remotely, enabling them to log in to another computer over a network, execute commands, and move files from one computer to another.
SSH refers to the cryptographic network protocol and the suite of utilities that implement that protocol. SSH uses the client-server model, connecting a Secure Shell client application, which is the end where the session is displayed, with an SSH server, which is where the session runs. SSH implementations often include support for application protocols used for terminal emulation or file transfers.
SSH can also create secure tunnels for other application protocols, such as remotely running X Window System graphical sessions. An SSH server, by default, listens on the standard Transmission Control Protocol (TCP) port 22.
How does SSH work?
Secure Shell was created to replace insecure terminal emulation or login programs, such as Telnet, rlogin (remote login), and rsh (remote shell). SSH enables the same functions — logging in to and running terminal sessions on remote systems. SSH also replaces file transfer programs, such as File Transfer Protocol (FTP) and rcp (remote copy).
SSH’s most basic use is connecting to a remote host for a terminal session. The form of that command is the following:
ssh [email protected]
This command will cause the client to attempt to connect to the server named server.example.com using the user ID UserName. Suppose this is the first time negotiating a connection between the local host and the server. In that case, the user will be prompted with the remote host’s public key fingerprint and prompted to connect despite no prior connection: The authenticity of host ‘sample.ssh.com’ cannot be established.
DSA key fingerprint is 01:23:45:67:89:ab:cd:ef:ff:fe:dc:ba:98:76:54:32:10.
Are you sure you want to continue connecting (yes/no)?
Answering yes to the prompt will cause the session to continue, and the host key is stored in the local system’s known_hosts file. This file is stored by default in a hidden directory called /.ssh/known_hosts in the user’s home directory. Once the host key has been stored in the known_hosts file, the client system can connect directly to that server again without needing approvals; the host key authenticates the connection.
What is SSH used for?
Present in all data centers, SSH ships by default with every Unix, Linux, and Mac server. SSH connections have been used to secure many communications between a local machine and a remote host, including remote access to resources, remote execution of commands, delivery of software patches and updates, and other administrative or management tasks.
In addition to creating a secure channel between local and remote computers, SSH manages routers, server hardware, virtualization platforms, operating systems (OSes), and inside systems management and file transfer applications.
Secure Shell connects to servers, makes changes, performs uploads, and exits using tools or directly through the terminal. SSH keys can be employed to automate server access and often are used in scripts, backup systems, and configuration management tools.
Designed to be convenient and work across organizational boundaries, SSH keys provide single sign-on (SSO) so that users can move between their accounts without typing a password each time.
While playing pivotal roles in identity and access management, SSH does more than authenticate over an encrypted connection. All SSH traffic is encrypted. Whether users are transferring a file, browsing the web, or running a command, their actions are private.
While it is possible to use SSH with an ordinary user ID and password as credentials, SSH relies more often on public key pairs to authenticate hosts to each other. Individual users must still employ their user ID and password — or other authentication methods — to connect to the remote host. Still, the local machine and the remote machine authenticate separately to each other. This is accomplished by generating a unique public key pair for each host in the communication. A single session requires two public key pairs: one public key pair to authenticate the remote machine to the local machine and a second public key pair to authenticate the local machine to the remote machine.
Secure Shell Capabilities
Functions that SSH enables include the following:
- secure remote access to SSH-enabled network systems or devices for users, as well as automated processes;
- secure and interactive file transfer sessions;
- automated and secured file transfers;
- secure issuance of commands on remote devices or systems, and
- secure management of network infrastructure components.
SSH can be used interactively to enable terminal sessions and should be used instead of the less secure Telnet program. SSH is also commonly used in scripts and other software to enable programs and systems to remotely and securely access data and other resources.
The History of SSH
The first version of SSH appeared in 1995 and was designed by Tatu Ylönen, who was, at the time, a researcher at Helsinki University of Technology and later started SSH Communications Security, a cybersecurity vendor based in Finland.
Over time, various flaws were found in SSH-1. That version is now considered to be deprecated and not safe to use.
SSH-2, the current version of Secure Shell protocols, was adopted as a Standards Track specification by the Internet Engineering Task Force (IETF) in 2006. SSH-2 is incompatible with SSH-1 and uses a Diffie-Hellman key exchange and a stronger integrity check that uses message authentication codes to improve security.
SSH clients and servers can use several encryption methods, and the most widely used are Advanced Encryption Standard (AES) and Blowfish.
There are no known exploitable vulnerabilities in SSH-2, though information leaked by Edward Snowden in 2013 suggested the National Security Agency (NSA) may be able to decrypt some SSH traffic.
Secure Shell security issues
Enterprises using SSH should consider finding ways to manage host keys stored on client systems. These keys can accumulate over time, especially for information technology (IT) staff who need to be able to access remote hosts for management purposes.
Because the data stored in an SSH known_hosts file can be used to gain authenticated access to remote systems, organizations should be aware of the existence of these files. They should have a standard process for retaining control over the files, even after a system is taken out of commission, as the hard drives may have this data stored in plaintext.
Developers should be careful when incorporating SSH commands or functions in a script or other type of program. While it is possible to issue an SSH command that includes a user ID and password to authenticate the local machine user to an account on the remote host, it may expose the credentials to an attacker with access to the source code.
Shellshock, a security hole in the Bash command processor, can be executed over SSH but is a vulnerability in Bash, not in SSH.
The biggest threat to SSH is poor key management. Without the proper centralized creation, rotation, and removal of SSH keys, organizations can lose control over who has access to which resources and when particularly when SSH is used in automated application-to-application processes.
SSH vs. Telnet
Telnet was one of the first internet application protocols — the other is FTP. It initiates and maintains a terminal emulation session on a remote host.
SSH and Telnet are functionally similar, with the primary difference being that the SSH protocol uses public key cryptography to authenticate endpoints when setting up a terminal session and encrypting session commands and output.
While Telnet is primarily used for terminal emulation, SSH can be used to do terminal emulation — similar to the rlogin command — as well as for issuing commands remotely as with rsh, transferring files using SSH File Transfer Protocol (SFTP) and tunneling other applications.
SSH vs. SSL/TLS
The Transport Layer Security (TLS) protocol, which updates the Secure Sockets Layer (SSL) protocol, was designed to provide security for network transmissions at the transport layer. The SSH protocol also operates at or just above the transport layer, but there are important differences between the two protocols.
While both rely on public/private key pairs to authenticate hosts, only the server is authenticated with a key pair under TLS. SSH uses a separate key pair to authenticate each connection: one key pair from a local machine to a remote machine and a second key pair to authenticate the connection from the remote machine to the local machine.
Another difference between SSH and TLS is that TLS enables connections to be encrypted without authentication or authenticated without encryption. SSH encrypts and authenticates all connections.
SSH provides IT and information security (infosec) professionals a secure mechanism to manage SSH clients remotely. SSH authenticates the devices themselves rather than requiring password authentication to initialize a connection between an SSH client and server. IT staff can connect with remote systems and modify SSH configurations, including adding or removing host key pairs in the known_hosts file.
SSH implementations
SSH is an open protocol. It has been implemented for most computing platforms. The open-source OpenSSH implementation is commonly found on Linux, Unix, and other OSes based on Berkeley Software Distribution (BSD), including Apple’s macOS.
OpenSSH was ported to run in Windows PowerShell starting in 2015. In 2018, optional OpenSSH support was added to Windows 10. While SSH is directly accessible by default in most Unix-like OSes, Microsoft’s ported version of OpenSSH must be explicitly enabled in the Windows Settings app.
PuTTY is another open-source implementation of SSH. While it currently is available for Windows, macOS and Unix/BSD, PuTTY was originally written to run on Windows. It has long been one of the top options for using SSH on a Windows system.
Most implementations of the SSH suite comprise three utilities:
- slogin (secure login)
- ssh
- scp (secure copy)
These are secure versions of the earlier insecure Unix utilities: rlogin, rsh, and rcp.
SSH uses public key cryptography to authenticate the remote computer and enables the remote computer to authenticate the user, if necessary.
Dozens of SSH implementations are currently available for various platforms and under various open-source and proprietary licenses.
SSH commands
While there are graphical implementations of SSH, the program is usually invoked at the command line or executed as part of a script. Running the ssh command independently, with no arguments such as a destination host or user ID, returns a list of SSH command parameters and options.
The most basic form of SSH command is to invoke the program and the destination host name or Internet Protocol (IP) address:ssh server.example.org
This will connect to the destination, server.example.org. The destination host will respond by prompting for a password for the user ID of the account the client is running under. In other words, if the user ID is jsmith, the remote host will ask for a password associated with the account jsmith on the remote host.
In many cases, the user ID for the remote host will be different, in which case the command should be issued with the remote host user ID, like this:ssh [email protected]
SSH can also be used from the command line to issue a single command on the remote host and then exit — for example:
ssh example.org ls
This command executes the Unix ls command, which lists all contents of the current directory on the remote host. While this example is trivial, it demonstrates that SSH can be used to execute more interesting commands on a remote host. For example, a command can be crafted that initializes a server instance that will give a remote machine access to a single file — or other resource — and then terminate the server after the file is accessed by the specified remote host.
In addition to the ssh executable, SSH has other executable commands used at the command line for additional functions, including the following:
- sshd initiates the SSH server, which waits for incoming SSH connection requests and enables authorized systems to connect to the local host.
- ssh-keygen is a program to create a new authentication key pair for SSH, which can be used to automate logins, implement SSO, and authenticate hosts.
- ssh-copy-id is a program used to copy, install, and configure an SSH key on a server to automate passwordless logins and SSO.
- ssh-agent is a helper program that tracks identity keys and their passphrases — from which SSH derives an encryption key — and enables the user to use the identity keys to log in to different servers without reentering passwords or passphrases.
- ssh-add is used to add a key to the SSH authentication agent and with ssh-agent to implement SSO using SSH.
- scp is a program used for copying files from one computer to another and is an SSH-secured version of FTP.
- sftp is a program used to copy files from one computer to another and is an SSH-secured version of FTP, the original File Transfer Protocol. SFTP has become the preferred mechanism for file sharing over the internet, replacing FTP and FTP/S (FTP Secure), a protocol for using FTP over an SSL/TLS tunnel.
What is SSH tunneling?
SSH tunneling, also known as SSH port forwarding, is a technique that enables a user to open a secure tunnel between a local host and a remote host.
SSH port forwarding redirects network traffic to a particular port/IP address so that a remote host is made directly accessible by applications on the local host. The destination may be on the remote SSH server, or that server may be configured to forward to another remote host.
SSH tunnels are powerful tools for IT administrators and malicious actors because they can transit an enterprise firewall undetected. As a result, tools are available to prevent unauthorized use of SSH tunnels through a corporate firewall.