Home Search Center IP Encyclopedia

What Is SSH?

Secure Shell (SSH) is a network security protocol that employs encryption and authentication mechanisms to implement services such as secure access and file transfer. Traditional remote login or file transfer methods, such as Telnet and FTP, transmit data in cleartext, which poses many security risks. As cyber security is becoming more important, these methods are gradually becoming less accepted. SSH encrypts and authenticates network data to provide a secure login and other secure network services in an insecure network environment. As a secure alternative solution to Telnet and other insecure remote shell protocols, the SSH protocol has been widely used around the world, and most devices support SSH.

What Are SSH Port Numbers?

When SSH is applied to STelnet, SFTP, and SCP, the default SSH port number is 22. When SSH is applied to NETCONF, you can set the SSH port number to 22 or 830. An SSH port can be modified. After an SSH port is modified, all current connections are disconnected, and the SSH server begins listening to the newly specified port.

How Does SSH Work?

SSH involves a server and a client. To establish a secure SSH channel, the server-client communication process consists of the following phases:

  1. Connection establishment

    The SSH server listens to a connection request sent by the client on a specific port. After the client sends a connection request to the server, a TCP connection is set up between the client and server.

  2. Version negotiation

    SSH has two versions: SSH1.X (earlier than SSH2.0) and SSH2.0. Compared with SSH1.X, SSH2.0 has an extended structure, supports more authentication methods and key exchange methods, and improves service capabilities. The SSH server and client negotiate with each other to determine an SSH version to be used.

  3. Algorithm negotiation

    SSH supports multiple encryption algorithms. Based on the algorithms supported by the two parties, they negotiate a key exchange algorithm for generating session keys, encryption algorithm for encrypting data, public key algorithm for digital signature and authentication, and HMAC algorithm for data integrity protection.

  4. Key exchange

    The server and client use a key exchange algorithm to dynamically generate a shared session key and session ID used to establish an encrypted channel. The session key is used to encrypt subsequent data for transmission, and the session ID is used to identify the related SSH connection during authentication.

  5. User authentication

    The client sends an authentication request to the server, and then the server authenticates the client. SSH supports the following authentication modes:

    • Password authentication: The client sends the encrypted username and password to the server. The server decrypts the username and password, compares them with the locally stored username and password, respectively, and returns an authentication success or failure message to the client.
    • Public key authentication: The client uses the username, public key, and public key algorithm to exchange data with the server for authentication.
    • Password+public key authentication: The client can log in to the system only after being authenticated by the server using both password authentication and public key authentication.
    • All: Either password authentication or public key authentication is required for the client.
  6. Session request

    After the authentication succeeds, the SSH client sends a session request to the server, requesting the server to provide a certain type of service. That is, the SSH client requests to establish a session with the server.

  7. Session interaction

    After a session is established, the SSH server and client exchange data.

Using PuTTY and OpenSSH

PuTTY is a classic SSH connection tool used for free on the Windows operating system. It is typically used to remotely log in to a device using SSH. The latest version can be downloaded from the official PuTTY website.

OpenSSH is an open-source implementation of the SSH protocol and can run on the Unix operating system. The latest version can be downloaded from the official OpenSSH website. The Windows 10 operating system already provides the OpenSSH client and server software. You can click Settings, and select Apps > Apps & Features. At the top of the page, select Add a feature, and click OpenSSH Client and OpenSSH Server to install them.

SSH Keys

Symmetric Encryption and Asymmetric Encryption

The basic method for improving security is encryption. An encryption algorithm uses a key to convert cleartext data into ciphertext data for secure transmission. SSH uses both symmetric and asymmetric encryption algorithms and pre-generated SSH keys to ensure data transmission security. The following figure shows the encryption and decryption processes of the two encryption algorithms.

Symmetric encryption algorithm
Symmetric encryption algorithm
Asymmetric encryption algorithm
Asymmetric encryption algorithm

The symmetric encryption algorithm uses the same key to encrypt and decrypt data. During SSH connection establishment, to generate a symmetric key which is used as a session key, the client and server use a key exchange algorithm to calculate the key based on some shared information and their own private data. The symmetric encryption algorithm is applicable to scenarios where a large amount of data needs to be transmitted because this algorithm delivers fast encryption and decryption.

In asymmetric encryption, sending and receiving information require a pair of associated SSH keys, that is, a public key and private key, respectively. The private key is kept by the party that generates it, and the public key can be sent to any party that requests communication. The sender uses the received public key to encrypt communication content. Only the receiver can use the private key to decrypt the communication content. The private key for asymmetric encryption does not need to be exposed on the network, which greatly improves security. However, encryption and decryption are much slower than those in the symmetric encryption algorithm scenario.

Asymmetric encryption is used in the two phases of the SSH connection. In the key exchange phase, both the server and client generate their own temporary public and private keys, which are used to calculate the same session key for encrypting subsequent communication content. In the user authentication phase, as only the matched private key can be used to decrypt the content encrypted using the public key, the server uses the public key and private key of the client to verify the identity of the client.

Key Authentication

Password authentication and key authentication are used as two basic SSH user authentication methods. For password authentication, the username and password are sent to the server for authentication. This method is simple and requires the username and password for each login. For key authentication, the server uses the client's public and private keys to verify a user's identity, implementing a secure, password-free login. It is a widely used and recommended login mode. The basic principle of key authentication is that the server uses the public key of the client to encrypt random content, and the client uses its private key to decrypt the content and sends the decrypted content to the server for identity verification. The following figure shows the detailed process.

SSH key authentication-based login process
SSH key authentication-based login process
  1. Before setting up an SSH connection, the SSH client needs to generate its own public and private key pair and store its public key on the SSH server.
  2. The SSH client sends a login request to the SSH server. The SSH server searches for the public key of the client based on the username in the request, encrypts a random number using the public key, and sends the encrypted random number to the client.
  3. Upon receipt, the client uses its own private key to decrypt the returned information before sending the decrypted information to the server.
  4. The server checks whether the decrypted information sent by the client is correct. If the information is correct, authentication is successful.
About This Topic
  • Author: Gu Peiyue, Feng Yuanyuan
  • Updated on: 2021-12-14
  • Views: 11142
  • Average rating: