Sunday, November 11, 2007 at 7:32 AM
Secure Shell or SSH is a network protocol that allows data to be exchanged over a secure channel between two computers. Encryption provides confidentiality and integrity of data. SSH uses public-key cryptography to authenticate the remote computer and allow the remote computer to authenticate the user, if necessary.
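The host-authentication step described above is the check a client performs against its known_hosts file before any password or user key goes over the wire. The following Python is an added example, not code from the original post or from any SSH implementation: it wire-encodes a constructed (not real) ssh-ed25519 public key, computes the SHA256 fingerprint in the same form that ssh-keygen -lf prints, and applies the known_hosts decision (trusted, changed, unknown) to an unhashed known_hosts line. The host names, keys and known_hosts contents are all constructed sample values; real OpenSSH also supports hashed host entries and @cert-authority / @revoked markers, which this simplified check omits.

```python
import base64
import hashlib
import struct


def ssh_string(b: bytes) -> bytes:
    """Encode bytes as an SSH wire 'string': uint32 big-endian length + data."""
    return struct.pack(">I", len(b)) + b


def make_pubkey_line(key_type: str, raw_key: bytes, comment: str = "") -> str:
    """Build an OpenSSH-format public key line ('type base64blob [comment]')
    from a raw key; used here only to construct sample keys."""
    blob = ssh_string(key_type.encode()) + ssh_string(raw_key)
    line = f"{key_type} {base64.b64encode(blob).decode()}"
    return f"{line} {comment}" if comment else line


def parse_pubkey(line: str):
    """Return (key_type, blob) from a public key line, checking that the type
    announced outside the blob matches the type encoded inside it."""
    parts = line.split()
    if len(parts) < 2:
        raise ValueError("malformed public key line")
    key_type = parts[0]
    blob = base64.b64decode(parts[1], validate=True)
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n].decode() != key_type:
        raise ValueError("key type mismatch between field and blob")
    return key_type, blob


def fingerprint_sha256(blob: bytes) -> str:
    """SHA256:<unpadded base64 of sha256(blob)>, the form ssh-keygen -lf prints."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def check_known_host(known_hosts: str, host: str, presented_key: str) -> str:
    """Simplified client decision for an unhashed known_hosts file:
    'trusted' - host listed with exactly this key; proceed.
    'changed' - host listed but with a different key; a possible
                man-in-the-middle, so the client must refuse.
    'unknown' - host not listed; first contact, so the fingerprint has to be
                verified out of band before accepting it."""
    ptype, pblob = parse_pubkey(presented_key)
    seen_host = False
    for line in known_hosts.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        hosts, key_line = line.split(None, 1)
        if host not in hosts.split(","):
            continue
        seen_host = True
        ktype, kblob = parse_pubkey(key_line)
        if ktype == ptype and kblob == pblob:
            return "trusted"
    return "changed" if seen_host else "unknown"


# Constructed sample data: neither key is a real host key.
KEY_A = make_pubkey_line("ssh-ed25519", bytes(range(32)), "server-a")
KEY_B = make_pubkey_line("ssh-ed25519", bytes(range(32, 64)), "impostor")
KNOWN_HOSTS = "# constructed sample known_hosts\n" \
              "server-a.example,10.0.0.5 " + KEY_A + "\n"

if __name__ == "__main__":
    print(fingerprint_sha256(parse_pubkey(KEY_A)[1]))
    print(check_known_host(KNOWN_HOSTS, "server-a.example", KEY_A))  # trusted
    print(check_known_host(KNOWN_HOSTS, "10.0.0.5", KEY_B))          # changed
    print(check_known_host(KNOWN_HOSTS, "other.example", KEY_A))     # unknown
```

The "changed" outcome is the case worth alerting on: a client that lets a user type a password after that warning hands the password to whoever presented the new key.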
SSH is typically used to log into a remote machine and execute commands, but it also supports tunneling, forwarding arbitrary TCP ports and X11 connections; it can transfer files using the associated SFTP or SCP protocols.
An SSH server, by default, listens on the standard TCP port 22.
An ssh client program is typically used for establishing connections to an sshd daemon accepting remote connections. Both are commonly present on most modern operating systems, including Mac OS X, Linux, Solaris and OpenVMS. Proprietary, freeware and open source versions of various levels of complexity and completeness exist.
History
In 1995, Tatu Ylönen, a researcher at Helsinki University of Technology, Finland, designed the first version of the protocol (now called SSH-1), prompted by a password-sniffing attack on his university network. The goal of SSH was to replace the earlier rlogin, TELNET and rsh protocols, which did not provide strong authentication or guarantee confidentiality. Ylönen released his implementation as freeware in July 1995, and the tool quickly gained in popularity. Towards the end of 1995, the SSH user base had grown to 20,000 users in fifty countries.
In December 1995, Ylönen founded SSH Communications Security to market and develop SSH. The original version of the SSH software used various pieces of free software, such as GNU libgmp, but later versions released by SSH Communications Security evolved into increasingly proprietary software.
In 1996, a revised version of the protocol, SSH-2, was designed, incompatible with SSH-1. SSH-2 features both security and feature improvements over SSH-1. Better security, for example, comes through Diffie-Hellman key exchange and strong integrity checking via message authentication codes. New features of SSH-2 include the ability to run any number of shell sessions over a single SSH connection.[1]
In 1999, developers wanting a free software version to be available went back to the older 1.2.12 release of the original ssh program, which was the last released under an open source license. Björn Grönvall's OSSH was subsequently developed from this codebase. Shortly thereafter, OpenBSD developers forked Björn's code and did extensive work on it, creating OpenSSH, which shipped with the 2.6 release of OpenBSD. From this version, a "portability" branch was formed to port OpenSSH to other operating systems.
It is estimated that, at the end of 2000, there were 2,000,000 users of SSH.[2]
As of 2005, OpenSSH is the single most popular ssh implementation, coming by default in a large number of operating systems. OSSH meanwhile has become obsolete.[3]
In 2006, the aforementioned SSH-2 protocol became a proposed Internet standard with the publication by the IETF "secsh" working group of RFCs (see references).
Uses of SSH
SSH is most commonly used:
* with an SSH client that supports terminal protocols, for remote administration of the SSH server computer via a terminal (character-mode) console; this can serve as an alternative to a physical console on a headless server;
* in combination with SFTP, as a secure alternative to FTP which can be set up more easily on a small scale, without a public key infrastructure and X.509 certificates;
* in combination with rsync, to back up, copy and mirror files efficiently and securely;
* in combination with SCP, as a secure alternative to rcp file transfers—more often used in Unix environments;
* for port forwarding or tunneling, frequently as an alternative to a full-fledged VPN. In this type of use, a (non-secure) TCP/IP connection of an external application is redirected to the SSH program (client or server), which forwards it to the other SSH party (server or client), which in turn forwards the connection to the desired destination host. The forwarded connection is encrypted and protected on the path between the SSH client and server only. Uses of SSH port forwarding include accessing database servers, email servers, securing X11, Windows Remote Desktop and VNC connections or even forwarding Windows file shares. This is primarily useful for tunneling connections through firewalls which would ordinarily block that type of connection, and for encrypting protocols which are not normally encrypted (e.g. VNC).
* ssh and rdesktop. Three computers are involved: the computer that will run rdesktop and ssh, a middle computer used to gain access to the remote network, and the final computer whose desktop you want rdesktop to display. Run "ssh -L3389:mytarget.mycompany.net:3389 sshtarget.mycompany.net", log into the middle computer and do nothing further in that session. Open another shell on the first computer and type rdesktop localhost. This uses the middle computer to forward port 3389 from the end computer to the first computer. On Windows, run ssh with a different local port, e.g. "ssh -L3390:mydesktop.mycompany.net:3389 sshserver.mycompany.net", then start the native Windows Remote Desktop client and enter localhost:3390 to connect to "mydesktop.mycompany.net".
* sometimes you may log into one machine from your local host, then log in from there to another machine, and run an X application (e.g. xterm, matlab) on the last machine to display on your local display. This is especially useful for running X applications on a department host from off campus, when you have had to connect through another department host which is reachable for ssh login through the campus firewall. Essentially, you want to channel the X window through a series of logins back to the host at which you are sitting. The best way to do this is to use the X11-forwarding feature of ssh. For Unix/Linux to Unix/Linux, force an X11-forwarding request with the '-X' option (capital X): ssh -X host.com
* X11 forwarding through multiple hosts: ssh -X hostA.com → ssh -X hostB.com → ssh -X hostC.com. Check that the tunnel is working at every step by running something like xterm on host B, then on host C. If this does not work, -Y (trusted X11 forwarding) may be needed: ssh -X -Y hostA.com → ssh -X -Y hostB.com → ssh -X -Y hostC.com. Note that -Y exempts the remote clients from the X SECURITY extension restrictions, so it should only be used towards hosts you trust with full access to your local X display.
* with an SSH client that supports dynamic port forwarding (presenting to other programs a SOCKS or HTTP 'CONNECT' proxy interface), SSH can even be used for general web browsing through an encrypted proxy connection, using the SSH server as the proxy;
* with an SSH client that supports SSH exec requests (frequently embedded in other software, e.g. a network monitoring program), for automated remote monitoring and management of servers;
* using just a normal ssh login on a server, the SSH Filesystem (SSHFS) can securely mount a directory on the server as a filesystem on the local computer.
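The port-forwarding items above describe the relay that ssh -L performs: an application connects to a local port, and ssh carries that connection to the destination host on the far side of the server. To make the mechanics concrete, this added Python example (not from the original post or from OpenSSH) implements only the relay half of that behaviour, without the encrypted hop, so the plaintext leg the text mentions stays visible: whatever the application sends to the forwarder travels in the clear on that first leg, which is why the forwarder binds to 127.0.0.1 only, as ssh -L does unless -g or GatewayPorts is set. The echo server stands in for a destination such as a desktop listening on 3389; all ports are chosen dynamically and all traffic is constructed sample data.

```python
import socket
import threading


def _pump(src: socket.socket, dst: socket.socket) -> None:
    """Copy bytes from src to dst until src reaches EOF, then half-close dst so
    the far side sees the same EOF. Any socket error ends this direction."""
    try:
        while True:
            data = src.recv(4096)
            if not data:
                break
            dst.sendall(data)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


def start_forwarder(bind_host: str, bind_port: int,
                    dest_host: str, dest_port: int) -> int:
    """Listen on bind_host:bind_port; for every accepted connection open a TCP
    connection to dest_host:dest_port and relay bytes in both directions.
    Returns the bound port (useful when bind_port is 0). Keep bind_host on the
    loopback address: binding 0.0.0.0 would let any host on the network use
    the tunnel, which is what ssh's -g / GatewayPorts option does."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    listener.bind((bind_host, bind_port))
    listener.listen(8)

    def serve() -> None:
        while True:
            client, _ = listener.accept()
            try:
                upstream = socket.create_connection((dest_host, dest_port), timeout=5)
            except OSError:
                # Destination unreachable: drop this client, keep serving others,
                # the way ssh closes the local connection on a channel open failure.
                client.close()
                continue
            threading.Thread(target=_pump, args=(client, upstream), daemon=True).start()
            threading.Thread(target=_pump, args=(upstream, client), daemon=True).start()

    threading.Thread(target=serve, daemon=True).start()
    return listener.getsockname()[1]


def start_echo_server() -> int:
    """Constructed stand-in for the 'desired destination host': echoes bytes back."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(8)

    def serve() -> None:
        while True:
            conn, _ = srv.accept()
            threading.Thread(target=_pump, args=(conn, conn), daemon=True).start()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


def roundtrip_through_forwarder(payload: bytes) -> bytes:
    """Send payload to the local forwarder and return what the destination
    echoed back through the relay."""
    dest_port = start_echo_server()
    local_port = start_forwarder("127.0.0.1", 0, "127.0.0.1", dest_port)
    with socket.create_connection(("127.0.0.1", local_port), timeout=5) as c:
        c.sendall(payload)
        c.shutdown(socket.SHUT_WR)
        chunks = []
        while True:
            data = c.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks)


def probe_unreachable_destination() -> bytes:
    """What an application sees when the forwarder cannot reach its destination:
    an immediate EOF (empty read) rather than a hang."""
    tmp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tmp.bind(("127.0.0.1", 0))
    dead_port = tmp.getsockname()[1]   # nothing will be listening here
    tmp.close()
    local_port = start_forwarder("127.0.0.1", 0, "127.0.0.1", dead_port)
    with socket.create_connection(("127.0.0.1", local_port), timeout=5) as c:
        return c.recv(4096)


if __name__ == "__main__":
    print(roundtrip_through_forwarder(b"constructed RDP-like payload"))
    print(probe_unreachable_destination())
```

The two-thread relay is the whole of what a local forward does at the socket level; everything else ssh adds is the encrypted, authenticated channel between client and server that this example deliberately leaves out.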
Posted by
admin
Labels:
Info IT