indexterm:[OpenSSH] `SSH` (Secure Shell) is a protocol which facilitates secure communications between two systems using a client-server architecture and allows users to log into server host systems remotely. Unlike other remote communication protocols, such as `FTP`, `Telnet`, or [command]#rlogin#, SSH encrypts the login session, making it difficult for intruders to collect unencrypted passwords.
The [application]*ssh* program is designed to replace older, less secure terminal applications used to log into remote hosts, such as [command]#telnet# or [command]#rsh#. A related program called [command]#scp# replaces older programs designed to copy files between hosts, such as [command]#rcp#. Because these older applications do not encrypt passwords transmitted between the client and the server, avoid them whenever possible. Using secure methods to log into remote systems decreases the risks for both the client system and the remote host.
{MAJOROS} includes the general OpenSSH package, [package]*openssh*, as well as the OpenSSH server, [package]*openssh-server*, and client, [package]*openssh-clients*, packages. Note, the OpenSSH packages require the OpenSSL package [package]*openssl-libs*, which installs several important cryptographic libraries, enabling OpenSSH to provide encrypted communications.
== The SSH Protocol

=== Why Use SSH?
indexterm:[SSH protocol,security risks] Potential intruders have a variety of tools at their disposal enabling them to disrupt, intercept, and re-route network traffic in an effort to gain access to a system. In general terms, these threats can be categorized as follows:
Interception of communication between two systems::
The attacker can be somewhere on the network between the communicating parties, copying any information passed between them. The attacker may intercept and keep the information, or alter the information and send it on to the intended recipient.
+
This attack is usually performed using a _packet sniffer_, a rather common network utility that captures each packet flowing through the network and analyzes its content.
Impersonation of a particular host::
The attacker's system is configured to pose as the intended recipient of a transmission. If this strategy works, the user's system remains unaware that it is communicating with the wrong host.
+
This attack can be performed using a technique known as _DNS poisoning_, or via so-called _IP spoofing_. In the first case, the intruder uses a compromised DNS server to point client systems to a maliciously duplicated host. In the second case, the intruder sends falsified network packets that appear to be from a trusted host.
Both techniques intercept potentially sensitive information and, if the interception is made for hostile reasons, the results can be disastrous. If SSH is used for remote shell login and file copying, these security threats can be greatly diminished, because the SSH client and server use digital signatures to verify their identity. Additionally, all communication between the client and server systems is encrypted. Attempts to spoof the identity of either side of a communication do not work, since each packet is encrypted using a key known only to the local and remote systems.
=== Main Features
indexterm:[SSH protocol,features]indexterm:[OpenSSH,SSH] The SSH protocol provides the following safeguards:
No one can pose as the intended server::
After an initial connection, the client can verify that it is connecting to the same server it had connected to previously.

No one can capture the authentication information::
The client transmits its authentication information to the server using strong encryption.
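The two guarantees discussed above, that the server proves its identity with a digital signature and that the client can recognise a server it has connected to before, both rest on the client's `known_hosts` file. The example below is added here and is not part of the original guide or of OpenSSH itself; it shows how a client-side check of a presented host key works, using only the Python standard library. The host names, the fixed salt, and the key blobs are constructed sample values, not real servers or keys. The hashed-host format (`|1|salt|HMAC-SHA1(salt, hostname)`) and the `SHA256:` fingerprint format are the ones OpenSSH uses; everything else (function names, the three-way result) is this example's own design.

```python
import base64
import hashlib
import hmac

# Constructed sample key blobs (not real SSH keys); a real entry would carry
# the server's actual ssh-ed25519 or ssh-rsa public key in base64.
SAMPLE_KEY_TYPE = "ssh-ed25519"
SAMPLE_KEY_BLOB = base64.b64encode(b"constructed-example-host-key-blob-0001").decode()
OTHER_KEY_BLOB = base64.b64encode(b"constructed-example-host-key-blob-0002").decode()

# Fixed salt so the hashed known_hosts line below is reproducible (constructed).
SALT = bytes(range(20))


def fingerprint(key_b64: str) -> str:
    """OpenSSH-style SHA256 fingerprint of a base64-encoded key blob."""
    digest = hashlib.sha256(base64.b64decode(key_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def hash_hostname(hostname: str, salt: bytes) -> str:
    """Build a hashed known_hosts host field, as written by HashKnownHosts yes."""
    mac = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(), base64.b64encode(mac).decode())


def host_matches(field: str, hostname: str) -> bool:
    """True if a known_hosts host field (plain, comma-separated, or hashed) names hostname."""
    if field.startswith("|1|"):
        _, _, salt_b64, mac_b64 = field.split("|")
        salt = base64.b64decode(salt_b64)
        expected = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(expected, base64.b64decode(mac_b64))
    return hostname in field.split(",")


def check_known_hosts(known_hosts_text: str, hostname: str, key_type: str, key_b64: str) -> str:
    """Classify a presented host key against known_hosts.

    Returns "match" (same key as before), "mismatch" (the host is known but
    presents a different key of the same type, the case OpenSSH warns loudly
    about), or "unknown" (first contact; the user must verify the fingerprint
    out of band before trusting it).
    """
    saw_host = False
    for line in known_hosts_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        # @cert-authority / @revoked marker lines are outside this example's scope.
        if parts[0].startswith("@") or len(parts) < 3:
            continue
        host_field, ktype, kblob = parts[0], parts[1], parts[2]
        if ktype != key_type or not host_matches(host_field, hostname):
            continue
        saw_host = True
        if hmac.compare_digest(kblob.encode(), key_b64.encode()):
            return "match"
    return "mismatch" if saw_host else "unknown"


# Constructed sample known_hosts: one plain entry with an alias, one hashed entry.
KNOWN_HOSTS = "\n".join([
    "# constructed sample known_hosts",
    "build.example.org,192.0.2.10 %s %s" % (SAMPLE_KEY_TYPE, SAMPLE_KEY_BLOB),
    "%s %s %s" % (hash_hostname("backup.example.org", SALT), SAMPLE_KEY_TYPE, SAMPLE_KEY_BLOB),
])


if __name__ == "__main__":
    for host, blob in [("build.example.org", SAMPLE_KEY_BLOB),
                       ("192.0.2.10", SAMPLE_KEY_BLOB),
                       ("backup.example.org", SAMPLE_KEY_BLOB),
                       ("build.example.org", OTHER_KEY_BLOB),
                       ("new.example.org", SAMPLE_KEY_BLOB)]:
        print(host, fingerprint(blob), check_known_hosts(KNOWN_HOSTS, host, SAMPLE_KEY_TYPE, blob))
```

The "mismatch" outcome is the interesting one for a defender: it is exactly what the guarantee "no one can pose as the intended server" buys you, because a host that has been impersonated through DNS poisoning or IP spoofing cannot present the previously recorded key. The "unknown" outcome is where the guarantee does not yet apply, which is why the fingerprint of a first-contact server should be confirmed through a channel the attacker does not control.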