SSH (Secure Shell) is a network security protocol that provides secure remote access and file transfer through encryption and authentication. Traditional remote login and file transfer methods such as Telnet and FTP transmit everything, credentials included, in plain text, which exposes them to eavesdropping and tampering. As attention to network security has grown, these methods have become unacceptable. SSH provides secure login and other secure network services over an insecure network by encrypting and authenticating the traffic. As a secure replacement for Telnet and other insecure remote shell protocols, SSH is used worldwide, and most devices support it.

What is the SSH port number?

When SSH carries STelnet, SFTP or SCP, the default port is TCP 22. When SSH carries NETCONF, the port can be 22 or 830 (830 is the port registered for NETCONF over SSH). The SSH port can be changed; after the change, all current connections are disconnected and the server starts listening on the new port. Moving the port only reduces noise from automated scanners: a port scan still finds the service, so the change is not a substitute for strong authentication and current algorithms.

How does SSH work?

SSH consists of a server and a client. Establishing a secure SSH channel goes through the following stages:

(1) Connection establishment
The SSH server listens for connection requests on the configured port. The client initiates a connection request, and the two sides establish a TCP connection.

(2) Version negotiation
The SSH protocol exists as SSH1.X (versions before SSH2.0) and SSH2.0. Compared with SSH1.X, SSH2.0 was restructured to support more authentication methods and key exchange methods and to improve service capabilities. SSH1.X is obsolete and insecure and should be disabled wherever a device still offers it. Each side sends an identification string of the form "SSH-2.0-software comments", and from these the two sides determine the protocol version to use.

(3) Algorithm negotiation
SSH supports multiple algorithms.
From the algorithms each side supports, the two sides negotiate the key exchange algorithm used to generate session keys, the encryption algorithm used to protect data, the public key algorithm used for digital signatures and authentication, and the HMAC algorithm used to protect data integrity. For each category the result is the first algorithm in the client's list that the server also supports; if any category has no common algorithm, the connection fails. This is why a server configured with only obsolete algorithms cannot be reached by a modern client, and why both lists should be reviewed: a weak algorithm that both sides list can end up selected.

(4) Key exchange
Using the negotiated key exchange algorithm, the server and client derive a shared session key and a session ID and bring up the encrypted channel. The session key encrypts all subsequent traffic; the session ID (the hash computed during the first key exchange) identifies this connection and is included in the data signed during authentication.

(5) User authentication
The client sends an authentication request and the server authenticates it. SSH supports several authentication methods; the two most common, password authentication and public key authentication, are described under SSH Keys below.
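Stages (2) and (3) above, as an added example in Go that is not part of the original article or of any SSH implementation: it parses the identification line each side sends, checks that the peer can take part in an SSH 2.0 session, and applies the SSH_MSG_KEXINIT name-list rule to a pair of algorithm lists. The banner and the lists are constructed for the example, not captured from a real host; the algorithm names are standard SSH names.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// Identification is the parsed "SSH-protoversion-softwareversion SP comments" line (RFC 4253, 4.2).
type Identification struct {
	ProtoVersion, SoftwareVersion, Comments string
}

// ParseIdentification parses one line read from the peer. A server may send free-form
// text before its identification; such lines lack the "SSH-" prefix and are rejected so the caller skips them.
func ParseIdentification(line string) (Identification, error) {
	if len(line) > 255 { // limit includes CR LF (RFC 4253, 4.2)
		return Identification{}, errors.New("identification line longer than 255 bytes")
	}
	line = strings.TrimRight(line, "\r\n")
	if !strings.HasPrefix(line, "SSH-") {
		return Identification{}, errors.New("not an identification line")
	}
	idPart, comments, _ := strings.Cut(line, " ")
	parts := strings.SplitN(idPart, "-", 3)
	if len(parts) != 3 || parts[1] == "" || parts[2] == "" {
		return Identification{}, errors.New("malformed identification line")
	}
	return Identification{parts[1], parts[2], comments}, nil
}

// SpeaksSSH2 accepts "2.0" and "1.99", the value a server advertises when it
// supports both 1.x and 2.0 clients (RFC 4253, 5.1). Anything else means no 2.0 session.
func SpeaksSSH2(id Identification) bool {
	return id.ProtoVersion == "2.0" || id.ProtoVersion == "1.99"
}

// Negotiate applies the SSH_MSG_KEXINIT name-list rule (RFC 4253, 7.1): the first
// algorithm in the client's list that the server also lists wins, so the client's
// order decides. No match means the connection must be dropped.
func Negotiate(clientList, serverList string) (string, error) {
	offered := make(map[string]bool)
	for _, a := range strings.Split(serverList, ",") {
		offered[a] = true
	}
	for _, a := range strings.Split(clientList, ",") {
		if offered[a] {
			return a, nil
		}
	}
	return "", fmt.Errorf("no common algorithm (client %q, server %q)", clientList, serverList)
}

// KexInit holds the name-lists one side advertises. A real KEXINIT has separate
// client-to-server and server-to-client lists for cipher, MAC and compression; one of each suffices here.
type KexInit struct {
	Kex, HostKey, Cipher, MAC string
}

// NegotiateSuite stops at the first category with no common algorithm, where a real handshake fails.
func NegotiateSuite(client, server KexInit) (KexInit, error) {
	var out KexInit
	var err error
	pick := func(dst *string, c, s string) {
		if err == nil {
			*dst, err = Negotiate(c, s)
		}
	}
	pick(&out.Kex, client.Kex, server.Kex)
	pick(&out.HostKey, client.HostKey, server.HostKey)
	pick(&out.Cipher, client.Cipher, server.Cipher)
	pick(&out.MAC, client.MAC, server.MAC)
	return out, err
}

func main() {
	// Constructed banner and name-lists, not captured from a real host.
	id, err := ParseIdentification("SSH-2.0-OpenSSH_9.6p1 Ubuntu-3ubuntu13\r\n")
	fmt.Println(id, err, SpeaksSSH2(id))
	client := KexInit{
		Kex:     "curve25519-sha256,ecdh-sha2-nistp256,diffie-hellman-group14-sha256",
		HostKey: "ssh-ed25519,rsa-sha2-512,rsa-sha2-256",
		Cipher:  "chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-ctr",
		MAC:     "hmac-sha2-256-etm@openssh.com,hmac-sha2-256",
	}
	// The server lists the same algorithms in another order: the client's order wins.
	server := KexInit{
		Kex:     "diffie-hellman-group14-sha256,curve25519-sha256",
		HostKey: "rsa-sha2-256,ssh-ed25519",
		Cipher:  "aes128-ctr,aes256-gcm@openssh.com",
		MAC:     "hmac-sha2-256",
	}
	fmt.Println(NegotiateSuite(client, server))
	// A server offering only an obsolete key exchange gets no session at all.
	legacy := server
	legacy.Kex = "diffie-hellman-group1-sha1"
	_, err = NegotiateSuite(client, legacy)
	fmt.Println("legacy server:", err)
}
```

The same rule is what an audit of a device's SSH configuration should reproduce: read the server's advertised lists, apply the client's preference order, and see which algorithms can actually be negotiated. The real rule for the key exchange category has one extra condition (the chosen method must be usable with the negotiated host key algorithm), which this example omits.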
(6) Session request
After authentication, the client sends a session request asking the server for a particular service, that is, asking to open the corresponding session (a shell, the SFTP subsystem, a forwarded port, and so on).

(7) Session interaction
Once the session is established, the server and client exchange data over it. Everything after key exchange, authentication included, travels inside the encrypted channel.

Using PuTTY and OpenSSH

PuTTY is a classic free SSH client for Windows, usually used to log in to devices remotely over SSH. The latest version can be downloaded from the PuTTY official website. OpenSSH is an open source implementation of the SSH protocol that runs on Unix-like operating systems. The latest version can be downloaded from the OpenSSH official website. Windows 10 already includes the OpenSSH client and server, which can be found and installed under "Settings - Apps - Apps and Features - Optional Features".

SSH Keys

(1) Symmetric encryption and asymmetric encryption
The basic tool for improving security is encryption: an encryption algorithm turns plain text into cipher text under a key so that it can be transmitted safely. SSH combines symmetric and asymmetric algorithms, and uses pre-generated SSH keys, to protect the information it transmits. The encryption and decryption flow of the two kinds of algorithm is shown in the figure below.

Figure: symmetric encryption algorithm; asymmetric encryption algorithm

Symmetric algorithms use the same key to encrypt and decrypt. The session key produced while an SSH connection is being set up is a symmetric key; the client and server derive it with a key exchange algorithm from the public values they exchange and their own private values, so it is never itself sent over the network. Because symmetric algorithms encrypt and decrypt quickly, they are suited to bulk data transfer.
Asymmetric encryption uses a pair of related SSH keys, a public key and a private key. The private key stays with the party that generated it; the public key can be given to anyone who wants to communicate. A sender encrypts with the receiver's public key, and only the holder of the matching private key can decrypt. The private key never has to be exposed on the network, which greatly improves security, but asymmetric operations are much slower than symmetric ones. SSH uses asymmetric cryptography at two points. The first is key exchange, where server and client each generate an ephemeral public/private pair and compute the same session key from the other side's public value and their own private value (Diffie-Hellman or its elliptic-curve form); the server also signs the exchange with its long-term host key so the client can confirm it is talking to the right server. The second is user authentication, where the client proves possession of its private key by signing data that the server verifies with the client's public key.

(2) Key authentication
The two most basic SSH user authentication methods are password authentication and key authentication. With password authentication the client sends a username and password to the server. It is simple, but the password must be typed at every login and is exposed to guessing and brute-force attacks. Key authentication uses a public/private key pair to authenticate the client and gives a secure, password-free login; it is the widely used and recommended method. The principle is proof of possession of the private key. In SSH2 this is done with a signature rather than by the server encrypting a random value for the client to decrypt (the older SSH1 challenge method): the client signs a message containing the session ID from key exchange, the username, the service name and its own public key, and the server checks the signature against the public key stored for that user (the authorized_keys file on OpenSSH). Because the session ID is part of the signed data, a signature captured on one connection cannot be replayed on another. The specific process is shown in the figure below.

SSH key authentication login process:
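The SSH2 public key authentication exchange described above, as an added example that is not part of the original article or of any SSH implementation. Both sides are written with Go's standard library, the signed byte string follows RFC 4252 section 7 and the string encoding RFC 4251, and the session IDs are constructed stand-ins for the exchange hash that real key exchange produces. The example also shows the two ways the server's check must fail: a genuine signature replayed on a different connection, and a key that is not in the user's authorized set.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

const msgUserauthRequest = 50 // SSH_MSG_USERAUTH_REQUEST (RFC 4252)
// putString appends an SSH "string": uint32 big-endian length, then the bytes (RFC 4251, 5).
func putString(b *bytes.Buffer, s []byte) {
	var n [4]byte
	binary.BigEndian.PutUint32(n[:], uint32(len(s)))
	b.Write(n[:])
	b.Write(s)
}

// PublicKeyBlob encodes an Ed25519 public key as SSH does (string "ssh-ed25519",
// string key); authorized_keys stores this blob base64-encoded.
func PublicKeyBlob(pub ed25519.PublicKey) []byte {
	var b bytes.Buffer
	putString(&b, []byte("ssh-ed25519"))
	putString(&b, pub)
	return b.Bytes()
}

// parsePublicKeyBlob is the inverse; the server validates the format before verifying anything.
func parsePublicKeyBlob(blob []byte) (ed25519.PublicKey, bool) {
	const algo = "ssh-ed25519"
	if len(blob) != 4+len(algo)+4+ed25519.PublicKeySize ||
		binary.BigEndian.Uint32(blob[0:4]) != uint32(len(algo)) ||
		string(blob[4:4+len(algo)]) != algo ||
		binary.BigEndian.Uint32(blob[4+len(algo):8+len(algo)]) != ed25519.PublicKeySize {
		return nil, false
	}
	return ed25519.PublicKey(blob[8+len(algo):]), true
}

// SignedData is the byte string the client signs for "publickey" authentication
// (RFC 4252, 7). The session identifier from key exchange comes first, which
// binds the signature to this one connection.
func SignedData(sessionID []byte, user string, pubBlob []byte) []byte {
	var b bytes.Buffer
	putString(&b, sessionID)
	b.WriteByte(msgUserauthRequest)
	putString(&b, []byte(user))
	putString(&b, []byte("ssh-connection"))
	putString(&b, []byte("publickey"))
	b.WriteByte(1) // boolean TRUE: a signature is included
	putString(&b, []byte("ssh-ed25519"))
	putString(&b, pubBlob)
	return b.Bytes()
}

// ClientSign is the client's side: it proves possession of the private key by
// signing the request; the private key itself never leaves the client.
func ClientSign(priv ed25519.PrivateKey, sessionID []byte, user string) (pubBlob, sig []byte) {
	pubBlob = PublicKeyBlob(priv.Public().(ed25519.PublicKey))
	return pubBlob, ed25519.Sign(priv, SignedData(sessionID, user, pubBlob))
}

// ServerVerify is the server's side: the offered key must be authorized for the
// user, and the signature must verify over data rebuilt with the server's own
// session ID, so a signature captured on another connection is useless here.
func ServerVerify(authorized map[string]bool, sessionID []byte, user string, pubBlob, sig []byte) bool {
	if !authorized[string(pubBlob)] {
		return false
	}
	pub, ok := parsePublicKeyBlob(pubBlob)
	return ok && ed25519.Verify(pub, SignedData(sessionID, user, pubBlob), sig)
}

// Outcome records the three checks Run performs.
type Outcome struct{ Genuine, Replayed, Unauthorized bool }

// Run plays one client against one server. The session IDs are constructed
// stand-ins for the exchange hash H that real key exchange produces.
func Run() Outcome {
	pubAlice, privAlice, _ := ed25519.GenerateKey(rand.Reader)
	_, privMallory, _ := ed25519.GenerateKey(rand.Reader)
	authorized := map[string]bool{string(PublicKeyBlob(pubAlice)): true} // alice's authorized_keys
	sessA := sha256.Sum256([]byte("constructed exchange hash, connection A"))
	sessB := sha256.Sum256([]byte("constructed exchange hash, connection B"))
	blob, sig := ClientSign(privAlice, sessA[:], "alice")
	mBlob, mSig := ClientSign(privMallory, sessA[:], "alice")
	return Outcome{
		Genuine:      ServerVerify(authorized, sessA[:], "alice", blob, sig),
		Replayed:     ServerVerify(authorized, sessB[:], "alice", blob, sig), // same signature, other connection
		Unauthorized: ServerVerify(authorized, sessA[:], "alice", mBlob, mSig),
	}
}

func main() {
	fmt.Printf("%+v\n", Run())
}
```

Run prints Genuine:true Replayed:false Unauthorized:false. The order of the two server checks matters in practice: looking the key up in the authorized set first means the server never runs signature verification on a key it would not accept anyway.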