Author: Milav Dabgar
Experienced lecturer in the electrical and electronic manufacturing industry. Skilled in Embedded Systems, Image Processing, Data Science, MATLAB, Python, STM32. Strong education professional with a Master’s degree in Communication Systems Engineering from L.D. College of Engineering - Ahmedabad.
SSH (Secure Shell)

SSH

Secure Shell - Secure Remote Access Protocol

The Standard for Secure Remote Administration

SSH Protocol Stack

SSH Definition

SSH (Secure Shell) is a cryptographic network protocol that provides secure remote access, command execution, and data communication over an unsecured network, replacing insecure protocols like Telnet and rlogin.

Core Functions:

  • Remote Login: Secure terminal access to remote systems
  • Command Execution: Run commands on remote machines
  • File Transfer: Secure file copying (SCP, SFTP)
  • Port Forwarding: Tunnel other protocols securely
  • X11 Forwarding: Remote GUI application display
  • Agent Forwarding: Forward authentication credentials

Default Port: TCP 22 (configurable for security)

SSH vs Telnet Comparison

Telnet (Insecure):

  • Encryption: None - plain text
  • Authentication: Password sent in clear
  • Port: TCP 23
  • Security: Vulnerable to eavesdropping
  • Integrity: No protection against tampering
  • Use Case: Legacy systems only
  • Status: Deprecated for security

SSH (Secure):

  • Encryption: Strong cryptographic protection
  • Authentication: Multiple secure methods
  • Port: TCP 22
  • Security: Resistant to network attacks
  • Integrity: Message authentication codes
  • Use Case: Modern systems standard
  • Status: Industry standard

Migration: All Telnet usage should be replaced with SSH for security reasons.

SSH Protocol Architecture

SSH Protocol Stack: Three-layer architecture providing transport, authentication, and connection services.
SSH Protocol Layers:

SSH Connection Protocol (Layer 3):
• Multiplexes multiple channels over single connection
• Handles interactive sessions, file transfers, port forwarding
• Flow control and channel management

SSH User Authentication Protocol (Layer 2):
• Authenticates client to server
• Supports multiple authentication methods
• Password, public key, host-based, keyboard-interactive

SSH Transport Layer Protocol (Layer 1):
• Server authentication and key exchange
• Encryption, integrity, and compression
• Algorithm negotiation and session management

Underlying Transport: TCP (reliable, connection-oriented)

SSH Connection Establishment

SSH Handshake Process:

1. Protocol Version Exchange:
Client: "SSH-2.0-OpenSSH_8.0"
Server: "SSH-2.0-OpenSSH_7.9"

2. Algorithm Negotiation:
• Key exchange algorithms
• Encryption algorithms
• MAC algorithms
• Compression algorithms

3. Key Exchange (Diffie-Hellman):
• Server sends host key
• Both parties exchange DH values
• Shared secret computed
• Session keys derived

4. Server Authentication:
• Client verifies server's host key
• Host key checked against known_hosts

5. User Authentication:
• Client authenticates to server
• Multiple authentication methods available

6. Channel Setup:
• Request channel for shell/command/subsystem
• Begin encrypted communication

SSH Authentication Methods

Password Authentication:

  • Method: Username + password
  • Security: Vulnerable to brute force
  • Usability: Simple for users
  • Best Practice: Disable for servers
  • Use Case: Interactive user sessions

Public Key Authentication:

  • Method: Private/public key pairs
  • Security: Very strong
  • Usability: Automated access
  • Best Practice: Recommended method
  • Use Case: Automated systems, admin

Certificate Authentication:

  • Method: SSH certificates
  • Security: Excellent scalability
  • Usability: Centralized management
  • Best Practice: Enterprise environments
  • Use Case: Large deployments

Additional Methods:

  • Host-based Authentication: Trust relationships between hosts
  • Keyboard-interactive: Challenge-response (2FA, OTP)
  • GSSAPI/Kerberos: Single sign-on integration

SSH Key Types and Algorithms

Key Type | Algorithm | Key Size | Security | Performance | Recommendation
RSA | RSA | 2048-4096 bits | Good | Slower | Use 3072+ bits
DSA | DSA | 1024 bits | ❌ Weak | Fast | Deprecated
ECDSA | Elliptic Curve | 256-521 bits | Excellent | Fast | Good choice
Ed25519 | Edwards Curve | 256 bits | Excellent | Very fast | ✅ Best choice
Ed448 | Edwards Curve | 448 bits | Excellent | Fast | High security

Modern Recommendation: Use Ed25519 for new key generation - it's fast, secure, and has small key sizes.

SSH Key Management

Key Generation:

  • ssh-keygen: Standard key generation tool
  • Strong entropy: Use hardware RNG when possible
  • Key length: Use appropriate key sizes
  • Passphrases: Protect private keys
  • Key comments: Identify key purpose/owner

Key Distribution:

  • authorized_keys: Server-side public key storage
  • ssh-copy-id: Automated public key installation
  • Configuration management: Ansible, Chef, Puppet
  • Certificate authorities: Centralized key management
  • Secure transfer: Never share private keys

Key Generation Examples:

# Generate Ed25519 key (recommended)
ssh-keygen -t ed25519 -C "user@host"

# Generate RSA key with strong size
ssh-keygen -t rsa -b 3072 -C "user@host"

# Copy public key to server
ssh-copy-id user@server.example.com

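# Manual public key installation (appends the public key to authorized_keys on the server)
cat ~/.ssh/id_ed25519.pub | ssh user@server.example.com 'mkdir -p ~/.ssh && chmod 700 ~/.ssh && cat >> ~/.ssh/authorized_keys'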

SSH Configuration Files

Client Configuration (~/.ssh/config):

  • Host aliases: Shortcut names for servers
  • User settings: Default usernames
  • Key specifications: Which keys to use
  • Port configurations: Non-standard ports
  • Proxy settings: Jump hosts, tunnels

Server Configuration (/etc/ssh/sshd_config):

  • Port settings: Change default port
  • Authentication: Enable/disable methods
  • Access control: User/group restrictions
  • Security settings: Protocol versions
  • Logging: Audit and monitoring

Client Config Example:
Host webserver
    HostName web.example.com
    User admin
    Port 2222
    IdentityFile ~/.ssh/webserver_key

Server Config Example:
Port 2222
PasswordAuthentication no
PubkeyAuthentication yes
PermitRootLogin no
AllowUsers admin developer

SSH Port Forwarding (Tunneling)

Port Forwarding: SSH can create secure tunnels to forward network traffic through encrypted connections.

Local Port Forwarding:

  • Direction: Client → SSH Server → Target
  • Use Case: Access remote services
  • Example: Access internal web server
  • Command: ssh -L 8080:internal:80 server

Remote Port Forwarding:

  • Direction: SSH Server → Client → Target
  • Use Case: Expose local services
  • Example: Share local development
  • Command: ssh -R 8080:localhost:80 server

Dynamic Port Forwarding:

  • Direction: SOCKS proxy through SSH
  • Use Case: Browse through SSH server
  • Example: Secure browsing
  • Command: ssh -D 1080 server

Port Forwarding Examples:

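# Local forwarding - access remote database
ssh -L 3306:db.internal:3306 jumphost.com
# Connect to 127.0.0.1, not "localhost": the mysql client treats "localhost" as the local Unix socket and would bypass the tunnel
mysql -h 127.0.0.1 -P 3306 -u user database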

# Remote forwarding - share local web server
ssh -R 8080:localhost:80 public-server.com

# Dynamic forwarding - SOCKS proxy
ssh -D 1080 proxy-server.com
# Configure browser to use localhost:1080 as SOCKS proxy

SSH File Transfer Methods

SCP (Secure Copy):

  • Protocol: Simple file transfer over SSH
  • Features: Recursive directory copying
  • Security: Uses SSH authentication/encryption
  • Performance: Good for simple transfers
  • Limitations: No resume, limited features

SFTP (SSH File Transfer Protocol):

  • Protocol: Full-featured file transfer over SSH
  • Features: Directory browsing, file management
  • Security: Same as SSH
  • Performance: Optimized for interactive use
  • Advantages: Resume, permissions, timestamps

File Transfer Examples:

SCP Examples:
# Copy file to remote server
scp file.txt user@server.com:/path/to/destination/

# Copy directory recursively
scp -r directory/ user@server.com:/path/to/destination/

# Copy from remote to local
scp user@server.com:/remote/file.txt ./local/path/

SFTP Examples:
# Interactive SFTP session
sftp user@server.com
sftp> put file.txt
sftp> get remote_file.txt
sftp> ls -la
sftp> quit

SSH Security Hardening

  1. Change Default Port: Use non-standard port (not 22)
  2. Disable Password Authentication: Use keys only
  3. Disable Root Login: Use sudo for privilege escalation
  4. Limit User Access: AllowUsers, AllowGroups directives
  5. Use Strong Ciphers: Disable weak encryption algorithms
  6. Enable Key-based Authentication: Disable password auth
  7. Set Idle Timeout: Automatically disconnect idle sessions
  8. Limit Connection Attempts: Prevent brute force attacks

Hardened sshd_config Example:

Port 2222
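# Protocol 2 is only needed on OpenSSH older than 7.4; newer releases support only protocol 2 and no longer need this keyword
Protocol 2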
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys
AllowUsers admin developer
MaxAuthTries 3
ClientAliveInterval 300
ClientAliveCountMax 2
X11Forwarding no
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com
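
An added example (not part of the original slides): a POSIX shell function that audits the global section of an sshd_config file against the hardened values above. The function name, the FAIL output format and the sample file are assumptions made for illustration; keywords that are absent are filled in with OpenSSH's built-in defaults.

```bash
audit_sshd_config() {
    # $1 = path to an sshd_config file; prints one FAIL line per finding.
    awk '
    BEGIN {
        # Values required by the hardened example above.
        want["passwordauthentication"] = "no"
        want["permitrootlogin"]        = "no"
        want["x11forwarding"]          = "no"
        want["pubkeyauthentication"]   = "yes"
        # OpenSSH built-in defaults, applied when a keyword is absent.
        dflt["passwordauthentication"] = "yes"
        dflt["permitrootlogin"]        = "prohibit-password"
        dflt["x11forwarding"]          = "no"
        dflt["pubkeyauthentication"]   = "yes"
        dflt["maxauthtries"]           = "6"
    }
    /^[ \t]*(#|$)/ { next }              # skip comments and blank lines
    {
        sub(/[ \t]*=[ \t]*/, " ")        # "Keyword=value" is also legal syntax
        key = tolower($1); val = tolower($2)
        if (key == "match") exit         # audit the global section only
        if (!(key in got)) got[key] = val   # sshd keeps the first value it sees
    }
    END {
        for (k in dflt) if (!(k in got)) got[k] = dflt[k]
        for (k in want) if (got[k] != want[k])
            printf "FAIL %s=%s (want %s)\n", k, got[k], want[k]
        if (got["maxauthtries"] + 0 > 3)
            printf "FAIL maxauthtries=%s (want <= 3)\n", got["maxauthtries"]
    }' "$1" | sort
}

# Constructed sample: a weak config. The second PermitRootLogin line has no
# effect because the first occurrence of a keyword wins.
weak_cfg=$(mktemp)
cat > "$weak_cfg" <<'EOF'
# constructed sample, not from a real host
Port 22
PermitRootLogin yes
PermitRootLogin no
MaxAuthTries 6
X11Forwarding yes
Match User backup
    PasswordAuthentication no
EOF
audit_sshd_config "$weak_cfg"
```

On a live server, `sshd -T` prints the effective configuration with defaults resolved; its output can be saved to a file and audited the same way.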

SSH Agent and Key Management

SSH Agent: Program that holds private keys in memory, allowing passwordless authentication without exposing private keys.

SSH Agent Benefits:

  • Convenience: Single password for multiple keys
  • Security: Decrypted private keys are held only in memory, not written to disk
  • Agent Forwarding: Use keys through jump hosts
  • Timeout: Automatic key expiration
  • Selective Loading: Load only needed keys

Agent Management:

  • ssh-agent: Start agent process
  • ssh-add: Add keys to agent
  • ssh-add -l: List loaded keys
  • ssh-add -D: Remove all keys
  • ssh-add -t: Set key lifetime

SSH Agent Usage:

# Start SSH agent
eval "$(ssh-agent -s)"

# Add key to agent (enter passphrase once)
ssh-add ~/.ssh/id_ed25519

# Add key with timeout (1 hour)
ssh-add -t 3600 ~/.ssh/id_rsa

# List loaded keys
ssh-add -l

# Remove all keys from agent
ssh-add -D

SSH Certificates

SSH Certificates: Cryptographically signed public keys that provide scalable authentication without managing individual authorized_keys files.

Certificate Benefits:

  • Scalability: No authorized_keys management
  • Centralized Control: Single CA manages access
  • Temporary Access: Time-limited certificates
  • Principal Access: Username embedded in cert
  • Forced Commands: Restrict allowed operations
  • Audit Trail: Better logging and tracking

Certificate Types:

  • User Certificates: Authenticate users to hosts
  • Host Certificates: Authenticate hosts to users
  • Certificate Extensions: Restrictions and permissions
  • Critical Options: Enforced security constraints

Certificate Creation Example:

# Create CA key pair
ssh-keygen -t ed25519 -f ssh_ca

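# Sign user's public key (valid for 1 week; -n sets the principal, i.e. the login name the certificate is valid for)
ssh-keygen -s ssh_ca -I user1 -n user1 -V +1w ~/.ssh/id_ed25519.pub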

# Configure server to trust CA
echo "TrustedUserCAKeys /etc/ssh/ssh_ca.pub" >> /etc/ssh/sshd_config

Common SSH Attacks and Defenses

Common Attacks:

  • Brute Force: Password guessing attacks
  • Dictionary Attacks: Common password lists
  • Man-in-the-Middle: Fake SSH servers
  • Key Theft: Stolen private keys
  • Session Hijacking: TCP session takeover
  • Port Scanning: Discovery of SSH services

Defense Strategies:

  • Disable Passwords: Key-only authentication
  • Fail2ban/SSHGuard: Block brute force attempts
  • Host Key Verification: Check known_hosts
  • Key Rotation: Regular key replacement
  • Network Controls: Firewalls, VPNs
  • Monitoring: Log analysis and alerting

SSH Honeypots:

Deploy fake SSH services to detect and analyze attack attempts, gathering threat intelligence while protecting real systems.

SSH Monitoring and Logging

Server-Side Logging:

  • Auth logs: /var/log/auth.log
  • SSH daemon: /var/log/sshd.log
  • Syslog levels: INFO, DEBUG, VERBOSE
  • Failed attempts: Authentication failures
  • Connection details: Source IPs, users

Monitoring Metrics:

  • Connection attempts: Successful/failed logins
  • Geographic analysis: Connection sources
  • Time patterns: Unusual access times
  • User behavior: Command patterns
  • Session duration: Connection times

Security Tools:

  • Fail2ban: Automated IP blocking
  • OSSEC: Host-based intrusion detection
  • Logwatch: Log analysis and reporting
  • Splunk: Enterprise log management
  • ELK Stack: Elasticsearch, Logstash, Kibana
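
An added example (not from the original slides) of the log analysis listed above: a POSIX shell function that counts failed SSH password attempts per source IP and flags a successful login that follows them. The function name, threshold, output labels and sample log lines are constructed for illustration; the line format assumed is OpenSSH's usual "Failed password for ... from IP port N ssh2".

```bash
detect_ssh_bruteforce() {
    # $1 = auth log path, $2 = failure threshold per source IP (default 5)
    awk -v thr="${2:-5}" '
    # The username is client-supplied text, so read fields from the
    # right-hand end of the line: the last "from" precedes the real address.
    function field_after(word,   i) {
        for (i = NF - 1; i >= 1; i--) if ($i == word) return $(i + 1)
        return ""
    }
    /sshd\[[0-9]+\]: Failed password for / {
        fails[field_after("from")]++; next
    }
    /sshd\[[0-9]+\]: Accepted (password|publickey) for / {
        ip = field_after("from")
        # A success only matters here if the failures came first.
        if (fails[ip] + 0 >= thr + 0) hit[ip] = field_after("for")
    }
    END {
        for (ip in fails) if (fails[ip] + 0 >= thr + 0) {
            printf "BRUTEFORCE %s fails=%d\n", ip, fails[ip]
            if (ip in hit) printf "LOGIN_AFTER_FAILURES %s user=%s\n", ip, hit[ip]
        }
    }' "$1" | sort
}

# Constructed sample log lines (documentation IP ranges, not real traffic).
# The fourth line carries a username that itself contains "from <address>".
sample_log=$(mktemp)
cat > "$sample_log" <<'EOF'
Jan 10 03:12:01 web1 sshd[811]: Failed password for root from 203.0.113.5 port 40110 ssh2
Jan 10 03:12:03 web1 sshd[811]: Failed password for root from 203.0.113.5 port 40110 ssh2
Jan 10 03:12:05 web1 sshd[813]: Failed password for invalid user admin from 203.0.113.5 port 40112 ssh2
Jan 10 03:12:07 web1 sshd[813]: Failed password for invalid user x from 198.51.100.7 from 203.0.113.5 port 40112 ssh2
Jan 10 03:12:09 web1 sshd[815]: Failed password for deploy from 203.0.113.5 port 40114 ssh2
Jan 10 03:12:11 web1 sshd[815]: Accepted password for deploy from 203.0.113.5 port 40114 ssh2
Jan 10 09:00:02 web1 sshd[902]: Failed password for admin from 198.51.100.7 port 51000 ssh2
Jan 10 09:00:09 web1 sshd[902]: Accepted publickey for admin from 198.51.100.7 port 51000 ssh2: ED25519 SHA256:EXAMPLEFINGERPRINT
EOF
detect_ssh_bruteforce "$sample_log" 5
```

A LOGIN_AFTER_FAILURES line is the one to triage first: it marks an address that reached the threshold and then authenticated successfully.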

SSH Best Practices Summary

Authentication:

  • Use Ed25519 or RSA 3072+ bit keys
  • Disable password authentication
  • Implement multi-factor authentication
  • Use SSH certificates for large deployments
  • Protect private keys with passphrases

Configuration:

  • Change default port from 22
  • Disable root login
  • Use AllowUsers/DenyUsers directives
  • Enable strong ciphers and MACs
  • Set appropriate timeouts

Operational Security:

  • Regular key rotation and management
  • Comprehensive logging and monitoring
  • Network-level access controls
  • Regular security updates
  • Incident response procedures

SSH Implementations and Tools

Implementation | Platform | Type | Key Features
OpenSSH | Unix/Linux/macOS | Open Source | Most widely used, full feature set
PuTTY | Windows | Free | Popular Windows SSH client
Windows OpenSSH | Windows 10+ | Built-in | Native Windows SSH support
Dropbear | Embedded systems | Lightweight | Small footprint SSH implementation
libssh | Cross-platform | Library | SSH library for applications
Commercial SSH | Various | Enterprise | Advanced management features

Key Takeaways

  • SSH provides secure remote access replacing insecure protocols
  • Public key authentication is more secure than passwords
  • SSH supports multiple services: shell access, file transfer, tunneling
  • Proper configuration hardening is essential for security
  • SSH agents improve usability without compromising security
  • SSH certificates provide scalable authentication for enterprises
  • Regular monitoring and key management are crucial
  • Ed25519 keys are recommended for new deployments

Remember: SSH security depends on proper key management, configuration hardening, and ongoing monitoring - not just using the protocol.
