

                     SSH – Secure Shell

• SSH is a cryptographic protocol
   – Implemented in software originally for remote login
   – One of the most popular programs implementing SSH is PuTTY
   – Download and test for free
   – You need a login account on a server (usually Linux)
     supporting logins through SSH
• Servers usually operate SSH at TCP port 22
   – What is a TCP port?
                       SSH Protocol Basics
• Host authentication (to the user)
   – Known hosts
      • Server on the list of trusted hosts on client machine
      • Danger of spoofing
• User authentication (to the server)
   – Password based
      • User enters a username and password
      • Sent encrypted with Server’s public key
   – RSA/DSA
      • Server maintains copy of user’s public key
      • Method 1: signed session id: The client signs a session id. The
         server verifies it with the corresponding public key
      • Method 2: challenge-response: Server encrypts a random number
         with the user’s public key; Client proves identity by decrypting it.
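Host authentication as described above rests on the client's known hosts list. The following is an added example, not from the slides, of what a client does with that list: it fingerprints the key a server presents and compares it with the entry stored for that host, so that a different key for a known host (the spoofing danger) is detected rather than silently accepted. The known_hosts line, the host names server.example.org and 10.0.0.5, and the key blob (32 constructed bytes in the SSH wire encoding, not a usable key) are all constructed for the example.

```python
import base64
import hashlib

# Constructed sample data (not from the slides): an SSH public-key blob in the
# wire format OpenSSH fingerprints (string key-type, string key bytes). The 32
# "key" bytes are 0..31, so this is NOT a usable Ed25519 key, only a blob of the
# right shape for demonstrating fingerprinting and known_hosts matching.
def ssh_string(data: bytes) -> bytes:
    """SSH wire 'string': 4-byte big-endian length followed by the bytes."""
    return len(data).to_bytes(4, "big") + data


def make_blob(key_type: str, key_bytes: bytes) -> bytes:
    return ssh_string(key_type.encode()) + ssh_string(key_bytes)


TRUSTED_BLOB = make_blob("ssh-ed25519", bytes(range(32)))
KNOWN_HOSTS = (
    "# constructed known_hosts: one trusted server, listed by name and address\n"
    "server.example.org,10.0.0.5 ssh-ed25519 "
    + base64.b64encode(TRUSTED_BLOB).decode()
    + "\n"
)


def fingerprint(blob: bytes) -> str:
    """Fingerprint in the form OpenSSH prints: SHA256 of the raw key blob,
    base64 without '=' padding (the value `ssh-keygen -lf` shows)."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_known_hosts(text: str) -> dict:
    """Map (hostname, key-type) -> fingerprint. Each line lists one or more
    comma-separated host names, the key type and the base64 key blob.
    Hashed host names (lines starting with '|1|') are skipped here."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or line.startswith("|1|"):
            continue
        parts = line.split()
        if len(parts) < 3:
            continue
        hosts, key_type, b64 = parts[0], parts[1], parts[2]
        fp = fingerprint(base64.b64decode(b64))
        for host in hosts.split(","):
            entries[(host, key_type)] = fp
    return entries


def check_host_key(entries: dict, host: str, key_type: str, presented: bytes) -> str:
    """Outcome of the host-authentication step for the key a server presents:
    'match'    - same key as on the trusted list, proceed
    'unknown'  - host not on the list; the client can only trust on first use
    'mismatch' - a different key for a known host: the spoofing danger from
                 the slides, so the client should refuse to continue."""
    expected = entries.get((host, key_type))
    if expected is None:
        return "unknown"
    return "match" if fingerprint(presented) == expected else "mismatch"


if __name__ == "__main__":
    known = parse_known_hosts(KNOWN_HOSTS)
    print(fingerprint(TRUSTED_BLOB))
    print(check_host_key(known, "server.example.org", "ssh-ed25519", TRUSTED_BLOB))
    imposter = make_blob("ssh-ed25519", bytes(32))   # constructed: a different key
    print(check_host_key(known, "server.example.org", "ssh-ed25519", imposter))
```

The "unknown" outcome is where a real client prints the fingerprint and asks the user; the only defence at that moment is comparing the fingerprint with one obtained out of band from the server's administrator, which is why the first contact is the point an attacker would choose to spoof.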
           Uses and Advantages of SSH

• SSH overcomes a limitation of Telnet
  – That of transmitting passwords in the clear on the
    networks on the way to the server
• Originally designed for remote login
  – But can also be used for encrypted file transfer
• Increasingly used to transport other applications
  – This is called SSH port forwarding or tunnelling

• Client-Server architecture
• An SSH server program listens on a computer’s TCP port 22
• An SSH Client program (e.g. PuTTY) requests connection to the
• Disconnects when finished
• Or when server announces time out

[Figure: SSH client on a desktop connecting to an SSH server on TCP port 22, e.g. on a Linux host]

                           SSH - Software

• Several implementations for both SSH Client and
  Servers exist
   – PuTTY is just one of them (and the most popular)
• Linux:
   – Client: OpenSSH Client (most popular)
      • Run at the command line with the command “ssh”
   – Server: OpenSSH Server (most popular)
      • Either starts automatically at startup or by typing command “sshd”
        (stands for ssh daemon)
• Windows:
   – Client: PuTTY (most popular) - has a GUI
   – Server: SSH Server by OpenSSH
      • Uncommon but not impossible to have SSH Server on Desktop

                    User Agent Role
• S/MIME uses Public-Key Certificates - X.509 version 3 signed
  by Certification Authority
• Functions:
   – Key Generation - Diffie-Hellman, DSS, and RSA key-pairs.
   – Registration - Public keys must be registered with X.509 CA.
   – Certificate Storage - Local (as in browser application) for different
   – Signed and Enveloped Data - Various orderings for encrypting and

                SSH Software usage

• SSH provides a virtual terminal
   – User almost feels as if she is using the remote system
   – In reality, she is only connected to the remote system
• The same is true of Telnet, but there the transmitted data is unencrypted
   – In SSH, all data is encrypted
• SSH can also be used for remote command execution
   – Syntax: ssh -l username hostname command
   – E.g. ssh -l malladis 'rm

             User Agent Role

• Example: Verisign (
  – Class-1: Buyer’s email address confirmed by
    emailing vital info.
  – Class-2: Postal address is confirmed as well, and
    data checked against directories.
  – Class-3: Buyer must appear in person, or send
    notarized documents.

               File transfer with SSH

• FTP transfers files in the clear
   – SSH can be used to do encrypted file transfer
   – Also termed SCP (Secure Copy)
• WinSCP is a program that implements SCP
   – available for free download
   – Has a GUI
• Command line SCP tools require the command
   – pscp    \teaching\

       Port Forwarding in SSH

• Use of SSH from a different port
• Enables the use of SSH for insecure TCP/IP
  applications (such as email, web browsing
• Also to bypass firewalls
  – How?
• Port forwarding can solve problems
  – See next slide

                        SSH Port forwarding

NOTE: Same host need not host SSH, Mail, Database and VNC (as in this picture).

                     A Problem

• Consider the situation
  – Say an employee at a company is away from office
  – Wants to access her IMAP email by connecting to
    an internal host in the corporate network, remotely
  – But the IMAP port (143) is blocked by the corporate
• Normally this would mean she can't read her

              A Problem (continued)

• But say the SSH port (22) is open on the firewall
• And she has an account on an internal machine that runs SSH server
• She can then set up an “SSH tunnel” from a local port on her client
  PC, through the SSH server and on to the desired application (in this
  case, the mail server on port 143).
• Next she can point her mail client at the local port (from which
  she set up the SSH tunnel to port 22)
   – The connection is forwarded to the desired application (the mail

                       Secure Tunnel

[Figure: Secure SSH tunnel from a local port on the client PC to port 22 on the company network, forwarded on to port 143]

Set up command (also possible in PuTTY):
ssh -l loginname -L 1143:mailserver:143 <ssh-server-host>
  (user is prompted for password; <ssh-server-host> stands for the name of
  the SSH server reachable through the firewall)
•   To use it: In the email client settings, the incoming mail server has to
    be set to localhost and the port number for IMAP email to 1143:
     – Note that host name localhost or IP address 127.0.0.1
       refer to the local machine
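To make concrete what the -L option does on the client side, here is an added example in Python; it is not part of the slides and not OpenSSH code. It implements the relay that ssh runs locally: listen on a loopback port, and for every connection accepted there, open a connection to the target and copy bytes in both directions. The mail server on port 143 is replaced by a constructed loopback service, and the second hop is plain TCP, where real ssh would carry it inside the encrypted channel to the SSH server and let the server make the final connection from inside the network. All ports are ephemeral so the example runs offline without privileges.

```python
import socket
import threading


# Constructed stand-in for the internal service behind the firewall (the IMAP
# server on port 143 in the slides). It listens on an ephemeral loopback port,
# reads one request per connection and answers with a tag, so it is visible
# that bytes sent to the local forwarded port really arrived here.
def start_internal_service() -> int:
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def serve():
        while True:
            conn, _ = srv.accept()
            with conn:
                request = conn.recv(4096)
                conn.sendall(b"internal-service got: " + request)

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


def pipe(src: socket.socket, dst: socket.socket) -> None:
    """Copy bytes one way until EOF, then pass the EOF on as a half-close."""
    try:
        while True:
            chunk = src.recv(4096)
            if not chunk:
                break
            dst.sendall(chunk)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


def start_local_forward(target_host: str, target_port: int) -> int:
    """Client-side half of `ssh -L <localport>:<target>:<targetport> sshserver`:
    listen on a loopback port and relay each accepted connection to the target.
    Here the second hop is plain TCP; with real ssh it is an encrypted channel
    to the SSH server, which then connects to the target from inside."""
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(5)

    def accept_loop():
        while True:
            client, _ = listener.accept()
            upstream = socket.create_connection((target_host, target_port))
            threading.Thread(target=pipe, args=(client, upstream), daemon=True).start()
            threading.Thread(target=pipe, args=(upstream, client), daemon=True).start()

    threading.Thread(target=accept_loop, daemon=True).start()
    return listener.getsockname()[1]


def talk_through_tunnel(local_port: int, request: bytes) -> bytes:
    """What the mail client does: connect to localhost:<local_port> instead of
    the blocked port 143, and read the reply that comes back through the tunnel."""
    with socket.create_connection(("127.0.0.1", local_port)) as s:
        s.sendall(request)
        s.shutdown(socket.SHUT_WR)
        reply = b""
        while True:
            chunk = s.recv(4096)
            if not chunk:
                break
            reply += chunk
    return reply


if __name__ == "__main__":
    port143 = start_internal_service()                    # stands in for mailserver:143
    port1143 = start_local_forward("127.0.0.1", port143)  # stands in for -L 1143:mailserver:143
    print(talk_through_tunnel(port1143, b"a001 CAPABILITY"))
```

Note that the listener is bound to 127.0.0.1 only, which is also ssh's default for -L: anything bound to all interfaces would let other machines use the tunnel too.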

                  Port forwarding –
                   more examples

• Say your academic institution subscribed to journals and
  articles from various websites
   – Where authentication is based on the institution’s IP
      address range
   – Meaning that only people within the institution (physically)
      can get access
• But if you can forward a local port to the Web Proxy via an SSH
  server accessible from outside, you can appear to websites as
  though you are accessing them from within your institution

                Security of port forwarding

• Good aspects of port forwarding
   – Secure access to insecure services
       • Can transport any kind of application – email, web browsing, file
         transfer etc.
   – Bypassing firewalls
       • Forces users to only access internal services securely
• Bad aspects
   – Gives users (consequently attackers) means to access arbitrary internal
   – Since only password authentication is used, all an attacker needs is
     the password of any one user on the SSH server
       • And then for example, browse the company’s intranet
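The two bad aspects above are controlled on the server side by a handful of sshd_config keywords: AllowTcpForwarding, PermitOpen and GatewayPorts limit what can be tunnelled, and PasswordAuthentication decides whether one user's password is enough to open a tunnel. The following is an added example, not from the slides, of a small Python audit run over two constructed sshd_config fragments, a permissive one and a tightened one. The host name mailserver and the exact wording of the findings are made up for the example; the keywords, their values and the defaults are OpenSSH's.

```python
import re

# Two constructed sshd_config fragments (not from the slides): the permissive
# shape that makes the "bad aspects" real, and a tightened one.
WEAK_SSHD_CONFIG = """\
# constructed: forwarding and password logins left at OpenSSH defaults
Port 22
PasswordAuthentication yes
AllowTcpForwarding yes
"""

HARDENED_SSHD_CONFIG = """\
# constructed: tunnelling allowed only to the mail server, password logins off
Port 22
PasswordAuthentication no
PubkeyAuthentication yes
AllowTcpForwarding local
PermitOpen mailserver:143
GatewayPorts no
"""

# OpenSSH defaults for the keywords audited here (used when a keyword is absent)
DEFAULTS = {
    "allowtcpforwarding": "yes",
    "permitopen": "any",
    "passwordauthentication": "yes",
    "gatewayports": "no",
}

# keyword, optional '=', value (sshd accepts whitespace or a single '=' as separator)
_LINE = re.compile(r"^(\w+)\s*=?\s*(.*)$")


def parse_sshd_config(text: str) -> dict:
    """Global section of an sshd_config as a keyword -> value map.
    Two sshd rules matter here: keywords are case-insensitive, and the FIRST
    value given for a keyword wins, later repeats are ignored. Parsing stops
    at the first Match block, whose settings apply only conditionally."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _LINE.match(line)
        if not m or not m.group(2):
            continue
        keyword, value = m.group(1).lower(), m.group(2).strip()
        if keyword == "match":
            break
        settings.setdefault(keyword, value)
    return settings


def effective(settings: dict, keyword: str) -> str:
    return settings.get(keyword, DEFAULTS[keyword]).lower()


def audit_forwarding(settings: dict) -> list:
    """Findings corresponding to the two 'bad aspects' of port forwarding."""
    findings = []
    fwd = effective(settings, "allowtcpforwarding")
    if fwd == "yes":
        findings.append("AllowTcpForwarding yes: any authenticated user may tunnel to any internal host")
    if fwd != "no" and effective(settings, "permitopen") == "any":
        findings.append("PermitOpen unrestricted: forwarding destinations are not limited")
    if effective(settings, "passwordauthentication") == "yes":
        findings.append("PasswordAuthentication yes: one guessed or phished password opens a tunnel")
    if effective(settings, "gatewayports") != "no":
        findings.append("GatewayPorts enabled: forwarded ports may be reachable from other hosts")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_SSHD_CONFIG), ("hardened", HARDENED_SSHD_CONFIG)):
        print(name, audit_forwarding(parse_sshd_config(cfg)))
```

The first-value-wins rule is the usual trap in this audit: a hardening line appended at the end of a file is silently overridden by an earlier permissive one, so the parser keeps the first occurrence exactly as sshd does.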

