    SSH: Difference between revisions

    Content added Content deleted
    imported>dial-213-168-89-189.netcologne.de
    No edit summary
     
    imported>mutante
    mNo edit summary
    Line 1: Line 1:
    # http://www.uni-karlsruhe.de/~ig25/ssh-faq/ Secure Shell [[FAQ]


    2.1 What is [[ssh]]?

    Secure Shell FAQ
    http://www.uni-karlsruhe.de/~ig25/ssh-faq/

    2.1 What is ssh?


    To quote the README file:
    To quote the README file:


    Ssh (Secure Shell) is a program to log into another computer over a network, to execute commands in a remote machine, and to move files from one machine to another. It provides strong authentication and secure communications over unsecure channels. It is intended as a replacement for rlogin, rsh, and rcp.
    [SSSH]] (Secure Shell) is a program to log into another [[computer]] over a [[network]], to execute commands in a [[remote]] machine, and to move files from one machine to another. It provides strong authentication and secure communications over unsecure channels. It is intended as a replacement for [[rlogin]], rsh, and rcp.

    Additionally, ssh provides secure X connections and secure forwarding of arbitrary [[TCP]] connections.


    Additionally, ssh provides secure X connections and secure forwarding of arbitrary TCP connections.
    2.2 Why should I use it?
    2.2 Why should I use it?


    The traditional BSD 'r' - commmands (rsh, rlogin, rcp) are vulnerable to different kinds of attacks. Somebody who has root access to machines on the network, or physical access to the wire, can gain unauthorized access to systems in a variety of ways. It is also possible for such a person to log all the traffic to and from your system, including passwords (which ssh never sends in the clear).
    The traditional [[BSD]] 'r' - commmands (rsh, rlogin, rcp) are vulnerable to different kinds of attacks. Somebody who has [[root]] access to machines on the network, or physical access to the wire, can gain unauthorized access to systems in a variety of ways. It is also possible for such a person to log all the [[traffic]] to and from your system, including [[passwords]] (which ssh never sends in the clear).


    The X Window System also has a number of severe vulnerabilities. With ssh, you can create secure remote X sessions which are transparent to the user. As a side effect, using remote X clients with ssh is more convenient for users.
    The [[X Window System]] also has a number of severe vulnerabilities. With ssh, you can create secure remote X sessions which are transparent to the user. As a side effect, using remote X clients with ssh is more convenient for users.


    Users can continue to use old .rhosts and /etc/hosts.equiv files; changing over to ssh is mostly transparent for them. If a remote site does not support ssh, a fallback mechanism to rsh is included.
    Users can continue to use old .rhosts and /etc/hosts.equiv files; changing over to ssh is mostly transparent for them. If a remote site does not support ssh, a fallback mechanism to rsh is included.
    2.3 What kinds of attacks does ssh protect against?
    2.3 What kinds of attacks does ssh protect against?


    Ssh protects against:
    SSH protects against:

    * [[IP]] [[spoofing]], where a remote host sends out [[packets]] which pretend to come from another, trusted host. Ssh even protects against a spoofer on the local network, who can pretend he is your router to the outside.

    * [[IP]] source [[routing]], where a host can pretend that an IP packet comes from another, trusted host.

    * [[DNS]] spoofing, where an attacker forges name server records

    * Interception of [[cleartext]] [[passwords]] and other data by intermediate [[host]]s.


    * IP spoofing, where a remote host sends out packets which pretend to come from another, trusted host. Ssh even protects against a spoofer on the local network, who can pretend he is your router to the outside.
    * IP source routing, where a host can pretend that an IP packet comes from another, trusted host.
    * DNS spoofing, where an attacker forges name server records
    * Interception of cleartext passwords and other data by intermediate hosts.
    * Manipulation of data by people in control of intermediate hosts
    * Manipulation of data by people in control of intermediate hosts
    * Attacks based on listening to X authentication data and spoofed connection to the X11 server.


    * Attacks based on listening to X [[authentication]] data and spoofed connection to the [[X11]] server.
    In other words, ssh never trusts the net; somebody hostile who has taken over the network can only force ssh to disconnect, but cannot decrypted or play back the traffic, or hijack the connection.

    In other words, ssh never trusts the net; somebody hostile who has taken over the [[network]] can only force ssh to disconnect, but cannot decrypted or play back the traffic, or [[hijack]] the connection.


    The above only holds if you actually use encryption. Ssh does have an option to use encryption of type "none" this is only for debugging purposes, and should not be used.
    The above only holds if you actually use encryption. Ssh does have an option to use encryption of type "none" this is only for debugging purposes, and should not be used.
    2.4 What kind of attacks does ssh not protect against?
    2.4 What kind of attacks does ssh not protect against?


    Ssh will not help you with anything that compromises your host's security in some other way. Once an attacker has gained root access to a machine, he can then subvert ssh, too.
    Ssh will not help you with anything that compromises your host's security in some other way. Once an attacker has gained [[root]] access to a machine, he can then subvert ssh, too.

    If somebody malevolent has access to your [[home directory]], then [[security]] is nonexistent. This is very much the case if your home directory is exported via NFS.


    If somebody malevolent has access to your home directory, then security is nonexistent. This is very much the case if your home directory is exported via NFS.
    2.5 How does it work?
    2.5 How does it work?


    For more extensive information, please refer to the README and RFC files in the ssh directory. The proposed RFC is also available as an Internet Draft from ftp://ftp.ietf.org/internet-drafts/draft-ietf-tls-ssh-00.txt .
    For more extensive information, please refer to the [[README]] and [[RFC]] files in the ssh directory. The proposed [[RFC]] is also available as an Internet Draft from


    # ftp://ftp.ietf.org/internet-drafts/draft-ietf-tls-ssh-00.txt .
    All communications are encrypted using IDEA or one of several other ciphers (three-key triple-DES, DES, RC4-128, TSS, Blowfish). Encryption keys are exchanged using RSA, and data used in the key exchange is destroyed every hour (keys are not saved anywhere). Every host has an RSA key which is used to authenticate the host when RSA host authentication is used. Encryption is used to protect against IP-spoofing; public key authentication is used to protect against DNS and routing spoofing.

    All communications are encrypted using [[IDEA]] or one of several other [[ciphers]] (three-key triple-[[DES]], DES, RC4-128, TSS, [[Blowfish]]). [[Encryption]] keys are exchanged using [[RSA]], and data used in the key exchange is destroyed every hour (keys are not saved anywhere). Every host has an RSA key which is used to authenticate the host when RSA host authentication is used. Encryption is used to protect against IP-spoofing; public key authentication is used to protect against DNS and routing spoofing.


    RSA keys are also used to authenticate hosts.
    RSA keys are also used to authenticate hosts.
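Review bot: the opening line of the right-hand revision renders as `[SSSH]] (Secure Shell)`, a stray S plus unbalanced brackets, so the link will not resolve and the article text starts with a garbled word; it should read `[[SSH]] (Secure Shell)`. The FAQ reference on the first line closes `[[FAQ]` with a single bracket for the same reason. Two typos are carried through both columns unchanged: "commmands" has an extra m, and "cannot decrypted or play back the traffic" should read "cannot decrypt or play back the traffic". The sentence on the "none" encryption type also runs two clauses together and wants a semicolon or full stop after `"none"`.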
    Line 48: Line 54:


    man ssh
    man ssh

    http://sman.informatik.htw-dresden.de:6711/man?=ssh&=1
    # http://sman.informatik.htw-dresden.de:6711/man?=ssh&=1

    sh - OpenSSH SSH client (remote login program)
    sh - OpenSSH SSH client (remote login program)
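Review bot: the man page NAME line reads `sh - OpenSSH SSH client (remote login program)` in both columns; the program the section documents is `ssh`, so the leading s was dropped when the text was pasted and should be restored.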


    Line 65: Line 73:




    PuTTY: a free Win32 telnet/ssh client
    [[Putty]]: a free [[Win32]] [[telnet]]/ssh client
    http://www.chiark.greenend.org.uk/~sgtatham/putty/
    # [[http://www.chiark.greenend.org.uk/~sgtatham/putty/ Putty]]
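Review bot: `# [[http://www.chiark.greenend.org.uk/~sgtatham/putty/ Putty]]` wraps an external URL in double brackets; MediaWiki renders the outer pair literally and only the inner pair forms the link, which is why the rendered revision on this page shows the item as the bare text `[Putty]`. Use single brackets, `[http://www.chiark.greenend.org.uk/~sgtatham/putty/ Putty]`, for an external link.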

    Revision as of 08:13, 7 February 2005

    1. http://www.uni-karlsruhe.de/~ig25/ssh-faq/ Secure Shell FAQ

    2.1 What is ssh?

    To quote the README file:

    SSH (Secure Shell) is a program to log into another computer over a network, to execute commands in a remote machine, and to move files from one machine to another. It provides strong authentication and secure communications over unsecure channels. It is intended as a replacement for rlogin, rsh, and rcp.

    Additionally, ssh provides secure X connections and secure forwarding of arbitrary TCP connections.

    2.2 Why should I use it?

    The traditional BSD 'r' commands (rsh, rlogin, rcp) are vulnerable to different kinds of attacks. Somebody who has root access to machines on the network, or physical access to the wire, can gain unauthorized access to systems in a variety of ways. It is also possible for such a person to log all the traffic to and from your system, including passwords (which ssh never sends in the clear).

    The X Window System also has a number of severe vulnerabilities. With ssh, you can create secure remote X sessions which are transparent to the user. As a side effect, using remote X clients with ssh is more convenient for users.

    Users can continue to use old .rhosts and /etc/hosts.equiv files; changing over to ssh is mostly transparent for them. If a remote site does not support ssh, a fallback mechanism to rsh is included.

    2.3 What kinds of attacks does ssh protect against?

    SSH protects against:

       * IP spoofing, where a remote host sends out packets which pretend to come from another, trusted host. Ssh even protects against a spoofer on the local network, who can pretend he is your router to the outside.
    
       * IP source routing, where a host can pretend that an IP packet comes from another, trusted host.
    
       * DNS spoofing, where an attacker forges name server records
    
       * Interception of cleartext passwords and other data by intermediate hosts.
    
       * Manipulation of data by people in control of intermediate hosts
    
       * Attacks based on listening to X authentication data and spoofed connection to the X11 server.
    

    In other words, ssh never trusts the net; somebody hostile who has taken over the network can only force ssh to disconnect, but cannot decrypt or play back the traffic, or hijack the connection.

    The above only holds if you actually use encryption. Ssh does have an option to use encryption of type "none"; this is only for debugging purposes, and should not be used.

    2.4 What kind of attacks does ssh not protect against?

    Ssh will not help you with anything that compromises your host's security in some other way. Once an attacker has gained root access to a machine, he can then subvert ssh, too.

    If somebody malevolent has access to your home directory, then security is nonexistent. This is very much the case if your home directory is exported via NFS.
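    A practical check that follows from the warning above: anyone who can write to your home directory or ~/.ssh can plant an authorized_keys entry, and anyone who can read a private key holds your identity. The Python script below is an added example written for this page, not part of the FAQ or of OpenSSH. It audits a home directory for the permission bits that OpenSSH itself refuses (assumption: the thresholds mirror sshd's StrictModes check for group/other-writable directories and files, and the ssh client's refusal of a private key readable by anyone but its owner). build_demo_home creates a throwaway directory containing constructed fake key files so the script runs offline; point audit_ssh_dir at a real home directory to audit it.

```python
import os
import stat
import tempfile

# Mode bits OpenSSH objects to. Assumption: these mirror the StrictModes check in
# sshd(8) and the "unprotected private key" check in ssh(1); this script is an
# added illustration for the FAQ text, not OpenSSH's own code.
GROUP_OR_WORLD_WRITABLE = 0o022
READABLE_BY_OTHERS = 0o077


def _mode(path: str) -> int:
    """Permission bits of a path (rwx for owner/group/other only)."""
    return stat.S_IMODE(os.stat(path).st_mode)


def _is_private_key(path: str) -> bool:
    """Heuristic: id_* files without a .pub suffix, or PEM-style key files."""
    name = os.path.basename(path)
    if name.endswith(".pub"):
        return False
    if name.startswith("id_"):
        return True
    try:
        with open(path, "rb") as fh:
            return fh.read(11) == b"-----BEGIN "
    except OSError:
        return False


def audit_ssh_dir(home: str) -> list:
    """Return findings for permissions that let other local users read private
    keys or write to the files that decide who may log in as this user."""
    findings = []
    if _mode(home) & GROUP_OR_WORLD_WRITABLE:
        findings.append(f"{home}: home directory is group/world writable")
    ssh_dir = os.path.join(home, ".ssh")
    if not os.path.isdir(ssh_dir):
        return findings
    if _mode(ssh_dir) & GROUP_OR_WORLD_WRITABLE:
        findings.append(f"{ssh_dir}: directory is group/world writable (expect 0700)")
    for name in sorted(os.listdir(ssh_dir)):
        path = os.path.join(ssh_dir, name)
        if not os.path.isfile(path):
            continue
        mode = _mode(path)
        if name in ("authorized_keys", "config", "known_hosts"):
            if mode & GROUP_OR_WORLD_WRITABLE:
                findings.append(f"{path}: writable by group/others (expect 0600)")
        elif _is_private_key(path) and mode & READABLE_BY_OTHERS:
            findings.append(f"{path}: private key readable by others (expect 0600)")
    return findings


def build_demo_home(private_key_mode: int, ssh_dir_mode: int) -> str:
    """Create a throwaway home directory populated with constructed, fake key
    files (not real keys), then apply the requested modes for the demo."""
    home = tempfile.mkdtemp(prefix="ssh-audit-demo-")
    ssh_dir = os.path.join(home, ".ssh")
    os.mkdir(ssh_dir, 0o700)
    fake_pub = b"ssh-ed25519 CONSTRUCTED-NOT-A-REAL-KEY constructed@example\n"
    fake_priv = (b"-----BEGIN OPENSSH PRIVATE KEY-----\n"
                 b"constructed placeholder, not a real key\n"
                 b"-----END OPENSSH PRIVATE KEY-----\n")
    for name, body in (("authorized_keys", fake_pub),
                       ("id_ed25519", fake_priv),
                       ("id_ed25519.pub", fake_pub)):
        path = os.path.join(ssh_dir, name)
        with open(path, "wb") as fh:
            fh.write(body)
        os.chmod(path, 0o600)
    os.chmod(os.path.join(ssh_dir, "id_ed25519.pub"), 0o644)   # public half may be world-readable
    os.chmod(os.path.join(ssh_dir, "id_ed25519"), private_key_mode)
    os.chmod(ssh_dir, ssh_dir_mode)
    return home


if __name__ == "__main__":
    print("tight permissions:", audit_ssh_dir(build_demo_home(0o600, 0o700)) or "no findings")
    print("loose permissions:")
    for finding in audit_ssh_dir(build_demo_home(0o644, 0o775)):
        print("  ", finding)
```

    Run against a real account with audit_ssh_dir(os.path.expanduser("~")); the same conditions the script reports are the ones that make sshd ignore an authorized_keys file or make ssh refuse to load a key, so fixing them is a prerequisite for the protection the FAQ describes, not an optional hardening step.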

    2.5 How does it work?

    For more extensive information, please refer to the README and RFC files in the ssh directory. The proposed RFC is also available as an Internet Draft from

    1. ftp://ftp.ietf.org/internet-drafts/draft-ietf-tls-ssh-00.txt .

    All communications are encrypted using IDEA or one of several other ciphers (three-key triple-DES, DES, RC4-128, TSS, Blowfish). Encryption keys are exchanged using RSA, and data used in the key exchange is destroyed every hour (keys are not saved anywhere). Every host has an RSA key which is used to authenticate the host when RSA host authentication is used. Encryption is used to protect against IP-spoofing; public key authentication is used to protect against DNS and routing spoofing.

    RSA keys are also used to authenticate hosts.
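    The host authentication described in 2.3 and 2.5, a per-host key that the client must recognise so that DNS or routing spoofing cannot quietly redirect a session to an impostor, is what OpenSSH's known_hosts lookup implements. The Python script below is an added example written for this page, not code from the FAQ or from OpenSSH. It builds a constructed ssh-ed25519 public key line (the 32 key bytes are placeholders, not a real key; ed25519 is used only because its key blob is short to construct, and the check is the same for RSA host keys), computes the SHA256 fingerprint in OpenSSH's display format, and checks a presented key against a constructed known_hosts file containing both a plain host entry and a hashed (|1|) entry. The known_hosts layout and the HMAC-SHA1 hashing of host names follow sshd(8); the three-way result (match, mismatch, unknown) is this example's own design.

```python
import base64
import hashlib
import hmac
import struct


def ssh_string(data: bytes) -> bytes:
    """Encode bytes as an SSH wire-format string: uint32 big-endian length, then the bytes."""
    return struct.pack(">I", len(data)) + data


def make_ed25519_pubkey_line(raw32: bytes, comment: str = "constructed") -> str:
    """Build an OpenSSH 'ssh-ed25519 <base64 blob> <comment>' line.
    Blob layout: string("ssh-ed25519") || string(32-byte key).
    raw32 is a constructed placeholder here, not a real key."""
    blob = ssh_string(b"ssh-ed25519") + ssh_string(raw32)
    return f"ssh-ed25519 {base64.b64encode(blob).decode()} {comment}"


def fingerprint_sha256(pubkey_line: str) -> str:
    """OpenSSH-style fingerprint: 'SHA256:' + base64(SHA-256(blob)) without '=' padding."""
    _keytype, b64blob = pubkey_line.split()[:2]
    digest = hashlib.sha256(base64.b64decode(b64blob)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def hash_hostname(hostname: str, salt: bytes) -> str:
    """Hashed known_hosts host field: |1|base64(salt)|base64(HMAC-SHA1(key=salt, host))."""
    mac = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
    return "|1|" + base64.b64encode(salt).decode() + "|" + base64.b64encode(mac).decode()


def host_matches(field: str, hostname: str) -> bool:
    """Match one host field (comma-separated names, or a |1| hash) against a hostname."""
    if field.startswith("|1|"):
        _, _, b64salt, b64mac = field.split("|")
        salt = base64.b64decode(b64salt)
        expected = base64.b64decode(b64mac)
        actual = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(actual, expected)
    return hostname in field.split(",")


def verify_host_key(known_hosts: str, hostname: str, presented_line: str) -> str:
    """Return 'match' (key on file), 'mismatch' (a key of the same type is on file
    but differs: the classic sign of a redirected or spoofed host) or 'unknown'
    (no entry; a real client would ask the user to confirm the fingerprint).
    @cert-authority / @revoked marker lines are out of scope for this example."""
    ptype, pblob = presented_line.split()[:2]
    same_type_seen = False
    for line in known_hosts.splitlines():
        parts = line.strip().split()
        if len(parts) < 3 or parts[0].startswith("#"):
            continue
        hosts, ktype, blob = parts[0], parts[1], parts[2]
        if not host_matches(hosts, hostname) or ktype != ptype:
            continue
        same_type_seen = True
        if hmac.compare_digest(blob, pblob):
            return "match"
    return "mismatch" if same_type_seen else "unknown"


# Constructed sample data (placeholder key bytes, documentation addresses; not real keys).
GOOD_KEY = make_ed25519_pubkey_line(bytes(range(32)), "good@example")
ROGUE_KEY = make_ed25519_pubkey_line(bytes(range(32, 64)), "rogue@example")
SALT = bytes.fromhex("00112233445566778899aabbccddeeff00112233")   # 20 constructed salt bytes
KNOWN_HOSTS = "\n".join([
    "# constructed known_hosts sample",
    "shell.example.org,192.0.2.10 " + GOOD_KEY,
    hash_hostname("hashed.example.org", SALT) + " " + GOOD_KEY,
])

if __name__ == "__main__":
    print("fingerprint:", fingerprint_sha256(GOOD_KEY))
    for host, key in (("shell.example.org", GOOD_KEY), ("192.0.2.10", GOOD_KEY),
                      ("shell.example.org", ROGUE_KEY), ("hashed.example.org", GOOD_KEY),
                      ("other.example.org", GOOD_KEY)):
        print(f"{host:20s} {key.split()[2]:14s} -> {verify_host_key(KNOWN_HOSTS, host, key)}")
```

    The point of the "mismatch" outcome is the FAQ's own: encryption alone cannot tell you whom you are talking to, so a client that accepts a changed host key without complaint has given up the protection against DNS and routing spoofing. The hashed entry shows why a stolen known_hosts file does not by itself reveal which hosts a user connects to, although a name that is guessed can still be confirmed against the hash.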

    --

    man ssh

    1. http://sman.informatik.htw-dresden.de:6711/man?=ssh&=1

    ssh - OpenSSH SSH client (remote login program)

    Synopsis

    ssh [-l login_name] hostname | user@hostname [command]

    ssh [-afgknqstvxACNPTX1246] [-b bind_address] [-c cipher_spec] [-e escape_char] [-i identity_file] [-l login_name] [-m mac_spec] [-o option] [-p port] [-F configfile] [-L port:host:hostport] [-R port:host:hostport] [-D port] hostname | user@hostname [command]

    Description

    ssh (SSH client) is a program for logging into a remote machine and for executing commands on a remote machine. It is intended to replace rlogin and rsh, and provide secure encrypted communications between two untrusted hosts over an insecure network. X11 connections and arbitrary TCP/IP ports can also be forwarded over the secure channel.

    ssh connects and logs into the specified hostname. The user must prove his/her identity to the remote machine using one of several methods depending on the protocol version used:


    Putty: a free Win32 telnet/ssh client

    1. http://www.chiark.greenend.org.uk/~sgtatham/putty/ Putty