SSH™ allows users to log into host systems remotely. Unlike
rlogin or telnet, SSH encrypts the
login session, making it impossible for intruders to collect clear-text
passwords.
SSH is designed to replace common methods for remotely logging into
another system through a command shell. A related program called
scp replaces older programs designed to copy files
between hosts, such as ftp or
rcp. Because these older applications do not encrypt
passwords between the client and the server, you should avoid them whenever
possible. Using secure methods to remotely log in to other systems will
decrease the security risks for both your system and the remote system.
SSH (or Secure SHell) is a
protocol for creating a secure connection between two systems. In the
SSH protocol, the client machine initiates a connection with a server
machine.
The following safeguards are provided by SSH:
After an initial connection, the client verifies it is connecting to the same server during subsequent sessions.
The client transmits its authentication information to the server, such as a username and password, in an encrypted format.
All data sent and received during the connection is transferred using strong, 128-bit encryption, making it extremely difficult to decrypt and read.
The client has the ability to use X11 [1] applications launched from the shell prompt. This technique, called X11 forwarding, provides a secure means to use graphical applications over a network.
Because the SSH protocol encrypts everything it sends and receives, it
can be used to secure otherwise insecure protocols. Using a technique
called port forwarding, an SSH server can become
a conduit to secure insecure protocols, like POP, increasing
overall system and data security.
Red Hat Linux 7.3 includes the general OpenSSH package
(openssh), the OpenSSH server
(openssh-server) and client
(openssh-clients) packages. Please see the chapter
titled OpenSSH in the
Official Red Hat Linux Customization Guide for instructions on installing and
deploying OpenSSH. Also note that the OpenSSH packages require the
OpenSSL package (openssl). OpenSSL installs several
important cryptographic libraries that help OpenSSH provide encrypted
communications.
A large number of client and server programs can use the SSH
protocol. Several different SSH client versions are available for
almost every major operating system in use today. Even if the users
connecting to your system are not running Red Hat Linux, they can still find and
use an SSH client native for their operating system.
Threats to network traffic include packet sniffing, DNS and IP
spoofing [2] and the proliferation of fake routing information. In general
terms, these threats can be categorized as follows:
Interception of communication between two
systems — In this scenario, a third party exists
somewhere on the network between communicating entities and
makes a copy of the information being passed between them. The
intercepting party may intercept and keep the information, or it
may alter the information and send it on to the intended recipient.
Impersonation of a particular host —
Using this strategy, an intercepting system pretends to be the
intended recipient of a message. If the strategy works, the
client remains unaware of the deception and continues to
communicate with the interceptor as if its traffic had
successfully reached its destination.
Both techniques allow information to be intercepted, possibly for
hostile reasons, whether by listening to all packets on a LAN or through
a compromised DNS server that directs clients to a maliciously duplicated
host. The results can be disastrous.
If SSH is used for remote shell logins and file copying, these security
threats can be greatly diminished. A server's digital signature
provides verification for its identity. The entire communication
between client and server systems cannot be used if intercepted,
because each of the packets is encrypted. Attempts to spoof the
identity of either side of a communication will not work, since each
packet is encrypted using a key known only by the local and remote
systems.
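The "same server during subsequent sessions" check described above is what defeats host impersonation: the client records the server's host key on first contact and refuses a later connection whose key differs. The following Python sketch, added here as an illustration rather than code from OpenSSH or this guide, models that trust-on-first-use logic over a constructed known_hosts-style table (plain hostnames only; hashed entries and @-marker lines are not handled). The host keys are constructed random blobs, not real SSH keys.

```python
import base64
import hashlib

# Constructed sample host key blobs (not real SSH keys), standing in for the
# public key a server presents during the SSH key exchange.
REAL_KEY = base64.b64encode(b"constructed-host-key-of-the-genuine-server").decode()
IMPOSTOR_KEY = base64.b64encode(b"constructed-host-key-of-an-impostor").decode()


def fingerprint(key_b64: str) -> str:
    """OpenSSH-style SHA256 fingerprint (base64, no padding) of a host key blob."""
    digest = hashlib.sha256(base64.b64decode(key_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_known_hosts(text: str) -> dict:
    """Map each hostname to its (keytype, key) from known_hosts-style lines."""
    table = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        hosts, keytype, key = line.split()[:3]
        for name in hosts.split(","):   # "host,ip" aliases share one key
            table[name] = (keytype, key)
    return table


def verify_host(known: dict, host: str, keytype: str, key: str) -> str:
    """Trust-on-first-use: 'new' (recorded), 'ok' (same server) or 'MISMATCH'."""
    if host not in known:
        known[host] = (keytype, key)      # first connection: remember this key
        return "new"
    if known[host] == (keytype, key):
        return "ok"                        # same key as before: same server
    # A changed key means either a legitimate re-key or an interceptor
    # posing as the server; a client must refuse rather than guess.
    return "MISMATCH"


def demo() -> list:
    """Three sessions to one host: first contact, genuine repeat, impostor."""
    known = parse_known_hosts("# constructed, initially empty known_hosts\n")
    return [
        verify_host(known, "mail.example.com", "ssh-rsa", REAL_KEY),
        verify_host(known, "mail.example.com", "ssh-rsa", REAL_KEY),
        verify_host(known, "mail.example.com", "ssh-rsa", IMPOSTOR_KEY),
    ]
```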