SSH™ (or Secure
SHell) is a protocol which facilitates secure
communications between two systems using a client/server architecture and
allows users to log into server host systems remotely. Unlike other
remote communication protocols, such as FTP or Telnet, SSH encrypts the
login session, making it impossible for intruders to collect unencrypted
passwords.
SSH is designed to replace older, less secure terminal applications used
to log into remote hosts, such as telnet or
rsh. A related program called scp
replaces older programs designed to copy files between hosts, such as
rcp. Because these older applications do not encrypt
passwords transmitted between the client and the server, avoid them
whenever possible. Using secure methods to log into remote systems
decreases the risks for both the client system and the remote host.
The SSH protocol provides the following safeguards:
After an initial connection, the client can verify that it is
connecting to the same server it had connected to previously.
The client transmits its authentication information to the
server using strong, 128-bit encryption.
All data sent and received during a session is transferred using
128-bit encryption, making intercepted transmissions extremely
difficult to decrypt and read.
The client can forward X11[1]
applications from the server. This technique, called
X11 forwarding, provides a secure means to
use graphical applications over a network.
Because the SSH protocol encrypts everything it sends and receives, it
can be used to secure otherwise insecure protocols. Using a technique
called port forwarding, an SSH server can become
a conduit to securing otherwise insecure protocols, like POP, and increasing
overall system and data security.
Red Hat Enterprise Linux includes the general OpenSSH package
(openssh) as well as the OpenSSH server
(openssh-server) and client
(openssh-clients) packages. Refer to the chapter
titled OpenSSH in the
Red Hat Enterprise Linux System Administration Guide for instructions on installing and
deploying OpenSSH. Note, the OpenSSH packages require the
OpenSSL package (openssl) which installs several
important cryptographic libraries, enabling OpenSSH to provide encrypted
communications.
Nefarious computer users have a variety of tools at their disposal
enabling them to disrupt, intercept, and re-route network traffic in
an effort to gain access to a system. In general terms, these threats
can be categorized as follows:
Interception of communication between two
systems — In this scenario, the attacker can be
somewhere on the network between the communicating entities,
copying any information passed between them. The attacker may
intercept and keep the information, or alter the information and
send it on to the intended recipient.
This attack can be mounted through the use of a packet sniffer
— a common network utility.
Impersonation of a particular host
— Using this strategy, an attacker's system is configured to
pose as the intended recipient of a transmission. If this strategy
works, the user's system remains unaware that it is communicating
with the wrong host.
This attack can be mounted through techniques known as DNS
poisoning[2]
or IP spoofing[3].
Both techniques intercept potentially sensitive information and, if
the interception is made for hostile reasons, the results can be
disastrous.
If SSH is used for remote shell login and file copying, these security
threats can be greatly diminished. This is because the SSH client and
server use digital signatures to verify their identity. Additionally,
all communication between the client and server systems is
encrypted. Attempts to spoof the identity of either side of a
communication does not work, since each packet is encrypted using a
key known only by the local and remote systems.
X11 refers to the
X11R6.7 windowing display system, traditionally referred to as the X
Window System or X. Red Hat Enterprise Linux includes XFree86, an open source X
Window System.
