What is Secure Shell
Secure Shell is a new industry standard for accessing remote systems securely using strong encryption and cryptography. It is designed to replace the popular telnet, ftp and UC Berkeley UNIX 'r' commands with secured, encrypted versions. Secure Shell is designed in client-server form. The server side is called the Secure Shell server or daemon (sshd). The client side is called the Secure Shell client (ssh). An ssh client is used to connect to a remote machine running the sshd server and run any character-mode program on that machine. All data and passwords are encrypted in an ssh-sshd session, thus eliminating virtually any risk associated with remote access.

The Secure Shell standard was created in 1995 by SSH Communications Security Ltd. of
Why is it Important
Remote access to systems is one of the most common tasks performed by professionals and IT staff. In these days of the internet it is very rare for anyone to work with one local computer alone. Quite frequently, one has to log in to another machine and start some task, or monitor the progress of tasks started earlier. This other computer could be in the next room or on the next continent.
The Internet and TCP/IP standards for remote access are telnet, rsh, rexec and rlogin. Their flaw is that they are not secure: the password is sent in clear text and the data is not encrypted. A hacker can simply sniff the data exchanges and pick up the password, or look at data that may be sensitive. Secure Shell puts an end to all of these security flaws. It introduces a single client (ssh) and a single server (sshd), which can authenticate users by any of the means used in telnet (password), rsh, rexec (password) and rlogin. It does this securely by first establishing a secure channel using public key cryptography and strong encryption. Once the secure channel is established, credentials like the password, and the data itself, can be sent without worry as they are all encrypted. Additionally, new authentication means like RSA/X.509 certificates and Kerberos-based schemes can be supported, allowing even greater security overall in a system using Secure Shell. Further, with the port forwarding feature of Secure Shell, a software VPN tunnel is established between the ssh client and the sshd server node, over which non-secured TCP/IP applications like SMTP, POP, telnet, ftp, X Windows, etc. can be run, making them run securely without any change! All these capabilities make users' tasks easy and secured when Secure Shell is introduced in an organization. Users can do the tasks they are used to, but do them in a proven, cryptographically secured way.
The bottom line is that ssh is a new-generation protocol (1995), which gave the ssh designers the freedom to architect it so that it fixes the security and feature flaws that the older TCP/IP application protocols had proven to have.
How is Secure Shell used
Secure Shell is designed on the TCP/IP client-server model. The Secure Shell server (sshd) runs as a daemon on UNIX and as a service on Windows NT/2000/XP, and listens for connections from ssh clients on TCP port 22. A Secure Shell client (ssh) is run to connect to a given sshd server, identified by the host name of the sshd server machine. The client and server exchange RSA/DSA certificates to identify each other and then establish a shared secret key dynamically and securely using RSA/DSA public key cryptography. The new shared secret key is then used to encrypt all further data between the ssh and sshd nodes during that session. At this stage, since a secure pathway exists, the password or other authentication information can be transferred safely for user authentication.
Once user authentication is done, the sshd server typically provides the command shell of the operating system to the ssh client. The ssh user can type any command into this shell and get its output interactively. All input and output data are encrypted, and optionally compressed, during transit on the network. The session ends when a shell-terminating command like "exit" or "logout" is typed on the ssh client. Thus ssh access works very much like telnet access: if you have used telnet, rsh, rexec or rlogin, you will be at ease with ssh.
Secure file transfer between systems is a common need for most users. Two subsystems are defined within the Secure Shell standard to accomplish this task. One is the Secure File Transfer (sftp) server subsystem, accessed by an sftp client. The other is the Secure Copy (scp) program, which is designed to work as both a file-copying server and client.
Another important use of Secure Shell is to use an ssh-sshd session as a secure tunnel that carries the data of non-secure protocols like SMTP, POP, FTP, etc., making them run securely without any change. In this case the ports of the protocols to be protected are forwarded via a proxy and are listed when the ssh session is started: on the ssh command line, the -L option is used to list the protocol ports to be forwarded.
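One way to set up the POP3 and SMTP forwarding the paragraph describes, as an added example that is not from the Pragma page: it assumes the OpenSSH-style "-L localport:host:port" option syntax, and the host name, ports and forwarding table are constructed.

```shell
#!/bin/sh
# Added example, not code from the Pragma page: assembling the -L forwarding
# list for the POP3 and SMTP case described in the text. It assumes the
# OpenSSH-style syntax "-L localport:host:port"; the ssh.exe option format
# and the host name are assumptions.

# Constructed forwarding table: service, local listening port,
# destination host, destination port. The destination is resolved by the
# sshd machine, so "localhost" here means the sshd host itself.
FORWARDS="pop3 1110 localhost 110
smtp 1025 localhost 25"

# valid_port PORT: succeeds if PORT is an integer in 1..65535
valid_port() {
  case "$1" in ''|*[!0-9]*) return 1 ;; esac
  [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# forward_args: print one "-L lport:host:dport" option per table line,
# failing (non-zero exit) on a malformed port rather than emitting it
forward_args() {
  printf '%s\n' "$FORWARDS" | while read -r svc lport dhost dport; do
    valid_port "$lport" && valid_port "$dport" \
      || { echo "bad port for $svc" >&2; exit 1; }
    printf -- '-L %s:%s:%s\n' "$lport" "$dhost" "$dport"
  done
}

# tunnel_cmd USER@SSHDHOST: the full command line; -N keeps the session as a
# tunnel only, without opening a remote shell
tunnel_cmd() {
  args=$(forward_args) || return 1
  echo "ssh -N $(printf '%s' "$args" | tr '\n' ' ') $1"
}

tunnel_cmd user@mail.example.com
# The mail client is then pointed at localhost:1110 (POP3) and
# localhost:1025 (SMTP); each connection is carried inside the ssh session.
```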
How Pragma FortressSSH works
The Pragma FortressSSH package is a full implementation of the sshd server and ssh client in the Windows environment. The sshd server runs on all Windows platforms 2000 and above. The ssh client runs on all Windows platforms.
Pragma's FortressSSH is a native, truly multi-threaded Windows implementation. It does not use a UNIX-emulation-on-Windows scheme like Cygwin from Cygnus Solutions (now part of Red Hat), as those are low-performance stopgap solutions only. Pragma's version is written directly to the Microsoft Win32 API, giving you maximum performance and features in the Windows environment.
Pragma uses its Inetd server to listen on the port designated for ssh, 22 (it can be changed to another port). The Inetd server is built as a Windows service, so it is always running in the background. When an ssh client connects to the sshd port (generally 22), the Inetd server accepts the connection and then starts a secure shell server process to serve this particular ssh client. Inetd passes the socket handle of the remote client to the started process via the well-known environment variable "PRAGMASYS_INETD_SOCK". The Inetd server then goes on listening for the next client connection.
Pragma FortressSSH supports SSH2, while the clients, both command line and GUI, support both SSH1 and SSH2. Both the clients and the server interoperate with any client and/or server available from other vendors in the industry for any operating system, UNIX and Linux being the most widely used. The SSH1 standard uses RSA public key cryptography to securely negotiate a symmetric key that is used for encrypting and decrypting all communications between the two machines. SSH1 is the original standard and is not used as frequently as the newer SSH2 standard. The SSH2 standard, introduced by SSH Communications Security Ltd., generally uses DSA, but can also use RSA. The SSH2 protocol is newer and more secure, but it is incompatible with SSH1.
Pragma's ssh client and sshd server support the port forwarding feature, allowing any TCP/IP-based program to run over the ssh-sshd secure channel. This creates a powerful software VPN (Virtual Private Network) environment using just our ssh package, without any additional VPN software or hardware. Our solution is based on the SSH standard, so it will interoperate with any other vendor's SSH port forwarding.
The client side of ssh is part of the Pragma FortressSSH ClientSuite package. It can be installed and used on any Windows machine (Windows 95/98/Me/NT 4/2000/XP/DataCenter). All the clients Pragma offers are part of the package:
Program         Description
-------------   ------------------------------------------------------------
Ssh.exe         Console mode Secure Shell client for Windows. VT and WYSE emulations are supported.
Sshkeygen.exe   SSH RSA/DSA key generator.
Pragmaftp.exe   Console mode Pragma ftp client that supports the passive mode of FTP needed to transfer files over ssh sessions.
Telnetc.exe     Console mode telnet client that supports VT and WYSE emulations.
Scp.exe         Secure copy of files through a secure shell pipe.
Rexec.exe       Remote execute client.
Rsh.exe         Remote shell client.
FortressFX      GUI SFTP client.
FortressCL      GUI ssh/telnet client.