Shell is a protocol that provides authentication, encryption and data integrity to secure network communications. Implementations of Secure Shell offer the following capabilities: a secure command-shell, secure file transfer, and remote access to a variety of TCP/IP applications via a secure tunnel. Secure Shell client and server applications are widely available for most popular operating systems.
1995: Tatu Ylonen designed the first version of the protocol (SSH-1) Prompted by a password-sniffing attack at his university’s network Goal of SSH as to replace the earlier rlogin, TELNET and rsh protocols Did not provide strong authentication or guarantee confidentiality Ylonen released his implementation as freeware in July 1995 Tool quickly gained in popularity
Separate protocol layered over the Secure Shell protocol to handle file transfers.
a network protocol
allows secure communication between two
Shell-a command line interface present on
every computer, used to log into a remote
machine and execute commands
Encryption provides confidentiality and integrity
uses public-key cryptography
Tatu Ylonen designed the first version of the
protocol (SSH-1) in 1995
Goal of SSH is to replace the earlier rlogin,
TELNET and rsh
It was made as open source later and gained
In 1996 SSH-2 was designed which is
incompatible with previous version
SSH-2 featured both security and feature
improvements over SSH-1
Better security through Diffie-Hellman key
Strong integrity checking via message
Bjorn Gronvall's OSSH developed from this codebase
“Portability" branch was formed to port OpenSSH to other operating
As of 2005
OpenSSH is the single most popular ssh implementation
The default in a large number of operating systems.
OSSH meanwhile has become obsolete
In 2006, SSH-2 protocol became a proposed Internet standard
Allow you to edit files.
View the contents of directories.
Custom based applications.
Create user accounts.
Anything can be done from command
prompt can be done remotely and securely.
provide security to TCP/IP applications
including e-mail, sales and customer contact
databases, and in-house applications.
allows data from normally unsecured TCP/IP
applications to be secured.
A subsystem of the Secure Shell protocol.
to handle file transfers.
encrypts both the username/password and
the data being transferred.
Uses the same port as the Secure Shell
server, eliminating the need to open another
port on the firewall or router.
The SSH-2 protocol has a clean internal
architecture with well-separated layers:
User Authentication Layer
Defined in “RFC 4251”
Handles initial key exchange and server authentication
sets up encryption, compression and integrity
It exposes to the upper layer an interface for sending
and receiving plaintext packets of up to 32kb
also arranges for key re-exchange
It handles client authentication
Provides a number of authentication methods.
Authentication is client-driven
A method for straightforward password
Includes a facility allowing a password to be
A method for public key-based authentication
Symmetric key (secret)
Asymmetric key (public and private)
The server sends one or more prompts to enter
The client displays them and sends back responses
keyed-in by the user
Used to provide one-time password authentication
such as S/Key or SecurID.
Used by some OpenSSH configurations when PAM is
the underlying host authentication provider to
effectively provide password authentication
Stands for Generic Security Services
Application Program Interface.
the exchange of opaque messages (tokens)
which hide the implementation detail from the
Defines the concept of channels, channel requests and
global requests using which SSH services are provided.
A single SSH connection can host multiple channels
simultaneously, in duplex mode
Channel requests are used to relay out-of-band channel
specific data, such as the changed size of a terminal
window or the exit code of a server-side process.
The SSH client requests a server-side port to be forwarded
using a global request.
IP Source Routing
Dynamic ports cannot be forwarded.
Sometimes port forwarding also introduces
A client on the internet that uses SSH to access
the intranet, can expose the intranet by port
As compared to the other link, network, and application
security measures like IPsec, n PGP, Secure Shell is
relatively secure, reliable, quick and easy.
By deploying Secure Shell, companies create a
comprehensive general-purpose tunneling platform that
can be used to implement a wide variety of security
policies, ensuring the privacy, authenticity, authorization
and integrity of many different applications.
 Cusack, F. and Forssen, M. "Generic Message Exchange
Authentication for the Secure Shell Protocol (SSH)," RFC 4256,
 Lehtinen, S. and Lonvick, C., "The Secure Shell (SSH) Protocol
Assigned Numbers," RFC 4250, January 2006.
 JSchlyter, J. and Griffin, W. "Using DNS to Securely Publish Secure
Shell (SSH) Key Fingerprints," RFC 4255, January 2006.
 Ylonen, T., "SSH – Secure Login Connections over the Internet,"
Proceedings, Sixth USENIX UNIX Security Symposium, July 1996.