Red Hat ENTERPRISE LINUX 3 Reference Manual

Also see for ENTERPRISE LINUX 3 - SECURITY GUIDE: Tuning guide Installation guide Installation guide Installation guide Manual

Contents

Chapter 19.SSH ProtocolSSH™ (or Secure SHell) is a protocol which facilitates secure communications between two systemsusing a client/server architecture and allowing users to log into server host systems remotely. Butunlike other remote communication protocols such as FTP or Telnet, SSH encrypts the login session,making it impossible for intruders to collect unencrypted passwords.SSH is designed to replace older, less secure terminal applications used to log into remote hosts,such as telnet or rsh. A related program called scp replaces older programs designed to copy filesbetween hosts, such as rcp. Because these older applications do not encrypt passwords transmittedbetween the client and the server, avoid them whenever possible. Using secure methods to log intoremote systems decreases the risks for both the client system and the remote host.19.1. Features of SSHThe SSH protocol provides the following safeguards:• After an initial connection, the client can verify that it is connecting to the same server it hadconnected to previously.• The client transmits its authentication information to the server using strong, 128-bit encryption.• All data sent and received during a session is transferred using 128-bit encryption, making inter-cepted transmissions extremely difficult to decrypt and read.• The client can forward X111 applications from the server. This technique, called X11 forwarding,provides a secure means to use graphical applications over a network.Because the SSH protocol encrypts everything it sends and receives, it can be used to secure otherwiseinsecure protocols. Using a technique called port forwarding, an SSH server can become a conduit tosecure otherwise insecure protocols, like POP, and increasing overall system and data security.Red Hat Enterprise Linux includes the general OpenSSH package (openssh) as well as theOpenSSH server (openssh-server) and client (openssh-clients) packages. Refer to thechapter titled OpenSSH in the Red Hat Enterprise Linux System Administration Guide forinstructions on installing and deploying OpenSSH. Also note that the OpenSSH packages require theOpenSSL package (openssl) which installs several important cryptographic libraries, enablingOpenSSH to provide encrypted communications.19.1.1. Why Use SSH?Nefarious computer users have a variety of tools at their disposal enabling them to disrupt, intercept,and re-route network traffic in an effort to gain access to a system. In general terms, these threats canbe categorized as follows:• Interception of communication between two systems — In this scenario, the attacker can be some-where on the network between the communicating entities, copying any information passed be-tween them. The attacker may intercept and keep the information, or alter the information and sendit on to the intended recipient.This attack can be mounted through the use of a packet sniffer — a common network utility.1. X11 refers to the X11R6 windowing display system, traditionally referred to as the X Window System or X.Red Hat Enterprise Linux includes XFree86, an open source X Window System.