[4] A multiplexed connection consists of several signals being sent over a shared, common medium. With SSH, different channels are sent over a common secure connection.

Caution

It is possible for an attacker to masquerade as an SSH server during the initial contact since the local system does not know the difference between the intended server and a false one set up by an attacker. To help prevent this, verify the integrity of a new SSH server by contacting the server administrator before connecting for the first time or in the event of a host key mismatch.

SSH is designed to work with almost any kind of public key algorithm or encoding format. After an initial key exchange creates a hash value used for exchanges and a shared secret value, the two systems immediately begin calculating new keys and algorithms to protect authentication and future data sent over the connection.

After a certain amount of data has been transmitted using a given key and algorithm (the exact amount depends on the SSH implementation), another key exchange occurs, generating another set of hash values and a new shared secret value. Even if an attacker is able to determine the hash and shared secret value, this information is only useful for a limited period of time.

3.2. Authentication

Once the transport layer has constructed a secure tunnel to pass information between the two systems, the server tells the client the different authentication methods supported, such as using a private key-encoded signature or typing a password. The client then tries to authenticate itself to the server using one of these supported methods.

SSH servers and clients can be configured to allow different types of authentication, which gives each side the optimal amount of control. The server can decide which encryption methods it supports based on its security model, and the client can choose the order of authentication methods to attempt from the available options.
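
The host key check described in the Caution above can be done by comparing fingerprints: the administrator supplies the server key's fingerprint out of band, and the client compares it with the key the server presents. The following is an added example, not part of the original guide; the function names and the sample keys are constructed for illustration, and the fingerprint format assumed is the SHA256 form that OpenSSH prints.

```python
import base64
import hashlib
import hmac
import struct


def parse_public_key(line):
    """Return (key_type, blob) from an OpenSSH public-key line such as a host key .pub file."""
    fields = line.split()
    if len(fields) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    key_type, blob = fields[0], base64.b64decode(fields[1], validate=True)
    # The blob begins with a length-prefixed copy of the algorithm name;
    # a mismatch means the line was edited or corrupted.
    if len(blob) < 4:
        raise ValueError("key blob too short")
    (name_len,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + name_len] != key_type.encode():
        raise ValueError("key type does not match encoded blob")
    return key_type, blob


def fingerprint(line):
    """SHA256 fingerprint: 'SHA256:' followed by unpadded base64 of the blob's digest."""
    _, blob = parse_public_key(line)
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def host_key_matches(presented_line, trusted_fingerprint):
    """True only if the presented key hashes to the administrator-supplied value."""
    return hmac.compare_digest(fingerprint(presented_line), trusted_fingerprint.strip())


def make_sample_key(seed):
    """Constructed sample: an ssh-ed25519 blob with 32 filler bytes (not a real key)."""
    name = b"ssh-ed25519"
    blob = struct.pack(">I", len(name)) + name + struct.pack(">I", 32) + bytes([seed]) * 32
    return "ssh-ed25519 " + base64.b64encode(blob).decode() + " sample@constructed"


if __name__ == "__main__":
    intended = make_sample_key(0x11)  # key of the intended server
    impostor = make_sample_key(0x22)  # key a false server would present
    trusted = fingerprint(intended)   # value obtained from the administrator
    print(trusted)
    print("intended:", host_key_matches(intended, trusted))
    print("impostor:", host_key_matches(impostor, trusted))
```
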
Thanks to the secure nature of the SSH transport layer, even seemingly insecure authentication methods, such as host and password-based authentication, are safe to use.

3.3. Channels

After a successful authentication over the SSH transport layer, multiple channels are opened via a technique called multiplexing [4]. Each of these channels handles communication for different terminal sessions and for forwarded X11 sessions.

Both clients and servers can create a new channel. Each channel is then assigned a different number on each end of the connection. When the client attempts to open a new channel, the client sends the channel number along with the request. This information is stored by the

Chapter 20. SSH Protocol