Specifications
The SSH Daemon (sshd) — Server-Side
To work with the SSH client programs ssh and scp, a server, the SSH dae-
mon, has to be running in the background. This waits for its connections on
TCP/IP port 22.
The daemon generates three key pairs when starting for the first time. The
key pairs consist of a private and a public key. Therefore, this procedure is
referred to as public key–based. To guarantee the security of the communica-
tion via SSH, only the system administrator can see the private key files. The
file permissions are restrictively defined by the default setting. The private
keys are only required locally by the SSH daemon and must not be given to
anyone else. The public key components (recognizable by the name extension
.pub) are sent to the communication partner and are readable for all users.
A connection is initiated by the SSH client. The waiting SSH daemon and the
requesting SSH client exchange identification data comparing the protocol and
software versions and preventing connection to the wrong port. Since a child
process of the original SSH daemon replies to the request, several SSH connec-
tions can be made simultaneously.
The SSH protocol is available in two versions, 1 and 2, for the communica-
tion between SSH server and SSH client.
When using SSH with version 1, the server will then send its public host key
and a server key, regenerated by the SSH daemon every hour. Both allow
the SSH client to encrypt a freely chosen session key then send it to the SSH
server. The SSH client also tells the server which encryption method (cipher)
to use.
SSH in version 2 does not require a server key. A Diffie-Helman algorithm is
employed instead for exchanging the keys.
The private host and server keys absolutely necessary for decoding the ses-
sion key cannot be derived from the public parts. Only the SSH daemon
contacted can decipher the session key using its propietary keys (see also
/usr/share/doc/packages/openssh/RFC.nroff). This initial connec-
tion phase can be watched closely using the SSH client program’s error search
option -v. Version 2 of the SSH protocol is used by default, which however
can be overridden to use version 1 of the protocol with the -1 switch. By
storing all public host keys after initial contact in ~/.ssh/known_hosts
on the client side, so-called “man-in-the-middle” access attempts can be pre-
vented. SSH servers that try to fraudulently use names and IP addresses of
others will be exposed by a clear indicator. They will either be noticed due to
a wrong host key which differs from ~/.ssh/known_hosts or they cannot
decipher the session key in the absence of an appropriate private counterpart.
192 SSH — Secure Shell, the Safe Alternative