Installation guide
132 Chapter 9. SSH Protocol
Servers can be configured to allow different types of authentication, which gives each side the optimal amount of control. The server decides which authentication methods it will accept based on its security model, and the client chooses the order in which to attempt them from among the available options. Because the SSH transport layer already provides confidentiality, integrity, and server authentication, even authentication methods that would be weak on their own, such as host-based authentication, do not expose credentials in transit. Host-based authentication still rests on trusting the client host and its host key, so it should only be enabled between hosts under the same administrative control.
Most users requiring a secure shell authenticate with a password. Since the password travels inside the encrypted transport layer, it can be sent safely across any network; the transport protects the password from eavesdroppers, but not from guessing, so it is still only as strong as the password itself.
9.3.3. Connection
After a successful authentication over the SSH transport layer, multiple channels are opened by multiplexing⁴ the single connection between the two systems. Each of these channels handles communication for a different terminal session, forwarded X11 session, or other service seeking to use the SSH connection.
Both clients and servers can create a new channel. Each channel is assigned a number at each end of the connection, and the two ends may use different numbers for the same channel. When the client attempts to open a new channel, it sends its channel number along with the request. The server stores this number and uses it to direct communication to that channel. This keeps the different sessions from affecting one another, so that when a given session ends, its channel can be closed without disrupting the primary SSH connection.
Channels also support flow control, which allows them to send and receive data in an orderly fashion. Each side advertises a receive window for the channel; the peer may send only as many bytes as the window allows and must wait for a window adjustment before sending more. No data is sent on a channel at all until the other side has confirmed that the channel is open.
The client and server negotiate the characteristics of each channel automatically, depending on the
type of service the client requests and the way the user is connected to the network. This allows
great flexibility in handling different types of remote connections without having to change the basic
infrastructure of the protocol.
9.4. OpenSSH Configuration Files
OpenSSH has two different sets of configuration files: one for client programs (ssh, scp, and sftp)
and one for the server daemon (sshd).
System-wide SSH configuration information is stored in the /etc/ssh/ directory:
• moduli — Contains the Diffie-Hellman groups used by the Diffie-Hellman group exchange key exchange methods, which are critical for constructing a secure transport layer. When keys are exchanged at the beginning of an SSH session, a shared secret value is created which cannot be determined by either party alone. The session encryption and integrity keys are derived from this value, and the server authenticates itself by signing the exchange hash with its host key.
• ssh_config — The system-wide default SSH client configuration file. Options given on the command line and values in the user's own configuration file (~/.ssh/config) take precedence over it: for each option, the first value obtained is used.
• sshd_config — The configuration file for the sshd daemon.
• ssh_host_dsa_key — The DSA private key used by the sshd daemon.
• ssh_host_dsa_key.pub — The DSA public key used by the sshd daemon.
• ssh_host_key — The RSA private key used by the sshd daemon for version 1 of the SSH protocol. (Protocol version 1 and DSA host keys are legacy features: current OpenSSH releases have removed protocol 1 support and disable DSA keys by default, so these files should not be present or referenced on a modern server.)
4. A multiplexed connection consists of several signals being sent over a shared, common medium. With SSH,
different channels are sent over a common secure connection.
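As an added example that is not part of the original guide, the following POSIX shell script reads an sshd_config the way sshd reads its global section (the first value of a keyword wins, keywords are case-insensitive, and settings after a Match line apply only conditionally) and flags the legacy host-key files listed above together with the password, root-login and host-based authentication settings discussed in section 9.3. The two configurations it audits are constructed samples, and the function names are the example's own.

```shell
#!/bin/sh
# Added example, not from the original guide: audit an sshd_config for the
# legacy host-key files and the authentication settings this chapter discusses.
# Both configurations below are constructed samples, not real host files.

make_weak_config() {
  # Constructed sample with several weak settings, written to the file in $1.
  cat > "$1" <<'EOF'
# constructed sshd_config sample
Protocol 2,1
HostKey /etc/ssh/ssh_host_key
HostKey /etc/ssh/ssh_host_dsa_key
HostKey /etc/ssh/ssh_host_ed25519_key
PermitRootLogin yes
PasswordAuthentication yes
HostbasedAuthentication yes

Match User backup
    PasswordAuthentication no
EOF
}

make_hardened_config() {
  # Constructed sample with the same keywords set conservatively.
  cat > "$1" <<'EOF'
HostKey /etc/ssh/ssh_host_ed25519_key
PermitRootLogin no
PasswordAuthentication no
HostbasedAuthentication no
EOF
}

# sshd takes the first value it reads for a keyword, keywords are
# case-insensitive, and anything after a "Match" line applies only
# conditionally, so only the global section is consulted here.
# Prints the value, or nothing if the keyword is unset.
sshd_effective() {
  awk -v kw="$2" '
    tolower($1) == "match"     { exit }
    tolower($1) == tolower(kw) { print $2; exit }
  ' "$1"
}

# HostKey may be given several times; print every path in the global section.
sshd_hostkeys() {
  awk '
    tolower($1) == "match"   { exit }
    tolower($1) == "hostkey" { print $2 }
  ' "$1"
}

# Print one line per finding. Always exits 0 so it is safe under "set -e".
audit_sshd_config() {
  cfg="$1"

  case "$(sshd_effective "$cfg" Protocol)" in
    *1*) echo "Protocol: SSH protocol version 1 is enabled" ;;
  esac

  for key in $(sshd_hostkeys "$cfg"); do
    case "$key" in
      */ssh_host_key)     echo "HostKey: $key is an SSH-1 RSA host key" ;;
      */ssh_host_dsa_key) echo "HostKey: $key is a DSA host key" ;;
    esac
  done

  if [ "$(sshd_effective "$cfg" PermitRootLogin)" = "yes" ]; then
    echo "PermitRootLogin: root may log in directly over SSH"
  fi

  # sshd treats an unset PasswordAuthentication as "yes".
  pw="$(sshd_effective "$cfg" PasswordAuthentication)"
  if [ -z "$pw" ] || [ "$pw" = "yes" ]; then
    echo "PasswordAuthentication: enabled (the default when unset)"
  fi

  if [ "$(sshd_effective "$cfg" HostbasedAuthentication)" = "yes" ]; then
    echo "HostbasedAuthentication: enabled; the server trusts client host keys"
  fi
  return 0
}

# Number of findings, without depending on the formatting of "wc -l".
count_findings() {
  audit_sshd_config "$1" | awk 'END { print NR }'
}

# Stand-alone demo over the two constructed samples.
demo_cfg="$(mktemp)"
make_weak_config "$demo_cfg"
echo "== weak sample: $(count_findings "$demo_cfg") findings =="
audit_sshd_config "$demo_cfg"
make_hardened_config "$demo_cfg"
echo "== hardened sample: $(count_findings "$demo_cfg") findings =="
rm -f "$demo_cfg"
```

On a real host, run `audit_sshd_config /etc/ssh/sshd_config`. The script only reads the global section and knows nothing about compiled-in defaults, so treat it as a quick review aid; `sshd -T` prints the complete effective server configuration including defaults and Match evaluation, and `ssh -G host` does the same for the client side, which is the authoritative way to confirm which value actually wins.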