Secure Shell - Architecture

Architecture

The SSH-2 protocol has an internal architecture (defined in RFC 4251) with well-separated layers. These are:

  • The transport layer (RFC 4253). This layer handles initial key exchange as well as server authentication, and sets up encryption, compression and integrity verification. It exposes to the upper layer an interface for sending and receiving plaintext packets with sizes of up to 32,768 bytes each (more can be allowed by the implementation). The transport layer also arranges for key re-exchange, usually after 1 GB of data has been transferred or after 1 hour has passed, whichever is sooner.
  • The user authentication layer (RFC 4252). This layer handles client authentication and provides a number of authentication methods. Authentication is client-driven: when one is prompted for a password, it may be the SSH client prompting, not the server. The server merely responds to the client's authentication requests. Widely used user authentication methods include the following:
    • password: a method for straightforward password authentication, including a facility allowing a password to be changed. This method is not implemented by all programs.
    • publickey: a method for public key-based authentication, usually supporting at least DSA or RSA keypairs, with other implementations also supporting X.509 certificates.
    • keyboard-interactive (RFC 4256): a versatile method where the server sends one or more prompts to enter information and the client displays them and sends back responses keyed-in by the user. Used to provide one-time password authentication such as S/Key or SecurID. Used by some OpenSSH configurations when PAM is the underlying host authentication provider to effectively provide password authentication, sometimes leading to inability to log in with a client that supports just the plain password authentication method.
    • GSSAPI authentication methods which provide an extensible scheme to perform SSH authentication using external mechanisms such as Kerberos 5 or NTLM, providing single sign on capability to SSH sessions. These methods are usually implemented by commercial SSH implementations for use in organizations, though OpenSSH does have a working GSSAPI implementation.
  • The connection layer (RFC 4254). This layer defines the concept of channels, channel requests and global requests using which SSH services are provided. A single SSH connection can host multiple channels simultaneously, each transferring data in both directions. Channel requests are used to relay out-of-band channel specific data, such as the changed size of a terminal window or the exit code of a server-side process. The SSH client requests a server-side port to be forwarded using a global request. Standard channel types include:
    • shell for terminal shells, SFTP and exec requests (including SCP transfers)
    • direct-tcpip for client-to-server forwarded connections
    • forwarded-tcpip for server-to-client forwarded connections
  • The SSHFP DNS record (RFC 4255) provides the public host key fingerprints in order to aid in verifying the authenticity of the host.

This open architecture provides considerable flexibility, allowing SSH to be used for a variety of purposes beyond a secure shell. The functionality of the transport layer alone is comparable to Transport Layer Security (TLS); the user authentication layer is highly extensible with custom authentication methods; and the connection layer provides the ability to multiplex many secondary sessions into a single SSH connection, a feature comparable to BEEP and not available in TLS.

Read more about this topic:  Secure Shell

Famous quotes containing the word architecture:

    The two elements the traveler first captures in the big city are extrahuman architecture and furious rhythm. Geometry and anguish. At first glance, the rhythm may be confused with gaiety, but when you look more closely at the mechanism of social life and the painful slavery of both men and machines, you see that it is nothing but a kind of typical, empty anguish that makes even crime and gangs forgivable means of escape.
    Federico García Lorca (1898–1936)

    The principle of the Gothic architecture is infinity made imaginable.
    Samuel Taylor Coleridge (1772–1834)

    Polarized light showed the secret architecture of bodies; and when the second-sight of the mind is opened, now one color or form or gesture, and now another, has a pungency, as if a more interior ray had been emitted, disclosing its deep holdings in the frame of things.
    Ralph Waldo Emerson (1803–1882)