[Articles publiés]
[Blog Affordance]
[LibreOffice en ligne]
[Journal d'Ophelia]
[Kim Khal]

[Rue 89]

DNS etc
Votre ID: 111
Login utilisateur
Mot de passe éditeur


Différence (depuis la version majeure précédente) (Pas d'autres comparaisons)

Ajouté: 6a7

Ajouté: 15a17,18

:article about cryptography of SSH

Fonctionnement des protocoles SSH

  • windows: PuTTY? Version 0.67 ou Version Snapshot 2016-10-10
  • zaphod: [OpenSSH 6]?.7p1 Debian-5+deb8u3, OpenSSL? 1.0.1t 3 May 2016
  • zombie: [OpenSSH 6]?.2p2, FreeBSD? 9.2, OpenSSL? 0.9.8y 5 Feb 2013


From a Cisco Article:

and a digitalocean article

A secure secure shell: how ssh works article from 2015

article about cryptography of SSH

SSH is organized as three protocols that typically run on top of TCP

Transport Layer Protocol: Provides server authentication, data confidentiality, and data integrity with forward secrecy (3rd layer of TCP/IP stack).

User Authentication Protocol: Authenticates the user to the server(4th layer of TCP/IP stack)

Connection Protocol: Multiplexes multiple logical communications channels over a single underlying SSH connection (4th layer of TCP/IP stack)

- CLient to server port 22: Client and server exchange messages (identifiers) thru TCP consisting of SSH version and OS version.

   RFC 4253: Key exchange will begin immediately after sending this
   identifier.  All packets following the identification string SHALL
   use the binary packet protocol, which is described in Section 6.
   This protocol is encrypted ? FIXME

- Initial key exchange process: both parties produce temporary key pairs and exchange the public key in order to produce the shared secret that will be used to negociate symmetrical encryption.

- Algorithm negociation: The client send its list of MAC algorithms, a list of Ciphers algorithms, a list of compression algorithm, and a list of Key exchange algorithms it supports. The server choose among these 4 lists, the first algorithm of each list it supports. Client and server have now a common MAC, Cipher, compressin and KEX algorithms.

-During this process, the server has been authentified by the client, because the server has used its host private key to negociate.

- Diffie-hellman: Using the DH (public-private key) protocol, the client and the server both calculate a shared symetrical secret key that will serve for the rest of the entire session.

- Service request. The client sends an SSH_MSG_SERVICE_REQUEST packet to request either the User Authentication or the Connection Protocol. Subsequent to this request, all data is exchanged as the payload of an SSH Transport Layer packet, protected by encryption and MAC.

- User identification: User Authentication Protocol provides the means by which the client is authenticated to the server. Using the public/private key of the user or the classic password authentication.

PuTTY? versions

PuTTY? 0.67 PuTTY? snapshot 2016-10-10
Kex: Diffie-Hellman group 14 Diffie-Hellman group 14
Diffie-Hellman group 1 ECDH key exchange
Diffie-Hellman group group exchange Diffie-Hellman group group exchange
RSA-based key exchange RSA-based key exchange
---warn below--
Diffie-Hellman group 1
Cipher: AES (SSH-2 only) AES (SSH-2 only)
- ChaCha20? (SSH-2 only)
Blowfish Blowfish
---warn below --- ---warn below ---
Arcfour (SSH-2 only) Arcfour (SSH-2 only)
Host keys: Ed25519
---warn below ---

TLS explained
a full illustrated explanation