Afficher la révision 6
Fonctionnement des protocoles SSH
- windows: PuTTY? Version 0.67 ou Version Snapshot 2016-10-10
- zaphod: [OpenSSH 6]?.7p1 Debian-5+deb8u3, OpenSSL? 1.0.1t 3 May 2016
- zombie: [OpenSSH 6]?.2p2, FreeBSD? 9.2, OpenSSL? 0.9.8y 5 Feb 2013
Fonctionnemanet
From a Cisco Article:
http://www.cisco.com/c/en/us/about/press/internet-protocol-journal/back-issues/table-contents-46/124-ssh.html
- and a digitalocean article https://www.digitalocean.com/community/tutorials/understanding-the-ssh-encryption-and-connection-process
- A secure secure shell: how ssh works article from 2015 https://stribika.github.io/2015/01/04/secure-secure-shell.html
SSH is organized as three protocols that typically run on top of TCP
Transport Layer Protocol: Provides server authentication, data
confidentiality, and data integrity with forward secrecy (3rd layer of
TCP/IP stack).
User Authentication Protocol: Authenticates the user to the server(4th
layer of TCP/IP stack)
Connection Protocol: Multiplexes multiple logical communications
channels over a single underlying SSH connection (4th layer of TCP/IP
stack)
- CLient to server port 22: Client and server exchange messages
(identifiers) thru TCP consisting of SSH version and OS version.
RFC 4253: Key exchange will begin immediately after sending this
identifier. All packets following the identification string SHALL
use the binary packet protocol, which is described in Section 6.
This protocol is encrypted ? FIXME
- Initial key exchange process: both parties produce temporary key pairs
and exchange the public key in order to produce the shared secret that
will be used to negociate symmetrical encryption.
- Algorithm negociation: The client send its list of MAC algorithms, a
list of Ciphers algorithms, a list of compression algorithm, and a
list of Key exchange algorithms it supports. The server choose among
these 4 lists, the first algorithm of each list it supports. Client and server have
now a common MAC, Cipher, compressin and KEX algorithms.
-During this process, the server has been authentified by the client,
because the server has used its host private key to negociate.
- Diffie-hellman: Using the DH (public-private key) protocol, the
client and the server both calculate a shared symetrical secret key
that will serve for the rest of the entire session.
- Service request. The client sends an SSH_MSG_SERVICE_REQUEST packet
to request either the User Authentication or the Connection
Protocol. Subsequent to this request, all data is exchanged as the
payload of an SSH Transport Layer packet, protected by encryption and
MAC.
- User identification: User Authentication Protocol provides the means
by which the client is authenticated to the server. Using the
public/private key of the user or the classic password authentication.
PuTTY? versions
|
PuTTY? 0.67 |
PuTTY? snapshot 2016-10-10
|
Kex: |
Diffie-Hellman group 14 |
Diffie-Hellman group 14
|
|
Diffie-Hellman group 1 |
ECDH key exchange
|
|
Diffie-Hellman group group exchange |
Diffie-Hellman group group exchange
|
|
RSA-based key exchange |
RSA-based key exchange
|
|
|
---warn below--
|
|
|
Diffie-Hellman group 1
|
|
|
|
Cipher: |
AES (SSH-2 only) |
AES (SSH-2 only)
|
|
- |
ChaCha20? (SSH-2 only)
|
|
Blowfish |
Blowfish
|
|
3DES |
3DES
|
|
---warn below --- |
---warn below ---
|
|
Arcfour (SSH-2 only) |
Arcfour (SSH-2 only)
|
|
DES |
DES
|
|
|
|
Host keys: |
|
Ed25519
|
|
|
ECDSA
|
|
|
RSA
|
|
|
DSA
|
|
|
---warn below ---
|
TLS explained
- a full illustrated explanation https://tls.ulfheim.net/
|