Secure Shell (SSH) is a network protocol that ensures secure communication between two hosts. SSH is commonly used for remote server access, file transfers, and command execution.
To maintain security, SSH employs various mechanisms, including encryption, authentication, and compression. Below is a brief explanation of the algorithms and protocol extensions used in SSH:
Ciphers (Encryption Algorithms)
These encrypt data transmitted over the network to protect against unauthorized access.
Examples:
- AES-256-GCM – A symmetric encryption algorithm considered highly secure.
- ChaCha20-Poly1305 – A symmetric encryption algorithm that is faster than AES-256-GCM.
- ECDH-ECDSA-AES256-GCM-SHA512 – A set of algorithms used for encryption, authentication, and data compression in SSH.
Hostkey Formats
Used for authenticating SSH servers. A host key is a unique identifier for a server, allowing clients to verify they are connecting to the correct server.
Examples:
- RSA – An asymmetric encryption algorithm used for server authentication.
- DSA – An asymmetric encryption algorithm considered less secure than RSA.
- ECDSA – An asymmetric encryption algorithm considered more secure than RSA and DSA.
Key Exchange Protocols
Used to exchange encryption keys between the SSH client and the SSH server.
Examples:
- Diffie-Hellman – A key exchange protocol used for secure key exchange between two parties.
- ECDH – A newer key exchange protocol considered more secure than Diffie-Hellman.
Message Authentication Codes (MACs)
Used to verify the integrity of data transmitted between the SSH client and the SSH server, ensuring that no data has been altered during transmission.
Examples:
- HMAC-SHA256 – A message authentication code used to verify data integrity.
- HMAC-SHA512 – A message authentication code considered more secure than HMAC-SHA256.
User Authentication Methods
Used to authenticate users attempting to connect to an SSH server.
Examples:
- password – A method that requires users to enter a password.
- publickey – A method that uses an SSH key pair (public and private keys) for authentication.
- gssapi-keyex – A method that uses GSSAPI (Generic Security Services Application Program Interface) for key exchange between the client and server.
- gssapi-with-mic – A method that uses GSSAPI for key exchange and message authentication code (MAC) generation.
- hostbased – A method that authenticates clients based on the hostname.
- keyboard-interactive – A method that requires users to provide additional information, such as one-time passwords (TOTP) or answers to security questions.
Compression Formats
Compress data transmitted over the network to reduce its size.
Examples:
- ZLIB – A popular data compression format used in many applications.
- LZ4 – A newer data compression format considered faster than ZLIB.
Protocol Extensions
Add new functionalities to the SSH protocol.
Examples:
- delay-compression – Allows delaying the compression of data transmitted over SSH.
- elevation – Enables the client to request privilege escalation on the server.
- ext-auth-info – Allows the server to send additional authentication information to the client.
- global-requests-ok – Enables the client to send global requests to the server.
- no-flow-control – Disables flow control between the client and server.
- server-sig-algs – Allows the client to negotiate server signature algorithms with the server.