SSH Protocol Introduction
SSH is a protocol for secure remote logon and other secure network services over an insecure network.
Scope and Purpose
SSH provides a single, full-duplex, and byte-oriented connection between client and server. The protocol also provides privacy, integrity, server authentication, and man-in-the-middle protection.
The ssh application is an implementation of the SSH Transport, Connection and Authentication Layer Protocols in Erlang. It provides the following:
- API functions to write customized SSH client and server applications
- The Erlang shell available over SSH
- An SFTP client (ssh_sftp) and server (ssh_sftpd)
Prerequisites
It is assumed that the reader is familiar with the Erlang programming language, concepts of OTP, and has a basic understanding of public keys.
Protocol Overview
Conceptually, the SSH protocol can be partitioned into four layers:
```mermaid
---
title: SSH Protocol Architecture
---
block-beta
columns 2
l1["SSH Client/Server Applications"]:2
l2a["Connection Protocol"] l2b["Authentication Protocol"]
l3["Transport Protocol"]:2
l4["TCP/IP Stack"]:2
```
Transport Protocol
The SSH Transport Protocol is a secure, low-level transport. It provides strong encryption, cryptographic host authentication, and integrity protection. A minimum set of Message Authentication Code (MAC) and encryption algorithms is supported. For details, see the ssh manual page in the ssh application.
Authentication Protocol
The SSH Authentication Protocol is a general-purpose user authentication protocol run over the SSH Transport Layer Protocol. The ssh application supports user authentication as follows:
- Using public key technology (RSA and DSA). X509 certificates are not supported.
- Using keyboard-interactive authentication. This is suitable for interactive authentication methods that do not need any special software support on the client side. Instead, all authentication data is entered from the keyboard.
- Using a pure password-based authentication scheme. Here, the plain text password is encrypted before it is sent over the network.
Several configuration options for authentication handling are available in ssh:connect/3,4 and ssh:daemon/2,3.
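The following module is an added example and is not part of the OTP ssh documentation. It shows the daemon side restricting the offered authentication methods to password and validating credentials through a `pwdfun` callback, and the client side pinning the server's host key fingerprint through the `silently_accept_hosts` accept callback instead of accepting any unknown key. The port, the directory under `SYSTEM_DIR`, the user "alice" with its password, and the fingerprint placeholder are all constructed for the example.

```erlang
%% Added example, not from the OTP ssh documentation.
%% Assumptions: a PEM host key (e.g. ssh_host_rsa_key) exists under
%% ?SYSTEM_DIR, port 8989 is free, and ?EXPECTED_FP is replaced with the
%% real fingerprint (as printed by ssh-keygen -lf <host key>.pub).
-module(ssh_auth_example).
-export([start_daemon/0, connect/0]).

-define(PORT, 8989).
-define(SYSTEM_DIR, "/tmp/ssh_example/system").
%% Placeholder value; never ships as-is.
-define(EXPECTED_FP, "SHA256:<expected-host-key-fingerprint>").

%% Daemon side. auth_methods limits what is offered to the client, so the
%% publickey and keyboard-interactive methods are never advertised here.
%% pwdfun is called with the user name and the password the client sent,
%% so no user_passwords list has to live in the daemon options.
start_daemon() ->
    ssh:daemon(?PORT,
               [{system_dir, ?SYSTEM_DIR},
                {auth_methods, "password"},
                {pwdfun, fun check_password/2},
                {max_sessions, 5}]).

%% Constructed sample credentials for this example only.
check_password("alice", "correct-horse-battery-staple") -> true;
check_password(_User, _Password) -> false.

%% Client side. The accept callback receives the peer name and the SHA-256
%% fingerprint of the host key the server presented; the connection is
%% refused unless the fingerprint equals the pinned value.
connect() ->
    ssh:connect("localhost", ?PORT,
                [{user, "alice"},
                 {password, "correct-horse-battery-staple"},
                 {silently_accept_hosts, {sha256, fun accept_host/2}},
                 {user_interaction, false}],
                5000).

accept_host(_PeerName, ?EXPECTED_FP) ->
    true;
accept_host(PeerName, Fingerprint) ->
    io:format("rejecting ~p: unexpected host key ~s~n", [PeerName, Fingerprint]),
    false.
```

Start the daemon with `ssh_auth_example:start_daemon()` and connect with `ssh_auth_example:connect()`; the accept callback runs before user authentication, so a host key mismatch fails the connection without the password ever being sent.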
The public key handling can be customized by implementing the following behaviours from ssh:
- Module ssh_client_key_api.
- Module ssh_server_key_api.
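As an added example (not code from the OTP ssh application), the module below implements the ssh_server_key_api behaviour: the daemon loads its host key from a configurable directory and authorizes users against an in-memory list of OpenSSH-format public key lines rather than reading authorized_keys files. It assumes OTP 24 or later (for `ssh_file:decode/2`), PEM-encoded RSA or ECDSA host key files (as produced by `ssh-keygen -m PEM`) under the configured `key_dir`, and the constructed user "alice" with a placeholder key line.

```erlang
%% Added example, not part of the OTP ssh application.
-module(my_server_key).
-behaviour(ssh_server_key_api).
-export([host_key/2, is_auth_key/3, start_daemon/0]).

%% The Opts given as {key_cb, {?MODULE, Opts}} reach the callbacks as the
%% key_cb_private entry of DaemonOptions.
private(DaemonOptions) ->
    proplists:get_value(key_cb_private, DaemonOptions, []).

%% Callback: return the private host key for the negotiated algorithm.
host_key(Algorithm, DaemonOptions) ->
    Dir = proplists:get_value(key_dir, private(DaemonOptions), "/tmp/ssh_example/system"),
    case key_file_name(Algorithm) of
        undefined ->
            {error, {unsupported_algorithm, Algorithm}};
        Name ->
            File = filename:join(Dir, Name),
            case file:read_file(File) of
                {ok, Pem} ->
                    case public_key:pem_decode(Pem) of
                        [Entry | _] -> {ok, public_key:pem_entry_decode(Entry)};
                        []          -> {error, {no_key_in, File}}
                    end;
                {error, Reason} ->
                    {error, {Reason, File}}
            end
    end.

%% One key file per key type serves every signature algorithm of that type.
key_file_name(A) when A =:= 'ssh-rsa'; A =:= 'rsa-sha2-256'; A =:= 'rsa-sha2-512' ->
    "ssh_host_rsa_key";
key_file_name(A) when A =:= 'ecdsa-sha2-nistp256'; A =:= 'ecdsa-sha2-nistp384';
                      A =:= 'ecdsa-sha2-nistp521' ->
    "ssh_host_ecdsa_key";
key_file_name(_) ->
    undefined.

%% Callback: true only if the key the client has proven possession of is
%% listed for that user. The comparison is made on the decoded key, so the
%% comment or options field of a key line never affects the decision.
is_auth_key(PublicUserKey, User, DaemonOptions) ->
    Authorized = proplists:get_value(authorized_keys, private(DaemonOptions), []),
    Lines = proplists:get_value(User, Authorized, []),
    lists:any(fun(Line) -> line_matches(Line, PublicUserKey) end, Lines).

line_matches(Line, Key) ->
    try ssh_file:decode(Line, public_key) of
        Decoded -> lists:any(fun({K, _Attrs}) -> K =:= Key end, Decoded)
    catch
        _:_ -> false   % a malformed line never authorizes anyone
    end.

%% Start a daemon that delegates all key handling to this module.
start_daemon() ->
    ssh:daemon(8989,
               [{auth_methods, "publickey"},
                {key_cb, {?MODULE,
                          [{key_dir, "/tmp/ssh_example/system"},
                           {authorized_keys,
                            [{"alice", [<<"ssh-ed25519 <placeholder-base64-key> alice@example">>]}]}]}}]).
```

Without a `key_cb` option the daemon uses the default ssh_file module, which reads the host key from `system_dir` and user keys from `authorized_keys` in `user_dir`; a custom module is the place to pull keys from a database or secrets store while keeping the same two decision points.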
Connection Protocol
The SSH Connection Protocol provides application-support services over the transport pipe, for example, channel multiplexing, flow control, remote program execution, signal propagation, and connection forwarding. Functions for handling the SSH Connection Protocol can be found in the module ssh_connection in ssh.
Channels
All terminal sessions, forwarded connections, and so on, are channels. Multiple channels are multiplexed into a single connection. All channels are flow-controlled. This means that no data is sent to a channel peer until a message is received to indicate that window space is available. The initial window size specifies how many bytes of channel data can be sent to the channel peer without adjusting the window. Typically, an SSH client opens a channel, sends data (commands), receives data (control information), and then closes the channel. The ssh_client_channel behaviour handles the generic parts of SSH channel management. This makes it easy to write your own SSH client/server processes that use flow control, leaving you free to focus on the application logic.
Channels come in the following three flavors:
- Subsystem - Named services that can be run as part of an SSH server, such as SFTP (ssh_sftpd), which is built into the SSH daemon (server) by default, but can be disabled. The Erlang ssh daemon can be configured to run any Erlang-implemented SSH subsystem.
- Shell - Interactive shell. By default the Erlang daemon runs the Erlang shell. The shell can be customized by providing your own read-eval-print loop. You can also provide your own Command-Line Interface (CLI) implementation, but that is much more work.
- Exec - One-time remote execution of commands. See function ssh_connection:exec/4 for more information.
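The module below is an added example, not code from the OTP ssh documentation, and serves both the Connection Protocol and the Channels sections above: it drives an exec channel with the raw ssh_connection message API, opening a session channel, requesting a command, collecting stdout until the server closes the channel, and crediting window space back to the peer for every byte consumed. It assumes `ConnectionRef` comes from a successful `ssh:connect/3,4` and that the remote side supports the exec request; the command in the usage note is a constructed sample.

```erlang
%% Added example, not part of the OTP ssh documentation.
-module(ssh_exec_example).
-export([run/3]).

-type result() :: {ok, ExitStatus :: integer() | undefined, Stdout :: binary()}
                | {error, term()}.

%% Run Command over a fresh session channel and return its exit status and
%% accumulated standard output once the server has closed the channel.
-spec run(ssh:connection_ref(), string(), timeout()) -> result().
run(Conn, Command, Timeout) ->
    case ssh_connection:session_channel(Conn, Timeout) of
        {ok, Ch} ->
            case ssh_connection:exec(Conn, Ch, Command, Timeout) of
                success ->
                    collect(Conn, Ch, Timeout, <<>>, undefined);
                Other ->
                    ssh_connection:close(Conn, Ch),
                    {error, {exec, Other}}
            end;
        {error, Reason} ->
            {error, {session_channel, Reason}}
    end.

%% Channel data arrives as {ssh_cm, Conn, {data, Ch, Type, Bin}} with Type 0
%% for stdout and 1 for stderr. The channel is flow-controlled: the peer stops
%% sending once the window is exhausted, so each consumed chunk is credited
%% back with ssh_connection:adjust_window/3. Processes built on the
%% ssh_client_channel behaviour get this done for them; a raw receive loop
%% like this one must do it itself or the remote command stalls.
collect(Conn, Ch, Timeout, Acc, Status) ->
    receive
        {ssh_cm, Conn, {data, Ch, 0, Bin}} ->
            ssh_connection:adjust_window(Conn, Ch, byte_size(Bin)),
            collect(Conn, Ch, Timeout, <<Acc/binary, Bin/binary>>, Status);
        {ssh_cm, Conn, {data, Ch, 1, Bin}} ->
            %% stderr is discarded here but still consumes window space
            ssh_connection:adjust_window(Conn, Ch, byte_size(Bin)),
            collect(Conn, Ch, Timeout, Acc, Status);
        {ssh_cm, Conn, {exit_status, Ch, S}} ->
            collect(Conn, Ch, Timeout, Acc, S);
        {ssh_cm, Conn, {exit_signal, Ch, Signal, _ErrMsg, _Lang}} ->
            collect(Conn, Ch, Timeout, Acc, {signal, Signal});
        {ssh_cm, Conn, {eof, Ch}} ->
            collect(Conn, Ch, Timeout, Acc, Status);
        {ssh_cm, Conn, {closed, Ch}} ->
            {ok, Status, Acc}
    after Timeout ->
        %% No message within Timeout: release the channel instead of leaking it.
        ssh_connection:close(Conn, Ch),
        {error, timeout}
    end.
```

Usage, after `{ok, Conn} = ssh:connect(...)` has succeeded: `ssh_exec_example:run(Conn, "uname -a", 5000)` returns `{ok, 0, <<"...">>}` on a Unix-like server once the channel is closed, and `{error, timeout}` if the peer stops sending, which is exactly what happens to a loop that forgets the `adjust_window/3` call once the initial window is used up.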
Where to Find More Information
For detailed information about the SSH protocol, refer to the following Requests for Comments (RFCs):