The term SSH stands for Secure Shell and refers to a network protocol that establishes a secure connection between two computers (client and server).
In computer science, “shell” refers to a part of the operating system through which the user can access the computer. Often this is a command line or terminal, but also to the graphical user interface.
Since the network protocol establishes a connection to the shell of another computer, the process of establishing the connection is called Secure Shell. It can therefore be regarded as the secure successor to serial consoles and Telnet connections.
Various encryption and authentication methods prevent data transmissions from being read or manipulated unintentionally. Security plays a central role, especially on the Internet, and SSH enables a direct and secure connection within this potentially insecure network.
To do this, the SSH server and client must first authenticate each other. The server sends an encrypted certificate to the client to verify that it is indeed the correct server. Once the certificate has been exchanged, no other participant can contact the server.
Server authentication is followed by client authentication. A password can be used for this purpose, which is stored in encrypted on the server. The disadvantage, however, is that the password must be re-entered each time the server is changed.
As an alternative and preferred method, we therefore recommend using a key pair (public and private key). To increase security, the private key created by the client should be stored in a secure enclave or in a password manager and protected by a password. The public key, the counterpart to the private key, is sent by the client to the server and remains there. This means that the password only has to be entered once during a session to connect to any number of servers.
When the SSH client initiates an SSH connection request to the server, the server responds with a random message. The client encrypts this message with the private key and sends it back to the server. Using the public key, which is the counterpart to the client’s private key, the server decrypts the message and checks whether the public and private keys are part of a pair.
Following double authentication, both communication participants establish an encrypted connection (SSH tunnel) and agree on a common session key. The session key is created simultaneously but independently by the client and server, is only valid for the duration of the respective session, and should not be confused with the public and private key pairs. The session key is used to encrypt and decrypt all messages exchanged between the client and server. This makes it difficult for unauthorized parties to intercept or decrypt data.
In addition to remote access for remote system administration, SSH is also used for secure file transfer, backup management, and end-to-end encryption between two computers.
The first version of the protocol (now called SSH-1) was developed in 1995. Released as freeware, it quickly gained popularity. SSH-2 was released in 2006 after several vulnerabilities in the integrity check of SSH-1 became known.
To simplify and speed up the basic login and authentication process, we at Engity have developed an advanced SSH server called Bifröst. This allows administrators to log in using Single Sign-On (SSO) logic, using an OpenID Connect (or OAuth2) identity provider.
