What is SSH?

The Secure Shell protocol version 2, or SSH2, specifies how a client can connect securely to an SSH server, and then use the resulting secure link to access the server's resources. Among other things, the client can run programs; transfer files; and forward other TCP/IP connections over the secure link.

The SSH2 protocol is a descendant of the SSH v1.x series of protocols. SSH version 2 is standardized at IETF, and the vast majority of SSH implementations now support SSH version 2. SSH version 1 is less secure, and is almost no longer used.

How secure is SSH?

The Secure Shell protocol provides the services of server authentication; encryption; data integrity verification; and client authentication. Server authentication is performed using RSA, DSA, or ECDSA public key algorithms. For encryption and data integrity verification, a number of algorithms are provided which every SSH product can implement in a modular fashion. Client authentication can be performed using a password, a public key, single sign-on Kerberos, and other methods.

The SSH2 protocol specification is publicly available and has been reviewed by several independent implementers. When properly used, the protocol is understood to be secure against all known cryptographic attacks, passive as well as active.

Client vs. server

In internet protocols, the terms client and server have specific technical meanings:

  • A client, when speaking of a program, is a program that initiates connections and requests to other computers.
  • A server is a program that waits to receive connections and handles requests.

A client may run all of the time or some of the time, depending on when a user needs it. A client is more likely to run on a desktop computer, but can also run on a server computer if this computer needs to send out requests or initiate connections.

A server usually runs all the time, in the background. A server is more likely to run on a computer in a data center. However, it is also perfectly feasible to use server programs on a desktop computer.

If you are looking for SSH software, you are looking for a server if you want to set up a computer to receive connections from other people and their computers. You are looking for a client if you wish to connect, using SSH, to someone else's computer.

SSH compared to SSL/TLS

SSH and TLS/SSL are different protocols used for similar purposes. Both protocols are used to authenticate communicating parties and secure data during transport.

SSL/TLS tends to use X.509 certificates, is based on ASN.1 encodings, and is most commonly used as a security layer for HTTP, SMTP, and FTP traffic.

The SSH protocol tends to use public keys without a certificate infrastructure, is based on a simpler binary encoding, and tends to be used as a security layer for SFTP and SCP file transfers, terminal shell access, and forwarding of connections for other applications.

SSH can be perceived as a less clunky version of TLS. Due to its deliberate independence from X.509 certificates, SSH lends itself well to connections between entities with an existing trust relationship, where TLS does poorly. TLS lends itself better to connections between strangers.
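
An added example, not taken from the original page or from any SSH product: trust "without a certificate infrastructure" usually means the client pins the server's public key. The Python below parses a key blob in SSH's length-prefixed binary encoding and compares its SHA-256 fingerprint with a pinned value. The function names are illustrative and the sample key is constructed and unusable.

```python
import base64
import hashlib
import hmac
import struct


def pack_string(data: bytes) -> bytes:
    """SSH wire 'string': uint32 big-endian length, then the raw bytes."""
    return struct.pack(">I", len(data)) + data


def parse_strings(blob: bytes) -> list:
    """Split a key blob into its length-prefixed fields, rejecting bad lengths."""
    fields, offset = [], 0
    while offset < len(blob):
        if offset + 4 > len(blob):
            raise ValueError("truncated length prefix")
        (length,) = struct.unpack_from(">I", blob, offset)
        offset += 4
        if offset + length > len(blob):
            raise ValueError("field runs past end of blob")
        fields.append(blob[offset:offset + length])
        offset += length
    return fields


def fingerprint(blob: bytes) -> str:
    """SHA-256 fingerprint in the 'SHA256:<unpadded base64>' form OpenSSH displays."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def check_host_key(key_line: str, pinned: str) -> bool:
    """Accept a 'type base64-blob' public key line only if it matches the pin."""
    key_type, b64 = key_line.split()[:2]
    blob = base64.b64decode(b64, validate=True)
    fields = parse_strings(blob)
    # The algorithm name inside the blob must agree with the label outside it.
    if not fields or fields[0] != key_type.encode():
        raise ValueError("key type label does not match blob")
    return hmac.compare_digest(fingerprint(blob), pinned)


# Constructed sample: RSA-shaped fields with made-up bytes, not a usable key.
SAMPLE_BLOB = (pack_string(b"ssh-rsa") + pack_string(b"\x01\x00\x01")
               + pack_string(b"\x00" + b"\xc3" * 256))
SAMPLE_LINE = "ssh-rsa " + base64.b64encode(SAMPLE_BLOB).decode()
PINNED = fingerprint(SAMPLE_BLOB)  # in practice, obtained out of band

if __name__ == "__main__":
    print(PINNED, check_host_key(SAMPLE_LINE, PINNED))
```

A key that differs from the pin by even one byte returns False, which is the case a client must treat as a possible active attack rather than silently accept.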

SSH features

SSH is a highly flexible protocol, and many different types of services can use it. The protocol's open architecture allows these services to run at the same time without impeding one another.

An SSH client and server can transfer files using the protocols SCP and SFTP, which run on top of an established SSH session. While SCP is the old Unix rcp utility transplanted onto a different transport, SFTP is a flexible remote file access protocol that can be used in advanced ways. SFTP is better standardized and widely supported, so often software that provides an SCP-like interface really uses SFTP instead.

Note that SFTP is unrelated to FTP, or to FTP over TLS/SSL. The protocols are independent and very different.

A frequently used service is the remote console. This involves allocating a channel within the SSH session, which is then used as transport for a terminal protocol such as vt100 or xterm. The client displays to the user a console window within which the user can execute command line programs on the server.

SSH also provides exec requests. An exec request executes a program on the server like a remote console, but without expectation of interactive input. Exec requests are useful for automated remote administration.

Another popular SSH function is port forwarding, or TCP/IP connection tunneling. With SSH port forwarding, it is possible to secure a TCP/IP connection established by an independent application that would otherwise be vulnerable to network attacks. To learn more, check out our introduction to port forwarding.