SSH Protocols Explained
SSH combines a suite of protocols to provide comprehensive secure remote access capabilities used by millions globally. But how do handshakes negotiate encryption? How is identity proven cryptographically? What enables port forwarding or file transfers securely over SSH?
Understanding the layers and the flow of protocols that establish an SSH connection unlocks flexible capabilities and robust configurations. This guide walks through the inner workings of SSH step by step: the transport layer, authentication, the connection protocol, the file transfer protocols, and the agent forwarding, public key subsystem and remote command execution mechanisms built on top of them.
SSH Operation
Let’s quickly recap how SSH works. SSH enables secure remote computing by establishing encrypted tunnels between clients and servers over untrusted networks. It relies on a client-server model in which an SSH client connects to a remote host running an SSH server daemon (sshd). The server proves its identity to the client with its host key, the client then authenticates to the server, and the two sides negotiate key exchange, cipher and integrity algorithms and derive the session keys that protect data crossing the insecure medium.
This produces an encrypted, integrity-protected tunnel through which the other SSH protocols provide the functionality we’ll get into below.
Transport Layer Protocol
The Transport Layer Protocol (RFC 4253) establishes the tunnel before any other SSH protocol can operate. It provides:
Server Authentication - Using a host key (Ed25519, ECDSA or RSA), the server signs the key exchange so the client can verify it is talking to the legitimate host. The check is only as strong as the client’s handling of that host key: unless the key is pre-distributed or certified by a trusted CA, OpenSSH records it in known_hosts on first contact (trust on first use), so an unverified first connection is exactly where a man-in-the-middle can slip in.
Encryption Negotiation - Each side lists the key exchange, host key, cipher, MAC and compression algorithms it supports. The negotiated key exchange (for example curve25519-sha256) produces a shared secret from which the symmetric session keys are derived, and the chosen cipher (for example aes256-gcm@openssh.com or chacha20-poly1305@openssh.com) encrypts data in transit in each direction.
Integrity Protection - Every packet carries a MAC or is protected by an AEAD cipher, together with a per-direction sequence number, so tampered, replayed or reordered packets are detected and the connection is torn down. The transport exposes a single encrypted byte stream; splitting that stream into multiple logical channels is the job of the Connection Protocol, and all channels share the same encryption context.
Overall, the Transport Layer sets up the secure tunnel that every other SSH protocol rides on. It is the foundation for encrypted remote terminal logins, file transfers via SFTP and SCP, port forwarding and more: the transport layer is the secure carrier of all SSH communications.
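To make the negotiation concrete, here is an added example (not code from the original article or from OpenSSH) that serializes and parses an SSH_MSG_KEXINIT payload and applies the selection rule of RFC 4253 section 7.1 to constructed preference lists. The algorithm names are real SSH identifiers; the client and server lists themselves are made up for illustration.

```python
import struct

SSH_MSG_KEXINIT = 20

# Order of the name-lists inside SSH_MSG_KEXINIT (RFC 4253, section 7.1).
KEXINIT_FIELDS = (
    "kex_algorithms", "server_host_key_algorithms",
    "encryption_algorithms_client_to_server", "encryption_algorithms_server_to_client",
    "mac_algorithms_client_to_server", "mac_algorithms_server_to_client",
    "compression_algorithms_client_to_server", "compression_algorithms_server_to_client",
    "languages_client_to_server", "languages_server_to_client",
)

def ssh_string(data: bytes) -> bytes:
    """RFC 4251 'string': uint32 big-endian length, then the raw bytes."""
    return struct.pack(">I", len(data)) + data

def build_kexinit(prefs: dict, cookie: bytes = bytes(16)) -> bytes:
    """Serialize one side's SSH_MSG_KEXINIT payload (without packet framing).
    A real implementation fills the cookie with 16 random bytes."""
    if len(cookie) != 16:
        raise ValueError("cookie must be exactly 16 bytes")
    payload = bytes([SSH_MSG_KEXINIT]) + cookie
    for field in KEXINIT_FIELDS:  # each name-list is a comma-separated string
        payload += ssh_string(",".join(prefs.get(field, ())).encode("ascii"))
    payload += b"\x00"               # first_kex_packet_follows = FALSE
    payload += struct.pack(">I", 0)  # reserved for future extension
    return payload

def parse_kexinit(payload: bytes) -> dict:
    """Parse a KEXINIT payload back into {field: [names]}."""
    if not payload or payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not an SSH_MSG_KEXINIT payload")
    pos, prefs = 17, {}              # skip message byte and 16-byte cookie
    for field in KEXINIT_FIELDS:
        (length,) = struct.unpack_from(">I", payload, pos)
        raw = payload[pos + 4:pos + 4 + length]
        if len(raw) != length:
            raise ValueError("truncated name-list")
        pos += 4 + length
        prefs[field] = raw.decode("ascii").split(",") if raw else []
    return prefs

def negotiate(field: str, client: dict, server: dict) -> str:
    """RFC 4253 section 7.1: the winner is the FIRST name on the client's list
    that the server also offers. Server ordering is irrelevant, so a server that
    merely ranks a weak algorithm last still lets a client pick it."""
    for name in client[field]:
        if name in server[field]:
            return name
    raise ValueError(f"no common algorithm for {field}; the connection fails")

def negotiate_all(client: dict, server: dict) -> dict:
    """Negotiate every algorithm field (the language hints are skipped)."""
    return {f: negotiate(f, client, server) for f in KEXINIT_FIELDS[:8]}

def can_connect(client: dict, server: dict) -> bool:
    """True if all eight algorithm fields have a common choice."""
    try:
        negotiate_all(client, server)
        return True
    except ValueError:
        return False

def prefs(kex, hostkey, enc, mac, comp=("none",)) -> dict:
    """Build a full preference dict, using the same lists in both directions."""
    return {
        "kex_algorithms": list(kex), "server_host_key_algorithms": list(hostkey),
        "encryption_algorithms_client_to_server": list(enc),
        "encryption_algorithms_server_to_client": list(enc),
        "mac_algorithms_client_to_server": list(mac),
        "mac_algorithms_server_to_client": list(mac),
        "compression_algorithms_client_to_server": list(comp),
        "compression_algorithms_server_to_client": list(comp),
        "languages_client_to_server": [], "languages_server_to_client": [],
    }

# Constructed preference lists for illustration, not captured from real hosts.
CLIENT = prefs(kex=["curve25519-sha256", "diffie-hellman-group14-sha256"],
               hostkey=["ssh-ed25519", "rsa-sha2-512"],
               enc=["chacha20-poly1305@openssh.com", "aes256-gcm@openssh.com", "aes128-ctr"],
               mac=["hmac-sha2-256-etm@openssh.com", "hmac-sha2-256"])
# A hardened server: no ChaCha20, and no SHA-1 key exchange offered at all.
SERVER = prefs(kex=["curve25519-sha256", "diffie-hellman-group16-sha512"],
               hostkey=["rsa-sha2-512", "ssh-ed25519"],
               enc=["aes128-ctr", "aes256-gcm@openssh.com"],
               mac=["hmac-sha2-256"])
# A legacy client that only speaks a SHA-1 key exchange and a CBC cipher.
LEGACY_CLIENT = prefs(kex=["diffie-hellman-group14-sha1"], hostkey=["ssh-rsa"],
                      enc=["aes128-cbc"], mac=["hmac-sha1"])

if __name__ == "__main__":
    assert parse_kexinit(build_kexinit(CLIENT)) == CLIENT
    for field, choice in negotiate_all(CLIENT, SERVER).items():
        print(f"{field:42s} {choice}")
    print("legacy client can connect:", can_connect(LEGACY_CLIENT, SERVER))
```

Two things the run makes visible: the server lists rsa-sha2-512 first but the client still gets ssh-ed25519, because client order decides among the common set; and the legacy client is refused outright, since the hardened server does not offer diffie-hellman-group14-sha1 at all. That is why hardening a server means removing weak algorithms from sshd_config rather than reordering them. For the AEAD ciphers (the -gcm and chacha20-poly1305 entries) the negotiated MAC is ignored, since the cipher provides integrity itself.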
Authentication Protocol
The Authentication Protocol (RFC 4252) authenticates the client to the SSH server after the Transport Layer has set up the encrypted tunnel and the client has requested the ssh-userauth service. RFC 4252 defines the publickey, password and hostbased methods (plus none, which clients use to learn which methods the server accepts), and OpenSSH also supports keyboard-interactive (RFC 4256). The two most common are:
Public Key Authentication - The client uses its private key to sign a message that includes the session identifier from the key exchange together with the user name, service and the public key being offered. The server verifies the signature against a public key it trusts for that user (in OpenSSH, an entry in ~/.ssh/authorized_keys). Because the signed data is bound to this session’s identifier, a captured signature cannot be replayed into another session, and the private key never leaves the client.
Password Authentication - The client sends the user’s password inside the encrypted tunnel and the server checks it. This proves knowledge of the password but hands it to the server in the clear, is exposed to online guessing, and is only as safe as the host-key check that preceded it. Public keys are preferred, and many deployments set PasswordAuthentication no in sshd_config.
The Authentication Protocol is defined in detail by RFC 4252 published by the Internet Engineering Task Force (IETF), which outlines message flows for each authentication type.
This exchange lets the SSH server authenticate authorized clients before permitting any further requests across the established encrypted transport layer tunnel; until authentication succeeds, the server accepts nothing but authentication messages.
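The following added example (not from the original article or from OpenSSH) constructs the exact byte string a client signs for publickey authentication under RFC 4252 section 7 and the SSH_MSG_USERAUTH_REQUEST that carries the signature, then shows the server rebuilding the same bytes from the request and its own session identifier. The session identifiers, key blob and signature bytes are constructed placeholders; actual Ed25519 signing and verification are not performed here, only the construction of the message the signature covers.

```python
import struct

SSH_MSG_USERAUTH_REQUEST = 50

def ssh_string(data: bytes) -> bytes:
    """RFC 4251 'string': uint32 big-endian length, then the raw bytes."""
    return struct.pack(">I", len(data)) + data

def read_string(buf: bytes, pos: int):
    """Read one RFC 4251 string at pos; return (value, position after it)."""
    (length,) = struct.unpack_from(">I", buf, pos)
    value = buf[pos + 4:pos + 4 + length]
    if len(value) != length:
        raise ValueError("truncated string")
    return value, pos + 4 + length

def publickey_signed_data(session_id, user, service, algo, pubkey_blob) -> bytes:
    """The exact bytes a client signs for RFC 4252 section 7 publickey
    authentication. The session identifier (the first exchange hash from key
    exchange) leads, binding the signature to this one connection."""
    return (ssh_string(session_id)
            + bytes([SSH_MSG_USERAUTH_REQUEST])
            + ssh_string(user.encode("utf-8"))
            + ssh_string(service.encode("ascii"))
            + ssh_string(b"publickey")
            + b"\x01"                          # boolean TRUE: signature present
            + ssh_string(algo.encode("ascii"))
            + ssh_string(pubkey_blob))

def build_userauth_request(user, service, algo, pubkey_blob, signature) -> bytes:
    """The SSH_MSG_USERAUTH_REQUEST payload sent on the wire: the signed
    fields without the session identifier, followed by the signature."""
    return (bytes([SSH_MSG_USERAUTH_REQUEST])
            + ssh_string(user.encode("utf-8"))
            + ssh_string(service.encode("ascii"))
            + ssh_string(b"publickey")
            + b"\x01"
            + ssh_string(algo.encode("ascii"))
            + ssh_string(pubkey_blob)
            + ssh_string(signature))

def server_reconstruct(session_id: bytes, request: bytes):
    """What the server does on receipt: parse the request and rebuild the
    signed data with ITS OWN session identifier. It then verifies `signature`
    over `signed` with `pubkey_blob`, which must match an authorized key."""
    if not request or request[0] != SSH_MSG_USERAUTH_REQUEST:
        raise ValueError("not an SSH_MSG_USERAUTH_REQUEST")
    user, pos = read_string(request, 1)
    service, pos = read_string(request, pos)
    method, pos = read_string(request, pos)
    if method != b"publickey" or request[pos:pos + 1] != b"\x01":
        raise ValueError("not a signed publickey request")
    algo, pos = read_string(request, pos + 1)
    pubkey_blob, pos = read_string(request, pos)
    signature, pos = read_string(request, pos)
    if pos != len(request):
        raise ValueError("trailing bytes after signature")
    signed = publickey_signed_data(session_id, user.decode("utf-8"),
                                   service.decode("ascii"), algo.decode("ascii"),
                                   pubkey_blob)
    return signed, pubkey_blob, signature

# Constructed placeholders: a 32-byte session id for this connection, another
# for some other connection, a dummy Ed25519 key blob and an opaque signature
# blob in the RFC 4253 section 6.6 layout (string algo, string raw signature).
SESSION_THIS = bytes(range(32))
SESSION_OTHER = bytes(range(32, 64))
PUBKEY_BLOB = ssh_string(b"ssh-ed25519") + ssh_string(b"\x11" * 32)
SIGNATURE = ssh_string(b"ssh-ed25519") + ssh_string(b"\x22" * 64)

def demo():
    """Return (server rebuilds the bytes the client signed,
               a replay into another session would rebuild the same bytes)."""
    client_signed = publickey_signed_data(SESSION_THIS, "alice", "ssh-connection",
                                          "ssh-ed25519", PUBKEY_BLOB)
    request = build_userauth_request("alice", "ssh-connection", "ssh-ed25519",
                                     PUBKEY_BLOB, SIGNATURE)
    server_signed, _, _ = server_reconstruct(SESSION_THIS, request)
    replay_signed, _, _ = server_reconstruct(SESSION_OTHER, request)
    return client_signed == server_signed, client_signed == replay_signed

if __name__ == "__main__":
    print(demo())   # (True, False)
```

The second value is the point: a server on a different connection derives a different session identifier, so the bytes it verifies the captured signature against never match, and the replay fails before any key material is consulted.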
Connection Protocol
The Connection Protocol (RFC 4254) multiplexes logical data flows over the encrypted transport tunnel using channels. Channels are tunnels within the tunnel: each has its own channel number, flow-control window and maximum packet size, while all of them share the single encryption context of the transport. Channel types include:
Session channels for interactive shells, remote command execution (exec) and subsystems such as sftp
Direct TCP/IP channels (direct-tcpip), opened by the client for local and dynamic port forwards
Forwarded TCP/IP channels (forwarded-tcpip), opened by the server when a connection arrives at a remote port forward
X11 channels for forwarding graphical displays back to the client
Requests on these channels (such as pty-req, shell, exec, subsystem and x11-req) and the global requests that set up remote forwards enable capabilities over the encrypted connection such as:
X11 Forwarding - redirects a graphical X11 application’s display over SSH. Enable it only for hosts you trust, since the remote application gains access to your local X display.
Port Forwarding - tunnels TCP connections through SSH: local forwards (ssh -L) expose a remote service on a client port, remote forwards (ssh -R) expose a client-side service on the server, and dynamic forwards (ssh -D) provide a SOCKS proxy. On the server, AllowTcpForwarding and GatewayPorts in sshd_config control what is permitted.
Terminal Access - connects to an interactive remote shell on a pseudo-terminal.
In summary, the Connection Protocol splits the single encrypted SSH transport pipe into specialized channels that provide remote command lines, port tunneling, forwarded X applications and more.
By keeping logically separate data flows in separate channels, the Connection Protocol layers new features over SSH’s foundation of encryption and authentication without each feature needing its own connection or key exchange.
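The added example below (not the article’s or OpenSSH’s code) models the client side of channel multiplexing: one decrypted stream of connection-layer messages is split by recipient channel number into a session channel and a direct-tcpip channel, with the per-channel flow-control window enforced. The message sequence and payload bytes are constructed for illustration.

```python
import struct

SSH_MSG_CHANNEL_OPEN = 90
SSH_MSG_CHANNEL_OPEN_CONFIRMATION = 91
SSH_MSG_CHANNEL_DATA = 94
SSH_MSG_CHANNEL_CLOSE = 97

def ssh_string(data: bytes) -> bytes:
    """RFC 4251 'string': uint32 big-endian length, then the raw bytes."""
    return struct.pack(">I", len(data)) + data

class Channel:
    def __init__(self, local_id: int, kind: str, window: int):
        self.local_id = local_id      # our number for this channel
        self.kind = kind              # "session", "direct-tcpip", "x11", ...
        self.remote_id = None         # the peer's number, set on confirmation
        self.window = window          # bytes the peer may still send us
        self.received = bytearray()   # data handed to this channel's consumer
        self.closed = False

class ChannelDemux:
    """Client-side view of RFC 4254: one decrypted transport stream is split into
    channels by recipient number. Nothing here encrypts; all channels share keys."""

    def __init__(self):
        self.channels = {}
        self.next_id = 0

    def open(self, kind: str, window: int = 2097152, max_packet: int = 32768,
             type_specific: bytes = b""):
        """Allocate a local channel; return it with the CHANNEL_OPEN payload we'd send."""
        ch = Channel(self.next_id, kind, window)
        self.channels[ch.local_id] = ch
        self.next_id += 1
        payload = (bytes([SSH_MSG_CHANNEL_OPEN]) + ssh_string(kind.encode("ascii"))
                   + struct.pack(">III", ch.local_id, window, max_packet)
                   + type_specific)   # direct-tcpip adds host/port fields here
        return ch, payload

    def feed(self, payload: bytes) -> None:
        """Dispatch one decrypted connection-layer message from the peer."""
        msg = payload[0]
        (recipient,) = struct.unpack_from(">I", payload, 1)
        ch = self.channels.get(recipient)
        if ch is None or ch.closed:
            raise ValueError(f"no open channel {recipient}")
        if msg == SSH_MSG_CHANNEL_OPEN_CONFIRMATION:
            sender, _peer_window, _peer_max = struct.unpack_from(">III", payload, 5)
            ch.remote_id = sender
        elif msg == SSH_MSG_CHANNEL_DATA:
            (length,) = struct.unpack_from(">I", payload, 5)
            data = payload[9:9 + length]
            if length > ch.window:   # RFC 4254 5.2: the peer must respect our window
                raise ValueError(f"channel {recipient}: peer exceeded flow-control window")
            ch.window -= length
            ch.received += data
        elif msg == SSH_MSG_CHANNEL_CLOSE:
            ch.closed = True
        else:
            raise ValueError(f"unhandled connection-layer message {msg}")

# Constructed server-to-client messages (what sshd would send, already decrypted).
def server_confirm(recipient: int, sender: int) -> bytes:
    return bytes([SSH_MSG_CHANNEL_OPEN_CONFIRMATION]) + struct.pack(
        ">IIII", recipient, sender, 2097152, 32768)

def server_data(recipient: int, data: bytes) -> bytes:
    return bytes([SSH_MSG_CHANNEL_DATA]) + struct.pack(">I", recipient) + ssh_string(data)

def demo():
    """A shell session and a port forward interleaved on one stream.
    Returns (shell output, forwarded bytes, window left on the forward)."""
    mux = ChannelDemux()
    shell, _ = mux.open("session")
    fwd, _ = mux.open("direct-tcpip", window=32)
    # Constructed traffic in the order the transport would decrypt it.
    for payload in (server_confirm(0, 7), server_confirm(1, 8),
                    server_data(0, b"$ uname -s\n"),
                    server_data(1, b"HTTP/1.1 200 OK\r\n"),
                    server_data(0, b"Linux\n")):
        mux.feed(payload)
    return bytes(shell.received), bytes(fwd.received), fwd.window

def window_violation_detected() -> bool:
    """A peer that sends more than the window we advertised is rejected."""
    mux = ChannelDemux()
    mux.open("direct-tcpip", window=8)
    mux.feed(server_confirm(0, 3))
    try:
        mux.feed(server_data(0, b"0123456789"))   # 10 bytes into an 8-byte window
    except ValueError:
        return True
    return False

if __name__ == "__main__":
    print(demo(), window_violation_detected())
```

Note what is absent: no per-channel keys or ciphers. Every payload arrives already decrypted by the transport, and the only thing separating the shell output from the forwarded HTTP bytes is the recipient channel number, which is why a compromise of the transport keys exposes every channel at once.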
File Transfer Protocols
The file transfer protocols move files between networked hosts over the encryption and integrity protection of the SSH transport layer. There are two related protocols, and neither adds cryptography of its own:
SFTP (SSH File Transfer Protocol)
SFTP is a secure alternative to plaintext FTP, but it shares nothing with FTP beyond the name: it is a separate protocol (specified in the IETF secsh working group’s draft-ietf-secsh-filexfer, which was never published as an RFC) that runs as the sftp subsystem on an SSH session channel. It offers transfers, directory listings, renames, permission changes and random-access reads and writes on the remote filesystem, so clients can treat it much like a local filesystem (sshfs mounts it as one). Because it runs as a subsystem rather than as a shell command, it is also the easiest to confine: OpenSSH’s internal-sftp with ChrootDirectory and ForceCommand limits a user to file access with no shell.
SCP (Secure Copy Protocol)
SCP is an older, simpler protocol that runs the remote scp program over an SSH session channel and streams files with only basic metadata (mode, size and modification time); it has no directory listing, rename or resume, and relies entirely on the transport for integrity. Its protocol was never formally specified and has proved hard to fix, so OpenSSH 9.0 switched the scp command to use the SFTP protocol by default while keeping the familiar scp command line.
Both SFTP and SCP open channels over an existing SSH connection and inherit its confidentiality and integrity guarantees. Whether you are managing an entire remote filesystem over SFTP or streamlining automated file copies with SCP, the security comes from the SSH transport underneath, not from the file transfer protocol itself.
Additional Protocols
Beyond the core protocols, several mechanisms built on top of them extend SSH’s functionality further. These include:
Agent Forwarding - with ssh -A (ForwardAgent yes), the remote sshd opens an auth-agent@openssh.com channel back to the client, so programs on the remote host can ask the user’s local ssh-agent to sign authentication challenges without the private key ever leaving the local machine or the passphrase being retyped. The catch is that anyone with root on the remote host can use the forwarded agent socket to authenticate as you for as long as the session lasts; prefer ProxyJump (ssh -J) for multi-hop access and enable agent forwarding only to hosts you trust.
Public Key Subsystem - RFC 4819 defines a publickey subsystem that lets a client list, add and remove its authorized keys on a server without shell access. Few servers implement it (OpenSSH does not), so in practice ssh-copy-id, which appends keys to ~/.ssh/authorized_keys over an ordinary session, fills that role.
Remote Command Execution - the exec request on a session channel runs a single command on the remote host and returns its output and exit status without an interactive login. This is what ssh host command, scp and most automation tooling use; on the server, command= in authorized_keys or ForceCommand in sshd_config can pin a key to a single command.
Together these mechanisms streamline authentication handling, key installation and non-interactive command execution. They simplify administration, enable automation and provide alternatives to interactive terminal logins. Though end users rarely think about them, they quietly power many SSH workflows.
Conclusion
As we’ve explored, the SSH protocol suite is a set of layers working together: the transport handshake and encryption at the bottom, user authentication above it, and compartmentalized channels tailored to distinct uses such as file transfers and port tunneling on top. Because the upper layers reuse the transport’s single encrypted stream, the suite delivers strong protection where it is needed without redundant cryptography.
While SSH may seem like a simple remote terminal at first glance, under the hood it provides the building blocks for comprehensive secure remote access. As threats have evolved, SSH’s cryptography has grown increasingly versatile over three decades, cementing its ubiquity across the modern infrastructure landscape.
Interested in trying out an SSH client and terminal that makes this easy? Start for free with Termius.