Knowledge Article on SSH

SSH – How it works :

  1. SSH client initiates connection. If it is first time then servers sends host key – verify and say YES OR NO.
  2. Once you accept it  – SSH server sends the versions it supports, Encryption ( AES256, 3DES) and Hash techniques ( SHA, MD5 ) it supports.
  3. Client should agree to version, encryption and hash.
  4. Each session requires unique symmetric key for encryption and decryption. ( Generate primary number, key pair etc )
  5. After generating symmetric key and sharing across server and client now comes authentication channel.
  6. Authentication can be Password, Key based, GSSAPI ( Kerberos , Single Sign On ).
  7. Most used – Key based autehtnication. ssh-keygen -t rsa -b 2048 on client, generated public key should be placed in authorized_keys on server.
  8. Client sends an ID, Server checks the authroized_keys for matching ID, if matching then genreates a random number encrypts using public key and challenges client to decrypt it.

So asymmetric key is used for authetication and symmetric key is used for session.

SSH – Configuration

ssh server side ( /etc/ssh/sshd_config )

# PermitRootLogin No – SSH as root user is not allowed

#X11 Forwarding No – Tunnel forward to any X11 application is not allowed

#PasswordAuthentication No – Do not allow password based authentication

ssh client side (~/.ssh/config )

#Hostname, IdentityFile, port, StrictHostKeyChecking

SSH -A is used to forward your credentials from one server to another.

SSH – Tunneling

Local Tunneling: connect to port 80 on remote-server over SSH

#ssh -f -L 9000:remote-server:80


Remote Tunneling: consider you have an intranet site running on port 8080 which is not allowed from outside but you are allowed to connect to a server exposed to internet on port 9000

# ssh -R 9000:intranet site:80 “home” ( run on work )

Dynamic Port Forwarding:

#ssh -f -N -D 7000 username@remote-host then configure your web browser as proxy.

Great articles : and

Then how can I stop this happening ??

AllowTCPForwarding No – (/etc/ssh/sshd_config)

“no-port-forwarding” to (~/.ssh/authorized_keys )





Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s