MAGNUM 6K SWITCHES, MNS-6K USER GUIDE
strong algorithms such as blowfish, 3DES, IDEA etc.). Encryption provides confidentiality and
integrity of data. . The goal of SSH was to replace the earlier rlogin, Telnet and rsh protocols,
which did not provide strong authentication or guarantee confidentiality.
In 1995, Tatu Ylönen, a researcher at Helsinki University of Technology, Finland, designed the
first version of the protocol (now called SSH-1).
In 1996, a revised version of the protocol, SSH-2, was designed, incompatible with SSH-1. SSH-2
features both security and feature improvements over SSH-1. Better security, for example, comes
through Diffie-Hellman key exchange and strong integrity checking via MACs. New features of
SSH-2 include the ability to run any number of shell sessions over a single SSH connection. Since
SSH-1 has inherent design flaws which make it vulnerable to, e.g., man-in-the-middle attacks, it is
now generally considered obsolete and should be avoided by explicitly disabling fallback to SSH-
1. While most modern servers and clients support SSH-2, some organizations still use software
with no support for SSH-2, and thus SSH-1 cannot always be avoided.
In all versions of SSH, it is important to verify unknown public keys before accepting them as
valid. Accepting an attacker's public key as a valid public key has the effect of disclosing the
transmitted password and allowing man in the middle attacks.
SSH is most commonly used
With an SSH client that supports terminal protocols, for remote administration of the
SSH server computer via terminal (character-mode) console--can be used as an alternative
to a terminal on a headless server;
In combination with SFTP, as a secure alternative to FTP which can be set up more easily
on a small scale without a public key infrastructure and X.509 certificates
While there are other uses for SSH, the two most common uses are described above and are
relevant to this manual.
SSH uses port 22 as a default. Note – telnet uses port 23 as a default port.
The SSH-2 protocol has a clean internal architecture (defined in RFC 4251) with well-separated
layers. These are:
The transport layer (RFC 4253). This layer handles initial key exchange and server
authentication and sets up encryption, compression and integrity verification. It exposes
to the upper layer an interface for sending and receiving plaintext packets of up to 32,768
bytes each (more can be allowed by the implementation). The transport layer also arranges
for key re-exchange, usually after 1 GB of data has been transferred or after 1 hour has
passed, whichever is sooner.
45