mac = MAC(key, sequence_number || unencrypted_packet)

where unencrypted_packet is the entire packet without MAC (the length fields, payload and padding), and sequence_number is an implicit packet sequence number represented as uint32. The sequence number is initialized to zero for the first packet, and is incremented after every packet, regardless of whether encryption or MAC is in use. It is never reset, even if keys or algorithms are renegotiated later. It wraps around to zero after every 2^32 packets. The packet sequence number itself is not included in the packet sent over the wire.

The MAC algorithms for each direction must run independently, and implementations must allow choosing the algorithm independently for both directions. The MAC bytes resulting from the MAC algorithm must be transmitted without encryption as the last part of the packet. The number of MAC bytes depends on the algorithm chosen. The default MAC algorithm is hmac-sha1 (with digest length = key length = 20).
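The MAC computation described above, as an added example (not code from this manual or from OpenSSH): one state object per direction computes hmac-sha1 over sequence_number || unencrypted_packet, and a replayed packet fails because the receiver's implicit counter has moved on. The class and function names, the key and the sample packet are constructed for illustration; the sequence number is packed as a big-endian uint32, which is the SSH wire encoding for that type.

```python
import hashlib
import hmac
import struct

MAC_LEN = 20  # hmac-sha1: digest length = key length = 20


class MacState:
    """One direction of a connection: its own key and implicit sequence number."""

    def __init__(self, key: bytes):
        self.key = key
        self.seq = 0  # zero for the first packet

    def _mac(self, unencrypted_packet: bytes) -> bytes:
        # mac = MAC(key, sequence_number || unencrypted_packet); the sequence
        # number is a big-endian uint32 that never appears on the wire.
        data = struct.pack(">I", self.seq) + unencrypted_packet
        return hmac.new(self.key, data, hashlib.sha1).digest()

    def _advance(self) -> None:
        self.seq = (self.seq + 1) & 0xFFFFFFFF  # wraps to zero after 2^32 packets

    def rekey(self, key: bytes) -> None:
        self.key = key  # keys change, the sequence number is not reset

    def seal(self, unencrypted_packet: bytes) -> bytes:
        """Sender: MAC bytes sent unencrypted as the last part of the packet."""
        tag = self._mac(unencrypted_packet)
        self._advance()
        return tag

    def verify(self, unencrypted_packet: bytes, tag: bytes) -> bool:
        """Receiver: constant-time compare (a real peer disconnects on failure)."""
        ok = hmac.compare_digest(self._mac(unencrypted_packet), tag)
        if ok:
            self._advance()
        return ok


def demo() -> dict:
    key = bytes(range(MAC_LEN))  # constructed key, not a real session key
    # Constructed packet: packet_length=12, padding_length=6, payload, padding.
    pkt = b"\x00\x00\x00\x0c\x06ping!" + bytes(6)
    tx, rx = MacState(key), MacState(key)
    tag = tx.seal(pkt)
    fresh = rx.verify(pkt, tag)   # both sides at sequence number 0: accepted
    replay = rx.verify(pkt, tag)  # receiver now expects sequence number 1: rejected
    return {"fresh": fresh, "replay": replay, "tag_len": len(tag), "rx_seq": rx.seq}
```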

Certificate format: The default certificate format used is ssh-dss signed with Simple DSS. Signing and verifying using this key format is done according to the Digital Signature Standard [FIPS-186] using the SHA-1 hash. A description can also be found in [SCHNEIER].

Key exchange protocol: The default key exchange protocol is diffie-hellman-group1-sha1. The diffie-hellman-group1-sha1 method specifies Diffie-Hellman key exchange with SHA-1 as HASH.

Sections 5.12.2.1 and 5.12.2.2 briefly describe the implementation of SSH client and SSH server. For detailed information about the SSH Transport Layer Protocol, SSH Authentication Protocol, SSH Connection Protocol, and SSH Protocol Architecture, refer to the corresponding protocol documents at http://www.ietf.org/ids.by.wg/secsh.html.

5.12.2.1 SSH client

The ssh client first parses arguments and reads the configuration (readconf.c), then calls ssh_connect() (in sshconnect*.c) to open a connection to the server, and performs authentication (ssh_login() in sshconnect.c). Terminal echo is turned off while users type their passwords. SSH prevents the password from being displayed on the terminal as it is being typed. The SSH client then makes requests such as allocating a pseudo-tty, forwarding X11 connections, forwarding TCP/IP connections and so on, and might call code in ttymodes.c to encode current tty modes. Finally, the SSH client calls client_loop() in clientloop.c.

The client is typically installed suid root. The client temporarily gives up this right while reading the configuration data. The root privileges are used to make the connection from a privileged socket, which is required for host-based authentication and to read the host key for host-based authentication using protocol version 1. Any extra privileges are dropped before calling ssh_login(). Because .rhosts support is not included in the TSF, the SSH client is not suid root on the system.

5.12.2.2 SSH server daemon

The sshd daemon starts by processing arguments and reading the /etc/ssh/sshd_config configuration file. The configuration file contains keyword-argument pairs, one per line. Refer to the sshd_config man page for available configuration options. It then reads the host key, starts listening for connections, and generates the server key. An alarm regenerates the server key every hour.

When the server receives a connection, it forks a process, disables the regeneration alarm, and starts communicating with the client. The server and client first perform identification string exchange, and then negotiate encryption and perform authentication. If authentication is successful, the forked process sets the effective user ID to that of the authenticated user, performs preparatory operations, and enters the normal session mode by calling server_loop() in serverloop.c.

IBM 10 SP1 EAL4 manual SSH client, SSH server daemon