Joe Gurr

SSH

The ssh protocol is based on the client-server model, i.e. an ssh client must initiate an ssh session with an ssh server.

Most of the connection setup is conducted by the client.

Public key cryptography is used to verify the identity of the ssh server, and then symmetric key encryption and hashing algorithms are used to keep the transmitted data in ciphertext.

The steps involved in creating an ssh session are:

  1. Client connects to server to initiate a connection
  2. The server responds by sending the client a public cryptographic key
  3. The client is able to authenticate the server by comparing this host key against a local database or by receiving the verification of a Certificate Authority
  4. The client then shares their public key, a negotiation begins, and if successful a secure channel will be opened for the client
  5. The user, through their client, logs into the server
  6. New, ephemeral keys are generated and used to encrypt ssh session traffic

OpenSSH is the OpenBSD community's fork of the original SSH implementation. It is what is usually installed, as the original SSH program is now proprietary.

SSH-Agent

The ssh-agent is a central part of OpenSSH. ssh-agent is a key manager for ssh: it holds your keys and certificates in memory, unencrypted and ready for use by ssh. It saves you from typing in a passphrase every time you connect to a server.

It runs in the background, separately from ssh. The ssh-agent keeps private keys safe because (1) it doesn't write any key material to disk and (2) it does not allow private keys to be exported.

Private keys stored in the agent can only be used for one thing: authenticating during the initial handshake!

ssh-add is your gateway to the ssh-agent.

SSH-Agent Forwarding

ssh-agent forwarding allows your local ssh-agent to reach through an existing ssh connection and transparently authenticate on a more distant server.

ssh connections can have multiple channels: an interactive connection to a host is on one channel; when agent forwarding is enabled (usually ssh -A), a second channel is opened to forward any agent requests back to your local machine.

From ssh's perspective there is no difference between a local and a remote ssh-agent. ssh always looks at the $SSH_AUTH_SOCK environment variable to find the unix domain socket for the agent.

Agent forwarding comes with a risk: anyone with root access on the remote host can discreetly access your local ssh-agent through the socket.

Config

ssh obtains configuration data from the following sources in this order:

  1. Command line options
  2. User's configuration file (~/.ssh/config)
  3. System wide configuration file (/etc/ssh/ssh_config)

Look at the man pages to see how these files should be structured.
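Putting the precedence rule and the agent-forwarding risk together, here is an added example (not from these notes or from OpenSSH) that resolves an option the way ssh does: the first value obtained for a keyword wins, checking the command line, then the user file, then the system file. The config contents and host names are constructed, and the parser is deliberately simplified (no Match, Include or pattern negation).

```python
# Added example, not OpenSSH code: resolve an ssh option with ssh's "first obtained value wins" rule.
from fnmatch import fnmatchcase

# Constructed ~/.ssh/config: agent forwarding only to the bastion, off everywhere else.
USER_CONFIG = """
Host bastion
    HostName bastion.example.com
    ForwardAgent yes
Host *.example.com
    User deploy
Host *
    ForwardAgent no
"""
# Constructed /etc/ssh/ssh_config: a site-wide default that the user file overrides.
SYSTEM_CONFIG = """
Host *
    ForwardAgent yes
"""

def parse_config(text):
    """Return (host_patterns, {keyword: value}) blocks in file order.
    Simplified: 'Keyword value' lines only, no Match blocks or Include."""
    blocks = [(["*"], {})]            # lines before any Host apply to every host
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split(None, 1)
        if not parts:
            continue
        key = parts[0].lower()        # keywords are case-insensitive
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "host":
            blocks.append((value.split(), {}))
        else:
            blocks[-1][1].setdefault(key, value)   # first value wins inside a block too
    return blocks

def host_matches(patterns, host):
    """'*' and '?' wildcards as in ssh_config; '!' negation omitted here."""
    return any(fnmatchcase(host, p) for p in patterns)

def effective(host, keyword, cli_opts=None):
    """Value ssh would use for `keyword` when connecting to `host`, or None."""
    keyword = keyword.lower()
    cli = {k.lower(): v for k, v in (cli_opts or {}).items()}
    if keyword in cli:                          # 1. command line (-o Keyword=value)
        return cli[keyword]
    for cfg in (USER_CONFIG, SYSTEM_CONFIG):    # 2. user file, then 3. system file
        for patterns, opts in parse_config(cfg):
            if keyword in opts and host_matches(patterns, host):
                return opts[keyword]
    return None
```

Run it with `effective("web1.example.com", "ForwardAgent")` and the user file's `Host *` block answers "no" before the system file's "yes" is ever consulted, which is how the blanket ForwardAgent default is kept from leaking the agent socket to every host.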