SSH now solves numerous vexing security problems relating to enterprise functions conducted over the inherently unsecure public Internet.
The challenges are separate but related:
• Authentication: Assures that the person accessing the server is known and trusted
• Secure file transfers: Creates encrypted tunnels to safely pass files between systems
• Secure remote administration: Permits administrators limited or full system access
• Cross-platform support: Allows users of one platform to easily access any another type
• Open network support: Facilitates secure access to distributed resources on localarea, wide-area, and public networks
SSH also provides encryption and performs other essential global business functions. Several different methods can authenticate users to remote SSH-protected systems:
• User public key (RSA or DSA)
• Kerberos (for SSH-1)
• Hostbased (.rhosts or /etc/hosts.equiv)
SSH security depends upon the proper usage of cryptographic keys, along with the proper configuration of SSH servers and clients. Before a client can log into a server protected by SSH, the systems must securely exchange, or agree upon, an encryption key and a cipher to authenticate and encrypt the communication session. Public key cryptography is used to facilitate the bilateral exchange/agreement process, providing the communicating systems with a variety of encryption algorithms and key lengths from which to choose. While this variability permits vastly disparate systems to always find a “common denominator” for exchange, it also can lead to undesirable variations in the robustness of the security provided from one SSH session to the next. Best security practices currently call for using RSA authentication with 2,048-bit keys or DSA authentication with 1,024-bit keys.
Nearly every vital corporate server today is secured using SSH. Thus, it is critical that SSH is properly understood by enterprise security professionals and their executive stakeholders. It must be deployed carefully, limited to truly trusted individuals, and maintained scrupulously. Companies rely upon the implicit trust of SSH systems for their very existence, and a breach of this trust could doom the entire enterprise. Security decisions always involve tradeoffs in performance, availability, and vulnerability to attack. Best practices continue to evolve as attackers hone their methods and off-the-shelf encryption-breaking capabilities improve.
Beneficial Use Cases
SSH enables a wide array of useful and productive applications that make cross-platform enterprise system access over mixed networks both practical and secure. SSH has largely replaced earlier less secure, fragmented, and standalone tools such as Telnet and rlogin for remote logins, rsh for remote shell connections, FTP for file transfers, and rsync for remote file syncing. Today, this one powerful protocol supports thousands of applications across every major computing platform, including most UNIX variants—Linux, Apple OS-X, and Solaris—plus Microsoft Windows. Below is a list of common SSH functions that users and administrators perform on remote systems:
• Log into a shell on a remote host
• Execute commands on a remote host
• Transfer files securely
• Backup, copy, and mirror files securely
• Forward or tunnel ports
• Encrypt VPN sessions
• Forward X-Windows from a remote host
• Browse the web via an encrypted proxy
• Mount a directory on a remote server securely
• Monitor and manage servers automatically
• Develop apps on mobile or embedded devices
SSH is instrumental in maintaining secure, trusted access to remote, distributed, and cloud-based systems from any location, on any platform, and across all kinds of networks. That is why enterprises must take bold steps to protect this trust at all times.