Secure Shell (SSH) is a network protocol architecture, which provides a secure channel over TCP for communications between applications using a layered architecture. SSH differs from SSL/TLS in the following aspects:
-
SSH provides a more flexible authentication mechanism, supporting other types of authentications such as usercode and password, and a user-held public key in addition to X.509 certificates.
-
SSH provides a method for remote initiation of applications and application subsystems, such as SSH terminal sessions, SFTP, and other user-definable programs.
The SSH protocol suite, for this release, supports
-
SFTP (for both inbound and outgoing file transfers)
-
An SSH client for executing commands at remote systems
-
Terminal services (SHELL)
How SSH Establishes Trust
As part of the SSH handshake, both the client and server authenticate each other. The server sends its public key to the client. The client is then responsible for validating that it trusts this public key coming from this server. Some clients might ask the user to validate that the public key is to be trusted and add it to a cache of trusted public keys. On the ClearPath MCP environment, Security Center provides the interface to add (import) and delete (remove) the list of trusted keys. The MCP Cryptographic Services Manager includes a node called SSH Keys, which contains the list of trusted keys for SSH. This list is organized by IP address. For example, to trust a SSH server at 192.168.16.1, its public key is imported into the MCP Cryptographic Services Manager of Security Center and assigned to that IP address. Security Center accepts the PEM and OpenSSH (RFC4716) file formats. The SSH Key Scan utility in the MCP Cryptographic Servers Manager node provides a simple way of retrieving and importing the SSH public key from a remote server.
Depending on how the server is configured, the client can be authenticated by Public Key ("publickey") or Password ("password"). For password-based authentication, the client must supply the usercode and the password. For public key authentication, the client can use current RSA keys (those found in MCP Cryptographic Services Manager under "Trusted Keys"), if the correct usercode is assigned. RSA-based keys used with SSH do not require a certificate associated with them, unlike SSL/TLS that requires a certificate.
For more information about configuring user credentials for SFTP, refer to the TCP/IP Distributed Systems Services Operations Guide. For more information about configuring user credentials for SSH Client, refer to the System Software Utilities Operations Reference Manual.
The TCPIPSECURITY library queries the AUTHBYPUBLICKEY and AUTHBYPASSWORD security (SECOPT) attributes and uses these values to determine which user authentications are supported. Each attribute has possible values of REQUIRED, DESIRED, ALLOWED, and DISABLED. Only one of the AUTHBYPUBLICKEY and AUTHBYPASSWORD options can be set as REQUIRED. If a command sets one of these options to REQUIRED, and does not change the other option, the option that is not changed is set to DISABLED. If a single command attempts to set one option to REQUIRED and the other option to a value other than DISABLED, the command is rejected.
