Secure Shell (SSH) is a cryptographic protocol that enables an admin to remotely, securely send commands to targeted machines — such as computers and servers — or access cloud services. These connections are typically made over unsecured networks or those outside of an organization's on-premises networking environment. Occasionally, they're also used to administer devices over a local network.
To ensure stronger security, SSH mandates encryption, authentication, and tunneling (optionally, also called "port forwarding") to help data packets traverse routes they normally couldn't take. It thus enables system administrators to transfer files, make configuration changes, or perform other management tasks as if they're controlling the machine directly.
SSH is an open protocol in the sense that it's embedded natively into many computing platforms. Following SSH's 1995 introduction by Tatu Ylönen, multiple open-source implementations of SSH have arisen (such as OpenSSH and Dropbear) to extend new features to the protocol — such as improved security, hardware acceleration, deeper administrative tools, and terminal support across various OSes.
How does Secure Shell (SSH) work?
SSH is nearly ubiquitous across machines and the greater internet, powering infrastructure management everywhere. While some similar protocols operate over UDP, SSH instead runs atop TCP to transmit data. This sacrifices some degree of performance to enable better compatibility and reliability.
Secure Shell (SSH) fundamentals
SSH operates over port 22 to safely bypass firewalls that would otherwise restrict client-server communication. SSH can therefore sidestep common packet-blocking measures while using port 22 to help forward traffic to other open ports. It also works at the application layer (Layer 7) of the OSI Model.
Admins use SSH commands mainly through the terminal or command line — though some solutions have emerged that add a UI layer atop the protocol for easier administration. While SSH is usable in a standalone window in this manner, browser wrappers are available to best fit the needs and technical knowledge of the user.
While encryption is a centerpiece of SSH, it's also worth noting that SSH can only facilitate secure communication for one application at a time. The protocol does not accept and process all network traffic, which differentiates it from something like a VPN. However, you can optionally use SSH multiplexing to open multiple channels over one connection.
Understanding Secure Shell (SSH) cryptography
An SSH session starts with the client and server telling each other which cryptographic algorithms they support — which includes multiple ciphers such as AES, chacha20, and others. Key exchange comes next using a specialized algorithm such as Diffie-Hellman or NTRU Prime to establish symmetric encryption and HMAC keys.
During this process, the client gets the public key of the SSH server and proof from the server that it has the associated private key. The client verifies that it's the same key it has used before — if it has already connected to said SSH server in the past — and alerts the user if the key has changed. A key change might suggest that an attacker is attempting to man-in-the-middle (MITM) the SSH connection.
Once the connection is encrypted, the client can authenticate to the server. In most cases, the client presents an elliptic curve or RSA public key stored within the user's authorized_keys file. SSH also supports passwords and other authentication methods; however as there are brute force bots searching the net for SSH servers to exploit, most secure SSH setups disable all methods other than public key authentication.
If you want to observe the setup of an SSH connection, OpenSSH will list every task it performs using the -v flag.
Teams with ample public key infrastructure (PKI) that are suffering from key management bloat may also opt for SSH certificates instead of key-based encryptions. This is a good option for larger organizations that require centralized, granular control over SSH functionality. However, this can incur additional overhead that's often prohibitive for smaller organizations.
Does HAProxy support Secure Shell (SSH)?
Yes! HAProxy and HAProxy Enterprise enable you to seamlessly route SSH traffic to a predefined list of backend servers, to individual servers, or add an RBAC-supported security layer. These behaviors are all configurable and easy to manage within HAProxy Fusion.
To learn more about SSH support in HAProxy, check out our Route SSH Connections With HAProxy blog post.