SSH Session
June 15, 2005 by Fernando Duran
Let's take a look at a screenshot of the beginning of an SSH session, taken with Ethereal. Both the client and the server run Ubuntu Linux, as can be seen in the first packet, along with the SSH version.
Note the declaration of supported algorithms in the client-server "Key Exchange Init" packet.
Ubuntu Linux comes with the SSH client by default (ssh-client). The server package openssh-server is easily installed with Synaptic or using the "apt-get install" command. The SSH server can be run with no further configuration; to get it started just do: /etc/init.d/ssh start.
The keys and configuration are under the /etc/ssh directory (both in client and server):
# ls -l /etc/ssh/
total 140
-rw-r--r-- 1 root root 111892 2004-10-07 14:29 moduli
-rw-r--r-- 1 root root 1185 2004-10-07 14:29 ssh_config
-rw-r--r-- 1 root root 1743 2005-06-15 18:54 sshd_config
-rw------- 1 root root 668 2005-06-15 18:54 ssh_host_dsa_key
-rw-r--r-- 1 root root 602 2005-06-15 18:54 ssh_host_dsa_key.pub
-rw------- 1 root root 887 2005-06-15 18:54 ssh_host_rsa_key
-rw-r--r-- 1 root root 222 2005-06-15 18:54 ssh_host_rsa_key.pub
SSH2 tries to authenticate in one of three ways (and in this order): 1) the hostbased method (the server has a file listing which hosts to trust), 2) public key (the client user generates a public/private key pair and the server knows the public key), and 3) sending the encrypted password of an existing user on the server, as in our case.
SSH also supports challenge-response authentication.
On the client side, the SSH server is added as a known host:
# ls ~/.ssh/
known_hosts
# cat ~/.ssh/known_hosts
192.168.0.100 ssh-rsa AAAAB3NzaC...(rest of the server's public key)
If we make a second SSH connection, the server is authenticated if there's a matching entry in this file.
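The known_hosts lookup described above, as an added example (not code from the original post or from OpenSSH): it reports whether an offered host key matches, has changed, or is unknown, and also handles the hashed host format (`|1|salt|hash`) that OpenSSH can write. The key blobs, the salt and the second host 192.168.0.101 are constructed sample values; wildcard patterns, `[host]:port` entries and marker lines are not handled.

```python
import base64, hashlib, hmac

def host_matches(pattern, host):
    """Match one host field entry: plain name/address or hashed (|1|salt|hash)."""
    if pattern.startswith("|1|"):
        _, _, salt_b64, hash_b64 = pattern.split("|")
        salt = base64.b64decode(salt_b64)
        mac = hmac.new(salt, host.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(mac, base64.b64decode(hash_b64))
    return pattern == host

def check_host_key(known_hosts, host, keytype, key_b64):
    """Return 'match', 'changed' or 'unknown' for the key a server offered."""
    seen_host = False
    for line in known_hosts.splitlines():
        fields = line.split()
        # Skip blanks, comments and @cert-authority/@revoked marker lines.
        if len(fields) < 3 or fields[0].startswith(("#", "@")):
            continue
        hosts, ktype, blob = fields[:3]
        if ktype != keytype:
            continue
        if not any(host_matches(p, host) for p in hosts.split(",")):
            continue
        seen_host = True
        if base64.b64decode(blob) == base64.b64decode(key_b64):
            return "match"
    # Same host and key type on file but a different key: treat as a warning.
    return "changed" if seen_host else "unknown"

def fingerprint(key_b64):
    """SHA256 fingerprint in the form current OpenSSH clients print."""
    digest = hashlib.sha256(base64.b64decode(key_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

# Constructed sample data: these blobs are not real keys.
KEY_A = base64.b64encode(b"\x00\x00\x00\x07ssh-rsa" + b"constructed-A").decode()
KEY_B = base64.b64encode(b"\x00\x00\x00\x07ssh-rsa" + b"constructed-B").decode()
SALT = b"constructed-salt-20b"
HASHED = "|1|%s|%s" % (
    base64.b64encode(SALT).decode(),
    base64.b64encode(hmac.new(SALT, b"192.168.0.101", hashlib.sha1).digest()).decode())
KNOWN_HOSTS = "192.168.0.100 ssh-rsa %s\n%s ssh-rsa %s\n" % (KEY_A, HASHED, KEY_A)

if __name__ == "__main__":
    for key in (KEY_A, KEY_B):
        print(check_host_key(KNOWN_HOSTS, "192.168.0.100", "ssh-rsa", key),
              fingerprint(key))
```

A "changed" result corresponds to the case where the client should refuse to continue until the new key has been verified out of band.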

