Session Options/Connection/SSH2

SecureCRT


The SSH2 category of the Session Options dialog allows you to configure your SSH2 connection (SSH2 is the second version of the SSH protocol; it encrypts network traffic between a client and a server, with a slightly different set of security features than the SSH1 protocol provides). The SSH2 category only appears when you have selected SSH2 or SFTP as your Protocol.

SSH2 Overview

SSH2 provides secure communication over an insecure channel by encrypting the data channel with the cipher algorithm selected for the session by the user (a cipher is an algorithm used to encrypt data at varying levels of security; examples include 3DES, AES, Blowfish, RC4, and Twofish; a session is a named set of options assigned to a connection to a remote machine, so that the user can keep different preferences for different hosts). The cipher selected must also be supported by the destination SSH2 server; an error will be reported during a connection attempt if the chosen cipher is not supported by the server. The cipher encrypts all network traffic between the local machine and the SSH2 server, thus providing data privacy: the data can be viewed only by those authorized to do so.

Port forwarding is another feature based on SSH security: a logical port on the local machine is connected to a port on a remote machine over the secure (encrypted) channel, and all requests for services sent to the local port are forwarded across that channel to the corresponding port on the remote machine. See Port Forwarding with SSH to learn more about encrypting connections for other applications (such as IMAP) that are not secure by default.

SSH2 connection settings include hostname, port, username, authentication, and key exchange. Authentication is the process of verifying that an individual truly is who he or she claims to be; supplying a password is a very common method, and the most secure method supported in SecureCRT is public-key authentication (see also: identity file, public-private key pair).

Hostname

The hostname or IP address of the remote machine that provides the SSH2 service.

Port

The port number of the SSH2 service on the remote machine. For SSH2, the default port is 22.

Firewall

If your connection involves a firewall, select your firewall from the list of firewalls that have been configured in the Global Options/Firewall dialog.

Note: You can also select an SSH2 session to be used as a firewall. When a session is specified as a firewall, the firewall session will be connected first.

Username

The username used to log on to the remote machine.

Authentication group

SecureCRT supports several authentication methods for connecting to SSH2 servers, and will attempt to connect using them in the order that you specify.

Password authentication transmits the user's password to the server to authenticate the connection. The transmitted password is protected from network eavesdropping because the data channel is encrypted by the session cipher (encryption converts a data transmission into a secret format that cannot easily be read by unauthorized individuals; see also: decryption).

Note: If the remote machine supports both the SSH2 protocol and changing passwords at the protocol level, the password for an SSH2 session can be changed from the Password Properties dialog, which is accessed by selecting Password in the Authentication group and clicking on the Properties button.

PublicKey authentication uses a public/private key pair to authenticate the connection. During the authentication process, the client (the computer or application that uses services provided by a server) and the server negotiate a public key to use for the connection. Once a public key has been determined, the client uses the corresponding private key to perform a signature operation over a unique connection identifier. This signature is then sent to the server for verification. If verification is successful, the client is given permission to connect to the server. The security of the mechanism requires that no one but the owner have access to the private key. The private key is stored locally in an identity file. Identity files are two files containing the public-private key pair used to connect to an SSH server using RSA or DSA authentication: the Identity file contains the public and private key pair and is used by SecureCRT, and the Identity.pub file contains only the public key, which is usually appended to the server's authorized_keys file. Prior to using public-key authentication, the public key must therefore be made available to the SSH2 server. For more information on generating private-public key pairs, see Public-Key Authentication for SSH2.
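As an added illustration of the public-key exchange described above (example code written for this page, not SecureCRT's own implementation): the client signs the unique session identifier with its private key, and the server accepts only if the offered public key is in its authorized list for that user and the signature verifies. It assumes Ed25519 keys and a simplified layout of the signed data; the real SSH2 message format and RSA/DSA keys are not reproduced.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Accepted public keys per username; stands in for the server's authorized_keys file (constructed).
type authorizedKeys map[string][]ed25519.PublicKey

// What the client signs: the unique session identifier from key exchange, bound to the
// username and method so the signature cannot be replayed into another connection or account.
func signedData(sessionID []byte, username string) []byte {
	var b bytes.Buffer
	b.Write(sessionID)
	b.WriteString("\x00ssh-userauth\x00" + username + "\x00publickey")
	return b.Bytes()
}

// Client side: prove possession of the private key; the key itself never
// leaves the identity file.
func clientSign(priv ed25519.PrivateKey, sessionID []byte, username string) []byte {
	return ed25519.Sign(priv, signedData(sessionID, username))
}

// Server side: accept only if the offered public key is authorized for the
// user and the signature is valid over this session's identifier.
func serverVerify(keys authorizedKeys, username string, offered ed25519.PublicKey, sessionID, sig []byte) bool {
	for _, k := range keys[username] {
		if k.Equal(offered) {
			return ed25519.Verify(offered, signedData(sessionID, username), sig)
		}
	}
	return false // key not in authorized_keys for this user
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // client's identity key pair (constructed)
	keys := authorizedKeys{"alice": {pub}}          // public half installed on the server
	sessionID := make([]byte, 32)
	rand.Read(sessionID) // unique per connection; derived from key exchange in real SSH
	sig := clientSign(priv, sessionID, "alice")
	fmt.Println("accepted:", serverVerify(keys, "alice", pub, sessionID, sig))
	other := make([]byte, 32)
	rand.Read(other)
	fmt.Println("replayed into another session:", serverVerify(keys, "alice", pub, other, sig))
}
```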

Keyboard Interactive authentication allows you to use the keyboard to respond to challenges put forth by the server.

GSSAPI (Generic Security Services Application Program Interface) is a generic API for performing client/server authentication. GSSAPI allows SecureCRT to authenticate with a server without knowing anything about the specific authentication mechanism in use. For more information about using GSSAPI, see the GSSAPI Properties dialog.

SecureCRT also supports the use of X.509 certificates.

Key exchange group

Key exchange is part of establishing trust between a client and a Secure Shell server. SecureCRT supports several algorithms for doing key exchange and will attempt to use them in the order that you specify.

Diffie-Hellman key exchange algorithms are common cryptographic protocols that are widely supported by Secure Shell servers.

GSSAPI key exchange algorithms can be used to connect to SSH2 servers that support GSSAPI. When a GSSAPI key exchange algorithm is specified and the server supports it, further authentication is not needed if you already have GSSAPI credentials (e.g., by logging onto a Windows machine that is part of an Active Directory domain).

If a GSSAPI key exchange algorithm is specified and is not supported by the server, there could be a delay during connection because the server is waiting to time out. To prevent this delay, uncheck the GSSAPI key exchange algorithms.