8 SSH Lexicon
This section briefly explains some terms that have a specific meaning when used in the context of the ssh2 protocol.
Algorithm
ssh2 algorithms are named and interchangeable software components used to secure the connection. They are negotiated during the key-exchange process.
See also Algorithms and methods, struct assh_algo_s and assh/assh_algo.h.
Channel
A channel allows the application to transmit a stream of data over ssh2. The channel mechanism is specified as part of the connection protocol.
See also The connection protocol, struct assh_channel_s and Channels and requests.
Connection
This term refers to the link used by the transport layer, established between a client and a server, which lasts for the duration of a session. The specification uses the term transport layer connection. This must not be confused with the term connection protocol.
See also Transport layer and packets.
Connection protocol
The connection protocol is a component of the ssh2 protocol specified as a service. It is the highest layer of the protocol. It provides the channel and request mechanisms used by the application.
See also The connection protocol and assh/assh_connection.h.
Connection sharing
Some ssh2 implementations are able to run multiple interactive sessions over a single ssh2 session, as allowed by the specification.
Fingerprint
The fingerprint of an SSH key is a human readable hash value computed over the public part of the key. It is used to let the user visually check whether two host keys are the same, typically by comparing the fingerprint presented by a server with one obtained out of band.
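The following is an added example, not part of the original page and not libassh code. It shows what a fingerprint is actually computed over: the wire-format public key blob (the SSH string naming the key type followed by the key material), not the base64 text of the key file. Both the OpenSSH-style SHA256 form and the legacy MD5 form are produced. The sample key is constructed in the block with an all-zero key body and is not a real key.

```python
import base64
import hashlib
import struct


def parse_openssh_pubkey(line: str) -> tuple[str, bytes]:
    """Parse one OpenSSH public key line: '<type> <base64 blob> [comment]'.

    Returns the key type as named inside the wire blob, and the raw blob.
    The blob is the string-encoded public part of the key and is what
    fingerprints are computed over, not the base64 text around it.
    """
    fields = line.split()
    if len(fields) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    blob = base64.b64decode(fields[1], validate=True)
    if len(blob) < 4:
        raise ValueError("public key blob too short")
    (name_len,) = struct.unpack(">I", blob[:4])
    if name_len > len(blob) - 4:
        raise ValueError("bad type string length in blob")
    wire_type = blob[4:4 + name_len].decode("ascii")
    # The outer type field must agree with the type encoded inside the blob.
    if wire_type != fields[0]:
        raise ValueError(f"type mismatch: {fields[0]!r} vs {wire_type!r}")
    return wire_type, blob


def fingerprint_sha256(blob: bytes) -> str:
    """OpenSSH-style fingerprint: base64 of SHA-256(blob) with '=' padding removed."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")


def fingerprint_md5(blob: bytes) -> str:
    """Legacy colon-separated hex MD5 fingerprint, still printed by older tools."""
    hexdigest = hashlib.md5(blob, usedforsecurity=False).hexdigest()
    return "MD5:" + ":".join(hexdigest[i:i + 2] for i in range(0, 32, 2))


def host_key_matches(line: str, expected_fp: str) -> bool:
    """Compare a key's fingerprint with one obtained out of band, in either format."""
    _, blob = parse_openssh_pubkey(line)
    if expected_fp.startswith("MD5:"):
        return fingerprint_md5(blob) == expected_fp
    return fingerprint_sha256(blob) == expected_fp.rstrip("=")


# Constructed sample: an ssh-ed25519 blob whose 32 key bytes are all zero.
# This is not a real key; it only exercises the parsing and hashing.
SAMPLE_BLOB = (struct.pack(">I", 11) + b"ssh-ed25519"
               + struct.pack(">I", 32) + bytes(32))
SAMPLE_LINE = ("ssh-ed25519 " + base64.b64encode(SAMPLE_BLOB).decode("ascii")
               + " test@example")

if __name__ == "__main__":
    key_type, blob = parse_openssh_pubkey(SAMPLE_LINE)
    print(key_type, fingerprint_sha256(blob), fingerprint_md5(blob))
```

Because the hash covers the type string as well as the key material, the same key material presented under a different type name yields a different fingerprint, which is why the parser insists that the outer type field and the type inside the blob agree.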
Global request
A global request is a request that is not associated with a channel.
See also The connection protocol and Channels and requests.
Host authentication
The host authentication mechanism allows the client to make sure that it is establishing a session with the expected server. It takes place during the key-exchange process and involves the server host key.
See also Authentication algorithms.
Host based user authentication
The host based user authentication method is one of the user authentication mechanisms optionally provided by the user authentication service. It allows the client application to authenticate its user on the server based on the host key of the host that is running the client.
See also SSH services.
Host key
A host key is an SSH key kept by a server host. It is mainly used to perform host authentication during the key-exchange process and may also be involved in the Host based user authentication method.
Interactive session
The term interactive session refers to a feature of the connection protocol that lets a client run a process remotely, on top of ssh2. Not to be confused with a session.
See also The connection protocol.
Key-exchange
The key-exchange is a part of the ssh2 protocol designed to establish the server host authenticity and generate the session keys.
See also Key-exchange process and methods, Key-exchange algorithms and assh/assh_kex.h.
Keyboard interactive user authentication
The keyboard interactive user authentication method is specified in RFC 4256 as an extension to the original set of supported methods. It allows the server to ask the client user to fill in one or more text fields with custom prompt texts in order to authenticate.
Message
Every ssh2 binary packet carries a single message, identified by its message number, which has a specific role in the protocol.
See also Transport layer and packets, enum assh_ssh_msg_e and assh/assh_packet.h.
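As an added example (not libassh code, and not part of the original page), the following shows the binary packet framing of the transport layer and how a message is recovered from it: a uint32 packet_length, a padding_length byte, the payload whose first byte is the message number, and at least four bytes of random padding that bring the total to a multiple of the cipher block size. The parser validates every length before trusting it, which is what a transport implementation must do with data that has not yet been authenticated. The message numbers listed are the standard ones from RFC 4250; the 35000 byte limit is the minimum packet size every implementation must accept.

```python
import os
import struct

# Message numbers from RFC 4250 section 4.1. The first payload byte is the
# message number, so one binary packet carries exactly one message.
MSG_NAMES = {
    1: "SSH_MSG_DISCONNECT", 2: "SSH_MSG_IGNORE", 3: "SSH_MSG_UNIMPLEMENTED",
    4: "SSH_MSG_DEBUG", 5: "SSH_MSG_SERVICE_REQUEST", 6: "SSH_MSG_SERVICE_ACCEPT",
    20: "SSH_MSG_KEXINIT", 21: "SSH_MSG_NEWKEYS",
    50: "SSH_MSG_USERAUTH_REQUEST", 51: "SSH_MSG_USERAUTH_FAILURE",
    52: "SSH_MSG_USERAUTH_SUCCESS", 80: "SSH_MSG_GLOBAL_REQUEST",
    90: "SSH_MSG_CHANNEL_OPEN", 94: "SSH_MSG_CHANNEL_DATA",
    98: "SSH_MSG_CHANNEL_REQUEST",
}
MAX_PACKET = 35000  # smallest packet_length every implementation must accept


def build_packet(payload: bytes, block_size: int = 8, rand=os.urandom) -> bytes:
    """Frame `payload` as a binary packet, before encryption and MAC:
    uint32 packet_length || byte padding_length || payload || random padding.
    The whole packet is a multiple of max(block_size, 8) bytes long and
    carries at least 4 bytes of padding (RFC 4253 section 6)."""
    block_size = max(block_size, 8)
    padding_length = block_size - (5 + len(payload)) % block_size
    if padding_length < 4:
        padding_length += block_size
    packet_length = 1 + len(payload) + padding_length
    return (struct.pack(">IB", packet_length, padding_length)
            + payload + rand(padding_length))


def parse_packet(data: bytes, block_size: int = 8):
    """Split one packet off the front of `data`, checking every length field
    before using it. Returns (message_number, payload, remaining_bytes)."""
    block_size = max(block_size, 8)
    if len(data) < 5:
        raise ValueError("need more data: packet header incomplete")
    packet_length, padding_length = struct.unpack(">IB", data[:5])
    if packet_length > MAX_PACKET:
        raise ValueError(f"packet_length {packet_length} exceeds limit")
    if (4 + packet_length) % block_size:
        raise ValueError("packet length is not a multiple of the block size")
    # Need 4 bytes of padding and at least one payload byte (the message number).
    if padding_length < 4 or packet_length < padding_length + 2:
        raise ValueError("padding_length leaves no room for a message")
    end = 4 + packet_length
    if len(data) < end:
        raise ValueError("need more data: packet body incomplete")
    payload = data[5:end - padding_length]
    return payload[0], payload, data[end:]


def message_name(msg: int) -> str:
    return MSG_NAMES.get(msg, f"unknown message {msg}")


if __name__ == "__main__":
    # Constructed SSH_MSG_IGNORE carrying the string "abc".
    ignore = bytes([2]) + struct.pack(">I", 3) + b"abc"
    pkt = build_packet(ignore)
    msg, payload, rest = parse_packet(pkt)
    print(len(pkt), message_name(msg), payload, rest)
```

Once session keys are in place the same framing is encrypted and followed by a MAC; the length checks above then run on the decrypted packet_length field before the rest of the packet is processed.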
Port forwarding
The term port forwarding refers to a feature of the connection protocol that makes the server act as a proxy, issuing and accepting TCP connections on behalf of the client.
See also The connection protocol.
Private extension
The ssh2 specification allows private extensions to the protocol. This enables implementations to provide some specific or advanced features not described in the standard, provided that they are properly named and negotiated.
See also Protocol architecture.
Public key user authentication
The public key user authentication method is one of the user authentication mechanisms provided by the user authentication service. When selected, it allows the client application to authenticate its user on the remote server based on the ownership of a user key. The client user owns the private key and proves that ownership by signing data bound to the current session; the server verifies the signature with the public key it knows for that user.
See also SSH services and Authentication algorithms.
Request
ssh2 requests are used by applications to transmit control messages to the remote host. These are specified as part of the connection protocol.
See also The connection protocol, struct assh_request_s and Channels and requests.
Service
A service is a type of software component that runs on top of the transport layer.
See also Transport layer and packets and struct assh_service_s.
Session
A session is initiated by a client when it connects to a server. It gets established when the key-exchange process produces a unique session identifier as well as the session keys. Not to be confused with interactive session.
See also struct assh_session_s.
SSH agent
An SSH agent is an optional piece of software that manages the use of user keys. It allows the user to enter the key passphrase only once, then keeps the private keys ready for use as long as it is running.
SSH agent forwarding
SSH agent forwarding enables a remote server to use user keys belonging to the client.
This allows the user to keep their keys on a single workstation while still being able to perform public key user authentication when initiating further ssh connections from the remote server.
It works by forwarding connections to the SSH agent over a channel of the existing session. The private keys themselves never leave the workstation; only signing requests are forwarded. Note that this still allows anyone who has gained administrator privileges on the server, or otherwise has access to the forwarded agent socket, to use the keys. Such an attacker may therefore impersonate the user on any other host for as long as the agent is reachable.
SSH key
SSH keys are long term cryptographic keys, mainly used by signature algorithms. An SSH key can be used as a user key or as a host key. Because it relies on public key cryptography, it has a public part and a private part.
See also Key types and formats, struct assh_key_s and assh/assh_key.h.
Transport layer
The transport layer is a component of the ssh protocol designed to enable secure communication over the connection during the whole session.
See also Transport layer and packets and assh/assh_transport.h.
User authentication
The user authentication component is specified as a service of the ssh2 protocol. It allows the client application to authenticate its user on the remote server system. The service implements various user authentication methods.
See also SSH services, User authentication methods, assh/assh_userauth_server.h and assh/assh_userauth_client.h.
User key
A user key is an SSH key used to authenticate the user on the remote server. It is only used when the public key user authentication method is selected.
Session keys
Session keys are ephemeral keys used by symmetric cryptography algorithms to perform encryption and authentication of the ssh2 binary packets exchanged over the insecure connection. Separate keys are derived for each direction and for each of the encryption, initialization vector and integrity roles, and they are all replaced when the key-exchange is run again during the session.
See also Key-exchange process and methods.
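The derivation of session keys from the key-exchange output, as an added example that is not libassh code and not part of the original page. It implements the key expansion of RFC 4253 section 7.2: each key is HASH(K || H || X || session_id) with X one of the letters 'A' to 'F', extended by HASH(K || H || K1 || ...) when more bytes are needed. The shared secret K is encoded as an mpint, and the session_id (the exchange hash of the first key-exchange) is passed separately from the current exchange hash H, because only H changes on re-exchange. The sample K and H values are constructed for the demonstration; real ones come from the negotiated key-exchange method.

```python
import hashlib


def ssh_mpint(n: int) -> bytes:
    """Encode a non-negative integer as an SSH mpint (RFC 4251 section 5):
    a uint32 length followed by big-endian two's-complement bytes, with an
    extra leading 0x00 when the top bit is set so the value stays positive.
    Zero is encoded as a zero-length string."""
    if n < 0:
        raise ValueError("shared secrets are never negative")
    body = b"" if n == 0 else n.to_bytes((n.bit_length() + 7) // 8, "big")
    if body and body[0] & 0x80:
        body = b"\x00" + body
    return len(body).to_bytes(4, "big") + body


def derive_key(hash_name: str, K: int, H: bytes, letter: bytes,
               session_id: bytes, needed: int) -> bytes:
    """RFC 4253 section 7.2 key expansion:
    K1 = HASH(K || H || X || session_id)
    K2 = HASH(K || H || K1)
    K3 = HASH(K || H || K1 || K2) ...
    The key is the first `needed` bytes of K1 || K2 || K3 ...
    HASH is the hash of the key-exchange method, K is sent as an mpint."""
    k = ssh_mpint(K)
    material = hashlib.new(hash_name, k + H + letter + session_id).digest()
    while len(material) < needed:
        material += hashlib.new(hash_name, k + H + material).digest()
    return material[:needed]


def derive_session_keys(hash_name: str, K: int, H: bytes, session_id: bytes,
                        iv_len: int, key_len: int, mac_len: int) -> dict:
    """All six session keys for one key-exchange. `session_id` is the exchange
    hash of the first key-exchange of the session and is reused unchanged on
    every later re-exchange, while H is the exchange hash just computed."""
    spec = {
        "iv_c2s": (b"A", iv_len), "iv_s2c": (b"B", iv_len),
        "enc_c2s": (b"C", key_len), "enc_s2c": (b"D", key_len),
        "mac_c2s": (b"E", mac_len), "mac_s2c": (b"F", mac_len),
    }
    return {name: derive_key(hash_name, K, H, letter, session_id, length)
            for name, (letter, length) in spec.items()}


# Constructed inputs for the demonstration: a small shared secret (the mpint
# example value from RFC 4251) and an arbitrary 32-byte "exchange hash".
SAMPLE_K = 0x9a378f9b2e332a7
SAMPLE_H = bytes(range(32))

if __name__ == "__main__":
    # First key-exchange of a session: session_id == H.
    keys = derive_session_keys("sha256", SAMPLE_K, SAMPLE_H, SAMPLE_H, 12, 32, 32)
    for name, value in keys.items():
        print(name, value.hex())
```

The letters give six unrelated keys from one secret, so compromise of the integrity key in one direction reveals nothing about the encryption key in the other. Passing the same H as session_id models the first exchange; a re-exchange later in the session calls the same function with a new K and H but the original session_id.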
Version string
The client and the server both transmit their version strings when the connection is established. It allows the remote ssh2 software to be identified. Both strings are sent in clear text before the key-exchange, but they are included in the exchange hash, so any modification of them in transit is detected when the key-exchange completes.
See also Transport layer and packets.
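Parsing the version exchange, as an added example that is not libassh code and not part of the original page. The format is the one of RFC 4253 section 4.2, "SSH-protoversion-softwareversion SP comments CR LF", at most 255 bytes including the line ending. A server may send free-form lines before its version string, which must not start with "SSH-" and are skipped; the cap on how many of those are accepted is an assumption of this example, not a value from the specification. The software version field is matched leniently because deployed servers do not all keep the minus sign out of it. The function returns the version string without its CR LF, which is exactly what later enters the exchange hash as V_C or V_S.

```python
import re

# RFC 4253 section 4.2: SSH-protoversion-softwareversion SP comments CR LF.
# protoversion may not contain '-', otherwise the split would be ambiguous.
VERSION_RE = re.compile(r"SSH-(?P<proto>[^\s-]+)-(?P<software>\S+)(?: (?P<comments>.*))?")
MAX_VERSION_LINE = 255      # bytes, including CR LF
MAX_BANNER_LINES = 128      # assumed limit on lines before the version string


def parse_version_exchange(data: bytes) -> dict:
    """Consume the identification lines a peer sends at the start of the
    connection and return the version string (without CR LF), its parts, the
    skipped banner lines and the bytes that follow, which belong to the first
    binary packet. Raises ValueError when more data is needed or the
    identification is unacceptable."""
    banner = []
    rest = data
    while True:
        nl = rest.find(b"\n")
        if nl < 0:
            raise ValueError("need more data: no complete line yet")
        line, rest = rest[:nl], rest[nl + 1:]
        if line.endswith(b"\r"):      # a bare LF is tolerated, as OpenSSH does
            line = line[:-1]
        if line.startswith(b"SSH-"):
            break
        if len(banner) >= MAX_BANNER_LINES:
            raise ValueError("too many lines before the version string")
        banner.append(line)
    if len(line) + 2 > MAX_VERSION_LINE:
        raise ValueError("version string longer than 255 bytes")
    try:
        text = line.decode("ascii")
    except UnicodeDecodeError:
        raise ValueError("version string is not US-ASCII") from None
    m = VERSION_RE.fullmatch(text)
    if m is None:
        raise ValueError(f"malformed version string {text!r}")
    proto = m.group("proto")
    if proto not in ("2.0", "1.99"):  # "1.99" is the compatibility form
        raise ValueError(f"unsupported protocol version {proto}")
    return {"version": line, "proto": proto, "software": m.group("software"),
            "comments": m.group("comments"), "banner": banner, "rest": rest}


if __name__ == "__main__":
    # Constructed server greeting: two banner lines, then the version string,
    # then the first bytes of a binary packet.
    greeting = b"Welcome\r\nAuthorized use only\r\nSSH-2.0-OpenSSH_9.6 Debian-1\r\n\x00\x00\x04\x14"
    print(parse_version_exchange(greeting))
```

A client that connects to a non-SSH service gets whatever that service answers; the loop above keeps reading banner lines until the cap is hit or the data runs out, so the caller also needs a timeout and a bound on how many bytes it is willing to buffer before a version string appears.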