6.4.1 Secure Shell Overview

You can configure Secure Shell connections when you need secure, encrypted communications between a trusted host and your PC over an insecure network. Secure Shell connections ensure that both the client user and the host computer are authenticated and that all data is encrypted. Passwords are never sent over the network in clear text, as they are when you use Telnet, FTP, or rlogin.

The following cryptographic algorithms are supported:

Data Encryption Standards

Encryption protects the confidentiality of data in transit. The sender encrypts the data with a secret key and cipher before it is sent, and the receiver must decrypt it using the same key and cipher. The cipher used for a given session is the cipher highest in the client's order of preference that is also supported by the server. You can use the Encryption tab of the Secure Shell Settings dialog box to specify which ciphers the Secure Shell connection should use.

The following data encryption standards are supported:

  • Arcfour, Arcfour128, and Arcfour256 (stream mode)

  • TripleDES (168-bit) CBC mode

  • Cast (128-bit)

  • Blowfish (128-bit) CBC mode

  • AES (also known as Rijndael) (128-, 192-, or 256-bit) CBC mode and CTR mode

Data Integrity

Data integrity ensures that data is not altered in transit. Secure Shell connections use MACs (message authentication codes) to ensure data integrity. The client and server independently compute a hash for each packet of transferred data. If the message has changed in transit, the hash values are different and the packet is rejected. The MAC used for a given session is the MAC highest in the client's order of preference that is also supported by the server. Reflection supports the following MAC standards:

  • hmac-sha1

  • hmac-md5

  • hmac-sha1-96

  • hmac-md5-96

  • hmac-ripemd-160

  • hmac-sha256

  • hmac-sha2-256

  • hmac-sha512

  • hmac-sha2-512
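
The selection rule and the per-packet check described above, shown as an added example (not taken from the Reflection documentation or product code). It follows the MAC construction in RFC 4253, section 6.4; the preference lists, key, and packet bytes are constructed sample values, and the function names are hypothetical.

```python
import hashlib
import hmac
import struct

# SSH MAC name -> (hash constructor, tag length in bytes). The -96 variants
# keep only the first 96 bits of the HMAC output (RFC 4253, section 6.4).
MACS = {
    "hmac-sha2-512": (hashlib.sha512, 64),
    "hmac-sha2-256": (hashlib.sha256, 32),
    "hmac-sha1": (hashlib.sha1, 20),
    "hmac-sha1-96": (hashlib.sha1, 12),
    "hmac-md5": (hashlib.md5, 16),
    "hmac-md5-96": (hashlib.md5, 12),
}


def negotiate(client_prefs, server_supported):
    """Return the first name in the client's order that the server also supports."""
    for name in client_prefs:
        if name in server_supported:
            return name
    raise ValueError("no common algorithm; the connection cannot be established")


def packet_mac(alg, key, seq, packet):
    """mac = MAC(key, uint32 sequence_number || unencrypted_packet)."""
    digest, length = MACS[alg]
    data = struct.pack(">I", seq & 0xFFFFFFFF) + packet
    return hmac.new(key, data, digest).digest()[:length]


def verify(alg, key, seq, packet, tag):
    """Constant-time comparison; a mismatch means the packet is rejected."""
    return hmac.compare_digest(packet_mac(alg, key, seq, packet), tag)


# Constructed sample values, not taken from a real session.
CLIENT_PREFS = ["hmac-sha2-512", "hmac-sha2-256", "hmac-sha1", "hmac-md5"]
SERVER_SUPPORTED = {"hmac-md5", "hmac-sha1", "hmac-sha2-256"}
KEY = bytes(range(32))  # real sessions derive this key during key exchange
PACKET = b"\x00\x00\x00\x0c\x06hello" + b"\x00" * 6

if __name__ == "__main__":
    alg = negotiate(CLIENT_PREFS, SERVER_SUPPORTED)
    tag = packet_mac(alg, KEY, 7, PACKET)
    print("negotiated:", alg, "tag:", tag.hex())
    print("intact packet accepted:", verify(alg, KEY, 7, PACKET, tag))
    print("altered packet accepted:", verify(alg, KEY, 7, PACKET[:-1] + b"\x01", tag))
    print("wrong sequence number accepted:", verify(alg, KEY, 8, PACKET, tag))
```

Because the client's order decides the outcome, moving a weaker MAC ahead of a stronger one in the client list changes the negotiated MAC even when the server supports both.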

Digital Signatures

Digital signatures are used for public key authentication (including certificate authentication). The authenticating party uses the digital signature to confirm that the party being authenticated holds the correct private key. The Secure Shell client uses a digital signature to authenticate the host. The Secure Shell server uses a digital signature to authenticate the client when public key authentication is configured. Reflection supports the following digital signature algorithms:

  • x509v3-rsa2048-sha256

  • x509v3-sign-rsa

  • x509v3-sign-dss

  • ssh-rsa-sha2-256@attachmate.com

  • ssh-rsa

  • ssh-ds