SSH - Protocol Discussion

This section introduces you to SSH and SSH/FTP by comparing and contrasting these protocols to FTP over SSL.

SSH/FTP is often referred to as "SFTP". Despite the unfortunate similarity in name, SFTP is a completely different protocol than FTP over SSL, which is commonly known as FTPS.

Standards

SSH is a proposed Internet standard documented in RFC 4251 while SSH/FTP is a proposed Internet standard currently in "draft" (pre-RFC) status. SSL (the term popularly includes the more recent version of Secure Socket Layer known as TLS) is a proposed standard documented in RFC 2246, and FTP is an official Internet standard documented in RFC 959.

The overall SSH protocol comes in two major versions, SSH1 and SSH2. MOVEit DMZ SSH supports only the more common SSH2 protocol. Although the SSH2 protocol is fairly well-established, the SSH/FTP protocol is still undergoing significant revisions, some of which are incompatible with previous versions. This situation reflects the fact that the SSH/FTP protocol has not yet achieved "RFC" status.

The SSH file transfer protocol comes in versions 1, 2, 3, and 4. As of this writing, version 4 is brand new and has not been implemented by any known clients or servers. MOVEit DMZ SSH implements version 3 of the protocol.

Command Structure

SSH/FTP sessions consist of a series of command and response packets. The packets consist of structured binary information, including integer command codes and response codes. The commands correspond to file system I/O routines such as Open(), Read(), Write() and Close(). To download a file, for instance, the SSH/FTP client must open the file with an Open command followed by a number of Read commands and a Close command.

By contrast, FTP and FTP over SSL use ASCII commands delimited by CR LF. For example, to download a file, the client would send a "PORT" or "PASV" command to set up the data connection, followed by a "RETR" command specifying the filename.
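To make the binary packet structure concrete, here is an added Python example (not code from MOVEit or from this documentation) that frames the version 3 OPEN, READ and CLOSE requests a client sends to download a file, and parses a frame back while checking that the declared length matches the bytes actually received, so a malformed packet is rejected rather than trusted. The packet type numbers and field layouts follow the version 3 draft; the filename, handle value and file size are constructed sample data.

```python
import struct

# SFTP version 3 packet types and open flag (draft-ietf-secsh-filexfer-02)
SSH_FXP_OPEN, SSH_FXP_CLOSE, SSH_FXP_READ = 3, 4, 5
SSH_FXF_READ = 0x01

def sstring(b: bytes) -> bytes:
    """SSH 'string' type: uint32 big-endian length followed by the raw bytes."""
    return struct.pack(">I", len(b)) + b

def packet(ptype: int, request_id: int, body: bytes) -> bytes:
    """Frame one packet: uint32 length (excluding itself), byte type, uint32 request-id, body."""
    payload = struct.pack(">BI", ptype, request_id) + body
    return struct.pack(">I", len(payload)) + payload

def open_for_read(request_id: int, filename: str) -> bytes:
    # SSH_FXP_OPEN: string filename, uint32 pflags, ATTRS (flags = 0, so no attribute fields follow)
    return packet(SSH_FXP_OPEN, request_id,
                  sstring(filename.encode("utf-8")) + struct.pack(">II", SSH_FXF_READ, 0))

def read_chunk(request_id: int, handle: bytes, offset: int, length: int) -> bytes:
    # SSH_FXP_READ: string handle, uint64 offset, uint32 len
    return packet(SSH_FXP_READ, request_id, sstring(handle) + struct.pack(">QI", offset, length))

def close_handle(request_id: int, handle: bytes) -> bytes:
    return packet(SSH_FXP_CLOSE, request_id, sstring(handle))

def download_packets(filename: str, handle: bytes, file_size: int, chunk: int = 32768) -> list:
    """Client side of a download: one OPEN, enough READs to cover the file, one CLOSE."""
    pkts = [open_for_read(1, filename)]
    rid = 2  # request ids let the client match responses to outstanding requests
    for offset in range(0, file_size, chunk):
        pkts.append(read_chunk(rid, handle, offset, min(chunk, file_size - offset)))
        rid += 1
    pkts.append(close_handle(rid, handle))
    return pkts

def parse(frame: bytes):
    """Decode (type, request_id, body), refusing a frame whose declared length disagrees with its size."""
    length, ptype, request_id = struct.unpack(">IBI", frame[:9])
    if length != len(frame) - 4:
        raise ValueError("declared length does not match frame")
    return ptype, request_id, frame[9:]

def parse_string(body: bytes, off: int = 0):
    # Read one SSH 'string' at offset; returns (bytes, next offset) and refuses an overrun.
    (n,) = struct.unpack(">I", body[off:off + 4])
    if off + 4 + n > len(body):
        raise ValueError("string length runs past end of packet")
    return body[off + 4:off + 4 + n], off + 4 + n
```

The handle value is whatever the server returned in its SSH_FXP_HANDLE reply to the OPEN; the example takes it as an argument so the request sequence can be inspected without a live server.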

Port Number and Firewalls

SSH uses a single TCP port number - usually port 22 - for all types of connections. By contrast, SSL uses different port numbers for different applications. For instance, port 443 is typically used for HTTP over SSL, and port 990 is used for one version of FTP over SSL. Furthermore, FTP requires multiple port numbers during file transfers, as each individual file transfer creates a new connection on a new port.

The fact that port 22 is used for all SSH services makes it a bit difficult to have multiple SSH server products running on the same computer. But this is rarely an issue for systems running MOVEit DMZ. More importantly, the fact that port 22 is the only port required for SFTP - there are no separate data ports - makes SSH/FTP a more "firewall-friendly" protocol than FTP over SSL.

Encryption and Certificates

Both SSH and SSL use public key cryptography to exchange a session key, which is then used to encrypt the commands and data transmitted over the network. The strength of the algorithms used by SSH is comparable to that of the algorithms used by SSL, but SSH does NOT support the concept of a Certificate Authority (CA).

SSL requires a certificate, which is usually purchased from a Certificate Authority like www.thawte.com. A certificate vouches for the identity of the server. SSH uses a different approach, in which each server creates its own public key. There is no trusted authority to vouch for the identity of an SSH server. To make up for this, by convention, each SSH client remembers the public key of each server it has ever connected to. If, on a subsequent connection attempt, the server presents a different public key, the SSH client will warn the user that the SSH server may be a hostile server masquerading as the original server.

As a result of these differences, FTP over SSL (FTPS) servers can be more cumbersome to administer than SSH/FTP (SFTP) servers. But by virtue of the more sophisticated certificate scheme, FTPS servers are slightly more secure.