Secure Shell - Overview

The software consists of a number of programs.

sshd

Server program run on the server machine. This listens for connections from client machines, and whenever it receives a connection, it performs authentication and starts serving the client.

ssh

This is the client program used to log into another machine or to execute commands on the other machine. "slogin" is another name for this program.

scp

Securely copies files from one machine to another.

ssh-keygen

Used to create RSA keys (host keys and user authentication keys).

ssh-agent

Authentication agent. This can be used to hold RSA keys for authentication.

ssh-add

Used to register new keys with the agent.

make-ssh-known-hosts

Used to create the /etc/ssh_known_hosts file.

Ssh is the program users normally use. It is started as

ssh host

or

ssh host command

The first form opens a new shell on the remote machine (after authentication). The latter form executes the command on the remote machine.

When started, ssh connects to sshd on the server machine, verifies that the server machine really is the machine it wanted to connect to, exchanges encryption keys (in a manner which prevents an outside listener from getting the keys), and performs authentication using .rhosts and /etc/hosts.equiv, RSA authentication, or conventional password-based authentication. The server then (normally) allocates a pseudo-terminal and starts an interactive shell or user program.

The TERM environment variable (describing the type of the user's terminal) is passed from the client side to the remote side. Also, terminal modes will be copied from the client side to the remote side to preserve user preferences (e.g., the erase character).

If the DISPLAY variable is set on the client side, the server will create a dummy X server and set DISPLAY accordingly. Any connections to the dummy X server will be forwarded through the secure channel, and will be made to the real X server from the client side. An arbitrary number of X programs can be started during the session, and starting them does not require anything special from the user. (Note that the user must not manually set DISPLAY, because then it would connect directly to the real display instead of going through the encrypted channel). This behavior can be disabled in the configuration file or by giving the -x option to the client.

Arbitrary IP ports can be forwarded over the secure channel. The program then creates a port on one side, and whenever a connection is opened to this port, it will be passed over the secure channel, and a connection will be made from the other side to a specified host:port pair. Arbitrary IP forwarding must always be explicitly requested, and cannot be used to forward privileged ports (unless the user is root). It is possible to specify automatic forwards in a per-user configuration file, for example to make electronic cash systems work securely.
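As an added example (not code from the ssh distribution), the following POSIX shell function models the rule stated above for a `port:host:hostport` forward specification: the listening port must be unprivileged unless the requesting user is root. The function name, the numeric uid argument and the return codes are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example, not ssh's own code: validate a "port:host:hostport"
# forward request and enforce the privileged-port rule from the overview.
# Usage: check_forward_spec SPEC UID
# Returns 0 if the forward is allowed, 1 if refused for policy reasons,
# 2 if the specification is malformed.
check_forward_spec() {
    spec=$1
    uid=$2
    # Exactly three ':'-separated fields are expected.
    case "$spec" in
        *:*:*) ;;
        *) echo "malformed: $spec"; return 2 ;;
    esac
    lport=${spec%%:*}          # listening port on this side
    rest=${spec#*:}
    case "$rest" in *:*:*) echo "malformed: $spec"; return 2 ;; esac
    host=${rest%%:*}           # target host on the other side
    hport=${rest#*:}           # target port on the other side
    # Both ports must be decimal numbers in 1..65535.
    for p in "$lport" "$hport"; do
        case "$p" in
            ''|*[!0-9]*) echo "bad port: $p"; return 2 ;;
        esac
        if [ "$p" -lt 1 ] || [ "$p" -gt 65535 ]; then
            echo "port out of range: $p"; return 2
        fi
    done
    [ -n "$host" ] || { echo "empty host in $spec"; return 2; }
    # A privileged listening port (< 1024) may only be bound by root.
    if [ "$lport" -lt 1024 ] && [ "$uid" -ne 0 ]; then
        echo "refused: port $lport is privileged and uid $uid is not root"
        return 1
    fi
    echo "allowed: listen on $lport, forward to $host:$hport"
    return 0
}
```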

If there is an authentication agent on the client side, connection to it will be automatically forwarded to the server side.

For more information, see the manual pages ssh(1), sshd(8), scp(1), ssh-keygen(1), ssh-agent(1), ssh-add(1), and make-ssh-known-hosts(1) included in this distribution.



Last modification: 12. 2. 1997 by Jiri Klouda