The user normally has to type only one command, ssh-keygen. If there is a
risk, even a purely theoretical one (and there always is), that somebody
might break into your computer, you should encrypt your private key with a
passphrase; ssh-keygen prompts for one. An unencrypted private key on a
compromised machine is simply the attacker's key. But you then have to enter
this passphrase every time you use SSH, which is unacceptable for some users.
While users don't normally notice when they are given more security, they get
upset when asked to enter passwords.
This motivated Ylonen to write another program, ssh-agent, which holds the
decrypted private key in memory for the duration of a regular UNIX session
and answers the authentication challenges on the client's behalf, so the
passphrase is typed only once. It speeds up connection establishment
considerably. (In Figure 7.3 ssh-agent wasn't running when I recorded the
prompts, which is why a passphrase is requested.)
SSH can easily be configured so that every user continues working in the
familiar way, except for entering the key passphrase once at login.
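The passphrase and agent workflow just described, as an added shell example (not code from the book): it generates a key with and without a passphrase, checks with `ssh-keygen -y` that the passphrase-protected file really cannot be used without the passphrase, and shows the once-per-session ssh-agent setup. The key type (ed25519 rather than the 1024-bit RSA of the original ssh), the directory layout and the 8-hour agent lifetime are my choices, not the book's.

```shell
#!/bin/sh
# Added example, not from the book: a passphrase-protected key and the
# once-per-session agent. Only the helpers below are non-interactive;
# start_agent needs a terminal because ssh-add prompts for the passphrase.

# make_key DIR PASSPHRASE: create DIR/id_ed25519 and DIR/id_ed25519.pub.
# An empty PASSPHRASE stores the private key in the clear, which is exactly
# what the text warns against. (ed25519 is an assumption here; the original
# ssh only offered RSA.)
make_key() {
    dir=$1
    pass=$2
    mkdir -p "$dir" && chmod 700 "$dir"
    ssh-keygen -q -t ed25519 -N "$pass" -C "example key" -f "$dir/id_ed25519"
}

# key_is_encrypted KEYFILE: succeed if the private key cannot be read without
# a passphrase. `ssh-keygen -y` derives the public key from the private one;
# with -P "" it tries the empty passphrase and fails instead of prompting.
key_is_encrypted() {
    ! ssh-keygen -y -P "" -f "$1" >/dev/null 2>&1
}

# key_opens_with KEYFILE PASSPHRASE: succeed if PASSPHRASE unlocks the key.
key_opens_with() {
    ssh-keygen -y -P "$2" -f "$1" >/dev/null 2>&1
}

# start_agent KEYFILE: the "type the passphrase once per login" setup.
# ssh-agent keeps the decrypted key in memory; -t 8h makes it forget the key
# after eight hours so an abandoned session does not stay usable forever.
start_agent() {
    eval "$(ssh-agent -s)" >/dev/null
    ssh-add -t 8h "$1"      # prompts for the passphrase, once
}
```

start_agent is the only part that needs a terminal; the rest runs unattended. The lifetime on ssh-add is a caveat the text does not mention: an agent that holds the key indefinitely turns a stolen session into a stolen key.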
When communicating with computers that don't have Secure Shell installed,
SSH prints a warning and automatically falls back on the customary tools,
i.e., rlogin, rcp, and rsh. This fallback silently downgrades the session to
cleartext; it was a configurable option of the original ssh implementation
and should be switched off. Modern OpenSSH no longer offers it.
X11 traffic tunnelled through the connection is encrypted too (the original
ssh enabled this forwarding by default; current OpenSSH clients leave it off
unless requested, since a compromised server can abuse a forwarded display),
and built-in compression (switch -C, undocumented at the time) comes in
handy on slow lines, mainly PPP over a modem. And finally, SSH can forward
arbitrary TCP ports and thus serve as a secure transmission channel for
other applications.
Unfortunately, there is a painful drawback: security costs computation time.
Encrypting the connection slows a regular PC of the day down noticeably (you
won't notice it on a Pentium-100 or better), and the public-key computations
on 1024-bit keys are time-consuming. On the configuration I used back then,
remote execution of the date command took about 0.7 seconds (the TCP
connection has to be set up and torn down even for such a tiny command).
When I used SSH (and ssh-agent), this time increased to between 4 and 5
seconds.
On modern computers this delay plays a subordinate role when you log in or
copy large files. But it is a big deal when you use SSH from badly written
shell scripts that transport 500 small files individually with scp: the
expensive part is the key exchange, which is paid once per connection, so
500 scp invocations pay it 500 times. Regardless of the cryptographic
program you use, there are only two solutions: either you buy a
multiprocessor machine with eight cores, or you improve the application by
packing all of these files into one archive and shipping the archive across
the network in a single connection.
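The archive solution from the last paragraph as an added shell example (not from the book): one tar stream through one connection instead of one scp per file. The transport is passed in as a parameter so the function can be tried locally with `sh -c` before pointing it at ssh; the function and variable names are mine.

```shell
#!/bin/sh
# Added example, not from the book: ship a directory tree over ONE
# connection instead of one per file.

# ship_tree SRC DST TRANSPORT: copy directory SRC to DST on the far side by
# streaming a single tar archive. TRANSPORT is the command that runs a shell
# on the far side, e.g. "ssh user@host" (or "ssh -C user@host" to add
# compression on a slow line); "sh -c" runs it locally, without a network.
ship_tree() {
    src=$1
    dst=$2
    transport=$3
    tar -C "$src" -cf - . | $transport "mkdir -p '$dst' && tar -C '$dst' -xf -"
}

# ship_tree_slowly SRC DST HOST: the anti-pattern from the text, one scp
# (one TCP connection and one key exchange) per file. For comparison only.
ship_tree_slowly() {
    for f in "$1"/*; do
        scp -q "$f" "$3:$2/"
    done
}

# count_files DIR: number of regular files below DIR (tr strips the padding
# some wc implementations print).
count_files() {
    find "$1" -type f | wc -l | tr -d ' '
}

# Example invocation (hypothetical host): ship_tree ./build /tmp/build "ssh user@host"
```

In real use the transport is `ssh user@host`; `scp -r` and rsync over ssh also move a whole tree through one connection. The point is the single key exchange, not tar in particular.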
You should use SSH to log on to remote computers in any event, because short
additional wait times won't matter there. And if encrypting the data traffic