Interaction between SSL & SSH? - Security



Thread: Interaction between SSL & SSH?

  1. Interaction between SSL & SSH?

    Just when I thought I had figured out the differences between SSL and
    SSH.

    "SSL is a library, and SSH an application which happens to use the
    SSL library"

    some poster comes along and says that SSH doesn't even use the SSL
    library.

    So, what gives?

    Let me try and venture an explanation.

    Conceivably one could rewrite a version of SSH which takes advantage
    of the SSL library. It just happens that the SSH developers decided to
    "roll their own" implementation of the SSL protocols and bypassed
    libssl.{so,a}

    Did I get it right?

    -Ramon


  2. Re: Interaction between SSL & SSH?

    On Jun 11, 12:03 am, Ramon F Herrera wrote:
    > Just when I thought I had figured out the differences between SSL and
    > SSH.
    >
    > "SSL is a library, and SSH an application which happens to use the
    > SSL library"
    >
    > some poster comes along and says that SSH doesn't even use the SSL
    > library.
    >
    > So, what gives?
    >
    > Let me try and venture an explanation.
    >
    > Conceivably one could rewrite a version of SSH which takes advantage
    > of the SSL library. It just happens that the SSH developers decided to
    > "roll their own" implementation of the SSL protocols and bypassed
    > libssl.{so,a}
    >
    > Did I get it right?
    >
    > -Ramon


    I am referring to the versions normally found in Linux, BTW.

    -RFH



  3. Re: Interaction between SSL & SSH?

    Ramon F Herrera wrote:
    > On Jun 11, 12:03 am, Ramon F Herrera wrote:
    >> Just when I thought I had figured out the differences between SSL and
    >> SSH.
    >>
    >> "SSL is a library, and SSH an application which happens to use the
    >> SSL library"
    >>
    >> some poster comes along and says that SSH doesn't even use the SSL
    >> library.
    >>
    >> So, what gives?
    >>
    >> Let me try and venture an explanation.
    >>
    >> Conceivably one could rewrite a version of SSH which takes advantage
    >> of the SSL library. It just happens that the SSH developers decided to
    >> "roll their own" implementation of the SSL protocols and bypassed
    >> libssl.{so,a}
    >>
    >> Did I get it right?
    >>
    >> -Ramon

    >
    > I am referring to the versions normally found in Linux, BTW.
    >
    > -RFH
    >
    >

    You might want to look here
    http://www.rpatrick.com/tech/ssh-ssl/

  4. Re: Interaction between SSL & SSH?

    Ramon F Herrera writes:

    >Conceivably one could rewrite a version of SSH which takes advantage
    >of the SSL library. It just happens that the SSH developers decided to
    >"roll their own" implementation of the SSL protocols and bypassed
    >libssl.{so,a}


    >Did I get it right?


    SSH doesn't use SSL protocols.

    SSH and SSL however may share underlying crypto algorithms
    which can be implemented in the same library (e.g. libcrypto
    from OpenSSL). But that depends on how you build SSH.

    --
    Michael van Elst
    Internet: mlelstv@serpens.de
    "A potential Snark may lurk in every tree."

  5. Re: Interaction between SSL & SSH?

    Ramon F Herrera wrote:
    > "SSL is a library, and SSH an application which happens to use the
    > SSL library"
    >
    > some poster comes along and says that SSH doesn't even use the SSL
    > library.
    >
    > So, what gives?


    It's a half-way situation.

    For a start, you are presumably referring to _Open_SSH and
    _Open_SSL, which are specific implementations of (respectively) SSH
    and SSL.

    OpenSSL comes in two halves: libssl.so, an implementation of the SSL
    protocol, and libcrypto.so, a collection of implementations of the
    individual underlying cryptographic primitives such as block
    ciphers, public-key encryption and signing, hashes, MACs,
    Diffie-Hellman key exchange, and so on.

    OpenSSH uses the libcrypto half of OpenSSL, but does not use the
    libssl half. Package-based Linux distributions (such as Debian)
    generally do not separate the two halves of OpenSSL, meaning that
    the OpenSSH package lists a dependency on the OpenSSL package and
    people therefore presume that it uses the whole of OpenSSL. But in
    fact, all OpenSSH uses is the same set of building blocks which
    OpenSSL does.

    > Conceivably one could rewrite a version of SSH which takes advantage
    > of the SSL library. It just happens that the SSH developers decided to
    > "roll their own" implementation of the SSL protocols and bypassed
    > libssl.{so,a}


    The SSH _protocol_ is not the same as the SSL protocol. They have a
    noticeable similarity of structure, simply because there's a
    standard list of things you have to do if you're building a secure
    network protocol at all (a key exchange phase, encryption, integrity
    protection, authentication), but they also have a lot of differences
    in the details.

    For this reason, libssl.so would be useless to anyone implementing
    an SSH server or client.

    Also, this means there's no particular reason why an SSH
    implementation _has_ to depend on an SSL library: it just so happens
    that the most convenient library of cryptographic primitives for
    OpenSSH to use happens to be in the bottom half of the OpenSSL
    package. But there's no reason it couldn't have been the other way
    around: if OpenSSH had been written first, it might have had all its
    crypto primitives built in and then OpenSSL might have been the one
    to borrow them.

    PuTTY is an example of an SSH client which has no connection
    whatsoever to any SSL implementation of any kind.
    --
    Simon Tatham "You may call that a cheap shot.
    I prefer to think of it as good value."
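A quick way to verify Simon's point on any given system, as an added example that is not part of the thread: inspect which of the two OpenSSL halves a binary actually links against. The function below classifies `ldd`-style output; the sample lines are constructed for illustration, not captured from a real machine.

```shell
#!/bin/sh
# Classify which OpenSSL halves appear in ldd-style output read from stdin.
# Prints one of: libssl+libcrypto, libcrypto-only, libssl-only, none
classify_openssl_linkage() {
    has_ssl=0
    has_crypto=0
    while IFS= read -r line; do
        case "$line" in
            *libssl.so*)    has_ssl=1 ;;
            *libcrypto.so*) has_crypto=1 ;;
        esac
    done
    if [ "$has_ssl" -eq 1 ] && [ "$has_crypto" -eq 1 ]; then
        echo "libssl+libcrypto"
    elif [ "$has_crypto" -eq 1 ]; then
        echo "libcrypto-only"
    elif [ "$has_ssl" -eq 1 ]; then
        echo "libssl-only"
    else
        echo "none"
    fi
}

# Convenience wrapper: run the check against a real binary on this machine,
# e.g. check_binary "$(command -v ssh)"
check_binary() {
    ldd "$1" 2>/dev/null | classify_openssl_linkage
}

# Constructed sample resembling ldd output for an OpenSSH client:
# libcrypto is present, libssl is not (paths and addresses are made up).
SAMPLE_SSH_LDD='    linux-vdso.so.1 (0x00007ffd0e1f2000)
    libcrypto.so.3 => /lib/x86_64-linux-gnu/libcrypto.so.3 (0x00007f1a1c000000)
    libz.so.1 => /lib/x86_64-linux-gnu/libz.so.1 (0x00007f1a1c5d0000)
    libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f1a1bc00000)'

# Constructed sample for a program that actually speaks TLS: both halves.
SAMPLE_TLS_LDD='    libssl.so.3 => /lib/x86_64-linux-gnu/libssl.so.3 (0x00007f2b00000000)
    libcrypto.so.3 => /lib/x86_64-linux-gnu/libcrypto.so.3 (0x00007f2b00400000)
    libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f2b00800000)'

printf '%s\n' "$SAMPLE_SSH_LDD" | classify_openssl_linkage   # libcrypto-only
printf '%s\n' "$SAMPLE_TLS_LDD" | classify_openssl_linkage   # libssl+libcrypto
```

On a system where OpenSSH was built against another crypto library the real check reports `none`, which is exactly the "no reason it has to depend on an SSL library" case.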

  6. Re: Interaction between SSL & SSH?

    On Sun, 10 Jun 2007 22:03:08 -0700, Ramon F Herrera wrote:
    > Just when I thought I had figured out the differences between SSL and
    > SSH.
    >
    > "SSL is a library, and SSH an application which happens to use the
    > SSL library"


    There may be a library named SSL, but SSL is first and foremost a
    protocol. After the very successful SSL Version 3, the name was
    changed from "Secure Sockets Layer" to "Transport Layer Security"
    (TLS). A decent Wikipedia article exists under "Transport Layer
    Security".

    --
    To email me, substitute nowhere->spamcop, invalid->net.

  7. Re: Interaction between SSL & SSH?

    Peter Pearson (07-06-11 16:04:59):

    > > Just when I thought I had figured out the differences between SSL
    > > and SSH.
    > >
    > > "SSL is a library, and SSH an application which happens to use the
    > > SSL library"

    >
    > There may be a library named SSL, but SSL is first and foremost a
    > protocol. After the very successful SSL Version 3, the name was
    > changed from "Secure Sockets Layer" to "Transport Layer Security"
    > (TLS).


    TLS is a new protocol. It's a container protocol, which currently only
    supports SSLv3.


    Regards,
    Ertugrul Söylemez.


    --
    Security is the one concept, which makes things in your life stay as
    they are. Otto is a man, who is afraid of changes in his life; so
    naturally he does not employ security.

  8. Re: Interaction between SSL & SSH?

    On Wed, 13 Jun 2007 07:11:48 +0200, Ertugrul Soeylemez wrote:
    > Peter Pearson (07-06-11 16:04:59):
    >
    >> There may be a library named SSL, but SSL is first and foremost a
    >> protocol. After the very successful SSL Version 3, the name was
    >> changed from "Secure Sockets Layer" to "Transport Layer Security"
    >> (TLS).

    >
    > TLS is a new protocol. It's a container protocol, which currently only
    > supports SSLv3.


    Ah! That explains a lot. Thanks.

    --
    To email me, substitute nowhere->spamcop, invalid->net.
