- 01-11-2006 #1 Just Joined!
- Join Date: Jul 2004
- Posts: 9
How does ssh exactly work??
Ok, I kinda got myself confused. This is how it is:
I have 2 PCs, both have ssh installed. I know for sure that on the Linux machine I have ssh server/client installed. On the iMac I think it's installed standard. If I connect using the ssh command (ssh name@machine) it asks me for the username and password.
--> Is this already encrypted when being sent over the network? If yes, can't any PC that has ssh installed encrypt the data?
Now I read that key pairs are used to encrypt things going over the network. --> How does this encryption differ from the normal encryption? (if it is encrypted) Is it kind of a double encryption?
--> Do both PCs need a private key and a public key? (otherwise isn't it only encrypted one way with the public key?)
--> What does the passphrase do? Is it to protect in case you forgot to lock/logout and someone uses ssh on your computer?
lots of questions
But I'm really thankful if you answer me those. Thanks a lot!
- 01-11-2006 #2 Linux User
- Join Date: Aug 2005
- Location: Italy
- Posts: 401
Yes.. username and password are already encrypted. Over the network environment no one can decrypt data for communicating. The communication is exclusive.
Originally Posted by Kane274
When logging in normally, I think the ssh client/server create a temporary key to communicate for that session.
A user can create a public/private key. Registering the public key on the SSH server permits using that created key to communicate. But if you create a private/public key, you're prompted for a passphrase: if you specify the passphrase, the SSH server will check your key, and then prompt for the passphrase.
If you don't specify any passphrase, the communication is encrypted anyway, and only YOU can log into the system without entering the passphrase (that's because the SSH server recognizes your key).
Actually I set up my SSH server to act only with public/private keys, without normal logins. In this way I don't worry about bruteforce attacks, because the login with username and password is disabled: only I can log into the system because only my public key is registered on the system. And I log in without typing any passphrase!
When using Windows, have you ever told "Ehi... do your business?"
Linux user #396597 (http://counter.li.org)
- 01-11-2006 #3 Just Joined!
- Join Date: Jul 2004
- Posts: 9
thank you so much! I at first thought the server sends the public key to the person who wants to connect. Now it all makes sense. And so it seems that ssh is encrypted all the time so sniffing won't help to see a pass in plaintext. And the keys are there so for example no bruteforce attacks can be done (like you said)
that's how I understood and yes it makes sense
thx again!
- Kane274
- 01-12-2006 #4
It does. This is how public key encryption works. If I give you my public key (http://www.sigil.org/~sarumont/.pubkey), you can encrypt a message with it, but you CANNOT decrypt that message. Only I can decrypt the message with my private key and passphrase that guards it.
Originally Posted by Kane274
SSH works in the same way; when the connection is initialized, the public key(s) are exchanged (in the case that the client has a host key to send the server). The client makes sure the host key matches its database (~/.ssh/known_hosts) and then creates a session (random 256-bit number, encrypted with both host and server keys from the server). (see man sshd)
"Time is an illusion. Lunchtime, doubly so."
~Douglas Adams, The Hitchhiker's Guide to the Galaxy
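
The host key check against ~/.ssh/known_hosts mentioned in post #4, as an added example that is not part of the original thread or of OpenSSH's code. It is a simplified sketch covering plain and hashed host entries; the function names, host names and key bytes are hypothetical and constructed for illustration.

```python
import base64, hashlib, hmac, struct

def fingerprint(key_b64):
    """SHA256 fingerprint of a public key blob, as shown by `ssh-keygen -l`."""
    digest = hashlib.sha256(base64.b64decode(key_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def host_matches(field, host):
    """Match a known_hosts host field: plain comma list or hashed |1|salt|hash."""
    if field.startswith("|1|"):
        _, _, salt_b64, hash_b64 = field.split("|")
        mac = hmac.new(base64.b64decode(salt_b64), host.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(mac, base64.b64decode(hash_b64))
    return host in field.split(",")  # wildcard/negated patterns not handled here

def check_host_key(known_hosts_text, host, key_type, key_b64):
    """Return 'match', 'mismatch' (host known, key differs) or 'unknown'."""
    seen = False
    for line in known_hosts_text.splitlines():
        fields = line.split()
        if len(fields) < 3 or line.startswith(("#", "@")):
            continue  # skip blanks, comments and @cert-authority/@revoked lines
        if host_matches(fields[0], host) and fields[1] == key_type:
            if fields[2] == key_b64:
                return "match"
            seen = True
    return "mismatch" if seen else "unknown"

# --- Constructed sample data: made-up hosts and key bytes, not real host keys ---
def _blob(seed):
    raw = struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + bytes([seed]) * 32
    return base64.b64encode(raw).decode()

def _hashed(host, salt=b"constructed-salt-20b"):
    mac = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(), base64.b64encode(mac).decode())

KEY_A, KEY_B = _blob(1), _blob(2)
KNOWN_HOSTS = "\n".join([
    "# constructed known_hosts sample",
    "imac.example,192.0.2.10 ssh-ed25519 " + KEY_A,
    _hashed("linuxbox.example") + " ssh-ed25519 " + KEY_B,
])

if __name__ == "__main__":
    for host, key in [("imac.example", KEY_A), ("linuxbox.example", KEY_A), ("new.example", KEY_A)]:
        print(host, check_host_key(KNOWN_HOSTS, host, "ssh-ed25519", key), fingerprint(key))
```

A "mismatch" result corresponds to the case where the ssh client warns that the remote host identification has changed; "unknown" is the first-connection case where the user is shown the fingerprint and asked to confirm it.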
