The Old Joel on Software Forum: Part 4 (of 5)

Difference of SSH and SSL

SSH - a Unix command for logging onto remote computers

SSL - A protocol to provide secure communication over HTTP (or is it over TCP/IP)

My questions - Is SSH a form of encryption as well?

Thanks,

D

Dimwit
Thursday, February 5, 2004

SSH uses encryption algorithms to secure communications over a shell connection. By itself, SSH is not a communications algorithm.

Ankur
Thursday, February 5, 2004

SSH is basically "telnet + SSL", isn't it? Actually it's a bit more complex as, in the classic "throw everything in", SSH also includes port tunneling much like IPSec.

Dennis Forbes
Thursday, February 5, 2004

SSL is a secure transport for TCP/IP in general, typically used by browsers for secure pages.

SSH is a secure transport used for remote login and file transfer, particularly on Unix systems.

OpenSSH is an open-source implementation of SSH that relies on OpenSSL, an open-source implementation of SSL.

David Jones
Thursday, February 5, 2004

SSL (really "TLS") is a secure protocol that roughly sits at the same layer as TCP. Other higher level protocols, like http, etc, can be made to run over TLS instead of TCP to add in security.

Contrast that with IPSec with is similar but at roughly the same level as IP. Thus, you can run regular TCP (and everything that runs on top of TCP) on top of IPSec instead of regular IP to add in security.

(The tradeoffs between the two are more complicated than will fit in this post ;-)

SSH, on the other hand, is a "secure" replacement for Telnet. It also allows the tunneling of other protocols (such as X) etc, over it. SSH typically sits on top of regular TCP.

Michael Kale
Thursday, February 5, 2004

SSH was initially a product.

application + transport (+ library)

the visibility was initially just the application... then people started using the VPN capabilities (and it was advocated as a transport) and people started to link the library that the SSH application depended on to other applications and it became known as a library. The code audits that people are so concerned about with SSH also help selling the library--everyone wants to use a library that has more eye balls on it--especially a security library.

SSL follows the same story, at first, just an s on the end of the http that no one understood but knew they had to get on their webserver, then the transport became kinda famous because you could pipe most anything over it, then people started figuring OpenSSL would be an excellent library (it's free) to use over the commercial stuff RSA and friends were pushing.

Li-fan Chen
Thursday, February 5, 2004

But observe Michael Kale's _very_ important explanations of the differences.

Li-fan Chen
Thursday, February 5, 2004

SSH is one of my favorite programs. You can do some cool things with it:

Establish a VNC connection to a computer behind a firewall, from outside:
ssh -C -L5905:ssh.server.name:5900 internal.server.name
Then start VNC and connect to localhost:5. Voila, a compressed, secure VNC session to a computer behind the firewall.

Monitor a Unix mail server on your local screen:
ssh mail.server.name tail -f /path/to/maillog
Now you can debug your SMTP session "live".

Print a man page from a remote computer on a local PostScript printer:
ssh remote.server.name man -t manpage | lpr

If you are using public key authentication you won't need a password, although you will have to prove your identity (the server knows your public key, your SSH client knows the private key). This makes SSH scriptable.

SSH is also the basis for SFTP (secure FTP).

Nate Silva
Friday, February 6, 2004