Posted: Wed Apr 13, 2005 11:40 am Post subject: Book Review - SSH, The Secure Shell: The Definitive Guide
SSH, The Secure Shell: The Definitive Guide
Author: Daniel J. Barrett, Richard E. Silverman
Date Published: February 2001
Book Specifications: Softcover, 540 pages
Category: Networking/Computer Security
Publisher's Suggested User Level: None
Reviewer's Suggested User Level: Beginner - Advanced Users, System Administrators
Suggested Publisher Price: US$39.95 / CAN$38.95
Info from back cover:
Secure your computer network with SSH! With transparent, strong encryption, reliable public-key authentication, and a highly configurable client/server architecture, SSH (Secure Shell) is a popular, robust, TCP/IP-based solution to many network security and privacy concerns. It supports secure remote logins, secure file transfer between computers, and a unique "tunneling" capability that adds encryption to otherwise insecure network applications. Best of all, SSH is free, with feature-filled commercial versions available as well.
SSH, the secure shell, is a replacement for the UNIX 'rsh' remote shell, adding much needed security.
The description above is perhaps the biggest understatement I've ever written. SSH is one of the most flexible tools in the history of computing. Aside from allowing secure shell access (hence the name), SSH provides a plethora of useful features for securing TCP connections in general.
Finally, if all of the above wasn't enough, it can be used to work around network problems, such as tunneling through firewalls and creating an "almost-VPN".
With all these features, it's hard to know where to start with SSH, and it can be almost impossible to get the maximum usage out of such a flexible tool. "SSH, The Secure Shell: The Definitive Guide" is the book you need to enlighten you as to the almost infinite power of SSH.
Content & Overview
The book opens with an introduction to SSH, providing a whirlwind tour of SSH's many features. It covers the SSH-1 and SSH-2 protocols, the SSH1 and SSH2 packages, and, of course, OpenSSH.
Chapter 2 covers basic client usage. For those readers already familiar with SSH, this is mostly a refresher, but it serves equally as an introduction to readers new to SSH.
Chapter 3 covers the internals of SSH, the technical details and the protocols used. Although this chapter is very specific, and technically oriented, I'd recommend all readers persevere through it, since it covers important aspects of SSH, which are referred to later in the book.
Chapter 4 details installation of SSH, covering configuration options which must be set at compile-time. If you are not responsible for installing SSH, this chapter may be skipped on the first reading, but it does cover options which are, again, referred to in later chapters, so it may be worth a look.
Server-wide configuration is the topic of chapter 5. It covers aspects of SSH such as server configuration, authentication and access-control, SSH subsystems (a powerful and flexible way to secure other systems, for example the built-in sftp subsystem, which provides "FTP over SSH" [although it uses the scp (secure copy) program to perform the file transfers]). Chapter 5 also includes a discussion of the more complex issues of logging, debugging and compatibility between SSH-1 and SSH-2.
In Chapter 6, the discussion turns to key management. SSH can use cryptographic keys in a variety of ways, but one of the most useful is the public-key authentication mechanism. This allows you to authenticate to a server without actually transmitting your password, and is, therefore, much more secure. SSH adds flexibility to this security, providing a whole range of configuration options which apply only when using public-key authentication. This chapter also covers the ssh-agent program, which manages your keys and allows the ssh client to use them when you establish a connection to a server, allowing passwordless login (once you've added the key to the ssh-agent, that is!).
Chapter 7 goes into more detail about client use and configuration, especially covering the secure copy program, scp.
Chapter 8 expands on the server configuration chapters, providing details of per-account server configuration. It gives an in-depth look at configuration options available when using public keys.
Chapter 9 is a look into port forwarding, which is a feature provided by SSH but rarely used in practice. The book covers making an encrypted TCP "tunnel" through which your non-secure TCP programs can run. There are several security advantages to this, not least of which is the ability to open only one port on your firewall, the standard port for SSH (22), and still allow access to a myriad of internal services, only to those users with valid shell accounts. This chapter also covers X forwarding, an extension of port forwarding which is explicitly supported in SSH.
Chapter 10 presents a recommended setup. It is a useful reference for options which should (or shouldn't!) be used together. It also explains the perils of using remote home and configuration directories (e.g. NFS or SMB) with SSH.
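The server-wide configuration of chapter 5 and the "options which should (or shouldn't!) be used together" of chapter 10 can be checked mechanically. The following Python script is an added example, not code from the book, from the reviewer, or from OpenSSH: it parses an sshd_config-style file (first occurrence of a keyword wins, as sshd does), compares a handful of real OpenSSH directives against a small policy, and reports what deviates. The policy values and both sample configurations are constructed for this example; the book's own recommended setup is more extensive.

```python
"""Small sshd_config reviewer (added example; policy and samples are constructed)."""

# Constructed sample: a permissive server configuration that a reviewer would flag.
WEAK_CONFIG = """\
# permissive sshd_config (constructed sample)
Port 22
Protocol 1,2
PermitRootLogin yes
PasswordAuthentication yes
PermitEmptyPasswords yes
PubkeyAuthentication no
X11Forwarding yes
"""

# Constructed sample: the same server with the weak settings corrected.
HARDENED_CONFIG = """\
# tightened sshd_config (constructed sample)
Port 22
Protocol 2
PermitRootLogin no
PasswordAuthentication no
PermitEmptyPasswords no
PubkeyAuthentication yes
X11Forwarding no
"""

# (keyword, expected value, reason). The keywords are real OpenSSH sshd_config
# directives; the expected values are this example's policy, not the book's text.
POLICY = [
    ("Protocol", "2", "accept only the SSH-2 protocol"),
    ("PermitRootLogin", "no", "log in as an ordinary user first so privileged use is attributable"),
    ("PasswordAuthentication", "no", "rely on public-key authentication instead of passwords"),
    ("PermitEmptyPasswords", "no", "accounts with empty passwords must never be able to log in"),
    ("PubkeyAuthentication", "yes", "public-key authentication must be enabled"),
]


def parse_sshd_config(text):
    """Return {keyword_lowercase: value} for 'Keyword value' lines.

    Comments (from '#') and blank lines are skipped. Keywords are matched
    case-insensitively and the first occurrence of a keyword is kept, which
    mirrors how sshd resolves repeated directives.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue  # a keyword with no value is ignored here
        keyword, value = parts[0].lower(), parts[1].strip()
        settings.setdefault(keyword, value)
    return settings


def review(text):
    """Return a list of human-readable findings; an empty list means the
    configuration satisfies every entry of POLICY."""
    settings = parse_sshd_config(text)
    findings = []
    for keyword, expected, reason in POLICY:
        actual = settings.get(keyword.lower())
        if actual is None:
            findings.append(f"{keyword} is not set (expected '{expected}'): {reason}")
        elif actual.lower() != expected:
            findings.append(f"{keyword} is '{actual}' (expected '{expected}'): {reason}")
    return findings


if __name__ == "__main__":
    for name, config in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        problems = review(config)
        print(f"{name}: {len(problems)} finding(s)")
        for problem in problems:
            print("  -", problem)
```

Run against the two embedded samples, the permissive configuration produces five findings (one per policy entry) and the tightened one produces none. A directive that is absent is reported rather than assumed safe, because the compiled-in default for a directive can differ between SSH implementations and versions, which is exactly the kind of detail the book's chapter 4 and the quick reference are there to settle.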
Chapter 11 provides five detailed case studies, looking at specific uses of SSH in individual situations. Based on these, you can probably build an SSH-based solution to most network security problems!
Chapter 12 provides troubleshooting information. Such a chapter is rare in books, as it is more often found in online documentation maintained by the vendors, but this book provides some of that information between its covers. Of course, since it was published in 2001, you'd want to check the online documentation for the latest troubleshooting information anyway!
Chapters 13 through 17 are overviews of other implementations of SSH, covering a Windows port of SSH1, SecureCRT, F-Secure SSH Client, and NiftyTelnetSSH.
Appendix A provides the UNIX Manual Page for sshregex, and Appendix B is an SSH quick reference; useful for finding options, keywords, files and environment variables which affect the operation of SSH.
Style & Detail
As can be expected from an O'Reilly book, "SSH, The Secure Shell: The Definitive Guide" is well-presented and cleanly edited. The chapters are clearly and logically organised and the information is presented in an easy-to-read, yet comprehensive, format.
For what seems, at first glance, to be a book on a simple piece of software with just one use, this book is a thick volume, though as you progress through the book, it will become clear why. The many features of SSH are explored in a coherent manner, nothing being introduced before the foundation is there to support it.
Each chapter provides the information it promises in a flowing and engaging text, in which topics are separated into chapters and everything is in the right place.
Another excellent feature of this book is the appendix, the SSH Quick Reference. As should be expected from a quick reference, this provides charts showing which options apply to SSH1, SSH2 and OpenSSH. Together with the main text of the book, the appendix provides for those times when you can't remember whether OpenSSH uses one form of a keyword or another, or if SSH1 supports a feature you've been using for a while in SSH2.
The only negative comment I have about this book is that, printed in 2001, some of the information is now slightly outdated. The discussion on cryptography is affected to an extent by this, and the troubleshooting section would also be of little use in 2005!
In 2001, this book would have received a solid 10/10 in this review. As it is, however, now 4 years since it was published, I can award it no more than a 9, based on the age of some of the information presented. Most of the text is still valid, but those few aspects which rely on the latest information prevent the book obtaining a 10/10.
If the rating system here at SFDC allowed decimals, this book would be a prime candidate for a 9.5.
This book receives an honoured SFDC rating of 9/10
Note: There is a second edition of this book scheduled for release in May 2005.
Keywords: SSH, secure shell, encryption, port forwarding, x forwarding, configuration, network security
This review is copyright 2005 by the author, Andrew J. Bennieston, and Security-Forums Dot Com, and may not be reproduced in any form in any media without the express permission of the author, or Security-Forums Dot Com.