Product Reviews

Secure Sessions for Windows

SecureShell is an implementation of SSH for Windows


A primary problem with remote access in the Unix world is that there is no real encryption to protect the user's session by default. So, in 1995, a company called SSH Communications Security created a client-server protocol to overcome this problem. SSH allows users to log in remotely to a Unix box. SSH creates a security structure that effectively replaces the DARPA command set (ftp, tftp, and telnet) and the Berkeley remote commands (rsh, rlogin, and rcp) with a client-server application. Although there are plenty of SSH clients for different platforms (including Windows), there aren't many SSH daemons (the server side of the equation) for Windows servers.

Count Pragma Systems' SecureShell as one of the few. SecureShell conforms to SSH1 and SSH2, which allows for secure connections across a public network. The SSHD (secure shell daemon) process accepts requests from any SSH client, regardless of platform, and provides sessions remotely. The product also ships with an SSH client for all Win32 platforms. Now, since this tool provides services to Windows NT/2000 that are Unix-oriented, I will often refer to these services as daemons. I hope I don't scare the Microsoft acolytes too much. Just know that a daemon in Unix is synonymous with a service in NT.

SecureShell runs initially as an InetD (Internet Daemon) service, listening for requests on port 22 (by default; you can also customize this port) to launch other daemons, such as SSH. When a call comes in to establish a secure shell, InetD spawns SSHD, negotiates the connection using encryption and presents the user with a logon prompt. The logons tie into NTLM/Kerberos, so there is no need to remember additional passwords. After authentication, the user is greeted by a command prompt, and can proceed with their work.

SecureShell performs port forwarding so other protocols, like SMTP and POP, can be carried securely. This allows you to route all your traffic through one secured port through the firewall. This is similar to the way SOCKS works, except you get encryption along with it. You can use this product to build quick VPN solutions, capable of providing a secure extranet. If you're worried about someone sniffing your packets and then performing attacks such as man-in-the-middle (MITM), interception and spoofing, this product will stop them cold.

On the server side, there are plenty of nifty GUI tools that you can use to configure this product. You can configure daemons in much the same way as you do in IIS. This means you can filter IPs, change ports, define users, and create profiles. SecureShell supports multiple connections from multiple users, and you can manage all of the sessions connected to your InetD and find out who is connected to your server.

So how does SecureShell compare with the competition? On the upside, SecureShell is a standardized implementation of SSH. It's cost-competitive with other commercial offerings and has enough features to use in a lot of different situations. It's very easy to use. Literally install the program, create your keys and you're done.

SecureShell is cross-platform. You can connect to a Windows machine from an SSH client on Solaris or use the client from Windows to connect to a FreeBSD sshd. Expanding on this, you can create simple SSH VPNs with SecureShell. This serves as an alternative to IPSec, which, although more functional, can be much more complex. SecureShell is very easy to use.

On the downside, you need to worry about key management. SecureShell doesn't have much in the way of information regarding importing and exporting keys, which tells me that this probably will be a sore spot. Even if you have a current RSA/X.509 Certificate Server in place, you must generate your own key sets for SecureShell.

Also, SecureShell is not free. There is an open version of SSH called OpenSSH that does the same thing, with implementations for many platforms including Win32. Of course, you get the support you pay for.

Windows 2000 also adds functionality for IPSec right out of the box. Although IPSec is harder to wield than SSH, wizards make it pretty easy to get ramped up right away with IPSec. This means you have to want to use SSH. But this is a nice product for NT 4.0.

SecureShell is a command-line-only product. Some implementations of SSH for Unix can export a display for X11. However, neither the client nor the server parts of SecureShell support this functionality. The alternatives, such as IPSec VPNs or Terminal Services, have the ability to create a GUI environment for the remote user. You would have to use a console exporter like VNC to get this functionality, although with Windows, you get only one console.

So, to sum things up, SecureShell is a good product for what it is: an SSH daemon running as a Windows service. The product is solid and easy to use, with some good applicability; however, the alternatives to this product could weigh heavily against it.

About the Author

Rick A. Butler, MCSE+I, is the Director of Information Services for the United States Hang Gliding Association.
