Secure Sessions for Windows
SecureShell is an implementation of SSH for Windows
A primary problem with remote access in the Unix world is that there is no
real encryption to protect the user's session by default. So, in 1995,
a company called SSH Communications Security created a client-server protocol
to overcome this problem. SSH allows users to login remotely to a Unix
box. SSH creates a security structure that effectively replaces the DARPA
command set (ftp, tftp, and telnet) and the Berkeley remote commands (rsh,
rlogin, and rcp) with a client-server application. Although there are
plenty of SSH clients for different platforms (including Windows), there
aren't many SSH daemons (the server side of the equation) for Windows.
Count Pragma Systems' SecureShell as one of the few. SecureShell conforms
to SSH1 and SSH2, which allows for secure connections across a public
network. The SSHD (secure shell daemon) process accepts requests from
any SSH client, regardless of platform, and provides sessions remotely.
The product also ships with an SSH client for all Win32 platforms. Now,
since this tool provides services to Windows NT/2000 that are Unix-oriented,
I will often refer to these services as daemons. I hope I don't scare
the Microsoft acolytes too much. Just know that a daemon in Unix is synonymous
with a service in NT.
SecureShell runs initially as an InetD (Internet Daemon) service, listening
for requests on port 22 (by default; you can also customize this port)
to launch other daemons, such as SSH. When a call comes in to establish
a secure shell, InetD spawns SSHD, negotiates the connection using encryption
and presents the user with a logon prompt. The logons tie into NTLM/Kerberos,
so there is no need to remember additional passwords. After authentication,
the user is greeted by a command prompt, and can proceed with their work.
SecureShell performs port forwarding so other protocols, like SMTP and
POP, can be facilitated securely. This allows you to route all your traffic
through one secured port through the firewall. This is similar to the
way SOCKS works, except you get encryption along with it. You can use
this product to build quick VPN solutions, capable of providing a secure
extranet. If you're worried about someone sniffing your packets, and then
performing attacks such as man-in-the-middle (MITM), interception and spoofing,
this product will stop them cold.
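
The port forwarding described above, written as a client-side configuration. This is an added example, not part of the original review or Pragma's documentation: it uses the OpenSSH client, and every host name, user name and local port in it is an assumed placeholder.

```sshconfig
# ~/.ssh/config on the client (OpenSSH). All names below are placeholders.
Host secureshell-gw
    # The Windows machine running the SSH daemon; port 22 is the only
    # port that has to be open through the firewall.
    HostName sshd.example.com
    Port 22
    User jdoe

    # Refuse to connect if the server's host key is unknown or has changed.
    # The protection against man-in-the-middle attacks depends on this check.
    StrictHostKeyChecking yes

    # Do not open a session if a forward could not be set up, so mail
    # traffic never falls back silently to an unprotected path.
    ExitOnForwardFailure yes

    # SMTP: the mail client sends to localhost:2525, the SSH server
    # relays to the mail server's port 25.
    LocalForward 2525 mail.example.internal:25

    # POP3: the mail client reads from localhost:1110, relayed to port 110.
    LocalForward 1110 mail.example.internal:110

# Only the client-to-SSH-server leg is encrypted. The hop from the SSH
# server to mail.example.internal travels in the clear on the inside network.
```

With this in place, `ssh -N secureshell-gw` opens the tunnel without starting a shell, and the mail client is pointed at localhost:2525 and localhost:1110.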
On the server side, there are plenty of nifty GUI tools that you can
use to configure this product. You can configure daemons in much the same
way as you do in IIS. This means you can filter IPs, change ports, define
users, and create profiles. SecureShell supports multiple connections
from multiple users and you can manage all of these sessions to your InetD
and find out who is connected to your server.
So how does SecureShell compare with the competition? On the upside,
SecureShell is a standardized implementation of SSH. It's cost competitive
with other commercial offerings and has enough features to use in a lot
of different situations. It's very easy to use. Literally install the
program, create your keys and you're done.
SecureShell is cross-platform. You can connect to a Windows machine from
an SSH client on Solaris or use the client from Windows to connect to a
FreeBSD sshd. Expanding on this, you can create simple SSH VPNs with
SecureShell. This serves as an alternative to IPSec, which, although more
functional, can be much more complex. SecureShell is very easy to use.
On the downside, you need to worry about key management. SecureShell
doesn't have much in the way of information regarding importing and exporting
keys, which tells me that this probably will be a sore spot. Even if you
have a current RSA/X.509 Certificate Server in place, you must generate
your own key sets for SecureShell.
Also, SecureShell is not free. There is an open version of SSH called
OpenSSH that does the same thing, with implementations for many platforms
including Win32. Of course, you get the support you pay for.
Windows 2000 also adds functionality for IPSec right out of the box.
Although IPSec is harder to wield than SSH, wizards make it pretty easy
to get ramped up right away with IPSec. This means you have to want to
use SSH. But this is a nice product for NT 4.0.
SecureShell is a command line only product. Some implementations of SSH
for Unix can export a display for X11. However, neither the client nor
the server parts of SecureShell support this functionality. The alternatives,
such as IPSec VPNs or Terminal Services have the ability to create a GUI
environment for the remote user. You would have to use a console exporter
like VNC to get this functionality, although with Windows, you get only
So, to sum things up, SecureShell is a good product for what it is: an
SSH daemon running as a Windows service. The product is solid and easy
to use, with some good applicability; however, the alternatives to this
product could weigh heavily against it.
About the Author
Rick A. Butler, MCSE+I, is the Director of Information Services for the United States Hang Gliding Association.