Apart from the enhanced authentication options offered by SSH, is there any difference between the basic workings of the SSH and SSL protocols?

I am asking since we can use SFTP or FTP over SSL, both would require authentication.

+5  A: 

Cryptographically they are both equally secure (given that the same ciphers are used). Other than that they are entirely different protocols...

Serguei
+1 for equal security. Choose the method that's easier to use.
Chase Seibert
Hehe ... short and succinct, I like that.
Joachim Sauer
A: 

Oranges and apples.

G Timlin
+7  A: 

The main difference is that SSL lets you use a PKI (via signed certificates). In SSH you have to exchange the key fingerprints out-of-band. But you might want to do without a PKI anyway, in which case it's a tie.

For a nice explanation, see http://www.snailbook.com/faq/ssl.auto.html

sleske
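The out-of-band fingerprint check described in the answer above, as an added example that is not part of the original thread: it parses an OpenSSH public key line, computes the `SHA256:` fingerprint in the form `ssh-keygen -l` prints, and compares it with a fingerprint obtained through a trusted channel. The function names and the sample key (built from constructed bytes, not a real host key) are assumptions made for illustration.

```python
import base64
import hashlib
import hmac
import struct


def parse_pubkey_line(line: str) -> tuple[str, bytes]:
    """Split an OpenSSH public key line into (key type, raw key blob)."""
    fields = line.split()
    if len(fields) < 2:
        raise ValueError("expected '<type> <base64-blob> [comment]'")
    key_type, blob = fields[0], base64.b64decode(fields[1], validate=True)
    # The blob starts with a length-prefixed copy of the key type (RFC 4253
    # string encoding); a mismatch means the line was edited or corrupted.
    if len(blob) < 4:
        raise ValueError("blob too short")
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n] != key_type.encode():
        raise ValueError("key type does not match blob")
    return key_type, blob


def sha256_fingerprint(blob: bytes) -> str:
    """Fingerprint in the SHA256:<unpadded base64> form ssh-keygen -l prints."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def host_key_matches(pubkey_line: str, trusted_fingerprint: str) -> bool:
    """Compare a presented host key with a fingerprint obtained out-of-band."""
    _, blob = parse_pubkey_line(pubkey_line)
    return hmac.compare_digest(sha256_fingerprint(blob), trusted_fingerprint)


def make_sample_line(raw_key: bytes) -> str:
    """Build a constructed ssh-ed25519 line (not a real host key)."""
    name = b"ssh-ed25519"
    blob = struct.pack(">I", len(name)) + name
    blob += struct.pack(">I", len(raw_key)) + raw_key
    return "ssh-ed25519 " + base64.b64encode(blob).decode() + " constructed@example"


if __name__ == "__main__":
    genuine = make_sample_line(bytes(range(32)))
    # Stands in for the fingerprint the administrator handed over out-of-band.
    pinned = sha256_fingerprint(parse_pubkey_line(genuine)[1])
    print(pinned, host_key_matches(genuine, pinned))
    # A substituted key fails the comparison.
    print(host_key_matches(make_sample_line(bytes(32)), pinned))
```

With a PKI, the equivalent trust decision is a certificate chain validation against a CA the client already trusts, so no per-host fingerprint has to be distributed.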
A: 

SSL (or more properly, TLS) is the basic underlying encryption layer, as used by SSH, SMTPS, HTTPS, etc.

SSH is then run on top of that, and provides the authentication, session handling, and all the rest of the telnet-style "options" that an interactive login requires.

Alnitak
That is wrong. SSH does not use TLS, it has its own crypto stack. SMTPS and HTTPS do use TLS. For an explanation see: http://www.snailbook.com/faq/ssl.auto.html
sleske
OK - I think you're half right. (Open)SSH does have its own on-the-wire protocol, but it uses the encryption code from OpenSSL.
Alnitak
+2  A: 

SSH uses SSL under the hood, so they are both as secure as each other. One advantage of SSH is that using key-pair authentication is actually quite easy to do, and built right into the protocol.

With SSL it's a bit of a mess involving CA certificates and other things. After you have the PKI in place you also need to configure your services to use the PKI for authentication instead of their internal password databases; this is a nightmare on some services and a piece of cake on others. It also means you need to go to the hassle of signing all of your users' keys so they can log in with them.

Most competent users can grok SSH keys in no time but it takes a bit longer to get their heads around SSL keys (the extra CA certs and key certs confused me when I first discovered it).

Pick what's supportable. SSH+SFTP is great for Unix people, but FTP over SSL is probably easier to do if your users are Windows-based and are pretty clueless about anything other than Internet Exploiter (and you don't mind risking that your users will choose insecure passwords).

Adam Hawes
"SSH uses SSL under the hood": that seems very unlikely to me; I think the implementations are independent. Do you have any source for that?
sleske
My only reference was the dependence on OpenSSL packages of SSH the last time I installed it manually, which was admittedly a long time ago.
Adam Hawes
SSH absolutely DOES NOT use SSL under the hood. It has its own transport protocol - see RFC 4253.
Tom Anderson