Security

Server verification #

Once connected to an SSH server (and before authenticating), you should make sure you are indeed connected to the server you intended to connect to. Otherwise, you risk revealing sensitive data (such as your password) to a third party.

This is done by checking the server's public key and its signature. The signature is validated by Rebex SSH automatically, but it's up to you to check the server's public key (or fingerprint).

In an ideal world, you should only connect to servers whose public keys (or fingerprints) you already have received securely. However, most real-world applications simply display the public key to the user when connecting for the first time, and make sure the key has not changed on subsequent connections. This has proved to be a decent compromise between security and usability.

Verifying server fingerprint #

A fingerprint (hash value) of the server key used to secure the current connection is available in the Fingerprint property. To verify it, simply compare the value with the one you've obtained from the server's administrator:

CSharp

// a fingerprint obtained from your server's administrator
string fingerprint = "e2:29:05:cd:7a:59:ee:03:fa:03:f5:72:61:77:e3:1c";

// connect to an SSH server
ssh.Connect(hostname);

// verify the server fingerprint
if (ssh.Fingerprint != fingerprint)
    throw new Exception("Invalid server key fingerprint.");

VisualBasic

' a fingerprint obtained from your server's administrator
Dim fingerprint As String = "e2:29:05:cd:7a:59:ee:03:fa:03:f5:72:61:77:e3:1c"

' connect to an SSH server
ssh.Connect(hostname)

' verify the server fingerprint
If ssh.Fingerprint <> fingerprint Then
    Throw New Exception("Invalid server key fingerprint.")
End If

Please note that the Ssh.Fingerprint property provides an MD5 hash of the server's public key. To get a SHA-1 or SHA-2 fingerprint, use the Ssh.Session.Fingerprint.ToString(SignatureHashAlgorithm) method instead.

Verifying server key #

Instead of verifying a fingerprint of the server's public key, it's possible to verify the public key itself. It's available in the Ssh.Session.ServerKey property. Use the GetPublicKey() method to get the key as a byte array, or save it for further use with the SavePublicKey method.

CSharp

// get the server key
var key = ssh.Session.ServerKey;

// save it to a file
key.SavePublicKey(@"C:\MyData\my_key.pub");

VisualBasic

' get the server key
Dim key = ssh.Session.ServerKey

' save it to a file
key.SavePublicKey("C:\MyData\my_key.pub")

Server key verification event #

Alternatively, you can check the server key or its fingerprint in a FingerprintCheck event handler, which is raised by the Connect method. To accept a key, set the event argument's Accept property to true.

CSharp

// handler for the FingerprintCheck event
void client_FingerprintCheck(object sender, SshFingerprintEventArgs e)
{
    // a fingerprint obtained from your server's provider
    string fingerprint = "e2:29:05:cd:7a:59:ee:03:fa:03:f5:72:61:77:e3:1c";

    // verify the server fingerprint
    if (e.Fingerprint.ToString() == fingerprint)
        e.Accept = true;
}

VisualBasic

' handler for the FingerprintCheck event
Private Sub client_FingerprintCheck(sender As Object, e As SshFingerprintEventArgs)
    ' a fingerprint obtained from your server's provider
    Dim fingerprint As String = "e2:29:05:cd:7a:59:ee:03:fa:03:f5:72:61:77:e3:1c"

    ' verify the server fingerprint
    If e.Fingerprint.ToString() = fingerprint Then
        e.Accept = True
    End If
End Sub

Registering the event handler:

CSharp

// register an event handler
ssh.FingerprintCheck += client_FingerprintCheck;

// connect to an SSH server (raises FingerprintCheck event)
ssh.Connect(hostname);
// ... this line is reached only if the fingerprint was accepted
//     (otherwise the Connect method throws an SshException)

VisualBasic

' register an event handler
AddHandler ssh.FingerprintCheck, AddressOf client_FingerprintCheck

' connect to an SSH server (raises FingerprintCheck event)
ssh.Connect(hostname)
' ... this line is reached only if the fingerprint was accepted
'     (otherwise the Connect method throws an SshException)

The FingerprintCheck event is raised during a key re-exchange process as well.
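The "display on first connection, reject if changed" approach described at the top of this page can be implemented in a FingerprintCheck handler. The following is an added example, not Rebex's own code: the KnownHosts class and its file format are made up for this illustration, and it assumes that e.Fingerprint is the same SshFingerprint type as Ssh.Session.Fingerprint, so that the ToString(SignatureHashAlgorithm) overload mentioned above is available on it.

```csharp
using System;
using System.Collections.Generic;
using System.IO;
using Rebex.Net;
using Rebex.Security.Cryptography;

// Hypothetical known-hosts store: one "hostname fingerprint" line per server.
class KnownHosts
{
    private readonly string path;
    private readonly Dictionary<string, string> entries = new Dictionary<string, string>();

    public KnownHosts(string path)
    {
        this.path = path;
        if (!File.Exists(path)) return;
        foreach (string line in File.ReadAllLines(path))
        {
            string[] parts = line.Split(' ');
            if (parts.Length == 2) entries[parts[0]] = parts[1];
        }
    }

    // Returns true if the fingerprint is to be accepted: an unknown host is
    // recorded (trust on first use), a changed fingerprint is rejected.
    public bool Check(string host, string fingerprint, out bool firstUse)
    {
        firstUse = false;
        string known;
        if (entries.TryGetValue(host, out known))
            return known == fingerprint;
        firstUse = true;
        entries[host] = fingerprint;
        File.AppendAllText(path, host + " " + fingerprint + Environment.NewLine);
        return true;
    }
}

static class HostKeyTrust
{
    // The hostname is captured by the lambda; only e.Fingerprint and e.Accept are used.
    public static void ConnectWithKnownHosts(Ssh ssh, string hostname, KnownHosts store)
    {
        ssh.FingerprintCheck += (sender, e) =>
        {
            // assumed: SHA-256 overload available on e.Fingerprint (see lead-in)
            string fp = e.Fingerprint.ToString(SignatureHashAlgorithm.SHA256);
            bool firstUse;
            e.Accept = store.Check(hostname, fp, out firstUse);
            if (firstUse) Console.WriteLine("New host {0}, fingerprint {1}", hostname, fp);
            else if (!e.Accept) Console.WriteLine("Host key for {0} has CHANGED", hostname);
        };
        ssh.Connect(hostname); // throws SshException if the fingerprint was not accepted
    }
}
```

Because the handler is also raised on key re-exchange, a server whose key changes mid-session is rejected by the same check.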

Security settings and algorithms #

Rebex SSH's underlying SSH core supports a number of security algorithms:

  • Authentication Methods (Password, Public key, Keyboard interactive, GSSAPI).
  • Encryption Algorithms (AES, Triple DES, Twofish, Blowfish, RC4).
  • Encryption Modes (CBC, CTR).
  • Host Key Algorithms (RSA, DSS, ECDSA with NIST P-256/384/521*, EdDSA with ED25519**).
  • Key Exchange Algorithms (Diffie-Hellman - Oakley group 2 or 14, group exchange with SHA-1 or SHA-256; Elliptic Curve Diffie-Hellman - over NIST P-256*, P-384*, P-521* or Curve25519** curves).
  • MAC Algorithms (SHA-2, SHA-1, MD5).

* Available on Windows (on Windows Vista and higher). External plugins are needed for other platforms.
** Plugin required on all platforms.

To explicitly enable or disable any of these algorithms, use Ssh.Settings.SshParameters object:

CSharp

// get SSH parameters object
SshParameters par = ssh.Settings.SshParameters;

// allow both DSS and RSA
par.HostKeyAlgorithms = SshHostKeyAlgorithm.DSS |
                        SshHostKeyAlgorithm.RSA;

// when the server supports both, prefer RSA
par.PreferredHostKeyAlgorithm = SshHostKeyAlgorithm.RSA;

// only allow AES and Twofish
par.EncryptionAlgorithms = SshEncryptionAlgorithm.AES |
                           SshEncryptionAlgorithm.Twofish;

// connect using the SSH parameters
ssh.Connect(hostname, Ssh.DefaultPort);

VisualBasic

' get SSH parameters object
Dim par As SshParameters = ssh.Settings.SshParameters

' allow both DSS and RSA
par.HostKeyAlgorithms = SshHostKeyAlgorithm.DSS Or SshHostKeyAlgorithm.RSA

' when the server supports both, prefer RSA
par.PreferredHostKeyAlgorithm = SshHostKeyAlgorithm.RSA

' only allow AES and Twofish
par.EncryptionAlgorithms = SshEncryptionAlgorithm.AES Or SshEncryptionAlgorithm.Twofish

' connect using the SSH parameters
ssh.Connect(hostname, Ssh.DefaultPort)