2.3. Compatibility

2.3.1. Internet Standards

2.3.1.1. Secure Shell Protocol (SSH)

The following Request for Comments (RFC) define SSHv2 as an Internet Standard:

• RFC 4250, The Secure Shell (SSH) Protocol Assigned Numbers

• RFC 4251, The Secure Shell (SSH) Protocol Architecture

• RFC 4252, The Secure Shell (SSH) Authentication Protocol

• RFC 4253, The Secure Shell (SSH) Transport Layer Protocol

• RFC 4254, The Secure Shell (SSH) Connection Protocol

• RFC 4255, Using DNS to Securely Publish Secure Shell (SSH) Key Fingerprints [*]

• RFC 4256, Generic Message Exchange Authentication for the Secure Shell Protocol (SSH)

• RFC 4335, The Secure Shell (SSH) Session Channel Break Extension

• RFC 4344, The Secure Shell (SSH) Transport Layer Encryption Modes

• RFC 4345, Improved Arcfour Modes for the Secure Shell (SSH) Transport Layer Protocol

It was later modified and expanded by the following RFCs:

• RFC 4419, Diffie-Hellman Group Exchange for the Secure Shell (SSH) Transport Layer Protocol

• RFC 4432, RSA Key Exchange for the Secure Shell (SSH) Transport Layer Protocol

• RFC 4462, Generic Security Service Application Program Interface (GSS-API) Authentication and Key Exchange for the Secure Shell (SSH) Protocol

• RFC 4716, The Secure Shell (SSH) Public Key File Format

• RFC 5647, AES Galois Counter Mode for the Secure Shell Transport Layer Protocol

• RFC 5656, Elliptic Curve Algorithm Integration in the Secure Shell Transport Layer

• RFC 6594, Use of the SHA-256 Algorithm with RSA, DSA, and ECDSA in SSHFP Resource Records [†]

• RFC 6668, SHA-2 Data Integrity Verification for the Secure Shell (SSH) Transport Layer Protocol

• RFC 8270, Increase the Secure Shell Minimum Recommended Diffie-Hellman Modulus Size to 2048 Bits

• RFC 8308, Extension Negotiation in the Secure Shell (SSH) Protocol [‡]

• RFC 8332, Use of RSA Keys with SHA-256 and SHA-512 in the Secure Shell (SSH) Protocol

[*]

currently not supported by suSSHi

[†]

not implemented in libssh

[‡]

only the “server-sig-algs” extension is implemented

2.3.1.2. Secure Shell File Transfer Protocol (SFTP)

The protocol is not an Internet standard, but it is still widely used. OpenSSH and most others implement version 3 of the protocol.

Starting with version 20.05 we do support all defined versions from 3 to 6 in suSSHi as defined in:

• draft-ietf-secsh-filexfer-02.txt, SSH File Transfer Protocol Version 3

• draft-ietf-secsh-filexfer-04.txt, SSH File Transfer Protocol Version 4

• draft-ietf-secsh-filexfer-05.txt, SSH File Transfer Protocol Version 5

• draft-ietf-secsh-filexfer-13.txt, SSH File Transfer Protocol Version 6

2.3.1.3. Secure Shell Extensions

suSSHi is making use of an extension to support Curve25519 by the libssh project which is also supported by the OpenSSH project.

• curve25519-sha256@libssh.org, Curve25519-SHA256 for ECDH KEX

The OpenSSH project has defined some extensions to the protocol. We support some of them:

• OpenSSH’s Deviations And Extensions

  Fully Supported by suSSHi

  • Protocol 2 compression algorithm zlib@openssh.com

  • Transport: Elliptic Curve cryptography

  • SFTP protocol changes / extensions

  • Channel write close extension eow@openssh.com

  • Disallow additional sessions extension no-more-sessions@openssh.com

• OpenSSH’s SSH Agent

  • Fully supported by suSSHi.

• OpenSSH’s Hostkey Update And Rotation Feature

  • Fully supported by suSSHi for gateway host key update to client.

• OpenSSH’s SFTP Extensions

  • Fully supported by suSSHi.

• OpenSSH’s Unix Domain Socket Forwarding

  • Fully supported by suSSHi.

2.3.2. Compatible Clients

suSSHi is RFC-compliant to the highest degree and therefore requires no special SSH client. All SSH clients that also work RFC-conform should work with suSSHi without any problems.

While the suSSHi Gateway is “only” an SSH server from the client’s point of view, we only make special demands that the gateway user, the target user and the actual target are encoded in the SSH username using a separator (different are possible, default is @).

Note

We would like to point out that the here used soft- and hardware designations and trade names of the corresponding companies are subject to the general brand, trademark or patent protection.

The following list of clients is known to work fully compatible with suSSHi:

• Bitvise SSH Client

• CyberDuck

• FileZilla

• ForkLift

• KiTTY

• MobaXterm

• OpenSSH

• OpenSSH for Windows (included in Windows 10)

• PuTTY / SuperPuTTY and all PuTTY based clients

• Tectia SSH Client

• VanDyke SecureCRT / SecureFX

• WinSCP

• Xshell

… and yes, the list is still incomplete and potentially all SSH clients should work without limitations.

2.3.3. Compatible Servers

The same applies to the servers as to the clients: From the target server’s view, the suSSHi Gateway is just a client, so all RFC-conform servers should work without any problems.

The following list of servers is known to work fully compatible with suSSHi:

• Axway Secure Transfer

• OpenSSH

• OpenSSH for Windows (included in Windows 10)

• VanDyke VShell server