A deeper understanding of SSH: results from Internet-wide scans

Oliver Gasser, Ralph Holz, Georg Carle

Research output: Chapter in Book/Report/Conference proceedingConference contributionAcademicpeer-review

9 Citations (Scopus)


Until recently, relatively little was known about the characteristics of the SSH protocol on the Internet, until two larger studies analysed the cryptographic properties of SSH host keys and identified weaknesses in a number of SSH devices. However, there is no succinct comprehensive image yet how the SSH landscape looks like from the point of view of deployment practices, especially with respect to key management. In this paper, we present the results of Internet-wide SSH scans that we carried out over a period of 7 months, which resulted in the largest data set to date. We enriched our data set with large-scale mappings obtained from DNS scans, AS and WHOIS lookups, and a geo-IP database. We analysed the distribution of server and protocol versions, and found that while SSH 2 has displaced SSH 1, the rate of software updates seems to be slow. We analysed the mentioned cryptographic weaknesses and found they have become fewer, but continue to persist one year after the disclosure. Finally, we investigated the reasons for duplicate yet cryptographically strong keys. We found these are used in very different setups at varying degrees of security. Some are indeed dangerous weaknesses, others are the result of a careful and centralised setup. By example of the ten most common keys, we show the circumstances in which they occur and assess the security of each deployment. Finally, we analysed the deployment of ciphers and associated key lengths and found good results in terms of security. As our scans are of a sensitive nature, we also document the ethical considerations that guided us.
Original languageEnglish
Title of host publication2014 IEEE Network Operations and Management Symposium (NOMS)
Place of PublicationPiscataway, NJ
Number of pages9
ISBN (Electronic)978-1-4799-0913-1
Publication statusPublished - 2014
Externally publishedYes
Event14th IEEE/IFIP Network Operations and Management Symposium, NOMS 2014 - Radisson Park Inn, Krakow, Poland
Duration: 5 May 20149 May 2014
Conference number: 14

Publication series

NameIEEE Network Operations and Management Symposium (NOMS)
ISSN (Print)1542-1201
ISSN (Electronic)2374-9709


Conference14th IEEE/IFIP Network Operations and Management Symposium, NOMS 2014
Abbreviated titleNOMS 2014
Internet address

Fingerprint Dive into the research topics of 'A deeper understanding of SSH: results from Internet-wide scans'. Together they form a unique fingerprint.

Cite this