Role of SSH in Linux security

Source: Internet
Author: User
Tags: ssh, port

Secure Shell (SSH) is one of the most common system management tools. It lets you log on to a remote system and execute commands on it, and it uses strong encryption and host keys to protect against network sniffing. It is the only network service that is enabled by default and accepts remote access. The -X option lets programs on the remote host display their graphical interface in the local desktop environment. This makes communication between the local host and the remote host easier while keeping it protected.

    [root@localhost ~]# ssh 192.168.1.1
    The authenticity of host '192.168.1.1 (192.168.1.1)' can't be established.
    RSA key fingerprint is 83:8f:76:3a:42:31:b0:95:49:72:8a:a7:1c:39:08:e6.
    Are you sure you want to continue connecting (yes/no)? yes
    Warning: Permanently added '192.168.1.1' (RSA) to the list of known hosts.
    root@192.168.1.1's password:
    Last login: Sun Aug 28 22:05:29 192
    [root@station1 ~]#

    [root@localhost ~]# ssh user1@192.168.1.1
    user1@192.168.1.1's password:
    Last login: Fri Jun 17 01:11:57 2011 from 192.168.1.254
    [user1@station1 ~]$

***************************************************************************

SSH also allows authentication with a private key/public key pair. The private key is kept safe, while the public key can be given to anyone. An SSH server that holds the public key can issue a challenge that only the private key can answer, so the user is verified based on the key they hold. This way you do not need to enter a password every time you access the system, and security is still guaranteed. Use the ssh-keygen command to generate the key:

    [root@localhost ~]# ssh-keygen -t rsa
    Generating public/private rsa key pair.
    Enter file in which to save the key (/root/.ssh/id_rsa):
    Enter passphrase (empty for no passphrase): 123456
    Enter same passphrase again: 123456
    Your identification has been saved in /root/.ssh/id_rsa.
    Your public key has been saved in /root/.ssh/id_rsa.pub.
    The key fingerprint is:
    0c:cf:fc:b0:e3:00:5a:dd:6d:7b:1d:af:9c:8b:05:86 root@localhost.localdomain

During key generation, ssh-keygen offers the option of setting a passphrase, which must then be supplied to access the private key. This makes the key hard to use even if it is stolen: before an attacker can crack the passphrase and use the private key, you can generate a new key and remove everything that refers to the old one.

After an SSH key is generated, it is stored by default in the .ssh/ directory of the home directory:

    [root@localhost ~]# ls ~/.ssh/
    id_rsa  id_rsa.pub  known_hosts

You can use ssh-copy-id to copy your public key to the target system:

    [root@localhost ~]# ssh-copy-id -i ~/.ssh/id_rsa.pub user1@192.168.1.1
    user1@192.168.1.1's password:
    Now try logging into the machine, with "ssh 'user1@192.168.1.1'", and check in:

      .ssh/authorized_keys

    [root@localhost ~]# ssh user1@192.168.1.1
    Last login: Tue Sep 6 10:50:26 2011 from 192.168.1.254
    [user1@station1 ~]$

SSH port forwarding
===================

SSH automatically encrypts and decrypts all network data between the SSH client and the server. SSH also provides a very useful function called port forwarding: it can carry the network data of other TCP ports over the SSH connection and automatically provides the corresponding encryption and decryption. This process is sometimes called tunneling, because SSH provides a secure channel through which other TCP connections are transmitted. TCP applications such as Telnet, SMTP, and LDAP can benefit from this, avoiding plaintext transmission of user names, passwords, and private information. In addition, if the firewall in your work environment restricts the use of some network ports but allows SSH connections, you can still communicate by forwarding those TCP ports over SSH.

In general, SSH port forwarding provides two major functions:

  1. It encrypts the communication data between the SSH client and the SSH server.
  2. It gets through firewall restrictions to complete TCP connections that could not be established before.

The example below uses the following layout:

    Client <------------> SSH Server <------------> WEB Server

SSH Server: 1.1.1.254/24 and 172.16.1.254/24

    [root@localhost ~]# ssh -g -L 80:172.16.1.1:80 172.16.1.254

The general form of the command is:

    ssh -L <local port>:<remote host>:<remote port> <SSH server name>

If the -g parameter is not specified, port 80 accepts only local connections. With -g, port 80 on the SSH server accepts connections from other hosts.

WEB Server: 172.16.1.1/24

    [root@localhost ~]# cat /var/www/html/index.html
    html test

Client: 1.1.1.1/24

    [root@localhost ~]# elinks --dump http://1.1.1.254
    html test
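To make the effect of -g concrete, the following added example (not part of the original article) works out where the listener created by -L binds and whether other hosts can reach it. It goes beyond the article's three-field form and also accepts the fuller `[bind_address:]port:host:hostport` syntax from ssh(1); the function names and the inputs other than the article's own command are assumptions made for illustration.

```python
import ipaddress
import shlex

def parse_local_forward(spec):
    """Split '[bind_address:]port:host:hostport'; IPv6 literals sit in [brackets]."""
    fields, buf, depth = [], "", 0
    for ch in spec:
        if ch == "[":
            depth += 1
        elif ch == "]":
            depth -= 1
        elif ch == ":" and depth == 0:
            fields.append(buf)
            buf = ""
        else:
            buf += ch
    fields.append(buf)
    if len(fields) not in (3, 4):
        raise ValueError(f"not a TCP -L specification: {spec!r}")
    bind = fields.pop(0) if len(fields) == 4 else None
    port, host, hostport = fields
    return bind, int(port), host, int(hostport)

def listener_scope(spec, gateway_ports=False):
    """Work out where the forwarding listener binds and who can reach it."""
    bind, port, host, hostport = parse_local_forward(spec)
    if bind is None:                      # no bind address given: -g decides
        bind = "*" if gateway_ports else "localhost"
    elif bind == "":                      # ':port:host:hostport' means all interfaces
        bind = "*"
    if bind == "*":
        exposed = True
    elif bind == "localhost":
        exposed = False
    else:
        try:
            exposed = not ipaddress.ip_address(bind).is_loopback
        except ValueError:                # a host name: assume it is reachable
            exposed = True
    return {"listen": f"{bind}:{port}", "target": f"{host}:{hostport}",
            "exposed": exposed, "privileged_port": port < 1024}

def audit_command(cmdline):
    """Report every -L forward found in an ssh command line."""
    args = shlex.split(cmdline)
    gateway = "-g" in args
    specs = [args[i + 1] for i, a in enumerate(args[:-1]) if a == "-L"]
    return [listener_scope(s, gateway) for s in specs]

# Constructed inputs: the article's command, then the same forward without -g.
if __name__ == "__main__":
    for cmd in ("ssh -g -L 80:172.16.1.1:80 172.16.1.254",
                "ssh -L 80:172.16.1.1:80 172.16.1.254"):
        print(cmd, "->", audit_command(cmd))
```

An explicit bind address takes precedence over -g on the client, which is why a forward bound to a loopback address is reported as not exposed even when -g is present.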
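Returning to the host-key prompt at the start of the article: the colon-separated fingerprint it shows is the MD5 digest of the server's decoded public key blob, so it can be recomputed from the server's public key line and compared with a value obtained out of band before answering "yes". The following is an added example, not part of the original article; the function names are hypothetical and the sample key is constructed (it is not a usable RSA key). It also produces the SHA256 form that newer OpenSSH versions print.

```python
import base64
import hashlib
import hmac
import struct

def _ssh_string(data):
    """Length-prefixed byte string as used inside SSH key blobs."""
    return struct.pack(">I", len(data)) + data

def fingerprints(pubkey_line):
    """Return (key_type, md5_colon_hex, sha256_b64) for 'type base64 [comment]'."""
    key_type, b64 = pubkey_line.split()[:2]
    blob = base64.b64decode(b64, validate=True)
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n].decode("ascii", "replace") != key_type:
        raise ValueError("key type inside the blob does not match the line")
    md5 = hashlib.md5(blob).hexdigest()
    md5 = ":".join(md5[i:i + 2] for i in range(0, 32, 2))
    sha = base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
    return key_type, md5, "SHA256:" + sha

def matches(pubkey_line, trusted_fp):
    """Compare the key with a fingerprint obtained out of band."""
    _, md5, sha = fingerprints(pubkey_line)
    if trusted_fp.startswith("SHA256:"):
        return hmac.compare_digest(sha, trusted_fp)    # base64 is case-sensitive
    return hmac.compare_digest(md5, trusted_fp.lower())

# Constructed sample key: string "ssh-rsa", mpint e = 65537, mpint n (filler bytes).
SAMPLE_BLOB = (_ssh_string(b"ssh-rsa") + _ssh_string(b"\x01\x00\x01")
               + _ssh_string(b"\x00" + b"\xc3" * 128))
SAMPLE_LINE = "ssh-rsa " + base64.b64encode(SAMPLE_BLOB).decode() + " root@station1"

if __name__ == "__main__":
    key_type, md5, sha = fingerprints(SAMPLE_LINE)
    print(key_type, md5, sha)
    # The fingerprint from the article's prompt belongs to a different key.
    print(matches(SAMPLE_LINE, "83:8f:76:3a:42:31:b0:95:49:72:8a:a7:1c:39:08:e6"))
```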
