SSH is the abbreviation for Secure Shell. Developed by the Network Working Group of the IETF, SSH is a security protocol built on the application layer and the transport layer. It is currently the more reliable protocol for securing Telnet-style sessions and other network services, and using it correctly prevents information leakage during remote administration. SSH was originally a program on UNIX systems and later spread quickly to other operating platforms; used correctly, it closes gaps in network security. SSH clients are available for a wide variety of platforms.
One, from the client's view, SSH provides two levels of security
The first level is password-based security verification
As long as you know your account name and password, you can log on to the remote host. All transmitted data is encrypted, but there is no guarantee that the server you are connecting to is the one you intended to connect to. The process is as follows:
(1) The remote host receives the user's login request and sends its own public key to the user.
(2) The user encrypts the login password with this public key and sends it back.
(3) The remote host decrypts the login password with its own private key; if the password is correct, the login is accepted. With this scheme another server can impersonate the real one: it sends its own public key to the client, the client encrypts the password and sends it to the impostor, and the impostor recovers the password with its own private key. This is the "man-in-the-middle" attack.
It is worth noting that when you first connect to a remote host you are shown the host's public key fingerprint and asked whether to continue. If you choose to continue and enter the password to log in, once the remote host accepts the login its public key is saved to the ~/.ssh/known_hosts file.
The second level is key-based security verification
This level relies on keys: you create a key pair for yourself and place the public key on the server you need to access. When you connect to an SSH server, the client software sends a request asking the server to verify you with your key. The server looks for your public key in your home directory on the server and compares it with the public key the client sent. If the two keys match, the server encrypts a "challenge" with the public key and sends it to the client software. The client software decrypts the challenge with your private key and sends the result back to the server. To use the private key you must know its passphrase. Unlike the first level, however, no password is sent over the network. This level not only encrypts all transmitted data; the "man-in-the-middle" attack is also impossible (because the attacker does not have your private key). The entire login process may take up to 10 seconds, though not 10 seconds longer than logging in with a password.
Two, normal SSH installation
(1) Check whether the SSH service is installed:
ssh localhost
ssh: connect to host localhost port 22: Connection refused
As shown above, the server is not installed. Ubuntu installs openssh-client by default, so only openssh-server needs to be installed:
Install ssh-server:
sudo apt-get install openssh-server
Install ssh-client:
sudo apt-get install openssh-client
The system installs it automatically. After the installation completes, start the service:
sudo /etc/init.d/ssh start
After starting it, you can check that the service started correctly with the following command:
ps -e | grep ssh
 1673 ?        00:00:00 ssh-agent
 4366 ?        00:00:00 sshd
(2) If the output above appears, the service started OK. Note that the default SSH port is 22. You can change the port: stop the service before changing it, then start it again. The configuration lives in /etc/ssh/sshd_config, as follows:
# Package generated configuration file
# See the sshd_config(5) manpage for details

# What ports, IPs and protocols we listen for
Port 22
Change the Port parameter to another value, then restart the SSH service:
sudo /etc/init.d/ssh restart
Finally, it is time to connect. Use the following command:
ssh username@192.168.158.129    (look up the server's IP with ifconfig -a)
Three, SSH password-free login setup
(1) Generate a public/private key pair on hosts A and B
ssh-keygen -t dsa -P ''
This uses the DSA algorithm; -P gives the passphrase, and -P '' means an empty passphrase. You can also omit the -P parameter and press Enter three times; with -P you press Enter once. Afterwards the key pair id_dsa and id_dsa.pub is in /home/user/.ssh.
(2) On both A and B, id_dsa.pub is the public key and id_dsa is the private key. The public key file is then appended to the authorized_keys file; this step is necessary. The process is as follows:
cat id_dsa.pub >> ~/.ssh/authorized_keys
chmod 600 ~/.ssh/authorized_keys
(3) Single-host loopback password-free SSH login test
That is, log in to the local node itself with password-free SSH to check that the login succeeds, and log out after a successful login. The process is as follows:
ssh localhost
(4) Copy id_dsa.pub from machine A to machine B as A_dsa.pub, and on machine B append A_dsa.pub to the authorized_keys file:
scp /home/A_user/.ssh/id_dsa.pub B_user@B_host_ip:/home/B_user/.ssh/A_dsa.pub
cat A_dsa.pub >> authorized_keys
(5) Host A can now log in to host B without a password:
ssh B_user@B_host_ip
(6) Summary: the machine that logs in must hold the private key, and the machine being logged into must hold that machine's public key. The public/private key pair is typically generated on the host that keeps the private key.
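The append-and-chmod steps (2) and (4) are easy to get subtly wrong: running them twice duplicates the key, and sshd (with its default StrictModes) silently refuses a ~/.ssh or authorized_keys that is group- or world-writable, so the password prompt simply comes back with no obvious error. The shell function below is an added example, not part of the original post; the home directory and the public key line it is tested with are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): install a copied public key
# into authorized_keys idempotently and with the permissions sshd expects.
set -eu

# install_pubkey <home_dir> <pubkey_file>
#   home_dir    home directory of the account being logged into (host B)
#   pubkey_file public key copied over in step (4), e.g. A_dsa.pub
install_pubkey() {
    home_dir=$1
    pubkey_file=$2
    ssh_dir="$home_dir/.ssh"
    auth_keys="$ssh_dir/authorized_keys"

    mkdir -p "$ssh_dir"
    chmod 700 "$ssh_dir"        # StrictModes: ~/.ssh must not be group/world-writable
    touch "$auth_keys"
    chmod 600 "$auth_keys"      # same rule for authorized_keys itself

    # Append each key line only if it is not already present, so running
    # step (4) twice does not leave duplicate entries.
    while IFS= read -r line || [ -n "$line" ]; do
        [ -z "$line" ] && continue
        if ! grep -qxF -- "$line" "$auth_keys"; then
            printf '%s\n' "$line" >> "$auth_keys"
        fi
    done < "$pubkey_file"
}

# count_keys <home_dir>: number of non-empty lines in authorized_keys
count_keys() {
    grep -c . "$1/.ssh/authorized_keys" || true
}

# perms_ok <home_dir>: succeeds only if ~/.ssh is 700 and authorized_keys is 600
perms_ok() {
    [ -n "$(find "$1/.ssh" -maxdepth 0 -perm 700)" ] &&
    [ -n "$(find "$1/.ssh/authorized_keys" -maxdepth 0 -perm 600)" ]
}
```

Run on host B as the target user, `install_pubkey "$HOME" ~/.ssh/A_dsa.pub` replaces the `cat A_dsa.pub >> authorized_keys` line of step (4).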
SSH principle and Installation