SSH Usage Guide

Source: Internet
Author: User
Tags: ftp, ssh, ssh server

Introduction to SSH

What is SSH?

Traditional network services such as FTP, POP and Telnet are inherently insecure because they transmit passwords and data across the network in clear text, so anyone able to observe the traffic can easily capture them. In addition, the authentication methods of these services have their own weaknesses and are vulnerable to the man-in-the-middle ("middleman") attack. In a man-in-the-middle attack, the attacker impersonates the real server to receive the data you send to the server, then impersonates you and forwards that data to the real server. Everything exchanged between you and the server passes through the attacker and can be tampered with, which leads to serious problems.

SSH stands for Secure Shell. With SSH, all transmitted data is encrypted, so the man-in-the-middle attack becomes impossible, and DNS and IP spoofing can be prevented. An additional benefit is that the transmitted data is compressed, which can speed up transfers. SSH has many uses: it can replace Telnet, and it can provide a secure "channel" for FTP, POP or even PPP.

SSH was originally developed by a Finnish company. Because of copyright restrictions and restrictions on the encryption algorithms, many people now turn to OpenSSH instead. OpenSSH is a free replacement for SSH, and more and more people are expected to use it in place of SSH in the future.

SSH consists of client and server software and exists in two incompatible protocol versions, 1.x and 2.x: an SSH 2.x client cannot connect to an SSH 1.x server. OpenSSH 2.x supports both SSH 1.x and SSH 2.x.

How SSH security authentication works

From the client's perspective, SSH provides two levels of security authentication.

At the first level (password-based authentication) you can log in to a remote host as long as you know your account name and password. All transmitted data is encrypted, but there is no guarantee that the server you are connecting to is the server you intended to connect to: another server may be impersonating the real one, which is exactly the man-in-the-middle attack.

The second level (key-based authentication) relies on a key pair: you create a pair of keys for yourself and place the public key on the server you need to access. When you connect to an SSH server, the client software sends a request asking the server to authenticate you with your key. On receiving the request, the server first looks up your public key in your home directory on the server and compares it with the public key the client sent. If the two keys match, the server encrypts a "challenge" with the public key and sends it to the client software. When the client software receives the challenge, it decrypts it with your private key and sends the result back to the server.

For this to work you must know the passphrase that protects your private key. Unlike the first level, however, the second level never sends a password over the network.

The second level not only encrypts all transmitted data but also makes the man-in-the-middle attack impossible (the attacker does not have your private key). However, the entire login process may take 10 seconds.

Install and test OpenSSH

Because of the restrictions of American law, OpenSSH is not included in many Linux distributions. You can, however, download and install OpenSSH from the network (for OpenSSH installation and configuration, see: http://www.linuxaid.com.cn/engineer/brimmer/html/OpenSSH.htm).

After installing OpenSSH, test it with the following command:

ssh -l [your account name on the remote host] [address of the remote host]

If OpenSSH is working properly, you will see a message like the following:

The authenticity of host [hostname] can't be established.

Key fingerprint is 1024 5f:a0:0b:65:d3:82:df:ab:44:62:6d:98:9c:fe:e9:52.

Are you sure you want to continue connecting (yes/no)?
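The prompt above is the client's defence against the man-in-the-middle attack described earlier: the fingerprint it prints is a hash of the public key the server just presented, and the only way to know the server is the one you meant to reach is to compare that fingerprint with one obtained out of band. The same public-key line format is what you place in the server's authorized_keys for key-based authentication, so one parser covers both. The script below is an added example, not code from the original guide or from OpenSSH; it assumes OpenSSH's public-key line layout ("[host-or-options] key-type base64-blob [comment]"), the ssh-ed25519 blob layout (type string followed by the raw key, each as a length-prefixed SSH string), the legacy colon-separated MD5 fingerprint form shown in the prompt above, and the modern "SHA256:" form. The key bytes in it are constructed sample data, not real keys.

```python
import base64
import hashlib
import hmac
import struct


def ssh_string(data: bytes) -> bytes:
    """Encode bytes as an SSH wire-format string: 4-byte big-endian length + data."""
    return struct.pack(">I", len(data)) + data


def build_known_hosts_line(host: str, key_bytes: bytes) -> str:
    """Build one known_hosts-style line 'host ssh-ed25519 <base64 blob>'.
    Uses the ssh-ed25519 blob layout; key_bytes here is constructed sample data."""
    blob = ssh_string(b"ssh-ed25519") + ssh_string(key_bytes)
    return f"{host} ssh-ed25519 {base64.b64encode(blob).decode()}"


# Constructed sample data (NOT real keys): two made-up 32-byte "ed25519" public keys.
SAMPLE_KEY = bytes(range(32))
OTHER_KEY = bytes(range(32, 64))
SAMPLE_LINE = build_known_hosts_line("server.example.invalid", SAMPLE_KEY)


def parse_public_key_line(line: str):
    """Parse '[host-or-options] key-type base64-blob [comment]' into (prefix, key_type, blob).

    Raises ValueError when the blob is not valid base64 or when the key type embedded
    in the blob's wire format disagrees with the declared type, which indicates a
    corrupted or hand-edited entry rather than a genuine key.
    """
    fields = line.split()
    for i, field in enumerate(fields):
        if field.startswith("ssh-") or field.startswith("ecdsa-"):
            break
    else:
        raise ValueError("no recognised key type in line")
    if i + 1 >= len(fields):
        raise ValueError("key type present but key blob missing")
    prefix, key_type = " ".join(fields[:i]), fields[i]
    blob = base64.b64decode(fields[i + 1], validate=True)
    if len(blob) < 4:
        raise ValueError("key blob too short")
    (type_len,) = struct.unpack(">I", blob[:4])
    wire_type = blob[4:4 + type_len].decode("ascii", errors="replace")
    if wire_type != key_type:
        raise ValueError(f"declared type {key_type!r} does not match wire type {wire_type!r}")
    return prefix, key_type, blob


def fingerprint_md5(blob: bytes) -> str:
    """Legacy fingerprint: colon-separated MD5 of the key blob, the form shown in the prompt."""
    hexdigest = hashlib.md5(blob).hexdigest()
    return ":".join(hexdigest[i:i + 2] for i in range(0, len(hexdigest), 2))


def fingerprint_sha256(blob: bytes) -> str:
    """Modern OpenSSH fingerprint: 'SHA256:' + unpadded base64 of the SHA-256 digest."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def verify_host_key(presented_line: str, trusted_fingerprint: str) -> bool:
    """Return True only if the key the server presented matches a fingerprint you obtained
    out of band (from the console, the administrator, or a prior verified connection).
    Accepts either fingerprint form; the comparison is constant-time as a matter of habit."""
    _, _, blob = parse_public_key_line(presented_line)
    trusted = trusted_fingerprint.strip()
    if trusted.upper().startswith("MD5:"):
        trusted = trusted[4:]
    if not trusted.startswith("SHA256:"):
        trusted = trusted.lower()  # hex fingerprints are case-insensitive
    for candidate in (fingerprint_md5(blob), fingerprint_sha256(blob)):
        if hmac.compare_digest(candidate.encode(), trusted.encode()):
            return True
    return False


if __name__ == "__main__":
    _, key_type, blob = parse_public_key_line(SAMPLE_LINE)
    print(f"{key_type} key fingerprint is {fingerprint_md5(blob)}")
    print(f"{key_type} key fingerprint is {fingerprint_sha256(blob)}")
    print("matches trusted record:", verify_host_key(SAMPLE_LINE, fingerprint_md5(blob)))
    print("impostor key matches:",
          verify_host_key(build_known_hosts_line("server.example.invalid", OTHER_KEY),
                          fingerprint_md5(blob)))
```

Run it as a script to see the two fingerprint forms for the constructed key and the result of checking an impostor key against the trusted fingerprint. The design point is that "yes" at the prompt should be typed only after verify_host_key-style comparison succeeds: the client encrypts the session either way, but encryption to the wrong key protects nothing, and a key whose declared type disagrees with its wire format is rejected outright rather than fingerprinted.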
