Configure SSH in FreeBSD and use SSH to log on to a remote host

In FreeBSD, configure SSH and use SSH to log on to a remote host-Linux Enterprise Application-Linux server application. For more information, see the following. 1. What is SSH

Traditional network service programs, such as ftp, POP, and telnet, are inherently insecure because they transmit passwords and data in plain text on the network, people with ulterior motives can easily intercept these passwords and data. In addition, the security authentication methods of these service programs also have their weaknesses, that is, they are vulnerable to man-in-the-middle attacks. The so-called "man-in-the-middle" attack means that "man-in-the-middle" impersonates a Real Server to receive the data you send to the server, and then impersonates you to pass the data to the Real Server. When the data transfer between the server and you is transferred by a man-in-the-middle, a serious problem may occur.

Once upon a time, a name named Tatu Yl? Nen's Finnish programmer developed a network protocol and service software, known as SSH (short for Secure SHell ). By using SSH, You can encrypt all transmitted data so that the "man-in-the-middle" attack method is impossible and can also prevent DNS and IP spoofing. Another advantage is that the data transmitted is compressed, which can speed up transmission. SSH has many functions. Although many people regard Secure Shell as a substitute for Telnet, you can use it to protect the security of your network connection. You can forward other network communications, such as POP, X, PPP, and FTP, through the Secure Shell on the local or remote system. You can also forward other types of network communication, including CVS and any other TCP communication. In addition, you can use the Secure Shell with TCP packaging to enhance the connection security. In addition, Secure Shell has some other convenient functions that can be used for applications such as Oracle, remote backup, and additional authentication like a SecurID card.

2. SSH Working Mechanism

SSH is divided into two parts: client and server.

The server is a daemon that runs in the background and responds to connection requests from clients. The server is generally an sshd process that provides remote connection processing, including public key authentication, key exchange, symmetric key encryption, and non-secure connections.

Clients include ssh programs and other applications such as scp (Remote copy), slogin (remote login), sftp (Secure File Transfer.

Their working mechanism is that the local client sends a connection request to the remote server, and the server checks the requested package and IP address and then sends the key to the SSH client, the key is sent back to the server locally, and the connection is established since then. What I just talked about is the general process of SSH connection. There are some differences between SSH 1.x and SSH 2.x in the connection protocol.

SSH is designed to work on its own basis without using the super server (inetd). Although the SSH process can be run through tcpd on inetd, this is completely unnecessary. After the SSH server is started, sshd runs and listens on the default port 22 (you can use # ps-waux | grep sshd to check whether sshd has been correctly run) if SSH is not started through inetd, SSH will remain waiting for connection requests. When a request arrives, the SSH daemon generates a sub-process that processes the connection.

However, due to copyright and encryption algorithm restrictions, many people have switched to OpenSSH. OpenSSH is an alternative to SSH and is free of charge,

SSH is composed of the client and server software. There are two incompatible versions: 1.x and 2.x. The client program using SSH 2.x cannot connect to the service program of SSH 1.x. OpenSSH 2.x supports both SSH 1.x and 2.x.

3. install and use OpenSSH

Here we mainly talk about the configuration of FreeBSD-based OpenSSH. Other Unix and derived systems use OpenSSH in roughly the same way. FreeBSD integrates OpenSSH, which is not included in many Linux releases. However, you can download and install OpenSSH from the network, which is completely free of charge. (Access OpenSSH home page http://www.openssh.org)

Generate key pair

Use ssh-keygen to generate a key pair. For example, to generate a 4096Bit key pair using the DSA encryption algorithm, enter the following command (for detailed parameters, see man ssh-keygen ):

# Ssh-keygen-B 4096-t dsa

% Ssh-keygen-B 4096-t dsa

Generating public/private dsa key pair.
Enter file in which to save the key (/home/fdy84/. ssh/id_dsa ):


(The path of the key pair to be stored. The default path is in brackets)
Created directory '/home/fdy84/. ssh '.
Enter passphrase (empty for no passphrase ):
(Enter the password)
Enter same passphrase again:
(Enter the password again. Do not forget it. Otherwise, only the new key will be generated)
Your identification has been saved in/home/fdy84/. ssh/id_dsa.
(Your private key)
Your public key has been saved in/home/fdy84/. ssh/id_dsa.pub.
(Your public key)
The key fingerprint is:
Bb: 1b: f5: 1c: 77: 62: 90: 21: 59: 7e: c6: 65: e5: 24: c6: e5 fdy84 @ freebsd

Key Distribution

I just generated a pair of keys and put the private key on my machine ~ /. Ssh/directory and ensure that the access permission is "-rw -------" (that is, 600 ). Then place the generated public key on the remote host to be connected ~ The/. ssh/directory is renamed as authorized_keys, and the file is not authorized to be modified except for the owner.

4. Configure SSH

Configure the server

To start the SSH server, you only need to run

# Sshd

You can. Or add it to/etc/rc. conf.
Sshd_enable = "YES"
You can automatically run the SSH server at each startup.
The configuration file of the SSH server is "/etc/ssh/sshd_config", and the server configuration files of OpenSSH1.x and 2.x are all used for this file.

Configure the client

To connect a client to a remote server, you only need to enter
# Ssh domain name (or ip)
You can.

For example, use ssh to log on to the linux open lab lab.lpicn.org of Fudan University. The method is as follows (the user name is open)

Ssh open@lab.lpicn.org

In windows, you can use secureCRT for remote connection to use the ssh function.