SSH remote connection and encryption technology

Source: Internet
Author: User
Tags openssl enc asymmetric encryption

First, the classification of data encryption

Data encryption algorithms can usually be divided into three categories: symmetric encryption, asymmetric encryption, one-way encryption. Explain the difference and function of them first

1. Symmetric encryption algorithm

The so-called symmetric encryption algorithm is encryption and decryption using the same key. Its basic algorithm is DES, 3DES, AES and so on. Features: encryption, decryption using the same key, split the original data into fixed-size blocks, encrypted one by one. Defect: Too many keys, key distribution.

2. Asymmetric encryption

The key is paired up. The implementation algorithm has RSA, DSA, Elgama and so on. Public Key (PubKey): public to everyone; private key (secret key): it must be kept private. Features: Data encrypted with the public key can only be decrypted with the private key to which it is paired; The main application scenarios are:

Digital signature: Mainly in order to let the receiver confirm the sender identity;

Key exchange: The sender encrypts a symmetric key with the other's public key and sends it to the other party;

Data encryption: Due to the slow time of encrypting data, it is generally not used to encrypt data.

3. One-way encryption

Its basic algorithms are: MD5,SHA1 and so on. Features: Can only decrypt, cannot decrypt, can be used to extract data fingerprint, fixed-length output, avalanche effect (that is, the slightest change in the content of the data, may result in a huge change in output).

Ii. use of OpenSSL

OpenSSL is a tool for implementing encryption. It integrates the implementation of most cryptographic algorithms internally. Now make a note of its basic usage.

1. Symmetric Data encryption

Encrypt the fdisk.sh file data using the DES3 algorithm, and the encrypted file data is stored in Code.file
[[email protected] home]# OpenSSL enc-des3-a-salt-in fdisk.sh-out code.file; Encrypt enter DES-EDE3-CBC encryption password: Verifying-enter DES-EDE3-CBC encryption Password:[[email protected] home]# cat fdisk.sh Qeqweqeq[[email protected] home] # cat Code.file u2fsdgvkx1+jub/kio926cofrod0rrypfucymh+eiho=[[email protected] home]# OpenSSL enc-d-des3-a-salt-in Co De.file-out fdisk2.sh; Decrypt enter DES-EDE3-CBC decryption Password:[[email protected] home]# cat fdisk2.sh qeqweqeq[[email p Rotected] home]#

2. One-way encryption

Typically used to extract file signatures, small changes in file data can cause avalanche effects. [email protected] home]# cat fdisk.sh qeqweqeq[[email protected] home]# OpenSSL dgst-md5 fdisk.sh MD5 (fdisk.sh) = 44892AA               A22ea31022cf8af4e0521e3ff[[email protected] home]# echo "Qeqweqee" >fdisk.sh [[email protected] home]# cat fdisk.sh Qeqweqee[[email protected] home]# OpenSSL dgst-md5 fdisk.sh MD5 (fdisk.sh) = Bb123d0f209942acdb0d640c3e1c32f3[[e Mail protected] home]#

3. Asymmetric encryption

Mainly used for key exchange (the other party's public key), data encryption (the other party's public key), identity authentication (own private key) [[Email protected] home]# openssl genrsa -out  rsa.key; Generate private key generating rsa private key, 1024 bit long modulus.....+++ +++............................++++++e is 65537  (0x10001) [[email protected] home]#  cat rsa.key -----begin rsa private  KEY-----miicwwibaakbgqdpgea1ir63tb4c8tkruvevoqkpmk2ne5389ermtcb7t4njif7avvtwn1zc/ wwhfwawfrb4fndmcyv0alprvmcfw8tktd6thld0wj5niyawyoa4xn2ajz1o80/immkdx1tbju5sjvvopryrvebsta/x/hsdyo3f+ oshsmgbqdvv3qidaqabaogairbksuozgxkpldrcunddfjyng38pavzablr/zht3is0t8e5vzh19w5jmsl7yjpd3tx2g+ozbxwx/ Jnpzuk4gvhy2gmnrbi0cwqttr5onebfcmdeo9getvglclmwnsgdqso1ik1meerol7n2d8pbxoqedsxgyqakogt2miyqckwecqqd5benbzs3ddkh7qjjonxepx e3mslscjquwj6ei/zukcfxgiawjhpkny/oa5f/dr+apsjb34bws6g5lcltheijbakea1oir7tqoa1skfffwoyxrk/ c83xygjbu2gp594hapmrbczu6dyxhtj+uoz0cb9vrllfhmvzzg1d08ad10+hbyhqjamp5mh9kmc/qgcv05ivc+u+ Jfj9htusk14b0j11ugkxdakdbwpoqb544t352mwfcdymerzmzocci/7tyczutxgqjadozddgt+mr2qhyccrxxt+ 9jtobiqagdnehvd7mm5vtdvterjverbxsc8vom8oxfbqbycchn0e6yfjkkldnpnbqjapp+g+t8pvvzlyoyjptcr+h7ofylvgkgk3eh/ 6pwtyoxraj3mtoqydiplw3w1coidtnzof8hxxraja7imjf74ew==-----End rsa private key-----[[email  Protected] home]# [[email protected] home]# openssl rsa -in rsa.key  -pubout ; extracting public key Writing rsa key-----begin public  from the private key KEY-----migfma0gcsqgsib3dqebaquaa4gnadcbiqkbgqdpgea1ir63tb4c8tkruvevoqkpmk2ne5389ermtcb7t4njif7avvtwn1zc/ wwhfwawfrb4fndmcyv0alprvmcfw8tktd6thld0wj5niyawyoa4xn2ajz1o80/immkdx1tbju5sjvvopryrvebsta/x/hsdyo3f+ Oshsmgbqdvv3qidaqab-----End public key-----

Third, remote connection SSH service

1. SSH Remote Connection principle

Ssh:secure SHell, a security protocol based on the application layer and the transport layer. The communication and authentication process is encrypted. Listen for TCP port 22nd, which is a text protocol. Its main working principle is as follows:

650) this.width=650; "Src=" Http://s5.51cto.com/wyfs02/M02/86/EB/wKioL1fOvo-x_ir4AADvZhxfsYE407.png-wh_500x0-wm_3 -wmp_4-s_1605916075.png "title=" image 1.png "alt=" Wkiol1fovo-x_ir4aadvzhxfsye407.png-wh_50 "/>

The SSHV2 version is typically used for SSH service protocols. Sshv2 chooses the most secure MAC implementation mechanism based on the host negotiation between the two parties; the encryption mechanism and MAC mechanism are selected by both parties; based on DH, the key exchange is realized based on RSA or DSA, and the client determines whether to communicate with it further by checking the host key of the server.

2. SSH open Source Implementation tool OpenSSH

Configuration file/etc/ssh/ssh_config

SSH authentication mechanism: Based on password, based on secret key.

SSH [-P port][email protected] (login to remote host)

Ssh-l USERNAME HOST

SSH [email protected] ' COMMAND ' (do not log in to the remote host, operate the remote host)

SCP: Class CP command, replication across hosts based on SSH protocol

SCP [Email protected]:/path/to/somefile/path/to/local (remote copy to local)

scp/path/to/local [email protected]:/path/to/somewhere (Copy to remote host)

-r: The source file is used for directory, in order to achieve recursive replication; -P: Preserves the copy and modification timestamp of the source file, as well as the permissions;

-Q: Silent mode-P port: Specifies the server port;

3, secret-based encryption-free communication

[[email protected] home]# ssh 192.168.1.108the authenticity of host  ' 192.168.1.108  (192.168.1.108) '  can ' t be established. Rsa key fingerprint is 6b:d7:f0:61:fe:b9:b7:2c:93:f5:5b:be:80:49:77:7d. are you sure you want to continue connecting  (yes/no)?  yesWarning : permanently added  ' 192.168.1.108 '   (RSA)  to the list of known  hosts. [email protected] ' s password: last login: tue sep  6 21:13:57  2016 from 192.168.1.5[[email protected] ~]# ifconfig eth0       Link encap:Ethernet  HWaddr 00:0C:29:8B:8C:FE             inet addr:192.168.1.108  bcast : 192.168.1.255  MASK:255.255.255.0      &Nbsp;   inet6 addr: fe80::20c:29ff:fe8b:8cfe/64 scope:link           up broadcast running multicast  mtu:1500   Metric:1          RX packets:4372  errors:0 dropped:0 overruns:0 frame:0           TX packets:2446 errors:0 dropped:0 overruns:0 carrier:0           collisions:0 txqueuelen:1000            RX bytes:5094407  (4.8 MIB)   TX bytes:166449  ( 162.5 kib)           interrupt:19 base address :0x2000 lo        link encap:local loopback             inet addr:127.0.0.1  mask:255.0.0.0           inet6 addr: ::1/128 Scope:Host           UP LOOPBACK RUNNING  MTU:16436  Metric:1           RX packets:38 errors:0 dropped:0  overruns:0 frame:0          tx packets:38  errors:0 dropped:0 overruns:0 carrier:0           collisions:0 txqueuelen:0           RX  bytes:3344  (3.2 kib)   TX bytes:3344  (3.2 kib)

Usually we use SSH to log in to the remote host when the password is required, when we want to be free to login to the other side of the host, then we need to use a secret-based authentication mechanism. The method of use is also very simple and requires only two steps:

1. Generate a pair of secret keys locally on the client

2. Transfer the public key to the remote server and append to the. ssh/authorized_keys file or. ssh/authorized_keys2 file that is saved to a user's home directory on the remote host.

Here I use 192.168.1.106-bit client. 192.168.1.108 as a remote server.

[[email protected] home]# ssh-keygen  -t rsa  ; generates a pair of secret keys generating  Public/private rsa key pair. enter file in which to save the key  (/ROOT/.SSH/ID_RSA):  Enter  passphrase  (empty for no passphrase): enter same passphrase  Again: your identification has been saved in /root/.ssh/id_rsa. your public key has been saved in /root/.ssh/id_rsa.pub.the key  Fingerprint is:e9:ae:a4:2c:bd:68:64:6a:ae:a4:81:20:39:9f:ac:2f [email protected]the key ' s  RANDOMART IMAGE IS:+--[ RSA 2048]----+|                  | |                  | |                  | |  .       .       | | =       s        | | ++o.   .         | | o=+.  . .        | | e+oo.o .         | | b=o.+....        |+-----------------+[[email protected] home ]# cd ~/.ssh/[[email protected] .ssh]# lsid_rsa  id_rsa.pub   known_hosts[[email protected] .ssh]# ssh-copy-id -i id_rsa.pub [email  protected] ; transferring the public key to the remote server [email protected] ' S password: now try logging into  the machine, with  "ssh  ' [email protected] '",  and check in:   .ssh/authorized_keysto make sure we haven ' T added extra keys  that you weren ' t expecting. [[email protected] .ssh]# ssh [email protected]  ; Password-Free login Success Last login:  tue sep  6 21:18:21 2016 from 192.168.1.106[[email protected]  ~]#




This article is from the "Wind and Drift" blog, please be sure to keep this source http://yinsuifeng.blog.51cto.com/10173491/1847001

SSH remote connection and encryption technology

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.