Traditional network service programs, such as ftp,pop,telnet, are inherently insecure because they transmit data, user accounts, and user passwords in clear text on the network, and are vulnerable to attack by a man-in-the-middle attack that would impersonate a real server to receive data from a user to the server. Then impersonate the user to pass the data to the real server.
To meet security requirements, the IETF Network Working Group developed Secure Shell (abbreviated as SSH), a security protocol created on the application and transport tiers to provide a secure transport and usage environment for the Shell on the computer.
SSH is currently a more reliable protocol that provides security for Telnet sessions and other network services. The use of SSH protocol can effectively prevent the information leakage in the remote management process. SSH allows you to encrypt all transmitted data, as well as to prevent DNS spoofing and IP spoofing.
This article will focus on the cryptographic algorithms used in SSH and the process of establishing a secure connection.
(In order to write the Xshell in the topic, the specific SSH introduction is put on the last side)
Using key login is divided into 3 steps:
1. Generate key (public key and private key);
2. Place the public key into the server ~/.ssh/authorized_key file;
3. Configure the SSH client to log in using the key.
1.1 Generate key (public key and private key)
Open Xshell, click "Tools" in the menu bar, select "(New User Key Generation Wizard)" In the popup menu, pop up the "New User Key Generation Wizard" dialog box, select "RSA" Public key encryption algorithm in "key Type" item, "Key Length" Select any key length, the longer the length, the higher the security, Click "Next" to wait for key generation
Continue to the next step, enter the name of the key in the "key name", I Am "id_rsa_2048 (2)"; Enter a password at "encryption password" such as 12345678 for encrypting the private key, and re-enter the password confirmation, click "Next", the key generation is complete (public Key format Select Ssh2-openssh format), here is the public key, we can copy the public key and then save, you can also directly save the public key to the file, such as.
Click on the "Save as File" button to save the public key to disk, the file name is "xxxxxxx", Standby. Finally click "Finish".
After the public key is saved, the private key file is next. Click "Export" and export it as a private key file to open the public key just now. Please keep it safe.
Click "Save", will pop up a box, enter the password you just set 12345678. Click "OK".
1.2 Place the public key into the server ~/.ssh/authorized_key file
The above steps are just the process of generating the public and private keys, and the next step is to place the public key you just generated on the server you want to manage.
Use the Xshell to log on to the server, go to the "/root/.ssh/" directory, and use XFile to upload the public key to the server.
Then run the following command to import the public key into the "Authorized_keys" file:
[[Email protected] ~]# CD. ssh/
[email protected]. ssh]# ls
[email protected]. ssh]# RZ-E
RZ waiting to receive.
[email protected]. ssh]# ls
Authorized_keys known_hosts laomao.pub
[email protected]. ssh]# CP Authorized_keys Authorized_keys.bak
[email protected]. ssh]# Cat Laomao.pub >authorized_keys
[email protected]. ssh]# Cat Authorized_keys
Ssh-rsa aaaab3nzac1yc2eaaaabiwaaayeaybjy7/dvwxxm4lcxfa+x0bgbmi+aq6zizybffskjemhahs/ mxbkhol1c1gwzpsaklahor8uzsqo7qqcykqeb8cnwr8f9ngnbcjs+e6fpl7bvnpkfnrixnq+ gt5viz77u2rxu74jbouwsgaehtcu5dqhifvaoue64qcbuy5j6jhjv3bblmxnqxrjqo4+4hh0dhyvzc5wmp0ngnah/ 6za64hk3nd1tder7na701geztr5n4oqecep+ttpcbt4rkq1qj5l67et5x3uygekzdk4tol2kluepd2xhrqg1qcxl87f7hkziliicglu8/rb+ lyuojzywtvhvmtwtpds1u6rmaqslh/4vu0veks7bij7xtcakjuo6ughvxpzl1bqwj8ty6fzerdndvm5borkahgz67zjk6x+zui4fhtkxsq/ Gvzogbylhsl3tyc1prlvo8l7bl9r36x7hlachr0brqpenrkxdmmrr4i4rooryaijxophvg5uwh+rseubzddew7s/f[[email protected]. SSH ]#
[email protected]. ssh]# chmod Authorized_keys
[email protected]. ssh]#
1.3 Configuring the SSH client to log on with a key
Open Xshell, click the "New" button, pop up the "New Session Properties" dialog box, in the "Connection" section, enter the IP address and port just configured public key, as shown in:
In the User Authentication window, enter the authentication method as "public key"
Select the private key file that you just generated from the user key, and enter the password you just set in the Password box below 123456 (can not be the same as the system login password)
Now you can use the public key to login, browse to select the user key location, and then enter the password just set above "123456", click "OK", you can log in. After the SSH key configuration above, we can manage the server by using the secret key in the publish over SSH plugin. Note that the public key generated above is stored on the server, and the generated private key file is stored on Jenkins.
The technology used
In order to ensure the security of information transmission, SSH uses the techniques of symmetric encryption, asymmetric encryption and hashing. Symmetric encryption
Symmetric key encryption, also known as symmetric encryption, private key encryption, and shared key encryption, is a cryptographic algorithm in cryptography. Such algorithms use the same key when encrypting and decrypting, or use two keys that can be easily extrapolated from one another.
SSH uses a symmetric key to encrypt the information transmitted during the entire connection. It is important to note that the Public/private key pair created by the user is used only for authentication and is not used on encrypted connections. Symmetric encryption allows passwords to be authenticated to prevent third-party snooping.
The shared key is generated by a key exchange algorithm that allows both parties to create a key through an unsecured channel without any prior information from the other. Both the client and the server are involved in the process, and the details of the process are explained later.
The generated key will be used to encrypt the data transmitted by the client and server during this session. This process is done before verifying the identity of the client.
SSH supports a variety of symmetric key algorithms, including aes,blowfish,3des,cast128 and Arcfour. The client and server can configure a list that takes the algorithm. The first algorithm that can be supported by the server in the client list is adopted.
For example, on Ubuntu 14.04, the default configuration of the client and server is as follows: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,[email protected] ,[email protected],[email protected], AES128-CBC,BLOWFISH-CBC,CAST128-CBC,AES192-CBC, Aes256-cbc,arcfour.
That is, if two Ubuntu 14.04 uses the default configuration, they will always use the AES128-CTR algorithm to encrypt the connection. Asymmetric encryption
In an asymmetric encryption method, a pair of keys is required, one is the private key and the other is the public key. These two keys are mathematically related. The information that is encrypted with the public key can only be decrypted with the private key. If you know one of them, you can't calculate the other one. Therefore, if one of the two keys is exposed, it does not compromise the secret nature of the other.
SSH uses asymmetric encryption in some places.
Asymmetric encryption was used during key exchange. At this stage, the client and server generate a temporary key pair and exchange the public key to generate the shared key.
Asymmetric encryption is also used in the authentication process. The SSH key pair is used to authenticate the client to the server. The client creates a pair of keys and then uploads the public key to the remote server and writes the file ~/.ssh/authorized_keys.
After the shared key is created, the client must prove its identity to the server. The server encrypts a piece of information with the public key in the file and sends the encrypted information to the client. If the client can crack the message, it can prove that it has the relevant private key. The server will then set up the shell environment for the client. Hash column
Hashing is a kind of data processing method in computer science, which relates the items to be retrieved by a certain algorithm to the indexed index, and generates a data structure (hash table) that is easy to search. It is also used to make a information security method, by a string of data through the hashing algorithm computed data fingerprint, to identify whether the files and data has been tampered with.
SSH mainly uses the hash message authentication code (Keyed-hash message Authentication Code, abbreviated as HMAC), to confirm that the message has not been tampered with.
The Message Authentication code (MAC) algorithm is used during the symmetric encryption negotiation process mentioned above. This algorithm is selected from the client-supported algorithm.
After the key negotiation is complete, all messages must carry the Mac, which is used to verify the consistency of the messages on both sides of the communication. Mac values are computed by the shared key, the grouping sequence of messages, and the actual message content.
Outside the symmetric encryption area, the MAC itself is sent as the last part of the grouping. Researchers usually recommend confidential data before calculating the MACSSH workflow
The SSH protocol uses the client-server model to authenticate the two parties and encrypt the data between them.
The server listens for connection requests on the specified port. It is responsible for negotiating a secure connection, authenticating the connecting party, and generating the correct shell environment for the client.
The client is responsible for negotiating a secure connection, verifying that the identity of the server matches the previously logged information, and providing credentials for authentication.
An SSH session is divided into two stages. The first is to agree and build encryption to protect future communication. The second phase is authenticating the user and discovering whether access to the server should be granted. Session Encryption Negotiation
When the client initiates the request, the server returns the supported protocol version. If the client can match one of the protocol versions, the connection continues. The server provides its public host key, which the client can use to verify that the server is legitimate.
At this point, the communication parties use the Deffee-Herman algorithm to negotiate the session key.
The approximate process of the algorithm is as follows:
- Both agreements share a large prime number.
- Mutual agreement an encryption algorithm.
- Each side generates a prime number and is kept secret. This prime number will be used as the private key.
- Both parties use the algorithm of the contract, which computes the public key by the respective private key and the shared prime number.
- Both sides exchange the generated public key.
- Both parties use their own private key, the other party's public key and the shared prime number, to calculate a shared secret key. The shared key computed by both parties should be the same.
- Use the shared secret key to encrypt the subsequent session.
The shared key encryption used for the remaining connections is known as the binary Packet protocol. The above procedure allows both parties to participate equally in generating shared keys.
The generated key is a symmetric key, which means that the key used to encrypt the message can also be used for decryption. The purpose is to wrap the subsequent communication in an encrypted tunnel that cannot be decrypted by an external person.
After the session key is generated, user authentication begins. Verify user identity
Depending on how the server is accepted, there are several different ways to use authentication.
The simplest method is password authentication, where the server requires the client to enter a password to attempt to log in to the account. The password is sent through negotiated encryption.
Although passwords are encrypted, this method is generally not recommended because of the limited complexity of passwords. Automatic scripting is relatively easy to break the normal-length password compared to other authentication methods.
The most recommended option is to use an SSH key pair. The SSH key pair is a non-symmetric key.
The public key is used to encrypt data that can only be decrypted with the private key. The public key can be freely shared because there is no way to export the private key from the public key.
The verification process is as follows:
- The client first sends the ID of the key pair to the server.
- The server checks the file Authorized_keys to find the public key for that ID.
- If found, the server generates a random number and encrypts the number with the public key.
- The server sends the encrypted information to the client.
- If the client has a corresponding private key, it can use the private key to decrypt the message, resulting in a random number generated by the server.
- The client uses the decrypted number and the shared key used by the session to get a value, and then computes the MD5 hash value of the value.
- The client sends this MD5 hash value back to the server.
- The server calculates its own MD5 hash value with the session shared key and generated random values. It then compares the value returned by the client and its own generated value. If the match proves that the client owns the private key, the client verifies the pass.
As you can see, the asymmetry of the key allows the server to encrypt the message to the client using the public key. The client can then prove that it has a private key by decrypting the message correctly.
SSH Technology Introduction and Xshell public key remote login