From entry-level to proficient: Build an SSH Security Channel (1)

Source: Internet
Author: User

[Bkjia.com exclusive article] The SSH command-line utility is the channel through which remote systems staff reach their machines securely. SSH stands for "Secure Shell", so you might assume that the most common way to use it is as a remote shell. That may indeed be the most common application, but it is far from the only interesting one.

1. Connecting, executing remote commands, and using authorized keys

1. Create a connection

To communicate over SSH you must first establish a connection to the remote server. The ssh command-line utility accepts many options, but in its most basic form the command line is:

ssh ip-address

Here ip-address is the address of the server you want to connect to. A simple example:

abc:~ jmjones$ ssh 192.168.1.20
The authenticity of host '192.168.1.20 (192.168.1.20)' can't be established.
RSA key fingerprint is 24:1e:2e:7c:3d:a5:cd:a3:3d:71:1f:6d:08:3b:8c:93.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.1.20' (RSA) to the list of known hosts.

Note the line "The authenticity of host '192.168.1.20 (192.168.1.20)' can't be established." It means that the SSH client has never seen this server's host key before. I say "client" because the ssh utility is the side that initiates the network connection, which makes it the client in this exchange.

The client then asks whether to continue ("Are you sure you want to continue connecting (yes/no)?"). The author answers "yes" because he knows this is the server he wants to reach. Be aware of what "yes" means, though: the client cannot tell a genuine first contact from an attacker impersonating the server, so the only real protection is to compare the fingerprint it shows (24:1e:2e:7c:3d:a5:cd:a3:3d:71:1f:6d:08:3b:8c:93 above) with one obtained out of band, for example from the server's console with ssh-keygen -lf /etc/ssh/ssh_host_rsa_key.pub (add -E md5 on current OpenSSH, which prints SHA256 fingerprints by default), before accepting. After answering "yes", the client appends a line like the following to $HOME/.ssh/known_hosts:

192.168.1.20 ssh-rsa AAAAB3NzaC1yc2E...

(The base64-encoded host public key is garbled in the source and is abbreviated here; the line format is host name or address, key type, base64 key.)

When I connect to the same server again, the client looks the server up in known_hosts and checks that the key it now presents matches the one recorded. If it does not, the connection is refused with the following message:

abc:~ jmjones$ ssh 192.168.1.20
WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!    
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that the RSA host key has just been changed.
The fingerprint for the RSA key sent by the remote host is
24:1e:2e:7c:3d:a5:cd:a3:3d:71:1f:6d:08:3b:8c:93.
Please contact your system administrator.
Add correct host key in /Users/jmjones/.ssh/known_hosts to get rid of this message.
Offending key in /Users/jmjones/.ssh/known_hosts:1
RSA host key for 192.168.1.20 has changed and you have requested strict checking.
Host key verification failed.
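As an added example (not code from the original article), here is the check behind that warning reproduced in Python: parse a known_hosts line, compute both the colon-separated MD5 fingerprint that the transcripts above show and the SHA256 form that current OpenSSH prints, and compare against a fingerprint obtained out of band. The known_hosts line is constructed from a made-up RSA modulus and is not a usable key; fingerprints are just hashes of the key blob, so the computation is identical for a real one. Python is used for the examples on this page because the checks can then run offline without a remote host.

```python
"""Fingerprint the host key recorded in a known_hosts line and compare it
with a fingerprint obtained out of band.

Added example, not code from the original article. The known_hosts line is
constructed: its ssh-rsa blob wraps a made-up modulus and is not a usable
key, but fingerprints are hashes of the blob, so the computation is the
same as for a real one. Standard library only.
"""
import base64
import hashlib
import struct
from typing import Tuple


def ssh_string(b: bytes) -> bytes:
    """SSH wire-format string: 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(b)) + b


def ssh_mpint(n: int) -> bytes:
    """SSH mpint: big-endian magnitude, with a leading 0x00 if the top bit is set."""
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    if raw and raw[0] & 0x80:
        raw = b"\x00" + raw
    return ssh_string(raw)


def build_rsa_blob(e: int, n: int) -> bytes:
    """Wire-format ssh-rsa public key: string "ssh-rsa", mpint e, mpint n."""
    return ssh_string(b"ssh-rsa") + ssh_mpint(e) + ssh_mpint(n)


def known_hosts_line(host: str, blob: bytes) -> str:
    """Format one known_hosts entry: host, key type taken from the blob, base64 blob."""
    (tlen,) = struct.unpack(">I", blob[:4])
    key_type = blob[4:4 + tlen].decode("ascii")
    return f"{host} {key_type} {base64.b64encode(blob).decode()}"


# Constructed sample: a toy modulus, for illustration only (not a real key).
SAMPLE_BLOB = build_rsa_blob(65537, 0xC0FFEE1234567890ABCDEF)
SAMPLE_KNOWN_HOSTS_LINE = known_hosts_line("192.168.1.20", SAMPLE_BLOB)


def parse_known_hosts_line(line: str) -> Tuple[str, str, bytes]:
    """Return (host_field, key_type, key_blob) for one known_hosts entry.

    With HashKnownHosts the host field is '|1|salt|hash' instead of a name;
    the key fields are the same either way. Raises ValueError if the line is
    malformed or the declared type disagrees with the type inside the blob.
    """
    parts = line.split()
    if len(parts) < 3:
        raise ValueError("expected: host[,host...] key-type base64-key [comment]")
    host_field, key_type, b64 = parts[0], parts[1], parts[2]
    blob = base64.b64decode(b64, validate=True)
    (tlen,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + tlen].decode("ascii", "replace") != key_type:
        raise ValueError(f"declared type {key_type!r} does not match the key blob")
    return host_field, key_type, blob


def md5_fingerprint(blob: bytes) -> str:
    """Colon-separated MD5 fingerprint, the legacy format in the transcripts above."""
    hexdigest = hashlib.md5(blob).hexdigest()
    return ":".join(hexdigest[i:i + 2] for i in range(0, 32, 2))


def sha256_fingerprint(blob: bytes) -> str:
    """Current OpenSSH default: 'SHA256:' plus unpadded base64 of the digest."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def host_key_matches(line: str, expected_fingerprint: str) -> bool:
    """True if the key on the line has the expected fingerprint, in either format.

    This is the comparison to make against a value from the server's console
    (ssh-keygen -lf on its host key file) before answering "yes", and again
    before removing an "offending key" after a HOST IDENTIFICATION HAS CHANGED
    warning.
    """
    _, _, blob = parse_known_hosts_line(line)
    return expected_fingerprint in (md5_fingerprint(blob), sha256_fingerprint(blob))


if __name__ == "__main__":
    host, key_type, blob = parse_known_hosts_line(SAMPLE_KNOWN_HOSTS_LINE)
    print(host, key_type)
    print("MD5    ", md5_fingerprint(blob))
    print("SHA256 ", sha256_fingerprint(blob))
```

In day-to-day use the stock tools do this bookkeeping: ssh-keygen -F host prints the entry for a host and ssh-keygen -R host removes it. Removing the "offending key" should only follow a fingerprint comparison like the one above, never the warning alone, because a silently accepted replacement key is exactly what a man-in-the-middle needs.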

2. Password Verification

Continuing the example: after answering "yes", the client prompts for the password. Part of the interaction:

jmjones@192.168.1.20's password:
Be careful.
No mail.
Last login: Tue Dec 30 06:36:20 2008 from abc
jmjones@oksir:~$

I typed the password, and the ssh client gave me an interactive session on the remote server. The banner shows evidence of a login to a Linux server, such as the time of the last login.

3. Authorized keys

What if we don't want to type a password every time we log in? Or what if, as a system administrator, we want to harden the server so that attackers cannot get in by guessing passwords? A public/private key pair makes logging in both safer and more convenient: the private key never leaves the client, and once every user has a key the administrator can turn password logins off altogether (PasswordAuthentication no in sshd_config).

To use a key pair we first have to create one, with the ssh-keygen program. It accepts many parameters, such as the key type, the file name to create, and a comment for the key; here we take the defaults. This is what happens when it is run with no arguments:

abc:~ jmjones$ ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/Users/jmjones/.ssh/id_rsa):
Created directory '/Users/jmjones/.ssh'.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /Users/jmjones/.ssh/id_rsa.
Your public key has been saved in /Users/jmjones/.ssh/id_rsa.pub.
The key fingerprint is:
fe:e9:fa:f5:e2:4e:a1:6c:9e:9e:20:a4:cc:ec:4f:62 jmjones@abc
The key's randomart image is:
+--[ RSA 2048]----+
|                 |
|                 |
|                 |
|                 |
|      . S   .    |
|   + o . . . .   |
|    E o o + o    |
|   o o . = *..   |
|    ... .=Xoo..  |
+-----------------+

I accepted id_rsa as the key file name and did not enter a passphrase. If you do set a passphrase, you must type it each time the key is used (or load the key once into ssh-agent); without one, anybody who obtains the file can use the key, so protect it accordingly. Running ssh-keygen leaves two files in $HOME/.ssh:

abc:~ jmjones$ ls -l ~/.ssh/
total 16
-rw-------  1 jmjones  staff  1675 Dec 30 17:37 id_rsa
-rw-r--r--  1 jmjones  staff   400 Dec 30 17:37 id_rsa.pub

id_rsa is the private key. Nobody else may read it, because whoever has it can log in as me; note that its permissions (0600) are stricter than those of id_rsa.pub (0644). id_rsa.pub is the public key, which can be handed to anyone who needs to let me connect: the private key cannot be derived from it.

To use the key on the server from the earlier example, the contents of id_rsa.pub go into $HOME/.ssh/authorized_keys on the remote server. Typically we log in to the server over SSH (with the password, for now) and copy the local id_rsa.pub into the remote authorized_keys file; the author pasted the key by hand, as shown below. Two cautions: a single > overwrites any keys already in the file, so prefer >> (or ssh-copy-id, which does the append and sets permissions for you), and sshd with its default StrictModes ignores the file if it or the .ssh directory is group- or world-writable, so keep them at 0600 and 0700.

jmjones@oksir:~$ echo "ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAw4DTUeLXZbjjNhR+AaW9...RaxLa+RQ== jmjones@abc" > ~/.ssh/authorized_keys

(The body of the key is garbled in the source and is abbreviated here; it is the single long base64 string from id_rsa.pub, followed by the comment.)
jmjones@oksir:~$ ls -l ~/.ssh/
total 4
-rw-r--r-- 1 jmjones jmjones 400 2008-12-30 17:48 authorized_keys
jmjones@oksir:~$

After that, logging in no longer prompts for a password. Log out of the server and connect again:

jmjones@oksir:~$ logout
Connection to 192.168.1.20 closed.
abc:~ jmjones$ ssh 192.168.1.20
Be careful.
No mail.
Last login: Tue Dec 30 17:50:26 2008 from abc

Note that the client was not asked for a password: the server challenged the client to prove possession of the private key, and the login completed immediately.
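The echo "..." > authorized_keys step above works once but has two weak spots: it overwrites whatever keys were already in the file, and it leaves the file mode to the umask. As an added example (not code from the original article), the Python below installs a key line the careful way: validate it, append only if the same key is not already present, and force the 0700/0600 modes that sshd expects. The sample key is constructed from a made-up 32-byte value and cannot be used to log in anywhere; the home directory is a temporary one created for the demonstration.

```python
"""Install a public key into ~/.ssh/authorized_keys the careful way.

Added example, not code from the original article. Differences from the
article's echo "..." > authorized_keys: the key line is validated, appended
only if absent (never overwriting other keys), and the .ssh directory and
file are forced to 0700/0600, which sshd's default StrictModes requires.
The sample key is constructed from a made-up 32-byte value and cannot be
used to log in anywhere; the home directory is a temporary one.
"""
import base64
import os
import struct
import tempfile
from pathlib import Path
from typing import Dict

ALLOWED_TYPES = {"ssh-ed25519", "ssh-rsa", "ecdsa-sha2-nistp256"}


def _constructed_ed25519_line(comment: str) -> str:
    """Build a syntactically valid ssh-ed25519 line from a made-up point value."""
    fake_point = bytes(range(32))  # constructed, not a real public key
    blob = struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + fake_point
    return f"ssh-ed25519 {base64.b64encode(blob).decode()} {comment}"


SAMPLE_KEY_LINE = _constructed_ed25519_line("jmjones@abc")


def validate_key_line(line: str) -> str:
    """Return the normalised 'type base64 [comment]' line, or raise ValueError.

    Checks that the key type is one we accept, that the key is valid base64,
    and that the type string embedded in the blob matches the declared type.
    A line that was cut off or picked up stray characters while being pasted
    fails here instead of silently becoming a key that never matches.
    (Plain lines only: the options="..." prefix form is not handled.)
    """
    parts = line.strip().split(None, 2)
    if len(parts) < 2:
        raise ValueError("expected: key-type base64-key [comment]")
    key_type, b64 = parts[0], parts[1]
    comment = parts[2].strip() if len(parts) == 3 else ""
    if key_type not in ALLOWED_TYPES:
        raise ValueError(f"unsupported key type {key_type!r}")
    try:
        blob = base64.b64decode(b64, validate=True)
    except ValueError as exc:  # binascii.Error is a ValueError subclass
        raise ValueError(f"key is not valid base64: {exc}") from None
    if len(blob) < 4:
        raise ValueError("key blob too short")
    (tlen,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + tlen] != key_type.encode():
        raise ValueError("declared key type does not match the key blob")
    return f"{key_type} {b64} {comment}".rstrip()


def is_valid_key_line(line: str) -> bool:
    """Boolean form of validate_key_line."""
    try:
        validate_key_line(line)
        return True
    except ValueError:
        return False


def install_key(home: Path, key_line: str) -> bool:
    """Append key_line to home/.ssh/authorized_keys unless the same key is there.

    Returns True if it was added, False if it was already present. Matching
    ignores the comment, since copies of one key often carry different ones.
    """
    key_line = validate_key_line(key_line)
    ssh_dir = home / ".ssh"
    ssh_dir.mkdir(mode=0o700, exist_ok=True)
    os.chmod(ssh_dir, 0o700)  # mkdir's mode is subject to the umask
    auth = ssh_dir / "authorized_keys"
    existing = auth.read_text().splitlines() if auth.exists() else []
    present = {" ".join(l.split()[:2]) for l in existing if l.strip() and not l.startswith("#")}
    added = False
    if " ".join(key_line.split()[:2]) not in present:
        with auth.open("a") as fh:  # append; '>' as in the article would wipe other keys
            fh.write(key_line + "\n")
        added = True
    os.chmod(auth, 0o600)
    return added


def run_demo() -> Dict[str, object]:
    """Install the sample key twice (second time with another comment) into a
    throwaway home directory and report what happened."""
    with tempfile.TemporaryDirectory() as tmp:
        home = Path(tmp)
        first = install_key(home, SAMPLE_KEY_LINE)
        second = install_key(home, _constructed_ed25519_line("same-key-other-comment"))
        auth = home / ".ssh" / "authorized_keys"
        return {
            "first": first,
            "second": second,
            "lines": auth.read_text().splitlines(),
            "dir_mode": oct((home / ".ssh").stat().st_mode & 0o777),
            "file_mode": oct(auth.stat().st_mode & 0o777),
        }


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name}: {value}")
```

The type-string check is the useful part when keys are pasted by hand: a line that lost a few characters in transit, like the garbled one in this article's transcript, is rejected before it lands in the file, rather than being discovered later as a key that never authenticates.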

4. execute remote commands

As mentioned above, once SSH is connected to the remote server we land in a shell prompt by default, but that is not the only option. Another useful way to use the SSH client is to execute a command on the remote server without typing it into an interactive shell there: on the local system you tell ssh which command to run on the remote one. For example, to see whether a process is listening on port 25 of the remote system:

abc:~ jmjones$ ssh 192.168.1.20 netstat -ltpn | grep 25
(Not all processes could be identified, non-owned process info
 will not be shown, you would have to be root to see it all.)
tcp    0   0 127.0.0.1:25   0.0.0.0:*  LISTEN      -

The syntax is ssh address command. One subtlety in this example: the pipe is interpreted by the local shell, so netstat runs on the remote host but grep runs locally on its output. To run the whole pipeline remotely, quote it: ssh 192.168.1.20 'netstat -ltpn | grep 25'. The same pattern serves for checking disk utilization, listing processes, or copying files.

Why not log in and run the commands interactively? Because that forfeits the benefits of scripting. With this form, executing a command on a remote system becomes one line in a shell script.
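When the remote command is issued from a script rather than typed at a prompt, the details that are harmless interactively start to matter: a password prompt hangs the job, an unknown host key becomes a yes/no question nobody answers, and an unquoted pipe runs half the command locally. As an added example (not code from the original article), the Python below builds the ssh command line for the port-25 check the way a script should: prompts turned into errors, the remote pipeline quoted so it runs remotely, and the arguments escaped so that data cannot alter the command. The host and user are the article's; the helper names are this example's own, and the actual ssh invocation is left commented out under __main__ because the host does not exist here.

```python
"""Run a command on a remote host over ssh from a script, non-interactively.

Added example, not code from the original article. build_ssh_argv() and
remote_pipeline() are pure and run offline; run_remote() executes ssh and is
only referenced (commented out) under __main__, since the article's host is
not reachable here.
"""
import shlex
import subprocess
from typing import List, Optional, Sequence

# Options that make ssh behave in a script: fail rather than prompt.
SSH_OPTS = [
    "-o", "BatchMode=yes",              # no password or passphrase prompts
    "-o", "StrictHostKeyChecking=yes",  # unknown or changed host key is an error
    "-o", "ConnectTimeout=10",
]


def remote_pipeline(*stages: Sequence[str]) -> str:
    """Join argv-style stages into one shell-quoted pipeline for the remote shell.

    shlex.quote protects each argument, so a value containing spaces or shell
    metacharacters (a file name, a pattern taken from input) cannot change the
    structure of the command that the remote shell executes.
    """
    return " | ".join(" ".join(shlex.quote(a) for a in stage) for stage in stages)


def build_ssh_argv(host: str, remote_command: str, user: Optional[str] = None) -> List[str]:
    """argv for: ssh [opts] -- [user@]host remote_command

    The remote command is passed as a single argument, so a pipeline inside
    it is executed by the remote shell. Typed unquoted on the local command
    line, as in the article's netstat example, everything after '|' would
    run locally instead.
    """
    target = f"{user}@{host}" if user else host
    return ["ssh", *SSH_OPTS, "--", target, remote_command]


def run_remote(host: str, remote_command: str, user: Optional[str] = None,
               timeout: float = 30) -> subprocess.CompletedProcess:
    """Execute the command and return the CompletedProcess.

    ssh exits 255 for its own failures (connection, host key, authentication);
    any other status is the remote command's exit code, so callers can tell
    "could not reach the host" apart from "grep found nothing".
    """
    return subprocess.run(build_ssh_argv(host, remote_command, user),
                          capture_output=True, text=True, timeout=timeout)


if __name__ == "__main__":
    cmd = remote_pipeline(["netstat", "-ltpn"], ["grep", ":25 "])
    print(shlex.join(build_ssh_argv("192.168.1.20", cmd, user="jmjones")))
    # result = run_remote("192.168.1.20", cmd, user="jmjones")
    # print(result.returncode, result.stdout)
```

The pattern ':25 ' is deliberately tighter than the article's 25, which also matches port 2525 or any PID containing those digits.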

SSH is an important tool. In the usual case it gives us an interactive shell on a remote server, which is indispensable for remote administration. With authorized keys we also strengthen the authentication step, and with remote command execution we can drive a remote system from a shell script without ever opening an interactive session.

