Building a Secure Channel with SSH


Zhao Changlin

The ssh command line utility provides a secure channel to remote systems. SSH stands for "Secure Shell", so the obvious use is as a remote shell. That is probably the most common application, but it is not the only interesting way to use SSH.

1. Connecting, executing remote commands, and using authorized keys

1. Create a connection

To communicate over SSH you first establish a connection to the remote server. The ssh command line utility accepts many options, but the basic form of the command is:

ssh ip_address

Here ip_address is the IP address of the server you want to connect to. A simple example:

abc:~ jmjones$ ssh 192.168.1.20
The authenticity of host '192.168.1.20 (192.168.1.20)' can't be established.
RSA key fingerprint is 24:1e:2e:7c:3d:a5:cd:a3:3d:71:1f:6d:08:3b:8c:93.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.1.20' (RSA) to the list of known hosts.

Note the line "The authenticity of host '192.168.1.20 (192.168.1.20)' can't be established." It means that the SSH client does not yet know this remote server. The word "client" is used here because the ssh command line utility initiates the network connection, which makes it the client side of that connection.

The ssh program then asks whether to continue connecting ("Are you sure you want to continue connecting (yes/no)?"). The answer here is "yes", because I know that this is the server I want to connect to. Usually it is fine to answer "yes" to this question, but if an attacker is impersonating the server you want to reach, answering "yes" is dangerous. The fingerprint shown in the prompt is what distinguishes the two cases, so compare it with a fingerprint obtained from the server's administrator before answering. After answering "yes", the client added a line of the following form to $HOME/.ssh/known_hosts:

192.168.1.20 ssh-rsa <base64-encoded RSA public host key>

When I connect to the same server again, the SSH client looks the server up in known_hosts and checks that the key it presents is the same as before. If the key sent by the server does not match the entry in known_hosts, the following message is displayed:

abc:~ jmjones$ ssh 192.168.1.20
WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that the RSA host key has just been changed.
The fingerprint for the RSA key sent by the remote host is
24:1e:2e:7c:3d:a5:cd:a3:3d:71:1f:6d:08:3b:8c:93.
Please contact your system administrator.
Add correct host key in /Users/jmjones/.ssh/known_hosts to get rid of this message.
Offending key in /Users/jmjones/.ssh/known_hosts:1
RSA host key for 192.168.1.20 has changed and you have requested strict checking.
Host key verification failed.
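As an added example (not part of the original article), the following shell script derives the MD5 fingerprint from a known_hosts entry so that it can be compared with the fingerprint shown in the prompt above, or with a value obtained from the server's administrator. The sample entry is constructed, not a real host key, and the function names are mine.

```shell
#!/bin/sh
# Added example, not from the original article: derive the MD5 fingerprint
# of the host key stored in a known_hosts line, so that the entry can be
# compared against the fingerprint shown in the "authenticity can't be
# established" prompt or against one supplied by the server administrator.
# Needs only base64 and md5sum (GNU coreutils or busybox).

# known_hosts line format: <host> <key type> <base64 key blob> [comment]
# Hashed entries ("|1|...") hide the host name, but the key blob is still
# the third field, so they work here as well.
known_hosts_fingerprint() {
    read -r _host keytype blob _comment || return 1
    case "$keytype" in
        ssh-rsa|ssh-ed25519|ecdsa-sha2-*) ;;
        *) echo "unsupported key type: $keytype" >&2; return 1 ;;
    esac
    # MD5 over the decoded key blob, printed as 16 colon-separated hex
    # bytes, the format used by the article's prompt and warning.
    printf '%s' "$blob" | base64 -d | md5sum | cut -d' ' -f1 \
        | sed 's/../&:/g; s/:$//'
}

# Compare two fingerprints regardless of case, colons or an "MD5:" prefix,
# so a value copied from a wiki page or an e-mail can be matched reliably.
fingerprints_match() {
    a=$(printf '%s' "$1" | sed 's/^MD5://; s/://g' | tr 'A-Z' 'a-z')
    b=$(printf '%s' "$2" | sed 's/^MD5://; s/://g' | tr 'A-Z' 'a-z')
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# Constructed sample entry: a syntactically valid ssh-rsa blob (key type,
# e=65537, a 3-byte dummy modulus), NOT a real host key.
SAMPLE_LINE='192.168.1.20 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAAwEAAQ== demo'

fp=$(printf '%s\n' "$SAMPLE_LINE" | known_hosts_fingerprint)
echo "known_hosts fingerprint: $fp"
if fingerprints_match "$fp" "MD5:$fp"; then
    echo "matches the expected value"
fi
```

To check a real entry, pipe the matching line of ~/.ssh/known_hosts into known_hosts_fingerprint and pass the result together with the administrator's value to fingerprints_match.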

2. Password Verification

Continuing the example: after answering "yes", the program prompts for a password. Part of the interaction follows:

jmjones@192.168.1.20's password:
Be careful. No mail.
Last login: Tue Dec 30 06:36:20 2008 from abc
jmjones@oksir:~$

I typed the password, and the ssh client then established an interactive session with the remote server. The output shows the usual evidence of a login to a Linux server, such as the time of the last login.

3. Authorized keys

What if we do not want to type a password on every login? Or what if, as a system administrator, I want to make the server more robust and harder for attackers to guess their way into? A public/private key pair makes logging in to the server both safer and easier.

To use a key pair we first have to create one, which the ssh-keygen program does from the command line. It accepts many parameters, such as the key type, the file name to write, and a comment for the key, but here we use only the defaults. This is the result of running it without any parameters:

abc:~ jmjones$ ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/Users/jmjones/.ssh/id_rsa):
Created directory '/Users/jmjones/.ssh'.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /Users/jmjones/.ssh/id_rsa.
Your public key has been saved in /Users/jmjones/.ssh/id_rsa.pub.
The key fingerprint is:
fe:e9:fa:f5:e2:4e:a1:6c:9e:9e:20:a4:cc:ec:4f:62 jmjones@abc
The key's randomart image is:
[randomart image omitted]

I accepted the default file name id_rsa and left the passphrase empty. If you do protect the key with a passphrase, you must enter it each time the key is used. Running ssh-keygen produced two files in $HOME/.ssh:

abc:~ jmjones$ ls -l ~/.ssh/
total 16
-rw-------  1 jmjones  staff  1675 Dec 30 id_rsa
-rw-r--r--  1 jmjones  staff   400 Dec 30 id_rsa.pub

id_rsa is my private key. Nobody else may read this file, since anyone who holds it can impersonate me; note that its permissions (-rw-------) are more restrictive than those of id_rsa.pub. id_rsa.pub is the public key, and I can hand it to anyone I want to connect to, because the private key cannot be derived from it.

To use this key with the server from the earlier example, the contents of the public key go into the file $HOME/.ssh/authorized_keys on the remote server. The usual way to set this up is to log in to the remote server over SSH and copy the contents of the local id_rsa.pub into the remote authorized_keys file, as shown below:

jmjones@oksir:~$ echo "ssh-rsa <base64 public key copied from id_rsa.pub> jmjones@abc" > ~/.ssh/authorized_keys
jmjones@oksir:~$ ls -l ~/.ssh/
total 4
-rw-r--r--  1 jmjones  400 authorized_keys
jmjones@oksir:~$

After this, logging in no longer prompts for a password. Log out of the server and connect again with SSH:

jmjones@oksir:~$ logout
Connection to 192.168.1.20 closed.
abc:~ jmjones$ ssh 192.168.1.20
Be careful. No mail.
Last login: Tue Dec 30 17:50:26 2008 from abc

Note that the client no longer asks for a password: connecting to this server over SSH now logs you in immediately.
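An added example, not from the original article, that performs the installation described in this section from a script. Unlike the `echo ... > ~/.ssh/authorized_keys` shown above, it appends instead of overwriting, skips keys that are already present, and sets the permissions sshd requires; the function name is mine and the demo key at the bottom is constructed.

```shell
#!/bin/sh
# Added example, not from the original article: install a public key into
# authorized_keys as the article does by hand, without the two pitfalls of
# `echo "ssh-rsa ..." > ~/.ssh/authorized_keys`:
#   - ">" truncates the file, silently dropping every key already in it;
#   - sshd refuses to use authorized_keys if it or ~/.ssh is writable by
#     the group or others, so the permissions are set explicitly here.
# Usage: install_authorized_key <public key file> [home directory]

install_authorized_key() {
    pub=$1
    home=${2:-$HOME}
    sshdir=$home/.ssh
    authkeys=$sshdir/authorized_keys

    # A public key file holds one line: "<type> <base64 blob> [comment]".
    # Reject anything else, in particular a private key passed by mistake
    # (those begin with "-----BEGIN").
    [ -f "$pub" ] || { echo "no such file: $pub" >&2; return 1; }
    key=$(head -n 1 "$pub")
    case "$key" in
        "ssh-rsa "*|"ssh-ed25519 "*|ecdsa-sha2-*" "*) ;;
        *) echo "not a public key line: $pub" >&2; return 1 ;;
    esac

    # Create the directory and file with the permissions sshd expects.
    mkdir -p "$sshdir" && chmod 700 "$sshdir" || return 1
    touch "$authkeys" && chmod 600 "$authkeys" || return 1

    # Idempotent: compare key type and blob only, not the comment, so that
    # re-running the script never produces duplicate entries.
    material=$(printf '%s' "$key" | cut -d' ' -f1,2)
    if cut -d' ' -f1,2 "$authkeys" | grep -qxF -- "$material"; then
        echo "key already present in $authkeys"
        return 0
    fi
    printf '%s\n' "$key" >> "$authkeys"
    echo "installed key in $authkeys"
}

# Demo on a constructed key (not a real key) in a temporary directory;
# the second call reports that the key is already present.
demo=$(mktemp -d)
printf '%s\n' 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAAwEAAQ== jmjones@abc' \
    > "$demo/id_rsa.pub"
install_authorized_key "$demo/id_rsa.pub" "$demo"
install_authorized_key "$demo/id_rsa.pub" "$demo"
```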

4. Execute remote commands

As noted above, once SSH has connected to the remote server we land in a shell prompt by default, but that is not all we can do. Another useful way to use the ssh client is to run a command on the remote server without typing it into an interactive shell there: when you run ssh on the local system, you can specify the command to execute on the remote system. For example, to see whether a process is listening on port 25 of the remote system:

abc:~ jmjones$ ssh 192.168.1.20 netstat -ltpn | grep 25
(Not all processes could be identified, non-owned process info
 will not be shown, you would have to be root to see it all.)
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      -

The syntax on the first line is "ssh address command". The same technique can be used to check disk usage, list running processes, or copy files.

Why not simply log in and run the commands interactively? Because that gives up the benefits of scripting: a command executed on the remote system this way can become one step in a shell script.
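An added example (not from the original article) of the "ssh address command" form used inside a script, applied to the port-25 check from above. The function names and host names are illustrative; the hosts are assumed to accept the authorized key set up in section 3.

```shell
#!/bin/sh
# Added example, not from the original article: the "ssh address command"
# form used from a script. Two options matter as soon as ssh runs without a
# person at the keyboard: BatchMode=yes makes ssh fail instead of hanging on
# a password prompt when key authentication does not work, and
# StrictHostKeyChecking=yes makes it refuse unknown or changed host keys
# instead of asking the "(yes/no)?" question nobody is there to answer.

# Run a command on one host. ssh exits with 255 when the connection itself
# fails; any other status is the remote command's own exit status.
run_remote() {
    host=$1
    shift
    ssh -o BatchMode=yes -o StrictHostKeyChecking=yes -o ConnectTimeout=10 \
        "$host" "$@"
}

# Report whether something is listening on a TCP port on each host named.
# Quoting the whole pipeline makes grep run on the remote side; in the
# article's "ssh 192.168.1.20 netstat -ltpn | grep 25" the grep runs locally.
# Returns 0 only if every host was reachable and listening.
check_listening_port() {
    port=$1
    shift
    failures=0
    for host; do
        if run_remote "$host" "netstat -ltn 2>/dev/null | grep -q ':$port '"; then
            echo "$host: port $port is listening"
        else
            status=$?
            if [ "$status" -eq 255 ]; then
                echo "$host: ssh failed (host key, key auth or network)" >&2
            else
                echo "$host: nothing listening on port $port"
            fi
            failures=$((failures + 1))
        fi
    done
    [ "$failures" -eq 0 ]
}

# Example invocation (illustrative hosts, needs the authorized key in place):
# check_listening_port 25 192.168.1.20 192.168.1.21
```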

SSH is an important tool. Most commonly it gives us an interactive shell on a remote server, which is indispensable for remote system administration. But by using authorized keys we can also strengthen the security of the authentication step.
