Introduction to Secure Shell (SSH)

Speaking of secure network access, we believe that the first thing we think of is secure shell, which is usually abbreviated as SSH. This is because SSH is easy to install, easy to use, and common. Generally, UNIX, Linux, and FreeBSD systems all come with applications that support SSH. Program Package.

1. What is SSH?

Traditional network service programs, such as FTP, pop, and telnet, do not consider the security mechanism in terms of transmission mechanism and implementation principle. They are inherently insecure; because they transmit data, user accounts, and user passwords in plain text on the network, malicious users can easily intercept the data, user accounts, and user passwords through eavesdropping and other network attacks. Moreover, the simple security authentication methods of these network service programs also have their weaknesses, that is, they are vulnerable to man-in-the-middle attacks. The so-called "man-in-the-middle" attack means that "man-in-the-middle" impersonates a Real Server to receive the data you send to the server, and then impersonates you to pass the data to the Real Server. When the data transfer between the server and you is transferred by a "man-in-the-middle", serious problems will occur.
SSH is short for the English Secure Shell. By using SSH, You can encrypt all transmitted data, so that the "man-in-the-middle" attack method is impossible, and it can also prevent DNS Spoofing and IP spoofing. Another advantage of using SSH is that the data transmitted is compressed, which can speed up transmission. SSH has many functions. It can replace telnet, provide a secure "channel" for FTP, pop, and even PPP ".
SSH was initially developed by a Finnish company. However, due to copyright and encryption Algorithm Now many people are switching to OpenSSH. OpenSSH is an alternative software package for SSH and is free of charge. It is expected that more and more people will use it instead of SSH in the future.
Finally, SSH is also very characteristic in the running mode. Unlike other TCP/IP applications, SSH is designed to work on its own basis, rather than using wrapper (wrappers) or the Internet daemon inetd. However, many want to run the SSH daemon through TCP packaging. Although you can run the SSH process through tcpd (run and start from inetd), this is completely unnecessary.



2. SSH protocol content

The SSH protocol is a security protocol built on the application layer and transport layer. It consists of the following three parts to achieve SSH security and confidentiality.
Transport Layer Protocol, which provides security measures such as authentication, trust, and integrity testing. In addition, it can also provide any data compression function. Generally, these transport layer protocols are built on connection-oriented TCP data streams.
The user authentication protocol layer is used to authenticate the server and client users. It runs on the transport layer protocol.
Connect to the protocol layer and allocate multiple encrypted channels to some logical channels, which run on the user authentication layer protocol.

After a secure transport layer connection is established, the client sends a service request. After the user authentication layer connection is established, the second service request is sent. This allows the newly defined protocol to coexist with the previous protocol. The connection protocol can be used as a channel for multiple purposes. It provides a standard method for setting secure interaction shell sessions and transmitting arbitrary TCP/IP ports and X11 connections.



3. Ssh security verification

From the client perspective, SSH provides two levels of security authentication.

Level 1 (password-based security verification), you can log on to the remote host as long as you know your account and password, and all transmitted data will be encrypted. However, this authentication method cannot ensure that the server you are connecting to is the server you want to connect. Other servers may pretend to be real servers, that is, being attacked by man-in-the-middle (mitm) attacks.

The second level (Security Verification Based on keys) relies on keys, that is, you must create a pair of keys for yourself and place the public keys on the servers to be accessed. If you want to connect to the SSH server, the client software will send a request to the server, requesting your key for security verification. After receiving the request, the server first looks for your public key in the user root directory of the server, and then compares it with the public key you sent. If the two keys are the same, the server uses the public key to encrypt the challenge and send it to the client software. After receiving the question, the client software can use your private key to decrypt it and then send it to the server.
Compared with the first level, the second level does not need to transmit user passwords over the network. In addition, the second level not only encrypts all transmitted data, but also the "intermediary" attack method is impossible (because it does not have your private key ). However, the entire logon process may be slower.



4. Ssh applications

First, the most common application of SSH is to use it to replace traditional network applications such as telnet and FTP, and log on to a remote machine through SSH to execute the work and commands you want. In an insecure network communication environment, it provides a strong authentication mechanism and a very secure communication environment. In fact, the root intention of SSH developers is to design it to replace the RCP, rlogin, RSH, and other instruction programs on the original UNIX system. However, after proper packaging, it is found that it can completely replace traditional applications such as telnet and FTP.
Traditional BSD-style R-series commands (such as RCP, RSH, and rlogin) are often considered insecure and can be easily cracked by various network attacks, almost all books or files related to Unix security will warn system administrators over and over again to pay attention to the setting of R series commands, system Administrators are even required to disable the R-series commands.
Ssh, which is used to replace R-series commands, is greatly enhanced in terms of security. It not only provides extremely secure encryption protection for communication content, at the same time, it also strengthens the security mechanism for identity authentication. It applies several security encryption mechanisms that have been developed in cryptography, such as encryption key cryptography, asypolicric key cryptography, one-way hash function, random-number generation, and so on, to enhance the security protection for identity authentication and communication content. Data Encryption in communication includes idea, three-key Triple DES, Des, RC4-128, TSS, blowfish, and many other security encryption algorithms, the encrypted key is exchanged through RSA. Data Encryption can defend against IP spoofing. RSA, an asymmetric encryption mechanism, can defend against DNS Spoofing and IP routing spoofing. At the same time, RSA can also verify the host identity.
Second, you can set an "encrypted channel" between the local host and remote server by using SSH ", in addition, the encrypted channel can be combined with common pop applications, X applications, and linuxconf applications to provide security assurance.
SSH's "encrypted channel" is implemented through "port forwarding. You can establish an "encrypted channel" between the local port (unavailable) and the port of a service running on the remote server ". Connect to the local port. All requests to the local port are encrypted by SSH and forwarded to the remote server port. Of course, only "encrypted channels" can work when the SSH server software is running on the remote server.