What is SSH?
SSH stands for Secure Shell. With SSH, all transmitted data is encrypted, so that man-in-the-middle attacks are not possible and DNS and IP spoofing can be prevented. An additional benefit is that the transmitted data is compressed, which speeds up transmission. SSH has many functions: it can replace Telnet and can provide a secure "channel" for FTP, POP, or even PPP. When the SSH client communicates with the server, the username and password are encrypted, which effectively prevents eavesdropping on the password. SSH was originally developed by a Finnish company, but because of copyright and encryption-algorithm restrictions, many people have now turned to OpenSSH. OpenSSH is a free alternative to SSH, and more and more people can be expected to use it instead of SSH in the future. SSH consists of client and server-side software. SSH is easy to install, easy to use, and widely available: UNIX systems in general, Linux systems and FreeBSD systems ship with a package that provides SSH.
How does SSH's security verification work?
From a client perspective, SSH provides two levels of security authentication.
The first level (password-based security authentication): you can log on to a remote host as long as you know your account name and password. All transmitted data is encrypted, but there is no guarantee that the server you are connecting to is the server you intended to connect to. Another server may be impersonating the real one, which is a "man-in-the-middle" attack.
The second level (key-based security authentication) relies on keys: you create a key pair for yourself and place the public key on the server you need to access. When you connect to an SSH server, the client software sends the server a request for authentication with your key. After receiving the request, the server looks up your public key in your home directory on the server and compares it with the public key you sent. If the two keys are identical, the server encrypts a "challenge" with the public key and sends it to the client software. After the client software receives the "challenge", it decrypts it with your private key and sends it back to the server.
With this method, you must know the passphrase of your private key. However, unlike the first level, the second level does not require a password to be sent over the network.
The second level not only encrypts all transmitted data, it also makes the "man-in-the-middle" attack impossible (because the attacker does not have your private key). However, the entire login process may take 10 seconds.
Format of the command
First, make sure the server-side SSH service is running (service sshd start)
Then enter on the client side: ssh username@serverip (remote login, like telnet)
scp filename username@serverip:/url (remote transfer)
Frequently occurring problems:
Question One
Connecting to the port fails when logging in over SSH
Prompt (1):
# ssh 172.16.81.221
ssh: connect to host 172.16.81.221 port 22: No route to host
This is because the server is not booted or the network is not reachable. There are many possible causes; the simplest is that the network cable is not plugged in, or a network card may be down, and so on.
Prompt (2):
# ssh work@172.16.81.221
ssh: connect to host 172.16.81.221 port 22: Connection refused
This is because the SSH service on the other server is not running. Start the service on the server side.
Question Two
The password is correct when logging in to the server over SSH, but the following message is reported:
# ssh 172.16.81.221
root@172.16.81.221's password:
Permission denied, please try again.
This is because the login defaults to root when no username is entered, but for security reasons the SSH service does not allow root to log in over SSH by default.
Workaround:
To change the SSH permission for root, edit the /etc/ssh/sshd_config file and change
PermitRootLogin no to PermitRootLogin yes
Question Three
The following prompt appears at login:
ssh root@172.16.81.221
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that the RSA host key has just been changed.
The fingerprint for the RSA key sent by the remote host is
76:fb:b3:70:14:48:19:d6:29:f9:ba:42:46:be:fb:77.
Please contact your system administrator.
Add correct host key in /home/fante/.ssh/known_hosts to get rid of this message.
Offending key in /home/fante/.ssh/known_hosts:68
RSA host key for 172.16.81.221 has changed and you have requested strict.
Host key verification failed.
This occurs when the server-side password or something else on the server has changed. The usual solution is to delete the corresponding line in ~/.ssh/known_hosts and then log in again.
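The warning above asks you to contact the system administrator before touching known_hosts. The following added example (not part of the original article) replaces the offending line only when the new key's fingerprint matches the one the administrator confirmed out of band. The function names, the 192.0.2.10 entry and both key blobs are constructed for illustration and are not real keys.

```python
import base64
import hashlib
import hmac
import struct


def md5_fingerprint(key_b64: str) -> str:
    """Colon-separated MD5 fingerprint, the format shown in the warning."""
    digest = hashlib.md5(base64.b64decode(key_b64)).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, 32, 2))


def replace_offending_key(known_hosts: str, lineno: int, host: str,
                          new_key: str, confirmed_fp: str) -> str:
    """Swap line `lineno` (1-based, as in 'known_hosts:68') for `new_key`
    only if the new key's fingerprint equals the one the administrator
    confirmed; otherwise raise and return nothing, so nothing is changed."""
    lines = known_hosts.splitlines()
    hosts = lines[lineno - 1].split()[0]
    if host not in hosts.split(","):
        raise ValueError(f"line {lineno} is not an entry for {host}")
    new_type, new_b64 = new_key.split()[:2]
    if not hmac.compare_digest(md5_fingerprint(new_b64), confirmed_fp.lower()):
        raise ValueError("fingerprint mismatch: keep the old entry, do not connect")
    lines[lineno - 1] = f"{hosts} {new_type} {new_b64}"
    return "\n".join(lines) + "\n"


def _ssh_string(data: bytes) -> bytes:
    """Length-prefixed field as used inside SSH public key blobs."""
    return struct.pack(">I", len(data)) + data


def _fake_rsa_blob(seed: bytes) -> str:
    """Constructed sample data: an 'ssh-rsa'-shaped blob, not a real key."""
    n = b"\x00" + hashlib.sha256(seed).digest() * 8
    blob = _ssh_string(b"ssh-rsa") + _ssh_string(b"\x01\x00\x01") + _ssh_string(n)
    return base64.b64encode(blob).decode()


OLD_KEY = _fake_rsa_blob(b"old host key")
NEW_KEY = _fake_rsa_blob(b"new host key")
KNOWN_HOSTS = f"192.0.2.10 ssh-rsa {OLD_KEY}\n172.16.81.221 ssh-rsa {OLD_KEY}\n"

if __name__ == "__main__":
    fp = md5_fingerprint(NEW_KEY)  # stands in for the value the admin reads out
    print(replace_offending_key(KNOWN_HOSTS, 2, "172.16.81.221",
                                f"ssh-rsa {NEW_KEY}", fp))
```

Current OpenSSH releases print SHA256 fingerprints by default; `ssh-keygen -l -E md5 -f <keyfile>` gives the colon-separated form used in the warning above.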