Principles and Application of SSH remote logon and ssh remote Logon

Principles and Application of SSH remote logon and ssh remote Logon

SSH is the standard configuration for each Linux computer.

 

As Linux devices gradually expand from computers to mobile phones, peripherals, and household appliances, SSH is widely used. Not only do programmers have to do with it, but many common users also use it every day.

 

SSH has multiple features and can be used in many scenarios. Some things cannot be done without it. This article is my study note, which summarizes and explains the common usage of SSH and hopes to be useful to you.

 

Although this article only involves primary applications, it is relatively simple, but the readers need to have the most basic "Shell knowledge" and understand the concept of "public key encryption.

 

1. What is SSH?

 

To put it simply, SSH is a network protocol used for encrypted login between computers.

 

If a user logs on to another remote computer from a local computer using the SSH protocol, we can think that such logon is safe and the password will not be disclosed even if it is intercepted midway through.

 

At the earliest time, the Internet communication was plain text communication. Once intercepted, the content was exposed. In 1995, Finnish scholar Tatu Ylonen designed the SSH protocol to encrypt all login information, which became a basic solution for Internet security and was quickly promoted worldwide, it has become a standard configuration for Linux systems.

 

It should be noted that SSH is only a protocol and there are multiple implementations, both commercial implementation and open-source implementation. The implementation of this article is OpenSSH, which is a free software and widely used.

 

In addition, this article only discusses the usage of SSH in Linux Shell. If you want to use SSH in Windows, another software PuTTY is used.

 

Ii. Basic usage

 

SSH is mainly used for remote logon. Assume that you want to log on to the remote host using the user name. You only need a simple command.

 

$ ssh user@host

 

If the local user name is the same as the remote user name, the user name can be omitted during logon.

 

$ ssh host

 

The default SSH port is 22, that is, your login request is sent to port 22 of the remote host. Use the p parameter to modify the port.

 

$ ssh -p 2222 user@host

 

The above command indicates that ssh is directly connected to port 2222 of the remote host.

  3. Man-in-the-middle attack

 

SSH ensures security because it uses public key encryption.

 

The entire process is as follows: (1) the remote host receives the user's login request and sends its own public key to the user. (2) The user uses this public key to encrypt the logon password and send it back. (3) the remote host uses its own private key to decrypt the login password. If the password is correct, the user is allowed to log on.

 

This process is safe, but there is a risk during implementation: If someone intercepts the login request, impersonate a remote host, and send the forged public key to the user, it is difficult for users to identify authenticity. Unlike the https protocol, the public key of the SSH protocol is not notarized by the certificate Center (CA), that is, it is issued by itself.

 

It can be imagined that, if an attacker is inserted between a user and a remote host (for example, in a public Wi-Fi area), he or she uses a forged public key to obtain the user's logon password. Use this password to log on to the remote host, and the SSH security mechanism will disappear. This risk is known as Man-in-the-middle attack ).

 

How does the SSH protocol work?

 

Iv. Password Logon

 

If you log on to the host for the first time, the following prompt will appear:

 

$ ssh user@host
The authenticity of host 'host (12.18.429.21)' can't be established.
RSA key fingerprint is 98:2e:d7:e0:de:9f:ac:67:28:c2:42:2d:37:16:58:4d.
Are you sure you want to continue connecting (yes/no)?

 

In this section, you cannot confirm the authenticity of the host. You only know its Public Key fingerprint. Do you want to continue the connection?

 

The so-called "Public Key fingerprint" refers to the long length of the public key (RSA algorithm is used here, up to 1024 bits), which is difficult to compare. Therefore, MD5 calculation is performed on the Public Key fingerprint, turn it into a 128-bit fingerprint. In the preceding example, 98: 2e: d7: e0: de: 9f: ac: 67: 28: c2: 42: 2d: 37: 16: 58: 4d, it is much easier.

 

Naturally, how do users know the public key fingerprint of the remote host? There is no good way to answer this question. The remote host must have a public key fingerprint on its own website so that you can check the fingerprint on your own.

 

Assuming that, after the risk is measured, the user decides to accept the public key of the remote host.

 

Are you sure you want to continue connecting (yes/no)? yes

 

The system prompts that the host has been recognized.

 

Warning: Permanently added 'host,12.18.429.21' (RSA) to the list of known hosts.

 

Then, the password is required.

 

Password: (enter password)

 

If the password is correct, you can log on.

 

When the public key of the remote host is accepted, it will be saved in the file $ HOME/. ssh/known_hosts. Next time you connect to the host, the system will recognize that its public key has been saved locally, skip the warning section and prompt you to enter the password.

 

Each SSH user has its own known_hosts file, and the system also has such a file, usually/etc/ssh/ssh_known_hosts, save the public keys of remote hosts trusted to all users.

 

V. Public Key Logon

 

It is very troublesome to log on with a password. Fortunately, SSH also provides public key logon, saving you the need to enter a password.

 

The principle of public key logon is that users store their public keys on remote hosts. When you log on, the remote host sends a random string to the user. After the user encrypts the string with his/her own private key, it returns the string. The remote host uses the pre-stored Public Key for decryption. If the decryption succeeds, it proves that the user is trusted. You can directly log on to the shell without requiring a password.

 

This method requires you to provide your own public key. If not, you can use ssh-keygen to generate one:

 

$ ssh-keygen

 

After running the above command, the system will display a series of prompts, you can press enter all the way. One problem is whether to set a password for the private key (passphrase). If you are worried about the security of the private key, you can set one here.

 

After running, two new files are generated under the $ HOME/. ssh/directory: id_rsa.pub and id_rsa. The former is your public key, and the latter is your private key.

 

Then enter the following command to send the public key to the remote host:

 

$ ssh-copy-id user@host

 

Now, you can log on again without entering the password.

 

If the problem persists, open the/etc/ssh/sshd_config file of the remote host and check whether the comment "#" is removed before the following lines.

 

RSAAuthentication yes
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys

 

Then, restart the ssh service of the remote host.

 

// Ubuntu System
Service ssh restart
 
// Debian system
/Etc/init. d/ssh restart

 

Vi. authorized_keys File

 

The remote host saves the user's public key in the $ HOME/. ssh/authorized_keys file of the user's main directory after logon. The public key is a string that can be appended to the end of the authorized_keys file.

 

The above ssh-copy-id command is not used here. Instead, use the following command to explain the saving process of the public key:

 

$ ssh user@host 'mkdir -p .ssh && cat >> .ssh/authorized_keys' < ~/.ssh/id_rsa.pub

 

This command is composed of multiple statements, which are divided into two parts:

(1) "$ ssh user @ host" indicates logging on to the remote host;

(2) mkdir. ssh & cat>. ssh/authorized_keys in single quotes indicates the Command executed on the remote shell after Logon:

(3) "$ mkdir-p. ssh" is used to create one if the. ssh directory in the user's home directory does not exist;

(4) 'cat>. ssh/authorized_keys '<~ /. Ssh/id_rsa.pub is used to convert the Local Public Key File ~ /. Ssh/id_rsa.pub, redirection to append to the end of the Remote File authorized_keys.

 

After the authorized_keys file is written, the Public Key Logon Setting is complete.

Source: Ruan Yifeng (@ ruanyf)
Link: http://www.ruanyifeng.com/blog/2011/12/ssh_remote_login.html