Secure data transmission in Linux Using SSH (figure)

Source: Internet
Author: User
Tags ssh server
Services such as FTP, Telnet, and POP that are still widely used on the Internet are inherently insecure: they transmit passwords and data over the network in plaintext, so an attacker who can observe the traffic can easily capture those passwords and data, undermining both the confidentiality and the integrity of the data. This article describes how to use SSH software on Linux to protect data in transit with encryption, even over an untrusted network.
  
SSH stands for Secure Shell. With SSH, all transmitted data is encrypted, so even if an attacker on the network intercepts the user's traffic, they cannot decrypt it and therefore cannot pose a real threat to the transmission. In addition, the transmitted data can be compressed, which can speed up the transfer. SSH has many functions: it can replace Telnet, and it can provide a secure "transmission channel" for FTP and POP. In an insecure network environment it provides strong authentication and a very secure communication channel.
  
SSH consists of client and server software. There are two incompatible protocol versions, 1.x and 2.x: a client that speaks only SSH 2.x cannot connect to an SSH 1.x server. OpenSSH 2.x supports both SSH 1.x and 2.x.
  
SSH provides two levels of security verification. The first is password-based verification: as long as you know your account name and password, you can log on to the remote host. All transmitted data is encrypted, but there is no guarantee that the server you are connecting to is the server you intended to reach; another server could impersonate the real one, which is a potential threat.
  
The second is key-based verification. You must create a public/private key pair for yourself and place the public key on the server you want to access. When you connect to the SSH server, the client software sends the server a request to authenticate with the user's key. On receiving the request, the server first looks up the user's public key in that user's home directory on the server and compares it with the public key sent by the client. If the two keys match, the server encrypts a challenge with the public key and sends it to the client software. The client decrypts the challenge with the user's private key and sends the result back to the server.
  
   Install and start SSH
  
Red Hat Linux 7 and later releases include the OpenSSH packages. If they are missing, you can download the RPM packages from the OpenSSH homepage, www.openssh.com, and install them yourself. The main packages to install are: openssh-3.5p1-6, openssh-server-3.5p1-6, openssh-askpass-gnome-3.5p1-6, openssh-clients-3.5p1-6, and openssh-askpass-3.5p1-6. Install them with the following commands.
  
First, check whether the software package is installed.
  
# rpm -qa | grep openssh
  
If not, run the following command.
  
# rpm -ivh openssh-3.5p1-6
  
# rpm -ivh openssh-server-3.5p1-6
  
# rpm -ivh openssh-askpass-gnome-3.5p1-6
  
# rpm -ivh openssh-clients-3.5p1-6
  
# rpm -ivh openssh-askpass-3.5p1-6
  
After the installation is complete, use either of the following two commands to start.
  
# service sshd start
  
# /etc/rc.d/init.d/sshd start
  
In addition, if you want the service to start automatically at boot, use the setup command: in the system services configuration option, select the sshd daemon.
  
After OpenSSH is installed and started, run the following command to test it.
  
ssh -l [username] [address of the remote host]
  
If OpenSSH works properly, the following prompt is displayed:
  
The authenticity of host [hostname] can't be established.
  
Key fingerprint is 1024 5f:a0:0b:65:d3:82:df:ab:44:62:6d:98:9c:fe:e9:52.
  
Are you sure you want to continue connecting (yes/no)?
  
When you log on for the first time, OpenSSH warns you that it does not yet know the host you are logging on to. If you type "yes", the host's identification (its host key) is added to the "~/.ssh/known_hosts" file, and the prompt is not shown again when you access the same host a second time. SSH then prompts you for the password of your account on the remote host. The SSH connection is now established and can be used just as easily as Telnet.
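To make the "yes" step above concrete, here is a small POSIX sh model (an added example, not code from the original article) of what happens to ~/.ssh/known_hosts: the first function looks a host up in a known_hosts-style file, and the second records a new host only when it is not already listed, which is exactly the "trust on first use" decision the prompt asks you to make. The file path and the host keys in the demonstration are constructed placeholders, not real keys.

```shell
#!/bin/sh
# Added example: a minimal model of known_hosts lookup and first-use recording.
# Plain (unhashed) entries only; the key strings below are constructed samples.

# known_host_entry FILE HOST
# Prints the matching line and returns 0 if HOST is listed, 1 otherwise.
known_host_entry() {
    [ -f "$1" ] || return 1
    awk -v host="$2" '
        /^#/ || /^[[:space:]]*$/ { next }   # skip comments and blank lines
        /^\|1\|/ { next }                   # hashed entries cannot be matched by name here
        {
            n = split($1, names, ",")       # field 1 may list several names/IPs
            for (i = 1; i <= n; i++)
                if (names[i] == host) { print; found = 1; exit }
        }
        END { exit found ? 0 : 1 }
    ' "$1"
}

# known_host_add FILE HOST KEYTYPE BASE64KEY
# Appends the host key (what answering "yes" does). Returns 0 if added,
# 2 if the host was already known and nothing was changed.
known_host_add() {
    if known_host_entry "$1" "$2" >/dev/null 2>&1; then
        return 2
    fi
    printf '%s %s %s\n' "$2" "$3" "$4" >> "$1"
    return 0
}

# Stand-alone demonstration on a temporary file.
demo_known_hosts() {
    tmp=$(mktemp) || return 1
    # Constructed sample: one host already trusted, listed by name and by IP.
    printf 'server1.example.test,192.0.2.10 ssh-rsa AAAAB3NzaC1yc2Econstructed\n' > "$tmp"
    if known_host_entry "$tmp" server1.example.test >/dev/null; then
        echo "server1.example.test: already known, no prompt"
    fi
    if known_host_add "$tmp" other.example.test ssh-ed25519 AAAAC3NzaC1lZDI1constructed; then
        echo "other.example.test: recorded on first use"
    fi
    rm -f "$tmp"
}
demo_known_hosts
```

The lookup deliberately skips entries beginning with `|1|`: OpenSSH can store hashed host names, and those cannot be matched by a plain string comparison.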
  
   SSH key management
  
1. Generate your own key pair
  
Use the following command to generate a public/private key pair: ssh-keygen -t type. If the remote host uses SSH 2.x, use ssh-keygen -d. It is fine to have SSH1 and SSH2 keys on the same host, because they are stored in different files. The ssh-keygen command prints the following:
  
# ssh-keygen -t rsa
  
Generating public/private rsa key pair.
  
Enter file in which to save the key (/home/username/.ssh/id_rsa):
  
Enter passphrase (empty for no passphrase):
  
Enter same passphrase again:
  
Your identification has been saved in /home/username/.ssh/id_rsa.
  
Your public key has been saved in /home/username/.ssh/id_rsa.pub.
  
The key fingerprint is:
  
38:25:c1:4d:5d:d3:89:bb:46:67:bf:52:af:c3:17:0c username@localhost
  
Generating RSA keys:
  
Key generation complete.
  
The "ssh-keygen -d" command does the same job, but by default it stores the pair in /home/[user]/.ssh/id_dsa (private key) and /home/[user]/.ssh/id_dsa.pub (public key). The user now has a key pair: the public key should be distributed to every remote host the user wants to log on to via SSH; the private key must be kept safe so that nobody else learns it. The file permissions shown by "ls -l ~/.ssh/identity" or "ls -l ~/.ssh/id_dsa" must be "-rw-------".
  
If you suspect that your key has been known by others, you should immediately generate a new key. Of course, after doing so, you still need to resend the public key for normal use.
  
2. Distribute public keys
  
In the user's home directory on the remote host, create a ".ssh" subdirectory, copy the user's public key "identity.pub" into it, and rename it "authorized_keys". Then run the following command:
  
chmod 644 .ssh/authorized_keys
  
This step is essential. If anyone other than the user has write permission on the "authorized_keys" file, SSH will refuse to work properly, and the file could be tampered with.
  
If you want to log on to a remote host from several different computers, the "authorized_keys" file can hold more than one public key. In that case, generate a new key pair on the new computer and paste the contents of its "identity.pub" file into the "authorized_keys" file on the remote host. Of course, the user on the new computer must have an account there, and the key should be protected by a passphrase. Remember to delete this key pair when the user's account is cancelled.
  
   Configure the SSH client
  
Using SSH from a Linux client needs no additional software, although it is less intuitive than a graphical tool. You only need the default configuration file "/etc/ssh/ssh_config" shipped with the system and the following simple command to log on:
  
# Log on to the remote server www.test.com as user test
  
# ssh -l test www.test.com
  
The following section describes how to use the PuTTY tool on Windows to log on to the SSH server. This tool is widely used and can be downloaded free of charge from the Internet; at the time of writing the latest version is PuTTY 0.58. After installing it, configure it as follows:
  
1. Open the software and enter the configuration interface. The software automatically opens the Session window at the beginning.
  
2. In the Host Name (or IP address) box on the right of the window, enter the address of the server you want to log on to, here 192.168.10.1. In the Port box enter the default port number 22, then click Save to store the configuration, as shown in Figure 1.
    
   Configure the IP address and port number
  
3. Click Open to connect to the server. Once the connection is established, you can carry out remote management tasks.
  
   Configure Automatic SSH Logon
  
In the usage described so far, the user has to enter a password every time they log on to the server, which is inconvenient. Because SSH is built on a key mechanism, a one-time configuration lets you log on afterwards without entering a password. The following uses a Windows client as an example to show how to configure automatic SSH logon.
  
On Windows, the PuTTY client described above also makes automatic logon easy. It relies on the PuTTYgen tool from the PuTTY suite to generate the public/private key pair; the principle is the same as on Linux. The configuration steps are described below.
  
1. Open the PuTTYgen tool to generate a public/private key pair, and select SSH2 RSA as the type of key to generate.
  
   Main Interface of PuttygenGenerator
  
2. Click Generate to start generating the key pair. Move the mouse around in the blank area to supply the randomness the key generation needs.
  
3. Once the key pair has been generated, you are prompted to save it. Click Save public key and Save private key to save the public key and the private key respectively.
  
4. Connect to the server with PuTTY, log on with your own account, and create the authorized_keys file in your home directory from the public key: open the id_rsa1.pub file in Notepad, select all of its contents, press Ctrl+C to copy them to the clipboard, press Shift+Ins in the PuTTY window to paste them, and press Ctrl+D to finish writing the file. This completes the public key distribution.
  