Secure Shell Protocol (SSH)

Source: Internet
Author: User
Tags: ssh, server

From: http://bbs.hx95.com/read-htm-tid-230463.html


I. Introduction to SSH

SSH stands for Secure Shell (the full name is Secure Shell Protocol). It works much like Telnet, but with far stronger security: all transmitted data is encrypted, so that the "man-in-the-middle" attack is not possible, and DNS and IP spoofing are also prevented. A further advantage is that the transmitted data is compressed, which speeds up transfer. SSH has many uses: it can replace Telnet and provide a secure "channel" for FTP, POP, and even PPP.

SSH was originally developed by a Finnish company. Because of copyright and encryption-algorithm restrictions, however, many people are now switching to OpenSSH (http://www.openssh.com/).

OpenSSH is a free replacement for SSH, and it is expected that more and more people will use it instead of SSH in the future. For ease of explanation, this article uses SSH as the example when introducing the relevant concepts.

II. Background of SSH

Traditional network services such as FTP, POP, and Telnet are inherently insecure because they transmit passwords and data in plain text over the network, where anyone with ill intent can easily intercept them. The authentication methods of these services also have a weakness: they are vulnerable to man-in-the-middle attacks. In a "man-in-the-middle" attack, the attacker impersonates the real server to receive the data you send to it, and then impersonates you to pass that data on to the real server. Many network attackers currently use this technique. SSH came into being to prevent such attacks.

III. How does SSH security verification work?

From the client's perspective, SSH provides two levels of security authentication.

Level 1 (password-based authentication): you can log on to the remote host as long as you know your account name and password. All transmitted data is encrypted, but there is no guarantee that the server you are connecting to is the one you intended to connect to; another server may impersonate the real one, that is, a man-in-the-middle attack.

Level 2 (key-based authentication) relies on a key pair: you create a pair of keys for yourself and place the public key on the server you want to access. When you connect to the SSH server, the client software sends a request asking the server to verify you with your key. On receiving the request, the server first looks for your public key in your home directory on the server and compares it with the public key the client sent. If the two keys match, the server encrypts a challenge with the public key and sends it to the client software. After receiving the challenge, the client decrypts it with your private key and sends the result back to the server.

In this way, you must know the passphrase of your key. Compared with the first level, however, the second level never transmits a password over the network.

The second level not only encrypts all transmitted data but also makes the "man-in-the-middle" attack impossible, because the attacker does not have your private key. However, the entire logon process may take 10 seconds.
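As an added example (not from the original article), the following Python simulates the level-2 exchange just described with a deliberately tiny textbook RSA key: the server compares the offered public key with the stored one, encrypts a random challenge with it, and accepts only a client that can decrypt that challenge. The key sizes, the user names and the AUTHORIZED table are constructed for illustration; real SSH keys are thousands of bits long.

```python
import secrets
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class PublicKey:
    n: int  # modulus
    e: int  # public exponent


@dataclass(frozen=True)
class KeyPair:
    public: PublicKey
    d: int  # private exponent; never leaves the client


def toy_keypair(p: int, q: int, e: int = 17) -> KeyPair:
    """Textbook RSA from two small primes (constructed for illustration only)."""
    n, phi = p * q, (p - 1) * (q - 1)
    return KeyPair(PublicKey(n, e), pow(e, -1, phi))


# Server side: the public keys users placed in their home directories
# (the stored keys the article describes). Constructed, initially empty.
AUTHORIZED: Dict[str, PublicKey] = {}


def server_challenge(user: str, offered: PublicKey,
                     challenge: Optional[int] = None) -> Optional[Tuple[int, int]]:
    """Server: look up the user's stored key, compare it with the offered key,
    then encrypt a random challenge with it. Returns (challenge, ciphertext),
    or None when the key is unknown or does not match the stored one."""
    stored = AUTHORIZED.get(user)
    if stored is None or stored != offered:
        return None  # refuse before issuing any challenge at all
    if challenge is None:
        challenge = secrets.randbelow(stored.n - 2) + 2
    return challenge, pow(challenge, stored.e, stored.n)


def client_respond(key: KeyPair, ciphertext: int) -> int:
    """Client: decrypt the challenge with the private exponent."""
    return pow(ciphertext, key.d, key.public.n)


def authenticate(user: str, key: KeyPair, challenge: Optional[int] = None) -> bool:
    """Run the whole exchange; True only if the client holds the matching
    private key. A fixed challenge may be passed in for reproducible runs."""
    issued = server_challenge(user, key.public, challenge)
    if issued is None:
        return False
    expected, ciphertext = issued
    return client_respond(key, ciphertext) == expected
```

A client that knows only the public key (for example an attacker who copied it from the server) still fails, because producing the correct response requires the private exponent.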

IV. Main Components of SSH

Transport Layer Protocol (SSH-TRANS): provides server authentication, confidentiality, and integrity, and optionally compression. SSH-TRANS typically runs over a TCP/IP connection but can also be used over any other reliable data stream. It provides strong encryption, cryptographic host authentication, and integrity protection. Authentication in this protocol is host-based; it does not perform user authentication. Higher-level user authentication protocols can be designed on top of it.

User Authentication Protocol (SSH-USERAUTH): provides authentication of the client user to the server. It runs on top of the transport layer protocol SSH-TRANS. When SSH-USERAUTH starts, it receives a session identifier from the lower-level protocol (the exchange hash H from the first key exchange). The session identifier uniquely identifies this session and is included in the data that is signed to prove ownership of the private key. SSH-USERAUTH also needs to know whether the lower-level protocol provides confidentiality protection.

Connection Protocol (SSH-CONNECT): multiplexes the encrypted tunnel into multiple logical channels. It runs on top of the user authentication protocol and provides interactive login sessions, remote command execution, forwarding of TCP/IP connections, and forwarding of X11 connections.

Once a secure transport-layer connection is established, the client sends a service request. After user authentication is complete, a second service request is sent. This allows newly defined protocols to coexist with the ones above. The connection protocol provides a wide range of channels, with standard methods for establishing secure interactive session shells and for forwarding ("tunneling") arbitrary TCP/IP ports and X11 connections.

V. Two Parts of SSH

The SSH software package consists of two parts: a server side and a client side. The server is installed on the managed side, that is, on the devices that require remote management, while the client is installed on the operator's host. SSH packages exist for all operating systems, including Microsoft Windows, Linux, and Cisco IOS.


VI. Configuration Example

Because SSH uses encryption, its configuration is more involved than Telnet's. Next we take a Cisco firewall as an example to see how to configure SSH so that it takes effect on the server.

Enabling the SSH service on the firewall takes five steps.

Step 1: Configure the firewall host name.

This step is not strictly required to enable the SSH service, but I suggest giving the firewall a proper name. When accessing the SSH service from a client, typing a name is much simpler than typing an IP address, and a name is far easier to remember than a dull string of numbers. A memorable SSH server name is therefore the basis for managing SSH servers.

On a Cisco firewall, the hostname command configures the name of the SSH server. To make devices easy to identify, naming should generally follow a convention, for example a "device type-object name" rule.

Step 2: Generate a key pair.

On a Cisco firewall, we recommend the key authentication method, so a key pair must be generated for the firewall. This step is also simple, because the firewall has a default key-generation method: the administrator only needs to enter the command ca generate rsa key 1024 at the command line, and the firewall operating system generates the key pair automatically. After the key pair is generated, the administrator must also run ca save all to save it.

Note that different systems use different encryption mechanisms, so the way key pairs are generated also differs. An enterprise security manager should have a unified plan for key generation and, where security permits, standardize the key generation method across the company. This greatly reduces maintenance work.

Step 3: Specify the IP address of the client.

To improve the security of remote management, the Cisco firewall filters by client IP address: on the SSH server you must specify the IP address of the client, and only clients at allowed IP addresses can connect to the SSH server.

This is an important security control. It means that only specific clients can manage the firewall remotely over SSH; unauthorized clients have no access at all, which protects SSH remote management.

The administrator uses the ssh ip_address command to configure the client IP addresses that are allowed to connect. Generally, only the administrator's host is allowed to access the device through SSH.

Step 4: Set the access password.

Although restricting clients already improves SSH security, it is still necessary to set an access account and password. The SSH server sometimes has a default user name; to keep the server secure, we strongly recommend changing the default password immediately. Changing the default accounts and passwords of servers and devices is an essential habit for network security staff. In SSH, the password command changes the SSH login password.

Step 5: Set the idle timeout.

Finally, set the idle time after which a session is disconnected. This works like a screen saver: sometimes you have to leave the SSH client for a while, but the SSH session stays open while you are away. What if someone uses that time to do damage? So, just as with a screen saver, we set a maximum idle time for the SSH session; when the limit expires, the SSH server automatically terminates the session, protecting the server. Use the ssh timeout command to set the maximum idle time, in minutes. By default, the maximum idle time is 5 minutes.

Generally, no additional configuration is needed on the client; the only thing to consider when choosing a client is compatibility. That is, if the server uses SSH1, the client must also be SSH1, and if the server uses SSH2, the client must also be SSH2 (the versions must correspond).

There are two convenient ways to manage multiple SSH servers. First, use the key authentication method described above; then only one account and password are needed to manage all SSH services. Second, save the related configuration on the SSH client; when the administrator needs to access an SSH server, he only selects it on the client instead of entering the server settings, such as IP address and port, each time.
