SSH login process analysis and OpenSSH compilation and usage

Source: Internet
Author: User
Tags: install openssl ssh account

SSH (Secure Shell) is a protocol and program for encrypted remote login. The login exchange is analysed first, followed by compiling and using OpenSSH.

[Authentication principle]

There are two authentication methods:

(1) Account and password-based authentication
(2) Public key and private key-based authentication

The SSH login process is divided into five phases:

1. Version Number negotiation stage
2. Key and algorithm negotiation stage
3. Authentication phase
4. Session Request stage
5. Session interaction stage

Version number negotiation phase
The server listens on TCP port 22 and waits for a client to connect.
The client opens a TCP connection to the server. Once it is established, the server sends its first packet, the identification string, in the form "SSH-<protocol version>-<software version>" (for example SSH-1.99-OpenSSH_2.1.1p4; a server that speaks both protocol 1 and protocol 2 announces itself as 1.99). In protocol 2 both sides send their identification string without waiting for the other. The banner goes out before any encryption, so anyone on the path can read the server's software version from it.
The client parses the protocol version. If the server's version is lower than its own and the client can still speak that older version, it uses the server's version; otherwise it uses its own.
The client replies with its own identification string, carrying the protocol version it has settled on.
The server compares the version the client sent with its own and decides whether it can talk to this client.
If negotiation succeeds, both sides enter the key and algorithm negotiation phase; otherwise the server closes the TCP connection.
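As an added example (not code from the original article), the banner parsing and the client-side version rule described above as POSIX shell functions. The banners passed in are constructed; the rule that a 2.0-capable client treats a 1.99 server as 2.0 comes from RFC 4253.

```shell
#!/bin/sh
# Added example: parse an SSH identification string and apply the client-side
# version-selection rule described above. Banner format (RFC 4253, 4.2):
#   SSH-<protoversion>-<softwareversion>[ <comments>]CRLF

# Print the protocol version from a banner; fail if the line is not an SSH
# banner at all (for example an HTTP reply from a service on the wrong port).
ssh_banner_version() {
    banner=$(printf '%s' "$1" | tr -d '\r\n')
    case "$banner" in
        SSH-*-*) ;;
        *) return 1 ;;
    esac
    rest=${banner#SSH-}
    printf '%s\n' "${rest%%-*}"
}

# negotiate_version SERVER_BANNER CLIENT_VERSION...
# CLIENT_VERSION... are the versions this client speaks, highest first.
# If the server's version is one we can speak, use it; otherwise propose our
# own highest version and let the server accept it or drop the connection.
# A server that identifies as 1.99 speaks both protocol 1 and 2 (RFC 4253,
# 5.1): a 2.0-capable client must treat 1.99 as 2.0, while an old client
# sees a protocol 1 (1.5) server.
negotiate_version() {
    server=$(ssh_banner_version "$1") || return 1
    shift
    if [ "$server" = 1.99 ]; then
        server=1.5
        for v in "$@"; do
            if [ "$v" = 2.0 ]; then server=2.0; break; fi
        done
    fi
    for v in "$@"; do
        if [ "$v" = "$server" ]; then
            printf '%s\n' "$server"
            return 0
        fi
    done
    printf '%s\n' "$1"
}

# Demo with a constructed banner of the kind a dual-protocol server sends.
negotiate_version 'SSH-1.99-OpenSSH_3.9p1' 2.0 1.5
```

To see a real banner, `nc <host> 22 < /dev/null | head -n 1` prints the server's identification string, and `ssh -v` reports the same information as "Remote protocol version ..., remote software version ...".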

Key and algorithm negotiation phase
The server and client each send the other an algorithm negotiation packet listing the public key (host key) algorithms, encryption algorithms, message authentication code (MAC) algorithms and compression algorithms they support.
Each side selects the first algorithm in the client's list that the server also supports, so both arrive at the same choice. Both lists are still sent in the clear, but they are included in the exchange hash that the server signs in the next step, so tampering with them to force weaker algorithms is detected.
Using the chosen key exchange (Diffie-Hellman) together with the server's host key, the two sides derive the shared session key and the session ID (the hash of the first exchange). The server signs the exchange hash with its host key and the client verifies the signature against the host key it already knows (known_hosts); this signature is what ties the key exchange to the genuine server rather than a man in the middle.

The walk-through below uses the simpler protocol 1 scheme, in which the client picks the session key and sends it encrypted under the server's RSA public key instead of deriving it with Diffie-Hellman. Notation:

C-public: client public key
C-secret: client private key
S-public: server public key
S-secret: server private key

After the version number negotiation phase is complete:
The server sends S-public to the client.
The server generates the session ID, called ID, and sends it to the client.
The client generates a random session key, called key, and computes res = ID XOR key.
The client encrypts res with S-public and sends the result to the server.
The server decrypts with S-secret to recover res.
The server computes res XOR ID to recover key.
Now both server and client know the session key and the session ID, and all later traffic is encrypted and decrypted with the session key.

In this scheme the session is only as secret as S-secret: anyone who obtains the server's private key can decrypt a recorded session. Protocol 1 limits the damage with a short-lived server key that is regenerated periodically and also used to encrypt the session key, but only the Diffie-Hellman exchange of protocol 2 gives real forward secrecy, which is one reason protocol 1 support was removed from OpenSSH.

Authentication phase
Account and password-based verification:
The client sends the account name, the authentication method and the password, all encrypted with the session key established during key and algorithm negotiation.
The server decrypts the message with the session key and obtains the account and password.
The server checks them. If the password is wrong, the server sends an authentication failure message to the client containing the list of methods it will still accept.
The client picks a method from that list and tries again.
This repeats until authentication succeeds or the maximum number of attempts (MaxAuthTries in sshd_config) is reached, at which point the server closes the TCP connection.
Note that the password itself is handed to the server in the clear inside the encrypted channel, so this method is only as safe as the host key check in the previous phase: a client that accepts an unknown host key gives its password to whoever answers on port 22.

Public key and private key-based verification:
ssh-keygen generates a key pair, for example the public key id_dsa.pub and the private key id_dsa. Normally the pair is generated on the client and only the public key is copied to the server by some out-of-band means; the private key never leaves the client.
On the server the public key is placed in the .ssh directory of the account that will be logged into (in the authorized_keys file, see [Usage]).
The client sends the account name, the authentication method and its public key, all encrypted with the session key established during key and algorithm negotiation.
The server decrypts the message with the session key and obtains the account and the public key.
The server looks for a matching public key in the .ssh directory of that account. If none is found, it sends a failure message to the client. If the key sent by the client matches a key on file, the server generates a random string, the "challenge", encrypts it with the public key it found, and then encrypts the result again with the session key.
The server sends the doubly encrypted data to the client.
The client decrypts with the session key, then with the private key id_dsa, and obtains the challenge.
The client encrypts the challenge with the session key and sends it back to the server.
The server decrypts with the session key and checks whether the challenge is the one it generated. If it differs, the server sends a failure message; if it matches, authentication succeeds.

This challenge-decryption flow is protocol 1 RSA authentication: the private key is only ever used to decrypt, and the response is bound to the session ID so it cannot be replayed on another connection. It cannot apply to a DSA key such as id_dsa, because DSA can only sign, not encrypt. In protocol 2 the client instead signs the session ID together with the authentication request using its private key, and the server verifies the signature with the public key from authorized_keys. In both protocols the server never receives the private key, which is what makes this method stronger than a password.
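Example code added here, not from the original article: a POSIX shell script that reads the sshd_config keywords governing the password and public key methods described above (PasswordAuthentication, PermitEmptyPasswords, MaxAuthTries, PubkeyAuthentication, StrictModes and the deprecated Protocol) and flags weak values. The two configuration files are constructed samples written to temporary files, and the parser assumes the "Keyword value" spelling rather than "Keyword=value".

```shell
#!/bin/sh
# Added example: review the sshd_config settings that govern the password and
# public key authentication described above. Assumes the "Keyword value"
# spelling (sshd also accepts "Keyword=value", which this parser ignores).
# Both configuration files below are constructed samples.

# First effective value of a keyword, lower-cased: sshd honours the first
# occurrence, the keyword is case-insensitive, and lines after the first
# "Match" block apply only conditionally, so the scan stops there.
# Prints nothing if the keyword is not set.
sshd_first_value() {
    awk -v want="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[ \t]*(#|$)/          { next }
        tolower($1) == "match"  { exit }
        tolower($1) == want     { print tolower($2); exit }
    ' "$1"
}

# Print one line per weak setting and return 1; return 0 when nothing is
# flagged. Fallback values are OpenSSH's own defaults for an unset keyword.
audit_sshd_config() {
    cfg=$1
    findings=0
    proto=$(sshd_first_value "$cfg" Protocol)
    case "$proto" in
        *1*) echo "Protocol $proto: protocol 1 enabled (client-chosen session key under the server RSA key, no forward secrecy)"
             findings=$((findings + 1)) ;;
    esac
    v=$(sshd_first_value "$cfg" PasswordAuthentication)
    if [ "${v:-yes}" = yes ]; then
        echo "PasswordAuthentication yes: password logins accepted, so accounts are exposed to guessing"
        findings=$((findings + 1))
    fi
    v=$(sshd_first_value "$cfg" PermitEmptyPasswords)
    if [ "${v:-no}" = yes ]; then
        echo "PermitEmptyPasswords yes: accounts with an empty password can log in"
        findings=$((findings + 1))
    fi
    v=$(sshd_first_value "$cfg" MaxAuthTries)
    if [ "${v:-6}" -gt 6 ]; then
        echo "MaxAuthTries $v: more than the default 6 attempts per connection"
        findings=$((findings + 1))
    fi
    v=$(sshd_first_value "$cfg" PubkeyAuthentication)
    if [ "${v:-yes}" = no ]; then
        echo "PubkeyAuthentication no: key-based login disabled, forcing passwords"
        findings=$((findings + 1))
    fi
    v=$(sshd_first_value "$cfg" StrictModes)
    if [ "${v:-yes}" = no ]; then
        echo "StrictModes no: sshd will use authorized_keys even when another user can write it"
        findings=$((findings + 1))
    fi
    [ "$findings" -eq 0 ]
}

# --- constructed samples ---
WEAK_CFG=$(mktemp)
cat > "$WEAK_CFG" <<'EOF'
# constructed sample: protocol 1 and passwords still enabled
Protocol 2,1
PasswordAuthentication yes
MaxAuthTries 10
MaxAuthTries 3
StrictModes no
Match User backup
    PasswordAuthentication no
EOF

HARDENED_CFG=$(mktemp)
cat > "$HARDENED_CFG" <<'EOF'
# constructed sample: keys only
Protocol 2
PasswordAuthentication no
PermitEmptyPasswords no
PubkeyAuthentication yes
MaxAuthTries 3
StrictModes yes
EOF

for f in "$WEAK_CFG" "$HARDENED_CFG"; do
    echo "== $f"
    if audit_sshd_config "$f"; then echo "no weak settings"; fi
done
```

The duplicated MaxAuthTries line and the PasswordAuthentication inside the Match block in the weak sample show why the first-occurrence rule matters: the effective values are 10 and yes, not the later, stricter ones.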


[Compilation steps]


OpenSSH is an open-source implementation of SSH, including both the server and the client.
Home page: http://www.openssh.com/

OpenSSH depends on OpenSSL.
Home page: http://www.openssl.org/

First, compile and install OpenSSL (verify the downloaded tarball against the signature the project publishes before building from it):

tar -zxvf openssl-1.0.0d.tar.gz
mkdir /usr/local/openssl-1.0.0d
cd openssl-1.0.0d
./config --prefix=/usr/local/openssl-1.0.0d
make
make install

Then compile and install OpenSSH:

tar -zxvf openssh-2.1.1p4.tar.gz
mkdir /usr/local/openssh-2.1.1p4
cd openssh-2.1.1p4
./configure --prefix=/usr/local/openssh-2.1.1p4 --with-ssl-dir=/usr/local/openssl-1.0.0d --with-ldflags=-lcrypt
make

With this combination make fails in sshconnect1.c: the MD5_CTX type is undefined and MD5Init, MD5Update and MD5Final cannot be resolved.
To get past it, obtain md5.h and md5.c (a source file that defines the MD5_CTX type and implements those three functions) and put them in the same directory as sshconnect1.c.
Edit sshconnect1.c to add #include "md5.h", and in the Makefile add md5.o to the object list:
SSHOBJS= ssh.o sshconnect.o sshconnect1.o md5.o
make
make install

Finally, the built executables are under /usr/local/openssh-2.1.1p4:
bin/ etc/ man/ sbin/

The server is sshd, the client is ssh, and the key generation program is ssh-keygen.

[Usage]

Account and password-based verification:
Once sshd is running on the server, run the client: ./ssh account@server_ip
It prompts for the password; enter it and the login completes.

Public key and private key-based verification:

RSA (protocol 1)
Run ./ssh-keygen to generate an RSA key pair. It creates the .ssh directory under the current account's home directory and writes the private key identity and the public key identity.pub there. Copy identity.pub to the server, into the home directory of the account that will be logged into: create the .ssh directory there if it does not exist, and append the content of identity.pub to a file named authorized_keys:
cat identity.pub >> ~/.ssh/authorized_keys
(Use the append form: cat > authorized_keys < identity.pub would overwrite the file and silently drop every key already installed.)
sshd walks through all the public keys in authorized_keys until it finds the one that matches.
Note the permissions: with StrictModes, which is the default, sshd refuses to use authorized_keys if the home directory, the .ssh directory or the file itself is writable by group or others, because a writable path would let another local user install their own key. Keep the home directory at 755 (or stricter), .ssh at 700 and authorized_keys at 600; otherwise client authentication fails.
Client command: ./ssh -i /root/.ssh/identity account@server_ip

DSA (protocol 2)
Usage is the same as for RSA above, with three differences:
1. Pass -d to ssh-keygen to generate the DSA key pair id_dsa and id_dsa.pub.
2. On the server, create an authorized_keys2 file in the .ssh directory and append the content of id_dsa.pub to it (same permissions as above).
3. Client command: ./ssh -2 -i /root/.ssh/id_dsa account@server_ip
Later OpenSSH releases select the key type with ssh-keygen -t (for example -t rsa), read .ssh/authorized_keys for all key types (authorized_keys2 is kept only for compatibility), and disable DSA keys by default from OpenSSH 7.0 on.
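Example code added here, not from the original article, covering the server-side half of both procedures above (authorized_keys for the RSA/protocol 1 layout, authorized_keys2 for the DSA/protocol 2 layout): it appends a public key the way the text describes, never overwriting, refuses a private key pasted by mistake, and checks the permission rules sshd's StrictModes enforces. The key line it writes is a constructed placeholder in authorized_keys format, not a real key.

```shell
#!/bin/sh
# Added example: server-side installation of a client public key as the text
# describes (append, never overwrite) plus the permission checks that sshd's
# StrictModes performs before it will trust authorized_keys. The key line
# written below is a constructed placeholder, not a real key.

# Mode string such as "drwx------", portable across GNU and BSD ls.
mode_of() {
    ls -ld "$1" | cut -c1-10
}

# Fail with a reason if PATH is writable by group or others (character 6 of
# the mode string is the group write bit, character 9 the world write bit).
reject_if_shared_writable() {
    case "$(mode_of "$1")" in
        ?????w????|????????w?)
            echo "refused: $1 is group- or world-writable ($(mode_of "$1"))"
            return 1 ;;
    esac
}

# Accept only a one-line "<type> <base64> [comment]" public key; refuse a
# private key pasted by mistake, which is a classic way to leak one.
looks_like_pubkey() {
    if grep -q 'PRIVATE KEY' "$1"; then
        echo "refused: $1 contains a private key"
        return 1
    fi
    read -r ktype blob _ < "$1" || true
    case "$ktype" in
        ssh-rsa|ssh-dss|ssh-ed25519|ecdsa-sha2-*) [ -n "$blob" ] ;;
        *) echo "refused: $1 is not an OpenSSH public key line"; return 1 ;;
    esac
}

# install_pubkey PUBFILE HOME [KEYFILE]: append one key to ~/.ssh/KEYFILE
# (authorized_keys by default, authorized_keys2 for the protocol 2 layout in
# the text), creating ~/.ssh with mode 700 and the file with mode 600.
install_pubkey() {
    pub=$1; home=$2; name=${3:-authorized_keys}
    looks_like_pubkey "$pub" || return 1
    (
        umask 077
        mkdir -p "$home/.ssh"
        cat "$pub" >> "$home/.ssh/$name"   # ">>" appends; ">" would wipe existing keys
    )
    chmod 700 "$home/.ssh" && chmod 600 "$home/.ssh/$name"
}

# check_strict_modes HOME [KEYFILE]: the rule sshd applies with StrictModes yes
# (the default): the home directory, ~/.ssh and the key file must exist and
# must not be writable by group or others. Returns 0 if key login can proceed.
check_strict_modes() {
    home=$1; keys=$home/.ssh/${2:-authorized_keys}
    for p in "$home" "$home/.ssh" "$keys"; do
        if [ ! -e "$p" ]; then echo "missing: $p"; return 1; fi
        reject_if_shared_writable "$p" || return 1
    done
}

# --- demo on a throwaway home directory ---
DEMO_HOME=$(mktemp -d)
DEMO_PUB=$DEMO_HOME/identity.pub
# constructed placeholder in authorized_keys format: "<type> <base64 blob> <comment>"
echo 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQDEXAMPLEPLACEHOLDERNOTAREALKEY= user@client' > "$DEMO_PUB"
chmod 755 "$DEMO_HOME"
install_pubkey "$DEMO_PUB" "$DEMO_HOME"
if check_strict_modes "$DEMO_HOME"; then
    echo "ok: sshd will read $DEMO_HOME/.ssh/authorized_keys"
fi
chmod g+w "$DEMO_HOME"                       # the permission mistake the text warns about
check_strict_modes "$DEMO_HOME" || echo "key login would fail until the directory is fixed"
chmod 755 "$DEMO_HOME"
```

Running the script prints the "ok" line, then the refusal for the group-writable home directory, which is exactly the condition under which the text says client authentication fails.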

