SSH principles and Public Key Authentication

Source: Internet
Author: User
Tags ssh server

SSH principles and Public Key Authentication

Creation process

Ssh uses the asymmetry of rsa encryption to share a communication key that only the two of them know. Through this communication key, they then perform subsequent communication.

The client receives the public key of the server and encrypts the Communication Key generated by the client to the server. The server decrypts the key with a private key. At this time, the two use symmetric keys for communication;

Key and algorithm negotiation stage

The procedure is as follows:

(1)

The server and client send the algorithm negotiation packet to the peer respectively. The packet contains the Public Key algorithm list, encryption algorithm list, and MAC (Message Authentication Code, Message Verification Code) supported by the peer) algorithm list, compression algorithm list, etc.

(2)

The server side and client side obtain the final algorithm used based on the list of Algorithms supported by the peer side and the local side. If any algorithm negotiation fails, the algorithm negotiation process between the server and the client fails, and the server disconnects the client.

(3)

The server and client use the DH-Hellman Exchange algorithm and host key peer parameters to generate the session key and session ID, and complete the client's authentication of the server identity.

Through the preceding steps, the server and client obtain the same session key and session ID. For subsequent data transmission, both ends use session keys for encryption and decryption, ensuring the security of data transmission. The session ID identifies an SSH connection. during authentication, the session ID is also used for authentication at both ends.

Authentication phase

SSH provides two authentication methods:

1 password Authentication

Use AAA (Authentication, Authorization, Accounting, Authentication, Authorization, and billing) to authenticate the client identity. The client sends a password authentication request to the server, encrypts the user name and password, and sends it to the server. The server decrypts the information to obtain the plaintext of the user name and password, verify the validity of the user name and password through local or remote authentication, and return the message of successful or failed authentication. If the remote authentication server requires secondary password authentication, a prompt message is sent to the server in the authentication response message, which is transparently sent to the client by the server, the client outputs and requires the user to enter a password of the specified type again. After the user submits the correct password and successfully passes the authentication on the server, the server returns a message indicating the authentication is successful.

2 publickey Authentication

Use the digital signature method to authenticate the client. Currently, the device can use RSA and DSA public key algorithms to implement digital signatures. The client sends a publickey authentication request containing the user name, public key, and public key algorithm to the server. The server checks the validity of the public key. If the public key is invalid, the server sends a failed message directly. Otherwise, the server uses a digital signature to authenticate the client and returns a message indicating that the authentication succeeds or fails.

The second level is key-based security verification.

You need to rely on the key, that is, you must create a pair of keys for yourself, and put the public key on the server to be accessed. If you want to connect to the SSH server, the client software will send a request to the server, requesting your key for security verification. After receiving the request, the server first looks for your public key under your home directory on the server, and then compares it with the public key you sent. If the two keys are the same, the server uses the public key to encrypt the question and send it to the client software. After the client software receives a question, it can use your private key to decrypt it and then send it to the server. In this way, you must know your key password. However, compared with the first level, the second level does not need to transmit passwords over the network. The second level not only encrypts all transmitted data, but also the "man-in-the-middle" attack method is impossible (because he does not have your private key ). However, the entire login process may take 10 seconds, but it is not longer than the password input method.

Ssh Public Key Authentication uses this feature. Both the server and client have their own public keys and keys. These symbols are used for convenience.

Ac client Public Key

Bc client key

As server Public Key

Bs server key

Before authentication, the client needs to log on to the server with the public key Ac in some way.

The authentication process is divided into two steps:

1. session key Generation

The client requests to connect to the server, and the server sends the As to the client.

The session ID (session id) generated by the server is set to p and sent to the client.

The client generates a session key, sets it to q, and calculates r = p xor q.

The client encrypts r with the As and sends the result to the server.

The server uses Bs for decryption to obtain the r.

The server performs r xor p operations to obtain q.

At this point, both the server and the client know the session key q, and all future transmissions will be encrypted by q.

2 Certification

The server generates random number x and uses Ac encryption to generate the result S (x), which is sent to the client.

The client uses Bc to decrypt S (x) to obtain

The client calculates the md5 value of q + x n (q + x), and q is the session key obtained in the previous step.

The server calculates the md5 value of q + x m (q + x)

The client sends n (q + x) to the server.

The server compares m (q + x) and n (q + x). If the two are the same, the authentication succeeds.

How to Improve the SSH login authentication speed of Ubuntu

Enable the SSH service to allow Android phones to remotely access Ubuntu 14.04

How to add dual authentication for SSH in Linux

Configure the SFTP environment for non-SSH users in Linux

Configure and manage the SSH service on Linux

Basic SSH tutorial

This article permanently updates the link address:

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.