Anyone working on Linux needs to understand ssh. It establishes secure, encrypted connections between hosts for remote access, control, and data transmission.
What is ssh
SSH is short for Secure Shell. It is a security protocol built on the application layer and the transport layer.
Traditional network service programs, such as FTP, POP, and Telnet, are inherently insecure because they transmit data, user accounts, and user passwords in plaintext over the network, and they are vulnerable to man-in-the-middle attacks. In such an attack, another person or machine impersonates the real server to receive the data the user sends to the server, and then impersonates the user to pass that data on to the real server. SSH is a reliable protocol that provides security for remote logon sessions and other network services. The SSH protocol can effectively prevent information leakage during remote management. SSH can encrypt all transmitted data and prevent DNS spoofing and IP spoofing. In addition, the data SSH transmits is compressed, which can speed up transmission. SSH has many functions. It can replace Telnet and provide a secure "channel" for FTP, POP, and even PPP. That is a lot to take in. In practice, an ssh connection can be understood as encrypted remote access.
--- (From Chinese wiki)
Authentication and encryption of ssh connections
An ssh connection follows the client-server (C/S) model. The client sends a connection request, the server verifies the client, and then decides whether to accept the connection request.
The theoretical basis of ssh encryption is the asymmetric encryption system. RSA is a common asymmetric encryption algorithm. Before using ssh, you should first understand asymmetric encryption and how the RSA algorithm works. For more information, see RSA encryption algorithms.
There are two levels of ssh security verification: account password verification and RSA encryption verification. Detailed parameters can be set in the sshd_config configuration file (on Ubuntu it is /etc/ssh/sshd_config, and on mac it is /etc/sshd_config).
Account password verification
Enter the password of the user you want to log on as. You do not need to modify the configuration file.
If the user password were transmitted directly from the client to the server, it could easily be intercepted by a man-in-the-middle, who could then mount a replay attack. ssh handles the password as follows:
1. The client sends a request to the ssh server. The server returns its public key to the client;
2. The client uses the server's public key to encrypt its login password and then sends the information to the server;
3. The server uses its own private key to decrypt the password sent by the client. If the password is correct, it accepts the logon and establishes the connection.
This method is still vulnerable. A man-in-the-middle can pretend to be the server and trick the client into handing over its password.
RSA encryption verification
The RSA encryption verification method makes full use of the advantages of the asymmetric encryption system and, by not transmitting passwords over the network, eliminates the possibility of man-in-the-middle attacks. The procedure is as follows:
Preparations
-1. The client first uses the ssh-keygen command to generate the private key and public key. With the default configuration, the private key is saved in ~/.ssh/id_rsa and the public key in ~/.ssh/id_rsa.pub. (Do not modify the files here)
0. The client securely sends the public key to the server. On the server side, append the public key sent by the client to the end of the ~/.ssh/authorized_keys file.
Establish a connection
1. The client sends a connection request. The server generates a session key pair and returns the session public key, encrypted with the corresponding client's public key.
2. The client decrypts the information with its own private key to obtain the session public key.
3. Subsequent data is encrypted with the peer's public key. On receipt, each side decrypts it with its own key, so the exchange stays encrypted.
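The two verification levels above are switched on or off in sshd_config, so it is worth checking which of them a given file actually enables. The following is an added example, not part of the original article: it audits the PasswordAuthentication and PubkeyAuthentication keywords, honouring sshd's rule that the first value obtained for a keyword wins and that Match blocks can override the global setting. The sample configuration is constructed, and the script assumes a single file with no Include directives.

```python
# Added example: report which login methods an sshd_config enables.
# Assumption: one file, no Include directives; sample config is constructed.
DEFAULTS = {"passwordauthentication": "yes", "pubkeyauthentication": "yes"}

SAMPLE_CONFIG = """\
# constructed sample, not taken from a real host
Port 22
PubkeyAuthentication yes
PasswordAuthentication no
PasswordAuthentication yes
Match User backup
    PasswordAuthentication yes
"""

def parse_sshd_config(text):
    """Return (global settings, Match overrides) for the keywords in DEFAULTS."""
    settings, overrides, match = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        keyword = parts[0].lower()          # keywords are case-insensitive
        if keyword == "match":
            match = " ".join(parts[1:])     # following lines are conditional
            continue
        if keyword not in DEFAULTS or len(parts) < 2:
            continue
        value = parts[1].lower()
        if match is not None:
            overrides.append((match, keyword, value))
        elif keyword not in settings:       # first obtained value wins
            settings[keyword] = value
    return {**DEFAULTS, **settings}, overrides

def audit(text):
    settings, overrides = parse_sshd_config(text)
    findings = []
    if settings["passwordauthentication"] != "no":
        findings.append("global: password login enabled")
    if settings["pubkeyauthentication"] != "yes":
        findings.append("global: public key login disabled")
    for cond, keyword, value in overrides:
        if keyword == "passwordauthentication" and value != "no":
            findings.append(f"Match {cond}: password login enabled")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_CONFIG)))
```

On a live server, `sshd -T` prints the effective configuration after all files are merged and is the authoritative check.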