Illustrated SSH: how it works, and two ways to log in

Source: Internet
Author: User
Tags: decrypt, session id, asymmetric encryption

SSH (Secure Shell) is a set of protocol standards for logging in securely between two machines and transferring data securely. The principle that guarantees the security of the data is asymmetric encryption.

Traditional symmetric encryption uses a single secret key: the same key both encrypts and decrypts the data. Every client and every server must therefore hold that key, so the risk of leakage is very high, and once the key leaks, the security of the data can no longer be guaranteed.

Asymmetric encryption solves this problem. It uses a pair of keys, a public key and a private key: the public key is used for encryption, the private key for decryption, and the private key cannot be computed from the public key. The private key is therefore stored carefully on the server, while the public key can be handed out freely; even if it leaks, there is no risk.

Put simply, SSH secures communication as follows: the client and the server each generate a private/public key pair and exchange public keys. Each side then encrypts the data it sends with the other party's public key, and the receiver decrypts it with its own private key.

Establishing the connection

As can be seen from the figure above, besides its own public/private key pair, each machine also stores the other party's public key, so there must be a step in which the two sides exchange public keys. The public key is not simply sent as-is; there are specialized algorithms for this. This step takes place when the connection is first established, before any data is transferred.

    1. The client initiates a connection request.
    2. The server returns its own public key together with a session ID (in this step the client obtains the server's public key).
    3. The client generates its own key pair.
    4. The client XORs its own public key with the session ID and encrypts the result with the server's public key.
    5. The client sends the encrypted value to the server, and the server decrypts it with its private key.
    6. The server XORs the decrypted value with the session ID to recover the client's public key (in this step the server obtains the client's public key).
    7. Each side now holds three keys: its own public and private key, plus the other party's public key. All subsequent communication is encrypted.

There is an interesting detail here. The first time two machines connect over SSH, when the server returns its public key (step 2), the client prints a message to the effect that the authenticity of the other side cannot be verified, shows the MD5 fingerprint of that public key, and asks whether you are sure you want to establish the connection.

The reason is that, although SSH transmission itself is very secure, on the first connection the client has no way of knowing whether the public key really comes from the server it requested. If someone intercepts the client's request on its way to the server and returns their own public key while impersonating the server, and the connection is established, then all the data can be decrypted by the attacker with their private key. This is known as a man-in-the-middle attack.

Logging in with a password

SSH is also commonly used to log in to other machines remotely. There are two common methods; the first is logging in with an account and password.

    1. After the server receives the login request, the two sides first exchange keys, following the steps described in detail in the previous section.
    2. The client encrypts the account and password with the server's public key and sends them.
    3. The server decrypts the account and password with its own private key and verifies them.
    4. The server encrypts the verification result with the client's public key and returns it.
    5. The client decrypts it with its own private key and checks the result.

Logging in with a public key

Sometimes it is not a developer connecting to the server by hand but a client program that needs to connect. Logging in with a password is then inconvenient: first, the program has to deal with entering the password; second, it has to find a way to store the password securely. In this case you can use a public key for password-less login.

    1. The client's user must first manually add their public key to a file on the server called authorized_keys, which, as the name implies, holds the public keys of all machines allowed to log in remotely.
    2. The client initiates a login request and sends the fingerprint of its own public key (unique to the key, but not the public key itself).
    3. Based on the fingerprint, the server checks whether this public key is stored in authorized_keys.
    4. If it is present, the server generates a random string, encrypts it with the client's public key and returns it.
    5. After receiving it, the client decrypts it with its private key, encrypts it with the server's public key and sends it back.
    6. After receiving it, the server decrypts it with its own private key; if the string is the same, the login is authenticated.
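As an added example (not code from the original article), the following Python simulates steps 2 to 6 above: the server indexes its authorized_keys by fingerprint and only issues a challenge for a key it already trusts, so an unregistered key is refused before any cryptography happens. It uses textbook RSA with tiny constructed primes purely to illustrate the encrypt/decrypt exchange, SHA-256 fingerprints as current OpenSSH displays them rather than the MD5 form mentioned earlier, and a constructed "e n" line format for authorized_keys; none of this is real SSH key material.

```python
import hashlib
import math
import secrets

# Textbook RSA with tiny constructed primes: illustration only, far too small to be secure.
def make_keypair(p, q):
    n, phi = p * q, (p - 1) * (q - 1)
    e = next(x for x in range(3, phi) if math.gcd(x, phi) == 1)
    d = pow(e, -1, phi)                      # private exponent (Python 3.8+)
    return (e, n), (d, n)                    # (public key, private key)

def rsa_apply(key, m):                       # encrypt (public key) or decrypt (private key); m < n
    k, n = key
    return pow(m, k, n)

def fingerprint(pub):
    """Hash of the public key; current OpenSSH shows SHA-256 fingerprints."""
    return hashlib.sha256(f"{pub[0]}:{pub[1]}".encode()).hexdigest()

def load_authorized_keys(lines):
    """Index the server's authorized_keys by fingerprint (constructed 'e n' line format)."""
    keys = {}
    for line in lines:
        e, n = map(int, line.split())
        keys[fingerprint((e, n))] = (e, n)
    return keys

def server_challenge(authorized, client_fp):
    """Steps 3-4: look the fingerprint up; challenge only a key that is already trusted."""
    pub = authorized.get(client_fp)
    if pub is None:
        return None, None                    # unknown key: no challenge, login refused
    secret = secrets.randbelow(pub[1] - 2) + 2
    return secret, rsa_apply(pub, secret)    # server keeps secret, sends the ciphertext

def client_answer(priv, server_pub, challenge):
    """Step 5: decrypt with own private key, re-encrypt for the server."""
    return rsa_apply(server_pub, rsa_apply(priv, challenge))

def server_verify(server_priv, secret, answer):
    """Step 6: decrypt with own private key and compare with the stored secret."""
    return rsa_apply(server_priv, answer) == secret

def public_key_login(authorized, client_pub, client_priv, server_pub, server_priv):
    """Run the whole exchange; True only for a registered key whose holder can decrypt."""
    secret, challenge = server_challenge(authorized, fingerprint(client_pub))  # step 2
    if challenge is None:
        return False
    answer = client_answer(client_priv, server_pub, challenge)
    return server_verify(server_priv, secret, answer)
```

The server's modulus is chosen larger than the client's so the decrypted string always fits when it is re-encrypted for the server in step 5.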

The key to public-key login is adding the client's public key to the server by hand. GitHub, for example, lets you add a public key and then log in without a password.

