Use ssh to log on to the server

Source: Internet
Author: User
Tags: ssh, port, ssh server


I. What is SSH?

To put it simply, SSH is a network protocol for encrypted login between computers.

If a user logs on to a remote computer from a local computer using the SSH protocol, that login can be regarded as safe: even if the traffic is intercepted in transit, the password is not disclosed.

Originally, Internet communication was in plain text; once intercepted, its content was exposed. In 1995, the Finnish scholar Tatu Ylonen designed the SSH protocol to encrypt all login information. It became a basic building block of Internet security, was quickly adopted worldwide, and is now a standard part of Linux systems.

Note that SSH is only a protocol; there are multiple implementations, both commercial and open source. The implementation discussed in this article is OpenSSH, which is free software and widely used.

In addition, this article only discusses SSH from a Linux shell. To use SSH from Windows, a different program, PuTTY, is used.

II. Basic usage

SSH is mainly used for remote login. Suppose you want to log on to the remote host host as the user user; a simple command is all you need:

  $ ssh user@host

If the local user name is the same as the remote user name, the user name can be omitted:

  $ ssh host

The default SSH port is 22, that is, your login request is sent to port 22 of the remote host. Use the -p parameter to change the port:

  $ ssh -p 2222 user@host

The command above connects ssh directly to port 2222 of the remote host.

III. Man-in-the-middle attack

SSH's security comes from its use of public key encryption.

The whole process is as follows: (1) the remote host receives the user's login request and sends its own public key to the user; (2) the user encrypts the login password with this public key and sends it back; (3) the remote host decrypts the login password with its own private key, and if the password is correct, the user is allowed to log on.

This process is safe in itself, but there is a risk in how it is carried out: if someone intercepts the login request, impersonates the remote host and sends a forged public key to the user, the user has no easy way to tell whether it is genuine. Unlike the HTTPS protocol, the public key in the SSH protocol is not certified by a certificate authority (CA); it is issued by the host itself.

Imagine an attacker inserted between the user and the remote host (for example, on a public Wi-Fi network): with a forged public key he or she obtains the user's login password, then logs on to the remote host with that password, and SSH's security mechanism is defeated. This risk is known as a man-in-the-middle attack.


IV. Password logon

When you log on to a host for the first time, the following prompt appears:

  $ ssh user@host

  The authenticity of host 'host (12.18.429.21)' can't be established.

  RSA key fingerprint is 98:2e:d7:e0:de:9f:ac:67:28:c2:42:2d:37:16:58:4d.

  Are you sure you want to continue connecting (yes/no)?

Here the system is telling you that it cannot confirm the authenticity of the host; it only knows the host's public key fingerprint. Do you want to continue connecting?

The so-called "public key fingerprint" exists because the public key itself is long (the RSA algorithm is used here, up to 1024 bits) and hard to compare, so an MD5 hash is computed over it, turning it into a 128-bit fingerprint. In the example above, 98:2e:d7:e0:de:9f:ac:67:28:c2:42:2d:37:16:58:4d is much easier to compare.

Naturally, how does the user know the public key fingerprint of the remote host? There is no good answer to this question: the remote host must publish its public key fingerprint on its own website so that you can check it yourself.

Assuming that, having weighed the risk, the user decides to accept the remote host's public key:
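To make the fingerprint check concrete, here is an added example (not part of the original article) that computes an OpenSSH host key fingerprint from a public key line as it appears in known_hosts, in both the MD5 colon format shown above and the SHA256 format that current OpenSSH prints by default, and compares it against a fingerprint obtained out of band. The sample key is constructed from 32 arbitrary bytes, not a real host key; the helper and function names are this example's own.

```python
import base64
import hashlib
import hmac
import struct


def _ssh_string(data: bytes) -> bytes:
    """Encode bytes as an SSH wire-format string (uint32 length prefix)."""
    return struct.pack(">I", len(data)) + data


def build_ed25519_public_line(raw_key: bytes, comment: str = "") -> str:
    """Build an OpenSSH public key line ("ssh-ed25519 AAAA... comment") from a raw
    32-byte Ed25519 public key. Used here only to construct sample input."""
    if len(raw_key) != 32:
        raise ValueError("Ed25519 public keys are 32 bytes")
    blob = _ssh_string(b"ssh-ed25519") + _ssh_string(raw_key)
    line = "ssh-ed25519 " + base64.b64encode(blob).decode("ascii")
    return f"{line} {comment}" if comment else line


def parse_public_line(line: str):
    """Return (key_type, blob) from a public key line as stored in known_hosts or
    authorized_keys. Rejects a line whose declared type disagrees with the blob."""
    fields = line.split()
    if len(fields) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    key_type, b64 = fields[0], fields[1]
    blob = base64.b64decode(b64, validate=True)
    # The first wire string inside the blob is the algorithm name; it must match.
    (name_len,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + name_len].decode("ascii") != key_type:
        raise ValueError("key type field does not match key blob")
    return key_type, blob


def fingerprint_md5(line: str) -> str:
    """Legacy OpenSSH fingerprint: MD5 of the key blob as 16 colon-separated hex pairs."""
    _, blob = parse_public_line(line)
    digest = hashlib.md5(blob).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, 32, 2))


def fingerprint_sha256(line: str) -> str:
    """Current OpenSSH default: 'SHA256:' plus unpadded base64 of SHA-256 of the blob."""
    _, blob = parse_public_line(line)
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")


def matches_published_fingerprint(line: str, published: str) -> bool:
    """Compare the computed fingerprint with one obtained out of band (for example
    from the server owner's website), accepting either format."""
    published = published.strip()
    if published.startswith("SHA256:"):
        computed = fingerprint_sha256(line)
    else:
        computed = fingerprint_md5(line)
        published = published.lower()
        if published.startswith("md5:"):
            published = published[4:]
    return hmac.compare_digest(computed, published)


# Constructed sample: 32 arbitrary bytes standing in for a real Ed25519 public key.
SAMPLE_RAW_KEY = bytes(range(32))
SAMPLE_LINE = build_ed25519_public_line(SAMPLE_RAW_KEY, "sample@example")

if __name__ == "__main__":
    print(SAMPLE_LINE)
    print("MD5 fingerprint:   ", fingerprint_md5(SAMPLE_LINE))
    print("SHA256 fingerprint:", fingerprint_sha256(SAMPLE_LINE))
```

The same computation applies to a line from your own ~/.ssh/known_hosts: if the fingerprint it yields differs from the one the server owner published, the stored key is not the one you expected and the connection should not be trusted until that is resolved.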

  Are you sure you want to continue connecting (yes/no)? yes

The system then reports that the host has been recorded:

  Warning: Permanently added 'host,12.18.429.21' (RSA) to the list of known hosts.

Then the password is requested:

  Password: (enter password)

If the password is correct, you are logged on.

Once the remote host's public key has been accepted, it is saved in the file $HOME/.ssh/known_hosts. The next time you connect to that host, the system recognizes that its public key is already stored locally, skips the warning and prompts you for the password directly.

Each SSH user has their own known_hosts file, and the system also has one, usually /etc/ssh/ssh_known_hosts, which stores the public keys of remote hosts trusted for all users.

V. Public key logon

Logging on with a password every time is tedious. Fortunately, SSH also offers public key login, which saves you from entering a password.

The principle of public key login is that the user stores their public key on the remote host. At login, the remote host sends a random string to the user; the user encrypts the string with their private key and sends it back; the remote host decrypts it with the stored public key. If the decryption succeeds, the user is proven trustworthy and is logged straight into the shell without a password.

This method requires you to have your own public key. If you do not have one, use ssh-keygen to generate it:
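The exchange described above, as an added example that is not part of the original article: the server issues a random challenge, the client answers with a signature made with its private key, and the server checks the answer with the public key it has on file. The key pair is a constructed toy (textbook RSA over two known Mersenne primes, far too small for real use) so that the three steps run offline; OpenSSH's actual wire protocol and key sizes differ, and the function names are this example's own.

```python
import hashlib
import secrets

# Constructed toy key pair: the Mersenne primes 2^61-1 and 2^89-1. A real SSH key
# uses 2048-bit or larger RSA, or Ed25519; this only makes the exchange runnable.
_P = (1 << 61) - 1
_Q = (1 << 89) - 1
N = _P * _Q
E = 65537
D = pow(E, -1, (_P - 1) * (_Q - 1))   # private exponent (Python 3.8+)

SERVER_PUBLIC_KEY = (N, E)    # what the server's authorized_keys holds
CLIENT_PRIVATE_KEY = (N, D)   # what the client's private key file holds


def _challenge_digest(challenge: bytes, n: int) -> int:
    """Hash the challenge and reduce it into the modulus, so both sides sign and
    verify the same value regardless of challenge length."""
    return int.from_bytes(hashlib.sha256(challenge).digest(), "big") % n


def server_issue_challenge() -> bytes:
    """Step 1: the server sends the client a fresh random string."""
    return secrets.token_bytes(32)


def client_sign_challenge(private_key, challenge: bytes) -> int:
    """Step 2: the client proves possession of the private key by signing the
    challenge. The private key never leaves the client."""
    n, d = private_key
    return pow(_challenge_digest(challenge, n), d, n)


def server_verify(public_key, challenge: bytes, signature: int) -> bool:
    """Step 3: the server checks the signature with the stored public key."""
    n, e = public_key
    return pow(signature, e, n) == _challenge_digest(challenge, n)


def attempt_login(private_key, public_key) -> bool:
    """Run one full challenge-response round; True means the login is accepted."""
    challenge = server_issue_challenge()
    signature = client_sign_challenge(private_key, challenge)
    return server_verify(public_key, challenge, signature)


if __name__ == "__main__":
    print("correct key accepted:", attempt_login(CLIENT_PRIVATE_KEY, SERVER_PUBLIC_KEY))
    print("wrong key accepted:  ", attempt_login((N, D + 1), SERVER_PUBLIC_KEY))
```

Two properties are worth noticing when you run it: a different private key fails, and a signature captured for one challenge is useless for the next one, because the server chooses a fresh random string each time.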

  $ ssh-keygen

After you run the command, the system shows a series of prompts, all of which you can accept by pressing Enter. One of them asks whether to set a passphrase for the private key; if you are concerned about the security of the private key, set one here.

When it finishes, two new files appear in the $HOME/.ssh/ directory: id_rsa.pub and id_rsa. The former is your public key, the latter your private key.

Then enter the following command to send the public key to the remote host:

  $ ssh-copy-id user@host

Now you can log on again without entering a password.

If you are still asked for a password, open the /etc/ssh/sshd_config file on the remote host and check whether the "#" comment marker has been removed from the front of the following lines:

  RSAAuthentication yes
  PubkeyAuthentication yes
  AuthorizedKeysFile .ssh/authorized_keys

Then, restart the ssh service of the remote host.

  // Ubuntu system
  service ssh restart

  // Debian system
  /etc/init.d/ssh restart

If you want the key's comment to carry a specific user name or e-mail address, generate it as follows:

  $ ssh-keygen -t rsa -C "user@example.com"

The general form of the command is:

  ssh-keygen [-q] [-b bits] [-t dsa | ecdsa | ed25519 | rsa | rsa1] [-N new_passphrase] [-C comment] [-f output_keyfile]

The resulting key is used in the same way as described above.
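The sshd_config check above is easy to get wrong by hand, because sshd reads keywords case-insensitively and, for each keyword, uses the first value it finds, so a later duplicate line has no effect. Here is an added example (not from the original article) that parses an sshd_config text with those rules and reports what would stop public key login, plus the follow-up check a practitioner wants once key login works: that PasswordAuthentication has been turned off. Lines under a Match block are conditional and are left out of the global view here. The sample configuration is constructed; note that RSAAuthentication was a protocol 1 option and is no longer recognised by current OpenSSH, so it is not checked.

```python
import re

# Constructed sample with the mistakes the check is meant to catch.
SAMPLE_SSHD_CONFIG = """\
# sample /etc/ssh/sshd_config (constructed for illustration)
Port 22
#PubkeyAuthentication yes
PasswordAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys
PubkeyAuthentication no
Match User backup
    PasswordAuthentication no
"""

# Constructed sample of the corrected state.
FIXED_SSHD_CONFIG = """\
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys
PasswordAuthentication no
"""


def parse_sshd_config(text: str) -> dict:
    """Return the effective global keyword values (lower-cased keywords).

    Rules mirrored from sshd: empty lines and lines starting with '#' are
    comments; keyword and value are separated by whitespace or by '=';
    the first value for a keyword wins; Match blocks are skipped.
    """
    values = {}
    in_match = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
        keyword = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if keyword == "match":
            in_match = True      # everything after a Match line is conditional
            continue
        if in_match:
            continue
        values.setdefault(keyword, value)   # first occurrence wins
    return values


def check_public_key_login(text: str) -> list:
    """List findings that prevent, or undermine, key-based login."""
    cfg = parse_sshd_config(text)
    findings = []
    if cfg.get("pubkeyauthentication", "yes").lower() != "yes":
        findings.append("PubkeyAuthentication is not 'yes'; public key login is disabled")
    keys_file = cfg.get("authorizedkeysfile", ".ssh/authorized_keys .ssh/authorized_keys2")
    if ".ssh/authorized_keys" not in keys_file.split():
        findings.append(f"AuthorizedKeysFile is '{keys_file}'; ssh-copy-id writes .ssh/authorized_keys")
    if cfg.get("passwordauthentication", "yes").lower() == "yes":
        findings.append("PasswordAuthentication is still 'yes'; disable it once key login works")
    return findings


if __name__ == "__main__":
    for finding in check_public_key_login(SAMPLE_SSHD_CONFIG):
        print("-", finding)
```

Run it against the text of /etc/ssh/sshd_config from the remote host; an empty list means the file is in the state the article describes, with password login switched off as well.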

VI. The authorized_keys file

The remote host stores the user's public key in the $HOME/.ssh/authorized_keys file of the user's home directory. A public key is a single line of text, which is simply appended to the end of the authorized_keys file.

Instead of the ssh-copy-id command above, the following command can be used; it also shows how the public key is saved:

  $ ssh user@host 'mkdir -p .ssh && cat >> .ssh/authorized_keys' < ~/.ssh/id_rsa.pub

This command consists of several parts: (1) "$ ssh user@host" logs on to the remote host; (2) the part in single quotes, mkdir -p .ssh && cat >> .ssh/authorized_keys, is the command run in the remote shell after login: (3) "mkdir -p .ssh" creates the .ssh directory if it does not already exist, and (4) "cat >> .ssh/authorized_keys" < ~/.ssh/id_rsa.pub reads the local public key file ~/.ssh/id_rsa.pub and, through redirection, appends it to the end of the remote authorized_keys file.

Once the authorized_keys file is written, the public key login setup is complete.

VII. Other efficient ways of using SSH

1. Copying directly between two servers

Sometimes you need to connect to another server from one server, for example to copy data directly between two servers instead of routing it through your local computer:

  www1$ scp -pr templates www2:$PWD

(By the way, the $PWD variable is handy when you need to copy files between two servers.) Even if you have added your local computer's public key to both servers, scp will still prompt for a password by default. This is because the server you use as a stepping stone does not hold your private key, so the second server rejects your public key. Do not copy your private key to the intermediate server to get around this; use agent forwarding instead, by adding the following line to your ~/.ssh/config file:

  ForwardAgent yes

2. Omitting the host name

It is tedious to type the full host name of a server every time you open a new SSH connection, especially when you manage a group of servers that share a domain but have different sub-domains, for example:

* www1.example.com
* www2.example.com
* mail.example.com
* intranet.internal.example.com
* backup.internal.example.com
* dev.internal.example.com

Your network may already be configured so that short names such as intranet resolve directly. If it is not, you can fix this yourself rather than asking the network administrator for help.

The solution varies slightly with the operating system. The following is the configuration on my Ubuntu system:

  prepend domain-search "internal.example.com", "example.com";

Then you need to restart the network:

  $ sudo restart network-manager

These two commands may differ slightly between systems.

3. Host aliases

You can also define the host alias in your SSH configuration, as shown below:

  Host dev
    HostName dev.internal.example.com

You can also use wildcards for grouping:

  Host dev intranet backup
    HostName %h.internal.example.com

  Host www* mail
    HostName %h.example.com

In PuTTY, you can save a separate session for each host name and double-click it to connect (but it may not support wildcards).

4. Saving the user name

If your user name on the remote server differs from your local user name, you can also set it in the SSH configuration:

  Host www* mail
    HostName %h.example.com
    User simon

Now, even though my local user name is smylers, I can still connect to my server like this:

  $ ssh www2

SSH connects to the server as the simon account. Similarly, PuTTY can save this information in your session.

5. Jumping between servers

In some cases you cannot connect to a server directly and must go through an intermediate server. This too can be automated. First, make sure you have configured public key access to both servers and enabled agent forwarding. Now you can reach the target server with two commands and no prompts:

  $ ssh gateway
  gateway$ ssh db

Then add the following configuration in your local SSH Configuration:

  Host db
    HostName db.internal.example.com
    ProxyCommand ssh gateway netcat -q 600 %h %p

Now you can use a command to directly connect to the target server:

  $ ssh db
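Putting the pieces of sections 1 to 5 together, here is a complete ~/.ssh/config as an added example (not from the original article), using the article's example.com host names with placeholder user names. Two points go beyond the text: ForwardAgent is enabled only for the gateway, because any host that receives a forwarded agent can use it (root on that host included) for as long as your session is open, so it should be granted only to hosts you trust; and ProxyJump, available in OpenSSH 7.3 and later, is shown commented out as the one-line alternative to the netcat ProxyCommand, which needs no netcat on the gateway and no agent forwarding because you still authenticate to db from your own machine.

```sshconfig
# Added example ~/.ssh/config; host names are the article's, users are placeholders.

# One short alias for one host (section 3).
Host dev
    HostName dev.internal.example.com

# Several aliases sharing a domain: %h expands to the alias you actually typed.
Host intranet backup
    HostName %h.internal.example.com

Host www* mail
    HostName %h.example.com
    User simon                  # remote account differs from the local one (section 4)

# Bastion host. Agent forwarding is granted here only (section 1).
Host gateway
    HostName gateway.example.com
    ForwardAgent yes

# Host reachable only through the bastion (section 5).
Host db
    HostName db.internal.example.com
    ProxyCommand ssh gateway netcat -q 600 %h %p
    # ProxyJump gateway        # OpenSSH >= 7.3: same effect, no netcat needed

# Defaults for everything above. ssh uses the first value it finds for each
# option, so the catch-all block must come last.
Host *
    ForwardAgent no
    ServerAliveInterval 60
```

With this file in place, ssh dev, ssh www2 and ssh db all work as single commands, and only the connection to gateway carries your agent.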

Here you may have to wait a little longer, because SSH has to authenticate twice. Note that netcat may also be installed as nc or ncat and may take different options; check your intermediate server to determine the actual command and parameters.

6. Getting through a blocked network

Sometimes the network you are on only opens port 80, or it blocks the SSH port (22 by default). In that case you can configure an SSH server to listen on port 80 or 443 to get through the block. You only need to edit the /etc/ssh/sshd_config file on your server:

  Port 443

Then restart the SSH server:

  $ sudo reload ssh

Of course, this assumes that the server is not already serving HTTPS. In fact you only need one server listening on the HTTPS port: once you can reach it, you can use the technique described above to make it a springboard to your other servers. Remember that this server must be configured in advance (why not now?); then, when you find yourself on a Web-only network, you are spared the trouble of phoning someone to set up an intermediate server for you.

7. Web proxy

Sometimes your network does not merely block the SSH port but goes further and only lets you reach the outside through a Web proxy. Fortunately, there is a program called Corkscrew that can send SSH traffic through a Web proxy. Using Corkscrew is simple: I usually search for it when I need it, download it, follow the instructions on its website, and that is it. Typically you need a configuration like this:

  ProxyCommand corkscrew proxy.example.org 8080 %h %p

8. Working on remote files locally

An alternative to displaying remote GUI programs locally is to let local GUI programs work directly on remote files. Create an empty directory, then mount a remote directory onto it with SSHFS:

  $ mkdir gallery_src
  $ sshfs dev:projects/gallery/src gallery_src
  $ cd gallery_src
  $ ls

Now you can use any local program you like to work on the files in this directory. They look like local files, but they live on the remote server in real time. To unmount them, run the fusermount command; don't worry, it is documented in the sshfs manual:

  $ cd ..
  $ fusermount -u gallery_src

SSHFS works on Linux and OS X. I have not found a good solution for Windows users.

9. Editing remote files with Vim

Vim has a built-in facility for editing remote files directly; an scp URL is required:

  $ gvim scp://dev/projects/gallery/src/templates/search.html.tt

This is obviously not as flexible as SSHFS, but if you only need to edit one or two files on the remote server, this command is more convenient. It also works on Windows:

  :help netrw-problems

10. Connecting to a remote service from a local app

Sometimes a service such as a database or a Web server runs on a remote server, and it is very useful to connect to it directly from a local program. For this you need port forwarding. For example, if your server runs PostgreSQL (and only allows local connections), you can add:

  Host db
    LocalForward 5433 localhost:5432

Now, when you connect to your SSH server, it opens port 5433 on your local computer (a number I picked at random) and forwards all data sent to that port to port 5432 (PostgreSQL's default port) on the server. So as long as the connection to the server is up, you can reach the server's Postgres through port 5433.

  $ ssh db

Now, in another window, you can connect to your PostgreSQL database locally with:

  $ psql -h localhost -p 5433 orders

This is particularly useful when you want to use a graphical PostgreSQL client that is not installed on the server:

  $ pgadmin3 &

Or you may have a back-end Web server that you do not want exposed directly to the Internet; it too can be reached through port forwarding:

  Host api
    LocalForward 8080 localhost:80

Now connect to the server:

  $ ssh api

Then point the browser to the port number you selected:

  $ firefox http://localhost:8080/
