Detailed explanation of installation and use of SSH in Ubuntu Environment

2025-02-25 Update From: SLTechnology News&Howtos > Servers


Shulou (Shulou.com) 06/02 Report

SSH (Secure Shell) is a protocol for encrypted, authenticated remote access over an untrusted network. An Ubuntu machine uses the SSH client to log in to remote servers, and runs the SSH server (sshd) when it has to accept logins itself.

Brief introduction and working Mechanism of SSH

Introduction to SSH

Traditional network services such as FTP, POP and Telnet are inherently insecure because they send passwords and data across the network in clear text, where anyone on the path can read them. Their authentication is also weak: it gives the client no way to verify that it is talking to the real server, which makes it vulnerable to "man-in-the-middle" attacks. In such an attack the attacker pretends to be the server towards you, receives what you send, and forwards it to the real server while pretending to be you. Everything passing between you and the server can then be read or tampered with without either side noticing.

In 1995 the Finnish programmer Tatu Ylönen developed a network protocol and accompanying software called SSH (Secure SHell). SSH encrypts all transmitted data, so an eavesdropper learns nothing, and it authenticates the server with a host key, which defeats man-in-the-middle, DNS spoofing and IP spoofing attacks as long as the client actually verifies that key (the known_hosts check on first connection). Transmitted data can optionally be compressed, which speeds things up on slow links. Although many people use SSH only as a replacement for Telnet, it can secure other network traffic too: POP, X11, PPP, FTP, CVS and arbitrary TCP connections can be forwarded through an SSH session on the local or remote system (port forwarding). SSH can also be combined with TCP wrappers to restrict which hosts may connect, and it supports additional authentication methods such as SecurID tokens, which is useful for applications like Oracle access and remote backups.

The working Mechanism of SSH

SSH is divided into two parts: the client part and the server part.

The server side is a daemon that runs in the background and answers connection requests from clients. It is normally the sshd process, which handles key exchange, host and user authentication (including public-key authentication) and the symmetric encryption of the session.

The client side consists of the ssh program and companion tools such as scp (remote copy), slogin (remote login, an alias for ssh), sftp (secure file transfer) and ssh-keygen (key management).

Roughly, a connection proceeds like this: the client opens a TCP connection to the server, the two sides agree on a protocol version and a set of algorithms, and run a key exchange (Diffie-Hellman based) that derives fresh symmetric session keys on both ends without those keys ever travelling over the wire. During that exchange the server signs with its host key and the client checks the key against its known_hosts file; a mismatch is the warning that a man-in-the-middle may be present. Only then does user authentication (password, public key, and so on) take place, already inside the encrypted channel. This is only the general outline; SSH 1.x and SSH 2.x differ in the details of the connection protocol.

SSH is designed to run as a standalone daemon rather than under a super server (inetd). Running sshd through tcpd from inetd is possible but unnecessary. Once started, sshd listens on port 22 by default and waits for connection requests; each incoming connection is handled by a child process that sshd forks for it. You can check that it is running with ps -waux | grep sshd (on current Ubuntu releases, systemctl status ssh also works).

The original SSH became a commercial product with licensing and patent restrictions on its algorithms, so most people now use OpenSSH, the free implementation maintained by the OpenBSD project. OpenSSH is what Ubuntu ships.

There are two incompatible protocol versions, 1.x and 2.x: a client that speaks only SSH 2 cannot connect to an SSH 1-only server. OpenSSH 2.x supported both, but protocol 1 has known cryptographic weaknesses and has since been removed entirely (server support in OpenSSH 7.4, client support in OpenSSH 7.6), so everything below assumes SSH 2.

On Ubuntu, OpenSSH is split into two packages: openssh-client and openssh-server.

If you only want to log in to other machines over SSH you need openssh-client, which Ubuntu installs by default (if it is missing: sudo apt-get install openssh-client). If this machine itself should accept SSH logins, install openssh-server as well.

I. Install the client

Ubuntu already has the ssh client installed by default. To install it, or to add it if it is missing:

sudo apt-get install ssh
or
sudo apt-get install openssh-client

Then generate a key pair:

ssh-keygen

(press Enter to accept the default file location; set a passphrase when asked, or leave it empty for unattended logins)

By default this creates id_rsa (the private key, which must stay secret) and id_rsa.pub (the public key) in ~/.ssh. Current OpenSSH recommends Ed25519 keys instead: ssh-keygen -t ed25519.

Note: if sudo apt-get install ssh fails (ssh is a metapackage that also pulls in the server), install the client alone with sudo apt-get install openssh-client.

Suppose the server's IP is 192.168.1.1, its SSH service is on port 22, and the server has a user named root.

The command to log in to the server with ssh is:

ssh -p 22 root@192.168.1.1

The first time you connect, ssh shows the server's host key fingerprint and asks whether to trust it. Compare it with the fingerprint obtained from the server by some other channel before answering yes; this is the one moment a man-in-the-middle could insert itself, and ssh remembers the key in ~/.ssh/known_hosts afterwards. Then enter the root user's password.

II. Install the server

Ubuntu does not have the SSH server installed by default. Install it with:

sudo apt-get install openssh-server

Then verify that the server is running (alternatively, sudo netstat -tlp, or on newer systems ss -tlnp, shows what is listening on port 22):

ps -e | grep ssh

If you see only ssh-agent and no sshd, the server has not been started. If sshd appears in the output, it is running.

If it is not, start it with:

sudo /etc/init.d/ssh start

(on systemd-based Ubuntu releases: sudo systemctl start ssh)

If you have no special requirements you can stop here: OpenSSH server is installed and working. A little further configuration, however, makes logins faster and the server more secure. All of it is done in OpenSSH's server configuration file, sshd_config.

III. SSH configuration

The ssh-server configuration file is /etc/ssh/sshd_config. Among other things it defines the port the service listens on, 22 by default; you can choose another one, such as 222, and then restart the SSH service:

sudo /etc/init.d/ssh restart

By editing /etc/ssh/sshd_config you can change the login port and disable root login. Moving off port 22 keeps most automated scanners and brute-force bots out of your logs, but it is obscurity rather than a security control; disabling root login (and, once key login works, password login) is what actually reduces the attack surface.

Back up the original first and make the backup read-only:

sudo cp /etc/ssh/sshd_config /etc/ssh/sshd_config.original
sudo chmod a-w /etc/ssh/sshd_config.original

Edit the configuration file (it is owned by root, so use sudo; sudoedit /etc/ssh/sshd_config also works):

sudo gedit /etc/ssh/sshd_config

Find # Port 22, remove the comment sign, and change it to a five-digit port, for example: Port 22333

Find # PermitRootLogin yes, remove the comment sign, and change it to: PermitRootLogin no

When you are done, check the syntax before restarting so that a typo cannot lock you out, and keep your current session open until a fresh login succeeds:

sudo sshd -t
sudo /etc/init.d/ssh restart
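Editing sshd_config by hand works, but a script has to cope with how sshd actually parses the file: keywords are case-insensitive, commented lines are ignored, the first active occurrence of a keyword wins, and directives after a Match block apply only conditionally. The shell functions below are an added example written for this article, not code from the original page or from OpenSSH. They assume a POSIX shell with awk and grep, take the config path as a parameter so they can be tried on a copy first, and use the port 22333 chosen above; the same helpers apply the UseDNS/GSSAPIAuthentication and PubkeyAuthentication settings discussed in the later sections.

```sh
#!/bin/sh
# Added example, not part of the original article: edit sshd_config the way sshd reads it.
# Assumptions: POSIX sh with awk and grep; the config path is a parameter so the functions
# can be tried on a copy (cp /etc/ssh/sshd_config /tmp/sshd_config) before the real file.

# Print the effective value of a keyword. sshd keywords are case-insensitive, commented
# lines are ignored, the FIRST active occurrence wins, and anything after the first
# "Match" block is conditional rather than global, so the scan stops there.
sshd_get() {
  awk -v key="$2" '
    BEGIN { lk = tolower(key) }
    /^[ \t]*#/ || /^[ \t]*$/ { next }
    tolower($1) == "match"   { exit }
    tolower($1) == lk        { sub(/^[ \t]*[^ \t]+[ \t]+/, ""); print; exit }
  ' "$1"
}

# Set a keyword idempotently: replace the first active occurrence if there is one,
# otherwise replace the commented-out default ("#Port 22"), otherwise append it.
# A new global directive is never written below a Match block.
sshd_set() {
  file=$1 key=$2 val=$3
  if [ -n "$(sshd_get "$file" "$key")" ]; then
    mode=active
  elif grep -qiE "^[[:space:]]*#[[:space:]]*$key([[:space:]]|$)" "$file"; then
    mode=commented
  else
    mode=append
  fi
  awk -v key="$key" -v val="$val" -v mode="$mode" '
    BEGIN { lk = tolower(key); done = 0 }
    done { print; next }
    !/^[ \t]*#/ && tolower($1) == "match" { print key " " val; done = 1; print; next }
    mode == "active" && !/^[ \t]*#/ && tolower($1) == lk { print key " " val; done = 1; next }
    mode == "commented" {
      line = $0; sub(/^[ \t]*#[ \t]*/, "", line); split(line, f, /[ \t]+/)
      if (tolower(f[1]) == lk) { print key " " val; done = 1; next }
    }
    { print }
    END { if (!done) print key " " val }
  ' "$file" > "$file.tmp" && cat "$file.tmp" > "$file" && rm -f "$file.tmp"
}

# The settings this article changes, applied in one go. The port is a parameter
# (the article uses 22333); UseDNS and GSSAPIAuthentication are the two lookups that
# make the password prompt slow (see the login-speed section).
harden_sshd_config() {
  file=$1 port=${2:-22333}
  sshd_set "$file" Port "$port"
  sshd_set "$file" PermitRootLogin no
  sshd_set "$file" PubkeyAuthentication yes
  sshd_set "$file" UseDNS no
  sshd_set "$file" GSSAPIAuthentication no
}

# Usage on a real host (needs root): work on a copy, check syntax with sshd -t,
# then install and restart. Keep the existing session open until a fresh login works.
#   cp /etc/ssh/sshd_config /tmp/sshd_config && harden_sshd_config /tmp/sshd_config 22333
#   sudo sshd -t -f /tmp/sshd_config && sudo cp /tmp/sshd_config /etc/ssh/sshd_config
#   sudo systemctl restart ssh
```

Running harden_sshd_config twice leaves the file unchanged, which is what you want from a script that may be re-run by configuration management; the first-occurrence rule also means sshd_get tells you the value sshd will really use when a file contains duplicates.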

IV. SSH service commands

Stop the service: sudo /etc/init.d/ssh stop

Start the service: sudo /etc/init.d/ssh start

Restart the service: sudo /etc/init.d/ssh restart

(the systemd equivalents are sudo systemctl stop|start|restart ssh)

Disconnect: exit

Log in: ssh root@192.168.0.100

root is a user on the machine 192.168.0.100; you will be asked for that user's password.

V. SSH login commands

General format: ssh [-l login_name] [-p port] [user@]hostname

Running ssh with no arguments prints a usage summary; man ssh has the details.

Examples

No user specified (ssh uses your local user name): ssh 192.168.0.1

Specify the user:

ssh -l root 192.168.0.1
ssh root@192.168.0.1

If you have changed the ssh login port:

ssh -p 22333 192.168.0.111
ssh -l root -p 22333 216.230.230.105
ssh -p 22333 root@216.230.230.105

VI. Improve the login speed

When logging in remotely you may notice a long pause between entering the user name and the password prompt. Two lookups on the server side are the usual cause: sshd doing a reverse DNS lookup of the client address (UseDNS) and the GSSAPI/Kerberos authentication attempt (GSSAPIAuthentication), both of which wait for a timeout when there is no DNS or Kerberos infrastructure to answer. Disabling them makes the prompt appear immediately. Open the sshd_config file:

sudo nano /etc/ssh/sshd_config

Find (or add) these two lines and make sure they read:

UseDNS no
GSSAPIAuthentication no

(UseDNS has defaulted to no since OpenSSH 6.8, so on a current Ubuntu only the GSSAPI line may need changing. GSSAPIDelegateCredentials, often listed alongside, is a client option that belongs in ssh_config, not sshd_config; if the delay is on the client side, put GSSAPIAuthentication no in ~/.ssh/config or pass -o GSSAPIAuthentication=no.) Then restart the ssh service:

sudo /etc/init.d/ssh restart

Try logging in again; the password prompt should now appear at once.

VII. Log in to the server with key authentication using PuTTY

All SSH traffic is encrypted, so the connection itself is reasonably safe. Authenticating with a key pair instead of a password raises the bar considerably, since there is no password to guess, brute-force or phish, and with a little setup it also gives automatic (password-less) login. The original text calls this certificate authentication; in OpenSSH terms it is public-key authentication with an authorized_keys file (OpenSSH also has a separate CA-based certificate mechanism, which is not covered here).

First, make sure the server allows public-key authentication in sshd_config:

PubkeyAuthentication yes
AuthorizedKeysFile %h/.ssh/authorized_keys

(older guides also list RSAAuthentication yes; that option belonged to protocol 1 and only produces a "Deprecated option" warning in current OpenSSH, so leave it out.) Restart the ssh service after editing.

Next, create the key pair for the SSH user. Log in as the account that should own the key (not root; use su to switch to the right user if necessary) and run:

ssh-keygen

The generated key can stay in the default directory. During generation you are prompted for a passphrase, which encrypts the private key on disk; it is an extra safeguard, so a copied or stolen key file is useless on its own. If you leave it blank, PuTTY can later log in fully automatically with the key.

ssh-keygen produces two files. The public key stays on the server: install it as the authorized_keys file and set the permissions that sshd's StrictModes check requires, otherwise the key is silently refused:

cd ~/.ssh
mv id_rsa.pub authorized_keys
chmod 700 ~/.ssh
chmod 600 ~/.ssh/authorized_keys

Then copy the private key id_rsa to the client and delete it from the server (shred -u id_rsa removes it more thoroughly than rm). This order, generating on the server and moving the private key, is what the original describes, but the safer practice is the reverse: generate the pair on the client and send only the public key to the server (with an OpenSSH client, ssh-copy-id user@server does exactly that). The private key should never have to cross the network at all.

The server side is now done; the remaining steps are on the client. First, convert id_rsa to PuTTY's own format with PuTTYgen:

In PuTTYgen click Load, select the id_rsa file, enter the passphrase (if any), then click Save private key. The result is a .ppk file that PuTTY can use.

Open PuTTY and enter the server's IP address (and your custom port, if you changed it) under Session. Under Connection -> SSH -> Auth, click Browse and select the .ppk private key you just saved. Go to Connection -> Data and enter the user the key belongs to as the Auto-login username. Return to the Session tab, give the session a name and click Save. Click Open and you should be logged in with key authentication; on the first connection PuTTY shows the server's host key fingerprint, which you should verify just as with the command-line client. If the key has a passphrase you will be asked for it during login; otherwise you are logged in directly, which is very convenient.
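Most failures of key-based login are permission problems that sshd reports only in its own log ("Authentication refused: bad ownership or modes"), never to the user, who just gets a password prompt. The functions below are an added example written for this article, not part of the original page or of OpenSSH; they install a public key line the way the section above does by hand, refuse anything that is not an OpenSSH public key line (for instance a private key pasted by mistake), and check the StrictModes permission rules. They assume a POSIX shell with awk, grep -E and GNU or BSD stat, and take the home directory as a parameter so they can be exercised on a scratch directory; the key line in the usage comment is a placeholder, not a real key.

```sh
#!/bin/sh
# Added example, not part of the original article: install a public key the way sshd
# expects to find it, and check the permission rules (StrictModes) that silently break
# key login when they are wrong. Assumptions: POSIX sh, grep -E, awk, GNU or BSD stat;
# the home directory is a parameter so this can run against a scratch directory.

# Octal permission bits of a path (GNU stat, falling back to BSD stat).
mode_of() { stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"; }

# Accept only a well-formed OpenSSH public key line: known key type, base64 blob,
# optional comment. Anything else (a private key, a PuTTY .ppk, random text) is
# rejected before it can reach authorized_keys.
valid_pubkey_line() {
  printf '%s\n' "$1" | grep -qE \
    '^(ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp(256|384|521)|sk-ssh-ed25519@openssh\.com|sk-ecdsa-sha2-nistp256@openssh\.com) [A-Za-z0-9+/]+={0,2}( .*)?$'
}

# Append a key to HOME/.ssh/authorized_keys once (type+blob compared, comment ignored)
# with the permissions sshd requires: .ssh 700, authorized_keys 600. Returns 1 on a bad line.
install_authorized_key() {
  home=$1 key=$2
  valid_pubkey_line "$key" || { echo "refusing to install: not an OpenSSH public key line" >&2; return 1; }
  mkdir -p "$home/.ssh" && chmod 700 "$home/.ssh"
  touch "$home/.ssh/authorized_keys" && chmod 600 "$home/.ssh/authorized_keys"
  blob=$(printf '%s\n' "$key" | awk '{ print $1 " " $2 }')
  if ! awk '{ print $1 " " $2 }' "$home/.ssh/authorized_keys" | grep -qxF "$blob"; then
    printf '%s\n' "$key" >> "$home/.ssh/authorized_keys"
  fi
}

# sshd with StrictModes (the default) refuses the key if the home directory, .ssh or
# authorized_keys is writable by group or others. Report each offender; return 1 if any.
check_strict_modes() {
  home=$1 rc=0
  for p in "$home" "$home/.ssh" "$home/.ssh/authorized_keys"; do
    if [ ! -e "$p" ]; then echo "missing: $p"; rc=1; continue; fi
    m=$(mode_of "$p")
    # the last two octal digits are group and other; 2, 3, 6 and 7 carry the write bit
    case $m in
      *[2367][0-7]|*[2367]) echo "group/other writable: $p (mode $m)"; rc=1 ;;
    esac
  done
  return $rc
}

# Typical use on the server, after generating the key ON THE CLIENT (ssh-keygen -t ed25519)
# and copying only the .pub file over (id_ed25519.pub here is a placeholder name):
#   install_authorized_key "$HOME" "$(cat id_ed25519.pub)" && check_strict_modes "$HOME"
# From an OpenSSH client, ssh-copy-id user@host performs the same append remotely.
```

If check_strict_modes reports a problem, fix the modes rather than setting StrictModes no in sshd_config: a world-writable authorized_keys lets any local user add their own key to your account, which is exactly what the check exists to prevent.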

That is the whole of this article. I hope it is helpful to your study, and I hope you will keep supporting the site.
