2025-01-19 Update From: SLTechnology News&Howtos
Shulou (Shulou.com) 05/31 Report
This article shows how to use SSH for remote login. The content is concise and easy to follow, and the detailed walkthrough should leave you with something useful.
SSH is standard on every Linux computer.
As Linux devices spread from computers to mobile phones, peripherals and household appliances, SSH is used more and more widely. Programmers cannot do without it, and many ordinary users also use it every day.
SSH has many functions and can be used in many situations; some tasks cannot be done without it. The following are my study notes, which summarize and explain the common uses of SSH. I hope they will be useful to you.
Although this article covers only basic usage and is fairly simple, readers need the most basic "Shell knowledge" and an understanding of the concept of "public key encryption".
I. What is SSH?
To put it simply, SSH is a network protocol that is used for encrypted login between computers.
If a user logs in to a remote computer from the local computer using the SSH protocol, we can assume that the login is secure and that the password will not be disclosed even if the traffic is intercepted in transit.
In the earliest days, Internet communication was all in plaintext, and once intercepted, the content was fully exposed. In 1995, the Finnish scholar Tatu Ylonen designed the SSH protocol, which encrypts all login information. It became a basic solution for Internet security, spread rapidly around the world, and is now standard on Linux systems.
It should be pointed out that SSH is just a protocol, and there are multiple implementations, both commercial and open source. The implementation discussed in this article is OpenSSH, which is free software and very widely used.
In addition, this article only discusses the use of SSH in the Linux shell. If you want to use SSH on a Windows system, you will need another program, PuTTY, which requires a separate article.
II. The most basic usage
SSH is mainly used for remote login. Suppose you want to log in to the remote host host with the user name user; a single command is enough.
$ ssh user@host
If the local user name is the same as the remote user name, the user name can be omitted when logging in.
$ ssh host
The default port for SSH is 22, that is, your login request will be sent to port 22 of the remote host. Using the -p parameter, you can change this port.
$ ssh -p 2222 user@host
The above command indicates that ssh is directly connected to port 2222 of the remote host.
III. Man-in-the-middle attack
SSH is secure because it uses public key encryption.
The whole process is as follows:
(1) The remote host receives the login request from the user and sends its own public key to the user.
(2) The user encrypts the login password with this public key and sends it back.
(3) The remote host decrypts the login password with its own private key and, if the password is correct, allows the user to log in.
The process itself is secure, but there is a risk in practice: if someone intercepts the login request, pretends to be the remote host and sends a forged public key to the user, it is difficult for the user to tell the real key from the fake one. Unlike the https protocol, the public keys of the SSH protocol are not notarized by a Certificate Authority (CA); they are all self-issued.
It is conceivable that an attacker who sits between the user and the remote host (for example on public Wi-Fi) could use a forged public key to obtain the user's login password and then log in to the remote host with it, at which point SSH's security mechanism is gone. This risk is known as a man-in-the-middle attack.
How does SSH deal with it?
IV. Password login
If you are logging in to the remote host for the first time, the following prompt will appear:
$ ssh user@host
The authenticity of host 'host (12.18.429.21)' can't be established.
RSA key fingerprint is 98:2e:d7:e0:de:9f:ac:67:28:c2:42:2d:37:16:58:4d.
Are you sure you want to continue connecting (yes/no)?
This means that the authenticity of the host host cannot be confirmed and only its public key fingerprint is known. Do you want to continue connecting?
The so-called "public key fingerprint" exists because the public key is long (the RSA algorithm is used here, with a length of 1024 bits) and therefore hard to compare, so MD5 is computed over it to turn it into a 128-bit fingerprint. In the example above it is 98:2e:d7:e0:de:9f:ac:67:28:c2:42:2d:37:16:58:4d, which is much easier to compare.
A natural question is: how does the user know what the public key fingerprint of the remote host should be? The answer is that there is no good way; the remote host must post its public key fingerprint on its own website so that users can check it themselves.
Suppose that, after weighing the risk, the user decides to accept the public key of the remote host.
Are you sure you want to continue connecting (yes/no)? yes
A prompt appears indicating that the host host has been accepted.
Warning: Permanently added 'host,12.18.429.21' (RSA) to the list of known hosts.
You are then asked for a password.
Password: (enter password)
If the password is correct, you can log in.
Once the public key of the remote host has been accepted, it is saved in the file $HOME/.ssh/known_hosts. The next time you connect to this host, the system recognizes that its public key is already saved locally, skips the warning and prompts for the password directly.
Each SSH user has their own known_hosts file, and the system also has one, usually /etc/ssh/ssh_known_hosts, which holds the public keys of remote hosts that are trusted for all users.
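The fingerprint comparison described above can be done by hand. The following is an added example, not part of the original article: it derives the MD5 fingerprint from a public key line and compares it with a fingerprint obtained out of band. The function names and the sample key are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original article).
# Constructed sample in public-key-line format ("type base64 comment").
# The key material is made up and does not belong to any real host.
SAMPLE_KEY='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEJvZ3VzS2V5Rm9yRG9jdW1lbnRhdGlvbk9ubHkxMjM0 host'

# md5_fingerprint KEYLINE
# Field 2 of the line is the base64 key blob. The fingerprint is the MD5
# digest of the decoded blob, printed as 16 colon-separated hex bytes.
md5_fingerprint() {
    printf '%s\n' "$1" | awk '{print $2}' | base64 -d | md5sum |
        awk '{print $1}' | sed 's/../&:/g; s/:$//'
}

# fingerprint_matches KEYLINE PUBLISHED
# Succeeds only if the computed fingerprint equals the published one
# (hex case is ignored). Anything else, including an empty result, fails.
fingerprint_matches() {
    actual=$(md5_fingerprint "$1")
    published=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ -n "$actual" ] && [ "$actual" = "$published" ]
}

# Demo: the sample key compared with the fingerprint from the prompt in the
# article. They belong to different keys, so the check must fail.
echo "computed: $(md5_fingerprint "$SAMPLE_KEY")"
if fingerprint_matches "$SAMPLE_KEY" \
    '98:2e:d7:e0:de:9f:ac:67:28:c2:42:2d:37:16:58:4d'; then
    echo "fingerprint matches the published value"
else
    echo "MISMATCH: do not answer yes to the prompt"
fi
```

On a machine with OpenSSH installed, ssh-keygen -l -E md5 -f <keyfile> prints the same MD5 form; current OpenSSH releases show SHA256 fingerprints by default.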
V. Public key login
Logging in with a password means typing the password every time, which is tedious. Fortunately, SSH also provides public key login, which removes the password step.
The principle of "public key login" is simple: the user stores their public key on the remote host. At login, the remote host sends the user a random string; the user encrypts it with their own private key and sends it back. The remote host decrypts it with the stored public key and, if this succeeds, the user is proven to be trusted and is allowed into the shell directly, with no password required.
This method requires the user to provide their own public key. If you don't have one already, you can generate one directly with ssh-keygen:
$ ssh-keygen
After you run the above command, a series of prompts appears; you can press Enter at each one. One of the questions is whether to set a passphrase on the private key. If you are worried about the security of the private key, you can set one here.
When the command finishes, two new files have been generated in the $HOME/.ssh/ directory: id_rsa.pub and id_rsa. The former is your public key and the latter is your private key.
Then enter the following command to transfer the public key to the remote host host:
$ ssh-copy-id user@host
From now on, when you log in again, you won't need to enter your password.
If it still doesn't work, open the /etc/ssh/sshd_config file on the remote host and check that the "#" comment marker in front of the following lines has been removed.
RSAAuthentication yes
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys
Then restart the ssh service on the remote host.
# Ubuntu
service ssh restart
# Debian
/etc/init.d/ssh restart
VI. The authorized_keys file
The remote host stores the user's public key in the file $HOME/.ssh/authorized_keys, under the home directory of the account being logged in to. The public key is just a string; it only needs to be appended to the end of the authorized_keys file.
Here, instead of the ssh-copy-id command above, the following command is used, to explain how the public key gets saved:
$ ssh user@host 'mkdir -p .ssh && cat >> .ssh/authorized_keys' < ~/.ssh/id_rsa.pub
This command consists of several parts. Taking them in order:
(1) "$ ssh user@host" logs in to the remote host.
(2) The mkdir -p .ssh && cat >> .ssh/authorized_keys inside the single quotes is the command executed in the remote shell after login.
(3) The purpose of "mkdir -p .ssh" is to create the .ssh directory in the user's home directory if it does not already exist.
(4) The function of 'cat >> .ssh/authorized_keys' < ~/.ssh/id_rsa.pub is to redirect the local public key file ~/.ssh/id_rsa.pub into the remote command, which appends it to the end of the remote file authorized_keys.
After writing to the authorized_keys file, the setup of the public key login is complete.
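The one-line command above neither sets file permissions nor checks what it appends. The following added example, which is not from the original article, shows the remote-side step with both handled. It matters because sshd's StrictModes option (on by default) ignores an authorized_keys file that other users can write to. The function name install_pubkey and the sample key are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original article).
# Constructed sample public key line; the key material is made up.
SAMPLE_PUBKEY='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEJvZ3VzS2V5Rm9yRG9jdW1lbnRhdGlvbk9ubHkxMjM0 user@laptop'

# install_pubkey HOME_DIR KEYLINE
# Appends one plain public key line to HOME_DIR/.ssh/authorized_keys.
# Runs in a subshell so the umask change does not leak to the caller.
install_pubkey() (
    ssh_dir=$1/.ssh
    auth=$ssh_dir/authorized_keys
    key=$2

    # Accept exactly one "type base64 [comment]" line, nothing else.
    case $key in
        *"
"*) echo "refusing multi-line input" >&2; return 1 ;;
    esac
    printf '%s\n' "$key" | grep -Eq \
        '^(ssh-(rsa|ed25519)|ecdsa-sha2-[a-z0-9-]+) [A-Za-z0-9+/]+=*( .*)?$' || {
        echo "not a public key line" >&2; return 1; }

    # Owner-only permissions, also enforced on pre-existing paths.
    umask 077
    mkdir -p "$ssh_dir" && chmod 700 "$ssh_dir" || return 1
    touch "$auth" && chmod 600 "$auth" || return 1

    # -x whole line, -F fixed string: append only if not already present.
    grep -qxF -- "$key" "$auth" || printf '%s\n' "$key" >> "$auth"
)

# Demo against a scratch directory standing in for the remote $HOME.
demo_home=$(mktemp -d)
install_pubkey "$demo_home" "$SAMPLE_PUBKEY"
install_pubkey "$demo_home" "$SAMPLE_PUBKEY"   # second call adds nothing
ls -ld "$demo_home/.ssh" "$demo_home/.ssh/authorized_keys"
rm -rf "$demo_home"
```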