
What is the ssh service like in Linux

2025-01-18 Update From: SLTechnology News&Howtos


Shulou (Shulou.com) 06/02 Report

Many newcomers are not clear about what the Linux ssh service is. To help with that, this article explains it in detail; anyone who needs it can follow along, and I hope you find it useful.

I. What is SSH?

SSH (Secure Shell Protocol) is a network protocol for encrypted logins between computers. By default the SSH service provides two functions: a telnet-like remote login service (the ssh service proper), and an FTP-like file transfer service, sftp-server, which carries SFTP over the SSH protocol so that data is transmitted securely.

Note: The SSH client (the ssh command) also includes a useful secure remote copy command, scp, which likewise works over the ssh protocol.

II. The most basic usage

The ssh command is used to log in to a remote Linux host.

Common format: ssh [-l login_name] [-p port] [user@]hostname

More details can be viewed with man ssh.

If no user is specified, ssh logs in with the current local user name; run from the root account, as in these examples, that means root:

ssh 192.168.0.15

Specifying a user:

ssh -l root 192.168.0.15
ssh root@192.168.0.15

If the SSH login port has been changed, specify it:

ssh -p 521 192.168.0.15
ssh -l root -p 521 192.168.0.15
ssh -p 521 root@192.168.0.15

In addition, you can edit the configuration file /etc/ssh/sshd_config to change the ssh login port and to prohibit root login. Moving off the default port avoids most automated port scans aimed at port 22. (/etc/ssh/sshd_config is the server-side file and /etc/ssh/ssh_config the client-side one. The port scanner nmap can be installed with yum install nmap -y and run as nmap <ip or domain name> -p 1-65535.)

Edit the configuration file:

vim /etc/ssh/sshd_config

Find #Port 22, remove the comment marker, and change it to a three-digit port:

Port 521

Find #PermitRootLogin yes, remove the comment marker, and change it to:

PermitRootLogin no

Restart the sshd service:

service sshd restart

A successful restart prints:

Stopping sshd: [ OK ]
Starting sshd: [ OK ]
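An added example, not code from the article: a small Python audit of the settings this section changes, parsing sshd_config the way sshd does (the first value of a keyword wins, which is why appending a second PermitRootLogin line below an uncommented one changes nothing). The sample config is constructed; Match blocks are assumed absent, and Port is simplified to a single value.

```python
# Constructed sample: Port was changed, but 'PermitRootLogin no' was appended
# below an uncommented 'PermitRootLogin yes' instead of replacing it.
SAMPLE_SSHD_CONFIG = """\
# sshd_config (constructed sample)
Port 521
#PermitRootLogin yes
PermitRootLogin yes
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys
PermitRootLogin no
"""

# Values this page asks for; keywords are case-insensitive in sshd_config.
EXPECTED = {"permitrootlogin": "no", "pubkeyauthentication": "yes"}


def effective_settings(text):
    """Return {keyword: value} as sshd applies it: the FIRST occurrence wins."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                      # blank line or comment
        parts = line.split(None, 1)       # 'Keyword value' form ('Keyword=value' not handled)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key == "match":
            break                         # conditional blocks are out of scope here
        settings.setdefault(key, value)   # keep the first value, like sshd
    return settings


def audit(text):
    """Findings about the settings discussed above; an empty list means they are ok."""
    s = effective_settings(text)
    findings = []
    if s.get("port", "22") == "22":       # sshd defaults to 22 when Port is absent
        findings.append("Port is still the default 22")
    for key, want in EXPECTED.items():
        got = s.get(key)
        if got is None:
            findings.append(f"{key} not set explicitly")
        elif got.lower() != want:
            findings.append(f"{key} is '{got}', expected '{want}'")
    return findings


for finding in audit(SAMPLE_SSHD_CONFIG):
    print("WARNING:", finding)
```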

III. Man-in-the-middle attacks

SSH can guarantee security because it uses public key encryption. The whole process works like this:

(1) The remote host receives the user's login request and sends its own public key to the user.

(2) The user uses this public key to encrypt the login password and sends it back.

(3) The remote host decrypts the login password with its own private key, and if the password is correct, it agrees to the user login.

The process itself is secure, but there is a risk in how it is deployed: if someone intercepts the login request and impersonates the remote host by sending a forged public key to the user, the user has no easy way to tell whether it is genuine. Unlike HTTPS, SSH public keys are not vouched for by a certificate authority (CA); they are self-signed.

So if an attacker sits between the user and the remote host (say, on a public Wi-Fi network), he can obtain the user's login password by means of a forged public key, then use that password to log in to the remote host himself, and SSH's security is gone.

IV. Password login

If this is your first time logging in to the host, the system prompts:

$ ssh user@host
The authenticity of host 'host (12.18.429.21)' can't be established.
RSA key fingerprint is 98:2e:d7:e0:de:9f:ac:67:28:c2:42:2d:37:16:58:4d.
Are you sure you want to continue connecting (yes/no)?

This means: the authenticity of the host cannot be confirmed; only its public key fingerprint is known. Do you still want to continue connecting?

The so-called "public key fingerprint" exists because the public key is long (RSA is used here, with a key of up to 1024 bits) and hard to compare by eye, so an MD5 digest is computed over it to produce a 128-bit fingerprint, 98:2e:d7:e0:de:9f:ac:67:28:c2:42:2d:37:16:58:4d, which is easier to compare.

A natural question is how the user knows what the remote host's public key fingerprint should be. The answer is that there is no good way: the remote host has to publish its public key fingerprint on its own website so that users can check it themselves.

Suppose, after weighing the risks, the user decides to accept the remote host's public key.

Are you sure you want to continue connecting (yes/no)? yes

A message appears indicating that the host has been accepted:

Warning: Permanently added 'host,12.18.429.21' (RSA) to the list of known hosts.

Then it asks for the password:

Password: (enter password)

If the password is correct, you can log in.

Once the remote host's public key is accepted, it is saved in the file ~/.ssh/known_hosts. The next time you connect to this host, the system recognizes that its public key is already stored locally, skips the warning and prompts directly for the password.

Each SSH user has their own known_hosts file, and the system also has one, usually /etc/ssh/ssh_known_hosts, that holds the public keys of remote hosts trusted by all users.
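An added example covering sections III and IV (not the article's code; the key in it is constructed): how the "RSA key fingerprint" shown above is derived from the host's public key, and the out-of-band comparison that catches a forged key from a man in the middle. OpenSSH hashes the base64-decoded key blob; older versions print the MD5 digest as colon-separated hex, as on this page, newer ones print SHA256 in base64.

```python
import base64
import hashlib
import struct


def _ssh_string(b):
    # SSH 'string': 4-byte big-endian length followed by the bytes
    return struct.pack(">I", len(b)) + b


def _ssh_mpint(n):
    # SSH 'mpint': big-endian magnitude, with a leading 0x00 if the top bit is set
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return _ssh_string(b"\x00" + b if b[0] & 0x80 else b)


def rsa_public_blob(e, n):
    # Wire format of an ssh-rsa public key: string "ssh-rsa", mpint e, mpint n
    return _ssh_string(b"ssh-rsa") + _ssh_mpint(e) + _ssh_mpint(n)


def fingerprints(blob):
    """(md5 colon-hex, 'SHA256:' base64) fingerprints of a raw public-key blob,
    the two forms ssh prints on first connection (older and newer OpenSSH)."""
    md5 = hashlib.md5(blob).hexdigest()
    md5_fp = ":".join(md5[i:i + 2] for i in range(0, 32, 2))
    sha = base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
    return md5_fp, "SHA256:" + sha


def known_hosts_fingerprint(line):
    """MD5-form fingerprint of one 'hostnames keytype base64blob' known_hosts line."""
    _hosts, _keytype, b64 = line.split()[:3]
    return fingerprints(base64.b64decode(b64))[0]


def host_key_matches(line, published_md5_fp):
    """The check that defeats a forged key: does the fingerprint of the key we
    were offered equal the one the server operator published out of band?"""
    return known_hosts_fingerprint(line) == published_md5_fp


# Constructed sample: toy ssh-rsa key (64-bit modulus, insecure, format only)
TOY_BLOB = rsa_public_blob(65537, 0xD2A71F3B9C4E5A01)
KNOWN_HOSTS_LINE = "host,192.0.2.10 ssh-rsa " + base64.b64encode(TOY_BLOB).decode()
PUBLISHED_FP = fingerprints(TOY_BLOB)[0]          # what the operator's website shows
# A different key, as a man in the middle would present: its fingerprint differs
FORGED_LINE = "host,192.0.2.10 ssh-rsa " + base64.b64encode(
    rsa_public_blob(65537, 0xD2A71F3B9C4E5A03)).decode()
```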

V. Public key login

With password login you have to enter the password every time, which is tedious. SSH also provides public key login, which removes the need to enter a password.

The principle of "public key login" is simple: the user stores his public key on the remote host. At login, the remote host sends a random string to the user, who encrypts it with his private key and sends it back. The remote host decrypts it with the pre-stored public key; if that succeeds, the user is proven trustworthy and is given a login shell directly, with no password required.
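An added example, not from the article, of the challenge-response just described, using a textbook toy RSA key (p=61, q=53) that is far too small to be secure but lets the whole exchange run offline: the server keeps only the public key, sends a fresh random challenge, and accepts the login only if the response verifies under that key.

```python
import secrets

# Constructed toy RSA key (textbook values, insecure, for the flow only):
# n = 61 * 53 = 3233, e = 17, d = 2753 since 17 * 2753 = 1 (mod 3120)
PUBLIC_KEY = (17, 3233)      # the part stored in ~/.ssh/authorized_keys on the server
PRIVATE_KEY = (2753, 3233)   # the part that stays in ~/.ssh/id_rsa on the client


def server_new_challenge(public_key):
    """Server side: a fresh random number the client must prove it can sign."""
    _e, n = public_key
    return secrets.randbelow(n - 2) + 2


def client_respond(challenge, private_key):
    """Client side: 'encrypt the string with the private key', i.e. sign it."""
    d, n = private_key
    return pow(challenge, d, n)


def server_verify(challenge, response, public_key):
    """Server side: 'decrypt' with the stored public key and compare with what was sent."""
    e, n = public_key
    return pow(response, e, n) == challenge


def login_attempt(private_key, public_key=PUBLIC_KEY):
    """One full exchange; True means the remote host would open the shell."""
    challenge = server_new_challenge(public_key)
    response = client_respond(challenge, private_key)
    return server_verify(challenge, response, public_key)


def replay_is_rejected(old_challenge, old_response, new_challenge, public_key=PUBLIC_KEY):
    """Why the challenge is random each time: a captured response for one
    challenge does not verify against a different one."""
    return new_challenge != old_challenge and not server_verify(new_challenge, old_response, public_key)
```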

This method requires the user to supply his own public key. If you don't already have one, generate it with ssh-keygen:

$ ssh-keygen

After running the command, a series of prompts appears; you can press Enter through all of them. One of the questions is whether to set a passphrase for the private key. If you are worried about the security of the private key, you can set one here.

When it finishes, two new files are generated in the $HOME/.ssh/ directory: id_rsa.pub and id_rsa. The former is your public key and the latter is your private key.

Now type the following command to transfer the public key to the remote host:

$ ssh-copy-id user@host

From now on, logging in no longer requires a password.

If that doesn't work, open the remote host's /etc/ssh/sshd_config file and check that the following lines are present with the "#" comment marker removed:

RSAAuthentication yes
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys

Then restart the ssh service on the remote host:

/etc/init.d/ssh restart

VI. The authorized_keys file

The remote host saves the user's public key in the file ~/.ssh/authorized_keys in the home directory of the account being logged in to. A public key is just a string that gets appended to the end of the authorized_keys file.

Instead of the ssh-copy-id command above, the following command can be used, which makes the process of saving the public key explicit:

$ ssh user@host 'mkdir -p .ssh && cat >> .ssh/authorized_keys'

This command consists of several parts, broken down in turn:

(1) "ssh user@host" logs in to the remote host.

(2) "mkdir -p .ssh && cat >> .ssh/authorized_keys" in single quotes is the command executed in the remote shell after login.

(3) "mkdir -p .ssh" creates the .ssh directory in the user's home directory if it does not already exist.

(4) "cat >> .ssh/authorized_keys"
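An added example, not the article's code, that does what the 'mkdir -p .ssh && cat >> .ssh/authorized_keys' above does but with two things ssh-copy-id also takes care of: it skips a key that is already present, so repeated runs do not grow the file, and it sets the permissions sshd's StrictModes check expects (700 on .ssh, 600 on authorized_keys). The key and the home directory are constructed so it runs offline.

```python
import os
import tempfile
from pathlib import Path

# Constructed sample public key line (not a real key; OpenSSH format only)
SAMPLE_PUBKEY = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQC0EXAMPLEKEYDATA= user@client"


def key_identity(line):
    """(type, base64 blob) of a public-key line; the comment field is ignored,
    so the same key with a different comment still counts as a duplicate."""
    parts = line.split()
    return (parts[0], parts[1]) if len(parts) >= 2 else None


def installed_keys(home):
    """Keys currently in home/.ssh/authorized_keys as (type, blob) pairs."""
    auth = Path(home) / ".ssh" / "authorized_keys"
    if not auth.exists():
        return []
    return [k for k in map(key_identity, auth.read_text().splitlines()) if k]


def install_pubkey(home, pubkey_line):
    """Append pubkey_line unless the key is already authorized.
    Returns True if it was added, False if it was already there."""
    wanted = key_identity(pubkey_line.strip())
    if wanted is None:
        raise ValueError("not an OpenSSH public key line")
    ssh_dir = Path(home) / ".ssh"
    ssh_dir.mkdir(mode=0o700, exist_ok=True)     # 'mkdir -p .ssh'
    os.chmod(ssh_dir, 0o700)                       # sshd rejects group/world-writable dirs
    if wanted in installed_keys(home):
        return False
    auth = ssh_dir / "authorized_keys"
    with auth.open("a") as f:                      # 'cat >> .ssh/authorized_keys'
        f.write(pubkey_line.strip() + "\n")
    os.chmod(auth, 0o600)
    return True


def demo():
    """Install the same key twice (second time with another comment) in a
    throwaway home; returns (added_first, added_second, key_count, file_mode)."""
    with tempfile.TemporaryDirectory() as home:
        first = install_pubkey(home, SAMPLE_PUBKEY)
        second = install_pubkey(home, SAMPLE_PUBKEY.replace("user@client", "user@laptop"))
        mode = os.stat(Path(home) / ".ssh" / "authorized_keys").st_mode & 0o777
        return first, second, len(installed_keys(home)), mode
```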
