SSH stands for Secure Shell, a secure transmission protocol. An Ubuntu client can access remote servers through SSH.
Introduction and working mechanism of SSH
Introduction to SSH
Traditional network services such as ftp, POP and telnet are inherently insecure because they transmit passwords and data in clear text, so anyone on the network path can easily intercept them. The authentication methods of these services are also weak: they are vulnerable to "man-in-the-middle" attacks, in which the "man in the middle" pretends to be the real server in order to receive the data you send, and then pretends to be you and forwards that data to the real server. Once the traffic between you and the server passes through a middleman who can tamper with it, serious problems arise.
Some years ago a Finnish programmer named Tatu Ylönen developed a network protocol and service software called SSH (short for Secure SHell). With SSH all transmitted data is encrypted, so that the "man in the middle" attack becomes impossible, and DNS and IP spoofing are also prevented. An additional benefit is that the transmitted data is compressed, which can speed up the transfer. SSH has many functions. Although many people regard Secure Shell simply as a replacement for Telnet, you can use it to protect your network connections in general: you can forward other network traffic such as POP, X, PPP and FTP through the Secure Shell on the local or remote system, and you can forward other kinds of traffic as well, including CVS and any other TCP connection. In addition, Secure Shell can be combined with TCP wrappers to further restrict connections. It also has other convenient features: it can be used with applications such as Oracle, for remote backups, and with additional authentication such as SecurID cards.
SSH working mechanism
SSH is divided into two parts: the client part and the server part.
The server is a daemon that runs in the background and responds to connection requests from clients. It is generally the sshd process, which handles remote connections, including public key authentication, key exchange, symmetric-key encryption, and non-secure connections.
The client includes the ssh program and other applications such as scp (remote copy), slogin (remote login), sftp (secure file transfer), and so on.
Their working mechanism is roughly as follows: the local client sends a connection request to the remote server; the server checks the request packet and the IP address and then sends its key to the SSH client; the local side sends a key back to the server, and from then on the connection is established. This is only the general course of an SSH connection; SSH 1.x and SSH 2.x differ somewhat in their connection protocols.
SSH is designed to work on its own, without the super server (inetd). Although the SSH process can be run through tcpd under inetd, this is completely unnecessary. After the SSH server is started, sshd runs and listens on the default port 22 (you can use ps -waux | grep sshd to check whether sshd is running correctly). If SSH was not started via inetd, sshd waits for connection requests; when a request arrives, the SSH daemon spawns a child process, which handles that connection.
However, because of copyright and encryption-algorithm restrictions, many people now switch to OpenSSH. OpenSSH is an alternative to SSH, and it is free.
SSH consists of client and server software. There are two incompatible versions, 1.x and 2.x: a client using SSH 2.x cannot connect to an SSH 1.x service. OpenSSH 2.x supports both SSH 1.x and 2.x.
SSH is divided into the client package openssh-client and the server package openssh-server
If you only want to log in to another machine over SSH, you only need to install openssh-client (Ubuntu installs it by default; if it is missing, run sudo apt-get install openssh-client). If you want to offer the SSH service on this machine, you need to install openssh-server.
One, install the client
Ubuntu installs the ssh client by default.
sudo apt-get install ssh or sudo apt-get install openssh-client
ssh-keygen
(Press Enter to accept the default values)
By default this generates the files id_rsa and id_rsa.pub, which are the private key and the public key respectively.
Note: if sudo apt-get install ssh fails, use sudo apt-get install openssh-client instead.
Assume that the server IP is 192.168.1.1, the ssh service listens on port 22, and root is a user on the server.
The command to log in to the server with ssh is:
ssh -p 22 root@192.168.1.1
Then enter the password of the root user.
Two, install the server
Ubuntu does not install SSH Server by default; use the following command to install it:
sudo apt-get install openssh-server
Then confirm whether the ssh server has started (or use the netstat -tlp command):
ps -e | grep ssh
If only ssh-agent appears, the ssh server has not been started and you need to run /etc/init.d/ssh start; if you see sshd, the ssh server is running.
If not, you can start it like this:
sudo /etc/init.d/ssh start
In fact, if there are no special requirements, the installation of OpenSSH Server is finished here. But further settings can make OpenSSH logins faster and more secure. All of this is done by editing the openssh configuration file sshd_config.
Three, SSH configuration
The ssh server configuration file is /etc/ssh/sshd_config, where you can define the service port of SSH. The default port is 22; you can define another port number, such as 222. Then restart the SSH service:
sudo /etc/init.d/ssh restart
By editing the configuration file /etc/ssh/sshd_config, you can change the ssh login port and forbid root login. Changing the port helps against port scanning. First keep a read-only backup of the original file:
sudo cp /etc/ssh/sshd_config /etc/ssh/sshd_config.original
sudo chmod a-w /etc/ssh/sshd_config.original
Edit the configuration file:
gedit /etc/ssh/sshd_config
Find #Port 22, remove the comment, and change it to a five-digit port: Port 22333
Find #PermitRootLogin yes, remove the comment, and change it to: PermitRootLogin no
Restart after configuration:
sudo /etc/init.d/ssh restart
Four, SSH service commands
Stop the service: sudo /etc/init.d/ssh stop
Start the service: sudo /etc/init.d/ssh start
Restart the service: sudo /etc/init.d/ssh restart
Disconnect: exit
Login: ssh root@192.168.0.100
Here root is a user on the 192.168.0.100 machine, and its password must be entered.
Five, SSH login command
Common format: ssh [-l login_name] [-p port] [user@]hostname
More detailed information can be viewed with ssh -h.
For example:
No user specified: ssh 192.168.0.1
Specified user:
ssh -l root 192.168.0.1
ssh root@192.168.0.1
If you have changed the ssh login port, you can use:
ssh -p 22333 192.168.0.111
ssh -l root -p 22333 216.230.230.105
ssh -p 22333 root@216.230.230.105
Six, improve the login speed
When logging in remotely, you may find that after entering the user name you wait a long time before being prompted for the password. This is because sshd looks up the client's DNS information. Disabling this feature greatly speeds up login. First, open the sshd_config file:
sudo nano /etc/ssh/sshd_config
Find the section GSSAPI options and comment out the following two lines:
sudo /etc/init.d/ssh restart
Try logging in again; it should be much faster now.
Seven, use PuTTY to log in to the server through certificate authentication
In the SSH service all content is encrypted in transit, so security is basically guaranteed. But if certificate authentication is used, security is higher still, and with certain settings the effect of automatic login via certificate authentication can also be achieved.
First modify the sshd_config file and enable the certificate authentication options:
RSAAuthentication yes
PubkeyAuthentication yes
AuthorizedKeysFile %h/.ssh/authorized_keys
After the modification is complete, restart the ssh service.
Next we need to create a private and public key pair for the SSH user. First, log in to the account for which the key is to be created; here, please log out of the root user, and if necessary use the su command to switch to another user. Then run:
ssh-keygen
Here we can store the generated key in the default directory. During generation you are prompted for a passphrase, which is equivalent to putting a password on the certificate; this is another security measure, so that the key is still protected even if the certificate is accidentally copied. Of course, if it is left blank, PuTTY can later log in automatically through certificate authentication.
The ssh-keygen command generates two keys. First, we rename the public key and leave it on the server:
cd ~/.ssh
mv id_rsa.pub authorized_keys
Then copy the private key id_rsa off the server and delete the id_rsa file on the server.
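As an added example (not from the original article), these POSIX shell functions install a public key into an authorized_keys file the way sshd expects it: the directory and file permissions are set so that sshd's default StrictModes does not silently ignore the file, and the key line is appended only once instead of overwriting the file as mv does. The directory path and the key line are parameters; the key used in the comments and tests is a constructed placeholder, not a real key.

```shell
#!/bin/sh
# Added example, not from the original article. Assumes POSIX sh with grep,
# awk, find, mkdir, touch and chmod. SSHDIR is normally "$HOME/.ssh" and
# KEY is one line of a .pub file, e.g. "ssh-ed25519 AAAA... user@client"
# (constructed placeholder, not a real key).

# install_authorized_key SSHDIR "KEY LINE"
# Creates SSHDIR (0700) and SSHDIR/authorized_keys (0600) if needed and
# appends the key once; re-running with the same key changes nothing.
install_authorized_key() {
    dir=$1; key=$2
    [ -d "$dir" ] || mkdir -p "$dir"
    chmod 700 "$dir"
    touch "$dir/authorized_keys"
    chmod 600 "$dir/authorized_keys"
    # Match on key type and key material only, ignoring the trailing comment,
    # so the same key with a different comment is not added twice.
    keyid=$(printf '%s\n' "$key" | awk '{print $1, $2}')
    if ! grep -Fq "$keyid" "$dir/authorized_keys"; then
        printf '%s\n' "$key" >> "$dir/authorized_keys"
    fi
}

# check_authorized_keys SSHDIR
# Returns 0 when the permissions are what sshd's StrictModes accepts
# (directory 0700, authorized_keys 0600); 1 otherwise.
check_authorized_keys() {
    dir=$1
    [ -n "$(find "$dir" -prune -perm 700)" ] || return 1
    [ -n "$(find "$dir/authorized_keys" -prune -perm 600)" ] || return 1
}
```

With wrong permissions, key authentication fails and sshd falls back to asking for a password, which looks like a bad key; check_authorized_keys is the first thing to run in that case.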
The settings on the server are finished; the following steps are done on the client computer. First we need to convert the id_rsa file into a format supported by PuTTY, using the PuTTYgen tool:
Click the Load button in the PuTTYgen window, select the id_rsa file, enter the passphrase (if any), and then click Save private key; the private key in the format PuTTY accepts is now ready.
Open PuTTY, enter the IP address of the server under Session, click the Browse button under Connection -> SSH -> Auth, and select the private key just generated. Then go back to the Connection page and enter the user name the certificate belongs to in Auto-login username. Return to the Session page, enter a name and click Save to save the session. Click Open at the bottom and you should be able to log in to the server through certificate authentication. If there is a passphrase you will be asked for it during login; otherwise you are logged in to the server directly, which is very convenient.
The above is the whole content of this article, I hope it will be helpful to everyone's study.