[Linux configuration] SSH principle and simple use

1. SSH concept

SSH (Secure Shell) is a security protocol designed for remote login sessions. The default port is 22. Unlike Telnet (remote login) and FTP (file transfer), which transmit data in plaintext, SSH encrypts the session.

Implementations of the SSH protocol include both commercial and open source ones. This article mainly discusses the open source implementation, OpenSSH.

OpenSSH is an open source implementation of secure remote login built on the OpenSSL cryptographic library; OpenSSL is a cryptographic library written in C that provides a rich set of cryptographic components. For details, please refer to the relevant links at the end of the article.

2. SSH principle

First understand the basic login pattern:

The client sends a password to the server, and once the server confirms it, authentication succeeds and the client is logged in. This raises two questions: how is the password kept secure, and how is the authentication itself secured? SSH uses public key cryptography to improve security: the server generates its own public/private key pair, sends the public key to the client securely, and uses its private key for verification. This authentication is mutual, since the client also needs to authenticate the server. Note that this differs from the CA-based authentication model used in HTTPS.

However, the process of sending the public key may be subject to a man-in-the-middle attack. The best solution at present is for the client to confirm whether the target server's public key is trustworthy; once it is trusted, the client adds the host to its own known_hosts file. For example, the following prompt may appear:

The authenticity of host 'ssh-server.example.com (12.18.429.21)' can't be established.
RSA key fingerprint is 98:2e:d7:e0:de:9f:ac:67:28:c2:42:2d:37:16:58:4d.
Are you sure you want to continue connecting (yes/no)?

The prompt above asks whether to trust the remote host's public key (the RSA public key is 1024 bits, and the fingerprint shown here is computed with MD5).

At this point, enter yes and the following information will appear:

Warning: Permanently added 'ssh-server.example.com,12.18.429.21' (RSA) to the list of known hosts. 
Password: (enter password) 

This indicates that the client has confirmed the connection and the remote host has been added to known_hosts; entering the password then completes the login.
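The fingerprint check described in this section, as an added example that is not part of the original article: it parses a known_hosts-style entry, reads the RSA key size, and computes the MD5 fingerprint shown in the prompt, then compares it with a fingerprint obtained out of band. It goes slightly beyond the text by also computing the SHA256 form that current OpenSSH clients print by default. The sample key is constructed (not a real key) and all function names are assumptions.

```python
import base64
import hashlib
import hmac
import struct

def _field(data):
    # SSH wire format: 4-byte big-endian length, then the bytes
    return struct.pack(">I", len(data)) + data

def _mpint(n):
    # Positive mpint: big-endian, with a leading zero byte when the top bit is set
    return _field(n.to_bytes(n.bit_length() // 8 + 1, "big"))

# Constructed sample, not a real key: the modulus is an arbitrary 1024-bit number.
SAMPLE_BLOB = _field(b"ssh-rsa") + _mpint(65537) + _mpint((1 << 1023) | 0x1234567)
SAMPLE_LINE = "ssh-server.example.com ssh-rsa " + base64.b64encode(SAMPLE_BLOB).decode()

def parse_known_hosts_line(line):
    """Return (host, key_type, rsa_bits, blob) for a plain known_hosts entry."""
    host, key_type, b64 = line.split()[:3]
    blob = base64.b64decode(b64, validate=True)
    fields, pos = [], 0
    while pos < len(blob):
        (size,) = struct.unpack(">I", blob[pos:pos + 4])
        if pos + 4 + size > len(blob):
            raise ValueError("truncated key blob")
        fields.append(blob[pos + 4:pos + 4 + size])
        pos += 4 + size
    if not fields or fields[0] != key_type.encode():
        raise ValueError("key type does not match the blob")
    # For ssh-rsa the fields are: type name, public exponent e, modulus n
    bits = int.from_bytes(fields[2], "big").bit_length() if key_type == "ssh-rsa" else None
    return host, key_type, bits, blob

def md5_fingerprint(blob):
    # Colon-separated hex, the form shown in the prompt above
    digest = hashlib.md5(blob).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

def sha256_fingerprint(blob):
    # The form printed by current OpenSSH clients: unpadded base64
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def matches_trusted(blob, trusted):
    """Compare against a fingerprint obtained out of band from the server admin."""
    if trusted.startswith("SHA256:"):
        return hmac.compare_digest(sha256_fingerprint(blob), trusted)
    return hmac.compare_digest(md5_fingerprint(blob), trusted.lower())
```

Answering yes at the prompt is only safe when the displayed fingerprint equals one received through a separate trusted channel, which is the comparison `matches_trusted` performs.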

3. SSH password-free login

It is particularly inconvenient to enter a password every time you log in, especially in a cluster environment where traffic between hosts is very frequent. SSH provides a password-free login strategy.

Basic process:

4. SSH in practice

The basic process of configuring password-free login to a server is as follows:

1. Enter the .ssh folder in the client's home directory

cd ~/.ssh

2. Generate public and private keys

ssh-keygen -t rsa

3. Copy the public key to the target server

ssh-copy-id xxx

The ~/.ssh directory contains the following files:

  • authorized_keys: stores the public keys of authorized clients;
  • id_rsa: stores the private key;
  • id_rsa.pub: stores the public key;
  • known_hosts: stores information about hosts that have been accessed.

When in use, just execute ssh xxx to log in to the target server.

Similarly, when using Git to log in to GitHub, a similar SSH password-free authorization operation is performed.

【Reference link】

Origin blog.csdn.net/qq_40589204/article/details/118363913