Recently the company was mining server, so replace the ssh connections from the previous password to log in to replace key landing approach and banned the password. Therefore, in the configuration of this key process, incidentally, to understand the principles and knowledge of some of ssh. General open source
1, what ssh is why ssh, ssh used where
1) ssh is a protocol standard, also known as Secure Shell protocol, the main provider of security protocol for remote login session, and other network services. The full name of Secure SHell, essentially encrypted shell. It can replace telnet, but also as ftp, pop, and even provide a safe ppp "channel."
2) using the SSH protocol, remote management can effectively prevent information leakage problem in the process, but also to prevent DNS spoofing and IP spoofing, because during the transmission of data compression, but also improve transmission efficiency.
3) Almost all UNIX platforms - including the HP-UX , Linux , AIX , the Solaris , Digital UNIX , Irix , and other platforms, to run SSH. Now the mainstream open source implementation is openssh, of course, there are many commercial implementations.
2, two encryption modes, use the ssh, ssh supports two levels of security verification
1) two types of encryption symmetric encryption and asymmetric encryption. As the name implies symmetric encryption, data encryption and decryption using the same key advantage is the high encryption strength, but the disadvantage is likely to result in the loss of key security issues.
Ssh When using asymmetric encryption of the data transmission processing is divided into private and public keys, data encrypting process is performed usually when using the public key to encrypt data, decrypt the private key (Note here that only the encrypted data , when the signature is just the opposite, using a private signature, public key inspection sign). And substantially absent may deduce the private key of the public key
a, the first way to password. Throughout the process, the client itself does not have any keys.
第一步,客户端输入用户名密码,发出登陆请求。
第二步,服务端接收到请求并返回给客户端公钥以及公钥指纹(公钥指纹是为了防止中间人攻击的产物,是由于公钥本身过长(1024位)而对其hash之后产生的128位的指纹,方便在第一次连接服务端的时候,用户对服务端身份的对比确认。用户确认通过后,该host会被加入到known_hosts。第二次连接时,不需要再次确认服务端身份了。感兴趣可以搜索中间人攻击,如下图)
第三步,客户端收到服务端发送的公钥,对密码进行加密然后将密文发送给服务端
第四步,服务端收到密文,使用私钥将密文进行解密,得到密码并对比确认
第五步,服务端返回给客户端,登陆结果。
b、 第二种方式为公钥登陆,也就是免密登陆。
第一步,客户端生成一对密钥,手动将公钥添加到服务端的authorized_keys中。
第二步,客户端直接发起登陆请求到服务端
第三步,服务端收到请求后,生成随机数R,并使用公钥对随机数R进行加密,得到密文并返回给客户端
第四步,客户端收到密文后,使用私钥对密文解密,得到随机数R。然后用MD5对随机数R和SessionKey进行生成摘要A1,并发送给服务端
第五步,服务端同样用MD5对随机数R和SessionKey进行生成摘要A2,然后对比A1和A2,完成登录确认。
扩展
ssh-keygen是用于生产密钥的工具。
- -t:指定生成密钥类型(rsa、dsa、ecdsa等)
- -P:指定passphrase,用于确保私钥的安全
- -f:指定存放密钥的文件(公钥文件默认和私钥同目录下,不同的是,存放公钥的文件名需要加上后缀.pub)
部分内容和全部图片是从网上拿来用的,如有侵权,联系删除