SSH (Secure Shell)

SSH is the abbreviation of Secure Shell. The protocol was standardized by the IETF Network Working Group, and it is an application-layer security protocol. SSH is designed to provide a secure channel for remote login sessions and other network services, and when used properly it prevents the information disclosure that plain-text remote management otherwise exposes. SSH began as a program for UNIX systems and quickly spread to other operating platforms. Clients exist for many platforms, and almost all UNIX platforms, including HP-UX, Linux, AIX, Solaris, Digital UNIX and Irix, can run SSH.
 

Features

Traditional network service programs such as FTP, POP and Telnet are insecure by nature, because they transmit passwords and data over the network in clear text, so anyone with bad intentions can intercept them easily. The authentication these services use is weak as well and is vulnerable to a man-in-the-middle attack: the "middleman" poses as the real server, receives the data you meant to send to the server, then forwards it to the real server while posing as you. Once the traffic between you and the server passes through a middleman who can tamper with it, the consequences are very serious. SSH encrypts everything it transmits, so the data cannot be read in transit, and because the client authenticates the server by its host key, a middleman, DNS spoofing or IP spoofing cannot silently redirect the session (this only holds if the client actually verifies the host key instead of blindly accepting a new or changed one). A further benefit is that SSH can compress the transmitted data, which can speed up transfers over slow links. SSH has many uses: it can replace Telnet, and it can also provide a secure "channel" (tunnel) for FTP, POP and even PPP [1].

Authentication

From the client's perspective, SSH offers two levels of security authentication.
The first level (password-based authentication)
As long as you know your account name and password, you can log in to the remote host. All transmitted data is encrypted, but the password itself proves nothing about the server: unless the client verifies the server's host key, you cannot be sure that you are connected to the server you intended. Another server may be posing as the real one and capturing the password, which is exactly the "middleman" attack described above.
The second level (key-based authentication)
This level relies on a key pair: you generate a pair of keys for yourself and place the public key on every server you need to access. When you connect, the client software tells the server which public key it wants to authenticate with. The server looks for that public key among the authorized keys under your home directory and compares it with the one the client offered. If they match, the server requires proof that you hold the private key: in SSH-2 the client signs a message that includes the session identifier with its private key, and the server verifies that signature with the stored public key (the older SSH-1 scheme instead encrypted a random "challenge" with the public key and had the client decrypt it and send it back).
With this method you must know the passphrase that protects your private key, but unlike the first level, no password or other secret ever crosses the network.
The second level not only encrypts all transmitted data but also leaves a "middleman" unable to log in as you: he does not have your private key, and the signature is bound to the session, so it cannot be relayed to the real server. The whole login process can, however, take up to about 10 seconds [2].
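Host key verification is the check that makes the "middleman" attack fail at either authentication level above. The following Python is an added example, not code from the original article or from OpenSSH: it reads entries in OpenSSH's known_hosts format (plain host lists, HashKnownHosts-style hashed host names, and the @revoked marker), computes the same SHA256 fingerprint ssh prints on first contact, and classifies an offered key as ok, changed (possible middleman), revoked or unknown. The host names, salt and key bytes are constructed; the ssh-ed25519 blobs have the correct layout but are not real keys.

```python
import base64
import hashlib
import hmac
import struct


def ssh_string(data: bytes) -> bytes:
    """RFC 4251 'string' encoding: 4-byte big-endian length, then the bytes."""
    return struct.pack(">I", len(data)) + data


def parse_key_line(line: str):
    """Split 'type base64 [comment]' into (key type, raw key blob)."""
    parts = line.split()
    if len(parts) < 2:
        raise ValueError("malformed key line")
    return parts[0], base64.b64decode(parts[1])


def fingerprint(line: str) -> str:
    """The SHA256 fingerprint ssh/ssh-keygen print: base64(sha256(blob)) without '=' padding."""
    _, blob = parse_key_line(line)
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")


def lookup_name(host: str, port: int = 22) -> str:
    """known_hosts records non-standard ports as '[host]:port'."""
    return host if port == 22 else "[%s]:%d" % (host, port)


def host_field_matches(field: str, name: str) -> bool:
    """One host field: comma-separated names, or hashed '|1|b64(salt)|b64(HMAC-SHA1(salt, name))'."""
    if field.startswith("|1|"):
        _, _, salt_b64, mac_b64 = field.split("|")
        mac = hmac.new(base64.b64decode(salt_b64), name.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(mac, base64.b64decode(mac_b64))
    return name in field.split(",")


def check_host_key(known_hosts: str, name: str, offered: str) -> str:
    """Return 'ok', 'revoked', 'changed' (possible middleman) or 'unknown' (first contact)."""
    offered_type, offered_blob = parse_key_line(offered)
    seen = False
    for raw in known_hosts.splitlines():
        fields = raw.split()
        if not fields or fields[0].startswith("#"):
            continue
        marker = None
        if fields[0].startswith("@"):
            marker, fields = fields[0], fields[1:]
        if marker == "@cert-authority" or len(fields) < 3:
            continue  # CA entries apply to certificates, which this example does not handle
        if not host_field_matches(fields[0], name):
            continue
        if marker is None:
            seen = True  # a revoked entry does not make the host "known"
        if fields[1] == offered_type and base64.b64decode(fields[2]) == offered_blob:
            return "revoked" if marker == "@revoked" else "ok"
    return "changed" if seen else "unknown"


def hashed_host_field(name: str, salt: bytes) -> str:
    """Produce the host field that 'HashKnownHosts yes' writes."""
    mac = hmac.new(salt, name.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(), base64.b64encode(mac).decode())


def fake_ed25519_line(seed: int) -> str:
    """Constructed key line: correct ssh-ed25519 blob layout, but not a real key."""
    blob = ssh_string(b"ssh-ed25519") + ssh_string(bytes([seed]) * 32)
    return "ssh-ed25519 " + base64.b64encode(blob).decode()


GOOD_KEY = fake_ed25519_line(0x11)
OLD_KEY = fake_ed25519_line(0x22)
ATTACKER_KEY = fake_ed25519_line(0x33)

# Constructed known_hosts: a plain entry, a hashed entry and a revoked key. None are real.
SAMPLE_KNOWN_HOSTS = "\n".join([
    "# constructed sample for the example; no real hosts or keys",
    "bastion.example.com,10.0.0.5 " + GOOD_KEY,
    hashed_host_field("git.example.com", b"twenty-byte-salt-123") + " " + GOOD_KEY,
    "@revoked old.example.com " + OLD_KEY,
])

if __name__ == "__main__":
    for host, key in [("bastion.example.com", GOOD_KEY), ("git.example.com", GOOD_KEY),
                      ("bastion.example.com", ATTACKER_KEY), ("new.example.com", GOOD_KEY)]:
        print(host, fingerprint(key), check_host_key(SAMPLE_KNOWN_HOSTS, host, key))
```

The "changed" result is the one ssh reports as "REMOTE HOST IDENTIFICATION HAS CHANGED"; a client that accepts that key anyway, or that auto-accepts "unknown" hosts, hands the middleman the password at the first level and a fake session at the second.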
 

Protocol layers

SSH consists of three parts:
Transport layer protocol [SSH-TRANS]
Provides server authentication, confidentiality and integrity, and optionally compression. SSH-TRANS typically runs over a TCP/IP connection but can be used over any reliable data stream. It provides strong encryption, cryptographic host authentication and integrity protection. Authentication at this layer is host-based: the protocol authenticates the server host and performs no user authentication. Higher-level user authentication protocols are designed on top of it.
User Authentication Protocol [SSH-USERAUTH]
Authenticates the client-side user to the server. It runs on top of the transport layer protocol SSH-TRANS. When SSH-USERAUTH starts, it receives the session identifier from the lower-layer protocol (the exchange hash H from the first key exchange). This session identifier uniquely identifies the session and is suitable for signing to prove ownership of a private key. SSH-USERAUTH also needs to know whether the lower-layer protocol provides confidentiality protection.
Connection Protocol [SSH-CONNECT]
Multiplexes the encrypted tunnel into several logical channels. It runs on top of the user authentication protocol and provides interactive login sessions, remote command execution, and forwarding of TCP/IP and X11 connections.
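To make concrete how the session identifier proves ownership of the private key (the second authentication level above, and the SSH-USERAUTH description here), the following Python is an added example, not code from the article or from any SSH implementation. It encodes the SSH_MSG_USERAUTH_REQUEST for the publickey method as RFC 4252 section 7 lays it out, builds the data the client signs (the session identifier followed by the request fields), and verifies the request on the server side. The session identifier, user name and key are constructed; a textbook RSA key built from two Mersenne primes stands in for a real ssh-ed25519 or rsa-sha2-256 key so the block runs on the standard library alone, and it is not secure.

```python
import hashlib
import struct

SSH_MSG_USERAUTH_REQUEST = 50  # RFC 4252, section 7


def ssh_string(data: bytes) -> bytes:
    """RFC 4251 'string': 4-byte big-endian length, then the bytes."""
    return struct.pack(">I", len(data)) + data


def mpint(x: int) -> bytes:
    """RFC 4251 'mpint' for a non-negative integer (extra zero byte keeps the sign bit clear)."""
    return ssh_string(x.to_bytes((x.bit_length() + 8) // 8, "big"))


def read_string(buf: bytes, off: int):
    """Decode one string at 'off'; returns (value, next_offset) and refuses truncated input."""
    if off + 4 > len(buf):
        raise ValueError("truncated length field")
    (n,) = struct.unpack_from(">I", buf, off)
    if off + 4 + n > len(buf):
        raise ValueError("string runs past end of packet")
    return buf[off + 4:off + 4 + n], off + 4 + n


# Toy RSA key from two Mersenne primes so the block runs on the standard library alone.
# Textbook RSA with a 150-bit modulus and no padding is NOT secure; it only stands in
# for the real signature algorithm (ssh-ed25519, rsa-sha2-256, ...).
P, Q = 2**61 - 1, 2**89 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))
PUBKEY_BLOB = ssh_string(b"ssh-rsa") + mpint(E) + mpint(N)  # what the server stores as authorized


def toy_sign(data: bytes, d: int, n: int) -> bytes:
    h = int.from_bytes(hashlib.sha256(data).digest(), "big") % n
    return pow(h, d, n).to_bytes((n.bit_length() + 7) // 8, "big")


def toy_verify(data: bytes, sig: bytes, e: int, n: int) -> bool:
    h = int.from_bytes(hashlib.sha256(data).digest(), "big") % n
    return pow(int.from_bytes(sig, "big"), e, n) == h


def request_fields(user: str, algo: str, pubkey_blob: bytes) -> bytes:
    """SSH_MSG_USERAUTH_REQUEST, method 'publickey', everything except the signature field."""
    return (bytes([SSH_MSG_USERAUTH_REQUEST]) + ssh_string(user.encode())
            + ssh_string(b"ssh-connection") + ssh_string(b"publickey")
            + b"\x01"  # boolean TRUE: a signature follows
            + ssh_string(algo.encode()) + ssh_string(pubkey_blob))


def data_to_sign(session_id: bytes, fields: bytes) -> bytes:
    """The client signs the session identifier (exchange hash H) followed by the request
    fields, so the signature is bound to this connection and cannot be relayed into another."""
    return ssh_string(session_id) + fields


def build_request(session_id: bytes, user: str, algo: str, pubkey_blob: bytes, d: int, n: int) -> bytes:
    fields = request_fields(user, algo, pubkey_blob)
    sig = toy_sign(data_to_sign(session_id, fields), d, n)
    # The signature field is a string holding: string algo, string signature bytes.
    return fields + ssh_string(ssh_string(algo.encode()) + ssh_string(sig))


def parse_request(packet: bytes) -> dict:
    if not packet or packet[0] != SSH_MSG_USERAUTH_REQUEST:
        raise ValueError("not a USERAUTH_REQUEST")
    off = 1
    user, off = read_string(packet, off)
    service, off = read_string(packet, off)
    method, off = read_string(packet, off)
    if method != b"publickey" or off >= len(packet):
        raise ValueError("unexpected method or truncated packet")
    has_sig, off = packet[off] == 1, off + 1
    algo, off = read_string(packet, off)
    pubkey, off = read_string(packet, off)
    sig_start, sig_blob = off, None
    if has_sig:
        sig_blob, off = read_string(packet, off)
    if off != len(packet):
        raise ValueError("trailing bytes after request")
    return {"user": user.decode(), "service": service.decode(), "algo": algo.decode(),
            "pubkey": pubkey, "fields": packet[:sig_start], "sig_blob": sig_blob}


def server_verify(packet: bytes, session_id: bytes, authorized_blob: bytes, e: int, n: int) -> bool:
    """Server side: accept only a signature by the authorized key over *this* session's identifier."""
    req = parse_request(packet)
    if req["sig_blob"] is None or req["pubkey"] != authorized_blob:
        return False
    sig_algo, off = read_string(req["sig_blob"], 0)
    sig, off = read_string(req["sig_blob"], off)
    if sig_algo.decode() != req["algo"] or off != len(req["sig_blob"]):
        return False
    return toy_verify(data_to_sign(session_id, req["fields"]), sig, e, n)


if __name__ == "__main__":
    sid = bytes(range(32))  # constructed: stands in for the exchange hash H of this connection
    pkt = build_request(sid, "alice", "ssh-rsa", PUBKEY_BLOB, D, N)
    print("legitimate session:", server_verify(pkt, sid, PUBKEY_BLOB, E, N))
    print("relayed into another session:", server_verify(pkt, bytes(32), PUBKEY_BLOB, E, N))
```

The second check is the one that matters for the "middleman": the identical packet, with user, key and signature bytes untouched, no longer verifies once the server's session identifier differs, which is exactly the situation of an attacker trying to reuse a captured authentication on his own connection to the real server.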

Source: www.cnblogs.com/zwyzwy/p/11915248.html