SSH is a security protocol that operates at the application layer. It is comparatively reliable and is designed to provide a secure channel for remote login sessions and other network services.
Listens on port 22
Establishing an SSH connection
Stage 1: protocol version negotiation
Carried out in cleartext
Stage 2: algorithm negotiation
Each side sends its list of public key algorithms, list of encryption algorithms, list of message authentication code (MAC) algorithms, and list of compression algorithms
Stage 3: authentication
On the first SSH connection to a server, the server sends its public key to the client
The client saves it in ~/.ssh/known_hosts
Method 1: password login
The client encrypts the password with the server's public key and sends it to the server; the server decrypts it with its private key
Method 2: public key authentication login
Copy the client's public key into the server's ~/.ssh/authorized_keys file
Principle
The server encrypts a 256-bit random string with the client's public key
After receiving it, the client decrypts the string with its private key, concatenates it with the session-id, applies the MD5 hash function, and returns the hash value to the server
The server performs the same MD5 hash computation; if its value matches the client's, authentication succeeds and login is allowed
Man-in-the-middle attack
If an attacker inserts themselves between the user and the remote host (for example on public Wi-Fi) and presents a forged public key, they can obtain the user's login password, then use that password to log in to the remote host themselves, and SSH's security mechanism is hollowed out. This risk is the man-in-the-middle attack
Although SSH cannot prevent man-in-the-middle attacks in principle, the first SSH connection downloads the server's public key and displays its fingerprint, so the user can check whether the fingerprint shown matches the fingerprint generated on the server
On later visits to the same host, the client checks whether the public key sent by the server matches the one saved locally; if it does not, it issues a warning and refuses to connect, which guards against a man in the middle
Conclusion: if there was no man in the middle on the first connection, there is no need to worry about a man in the middle on later connections
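The trust-on-first-use check described above, as an added example that is not part of the original notes: a parser for known_hosts lines, an OpenSSH-style SHA256 fingerprint, and the compare-or-refuse decision. The host names and key blobs are constructed placeholders, not real keys.

```python
import base64
import hashlib

# Constructed sample key blobs for the demo; these are arbitrary bytes, not real SSH keys.
SERVER_KEY = base64.b64encode(b"constructed genuine host key blob").decode()
FORGED_KEY = base64.b64encode(b"constructed forged host key blob").decode()


def fingerprint(key_b64: str) -> str:
    """OpenSSH-style fingerprint: SHA-256 over the decoded key blob, base64 without '=' padding."""
    digest = hashlib.sha256(base64.b64decode(key_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_known_hosts(text: str) -> dict:
    """Map host -> (key type, base64 key) from known_hosts lines of the form 'host type key [comment]'."""
    entries = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0].startswith("#"):
            continue  # skip blank and comment lines
        entries[parts[0]] = (parts[1], parts[2])
    return entries


def check_host_key(known: dict, host: str, key_type: str, key_b64: str) -> str:
    """Trust on first use: record the key on first contact, demand an exact match afterwards."""
    saved = known.get(host)
    if saved is None:
        # First connection: store the key and show the fingerprint for the user to verify out of band.
        known[host] = (key_type, key_b64)
        return "first-connection " + fingerprint(key_b64)
    if saved == (key_type, key_b64):
        return "ok"
    # The key differs from the saved one: OpenSSH warns and refuses, since a man in the middle could be presenting it.
    return "mismatch"


# Constructed known_hosts content: one host already trusted from an earlier session.
KNOWN_HOSTS_TEXT = "# constructed known_hosts\nexample.test ssh-ed25519 " + SERVER_KEY + "\n"


def demo() -> dict:
    known = parse_known_hosts(KNOWN_HOSTS_TEXT)
    return {
        "genuine": check_host_key(known, "example.test", "ssh-ed25519", SERVER_KEY),
        "forged": check_host_key(known, "example.test", "ssh-ed25519", FORGED_KEY),
        "new_host": check_host_key(known, "new.test", "ssh-ed25519", SERVER_KEY),
    }
```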
OpenSSH
Service name: sshd
Server main program: /usr/sbin/sshd
Client main program: /usr/bin/ssh
Server configuration file: /etc/ssh/sshd_config