SSH remote login service
2022-07-19 06:52:00 【Everything is lovely 33】
Catalog
1. Introduction to ssh
2. Check whether the ssh service started successfully
3. ssh security mechanism
4. ssh login with public-key encryption
5. Principle of ssh login verification
1. Introduction to ssh
SSH (Secure Shell) is a protocol that provides remote login in a secure way: a remote host can reach the sshd service over the network, start a secure shell and operate the machine through it (for example to learn Linux).
SSHD (Secure Shell Daemon) is the service that opens a shell on the host over the network; the d stands for daemon, meaning a background process.
It is designed for remote login sessions (it can even be used to log in to a Linux server from Windows and transfer files in both directions) and other network services, and it can effectively make up for security weaknesses in the network. The ssh protocol is an application-layer protocol, and the ssh service is also a service that encrypts the data it transmits.
The ssh service provides clients with a secure shell environment for remote administration. The default port number of ssh is 22.
The ssh service mainly runs on HP-UX, Linux, AIX and UNIX systems, but not on Windows.
The ssh service lets a user execute any command on the remote machine and shows the standard output locally (equivalent to using xshell to connect to your VMware virtual machine: any command you type in xshell is really executed inside VMware, but the result is displayed in the xshell window).
The early plaintext remote login protocol was telnet (because it is plaintext it is not secure enough and is being phased out).
2. Check whether the ssh service started successfully
1. Use the ps command to view the process information (if an ssh process is listed, the service has started successfully)
[[email protected] ~]# ps -ef|grep ssh
root 6996 1 0 5 month 30 ? 00:00:00 /usr/sbin/sshd -D
root 9384 6996 0 03:24 ? 00:00:00 sshd: [email protected]/1
root 10158 6996 0 06:57 ? 00:00:00 sshd: [email protected]/0
root 10257 6996 0 08:54 ? 00:00:00 sshd: [email protected]/2
root 10275 10259 0 08:54 pts/2 00:00:00 grep --color=auto ssh
[[email protected] ~]# ps aux|grep ssh
root 6996 0.0 0.4 112872 4364 ? Ss 5 month 30 0:00 /usr/sbin/sshd -D
root 9384 0.0 0.6 161480 6084 ? Ss 03:24 0:00 sshd: [email protected]/1
root 10158 0.0 0.7 162656 7320 ? Ss 06:57 0:00 sshd: [email protected]/0
root 10257 0.2 0.6 161476 6216 ? Ss 08:54 0:00 sshd: [email protected]/2
root 10277 0.0 0.0 112824 988 pts/2 R+ 08:55 0:00 grep --color=auto ssh
2. Use pidof <process name> to check whether the process exists
[[email protected] ~]# pidof sshd
10257 10158 9384 6996
3. Use netstat to view the port status (the ssh service uses port 22)
[[email protected] ~]# netstat -anplut|grep ssh
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 6996/sshd
tcp 0 0 192.168.0.43:22 192.168.0.3:49174 ESTABLISHED 10257/sshd: [email protected]
tcp 0 0 192.168.0.43:22 192.168.0.3:52753 ESTABLISHED 10158/sshd: [email protected]
tcp 0 0 192.168.0.43:22 192.168.0.99:62588 ESTABLISHED 9384/sshd: [email protected]
tcp6 0 0 :::22 :::* LISTEN 6996/sshd
[[email protected] ~]# netstat -anplut|grep 22
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 6996/sshd
tcp 0 0 192.168.0.43:22 192.168.0.3:49174 ESTABLISHED 10257/sshd: [email protected]
tcp 0 0 192.168.0.43:22 192.168.0.3:52753 ESTABLISHED 10158/sshd: [email protected]
tcp 0 0 192.168.0.43:22 192.168.0.99:62588 ESTABLISHED 9384/sshd: [email protected]
tcp6 0 0 :::22 :::* LISTEN 6996/sshd
# 0.0.0.0:22 means sshd is listening on port 22 on all IP addresses of this machine
# 0.0.0.0:* means a client with any IP address and any source port is allowed to connect
4. Use the lsof command to view the port status
[[email protected] ~]# lsof -i:22
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
sshd 6996 root 3u IPv4 39093 0t0 TCP *:ssh (LISTEN)
sshd 6996 root 4u IPv6 39095 0t0 TCP *:ssh (LISTEN)
sshd 9384 root 3u IPv4 95885 0t0 TCP www.huang.com:ssh->192.168.0.99:62588 (ESTABLISHED)
sshd 10158 root 3u IPv4 122768 0t0 TCP www.huang.com:ssh->192.168.0.3:52753 (ESTABLISHED)
sshd 10257 root 3u IPv4 134869 0t0 TCP www.huang.com:ssh->192.168.0.3:49174 (ESTABLISHED)
5. Use the ss command to view the port status
[[email protected] ~]# ss -anplut|grep ssh
tcp LISTEN 0 128 *:22 *:* users:(("sshd",pid=6996,fd=3))
tcp LISTEN 0 128 :::22 :::* users:(("sshd",pid=6996,fd=4))
[[email protected] ~]# ss -anplut|grep 22
tcp LISTEN 0 128 *:22 *:* users:(("sshd",pid=6996,fd=3))
tcp LISTEN 0 128 :::22 :::* users:(("sshd",pid=6996,fd=4))
3. ssh security mechanism
SSH is a security protocol designed for remote login sessions and other network services. To manage a Linux system remotely with the SSH protocol you need to configure the sshd service program. sshd is a remote management service built on the SSH protocol, and it provides two methods of security verification:
Password-based authentication: log in with an account and password (password login)
Key-based authentication: generate a key pair locally, upload the public key from the pair to the server, and the server compares it with the public key it has stored. This method is safer (passwordless login)
ssh has two main ways of encrypting data:
- Symmetric encryption (also known as secret-key encryption)
  - The same key is used for both encryption and decryption. How can this key be stored safely, and how can it be shared in advance with every machine that needs to encrypt?
  - Therefore symmetric encryption on its own is not secure: it is hard to guarantee that this key is not leaked
- Asymmetric encryption (also known as public-key encryption)
  - Generate a pair of keys: keep one yourself and give the other away. Which one is the private key depends only on which one the administrator keeps: the key you keep is called the private key, the key you give to others is called the public key
  - Public and private keys exist as a pair: one encrypts, the other decrypts
  - If the public key encrypts and the private key decrypts, this is generally used for data encryption
  - If the private key encrypts and the public key decrypts, this is generally used for authentication
The schematic diagram of asymmetric encryption (data encryption process) is as follows:
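The two uses of a key pair listed above (public key encrypts and private key decrypts for confidentiality; private key signs and public key verifies for authentication), run with the OpenSSL command line. This is an added example, not code from the original post; it assumes the openssl CLI is installed, and its function and file names are its own.

```shell
#!/bin/sh
# Added example (not from the original post): the two uses of a key pair
# described above, run with the OpenSSL CLI. Assumes openssl is installed;
# file names are arbitrary and live in a temporary directory.
set -e

# Create an RSA key pair: key.pem is the private key you keep,
# pub.pem is the public key you hand out.
make_keypair() {                       # $1 = work directory
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$1/key.pem" 2>/dev/null
    openssl pkey -in "$1/key.pem" -pubout -out "$1/pub.pem"
}

# Data encryption: anyone holding the public key can encrypt, only the
# private key holder can decrypt. Prints the decrypted text.
encrypt_then_decrypt() {               # $1 = work directory, $2 = message
    printf '%s' "$2" > "$1/msg"
    openssl pkeyutl -encrypt -pubin -inkey "$1/pub.pem" \
        -in "$1/msg" -out "$1/msg.enc"
    openssl pkeyutl -decrypt -inkey "$1/key.pem" \
        -in "$1/msg.enc" -out "$1/msg.dec"
    cat "$1/msg.dec"
}

# Authentication: only the private key holder can produce the signature,
# anyone holding the public key can verify it. Returns 0 when the signature
# made over $2 is valid for the message $3, 1 otherwise.
sign_then_verify() {                   # $1 = work dir, $2 = signed, $3 = presented
    printf '%s' "$2" > "$1/signed"
    printf '%s' "$3" > "$1/presented"
    openssl dgst -sha256 -sign "$1/key.pem" -out "$1/sig" "$1/signed"
    openssl dgst -sha256 -verify "$1/pub.pem" -signature "$1/sig" \
        "$1/presented" >/dev/null 2>&1
}

demo() {
    dir=$(mktemp -d)
    make_keypair "$dir"
    echo "decrypted: $(encrypt_then_decrypt "$dir" 'hello from client')"
    if sign_then_verify "$dir" 'login request' 'login request'; then
        echo "signature over the unmodified message: valid"
    fi
    if ! sign_then_verify "$dir" 'login request' 'login request (tampered)'; then
        echo "signature over a tampered message: rejected"
    fi
    rm -rf "$dir"
}

# Run the demonstration only when invoked as: sh asymmetric_demo.sh demo
case "${1:-}" in demo) demo ;; esac
```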
4. ssh login with public-key encryption
ssh public key authentication (passwordless login) can be set up between two different machines or between different accounts on the same machine.
4.1 Implementation steps
A --> B
1. Generate a key pair on machine A (if a key pair already exists there is no need to regenerate it). By default it is placed under .ssh/ in the current user's home directory, producing id_rsa (private key) and id_rsa.pub (public key)
[[email protected] ~]# ssh-keygen # generate the key pair; keep pressing Enter to accept the defaults
2. On machine B, paste machine A's public key into ~/.ssh/authorized_keys under the target user's home directory. Create the file if it does not exist, and make sure its permissions are set to 600
3. Check whether public key authentication succeeded
On machine A run ssh <user>@<IP of machine B>
If you can log in to machine B without entering a password, passwordless login has succeeded
######## Public key authentication debugging ##############
1. Make sure the public key is correct
2. Make sure ~/.ssh/authorized_keys has permissions 600
3. Make sure the home directory and the .ssh directory have permissions 755 or stricter, that is, group and others must not have permission 7 (no write access)
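Step 2 and the three debugging points above as shell functions, added here as an example rather than taken from the original post: install_pubkey does what step 2 describes, and check_pubkey_setup verifies the key and the permissions the debugging list asks for. The function names and the home-directory argument are this example's own assumptions, and it uses GNU stat.

```shell
#!/bin/sh
# Added example (not from the original post): step 2 and the debugging
# checklist above as shell functions. $1 is the target user's home
# directory on machine B, $2 the id_rsa.pub copied from machine A.
# Uses GNU stat (-c); on BSD/macOS replace it with stat -f '%Lp'.
set -e

# Step 2: append the public key to $home/.ssh/authorized_keys, creating the
# directory and file if they are missing, without adding duplicate lines,
# and leave authorized_keys with mode 600 as the post requires.
install_pubkey() {                     # $1 = home, $2 = public key file
    mkdir -p "$1/.ssh"
    chmod 700 "$1/.ssh"
    touch "$1/.ssh/authorized_keys"
    key=$(cat "$2")
    grep -qxF -- "$key" "$1/.ssh/authorized_keys" \
        || printf '%s\n' "$key" >> "$1/.ssh/authorized_keys"
    chmod 600 "$1/.ssh/authorized_keys"
}

# Octal permission bits of a path, e.g. 755.
mode_of() { stat -c '%a' "$1"; }

# Debugging points 1-3: the key is present, authorized_keys is 600, and
# neither the home directory nor .ssh is writable by group or others
# (with the default StrictModes, sshd refuses the key file otherwise).
# Returns 0 if all checks pass, 1 with a reason otherwise.
check_pubkey_setup() {                 # $1 = home, $2 = public key file
    ak="$1/.ssh/authorized_keys"
    if ! grep -qxF -- "$(cat "$2")" "$ak" 2>/dev/null; then
        echo "FAIL: public key not found in $ak"; return 1
    fi
    if [ "$(mode_of "$ak")" != 600 ]; then
        echo "FAIL: $ak mode is $(mode_of "$ak"), expected 600"; return 1
    fi
    for d in "$1" "$1/.ssh"; do
        m=$(mode_of "$d")
        # the write bit (2) in the group digit and in the others digit
        gw=$(( (m / 10 % 10) & 2 )); ow=$(( (m % 10) & 2 ))
        if [ "$gw" -ne 0 ] || [ "$ow" -ne 0 ]; then
            echo "FAIL: $d mode is $m; group and others must not have write"; return 1
        fi
    done
    echo "OK: public key authentication setup looks correct"
}
```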
4.2 Practice demonstration
1. Generate a key pair on Linux machine A with the ssh-keygen command
[[email protected] ~]# ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa): # path where the keys are stored; just accept the default
/root/.ssh/id_rsa already exists.
Overwrite (y/n)? y # I had generated one before, so overwrite it now
Enter passphrase (empty for no passphrase): # whether to protect the key pair with a passphrase; I did not think it necessary, so I pressed Enter without one
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:l+fh7mbTjslYck6jpiGBl6mOxavaK+7vYrAZWGO2eC4 [email protected]
The key's randomart image is:
+---[RSA 2048]----+
| |
| |
| |
| = . o . |
|.= o. = S o o |
|= o. o . . + . |
|.* + . . . B. |
|E+.+ . . [email protected]++. |
|=*O=o .oo+Bo. |
+----[SHA256]-----+
[[email protected] ~]#
2. View the public key generated on machine A (stored in ~/.ssh/id_rsa.pub)
[[email protected] ~]# cd .ssh
[[email protected] .ssh]# ls
authorized_keys id_rsa id_rsa.pub known_hosts
[[email protected] .ssh]# cat id_rsa.pub
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC8K7izJ0akb3tOOPdT5BRFTBN5xdoREg0cH40OzdNF3a8msQUbaZ6kNo7FbQijfEcDa87gvG+3QU6lPi7ok9xqjINrxg/3XGD4bUV4IXygXb+MoOJy69SjV6fd5FFuZNq5M2NK7OSx64Ut+2jKci689Hh2VQzGQkdOaOF4vOdMgkxDjr7UEWA8bcgiJjlv6XfqLbgHT6iZ2aG5sFWDdnegR8EqI0TjVyFC+9kO67E8qU+SwQCcMJ+srf6MSYWxU4JQkBBrYpMkIRmX80NM2WvSoNI13VHE8wKJeSnrOqpA9GwzxBgr06mhn4zsrpuetvGm63DHfo7Edh4B1Mn5cpKX [email protected]
[[email protected] .ssh]# pwd
/root/.ssh
3. On machine B, add the public key generated on machine A to ~/.ssh/authorized_keys and adjust the permissions (.ssh directory 755, authorized_keys file 600)
[[email protected] .ssh]# su - sc
Last login: Tue May 31 09:57:54 CST 2022 from 192.168.0.43 on pts/1
[[email protected] ~]$ ls -al
total 20
drwx------. 3 sc sc 111 5 month 31 16:57 .
drwxr-xr-x. 5 root root 44 5 month 31 09:52 ..
-rw-------. 1 sc sc 139 5 month 31 16:57 .bash_history
-rw-r--r--. 1 sc sc 18 10 month 31 2018 .bash_logout
-rw-r--r--. 1 sc sc 193 10 month 31 2018 .bash_profile
-rw-r--r--. 1 sc sc 231 10 month 31 2018 .bashrc
drwxr-xr-x. 2 sc sc 29 5 month 31 09:56 .ssh
-rw-------. 1 sc sc 672 5 month 31 09:56 .viminfo
[[email protected] ~]$ cd .ssh
[[email protected] .ssh]$ vim authorized_keys
[[email protected] .ssh]$ chmod 600 authorized_keys
[[email protected] .ssh]$
4. On machine A, use ssh to connect to machine B; no password is needed (you can connect to whichever account on machine B you added A's public key to; here I added it to the sc account on B)
[[email protected] .ssh]# ip a # view machine A's IP address
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
link/ether 00:0c:29:7b:fb:12 brd ff:ff:ff:ff:ff:ff
inet 192.168.0.43/24 brd 192.168.0.255 scope global noprefixroute dynamic ens33
valid_lft 84856sec preferred_lft 84856sec
inet 192.168.0.130/24 brd 192.168.0.255 scope global secondary noprefixroute ens33
valid_lft forever preferred_lft forever
inet6 fe80::3ecb:fb98:7235:d96d/64 scope link noprefixroute
valid_lft forever preferred_lft forever
3: ens37: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
link/ether 00:0c:29:7b:fb:1c brd ff:ff:ff:ff:ff:ff
inet 192.168.66.254/24 brd 192.168.66.255 scope global noprefixroute ens37
valid_lft forever preferred_lft forever
inet6 fe80::20c:29ff:fe7b:fb1c/64 scope link
valid_lft forever preferred_lft forever
[[email protected] .ssh]# ssh sc@192.168.0.11 # passwordless login to user sc on machine B
Last failed login: Wed Jun 1 19:48:38 CST 2022 from 192.168.0.43 on ssh:notty
There were 5 failed login attempts since the last successful login.
Last login: Wed Jun 1 19:45:12 2022
[[email protected] ~]$ ip a # view machine B's IP address
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
link/ether 00:0c:29:d5:52:4b brd ff:ff:ff:ff:ff:ff
inet 192.168.0.11/24 brd 192.168.0.255 scope global noprefixroute dynamic ens33
valid_lft 84959sec preferred_lft 84959sec
inet 192.168.66.1/24 brd 192.168.66.255 scope global noprefixroute ens33
valid_lft forever preferred_lft forever
inet6 fe80::985d:f102:2334:7e09/64 scope link noprefixroute
valid_lft forever preferred_lft forever
[[email protected] ~]$ exit # log out
Log out
Connection to 192.168.0.11 closed.
[[email protected] .ssh]# ^C
5. Use ssh -vvv to view the login details
When logging in, ssh looks by default for ~/.ssh/id_rsa in the home directory to authenticate, so try not to change the default path when generating the key. If you do change it, you need the -i option of the ssh command to specify the path of the private key file
[[email protected] .ssh]# ssh -vvv 192.168.0.35 wy ####### view the details of the login process
...
debug1: Trying private key: /home/sanchuang/.ssh/id_rsa
debug3: no such identity: /home/sanchuang/.ssh/id_rsa: No such file or directory
debug1: Trying private key: /home/sanchuang/.ssh/id_dsa
debug3: no such identity: /home/sanchuang/.ssh/id_dsa: No such file or directory
debug1: Trying private key: /home/sanchuang/.ssh/id_ecdsa
debug3: no such identity: /home/sanchuang/.ssh/id_ecdsa: No such file or directory
debug1: Trying private key: /home/sanchuang/.ssh/id_ed25519
debug3: no such identity: /home/sanchuang/.ssh/id_ed25519: No such file or directory
...
### By default ssh looks for ~/.ssh/id_rsa, then id_dsa and so on
4.3 ssh command parsing
ssh: command to log in
-l specify the login user name
-p specify the server port
-i specify the private key file; by default the private key is looked up under ~/.ssh/
-o followed by a specific setting option
# no need to type yes; the host key is saved automatically
ssh -o StrictHostKeyChecking=no 192.168.0.132 -p 223
[[email protected] .ssh]# ssh 192.168.0.35 -l wy -p 22 # specify the user and the port
Last login: Sat Nov 14 10:01:37 2020 from 192.168.0.132
[[email protected] ~]$ ssh 192.168.0.35 # no user name given: by default it logs in to machine B as a user with the same name as the current user on machine A, whether or not machine B has that user
[email protected]'s password:
[[email protected] .ssh]# ls
authorized_keys id_rsa id_rsa.pub known_hosts
[[email protected] .ssh]# rm -rf known_hosts
[[email protected] .ssh]# ssh 192.168.0.11 -l sc
The authenticity of host '192.168.0.11 (192.168.0.11)' can't be established.
ECDSA key fingerprint is SHA256:5Z0EPSwK2A0knQIfyFdynxekKIG2vttgi5eZeaD1YB0.
ECDSA key fingerprint is MD5:c8:15:ba:62:75:70:eb:54:90:11:91:2e:01:97:84:b8.
Are you sure you want to continue connecting (yes/no)? no # yes must be typed manually at every login; if you type no you can never log in, which is inconvenient when writing scripts that manage a large number of machines
Host key verification failed.
[[email protected] .ssh]# ssh 192.168.0.11 -l sc
The authenticity of host '192.168.0.11 (192.168.0.11)' can't be established.
ECDSA key fingerprint is SHA256:5Z0EPSwK2A0knQIfyFdynxekKIG2vttgi5eZeaD1YB0.
ECDSA key fingerprint is MD5:c8:15:ba:62:75:70:eb:54:90:11:91:2e:01:97:84:b8.
Are you sure you want to continue connecting (yes/no)? no
Host key verification failed.
[[email protected] .ssh]# ssh 192.168.0.11 -l sc
The authenticity of host '192.168.0.11 (192.168.0.11)' can't be established.
ECDSA key fingerprint is SHA256:5Z0EPSwK2A0knQIfyFdynxekKIG2vttgi5eZeaD1YB0.
ECDSA key fingerprint is MD5:c8:15:ba:62:75:70:eb:54:90:11:91:2e:01:97:84:b8.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.0.11' (ECDSA) to the list of known hosts.
Last login: Wed Jun 1 20:16:32 2022 from 192.168.0.43
[[email protected] ~]$ exit
Log out
Connection to 192.168.0.11 closed.
[[email protected] .ssh]#
[[email protected] .ssh]# ssh -o StrictHostKeyChecking=no 192.168.0.11 -l sc # -o sets a special option; there is no need to type yes manually any more, the host key is saved automatically
Last login: Wed Jun 1 20:17:42 2022 from 192.168.0.43
5. Principle of ssh login verification
5.1 Password login
The client sends a login request to the server; the server sends its public key to the client.
The client encrypts the password with this public key and sends it to the server
The server decrypts the login password with its private key and verifies it
The server returns the verification result to the client
### The key pairs used for password login belong to the ssh service itself and are stored in /etc/ssh. There are several pairs; they only differ in the encryption algorithm used
[[email protected] .ssh]# cd /etc/ssh
[[email protected] ssh]# ls
moduli ssh_host_ecdsa_key ssh_host_ed25519_key.pub
ssh_config ssh_host_ecdsa_key.pub ssh_host_rsa_key
sshd_config ssh_host_ed25519_key ssh_host_rsa_key.pub
[[email protected] ssh]# ls -al
total 616
drwxr-xr-x. 2 root root 225 3 month 21 14:52 .
drwxr-xr-x. 88 root root 8192 6 month 1 19:57 ..
-rw-r--r--. 1 root root 581843 4 month 11 2018 moduli
-rw-r--r--. 1 root root 2276 4 month 11 2018 ssh_config
-rw-------. 1 root root 3907 3 month 21 14:52 sshd_config
-rw-r-----. 1 root ssh_keys 227 12 month 31 15:57 ssh_host_ecdsa_key
-rw-r--r--. 1 root root 162 12 month 31 15:57 ssh_host_ecdsa_key.pub
-rw-r-----. 1 root ssh_keys 387 12 month 31 15:57 ssh_host_ed25519_key
-rw-r--r--. 1 root root 82 12 month 31 15:57 ssh_host_ed25519_key.pub
-rw-r-----. 1 root ssh_keys 1679 12 month 31 15:57 ssh_host_rsa_key
-rw-r--r--. 1 root root 382 12 month 31 15:57 ssh_host_rsa_key.pub
[[email protected] ssh]#
There is a problem with this process: how does the client make sure that the public key it received is really the target server's public key? (man-in-the-middle attack)
If an attacker intercepts the client's login request midway and sends its own public key to the client, the client encrypts its data with the attacker's public key; the attacker can then decrypt it with its own private key, and in this way steals the client's login information.
To solve this problem, the client performs a host key confirmation when it logs in to a server for the first time
[[email protected] .ssh]$ ssh 192.168.0.35
The authenticity of host '192.168.0.35 (192.168.0.35)' can't be established.
ECDSA key fingerprint is SHA256:6V02tsAzBmVJ7yEbppVkISnSEyvf+HFWbzDbIPwmG84.
ECDSA key fingerprint is MD5:6c:bd:a9:37:af:ba:f1:53:dd:c8:d2:d9:16:44:c9:9e.
Are you sure you want to continue connecting (yes/no)?
#### confirm the digest (fingerprint) of the server's host key. After you confirm, the server's public host key is saved in ~/.ssh/known_hosts; on every later connection the key in known_hosts is compared with the public key received from the server to check that they are consistent.
### Check the public key fingerprint: ssh-keygen -lf /etc/ssh/ssh_host_rsa_key.pub
### The server's public host keys are saved under the /etc/ssh/ directory; by default ssh_host_ecdsa_key.pub is used
[[email protected] ssh]# cd /etc/ssh
[[email protected] ssh]# ls
moduli sshd_config ssh_host_ecdsa_key.pub ssh_host_ed25519_key.pub ssh_host_rsa_key.pub
ssh_config ssh_host_ecdsa_key ssh_host_ed25519_key ssh_host_rsa_key
Password login diagram:

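The known_hosts comparison described above, written out as an added shell example (not from the original post) so that the three outcomes are explicit: trusted, unknown host (the yes/no prompt), and a changed key, which is the man-in-the-middle case. The function names are this example's own; it assumes a copy of the server's public host key file obtained out of band, and the sample entries in the test are constructed.

```shell
#!/bin/sh
# Added example (not from the original post): the known_hosts comparison the
# client makes, written out in shell. Arguments are the host name or IP being
# connected to, the client's ~/.ssh/known_hosts, and a copy of the server's
# public host key (e.g. /etc/ssh/ssh_host_ecdsa_key.pub) obtained out of band.
set -e

# Print "<type> <base64 blob>" for every plain known_hosts entry that names
# $host. A plain entry looks like "192.168.0.11 ecdsa-sha2-nistp256 AAAA...";
# its first field may list several names separated by commas. Hashed entries
# ("|1|...") and "@cert-authority"/"@revoked" markers are skipped here; use
# ssh-keygen -F <host> -f <file> for those.
known_keys_for_host() {                # $1 = host, $2 = known_hosts file
    awk -v h="$1" '
        !/^[[:space:]]*(#|$)/ && $1 !~ /^[|@]/ {
            n = split($1, names, ",")
            for (i = 1; i <= n; i++)
                if (names[i] == h) { print $2, $3; break }
        }' "$2"
}

# Compare the server's key with what the client recorded.
# Exit status: 0 = TRUSTED (match), 2 = UNKNOWN (the yes/no prompt case),
# 1 = CHANGED (a different key for a known host: reinstalled server or a
# man-in-the-middle; ssh refuses to connect in this case).
verify_host_key() {                    # $1 = host, $2 = known_hosts, $3 = server pubkey file
    server_key=$(awk 'NR == 1 {print $1, $2}' "$3")
    recorded=$(known_keys_for_host "$1" "$2")
    if [ -z "$recorded" ]; then
        echo "UNKNOWN: no entry for $1 in $2; ssh would ask you to confirm the fingerprint"
        return 2
    fi
    if printf '%s\n' "$recorded" | grep -qxF -- "$server_key"; then
        echo "TRUSTED: the recorded ${server_key%% *} key for $1 matches"
        return 0
    fi
    echo "CHANGED: $1 presents a key that differs from known_hosts; verify before connecting"
    return 1
}
```

With -o StrictHostKeyChecking=no, as used in section 4.3, ssh records unknown hosts without asking; StrictHostKeyChecking=accept-new (OpenSSH 7.6 and later) also skips the prompt for new hosts but still refuses a host whose key has changed.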
5.2 Public key authentication
The client generates a key pair and appends the public key to ~/.ssh/authorized_keys on the server
The client sends a login request; after receiving it, the server generates a random string and sends it to the client
The client encrypts the string with its own private key and sends it to the server.
After receiving the encrypted string, the server decrypts it with the public key and compares the decrypted string with the string it generated earlier.
The result is returned to the client
Public key (Public Key) and private key (Private Key)
Public and private keys are generated in pairs; the two keys are different, and each can decrypt what the other encrypts
One key cannot be derived from the other
The public key is open to everyone; the private key is known only to its holder
The private key must be kept safe by the key holder
According to their function, they are used for data encryption and for digital signatures
