Table of Contents
1. SSH protocol
   1. SSH protocol
   2. Working process of the SSH protocol
      (1) The first stage: TCP three-way handshake and version negotiation stage
      (2) The second stage: algorithm negotiation and determination of the symmetric key stage
      (3) The third stage: authentication stage
      (4) The fourth stage: session request stage
      (5) The fifth stage: interactive session stage
2. Achieve mutual password-free login between two Linux hosts
   1. Ensure the SSH service is deployed and started on both hosts, and turn off the firewall on both hosts.
   2. Generate the public key on the client and send it to the server with ssh-copy-id; host 131 then logs in to host 133 without a password.
   3. Use host 133 as the client and host 131 as the server and repeat step 2 to realize mutual password-free login between the two Linux hosts.
1. ssh protocol
1.SSH protocol
SSH (Secure Shell) encrypts data packets before they are handed to the network for transmission. The SSH protocol itself provides two server functions: one is a telnet-like server for remote login with a shell; the other is sftp-server, an ftp-like service that provides a more secure file transfer.
2. Working process of SSH protocol
(1) The first stage: TCP three-way handshake and version negotiation stage:
There are currently two versions, SSH1 and SSH2, and the two parties determine which version to use through version negotiation. The server has the ssh service enabled by default, listens on port 22, and waits for a client to connect. The server sends the first message to the client, telling it the ssh version and software information it uses; the client takes the server's ssh version from that message and checks whether it supports it, and if so, this version is used.
(2) The second stage: algorithm negotiation and determination of the symmetric key stage
SSH supports multiple encryption algorithms. Both parties negotiate the final algorithm based on the algorithms supported by the local end and the peer end:
Symmetric encryption: the same key is used for both encryption and decryption
Advantages: a single key makes encryption efficient (fast)
Defect: the security of key distribution (the key itself cannot be sent over the network)
Application: transmitting data (bidirectional data transfer)
Asymmetric encryption: generates a key pair: the public key encrypts, the private key decrypts (the private key is never transmitted over the network)
Defect: the security of the public key when a client accesses a server (suppose the data is intercepted by an attacker: the attacker sends his own public key to the client, the client encrypts the data with the attacker's public key, and the attacker decrypts it with his own private key, obtaining the private information the user transmitted (user name and password) and going on to log in to the server); transmission is slow (low efficiency)
Advantages: higher security
Application: the one-way authentication stage (establishing a secure connection that protects the subsequent symmetric encryption key)
(3) The third stage: authentication stage:
The SSH client initiates an authentication request to the server, and the server authenticates the client.
(1) Password-based authentication: when the client connects to the server with the SSH protocol, the client's public key information is stored on the server. The next time the client logs in, the server looks for the user's public key; if it is not found, no key verification is performed and the client simply enters the password.
(2) Public key-based authentication:
1. The Client stores its public key on the Server by appending it to the file authorized_keys.
2. After the Server receives the Client's connection request, it looks up the Client's pubKey in authorized_keys, generates a random number R, encrypts it with the Client's public key to obtain pubKey(R), and sends the encrypted value to the Client.
3. The Client decrypts R with its private key, uses MD5 to generate a digest Digest1 from R and the SessionKey of this session, and sends it to the Server.
4. The Server uses the same digest algorithm on R and the SessionKey to generate Digest2.
5. The Server compares Digest1 and Digest2; if they are identical, the authentication process is complete.
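The five steps above as a runnable simulation, added here as an example and not code from the original post or from OpenSSH. It uses a toy RSA key pair built from constructed 32-bit primes (far too small for real keys; they only keep the numbers readable), MD5 over R and the SessionKey exactly as the description states, and a constant-time comparison on the server side so that Digest1 and Digest2 cannot be compared byte by byte. The second run uses an impostor's private key and shows the server rejecting the response because R was not recovered correctly. The function and variable names are all assumptions of this example.

```python
import hashlib
import hmac
import secrets

# Constructed toy RSA primes for illustration only; never use keys this small.
CLIENT_PRIMES = (4294967291, 4294967279)    # 2^32 - 5, 2^32 - 17
IMPOSTOR_PRIMES = (2147483647, 2147483629)  # 2^31 - 1, 2^31 - 19


def make_toy_keypair(p, q, e=65537):
    """Textbook RSA: public key (n, e), private key (n, d)."""
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))  # modular inverse (Python 3.8+)
    return (n, e), (n, d)


def digest(r, session_key):
    """Steps 3 and 4: MD5 over R and the SessionKey, as the text describes."""
    return hashlib.md5(r.to_bytes(8, "big") + session_key).hexdigest()


def server_challenge(client_pub, r=None):
    """Step 2: the server picks a random R and returns (R, pubKey(R))."""
    n, e = client_pub
    if r is None:
        r = secrets.randbelow(n - 2) + 1
    return r, pow(r, e, n)


def client_response(client_priv, pub_r, session_key):
    """Step 3: the client recovers R with its private key and builds Digest1."""
    n, d = client_priv
    r = pow(pub_r, d, n)
    return digest(r, session_key)


def server_verify(r, session_key, digest1):
    """Steps 4 and 5: recompute Digest2 and compare in constant time."""
    digest2 = digest(r, session_key)
    return hmac.compare_digest(digest1, digest2)


def run_authentication(client_pub, responder_priv, session_key, r=None):
    """Drive one challenge/response round; True means the server accepts."""
    r, pub_r = server_challenge(client_pub, r)
    digest1 = client_response(responder_priv, pub_r, session_key)
    return server_verify(r, session_key, digest1)


if __name__ == "__main__":
    pub, priv = make_toy_keypair(*CLIENT_PRIMES)
    _, impostor_priv = make_toy_keypair(*IMPOSTOR_PRIMES)
    session_key = b"constructed-session-key"  # constructed sample value
    print("genuine client accepted:", run_authentication(pub, priv, session_key))
    print("impostor accepted:", run_authentication(pub, impostor_priv, session_key))
```

Only the holder of the private key matching the pubKey stored in authorized_keys can turn pubKey(R) back into R, so the impostor's Digest1 never matches Digest2; the private key itself never leaves the client, which is the point of the design described above.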
(4) The fourth stage: session request stage:
After passing the authentication, the client sends a session request to the server to establish a new connection.
(5) The fifth stage: interactive conversation stage:
After the session request passes, the server and client exchange information.
2. Achieve mutual password-free login between two Linux hosts
1. First, make sure the SSH service is deployed on both hosts; if it is not, install openssh. After the installation is complete, make sure the ssh-related services are started, and turn off the firewall on both hosts.
rpm -qa | grep ssh                      # check whether ssh-related packages are installed on the host
yum install openssh -y                  # install ssh
ps aux | grep sshd                      # check whether the ssh-related services are started
systemctl stop firewalld                # stop the firewall
systemctl disable firewalld             # permanently disable the firewall
2. Generate the public key on the client and send it to the server with the ssh-copy-id command. The client's public key is stored in /root/.ssh on the server, as shown in the figure below. Now the public key of client 131 is in /root/.ssh on host 133, and host 131 logs in to host 133 without a password.
Client:
ssh-keygen -t rsa                       # generate the key pair used for public key login
ssh-copy-id username@ip_address         # send the public key to the server
ssh username@ip_address                 # log in with ssh
Server:
ll /root/.ssh                           # check whether the client's public key has arrived
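What ssh-copy-id does on the server side of step 2, written out as an added example (not code from the original post or from OpenSSH): it creates the user's .ssh directory, appends the public key to authorized_keys unless the same key is already there, and forces the permissions that sshd expects (0700 on .ssh, 0600 on authorized_keys). The check function reports anything looser than that, which is the usual reason a freshly copied key still prompts for a password. The key string, the temporary home directory and all function names are constructed assumptions of this example.

```python
import os
import stat
import tempfile
from pathlib import Path

# Constructed sample public key line; the base64 blob is not a real key.
SAMPLE_KEY = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCconstructedEXAMPLEkey root@host131"


def install_authorized_key(home_dir, pubkey_line):
    """Append pubkey_line to <home_dir>/.ssh/authorized_keys unless a line with
    the same key type and key blob is already present; fix directory and file
    modes either way. Returns True when a new line was added."""
    ssh_dir = Path(home_dir) / ".ssh"
    ssh_dir.mkdir(mode=0o700, exist_ok=True)
    os.chmod(ssh_dir, 0o700)  # mkdir's mode is subject to umask, so set it explicitly
    auth_file = ssh_dir / "authorized_keys"
    key = pubkey_line.strip()
    wanted = key.split()[:2]  # compare type and blob only; the comment may differ
    existing = auth_file.read_text().splitlines() if auth_file.exists() else []
    already_there = any(
        line.split()[:2] == wanted
        for line in existing
        if line.strip() and not line.lstrip().startswith("#")
    )
    if not already_there:
        with auth_file.open("a") as fh:
            fh.write(key + "\n")
    os.chmod(auth_file, 0o600)
    return not already_there


def check_permissions(home_dir):
    """Return a list of problems: missing paths, or any permission bits beyond
    0700 on .ssh and 0600 on authorized_keys."""
    problems = []
    ssh_dir = Path(home_dir) / ".ssh"
    checks = ((ssh_dir, 0o700), (ssh_dir / "authorized_keys", 0o600))
    for path, allowed in checks:
        if not path.exists():
            problems.append(f"{path} is missing")
            continue
        mode = stat.S_IMODE(path.stat().st_mode)
        if mode & ~allowed:
            problems.append(f"{path} has mode {mode:o}, expected at most {allowed:o}")
    return problems


def demo():
    """Run the whole flow in a throwaway home directory and return
    (added_first_time, added_second_time, problems_after)."""
    home = tempfile.mkdtemp(prefix="home131-")
    first = install_authorized_key(home, SAMPLE_KEY)
    second = install_authorized_key(home, SAMPLE_KEY)  # same key again: no duplicate line
    return first, second, check_permissions(home)


if __name__ == "__main__":
    print(demo())  # expected: (True, False, [])
```

Running the script on the server with the real home directory and the content of the client's id_rsa.pub reproduces the result of ssh-copy-id; running check_permissions alone is a quick way to verify the "ll /root/.ssh" step before trying the login.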