Quick overview of SSH

The SSH protocol uses encryption to secure the connection between a client and a server. All user authentication, commands, output, and file transfers are encrypted to protect against attacks in the network.

Client-Server Model

  • The client needs an ssh program that sends the connection request
  • The server runs an ssh daemon that listens for ssh connection requests (default TCP port 22)

Public Key Cryptography

  • Each public key corresponds to one private key; what one of them encrypts, the other can decrypt
  • The public key encrypts data and verifies signatures
  • The private key decrypts data and produces signatures

Signature

A signature guarantees that the transmitted data

  • was not tampered with in transit
  • really was issued by the holder of the private key

The simplified flow is as follows

  1. Hash the data to be sent, then encrypt the hash with the private key to obtain the signature
  2. Send the signature together with the data
  3. On receipt, hash the received data with the same hash function to get a hash value
  4. Open the signature with the public key and compare the result with the hash value from step 3

Password Authentication

Used when the client's public key has not been added to the server's .ssh/authorized_keys

shellscript
ssh <username>@<remote_host>
# specify the port
ssh -p 2222 <username>@<remote_host>
Simplified exchange (the sequence diagram from the original page, rendered as steps):

  1. client → server: request ssh connection
  2. server → client: send server public key
  3. client: saving server public key to known_hosts file
  4. client: encrypt password using server public key
  5. client → server: encrypted password
  6. server: decrypt using server private key and authenticating
  7. server → client: connection established

Public Key Authentication

generating ssh keys

shellscript
ssh-keygen -t rsa
# hit enter to put the key files in the default place
# hit enter to give an empty passphrase
# hit enter again to confirm

add the public key to server machine

shellscript
mkdir -p ~/.ssh                   # create the directory if it does not exist yet
vi ~/.ssh/authorized_keys         # paste in the client public key (one key per line)
chmod 700 ~/.ssh                  # only the owner may enter the directory
chmod 600 ~/.ssh/authorized_keys  # only the owner may read or write the key list
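The chmod lines above matter because sshd, with its default StrictModes setting, ignores an authorized_keys file whose directory or file is writable by group or others, and the login silently falls back to password authentication. The following checker is an added example, not code from the original page: check_ssh_permissions() reports the deviations from the layout set up above, and make_fixture() builds a throwaway home directory (constructed test input, with a placeholder key line) so the check can be exercised offline.

```python
import os
import stat
import tempfile
from pathlib import Path


def check_ssh_permissions(home: str) -> list[str]:
    """Return a list of problems with <home>/.ssh; an empty list means the
    layout matches the setup steps above (700 directory, 600 key file)."""
    problems = []
    ssh_dir = Path(home) / ".ssh"
    auth_keys = ssh_dir / "authorized_keys"

    if not ssh_dir.is_dir():
        return [f"{ssh_dir} is missing"]

    # sshd refuses to trust the directory if group or others can write to it.
    dir_mode = stat.S_IMODE(ssh_dir.stat().st_mode)
    if dir_mode & (stat.S_IWGRP | stat.S_IWOTH):
        problems.append(f"{ssh_dir} is mode {dir_mode:o}, expected 700")

    if not auth_keys.is_file():
        problems.append(f"{auth_keys} is missing")
    else:
        file_mode = stat.S_IMODE(auth_keys.stat().st_mode)
        if file_mode & (stat.S_IWGRP | stat.S_IWOTH):
            problems.append(f"{auth_keys} is mode {file_mode:o}, expected 600")
    return problems


def make_fixture(dir_mode: int, file_mode: int) -> str:
    """Constructed test input: a temporary home with .ssh/authorized_keys
    set to the given modes. The key line is a placeholder, not a real key."""
    home = tempfile.mkdtemp()
    ssh_dir = Path(home) / ".ssh"
    ssh_dir.mkdir()
    (ssh_dir / "authorized_keys").write_text(
        "ssh-rsa PLACEHOLDER_PUBLIC_KEY client@example\n"
    )
    os.chmod(ssh_dir / "authorized_keys", file_mode)
    os.chmod(ssh_dir, dir_mode)
    return home


if __name__ == "__main__":
    print("correct layout:", check_ssh_permissions(make_fixture(0o700, 0o600)))
    print("group-writable:", check_ssh_permissions(make_fixture(0o775, 0o664)))
```

Run it against a real account with check_ssh_permissions(os.path.expanduser("~")) when a key that was pasted in is unexpectedly not accepted.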

connecting to server

shellscript
ssh <username>@<remote_host>
Simplified exchange (the sequence diagram from the original page, rendered as steps):

  1. client → server: request ssh connection
  2. client: saving server public key to known_hosts file
  3. server: has client public key in the authorized_keys file
  4. server → client: message encrypted with client public key
  5. client: decrypt and MD5 hash
  6. client → server: MD5
  7. server: matching key found
  8. server → client: connection established
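To make the two key-based flows on this page concrete (the four signature steps in the Signature section, and the challenge-response drawn in the diagram above), here is an added example that is not part of the original page. It uses textbook RSA over two Mersenne primes (constructed keys, far simpler than what ssh-keygen produces) with hashlib only, so it runs offline. sign()/verify() follow the page's steps 1 to 4 exactly; server_challenge()/client_response()/server_check() mirror the page's simplified model of public key authentication, in which the server encrypts a message to the client's public key and compares an MD5 of the decrypted result. Real SSH instead has the client sign session data after a Diffie-Hellman key exchange; the simulation keeps the page's model on purpose.

```python
import hashlib
import secrets

# Constructed toy keypairs: Mersenne primes, chosen so that the modulus is
# larger than a SHA-256 digest and gcd(E, phi) == 1. Not for real use.
P, Q = 2**521 - 1, 2**127 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))          # private exponent
PUBLIC_KEY, PRIVATE_KEY = (N, E), (N, D)

# A second, unauthorized keypair used to show a failed login.
P2, Q2 = 2**607 - 1, 2**89 - 1
N2 = P2 * Q2
OTHER_PRIVATE_KEY = (N2, pow(E, -1, (P2 - 1) * (Q2 - 1)))


def sha256_int(data: bytes) -> int:
    """Hash the data and read the digest as an integer (always < N here)."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


# --- Signature section, steps 1-4 ------------------------------------------
def sign(data: bytes, private_key) -> int:
    n, d = private_key
    return pow(sha256_int(data), d, n)        # step 1: hash, then "encrypt" with private key


def verify(data: bytes, signature: int, public_key) -> bool:
    n, e = public_key
    recovered = pow(signature, e, n)           # step 4: open the signature with the public key
    return recovered == sha256_int(data)       # ...and compare with step 3's hash


# --- Public key authentication as drawn in the diagram above --------------
def server_challenge(authorized_public_key):
    """Server side: encrypt a random message with the client's public key
    taken from authorized_keys. Returns (ciphertext, md5 the server keeps)."""
    n, e = authorized_public_key
    message = secrets.token_bytes(32)
    ciphertext = pow(int.from_bytes(message, "big"), e, n)
    return ciphertext, hashlib.md5(message).digest()


def client_response(ciphertext: int, client_private_key) -> bytes:
    """Client side: decrypt with the private key and return the MD5 hash."""
    n, d = client_private_key
    m = pow(ciphertext, d, n)
    message = m.to_bytes((m.bit_length() + 7) // 8 or 1, "big")
    return hashlib.md5(message).digest()


def server_check(expected: bytes, response: bytes) -> bool:
    """Server side: 'matching key found' only if the hashes agree."""
    return secrets.compare_digest(expected, response)


def run_auth(client_private_key, authorized_public_key) -> bool:
    ciphertext, expected = server_challenge(authorized_public_key)
    return server_check(expected, client_response(ciphertext, client_private_key))


if __name__ == "__main__":
    data = b"ls -la /var/log"
    sig = sign(data, PRIVATE_KEY)
    print("valid signature:   ", verify(data, sig, PUBLIC_KEY))
    print("tampered data:     ", verify(data + b" ; rm -rf /", sig, PUBLIC_KEY))
    print("authorized client: ", run_auth(PRIVATE_KEY, PUBLIC_KEY))
    print("unauthorized client:", run_auth(OTHER_PRIVATE_KEY, PUBLIC_KEY))
```

The tampered-data case is the property the Signature section promises: a single changed byte changes the SHA-256 value, so the hash recovered from the signature no longer matches. The unauthorized-client case shows why the server only needs the public key in authorized_keys: without the matching private key the challenge cannot be decrypted, so the returned hash is wrong.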

Reference