SSH principle and application

1. Introduction and Features of SSH


1. The ssh command is the client connection tool in the OpenSSH suite; it uses the SSH encryption protocol to log in securely to a remote server.

Concrete software implementations:
    OpenSSH: open-source implementation of the SSH protocol, installed by default on CentOS
    dropbear: another open-source implementation
SSH protocol versions
    v1: uses CRC-32 as the MAC, insecure; vulnerable to man-in-the-middle attacks
    v2: the two hosts negotiate a secure MAC method
    key exchange based on the DH algorithm, identity authentication based on RSA or DSA
Two kinds of user login authentication:
    password-based
    key-based
    port number: 22
    -------------------------------------------------------------------------------------
ssh, configuration file: /etc/ssh/ssh_config
    Host PATTERN
        StrictHostKeyChecking no    do not show the host key check prompt on first login
Format: ssh [user@]host [COMMAND]
           ssh [-l user] host [COMMAND]
             -p port: the port the remote server listens on
             -b: specify the source IP of the connection
             -v: debug mode
             -C: enable compression
             -X: enable X11 forwarding
             -Y: enable trusted X11 forwarding
             -t: force pseudo-tty allocation
                ssh -t remoteserver1 ssh remoteserver2




2. The three login authentication methods of the ssh service
When a client connects to a server for the first time, the server's public key is saved to ~/.ssh/known_hosts. The next time you connect, the stored key is automatically matched against the one the server presents; if it cannot be matched, the connection is refused.
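The known_hosts check above, together with the StrictHostKeyChecking setting from the configuration notes, is what distinguishes a genuine server from an impostor. The following is an added example, not code from the original page or from OpenSSH: it parses known_hosts entries in the real file format (plain comma-separated host names and the hashed "|1|salt|hmac" form written when HashKnownHosts is on), computes the SHA256 fingerprint ssh-keygen -l would print, and models the page's decision rule for "ok", "unknown" and "mismatch" under StrictHostKeyChecking yes/ask/no. The key blobs and the sample file are constructed stand-ins, not real host keys; wildcard and negated host patterns are not handled.

```python
import base64
import hashlib
import hmac

# --- constructed sample data (not real keys) --------------------------------

def make_ed25519_blob(seed: int) -> bytes:
    """Build bytes laid out like an ssh-ed25519 public key blob (string
    "ssh-ed25519" followed by a 32-byte string). The 32 bytes are deterministic
    filler, so this is a stand-in for a host key, not a usable key."""
    filler = hashlib.sha256(b"constructed host key %d" % seed).digest()
    return b"\x00\x00\x00\x0bssh-ed25519" + b"\x00\x00\x00\x20" + filler

SALT = bytes(range(20))   # fixed salt so the sample file is reproducible

def hashed_host_field(host: str, salt: bytes) -> str:
    """The '|1|salt|hmac' host-name form written when HashKnownHosts is yes."""
    mac = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(),
                         base64.b64encode(mac).decode())

def sample_known_hosts() -> str:
    """A constructed ~/.ssh/known_hosts with one plain and one hashed entry."""
    b64 = lambda blob: base64.b64encode(blob).decode()
    return "\n".join([
        "# constructed ~/.ssh/known_hosts",
        "server1.example,10.0.0.5 ssh-ed25519 " + b64(make_ed25519_blob(1)),
        hashed_host_field("hashed.example", SALT) + " ssh-ed25519 "
        + b64(make_ed25519_blob(1)),
        "",
    ])

# --- the check --------------------------------------------------------------

def fingerprint(blob: bytes) -> str:
    """SHA256 fingerprint in the form 'ssh-keygen -l' prints (unpadded base64)."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def host_field_matches(field: str, host: str) -> bool:
    if field.startswith("|1|"):
        _, _, salt_b64, mac_b64 = field.split("|", 3)
        expected = hmac.new(base64.b64decode(salt_b64), host.encode(),
                            hashlib.sha1).digest()
        return hmac.compare_digest(expected, base64.b64decode(mac_b64))
    # plain entries: comma-separated names (wildcards/negation not handled here)
    return host in field.split(",")

def check_host(known_hosts: str, host: str, keytype: str, blob: bytes) -> str:
    """Return 'ok', 'mismatch' or 'unknown' for the key a server presented."""
    result = "unknown"
    for line in known_hosts.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or line.startswith("@"):
            continue   # comments and @cert-authority/@revoked markers are skipped
        parts = line.split()
        if len(parts) < 3 or not host_field_matches(parts[0], host):
            continue
        if parts[1] != keytype:
            continue   # a stored key of another type says nothing about this one
        if hmac.compare_digest(base64.b64decode(parts[2]), blob):
            return "ok"
        result = "mismatch"   # same host, same key type, different key
    return result

def decide(result: str, strict: str) -> str:
    """The page's decision rule, parameterised by StrictHostKeyChecking."""
    if result == "ok":
        return "connect"
    if result == "mismatch":
        return "refuse: stored key differs, possible man-in-the-middle"
    return {"yes": "refuse: host not in known_hosts",
            "ask": "prompt the user with the fingerprint",
            "no": "connect and add the key without asking"}[strict]

if __name__ == "__main__":
    known = sample_known_hosts()
    presented = make_ed25519_blob(1)
    print(fingerprint(presented))
    print(decide(check_host(known, "server1.example", "ssh-ed25519", presented), "ask"))
    print(decide(check_host(known, "server1.example", "ssh-ed25519", make_ed25519_blob(2)), "no"))
```

The "no" branch is exactly what the StrictHostKeyChecking no setting in the configuration notes buys: convenience on the first connection at the price of trusting whatever key is presented then. A changed key for a host that is already in the file is never silently accepted in this model, which is why the fingerprint is worth comparing out of band when the prompt appears.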

① Login verification based on user name and password
1. The client initiates an ssh request, and the server sends its own public key to the user
2. The user encrypts the password with the public key sent by the server
3. The encrypted information is sent back to the server; the server decrypts it with its own private key, and if the password is correct the user logs in successfully.


② Key-based login method:
1. First generate a key pair (ssh-keygen) on the client side
2. Copy the client's public key to the server side (ssh-copy-id)
3. When the client sends a connection request again, the request includes its IP and user name
4. After the server receives the client's request, it looks in authorized_keys. If there is a matching IP and user, it generates a random string, for example: acdf
5. The server encrypts the string with the public key previously copied from the client and sends it to the client
6. After receiving the message from the server, the client decrypts it with its private key and sends the decrypted string back to the server
7. After the server receives the string sent by the client, it compares it with the string it generated earlier. If they match, password-free login is allowed.
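The two exchanges in ① and ②, as an added example that is not part of the original page and not OpenSSH code. It plays both sides of each flow step by step: the client encrypts the password under the server's public key and the server decrypts and checks it (①), and the server encrypts a random string under the key found in authorized_keys, the client decrypts it with its private key, and the server compares the answer (②). The failure cases a practitioner cares about are included: a wrong password, a private key that does not match any authorized key, and a user with no authorized_keys entry. The RSA here is textbook RSA on fixed Mersenne primes with no padding, constructed only so the block runs offline; the user names, password and IP are constructed too. Real SSH-2 differs in two ways worth knowing: the password travels inside the already-encrypted transport rather than being encrypted with the host key directly, and public-key authentication has the client sign a value bound to the session instead of decrypting a challenge.

```python
import hashlib
import secrets

# Textbook RSA on fixed Mersenne primes. Constructed for this demonstration
# only: unpadded and far too small to protect anything real.
E = 65537

def make_keypair(p: int, q: int):
    n = p * q
    d = pow(E, -1, (p - 1) * (q - 1))   # modular inverse (Python 3.8+)
    return (n, E), (n, d)                # (public key, private key)

def encrypt(pub, data: bytes) -> int:
    """Pack data||len into one integer and encrypt it (data must be < 32 bytes)."""
    n, e = pub
    return pow(int.from_bytes(data + bytes([len(data)]), "big"), e, n)

def decrypt(priv, c: int) -> bytes:
    """Undo encrypt(); with the wrong private key the result is garbage."""
    n, d = priv
    packed = pow(c, d, n).to_bytes((n.bit_length() + 7) // 8, "big")
    length = packed[-1]
    return packed[len(packed) - 1 - length:len(packed) - 1]

SERVER_PUB, SERVER_PRIV = make_keypair(2**61 - 1, 2**89 - 1)    # sshd host key
CLIENT_PUB, CLIENT_PRIV = make_keypair(2**107 - 1, 2**127 - 1)  # id_rsa / id_rsa.pub
STRAY_PUB, STRAY_PRIV = make_keypair(2**521 - 1, 2**607 - 1)    # never copied over

def make_verifier(password: bytes) -> bytes:
    """Stand-in for the server's password database: store a hash, not the password."""
    return hashlib.sha256(password).digest()

class Server:
    """sshd side: host key pair, password verifiers and per-user authorized_keys."""
    def __init__(self, host_priv, host_pub, verifiers, authorized_keys):
        self.host_priv, self.host_pub = host_priv, host_pub   # step ①-1 sends host_pub
        self.verifiers = verifiers              # {user: make_verifier(password)}
        self.authorized_keys = authorized_keys  # {user: public key}
        self.pending = {}                       # user -> random string awaiting reply

    def password_login(self, user: str, enc_password: int) -> bool:
        # ① step 3: decrypt with the host private key and check the password
        password = decrypt(self.host_priv, enc_password)
        stored = self.verifiers.get(user)
        return stored is not None and secrets.compare_digest(make_verifier(password), stored)

    def challenge(self, user: str, client_ip: str):
        # ② step 4: look the user up in authorized_keys, generate a random string
        pub = self.authorized_keys.get(user)
        if pub is None:
            return None                          # no entry: nothing to challenge with
        self.pending[user] = secrets.token_bytes(16)
        # ② step 5: encrypt it with the public key copied from the client
        return encrypt(pub, self.pending[user])

    def verify(self, user: str, answer: bytes) -> bool:
        # ② step 7: compare the client's answer with the string issued
        expected = self.pending.pop(user, None)
        return expected is not None and secrets.compare_digest(expected, answer)

class Client:
    def __init__(self, user: str, priv=None):
        self.user, self.priv = user, priv

    def send_password(self, server_pub, password: bytes) -> int:
        return encrypt(server_pub, password)     # ① step 2

    def answer(self, ciphertext: int) -> bytes:
        return decrypt(self.priv, ciphertext)    # ② step 6

def password_login(server: Server, client: Client, password: bytes) -> bool:
    return server.password_login(client.user, client.send_password(server.host_pub, password))

def key_login(server: Server, client: Client, client_ip: str = "10.0.0.7") -> bool:
    ct = server.challenge(client.user, client_ip)   # ② step 3: request carries ip and user
    if ct is None:
        return False
    return server.verify(client.user, client.answer(ct))

if __name__ == "__main__":
    srv = Server(SERVER_PRIV, SERVER_PUB,
                 {"alice": make_verifier(b"constructed-pw")}, {"alice": CLIENT_PUB})
    print("password ok:", password_login(srv, Client("alice"), b"constructed-pw"))
    print("key ok:     ", key_login(srv, Client("alice", CLIENT_PRIV)))
    print("stray key:  ", key_login(srv, Client("alice", STRAY_PRIV)))
```

Two details carry over to the real thing: the server keeps only a hash of the password, never the password itself, and every comparison uses a constant-time compare so that a wrong answer does not leak how close it was.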


③ Key-based authentication (procedure)
(1) Generate a key pair on the client
    ssh-keygen -t rsa [-P ''] [-f "~/.ssh/id_rsa"]
(2) Transfer the public key file to the home directory of the corresponding user on the remote server
    ssh-copy-id [-i [identity_file]] [user@]host
(3) Test the login
(4) Key-based authentication with SecureCRT or Xshell: in SecureCRT, Tools -> Create Public Key -> generate the Identity.pub file; convert it to the OpenSSH-compatible format (required for SecureCRT; Xshell needs no conversion) and append it to the authorized_keys file of the user on the host to be logged into. Note that the file permissions must be 600. On the ssh host to be logged into, run:
    ssh-keygen -i -f Identity.pub >> .ssh/authorized_keys
(5) Reset the private key passphrase:
    ssh-keygen -p
(6) Use the authentication agent to hold the decrypted key
    This way the passphrase only needs to be entered once
    In GNOME the agent is provided automatically for the root user
    Otherwise run ssh-agent bash
(7) Add the key to the agent with the command
    ssh-add

2. SSH forwarding features
