SSH is standard on every Linux computer.

As Linux devices have expanded from computers to mobile phones, peripherals and household appliances, SSH is being used ever more widely. It is not only programmers who cannot do without it; many ordinary users also use it every day.

SSH has many functions and can be used in many situations. Some things simply cannot be done without it. These are my study notes, which summarize and explain common uses of SSH. I hope you find them useful.

Although this article covers only basic usage and is fairly simple, it assumes that readers have basic shell knowledge and understand the concept of public-key encryption.

1. What is SSH?

In short, SSH is a network protocol for encrypted logins between computers.

If a user logs in from a local computer to a remote computer using the SSH protocol, the login can be considered secure: even if it is intercepted in transit, the password will not leak.

In the earliest days, Internet communication was all in plaintext, and once intercepted its content was fully exposed. In 1995, the Finnish scholar Tatu Ylonen designed the SSH protocol, which encrypts all login information. It became a basic solution for Internet security, spread quickly around the world, and is now standard on Linux systems.

It is important to note that SSH is only a protocol. There are many implementations, both commercial and open source. This article deals with the OpenSSH implementation, which is free software and very widely used.

In addition, this article only discusses the use of SSH in the Linux shell. To use SSH on Windows, you need a different piece of software, PuTTY, which would require a separate article.

2. The most basic usage

SSH is mainly used for remote login. Suppose you want to log in to the remote host host with the username user; one simple command is enough.

$ ssh user@host

If the local username is the same as the remote username, the username can be omitted when logging in.

$ ssh host

The default SSH port is 22; that is, your login request is sent to port 22 of the remote host. The -p parameter lets you change this port.

$ ssh -p 2222 user@host

The command above means that ssh connects directly to port 2222 of the remote host.

3. Man-in-the-middle attack

SSH can guarantee security because it uses public-key encryption.

The whole process works like this: (1) The remote host receives the user's login request and sends its public key to the user. (2) The user encrypts the login password with this public key and sends it back. (3) The remote host decrypts the login password with its own private key and, if the password is correct, allows the user to log in.

The process itself is secure, but there is a risk in practice: if someone intercepts the login request, impersonates the remote host and sends a forged public key to the user, it is hard for the user to tell the real from the fake. Unlike the HTTPS protocol, SSH public keys are not notarized by a certificate authority (CA); in other words, they are all self-issued.

You can imagine that if an attacker places himself between the user and the remote host (for example, in a public Wi-Fi area) and uses a forged public key to obtain the user's login password, and then uses this password to log in to the remote host, SSH's security mechanism is defeated. This risk is the well-known "man-in-the-middle attack".

How does the SSH protocol deal with this?

4. Password login

If this is the first time you log in to a host, the system shows the following prompt:

$ ssh user@host

The authenticity of host 'host (12.18.429.21)' can't be established.

RSA key fingerprint is 98:2e:d7:e0:de:9f:ac:67:28:c2:42:2d:37:16:58:4d.

Are you sure you want to continue connecting (yes/no)?

This passage means that the authenticity of the host host cannot be confirmed; only its public key fingerprint is known. Do you want to continue connecting?

The "public key fingerprint" exists because the public key is long (here it uses the RSA algorithm and is 1024 bits long) and hard to compare, so an MD5 calculation is performed on it to turn it into a 128-bit fingerprint. In the example above it is 98:2e:d7:e0:de:9f:ac:67:28:c2:42:2d:37:16:58:4d, which is much easier to compare.

A natural question is how users know what the remote host's public key fingerprint should be. The answer is that there is no good way: the remote host must post its public key fingerprint on its own website so that users can check it themselves.

Suppose that, after weighing the risk, the user decides to accept the remote host's public key.

Are you sure you want to continue connecting (yes/no)? yes

The system then shows a message indicating that the host host has been accepted.

Warning: Permanently added 'host,12.18.429.21' (RSA) to the list of known hosts.

Then you will be asked for the password.

Password: (enter password)

If the password is correct, you are logged in.

Once the remote host's public key is accepted, it is saved in the file $HOME/.ssh/known_hosts. The next time you connect to this host, the system recognizes that its public key is already stored locally, skips the warning and prompts for the password directly.

Every SSH user has their own known_hosts file. The system also has such a file, usually /etc/ssh/ssh_known_hosts, which holds the public keys of remote hosts that all users can trust.
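
The fingerprint calculation and known_hosts comparison described in this section, as an added shell example that is not part of the original article. The function names, the 192.0.2.10 address and the two key blobs are constructed for the illustration; the blobs are toy values, not usable RSA keys.

```shell
#!/bin/sh
# Added example, not from the original article. The sample keys are
# constructed toy blobs; only the hashing and comparison logic is real.

# Print the MD5 fingerprint of a "<type> <base64-blob> [comment]" key line.
fingerprint_md5() {
    blob=$(printf '%s\n' "$1" | awk '{print $2}')
    [ -n "$blob" ] || return 2
    # Reject blobs that are not valid base64 instead of hashing garbage.
    printf '%s' "$blob" | base64 -d >/dev/null 2>&1 || return 2
    printf '%s' "$blob" | base64 -d | md5sum | awk '{print $1}' |
        sed 's/../&:/g; s/:$//'
}

# Print "<type> <blob>" stored for host $1 in known_hosts file $2.
# Hashed ("|1|..."), comment and marker lines are skipped.
known_host_key() {
    awk -v h="$1" '$1 !~ /^[|#@]/ {
        n = split($1, names, ",")
        for (i = 1; i <= n; i++) if (names[i] == h) { print $2, $3; exit }
    }' "$2"
}

# Compare the key a server presents ($2) with the one stored for host $1 in
# file $3. Returns 0 = match, 1 = key changed (possible interception),
# 2 = malformed key, 3 = host unknown (verify the fingerprint out of band).
check_presented_key() {
    presented=$(fingerprint_md5 "$2") || return 2
    stored=$(known_host_key "$1" "$3")
    [ -n "$stored" ] || return 3
    [ "$presented" = "$(fingerprint_md5 "$stored")" ] && return 0
    return 1
}

# Constructed sample data: one known_hosts entry and two presented keys.
GOOD='ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAABQDRXqXh'
FAKE='ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAABQDRXqXi'
KH=$(mktemp)
printf '%s\n' "host,192.0.2.10 $GOOD" > "$KH"
for key in "$GOOD" "$FAKE"; do
    rc=0; check_presented_key host "$key" "$KH" || rc=$?
    echo "$(fingerprint_md5 "$key") -> status $rc"
done
rm -f "$KH"
```

Current OpenSSH releases display SHA256 fingerprints by default; ssh-keygen -l -E md5 -f <keyfile> prints the MD5 form computed here.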

5. Public key login

Logging in with a password means typing the password every time, which is tedious. Fortunately, SSH also provides public key login, which removes the step of entering a password.

The principle of "public key login" is simple: the user stores his public key on the remote host. At login, the remote host sends the user a random string; the user encrypts it with his private key and sends it back. The remote host decrypts it with the stored public key and, if this succeeds, the user is proven trustworthy and is given a login shell directly, with no password required.

This method requires the user to have a public key. If you do not have one, you can generate one with ssh-keygen:

$ ssh-keygen

After you run the command above, a series of prompts appears; you can press Enter all the way through. One of the questions is whether to set a passphrase for the private key. If you are worried about the security of the private key, you can set one here.

When it finishes, two new files are created in the $HOME/.ssh/ directory: id_rsa.pub and id_rsa. The former is your public key and the latter is your private key.

Then enter the following command to send the public key to the remote host host:

$ ssh-copy-id user@host

From then on, you no longer need to enter a password when you log in.

If it still does not work, open the file /etc/ssh/sshd_config on the remote host and check that the "#" comment marker in front of the following lines has been removed.

RSAAuthentication yes

PubkeyAuthentication yes

AuthorizedKeysFile .ssh/authorized_keys

Then restart the ssh service on the remote host.

# Ubuntu

service ssh restart

# Debian

/etc/init.d/ssh restart

6. The authorized_keys file

The remote host stores the user's public key in the file $HOME/.ssh/authorized_keys in the home directory of the user who logs in. A public key is just a string; it only needs to be appended to the end of the authorized_keys file.

Instead of the ssh-copy-id command above, the following command is used here to show how the public key is saved:

$ ssh user@host 'mkdir -p .ssh && cat >> .ssh/authorized_keys' < ~/.ssh/id_rsa.pub

This command consists of several parts, broken down one by one:

(1) "$ ssh user@host" means logging in to the remote host;

(2) The mkdir -p .ssh && cat >> .ssh/authorized_keys in single quotes is the command executed in the remote shell after login;

(3) "$ mkdir -p .ssh" creates the .ssh directory in the user's home directory if it does not exist;

(4) 'cat >> .ssh/authorized_keys' < ~/.ssh/id_rsa.pub redirects the local public key file ~/.ssh/id_rsa.pub and appends it to the end of the remote file authorized_keys.

Once it is written to the authorized_keys file, public key login is set up.
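
What the remote half of that command does, written as an added shell function (not from the original article) that also validates the input, sets the permissions sshd expects and skips a key that is already present. The name install_pubkey and the sample key are assumptions made for the example; the function runs on the machine that holds authorized_keys.

```shell
#!/bin/sh
# Added example, not from the original article: the remote half of the
# one-line command, with input validation, permissions and de-duplication.

# install_pubkey <public-key-file> <home-directory>
# Returns 0 if the key is (now) authorised, 2 if the file is not a public key.
install_pubkey() {
    pub=$1; sshdir=$2/.ssh; auth=$sshdir/authorized_keys
    # Accept exactly one "<type> <base64> [comment]" line. This also stops a
    # private key file (id_rsa) from being installed by mistake.
    [ "$(grep -c . "$pub" 2>/dev/null)" = 1 ] || return 2
    line=$(grep . "$pub")
    printf '%s\n' "$line" |
        grep -Eq '^(ssh|ecdsa|sk)-[a-z0-9@.-]+ [A-Za-z0-9+/]+=*( .*)?$' || return 2
    # sshd's StrictModes check refuses keys kept in files or directories
    # that other users can write to, so set the modes explicitly.
    mkdir -p "$sshdir" && chmod 700 "$sshdir" || return 1
    touch "$auth" && chmod 600 "$auth" || return 1
    # Append only if this exact line is not already present.
    grep -qxF -- "$line" "$auth" && return 0
    printf '%s\n' "$line" >> "$auth"
}

# Demonstration in a throwaway directory with a constructed toy key.
DEMO_HOME=$(mktemp -d)
printf '%s\n' 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAABQDRXqXh user@laptop' \
    > "$DEMO_HOME/id_rsa.pub"
install_pubkey "$DEMO_HOME/id_rsa.pub" "$DEMO_HOME"
install_pubkey "$DEMO_HOME/id_rsa.pub" "$DEMO_HOME"   # second run adds nothing
echo "entries: $(grep -c . "$DEMO_HOME/.ssh/authorized_keys")"
ls -ld "$DEMO_HOME/.ssh" "$DEMO_HOME/.ssh/authorized_keys"
rm -rf "$DEMO_HOME"
```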

Source: Ruan Yifeng (@ruanyf)

Link: http://www.ruanyifeng.com/blog/2011/12/ssh_remote_login.html
