Friday, May 20, 2011

Secure Shell (SSH)

SSH is the abbreviation of Secure Shell; the protocol was drawn up by the IETF Network Working Group. SSH is a security protocol built on the application layer and the transport layer. It is a reliable protocol designed to provide security for remote login sessions and other network services. Using the SSH protocol can effectively prevent information leakage during remote administration.
SSH introduction
Traditional network service programs such as FTP, POP and Telnet are inherently insecure, because they transmit passwords and data across the network in cleartext, so anyone with ill intent can easily intercept the password and the data. Moreover, the way these programs verify identity has a weakness: they are very vulnerable to the "man-in-the-middle" attack. In this attack the "middle man" impersonates the real server to receive the data you send to the server, then impersonates you to pass the data on to the real server. Once the data passing between you and the server has changed hands through the "middle man", very serious problems can arise.
By using SSH, you can encrypt all transmitted data, so that this kind of "man-in-the-middle" attack cannot succeed; it also prevents DNS and IP spoofing. An additional advantage is that the data is compressed, which can speed up transmission. SSH has many functions: it can replace Telnet, and it can provide a secure "channel" for FTP, POP and even PPP.
How SSH security verification works
From the client's point of view, SSH provides two levels of security verification.
The first level (password-based security verification): as long as you know your own account and password, you can log on to the remote host. All transmitted data is encrypted, but you cannot be sure that the server you are connecting to is the server you want to connect to. Another server may be impersonating the real server, so this level is still exposed to the "man-in-the-middle" attack.
The second level (key-based security verification) relies on a key pair: you must create a pair of keys for yourself and place the public key on the server you need to access. When you connect to an SSH server, the client software sends a request asking the server to verify you with your key. After receiving the request, the server looks for your public key in your home directory on the server and compares it with the public key you sent. If the two keys agree, the server encrypts a "challenge" with the public key and sends it to the client software. After receiving the "challenge", the client decrypts it with your private key and sends it back to the server.
In this way you must know the passphrase of your own key. However, compared with the first level, the second level does not need to send a password over the network.
The second level not only encrypts all transmitted data, but also makes the "man-in-the-middle" attack impossible (because the attacker does not have your private key). However, the whole login process may take 10 seconds.
Detailed introduction
The Secure Shell protocol (SSH) is a protocol that provides secure Telnet and other secure network services over an insecure network. Secure Shell, also written SSH, was initially a program on UNIX systems and then quickly spread to other operating platforms. SSH is a good application: used correctly, it can make up for these loopholes and leaks in the network. In addition, SSH is attractive for the following reasons:
SSH clients are available for many platforms. Almost all UNIX platforms, including HP-UX, Linux, AIX, Solaris, Digital UNIX, IRIX, SCO and others, can run SSH. Moreover, there are already some clients (some of them beta) that run outside the UNIX platforms, including OS/2, VMS, BeOS, Java, Windows 95/98 and Windows NT. So you can run an SSH client program on almost any platform.
It is free for non-commercial use. The source code of many SSH versions is available, and it can be obtained free of charge if it is not used for commercial purposes. Moreover, the UNIX version also provides the source code, which means anyone can modify it. However, if you choose to use it for commercial purposes, then no matter which version of SSH you use, you have to make sure you have registered and obtained the corresponding rights. Most SSH clients and daemons have some registration restrictions. The only SSH implementation under the GNU General Public License (GPL) is LSH, which is currently still in beta.
Passwords are transmitted over the Internet safely and reliably. This is one of SSH's recognised advantages. If you look at the way an ISP (Internet Service Provider) or a university handles access, they generally use Telnet or a POP mail client. Accordingly, the password you enter when logging into your account is sent in cleartext (with no protection at all, directly readable), which gives an attacker the opportunity to piggyback on your account, and eventually you will be held responsible for his actions.
Support for the application. Because the SSH source code is open, it has gained wide acceptance in the UNIX world. Linux, whose source code is open and freely available to the public, has won similar recognition. This lets any developer (or anyone at all) improve its performance through patches or bug fixes, and even add functionality. This also means that obtaining and installing SSH gets you software whose performance can be continuously improved without having to get direct technical support from the original creator.
SSH replaces insecure remote applications. SSH was designed to replace the Berkeley r-command set; it also inherits similar syntax. As a result, users hardly notice the difference between using SSH and the r-commands.
You can also do some cool things with it. By using SSH, you can send messages over an insecure network without worrying that they will be monitored. You can also tunnel POP and Telnet through SSH, and use a PPP tunnel over SSH to create a Virtual Private Network (VPN). SSH also supports other authentication methods, such as Kerberos and security ID cards.
But because the encryption algorithms are subject to copyright and restrictions, many people now switch to OpenSSH. OpenSSH is a free alternative to SSH, and it can be expected that more and more people will use it instead of SSH.
SSH consists of client and server software, and comes in two incompatible versions: 1.x and 2.x. An SSH 2.x client cannot connect to an SSH 1.x server. OpenSSH 2.x supports both SSH 1.x and 2.x. SSH is made up of three main parts:
The transport layer protocol [SSH-TRANS] provides server authentication, confidentiality and integrity. In addition, it sometimes also provides compression. SSH-TRANS generally runs over a TCP/IP connection, but may also be used over other reliable data streams. SSH-TRANS provides strong encryption, cryptographic host authentication and integrity protection. In this protocol, authentication is host-based; it does not perform user authentication. A higher-level user authentication protocol can be designed on top of this protocol.
The user authentication protocol [SSH-USERAUTH] is used to authenticate the client-side user to the server. It runs on top of the transport layer protocol SSH-TRANS. When SSH-USERAUTH starts, it receives the session identifier from the lower-level protocol (the exchange hash H from the first key exchange). The session identifier uniquely identifies this session and is suitable for signing to prove ownership of a private key. SSH-USERAUTH also needs to know whether the lower-level protocol provides confidentiality protection.
The connection protocol [SSH-CONNECT] multiplexes the encrypted tunnel into several logical channels. It runs on top of the user authentication protocol. It provides interactive login sessions, remote command execution, forwarded TCP/IP connections and forwarded X11 connections.
Once a secure transport-layer connection has been established, the client sends a service request. A second service request is sent after user authentication is completed. This allows newly defined protocols to coexist with the protocols above. The connection protocol provides channels for a wide variety of uses, with standard methods for setting up secure interactive shell sessions and for forwarding ("tunnelling") proprietary TCP/IP ports and X11 connections.
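The following is an added example, not code from the original post or from any SSH implementation. It models the two key-based proofs this post describes: the "second level" challenge/response (the server encrypts a challenge with the user's public key, the client decrypts it with the private key) and the SSH-USERAUTH proof that signs the session identifier H so that the proof is bound to one session. To run with the standard library only it uses a deliberately tiny textbook RSA key built from two fixed Mersenne primes with no padding; that key, the function names, the user name "alice" and the two "constructed key exchange" session identifiers are all assumptions made for illustration, and the code is not secure and is not the real SSH wire protocol.

```python
"""Toy model of SSH key-based proofs: challenge/response and signing the
session identifier H. Added example; insecure textbook RSA, not real SSH."""
import hashlib
import secrets

# Constructed toy RSA parameters (two Mersenne primes): insecure, illustration only.
P = 2**31 - 1
Q = 2**61 - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))   # private exponent (needs Python 3.8+)

PUBLIC_KEY = (N, E)     # what the user places on the server
PRIVATE_KEY = (N, D)    # what never leaves the client


def rsa_apply(key, value):
    """Raw RSA: encrypt/verify with the public key, decrypt/sign with the private one."""
    n, exponent = key
    return pow(value, exponent, n)


def hash_to_int(*parts):
    """Hash byte strings into an integer below N so that it can be signed."""
    digest = hashlib.sha256(b"".join(parts)).digest()
    return int.from_bytes(digest, "big") % N


# --- challenge/response, as in the "second level" paragraph ----------------
def server_make_challenge(user_public_key):
    """Server: pick a random challenge and encrypt it with the public key it
    found for this user (on real systems, the key in the user's home directory)."""
    challenge = secrets.randbelow(N)
    return challenge, rsa_apply(user_public_key, challenge)


def client_answer_challenge(private_key, encrypted_challenge):
    """Client: decrypt the challenge with the private key and return a hash of
    it, so the raw value is not handed back over the network."""
    plain = rsa_apply(private_key, encrypted_challenge)
    return hashlib.sha256(plain.to_bytes(16, "big")).hexdigest()


def server_check_answer(challenge, answer):
    """Server: the answer is accepted only if it hashes the original challenge."""
    expected = hashlib.sha256(challenge.to_bytes(16, "big")).hexdigest()
    return secrets.compare_digest(expected, answer)


# --- signing the session identifier, as in the SSH-USERAUTH paragraph -------
def client_sign_session(private_key, session_id, username):
    """Client: sign H together with the user name, binding the proof to this
    session so that a captured signature cannot be replayed into another one."""
    return rsa_apply(private_key, hash_to_int(session_id, username.encode()))


def server_verify_signature(user_public_key, session_id, username, signature):
    """Server: recompute the signed value for *this* session and compare."""
    return rsa_apply(user_public_key, signature) == hash_to_int(session_id, username.encode())


def run_demo():
    """Exercise both proofs plus the two failure cases the post warns about."""
    results = {}
    # Legitimate client holding the private key answers the challenge.
    challenge, enc = server_make_challenge(PUBLIC_KEY)
    results["challenge_ok"] = server_check_answer(
        challenge, client_answer_challenge(PRIVATE_KEY, enc))
    # A "middle man" sees only the encrypted challenge and has no private key;
    # anything derived from the ciphertext alone is rejected.
    results["impostor_fails"] = not server_check_answer(
        challenge, hashlib.sha256(enc.to_bytes(16, "big")).hexdigest())
    # A signature is bound to one session identifier H (constructed values).
    h1 = hashlib.sha256(b"constructed key exchange 1").digest()
    h2 = hashlib.sha256(b"constructed key exchange 2").digest()
    sig = client_sign_session(PRIVATE_KEY, h1, "alice")
    results["signature_ok"] = server_verify_signature(PUBLIC_KEY, h1, "alice", sig)
    results["replay_fails"] = not server_verify_signature(PUBLIC_KEY, h2, "alice", sig)
    return results


if __name__ == "__main__":
    for name, ok in run_demo().items():
        print(f"{name}: {ok}")
```

The two failure cases are the ones the post is about: an impostor server or "middle man" never learns the private key, so it cannot answer the challenge, and because the SSH-USERAUTH signature covers the session identifier H, a signature captured from one session does not verify in another.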
SSH is divided into two parts: the client part and the server part.
The server is a daemon that runs in the background and responds to connection requests from clients. The server is generally the sshd process, which handles remote connections, generally including public-key authentication, key exchange, symmetric encryption and the handling of the otherwise insecure connection.
The client includes the ssh program and other applications such as scp (remote copy), slogin (remote login) and sftp (secure file transfer).
Their working mechanism is roughly as follows: the local client sends a connection request to the remote server; the server checks the request packet and the IP address and sends its key to the SSH client; the local client then sends the key back to the server, and from then on the connection is established. This is only the general SSH connection process; SSH 1.x and SSH 2.x differ in some details of the connection protocol.
SSH is designed to work on its own without the super-server (inetd); although it can be run through inetd's tcpd process, this is completely unnecessary. When the SSH server is started, sshd runs and listens on port 22 by default (you can use # ps -waux | grep sshd to check whether it is running correctly). If SSH is not started through inetd, then sshd keeps waiting for connection attempts. When a request arrives, the SSH daemon spawns a child process, and this child process handles the connection.
SSH is also the name of an MVC software development model, SSH (Struts, Spring, Hibernate): Struts handles process control, Spring handles the business flow, and Hibernate wraps the database. This new development model makes development more convenient, faster and clearer!
