1. What is SSH?
Traditional network services such as FTP, POP and Telnet are inherently insecure because they send passwords and data across the network in clear text, and anyone with ill intent can intercept those passwords and data. Moreover, the authentication methods of these services have a weakness that makes them very susceptible to "man-in-the-middle" attacks. In a man-in-the-middle attack, the "intermediary" poses as the real server to receive the data you send to it, and then pretends to be you in passing the data on to the real server. All traffic between you and the server has passed through the intermediary, who can tamper with it, and that is a serious problem.
Some time ago, a Finnish programmer named Tatu Ylönen developed a network protocol and service software called SSH (short for Secure Shell). With SSH all transferred data is encrypted, which makes the attack mode described above impossible and also prevents DNS and IP spoofing. An additional advantage is that the transmitted data is compressed, so transfers can be faster. SSH has many features. Although many people use Secure Shell simply as a Telnet replacement, you can use it to protect your network connections in general: you can forward other network traffic, such as POP, X, PPP and FTP, through Secure Shell on a local or remote system, and you can forward other kinds of traffic too, including CVS and any other TCP connection. In addition, you can use Secure Shell together with TCP wrappers to strengthen connection security, and Secure Shell has other convenient functions that can be used with applications such as Oracle, for remote backups, and with additional authentication such as a SecurID card.
2. How SSH works
SSH is divided into two parts: the client part and the server part.
The server is a daemon that runs in the background and responds to connection requests from clients. The server is usually the sshd process; it handles remote connections, which generally involves public-key authentication, key exchange, symmetric-key encryption and the handling of insecure connections.
The client includes the ssh program and other applications such as scp (remote copy), slogin and sftp (secure file transfer).
Their working mechanism is roughly as follows: the local client sends a connection request to the remote server; the server checks the request packet and the IP address and sends its key to the SSH client; the client sends a key back to the server; and from then on the connection is established. That is the rough process of an SSH connection; SSH 1.x and SSH 2.x differ somewhat in the connection protocol.
SSH is designed to run as a stand-alone service rather than under the super-server (inetd). Although the SSH process can be run from inetd through tcpd, that is not necessary. After the SSH server is started, sshd runs and listens on the default port 22 (you can use "ps -waux | grep sshd" to check that sshd is running properly). If it is not started through inetd, SSH waits for connection requests all the time; when a request arrives, the SSH daemon forks a child process, and the child process carries out the connection.
However, because of copyright and encryption-algorithm restrictions, many people now use OpenSSH instead. OpenSSH is a free replacement for SSH.
SSH consists of client and server software, with two incompatible versions: 1.x and 2.x. An SSH 2.x client cannot connect to an SSH 1.x server. OpenSSH 2.x supports both SSH 1.x and 2.x.
3. Install OpenSSH
This section is based mainly on OpenSSH configuration under FreeBSD; other UNIX and UNIX-derived systems use OpenSSH in the same way. FreeBSD integrates OpenSSH, but many Linux distributions do not ship it. You can, however, download and install OpenSSH from the network; it is completely free (see http://www.openssh.org).
Generate key pair
Use ssh-keygen to generate a key pair. For example, to generate a 4096-bit key with the DSA algorithm, enter the following command (for the parameters see man ssh-keygen):
% ssh-keygen -b 4096 -t dsa
Generating public/private dsa key pair.
Enter file in which to save the key (/home/fdy84/.ssh/id_dsa):   (path where the key is saved; the value in brackets is the default)
Created directory '/home/fdy84/.ssh'.
Enter passphrase:   (enter a passphrase)
Enter same passphrase again:   (enter it again; don't forget it, otherwise you can only generate a new key)
Your identification has been saved in /home/fdy84/.ssh/id_dsa.   (your private key)
Your public key has been saved in /home/fdy84/.ssh/id_dsa.pub.   (your public key)
The key fingerprint is:
bb:1b:f5:1c:77:72:90:21:59:7e:c6:65:e5:24:c6:e5 fdy84@freebsd
Key distribution
A pair of keys has now been generated. Keep the private key in the ~/.ssh/ directory on your own machine with permissions "-rw-------" (i.e. 600). Then put the generated public key in the ~/.ssh/ directory of the remote host you want to connect to, renamed authorized_keys, and make sure the file cannot be modified by anyone other than its owner.
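As an added example (not part of the original article), the following POSIX shell functions carry out the distribution step above on the remote host: they append the public key to ~/.ssh/authorized_keys without duplicating it and set the directory and file to the modes sshd expects (700 and 600). The file paths and the sample key line in the usage are assumptions.

```shell
#!/bin/sh
# Added example, not from the original article.
# install_pubkey <public key file> <home dir of the target account>
# Appends the key to authorized_keys (once) and fixes the permissions.
install_pubkey() {
    pubkey_file=$1                 # e.g. the id_dsa.pub written by ssh-keygen
    ssh_dir="$2/.ssh"
    auth_keys="$ssh_dir/authorized_keys"

    mkdir -p "$ssh_dir"
    chmod 700 "$ssh_dir"           # sshd ignores keys in a group/world-writable dir
    touch "$auth_keys"
    # append only if this exact key line is not already present (idempotent)
    if ! grep -qxF "$(cat "$pubkey_file")" "$auth_keys"; then
        cat "$pubkey_file" >> "$auth_keys"
    fi
    chmod 600 "$auth_keys"         # owner read/write only, as the text requires
}

# check_perms <home dir>: return 0 when .ssh is 700 and authorized_keys is 600
# (find -perm with an octal mode is an exact match, so extra bits fail the check)
check_perms() {
    [ -n "$(find "$1/.ssh" -prune -perm 700)" ] &&
    [ -n "$(find "$1/.ssh/authorized_keys" -prune -perm 600)" ]
}

# usage: constructed sample key; $HOME stands in for the remote account's home
# printf 'ssh-dss AAAAB3NzaC1kc3MAAACBconstructed fdy84@freebsd\n' > /tmp/id_dsa.pub
# install_pubkey /tmp/id_dsa.pub "$HOME" && check_perms "$HOME"
```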
4. Configure SSH
Configuring the server. Starting the SSH server is easy: run
# sshd
and that is all. Alternatively, add to /etc/rc.conf
sshd_enable="YES"
so that the SSH server runs automatically at every boot.
The configuration file used by the SSH server is "/etc/ssh/sshd_config"; both the OpenSSH 1.x and 2.x servers use this file.
Configure the client
To connect to a remote server, the client only needs to enter "# ssh domain-name" (or IP address). For example, to connect to the host at 192.168.0.6 as user fdy84, type
# ssh 192.168.0.6 -l fdy84
As long as the configuration is correct, this connects you to the remote server.
5. SSH connection is performed using SecureCRT under WINDOWS
How do you manage a server remotely over SSH under Windows? Windows has a lot of remote management software; here the use of SSH connections in SecureCRT is introduced (based on version 4.1.1).
Create Public Key...: SecureCRT can also generate a key pair, but SecureCRT only supports keys up to 2048 bits. Click Tools -> Create Public Key..., select the key algorithm and key length, enter the passphrase, and wait while the computer collects enough randomness and generates the key pair. Once the key has been generated, select the Connect button in the upper left corner to open the Connect dialog.
Click the New Session button shown in the red circle to enter the Session Options dialog.
Here we choose an SSH connection, fill in the host name (or IP address) to connect to and the user name, then select public-key authentication and click Properties... to enter the key configuration dialog.
Fill in your private key file at the position shown in the red circle.
Now click the connection you just created to make the SSH connection; after clicking through several dialogs you are connected to the remote server, as shown in the figure.
It is important to note that the key pair generated by SecureCRT and the key generated by OpenSSH differ in format, and each program only understands its own format. To connect to OpenSSH with a SecureCRT key, use ssh-keygen -i to convert SecureCRT's key format into OpenSSH's, or use ssh-keygen -e to convert OpenSSH's key format into the IETF SECSH format that SecureCRT recognizes.
Although SSH also provides password-based login, for security reasons it is recommended not to use that type of login. Given the speed of today's machines, a 4096-bit key is recommended for extra security.
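As an added example (not from the original article), the following POSIX shell functions check the server's sshd_config, the file mentioned in section 4, for the two settings that recommendation implies: PubkeyAuthentication yes and PasswordAuthentication no. The keyword names and their "yes" defaults are OpenSSH's; the config file path is a parameter.

```shell
#!/bin/sh
# Added example, not from the original article. Mirrors how sshd reads the
# file: comment and blank lines are ignored, keywords match case-insensitively,
# the FIRST occurrence of a keyword wins, and lines after a "Match" block header
# apply only to matching connections, so they are not the global value.
# sshd_option <config file> <keyword> <default if absent>
sshd_option() {
    val=$(awk -v key="$2" '
        /^[ \t]*#/ || NF == 0        { next }              # comments, blank lines
        tolower($1) == "match"       { exit }              # rest is conditional
        tolower($1) == tolower(key)  { print $2; exit }    # first match wins
    ' "$1")
    printf '%s\n' "${val:-$3}"
}

# audit_sshd_config <config file>: return 0 when key auth is on and password
# auth is off; otherwise print each deviation and return 1
audit_sshd_config() {
    pubkey=$(sshd_option "$1" PubkeyAuthentication yes)    # OpenSSH default: yes
    passwd=$(sshd_option "$1" PasswordAuthentication yes)  # OpenSSH default: yes
    status=0
    [ "$pubkey" = yes ] || { echo "PubkeyAuthentication is '$pubkey', expected yes"; status=1; }
    [ "$passwd" = no ]  || { echo "PasswordAuthentication is '$passwd', expected no"; status=1; }
    return $status
}

# usage: audit_sshd_config /etc/ssh/sshd_config
```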
The above is a brief introduction to SSH and to some ways of using OpenSSH and SecureCRT. Given my limited knowledge there may be errors in this article; I hope interested readers will point them out and contact me.
1. Foreword
There are a large number of Cisco routers in the IP network of Jiangxi Province. Administrators typically perform daily maintenance of the routers remotely using Telnet. Because network services such as Telnet and FTP transfer passwords and data across the network in clear text, their security cannot be guaranteed: once an administrator's username and password are intercepted by someone with ill intent, the consequences are unimaginable. How to implement secure login to Cisco routers has therefore become a top priority in daily network maintenance. This paper uses the Cisco router's support for SSH to implement secure login to the router. SSH stands for Secure Shell and was developed by a company in Finland. SSH consists of client software and server software, with two incompatible versions, 1.x and 2.x. SSH is powerful: it can replace Telnet, and it also provides a secure "channel" for FTP, POP3 and PPP. With SSH all transmitted data can be encrypted, so even if someone intercepts the data they cannot get useful information from it. At the same time the data is compressed, which greatly speeds up transmission.
This article describes in detail how to configure secure login with SSH on a Cisco router. The method is simple, easy and secure, and suitable for wider adoption in network maintenance work.
2. Configuring the SSH service on the Cisco router
In the Cisco router product line, SSH is supported only on the 7200 series, 7500 series and 12000 series (GSR) and similar. IOS versions that support SSH generally have K3 or K4 in the file name: K3 denotes 56-bit SSH encryption and K4 denotes 168-bit SSH encryption. For example, the IOS on the 12016 and 12008 routers in our province is a version that supports 56-bit SSH encryption. At present Cisco products only support SSH-1; SSH-2 is not supported. The following describes the configuration in detail using the GSR 12008 as an example (the commands typed are shown after the prompt):
1 Configure the hostname and ip domain-name:
Router# configure terminal
Router(config)# hostname TEST-GSR12008
TEST-GSR12008(config)# ip domain-name jx.cn.net
2 Configure the login username and password (using local authentication as an example):
TEST-GSR12008(config)# username test password 0 test
Note: this adds a user "test" with password "test".
TEST-GSR12008(config)# line vty 0 4
TEST-GSR12008(config-line)# login local
After these two steps, the show run command displays:
hostname TEST-GSR12008
boot system flash gsr-k3p-mz.120-14.S.bin
enable secret 5 $1$DMyW$gdSIOkCr7p8ytwcRwtnJG
enable password 7 094F47C31A0A
!
username test password 7 0835495D1D
clock timezone PRC 16
redundancy
 main-cpu
  auto-sync startup-config
!
!
!
!
ip subnet-zero
no ip finger
ip domain-name jx.cn.net
ip name-server 202.101.224.68
ip name-server 202.101.226.68
!
Note: a "password 7" entry is only obfuscated, not hashed, so the running configuration must itself be protected.
3 Configure the SSH service:
TEST-GSR12008(config)# crypto key generate rsa
The name for the keys will be: test-gsr12008.jx.cn.net
Note: the SSH key name is hostname.ip domain-name.
Choose the size of the key modulus in the range of 360 to 2048 for your General Purpose Keys. Choosing a key modulus greater than 512 may take a few minutes.
How many bits in the modulus [512]:
Note: choose the number of bits for the key; the default is used here.
Generating RSA keys ... [OK]
TEST-GSR12008(config)# end
TEST-GSR12008# write
Building configuration...
Now show run displays:
ip subnet-zero
no ip finger
ip domain-name jx.cn.net
ip name-server 202.101.224.68
ip name-server 202.101.226.68
ip ssh time-out 120
ip ssh authentication-retries 3
!
and show ip ssh reports:
SSH Enabled - version 1.5
Authentication timeout: 120 secs; Authentication retries: 3
The SSH service is now started. If you need to stop the SSH service, use the following command:
TEST-GSR12008(config)# crypto key zeroize rsa
4 Set the SSH parameters
After SSH is configured, show run shows its default parameters: the timeout is limited to 120 seconds and the number of authentication retries is 3. They can be changed with the following command:
TEST-GSR12008(config)# ip ssh {[time-out seconds] | [authentication-retries integer]}
To change the timeout limit to 180 seconds, use:
TEST-GSR12008(config)# ip ssh time-out 180
To change the number of retries to 5, use:
TEST-GSR12008(config)# ip ssh authentication-retries 5
SSH has now been configured successfully on the router, and secure login over SSH can be performed.
3. SSH secure login client settings
The Telnet client that comes with Windows and NetTerm do not support SSH. To log in to the remote router with SSH you must use specific client software. One client that currently supports SSH is SecureCRT, which can be downloaded from its vendor's homepage http://www.vandyke.com. Below, SecureCRT 3.3 is used as the example for the SSH client configuration:
The login interface is shown below:
Hostname can be an IP address or a domain name that DNS can resolve; for the encryption method, Cipher, select DES (Data Encryption Standard).
Then press OK; a prompt for user test's password appears, as shown in the figure:
After entering the password you enter the same interface as with Telnet, as shown in the figure:
At this point you can work just as you would over Telnet, but without worrying that the password or data is intercepted. The Cisco router also provides its own SSH client, for logging in from one router to another; its usage is similar, and the command is ssh [-c] [-l] [-p] hostname-or-ip.
-c selects the encryption algorithm, DES or 3DES; -l is followed by the login username; -p selects the SSH service port, which defaults to 22.
Implementing secure login with SSH also applies to the 7200 and 7500 series routers, whose configuration is the same as the GSR 12008. SSH also applies to the Catalyst 6000/6500, 5000 and 4000 series switches, whose configuration differs slightly from the 12008 and is not described in detail here.