First, a few concepts (several of the definitions below are quoted verbatim from the ssh.com documentation linked under each one)

SSH protocol

The SSH protocol (Secure Shell) is a method for secure remote login from one computer to another. It provides several alternative options for strong authentication, and it protects the communications security and integrity with strong encryption. It is a secure alternative to the non-protected login protocols (such as telnet, rlogin) and insecure file transfer methods (such as FTP).

Be sure to read the official documentation: https://www.ssh.com/ssh/protocol/

user authentication: proving the user's identity to the server (authentication, not authorization: it establishes who you are, not what you may do)

host authentication: proving the server's identity to the client, so that the client knows it is talking to the real host and not to a man-in-the-middle

Host keys:

A host key is a cryptographic key used for authenticating computers in the SSH protocol.

Host keys are key pairs, typically using the RSA, DSA, or ECDSA algorithms. Public host keys are stored on and/or distributed to SSH clients, and private keys are stored on SSH servers. (Current OpenSSH releases also generate an Ed25519 host key by default, and DSA host keys are deprecated and disabled by default.)

  1. Host Keys Should Be Unique

    Each host (i.e., computer) should have a unique host key.

  2. Host keys are normally generated automatically when OpenSSH is first installed or when the computer is first booted.

  3. In OpenSSH (server side), host keys are usually stored in the /etc/ssh directory, as /etc/ssh/ssh_host_<algorithm>_key (private, readable only by root) together with the matching .pub file.

On the client side, the known_hosts file:

SSH clients store host keys for hosts they have ever connected to. These stored host keys are called known host keys, and the collection is often called known hosts. In OpenSSH, the collection of known host keys is stored in /etc/ssh/ssh_known_hosts (system-wide) and in .ssh/known_hosts in each user's home directory. On first contact the client has no stored key and asks the user to confirm the fingerprint (trust on first use); on later connections a key that differs from the stored one aborts the connection with a "REMOTE HOST IDENTIFICATION HAS CHANGED" warning, which is either a re-keyed host or a man-in-the-middle.

Read the official documentation: https://www.ssh.com/ssh/host-key
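The check a client performs against known_hosts, as an added example that is not part of the original page or of OpenSSH: it builds a public key blob in the SSH wire format, computes the SHA256 fingerprint that `ssh-keygen -lf` and `ssh` print, matches plain and hashed (`HashKnownHosts yes`) host fields, and classifies the key a server presents as known, unknown (first contact), mismatching (the "REMOTE HOST IDENTIFICATION HAS CHANGED" case) or revoked. The host names, the 32-byte key bytes and the salt are constructed placeholders, not real keys.

```python
import base64
import hashlib
import hmac
import struct


def ssh_string(b: bytes) -> bytes:
    """SSH 'string' wire type (RFC 4251): uint32 big-endian length, then the bytes."""
    return struct.pack(">I", len(b)) + b


def read_string(buf: bytes, off: int = 0):
    (n,) = struct.unpack_from(">I", buf, off)
    return buf[off + 4:off + 4 + n], off + 4 + n


def ed25519_blob(pub32: bytes) -> bytes:
    """Public key blob as it appears (base64-encoded) in known_hosts and authorized_keys."""
    return ssh_string(b"ssh-ed25519") + ssh_string(pub32)


def key_type(blob: bytes) -> str:
    return read_string(blob)[0].decode()


def fingerprint_sha256(blob: bytes) -> str:
    """Same text as `ssh-keygen -lf`: base64(SHA-256(blob)) with the '=' padding removed."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def hash_hostname(host: str, salt: bytes) -> str:
    """Hashed host field written by HashKnownHosts: |1|b64(salt)|b64(HMAC-SHA1(salt, host))."""
    mac = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(), base64.b64encode(mac).decode())


def host_matches(hosts_field: str, host: str) -> bool:
    """Match one host name against a plain, comma-separated, or hashed host field."""
    if hosts_field.startswith("|1|"):
        _, _, salt_b64, mac_b64 = hosts_field.split("|")
        salt, expected = base64.b64decode(salt_b64), base64.b64decode(mac_b64)
        actual = hmac.new(salt, host.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(actual, expected)
    return host in hosts_field.split(",")


def parse_known_hosts(text: str):
    """Yield (marker, hosts_field, key_type, blob); markers are @revoked / @cert-authority."""
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0].startswith("#"):
            continue
        marker = parts.pop(0) if parts[0].startswith("@") else None
        yield marker, parts[0], parts[1], base64.b64decode(parts[2])


def check_host_key(known_hosts: str, host: str, presented: bytes) -> str:
    """'ok', 'revoked', 'mismatch' (host known with a different key: possible MITM
    or a legitimately re-keyed host), or 'unknown' (first contact, trust-on-first-use)."""
    status = "unknown"
    for marker, hosts, _ktype, blob in parse_known_hosts(known_hosts):
        if not host_matches(hosts, host):
            continue
        if status == "unknown":
            status = "mismatch"
        if blob == presented:
            if marker == "@revoked":
                return "revoked"
            status = "ok"
    return status


# Constructed sample data: the key bytes are placeholders, not real server keys.
GOOD_BLOB = ed25519_blob(bytes(range(32)))
REVOKED_BLOB = ed25519_blob(bytes([0xFF] * 32))
SALT = b"salt-for-the-sample!"  # OpenSSH uses 20 random bytes per hashed entry
KNOWN_HOSTS = "\n".join([
    "# constructed known_hosts, not a real file",
    "git.example.com,203.0.113.10 ssh-ed25519 " + base64.b64encode(GOOD_BLOB).decode(),
    hash_hostname("hashed.example.com", SALT) + " ssh-ed25519 " + base64.b64encode(GOOD_BLOB).decode(),
    "@revoked git.example.com ssh-ed25519 " + base64.b64encode(REVOKED_BLOB).decode(),
])

if __name__ == "__main__":
    print(key_type(GOOD_BLOB), fingerprint_sha256(GOOD_BLOB))
    for h in ("git.example.com", "hashed.example.com", "other.example.com"):
        print(h, check_host_key(KNOWN_HOSTS, h, GOOD_BLOB))
    print("git.example.com (revoked key)", check_host_key(KNOWN_HOSTS, "git.example.com", REVOKED_BLOB))
```

The "mismatch" result is the one to treat seriously: `StrictHostKeyChecking no` or blindly deleting the offending known_hosts line turns host authentication off for that connection. Compare the new fingerprint out of band (console, configuration management, or `ssh-keygen -lf` on the server's /etc/ssh/ssh_host_*_key.pub) before accepting it.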

private key (in SSH terminology also called the identity key; it stays on the client and is never sent to the server)

public key (in SSH terminology also called the authorized key, because it is what gets written into the server's ~/.ssh/authorized_keys file)

User keys: the collective term for identity keys and authorized keys; they are used for user authentication.

On public and private keys, see the official explanation:

https://www.ssh.com/ssh/public-key-authentication

For the key generation tool, see:

https://www.ssh.com/ssh/keygen/

SSH key: the general term for an SSH authentication credential.

Session key

a session key is a cryptographic key that is used for encrypting the bulk of transmitted data and ensuring integrity of the data.

  1. The session key is the key of a symmetric cipher (for example AES or ChaCha20). It is agreed with a key-exchange algorithm such as Diffie-Hellman (the key exchange is not itself a symmetric cipher), and a fresh key is negotiated for every session, so compromising one session's key does not expose other sessions.

  2. To defeat man-in-the-middle attacks the key exchange itself must be authenticated: the server signs the exchange hash with its host private key, and the client verifies that signature with the host public key it holds in known_hosts. Once the session keys are in place, the integrity of each packet is protected by a MAC keyed from the session key (or by an AEAD cipher), not by public-key signatures.

See: https://www.ssh.com/ssh/session-key

Passphrase:

The password used to encrypt the private key. If a private key is stolen, it can be used to log in to every system that trusts the matching public key.

When generating a private key you can set a passphrase (a password-like string); the private key file is then stored encrypted, and the passphrase must be entered to decrypt it before the key can be used. Even if the file leaks, an attacker who does not know the passphrase cannot recover the actual key (they can only try to guess it offline, so a weak passphrase buys little). In practice you rarely type it more than once per login session: ssh-agent holds the decrypted key in memory, and on macOS the passphrase can also be stored in the Keychain. Note that if you forget the passphrase, the key cannot be decrypted anywhere and there is no way to recover it; generate a new key pair and replace the old public key on every server.

Original text:

The purpose of the passphrase is usually to encrypt the private key. This makes the key file by itself useless to an attacker. It is not uncommon for files to leak from backups or decommissioned hardware, and hackers commonly exfiltrate files from compromised systems.

To use an encrypted key, the passphrase is also needed. In a way, they are two separate factors of authentication.

With SSH keys, if someone gains access to your computer, they also gain access to every system that uses that key. To add an extra layer of security, you can add a passphrase to your SSH key. You can use ssh-agent to securely save your passphrase so you don't have to reenter it.

References:

https://help.github.com/articles/working-with-ssh-key-passphrases/

https://www.ssh.com/ssh/passphrase

ssh-agent:

The ssh-agent is a helper program that keeps track of user's identity keys and their passphrases. The agent can then use the keys to log into other servers without having the user type in a password or passphrase again. This implements a form of single sign-on (SSO).

The SSH agent is used for SSH public key authentication. It uses SSH keys for authentication. Users can create SSH keys using the ssh-keygen command and install them on servers using the ssh-copy-id command.

On most Linux systems, ssh-agent is automatically configured and run at login.

By default, the agent uses SSH keys stored in the .ssh directory under the user's home directory. The ssh-add command is used for adding identities to the agent. In the simplest form, just run it without arguments to add the default files ~/.ssh/id_rsa, ~/.ssh/id_dsa, and ~/.ssh/identity (current OpenSSH versions also try ~/.ssh/id_ecdsa and ~/.ssh/id_ed25519). Otherwise, give it the name of the private key file to add as an argument.

The following command will list the private keys currently accessible to the agent (it prints their fingerprints; `ssh-add -L` prints the full public keys instead):

ssh-add -l

See also:

https://www.ssh.com/ssh/agent

https://help.github.com/articles/generating-a-new-ssh-key-and-adding-it-to-the-ssh-agent/
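What `ssh-add -l` does on the wire, as an added example that is not part of the original page or of OpenSSH: it frames an SSH_AGENTC_REQUEST_IDENTITIES message, parses the SSH_AGENT_IDENTITIES_ANSWER (a list of public key blobs and comments) into the type, fingerprint and comment the command prints, and can talk to a running agent over $SSH_AUTH_SOCK. The sample answer and its key bytes are constructed placeholders.

```python
import base64
import hashlib
import os
import socket
import struct

# Message numbers from the OpenSSH agent protocol (draft-miller-ssh-agent).
SSH_AGENT_FAILURE = 5
SSH_AGENTC_REQUEST_IDENTITIES = 11
SSH_AGENT_IDENTITIES_ANSWER = 12


def ssh_string(b: bytes) -> bytes:
    return struct.pack(">I", len(b)) + b


def read_string(buf: bytes, off: int = 0):
    (n,) = struct.unpack_from(">I", buf, off)
    return buf[off + 4:off + 4 + n], off + 4 + n


def frame(payload: bytes) -> bytes:
    """Every agent message is a uint32 length followed by the payload."""
    return struct.pack(">I", len(payload)) + payload


def build_request_identities() -> bytes:
    return frame(bytes([SSH_AGENTC_REQUEST_IDENTITIES]))


def build_identities_answer(keys) -> bytes:
    """What an agent replies: type byte, uint32 count, then (key blob, comment) pairs."""
    body = bytes([SSH_AGENT_IDENTITIES_ANSWER]) + struct.pack(">I", len(keys))
    for blob, comment in keys:
        body += ssh_string(blob) + ssh_string(comment.encode())
    return frame(body)


def fingerprint_sha256(blob: bytes) -> str:
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")


def parse_identities_answer(msg: bytes):
    """Return [(key_type, fingerprint, comment), ...], the columns `ssh-add -l` shows."""
    (length,) = struct.unpack_from(">I", msg, 0)
    payload = msg[4:4 + length]
    if not payload or payload[0] != SSH_AGENT_IDENTITIES_ANSWER:
        raise ValueError("agent refused the request or sent an unexpected message type")
    (count,) = struct.unpack_from(">I", payload, 1)
    off, keys = 5, []
    for _ in range(count):
        blob, off = read_string(payload, off)
        comment, off = read_string(payload, off)
        ktype, _ = read_string(blob)
        keys.append((ktype.decode(), fingerprint_sha256(blob), comment.decode()))
    return keys


def list_agent_keys():
    """Query the real agent over $SSH_AUTH_SOCK (Unix sockets only); [] if no agent."""
    path = os.environ.get("SSH_AUTH_SOCK")
    if not path or not hasattr(socket, "AF_UNIX"):
        return []
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.connect(path)
        s.sendall(build_request_identities())
        header = s.recv(4)
        (length,) = struct.unpack(">I", header)
        body = b""
        while len(body) < length:
            chunk = s.recv(length - len(body))
            if not chunk:
                raise ConnectionError("agent closed the socket mid-message")
            body += chunk
    return parse_identities_answer(header + body)


# Constructed sample answer with two keys; the key bytes are placeholders, not real keys.
SAMPLE_ANSWER = build_identities_answer([
    (ssh_string(b"ssh-ed25519") + ssh_string(bytes(32)), "alice@laptop"),
    (ssh_string(b"ssh-rsa") + ssh_string(b"\x01\x00\x01") + ssh_string(b"\x00" + bytes(256)), "deploy key"),
])

if __name__ == "__main__":
    for ktype, fp, comment in parse_identities_answer(SAMPLE_ANSWER):
        print(fp, comment, "(%s)" % ktype)
    print("live agent:", list_agent_keys())
```

The agent never hands out private keys; it answers sign requests with them. That is what makes the socket sensitive: root on the machine, or the remote host when agent forwarding (`ForwardAgent yes` / `ssh -A`) is enabled, can authenticate as you with every loaded key for as long as the connection is open, so forward the agent only to hosts you trust as much as your own workstation.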

SSH connection workflow

Initializing a connection in SSH consists of:

  • Negotiating the version of the protocol to use

  • Negotiating cryptographic algorithms and other options to use

  • Negotiating a one-time session key for encrypting the rest of the session

  • Authenticating the server host using its host key

  • Authenticating the user using a password, public key authentication, or other means.

After this, data can be exchanged, including terminal data, graphics, and files.
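The key-exchange and key-derivation steps of the workflow above (and the session-key section earlier), as an added example that is not part of the original page or of any SSH implementation: a finite-field Diffie-Hellman exchange, the exchange hash H of RFC 4253 section 8, and the six session keys derived from K and H per section 7.2. It also simulates an active attacker who substitutes both public values, to show why the server's signature over H, verified by the client against the host key in known_hosts, is what stops a man-in-the-middle. Assumptions: the 1024-bit RFC 2409 group 2 prime (the legacy SSH "group1", far too small for real use and used here only to keep the arithmetic plain integers) and placeholder version strings, KEXINIT payloads and host key blob.

```python
import hashlib
import secrets
import struct

# 1024-bit MODP prime, RFC 2409 group 2 ("diffie-hellman-group1-sha1" in SSH). Illustration only.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF", 16)
G = 2


def ssh_string(b: bytes) -> bytes:
    return struct.pack(">I", len(b)) + b


def mpint(n: int) -> bytes:
    """SSH 'mpint': two's-complement big-endian with a leading 0x00 if the top bit is set."""
    if n == 0:
        return struct.pack(">I", 0)
    return ssh_string(n.to_bytes((n.bit_length() + 8) // 8, "big"))


# Constructed transcript values. In a real session these are the version strings, the raw
# KEXINIT payloads and the server host key blob actually sent on the wire.
V_C = b"SSH-2.0-example-client"
V_S = b"SSH-2.0-example-server"
I_C = b"<client KEXINIT payload>"
I_S = b"<server KEXINIT payload>"
K_S = b"<server host public key blob>"


def exchange_hash(e: int, f: int, k: int) -> bytes:
    """H = HASH(V_C || V_S || I_C || I_S || K_S || e || f || K), RFC 4253 section 8."""
    data = (ssh_string(V_C) + ssh_string(V_S) + ssh_string(I_C) + ssh_string(I_S)
            + ssh_string(K_S) + mpint(e) + mpint(f) + mpint(k))
    return hashlib.sha1(data).digest()  # group1 uses SHA-1; newer kex methods use SHA-256/512


def derive_key(k: int, h: bytes, letter: bytes, session_id: bytes, length: int) -> bytes:
    """RFC 4253 section 7.2: K1 = HASH(K || H || letter || session_id),
    Kn = HASH(K || H || K1 || ... || Kn-1) until enough bytes are produced."""
    out = hashlib.sha1(mpint(k) + h + letter + session_id).digest()
    while len(out) < length:
        out += hashlib.sha1(mpint(k) + h + out).digest()
    return out[:length]


LETTERS = {"iv_c2s": b"A", "iv_s2c": b"B", "enc_c2s": b"C",
           "enc_s2c": b"D", "mac_c2s": b"E", "mac_s2c": b"F"}


def session_keys(k: int, h: bytes, session_id: bytes, length: int = 32) -> dict:
    """Six independent keys from one shared secret; each direction has its own IV, cipher and MAC key."""
    return {name: derive_key(k, h, letter, session_id, length) for name, letter in LETTERS.items()}


def run_kex(attacker_z: int = None) -> dict:
    """One DH exchange. With attacker_z set, a man-in-the-middle replaces both public
    values with g^z, so each side actually shares a secret with the attacker."""
    x = secrets.randbelow(P - 2) + 1  # client secret exponent
    y = secrets.randbelow(P - 2) + 1  # server secret exponent
    e = pow(G, x, P)                  # KEXDH_INIT: client -> server
    f = pow(G, y, P)                  # KEXDH_REPLY: server -> client (with K_S and sig(H))
    if attacker_z is not None:
        e_seen_by_server = f_seen_by_client = pow(G, attacker_z, P)
    else:
        e_seen_by_server, f_seen_by_client = e, f
    k_client = pow(f_seen_by_client, x, P)
    k_server = pow(e_seen_by_server, y, P)
    h_client = exchange_hash(e, f_seen_by_client, k_client)
    h_server = exchange_hash(e_seen_by_server, f, k_server)
    # The server signs h_server with its host private key. The client verifies that
    # signature over h_client with the host public key from known_hosts; a MITM makes
    # the two hashes differ, so the check fails unless the attacker also holds the host key.
    return {
        "client": session_keys(k_client, h_client, h_client),  # session_id = H of the first kex
        "server": session_keys(k_server, h_server, h_server),
        "hash_matches": h_client == h_server,
    }


if __name__ == "__main__":
    honest = run_kex()
    print("honest exchange, keys agree:", honest["client"] == honest["server"])
    print("enc_c2s:", honest["client"]["enc_c2s"].hex())
    print("MITM exchange, exchange hashes agree:", run_kex(attacker_z=123456789)["hash_matches"])
```

Two properties worth noticing in the output: the client-to-server and server-to-client keys differ even though both come from the same K, and running the exchange again yields entirely different keys, which is what the "one-time session key" step of the workflow means.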
