SSH workflow and principle
2022-06-27 12:28:00 【I was naughty when I was a child】
SSH (Secure Shell Protocol) encrypts packets before they are sent over the network. The SSH protocol itself provides two server functions: one is a remote-login shell service similar to telnet; the other is sftp-server, an ftp-like service that provides safer file transfer.
1. Introduction to connection encryption technology
Network packet encryption today is commonly handled with an "asymmetric key system": encryption and decryption are performed with two different keys, a public key and a private key.
Public key (public key): used by others to encrypt data sent to you; anyone can obtain your public key and use it to encrypt data.
Private key (private key): after a remote host has encrypted data with your public key, only the private key can decrypt it on the local side. The private key is held by you alone.
SSH working process: to establish a secure SSH connection, the server and client go through the following five stages:
| Stage | Description |
| --- | --- |
| Version number negotiation | SSH currently has two versions, SSH1 and SSH2; both parties determine the version to use through version negotiation |
| Key and algorithm negotiation | SSH supports many encryption algorithms; the final algorithms are negotiated from those supported by both ends |
| Authentication | The client sends an authentication request to the server, and the server authenticates the client |
| Session request | After authentication, the client sends a session request to the server |
| Interactive session | After the session request is accepted, the server and client exchange data |
I. Version negotiation stage
1. The server opens port 22 and waits for client connections.
2. The client initiates a TCP connection request. After the TCP connection is established, the server sends the first message to the client, which contains a version identification string in the format "SSH-<major protocol version>.<minor protocol version>.<software version>". The protocol version consists of a major and a minor version number; the software version is mainly used for debugging.
3. After receiving the message, the client parses it. If the server's protocol version is lower than its own and the client supports that lower version, the client uses the server's lower version; otherwise it uses its own protocol version.
4. The client replies with a message containing the protocol version it has decided to use. The server compares the version number sent by the client and decides whether it can work with this client. If negotiation succeeds, both sides enter the key and algorithm negotiation stage; otherwise the server closes the TCP connection.
Note: all of the above messages are transmitted in clear text.
II. Key and algorithm negotiation phase
1. The server and the client each send an algorithm negotiation message to the peer, containing the lists of public key algorithms, encryption algorithms, MAC (Message Authentication Code) algorithms and compression algorithms that they support.
2. From the lists supported by itself and by the peer, each side determines the final algorithms.
3. Using the DH (Diffie-Hellman) exchange algorithm, the host key and other parameters, the server and the client generate the session key and the session ID.
At this point the server and the client hold the same session key and session ID. In all subsequent data transmission both sides use the session key for encryption and decryption, which protects the data in transit; in the authentication stage both sides use the session ID during the authentication process.
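As an added illustration of steps 1 to 3 above (not code from the original post), the following Python applies the SSH-2 name-list rule to each algorithm category and then runs a Diffie-Hellman exchange from both sides to show that they end up with the same session key and session ID. The DH group, the name-lists and the simplified session-ID derivation are constructed assumptions; real SSH uses large standard groups and hashes many more exchange fields.

```python
import hashlib
import secrets

# Constructed toy DH group for illustration only (a 64-bit prime is far too small;
# SSH uses RFC-defined 2048-bit+ groups or curve25519).
TOY_P = 0xFFFFFFFFFFFFFFC5
TOY_G = 2

def negotiate(client_prefs, server_prefs):
    """SSH-2 name-list rule for one algorithm category: the first algorithm in
    the client's preference list that the server also supports."""
    for alg in client_prefs:
        if alg in server_prefs:
            return alg
    raise ValueError("no common algorithm; the connection must be dropped")

def dh_keypair(p=TOY_P, g=TOY_G):
    priv = secrets.randbelow(p - 2) + 1        # secret exponent in [1, p-2]
    return priv, pow(g, priv, p)               # (secret, public value g^priv mod p)

def derive_session(c_ver, s_ver, kex, e, f, k):
    """Simplified stand-in for the SSH-2 exchange hash (assumption: real SSH hashes
    more fields and derives several keys): hash the public values plus the shared
    secret K to get the session ID, then derive the session key from it."""
    h = hashlib.sha256(f"{c_ver}|{s_ver}|{kex}|{e}|{f}|{k}".encode()).digest()
    return h, hashlib.sha256(h + b"session-key").digest()

def run_exchange(client_algs, server_algs, c_ver="SSH-2.0-client", s_ver="SSH-2.0-server"):
    """Negotiate every category, then run the DH exchange from both sides and
    check that they arrive at the same session ID and session key."""
    chosen = {cat: negotiate(client_algs[cat], server_algs[cat]) for cat in client_algs}
    x, e = dh_keypair()                        # client: e = g^x mod p, sent to server
    y, f = dh_keypair()                        # server: f = g^y mod p, sent to client
    client_k = pow(f, x, TOY_P)                # client computes K = f^x mod p
    server_k = pow(e, y, TOY_P)                # server computes K = e^y mod p
    c_id, c_key = derive_session(c_ver, s_ver, chosen["kex"], e, f, client_k)
    s_id, s_key = derive_session(c_ver, s_ver, chosen["kex"], e, f, server_k)
    chosen["agree"] = (c_id == s_id) and (c_key == s_key)
    chosen["session_id"] = c_id.hex()
    return chosen

# Constructed name-lists: real algorithm names, sample preference orders.
CLIENT_ALGS = {"kex": ["curve25519-sha256", "diffie-hellman-group14-sha256"],
               "cipher": ["chacha20-poly1305@openssh.com", "aes256-ctr", "aes128-ctr"],
               "mac": ["hmac-sha2-256", "hmac-sha1"]}
SERVER_ALGS = {"kex": ["diffie-hellman-group14-sha256", "diffie-hellman-group1-sha1"],
               "cipher": ["aes128-ctr", "aes256-ctr"],
               "mac": ["hmac-sha1", "hmac-sha2-256"]}
```

Calling `run_exchange(CLIENT_ALGS, SERVER_ALGS)` picks the client's first mutually supported entry in each category and reports whether both sides agree on the session values.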
Generation of the session key:
1. The client uses a suitable client program to request a connection to the server, and the server sends its public key to the client. (Server public key generation: each time the sshd service starts, it looks for the /etc/ssh/ssh_host* files. On a freshly installed system these public key files do not yet exist, so sshd generates the required public key files itself, and at the same time generates the private key files the server needs.)
2. The server generates the session ID and sends it to the client.
3. If this is the client's first connection to this server, the server's public key is recorded in ~/.ssh/known_hosts in the user's home directory on the client. If the server's public key has already been recorded, the client compares the received key with the stored record. The client then generates the session key, encrypts it with the server's public key and sends it to the server.
4. The server decrypts the received data with its own private key and obtains the session key.
5. Both the server and the client now know the session key, and all subsequent transmissions are encrypted with it.
III. Authentication phase
SSH provides two authentication methods:
1. Password-based authentication (password authentication): the client sends a password authentication request to the server, with the user name and password encrypted. The server decrypts the message, obtains the plaintext user name and password, compares them with the user name and password stored on the device, and returns an authentication success or failure message.
2. Key-based authentication (publickey authentication): the client generates a key pair and saves the public key in the .ssh/authorized_keys file under the home directory of the account to be logged into on the server. During authentication, the client first sends its public key to the server. The server compares it with the public keys in authorized_keys under that account's directory; if none matches, authentication fails. Otherwise the server generates a random string, encrypts it with the client's public key and the session key, and sends it to the client. The client decrypts the random string and sends it back to the server together with the session key. If the returned string is the same as the one generated on the server, authentication passes; otherwise it fails.
Note: if the server's authentication of the client fails, it sends an authentication failure message to the client containing a list of methods that may be retried. The client selects one method from that list and authenticates again, and this process repeats until authentication succeeds or the number of attempts reaches the upper limit, at which point the server closes the connection.
Example
```
[[email protected] ~]# ssh-keygen -t rsa    # optional key types: dsa/ecdsa/ed25519/rsa/rsa1
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):    # default storage path, just press Enter
Enter passphrase (empty for no passphrase):    # no passphrase, just press Enter
Enter same passphrase again:    # just press Enter
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:IKIZhQjwslma218g/E7u3OQPjogvvZtmsfoZcRtDkXQ [email protected]
The key's randomart image is:
+---[RSA 2048]----+
|*...o.E          |
|oo .o            |
|o + o .          |
| % o . .         |
|B + = S          |
| o.= =           |
|..oo+ +          |
|..=@ B .         |
|oBO+B +..        |
+----[SHA256]-----+
```
Switch to the key directory with cd /root/.ssh/:
```
[[email protected] .ssh]# pwd
/root/.ssh
[[email protected] .ssh]# ls -l
total 12
-rw-------. 1 root root 1811 Jan 10 22:38 id_rsa
-rw-r--r--. 1 root root  391 Jan 10 22:38 id_rsa.pub
-rw-r--r--. 1 root root  177 Jan 10 22:15 known_hosts
```
id_rsa: the client's private key
id_rsa.pub: the client's public key
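As an added example (not code from the original post) tying together the SHA256 fingerprint shown by ssh-keygen above and the known_hosts check in step 3 of the session-key procedure, the following Python builds an ssh-rsa public key blob in the wire format used by id_rsa.pub, authorized_keys and known_hosts, computes the fingerprint the same way ssh-keygen -l does, and classifies a presented host key as new, matching or changed. The key material, host address and file contents are constructed samples.

```python
import base64
import hashlib
import struct

def ssh_string(b: bytes) -> bytes:
    return struct.pack(">I", len(b)) + b      # SSH wire 'string': 4-byte length + bytes

def ssh_mpint(n: int) -> bytes:
    # SSH 'mpint' is two's-complement big-endian: when the top bit is set a
    # leading 0x00 is needed, which (bit_length + 8) // 8 bytes provides.
    return ssh_string(n.to_bytes((n.bit_length() + 8) // 8, "big"))

def build_rsa_blob(e: int, n: int) -> bytes:
    """The blob that is base64-encoded in id_rsa.pub, authorized_keys and known_hosts."""
    return ssh_string(b"ssh-rsa") + ssh_mpint(e) + ssh_mpint(n)

def parse_blob(blob: bytes):
    """Split a blob into its length-prefixed fields: (key type, [e, n, ...])."""
    fields, pos = [], 0
    while pos < len(blob):
        (ln,) = struct.unpack(">I", blob[pos:pos + 4])
        fields.append(blob[pos + 4:pos + 4 + ln])
        pos += 4 + ln
    return fields[0].decode(), [int.from_bytes(x, "big") for x in fields[1:]]

def fingerprint(pub_line: str) -> str:
    """SHA256 fingerprint as ssh-keygen prints it: SHA256 over the raw blob,
    base64-encoded with the '=' padding stripped."""
    key_type, b64 = pub_line.split()[:2]
    blob = base64.b64decode(b64)
    if parse_blob(blob)[0] != key_type:
        raise ValueError("key type on the line does not match the blob")
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")

def host_key_status(known_hosts: str, host: str, presented_line: str) -> str:
    """Client-side check from step 3: 'new' if the host has no record, 'match' if
    the stored key equals the presented one, 'CHANGED' if it differs (refuse)."""
    presented = presented_line.split()[:2]
    for line in known_hosts.splitlines():
        parts = line.split()
        if len(parts) >= 3 and host in parts[0].split(","):
            return "match" if parts[1:3] == presented else "CHANGED"
    return "new"

# Constructed sample key (e = 65537, made-up 128-bit modulus; NOT a real RSA key)
# and a constructed known_hosts file recording it for one TEST-NET address.
SAMPLE_N = 0xE1DC9A7F3B5C2D41A8F6E3B2C4D5A69F
SAMPLE_PUB = "ssh-rsa " + base64.b64encode(build_rsa_blob(65537, SAMPLE_N)).decode() + " root@client"
KNOWN_HOSTS = "192.0.2.10 " + " ".join(SAMPLE_PUB.split()[:2]) + "\n"
```

`fingerprint(SAMPLE_PUB)` returns a 43-character SHA256 value in the same form as the fingerprint in the ssh-keygen output above; a "CHANGED" result from `host_key_status` is the case where the client must stop and verify the host key out of band rather than proceed.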