关于SSH协议最完整的讲解
2014年11月16日

首先了解几个概念

SSH protocol(SSH协议)

    The SSH protocol (Secure Shell) is a method for secure remote login from one computer to another. It provides several alternative options for strong authentication, and it protects the communications security and integrity with strong encryption. It is a secure alternative to the non-protected login protocols (such as telnet, rlogin) and insecure file transfer methods (such as FTP).

   务必阅读官方文档:https://www.ssh.com/ssh/protocol/


user authentication:用户授权

host authentication:主机授权


Host keys:

    A host key is a cryptographic key used for authenticating computers in the SSH protocol.

    Host keys are key pairs, typically using the RSA, DSA, or ECDSA algorithms. Public host keys are stored on and/or distributed to SSH clients, and private keys are stored on SSH servers.

  1. Host Keys Should Be Unique

    Each host (i.e., computer) should have a unique host key.

  2. Host keys are normally generated automatically when OpenSSH is first installed or when the computer is first booted.

  3. In OpenSSH(Server端), host keys are usually stored in the /etc/ssh directory.

客户端存放known_hosts文件:

    SSH clients store host keys for hosts they have ever connected to. These stored host keys are called known host keys, and the collection is often called known hosts. In OpenSSH, the collection of known host keys is stored in /etc/ssh/known_hosts and in .ssh/known_hosts in each user's home directory.

阅读官方文档:https://www.ssh.com/ssh/host-key


private key(在SSH里面又叫 identity key

public key(在SSH里面又叫 authorized key

User keys:identity key和authorized key的统称,用于用户授权。

关于 public key和 private key 参见官方说明:

https://www.ssh.com/ssh/public-key-authentication

key生成工具说明参见:

https://www.ssh.com/ssh/keygen/


SSH key:SSH授权凭证(authentication credential)的统称。

Session key

    a session key is a cryptographic key that is used for encrypting the bulk of transmitted data and ensuring integrity of the data.

  1. Session key为对称加密算法(例如Diffie-Hellman)的key,每次建立的session的key都不一样;

  2. 为了防止中间人攻击,数据不但要加密,还得签名,签名和验签一般用private key和public key。

    参见:https://www.ssh.com/ssh/session-key


Passphrase:

   用来加密private key的密码。假设private key被盗,那么它可以被用来登录所有与之匹配的系统。

   在生成 private key时,可以设置一个 passphrase(类似于密码)的字符串,然后 这个private key相当于被加密了,使用这个private key时就需要输入密码解密后才能正常使用。这样即使private key泄露,别人也无法解密真正的key。很多时候这个passphrase可以保存在本地(例如ssh agent中),这样就相当于记住了密码,在本地使用这个private key就不用再次输入密码了。(注意,如果忘了passphrase,则该private key就无法在其他电脑上使用了,而且无法找回)

原文:

    The purpose of the passphrase is usually to encrypt the private key. This makes the key file by itself useless to an attacker. It is not uncommon for files to leak from backups or decommissioned hardware, and hackers commonly exfiltrate files from compromised systems.

    To use an encrypted key, the passphrase is also needed. In a way, they are two separate factors of authentication.

    With SSH keys, if someone gains access to your computer, they also gain access to every system that uses that key. To add an extra layer of security, you can add a passphrase to your SSH key. You can use ssh-agent to securely save your passphrase so you don't have to reenter it.

    参考资料:

https://help.github.com/articles/working-with-ssh-key-passphrases/

https://www.ssh.com/ssh/passphrase


ssh-agent:

    The ssh-agent is a helper program that keeps track of user's identity keys and their passphrases. The agent can then use the keys to log into other servers without having the user type in a password or passphrase again. This implements a form of single sign-on (SSO).

    The SSH agent is used for SSH public key authentication. It uses SSH keys for authentication. Users can create SSH keys using the ssh-keygen command and install them on servers using the ssh-copy-id command.

    On most Linux systems, ssh-agent is automatically configured and run at login.

    By default, the agent uses SSH keys stored in the .ssh directory under the user's home directory. The ssh-add command is used for adding identities to the agent. In the simplest form, just run if without argument to add the default files ~/.ssh/id_rsa, .ssh/id_dsa, and ~/.ssh/identity. Otherwise, give it the name of the private key file to add as an argument.

    The following command will list private keys currently accessible to the agent:

ssh-add -l

参见更多:

https://www.ssh.com/ssh/agent

https://help.github.com/articles/generating-a-new-ssh-key-and-adding-it-to-the-ssh-agent/


SSH工作流程

Initializing a connection in SSH consists of:

  • Negotiating the version of the protocol to use

  • Negotiating cryptographic algorithms and other options to use

  • Negotiating a one-time session key for encrypting the rest of the session

  • Authenticating the server host using its host key

  • Authenticating the user using a password, public key authentication, or other means.

After this, data can be exchanged, including terminal data, graphics, and files.