OpenSSH is an open source program used to encrypt transactions between hosts using Secure Shell (SSH). It is a safe alternative to connection programs such as Telnet, rlogin and rsh. Because it always encrypts all transactions, it hides the username and password used for remote login sessions. After the login session is established, it continues to encrypt all transaction data between the two hosts.
The OpenSSH project was developed on the foundation of the OpenBSD project (an OS belonging to the Unix family). It is designed to use strong encryption algorithms to improve security and prevent hackers from sabotaging connections. Although built and developed on the OpenBSD platform, it is also compatible with and works on most Unix OSes: Linux, HP-UX, AIX, Irix, SCO, MacOS X, Cygwin, Digital Unix/Tru64/OSF, SNI/Reliant Unix, NeXT, Solaris.
OpenSSH is not a single program; it is a set of secure connection programs:
These are the main tools, indispensable in OpenSSH. There are also many other tools, plugins and add-ins.
INSTALLATION
To get OpenSSH, go to its main homepage: openssh.org
Download a version that matches your system. I use Linux, so I will download the *.rpm package. Then use the command:
root@domain.com#: rpm -Uvh *.rpm
If you use other systems, the installation is similar. Download the package that fits your system; it may be a *.tar, *.tar.gz, *.gz etc. Extract it to a folder and run:
root@domain.com#: ./configure
root@domain.com#: make
root@domain.com#: make install
Then follow the script's instructions. Installation is not difficult; let's spend our time and effort on the configuration work.
HIGHLIGHTS OF OPEN SSH
Open SSH provides a lot of features to make communication between two hosts safe. Here are some highlights:
1) Strong encryption by using the 3DES and Blowfish ciphers :
Both ciphers are provided free of charge and are widely used in many countries around the world. 3DES has stood the test of time; Blowfish provides faster encryption. As with other ciphers, both encrypt data before it is transmitted so that it travels safely.
2) Strong authentication by using Public Key mechanisms, OTPs (One Time Passwords) and Kerberos :
It protects the authentication process against attacks that rely on techniques such as IP spoofing, DNS spoofing and fake routers. There are 4 authentication methods used by Open SSH:
3) Encryption of the X11 protocol for using X Window :
Encrypts data while X Window is used between two hosts. Used to counter remote attacks aimed at xterm, such as snooping and hijacking.
4) Encryption for port forwarding :
Allows TCP/IP ports to be forwarded to another system via an encrypted channel. It is used for standard Internet protocols that provide no data encryption themselves, such as SMTP, POP, FTP and Telnet.
5) Agent forwarding for single sign-on :
A user's authentication key can be, and usually is, stored on their PC, which then acts as an authentication agent. When the user accesses the system from another network system, the connection is forwarded back to this authentication agent. This allows users to access your system securely from any system.
6) Data compression :
Provides the ability to compress data securely. This is worthwhile on slow networks.
7) Common authentication for Kerberos and the Andrew File System using tickets :
Kerberos and AFS users are given a common password (ticket) to use and access both services for a specified period of time.
OPERATING PRINCIPLE OF OPEN SSH
We first learn about the authentication mechanism of the r* commands (rlogin, rsh, rcp). When using rlogin, the first condition is that the user must have an account on the system they want to log in to remotely. For example, the remote system has an account. If I connect from the local system to the remote system, there will not be any password prompt when I access the remote system, simply because my account binhnx2000 has been confirmed by the .rhosts file placed in the /home/binhnx2000 directory on the remote system.
The .rhosts file contains the hostname and username required for the accounts allowed to log in to the system. For example, my hostname is vnzone.net and my username is binhnx2000. To access the system without a password, the information about me in the .rhosts file is as follows:
Hostname Username
The hostname must be the full hostname of the system. The username must be a valid username that exists on the system you want to log in to.
A concrete example: if I want to use rlogin, then the admin must create a .rhosts file in /home/binhnx2000 with the content:
domain.com binhnx2000
Everything is done! Now when I want to log in to the system I just issue the rlogin command.
The drawback of this protocol is that the data going to the host is not encrypted, so it is very likely to be captured by sniffer programs. It is especially vulnerable to attacks such as IP spoofing, DNS spoofing and router spoofing.
Because of this vulnerability, security experts recommend that you disable the r* services (rlogin, rsh, ...) on the system. Usually on Linux systems these services are configured by xinetd, with one configuration file per service in the /etc/xinetd.d directory. To disable the r* services:
- Use vi, emacs or any text editor you want to open the xinetd configuration in /etc/xinetd.d
- Find the ' service login ' section and remove it. Save all changes and exit the editor.
- Restart the xinetd daemon: /etc/init.d/xinetd restart
- If possible, disable the telnet service permanently as well, and replace them with Open SSH.
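As an added example (not from the original article), a small shell audit that reads an xinetd configuration directory and reports which r* services (and telnet) are still enabled; the directory path, the constructed service files and the function names are assumptions made for the demo.

```shell
#!/bin/sh
# Added example, not from the original article: audit an xinetd directory
# for r* services (and telnet) that are still enabled. Assumes the usual
# layout of one "service NAME { ... disable = yes|no ... }" block per file;
# a service counts as enabled unless it carries an explicit "disable = yes".

# Print the names of the enabled services found under directory $1.
enabled_services() {
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        awk '
            /^[[:space:]]*service[[:space:]]+/ { name = $2; disabled = 0 }
            /^[[:space:]]*disable[[:space:]]*=[[:space:]]*yes/ { disabled = 1 }
            /^[[:space:]]*}/ { if (name != "" && !disabled) print name; name = "" }
        ' "$f"
    done
}

# Exit 0 if rlogin (login), rsh (shell), rexec (exec) or telnet is still
# enabled under directory $1, 1 otherwise.
r_services_enabled() {
    enabled_services "$1" | grep -Eq '^(login|shell|exec|telnet)$'
}

# Constructed sample directory (not a real system): rlogin left enabled,
# rsh already disabled.
demo_dir=$(mktemp -d)
printf 'service login\n{\n\tsocket_type = stream\n\tserver = /usr/sbin/in.rlogind\n\tdisable = no\n}\n' > "$demo_dir/rlogin"
printf 'service shell\n{\n\tsocket_type = stream\n\tserver = /usr/sbin/in.rshd\n\tdisable = yes\n}\n' > "$demo_dir/rsh"
echo "enabled: $(enabled_services "$demo_dir")"        # enabled: login
r_services_enabled "$demo_dir" && echo "WARNING: r* service still enabled"
rm -rf "$demo_dir"
```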
We have learned the operating principle of the r* services. Now we will learn about the operating principle of Open SSH. The first thing I can tell you is: Open SSH provides a quite secure authentication mechanism by using a Public Key and a Private Key. The Private Key is used only by its owner, while the Public Key can be used by everyone.
To have Open SSH create a DSA Private/Public Key pair, use the command:
ssh-keygen -d
The DSA Private Key is usually stored in the file $HOME/.ssh/id_dsa. The DSA Public Key is usually stored in $HOME/.ssh/id_dsa.pub. The Public Key needs to be renamed and copied to the appropriate directory on the remote system that you want to reach with Open SSH.
The following lists the locations of the keys that Open SSH uses in the authentication process:
Key                  Local System Default Location    Remote Host Location
SSH Version 2
  Private Key        $HOME/.ssh/id_dsa
  Public Key         $HOME/.ssh/id_dsa.pub            $HOME/.ssh/authorized_keys2
SSH Version 1
  Private Key        $HOME/.ssh/identity
  Public Key         $HOME/.ssh/identity.pub          $HOME/.ssh/authorized_keys
Here are the important files used by Open SSH when working with Public Keys:
- $HOME/.ssh/known_hosts : A list of the Public Keys of all hosts the user has logged in to. The system-wide list of host Public Keys is kept in /etc/ssh_known_hosts.
- /etc/ssh_known_hosts : Contains a list of RSA-generated Public Keys for all hosts known to the system. Any host that wants to log in to the system must have its Public Key listed in this file. The administrator of your system needs to list the Public Keys of the hosts in that network.
- /etc/ssh_known_hosts2 : Just like ssh_known_hosts, but containing a list of DSA-generated Public Keys for all hosts that the system knows.
- $HOME/.ssh/config : Configuration file for each user. On some large systems each user has their own configuration file. It is used by the SSH client.
- /etc/ssh/ssh_config : Configuration file for the entire system. It is also used for users who have no configuration file, or temporarily have none. It is created automatically when Open SSH is installed for the first time and is read each time Open SSH runs.
- $HOME/.ssh/rc : Lists commands to be executed when the user logs in; they run before the user's shell is opened.
- /etc/sshrc : Similar to $HOME/.ssh/rc; it is used system-wide on large systems.
USING OPEN SSH TO SECURE DATA ON A NETWORK SYSTEM
Before using Open SSH you must make sure that both your local system and the remote system have Open SSH installed.
The ssh-keygen command is used to create and manage SSH authentication keys. To use Open SSH you must first create a DSA or RSA Private Key and Public Key. Next, follow the instructions below. I myself use Debian Linux v 2.5.2.
First, create a user on the system:
root@domain.com#: useradd binhnx2000
Don't forget to set a password for this user:
root@domain.com#: passwd binhnx2000
Changing password for user binhnx2000
New UNIX password: *****
Retype new UNIX password: *****
passwd: all authentication tokens updated successfully
Log in to the account I just created.
Now I will continue by creating the Private Key and Public Key.
Note : From Open SSH v 2.0 onwards, when you ask for a new Key it will give you an RSA Key by default. If you want to create a DSA Key you must use the -d option:
binhnx2000@domain.com$: ssh-keygen -d
Generating DSA parameter and key.
Enter file in which to save the key (/home/binhnx2000/.ssh/id_dsa):
Press Enter if you want to save the Key in its default location:
Created directory '/home/binhnx2000/.ssh'.
Enter passphrase (empty for no passphrase):
Enter the passphrase (this is the password used to encrypt the Private Key with the 3DES algorithm, so that only its holder can use the key).
Note : the passphrase cannot be recovered. If you forget it, you will have to create and redistribute the Key, which is very annoying.
Press Enter when everything is done.
Your identification has been saved in /home/binhnx2000/.ssh/id_dsa.
Your public key has been saved in /home/binhnx2000/.ssh/id_dsa.pub.
The key fingerprint is:
ca:3b:f9:80:5a:91:e5:c1:1e:5b:30:02:2f:d5:53:13
binhnx2000@domain.com
Looking at the Private Key file you will see:
-----BEGIN DSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,D40D902FF5666C7B
-----END DSA PRIVATE KEY-----
This is the content of the Public Key:
All of the important information above is protected using the DSA algorithm.
USING THE PRIVATE KEY & PUBLIC KEY
To use the Public Key you must first distribute it, or, to put it plainly, you must install the Public Key in the appropriate locations on the remote server. As stated above, the Public Key can be distributed freely, so you can send it to any system you want to communicate with via Open SSH.
- Create a Public Key folder in the Apache root directory:
root@domain.com#: mkdir /var/html/pubkeys
- Copy binhnx2000's Public Key into the folder you just created and rename it:
root@domain.com#: cp /home/binhnx2000/.ssh/id_dsa.pub /var/html/pubkeys/binhnx2000.pub
- On the remote host system, you need to set up the same parameters as on your host. Log in as root and create an account:
root@domain2.com#: useradd binhnx2000
root@domain2.com#: passwd binhnx2000
Changing password for user binhnx2000
New UNIX password: *****
Retype new UNIX password: *****
passwd: all authentication tokens updated successfully
- Next, create a ' .ssh ' subdirectory in the home directory of your account:
root@domain2.com#: mkdir /home/binhnx2000/.ssh
- Download binhnx2000's Public Key from the address you uploaded it to, and save it in /home/binhnx2000/.ssh (as authorized_keys2, the remote host location listed in the table above). This is the Public Key of domain.com; it contains the identity information encoded by the DSA algorithm. Everything is fine, now try ssh from system 2 to system 1 with the Public Key and see:
binhnx2000@domain2.com$: ssh domain.com
If all goes well, you can ssh into system 1 remotely and safely via Open SSH. All transactions between systems 1 and 2 are compressed and encrypted to keep them safe on the line.
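As an added example (not part of the original article), a shell helper that installs a downloaded Public Key into the remote account's authorized_keys2 file, refusing anything that is not a single public-key line (for instance a private key file uploaded by mistake) and setting the permissions sshd expects; the sample key, home directory and function names are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the original article: install a downloaded Public
# Key into the remote account's authorized_keys2 file (the SSH version 2
# location from the table above). The key file and home directory are
# parameters; the demo key below is constructed and is not a real key.

# Accept only a file holding exactly one OpenSSH public-key line
# ("ssh-dss" or "ssh-rsa", base64 blob, optional comment). A private key
# file uploaded by mistake is rejected here.
valid_pubkey() {
    [ "$(grep -c '' "$1")" -eq 1 ] || return 1
    grep -Eq '^ssh-(dss|rsa) [A-Za-z0-9+/]+=*( |$)' "$1"
}

# Append the key to $2/.ssh/authorized_keys2 unless already present, then
# set the permissions sshd expects (700 on .ssh, 600 on the key file).
install_pubkey() {
    keyfile="$1"; home="$2"; auth="$home/.ssh/authorized_keys2"
    valid_pubkey "$keyfile" || { echo "refusing $keyfile: not a single public-key line" >&2; return 1; }
    key=$(cat "$keyfile")
    mkdir -p "$home/.ssh"
    touch "$auth"
    if grep -qxF "$key" "$auth"; then
        echo "already installed"
    else
        printf '%s\n' "$key" >> "$auth"
    fi
    chmod 700 "$home/.ssh" && chmod 600 "$auth"
}

# Number of keys currently installed for the account whose home is $1.
installed_key_count() {
    grep -c '' "$1/.ssh/authorized_keys2"
}

# Constructed demo in a temporary home directory.
demo_home=$(mktemp -d)
printf 'ssh-dss AAAAB3NzaC1kc3MAAACBAConstructedNotARealKey= binhnx2000@domain.com\n' > "$demo_home/binhnx2000.pub"
install_pubkey "$demo_home/binhnx2000.pub" "$demo_home"
install_pubkey "$demo_home/binhnx2000.pub" "$demo_home"   # already installed
echo "keys installed: $(installed_key_count "$demo_home")"  # keys installed: 1
rm -rf "$demo_home"
```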
For example, VeriSign is a company that provides Digital IDs to encrypt and secure e-mail for customers. A Digital ID is actually a Public Key with basic identity information embedded in it. VeriSign automatically publishes the user's Public Key on its site. Any user who wants another user's Public Key can download that user's Digital ID from the VeriSign site:
digitalid.verisign.com/services/client/index.html
For my Public Key, I will upload it to my Web server. Remote hosts will download the Public Key and activate it.
Continue with the following steps if your system has the Apache Web server installed:
However, life is not always as good as we thought ;-( You will encounter this notice:
The authenticity of host 'domain.com' can't be established.
DSA key fingerprint is ca:3b:f9:80:5a:91:e5:c1:1e:5b:30:02:2f:d5:53:13.
Are you sure you want to continue connecting (yes/no)?
The above message says that Open SSH cannot yet confirm that system 1 is the host it claims to be, because system 1's host key is not yet known on system 2. Type yes to continue connecting. There will be a message saying that the remote system's host Public Key has been added to the appropriate location on the local system. The update of the Public Key was successful, and next time you won't have to see this annoying message again. Now try ssh to the remote system again (there will be no password prompt, because it authenticates using the Public Key):
The host key is recorded in /home/binhnx2000/.ssh/known_hosts and ssh reports:
Warning: Permanently added 'domain.com,24.130.8.170' (DSA) to the list of known hosts.
[binhnx2000@domain.com binhnx2000]$
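As an added example (not from the original article), a shell check for the prompt above: it looks a host up in a known_hosts file and compares the recorded key with the one the server presents now, so a changed host key is noticed rather than accepted blindly. It assumes unhashed known_hosts lines in the "host1,host2 keytype base64key" form shown in the warning; the sample file, key values and function names are constructed.

```shell
#!/bin/sh
# Added example, not from the original article: look a host up in a
# known_hosts file and compare the recorded host key with a presented one.
# Assumes unhashed lines of the form "host1,host2,... keytype base64key".

# Print "keytype base64key" recorded for host $1 in file $2; exit 1 if absent.
known_host_key() {
    awk -v h="$1" '
        $1 !~ /^#/ && NF >= 3 {
            n = split($1, names, ",")
            for (i = 1; i <= n; i++)
                if (names[i] == h) { print $2 " " $3; found = 1; exit }
        }
        END { exit (found ? 0 : 1) }
    ' "$2"
}

# Compare the key recorded for host $1 in file $2 with the presented key $3
# ("keytype base64key"). Prints "new" (host never seen, the prompt above),
# "match", or "MISMATCH" (the case to investigate before answering yes).
check_host() {
    recorded=$(known_host_key "$1" "$2") || { echo new; return 0; }
    if [ "$recorded" = "$3" ]; then echo match; else echo MISMATCH; fi
}

# Constructed known_hosts file (not real keys) in the format of the warning.
demo_file=$(mktemp)
printf 'domain.com,24.130.8.170 ssh-dss AAAAB3ConstructedHostKey binhnx2000@domain.com\n' > "$demo_file"
check_host domain.com "$demo_file" "ssh-dss AAAAB3ConstructedHostKey"   # match
check_host 24.130.8.170 "$demo_file" "ssh-dss AAAAB3SomethingElse"      # MISMATCH
check_host nowhere.example "$demo_file" "ssh-dss AAAAB3Whatever"        # new
rm -f "$demo_file"
```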
If the information about the Public Key is incorrect, in other words if Public Key authentication fails, Open SSH will ask you for the user's password on the server:
binhnx2000@domain.com's password:
The password here is the password of the account created on the remote system. Entering a username and password is similar to Telnet; the difference is that with Open SSH they are encrypted. If you get a password prompt, review the process of distributing and installing the Public Key.
DATA SAFETY ISSUES
So far, RSA and DSA Keys are considered highly secure with strong data encryption capability (RSA Keys now go up to 256 bit encryption). In the middle of July, the security community discovered a Bug that exploited the vulnerability of short passphrases under 2 characters, but it was quickly fixed and the practical impact of this Bug was not high. Open SSH is still considered by the *nix community to be a highly secure medium.
Note : This article is only for learning and exchanging experience. You may use it freely, but please respect the copyright a little: when you quote it somewhere, please specify the source and the writer's name. Thank you very much for your interest in my article.
(Power by: binhnx2000 == (=========> ^ ($) ^ Supporter Of VTF)
(E-mail: binhnx2000@yahoo.com | Home: vieteam.com)
Note : The Public Key can be distributed as you like. Anyone, or any system, who wants to communicate securely with binhnx2000 can receive the Public Key. You can rename the Public Key as you please; for security purposes it is advised to rename the Public Key before distributing it to each person.
The rlogin command from the r* section above:
binhnx2000@domain.com$: rlogin -l binhnx2000 vnzone.net