Wednesday, December 21, 2016

Encryption II

How OpenSSH Works


OpenSSH provides the functionality of Telnet, rlogin, rsh, rcp, and
FTP, but it does so using encryption. To do this, OpenSSH provides the
following encryption-enabled components:



• sshd: the SSH daemon that allows remote access to the shell prompt.

• ssh: the SSH client used to connect to the sshd daemon on another system.

• scp: a utility that can be used to securely copy files between systems.

• sftp: a utility that can be used to securely FTP files between systems.

• slogin: a utility that can also be used to access the shell prompt remotely.





To establish a secure connection, OpenSSH actually uses both
public/private key encryption and secret (symmetric) key encryption. First,
the SSH client opens a connection to the system where the SSH
server is running, on IP port 22.


The SSH server then sends its public key to the SSH client. The SSH server uses the
host key pair to store its private and public keys, which identify the host where the SSH
server is running. The keys are stored in the following files:

• Private key: /etc/ssh/ssh_host_key

• Public key: /etc/ssh/ssh_host_key.pub




The client system receives the public key from the SSH server and
checks to see if it already has a copy of that key. The SSH client
stores keys from other systems in the following files:


• /etc/ssh/ssh_known_hosts

• ~/.ssh/known_hosts




By default, if it doesn’t have the server’s public key in either of
these files, it will ask the user to add it. 
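The known_hosts lookup just described, as an added Python example (not code from the original post or from OpenSSH itself): it parses a constructed known_hosts file, handles both plain and hashed (HashKnownHosts) entries, computes the SHA256 fingerprint that ssh-keygen -lf prints, and returns the three outcomes the client can face, including the mismatch case where a different key is already on file for the host. The key blobs, hostnames, salt and file contents are all constructed for the example.

```python
import base64
import hashlib
import hmac

def wire_key(key_type: str, raw: bytes) -> str:
    # Base64 blob as in *.pub/known_hosts: SSH 'string' = 4-byte big-endian length + bytes
    enc = lambda b: len(b).to_bytes(4, "big") + b
    return base64.b64encode(enc(key_type.encode()) + enc(raw)).decode()

def fingerprint(blob_b64: str) -> str:
    # SHA256 fingerprint in the form 'ssh-keygen -lf' prints (base64, no padding)
    digest = hashlib.sha256(base64.b64decode(blob_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def host_matches(field: str, host: str) -> bool:
    # Hostname field: comma-separated names, or '|1|salt|hmac' when HashKnownHosts
    # is on (HMAC-SHA1 of the hostname keyed by the salt, so the file hides hostnames)
    if field.startswith("|1|"):
        _, _, salt_b64, mac_b64 = field.split("|")
        mac = hmac.new(base64.b64decode(salt_b64), host.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(mac, base64.b64decode(mac_b64))
    return host in field.split(",")  # wildcard patterns are not handled here

def check_host_key(known_hosts: str, host: str, key_type: str, blob_b64: str) -> str:
    # Client decision: 'trusted' (same key on file), 'MISMATCH' (a different key on
    # file for this host/type: the warning to treat as possible interception), or
    # 'unknown' (nothing on file, so the client asks whether to add it)
    seen_other_key = False
    for line in known_hosts.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0].startswith(("#", "@")):
            continue  # comments; @cert-authority/@revoked markers are out of scope here
        if host_matches(fields[0], host) and fields[1] == key_type:
            if fields[2] == blob_b64:
                return "trusted"
            seen_other_key = True
    return "MISMATCH" if seen_other_key else "unknown"

# Constructed sample data: the 32-byte values stand in for ed25519 public keys
GOOD_KEY = wire_key("ssh-ed25519", bytes(range(32)))
ROGUE_KEY = wire_key("ssh-ed25519", bytes(range(32, 64)))
SALT = b"0123456789abcdefghij"  # OpenSSH uses a 20-byte salt for hashed entries
HASHED_HOST = "|1|%s|%s" % (
    base64.b64encode(SALT).decode(),
    base64.b64encode(hmac.new(SALT, b"hashed.example", hashlib.sha1).digest()).decode())
KNOWN_HOSTS = f"""# constructed ~/.ssh/known_hosts
server.example,192.0.2.10 ssh-ed25519 {GOOD_KEY}
{HASHED_HOST} ssh-ed25519 {GOOD_KEY}
"""
```

Running check_host_key against a real ~/.ssh/known_hosts with the blob from ssh-keyscan output reproduces the verdict the client reaches before it shows the login prompt.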


Having done this, the client now trusts the server system and generates a 256-bit secret
key.


It then uses the server’s public key to encrypt the new secret
key and sends it to the server. 


Because the secret key was encrypted with the public key, the server can decrypt it using 
its private key.

Once this is done, both systems have the same secret key and can now
use symmetric encryption for the duration of the SSH session.


The user is presented with a login prompt and can now authenticate
securely because everything she types is sent in encrypted format.




NOTE

In SSH version 2, several things are a little different. First of
all, the host key files used on the server are different. The
/etc/ssh/ssh_host_rsa_key and /etc/ssh/ssh_host_dsa_key files are used
(along with their associated public keys) instead of
/etc/ssh/ssh_host_key. The key pair used depends on
which encryption mechanism (RSA or DSA) the client and server have
been configured to use. In addition, the secret key is not actually
transmitted from the client to the server system. A Diffie-Hellman key
agreement is used instead to negotiate a secret key to be used for the
session without actually sending it over the network medium.




After this secure channel has been negotiated and the user has been
authenticated through the SSH server, data can be securely transferred
between both systems.







LX0-104 Exam Objectives (X)
