SSH remote login and port forwarding details

  • 2020-05-24 06:43:56
  • OfStack

Introduction

SSH (Secure Shell) is a security protocol that runs over a reliable transport (normally TCP) and provides an encrypted, authenticated channel; its most common use is giving a user a shell on a remote computer.

SSH is only a protocol and has several implementations. This article is based on its open-source implementation, OpenSSH.

Remote login

SSH is mainly used for remote login:


$ ssh user@host

When the local username and the remote username are the same, the username can be omitted:


$ ssh host

The default port of the SSH protocol is 22; use the -p parameter to connect to a different one:


$ ssh -p 2222 user@host

MITM

SSH uses public-key cryptography to secure the transmission. In outline, the process is as follows:

The client opens a connection and the remote host presents its host public key. The two sides then negotiate a fresh session key (a Diffie-Hellman exchange), and the remote host signs the exchange with its host private key so that the client can check it is talking to the holder of that key. Everything after this point, including the login password the user types, travels inside the encrypted channel.

However!

Unlike an HTTPS certificate, which is issued by a CA the client already trusts, an SSH host key is generated by the host itself and vouched for by nobody. If someone sits between the user and the remote host, intercepts the connection, impersonates the remote host and presents a forged host key, the client has no built-in way to tell the forgery from the genuine key. The attacker can then complete the handshake with the user, read the password the user types, and use it to log in to the real host. This is a man-in-the-middle (MITM) attack, and the fingerprint check described next is the client's defence against it.

Password login

The first time you log on to the remote host, you will be prompted as follows:


$ ssh 10.0.0.12
The authenticity of host '10.0.0.12 (10.0.0.12)' can't be established.
RSA key fingerprint is 3a:45:30:52:b5:ea:2a:55:e7:23:41:ef:16:76:0b:8d.
Are you sure you want to continue connecting (yes/no)?

This means: the authenticity of the remote host cannot be verified; here is the fingerprint of its public key; do you want to continue connecting?

A public key fingerprint is a hash of the public key. The RSA public key itself is far too long to compare by eye, so older OpenSSH prints its MD5 digest, 128 bits shown as 16 colon-separated hex bytes, which is the 3a:45:30:52:b5:ea:2a:55:e7:23:41:ef:16:76:0b:8d in the prompt above. OpenSSH 6.8 and later print a SHA256 fingerprint in base64 instead (SHA256:...); ssh-keygen -l -E md5 -f file still shows the old form.

The only sound way to confirm the fingerprint is to obtain it out of band, for example by running ssh-keygen -l -f /etc/ssh/ssh_host_rsa_key.pub on the server itself (or having the administrator publish it) and comparing. In practice most people skip this and simply accept the remote host's public key:


Are you sure you want to continue connecting (yes/no)? yes

The system prompts that the remote host has been added to the list of trusted hosts:


Warning: Permanently added '10.0.0.12' (RSA) to the list of known hosts.

Then you are prompted for your password:


root@10.0.0.12's password:

Enter the password correctly and you are logged in.

When the public key of the remote host is accepted, it is saved in $HOME/.ssh/known_hosts. The next time you connect to that host, ssh finds its public key already stored locally, skips the warning and asks for the password straight away. If the host later presents a different key, ssh does not prompt but refuses to continue with a "REMOTE HOST IDENTIFICATION HAS CHANGED" warning. That is exactly what a MITM would produce, so it should be investigated rather than cleared with ssh-keygen -R host.
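As an added example (not code from the article), the following Python reproduces both points made above: how the fingerprint shown in the prompt is derived from the host's public key, in both the old MD5 form and the SHA256 form newer OpenSSH prints, and how the entry stored in known_hosts is compared on the next connection so that a changed key is detected. The keys it builds use made-up numbers and are not real RSA keys; the known_hosts handling is simplified (hashed and @-marked entries are skipped).

```python
# Added example (not from the original article): how OpenSSH derives a host key
# fingerprint from a public key, and how ~/.ssh/known_hosts is used to notice a
# changed key. Standard library only; the keys built in the demo use made-up
# numbers and are not real RSA keys.
import base64
import hashlib
import struct


def ssh_string(data: bytes) -> bytes:
    """RFC 4251 'string': 4-byte big-endian length, then the bytes."""
    return struct.pack(">I", len(data)) + data


def ssh_mpint(n: int) -> bytes:
    """RFC 4251 'mpint': big-endian two's complement, length-prefixed.
    (bit_length + 8) // 8 bytes keeps a leading 0x00 when the top bit is set."""
    if n == 0:
        return ssh_string(b"")
    return ssh_string(n.to_bytes((n.bit_length() + 8) // 8, "big"))


def rsa_public_key_line(e: int, n: int, comment: str = "") -> str:
    """Encode (e, n) in the 'ssh-rsa' wire format and wrap it as one
    public-key line, the form used in ssh_host_rsa_key.pub and authorized_keys."""
    blob = ssh_string(b"ssh-rsa") + ssh_mpint(e) + ssh_mpint(n)
    return f"ssh-rsa {base64.b64encode(blob).decode()} {comment}".strip()


def parse_public_key_line(line: str):
    """Return (keytype, blob) for a 'keytype base64 [comment]' line, checking
    that the type encoded inside the blob matches the type in front of it."""
    fields = line.split()
    if len(fields) < 2:
        raise ValueError("not a public key line")
    keytype, blob = fields[0], base64.b64decode(fields[1])
    (inner_len,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + inner_len] != keytype.encode():
        raise ValueError("key type inside the blob does not match")
    return keytype, blob


def fingerprint_md5(blob: bytes) -> str:
    """Legacy OpenSSH (before 6.8) format: MD5 of the blob as colon-separated hex."""
    digest = hashlib.md5(blob).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def fingerprint_sha256(blob: bytes) -> str:
    """Current OpenSSH format: 'SHA256:' plus unpadded base64 of the SHA-256."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def check_known_hosts(known_hosts: str, host: str, presented_line: str) -> str:
    """Mimic the known_hosts lookup ssh performs on connect. Returns
    'unknown' (host not listed: the first-connection prompt),
    'match'   (stored key equals the presented key), or
    'changed' (a different key of the same type is stored: the
               'REMOTE HOST IDENTIFICATION HAS CHANGED' refusal).
    Hashed entries ('|1|...') and @-marked entries are skipped for brevity."""
    keytype, blob = parse_public_key_line(presented_line)
    for raw in known_hosts.splitlines():
        line = raw.strip()
        if not line or line[0] in "#@" or line.startswith("|1|"):
            continue
        parts = line.split(None, 1)
        if len(parts) < 2 or host not in parts[0].split(","):
            continue
        stored_type, stored_blob = parse_public_key_line(parts[1])
        if stored_type != keytype:
            continue
        return "match" if stored_blob == blob else "changed"
    return "unknown"


if __name__ == "__main__":
    # Constructed keys: e=65537 and made-up 1024-bit moduli, NOT real RSA keys.
    genuine = rsa_public_key_line(65537, int.from_bytes(bytes(range(1, 129)), "big"), "root@10.0.0.12")
    forged = rsa_public_key_line(65537, int.from_bytes(bytes(range(128, 0, -1)), "big"), "mitm")
    known_hosts = "10.0.0.12 " + genuine + "\n"
    _, blob = parse_public_key_line(genuine)
    print("MD5    :", fingerprint_md5(blob))
    print("SHA256 :", fingerprint_sha256(blob))
    for label, line in (("genuine key", genuine), ("forged key", forged)):
        print(f"{label}: {check_known_hosts(known_hosts, '10.0.0.12', line)}")
```

The fingerprint is computed over the whole key blob (type string, exponent, modulus), which is why a fingerprint you compare out of band commits to the complete key and not just to a comment or hostname.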

Public key login

In addition to password login, SSH also supports public key login.

The principle of public key login is that the user stores their public key on the remote host in advance. At login, the remote host sends the user a random challenge; the client signs it with the user's private key and sends the signature back, and the remote host verifies the signature with the stored public key. If the check succeeds the user is proven to hold the private key and is given a shell directly, without entering a password.

Public key login therefore requires the user to have a key pair, normally kept in the $HOME/.ssh/ directory: id_rsa is the private key and id_rsa.pub is the public key. If they do not exist, generate them with ssh-keygen. Keep the private key mode 0600 and consider protecting it with a passphrase, since anyone who obtains the file can log in as you.


$ ls -1 ~/.ssh
id_rsa
id_rsa.pub
known_hosts

The public key needs to be sent to the remote host:


# ssh-copy-id [-i [identity_file]] [user@]machine
$ ssh-copy-id root@10.0.0.12

After that, logging in no longer prompts for a password.

If public key login still fails, check the remote host's SSH configuration in /etc/ssh/sshd_config, uncomment the following lines and restart the SSH service. (RSAAuthentication is a protocol-1 option that newer OpenSSH ignores; PubkeyAuthentication and AuthorizedKeysFile are the ones that matter.) [I found that the default SSH configuration of CentOS release 6.8 (Final) already allows public key login.]


#RSAAuthentication yes
#PubkeyAuthentication yes
#AuthorizedKeysFile  .ssh/authorized_keys

The authorized_keys file

The remote host keeps the user's public keys in $HOME/.ssh/authorized_keys. Each public key is a single line of text, so it can also be appended to the remote host's authorized_keys file by hand, one key per line. The file and the .ssh directory must be owned by the user and not writable by anyone else; otherwise sshd refuses to use the key (it logs "bad ownership or modes" on the server side, and the client just falls back to a password prompt).

The following command does what ssh-copy-id does and makes the saving process explicit: it sends the public key over an SSH session and appends it to authorized_keys on the remote host:


$ ssh root@10.0.0.12 'mkdir -p .ssh && cat >> .ssh/authorized_keys' < ~/.ssh/id_rsa.pub
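As an added example, not from the article: what a careful version of the manual append looks like, written in Python. It validates the key line, refuses to add a key that is already present (ssh-copy-id also checks for this), and sets the ~/.ssh and authorized_keys modes that sshd's StrictModes check expects. The demo key is constructed and the scratch directory is a temporary one, so nothing touches a real account.

```python
# Added example (not from the original article): install a public key into
# authorized_keys the way ssh-copy-id does, with the checks that matter in
# practice: validate the line, do not add a key that is already there, and keep
# the permissions that sshd's StrictModes requires. Standard library only; the
# key used in the demo is constructed and not a real key.
import base64
import os
import struct
import tempfile

KEY_TYPES = {"ssh-ed25519", "ssh-rsa", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521"}


def key_identity(line: str):
    """Return (keytype, blob) identifying the key on an authorized_keys line,
    or None if the line is not a valid public key. Leading options such as
    from="..." or command="..." and the trailing comment are ignored, so the
    same key with a different comment still counts as the same key."""
    fields = line.strip().split()
    for i, field in enumerate(fields):
        if field in KEY_TYPES and i + 1 < len(fields):
            try:
                blob = base64.b64decode(fields[i + 1], validate=True)
            except ValueError:          # binascii.Error is a ValueError
                return None
            if len(blob) < 4:
                return None
            (n,) = struct.unpack(">I", blob[:4])
            return (field, blob) if blob[4:4 + n] == field.encode() else None
    return None


def install_public_key(authorized_keys: str, line: str) -> bool:
    """Append `line` to authorized_keys unless the same key is already present.
    Creates the .ssh directory with mode 0700 and the file with mode 0600
    (sshd ignores the file when it or the directory is writable by others).
    Returns True if the key was added, False if it was already there."""
    ident = key_identity(line)
    if ident is None:
        raise ValueError("not a valid OpenSSH public key line")
    ssh_dir = os.path.dirname(authorized_keys)
    os.makedirs(ssh_dir, mode=0o700, exist_ok=True)
    os.chmod(ssh_dir, 0o700)
    existing = ""
    if os.path.exists(authorized_keys):
        with open(authorized_keys, encoding="utf-8") as fh:
            existing = fh.read()
    if any(key_identity(entry) == ident for entry in existing.splitlines()):
        return False
    with open(authorized_keys, "a", encoding="utf-8") as fh:
        if existing and not existing.endswith("\n"):
            fh.write("\n")  # never glue the key onto a last line lacking a newline
        fh.write(line.strip() + "\n")
    os.chmod(authorized_keys, 0o600)
    return True


def constructed_key_line(comment: str) -> str:
    """A syntactically valid ssh-ed25519 line whose 32 key bytes are made up."""
    blob = struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + bytes(range(32))
    return f"ssh-ed25519 {base64.b64encode(blob).decode()} {comment}"


def demo_install(directory: str = None):
    """Run the flow twice against a scratch directory (a temp dir by default)
    and return (added_first_time, added_second_time, lines_in_file, file_mode)."""
    directory = directory or tempfile.mkdtemp()
    path = os.path.join(directory, ".ssh", "authorized_keys")
    first = install_public_key(path, constructed_key_line("alice@laptop"))
    # Same key again, different comment: must be recognised as a duplicate.
    second = install_public_key(path, constructed_key_line("alice@laptop (copied again)"))
    with open(path, encoding="utf-8") as fh:
        count = len(fh.read().splitlines())
    return first, second, count, os.stat(path).st_mode & 0o777


if __name__ == "__main__":
    print(demo_install())  # (True, False, 1, 0o600)
```

The duplicate check compares the decoded key blob rather than the whole line, because the comment at the end of a key line is free text and two copies of one key with different comments would otherwise both end up in the file.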

Remote operation

SSH can also run a single command on the remote host without opening an interactive shell; the command's output comes back to the local terminal:


$ ssh root@10.0.0.12 uptime

Port forwarding

Local forwarding

Local forwarding opens a listening port on the local machine. Every connection to that port is carried through the SSH session to the login host, which then connects onward to a destination host and port of your choice.

Local forwarding is specified with the -L parameter, in the form -L [bind_address:]port:host:hostport. The bind_address defaults to the loopback interface, so by default only the local machine can use the forwarded port.


$ ssh -L 5000:www.google.com:80 host

With the above command, connecting to local port 5000 is equivalent to connecting to port 80 on www.google.com, except that the traffic travels encrypted to the login host, which makes the final connection. Use this when a port on some remote host is not directly reachable from your machine but is reachable from the login host: the remote port is effectively bound locally.

Remote forward

Remote forwarding is the reverse: the listening port is opened on the login host, and connections to it are carried back through the SSH session to the local machine, which then connects onward to the destination.

Remote forwarding is specified with the -R parameter, in the form -R [bind_address:]port:host:hostport, where port is opened on the login host and host:hostport is reached from the local machine.


ssh -R 8080:localhost:80 user@host

With the above command, connecting to port 8080 on the login host is equivalent to connecting to port 80 on the local machine.

Example scenario: a web service runs on my machine and I want others on the external network to access or test it, but the external network cannot reach my internal network machine. Running the above command on my machine exposes its port 80 as port 8080 on the login host, so the internal application becomes reachable from outside. One caveat: by default sshd binds remote-forwarded ports to the login host's loopback interface only, so others can reach port 8080 only if the server's sshd_config sets GatewayPorts yes (or GatewayPorts clientspecified together with a bind_address in the -R argument). Very convenient.
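As an added example, not from the article: a Python parser for the forwarding argument that -L and -R share, with a helper that says where the listening socket actually ends up. The helper encodes the GatewayPorts rule from sshd_config(5), which is what decides whether the remote-forwarding scenario above is reachable by anyone other than the login host itself. Using 0.0.0.0 to stand for "all interfaces" is this example's convention (ssh itself prints it as *).

```python
# Added example (not from the original article): parse the
# "[bind_address:]port:host:hostport" argument of ssh -L and ssh -R, and work
# out where the listening socket ends up, including the effect of the sshd
# GatewayPorts setting on -R. Standard library only.

WILDCARD = "0.0.0.0"   # this example's stand-in for 'all interfaces' (ssh shows '*')
LOOPBACK = "127.0.0.1"


def _split_spec(spec: str):
    """Split on ':' while keeping bracketed IPv6 literals such as [::1] whole."""
    fields, current, depth = [], "", 0
    for ch in spec:
        if ch == "[":
            depth += 1
        elif ch == "]":
            depth -= 1
        if ch == ":" and depth == 0:
            fields.append(current)
            current = ""
        else:
            current += ch
    fields.append(current)
    return [f[1:-1] if f.startswith("[") and f.endswith("]") else f for f in fields]


def parse_forward_spec(spec: str) -> dict:
    """Return {'bind_address', 'port', 'host', 'hostport'}.
    bind_address is None when omitted; an empty bind address means the same as '*'."""
    fields = _split_spec(spec)
    if len(fields) == 3:
        bind_address, (port, host, hostport) = None, fields
    elif len(fields) == 4:
        bind_address, port, host, hostport = fields
        if bind_address == "":
            bind_address = "*"
    else:
        raise ValueError(f"bad forwarding spec: {spec!r}")
    port, hostport = int(port), int(hostport)
    # port 0 is only meaningful with -R (the server picks a free port)
    if not (0 <= port <= 65535 and 1 <= hostport <= 65535):
        raise ValueError(f"port out of range in {spec!r}")
    return {"bind_address": bind_address, "port": port, "host": host, "hostport": hostport}


def listener_address(direction: str, bind_address, gateway_ports: str = "no") -> str:
    """Address the forwarded port listens on.
    'local'  (-L): the socket is on the client; loopback unless the spec names
                   another address or '*'. sshd has no say.
    'remote' (-R): the socket is on the login host and sshd's GatewayPorts
                   decides: 'no' (the default) forces loopback, 'yes' forces all
                   interfaces, 'clientspecified' honours the spec's bind_address."""
    def from_spec():
        if bind_address in (None, "localhost"):
            return LOOPBACK
        return WILDCARD if bind_address == "*" else bind_address

    if direction == "local":
        return from_spec()
    if direction == "remote":
        if gateway_ports == "no":
            return LOOPBACK
        if gateway_ports == "yes":
            return WILDCARD
        if gateway_ports == "clientspecified":
            return from_spec()
        raise ValueError(f"unknown GatewayPorts value {gateway_ports!r}")
    raise ValueError("direction must be 'local' or 'remote'")


if __name__ == "__main__":
    for direction, spec, gw in (("local", "5000:www.google.com:80", "no"),
                                ("remote", "8080:localhost:80", "no"),
                                ("remote", "*:8080:localhost:80", "clientspecified")):
        s = parse_forward_spec(spec)
        print(f"-{direction[0].upper()} {spec} (GatewayPorts {gw}): listen on "
              f"{listener_address(direction, s['bind_address'], gw)}:{s['port']}, "
              f"forward to {s['host']}:{s['hostport']}")
```

Run as a script it prints the interpretation of the two commands used above: the -L forward listens on 127.0.0.1:5000, and the -R forward listens on 127.0.0.1:8080 on the login host until GatewayPorts is changed.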

Dynamic forward

Dynamic forwarding does not fix a destination host and port in advance. Instead, ssh runs a SOCKS proxy on a local port, and every connection made through that proxy is carried over the SSH session and opened from the login host. Traffic that would otherwise leave your machine unencrypted (plain HTTP, for example) is encrypted as far as the login host, which improves security on the local network.

For example, to send everything that arrives at local port 5000 through the login host:


$ ssh -D 5000 host

A typical use is getting around network restrictions: set the browser's proxy type to SOCKS5 with host 127.0.0.1 and port 5000, and its traffic then leaves from the login host. Note that only the hop to the login host is encrypted; from there to the final destination the traffic is whatever the application sends.
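As an added example, not from the article: the SOCKS5 exchange (RFC 1928) that the browser performs against the port opened by -D, written in Python with the messages constructed by hand and no network involved. It shows the two things worth knowing about the dynamic forward: ssh accepts only the no-authentication method and only the CONNECT command, and a request that names the destination as a domain name is passed on unresolved, so the DNS lookup happens on the login host rather than locally. Answering CONNECT with a bound address of 0.0.0.0:0 is this example's choice.

```python
# Added example (not from the original article): the SOCKS5 messages exchanged
# between a browser and the local port that "ssh -D" listens on, parsed and
# answered the way a SOCKS server does before opening the onward connection.
# Messages in the tests are constructed by hand from RFC 1928; no sockets used.
import ipaddress
import struct

SOCKS_VERSION = 5
NO_AUTH, NO_ACCEPTABLE = 0x00, 0xFF
CMD_CONNECT = 0x01
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04
REP_SUCCEEDED, REP_CMD_NOT_SUPPORTED = 0x00, 0x07


def select_method(greeting: bytes) -> bytes:
    """Client greeting: VER NMETHODS METHODS...  Server answer: VER METHOD.
    ssh -D offers no authentication; any client that cannot do 'no auth'
    gets 0xFF and the connection is closed."""
    if len(greeting) < 2 or greeting[0] != SOCKS_VERSION:
        raise ValueError("not a SOCKS5 greeting")
    nmethods = greeting[1]
    methods = greeting[2:2 + nmethods]
    if len(methods) != nmethods:
        raise ValueError("truncated greeting")
    chosen = NO_AUTH if NO_AUTH in methods else NO_ACCEPTABLE
    return bytes([SOCKS_VERSION, chosen])


def parse_request(request: bytes):
    """Client request: VER CMD RSV ATYP DST.ADDR DST.PORT -> (cmd, host, port).
    With ATYP 0x03 the hostname is carried as text and is not resolved here:
    ssh forwards it to the login host, which performs the DNS lookup."""
    if len(request) < 4 or request[0] != SOCKS_VERSION:
        raise ValueError("not a SOCKS5 request")
    cmd, atyp, pos = request[1], request[3], 4
    if atyp == ATYP_IPV4:
        host, pos = str(ipaddress.IPv4Address(request[pos:pos + 4])), pos + 4
    elif atyp == ATYP_DOMAIN:
        length = request[pos]
        pos += 1
        host, pos = request[pos:pos + length].decode("ascii"), pos + length
    elif atyp == ATYP_IPV6:
        host, pos = str(ipaddress.IPv6Address(request[pos:pos + 16])), pos + 16
    else:
        raise ValueError(f"unknown address type {atyp:#x}")
    if len(request) < pos + 2:
        raise ValueError("truncated request")
    (port,) = struct.unpack(">H", request[pos:pos + 2])
    return cmd, host, port


def build_reply(rep: int, bind_host: str = "0.0.0.0", bind_port: int = 0) -> bytes:
    """Server reply: VER REP RSV ATYP BND.ADDR BND.PORT."""
    addr = ipaddress.ip_address(bind_host)
    atyp = ATYP_IPV4 if addr.version == 4 else ATYP_IPV6
    return bytes([SOCKS_VERSION, rep, 0x00, atyp]) + addr.packed + struct.pack(">H", bind_port)


def handle_request(request: bytes):
    """What the proxy side does with one request: return the (host, port) it
    will ask the login host to connect to, plus the reply bytes for the client.
    Only CONNECT is supported; BIND and UDP ASSOCIATE are refused with 0x07."""
    cmd, host, port = parse_request(request)
    if cmd != CMD_CONNECT:
        return None, build_reply(REP_CMD_NOT_SUPPORTED)
    return (host, port), build_reply(REP_SUCCEEDED)


if __name__ == "__main__":
    # Constructed browser messages: offer 'no auth', then CONNECT example.com:443
    print(select_method(b"\x05\x01\x00").hex())
    req = b"\x05\x01\x00\x03" + bytes([len(b"example.com")]) + b"example.com" + b"\x01\xbb"
    target, reply = handle_request(req)
    print(target, reply.hex())
```

Browsers that send the destination as a domain name (Firefox's "proxy DNS when using SOCKS v5" setting) keep even the name lookup off the local network; a client that resolves first and sends ATYP 0x01 leaks the name to the local resolver before the tunnel is used.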
