惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

Spread Privacy
Spread Privacy
P
Palo Alto Networks Blog
P
Proofpoint News Feed
AI
AI
Help Net Security
Help Net Security
S
Securelist
T
Troy Hunt's Blog
K
KPMG report finds enterprise disconnect between AI and its ROI | CIO
C
Cisco Blogs
Scott Helme
Scott Helme
Hacker News - Newest:
Hacker News - Newest: "LLM"
Vercel News
Vercel News
Exploit-DB.com RSS Feed
Exploit-DB.com RSS Feed
CTFtime.org: upcoming CTF events
CTFtime.org: upcoming CTF events
B
Blog
GbyAI
GbyAI
Recent Commits to openclaw:main
Recent Commits to openclaw:main
D
Darknet – Hacking Tools, Hacker News & Cyber Security
P
Proofpoint News Feed
S
Security Affairs
Cisco Talos Blog
Cisco Talos Blog
AWS News Blog
AWS News Blog
T
Tenable Blog
H
Help Net Security
NISL@THU
NISL@THU
F
Fortinet All Blogs
博客园_首页
G
GRAHAM CLULEY
L
LINUX DO - 最新话题
P
Privacy International News Feed
G
Google Developers Blog
博客园 - Franky
Cyber Security Advisories - MS-ISAC
Cyber Security Advisories - MS-ISAC
cs.CL updates on arXiv.org
cs.CL updates on arXiv.org
Security Archives - TechRepublic
Security Archives - TechRepublic
The Register - Security
The Register - Security
L
LangChain Blog
aimingoo的专栏
aimingoo的专栏
T
Tor Project blog
P
Privacy & Cybersecurity Law Blog
量子位
C
Cyber Attacks, Cyber Crime and Cyber Security
Forbes - Security
Forbes - Security
S
Secure Thoughts
Simon Willison's Weblog
Simon Willison's Weblog
D
Docker
Recorded Future
Recorded Future
博客园 - 三生石上(FineUI控件)
L
Lohrmann on Cybersecurity
T
Tailwind CSS Blog

jdhao's digital space

Conversion between base64 and OpenCV or PIL Image 腾讯云对象存储博客图床开启 CDN 加速(不需要购买额外域名) Search and Replace in Multiple Files in Vim/Neovim Change Table Column Width in LaTeX Image or Table Side by Side in LaTeX LaTeX 并排显示图像或表格 Firenvim: Neovim inside Your Browser Content inside HTML tags missing in Latest Hugo? Creating Markdown Front Matter with Ultisnips Labelme JSON 标注格式转 voc XML 格式 Nifty Nvim Techniques That Make My Life Easier -- Series 6 macOS 下如何为视频制作字幕 Running Command Asynchronously inside Neovim Resolving Merge Conflict after Git Stash Pop Pylint: command not found? A Hands-on Experience with Neovim's Built-in LSP Support How to Convert PDF to Images with Imagemagick 互联网上常用缩略语集锦 File Backup in Neovim Converting PDF Pages to Images with Poppler Nifty Nvim Techniques That Make My Life Easier -- Series 5 Neovim Configuration for System-wide Use How to sort a list of tuple or list in Python -- lambda or itemgetter? Building A Vim Statusline from Scratch 人类第一颗原子弹爆炸始末 Distributed Training in PyTorch with Horovod Learning Expect Programming Nifty LaTeX Techniques -- Series 1 更改 Adsense 邮寄地址,重新寄送 PIN Mintty Tips and Configurations Generating Table of Contents for Markdown with Tagbar Convert Python Script to Exe on Windows with Pyinstaller Ubuntu on Windows Missing after Windows Update 使用代理加速 Mac 终端下载速度 My Experience with Several Zsh Plugin Managers 深圳租房小记 How to Install zplug inside Docker Container Why don't settings inside bashrc or bash_profile take effect? Setting Up Locale in Linux 谷歌 Adsense 申请及在 Hugo 中的配置 How to Write Algorithm Pseudo Code in LaTeX Nifty Nvim Techniques That Make My Life Easier -- Series 4 A Few Grammar Questions in Writing How to Read and Write Images with Unicode Paths in OpenCV Creating A Professional Table in LaTeX with booktabs How to Create Proper Folding for Vim/Nvim Configuration Linux Tips and Tricks -- s1 JPEG Image Orientation and Exif How Do I Show the Current File Path In Neovim? JPEG Image Quality in PIL Difference between view, reshape, transpose and permute in PyTorch Convert PIL or OpenCV Image to Bytes without Saving to Disk Fast Movement and Navigation Inside Vim or Neovim Unintuitive Behaviour of Case Sensitivity in Python glob Binding Keys in Zsh 几把机械键盘试用体验 Nvim Autocompletion with Deoplete Converting Markdown to Beautiful PDF with Pandoc Exclusive and Inclusive Motion in Neovim/Vim Nifty Nvim Techniques Which Make My Life Easier -- Series 3 Why Doesn't Jedi Autocompletion Work for Some Methods Vim-like Editing inside Browser Markdown 生成 HTML 时汉字之间出现多余空格问题 小米 9 安装谷歌商店(Google Play Store)与相关配置 Create Mappings That Take A Count in Neovim Spell Checking in Nvim English Words Completion inside Neovim/Vim How to Use Python Inside Vim Script with Neovim Nifty Little Nvim Techniques to Make My Life Easier -- Series 2 Setting up Ultisnips for Neovim Mac 上罗技 M590 鼠标设置 Nifty Little Nvim Techniques to Make My Life Easier -- Series 1 A Complete Guide on Writing LaTeX with Vimtex in Neovim Manipulating Images with Alpha Channels in Pillow Sublime Text Regular Expression Cheat Sheet Cropping Rotated Rectangles from Image with OpenCV Boosting Your Productivity on Terminal with Zsh and Plugins 最新版 Rime 输入法使用 (2022 更新) Display Image with Pillow inside Ubuntu on Windows Faster Directory Navigation with z.lua Cmder Advanced Configurations Nvim-qt Settings on Windows 10 Tmux Plugin Install and Management How to Debug Python Code in Terminal Markdown Writing and Previewing in Neovim -- A Complete Guide Line Number Settings for More Efficient Movement in Neovim 两个大规模中文语料库介绍以及处理 Windows 系统下几款程序员不可不用的神器 我的 2018 阅读清单 A Complete Guide to Neovim Configuration for Python Development How Is Newline Handled in Python and Various Editors? Two Issues Related to ImageFont Module in PIL 在 Listary 中调用 GoldenDict 或欧路词典查单词 Reading and Writing Text Files on Windows The Mathematics behind Font Shapes --- Bézier Curves and More 快速识别图片字体:字体识别工具介绍 Deoplete Failed to Load at Startup after Updating Python neovim Package What Is The Difference between pip, pip3 and pip3.6 Shipped with Anaconda3? Windows 10 系统下 Neovim 安装与配置 How to Use shutil.move() on Windows and Linux
Essential Knowledge about SSH
2019-10-27 · via jdhao's digital space

Although I use SSH (secure shell) every day, I seem to know little about it except the fact that I can use ssh command to log into my remote servers. Recently, I found myself some time to learn how does it work.

Preliminary knowledge#

Fingerprint#

In computing, a fingerprint is a shorter sequence representation of a longer message which can be used to identified the original message. For example, in SSH, when you connect to the server, you will get the server public key fingerprint. Then you can compare the fingerprint you have received with the real server fingerprint (e.g., you may have obtained the server public key fingerprint by contacting the administrator) to make sure that you are not being attacked by hackers and connecting the wrong server.

Cryptographic hash function#

To produce such a fingerprint and ensure security, we need to use cryptographic hash functions. A cryptographic hash functions has good properties. It makes sure that same message always produce the same output and different messages produce different output. It also makes sure that you can not deduce the original message from the output. These good properties make it suitable for authentification purposes. You may have probably used it before when you check the integrity of files using md5sum or similar tools.

MD5 and SHA1 are different hash function algorithms to generate a fingerprint. The complete list of hash functions can be found here.

SSH to a server#

Two ways to log in a server when using SSH:

  • use your user name and password
  • use ssh public key authentification

Server public key verification#

When we first log in a server, we will be prompted that the authenticity of the server can not established, and we are shown the fingerprint of the server’s public key. The typical message is like the following:

The authenticity of host 'xxx.xx.xx.xx (xx.xx.xx.xx)' can't be established.
ECDSA key fingerprint is SHA256:zJsEufeAsutfxsZH990Sq7asIBnJvz6B9N63g0/Rx5w.
Are you sure you want to continue connecting (yes/no/[fingerprint])?

In the above message, ECDSA is a type of signature algorithm used to verify the identity of the two sides of a communication. Other signature algorithms include DSA, RSA and ED25519.

To make sure that the public key of the server is true, you have to check via other methods. For example, if you have access to the server in other more secure ways, you can check the fingerprint of the server’s ECDSA public key2 with SHA hash function using the following command:

ssh-keygen -lf -E sha256 /etc/ssh/ssh_host_ecdsa_key.pub

If you want to check the fingerprint of the server in MD5 format, use the following command instead:

# MD5
ssh-keygen -E md5 -lf <fileName>

Then you can compare the fingerprint of the server public key against the fingerprint you have received. If the two fingerprints match, you are actually logging to the right server. Otherwise, you may be under attack by hacker (see man-in-the-middle-attack ).

If you have verified the identity of the new server and choose to connect, the server’s IP and public key will be stored in the file .ssh/known_hosts3 under your HOME directory. The next time you connect to the server, the server’s public key will be compared with the public key stored in known_hosts to make sure that your connection to the server is secure.

Usually you will encounter the unauthorized warning the first time you log in a server. If you encounter the warning the second time, it may be that the server has changed its public key or you are under attack.

Set up public key login#

As stated earlier, we can also set up public key login. First, we need to generate a private and public key pair using ssh-keygen. We can use -t to specify the type of key to create, e.g., dsa, ecdsa, rsa. We can use the following command to generate a ecdsa key pair:

It will prompt you to enter a key file name and the passphrase for the private key. You can press Enter to use the default values. The key pair will be created under $HOME/.ssh. The private key file is id_ecdsa and the public key file is id_ecdsa.pub. You must keep your private key safe. The public key can be safely shown to others.

Transfer your public key to server#

To enable host public key login, you must put your public key under the $HOME/.ssh directory in the remote server. There are two ways.

  • Copy public key manually: Copy the content of the public key. Log in to your server and paste the public key to the file $HOME/.ssh/authorized_keys (if this file does not exist, create the file first.).

  • Use ssh-copy-id: In some systems, there is tool called ssh-copy-id which an copy the content of the public key to $HOME/.ssh/authorized_keys in the host server. You can use the following command to copy the public key to the server:

login to the server#

After setting up public key login, you can log in to the server without using password:

The server will verify if the public key under user’s directory corresponds your private key. If they match, you will log in to the server automatically.

References#