A top-down introduction to SSH and how it enables secure data sharing

news/2024/7/2 14:55:58

by Sam Ollason

This article will take a high-level and top-down approach to explain how SSH works and how it is used for securely communicating with remote computers.

We will look at how an SSH session is actually ‘secure’ and how computers establish and set up an SSH session in the first place. We will also look at the benefits of using SSH.

Note: This is intended as future notes to myself, but I hope you learn something from it too!

What is SSH?

SSH is short for ‘secure shell’. It is a protocol for sharing data between two computers over the internet.

A protocol is essentially a set of rules that define the language that computers can use to communicate.

Typically, the two computers involved are your computer (the ‘client’) and a remote server (the ‘host’).

Why do we care?

Secure communications between computers

Whenever two computers communicate over the internet we want to be sure that our messages can’t be intercepted and understood by anyone listening to the messages.

Imagine sending your bank details over the internet to buy something online. If your messages weren’t encrypted, then any computer that was listening or any computer that received the messages to pass onwards may be able to see your account number and your password. That isn’t good!

I believe this is an important concept to understand for anyone who aspires to work with web technologies.

Secure access to remote computers

Using SSH key-pairs for authentication is more secure than using a password. We will explore how this works below.

How is SSH secure?

SSH is a secure way of sending communications between two computers.

By ‘secure’, I mean a way of encoding the messages on a client computer such that the only other computer that can decode the messages and understand them is the host. This encoding/decoding is called encryption, so what we really mean here is SSH is secure because it uses an encrypted communication channel.

How is an SSH session established?

There are several processes that need to happen between two computers in order for an SSH session to begin.

  1. First we need a way of setting up a secure method of exchanging messages between the computers. We need to set up an encrypted channel.

  2. We need a way of checking that the data received by the host hasn’t been tampered with. This is called verification and here we are verifying the integrity of the data that is sent by the client.

  3. Verification (again). We need a way of checking that the computer we are communicating with isn’t an imposter. This is another form of verification but here we are verifying the identity of the computer.

After these three steps, we can now communicate securely with a remote computer.

After these steps, we can share ‘secret’ data securely and we can also check if a client has permission to access a host in a more secure way than using a password. This process is called authentication using asymmetric encryption.

Each of these sections below will go into more detail on these steps.

Setting up an encrypted channel

A core part of the SSH protocol is that it is secure (it is even in the name!), meaning all information that is sent using SSH is encrypted.

How does this information get encrypted?

Encrypting essentially just means ‘jumbling up the letters’ using some clever maths. Both computers need to have a way of encrypting the information so that only the other computer can decrypt the information and understand it.

How does this work?

Both computers have an identical version of a symmetric key. The symmetric key is just a string of letters stored somewhere on the computers. The computers can use the symmetric keys to encrypt and also decrypt messages sent to them.

Using this symmetric key approach is called symmetric encryption. The ‘symmetric’ part comes from the fact the symmetric key on each computer is identical. This approach works really well … but it only works as long as no other computers have access to the symmetric key.

A problem

How do both computers know what the symmetric key is?

One computer could create it and send it in a message over the internet. But the messages wouldn’t be encrypted yet, so anyone intercepting the messages would instantly have the symmetric key … and can decrypt all future communications. That’s bad!

This is sometimes called the ‘key-exchange’ problem. It is clear that we need to add another step in the process before we can use symmetric keys.

A solution

A solution to the ‘key-exchange’ problem above is that both computers share some public information with each other (it is ‘public’ meaning they don’t mind if anyone intercepts it) and combine this with some information on their own computer to independently create identical symmetric keys.

These symmetric keys can then be used in symmetric encryption in the way outlined above.

How this works

Both computers each have their own private key and public key. Together they form a key-pair. The computers share their public keys with each other over the internet. So, at this point in the process each computer knows

  • its own private key,
  • its own public key,
  • and the other computer’s public key.

Generating Symmetric Keys

Both computers then use these 3 pieces of information to independently generate an identical symmetric key.

Each computer uses a mathematical algorithm which uses the 3 inputs mentioned above. This algorithm is part of the Diffie-Hellman key exchange algorithm. The algorithm that will be executed on each computer is something like this:

Host:
    pub_2 = other computer's public key
    pub_1 = my public key
    pri_1 = my private key
    f(pub_2, pub_1, pri_1) = abcdefg // Symmetric Key

Client:
    f(pub_1, pub_2, pri_2) = abcdefg // Symmetric Key

The important thing to take away here is that computers have shared only public information over the internet but have still been able to create symmetric keys!

The approach of using key-pairs and sharing public information to generate identical symmetric keys is called asymmetric encryption. It is called ‘asymmetric’ because both computers start off with their own, different, key pairs.

So far: we have seen how to use asymmetric encryption to independently generate identical symmetric keys on both computers in a secure way (solving the key-exchange problem) and then securely exchange information between computers using symmetric keys for encryption and decryption.

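As an added example (not code from the article), here is the exchange described above carried out in Python with only the standard library: each side draws a key-pair, only the public halves cross the wire, and both sides derive the same 32-byte symmetric key while a listener holding just the two public values does not. The group parameters P and G are toy values constructed for this example, not what a real SSH client negotiates.

```python
import hashlib
import secrets

# Toy group constructed for this example: a Mersenne prime and a small generator.
# Real SSH clients use standardised groups or curves (e.g. curve25519-sha256),
# never hand-picked parameters like these.
P = 2**127 - 1
G = 5


def make_key_pair():
    """Return (private, public): the private key is a random exponent and the
    public key is G raised to it mod P. Only the public half is ever sent."""
    pri = secrets.randbelow(P - 2) + 2
    return pri, pow(G, pri, P)


def derive_symmetric_key(other_pub, my_pri):
    """The article's f(pub_2, pub_1, pri_1). Plain Diffie-Hellman needs only the
    peer's public value and our own private value: both sides compute the same
    number G^(pri_1 * pri_2) mod P, which is hashed to a fixed-size 32-byte key."""
    shared = pow(other_pub, my_pri, P)
    return hashlib.sha256(shared.to_bytes(16, "big")).digest()


def exchange(host_pri=None, client_pri=None):
    """Run the exchange between a host and a client. Fixed private exponents may
    be passed to make a run reproducible; otherwise fresh random ones are drawn.
    Returns (host_key, client_key, listener_attempt)."""
    host_pri = make_key_pair()[0] if host_pri is None else host_pri
    client_pri = make_key_pair()[0] if client_pri is None else client_pri
    host_pub = pow(G, host_pri, P)
    client_pub = pow(G, client_pri, P)

    # What crosses the wire: host_pub and client_pub, and nothing else.
    host_key = derive_symmetric_key(client_pub, host_pri)    # host:   f(pub_2, ., pri_1)
    client_key = derive_symmetric_key(host_pub, client_pri)  # client: f(pub_1, ., pri_2)

    # A listener holds only the two public values. Combining them without a
    # private exponent yields G^(pri_1 + pri_2), not G^(pri_1 * pri_2).
    listener = hashlib.sha256(
        (host_pub * client_pub % P).to_bytes(16, "big")).digest()
    return host_key, client_key, listener


if __name__ == "__main__":
    h, c, e = exchange()
    print("identical symmetric keys:", h == c)      # True
    print("listener recovered the key:", e == h)   # False
```
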
Verification

So we can communicate securely. But the next part of the process of establishing an SSH session is to verify that the data hasn’t been tampered with as it has been transmitted and that the other computer is actually who it says it is.

Why do we need this?

Another computer could impersonate one of the computers and initiate the key exchange above. So how do we securely figure out that the message is actually from the other computer and not from an imposter?

Hashing

We have to use a hash function. This is just a mathematical function that takes inputs and produces a string of a fixed size.

The important feature of this function is that it is virtually impossible to work out what the inputs were just using the outputs.

After a client and a host have generated their symmetric keys, the client will use a hashing function to generate an HMAC. This just stands for “hash-based message authentication code”. This is just another string of characters/numbers. The client will send this HMAC to the server for verification.

The ingredients to the hashing function are

  • The symmetric key on the client
  • The package sequence number (each message that is sent is contained in a ‘package’ of information)
  • The (encrypted!!!) message contents

An example with fake data:

symm_key       = abcdefg
pkge_no        = 13
encr_message   = encrypted_password
Hash(symm_key, pkge_no, encr_message) = *HMAC* // Hashed value

How does the host use this information?

When the host receives the HMAC, it can use the same hash function with these three ingredients:

  • its own copy of the (identical!) symmetric key,
  • the package sequence number,
  • and the encrypted message.

If the hashed value it computes is the same as the HMAC it received from the client, then we have verified that the connecting computer is the same as the computer who has the symmetric key.

Remember that only the host and client know what the symmetric key is and no other computers do!

So here it doesn’t matter that the host doesn’t know the decoded contents of the encrypted message — the host has still verified the identity of the connecting computer!

The beauty of this approach is that we have not just verified the identity of the client and made sure that the data hasn’t been tampered with, but we have done so securely (without sharing any private information).

Summary: we used a hash function on the client and then on the host to verify data integrity and verify the identity of the client.

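The client-side computation and the host-side check above, as an added example in Python (not the article's code). The symmetric key, sequence number and ciphertext are constructed sample values standing in for the article's abcdefg, 13 and encrypted_password; the host compares with hmac.compare_digest so a mismatch cannot be spotted by timing, and the demo shows what the sequence number buys.

```python
import hashlib
import hmac

# Constructed sample values standing in for the article's example.
SYMM_KEY = hashlib.sha256(b"constructed demo key").digest()  # "abcdefg" in the text
PKGE_NO = 13
ENCR_MESSAGE = b"encrypted_password"  # stands in for the ciphertext bytes


def make_mac(symm_key, pkge_no, encr_message):
    """Client side: HMAC-SHA256 keyed with the shared symmetric key over the
    4-byte big-endian sequence number followed by the encrypted message."""
    data = pkge_no.to_bytes(4, "big") + encr_message
    return hmac.new(symm_key, data, hashlib.sha256).digest()


def host_verify(symm_key, pkge_no, encr_message, received_mac):
    """Host side: recompute with its own copy of the key and compare in
    constant time. The host never needs the decrypted contents for this."""
    expected = make_mac(symm_key, pkge_no, encr_message)
    return hmac.compare_digest(expected, received_mac)


def demo():
    """Return (genuine, tampered, reordered, wrong_key) verification results."""
    mac = make_mac(SYMM_KEY, PKGE_NO, ENCR_MESSAGE)
    genuine = host_verify(SYMM_KEY, PKGE_NO, ENCR_MESSAGE, mac)
    # One byte of ciphertext changed in transit: integrity check fails.
    tampered = host_verify(SYMM_KEY, PKGE_NO, ENCR_MESSAGE[:-1] + b"X", mac)
    # The same packet presented under a different sequence number (replayed
    # or reordered): the MAC no longer matches because the number is an input.
    reordered = host_verify(SYMM_KEY, PKGE_NO + 1, ENCR_MESSAGE, mac)
    # A third party who never learned the symmetric key cannot produce a
    # matching MAC, so the host also learns who it is talking to.
    wrong_key = host_verify(b"\x00" * 32, PKGE_NO, ENCR_MESSAGE, mac)
    return genuine, tampered, reordered, wrong_key


if __name__ == "__main__":
    print(demo())  # (True, False, False, False)
```
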
Authentication

The final part of the securely communicating with remote computers is:

even if we have generated symmetric keys with the connecting computer and

even if we are using the symmetric keys to communicate securely and

even if the connecting computer is genuinely the client we expect and not an imposter,

then we have set up an SSH session … but does the connecting computer have permission to access the contents of the host?

This is called ‘authentication’: the act of checking permissions and access rights.

There are two ways of checking authentication:

1—Using a password

The client can send the host an (encrypted) message containing a password. The host can decrypt the message and check the password in a database to check if the client has permission to access the specified ‘user’ (area of the computer). Job done.

2 — Using key-pairs and asymmetric encryption

Earlier, we saw how asymmetric encryption can use two key-pairs to securely generate identical symmetric keys on both the client and the host. Using similar ideas, the client can log in without a password.

This is a very high-level view of how the process works:

Setting up:

On the client, head to the terminal and use a command to generate a public key and a private key (under the surface it uses ‘RSA’, a mathematical algorithm) on the client. Copy the public key (NOT the private key!) to the clipboard.

I repeat: Copy the PUBLIC key (NOT THE PRIVATE KEY!) to the clipboard.

Then, in the terminal on the client, use a password to remotely log in to the host. Paste the public key of the client into the appropriate folder on the host alongside any other public keys.

Now, the host has

  • its own public/private key-pair
  • the public key of the client

Looking at the section above on the key-exchange algorithm, you can see how the host has all the ingredients it needs to generate a symmetric key!

Challenging:

When the client wants to connect, the host can issue a ‘challenge’ by sending a message that has been encrypted (with the host’s symmetric key) and say: ‘I will only authorise you access if you can decrypt this message!’.

The client then has

  • its own public and private key
  • the public key of the host
  • the encrypted message

So now the client has everything needed to generate an (identical) symmetric key … and decrypt the message! It can decrypt the message and send confirmation that it has ‘succeeded’ in the challenge back to the host.

The host is satisfied that the connecting client is authorised and grants permission for access.

Why bother using the second approach?

This is seen as more secure than simply using a password because a bot can use a ‘brute force’ approach to keep trying lots of combinations to guess your password, but it will not have the right key-pairs for the second approach to work.

Further reading:

SSH Tutorial for Beginners - How Does SSH Work (www.hostinger.com): SSH, or Secure Shell, is a remote administration protocol that allows users to control and modify their remote servers…

https://www.udemy.com/the-complete-junior-to-senior-web-developer-roadmap/

Conclusion

SSH is an important tool used to remotely control other computers.

SSH is secure because both computers can encrypt and decrypt messages using identical symmetric keys (known as ‘symmetric encryption’).

The main steps to initiate an SSH session are:

  1. Setting up an encrypted channel. Using asymmetric encryption to solve the key-exchange problem, which independently generates identical symmetric keys on both computers without sharing any private information.

  2. Verification: Using hashing on both computers to verify the identity of the connecting computer.

  3. Verification (again). Using hashing on both computers to verify data integrity hasn’t been compromised in transmission.

We can then use SSH to securely send data between the computers. One important use case of this is for authentication. Although you can use a password, using asymmetric encryption to check the connecting ‘client’ has permission to access the ‘host’ is seen as more secure.

If you are interested in leveling up your SSH, I seriously recommend this course. I found it really useful to sharpen up some of my skills! (disclaimer: I have no links or ties to the author or the platform. I took the course a while ago and found it really good!)

Thanks for reading!

Translated from: https://www.freecodecamp.org/news/a-top-down-introduction-to-ssh-965f4fadd32e/

http://lihuaxi.xjx100.cn/news/238357.html
