{"id":15917,"date":"2020-02-25T08:42:05","date_gmt":"2020-02-25T01:42:05","guid":{"rendered":"https:\/\/blog.tinohost.com\/?p=3132"},"modified":"2023-10-27T09:11:07","modified_gmt":"2023-10-27T02:11:07","slug":"ssh-la-gi","status":"publish","type":"post","link":"https:\/\/tino.vn\/blog\/ssh-la-gi\/","title":{"rendered":"What is SSH? How to use SSH for beginners"},"content":{"rendered":"\n<h2 id=\"SSH_l\u00e0_g\u00ec\"><span id=\"SSH-la-gi\">What is SSH<\/span><\/h2>\n\n\n\n<p>SSH, also called <strong>Secure Shell<\/strong>, is a remote administration protocol that lets users control and modify remote servers over the Internet. The service was created as a replacement for <a href=\"https:\/\/tino.vn\/blog\/telnet-la-gi\/\" data-type=\"post\" data-id=\"8764\">Telnet<\/a>, which is unencrypted, and it uses cryptographic techniques to ensure that all communication to and from the remote server is encrypted. It provides a mechanism for authenticating a remote user, transferring input from the client to the <a href=\"https:\/\/tino.vn\/blog\/hosting-la-gi\/\" data-type=\"post\" data-id=\"53418\">host<\/a>, and relaying the output back to the client.<br>The figure below shows a typical SSH window on Windows. 
Any <a href=\"https:\/\/tino.vn\/blog\/he-dieu-hanh-linux-la-gi\/\" data-type=\"post\" data-id=\"15676\">Linux<\/a> or <a href=\"https:\/\/tino.vn\/blog\/he-dieu-hanh-mac-os-la-gi\/\" data-type=\"post\" data-id=\"74217\">macOS<\/a> user can SSH into a remote server directly from the <a href=\"https:\/\/tino.vn\/blog\/windows-terminal-la-gi\/\" data-type=\"post\" data-id=\"37365\">terminal<\/a> window. Windows users can use SSH clients such as <a href=\"https:\/\/tino.vn\/blog\/putty-la-gi\/\" data-type=\"post\" data-id=\"44880\">PuTTY<\/a>. You can run shell commands just as if you were operating the physical machine.<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img decoding=\"async\" width=\"1024\" height=\"576\" src=\"https:\/\/tino.vn\/blog\/wp-content\/uploads\/2023\/10\/image-1-1024x576.png\" alt=\"ssh-la-gi\" class=\"wp-image-78134\" title=\"\" srcset=\"https:\/\/tino.vn\/blog\/wp-content\/uploads\/2023\/10\/image-1-1024x576.png 1024w, https:\/\/tino.vn\/blog\/wp-content\/uploads\/2023\/10\/image-1-300x169.png 300w, https:\/\/tino.vn\/blog\/wp-content\/uploads\/2023\/10\/image-1-768x432.png 768w, https:\/\/tino.vn\/blog\/wp-content\/uploads\/2023\/10\/image-1-1536x864.png 1536w, https:\/\/tino.vn\/blog\/wp-content\/uploads\/2023\/10\/image-1-2048x1152.png 2048w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n<\/div>\n\n\n<p>Now that you know what SSH is, let's look at how SSH works, along with the technologies used to keep remote connections secure. 
It consists of several layers and types of encryption, depending on the purpose of each layer.<\/p>\n\n\n\n<div class=\"code-block code-block-3\">&nbsp;<\/div>\n\n\n\n<h2 id=\"SSH_ho\u1ea1t_\u0111\u1ed9ng_nh\u01b0_th\u1ebf_n\u00e0o\"><span id=\"SSH-hoat-dong-nhu-the-nao\"><span id=\"How-Does-SSH-Work\">How SSH works<br><\/span><\/span><\/h2>\n\n\n\n<p>To understand what SSH is, you first need to know how it works. If you are using Linux or Mac, using SSH is very simple. If you use Windows, you only need an SSH client to open SSH connections. A popular SSH client is PuTTY; you can read more about it here.<br>Mac and Linux users should open the <strong>terminal<\/strong> and follow the instructions below:<br>The SSH command has 3 parts:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">ssh {user}@{host}<\/pre>\n\n\n\n<p>The ssh command itself tells the system that you want to open an encrypted Secure Shell connection. <strong>{user}<\/strong> represents the user account you want to log in with. For example, if you want to log in as the <strong>root<\/strong> user, put root here. 
The root user is the system administrator account, with full rights to modify anything on the system. <strong>{host}<\/strong> represents the computer you want to access. It can be an IP address <strong>(for example 244.235.23.19)<\/strong> or a domain name (for example, www.xyzdomain.com).<br>When you press Enter, you will be asked for the password of that account. Nothing appears on the screen as you type, but if you enter the correct password and press Enter, you will be logged in to the system and see a message confirming the successful login.<br>If you want to learn more about the SSH command, see the reference here.<\/p>\n\n\n\n<h2 id=\"Hi\u1ec3u_v\u1ec1_nhi\u1ec1u_k\u1ef9_thu\u1eadt_m\u00e3_h\u00f3a_kh\u00e1c_nhau\"><span id=\"Hieu-ve-nhieu-ky-thuat-ma-hoa-khac-nhau\"><span id=\"Understanding-Different-Encryption-Techniques\"><strong>Understanding the different encryption techniques<\/strong><\/span><\/span><\/h2>\n\n\n\n<p>The advantage that sets SSH apart from older protocols is its ability to encrypt data and transfer it securely between the host and the client. The <strong>host<\/strong> is the remote server you want to connect to, and the <strong>client<\/strong> is your own computer, which you use to access the host. 
There are 3 different encryption techniques used by SSH:<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li>Symmetrical encryption<\/li>\n\n\n\n<li>Asymmetrical encryption<\/li>\n\n\n\n<li>Hashing.<\/li>\n<\/ol>\n\n\n\n<h3 id=\"Symmetric_Encryption\"><strong>Symmetric Encryption<\/strong><\/h3>\n\n\n\n<p>Symmetric encryption is a form of encryption in which a single <strong>secret key<\/strong> is used by both the host and the client to encrypt and to decrypt messages. This means that anyone who holds the key can decrypt the messages in transit.<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img decoding=\"async\" width=\"800\" height=\"480\" src=\"https:\/\/tino.vn\/blog\/wp-content\/uploads\/2023\/10\/image-2.png\" alt=\"ssh-la-gi\" class=\"wp-image-78136\" title=\"\" srcset=\"https:\/\/tino.vn\/blog\/wp-content\/uploads\/2023\/10\/image-2.png 800w, https:\/\/tino.vn\/blog\/wp-content\/uploads\/2023\/10\/image-2-300x180.png 300w, https:\/\/tino.vn\/blog\/wp-content\/uploads\/2023\/10\/image-2-768x461.png 768w\" sizes=\"(max-width: 800px) 100vw, 800px\" \/><\/figure>\n<\/div>\n\n\n<p>Symmetric encryption is often called <strong>shared key<\/strong> or <strong>shared secret<\/strong> encryption. 
This is because a single key is used, or a pair of keys in which one key can be calculated from the other.<br>Symmetric keys are used to encrypt all communication during an SSH session. The client and the server jointly derive a secret key through an agreed method, and that key is never disclosed to a third party. The process of creating the symmetric key is carried out by a <strong>key exchange algorithm<\/strong>.<br>What makes this algorithm secure is that the key is never transmitted between the client and the host. Instead, the two computers share public pieces of data and then use them to calculate the secret key independently. Even if another machine captures the shared data, it cannot calculate the secret key because it does not know the key generation algorithm.<br>It must also be noted, however, that the secret token is specific to a given SSH session and is generated by the client's authentication. Once the key has been generated, all packets travelling between the two machines must be encrypted with the private key. 
This encryption also covers the password typed in by the user, so the password is protected from \u201cpacket sniffers\u201d on the network.<br>A number of symmetric encryption ciphers exist, including, but not limited to, AES (Advanced Encryption Standard), CAST128, Blowfish, etc. Before establishing a secure connection, the client and the host agree on which cipher to use by publishing their lists of supported ciphers. The client's most preferred cipher that also appears in the host's list is used as the bidirectional cipher.<br>For example, if two Ubuntu 14.04 LTS machines communicate with each other over SSH, they will use <strong>aes128-ctr<\/strong> as the default cipher.<\/p>\n\n\n\n<h3 id=\"Asymmetric_Encryption\"><strong>Asymmetric Encryption<\/strong><\/h3>\n\n\n\n<p>Unlike symmetric encryption, asymmetric encryption uses 2 different keys for encryption and decryption. These 2 keys are known as the <strong>public key<\/strong> and the <strong>private key<\/strong>. 
Together they form a <strong>public-private key pair<\/strong>.<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img decoding=\"async\" width=\"796\" height=\"435\" src=\"https:\/\/tino.vn\/blog\/wp-content\/uploads\/2023\/10\/image-3.png\" alt=\"ssh-la-gi\" class=\"wp-image-78137\" title=\"\" srcset=\"https:\/\/tino.vn\/blog\/wp-content\/uploads\/2023\/10\/image-3.png 796w, https:\/\/tino.vn\/blog\/wp-content\/uploads\/2023\/10\/image-3-300x164.png 300w, https:\/\/tino.vn\/blog\/wp-content\/uploads\/2023\/10\/image-3-768x420.png 768w\" sizes=\"(max-width: 796px) 100vw, 796px\" \/><\/figure>\n<\/div>\n\n\n<p>The public key, as its name suggests, is openly shared with all parties involved. Although it is closely linked to the private key in terms of function, the private key cannot be computed from the public key. The relationship between the two is complex: a message encrypted with a machine's public key can only be decrypted with that same machine's private key. This one-way relationship means that the public key cannot decrypt its own messages, nor can it decrypt anything encrypted with the private key.<br>The private key must always be kept secure; that is, for the connection to be secure, no third party may ever know it. 
The strength of the whole connection depends on the private key never being disclosed, because it is the only component capable of decrypting messages that were encrypted with the public key. Therefore, any party able to decrypt a message signed with the public key is thereby shown to hold the corresponding private key.<br>Contrary to common belief, asymmetric encryption is not used to encrypt the entire SSH session. Instead, it is only used during the key exchange algorithm of symmetric encryption. Before a secure session starts, both parties agree to generate a temporary public-private key pair and share their private keys to produce the shared secret key.<br>Once the secure symmetric connection has been established, the server uses the client's public key to generate a challenge and sends it to the client for authentication. If the client can decrypt the message, it holds the correct private key required for the connection. 
The SSH session then begins.<\/p>\n\n\n\n<h3 id=\"Hashing\"><strong>Hashing<\/strong><\/h3>\n\n\n\n<p>One-way hashing is another form of cryptography used in Secure Shell connections. One-way hashes differ from the two forms of encryption above in that they are never meant to be decrypted. They generate a unique, fixed-length value for each input, with no discernible pattern that could be exploited. This makes them practically impossible to reverse.<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img decoding=\"async\" width=\"1024\" height=\"523\" src=\"https:\/\/tino.vn\/blog\/wp-content\/uploads\/2023\/10\/image-4-1024x523.png\" alt=\"ssh-la-gi\" class=\"wp-image-78138\" title=\"\" srcset=\"https:\/\/tino.vn\/blog\/wp-content\/uploads\/2023\/10\/image-4-1024x523.png 1024w, https:\/\/tino.vn\/blog\/wp-content\/uploads\/2023\/10\/image-4-300x153.png 300w, https:\/\/tino.vn\/blog\/wp-content\/uploads\/2023\/10\/image-4-768x392.png 768w, https:\/\/tino.vn\/blog\/wp-content\/uploads\/2023\/10\/image-4.png 1200w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n<\/div>\n\n\n<p>It is easy to generate a cryptographic hash from a given input, but it is not possible to recover that input from the hash. 
This means that if a client holds the correct input, it can generate the same cryptographic hash and compare it with the value at the other end to confirm that both parties used the same input.<br>SSH uses hashes to verify the authenticity of messages. This is done with HMACs, or <strong>H<\/strong>ash-based <strong>M<\/strong>essage <strong>A<\/strong>uthentication <strong>C<\/strong>odes. This ensures that a command cannot be tampered with by any means.<br>While the symmetric encryption algorithm is being selected, a suitable message authentication algorithm is selected as well. This works in the same way as the cipher selection explained above in the symmetric encryption section.<br>Every message that is transmitted must contain a MAC, which is calculated from the symmetric key, the packet sequence number, and the message contents. 
The MAC is sent outside the symmetrically encrypted data, as part of the communication packet.<\/p>\n\n\n\n<h2 id=\"SSH_x\u1eed_l\u00fd_nh\u01b0_th\u1ebf_n\u00e0o_v\u1edbi_nh\u1eefng_k\u1ef9_thu\u1eadt_n\u00e0y\"><span id=\"SSH-xu-ly-nhu-the-nao-voi-nhung-ky-thuat-nay\"><span id=\"How-Does-SSH-Work-with-These-Encryption-Techniques\"><strong>How SSH works with these techniques<\/strong><\/span><\/span><\/h2>\n\n\n\n<p>Now that you know what SSH is and which kinds of encryption it relies on, let's move on to how it operates. SSH uses a client-server model that allows two remote machines to authenticate securely and encrypts the data passed between them.<br>SSH runs on TCP port 22 by default (this can be changed if needed). The host (server) listens on port 22 (or whichever port SSH has been assigned to) for incoming connections. 
It sets up the secure connection once the client has been authenticated successfully and the shell environment has been opened.<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img decoding=\"async\" width=\"626\" height=\"417\" src=\"https:\/\/tino.vn\/blog\/wp-content\/uploads\/2023\/10\/image-5.png\" alt=\"ssh-la-gi\" class=\"wp-image-78139\" title=\"\" srcset=\"https:\/\/tino.vn\/blog\/wp-content\/uploads\/2023\/10\/image-5.png 626w, https:\/\/tino.vn\/blog\/wp-content\/uploads\/2023\/10\/image-5-300x200.png 300w\" sizes=\"(max-width: 626px) 100vw, 626px\" \/><\/figure>\n<\/div>\n\n\n<p>The client must start the SSH connection by initiating a TCP handshake with the server, ensuring that a symmetric connection can be established, verifying that the server's identity matches previously recorded data (typically kept in an RSA key store file), and presenting the connecting user's login credentials so the connection can be authenticated.<br>Establishing a connection has 2 stages: first, both parties agree on the encryption standards that will protect future communication; second, the user must be authenticated. 
If the login credentials match, the user is granted access.<\/p>\n\n\n\n<h3 id=\"Session_Encryption_Negotiation\"><strong>Session Encryption Negotiation<\/strong><\/h3>\n\n\n\n<p>When a client tries to connect to the server over TCP, the server presents the encryption protocols and the respective versions it supports. If the client has a matching protocol and version, an agreement is reached and the connection starts using the accepted protocol. The server also uses a symmetric public key that the client can use to verify the authenticity of the server.<br>Once this is established, the two parties use an algorithm known as the <a href=\"https:\/\/en.wikipedia.org\/wiki\/Diffie%E2%80%93Hellman_key_exchange\" target=\"_blank\" rel=\"noopener nofollow external noreferrer\" data-wpel-link=\"external\">Diffie-Hellman Key Exchange Algorithm<\/a> to create the symmetric key. This algorithm allows both the client and the server to arrive at the same shared key, which is used to encrypt all subsequent communication.<br>Here is how the algorithm works at a basic level:<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li>Both the client and the server agree on a large integer, which of course has no common factors. 
This number is called the <strong>seed value<\/strong>.<\/li>\n\n\n\n<li>Next, the two parties agree on an encryption mechanism that derives values from the seed value using a specific algorithm. These mechanisms are encryption generators, which perform large operations on the seed value. An example of such a generator is AES (Advanced Encryption Standard).<\/li>\n\n\n\n<li>Both parties independently generate another number. It is used as a secret private key for the interaction.<\/li>\n\n\n\n<li>This newly generated private key, together with the shared number and the encryption algorithm above (AES), is used to compute a public key that is distributed to the other machine.<\/li>\n\n\n\n<li>Each party then uses its own private key, the other machine's public key, and the original integer to compute a final shared key. This key is computed independently by the two machines, but it results in the same encryption key on both sides.<\/li>\n\n\n\n<li>Now that both sides have a shared key, they can symmetrically encrypt the entire SSH session. 
The same shared key is used to encrypt and decrypt messages (see the section on symmetrical encryption).<\/li>\n<\/ol>\n\n\n\n<p>Now that the symmetrically encrypted session has been established, user authentication takes place.<\/p>\n\n\n\n<h3 id=\"Ch\u1ee9ng_th\u1ef1c_ng\u01b0\u1eddi_d\u00f9ng\"><strong>User authentication<br><\/strong><\/h3>\n\n\n\n<p>The final step before the user is granted access to the server is verifying the login credentials. For this, most SSH users use a password. The user is asked to enter a username, followed by the password. These credentials pass securely through the symmetrically encrypted tunnel, so there is no way for a third party to capture them.<br>Even though the password is encrypted, we still do not recommend using passwords to establish connections. The reason is that default or easy-to-guess passwords can be found through brute force attacks, and your account will then be taken over. 
For that reason, the best approach is to use SSH Key Pairs.<br>These are a set of asymmetric keys used to authenticate the user without requiring a password to be entered.<\/p>\n\n\n\n<h2 id=\"K\u1ebft_lu\u1eadn\"><span id=\"Ket-luan\"><span id=\"Conclusion\"><strong>Conclusion<br><\/strong><\/span><\/span><\/h2>\n\n\n\n<p>A clear understanding of what SSH is and how it works can help you understand security technology better. Most people think this process is complicated and impossible to grasp, but it is much simpler than they expect. If you are wondering how long it takes a computer to calculate a hash and authenticate a user, in practice it takes less than a second. Most of the time spent on the Internet goes to transferring data between remote machines.<br>We hope this SSH tutorial has given you a different view of the technology and shown that it is a key component in building a robust and secure system. 
For the same reason, you now understand why Telnet is a thing of the past and why SSH has taken over its place entirely.<br>For more Linux tips, have a look at our VPS tutorials section.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>What is SSH SSH, also called Secure Shell, is a remote administration protocol that lets users control and modify remote servers over the Internet. The service was created as a replacement for Telnet, which is unencrypted, and it uses cryptographic techniques to [&hellip;]<\/p>\n","protected":false},"author":4,"featured_media":78140,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[],"tags":[],"class_list":["post-15917","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry"],"_links":{"self":[{"href":"https:\/\/tino.vn\/blog\/wp-json\/wp\/v2\/posts\/15917","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/tino.vn\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/tino.vn\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/tino.vn\/blog\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"https:\/\/tino.vn\/blog\/wp-json\/wp\/v2\/comments?post=15917"}],"version-history":[{"count":0,"href":"https:\/\/tino.vn\/blog\/wp-json\/wp\/v2\/posts\/15917\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/tino.vn\/blog\/wp-json\/wp\/v2\/media\/78140"}],"wp:attachment":[{"href":"https:\/\/
tino.vn\/blog\/wp-json\/wp\/v2\/media?parent=15917"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/tino.vn\/blog\/wp-json\/wp\/v2\/categories?post=15917"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/tino.vn\/blog\/wp-json\/wp\/v2\/tags?post=15917"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}