What Happens During SSH Login

A picture is worth a thousand words

Foreword

Several years ago, in a job interview, the interviewer asked me what happens during SSH login. I didn't answer it well at the time. Now it's time to hand in an answer sheet.

First of all, SSH follows a client/server model: the client program is ssh and the server program is sshd ("d" for daemon). Most of the time we use ssh to log in to a server on which sshd is running.

Firewall

The firewall (iptables, or nftables on newer systems) filters packets in kernel space, so inbound TCP traffic to the port sshd listens on (22 by default) must be allowed before a client can even complete the TCP handshake. The usual pattern is to accept ESTABLISHED,RELATED traffic first, then accept new connections to port 22 only from the networks that should administer the host, then drop the rest; `iptables -S INPUT` (or `nft list ruleset`) shows what is actually loaded. Change these rules from a console session, not over ssh, so a mistake cannot lock you out.

sshd

sshd reads its configuration from /etc/ssh/sshd_config (or the file given with -f on the command line). Several of those settings drive the later stages of login: Port and ListenAddress decide where the listening socket is bound, and UsePAM decides whether /etc/pam.d/sshd is consulted at all. `sshd -T` prints the effective configuration after all defaults and Match blocks are applied, which is the reliable way to check what is in force.
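As an added example (constructed here, not taken from the page or from the OpenSSH defaults), the handful of sshd_config settings that the rest of this walkthrough depends on. Trailing comments are not allowed in sshd_config, so the comments sit on their own lines:

```text
# /etc/ssh/sshd_config excerpt (constructed example)
# Port and ListenAddress are what the listening socket is bound to (see Socket below)
Port 22
ListenAddress 0.0.0.0
# UsePAM no would skip /etc/pam.d/sshd entirely, including pam_access
UsePAM yes
# key-based login only; the PAM account and session stacks still run
PasswordAuthentication no
PermitRootLogin no
```

Verify the result with `sudo sshd -T | grep -iE '^(port|listenaddress|usepam|passwordauthentication) '` rather than by reading the file, since an included or distribution-supplied drop-in can override it.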

TCP Wrapper

sshd may be linked against libwrap (TCP Wrappers) to control access by client address. Upstream OpenSSH removed libwrap support in version 6.7 (2014), so whether your sshd still honours the host access files depends on the distribution's build; `ldd $(command -v sshd) | grep libwrap` shows whether it is linked in.

When a connection is made to a TCP-wrapped service, the service consults the host access files, /etc/hosts.allow and then /etc/hosts.deny, to decide whether the client may connect: access is granted on the first match in hosts.allow, refused on the first match in hosts.deny, and granted if neither file matches. Because hosts.allow wins, a permissive entry there silently overrides a blanket "sshd: ALL" in hosts.deny. The check runs after the TCP connection is accepted but before any SSH protocol exchange, so it can only act on the client's address (and reverse DNS name), not on the user name.
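To make the evaluation order concrete, here is an added illustration (my own code, not libwrap's) of the hosts.allow / hosts.deny decision for a daemon and client address. It implements only a small subset of the hosts_access(5) syntax: ALL, an exact IPv4 address, CIDR notation, and a trailing-dot network prefix. Hostnames, EXCEPT lists, wildcards and spawn/twist commands are left out. Both access files are constructed samples embedded in the block.

```python
import ipaddress

# Constructed sample of /etc/hosts.allow: permit sshd from two internal ranges.
HOSTS_ALLOW = """\
# management network and the office LAN
sshd: 10.0.0.0/8, 192.168.1.
"""

# Constructed sample of /etc/hosts.deny: refuse sshd from everywhere else.
HOSTS_DENY = """\
sshd: ALL
"""


def parse_rules(text):
    """Return a list of (daemon_list, client_list) pairs from an access file."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        daemons, clients = line.split(":", 1)     # "daemon_list : client_list"
        rules.append(([d.strip() for d in daemons.split(",")],
                      [c.strip() for c in clients.split(",")]))
    return rules


def client_matches(pattern, addr):
    """Simplified client pattern match: ALL, trailing-dot prefix, CIDR, exact address."""
    if pattern == "ALL":
        return True
    if pattern.endswith("."):                      # "192.168.1." matches 192.168.1.x
        return addr.startswith(pattern)
    if "/" in pattern:                             # "10.0.0.0/8"
        return ipaddress.ip_address(addr) in ipaddress.ip_network(pattern, strict=False)
    return addr == pattern


def rule_matches(rule, daemon, addr):
    daemons, clients = rule
    return (any(d in ("ALL", daemon) for d in daemons)
            and any(client_matches(c, addr) for c in clients))


def hosts_access(daemon, addr, allow=HOSTS_ALLOW, deny=HOSTS_DENY):
    """libwrap order: hosts.allow first (permit), then hosts.deny (refuse), else permit."""
    if any(rule_matches(r, daemon, addr) for r in parse_rules(allow)):
        return True
    if any(rule_matches(r, daemon, addr) for r in parse_rules(deny)):
        return False
    return True                                    # no match in either file: access granted


if __name__ == "__main__":
    for client in ("10.1.2.3", "192.168.1.5", "192.168.10.5", "203.0.113.9"):
        print(f"sshd from {client}: {'granted' if hosts_access('sshd', client) else 'refused'}")
```

Note the default at the end of `hosts_access`: with an empty hosts.deny the last address above is granted, which is why a "deny by default" policy needs an explicit "sshd: ALL" (or "ALL: ALL") line in hosts.deny.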

Pluggable Authentication Modules(PAM)

sshd is also linked to PAM (used when UsePAM yes is set in sshd_config) for authentication, account checks and session setup.

/etc/pam.d/sshd defines the PAM stacks for the sshd service. It generally chains several modules together across the auth, account, password and session types, and on most distributions it includes the system-wide common stacks.

e.g. pam_access.so, placed in the account stack, uses /etc/security/access.conf as its default configuration file to permit or deny logins by user, group and origin. Unlike TCP Wrappers it runs after the user name is known, so it can combine who is logging in with where from.
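As an added example (constructed, not the page's own and not any distribution's shipped file), a Debian-style /etc/pam.d/sshd that enables pam_access, followed by an access.conf that restricts who may log in over ssh. In access.conf the first matching line wins, so the deny-all line must come last:

```text
# /etc/pam.d/sshd excerpt (constructed example, Debian-style layout)
@include common-auth
account    required     pam_nologin.so
account    required     pam_access.so
@include common-account
session    required     pam_loginuid.so
@include common-session

# /etc/security/access.conf (constructed example)
# permission : users/groups : origins   -- first match wins
+ : root : 10.0.0.0/8
+ : (admins) : ALL
- : ALL : ALL
```

Because access.conf is only evaluated by services whose PAM stack includes pam_access.so, the deny-all line here affects ssh logins only, not the console. Debian ships the pam_access line commented out, so check the file rather than assuming it is active, and confirm `sshd -T | grep usepam` reports yes.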

Local Account

Accounts in /etc/passwd are local accounts: they exist only on that server, with their password hashes in /etc/shadow.

Domain Account

Accounts that reside outside the server are domain accounts. They can be stored in Windows AD, an LDAP server, etc., and are resolved through the name service switch (/etc/nsswitch.conf) by a provider such as sssd or winbind. Login usually takes longer than for a local account because user and group lookups go over the network. `getent passwd <user>` resolves an account through the same NSS path sshd uses, so it is a quick check that a domain account is visible to the host at all.

Socket

Programs talk to each other by plugging into the two endpoints of a socket. Here is an example of an IP socket, the kind sshd listens on.

❶ Create a socket with AddressFamily AF_INET (IPv4) and SocketKind SOCK_STREAM (TCP).

After creation the socket is a file descriptor of the process; /proc/<pid>/fd/<n> is a link named socket:[inode], and `ss -tlnp` shows the same listener with the owning process.

❷ Bind the socket to a local (host, port) pair; for sshd this is ListenAddress and Port.

❸ Enable the server to accept connections (listen). Each incoming connection is then taken off the queue with accept(), which returns a new socket for that client; sshd forks a child per connection, and the TCP Wrappers and PAM checks above run in that child.

One endpoint of the socket is bound to the local host:port; the other endpoint is the client's address and ephemeral port, which is what TCP Wrappers and pam_access see as the origin.
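The steps above, carried out end to end on the loopback interface, as an added example that is not code from the original page. It creates, binds and listens on an IPv4 TCP socket, reads the descriptor's entry under /proc/self/fd, accepts one connection in a thread, and connects to it as a client; the greeting line the client sends is constructed to look like an SSH identification string. Binding to port 0 lets the kernel choose a free port so the example runs anywhere (sshd would bind its configured Port instead).

```python
import os
import socket
import threading

CLIENT_HELLO = b"SSH-2.0-example-client\r\n"   # constructed: shaped like an SSH identification line


def fd_entry(sock: socket.socket):
    """Return what /proc/self/fd/<n> links to for this socket (e.g. 'socket:[12345]'), or None off Linux."""
    link = f"/proc/self/fd/{sock.fileno()}"
    return os.readlink(link) if os.path.exists(link) else None


def read_line(conn: socket.socket) -> bytes:
    """Read until CRLF or EOF; a single recv() may return a partial line."""
    buf = b""
    while not buf.endswith(b"\r\n"):
        chunk = conn.recv(1024)
        if not chunk:
            break
        buf += chunk
    return buf


def socket_lifecycle(host: str = "127.0.0.1") -> dict:
    # ❶ create: AddressFamily AF_INET (IPv4), SocketKind SOCK_STREAM (TCP)
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    result = {"fd_entry": fd_entry(listener)}
    with listener:
        # ❷ bind: port 0 asks the kernel for a free port (sshd binds ListenAddress/Port)
        listener.bind((host, 0))
        server_addr = listener.getsockname()
        # ❸ listen: mark the socket passive, queue up to 5 pending handshakes
        listener.listen(5)

        def accept_one():
            # accept: each client gets its own connected socket (sshd forks a child here)
            conn, peer = listener.accept()
            with conn:
                result["peer"] = peer
                result["received"] = read_line(conn)

        server = threading.Thread(target=accept_one, daemon=True)
        server.start()
        # the client side: an ephemeral local port connected to the bound host:port
        with socket.create_connection(server_addr) as client:
            result["client_addr"] = client.getsockname()
            client.sendall(CLIENT_HELLO)
        server.join(timeout=5)
    result["server_addr"] = server_addr
    return result


if __name__ == "__main__":
    for key, value in socket_lifecycle().items():
        print(f"{key}: {value}")
```

The peer address the server sees in accept() is exactly the client's own local address, which is the value TCP Wrappers and pam_access get to work with; nothing about the user has been exchanged at this point.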

See Also

HowTo: UNIX / Linux Open TCP / UDP Ports

Written in Düsseldorf three days before Lixia (Start of Summer) of the Renyin year (2022)
