SSH configuration and password-free key login

Source: Internet
Author: User
Tags: ssh, port

Objective:

This writes up the steps I used a while ago, for offsite backup and data synchronization, to log in over SSH with a key instead of a password.

For security reasons, the SSH service also needs some basic configuration.


Description

Server: the server (or the destination machine that stores the data offsite), i.e. the destination address of the IP traffic

Client: the workstation or personal computer (or the server that is the data source), i.e. the source address of the IP traffic


Ideas:

There are several things to do:

    1. Change the default service port (avoids some of the brute-force attempts and scans aimed at port 22)

    2. SSH protocol version (version 2 is now basically the default)

    3. Disable SSH login for the root account

    4. Custom login message (a friendly reminder to anyone logging in who is not the owner)

    5. Allow login only from designated IPs

    6. Key authentication login

    7. sudo permissions for ordinary accounts

    8. iptables rule modification

    9. Restart the service and verify that the changes are in effect


Body:

1. SSH service configuration (mainly on the server side; if both machines need to log in to each other, both need to be configured)

The Linux SSH service configuration file is /etc/ssh/sshd_config. Modify the following settings; the changed parameters and their descriptions are given here.

Port 2020                          # change the SSH service port to 2020
Protocol 2                         # allow only SSH2 protocol connections
ServerKeyBits 1024                 # server key strength is 1024
PermitRootLogin no                 # disable SSH login for the root account
PermitEmptyPasswords no            # disable login with an empty password
PasswordAuthentication no          # disable password-based login
Banner /etc/ssh/ssh_banner.txt     # file containing the custom pre-login welcome message

Most systems already default some of the parameters above to these values, for example ServerKeyBits.

[Figure: Ssh-1.png]
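Added example (not from the original post): a small POSIX shell script that applies the settings above to sshd_config idempotently and validates the file with sshd -t before restarting. It assumes the config path is passed as an argument, leaves out the SSH1-only ServerKeyBits (Protocol 2 already disables SSH1), and adds PubkeyAuthentication yes, which key login needs once password login is off.

```shell
#!/bin/sh
# Added example, not from the original post: apply the sshd_config settings
# above to a file in an idempotent way, then validate before restarting.
# Assumptions: the config path is passed as $1 (default /etc/ssh/sshd_config),
# awk is available, and sshd is on PATH for the syntax check.

# set_sshd_option FILE KEY VALUE
# Removes every active or commented-out global line for KEY and writes one
# fresh line, placed above the first Match block so it keeps global scope.
set_sshd_option() {
    file=$1; key=$2; value=$3; new="$file.new"
    awk -v k="$key" -v v="$value" '
        BEGIN { pat = "^[# \t]*" tolower(k) "([ \t]|$)" }
        /^Match[ \t]/ && !inmatch { print k " " v; inmatch = 1 }
        !inmatch && tolower($0) ~ pat { next }   # drop old copies (global scope only)
        { print }
        END { if (!inmatch) print k " " v }
    ' "$file" > "$new" && mv "$new" "$file"
}

# get_sshd_option FILE KEY -> effective global value (first active line wins)
get_sshd_option() {
    awk -v k="$2" '/^Match[ \t]/ { exit }
                   tolower($1) == tolower(k) { print $2; exit }' "$1"
}

# harden_sshd [FILE]: the settings from the text; ServerKeyBits is left out
# because it only applies to SSH1, which Protocol 2 already disables, and
# PubkeyAuthentication is added so key login still works with passwords off.
harden_sshd() {
    cfg=${1:-/etc/ssh/sshd_config}
    set_sshd_option "$cfg" Port 2020
    set_sshd_option "$cfg" Protocol 2
    set_sshd_option "$cfg" PermitRootLogin no
    set_sshd_option "$cfg" PermitEmptyPasswords no
    set_sshd_option "$cfg" PasswordAuthentication no
    set_sshd_option "$cfg" PubkeyAuthentication yes
    set_sshd_option "$cfg" Banner /etc/ssh/ssh_banner.txt
}

# apply_sshd_config [FILE]: sshd -t parses the file and fails on any error,
# so a typo never takes the daemon down on restart and locks you out.
apply_sshd_config() {
    cfg=${1:-/etc/ssh/sshd_config}
    sshd -t -f "$cfg" || { echo "sshd_config invalid, not restarting" >&2; return 1; }
    service sshd restart
}
```

Run harden_sshd on a copy of the file first and diff it against the original before touching the live config.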

2. Custom login prompt message

The pre-login prompt has already been set up above. To show a prompt after a successful login as well, write the prompt text to the following file:

/etc/motd

3. Allow login only from designated IPs

Only configure this when you have a fixed public IP, or a VPN that can reach the server's internal network; otherwise do not set it lightly, because once set you will probably be unable to log in.

Here we use the two files hosts.allow and hosts.deny for control. They are the TCP wrappers rule files, that is, ACLs; interested readers can read up on them.

Briefly, the security rule is: on an SSH login, the system first checks whether hosts.deny has a deny entry, then checks whether hosts.allow has an allow entry. For more on ACL access control lists, look it up yourself.

There are two ways to use them: one is to add known dangerous IPs to hosts.deny; the other is to reject everything in hosts.deny and then add the allowed IPs to hosts.allow. Here we use the latter.

Edit hosts.deny and hosts.allow and add the following as the last line. The format: a comma [,] separates multiple IPs; a colon [:] separates the action, which can only be allow or deny, and the action part can be omitted.

vim /etc/hosts.deny
sshd: ALL                  # in the deny file this rejects everything by default

vim /etc/hosts.allow
sshd: 118.144.133.66       # allow a single specified IP address
sshd: 192.168.1.2/24       # allow the specified network in CIDR notation
sshd: 192.168.2.           # allow the specified IP address range


4. Key authentication

The key is generated on the client, i.e. the PC workstation. A key pair consists of a private key and a public key: the private key stays on the client, and the public key is sent to the server and stored on the server side.

Generate the key. Keys come in RSA and DSA types, which differ in algorithm; look into the details as needed.

Run the following command and press Enter all the way through; remember not to enter a passphrase, otherwise password-free login will not work. Of course, if you use the key as an additional login check, you can set a passphrase, so that besides the key the correct passphrase is also needed to log in successfully.

ssh-keygen -t rsa

Transfer the generated id_rsa.pub public key file to the server, save it as authorized_keys and give it 755 permissions. Remember that this file must be saved in the login user's ~/.ssh directory. If I log in as the user om, the file is saved as /home/om/.ssh/authorized_keys.

If the server already has this file, check whether its contents are your own public key. To append your own public key to the file, use the following command. If the contents are not yours, you need to investigate the server.

cat id_rsa.pub >> /home/om/.ssh/authorized_keys

Finally, give authorized_keys 755 permissions.
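Added example (not from the original post): installing the public key into authorized_keys without creating duplicates, and listing any key in that file you do not recognise, which is the check the text advises. It assumes the target home directory is passed in, and it sets mode 600 on the file, which sshd's StrictModes accepts just as it accepts the 755 above.

```shell
#!/bin/sh
# Added example, not from the original post: install a client public key into
# the login user's authorized_keys without duplicates, and list any key in
# that file that is not on an operator-kept list of known keys (the "is this
# really my key?" check from the text). Assumptions: the target home directory
# is passed in; the file gets mode 600, which sshd's StrictModes also accepts.

# valid_pubkey LINE -> 0 if LINE has the shape of an OpenSSH public key
valid_pubkey() {
    printf '%s\n' "$1" |
        grep -Eq '^(ssh-rsa|ssh-ed25519|ecdsa-sha2-nistp(256|384|521)) [A-Za-z0-9+/]+=*( .*)?$'
}

# install_pubkey PUBKEY_FILE HOME_DIR
install_pubkey() {
    key=$(head -n 1 "$1")
    valid_pubkey "$key" || { echo "refusing $1: not an OpenSSH public key" >&2; return 1; }
    dir="$2/.ssh"; auth="$dir/authorized_keys"
    mkdir -p "$dir" && chmod 700 "$dir"
    touch "$auth"
    # compare type + base64 blob only, so a changed comment is not a new key
    blob=$(printf '%s\n' "$key" | awk '{ print $1, $2 }')
    if awk '{ print $1, $2 }' "$auth" | grep -Fqx "$blob"; then
        echo "already present: $blob"
    else
        printf '%s\n' "$key" >> "$auth"
    fi
    chmod 600 "$auth"   # owner-only; group/world-writable files are rejected by sshd
}

# unknown_keys AUTHORIZED_KEYS KNOWN_KEYS -> prints each type+blob present in
# AUTHORIZED_KEYS but absent from KNOWN_KEYS (lines with a leading options
# field such as from="..." are not normalised here and will be reported)
unknown_keys() {
    awk 'FILENAME == ARGV[1] { known[$1 " " $2] = 1; next }
         /^[ \t]*(#|$)/ { next }
         !(($1 " " $2) in known) { print $1, $2 }' "$2" "$1"
}
```

Any line unknown_keys prints is a key that can log in as that user and that you did not put there; treat it as the server compromise the text warns about until proven otherwise.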


5. Give sudo permissions to ordinary users

The file that controls sudo permissions is /etc/sudoers, which is read-only by default, even for the root account.

First change the permissions of sudoers so that the root account has write permission:

chmod u+w /etc/sudoers

Find the following line and add a row in the same format:

[Figure: Ssh-2.jpg]

Finally, remove the write permission again:

chmod u-w /etc/sudoers

This is a quick and rough configuration; a detailed description of the sudoers file will have to wait until I have studied it and can write another article ^_^

6. Add iptables rules

Add the modified SSH port number to iptables, to avoid being unable to connect because iptables does not allow traffic on that port.
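Added example (not from the original post), covering sections 3 and 6 together: one allowlist of admin source addresses produces both the hosts.allow/hosts.deny entries and the iptables rules for the moved port, so the two cannot drift apart. The addresses and port are the values from the text used as constructed input, and IPTABLES=echo gives a dry run. Note that TCP wrappers consults hosts.allow before hosts.deny, so the allow entries take precedence over the deny-all line.

```shell
#!/bin/sh
# Added example, not from the original post, covering sections 3 and 6: one
# allowlist of admin source addresses produces both the TCP wrappers entries
# and the iptables rules for the moved SSH port, so the two cannot drift apart.
# Assumptions: ALLOWED and SSH_PORT below are constructed values taken from the
# text, and IPTABLES names the iptables binary (IPTABLES=echo gives a dry run).

ALLOWED="118.144.133.66 192.168.2."   # trailing dot = TCP wrappers prefix match
SSH_PORT=2020
: "${IPTABLES:=iptables}"

# write_wrappers HOSTS_ALLOW HOSTS_DENY
# Default-deny sshd in hosts.deny, one sshd allow line in hosts.allow.
# hosts.allow is consulted before hosts.deny, so a match there wins.
write_wrappers() {
    allow=$1; deny=$2
    grep -q '^sshd:' "$deny" 2>/dev/null || printf 'sshd: ALL\n' >> "$deny"
    entries=$(printf '%s' "$ALLOWED" | tr ' ' ',')
    # rewrite rather than append, so repeated runs leave exactly one sshd line
    grep -v '^sshd:' "$allow" 2>/dev/null > "$allow.new" || true
    printf 'sshd: %s\n' "$entries" >> "$allow.new"
    mv "$allow.new" "$allow"
}

# ssh_firewall_rules: insert an ACCEPT for the new port per allowed source.
# -I puts the rules at the top of INPUT, above a final REJECT/DROP rule that
# would otherwise shadow an appended (-A) rule and leave the port unreachable.
ssh_firewall_rules() {
    for src in $ALLOWED; do
        case $src in
            *.) src="${src}0/24" ;;   # iptables wants CIDR, not a wrappers prefix
        esac
        "$IPTABLES" -I INPUT -p tcp --dport "$SSH_PORT" -s "$src" -j ACCEPT
    done
    # on CentOS-style systems, persist with: service iptables save
}
```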

7. Restart the services

Restart the SSH and iptables services:

service sshd restart
service iptables restart

Every time you modify the SSH configuration file, the service must be restarted for the change to take effect.

8. Verification

Do not rush to close the current login window. Open a new command-line window and test logging in there, because if the login fails you still have the chance to fix it; if you have already closed the original login window, it is a tragedy...

This article is from the "Morrowind" blog, make sure to keep this source http://morrowind.blog.51cto.com/1181631/1702194
