System Environment: Red Hat Linux 9.0 [kernel 2.4.20-8]
Software Version:
openssh-3.5p1-6
openssh-server-3.5p1-6
openssh-askpass-3.5p1-6
openssh-clients-3.5p1-6
openssh-askpass-gnome-3.5p1-6
Target Features:
Server A:
192.168.1.1/24
Users: Tom, Jerry
Station B:
192.168.1.20/24
User: mikky
Implementation:
1. Only Tom and Jerry may log on to server A through SSH, each authenticated with their own password.
2. mikky on station B may log on to server A as Jerry through SSH, authenticated with mikky's private key and its passphrase. Jerry's password is not required.
##############################################################
I. Installation
For ease of use, install the SSH server and client packages on both machines. The software is the RPM package that ships on the Red Hat Linux 9 discs. [procedure omitted]
II. Password-based authentication configuration
Server A: [the sshd service as started by default already has password authentication enabled; any username and password valid on the server can log in.]
1. # vi /etc/ssh/sshd_config // only the relevant options are explained
Port 22 // port the service listens on
Protocol 2,1 // accept both SSH-2 and SSH-1 clients. Set "Protocol 2" unless SSH-1 clients are unavoidable: the SSH-1 protocol has known cryptographic weaknesses.
ListenAddress 192.168.1.1 // IP address the service listens on
LoginGraceTime 120 // if the client has not authenticated within 120 seconds, the connection is dropped
MaxStartups 10 // maximum number of concurrent connections that have not yet authenticated; further attempts are refused until some of them authenticate or time out
PermitRootLogin no // do not allow root to log in directly
AllowUsers Tom Jerry // only Tom and Jerry may log in remotely; every other account is refused even with a valid password
PubkeyAuthentication yes // allow key-based authentication
AuthorizedKeysFile .ssh/authorized_keys // file, relative to each user's home directory, where the server keeps that user's accepted client public keys
PasswordAuthentication yes // allow password-based login
PermitEmptyPasswords no // do not allow accounts with empty passwords to log in
X11Forwarding yes // allow X11 programs to be forwarded over the connection
2. Add test users
Server A:
# useradd Tom; passwd Tom
# useradd Jerry; passwd Jerry
Station B:
# useradd mikky; passwd mikky
3. # chkconfig --level 2345 sshd on
# /etc/init.d/sshd start
Station B: [test whether Tom, Jerry, root and other users can log on. With the configuration above only Tom and Jerry should get in; root and every other account must be refused.]
4. $ ssh Jerry@192.168.1.1
// The first login creates ~/.ssh/known_hosts, where the server's host public key is saved. Verify the fingerprint it shows out of band before accepting it: every later connection is checked against this entry, and a wrong entry accepted here is a wrong entry trusted from then on.
III. Key-based authentication configuration
Server A:
0. # vi /etc/ssh/sshd_config // see section II, step 1; modify as needed, or skip this step
PasswordAuthentication no // password login prohibited; only keys are accepted from now on. Do this only after key login (step 3 below) has been confirmed to work, or you lock yourself out.
PubkeyAuthentication yes // allow key-based authentication
# /etc/init.d/sshd reload
Basic steps:
1. Create a key pair on the client
Log on to station B as mikky and create the key pair as that user.
# su - mikky
$ ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/home/mikky/.ssh/id_rsa):
Created directory '/home/mikky/.ssh'.
Enter passphrase (empty for no passphrase): // set the passphrase that protects the private key on disk. Without one, anyone who copies id_rsa can use it as mikky.
Enter same passphrase again:
Your identification has been saved in /home/mikky/.ssh/id_rsa.
Your public key has been saved in /home/mikky/.ssh/id_rsa.pub.
The key fingerprint is:
a4:73:6a:9a:ea:ff:ef:1f:72:83:68:78:6d:e8:63:2b mikky@bbb.redhat.com
$ cat ~/.ssh/id_rsa.pub
2. Copy the public key to the server
Copy mikky's public key to server A [NFS, FTP, Samba, HTTP, email, SFTP, scp or any other method works]. Only id_rsa.pub is copied; the private key id_rsa never leaves station B.
This is done as root on server A. Because scp is used here, station B must also be running the sshd service.
# mkdir -p /home/Jerry/.ssh
# scp mikky@192.168.1.20:/home/mikky/.ssh/id_rsa.pub /home/Jerry/.ssh/authorized_keys
// This overwrites any existing authorized_keys. To add a key to an existing file, copy it to a temporary name and append it with cat >>.
# chmod 700 /home/Jerry/.ssh; chmod 600 /home/Jerry/.ssh/authorized_keys; chown -R Jerry:Jerry /home/Jerry/.ssh
// sshd with StrictModes yes (the default) silently ignores authorized_keys if the home directory, ~/.ssh or the file itself is writable by group or others, or is not owned by the user. Making the home directory world-readable (chmod o+rx) is not required; what matters is that nothing in this path is writable by anyone but Jerry.
3. Test key authentication from the client
# su - mikky // make sure you are logged on to station B as mikky
$ ssh Jerry@192.168.1.1
// If the passphrase prompt below appears, key authentication is in effect. If you are asked for Jerry's password instead (or refused outright once PasswordAuthentication is no), check the name, location, ownership and permissions of authorized_keys.
Enter passphrase for key '/home/mikky/.ssh/id_rsa':
4. Use ssh-agent on the client [this step is optional]
Use ssh-agent on station B to hold the decrypted private key in memory, so the passphrase does not have to be typed at every connection.
# su - mikky
$ ssh-agent /bin/bash // start a bash process with the agent's environment variables set; only that shell and its children can use the agent
$ ssh-add -t 3600 // add the private key to the agent for one hour
Enter passphrase for /home/mikky/.ssh/id_rsa:
Identity added: /home/mikky/.ssh/id_rsa (/home/mikky/.ssh/id_rsa)
Lifetime set to 3600 seconds
$ ssh Jerry@192.168.1.1
// Within the hour, further logins to the server ask for neither a password nor a passphrase
$ ssh-add -D // remove all identities from the agent
// While a key is loaded, anyone who can reach the agent socket (root on station B, or any process running as mikky) can authenticate with it; keep lifetimes short and unload keys when done.
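The two procedures above come down to a handful of sshd_config settings (section II, step 1 and section III, step 0) plus the ownership and permission rules that sshd enforces on authorized_keys (section III, step 2). The script below is an added example, not part of the original page or of OpenSSH: it reads an sshd_config the way sshd does (first match wins, keywords case-insensitive), reports which of the page's settings are weak, and mirrors the StrictModes check on the home directory, ~/.ssh and authorized_keys. The two configs it audits are constructed inline from the page's own values; the only assumption is a POSIX sh with awk and ls -ld.

```shell
#!/bin/sh
# Added example (not from the original page): audit an sshd_config for the
# settings this page discusses, and mirror the StrictModes permission check
# that sshd applies to ~/.ssh/authorized_keys. Sample configs are constructed.

# Print the effective value of an sshd_config keyword. Like sshd, the first
# match wins and keywords are case-insensitive; comments and blanks are skipped.
# (Match blocks, which do not exist in 3.5p1, are not handled.)
sshd_opt() {
    awk -v key="$2" '
        /^[[:space:]]*(#|$)/ { next }
        tolower($1) == tolower(key) {
            v = $0
            sub(/^[[:space:]]*[^[:space:]]+[[:space:]]+/, "", v)
            print v; exit
        }' "$1"
}

# Compare one keyword with the wanted value (case-insensitive). Prints PASS/FAIL.
check_opt() {
    got=$(sshd_opt "$1" "$2")
    if [ "$(printf '%s' "$got" | tr '[:upper:]' '[:lower:]')" = "$3" ]; then
        echo "PASS $2 $got"
        return 0
    fi
    echo "FAIL $2 ${got:-(unset: sshd default applies)} -- want $3"
    return 1
}

# Full audit of a config file; exit status is the number of failed checks.
# The Protocol check applies to 3.5p1-era servers; OpenSSH 7.4+ dropped SSH-1.
audit_sshd_config() {
    fails=0
    check_opt "$1" Protocol 2                || fails=$((fails + 1))
    check_opt "$1" PermitRootLogin no        || fails=$((fails + 1))
    check_opt "$1" PasswordAuthentication no || fails=$((fails + 1))
    check_opt "$1" PubkeyAuthentication yes  || fails=$((fails + 1))
    check_opt "$1" PermitEmptyPasswords no   || fails=$((fails + 1))
    users=$(sshd_opt "$1" AllowUsers)
    if [ -n "$users" ]; then
        echo "PASS AllowUsers $users"
    else
        echo "FAIL AllowUsers unset -- every local account may log in"
        fails=$((fails + 1))
    fi
    return "$fails"
}

# True unless the path is missing or writable by group or others (positions 6
# and 9 of the ls -ld mode string), which is what StrictModes refuses.
not_group_or_world_writable() {
    [ -e "$1" ] || return 1
    case "$(ls -ld "$1" | cut -c1-10)" in
        ?????w????|????????w?) return 1 ;;
    esac
    return 0
}

# Check the three paths StrictModes inspects below a home directory.
check_authorized_keys_perms() {
    rc=0
    for p in "$1" "$1/.ssh" "$1/.ssh/authorized_keys"; do
        if not_group_or_world_writable "$p"; then
            echo "PASS $p"
        else
            echo "FAIL $p missing or group/world writable; sshd will ignore the key"
            rc=1
        fi
    done
    return "$rc"
}

# Demonstration on two constructed configs: the page's section II settings and
# the section III hardening (PasswordAuthentication no, Protocol 2 only).
tmp=$(mktemp -d)
cat > "$tmp/section2" <<'EOF'
Port 22
Protocol 2,1
PermitRootLogin no
AllowUsers Tom Jerry
PubkeyAuthentication yes
PasswordAuthentication yes
PermitEmptyPasswords no
EOF
sed -e 's/^Protocol 2,1/Protocol 2/' \
    -e 's/^PasswordAuthentication yes/PasswordAuthentication no/' \
    "$tmp/section2" > "$tmp/section3"
for f in section2 section3; do
    echo "== $f =="
    audit_sshd_config "$tmp/$f" || echo "$f: $? check(s) failed"
done
rm -r "$tmp"
```

Run it as any user; point audit_sshd_config at /etc/ssh/sshd_config and check_authorized_keys_perms at a real home directory to audit a live server. On the section II config it reports Protocol and PasswordAuthentication as the two weak settings; the section III config passes clean.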