Build a secure Linux FTP server with SRP (figure)

Source: Internet
Author: User
Tags: ftp client
Article Title: Use SRP to establish a secure Linux FTP server II (figure)
2. Use the EPS PAM module for password verification
  
(1) First back up the /etc/pam.d/system-auth file.

(2) Modify /etc/pam.d/system-auth so that it reads as follows:

auth       required   /lib/security/pam_unix.so likeauth nullok md5 shadow
auth       sufficient /lib/security/pam_eps_auth.so
auth       required   /lib/security/pam_deny.so
account    sufficient /lib/security/pam_unix.so
account    required   /lib/security/pam_deny.so
password   required   /lib/security/pam_cracklib.so retry=3
password   required   /lib/security/pam_eps_passwd.so
password   sufficient /lib/security/pam_unix.so nullok use_authtok md5 shadow
password   required   /lib/security/pam_deny.so
session    required   /lib/security/pam_limits.so
session    required   /lib/security/pam_unix.so

The two lines that matter (shown in bold in the original) are the auth line for pam_eps_auth.so, which lets a successful SRP authentication satisfy the auth stack, and the password line for pam_eps_passwd.so, which hooks password changes so that the EPS verifier is maintained alongside the Unix password. Because pam_eps_auth.so is only "sufficient" and is followed by pam_deny.so, a login that does not pass the EPS module is refused; keep pam_deny.so at the end of the stack, since without it a pam_unix.so success alone would log the user in. The nullok option on pam_unix.so accepts accounts with an empty password; leave it out unless that is intended.
  
(3) Convert the standard passwords to EPS format. An SRP verifier is computed from the plaintext password, so the existing MD5 hashes in /etc/shadow cannot be converted in place: each user's password has to be set again with passwd once the stack below is active.

(4) The pam_eps_passwd.so module in /etc/pam.d/system-auth writes the EPS verifier (the password verification string) to /etc/tpasswd. So that passwd goes through that stack, modify /etc/pam.d/passwd to read:

auth       required   /lib/security/pam_stack.so service=system-auth
account    required   /lib/security/pam_stack.so service=system-auth
password   required   /lib/security/pam_stack.so service=system-auth
  
   4. Start the SRP version of the FTP server
  
(1) Go to the ftp subdirectory of the SRP source tree and build and install the SRP FTP server and client:

# cd /usr/src/redhat/SOURCES/srp-2.2.1/ftp
# make; make install
  
(2) Create the xinetd service file /etc/xinetd.d/srp-ftpd (xinetd is the "super server" that starts ftpd on demand) with the following content:

service ftp
{
    socket_type     = stream
    wait            = no
    user            = root
    server          = /usr/local/sbin/ftpd
    log_on_success  += DURATION USERID
    log_on_failure  += USERID
    nice            = 10
    disable         = no
}
  
(3) Make xinetd re-read its configuration:

# killall -USR1 xinetd
  
(4) Create the PAM configuration file for the FTP service. (The source names this file /etc/pam.d/telnet, which is the telnet service's file; the file has to be named after the service name the SRP ftpd passes to PAM, which for an FTP daemon is normally ftp.) Its content:

#%PAM-1.0
auth       required   /lib/security/pam_listfile.so item=user sense=deny file=/etc/ftpusers onerr=succeed
auth       required   /lib/security/pam_stack.so service=srp-ftp
auth       required   /lib/security/pam_shells.so
account    required   /lib/security/pam_stack.so service=srp-ftp
session    required   /lib/security/pam_stack.so service=srp-ftp

Two points to check before relying on this file. The pam_stack lines delegate to a service called srp-ftp, so /etc/pam.d/srp-ftp has to exist as well (the passwd file above shows the same kind of delegation, there to system-auth); if it is missing, PAM falls back to /etc/pam.d/other, which on Red Hat denies everything. And onerr=succeed on pam_listfile.so means that if /etc/ftpusers cannot be read the module returns success and the deny list is silently not enforced; onerr=fail makes the login fail instead.
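To see how these stacks behave under Linux-PAM's control-flag rules (why pam_deny.so must close the system-auth stack of section 2, and what onerr=succeed does to the deny list above), here is an added example, not code from the article or from the SRP package: a small model of Linux-PAM stack evaluation with pam_stack-style delegation, run over both stacks. The srp-ftp service is not shown in the article, so the model assumes it delegates to system-auth as /etc/pam.d/passwd does; each module's own outcome is supplied as a boolean, and the /etc/ftpusers content is constructed.

```python
"""Model of Linux-PAM stack evaluation, used to trace the auth stacks of the
article.  Added example, not part of the article or of the SRP package.
Only the four classic control flags are modelled; each module's own result
is supplied as a boolean, and pam_stack is modelled as running a sub-stack."""

UNDEF, POSITIVE, NEGATIVE = "undef", "positive", "negative"

# Linux-PAM's action for each control flag: (on success, on failure).
CONTROLS = {
    "required":   ("ok",   "bad"),     # failure recorded, stack continues
    "requisite":  ("ok",   "die"),     # failure ends the stack at once
    "sufficient": ("done", "ignore"),  # success ends the stack if nothing failed yet
    "optional":   ("ok",   "ignore"),
}

def run_stack(service, results, services):
    """Return True (PAM_SUCCESS) or False for the auth stack of `service`.
    results:  {module: bool} outcome each module returns when called.
    services: {service: [(control, module), ...]} the /etc/pam.d files."""
    impression = UNDEF
    for control, module in services[service]:
        if module.startswith("pam_stack"):
            ok = run_stack(module.split("=", 1)[1], results, services)
        else:
            ok = results.get(module, False)   # unknown module: treated as failure
        action = CONTROLS[control][0 if ok else 1]
        if action in ("ok", "done"):
            if impression == UNDEF:
                impression = POSITIVE
            if action == "done" and impression == POSITIVE:
                return True      # a sufficient module succeeded with no earlier failure
        elif action in ("bad", "die"):
            impression = NEGATIVE
            if action == "die":
                return False
        # "ignore": a failing sufficient/optional module has no effect
    return impression == POSITIVE  # an empty or undecided stack denies access

# The auth stacks from the article (module paths shortened).  srp-ftp is not
# shown in the article; assumed here to delegate to system-auth like passwd does.
SERVICES = {
    "system-auth": [("required", "pam_unix"),
                    ("sufficient", "pam_eps_auth"),
                    ("required", "pam_deny")],
    "srp-ftp":     [("required", "pam_stack service=system-auth")],
    "ftp":         [("required", "pam_listfile"),
                    ("required", "pam_stack service=srp-ftp"),
                    ("required", "pam_shells")],
}

def pam_listfile(user, ftpusers, onerr="succeed"):
    """pam_listfile.so item=user sense=deny file=/etc/ftpusers onerr=...
    ftpusers is the file content, or None if the file could not be read."""
    if ftpusers is None:
        return onerr == "succeed"        # onerr=succeed: deny list silently skipped
    return user not in ftpusers.split()

def auth_outcome(unix_ok, eps_ok, with_deny=True):
    """Result of the system-auth stack for given pam_unix / pam_eps_auth results;
    with_deny=False shows what happens if the closing pam_deny line is dropped."""
    services = dict(SERVICES)
    if not with_deny:
        services["system-auth"] = SERVICES["system-auth"][:-1]
    results = {"pam_unix": unix_ok, "pam_eps_auth": eps_ok, "pam_deny": False}
    return run_stack("system-auth", results, services)

def ftp_login(user, unix_ok, eps_ok, ftpusers, onerr="succeed", valid_shell=True):
    """Result of the ftp stack: deny list, then srp-ftp, then pam_shells."""
    results = {"pam_listfile": pam_listfile(user, ftpusers, onerr),
               "pam_unix": unix_ok, "pam_eps_auth": eps_ok, "pam_deny": False,
               "pam_shells": valid_shell}
    return run_stack("ftp", results, SERVICES)

if __name__ == "__main__":
    FTPUSERS = "root\nbin\ndaemon\n"   # constructed sample /etc/ftpusers
    for unix_ok, eps_ok in ((True, True), (False, True), (True, False)):
        print(f"system-auth unix={unix_ok} eps={eps_ok}: {auth_outcome(unix_ok, eps_ok)}")
    print("without pam_deny, unix ok but eps failed:", auth_outcome(True, False, False))
    print("root, listed in ftpusers:", ftp_login("root", True, True, FTPUSERS))
    print("root, ftpusers unreadable, onerr=succeed:", ftp_login("root", True, True, None))
    print("root, ftpusers unreadable, onerr=fail:", ftp_login("root", True, True, None, "fail"))
```

The trace shows that with the article's stack a user must pass both pam_unix.so and pam_eps_auth.so, that dropping the final pam_deny.so line would let a Unix-only success through, and that with onerr=succeed an unreadable /etc/ftpusers lets root log in.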
  
So far, an FTP server using the SRP service has been established. First test it locally. The following is a typical session:

$ /usr/local/bin/ftp localhost
Connected to localhost.intevo.com.
220 k2.intevo.com FTP server (SRPftp 1.3) ready.
SRP accepted as authentication type.
Name (localhost:kabir): cao
SRP Password: xxxxxxxx
SRP authentication succeeded.
Using cipher CAST5_CBC and hash function SHA.
200 Protection level set to Private.
232 user kabir authorized by SRP.
230 User kabir logged in.
Remote system type is UNIX.
Using binary mode to transfer files.
  
To log on to the SRP server with FTP from another Linux computer, install the SRP service support and the SRP client software on that machine in the same way as on the server.
  
The following ciphers are available for the SRP ftp service (the number in parentheses is the cipher identifier):

NONE (1)
BLOWFISH_ECB (2)
BLOWFISH_CBC (3)
BLOWFISH_CFB64 (4)
BLOWFISH_OFB64 (5)
CAST5_ECB (6)
CAST5_CBC (7)
CAST5_CFB64 (8)
CAST5_OFB64 (9)
DES_ECB (10)
DES_CBC (11)
DES_CFB64 (12)
DES_OFB64 (13)
DES3_ECB (14)
DES3_CBC (15)
DES3_CFB64 (16)
DES3_OFB64 (17)
  
SRP also supports the MD5 and SHA hash functions. By default, SRP ftp uses the CAST5_CBC cipher and the SHA hash function; to use another, pass the -c or -h option. Note that NONE leaves the control and data channels unencrypted (the login itself is still SRP), and that the ECB modes and single DES are weak choices; prefer a CBC or CFB mode of CAST5, Blowfish or 3DES.

# /usr/local/bin/ftp -c blowfish_cfb64 "ip address"

The above command uses the BLOWFISH_CFB64 cipher instead of the default CAST5_CBC.

# /usr/local/bin/ftp -h md5 "ip address"

The above command uses the MD5 hash function instead of the default SHA.
  
   5. Use the SRP client on a non-Linux platform

SRP also supports other popular operating systems (Unix, BSD, Windows and MacOS). Kermit 95 is an SRP client that runs on Windows 9x, ME, NT, 2000 and XP, and on OS/2; see http://www.columbia.edu/kermit/k95.html for details.
  
Conclusion: The detailed working principle of SRP can be found on the SRP project site (the address given in the original is not legible in this copy). The above provides a safer and faster way to log on to a remote Linux server than OpenSSH. The SRP-based FTP application is like any other client/server network application: once connected, the client can use all the services the server provides.
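The conclusion points to the SRP site for how the protocol works, and step (3) of section 2 asked for existing passwords to be converted to EPS format. The following is an added example, not code from the article or from the SRP package, that carries one SRP exchange through both sides in Python: enrolment (the verifier that pam_eps_passwd.so stores in /etc/tpasswd, computed from the plaintext password, which is why a stored hash cannot be converted), then a login with the right password and one with a wrong password. It uses the SRP-6a formulas of RFC 5054 with SHA-256 rather than SHA-1 (an assumption), not necessarily the SRP-3 variant of the package in the article; the group constant is intended to be the RFC 5054 1024-bit group and should be checked against the RFC before real use; the user name and passwords are constructed.

```python
"""SRP-6a exchange (RFC 5054 formulas, SHA-256 instead of SHA-1: assumption).
Added example, not code from the article or the SRP package; the article's
srp-2.2.1 implements the earlier SRP-3 (RFC 2945), which forms B and u
differently.  N is meant to be the RFC 5054 1024-bit group; check it against
the RFC before real use (the exchange itself works for any odd modulus)."""
import hashlib, hmac, secrets

N = int("EEAF0AB9ADB38DD69C33F80AFA8FC5E86072618775FF3C0B9EA2314C9C256576"
        "D674DF7496EA81D3383B4813D692C6E0E0D5D8E250B98BE48E495C1D6089DAD1"
        "5DC7D7B46154D6B6CE8EF4AD69B15D4982559B297BCF1885C529F566660E57EC"
        "68EDBC3C05726CC02FD4CBF4976EAA9AFD5138FE8376435B9FC61D2FC0EB06E3", 16)
g = 2
NLEN = (N.bit_length() + 7) // 8

def pad(x):                       # big-endian, left-padded to the length of N
    return x.to_bytes(NLEN, "big")

def H(*parts):                    # SHA-256 of the concatenation, as an integer
    return int.from_bytes(hashlib.sha256(b"".join(parts)).digest(), "big")

def private_key(username, password, salt):
    """x = H(s | H(I ':' P)): the only step where the plaintext password enters."""
    return H(salt, hashlib.sha256(f"{username}:{password}".encode()).digest())

def make_verifier(username, password, salt=None):
    """Enrolment, what pam_eps_passwd.so does when it writes /etc/tpasswd.
    It needs the plaintext password, so an /etc/shadow hash cannot be converted."""
    salt = salt or secrets.token_bytes(16)
    return salt, pow(g, private_key(username, password, salt), N)

def client_proof(username, salt, A, B, K):
    """M1 = H(H(N) xor H(g), H(I), s, A, B, K), the RFC 2945 form."""
    hxor = bytes(a ^ b for a, b in zip(hashlib.sha256(pad(N)).digest(),
                                       hashlib.sha256(pad(g)).digest()))
    return hashlib.sha256(hxor + hashlib.sha256(username.encode()).digest()
                          + salt + pad(A) + pad(B) + K).digest()

class SrpServer:
    """Stores only (salt, verifier) and never learns the password."""
    def __init__(self, username, salt, verifier):
        self.I, self.s, self.v, self.K = username, salt, verifier, None
        self.b = 1 + secrets.randbelow(N - 1)
        self.B = (H(pad(N), pad(g)) * self.v + pow(g, self.b, N)) % N   # k*v + g^b

    def verify_client(self, A, M1):
        """Return M2 if M1 proves knowledge of the password, else None."""
        if A % N == 0:
            raise ValueError("illegal client public value")
        u = H(pad(A), pad(self.B))
        K = hashlib.sha256(pad(pow(A * pow(self.v, u, N) % N, self.b, N))).digest()
        if not hmac.compare_digest(client_proof(self.I, self.s, A, self.B, K), M1):
            return None
        self.K = K
        return hashlib.sha256(pad(A) + M1 + K).digest()

class SrpClient:
    def __init__(self, username, password):
        self.I, self.P, self.K, self.M1 = username, password, None, None
        self.a = 1 + secrets.randbelow(N - 1)
        self.A = pow(g, self.a, N)

    def respond(self, salt, B):
        """Derive the session key from the server's (s, B); return M1."""
        if B % N == 0:
            raise ValueError("illegal server public value")
        u, x, k = H(pad(self.A), pad(B)), private_key(self.I, self.P, salt), H(pad(N), pad(g))
        S = pow((B - k * pow(g, x, N)) % N, self.a + u * x, N)   # (B - k*g^x)^(a + u*x)
        self.K = hashlib.sha256(pad(S)).digest()
        self.M1 = client_proof(self.I, salt, self.A, B, self.K)
        return self.M1

    def verify_server(self, M2):
        """Check M2 = H(A, M1, K): the server also proved it holds the verifier."""
        return hmac.compare_digest(hashlib.sha256(pad(self.A) + self.M1 + self.K).digest(), M2)

def run_exchange(username, registered_password, typed_password):
    """Enrol with one password, log in with another.  Returns
    (server accepted client, client accepted server, session keys match)."""
    salt, v = make_verifier(username, registered_password)
    server, client = SrpServer(username, salt, v), SrpClient(username, typed_password)
    M1 = client.respond(server.s, server.B)
    M2 = server.verify_client(client.A, M1)
    if M2 is None:
        return False, False, False
    return True, client.verify_server(M2), client.K == server.K

if __name__ == "__main__":
    print("correct password:", run_exchange("cao", "s3cret", "s3cret"))   # constructed credentials
    print("wrong password:  ", run_exchange("cao", "s3cret", "guess"))
```

The password never leaves the client: the server holds only the salt and the verifier g^x, the two sides agree on a session key only if the client's x matches the stored verifier, and the wrong-password run is rejected at the M1 check before the server sends its own proof.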