Build a secure LinuxFTP server with SRP (figure)

Article Title: Use SRP to establish a secure LinuxFTP server II (figure ). Linux is a technology channel of the IT lab in China. Includes basic categories such as desktop applications, Linux system management, kernel research, embedded systems, and open source.
2. Use the eps pam module for password verification
　　
(1) first back up the/etc/pam. d/system-auth file
　　
(2) modify the/etc/pam. d/system-auth file in the following format:
　　
Auth required/lib/security/pam_unix.so likeauth nullok md5 shadow
　　
Auth sufficient/lib/security/pam_eps_auth.so
　　
Auth required/lib/security/pam_deny.so
　　
Account sufficient/lib/security/pam_unix.so
　　
Account required/lib/security/pam_deny.so
　　
Password required/lib/security/pam_cracklib.so retry = 3
　　
Password required/lib/security/pam_eps_passwd.so
　　
Password sufficient/lib/security/pam_unix.so nullok use_authtok md5 shadow
　　
Password required/lib/security/pam_deny.so
　　
Session required/lib/security/pam_limits.so
　　
Session required/lib/security/pam_unix.so
　　
Note that the first line in bold indicates that the PAM eps_auth module can meet the authentication requirements. The second line in bold indicates that the pam_eps_passwd.so module of PAM is used for password management.
　　
(3) convert the standard password to the EPS format
　　
(4) The module pam_eps_passwd.so in the/etc/pam. d/system-auth configuration file writes the password verification string of the EPS version to the/etc/tpasswd file. Modify the/etc/pam. dpasswd file in the following format:
　　
Auth required/lib/security/pam_stack.so service = system-auth
　　
Account required/lib/security/pam_stack.so service = system-auth
　　
Password required/lib/security/pam_stack.so service = system-auth
　　
　　 4. Start the FTP server in the SRP version
　　
(1) Go to the SRP source code FTP subdirectory and create FTP server files and FTP client files respectively:
　　
# Cd/usr/src/redhat/SOURCES/srp-2.2.1/ftp
　　
# Make; make install
　　
(2) create a super Access Program/etc/xinetd. d/srp-ftpd with the following content:
　　
Service ftp
　　
{
　　
Socket_type = stream
　　
Wait = no
　　
User = root
　　
Server =/usr/local/sbin/ftpd
　　
Log_on_success + = DURATION USERID
　　
Log_on_failure + = USERID
　　
Nice = 10
　　
Disable = no
　　
}
　　
(3) Use the command to start xinetd again
　　
# Killall-USR1 xinetd
　　
(4) create a/etc/pam. d/telnet file with the following content:
　　
# % PAM-1.0
　　
Auth required/lib/security/pam_listfile.so item = user
Sense = deny file =/etc/ftpusers onerr = succeed
　　
Auth required/lib/security/pam_stack.so service = srp-ftp
　　
Auth required/lib/security/pam_shells.so
　　
Account required/lib/security/pam_stack.so service = srp-ftp
　　
Session required/lib/security/pam_stack.so service = srp-ftp
　　
So far, an FTP server using the SRP service has been established. First, perform a local test. The following is a typical session:
　　
$/Usr/local/bin/ftp localhost
　　
Connected to localhost.intevo.com.
　　
220 k2.intevo.com FTP server (SRPftp 1.3) ready.
　　
SRP accepted as authentication type.
　　
Name (localhost: kabir): cao
　　
SRP Password: xxxxxxxx
　　
SRP authentication succeeded.
　　
Using cipher CAST5_CBC and hash function SHA.
　　
200 Protection level set to Private.
　　
232 user kabir authorized by SRP.
　　
230 User kabir logged in.
　　
Remote system type is UNIX.
　　
Using binary mode to transfer file
　　
If you want to log on to the SRP server using FTP on another Linux computer, you must install the SRP service support and SRP client software. The method is the same as on the SRP server.
　　
The following password formula is usually used for srp ftp services:
　　
NONE (1)
　　
BLOWFISH_ECB (2)
　　
BLOWFISH_CBC (3)
　　
BLOWFISH_CFB64 (4)
　　
BLOWFISH_OFB64 (5)
　　
CAST5_ECB (6)
　　
CAST5_CBC (7)
　　
CAST5_CFB64 (8)
　　
CAST5_OFB64 (9)
　　
DES_ECB (10)
　　
DES_CBC (11)
　　
DES_CFB64 (12)
　　
DES_OFB64 (13)
　　
DES3_ECB (14)
　　
DES3_CBC (15)
　　
DES3_CFB64 (16)
　　
DES3_OFB64 (17)
　　
SRP also supports MD5 and SHA hash functions. By default, SRP uses the CAST5_CBC password and SHA function. Use a password in another format. You can use the-c or-h option.
　　
#/Usr/local/bin/ftp-c blowfish_cfb64 "ip address"
　　
The above command uses the BLOWFISH_CFB64 password instead of the default CAST5_CBC.
　　
#/Usr/local/bin/ftp? H md5 "ip address"
　　
The preceding command uses the MD5 function instead of the default SHA function.
　　
　　 5. Use the SRP client on a non-Linux platform
　　
SRP also supports other popular operating systems (Unix, BSD, Winodws, and MacOS ). Kermit 95 is an SRP client that works on Windows 9x, ME, NT, and 2000, XP, and OS/2 operating systems. View the relevant web site: http://www.columbia.edu/kermit/k95.html before details.
　　
Conclusion: The detailed working principle of SRP can be found at the relevant site of SRP. The address is bytes. The above provides a safer and faster way to log on to a remote Linux server than OPENSSH. The SRP-based FTP application is similar to other network applications in the client/server model. Once connected, the client can enjoy all the services provided by the server.