1. Modifying the server's SSH configuration file
First, modify the SSH configuration file of the server. As follows:
[root@sample ~]# vi /etc/ssh/sshd_config    ← use vi to open the SSH configuration file
#Protocol 2,1    ← locate this line, delete the leading "#", and delete ",1" at the end of the line so that only SSH2 connections are allowed
    ↓
Protocol 2    ← the line after modification; only SSH2 is used

#ServerKeyBits 768    ← locate this line, remove the leading "#", and change 768 to 1024
    ↓
ServerKeyBits 1024    ← the line after modification; the server key strength is now 1024 bits

#PermitRootLogin yes    ← locate this line, remove the leading "#", and change "yes" to "no"
    ↓
PermitRootLogin no    ← the line after modification; logging on as root is no longer possible

#PasswordAuthentication yes    ← locate this line and change yes to no
    ↓
PasswordAuthentication no    ← the line after modification; password-based logon is not allowed

#PermitEmptyPasswords no    ← locate this line and delete the leading "#", so that logon with an empty password is not allowed
    ↓
PermitEmptyPasswords no    ← the line after modification; logon with a blank password is refused
Save and exit.
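Added example, not part of the original tutorial: a POSIX shell audit that reports whether the settings changed above are actually in effect in an sshd_config. It applies the two rules the edits depend on (a line still starting with "#" is ignored, and sshd uses the first uncommented occurrence of a keyword). The sample configuration file is constructed.

```shell
#!/bin/sh
# Audit an sshd_config against the settings the tutorial above applies.
# sshd takes the FIRST uncommented occurrence of a keyword (keywords are
# case-insensitive), so a leftover "#PermitRootLogin yes" must be ignored,
# while an earlier "PermitRootLogin yes" would override a later "no".
# (Conditional Match blocks are not handled by this simple check.)

# effective_value FILE KEYWORD -> prints the value sshd would actually use
effective_value() {
    awk -v key="$2" '
        tolower($1) == tolower(key) { print $2; exit }   # first match wins
    ' "$1"
}

# check_sshd_config FILE -> returns 0 if every hardening setting is in
# effect, 1 otherwise; prints one OK/FAIL line per setting
check_sshd_config() {
    cfg="$1"
    rc=0
    # keyword=expected pairs, exactly as the tutorial sets them
    for pair in Protocol=2 ServerKeyBits=1024 PermitRootLogin=no \
                PasswordAuthentication=no PermitEmptyPasswords=no; do
        key="${pair%%=*}"
        want="${pair#*=}"
        got="$(effective_value "$cfg" "$key")"
        if [ "$got" = "$want" ]; then
            echo "OK   $key $got"
        else
            echo "FAIL $key is '${got:-<unset, default applies>}', expected '$want'"
            rc=1
        fi
    done
    return "$rc"
}

# Constructed sample: the admin uncommented PermitRootLogin and
# PermitEmptyPasswords but left the other three lines commented out.
SAMPLE_CFG="${TMPDIR:-/tmp}/sshd_config.sample.$$"
cat > "$SAMPLE_CFG" <<'EOF'
#Protocol 2,1
#ServerKeyBits 768
PermitRootLogin no
#PasswordAuthentication yes
PermitEmptyPasswords no
EOF

check_sshd_config "$SAMPLE_CFG" || echo "hardening incomplete: fix the FAIL lines above"
```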
Because we only want the SSH service to make managing the system more convenient, we allow only intranet clients to log on to the server through SSH and do not manage the system remotely over the Internet, so as to minimize unsafe factors. The setting method is as follows:
[root@sample ~]# vi /etc/hosts.deny    ← modify the blocking rules; add the corresponding line at the end of the file

#
# hosts.deny    This file describes the names of the hosts which are
#               *not* allowed to use the local INET services, as decided
#               by the '/usr/sbin/tcpd' server.
#
# The portmap line is redundant, but it is left to remind you that
# the new secure portmap uses hosts.deny and hosts.allow.  In particular
# you should know that NFS uses portmap!

sshd: ALL    ← add this line to block all SSH connection requests

[root@sample ~]# vi /etc/hosts.allow    ← modify the permit rules; add the corresponding line at the end of the file

#
# hosts.allow   This file describes the names of the hosts which are
#               allowed to use the local INET services, as decided
#               by the '/usr/sbin/tcpd' server.
#

sshd: 192.168.0.    ← add this line to allow SSH connection requests only from the intranet
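Added example, not from the original tutorial: a POSIX shell emulation of how tcp_wrappers evaluates the two lines just added, so the allow-before-deny order and the trailing-dot prefix pattern can be checked against sample client addresses. The file copies and the client addresses are constructed; only the two pattern forms used above (ALL and a prefix ending in ".") are handled.

```shell
#!/bin/sh
# Emulate the tcp_wrappers decision for the rules the tutorial adds.
# Order of evaluation (hosts_access(5)): a match in hosts.allow grants
# access; otherwise a match in hosts.deny refuses it; otherwise access is
# granted. Only the pattern forms used above are supported here: ALL, and
# a string ending in "." that matches addresses beginning with that prefix.

# pattern_matches PATTERN ADDRESS -> 0 if PATTERN covers ADDRESS
pattern_matches() {
    case "$1" in
        ALL) return 0 ;;
        *.)  case "$2" in "$1"*) return 0 ;; esac ;;
    esac
    return 1
}

# file_matches FILE DAEMON ADDRESS -> 0 if some "daemon: pattern" line in
# FILE names DAEMON and its pattern matches ADDRESS (comments are skipped)
file_matches() {
    while IFS= read -r line; do
        case "$line" in ''|'#'*) continue ;; esac
        daemon="$(echo "${line%%:*}" | tr -d ' ')"
        pattern="$(echo "${line#*:}" | tr -d ' ')"
        [ "$daemon" = "$2" ] || continue
        pattern_matches "$pattern" "$3" && return 0
    done < "$1"
    return 1
}

# wrappers_decision ALLOW_FILE DENY_FILE DAEMON ADDRESS -> prints allow|deny
wrappers_decision() {
    if file_matches "$1" "$3" "$4"; then echo allow
    elif file_matches "$2" "$3" "$4"; then echo deny
    else echo allow
    fi
}

# Constructed copies of the two files as the tutorial leaves them
ALLOW="${TMPDIR:-/tmp}/hosts.allow.$$"
DENY="${TMPDIR:-/tmp}/hosts.deny.$$"
printf '# constructed sample\nsshd: 192.168.0.\n' > "$ALLOW"
printf 'sshd: ALL\n' > "$DENY"

wrappers_decision "$ALLOW" "$DENY" sshd 192.168.0.25   # allow: intranet prefix
wrappers_decision "$ALLOW" "$DENY" sshd 203.0.113.7    # deny: caught by sshd: ALL
wrappers_decision "$ALLOW" "$DENY" sshd 192.168.10.5   # deny: "192.168.0." is a prefix, not a subnet
```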
Restart the SSH service
After modifying the SSH configuration file, you must restart the SSH service to make the new settings take effect.
[root@sample ~]# /etc/rc.d/init.d/sshd restart    ← restart the SSH server
Stopping sshd:    [  OK  ]
Starting sshd:    [  OK  ]    ← the SSH server restarted successfully
At this time, a remote terminal (a personal PC and so on) can no longer log on to the server with SSH client software using an ordinary password. So that the client can still log on to the server, we will create a public key and a private key for SSH, which the client uses as its "key" to log on to the SSH server.
Creating the SSH2 public key and private key
Log on as a general user and create the public key and private key for that user (this example uses the bruce user).
[root@sample ~]# su - bruce    ← log on as the general user bruce
[centospub@sample ~]$ ssh-keygen -t rsa    ← create the public key and private key
Generating public/private rsa key pair.
Enter file in which to save the key (/home/kaz/.ssh/id_rsa):    ← name of the key file; press Enter to accept the default
Created directory '/home/kaz/.ssh'.
Enter passphrase (empty for no passphrase):    ← enter the passphrase
Enter same passphrase again:    ← enter the passphrase again (remember it)
Your identification has been saved in /home/kaz/.ssh/id_rsa.
Your public key has been saved in /home/kaz/.ssh/id_rsa.pub.
The key fingerprint is:
tf:rs:e3:7s:28:59:5s:93:fe:33:84:01:cj:65:3b:8e centospub@sample.centospub.com
Then confirm that the public key and private key have been created, and do some processing so that they can be used by the client.
[centospub@sample ~]$ cd ~/.ssh    ← enter the key directory
[centospub@sample .ssh]$ ls -l    ← list the files
total 16
-rw-------  1 centospub  951 Sep  4 id_rsa    ← confirm that the private key has been created
-rw-r--r--  1 centospub  241 Sep  4 id_rsa.pub    ← confirm that the public key has been created
[centospub@sample .ssh]$ cat ~/.ssh/id_rsa.pub >> ~/.ssh/authorized_keys    ← append the public key content to the authorized_keys file
[centospub@sample .ssh]$ rm -f ~/.ssh/id_rsa.pub    ← delete the original public key file
[centospub@sample .ssh]$ chmod 400 ~/.ssh/authorized_keys    ← set the permissions of the new public key file to 400
Then transfer the private key securely to the PC from which you want to connect to the server through SSH. The following uses a 3.5-inch floppy disk as the medium:
[centospub@sample .ssh]$ exit    ← quit the general user session (return to the root logon)
[root@sample ~]# mount /mnt/floppy/    ← mount the floppy drive
[root@sample ~]# mv /home/centospub/.ssh/id_rsa /mnt/floppy/    ← move the created private key to the floppy disk
[root@sample ~]# umount /mnt/floppy/    ← unmount the floppy drive
In this way, an SSH client on a remote terminal can connect to the server using the private key that corresponds to the centospub user.
II. SecureCRT 7.0 client configuration and logon
Step 1:
Step 2:
Step 3:
Step 4: on the first login, a box asking for the key passphrase pops up. After the passphrase has been entered, you do not need to enter it again.