The server side and the client side do not hold the same key, which is why RSA is called an asymmetric key system. RSA is built on the modulo operation x mod n and on the following properties of modular arithmetic:

[(a mod n) + (b mod n)] mod n = (a + b) mod n
[(a mod n) - (b mod n)] mod n = (a - b) mod n
[(a mod n) * (b mod n)] mod n = (a * b) mod n

and therefore (a mod n)^d mod n = a^d mod n.

A message m is just a bit pattern, and every bit pattern can be read as a unique integer, so encrypting a message is the same as encrypting a number: to encrypt m we encrypt the corresponding integer and obtain a new integer, the ciphertext. RSA generates a public/private key pair as follows:
- Choose two large primes p and q (for example 1024 bits each).
- Compute n = pq and z = (p-1)(q-1).
- Choose e (with e < n) such that e and z have no common factor, i.e. e and z are coprime.
- Choose d such that ed - 1 is exactly divisible by z (i.e. ed mod z = 1).
- The public key is (n, e); the private key is (n, d).
To encrypt a message m (with m < n), compute c = m^e mod n; to decrypt c, compute m = c^d mod n. This works because (m^e mod n)^d mod n = m^(ed) mod n = m, and since the exponents commute, (m^d mod n)^e mod n = m as well: whatever one key encrypts, the other decrypts. Encrypting with the public key and decrypting with the private key gives confidentiality; applying the private key first and the public key second gives a signature, and this is the foundation of PKI.

The security of RSA rests on the gap between two problems: testing whether a large number is prime and multiplying two large primes together are cheap on a computer, whereas factoring the product n back into p and q is extremely expensive. Deriving the private key from the public key is equivalent to factoring n without knowing p and q, so it is very hard. Two practical caveats: textbook RSA as written here is deterministic and malleable (the same m always gives the same c), so real implementations always apply padding such as OAEP for encryption or PSS for signatures and never encrypt raw integers; and public-key operations are slow compared with symmetric ciphers, so protocols use public-key cryptography only to establish a secure connection (authenticate the peer and agree on a session key) and then encrypt the bulk data with a symmetric cipher.

Remote connection servers fall into three main groups:
- text interface, plaintext: telnet, rsh
- text interface, encrypted: SSH (Secure Shell)
- graphical interface: XDMCP, VNC, RDP

ssh-keygen on this system offers two key algorithms, RSA and DSA, with RSA the default; current OpenSSH also generates ECDSA and Ed25519 host keys, as the ssh_host_* listing shows. Note that SSH uses these keys for authentication (the host proves its identity by signing, and so does a user with a key pair), not for encrypting the session: the session key comes from a Diffie-Hellman key exchange and the traffic is protected by a symmetric cipher.
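The ssh_host_rsa_key that sshd generates is exactly such an (n, e)/(n, d) pair. As an added worked example, written for this edit and not code from the original post, here are the five key-generation steps and the c = m^e mod n / m = c^d mod n round trip in Python, with short demo primes in place of 1024-bit ones:

```python
# Added illustration of the RSA arithmetic described on this page, written for
# this edit rather than taken from the original post. The primes are short demo
# values so the block runs instantly; a real key uses 1024-bit primes or larger.
import math
import random

# Trial division by small primes first, then Miller-Rabin: primality testing is
# the cheap direction of the pair of problems RSA depends on.
_SMALL_PRIMES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)


def is_probable_prime(n: int, rounds: int = 24) -> bool:
    if n < 2:
        return False
    for p in _SMALL_PRIMES:
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = random.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def random_prime(bits: int) -> int:
    """Random odd candidate with the top bit set, retried until probably prime."""
    while True:
        cand = random.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(cand):
            return cand


def generate_keypair(bits: int = 64, e: int = 65537):
    """The page's five steps: p, q -> n = pq, z = (p-1)(q-1), e coprime to z,
    d with ed mod z == 1. Returns ((n, e), (n, d), (p, q))."""
    while True:
        p, q = random_prime(bits), random_prime(bits)
        if p == q:
            continue
        n, z = p * q, (p - 1) * (q - 1)
        if math.gcd(e, z) == 1:          # step 3: e and z must be coprime
            d = pow(e, -1, z)            # step 4: modular inverse, ed mod z == 1
            return (n, e), (n, d), (p, q)


def encrypt(pub, m: int) -> int:
    n, e = pub
    if not 0 <= m < n:
        raise ValueError("message integer must be smaller than n")
    return pow(m, e, n)                  # c = m^e mod n


def decrypt(priv, c: int) -> int:
    n, d = priv
    return pow(c, d, n)                  # m = c^d mod n


def message_to_int(msg: bytes) -> int:
    """A message is just a bit pattern, and a bit pattern is an integer."""
    return int.from_bytes(msg, "big")


def int_to_message(m: int, length: int) -> bytes:
    return m.to_bytes(length, "big")


def private_from_factors(n: int, e: int, p: int):
    """Knowing one factor of n is the same as knowing the private key,
    which is why RSA's security rests on factoring being hard."""
    q = n // p
    return (n, pow(e, -1, (p - 1) * (q - 1)))


if __name__ == "__main__":
    pub, priv, _ = generate_keypair()
    m = message_to_int(b"hi")
    c = encrypt(pub, m)
    assert int_to_message(decrypt(priv, c), 2) == b"hi"
    print("n =", pub[0], "e =", pub[1], "d =", priv[1], "c =", c)
```

generate_keypair also returns (p, q) so that private_from_factors can show that recovering one factor of n is the same as recovering d; the Miller-Rabin test is the cheap half of the two problems the text contrasts. Do not use this for anything real: there is no padding, so identical messages give identical ciphertexts.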
Deleting the host keys and restarting sshd regenerates them; afterwards sshd is listening on port 22 on both IPv4 and IPv6. Note that the private host keys are readable only by root and the ssh_keys group, while the .pub files are world-readable:

```
[root@host ~]# rm /etc/ssh/ssh_host*
[root@host ~]# service sshd restart
Redirecting to /bin/systemctl restart sshd.service
[root@host ~]# date
Tue Jul  1 HH:MM:SS EDT
[root@host ~]# ll /etc/ssh/ssh_host*
-rw-r-----. 1 root ssh_keys  227 Jul  1 HH:MM /etc/ssh/ssh_host_ecdsa_key
-rw-r--r--. 1 root root      162 Jul  1 HH:MM /etc/ssh/ssh_host_ecdsa_key.pub
-rw-r-----. 1 root ssh_keys  387 Jul  1 HH:MM /etc/ssh/ssh_host_ed25519_key
-rw-r--r--. 1 root root       .. Jul  1 HH:MM /etc/ssh/ssh_host_ed25519_key.pub
-rw-r-----. 1 root ssh_keys 1675 Jul  1 HH:MM /etc/ssh/ssh_host_rsa_key
-rw-r--r--. 1 root root      382 Jul  1 HH:MM /etc/ssh/ssh_host_rsa_key.pub
[root@host ~]# netstat -tlnp | grep ssh
Proto Recv-Q Send-Q Local Address   Foreign Address  State   PID/Program name
tcp        0      0 0.0.0.0:22      0.0.0.0:*        LISTEN  16016/sshd
tcp6       0      0 :::22           :::*             LISTEN  16016/sshd
```
ssh account@host logs in to the remote host; if the account is omitted, the local user name is used. ssh -f user@remote-host find / &> ~/find1.log runs a single command on the remote host instead of opening an interactive login (-f puts ssh in the background once it has authenticated, and the redirection captures the output locally). The server's public host key is recorded in ~/.ssh/known_hosts: if the key received has not been recorded, ssh asks the user whether to record it; if the host has been recorded, the received key is compared with the stored one, and a different key produces the "REMOTE HOST IDENTIFICATION HAS CHANGED" warning and, with the default StrictHostKeyChecking=ask, the connection is refused. Do not silence that warning by deleting the line unless you know why the key changed (reinstalled host, regenerated keys); it is exactly what a man-in-the-middle looks like. scp xxx.tar user@remote-host:/root/ copies a file to the remote host, scp user@remote-host:/etc/bashrc /tmp copies one back, and -r copies directories recursively.
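The three-way decision described above (unknown host, matching key, changed key), as an added example written for this edit and not taken from the original post or from OpenSSH. It handles plain and HashKnownHosts-style entries over a constructed known_hosts file with made-up keys; certificate, @revoked, wildcard and [host]:port entries are left out:

```python
# Added example of the known_hosts decision the paragraph above describes; it is
# written for this edit, not taken from the original post or from OpenSSH.
import base64
import hashlib
import hmac

# Constructed sample keys (arbitrary base64, not real key material).
KEY_ONE = "AAAAC3NzaC1lZDI1NTE5AAAAIExampleKeyOneXXXXXXXXXXXXXXXXXXXXXXXXXXX"
KEY_TWO = "AAAAB3NzaC1yc2EAAAADAQABAAABAQExampleKeyTwoXXXXXXXXXXXXXXXXXXXX"


def hashed_entry(host: str, salt: bytes) -> str:
    """How ssh writes a host name when HashKnownHosts is on:
    |1|base64(salt)|base64(HMAC-SHA1(key=salt, msg=host))."""
    mac = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(),
                         base64.b64encode(mac).decode())


# Constructed ~/.ssh/known_hosts: a plain entry with two names and a hashed entry.
SAMPLE_KNOWN_HOSTS = "\n".join([
    "# constructed sample file",
    "remote-host,192.168.1.10 ssh-ed25519 " + KEY_ONE,
    hashed_entry("10.0.0.5", b"\x01" * 20) + " ssh-rsa " + KEY_TWO,
    "",
])


def hostname_matches(name_field: str, host: str) -> bool:
    """First field of a line: comma-separated names, or one hashed name."""
    if name_field.startswith("|1|"):
        _, _, salt_b64, mac_b64 = name_field.split("|")
        salt = base64.b64decode(salt_b64)
        expected = hmac.new(salt, host.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(expected, base64.b64decode(mac_b64))
    return host in name_field.split(",")


def check_host_key(known_hosts: str, host: str, key_type: str, key_b64: str) -> str:
    """Return 'unknown' (ssh asks whether to record the key), 'match'
    (connect silently) or 'mismatch' (ssh warns that the host key has
    changed and, with the default StrictHostKeyChecking=ask, refuses)."""
    seen = False
    for raw in known_hosts.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) < 3:
            continue
        names, ktype, kdata = parts[0], parts[1], parts[2]
        if ktype != key_type or not hostname_matches(names, host):
            continue
        seen = True
        if kdata == key_b64:
            return "match"
    return "mismatch" if seen else "unknown"
```

The hashed form is worth knowing because it is what you see on hosts with HashKnownHosts yes: the name cannot be read back, but any host name can be checked against it with the salt stored in the entry, which is what hostname_matches does.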
An sftp session; commands prefixed with l (lls, lcd, lpwd) act on the local side, put uploads and get downloads:

```
[root@host ~]# sftp student@remote-host
sftp> lls /etc/hosts
/etc/hosts
sftp> put /etc/hosts
Uploading /etc/hosts to /home/student/hosts
sftp> ls -a
.              ..             .bash_history  .bash_logout   .bash_profile
.bashrc        .mozilla       hosts
sftp> lcd /tmp
sftp> lpwd
Local working directory: /tmp
sftp> get .bashrc
Fetching /home/student/.bashrc to .bashrc
/home/student/.bashrc                        100%  124     0.1KB/s   00:00
sftp> lls -a
.                  ..                 .font-unix         keyring-RND7QX
.X11-unix          gdm_socket         lost+found         scim-panel-socket:0-root
.bashrc            .ICE-unix          mapping-root       .X0-lock
sftp> exit
```
Setting up key-based login so that a user can connect without typing a password:

```
$ ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
```

(ssh-keygen -t dsa generates a DSA pair instead; DSA has been disabled by default in OpenSSH since 7.0, and ed25519 is the usual choice today.) Two files are produced: ~/.ssh/id_rsa (-rw-------, the private key, which must stay readable only by its owner) and ~/.ssh/id_rsa.pub. Append the public key's contents to ~/.ssh/authorized_keys (-rw-r--r--) on the server; ssh-copy-id -i ~/.ssh/id_rsa.pub remote-host does this for you by writing the key into the remote user's authorized_keys. After that, ssh to the remote host no longer asks for a password. Two things to check when it still does: sshd's StrictModes (on by default) ignores authorized_keys if ~/.ssh or the file itself is writable by group or others, so keep the directory at 700 and the file at 600 or 644; and an empty passphrase means anyone who obtains id_rsa can log in as you, so prefer a passphrase plus ssh-agent unless the key belongs to an unattended job, and in that case restrict it in authorized_keys with options such as from= and command=.
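The id_rsa.pub line that ssh-copy-id appends to authorized_keys is base64 of a small wire format (RFC 4253: the string "ssh-rsa", then e, then n, each length-prefixed, with the same n and e as the RSA section above). The following encoder/decoder is an added example written for this edit, not code from the original post or from OpenSSH; it lets you inspect a key's modulus size and any leading options before installing it. DEMO_N is a constructed 2048-bit odd number, not a real modulus:

```python
# Added example, written for this edit (not from the original post or OpenSSH):
# the wire format behind an id_rsa.pub / authorized_keys line. Format per
# RFC 4253: base64 of string "ssh-rsa" || mpint e || mpint n.
import base64
import shlex
import struct

DEMO_E = 65537
DEMO_N = (1 << 2047) | 0x1234567F          # constructed, not a real modulus


def _ssh_string(data: bytes) -> bytes:
    return struct.pack(">I", len(data)) + data


def _ssh_mpint(value: int) -> bytes:
    raw = value.to_bytes((value.bit_length() + 7) // 8, "big")
    if raw and raw[0] & 0x80:              # leading zero keeps the number positive
        raw = b"\x00" + raw
    return _ssh_string(raw)


def encode_rsa_public(n: int, e: int, comment: str) -> str:
    """Build one id_rsa.pub / authorized_keys line from (n, e)."""
    blob = _ssh_string(b"ssh-rsa") + _ssh_mpint(e) + _ssh_mpint(n)
    return "ssh-rsa %s %s" % (base64.b64encode(blob).decode(), comment)


def _read_string(buf: bytes, off: int):
    (length,) = struct.unpack(">I", buf[off:off + 4])
    off += 4
    return buf[off:off + length], off + length


def decode_rsa_public(line: str) -> dict:
    """Parse one authorized_keys line, including optional leading options such
    as from="192.168.1.0/24",no-pty,command="..." in front of the key type."""
    tokens = shlex.split(line, posix=True)
    try:
        idx = tokens.index("ssh-rsa")
    except ValueError:
        raise ValueError("not an ssh-rsa key line")
    options = ",".join(tokens[:idx])       # normally a single comma-separated field
    blob = base64.b64decode(tokens[idx + 1])
    comment = " ".join(tokens[idx + 2:])
    ktype, off = _read_string(blob, 0)
    if ktype != b"ssh-rsa":
        raise ValueError("key blob type %r does not match the line" % ktype)
    e_raw, off = _read_string(blob, off)
    n_raw, off = _read_string(blob, off)
    if off != len(blob):
        raise ValueError("trailing bytes in key blob")
    n = int.from_bytes(n_raw, "big")
    return {"options": options, "e": int.from_bytes(e_raw, "big"),
            "n": n, "bits": n.bit_length(), "comment": comment,
            "weak": n.bit_length() < 2048}


# Constructed sample line, as ssh-copy-id would append it.
SAMPLE_LINE = encode_rsa_public(DEMO_N, DEMO_E, "student@remote-host")
```

Running decode_rsa_public over each line of a server's authorized_keys is a quick audit: keys under 2048 bits are flagged as weak, and the options field shows which keys are unrestricted.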
```
[root@VM_6_187_centos ~]# ldd $(which sshd) | grep libwrap
        libwrap.so.0 => /lib64/libwrap.so.0 (0x00007f0430674000)
```
sshd supports TCP wrappers through the libwrap.so library it is linked against, so /etc/hosts.{allow,deny} can act as a simple firewall-like access control in front of it; a service that is not linked against libwrap (httpd, for example) ignores these files entirely. Upstream OpenSSH removed libwrap support in 6.7, and the ldd check above is the way to confirm whether your build still honours the files (the CentOS 7 package shown here does through a distribution patch); on systems where it does not, use firewalld/iptables or sshd's own Match address blocks instead. To restrict remote access to sshd:
```
[root@host ~]# vim /etc/hosts.allow
sshd:127.0.0.1 192.168.1.0/255.255.255.0 192.168.100.0/255.255.255.0
[root@host ~]# vim /etc/hosts.deny
sshd:ALL
```
Both files use the same format: <daemon (program name)>: <client list: IP address, network, domain or host name>: <action>. In hosts.allow the action defaults to allow, in hosts.deny to deny. The files are consulted in order: hosts.allow is checked first and a match grants access, then hosts.deny is checked and a match refuses it, and a client that matches neither file is allowed in. With the configuration above, sshd accepts connections only from localhost and the two 192.168 networks and refuses everyone else, while other services are unaffected because the deny line names sshd only; sshd:ALL in hosts.deny is what turns the allow list into a whitelist.
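The allow-then-deny evaluation order above, as an added example written for this edit and not taken from the original post or from the tcp_wrappers library, run over a constructed copy of the two files shown. It supports the client patterns ALL, an exact address or host name, net/mask or net/prefix, a trailing-dot prefix (192.168.1.), a leading-dot domain suffix (.example.com) and EXCEPT; tcpd's other keywords (LOCAL, KNOWN, PARANOID, spawn/twist) are left out, and IPv6 addresses, which contain colons, would need the bracketed [::1] form that tcpd uses:

```python
# Added example, written for this edit (not from the original post or from the
# tcp_wrappers library): the access decision libwrap makes from
# /etc/hosts.allow and /etc/hosts.deny.
import ipaddress

# Constructed copies of the two files from the page.
SAMPLE_ALLOW = """\
# /etc/hosts.allow
sshd: 127.0.0.1 192.168.1.0/255.255.255.0 192.168.100.0/255.255.255.0
"""
SAMPLE_DENY = """\
# /etc/hosts.deny
sshd: ALL
"""


def _client_matches(pattern: str, addr: str, hostname: str) -> bool:
    if pattern == "ALL":
        return True
    if pattern.endswith("."):                      # 192.168.1. style prefix
        return addr.startswith(pattern)
    if pattern.startswith("."):                    # .example.com suffix
        return hostname.endswith(pattern)
    if "/" in pattern:                             # net/mask or net/prefixlen
        try:
            return ipaddress.ip_address(addr) in ipaddress.ip_network(pattern, strict=False)
        except ValueError:
            return False
    return pattern == addr or pattern == hostname


def _list_matches(field: str, value_fn) -> bool:
    """A tcpd list: whitespace-separated patterns with an optional EXCEPT."""
    tokens = field.split()
    if "EXCEPT" in tokens:
        i = tokens.index("EXCEPT")
        return (_list_matches(" ".join(tokens[:i]), value_fn)
                and not _list_matches(" ".join(tokens[i + 1:]), value_fn))
    return any(value_fn(t) for t in tokens)


def _first_match(text: str, default: str, daemon: str, addr: str, hostname: str):
    """Action of the first matching rule in one file, or None if nothing matched."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = [f.strip() for f in line.split(":")]
        if len(fields) < 2:
            continue
        daemons_ok = _list_matches(fields[0], lambda t: t == "ALL" or t == daemon)
        clients_ok = _list_matches(fields[1], lambda t: _client_matches(t, addr, hostname))
        if daemons_ok and clients_ok:
            # The optional third field overrides the file's default action.
            if len(fields) > 2 and fields[2].lower() in ("allow", "deny"):
                return fields[2].lower()
            return default
    return None


def tcp_wrappers_decision(allow_text: str, deny_text: str, daemon: str,
                          addr: str, hostname: str = "") -> str:
    """hosts.allow first (a match grants), then hosts.deny (a match refuses);
    a client that matches neither file is allowed in."""
    verdict = _first_match(allow_text, "allow", daemon, addr, hostname)
    if verdict is None:
        verdict = _first_match(deny_text, "deny", daemon, addr, hostname)
    return verdict or "allow"
```

The last rule is the one people trip over: with an empty hosts.deny, a restrictive hosts.allow blocks nothing, which is why the page's sshd:ALL deny line is required for the allow list to mean anything.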
RSA encryption algorithm and SSH remote connection server