Secure login with key for SSH [SSH + PAM + PuTTY]
Author: Shaozong [Scott Siu]
E-mail:scottsiuzs@gmail.com
I have seen many articles about logging in to SSH with a key, and many of them leave points out, so I am tidying the procedure up here.
System Platform
Server: SLES 9.3
Client: Windows XP
RHEL 4 AS 4.0
Notes
1. Generating a key with PuTTY (Windows)
Download the PuTTY components: http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html
They include putty.exe, puttygen.exe, plink.exe and pageant.exe. The last two files are not needed for the moment.
Generate the key:
Run puttygen.exe and first choose, at the bottom of the window, the key algorithm and the number of bits you want, such as: SSH-2 DSA 2048
Click "Generate" to generate the key
"Save public key": save the public key as wsshtest
"Save private key": save the private key as WSSHTEST.PPK
2. ssh-keygen (Linux)
For example: the current user is root, and I want to add an account sshadmin that has access to the remote server.
# useradd sshadmin -m
# passwd sshadmin
# mkdir /home/sshadmin/.ssh
# chown sshadmin:users /home/sshadmin/.ssh
# cd /home/sshadmin/.ssh
# ssh-keygen -t dsa -b 2048 (you will be asked for the key file name here, such as: lsshtest)
# cp lsshtest id_dsa (run cat /etc/ssh/ssh_config to see why the cp is needed)
3. Server
Prerequisite: I am logged in as root, and the server address is 192.168.1.100.
# useradd sshuser -m (set up an account on the server that is allowed to log in over SSH)
# passwd sshuser
# mkdir /home/sshuser/.ssh
# chown sshuser:users /home/sshuser/.ssh
# vi /home/sshuser/.ssh/authorized_keys
(Write the contents of the lsshtest.pub generated by ssh-keygen on Linux into this file.
Also write the contents of the wsshtest that you just generated in PuTTY here. The final file looks like this:
ssh-dss xxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxx xxx@localhost
ssh-dss xxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxx dsa-key-20061115
Note that the key in the file generated by PuTTY may appear on Linux as several lines rather than a single line of text; join it into one line.
Each line in authorized_keys represents one key.)
The following are settings for the SSH service
# vi /etc/ssh/sshd_config
PermitRootLogin no (root login is not allowed)
AllowUsers sshuser user1 user2 (only the users listed here are allowed to log in)
PasswordAuthentication no (controls whether you can log in with a password)
KerberosAuthentication no (as above)
UsePAM no
(I found that even when SSH is configured to support only key logins, PAM still allows passwords to be used.
There are two ways to restrict logins to keys only: one is to set UsePAM to no as above, so that PAM is not used;
the other is to add the following line to the PAM configuration file for SSH.)
# vi /etc/pam.d/sshd
auth required pam_securid.so reserve (only allow login via key)
# /etc/init.d/sshd restart
# chkconfig sshd on
4. Firewall (iptables)
# iptables -A INPUT -p tcp --dport 22 -j ACCEPT
5. Testing
Windows: run PuTTY
Session -> Host Name: 192.168.1.100
Connection -> Data -> Auto-login username: sshuser
Connection -> SSH -> Auth: select the WSSHTEST.PPK that you just generated
Linux: log in as sshadmin
# ssh sshuser@192.168.1.100
You can also try to log in from PuTTY without the PPK file: the login should be refused, which means the test has passed.
You can also try setting UsePAM to yes and to no in sshd_config and compare the effect; I recommend no.
If anything has been left out above, please contact me. If you reprint this article, please indicate the source. Thank you.