Go Linux SSH configuration and disable root remote login settings

Source: Internet
Author: User
Tags session id ssh server

Original

First, modify the Vi/etc/ssh/sshd_config file
1, modify the default port: The default is 22, and has been commented out, the modification is to remove the comments, and modify the other ports.
2, prohibit the root user remote login: Modify the Permitrootlogin, the default is yes and commented out, modify is to remove the comment, and change to No.
3, Permitemptypasswords No does not allow null password user login


Second, the SSH public key authentication configuration:
Modify the Vi/etc/ssh/sshd_config file
Rsaauthentication Yes # Enable RSA authentication (default is commented out, remove comment, if not yes, change to Yes)
Pubkeyauthentication Yes # Enable public key authentication (default is commented out, remove comment, if not yes, change to Yes)
Passwordauthentication No # Disable password authentication (change to No, the default is Yes is password authenticated)
Strictmodes no #修改为no, the default is yes. If you do not modify the login with key is the presence of server refused our key (if strictmodes for Yes must ensure that the owner of the folder holding the public key is the same as the login user name. ") Strictmodes "Sets whether SSH checks the permissions and ownership of the user home directory and the rhosts file before receiving the logon request. This is usually necessary because novices often set their own directories and files to anyone with write access. )


After you restart the SSH service:/etc/init.d/ssh restart


Generate the login public key and the private key,
[[Email protected]_168_0_21 ssh]# ssh-keygen-t RSA
Generating public/private RSA key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):/home/linden.guo/.ssh/id_rsa (Generate private key and public key storage location)
Enter passphrase (empty for no passphrase): Enter password
Enter same passphrase again: enter password again
Your identification has been saved In/home/linden.guo/.ssh/id_rsa. (Generated private key)
Your public key has been saved in/home/linden.guo/.ssh/id_rsa.pub. (Generated public key)
The key fingerprint is:
76:04:4d:44:25:37:0f:b1:a5:b7:6e:63:d4:97:22:6b [Email protected]_168_0_21

The generated public key id_rsa.pub is uploaded to the server to be logged in and appended to the Authorized_keys file and placed in the user directory. SSH cat id_rsa.pub >>. Ssh/authorized_keys ( If there is no Authorized_keys, you can rename the id_rsa.pub directly to Authorized_keys, which you think has not been tested)


Use putty to connect to the SSH server. In order to use public key authentication, we need to download the Puttygen tool simultaneously to generate the keys used by putty
If you follow the instructions above and generate a public key and key under Linux, you need to use Puttygen to convert the key to the format used by the putty. Copy the key Id_rsa generated under Linux to Windows. Start Puttygen, and then click the Load button, select file type for all files, and then select Id_rsa, Open. If you enter a password when you generate the key, you need to enter the password when you open it (the password you entered when you generated the key with Linux). You can then click Save Private key on the main interface of Puttygen to save the key in putty format.

It is best to determine if the. SSH folder under the user directory has read and write permissions for the owner, with the minimum of execute permissions, such as 700 or read-only permissions in the 100;authorized_keys file


Note: Authorizedkeysfile. Ssh/authorized_keys (the directory of the authentication file and the public key file name can be modified, and the corresponding directory should also be modified, such as Authorizedkeysfile. Sshd/linden.guo_ke YS, you need to set up the. sshd folder in the user directory, put the Linden.guo_keys file below)


Third, why to use public key authentication
In general, when you log in to a remote server via SSH, password Authentication is used to enter the user name and password, both of which meet certain rules to log in. However, password authentication has the following disadvantages:

The user cannot set a blank password (even if the system allows a blank password, it can be very dangerous)
The password is easy to be peeping or guessed.
One account on the server to use for multiple people, you must let all users know the password, causing the password to leak easily, and must notify everyone when the password is changed
The use of public key authentication can solve the above problems.

Public key authentication allows you to use a blank password, eliminating the hassle of entering a password every time you log in
Multiple consumers can log on to the same user on the system with their own keys
The principle of public key authentication
The so-called public key authentication, actually uses a pair of encrypted string, one is called public key, anyone can see its content for encryption, and the other is called the key (private key), only the owner can see, for decryption. Ciphertext encrypted with a public key can be easily decrypted using a key, but it is difficult to guess the key based on the public key.

SSH's public key authentication is the use of this feature. Both the server and the client each have their own public key and key. For illustrative purposes, these symbols are used below.

AC Client Public key
Bc Client Key
As Server public key
Bs Server Key

Before authentication, the client needs a way to log the public key Ac to the server.

The certification process consists of two steps.

Session key generation
The client requests a connection to the server, and the server sends the as to the client.
The server generates the session ID, which is set to P and sent to the client.
The client generates the session key, set to Q, and calculates r = P XOR Q.
The client encrypts r with AS and sends the result to the server.
The server decrypts with Bs and obtains R.
The server carries out the operation of R XOR P and obtains Q.
Both the server and the client are aware of the session key Q, and subsequent transmissions will be encrypted by Q.
Certification
The server generates a random number x and uses AC encryption to generate the result S (x), which is sent to the client
Client uses Bc decryption S (x) to get X
Client calculates the MD5 value of Q + x N (q+x), Q is the session key obtained in the previous step
Server calculates q + x's MD5 value m (q+x)
The client sends N (Q+X) to the server
Server comparison m (q+x) and N (q+x), both of which are certified successful
Server-side settings
Using public key authentication requires a few settings for the server. Modify the following configuration for/etc/sshd_config.

Rsaauthentication Yes # Enable RSA authentication
Pubkeyauthentication Yes # Enable public key authentication
Passwordauthentication No # Disable password Authentication strictmodes No #修改为no, the default is yes. If you do not modify the login with key is to appear server refused our key and then restart sshd.

/etc/init.d/ssh Restart client Settings
Linux
Assume that the client user Charlee to log on to the server as the guest user. First, execute the following command on the client.

[Email protected]:~]$ ssh-keygen-t RSA
Generating public/private RSA1 key pair.
Enter file in which to save the key (/HOME/CHARLEE/.SSH/ID_RSA):
Enterpassphrase (empty for no passphrase): Enter the password
Enter same passphrase again: enter password again
Your identification has been sabed In/home/charlee/.ssh/id_rsa
Your public key has been saved In/home/charlee/.ssh/id_rsa.pub the generated file is saved in the. SSH directory of the home directory, ID_RSA is the client secret, and Id_rsa.pub is the client key.

After that, the public key id_rsa.pub is copied to the server by means of a USB flash drive, and the following commands are executed.

[Email protected]:~]$ cat id_rsa.pub >>. Ssh/authorized_keys where id_rsa.pub is the public key of the client's user Charlee.

This allows the client to connect to the server with the following commands.

[Email protected]:~]$ ssh-l Guest server If you do not want to enter a password each time you log on to the server, you can first execute the following command:

[[Email protected]:~]$ ssh-add
Enter passphrase For/home/charlee/.ssh/id_rsa: enter password
Identity added:/home/charlee/.ssh/id_rsa (/HOME/CHARLEE/.SSH/ID_RSA) You do not need to enter a password after you log in to the server.

Windows
Let's say we use putty to connect to the SSH server. In order to use public key authentication, we need to download the Puttygen tool at the same time to generate the key used by putty.

Use of public keys and keys generated under Linux
If you follow the instructions above and generate a public key and key under Linux, you need to use Puttygen to convert the key to the format used by the putty.

Copy the key Id_rsa generated under Linux to Windows. Start Puttygen, and then click the Load button, select file type for all files, and then select Id_rsa, Open. If you enter a password when you generate the key, you will need to enter the password when you open it. You can then click Save Private key on the main interface of Puttygen to save the key in putty format.

Using Puttygen to generate public keys and keys
You can also use Puttygen to generate public keys and keys directly. Open Puttygen, then select the encryption algorithm and the length of the encryption in the Parameters bar at the bottom of the screen (usually the default), and then click Generate. A progress bar appears on the screen, moving the mouse randomly around the interface to generate random numbers. At the end of the prompt, click the Save Private Key button to save the key. Finally, copy the contents of the above public key to pasting into OpenSSH authorized_keys file column to the ~/.ssh/authorized_keys files in the home directory under Linux.

Setting up putty using public key authentication
The host name, port and other information of the connection are set up in the Putty first (description omitted). There are two places to use public key authentication: One is the auto-login username in Connection, the user name is entered on the server, and the other is the Private key file in Connection->ssh->auth For authentication, select the key in the. PPK format that you just converted or generated. It can then be connected using public key authentication.

Go Linux SSH configuration and disable root remote login settings

Related Article

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.