How to Use the SRP service to build an FTP server in Linux (on)

In small and medium-sized heterogeneous networks, many users choose Linux as the network operating system and use its simple configuration and user-familiar graphical interfaces to provide Internet services. FTP is one of the services it provides. Among many network applications, FTP File Transfer Protocol has a very important position. Software resources are a very important resource on the Internet, and most of the various software resources are stored on FTP servers. Like most Internet services, FTP is also a client/server system.

FTP is a traditional network service program, which is inherently insecure because it transmits passwords and data in plain text on the network. It is very easy for others with ulterior motives to intercept these passwords and data. In addition, the security authentication methods of these service programs also have their weaknesses, that is, they are vulnerable to man-in-the-middle attacks. The so-called "man-in-the-middle" attack means that "man-in-the-middle" impersonates a Real Server to receive the data you send to the server, and then impersonates you to pass the data to the Real Server. After the data transfer between the server and you is transferred by a "man-in-the-middle", serious problems will occur. These passwords are intercepted by brute force cracking. In addition, you can use the sniffer program to monitor network packets and capture the session information starting with FTP.

SSHSecure Shell) is a safer solution for operating servers through remote online services. It was initially developed by a Finnish company, but due to copyright and encryption algorithm restrictions, many people switched to the free alternative software OpenSSH. SSHSecure Shell) is a safer solution for operating servers through remote online services. It was initially developed by a Finnish company, but due to copyright and encryption algorithm restrictions, many people switched to the free alternative software OpenSSH. You can use SSH to encrypt all transmitted data so that the "man-in-the-middle" attack method is not possible, and it can also prevent DNS and IP spoofing. It also has an additional advantage that the transmitted data is compressed and can speed up transmission. SSH is widely used. It can replace Telnet, provide FTP, POP, and even a secure "channel" for PPP ". The SSH protocol provides two Server functions in the preset state: one is a remote online Shell Server similar to Telnet, which is also known as the SSH function; the other is similar to the SFTP-Server function of the FTP service, provides more secure FTP services.

How does SSH security verification work? It mainly relies on online encryption technology. From the client perspective, there are two security verification levels:

1. Password-based security verification ssh1) you can log on to the remote host as long as you know your account and password. All transmitted data will be encrypted, but there is no guarantee that the server being connected is the server to be connected. Attackers may be attacked by man-in-the-middle.

2. Key-based security authentication (ssh2) relies on keys, that is, you must create a pair of keys for yourself and place the public keys on the servers to be accessed. If you want to connect to the SSH server, the client software sends a request to the server, requesting security verification with the key. After receiving the request, the server first looks for the Public Key in the home directory of the server, and then compares it with the public key sent. If the two keys are the same, the server uses the public key to encrypt "Question" challenge) and sends it to the client software. After the client software receives a question, it can use a private key to decrypt it and then send it to the server. In this way, you must know the password of your key. Compared with the first level, this level does not need to transmit passwords over the network. It not only encrypts all transmitted data, but also prevents man-in-the-middle attacks. Currently, OpenSSH has two security risks: Password, key cracking, and dictionary file de-Password removal.) and OpenSSH may be installed with Trojans.

1. Introduction to SRP

SRP stands for Secure Remote Password, which is an open source code authentication protocol. The client/server using SRP does not transmit the password in plaintext or encrypted mode on the network, which completely eliminates password spoofing. Ensure that passwords can be securely transmitted over the network. The basic idea is to prevent dictionary attacks by passive or active network intruders.
The computer department of Standford University has developed SRP software packages that provide password-based authentication and Session Encryption security mechanisms without the need for users or network administrators to participate in key management or distribution. SRP provides transparent password security for each individual without other expensive initial expenses, such as blocking the use of other security software. Unlike other security software, the SRP package is a complete Cryptographic software package, not a temporary solution. Compared with standard/etc/shadow-style security, SRP is better in every aspect. Using SRP has the following benefits for users and managers:

SRP defends against password sniffing attacks. In a session that uses SRP authentication, the listener does not monitor any passwords transmitted over the network. In remote login software, plaintext password transfer is the biggest security vulnerability. Anyone can use a simple sniffer) tool to obtain the key you log on to the remote system.

SRP defends against dictionary attacks. It is not enough for a system to protect simple password listening. If attackers use powerful attacks, such as Dictionary attacks, they do not simply listen to passwords, but track the entire session process, and then compare the entire information with common passwords in the dictionary. Even some Kerberos systems are vulnerable to such attacks. SRP performs password security before resisting dictionary attacks. The algorithm used requires an attacker to execute an impossible large computing before launching a powerful attack. SRP even protects "active" attacks against passwords. Therefore, even if intruders have the ability to access the network, they cannot break the SRP. Therefore, even if the user uses a very fragile password, it will not make it easy for intruders to crack it. SRP is completely transparent to end users. Because there is no so-called "keyrings", "certificate", or "ticket" ticket ). Your password is the key. SRP simply protects this key, but it is better than the old and weak key protection mechanism. SRP is easy to implement from the perspective of managers. There are no such concepts as "Key Server", "certificate authentication", and "authentication server. The SRP password file is next to the standard Unix password file. The software works with the two system passwords to ensure consistency with the SRP password file. There is no redundant system maintenance mechanism. SRP exchanges an encrypted key when authenticating a user. This means that a login session can be encrypted to resist so-called network listening and malicious tampering. When users read their letterhead remotely, they use 128-bit encrypted information, which is automatically processed after the user logs on, and the user does not have to worry about whether or not encryption is required. The system completes encryption and sends it to the user. In addition, SRP does not use encryption for authentication, which makes it faster and safer than public/private key-based authentication. SRP uses the 128-bit CAST encryption algorithm by default. CAST-128 is defined in RFC2144http: // srp.stanford.edu/srp/rfc2144.txt. Standard SRP also supports 56-bit DES and 48-bit DES. Advanced Support for Triple-DES encryption. This article describes how to create a SRP-based Telnet server. Operating Environment Redhat Linux 9.0.

Ii. Software Download and compilation

SRP software home page is: http://srp.stanford.edu Latest Version 2.1.1, before installing SRP first install OpenSSL.

# Wget http://srp.stanford.edu/source/srp-2.1.1.tar.gz

# Cp/usr/src/redhat/SOURCES

#./Configure -- with-openssl =/usr/src/redhat/SOURCES/openssl-0.9.6 \

-- With-pam

# Make; make install