Implementation of key-based security verification in Centos

Tutorial Background:Xiaonuo has used Linux to build various servers (FTP, DNS, Apache, Sendmail, and Samba), because these servers are placed in a safe place, generally, no one is allowed to access these servers. The company now needs to securely access these servers through remote clients. SSH is a standard network protocol that can be used in most UNIX operating systems to achieve remote login management on the Character interface. It uses port 22 by default and transmits data in the network in the form of ciphertext, it is more secure than Telnet through plaintext transmission. SSH provides two user authentication methods: password and key. Both methods transmit data through ciphertext. The difference is that the password user authentication method transfers the user's account name and password, this requires that the entered password be complex enough to ensure higher security. For key-based security authentication, you must create a pair of keys for the user and place the keys on the server to be accessed. When you need to connect to the SSH server, the client software sends a request to the server to use the client key for security verification. After receiving the request, the server first looks for a common key under the root directory of the user, and then compares it with the public key sent. If the two keys are consistent, the server uses the public key to encrypt the question and send it to the client software (puetty ). After receiving the question, the client can decrypt it with a local private key and then send it to the server. This method is quite safe.Tutorial network topology:Tutorial steps:I,Install and configure OpenSSHIn RHEL4, the OpenSSH server and client software are installed by default, so you do not need to install them manually. If it is not installed, all the software packages related to the OpenSSH service are included in the second installation disc. You can run the rpm command to install the software. In RHEL4, configuration files related to the OpenSSH service are stored in the "/etc/ssh" directory. sshd_config is the configuration file of the SSH server, and ssh_config is the configuration file of the SSH client. This experiment uses puetty to log on to Windows, so you do not need to configure ssh_config. You only need to configure sshd_config. In the sshd_config file, remove the following three lines of comments. RSAAuthentication yes enable RSA encryption function PubkeyAuthentication yes enable the public key authentication function AuthorizedKeysFile after the file name and storage location of the public key are configured, You need to restart the sshd service program for the new configuration to take effect. The public key and private key pair are generated on the SSH server (the client can also be generated on the client, and then the public key is uploaded to the corresponding directory, which is safer. The ssk-keygen command is used to generate the key pair of the current user. The-t rsa command option specifies that the key type is rsa. -The B 1024 command option specifies that the key length is 1024 bits. When executing the ssh-keygen command to generate a key, you need to answer the relevant settings. The first is the default path of the private key and the second is the password of the private key, the third is the re-Password Confirmation of the private key. After the ssh-keygen command is executed, two files are generated in the ssh directory. id_rsa is the user's private key file, and id_rsa.pub is the user's public key file. These two files are generated once using the ssh_keygen command and need to be paired. Because the generated public key name does not match the specified public key name, you must replace the generated file name with authorized_keys.II,Secure use of WinSCPThe software exports the user's private key because the private key file id_rsa needs to be copied to the user's host, and the private key on the server needs to be deleted, so as to ensure the uniqueness of the private key. If the private key may be lost through Samba or FTP server, you need to access the Linux server in a safe way. WinSCP is a client program for scp and sftp in Windows. After the WinSCP software is installed, a configuration dialog box similar to PuTTY appears when the WinSCP software is enabled, in this dialog box, enter the host name (IP address), port number, user name, password (password) of the SSH server, and select "Log on" to log on. The connection is transmitted in ciphertext, high security. After logging on to Linux using WinSCP, you can copy the user's private key id_rsa to your host and then delete the private key on Linux to prevent future risks.III,Use PuTTYKey generator generates WindowsRecognized key. Because keys generated in Linux cannot be used directly in Windows, you need to use puTTYgen to generate the corresponding private key on the Windows client. Import the private key downloaded from the Linux server to the PuTTY server, and select 1024 for the number of keys, type: SSH-2 RSA and the parameter set for the command ssh-keygen on the server. Click Generate and enter the password used by the key. After the private key is generated, click "Save Private Key" on the local machine to generate a file with the extension of ppk and exit.IV,Install and configure PuTTYThird-party software must be installed in windows to implement the functions of the SSH client. PuTTY is the most popular SSH client software in Windows, and it is also a green software. It is specially set for SSH and can be used for free. The following figure shows the main interface. In the session field, enter the IP address corresponding to the host name. The port number is 22 and the protocol type is SSH. Import the key generated by the PuTTY key generator in the authentication column. Save the session and open it. Enter the username root, and then enter the private key. Because SSH uses the ciphertext transmission mode, by default, the root user is running to log on directly to SSH. For security reasons, you can also set to prohibit the root user from directly logging on to SSH. In the sshd_config configuration file, remove the comment before "permitRootLogin yes" and change "yes" to "no. After configuring sshd_config, restart the sshd service. You can set a Linux Password on PuTTY to log on and find that the logon fails. This is caused by "PermitRootLogin no.

This article is from the blog of "the Linux open source technology blog", please be sure to keep this source http://dreamfire.blog.51cto.com/418026/167468