I. Key pair authentication
Asymmetric algorithms usable for SSH authentication: RSA and DSA are the two covered in these notes. Note that current OpenSSH releases disable DSA (ssh-dss) keys by default, and also offer ECDSA and Ed25519.
1. Generate a key pair on the client
Run "ssh-keygen -t rsa" on the client to generate an asymmetric key pair (private key id_rsa, public key id_rsa.pub).
2. Upload the public key file to the server
Transfer the public key file id_rsa.pub from the .ssh/ directory of the client's home directory to the server (with scp, for example). Only the public key leaves the client; the private key id_rsa is never copied.
3. Create the key directory on the server and rename the uploaded key file
Once the upload is complete, create a .ssh/ directory in the home directory on the server, rename id_rsa.pub to authorized_keys (lowercase, exactly this name) and move it into that .ssh/ directory. sshd's StrictModes check requires that neither the directory nor the file is writable by group or others (the usual modes are 700 for .ssh/ and 600 for authorized_keys); with looser modes the key is silently ignored.
4. Edit /etc/ssh/sshd_config on the server and uncomment the public key authentication directives
5. Remote transfer tools
(1) scp: file upload and download
Upload format: scp local_file user@IP:directory
Download format: scp user@IP:file local_save_location
Specify the port: -P port (uppercase P; lowercase -p preserves file modification times instead)
(2) sftp: FTP-style secure transfer over SSH
Login method: sftp user@IP
Specify the port: -oPort=port (current OpenSSH also accepts -P port)
After logging in to the server with sftp, commands such as cd, ls and pwd act on the server exactly as they would on a local machine; to run the same operation on the local machine without leaving the session, prefix the command with l (lcd, lls, lpwd). get downloads a file and put uploads one.
If Windows should also connect to Linux without a password, generate a key pair with Xshell (Tools - New User Key Generation Wizard), then copy the generated public key into the authorized_keys file on the Linux server.
6. Allow key login only and prohibit password login
* Make sure SSH public key authentication is enabled: open /etc/ssh/sshd_config and check that the following two options are set to yes:
* Disable password authentication: edit /etc/ssh/sshd_config and make sure the file contains the following:
After editing the file, restart the sshd service (service sshd restart, or systemctl restart sshd). Password login is then disabled and only key pair login is accepted. Keep the current session open until a key login from a second terminal succeeds, so that a mistake in the configuration does not lock you out.
Another user can log in with this key if they are given the private key file, but avoid this in practice: a shared private key cannot be revoked for one person and removes accountability; have each user generate their own pair and append their public key to authorized_keys instead.
Note: be sure to protect your private key.
7. Fast generation and upload of key pairs
The steps above spell out the key generation process in detail; the same result can be obtained with two commands:
(1) On the client, run: ssh-keygen -t rsa
(2) Upload the public key to the server: ssh-copy-id user@IP
ssh-copy-id creates the .ssh directory and authorized_keys on the server (appending if the file already exists) and sets their permissions, so no renaming or directory creation is needed beforehand.
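The procedure of sections 1 to 4, 6 and 7 as one runnable helper. This is an added example written for these notes, not code from the original: admin@server.example.com is a placeholder host, the functions that contact a real server are not run automatically, and the sshd_config audit implements sshd's first-match rule for the three authentication keywords that decide whether a password can still be used.

```shell
#!/bin/sh
# Added example (not from the original notes): client-side key setup plus an
# audit of sshd_config for key-only login. "admin@server.example.com" is a
# placeholder; the functions that touch a real server are not run automatically.

# Sections 1-3 and 7: generate an RSA pair if none exists and push the public
# key with ssh-copy-id, which creates ~/.ssh and authorized_keys on the server.
# (The notes use RSA; on current OpenSSH "-t ed25519" is the better choice.)
setup_client_key() {
    target=${1:-admin@server.example.com}
    [ -f "$HOME/.ssh/id_rsa" ] || ssh-keygen -t rsa -b 4096 -f "$HOME/.ssh/id_rsa"
    ssh-copy-id -i "$HOME/.ssh/id_rsa.pub" "$target"
}

# Section 3 by hand (what ssh-copy-id does on the server): append the public
# key and set the modes sshd's StrictModes expects, ~/.ssh 700 and
# authorized_keys 600; with looser modes the key is silently ignored.
install_authorized_key() {
    user_home=$1
    pubkey_file=$2
    mkdir -p "$user_home/.ssh"
    chmod 700 "$user_home/.ssh"
    cat "$pubkey_file" >> "$user_home/.ssh/authorized_keys"
    chmod 600 "$user_home/.ssh/authorized_keys"
}

# Effective value of one sshd_config keyword. sshd uses the FIRST uncommented
# occurrence, keyword names are case-insensitive, and directives after a
# "Match" line are conditional, so they are not considered here. $3 = default.
sshd_effective() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" -v def="$3" '
        /^[[:space:]]*#/ { next }
        tolower($1) == "match" { inmatch = 1 }
        !inmatch && !found && NF >= 2 && tolower($1) == key { print $2; found = 1 }
        END { if (!found) print def }' "$1"
}

# Section 6 audit: key login on, password login off. Passwords can also be
# asked through keyboard-interactive (PAM), so that must be off as well;
# KbdInteractiveAuthentication is the new name of ChallengeResponseAuthentication.
# Prints what is wrong; returns 0 when the file enforces key-only login.
check_key_only() {
    cfg=$1
    pub=$(sshd_effective "$cfg" PubkeyAuthentication yes)
    pw=$(sshd_effective "$cfg" PasswordAuthentication yes)
    kbd=$(sshd_effective "$cfg" KbdInteractiveAuthentication "")
    [ -n "$kbd" ] || kbd=$(sshd_effective "$cfg" ChallengeResponseAuthentication yes)
    rc=0
    [ "$pub" = yes ] || { echo "$cfg: PubkeyAuthentication is $pub, need yes"; rc=1; }
    [ "$pw" = no ]   || { echo "$cfg: PasswordAuthentication is $pw, need no"; rc=1; }
    [ "$kbd" = no ]  || { echo "$cfg: keyboard-interactive auth is $kbd, need no"; rc=1; }
    [ "$rc" -eq 0 ] && echo "$cfg: key-only login enforced"
    return "$rc"
}
```

Run check_key_only /etc/ssh/sshd_config on the server after editing; a distribution default with PasswordAuthentication commented out fails the check, because the built-in default is yes. For the authoritative view including Match blocks, sshd -T prints the effective configuration.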
II. TCP Wrappers access control
1. Which commands TCP Wrappers can manage
A service can be controlled by TCP Wrappers only if its program is linked against the library libwrap.so.
which command_name: finds where a service's program is located
ldd /path/to/command: lists the shared libraries the program loads; look for libwrap.so in the output
Caveat: OpenSSH dropped its built-in libwrap support in version 6.7, so on current distributions sshd is often not linked against libwrap and hosts.allow/hosts.deny have no effect on it unless the distribution patched the support back in. Check with ldd before relying on these files.
2. Access control policy configuration files
Whitelist (allow access): /etc/hosts.allow
Blacklist (deny access): /etc/hosts.deny
Note: the whitelist takes priority over the blacklist
3. Set the access control policy
Policy format: service_list : client_address_list
Service list: multiple services are separated by commas; ALL stands for all services
Client address list: multiple addresses are separated by commas; ALL stands for all addresses
For example:
the wildcards ? and * are allowed
a network segment is written as 192.168.4. or 192.168.4.0/255.255.255.0
4. Order in which the policies are applied
hosts.allow is checked first; on a match, checking stops and access is allowed
Otherwise hosts.deny is checked; on a match, checking stops and access is denied
If neither file contains a matching policy, access is allowed by default
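How the matching order in section 4 plays out against concrete rules, as an added example that is not part of the original notes: a POSIX shell model of the decision tcpd/libwrap makes for one connection, so that hosts.allow and hosts.deny rules can be tried offline. The rule files and addresses it is exercised with are constructed, and it models only the address forms the notes mention.

```shell
#!/bin/sh
# Added example (not from the original notes): a shell model of the decision
# tcpd/libwrap makes for one connection. Modelled: daemon names and ALL on the
# left; ALL, exact addresses, trailing-dot prefixes (192.168.4.), net/mask
# (192.168.4.0/255.255.255.0 or /24) and the ? and * wildcards on the right.
# Not modelled: EXCEPT, KNOWN, LOCAL, hostnames and the optional third field
# (spawn, DENY, ...). Use tcpdmatch(8) for the authoritative answer.

# Dotted-quad IPv4 address to an integer.
ip2int() {
    set -- $(printf '%s' "$1" | tr . ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Netmask given as dotted quad or as prefix length, to an integer.
mask2int() {
    case $1 in
        *.*) ip2int "$1" ;;
        *)   echo $(( (4294967295 << (32 - $1)) & 4294967295 )) ;;
    esac
}

# Does one client-list pattern match the address?
client_match() {
    pat=$1; ip=$2
    case $pat in
        ALL) return 0 ;;
        */*) net=${pat%/*}; m=$(mask2int "${pat#*/}")
             [ $(( $(ip2int "$ip") & m )) -eq $(( $(ip2int "$net") & m )) ] ;;
        *.)  case $ip in "$pat"*) return 0 ;; esac; return 1 ;;
        *)   case $ip in $pat) return 0 ;; esac; return 1 ;;
    esac
}

# Does one daemon-list token match the service?
service_match() { [ "$1" = ALL ] || [ "$1" = "$2" ]; }

# Does any rule in FILE match SERVICE from IP? A rule is "daemons : clients",
# tokens separated by commas or blanks; comments and other lines are skipped.
file_matches() {
    file=$1; svc=$2; ip=$3
    [ -f "$file" ] || return 1
    sed 's/#.*//' "$file" | (
        while IFS= read -r line; do
            case $line in *:*) ;; *) continue ;; esac
            clients=${line#*:}
            for d in $(printf '%s' "${line%%:*}" | tr , ' '); do
                service_match "$d" "$svc" || continue
                for c in $(printf '%s' "${clients%%:*}" | tr , ' '); do
                    client_match "$c" "$ip" && exit 0
                done
            done
        done
        exit 1
    )
}

# Section 4 order: hosts.allow first (a match allows and stops), then
# hosts.deny (a match denies), and no match in either file means allow.
# Prints the verdict; returns 0 for allow, 1 for deny.
decide() {
    svc=$1; ip=$2; allow=${3:-/etc/hosts.allow}; deny=${4:-/etc/hosts.deny}
    if file_matches "$allow" "$svc" "$ip"; then
        echo "$svc from $ip: allowed by $allow"; return 0
    fi
    if file_matches "$deny" "$svc" "$ip"; then
        echo "$svc from $ip: denied by $deny"; return 1
    fi
    echo "$svc from $ip: allowed (no matching rule)"; return 0
}
```

decide sshd 192.168.4.10 with no further arguments reads the real /etc/hosts.allow and /etc/hosts.deny. The usual locked-down layout is an explicit allow line per service in hosts.allow and "ALL: ALL" in hosts.deny, which turns the default-allow of section 4 into default-deny.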
Key pair authentication and TCP wrappers access control