Linux Server security user key authentication login

Source: Internet
Author: User

Transferred from: http://blog.sina.com.cn/s/blog_6561ca8c0102vb0d.html

First, Key Introduction

Under Linux, remote login to a system can be authenticated in two ways: by password or by key. Password authentication is the traditional security policy. Setting a reasonably complex password protects the system to a degree, but it still faces other problems, such as brute-force password guessing, password leakage and password loss, and an overly complex password also places a burden on operations and maintenance staff.

Key authentication is a newer method: the public key is stored on the remote server and the private key is kept locally. When a user needs to log in, the local private key is checked against the public key on the server, and if the check succeeds the login is allowed. This method avoids the risk of password brute-forcing; as long as the local private key is not stolen by an attacker, the attacker generally cannot get into the system through key authentication.

Second, server-side key generation and configuration

OpenSSH supports two kinds of key authentication, RSA and DSA, which are two different public-key algorithms. The administrator of the T710 server mainly uses RSA key authentication. After a user has logged in with the initial key, they can switch to another key authentication method themselves.

The server-side RSA key generation and configuration steps are as follows:

1. Create a new .ssh directory under the user's home directory and change its permissions to 700 (only the owner can read, write and enter it):

# mkdir .ssh

# chmod 700 .ssh

2. Enter the .ssh directory and use the ssh-keygen command to generate the RSA key pair:

# ssh-keygen -t rsa (press Enter at every prompt)

3. Two files are generated: id_rsa and id_rsa.pub. The first is the private key and the second is the public key. The public key must stay on the server, and the private key is copied to the client machine.

4. In the .ssh directory, create a new file named authorized_keys, copy the contents of the public key into it, and change the file permissions to 600 (only the owner can read and write it):

# touch authorized_keys

# cat id_rsa.pub >> authorized_keys

# chmod 600 authorized_keys

At this point the server-side key setup is complete. It is important to ensure that .ssh and authorized_keys are writable only by the user themselves; otherwise key authentication fails, which is itself a security measure of the system.
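The server-side steps above as one script, added here as an example and not part of the original post. It creates the .ssh directory and authorized_keys with the required modes, installs a public key line without duplicating it on repeated runs, and audits the result the way sshd's StrictModes check does (sshd also refuses key login when the home directory itself is group- or world-writable). The public key value and the home directory used are constructed. In practice the key pair is better generated on the client with ssh-keygen and only id_rsa.pub copied to the server, so the private key never travels over the network.

```shell
#!/bin/sh
# Added example, not from the original post: create ~/.ssh and authorized_keys
# with the permissions sshd's StrictModes check requires, install a public key
# line, and audit the result. Public key and home directory are constructed.

# Print a file's octal mode; GNU stat first, BSD stat as fallback.
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# install_authorized_key HOME_DIR 'ssh-rsa AAAA... comment'
# Creates HOME_DIR/.ssh (700) and HOME_DIR/.ssh/authorized_keys (600) and
# appends the public key line once, so repeated runs do not duplicate it.
install_authorized_key() {
    ssh_dir="$1/.ssh"
    pubkey=$2
    mkdir -p "$ssh_dir"
    chmod 700 "$ssh_dir"
    touch "$ssh_dir/authorized_keys"
    chmod 600 "$ssh_dir/authorized_keys"
    grep -qxF -- "$pubkey" "$ssh_dir/authorized_keys" ||
        printf '%s\n' "$pubkey" >> "$ssh_dir/authorized_keys"
}

# audit_ssh_perms HOME_DIR
# Returns 0 when the layout matches what the page requires; a non-zero code
# identifies the first problem found. sshd (StrictModes yes, the default)
# refuses key login when the home directory, .ssh or authorized_keys is
# writable by group or others.
audit_ssh_perms() {
    home_dir=$1
    ssh_dir="$home_dir/.ssh"
    case "$(file_mode "$home_dir")" in
        *[2367]?|*[2367]) return 1 ;;   # group- or world-writable home directory
    esac
    [ -d "$ssh_dir" ] || return 2
    [ "$(file_mode "$ssh_dir")" = "700" ] || return 3
    [ -f "$ssh_dir/authorized_keys" ] || return 4
    [ "$(file_mode "$ssh_dir/authorized_keys")" = "600" ] || return 5
    return 0
}
```

Run it as the login user, for example `install_authorized_key "$HOME" "$(cat id_rsa.pub)"` followed by `audit_ssh_perms "$HOME"`; a non-zero return code tells you which of the page's permission requirements is not met before you lock yourself out by disabling password login.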

Third, settings for client keys

First, copy the private key id_rsa generated on the server to the client computer that will be used to log in to the server. The remaining steps differ by client operating system and are explained separately below:

Windows system

Under Windows we generally log in with an X server or terminal tool. First import the private key into the tool's key manager, then create a new connection, filling in the user name and host just as for a password login. For the login method, choose "Public Key" instead of "Password", fill in your login user name, and for the user key select the server private key imported earlier. After saving, you can log in without a password.

Linux system

On a Linux client, first copy the server's private key to the client, then:

1. As on the server side, create a new .ssh directory under the user's home directory and change its permissions to 700 (only the owner can read, write and enter it):

# mkdir .ssh

# chmod 700 .ssh

2. Move the private key id_rsa into the .ssh directory and check that its permissions are 600; if not, change them to 600:

# mv id_rsa ./.ssh

# chmod 600 ./.ssh/id_rsa

3. The setup is now complete. Running the ssh command connects directly to the server without entering a password:

# ssh -l username server_ip

4. If you need to log in from this client to several different servers with key authentication, the private keys cannot all be named id_rsa. Create a config file in the .ssh directory to tell them apart; its permissions should also be 600:

# touch config

# chmod 600 config

5. Add the following to the config file (the Host line must come first, because keywords written before the first Host line apply to every connection; comments are shown after #):

Host SERVER_IP          # the server's IP address or host name
    User username        # your login user name
    IdentityFile ~/.ssh/rsa_file    # rsa_file is the private key file name
    Port 22

Then rename the private key id_rsa so that its file name matches the rsa_file value in the config file; ssh will pick that key when connecting to the matching server.
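The multi-server config from step 4 and 5, written out as an added example (not the original post's code): one stanza per server, each with its own private key, plus a small lookup that reports what a stanza sets. The host aliases, addresses, user name and key file names are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the original post: write a per-host ~/.ssh/config
# that selects a different private key for each server, and a small lookup
# that reports what a Host stanza sets. Aliases, addresses, user name and key
# file names are constructed.

# write_ssh_config HOME_DIR: create .ssh (700) and config (600) with two stanzas.
write_ssh_config() {
    ssh_dir="$1/.ssh"
    mkdir -p "$ssh_dir"
    chmod 700 "$ssh_dir"
    cat > "$ssh_dir/config" <<'EOF'
# Constructed example hosts: "ssh web1" and "ssh db1" each use their own key.
Host web1
    HostName 192.0.2.10
    User doiido
    IdentityFile ~/.ssh/id_rsa_web1
    Port 22

Host db1
    HostName 192.0.2.20
    User doiido
    IdentityFile ~/.ssh/id_rsa_db1
    Port 2222
EOF
    chmod 600 "$ssh_dir/config"
}

# config_lookup HOME_DIR ALIAS KEYWORD
# Prints the KEYWORD value from the "Host ALIAS" stanza. Simplified on purpose:
# exact alias match only, no wildcards, and no fallback to settings declared
# before the first Host line. For the complete effective configuration of an
# alias, ask the real client with: ssh -G db1
config_lookup() {
    awk -v host="$2" -v key="$3" '
        tolower($1) == "host"                   { in_block = ($2 == host); next }
        in_block && tolower($1) == tolower(key) { print $2; exit }
    ' "$1/.ssh/config"
}
```

With this file in place, `ssh db1` uses ~/.ssh/id_rsa_db1 on port 2222 and `ssh web1` uses ~/.ssh/id_rsa_web1, with no -l or -i options needed; `ssh -G db1` prints every option ssh would actually apply, which is the authoritative check when a stanza does not behave as expected.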

Linux disables root account remote login

In Linux systems the root user has almost every privilege, far more than an administrator account on Windows. Once the root credentials are compromised, the threat to the server is severe. Forbidding the root user from logging in remotely via SSH therefore greatly improves server security: even if the root password leaks, the server remains protected. The following explains in detail how to prohibit root from logging in over SSH.

First create an ordinary user doiido and add it to a matching group. You must create such a user here, or you will no longer be able to log in to the server over SSH at all:

# groupadd doiido

# useradd -g doiido doiido

Set a password for the user doiido:

# passwd doiido

Then modify the sshd_config file:

# sed -i 's/#PermitRootLogin yes/PermitRootLogin no/' /etc/ssh/sshd_config

Finally, restart the SSH service:

# service sshd restart

This way, even if the root password is compromised, nobody can connect directly to the server as the root user.
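The sed above only works when the file contains the exact text "#PermitRootLogin yes"; the default sshd_config shipped with current OpenSSH contains "#PermitRootLogin prohibit-password" instead, so the sed silently changes nothing. The following is an added example, not code from the original post: a function that sets a keyword in sshd_config idempotently (rewriting the first commented or active occurrence, or inserting the directive at the top of the file when it is absent, since sshd applies the first occurrence it reads), and a function that reads back the value sshd will actually use. The sample configuration used in the test is constructed.

```shell
#!/bin/sh
# Added example, not from the original post: set an sshd_config keyword
# idempotently and read the effective value back. The page's sed matches only
# "#PermitRootLogin yes"; with the "#PermitRootLogin prohibit-password" line
# that current OpenSSH ships, it changes nothing. The test config is constructed.

# set_sshd_option FILE KEYWORD VALUE
# Rewrites the first occurrence of KEYWORD (commented out or active) as
# "KEYWORD VALUE". If the keyword is absent, the directive is inserted at the
# top of the file: sshd uses the first occurrence it reads, so the top wins
# over Include'd files and sits outside any Match block.
set_sshd_option() {
    file=$1 key=$2 value=$3
    if ! awk -v key="$key" -v value="$value" '
        {
            line = $0
            sub(/^[[:space:]]*#?[[:space:]]*/, "", line)   # drop indent and one leading "#"
            split(line, f, /[[:space:]]+/)
        }
        !done && tolower(f[1]) == tolower(key) { print key " " value; done = 1; next }
        { print }
        END { if (!done) exit 1 }
    ' "$file" > "$file.tmp"; then
        # keyword not present anywhere: prepend it
        { printf '%s %s\n' "$key" "$value"; cat "$file"; } > "$file.tmp"
    fi
    # write back through the original file so its owner and mode are preserved
    cat "$file.tmp" > "$file" && rm -f "$file.tmp"
}

# get_sshd_option FILE KEYWORD: value of the first active occurrence, which is
# the one sshd applies (later duplicates are ignored).
get_sshd_option() {
    awk -v key="$2" '
        /^[[:space:]]*#/ || NF == 0 { next }
        tolower($1) == tolower(key) { print $2; exit }
    ' "$1"
}
```

On a real server: `set_sshd_option /etc/ssh/sshd_config PermitRootLogin no`, then check the result with `get_sshd_option /etc/ssh/sshd_config PermitRootLogin` and validate the whole file with `sshd -t` before running the page's `service sshd restart`; a syntax error caught by `sshd -t` is far cheaper than a daemon that refuses to start. Keep the existing SSH session open until a new login as the ordinary user has been confirmed.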
