Linux Server security user key authentication login (based on CentOS 7.0 system)

Source: Internet
Author: User

First, key introduction:

Under Linux, remote login supports two authentication methods: password authentication and key authentication. Password authentication is the traditional policy. A reasonably complex password gives the system some protection, but it still faces brute-force guessing, leakage and loss, and very complex passwords become a burden for day-to-day operations. With key authentication the user's public key is stored on the remote server and the private key stays on the local client. At login the client proves that it holds the private key (it signs a challenge that the server verifies with the stored public key); if that succeeds, the login is granted. Once password login is then switched off on the server, brute force has nothing left to guess, and as long as the private key is not stolen (keep it readable by its owner only and protect it with a passphrase), an attacker cannot get in through key authentication.

Second, server-side key generation and configuration:

OpenSSH supports several public-key algorithms; the two this guide discusses are RSA and DSA. DSA (ssh-dss) is limited to 1024-bit keys and has been disabled by default since OpenSSH 7.0, so on CentOS 7 use RSA with at least 3072 bits or, where the client supports it, Ed25519.

The administrator of the T710 server mainly uses RSA key authentication. After a user has logged in with the initial key, they can switch to another key type themselves.

The server-side RSA key generation and configuration steps are as follows. Note that this guide generates the key pair on the server and then moves the private key to the client; the safer habit is to run ssh-keygen on the client and send only the public key to the server (for example with ssh-copy-id), so that the private key never leaves the machine that uses it.

1. In the user's home directory create a .ssh directory and set its mode to 700 (only the owner may read, write and enter it):

# mkdir ~/.ssh

# chmod 700 ~/.ssh

2. Enter the .ssh directory and generate the RSA key pair with ssh-keygen:

# cd ~/.ssh

# ssh-keygen -t rsa -b 4096 (RSA defaults to 2048 bits; press Enter to accept the default file name, and set a passphrase when prompted if you want the private key encrypted on disk)

3. Two files are generated: id_rsa (the private key) and id_rsa.pub (the public key). The public key stays on the server; the private key is copied to the client machine and then deleted from the server.

4. In the .ssh directory create a file named authorized_keys, append the public key to it, and set its mode to 600 (read and write for the owner only):

# touch authorized_keys

# cat id_rsa.pub >> authorized_keys

# chmod 600 authorized_keys

With that, the server-side key setup is complete. Make sure that .ssh and authorized_keys are writable by the owning user only: with StrictModes (the default) sshd silently ignores the key file otherwise and the login falls back to a password prompt. That check exists for a reason, because a world-writable authorized_keys would let any other local user add their own key to the account.
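Step 4 as a small script, added here as an example and not part of the original post: it installs one public-key line into authorized_keys idempotently (a key body that is already in the file is not appended again, whatever comment or options field the new line carries), creates the .ssh directory and the file with the 700/600 modes the guide requires, and rejects lines that are not OpenSSH public keys. The sample key is a constructed placeholder, not a real key, and the default target path under $HOME is an assumption.

```shell
#!/bin/sh
# add_authorized_key.sh - added example, not part of the original post.
# Does step 4 above (authorized_keys plus the 700/600 modes) in an idempotent way:
# a key body already present in the file is not appended a second time, whatever
# comment or options field the new line carries.
set -eu

# key_fields LINE -> prints "keytype base64body" when LINE is an OpenSSH public key
# line (an options field such as from="10.0.0.5" may precede the type); fails otherwise.
key_fields() {
    printf '%s\n' "$1" | awk '
        {
            for (i = 1; i < NF; i++) {
                if ($i ~ /^(ssh-rsa|ssh-ed25519|ssh-dss|ecdsa-sha2-nistp(256|384|521))$/ &&
                    $(i + 1) ~ /^[A-Za-z0-9+\/=]+$/) {
                    print $i, $(i + 1); found = 1; exit
                }
            }
        }
        END { exit (found ? 0 : 1) }'
}

# add_authorized_key PUBKEY_LINE [AUTHORIZED_KEYS_PATH]
# Exit 0 when the key is in the file afterwards (added, or already there), 1 on a malformed line.
add_authorized_key() {
    line=$1; ak=${2:-"$HOME/.ssh/authorized_keys"}; dir=$(dirname "$ak")
    fields=$(key_fields "$line") || { echo "rejected, not an OpenSSH public key: $line" >&2; return 1; }
    body=${fields#* }                 # the base64 body identifies a key; comment and options do not
    mkdir -p "$dir" && chmod 700 "$dir"
    [ -f "$ak" ] || : > "$ak"
    chmod 600 "$ak"                   # with StrictModes, sshd ignores the file if group/other can write it
    if grep -qF -- "$body" "$ak"; then
        echo "already present: $ak"
        return 0
    fi
    printf '%s\n' "$line" >> "$ak"
    echo "added: $ak"
}

# Constructed sample: shaped like an Ed25519 public key, but a placeholder, not a real key.
SAMPLE_KEY='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleKeyBodyNotARealKey0123456789abc admin@client'

if [ $# -gt 0 ]; then
    # real use:  ./add_authorized_key.sh "$(cat id_rsa.pub)" [~/.ssh/authorized_keys]
    add_authorized_key "$1" "${2-}"
else
    # demo against a throw-away directory; the second call must not duplicate the key
    demo=$(mktemp -d)
    add_authorized_key "$SAMPLE_KEY" "$demo/.ssh/authorized_keys"
    add_authorized_key "from=\"10.0.0.5\" $SAMPLE_KEY" "$demo/.ssh/authorized_keys"
    ls -la "$demo/.ssh"
    rm -rf "$demo"
fi
```

Matching on the base64 body rather than the whole line is deliberate: the same key can legitimately arrive with a different comment or with an options prefix, and two lines for one key are a maintenance trap rather than a second credential.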


Enhanced security-related settings:

Once key login has been verified, you can harden the server further in /etc/ssh/sshd_config. The lines below are shown as they appear in the default file (a leading # means the built-in default is in effect); remove the # and set the value you want. sshd uses the first occurrence of each keyword, so edit the existing line rather than appending a duplicate at the end. After editing, run `sshd -t` to check the syntax, then `systemctl reload sshd`, and keep your current session open until a second key-based login has succeeded.

#Port 22 (the port sshd listens on; it can be changed, but on CentOS 7 a non-default port must also be opened in the firewall and labelled for SELinux with `semanage port -a -t ssh_port_t -p tcp <port>`)

#LoginGraceTime 2m (how long the server waits for a login to succeed before dropping the connection; the default is 2 minutes, and a shorter value such as 30 seconds limits how long unauthenticated connections can be held open)

#PermitRootLogin yes (set this to no so that root cannot log in over SSH at all; log in as a normal user and use sudo. The values prohibit-password and without-password still allow root in with a key)

#StrictModes yes (before accepting a login, sshd checks that the user's home directory, ~/.ssh and authorized_keys are not writable by anyone other than the owner, and refuses the key file otherwise. Leave it on: a group- or world-writable authorized_keys would let another local user add their own key)

#MaxAuthTries 6 (maximum number of authentication attempts per connection; 3 is plenty for key login)

#MaxSessions 10 (maximum number of shell, login or subsystem sessions multiplexed over one network connection; the default is fine)

#KeyRegenerationInterval 3600 (SSH protocol 1 only: the ephemeral server key was regenerated after this many seconds so that a captured key could not decrypt earlier traffic. Protocol 2 rekeys automatically, tunable with RekeyLimit, and OpenSSH 7.4 and later ignore this keyword with a deprecation warning)

#IgnoreRhosts yes (ignore the user's ~/.rhosts and ~/.shosts files during host-based authentication; keep yes)

#IgnoreUserKnownHosts no (whether sshd ignores the user's ~/.ssh/known_hosts during HostbasedAuthentication; irrelevant unless host-based authentication is enabled)

#X11Forwarding no (whether X11 forwarding is allowed; CentOS 7 ships it enabled, set it to no on a server that runs no graphical programs)

#PrintMotd yes (whether sshd prints /etc/motd when the user logs in)

#SyslogFacility AUTH (the syslog facility sshd logs under; CentOS 7 uses AUTHPRIV, so the messages end up in /var/log/secure)

#LogLevel INFO (verbosity of sshd's log messages; INFO is a reasonable default, and VERBOSE additionally records the fingerprint of the key used for each login, which is what you want for auditing. See the sshd_config manual page)

#RhostsAuthentication no (SSH protocol 1 only: trust-based login via ~/.rhosts or /etc/hosts.equiv; obsolete, and ignored with a deprecation warning by current OpenSSH)

#RhostsRSAAuthentication no (SSH protocol 1 only: rhosts trust plus an RSA host key; obsolete, the protocol 2 equivalent is HostbasedAuthentication, which should stay no)

#RSAAuthentication yes (SSH protocol 1 only; the protocol 2 keyword that enables key login is PubkeyAuthentication yes, which is the default)

#PasswordAuthentication yes (whether password login is allowed; once key login works, set this to no, and also set ChallengeResponseAuthentication no so that PAM cannot prompt for a password through keyboard-interactive authentication)

#PermitEmptyPasswords no (whether accounts with an empty password may log in; keep no)

#AllowUsers admin (AllowUsers takes any number of space-separated user name patterns, or user@host patterns; the host part may be a DNS name or an IP address. Only listed users can log in at all, so include your own account before reloading sshd)
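The settings above applied by a script instead of by hand, as an added example that is not from the original post. It rewrites the first occurrence of each keyword in place, which matters because sshd takes the first value it finds and a duplicate appended at the end of the file is silently ignored; it drops later duplicates, and it leaves the protocol 1 keywords out. The sample sshd_config contents in the demo are constructed, and the account name admin in AllowUsers is a placeholder.

```shell
#!/bin/sh
# harden_sshd.sh - added example, not part of the original post.
# Applies the settings discussed above to an sshd_config. On a real server:
#   sudo ./harden_sshd.sh /etc/ssh/sshd_config && sudo sshd -t && sudo systemctl reload sshd
# Keep the current session open until a second, key-based login has succeeded.
set -eu

# set_opt FILE KEYWORD VALUE
# sshd uses the FIRST occurrence of a keyword, so a value appended at the end would
# lose to an earlier active line. This rewrites the first line for KEYWORD, counting
# the commented-out defaults written as "#Keyword value" (but not prose comments
# such as "# Port forwarding ..."), removes later duplicates, and appends only when
# the keyword is absent. Assumes the keyword is not inside a Match block.
set_opt() {
    file=$1; key=$2; value=$3
    tmp=$(mktemp)
    awk -v k="$key" -v v="$value" '
        $0 ~ "^[ \t]*#?" k "([ \t]|$)" { if (!done) { print k " " v; done = 1 }; next }
        { print }
        END { if (!done) print k " " v }
    ' "$file" > "$tmp"
    cat "$tmp" > "$file"   # write through the existing file so its owner and mode are kept
    rm -f "$tmp"
}

# get_opt FILE KEYWORD -> the value sshd will actually use: first active line, keyword
# matched case-insensitively as sshd does; prints nothing when only the built-in default applies.
get_opt() {
    awk -v k="$2" 'tolower($1) == tolower(k) && !seen {
        s = $0; sub(/^[ \t]*[^ \t]+[ \t]+/, "", s); print s; seen = 1 }' "$1"
}

# harden_sshd FILE: the recommendations from the list above, minus the protocol 1
# keywords (RSAAuthentication, RhostsRSAAuthentication, KeyRegenerationInterval),
# which current OpenSSH only warns about and ignores.
harden_sshd() {
    f=$1
    set_opt "$f" PermitRootLogin no
    set_opt "$f" PubkeyAuthentication yes
    set_opt "$f" PasswordAuthentication no
    set_opt "$f" ChallengeResponseAuthentication no   # otherwise PAM can still prompt for a password
    set_opt "$f" PermitEmptyPasswords no
    set_opt "$f" MaxAuthTries 3
    set_opt "$f" LoginGraceTime 30
    set_opt "$f" X11Forwarding no
    set_opt "$f" StrictModes yes
    set_opt "$f" LogLevel VERBOSE                     # logs the fingerprint of the key used
    set_opt "$f" AllowUsers admin                     # placeholder account name; list your real users
}

if [ $# -gt 0 ]; then
    harden_sshd "$1"
else
    # Demo on a constructed stand-in for /etc/ssh/sshd_config: defaults commented out
    # as in the CentOS 7 file, two active weak settings, and an indented Match example.
    demo=$(mktemp)
    cat > "$demo" <<'EOF'
#Port 22
#PermitRootLogin yes
#StrictModes yes
#MaxAuthTries 6
PasswordAuthentication yes
X11Forwarding yes
#Match User anoncvs
#   X11Forwarding no
EOF
    harden_sshd "$demo"
    for k in Port PermitRootLogin PasswordAuthentication MaxAuthTries X11Forwarding AllowUsers; do
        printf '%-32s %s\n' "$k" "$(get_opt "$demo" "$k")"
    done
    rm -f "$demo"
fi
```

get_opt is the check worth keeping around: after any edit, compare what it reports for PasswordAuthentication and PermitRootLogin with what you intended, and only then reload sshd.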


Third, client key settings:

Windows System

On Windows, login is usually done with a graphical SSH client (Xshell and similar tools). First import the private key into the client's key manager. Then create a new connection: fill in the user name and host as you would for a password login, but under authentication choose "Public Key" instead of "Password", enter your login user name, select the imported private key as the user key, and save. The connection then logs in without a password (only the key passphrase is asked for, if one was set).

Linux Systems

On Linux, first copy the private key from the server to the client over a channel that is already authenticated (for example scp using the password login you are about to retire); never send it by e-mail or chat.

1. As on the server, create a .ssh directory in the user's home directory on the client and set its mode to 700 (only the owner may read, write and enter it):

# mkdir ~/.ssh

# chmod 700 ~/.ssh

2. Move the private key id_rsa into the .ssh directory and check that its mode is 600; if it is not, set it (ssh refuses to use a private key that other users can read):

# mv id_rsa ~/.ssh/

# chmod 600 ~/.ssh/id_rsa

3. The setup is now complete. Log in with the ssh command, giving the login user name; no password prompt appears (only the key passphrase, if one was set):

# ssh -l username server_ip

4. If you need to log in to several servers with different keys, they cannot all be called id_rsa. Create a config file in the .ssh directory to tell ssh which key belongs to which host; its mode should also be 600:

# touch ~/.ssh/config

# chmod 600 ~/.ssh/config

5. Add a block like the following to the config file. Host comes first and opens the block; the indented lines apply to that host only, and lines starting with # are comments:

# SERVER_IP: the server's IP address or DNS name
Host SERVER_IP
    # username: your login user name on that server
    User username
    # rsa_file: the name of the private key for this server
    IdentityFile ~/.ssh/rsa_file
    Port 22

Note:

With such a block in place, naming the private key file rsa_file (the name given in IdentityFile) makes ssh pick the right key for that server automatically.
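A check for the permission requirements stated at the end of the server-side section and in client steps 1 and 2, added here as an example and not part of the original post. It reports the mistakes that make key login silently fall back to a password on the server or make the client refuse the key, and fix_ssh_dir applies the modes the guide prescribes. The mode strings are read from ls -ld so the script runs unchanged on any POSIX system; the directory inspected in the demo is a constructed temporary one, and the default key name id_rsa is an assumption.

```shell
#!/bin/sh
# check_ssh_perms.sh - added example, not part of the original post.
# Finds the permission mistakes that make key login silently fall back to a
# password (sshd's StrictModes rejects a ~/.ssh or authorized_keys that group or
# other can write) or make the client refuse the key ("UNPROTECTED PRIVATE KEY
# FILE!" when id_rsa has any group/other bit). The rules are the same on the
# server and on the client, so run it on both.
set -eu

# mode_of PATH -> "drwx------" style mode string via ls, which avoids the GNU/BSD stat split
mode_of() { ls -ld "$1" | cut -c1-10; }

# others_can_write PATH -> true when group (6th char) or other (9th char) has write
others_can_write() {
    case "$(mode_of "$1")" in
        ?????w*|????????w?) return 0 ;;
    esac
    return 1
}

# check_ssh_dir DIR [PRIVATE_KEY_NAME]: one line per problem, exit 0 only when clean
check_ssh_dir() {
    dir=$1; key=${2:-id_rsa}; problems=0
    if [ ! -d "$dir" ]; then
        echo "$dir: missing"; return 1
    fi
    if others_can_write "$dir"; then
        echo "$dir: writable by group/other, sshd will not read keys from it (want 700)"
        problems=$((problems + 1))
    fi
    if [ -f "$dir/authorized_keys" ] && others_can_write "$dir/authorized_keys"; then
        echo "$dir/authorized_keys: writable by group/other, sshd ignores it (want 600)"
        problems=$((problems + 1))
    fi
    if [ -f "$dir/$key" ]; then
        case "$(mode_of "$dir/$key")" in
            -???------) ;;   # owner-only, the only mode ssh accepts for a private key
            *) echo "$dir/$key: readable or writable by others, ssh refuses it (want 600)"
               problems=$((problems + 1)) ;;
        esac
    fi
    [ "$problems" -eq 0 ]
}

# fix_ssh_dir DIR [PRIVATE_KEY_NAME]: apply the modes the guide prescribes
fix_ssh_dir() {
    dir=$1; key=${2:-id_rsa}
    chmod 700 "$dir"
    [ -f "$dir/authorized_keys" ] && chmod 600 "$dir/authorized_keys"
    [ -f "$dir/$key" ] && chmod 600 "$dir/$key"
    [ -f "$dir/$key.pub" ] && chmod 644 "$dir/$key.pub"
    return 0
}

if [ $# -gt 0 ]; then
    check_ssh_dir "$1" "${2:-id_rsa}"      # e.g. ./check_ssh_perms.sh ~/.ssh rsa_file
else
    # Demo on a constructed directory with the modes a careless copy often leaves behind.
    demo=$(mktemp -d)
    mkdir "$demo/.ssh"; : > "$demo/.ssh/id_rsa"; : > "$demo/.ssh/authorized_keys"
    chmod 775 "$demo/.ssh"; chmod 644 "$demo/.ssh/id_rsa"; chmod 664 "$demo/.ssh/authorized_keys"
    echo "before:"; check_ssh_dir "$demo/.ssh" || true
    fix_ssh_dir "$demo/.ssh"
    echo "after:";  check_ssh_dir "$demo/.ssh" && echo "clean"
    rm -rf "$demo"
fi
```

StrictModes also requires the home directory itself not to be group- or world-writable, which the script does not inspect; check that by hand with `ls -ld ~`. To confirm that the private key on the client really matches the line in the server's authorized_keys, compare the output of `ssh-keygen -y -f ~/.ssh/id_rsa` with that line.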

This article is from the "Small ops" blog, please make sure to keep this source http://wangyongchun.blog.51cto.com/10421552/1768423

