Linux SSH configuration and disable root remote login settings

Source: Internet
Author: User
Tags ssh server

1. Modify the VI/etc/ssh/sshd_config file
1. Modify the default port: the default port is 22 and has been commented out. The comment is removed and changed to another port.
2. Disable remote login for the root user: Modify permitrootlogin, Which is yes by default and commented out. The modification is to remove the comment and change it to No.
3. permitemptypasswords No. Empty Password user login is not allowed

Ii. Ssh Public Key Authentication Configuration:
Modify the VI/etc/ssh/sshd_config file
Rsaauthentication yes # enable RSA Authentication (comment out by default, remove the comment, if not yes, change to yes)
Pubkeyauthentication yes # enable public key authentication (comment out by default, remove the comment, if not yes, change to yes)
Passwordauthentication no # Disable password authentication (change to No. The default value is yes, and password authentication is used)
Strictmodes no # change to No. The default value is yes. if the key is not modified, the server refused our key appears. (If the strictmodes is yes, make sure that the folder for storing the public key has the same ownership as the login username. "strictmodes" sets whether SSH checks the permission and ownership of the user's home directory and rhosts file before receiving the login request. This is usually necessary because new users often set their directories and files to write permissions for anyone .)

Then restart the SSH service:/etc/init. d/ssh restart

Generate the login public key and private key,
[Root @ usousou192_168_0_21 SSH] # ssh-keygen-T RSA
Generating public/private RSA key pair.
Enter file in which to save the key (/root/. Ssh/id_rsa):/home/Linden. Guo/. Ssh/id_rsa (Private Key Generation and public key storage location)
Enter passphrase (empty for no passphrase): enter the password
Enter same passphrase again: enter the password again
Your identification has been saved in/home/Linden. Guo/. Ssh/id_rsa. (generated private key)
Your public key has been saved in/home/Linden. Guo/. Ssh/id_rsa.pub. (generated public key)
The key fingerprint is:
76: 04: 4d: 44: 25: 37: 0f: B1: A5: B7: 6e: 63: D4: 97: 22: 6B root @ usou192_168_0_21

Upload the generated public key id_rsa.pub to the server you want to log on to and append it to the authorized_keys file. cat id_rsa.pub>. SSH/authorized_keys (if no authorized_keys is available, you can directly rename id_rsa.pub to authorized_keys, which you think has not been tested)

Use Putty to connect to the SSH server. To use public key authentication, We need to download the puttygen tool to generate the key used by putty.
If you generate a public key and a key in Linux according to the above introduction, you need to use puttygen to convert the key to the format used by putty. Copy the id_rsa key generated in Linux to Windows. Start puttygen, click the Load button, select all files of the file type, and select id_rsa to open. If you enter a password when generating the key, you need to enter the password when you open the key (the password entered when the key is generated in Linux ). Then you can click Save private key on the main interface of puttygen to save it as a key in putty format.

It is best to determine that the. Ssh folder in the user directory has the read and write permissions for the owner, such as 700 or 100. The authorized_keys file has the read permission.

Note: authorizedkeysfile. SSH/authorized_keys (the directory of the authentication file and the name of the public key file can be modified, and the corresponding directory also needs to be modified, such as authorizedkeysfile. sshd/Linden. guo_keys, which must be created in the user directory. sshd folder, Linden. put the guo_keys file below)

Iii. Why Public Key Authentication?
Generally, when you log on to the remote server through SSH, use password authentication and enter the user name and password respectively. The two can log on only when they meet certain rules. However, password authentication has the following Disadvantages:

The user cannot set a blank password (even if the system allows a blank password, it is very dangerous)
Passwords are easy to peek at or guess.
If an account on the server is to be used by multiple users, all users must know the password, which leads to easy password leakage and must be notified to all users when changing the password.
Public Key Authentication can solve the above problems.

Public Key Authentication allows empty passwords, saving the trouble of entering a password for each login
Multiple users can log on to the same user on the system using their respective keys.
Principles of Public Key Authentication
The Public Key Authentication actually uses a pair of encryption strings. One is called a public key, which can be seen by anyone for encryption. The other is called a private key ), only the owner can see it for decryption. Ciphertext encrypted by the public key can be easily decrypted using the key, but it is very difficult to guess the key based on the public key.

SSH Public Key Authentication uses this feature. Both the server and client have their own public keys and keys. These symbols are used for convenience.

AC client Public Key
BC client key
As server Public Key
BS server key

Before authentication, the client needs to log on to the server with the public key AC in some way.

The authentication process is divided into two steps.

Session Key Generation
The client requests to connect to the server, and the server sends the as to the client.
The session ID (session ID) generated by the server is set to P and sent to the client.
The client generates a session key, sets it to Q, and calculates r = p xor q.
The client encrypts R with the AS and sends the result to the server.
The server uses Bs for decryption to obtain the R.
The server performs r xor p operations to obtain Q.
At this point, both the server and the client know the session key Q, and all future transmissions will be encrypted by Q.
Authentication
The server generates random number X and uses AC encryption to generate the result s (x), which is sent to the client.
The client uses BC to decrypt S (X) to obtain
The client calculates the MD5 value of q + x n (q + x), and Q is the session key obtained in the previous step.
The server calculates the MD5 value of q + x m (q + x)
The client sends N (q + x) to the server.
The server compares M (q + x) and N (q + x). If the two are the same, the authentication succeeds.
Server Settings
To use public key authentication, you must set the server. Modify the following configurations of/etc/sshd_config.

Rsaauthentication yes # enable RSA Authentication
Pubkeyauthentication yes # enable Public Key Authentication
Passwordauthentication no # Disable password authentication strictmodes no # change it to No. The default value is yes. If you do not change it, log on to the server refused our key and Restart sshd.

/Etc/init. d/ssh restart client settings
Linux
Assume that charlee of the client is logged on to the server as a guest user. First, execute the following command on the client.

[Charlee @ client: ~] $ Ssh-keygen-T RSA
Generating public/private rsa1 key pair.
Enter file in which to save the key (/home/charlee/. Ssh/id_rsa ):
Enterpassphrase (empty for no passphrase): enter the password
Enter same passphrase again: enter the password again
Your identification has been sabed in/home/charlee/. Ssh/id_rsa
The files generated by your public key has been saved in/home/charlee/. Ssh/id_rsa.pub are stored in the. Ssh directory of the main directory, id_rsa is the client key, and id_rsa.pub is the client public key.

Then, copy the Public Key id_rsa.pub to the server using the U disk and other methods, and execute the following command.

[Guest @ server: ~] $ Cat id_rsa.pub>. Ssh/authorized_keys where id_rsa.pub is the public key of charlee of the client user.

In this way, you can connect to the server through the following command on the client.

[Charlee @ client: ~] $ Ssh-l guest server if you do not want to enter the password every time you log on to the server, you can run the following command first:

[Charlee @ client: ~] $ Ssh-add
Enter passphrase for/home/charlee/. Ssh/id_rsa: enter the password
Identity added:/home/charlee/. Ssh/id_rsa (/home/charlee/. Ssh/id_rsa). After logging on to the server, you do not need to enter the password.

Windows
Suppose we use Putty to connect to the SSH server. To use public key authentication, We need to download the puttygen tool to generate the key used by putty.

Public Key and key generated in Linux
If you generate a public key and a key in Linux according to the above introduction, you need to use puttygen to convert the key to the format used by putty.

Copy the id_rsa key generated in Linux to Windows. Start puttygen, click the Load button, select all files of the file type, and select id_rsa to open. If you have entered a password when generating the key, you need to enter the password when opening the key. Then you can click Save private key on the main interface of puttygen to save it as a key in putty format.

Use puttygen to generate public keys and keys
You can also use puttygen to directly generate public keys and keys. Open puttygen, select the encryption algorithm and encryption length in the parameters column below the screen (generally the default value is used), and click Generate. A progress bar appears on the screen. Move the mouse freely on the interface to generate a random number. Finally, the system prompts that generation is complete. Click Save private key to save the key. Finally, copy the content in the Public Key for pasting into OpenSSH authorized_keys file column above to ~ /. Ssh/authorized_keys file.

Set Putty to use public key authentication
Set the connection host name, port, and other information in putty (omitted ). To use the public key for authentication, you need to set two places: one is the auto-login username in connection, and the other is the user name on the server; the other is the private key file for authentication in connection-> ssh-> Auth, select. PPK key. Then you can use the public key authentication for connection.

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.