SSH Configuration service and how to build a private CA

Source: Internet
Author: User
Tags: openssh, server

Building private CAs and SSH configuration services

Before learning how to build a private CA, familiarize yourself with the basic concepts: CA stands for certification authority, PKI for public key infrastructure, RA for registration authority, and CRL for certificate revocation list. Building a CA involves several kinds of cryptography; the main ones are described below.

Several kinds of cryptography and their differences. One-way encryption (hashing): mainly used to extract a digest of the data in order to verify the integrity of the communicated content. Symmetric encryption: one key, shared by both sides; generally used to encrypt the communication content itself, efficient but weaker in security. Public-key encryption: a key pair consisting of a public key and a private key; less efficient, but better security.

The role and significance of a CA: a CA is a certificate authority whose purpose is to make communicated resources more trustworthy. By verifying a certificate issued by this authority, we can be sure that a resource really came from the claimed party and that its content is complete. Suppose A and B want to exchange a resource and A expects to receive B's resource intact. The process can be described simply: first B sends its own resource to the CA and requests a certificate. After the CA confirms that B's resource is in order, it issues a certificate for it and signs that certificate for B. Then when A communicates with B, B sends its resource to A, and A verifies with the CA that B's certificate is genuine. If B's certificate checks out, the resource can be used. But sometimes we operate in a very small scope, such as within a company, and applying for a certificate from a public CA is unnecessary in order to verify resource reliability. In that case we can build our own CA.

[Image: ca.png]


Concrete steps to build the CA: suppose we use one of the company's hosts as the CA host. First, so that other hosts can recognize this host's certificate and accept the existence of this authority, the CA itself needs a certificate. That is the first step, the self-signed certificate: here we use the openssl command, first generating a private key, then generating the self-signed certificate from that private key.

# cd /etc/pki/CA
# (umask 077; openssl genrsa -out private/cakey.pem 2048)
# openssl req -new -x509 -key private/cakey.pem -days 3655 -out cacert.pem

Note: cd /etc/pki/CA: the private CA is built under this directory. req is the certificate request command; -new generates a new request; -key gives the path of the private key file; -x509 produces a self-signed certificate instead of a request; -out is where the certificate is stored; -days is the validity period of the generated certificate.

Once the CA's self-signed certificate has been generated, every host needs to import the CA certificate, so that each host can verify the trustworthiness of the other hosts' certificates against the CA certificate and thereby verify the reliability of resources. There are many ways to import the certificate: copying it over, sending it, and so on. Here I import it into my own machine. Note: change the file suffix to .crt when exporting, so that Windows recognizes the certificate.

[Image: ca.png]


With the private CA established, we can now use it to authenticate other resources. Node request: each host that wants to be authenticated sends a certificate request to the CA.

# (umask 077; openssl genrsa -out httpd.key 1024)
# openssl req -new -key httpd.key -out httpd.csr -days NUM
# scp httpd.csr ca_ip:/tmp/

Note: the request command here no longer has the -x509 option. The request is sent from the requesting host to the CA with scp.


Next the CA signs the request and returns the certificate:

# openssl ca -in /path/from/req.csr -out /path/to/somefile.crt -days NUM
# scp /path/to/somefile.crt REQ_HOST:/path/to/somewhere/

With that, the private CA is complete.
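The four steps above carried through end to end, as an added example that is not code from the original post: a script that builds the CA, signs a node's request with openssl ca and verifies the result. The directory layout, subject names, the minimal ca.cnf and the key size (2048 bits instead of the 1024 shown above) are assumptions of the example.

```shell
#!/bin/sh
# Added example (not from the original post): builds a throwaway private CA in a
# scratch directory, issues one host certificate from a CSR with "openssl ca" and
# verifies it against the CA. Paths, subject names and the minimal config are
# constructed for the demo; it uses 2048-bit keys rather than the 1024 shown above.
set -eu

build_private_ca_demo() {
  top="$1"; ca="$top/CA"
  mkdir -p "$ca/private" "$ca/newcerts"
  touch "$ca/index.txt"; echo 01 > "$ca/serial"   # issued-cert database and next serial for "openssl ca"
  cat > "$top/ca.cnf" <<EOF
[ ca ]
default_ca = demo_ca
[ demo_ca ]
dir = $ca
database = \$dir/index.txt
new_certs_dir = \$dir/newcerts
serial = \$dir/serial
certificate = \$dir/cacert.pem
private_key = \$dir/private/cakey.pem
default_md = sha256
default_days = 365
policy = demo_policy
[ demo_policy ]
commonName = supplied
organizationName = optional
[ req ]
distinguished_name = req_dn
x509_extensions = v3_ca
[ req_dn ]
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
EOF
  (umask 077; openssl genrsa -out "$ca/private/cakey.pem" 2048 2>/dev/null)   # 1. CA key, owner-readable only
  openssl req -new -x509 -key "$ca/private/cakey.pem" -days 3655 -config "$top/ca.cnf" \
    -subj "/O=Example Corp/CN=Example Private CA" -out "$ca/cacert.pem"       # 2. self-signed CA certificate
  (umask 077; openssl genrsa -out "$top/httpd.key" 2048 2>/dev/null)         # 3. a node's key ...
  openssl req -new -key "$top/httpd.key" -config "$top/ca.cnf" \
    -subj "/O=Example Corp/CN=www.example.test" -out "$top/httpd.csr"        #    ... and its CSR (no -x509)
  openssl ca -batch -notext -config "$top/ca.cnf" -days 365 \
    -in "$top/httpd.csr" -out "$top/httpd.crt" >/dev/null 2>&1               # 4. CA signs, records in index.txt
  openssl verify -CAfile "$ca/cacert.pem" "$top/httpd.crt" >/dev/null        # what relying clients check
}

if command -v openssl >/dev/null 2>&1; then   # demo run, skipped where openssl is not installed
  work=$(mktemp -d); build_private_ca_demo "$work" && echo "issued and verified $work/httpd.crt"
fi
```

After a run, index.txt under the CA directory holds one "V" (valid) line for the issued certificate, which is the record the CA later uses to revoke it.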

Configuration of the SSH service:

1. Remote login: ssh [USER@]HOST [COMMAND]

ssh [-l USER] HOST [COMMAND]

Note: USER defaults to the username on the current host; when the port has been changed, use -p to specify the port number.

2. Change the port; a high port is recommended. Configuration files:

Server configuration file (sshd): /etc/ssh/sshd_config

Client configuration file (ssh): /etc/ssh/ssh_config

[Image: Haha.png]


3. Set Protocol to 2, because protocol 1 has security weaknesses.

4. Disable remote login for the root user, because a remote connection may be intercepted.

[Image: Root.png]

5. Restrict which users may log in by adding to the server configuration file a whitelist: AllowUsers user1 user2 user3 ... or a blacklist: DenyUsers user1 user2 user3 ... Groups can also be specified (AllowGroups / DenyGroups).

6. Set the idle session timeout, and add UseDNS no to the server's /etc/ssh/sshd_config. Explanation: the OpenSSH server has a DNS lookup option, UseDNS, which is on by default. When it is on and a client tries to log in, the server first performs a DNS PTR (reverse) query on the client's IP address to find the client's host name, then does a forward A record query on that host name and checks that it resolves back to the original IP address. This is a measure against client spoofing, but most client IPs are dynamic and have no PTR record, so leaving the option on only wastes time.

7. Listen on a specific IP address (ListenAddress) rather than on all addresses.

8. Use key-based authentication.

9. Analyze the logs regularly.
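An added example, not part of the original post: a small audit script that checks an sshd_config against items 2 to 8 of the list above (port, protocol, root login, user whitelist, UseDNS, listen address, key-based authentication) and prints one finding per unmet item. The two sample configurations and the 1024 port threshold are constructed assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): checks an sshd_config against the
# hardening items listed above and prints one finding per line. Both sample
# configs are constructed for the demo; run audit_sshd_config on a real
# /etc/ssh/sshd_config to check a host.
set -eu

# First uncommented value of a keyword, lowercased (sshd uses the first value it finds).
sshd_opt() {
  awk -v k="$2" 'tolower($1) == tolower(k) { $1 = ""; sub(/^ +/, ""); print tolower($0); exit }' "$1"
}

audit_sshd_config() {
  f="$1"
  port=$(sshd_opt "$f" Port)
  [ "${port:-22}" -gt 1024 ] || echo "Port ${port:-22}: move sshd to a high port"
  case "$(sshd_opt "$f" Protocol)" in *1*) echo "Protocol: version 1 enabled, allow only 2" ;; esac
  root=$(sshd_opt "$f" PermitRootLogin)
  [ "${root:-unset}" = no ] || echo "PermitRootLogin ${root:-unset}: set to no"
  [ -n "$(sshd_opt "$f" AllowUsers)$(sshd_opt "$f" AllowGroups)" ] || echo "AllowUsers/AllowGroups: no login whitelist"
  [ "$(sshd_opt "$f" UseDNS)" = no ] || echo "UseDNS: not set to no (PTR lookup on every login)"
  [ -n "$(sshd_opt "$f" ListenAddress)" ] || echo "ListenAddress: sshd listens on every address"
  [ "$(sshd_opt "$f" PasswordAuthentication)" = no ] || echo "PasswordAuthentication: not disabled, rely on keys"
  [ "$(sshd_opt "$f" PubkeyAuthentication)" != no ] || echo "PubkeyAuthentication: disabled"
}

# Number of findings, for scripting (0 means every item above is satisfied).
count_findings() { audit_sshd_config "$1" | awk 'END { print NR }'; }

weak=$(mktemp); cat > "$weak" <<'EOF'
# constructed sample: a stock-looking configuration
Port 22
Protocol 2,1
#PermitRootLogin no
PermitRootLogin yes
EOF
hard=$(mktemp); cat > "$hard" <<'EOF'
# constructed sample: hardened according to the list above
Port 22022
Protocol 2
ListenAddress 192.0.2.10
PermitRootLogin no
AllowUsers ops1 ops2
UseDNS no
PubkeyAuthentication yes
PasswordAuthentication no
EOF

echo "weak config: $(count_findings "$weak") findings"; audit_sshd_config "$weak"
echo "hardened config: $(count_findings "$hard") findings"
```

The commented "#PermitRootLogin no" line in the weak sample is deliberately ignored, the same way sshd ignores it, so the active "PermitRootLogin yes" is what gets reported.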

This article is from the "I and Linux years" blog; please keep this source when reposting: http://guanqianjian.blog.51cto.com/9652236/1589942
