Use SRP to establish a secure LinuxFTP Server

Source: Internet
Author: User
Tags install openssl ssh server
Use SRP to create secure LinuxFTP server-Linux Enterprise Application-Linux server application information. The following is a detailed description. In small and medium-sized heterogeneous networks, many users choose Linux as the network operating system and use its simple configuration and user-familiar graphical interfaces to provide Internet services. FTP is one of the services it provides. FTP (file transfer protocol) plays an important role in many network applications. Software resources are a very important resource on the Internet, and most of the various software resources are stored on FTP servers. Like most Internet services, FTP is also a client/server system.


FTP is a traditional network service program, which is inherently insecure because it transmits passwords and data in plain text on the network. It is very easy for others with ulterior motives to intercept these passwords and data. In addition, the security authentication methods of these service programs also have their weaknesses, that is, they are vulnerable to man-in-the-middle attacks. The so-called "man-in-the-middle" attack means that "man-in-the-middle" impersonates a Real Server to receive the data you send to the server, and then impersonates you to pass the data to the Real Server. After the data transfer between the server and you is transferred by a "man-in-the-middle", serious problems will occur. These passwords are intercepted by brute force cracking. In addition, you can use the sniffer program to monitor network packets and capture the session information starting with FTP.

SSH (Secure Shell) is a safer solution for operating servers through remote online services. It was initially developed by a Finnish company, but due to copyright and encryption algorithm restrictions, many people switched to the free alternative software OpenSSH. SSH (Secure Shell) is a safer solution for operating servers through remote online services. It was initially developed by a Finnish company, but due to copyright and encryption algorithm restrictions, many people switched to the free alternative software OpenSSH. You can use SSH to encrypt all transmitted data so that the "man-in-the-middle" attack method is not possible, and it can also prevent DNS and IP spoofing. It also has an additional advantage that the transmitted data is compressed and can speed up transmission. SSH is widely used. It can replace Telnet, provide FTP, POP, and even a secure "channel" for PPP ". The SSH protocol provides two Server functions in the preset state: one is a remote online Shell Server similar to Telnet, which is also known as the SSH function; the other is similar to the SFTP-Server function of the FTP service, provides more secure FTP services.

How does SSH security verification work? It mainly relies on online encryption technology. From the client perspective, there are two security verification levels:

1. Password-based security authentication (ssh1) as long as you know your account and password, you can log on to the remote host. All transmitted data will be encrypted, but there is no guarantee that the server being connected is the server to be connected. Attackers may be attacked by man-in-the-middle.

2. The key-based security authentication (ssh2) relies on the key, that is, you must create a pair of keys for yourself and put the public key on the server to be accessed. If you want to connect to the SSH server, the client software sends a request to the server, requesting security verification with the key. After receiving the request, the server first looks for the Public Key in the home directory of the server, and then compares it with the public key sent. If the two keys are consistent, the server uses the public key to encrypt the challenge and send it to the client software. After the client software receives a question, it can use a private key to decrypt it and then send it to the server. In this way, you must know the password of your key. Compared with the first level, this level does not need to transmit passwords over the network. It not only encrypts all transmitted data, but also prevents man-in-the-middle attacks. Currently, OpenSSH has two security risks: Password, key cracking (using dictionary files to unbind the password), and Trojan Horse placement in OpenSSH.

   1. Introduction to SRP

SRP stands for Secure Remote Password, which is an open source code authentication protocol. The client/server using SRP does not transmit the password in plaintext or encrypted mode on the network, which completely eliminates password spoofing. Ensure that passwords can be securely transmitted over the network. The basic idea is to prevent dictionary attacks by passive or active network intruders. The computer department of Standford University has developed SRP software packages that provide password-based authentication and Session Encryption security mechanisms without the need for users or network administrators to participate in key management or distribution. SRP provides transparent password security for each individual without other expensive initial expenses, such as blocking the use of other security software. Unlike other security software, the SRP package is a complete Cryptographic software package, not a temporary solution. Compared with standard/etc/shadow-style security, SRP is better in every aspect. Using SRP has the following benefits for users and managers:

SRP defends against password sniffing attacks. In a session that uses SRP authentication, the listener does not monitor any passwords transmitted over the network. In remote login software, plaintext password transfer is the biggest security vulnerability. Anyone can use a simple sniffer tool to obtain the key for logging on to the remote system.
SRP defends against dictionary attacks. It is not enough for a system to protect simple password listening. If attackers use powerful attacks, such as Dictionary attacks, they do not simply listen to passwords, but track the entire session process, and then compare the entire information with common passwords in the dictionary. Even some Kerberos systems are vulnerable to such attacks. SRP performs password security before resisting dictionary attacks. The algorithm used requires an attacker to execute an impossible large computing before launching a powerful attack. SRP even protects "active" attacks against passwords. Therefore, even if intruders have the ability to access the network, they cannot break the SRP. Therefore, even if the user uses a very fragile password, it will not make it easy for intruders to crack it. SRP is completely transparent to end users. Because there is no so-called "keyrings", "certificate", or "ticket ). Your password is the key. SRP simply protects this key, but it is better than the old and weak key protection mechanism. SRP is easy to implement from the perspective of managers. There are no such concepts as "Key Server", "certificate authentication", and "authentication server. The SRP password file is next to the standard Unix password file. The software works with the two system passwords to ensure consistency with the SRP password file. There is no redundant system maintenance mechanism. SRP exchanges an encrypted key when authenticating a user. This means that a login session can be encrypted to resist so-called network listening and malicious tampering. When users read their letterhead remotely, they use 128-bit encrypted information, which is automatically processed after the user logs on, and the user does not have to worry about whether or not encryption is required. The system completes encryption and sends it to the user. In addition, SRP does not use encryption for authentication, which makes it faster and safer than public/private key-based authentication. SRP uses the 128-bit CAST encryption algorithm by default. CAST-128 is defined in RFC2144 (http://srp.stanford.edu/srp/rfc2144.txt. Standard SRP also supports 56-bit DES and 48-bit DES. Advanced Support for Triple-DES encryption. This article describes how to create a SRP-based Telnet server. Operating Environment Redhat Linux 9.0.

   Ii. Software Download and compilation

SRP software home page is: http://srp.stanford.edu Latest Version 2.1.1, before installing SRP first install OpenSSL.

# Wget http://srp.stanford.edu/source/srp-2.1.1.tar.gz

# Cp/usr/src/redhat/SOURCES

#./Configure -- with-openssl =/usr/src/redhat/SOURCES/openssl-0.9.6 \

-- With-pam

# Make; make install



   3. Establish an index password system EPS

EPS Full name: Exponential Password System (Exponential Password System), which includes the source code of EPS.

1. Install the PAM module

PAM introduction:

PAM Full name: Pluggable Authentication Module (embedded Authentication Module ). It was initially developed by SUN and soon accepted by the Linux community and developed more modules. The goal is to provide a set of function libraries that can be used to authenticate user identities, thus separating authentication from application development. Linux-PAM handles four independent (Management) tasks. They are: authentication management, account management, session management, and password management.

PAM working method:

(1) call an application to obtain the service of the application.

(2) The PAM application calls the background PAM library for authentication.

(3) The PAM library searches for configuration files related to application details in the/etc/pam. d/directory, which tells PAM what authentication mechanism is used by the application.

(4) install the required authentication module in the PAM library.

(5) These modules allow PAM to communicate with Session functions in the application.

(6) The session function asks the user for relevant information.

(7) The user responds to these requirements and provides the required information.

(8) The PAM Authentication Module provides authentication information to applications through the PAM library.

(9) after the authentication is completed, the application has two options:

Grant the required permissions to the user and notify the user.

The authentication fails and the user is notified.

For PAM workflow, see.



(400) {this. resized = true; this. width = 400; this. alt = 'click here to open new window';} "onmouseover =" if (this. resized) this. style. cursor = 'hand'; "onclick =" window. open ('HTTP: // www.fbsky.com/up/2005-10-26/2005102614253542.16.jpg'); ">

PAM Workflow

PAM usage:

# Cd/usr/src/redhat/SOURCES/srp-2.1.1/base/pam_eps.

# Install-m 644 pam_eps_auth.so pam_eps_passwd.so/lib/security



The above command installs the PAM module in the/lib/security directory. Run the "/usr/local/bin/tconf" command to create the/etc/tpasswd and/etc/tpasswd. conf files.

2. Use the eps pam module for password verification

(1) first back up the/etc/pam. d/system-auth file

(2) modify the/etc/pam. d/system-auth file in the following format:

Auth required/lib/security/pam_unix.so likeauth nullok md5 shadow

Auth sufficient/lib/security/pam_eps_auth.so

Auth required/lib/security/pam_deny.so

Account sufficient/lib/security/pam_unix.so

Account required/lib/security/pam_deny.so

Password required/lib/security/pam_cracklib.so retry = 3

Password required/lib/security/pam_eps_passwd.so

Password sufficient/lib/security/pam_unix.so nullok use_authtok md5 shadow

Password required/lib/security/pam_deny.so

Session required/lib/security/pam_limits.so

Session required/lib/security/pam_unix.so




Note that the first line in bold indicates that the PAM eps_auth module can meet the authentication requirements. The second line in bold indicates that the pam_eps_passwd.so module of PAM is used for password management.

(3) convert the standard password to the EPS format

(4) The module pam_eps_passwd.so in the/etc/pam. d/system-auth configuration file writes the password verification string of the EPS version to the/etc/tpasswd file. Modify the/etc/pam. dpasswd file in the following format:

Auth required/lib/security/pam_stack.so service = system-auth

Account required/lib/security/pam_stack.so service = system-auth

Password required/lib/security/pam_stack.so service = system-auth



   4. Start the FTP server in the SRP version

(1) Go to the SRP source code FTP subdirectory and create FTP server files and FTP client files respectively:

# Cd/usr/src/redhat/SOURCES/srp-2.2.1/ftp

# Make; make install



(2) create a super Access Program/etc/xinetd. d/srp-ftpd with the following content:

Service ftp

{

Socket_type = stream

Wait = no

User = root

Server =/usr/local/sbin/ftpd

Log_on_success + = DURATION USERID

Log_on_failure + = USERID

Nice = 10

Disable = no

}



(3) Use the command to start xinetd again

# Killall-USR1 xinetd



(4) create a/etc/pam. d/telnet file with the following content:

# % PAM-1.0

Auth required/lib/security/pam_listfile.so item = user \

Sense = deny file =/etc/ftpusers onerr = succeed

Auth required/lib/security/pam_stack.so service = srp-ftp

Auth required/lib/security/pam_shells.so

Account required/lib/security/pam_stack.so service = srp-ftp

Session required/lib/security/pam_stack.so service = srp-ftp

So far, an FTP server using the SRP service has been established. First, perform a local test. The following is a typical session:

$/Usr/local/bin/ftp localhost

Connected to localhost.intevo.com.

220 k2.intevo.com FTP server (SRPftp 1.3) ready.

SRP accepted as authentication type.

Name (localhost: kabir): cao

SRP Password: xxxxxxxx

SRP authentication succeeded.

Using cipher CAST5_CBC and hash function SHA.

200 Protection level set to Private.

232 user kabir authorized by SRP.

230 User kabir logged in.

Remote system type is UNIX.

Using binary mode to transfer file


If you want to log on to the SRP server using FTP on another Linux computer, you must install the SRP service support and SRP client software. The method is the same as on the SRP server.
The following password formula is usually used for srp ftp services:

NONE (1)

BLOWFISH_ECB (2)

BLOWFISH_CBC (3)

BLOWFISH_CFB64 (4)

BLOWFISH_OFB64 (5)

CAST5_ECB (6)

CAST5_CBC (7)

CAST5_CFB64 (8)

CAST5_OFB64 (9)

DES_ECB (10)

DES_CBC (11)

DES_CFB64 (12)

DES_OFB64 (13)

DES3_ECB (14)

DES3_CBC (15)

DES3_CFB64 (16)

DES3_OFB64 (17)



SRP also supports MD5 and SHA hash functions. By default, SRP uses the CAST5_CBC password and SHA function. Use a password in another format. You can use the-c or-h option.

#/Usr/local/bin/ftp-c blowfish_cfb64 "ip address"



The above command uses the BLOWFISH_CFB64 password instead of the default CAST5_CBC.

#/Usr/local/bin/ftp? H md5 "ip address"



The preceding command uses the MD5 function instead of the default SHA function.

   5. Use the SRP client on a non-Linux platform

SRP also supports other popular operating systems (Unix, BSD, Winodws, and MacOS ). Kermit 95 is an SRP client that works on Windows 9x, ME, NT, and 2000, XP, and OS/2 operating systems. View the relevant web site: http://www.columbia.edu/kermit/k95.html before details.

Conclusion: The detailed working principle of SRP can be found at the relevant site of SRP. The address is bytes. The above provides a safer and faster way to log on to a remote Linux server than OPENSSH. The SRP-based FTP application is similar to other network applications in the client/server model. Once connected, the client can enjoy all the services provided by the server.

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.