Implementing key-based SSH authentication under Linux

Based on OpenSSH + WinSCP + PuTTY Key Generator + PuTTY
Experimental background:
The company currently uses Linux to build its various servers (FTP, DNS, Apache, Sendmail, Samba). Because these servers are placed in a secure room that normally nobody is allowed to enter, the company now requires secure remote access to them from client machines.
SSH is a standard network protocol available on most UNIX operating systems; it provides a character-mode interface for remote login and management. It uses port 22 by default and transmits data over the network in encrypted form, so it is more secure than Telnet, which transmits in clear text.
SSH provides two kinds of user authentication: password and key. Both transmit data encrypted; the difference is that with password authentication what is transmitted is the user's account name and password, and the password must be sufficiently complex to give good security. With key authentication, the user must first create a key pair for themselves and place the public key on the server that needs to be accessed. When a connection to an SSH server is needed, the client software sends a request to the server asking to use the key for secure authentication. After the server receives the request, it first looks for the public key in the user's home directory and then compares it with the public key sent by the client. If the two keys are the same, the server encrypts a "challenge" with the public key and sends it to the client software (PuTTY). After the client receives the challenge, it decrypts it with the local private key and sends the result back to the server. This approach is quite secure.
 
Experimental network topology: (figure not reproduced)
 
Experimental Procedure:
 
1. Install and configure OpenSSH
 
In RHEL4 the OpenSSH server and client software are installed by default, so the user does not need to install them manually. If they are not, the packages for the OpenSSH service are on the second installation CD-ROM and can be installed with the rpm command.
 
In RHEL4, the configuration files related to the OpenSSH service are kept in the directory "/etc/ssh", where sshd_config is the SSH server's configuration file and ssh_config is the SSH client's configuration file. In this experiment the login is made from Windows with PuTTY, so ssh_config does not need to be configured; only sshd_config does.
 
In the sshd_config file, uncomment the following three lines:
RSAAuthentication yes    (enables RSA authentication)
PubkeyAuthentication yes    (enables public key authentication)
AuthorizedKeysFile    (specifies the file name and location of the public key file)
 
After the configuration is complete, restart the sshd service so that the new configuration takes effect.
 
Generate the public/private key pair on the SSH server (it can also be done on the client; it is best to generate it on the client and then upload the public key to the corresponding directory, which is more secure).
The ssh-keygen command generates a key pair for the current user.
The -t rsa option specifies the key type as rsa.
The -b 1024 option specifies a key length of 1024 bits.
While ssh-keygen generates the key, the user is asked for a few settings: first the default path of the private key, second the passphrase for the private key, third the passphrase again for confirmation.
 
After ssh-keygen finishes, two files are created in the ".ssh" directory under the user's home directory: id_rsa is the user's private key file and id_rsa.pub is the user's public key file. Both files are produced together by a single ssh-keygen run and must be used as a pair.
 
Because the name of the generated public key file does not match the public key file name specified in sshd_config, rename the generated file to authorized_keys.
 
2. Safely export the user's private key with WinSCP
 
The private key file id_rsa has to be copied to the user's own host, and the private key on the server must then be deleted so that only one copy of the private key exists. Transferring it through Samba or an FTP server could expose the private key, so the Linux server must be accessed in a secure way. WinSCP is an scp and sftp client for Windows. After installing WinSCP, starting it shows a configuration dialog similar to PuTTY's; enter the SSH server's host name (IP address) and port number, the user name and password, and click the "Login" button. The connection is transmitted encrypted, so it is highly secure.
 
After logging in to Linux with WinSCP, first copy the user's private key id_rsa to your own host, then delete the private key on Linux to avoid future trouble.
 
3. Generate a key that Windows recognizes with PuTTY Key Generator
Because a key generated under Linux cannot be used directly under Windows, PuTTYgen must be used on the Windows client to generate the corresponding private key.
Import the private key downloaded from the Linux server into PuTTYgen, and select a key size of 1024 bits and the type SSH-2 RSA, matching the parameters set with the ssh-keygen command on the server.
 
Click the "Generate" button, then enter the passphrase for the key.
 
After generation, click "Save private key" to save it on the local machine; a file with the .ppk extension is produced. Then exit.
 
4. Install and configure PuTTY
 
Under Windows, third-party software is needed to provide SSH client functionality. PuTTY is the most popular SSH client for Windows; it is portable software made specifically for SSH and is free to use. Below is the main window after opening it.
In the Session section, enter the IP address of the host name, port number 22, and SSH as the protocol type.
 
In the Auth section, import the key generated by PuTTY Key Generator.
 
Then save the session and open it. Enter the user name root, then enter the private key's passphrase.
 
Because SSH uses encrypted transmission, the root user is by default allowed to log in directly over SSH; for security you can also forbid the root user from logging in directly over SSH.
Uncomment "PermitRootLogin yes" in the sshd_config configuration file mentioned earlier and change "yes" to "no". After configuring sshd_config, restart the sshd service.
 
After this setting, a login attempt from PuTTY using the Linux password of root fails; this is the result of "PermitRootLogin no".
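The sshd_config edits from section 1 (PubkeyAuthentication, AuthorizedKeysFile), the PermitRootLogin change just above, and the authorized_keys installation, as an added shell example that is not part of the original article. It assumes GNU sed and OpenSSH's "Key value" configuration format, works on whatever file path it is given so it can be tried on a scratch copy first, and the demo input at the bottom is constructed.

```shell
#!/bin/sh
# Added example (not from the original article): make the article's sshd_config
# edits idempotently and install the public key. Assumes GNU sed (Linux) and
# OpenSSH's "Key value" line format; operates on the file path it is given.

# set_sshd_option FILE KEY VALUE: rewrite a "Key ..." line whether it is active or
# commented out ("#Key ..."), or append the directive if no such line exists.
set_sshd_option() {
    if grep -Eq "^[[:space:]]*#?[[:space:]]*$2([[:space:]]|\$)" "$1"; then
        sed -i -E "s@^[[:space:]]*#?[[:space:]]*$2([[:space:]].*)?\$@$2 $3@" "$1"
    else
        printf '%s %s\n' "$2" "$3" >> "$1"
    fi
}

# get_sshd_option FILE KEY: value of the first active "Key value" line, which is
# the occurrence sshd itself honours (later duplicates are ignored by sshd).
get_sshd_option() { awk -v k="$2" '$1 == k { print $2; exit }' "$1"; }

# harden_sshd_config FILE: the directives the article changes in sshd_config.
harden_sshd_config() {
    set_sshd_option "$1" PubkeyAuthentication yes
    set_sshd_option "$1" AuthorizedKeysFile .ssh/authorized_keys
    set_sshd_option "$1" PermitRootLogin no   # the article's final hardening step
    # RSAAuthentication (also uncommented in the article) only governed SSH
    # protocol 1 and is deprecated in current OpenSSH, so it is left alone here.
}

# install_authorized_key SSH_DIR PUBKEY_FILE: append the key rather than renaming
# id_rsa.pub, so keys already in authorized_keys survive, and set the permissions
# that sshd's default StrictModes requires (directory 700, file 600).
install_authorized_key() {
    mkdir -p "$1" && chmod 700 "$1"
    grep -qxF "$(cat "$2")" "$1/authorized_keys" 2>/dev/null || cat "$2" >> "$1/authorized_keys"
    chmod 600 "$1/authorized_keys"
}

# Constructed demo input: a scratch sshd_config with the directives commented out,
# as they ship by default, and a placeholder public key (not a real key).
DEMO=$(mktemp -d)
printf '#PubkeyAuthentication yes\n#AuthorizedKeysFile .ssh/authorized_keys\n#PermitRootLogin yes\n' > "$DEMO/sshd_config"
printf 'ssh-rsa AAAAB3NzaC1yc2E_PLACEHOLDER user@client\n' > "$DEMO/id_rsa.pub"
harden_sshd_config "$DEMO/sshd_config"
install_authorized_key "$DEMO/.ssh" "$DEMO/id_rsa.pub"
install_authorized_key "$DEMO/.ssh" "$DEMO/id_rsa.pub"   # a second run must not duplicate the key
cat "$DEMO/sshd_config"
```

Run `sshd -t -f FILE` on the edited file before restarting sshd, because a syntax error there stops the service from starting. Since sshd honours the first occurrence of a directive, an earlier duplicate or a Match block in the real file can still override what was set.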

Source of this article: http://dreamfire.blog.51cto.com/418026/167468

Reproduced in: https://www.cnblogs.com/caly/archive/2012/08/21/2648617.html

Origin: blog.csdn.net/weixin_34319640/article/details/93538105