Implementation (on each server):

1. Install the packages:

   openssh-3.4p1-sol7-sparc-local
   openssl-0.9.6d-sol7-sparc-local
   zlib-1.1.4-sol7-sparc-local
   prngd-0.0.25-sol7-sparc-local
   egd-0.8-sol7-sparc-local

2. Install the startup scripts for prngd and sshd:

   :::::::::::::: S98prngd ::::::::::::::

   #!/bin/sh
   # PID of a running prngd: first column of ps -e with leading blanks stripped
   pid=`/usr/bin/ps -e | /usr/bin/grep prngd | /usr/bin/sed -e 's/^ *//' -e 's/ .*//'`
   case $1 in
   'start')
           /usr/local/sbin/prngd /var/spool/prngd/pool
           ;;
   'stop')
           if [ "${pid}" != "" ]
           then
                   /usr/bin/kill ${pid}
           fi
           ;;
   *)
           echo "usage: /etc/init.d/prngd {start|stop}"
           ;;
   esac

   :::::::::::::: S98sshd ::::::::::::::

   #!/bin/sh
   # PID of a running sshd, extracted the same way
   pid=`/usr/bin/ps -e | /usr/bin/grep sshd | /usr/bin/sed -e 's/^ *//' -e 's/ .*//'`
   case $1 in
   'start')
           /usr/local/sbin/sshd
           ;;
   'stop')
           if [ "${pid}" != "" ]
           then
                   /usr/bin/kill ${pid}
           fi
           ;;
   *)
           echo "usage: /etc/init.d/sshd {start|stop}"
           ;;
   esac

3. Use prngd to generate the initial seed for the pseudo-random number generator:

   cat /var/log/syslog /var/adm/messages > /usr/local/etc/prngd/prngd-seed
   mkdir /var/spool/prngd
   /etc/rc2.d/S98prngd start

   Check that prngd is working:

   /usr/local/bin/egc.pl /var/spool/prngd/pool get

   which shows something like:

   9151 bits of entropy in pool

4. Add the sshd user (for privilege separation):

   mkdir /var/empty
   chown root /var/empty
   chgrp sys /var/empty
   chmod 755 /var/empty
   groupadd sshd
   useradd -g sshd -c 'sshd privsep' -d /var/empty -s /bin/false sshd

5. Modify the tcpd control files /etc/hosts.allow and /etc/hosts.deny:

   ALL: n.n.n.n    # login host IP

6. On the server, create the host keys:

   ssh-keygen -t rsa1 -f /usr/local/etc/ssh_host_key -N ""
   ssh-keygen -t dsa -f /usr/local/etc/ssh_host_dsa_key -N ""
   ssh-keygen -t rsa -f /usr/local/etc/ssh_host_rsa_key -N ""

   Start sshd:

   /etc/rc2.d/S98sshd start

7. Close the telnet and FTP services: modify the /etc/inetd.conf file, then kill -HUP the inetd process.

After closing the telnet and FTP services, do the following tests from the client.

UNIX client:

   ssh [-l username] [-p port]      (replaces telnet)
   sftp [-l username] [-p port]     (replaces ftp)

   With the -v parameter ssh enters debug mode, which is a very helpful tool.

Windows client: SecureCRT 3.4.5 (in the session configuration, use the password authentication mode in addition to the default settings) and SecureFX 2.0.3 (likewise, with SSH password authentication).

To avoid the situation where the server can only be reached through a single login service and, after a change to the sshd configuration and a restart, administrators can no longer log on to manage it, continue to use the telnet and FTP services as well, combined with the key authentication mode of sshd and the /etc/hosts.allow file, as follows:

   ##### internal network #####
   ALL: n.n.n.n    # operator1
   ALL: n.n.n.n    # operator2
   ##### out network #####
   sshd: ALL       # RSA auth

In this way administrators at the company's fixed IP addresses can still easily log on to the host, while from home or on a business trip, where the IP address is not fixed, you can sign in through sshd key authentication.

Server configuration: /usr/local/etc/sshd_config:

   # $OpenBSD: sshd_config,v 1.56 2002/06/20 23:37:12 markus Exp $

   # This is the sshd server system-wide configuration file.  See
   # sshd_config(5) for more information.

   # This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin:/usr/local/bin

   # The strategy used for options in the default sshd_config shipped with
   # OpenSSH is to specify options with their default value where
   # possible, but leave them commented.  Uncommented options change a
   # default value.

   #Port 22
   #Protocol 2,1
   #ListenAddress 0.0.0.0
   #ListenAddress ::

   # HostKey for protocol version 1
   HostKey /usr/local/etc/ssh_host_key
   # HostKeys for protocol version 2
   HostKey /usr/local/etc/ssh_host_rsa_key
   HostKey /usr/local/etc/ssh_host_dsa_key

   # Lifetime and size of ephemeral version 1 server key
   KeyRegenerationInterval 3600
   ServerKeyBits 768

   # Logging
   #obsoletes QuietMode and FascistLogging
   SyslogFacility AUTH
   LogLevel INFO

   # Authentication:

   #LoginGraceTime 600
   #PermitRootLogin yes
   #StrictModes yes

   RSAAuthentication yes
   PubkeyAuthentication yes
   AuthorizedKeysFile .ssh/authorized_keys

   # rhosts authentication should not be used
   #RhostsAuthentication no
   # Don't read the user's ~/.rhosts and ~/.shosts files
   #IgnoreRhosts yes
   # For this to work you will also need host keys in /usr/local/etc/ssh_known_hosts
   #RhostsRSAAuthentication no
   # similar for protocol version 2
   #HostbasedAuthentication no
   # Change to yes if you don't trust ~/.ssh/known_hosts for
   # RhostsRSAAuthentication and HostbasedAuthentication
   #IgnoreUserKnownHosts no

   # To disable tunneled clear text passwords, change to no here!
   PasswordAuthentication yes
   PermitEmptyPasswords no

   # Change to no to disable s/key passwords
   #ChallengeResponseAuthentication yes

   # Kerberos options
   #KerberosAuthentication no
   #KerberosOrLocalPasswd yes
   #KerberosTicketCleanup yes

   #AFSTokenPassing no

   # Kerberos TGT Passing only works with the AFS kaserver
   #KerberosTgtPassing no

   # Set this to 'yes' to enable PAM keyboard-interactive authentication
   # Warning: enabling this may bypass the setting of 'PasswordAuthentication'
   #PAMAuthenticationViaKbdInt yes

   #X11Forwarding no
   #X11DisplayOffset 10
   #X11UseLocalhost yes
   #PrintMotd yes
   #PrintLastLog yes
   #KeepAlive yes
   #UseLogin no
   UsePrivilegeSeparation yes
   Compression yes

   #MaxStartups 10
   # no default banner path
   #Banner /some/path
   #VerifyReverseMapping no

   # override default of no subsystems
   Subsystem sftp /usr/local/libexec/sftp-server

Here the SSH password authentication method is closed and the RSA key authentication method is used. The user needs to run ssh-keygen -t rsa on the server; this automatically generates a key pair in the .ssh directory of their home directory, id_rsa (private key) and id_rsa.pub (public key). Then manually copy id_rsa.pub into authorized_keys, transfer the id_rsa and id_rsa.pub files to the client and keep them safe, and remove the server-side id_rsa and id_rsa.pub files. Client test: on a UNIX client, place id_rsa and id_rsa.pub in the .ssh subdirectory of the user's home directory and test with ssh and sftp; on a Windows client, set the authentication method in SecureCRT to publickey and, in the session settings properties, select "use identity file" and specify the location of the id_rsa file, and you can log in. In this way only users holding a key can log on. Of course the key must be protected from compromise, and for security reasons the server should change each user's key on a schedule. Through the above security configuration of the intranet server, security and convenience are integrated.
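As an added example (not from the original post), the following POSIX sh audit reads an sshd_config the way sshd does (first uncommented keyword wins, keywords are case-insensitive, absent means compiled-in default) and checks it against the policy described above: key-only logins, privilege separation, no empty passwords. Run against the decisive lines of the config listed above it reports one finding, because that file still says PasswordAuthentication yes although the text says password authentication is closed; the file names and sample files are constructed for the demo.

```shell
#!/bin/sh
# Added audit helper (not from the original post): checks an sshd_config
# against the post's policy. File names and sample configs are constructed.

# OpenSSH semantics: keywords are case-insensitive, the first uncommented
# occurrence wins, an absent keyword means the compiled-in default applies.
# Prints the winning value, or nothing if the keyword never appears.
effective_value() {
    # $1 = config file, $2 = keyword
    awk -v key="$2" '
        $0 !~ /^[ \t]*#/ && tolower($1) == tolower(key) { print $2; exit }
    ' "$1"
}

# check_sshd_config FILE: prints one line per violation; its exit status is
# the number of violations, so 0 means the file matches the policy.
check_sshd_config() {
    f=$1; n=0
    for rule in PasswordAuthentication=no PermitEmptyPasswords=no \
                PubkeyAuthentication=yes UsePrivilegeSeparation=yes; do
        key=${rule%%=*}; want=${rule#*=}
        got=$(effective_value "$f" "$key")
        [ -z "$got" ] && got="(default)"
        if [ "$got" != "$want" ]; then
            echo "$f: $key is '$got', expected '$want'"
            n=$((n + 1))
        fi
    done
    return $n
}

# Constructed sample: the decisive lines of the sshd_config listed in the
# post. Note that it still leaves PasswordAuthentication on.
PAGE_CFG=${TMPDIR:-/tmp}/sshd_config.page.$$
cat > "$PAGE_CFG" <<'EOF'
#Port 22
# To disable tunneled clear text passwords, change to no here!
PasswordAuthentication yes
PermitEmptyPasswords no
RSAAuthentication yes
PubkeyAuthentication yes
UsePrivilegeSeparation yes
EOF

# Constructed sample: the same file with password logins turned off.
HARD_CFG=${TMPDIR:-/tmp}/sshd_config.hard.$$
sed 's/^PasswordAuthentication yes/PasswordAuthentication no/' "$PAGE_CFG" > "$HARD_CFG"

if check_sshd_config "$PAGE_CFG"; then page_rc=0; else page_rc=$?; fi  # 1 finding
if check_sshd_config "$HARD_CFG"; then hard_rc=0; else hard_rc=$?; fi  # 0 findings
```

The same function can be pointed at the real /usr/local/etc/sshd_config after each change, before sshd is restarted, so that a lockout-causing typo is caught while telnet is still available as the fallback the post keeps open.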