In small and medium-sized heterogeneous networks, many users choose Linux as their network operating system: it is simple to configure, offers a graphical interface that users are familiar with, and provides Internet services. Telnet is one of the services it provides.
The most basic Telnet application is logging on to a remote system over the Internet and using the resources shared on it. It lets you sit at the keyboard of one networked computer and work on another Internet-connected computer: every character you type is passed to the remote host, and every piece of the host's output is echoed back on your screen. The two computers may be in the same room or anywhere in the world with Internet access. Like other network applications, the Telnet service follows a client/server model; once connected, the client can use every service the server provides. But like other traditional network service programs, Telnet is inherently insecure, because it transmits passwords and data across the network in cleartext, where anyone with bad intentions can easily intercept them. Furthermore, its authentication scheme has its own weaknesses and is vulnerable to the man-in-the-middle form of attack. In a man-in-the-middle attack, the "middleman" poses as the real server to receive your data, and then poses as you to pass that data on to the real server. Once the data flowing between you and the server has passed through the middleman's hands and been tampered with, very serious problems follow. SSH (Secure Shell) is a more secure solution for operating a server over a remote connection. It was originally developed by a Finnish company, but because of copyright restrictions and restrictions on encryption algorithms, many people use the free alternative OpenSSH. OpenSSH is developed and maintained by the OpenBSD Project and bundles the SSH protocol suite of software. With OpenSSH, users can encrypt all transferred data, so that a man-in-the-middle attack cannot succeed. But OpenSSH leaves two security problems: passwords and keys can still be cracked (using a dictionary file to recover the password), and OpenSSH itself may have a trojan planted in it.
A brief introduction to SRP. SRP stands for Secure Remote Password; it is an open-source authentication protocol. A client and server that use SRP never transmit the password over the network, neither in cleartext nor encrypted, so password theft is eliminated entirely and the password is guaranteed to be safe on the network. Its basic idea is to prevent passive or active network intruders from using dictionary attacks. The Computer Science Department of Stanford University has developed the SRP package, which provides password-based authentication and session-encryption security mechanisms without requiring the user or the network administrator to manage or distribute keys. SRP offers everyone transparent password security, without the expensive initial overhead that other security suites impose. Unlike other security software, the SRP suite is a complete implementation of a password-authentication package, not a temporary fix. Compared with the standard /etc/shadow-style security, SRP does quite well in every respect. Using SRP gives users and administrators the following benefits:
SRP resists "password sniffing" attacks. In a session authenticated with SRP, a listener will not capture any password transmitted on your network. In remote-login software, cleartext password delivery is the biggest security hole: anyone can use a simple sniffer tool to obtain the key you use to log in to the remote system.
SRP resists dictionary attacks. Protecting a system against simple password sniffing is not enough. An attacker mounting a brute-force attack, such as a dictionary attack, does not simply sniff the password directly; instead they record the entire conversation and then match the captured information against a dictionary of common passwords. Even a Kerberos system is fragile against this attack. SRP resists dictionary attacks, first of all by handling the password safely.
The algorithm used requires that an attacker who wants to mount a brute-force attack first perform a computation so large that it is impossible. SRP can even protect the password against "active" attacks. Therefore, even an intruder with the capability and the network access cannot crack SRP, and even if a user chooses a very weak password, an intruder will not easily crack it.
SRP is completely transparent to the end user. There are no so-called "keyrings", "certificates" or "tickets": your password is the key. SRP simply protects that key, but better than the old, weak key-protection mechanisms.
From the administrator's perspective, SRP is easy to implement. There is no such thing as a key server, a certificate authority or an authentication server. The SRP password file sits alongside the standard Unix password file, and the software itself keeps the system password file and the SRP password file consistent, so there is no extra maintenance for the system.
SRP performs an encrypted key exchange when it authenticates a user. This means a login session is encrypted and resists so-called network monitoring and malicious tampering. When users read their mail remotely, the information is encrypted with 128-bit encryption; this is handled automatically when the user logs in, and the user does not have to care about what needs to be encrypted. The system encrypts everything and then sends it to the user. In addition, SRP authentication does not rely on public/private-key cryptography, which makes it faster and safer than authentication modes based on public/private keys. SRP uses the 128-bit CAST encryption algorithm by default; CAST-128 is defined in RFC 2144 (http://srp.stanford.edu/srp/rfc2144.txt). Standard SRP also supports 56-bit DES and 48-bit DES, and as a stronger cryptographic option it supports Triple-DES. This article describes how to set up a Telnet server based on SRP.
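The properties described in the two paragraphs above (the password never crosses the wire, the server stores only a verifier, and a recorded session gives a listener nothing to run a dictionary against) worked through in one script with both the client and server sides. This is an added example, not code from the Stanford SRP package; it implements the later SRP-6a variant of the protocol (RFC 5054), and the group parameters N and g, the username, the passwords and the salt are assumed toy values (N is a Mersenne prime, not one of the RFC 5054 safe-prime groups).

```python
"""SRP-6a exchange: client and server derive the same session key while the
password never crosses the wire and the server stores only a verifier."""
import hashlib
import secrets

# Assumed toy group: N = 2**127 - 1 is prime (Mersenne) but not a safe prime,
# and g = 3 is arbitrary; real deployments use the RFC 5054 safe-prime groups.
N = 2**127 - 1
g = 3


def H(*parts):
    """Hash integers/strings together into one integer (SRP's H)."""
    h = hashlib.sha256()
    for part in parts:
        h.update(str(part).encode())
    return int.from_bytes(h.digest(), "big")


k = H(N, g)  # SRP-6a multiplier parameter


def x_of(username, password, salt):
    """Private value x; computed only by the client, at login time."""
    return H(salt, H(f"{username}:{password}"))


def enroll(username, password, salt=None):
    """Server stores (salt, verifier v = g^x mod N); never the password."""
    salt = secrets.token_hex(8) if salt is None else salt
    return salt, pow(g, x_of(username, password, salt), N)


def exchange(username, password, attempt, salt=None):
    """Run the message flow; returns (client_key, server_key, proof_ok)."""
    salt, v = enroll(username, password, salt)        # enrolment, done once
    a, b = secrets.randbelow(N - 1) + 1, secrets.randbelow(N - 1) + 1
    A = pow(g, a, N)                                   # client -> server: I, A
    B = (k * v + pow(g, b, N)) % N                     # server -> client: salt, B
    if A % N == 0 or B % N == 0:
        raise ValueError("abort: zero public value")   # RFC 5054 safety check
    u = H(A, B)                                        # scrambling parameter
    if u == 0:
        raise ValueError("abort: u == 0")
    x = x_of(username, attempt, salt)                  # client uses what was typed
    S_client = pow((B - k * pow(g, x, N)) % N, a + u * x, N)
    S_server = pow(A * pow(v, u, N) % N, b, N)         # server never learns x
    K_client, K_server = H(S_client), H(S_server)
    # Client proves it holds K with M1 = H(A, B, K); server checks it against its
    # own K. A listener sees only salt, A, B, M1: nothing to test guesses against.
    M1 = H(A, B, K_client)
    proof_ok = secrets.compare_digest(str(M1), str(H(A, B, K_server)))
    return K_client, K_server, proof_ok
```

With the correct password both sides derive the same key and the proof verifies; with a wrong attempt the keys differ and the server rejects M1, which is the only feedback an online guess ever gets.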
Operating environment: Red Hat Linux 9.0.
Second, download and compile the software. The SRP software home page is http://srp.stanford.edu; the latest version is 2.1.1. OpenSSL must be installed before SRP.
# wget http://srp.stanford.edu/source/srp-2.1.1.tar.gz
# cp srp-2.1.1.tar.gz /usr/src/redhat/SOURCES
# cd /usr/src/redhat/SOURCES
# tar xzf srp-2.1.1.tar.gz
# cd srp-2.1.1
# ./configure --with-openssl=/usr/src/redhat/SOURCES/openssl-0.9.6 --with-pam
# make
# make install
Then set up the Exponential Password System (EPS). EPS stands for Exponential Password System; the SRP package already includes the EPS source code.
1. Installing the PAM module. An introduction to PAM: PAM stands for Pluggable Authentication Module. It was originally developed by Sun, and was soon accepted by the Linux community, which developed additional modules. Its goal is to provide a library of functions that can be used to authenticate users, separating authentication from application development. Linux-PAM handles four independent kinds of management: authentication management, account management, session management, and password management. How PAM works:
(1) A user calls an application to obtain its service.
(2) The application calls the PAM library behind it.
(3) The PAM library looks in the /etc/pam.d/ directory for the configuration file with the details for that application; the file tells PAM which authentication mechanism the application uses.
(4) The PAM library loads the required authentication modules.
(5) These modules let PAM communicate with the application's conversation functions.
(6) The conversation asks the user for the required information.
(7) The user responds to these requests by providing the requested information.