Friday, February 10, 2012

Using SSH under Linux for secure data transfer (with pictures)

Protocols in common use on the Internet today, such as FTP, Telnet and POP, are inherently insecure: passwords and data travel over the network in clear text, so an attacker can easily intercept them, undermining the integrity and confidentiality of the data.

This article describes how to use SSH software under Linux to guarantee the security of data transmission over an insecure network by means of a cryptographic mechanism. SSH stands for Secure Shell. With SSH, all transferred data is encrypted, so even if an attacker on the network captures the data a user transmits, it cannot be read without the key and poses no real threat to the transfer. In addition, transmitted data is compressed, which can speed up transmission. SSH has many features: it can replace Telnet, and it provides a secure "transmission channel" for FTP and POP. In an insecure network environment it offers strong authentication and a very secure communication channel.

SSH consists of client-side and server-side software, and there are two incompatible versions, 1.x and 2.x: a client using SSH 2.x cannot connect to a server running SSH 1.x. OpenSSH 2.x supports both SSH 1.x and 2.x.

SSH provides two levels of security authentication. The first is password-based authentication: as long as the user knows the account name and password, they can log in to the remote host. All transferred data is encrypted, but this cannot guarantee that the user is connecting to the server they intend to reach; another server could impersonate the real one, which is a potential threat. The second is key-based authentication. The user must create a public/private key pair and place the public key on the server that is to be accessed. When the client needs to connect to an SSH server, the client software sends a request to the server that uses the user's key for verification. On receiving the request, the server first looks for the user's public key in the user's home directory on the server, and then compares it with the public key sent by the user.

If the two keys match, the server encrypts a "challenge" with the public key and sends it to the client software. The client software decrypts the "challenge" with the user's private key and sends it back to the server.

Installing and starting SSH

Red Hat Linux 7 and its releases include the packages associated with OpenSSH; if they are not installed, you can download the RPM packages from the OpenSSH home page, www.openssh.com. The main packages to install are: openssh-3.5p1-6, openssh-server-3.5p1-6, openssh-askpass-gnome-3.5p1-6, openssh-clients-3.5p1-6 and openssh-askpass-3.5p1-6. Install them with the following commands. First query whether the packages above are already installed on the system:

# rpm -qa | grep openssh

If they are not installed, run:

# rpm -ivh openssh-3.5p1-6
# rpm -ivh openssh-server-3.5p1-6
# rpm -ivh openssh-askpass-gnome-3.5p1-6
# rpm -ivh openssh-clients-3.5p1-6
# rpm -ivh openssh-askpass-3.5p1-6

After the installation has completed, either of the following two commands starts the service:

# service sshd start
# /etc/rc.d/init.d/sshd start

If you want the system to run the service automatically at boot, use the setup command and, under the network service configuration options, select the sshd daemon.

Once OpenSSH is installed and started, test it with the following command:

ssh -l [username] [address of the remote host]

If OpenSSH is working correctly, you will see a message like this:

The authenticity of host [hostname] can't be established.
Key fingerprint is 1024 5f:a0:0b:65:d3:82:df:ab:44:62:6d:98:9c:fe:e9:52.
Are you sure you want to continue connecting (yes/no)?

At the first login, OpenSSH reports that it does not know the host being logged in to. Simply type "yes", and the identification tag of the host is stored in the "~/.ssh/known_hosts" file. On the second visit to this host the message is no longer shown.
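The check behind that first-contact prompt is easy to misunderstand, so here is an added example (not code from the article) of what the client does with the "~/.ssh/known_hosts" file: on first contact the host's key is recorded after the user answers "yes"; on every later connection the recorded key is compared with the one the server presents, and a changed key means the connection should not proceed, because the host may be the impersonating server the article warns about. The known_hosts contents and key bodies below are constructed placeholders, not real keys.

```shell
#!/bin/sh
# Added example, not the article's code: a minimal model of the known_hosts
# host-key check (trust on first use, then compare on every later connection).

# Constructed sample known_hosts contents: "hostname keytype base64-key".
# The key bodies are placeholders, not real keys.
KNOWN_HOSTS_SAMPLE='www.test.com ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDEXAMPLEHOSTKEY1
192.168.10.1 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDEXAMPLEHOSTKEY2'

# recorded_key <known_hosts_file> <host>
# Prints "keytype key" recorded for the host, or nothing if the host is unknown.
recorded_key() {
    awk -v h="$2" '$1 == h { print $2, $3; exit }' "$1"
}

# check_host_key <known_hosts_file> <host> <keytype> <key>
# Prints one of:
#   NEW      - host not yet recorded; the client asks yes/no and then stores it
#   MATCH    - the presented key equals the recorded one; safe to continue
#   MISMATCH - the key changed since it was recorded; possible impersonation,
#              so the client must not continue
check_host_key() {
    file="$1"; host="$2"; presented="$3 $4"
    stored=$(recorded_key "$file" "$host")
    if [ -z "$stored" ]; then
        echo NEW
    elif [ "$stored" = "$presented" ]; then
        echo MATCH
    else
        echo MISMATCH
    fi
}

# record_host_key <known_hosts_file> <host> <keytype> <key>
# What the client does after the user answers "yes" at the first-contact prompt.
record_host_key() {
    printf '%s %s %s\n' "$2" "$3" "$4" >> "$1"
}

# Stand-alone demonstration against a temporary copy of the sample file.
demo_known_hosts() {
    kh=$(mktemp)
    printf '%s\n' "$KNOWN_HOSTS_SAMPLE" > "$kh"
    check_host_key "$kh" www.test.com ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDEXAMPLEHOSTKEY1
    check_host_key "$kh" www.test.com ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDCHANGEDKEY
    check_host_key "$kh" newhost.example ssh-rsa AAAAKEY3
    rm -f "$kh"
}
```

A MISMATCH is the one outcome a user should never answer "yes" to by habit; the real client refuses outright and points at the offending line in known_hosts so the administrator can confirm whether the server's key was legitimately replaced.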
SSH then prompts for the password of the user's account on the remote host. Once it is entered, the SSH connection is established and SSH can be used as easily as telnet.

SSH key management

1. Generate your own key pair. Use the following command to generate a public/private key pair:

ssh-keygen -t [type]

If the remote host uses SSH 2.x, use this command instead:

ssh-keygen -d

Keeping both SSH1 and SSH2 keys on the same host is no problem, because the keys are stored in different files. After ssh-keygen runs it displays the following:

# ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/home/username/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/username/.ssh/id_rsa.
Your public key has been saved in /home/username/.ssh/id_rsa.pub.
The key fingerprint is:
38:25:c1:4d:5d:d3:89:bb:46:67:bf:52:af:c3:17:0c username@localhost
Generating RSA keys:
Key generation complete.

The "ssh-keygen -d" command does the same work, but by default saves the key pair as /home/[user]/.ssh/id_dsa (private key) and /home/[user]/.ssh/id_dsa.pub (public key). The user now has a pair of keys: the public key is distributed to every remote host the user wants to log in to with SSH; the private key is kept in the user's own custody so that nobody else learns it. The file permissions shown by "ls -l ~/.ssh/identity" or "ls -l ~/.ssh/id_dsa" must be "-rw-------". If you suspect that your key has become known to others, generate a new key immediately; of course, you will then also have to redistribute the public key for normal use.

2. Distribute the public key. Every user who needs an SSH connection to a remote server creates a ".ssh" subdirectory in their home directory on that server, copies the user's public key "identity.pub" into it, and renames it "authorized_keys". Then execute:

chmod 644 .ssh/authorized_keys

This step is essential: if anyone other than the user has write permission on the "authorized_keys" file, it can be tampered with, and SSH will not work properly. If the user wants to log in to the remote host from a different computer, the "authorized_keys" file can hold multiple public keys. In that case, generate a new key pair on the new computer and append the generated "identity.pub" to the "authorized_keys" file on the remote host. Of course, the user must have an account on the new computer, and the key should be password protected. It is important to remember to delete the key when the user's account is cancelled.

Configuring the SSH client

The advantage of using SSH on a Linux client is that it is convenient to operate and needs no additional software; the disadvantage is that it is not very intuitive. Users only need the default profile "/etc/ssh/ssh_config" provided by the system and the following simple command to log in (here as user "test" on the remote server www.test.com):

# ssh -l test www.test.com

The following section introduces how to configure the PuTTY tool in a Windows environment to log in to the SSH server. This tool is fairly common and can be downloaded free from the Internet; the latest version currently available is PuTTY 0.58. After installing it, configure it as follows:
1. Open the software; the configuration interface and the initial Session window open automatically.
2. In the "Host Name (or IP address)" edit box in the right half of the interface, enter the address of the remote server to log in to, here 192.168.10.1; in the Port edit box, enter the default port number 22; then click the "Save" button to save the configuration, as shown in Figure 1.
Figure 1: Configuring the IP address and port number
3. Click the "Open" button; the software connects to the server and displays the result, and the user can then carry out the appropriate remote management operations.
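The public-key distribution step above, including the permission rule that the article calls essential, as an added shell example that is not the article's own code. It works on a constructed home directory passed as an argument rather than the real ~/.ssh, so it can be run safely; the public key line is a constructed placeholder, not a real key. It appends a key only if it is not already present (so redistributing the same key from the same computer does not create duplicate entries), applies the article's permissions (700 on .ssh, 644 on authorized_keys), and then checks what sshd actually insists on: that neither group nor "other" can write to the file.

```shell
#!/bin/sh
# Added example, not the article's code: install a public key into a user's
# authorized_keys as the article describes and verify the required permissions.
# Works on a directory passed in as <home_dir>; never touches the real ~/.ssh.

# Constructed sample public key line; the base64 body is a placeholder, not a real key.
SAMPLE_PUBKEY='ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC0EXAMPLEKEYMATERIALNOTREAL user@client'

# install_pubkey <home_dir> <pubkey_line>
# Creates <home_dir>/.ssh if needed, appends the key only if it is not already
# present, and applies the article's permissions: 700 on .ssh, 644 on authorized_keys.
install_pubkey() {
    home="$1"; key="$2"
    mkdir -p "$home/.ssh"
    chmod 700 "$home/.ssh"
    auth="$home/.ssh/authorized_keys"
    touch "$auth"
    if ! grep -qxF "$key" "$auth"; then
        printf '%s\n' "$key" >> "$auth"
    fi
    chmod 644 "$auth"
}

# key_count <home_dir>: number of public keys in authorized_keys (one per line).
key_count() {
    wc -l < "$1/.ssh/authorized_keys" | tr -d ' '
}

# perm_string <path>: symbolic mode such as -rw-r--r--, taken from ls -ld,
# which is portable across GNU and BSD ls (unlike stat's format options).
perm_string() {
    ls -ld "$1" | cut -c1-10
}

# check_not_group_other_writable <path>
# Returns 0 when neither group nor "other" has write permission on <path>.
# This is the property sshd's StrictModes check enforces for ~/.ssh and
# authorized_keys; a group- or world-writable file makes sshd refuse the key,
# which is the failure the article warns about. Returns 1 otherwise.
check_not_group_other_writable() {
    mode=$(perm_string "$1")
    # character 6 is the group write bit, character 9 the "other" write bit
    case "$mode" in
        ?????w*|????????w?) return 1 ;;
    esac
    return 0
}

# Stand-alone demonstration on a temporary home directory.
demo_install() {
    tmp=$(mktemp -d)
    install_pubkey "$tmp" "$SAMPLE_PUBKEY"
    install_pubkey "$tmp" "$SAMPLE_PUBKEY"   # second install must not duplicate
    echo "keys installed: $(key_count "$tmp")"
    echo "authorized_keys mode: $(perm_string "$tmp/.ssh/authorized_keys")"
    check_not_group_other_writable "$tmp/.ssh/authorized_keys" && echo "permissions OK"
    rm -rf "$tmp"
}
```

Note that the mode 600 the article requires for the private key would also satisfy this check for authorized_keys; what matters for the public-key file is that only the owner can write it, so that no other local user can add a key of their own to the account.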
Configuring automatic SSH login

With SSH as described above, the user must enter a password each time they log in to the server, which is somewhat troublesome. Since SSH's key mechanism is already in use, the system can be configured so that no password has to be entered, for convenient login. The following uses a Windows client as an example to show how to log in to SSH automatically. In Windows, the PuTTY client described earlier also makes automatic login easy, mainly by using the puttygen tool that comes with the PuTTY tool kit to generate a public/private key pair; the principle is the same as under Linux. The configuration details are as follows:
1. Open the puttygen tool to generate a public/private key pair, as shown in Figure 2, and select SSH2 RSA as the type of key to generate.
Figure 2: Main interface of the PuTTYgen generator
2. Click the "Generate" button to enter the key pair generation interface; the user needs to keep moving the mouse over the blank area of the window so that the generated key has enough randomness.
3. Once the public/private key pair has been generated, the program prompts the user to save the public key and private key. Click the "Save public key" and "Save private key" buttons and specify the paths under which to save them.
4. Use PuTTY to connect to the server, log in with your own account, copy the contents of the public key file into your home directory on the server, and then execute the following command. Then use Notepad to open the file id_rsa1.pub, select all, press CTRL+C to copy it to the clipboard, switch to the PuTTY window, press SHIFT+Ins to paste, and then press CTRL+D to complete creation of the file. This completes the public key distribution.
