I suspect many of you use SecureCRT as your SSH client software but rarely use its RSA/DSA encryption function. Perhaps you still don't know what RSA is?
SSH, and OpenSSH in particular, is similar to telnet or rsh: the ssh client can be used to log in to a remote machine. The only requirement is that the remote machine is running sshd, the SSH server process. Unlike telnet, however, the SSH protocol is very secure. It uses special algorithms to encrypt the data stream, to ensure the integrity of the data stream, and even to perform safe and reliable authentication.
However, as great as SSH is, one of its components is often ignored: OpenSSH's RSA/DSA key authentication system, which can replace the standard password authentication system that OpenSSH uses by default.
OpenSSH's RSA and DSA authentication protocols are built on a pair of specially generated keys, namely a private key and a public key. The advantage of these key-based authentication systems is that, in many cases, a secure connection can be established without manually entering a password.
OK, now you have a rough idea of what RSA and DSA are. I will not go into the principles here; interested readers can read up on how public-key cryptography works. SecureCRT is not the only client that supports RSA/DSA; other SSH client software has similar support, but using it seems to be uncommon. I will use SecureCRT, the most typical client, to illustrate how RSA works together with the SSH service on Linux.
My environment: Red Hat 9.0, openssh-3.5p1-6, SecureCRT 4.0
We will leave the OpenSSH server alone for now. Once the client is set up, we will come back and configure the SSH server.
Create a new connection and click Properties: (Figure 1)
The default authentication method is Password. Change it to RSA, and a dialog box will pop up (Figure 2)
It asks you to confirm whether to use the wizard to create an RSA key. Choose "Yes", of course (Figure 3)
Next step: (Figure 4)
In this step, enter the password that protects your key. Remember this password, because you will need it whenever you use the key in the future. Fill in the Comment field as well.
Next: (Figure 5)
This lets you choose the key length in bits; the default is 1024.
Next: (Figure 6)
As you move your mouse, the system automatically generates the public and private keys from your mouse movements.
Next: (Figure 7)
After the RSA key pair has been generated, you are asked to save it. Keep the default name or change it, but pay attention to the path, because that is where SecureCRT will look for the key. Make sure SecureCRT can find your key.
That completes the work on the client. Next is the configuration of the Linux server.
Copy the RSA public key we have just created to your server; its default name is Identity.pub
Then, on Linux, if your key was created for the Linux user frank, first create a .ssh directory in frank's home directory.
mkdir /home/frank/.ssh
chmod o+x /home/frank
chmod 700 /home/frank/.ssh
Then import the public key into the authorized_keys file. Because we are using SSH1, the file is authorized_keys; for SSH2 it is authorized_keys2
cat Identity.pub > /home/frank/.ssh/authorized_keys
chmod 644 /home/frank/.ssh/authorized_keys
The permission settings are very important, because insecure permissions will prevent RSA authentication from working. If, while debugging, you see an error saying the public key cannot be found, first check whether the permissions are set correctly! OK, the server is now set up as well. You can now connect to the SSH server using SecureCRT's RSA authentication mode. If the connection works, a dialog box should pop up asking for your password (Figure 8)
Just enter the password that protects the key. Once you have entered it, you will be logged in.
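The permission check recommended above can be scripted. The following is an added example, not part of the original article: it reports any of the three paths that is missing or writable by group or others, which is the condition under which sshd with StrictModes enabled refuses to use the key file. The function names and the optional second argument are this example's own, and file ownership is not checked.

```shell
#!/bin/sh
# Added example: audit the paths that must be safe before sshd will read the key file.
# Assumption: the account's home directory is passed as the first argument,
# e.g. /home/frank as in the article.

# loose PATH: succeeds if PATH is writable by group or by others.
loose() {
    [ -n "$(find "$1" -prune \( -perm -020 -o -perm -002 \) 2>/dev/null)" ]
}

# check_ssh_perms HOME_DIR [KEYFILE_NAME]
# Prints one line per path; returns 0 only if every path exists and is not loose.
check_ssh_perms() {
    home=$1
    keyfile=${2:-authorized_keys}   # pass authorized_keys2 for the SSH2 case
    rc=0
    for p in "$home" "$home/.ssh" "$home/.ssh/$keyfile"; do
        if [ ! -e "$p" ]; then
            echo "MISSING  $p"
            rc=1
        elif loose "$p"; then
            echo "LOOSE    $p (group/world-writable)"
            rc=1
        else
            echo "OK       $p"
        fi
    done
    return $rc
}

# When run as a script with arguments: sh check_ssh_perms.sh /home/frank
[ $# -eq 0 ] || check_ssh_perms "$@"
```

Run it as root or as the account owner; any MISSING or LOOSE line points at the path to fix with the chmod commands shown earlier.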
There is one more step. Now that you have the SSH RSA function working, you should make the server support RSA authentication only. Supporting both ordinary passwords and RSA does not improve security, so it is necessary to make OpenSSH accept only RSA authentication. If you have not yet got the RSA function working, do not read on; get the steps above working first.
To make OpenSSH support only RSA authentication, we only need to modify
vi /etc/ssh/sshd_config
Set
PasswordAuthentication no
OK, now try the ordinary password authentication method again; you should see the following error message (Figure 9)
Great, the server now supports only the RSA authentication mode. OK
From now on you can access the SSH server with the RSA key, but you must keep your key safe. I keep mine on a USB drive that I carry with me. If one of your users loses their key, be sure to delete it on the server side, so that even if someone gets hold of the key, they cannot get in :)
Reference documentation
OpenSSH key management http://www-900.ibm.com/developerWorks/cn/linux/security/openssh/part1/index.shtml