- 论坛徽章:
- 0
|
实施步骤:\n在每台服务器上\n1. 安装软件包: | openssh-3.4pl-sol7-sparc-localopenssl-0.96d-sol7-sparc-localzlib-1.1.4-sol7-sparc-localprngd-0.0.25-sol7-sparc-localegd-0.8-sol7-sparc-local |
2. 安装prngd和sshd的启动脚本 | ::::::::::::::S98prngd::::::::::::::#!/bin/shpid=`/usr/bin/ps -e | /usr/bin/grep prngd | /usr/bin/sed -e \'s/^ *//\' -e \'s/ .*//\'`case $1 in\'start\')/usr/local/sbin/prngd /var/spool/prngd/pool;;\'stop\')if [ \"${pid}\" != \"\" ]then/usr/bin/kill ${pid}fi;;*)echo \"usage: /etc/init.d/prngd {start|stop}\";;esac::::::::::::::S98sshd::::::::::::::#!/bin/shpid=`/usr/bin/ps -e | /usr/bin/grep sshd | /usr/bin/sed -e \'s/^ *//\' -e \'s/ .*//\'`case $1 in\'start\')/usr/local/sbin/sshd;;\'stop\')if [ \"${pid}\" != \"\" ]then/usr/bin/kill ${pid}fi;;*)echo \"usage: /etc/init.d/sshd {start|stop}\";;esac |
3. 用prngd生成伪随机初始种子数 | cat /var/log/syslog /var/adm/messages > /usr/local/etc/prngd/prngd-seedmkdir /var/spool/prngd/etc/rc2.d/S98prngd start |
检查prngd工作是否正常: /usr/local/bin/egc.pl /var/spool/prngd/pool get\n显示如: 9151 bits of entropy in pool\n4. 增加sshd用户 | mkdir /var/emptychown root /var/emptychgrp sys /var/emptychmod 755 /var/emptygroupadd sshduseradd –g sshd –c ‘sshd privsep’ –d /var/empty –s /bin/false sshd |
5. 修改tcpd的控制文件/etc/hosts.allow和/etc/hosts.deny\nALL:n.n.n.n #登录主机IP\n6. 在server端创建主机密钥对 | ssh-keygen –t rsa1 –f /usr/local/etc/ssh_host_key –N “”ssh-keygen –t dsa –f /usr/local/etc/ssh_host_dsa_key –N “”ssh-keygen –t rsa –f /usr/local/etc/ssh_host_rsa_key –N “”启动sshd:/etc/rc2.d/S98sshd start |
7. 关闭原telnet和ftp服务\n修改/etc/inetd.conf 文件,kill –HUP <inetd pid>关闭telnet和ftp服务\n8. 在客户端做以下测试\nUNIX客户端:\nSsh [-l username] [-p port] <hostname> //如果用-v参数,进入调试状态,这是一个很好的帮助工具(取代telnet)\nSftp [-l username] [-p port] <hostname>(取代ftp)\nWINDOWS:客户端\nSecurecrt 3.4.5 //在session的配置中,authentication使用password方式\nSecurefx2.0.3\n以上为默认安装情况,即SSH的密码验证。\n为了保证唯一的一台登录服务器的安全,又不至于在修改sshd配置后重启进程带来无法登录管理的问题,继续使用telnet和ftp服务,结合采用SSHD的密钥验证方式,并且在/etc/hosts.allow文件中做以下设置: | ################# internal network ######################ALL:n.n.n.n #operator1ALL:n.n.n.n #operator2################## out network ###########################sshd: ALL #RSA auth |
这样,管理员在公司的固定IP地址仍旧可以很方便地登录到主机上操作,而如果在家中或外出出差,由于IP地址是非固定的,可以通过sshd的密钥验证来进行登录。\n服务器配置如下: | /usr/local/etc/sshd_config:# $OpenBSD: sshd_config,v 1.56 2002/06/20 23:37:12 markus Exp $# This is the sshd server system-wide configuration file. See# sshd_config(5) for more information.# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin:/usr/local/bin# The strategy used for options in the default sshd_config shipped with# OpenSSH is to specify options with their default value where# possible, but leave them commented. Uncommented options change a# default value.#Port 22#Protocol 2,1#ListenAddress 0.0.0.0#ListenAddress ::# HostKey for protocol version 1HostKey /usr/local/etc/ssh_host_key# HostKeys for protocol version 2HostKey /usr/local/etc/ssh_host_rsa_keyHostKey /usr/local/etc/ssh_host_dsa_key# Lifetime and size of ephemeral version 1 server keyKeyRegenerationInterval 3600ServerKeyBits 768# Logging#obsoletes QuietMode and FascistLoggingSyslogFacility AUTHLogLevel INFO# Authentication:#LoginGraceTime 600#PermitRootLogin yes#StrictModes yesRSAAuthentication yesPubkeyAuthentication yesAuthorizedKeysFile .ssh/authorized_keys# rhosts authentication should not be used#RhostsAuthentication no# Don\'t read the user\'s ~/.rhosts and ~/.shosts files#IgnoreRhosts yes# For this to work you will also need host keys in /usr/local/etc/ssh_known_hosts#RhostsRSAAuthentication no# similar for protocol version 2#HostbasedAuthentication no# Change to yes if you don\'t trust ~/.ssh/known_hosts for# RhostsRSAAuthentication and HostbasedAuthentication#IgnoreUserKnownHosts no# To disable tunneled clear text passwords, change to no here!PasswordAuthentication yesPermitEmptyPasswords no# Change to no to disable s/key passwords#ChallengeResponseAuthentication yes# Kerberos options#KerberosAuthentication no#KerberosOrLocalPasswd yes#KerberosTicketCleanup yes#AFSTokenPassing no# Kerberos TGT Passing only works with the AFS kaserver#KerberosTgtPassing no# Set this to \'yes\' to enable PAM keyboard-interactive authentication# Warning: enabling this may bypass the setting of \'PasswordAuthentication\'#PAMAuthenticationViaKbdInt yes#X11Forwarding no#X11DisplayOffset 10#X11UseLocalhost yes#PrintMotd yes#PrintLastLog yes#KeepAlive yes#UseLogin noUsePrivilegeSeparation yesCompression yes#MaxStartups 10# no default banner path#Banner /some/path#VerifyReverseMapping no# override default of no subsystemsSubsystem sftp /usr/local/libexec/sftp-server |
这里关闭了SSH的密码验证方式,采用RSA的密钥验证方法,用户需要首先在服务器上用ssh-keygen –t rsa在自己的主目录下.ssh目录里自动生成密钥对,id_rsa(私钥)和id_rsa.pub(公钥),然后手工将id_rsa.pub拷贝成autohrized_keys文件.并将id_rsa和id_rsa..pub文件传至客户端保存好,同时删除服务器端的id_rsa和id_rsa.pub文件。\n客户端测试:如果是UNIX客户端,将id_rsa和id_rsa.pub放在用户主目录的.ssh子目录下, 用ssh和sftp可以进行测试;如果是WINDOWS系统的客户端,可以通过SECURECRT指定authencation为publickey方式,并且在properties中的session settings中选用use identity file,指定具体的id_rsa的文件位置,即可登录。这样,只有拥有密钥对的用户才可以登录。当然,得保护好自己的钥匙不可泄露,为安全起见,服务器需要定时改变每个用户的密钥。\n通过以上对intranet内部服务器的安全配置,实现了安全性和方便性的整合。 |
|
免费注册
发表于 2008-03-02 02:11