1. Create a private CA and issue a certificate from a request
1) Create the CA directory layout and database files (these paths are the ones the [ CA_default ] section of the stock /etc/pki/tls/openssl.cnf expects):
mkdir -pv /etc/pki/CA/{certs,crl,newcerts,private}
touch /etc/pki/CA/index.txt        # certificate database, starts empty
echo 0F > /etc/pki/CA/serial       # next serial number; must be an even number of hex digits
2) Create the CA private key and the self-signed CA certificate:
cd /etc/pki/CA/
(umask 066; openssl genrsa -out private/cakey.pem 2048)    # umask 066 in a subshell makes the key 0600 without changing the caller's umask
openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -days 3650 -out /etc/pki/CA/cacert.pem
3) On the client, generate the server private key and a certificate signing request (CSR):
mkdir -p /data/app1
(umask 066; openssl genrsa -out /data/app1/http.key 2048)    # state the key size explicitly rather than relying on the OpenSSL default
openssl req -new -key /data/app1/http.key -out /data/app1/http.csr
Note: with the default policy_match policy in openssl.cnf, the Country, State and Organization fields of the CSR must match those of the CA certificate, otherwise "openssl ca" rejects the request.
4) The CA issues the certificate:
Upload the client's request (http.csr) to the CA server, then sign it:
openssl ca -in /data/app1/http.csr -out /etc/pki/CA/certs/http.crt -days 1000
A copy of the issued certificate is also stored under newcerts/ named by serial number, and index.txt gains a line for it.
Inspect the issued certificate:
openssl x509 -in /etc/pki/CA/certs/http.crt -noout -text
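The whole procedure above run end to end without prompts, as an added example that is not part of the original notes. It builds the CA in a scratch directory instead of /etc/pki/CA so it needs no root, writes its own openssl.cnf with a policy that does not force the CSR fields to match, puts a subjectAltName in the CSR (browsers match the DNS name against the SAN, not the CN), and finishes with "openssl verify" to prove the issued certificate chains to the CA. The organisation name runcx, the host name www.runcx.cn and all paths are assumptions.

```shell
#!/bin/sh
# Added example, not part of the original notes: the CA procedure from the
# notes, run non-interactively in a scratch directory instead of /etc/pki/CA.
# The names (runcx, www.runcx.cn) and paths are assumptions.
set -eu

# Build the directory layout and an openssl.cnf equivalent to the
# [ CA_default ] section that the stock /etc/pki/tls/openssl.cnf provides.
build_private_ca() {
    cadir=$1
    mkdir -p "$cadir/certs" "$cadir/crl" "$cadir/newcerts" "$cadir/private"
    : > "$cadir/index.txt"           # empty certificate database
    echo 0F > "$cadir/serial"        # next serial, even number of hex digits
    cat > "$cadir/openssl.cnf" <<EOF
[ ca ]
default_ca      = CA_default
[ CA_default ]
dir             = $cadir
new_certs_dir   = \$dir/newcerts
database        = \$dir/index.txt
serial          = \$dir/serial
certificate     = \$dir/cacert.pem
private_key     = \$dir/private/cakey.pem
default_md      = sha256
default_days    = 365
policy          = policy_any
x509_extensions = server_cert
copy_extensions = copy
[ policy_any ]
countryName         = optional
stateOrProvinceName = optional
organizationName    = optional
commonName          = supplied
[ server_cert ]
basicConstraints = CA:FALSE
keyUsage         = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
[ v3_ca ]
basicConstraints     = critical, CA:TRUE
keyUsage             = keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ req ]
distinguished_name = req_dn
[ req_dn ]
EOF
    # CA private key (umask 066 -> mode 0600) and 10-year self-signed CA cert
    (umask 066; openssl genrsa -out "$cadir/private/cakey.pem" 2048 2>/dev/null)
    openssl req -new -x509 -sha256 -days 3650 \
        -config "$cadir/openssl.cnf" -extensions v3_ca \
        -key "$cadir/private/cakey.pem" \
        -subj "/C=CN/O=runcx/CN=runcx private CA" -out "$cadir/cacert.pem"
}

# Client side: 2048-bit key plus a CSR that carries a subjectAltName, since
# browsers match the DNS name against the SAN and ignore the CN.
make_server_csr() {
    appdir=$1; name=$2
    mkdir -p "$appdir"
    (umask 066; openssl genrsa -out "$appdir/http.key" 2048 2>/dev/null)
    cat > "$appdir/req.cnf" <<EOF
[ req ]
distinguished_name = req_dn
req_extensions     = v3_req
[ req_dn ]
[ v3_req ]
subjectAltName = DNS:$name
EOF
    openssl req -new -sha256 -config "$appdir/req.cnf" -key "$appdir/http.key" \
        -subj "/C=CN/O=runcx/CN=$name" -out "$appdir/http.csr"
}

# CA side: sign the uploaded CSR without prompts (-batch), then confirm the
# result actually chains to the CA. Returns non-zero if either step fails.
issue_and_verify() {
    cadir=$1; csr=$2; crt=$3
    openssl ca -batch -notext -config "$cadir/openssl.cnf" -days 1000 \
        -in "$csr" -out "$crt"
    openssl verify -CAfile "$cadir/cacert.pem" "$crt"
}

work=$(mktemp -d)
build_private_ca "$work/CA"
make_server_csr "$work/app1" www.runcx.cn
issue_and_verify "$work/CA" "$work/app1/http.csr" "$work/CA/certs/http.crt"
openssl x509 -in "$work/CA/certs/http.crt" -noout -subject -issuer -dates
```

On a real CA host the same commands work against /etc/pki/CA with the system openssl.cnf; the point of "openssl verify" at the end is that a certificate "openssl ca" wrote without error can still fail to chain (wrong CA file, expired CA, missing CA:TRUE), and the web server's clients are the wrong place to discover that.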
2. Common ssh options
Command syntax:
ssh [user@]host [COMMAND]
ssh [-l user] host [COMMAND]
Common options:
-p port            # port the remote sshd listens on
-b bind_address    # source IP address to connect from (on a multi-homed client)
-v                 # verbose/debug output (-vv and -vvv for more detail)
-C                 # enable compression
-X                 # enable X11 forwarding
-t                 # force pseudo-tty allocation, e.g. to chain interactive logins through intermediate hosts: ssh -t remoteserver1 ssh -t remoteserver2 ssh remoteserver3
-o option          # set any ssh_config option, e.g. -o StrictHostKeyChecking=no (new host keys are accepted automatically and a changed key does not abort the connection, which removes the protection against a man-in-the-middle; use it only in lab environments)
-i <file>          # identity (private key) file for key-based authentication
Example:
ssh 192.168.1.2 /bin/bash < test.sh    # run a local script on the remote host: the file is fed to the remote bash on stdin, so nothing is copied to the remote disk
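A wrapper for the "ssh host /bin/bash < test.sh" pattern above, as an added example that is not part of the original notes. It keeps host-key verification on (the opposite of the -o StrictHostKeyChecking=no shown above) by pinning a pre-distributed known_hosts file, uses a key with -i and BatchMode so it never hangs on a password prompt, and replaces the "ssh -t jump ssh target" chain with -J (ProxyJump, OpenSSH 7.3 and later), which tunnels the session through the jump host without the private key or an interactive login ever touching it. The host names, the key path and the pinned known_hosts path are assumptions.

```shell
#!/bin/sh
# Added example, not from the original notes: run a local script on a remote
# host over ssh with host-key verification kept on. Host names, the key path
# and the pinned known_hosts file are assumptions.
set -eu

SSH_KEY=${SSH_KEY:-$HOME/.ssh/id_ed25519}                  # assumed key file (-i)
KNOWN_HOSTS=${KNOWN_HOSTS:-$HOME/.ssh/known_hosts.pinned}  # assumed pre-distributed host keys
SSH_PORT=${SSH_PORT:-22}                                   # remote sshd port (-p)

# run_remote HOST SCRIPT [JUMP_HOST]
# Feeds a local script to bash on HOST. With JUMP_HOST it uses -J (ProxyJump,
# OpenSSH 7.3+) instead of the "ssh -t jump ssh target" chain: the session is
# tunnelled through the jump host and the private key never leaves this machine.
run_remote() {
    host=$1; script=$2; jump=${3:-}
    if [ ! -r "$script" ]; then
        echo "run_remote: cannot read script '$script'" >&2
        return 2
    fi
    # BatchMode=yes: fail instead of prompting for a password or passphrase.
    # StrictHostKeyChecking=yes + a pinned known_hosts: an unknown or changed
    # host key aborts the connection instead of being accepted silently.
    set -- -p "$SSH_PORT" -i "$SSH_KEY" \
        -o BatchMode=yes \
        -o StrictHostKeyChecking=yes \
        -o UserKnownHostsFile="$KNOWN_HOSTS" \
        -o ConnectTimeout=10
    if [ -n "$jump" ]; then
        set -- "$@" -J "$jump"
    fi
    # bash -s reads the script from stdin, which is the local file, so the
    # script is never written to the remote disk.
    ssh "$@" "$host" /bin/bash -s < "$script"
}

# Usage: sh run_remote.sh HOST SCRIPT [JUMP_HOST]
if [ $# -ge 2 ]; then
    run_remote "$@"
fi
```

The pinned known_hosts file is populated once, out of band (for example from the host key fingerprints recorded when the servers were built), which is what makes StrictHostKeyChecking=yes usable in scripts; the first-contact prompt that people disable with StrictHostKeyChecking=no never appears because the key is already known.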
3. Setting up a DHCP server
1) Install the package (it is named dhcp on CentOS 7 and dhcp-server on CentOS 8 and later):
yum install dhcp -y
2) Edit /etc/dhcp/dhcpd.conf as follows (the stock file is empty; /usr/share/doc/dhcp*/dhcpd.conf.example is the reference it points to):
option domain-name "runcx.cn";
option domain-name-servers 223.6.6.6;
default-lease-time 600;
max-lease-time 7200;
log-facility local7;
subnet 10.0.0.0 netmask 255.255.255.0 {
  range 10.0.0.10 10.0.0.100;
  option routers 10.0.0.2;
}
The server itself must have an address on an interface in 10.0.0.0/24, otherwise dhcpd refuses to start; the gateway 10.0.0.2 is kept outside the dynamic range so it is never leased to a client.
3) Enable and start the service (enable --now starts it immediately and at boot; after later edits use systemctl restart dhcpd):
systemctl enable --now dhcpd