SSH service

SSH provides secure remote login with encrypted communication and is currently the most popular remote login protocol.

openssh: the open-source implementation of the SSH protocol, installed by default on CentOS

Clients

  • Linux clients: ssh, scp, sftp, slogin
  • Windows clients: xshell, MobaXterm, putty, securecrt, sshsecureshellclient

SSH client commands

When ssh connects to a server, it copies the server's public host key (from the server's /etc/ssh/ssh_host*key.pub files) into ~/.ssh/known_hosts on the client. On later connections the host key presented by the server is checked against that saved entry; if it does not match, the connection is refused.

SSH client configuration file

[root@localhost ssh]# vim /etc/ssh/ssh_config
#StrictHostKeyChecking ask
# do not show the host-key check prompt on first login
#   StrictHostKeyChecking ask 
 StrictHostKeyChecking no 
# note: with 'no', unknown host keys are added automatically and the connection proceeds even
# when a saved key no longer matches (ssh still prints a warning); OpenSSH 7.6+ offers accept-new,
# which only skips the first-login prompt
#   IdentityFile ~/.ssh/id_rsa
#   IdentityFile ~/.ssh/id_dsa
#   IdentityFile ~/.ssh/id_ecdsa
#   IdentityFile ~/.ssh/id_ed25519
#   Port 22
# the same change made with sed
[root@centos7 ~]#sed -i.bak '/StrictHostKeyChecking/s/.*/StrictHostKeyChecking no/' /etc/ssh/ssh_config

Syntax

ssh [user@]host [COMMAND]
ssh [-l user] host [COMMAND]

Options

-p port    # port the remote server listens on
-b         # source IP address to connect from
-v         # verbose (debug) mode
-C         # enable compression
-X         # enable X11 forwarding
-t         # force pseudo-tty allocation, e.g.: ssh -t remoteserver1 ssh -t remoteserver2 ssh remoteserver3
-o option  # e.g.: -o StrictHostKeyChecking=no
-i <file>  # path to the private key for key-based authentication; defaults: ~/.ssh/id_dsa, ~/.ssh/id_ecdsa, ~/.ssh/id_ed25519, ~/.ssh/id_rsa, etc.
# run a command on the remote host
[root@localhost /]# ssh 10.0.0.8 "hostname"
The authenticity of host '10.0.0.8 (10.0.0.8)' can't be established.
ECDSA key fingerprint is SHA256:9SU7k10xmQmgt3TNiKnl8sc6AH43RG/7DnY2X8KtfC0.
ECDSA key fingerprint is MD5:51:b9:77:8d:82:13:ad:a8:56:ce:40:4f:d7:a0:e5:11.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '10.0.0.8' (ECDSA) to the list of known hosts.
root@10.0.0.8's password: 
centos8-1
[root@localhost /]# 

SSH client tools

SCP

scp copies files between local and remote hosts over ssh.

Syntax

scp [options] [user@]host:/sourcefile /destpath
scp [options] /sourcefile [user@]host:/destpath
scp [options] [user@]host1:/sourcepath [user@]host2:/destpath

Options

-C       compress the data stream
-r       copy recursively
-p       preserve the original file attributes
-P PORT  port the remote host listens on

rsync

rsync copies files between remote systems efficiently over ssh or the rsync protocol. Using a secure shell connection as the transport, it is faster than scp because it synchronises incrementally, copying only the files that differ between the two sides. The tool comes from the rsync package.

Note: rsync must be installed on both ends of the connection.

# effect of a trailing / on the source path
rsync -av /etc server1:/tmp    # copies the directory itself and its contents
rsync -av /etc/ server1:/tmp   # copies only the directory's contents

Options

-n  dry run: simulate the copy
-v  verbose output
-r  copy directory trees recursively
-p  preserve permissions
-t  preserve modification times
-g  preserve group
-o  preserve owner
-l  copy symlinks as symlinks (default)
-L  copy the files that symlinks point to
-u  skip files that are newer on the receiver than on the sender
-z  compress, saving network bandwidth
-a  archive mode, equivalent to -rlptgoD, but does not preserve ACLs (-A) or SELinux attributes (-X)
--delete  files deleted on the source are also deleted on the destination

sftp

Interactive file transfer tool, used much like the traditional ftp client, that uploads and downloads files securely over the ssh service. Commands such as ls, cd, mkdir, rmdir, pwd, get and put are available; ? or help shows the help text.

sftp user@IP

SSH server configuration

Server side: sshd

Server-side configuration file: /etc/ssh/sshd_config

Manual page for the server configuration file: man 5 sshd_config

# commonly used parameters in /etc/ssh/sshd_config
Port                         # recommended to change in production
ListenAddress ip
LoginGraceTime 2m
PermitRootLogin yes          # Ubuntu disallows remote root login over ssh by default
StrictModes yes              # check ownership and permissions of the .ssh/ files
MaxAuthTries 6               # maximum number of failed attempts
MaxSessions 10               # maximum sessions per connection
PubkeyAuthentication yes     # key-based authentication
PermitEmptyPasswords no      # allow logins with an empty password
PasswordAuthentication yes   # username and password authentication
ClientAliveInterval 10       # in seconds
ClientAliveCountMax 3        # default 3
UseDNS yes                   # set to no for faster logins
GSSAPIAuthentication yes     # set to no for faster logins
MaxStartups                  # maximum number of unauthenticated connections, default 10
Banner /path/file
# ways to restrict which users may log in:
AllowUsers user1 user2 user3
DenyUsers user1 user2 user3
AllowGroups g1 g2
DenyGroups g1 g2
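Several of the parameters above (PermitRootLogin, PasswordAuthentication, PermitEmptyPasswords) decide how exposed the server is, and sshd resolves duplicates by keeping the first value it reads, so an audit must reproduce that rule. The script below is an added example, not from the original notes: it parses a constructed sshd_config, resolves the effective global values, and reports settings that differ from a hardened baseline; the defaults it assumes for absent keywords should be confirmed on a real host with `sshd -T`.

```python
import re

# Constructed sample /etc/ssh/sshd_config for this example (not a real host).
SAMPLE_SSHD_CONFIG = """\
Port 2222
PermitRootLogin yes
PermitRootLogin no          # ignored by sshd: the first value wins
#PasswordAuthentication no  # commented out, so the default (yes) applies
PermitEmptyPasswords no
Match User backup
    PasswordAuthentication yes
"""

# keyword -> (assumed OpenSSH default when absent, value a hardened host
# should have). Confirm the defaults on a real host with `sshd -T`.
CHECKS = {
    "permitrootlogin": ("prohibit-password", "no"),
    "passwordauthentication": ("yes", "no"),
    "permitemptypasswords": ("no", "no"),
    "pubkeyauthentication": ("yes", "yes"),
}

def effective_settings(text):
    """Resolve the global section as sshd does: '#' starts a comment,
    keywords are case-insensitive, 'Key value' and 'Key=value' both
    parse, the FIRST value seen for a keyword wins, and parsing stops
    at the first Match block (its settings are conditional)."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.match(r"^(\S+?)(?:\s*=\s*|\s+)(.+)$", line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "match":
            break
        settings.setdefault(key, value)  # keep the first occurrence only
    return settings

def audit(text):
    """Return (keyword, effective value, expected value) per weak setting."""
    eff = effective_settings(text)
    findings = []
    for key, (default, want) in CHECKS.items():
        have = eff.get(key, default).lower()
        if have != want:
            findings.append((key, have, want))
    return findings
```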

Building a private CA and issuing certificates

Two ways to build a private CA

  • openca: a complete free PKI suite from the OpenCA open-source project, built in Perl on top of OpenSSL; it must be installed separately
  • openssl: related packages openssl and openssl-libs

The openssl-libs configuration file explained

[root@localhost date]# vim /etc/pki/tls/openssl.cnf   # certificate configuration file
####################################################################
[ ca ]
default_ca      = CA_default            # The default ca section

####################################################################
[ CA_default ]

dir             = /etc/pki/CA           # top-level directory for the CA; not shipped on CentOS 8, present by default on CentOS 7
certs           = $dir/certs            # where issued certificates are kept
crl_dir         = $dir/crl              # where certificate revocation lists are kept
database        = $dir/index.txt        # index file: the database of every certificate issued
#unique_subject = no                    # Set to 'no' to allow creation of
                                        # several certs with same subject.
new_certs_dir   = $dir/newcerts         # directory for newly issued certificates

certificate     = $dir/cacert.pem       # the CA's self-signed certificate
serial          = $dir/serial           # serial number file: the next certificate number; the starting value must be set by hand
crlnumber       = $dir/crlnumber        # number of the current CRL
                                        # must be commented out to leave a V1 CRL
crl             = $dir/crl.pem          # the current CRL file
private_key     = $dir/private/cakey.pem# the CA's private key

default_days    = 365                   # certificate validity period
default_crl_days= 30                    # CRL validity period
default_md      = sha256                # digest (hash) algorithm
preserve        = no                    # keep passed DN ordering

policy          = policy_match  # certificate matching policy

# Each field of a policy uses one of three matching rules:
# match: the value in the request must equal the CA's own value
# optional: the field may be present or absent and need not match the CA
# supplied: the field must be present in the request

# For the CA policy
[ policy_match ]     # section referenced by the policy setting above
countryName             = match    # country
stateOrProvinceName     = match    # province
organizationName        = match    # organisation name
organizationalUnitName  = optional
commonName              = supplied
emailAddress            = optional

# For the 'anything' policy
# At this point in time, you must list all acceptable 'object'
# types.
[ policy_anything ]
countryName             = optional
stateOrProvinceName     = optional
localityName            = optional
organizationName        = optional
organizationalUnitName  = optional
commonName              = supplied
emailAddress            = optional

# files belonging to openssl-libs
[root@localhost date]# rpm -ql openssl-libs
/etc/pki/tls
/etc/pki/tls/certs
/etc/pki/tls/ct_log_list.cnf
/etc/pki/tls/misc
/etc/pki/tls/openssl.cnf
/etc/pki/tls/private

Implementing a private CA and issuing certificates on CentOS 8

# create the required directories
[root@localhost ~]# mkdir /etc/pki/CA/{certs,crl,newcerts,private} -p
[root@localhost ~]# touch /etc/pki/CA/index.txt 
[root@localhost ~]# echo 01 > /etc/pki/CA/serial
# generate the CA private key
[root@localhost ~]# openssl genrsa -out /etc/pki/CA/private/cakey.pem 2048
# generate the CA's self-signed certificate
[root@localhost date]# openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -days 3650 -out /etc/pki/CA/cacert.pem
Can't open cakey.pem for reading, No such file or directory
139639693092672:error:02001002:system library:fopen:No such file or directory:crypto/bio/bss_file.c:69:fopen('cakey.pem','r')
139639693092672:error:2006D080:BIO routines:BIO_new_file:no such file:crypto/bio/bss_file.c:76:
unable to load Private Key
[root@localhost date]# openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -days 3650 -out cacert.pem
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:NM
Locality Name (eg, city) [Default City]:huhehaote
Organization Name (eg, company) [Default Company Ltd]:jiahang
Organizational Unit Name (eg, section) []:IT
Common Name (eg, your name or your server's hostname) []:www.jiahang.com
Email Address []:
[root@localhost date]# tree /etc/pki/CA
/etc/pki/CA
├── cacert.pem
├── certs
├── crl
├── newcerts
└── private
    └── cakey.pem
# generate the user's private key and certificate request
[root@localhost date]# mkdir http   # create the service directory
# generate the user's private key
[root@localhost date]# (umask 077; openssl genrsa -out /date/http/http.key 2048)
Generating RSA private key, 2048 bit long modulus (2 primes)
..........+++++
.................+++++
e is 65537 (0x010001)
# generate the certificate signing request
[root@localhost http]# openssl req -new -key /date/http/http.key -out /date/http/http.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:NM
Locality Name (eg, city) [Default City]:huhthaote
Organization Name (eg, company) [Default Company Ltd]:jiahang
Organizational Unit Name (eg, section) []:caigou
Common Name (eg, your name or your server's hostname) []:www.jiahang.com
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
[root@localhost http]#
# By default three fields must match the CA: country, province and organisation; if they differ, signing fails with an error
# the CA issues the certificate
[root@localhost http]# openssl ca -in /date/http/http.csr -out /etc/pki/CA/certs/http.crt
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: Jan 16 08:28:39 2022 GMT
            Not After : Jan 16 08:28:39 2023 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = NM
            organizationName          = jiahang
            organizationalUnitName    = caigou
            commonName                = www.jiahang.com
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                3A:AE:81:A1:6D:D3:33:DD:EA:51:8F:47:97:D5:71:42:F9:36:0A:75
            X509v3 Authority Key Identifier:
                keyid:EE:B9:DF:94:65:FF:EF:BC:D6:0D:4D:31:65:CC:55:EC:6E:29:34:3

Certificate is to be certified until Jan 16 08:28:39 2023 GMT (365 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
[root@localhost http]# tree /etc/pki/CA
/etc/pki/CA
├── cacert.pem
├── certs
│   └── http.crt
├── crl
├── index.txt
├── index.txt.attr
├── index.txt.old
├── newcerts
│   └── 01.pem
├── private
│   └── cakey.pem
├── serial
└── serial.old

4 directories, 9 files
# once issued, the certificate can be sent to the client and put into use
# check the certificate's status
[root@localhost http]# openssl ca -status 01
Using configuration from /etc/pki/tls/openssl.cnf
01=Valid (V)
# revoke the certificate
[root@localhost ~]# openssl ca -revoke /etc/pki/CA/newcerts/01.pem
Using configuration from /etc/pki/tls/openssl.cnf
Revoking Certificate 01.
Data Base Updated
[root@localhost ~]# cat /etc/pki/CA/index.txt
R       230116082839Z   220116094716Z   01      unknown /C=CN/ST=NM/O=jiahang/OU=caigou/CN=www.jiahang.com
[root@localhost ~]# openssl ca -status 01
Using configuration from /etc/pki/tls/openssl.cnf
01=Revoked (R)
# initialise the CRL number, then generate the certificate revocation list
[root@localhost ~]# echo 01 > /etc/pki/CA/crlnumber
[root@localhost ~]# openssl ca -gencrl -out /etc/pki/CA/crl.pem
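The index.txt shown above is the database behind `openssl ca -status`, `-revoke` and `-gencrl`: one tab-separated line per certificate holding the status letter, expiry time, revocation time with an optional reason, serial, file name and subject DN. The parser below is an added example, not from the original notes; it reads that format from a constructed sample index and reproduces the status lookup, treating expiry the way `openssl ca -updatedb` would.

```python
from datetime import datetime, timezone

# Constructed sample /etc/pki/CA/index.txt. openssl ca writes one
# tab-separated line per certificate: status (V/R/E), expiry time,
# revocation time[,reason] (empty unless revoked), serial, certificate
# file name ("unknown" when not tracked), subject DN.
SAMPLE_INDEX = (
    "V\t230116082839Z\t\t01\tunknown\t/C=CN/ST=NM/O=jiahang/OU=caigou/CN=www.jiahang.com\n"
    "R\t230116082839Z\t220116094716Z,keyCompromise\t02\tunknown\t/C=CN/ST=NM/O=jiahang/CN=mail.jiahang.com\n"
    "V\t221001000000Z\t\t03\tunknown\t/C=CN/ST=NM/O=jiahang/CN=old.jiahang.com\n"
)

STATUS_NAMES = {"V": "Valid", "R": "Revoked", "E": "Expired"}

def parse_asn1_time(s):
    """UTCTime (YYMMDDHHMMSSZ) or GeneralizedTime (YYYYMMDDHHMMSSZ) -> aware datetime."""
    fmt = "%y%m%d%H%M%SZ" if len(s) == 13 else "%Y%m%d%H%M%SZ"
    return datetime.strptime(s, fmt).replace(tzinfo=timezone.utc)

def parse_index(text):
    """Parse index.txt into a list of dicts, one per certificate."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        status, expiry, revoked, serial, _fname, subject = line.split("\t")
        rev_time, _, reason = revoked.partition(",")   # the reason is optional
        entries.append({"status": status, "serial": serial, "subject": subject,
                        "expiry": parse_asn1_time(expiry), "reason": reason or None,
                        "revoked": parse_asn1_time(rev_time) if rev_time else None})
    return entries

def effective_status(entry, now):
    """Status letter as `openssl ca -status` reports it once `-updatedb`
    has run: revocation wins, then expiry, otherwise still valid."""
    if entry["status"] == "R" or entry["revoked"] is not None:
        return "R"
    return "E" if entry["expiry"] <= now else "V"

def status_line(text, serial, now):
    """Mimic `openssl ca -status SERIAL` output, e.g. '01=Valid (V)'."""
    for entry in parse_index(text):
        if entry["serial"] == serial:
            st = effective_status(entry, now)
            return f"{serial}={STATUS_NAMES[st]} ({st})"
    return None
```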


DHCP service setup

[root@localhost ~]# yum -y install dhcp-server   # install the DHCP server
# start from the bundled example configuration
[root@localhost ~]# cp /usr/share/doc/dhcp-server/dhcpd.conf.example  /etc/dhcp/dhcpd.conf
# adjust the following parameters
[root@centos6 ~]#vim /etc/dhcp/dhcpd.conf
option domain-name "example.org"; 
option domain-name-servers 114.114.114.114,8.8.8.8;  # DNS server addresses
subnet 10.0.0.0 netmask 255.255.255.0 {   # the subnet served; must match the segment of a local NIC address
  range 10.0.0.250 10.0.0.253;   # addresses handed out
  option routers 10.0.0.254;    # default gateway
  default-lease-time 600;       # default lease time
  max-lease-time 7200;          # maximum lease time
}
[root@localhost ~]# systemctl restart dhcpd
# on a client, set the NIC to obtain its address via DHCP and verify the address it receives
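The note that the subnet must match a local NIC address is the usual reason dhcpd refuses to serve a segment, and a range or router outside the declared subnet fails in the same quiet way. The checker below is an added example, not from the original notes: it parses the subnet block of a constructed dhcpd.conf fragment mirroring the one above and validates it against the server's interface addresses, which are supplied by the caller (also constructed here).

```python
import ipaddress
import re

# Constructed dhcpd.conf fragment mirroring the subnet block in the notes.
SAMPLE_DHCPD_CONF = """\
option domain-name-servers 114.114.114.114,8.8.8.8;
subnet 10.0.0.0 netmask 255.255.255.0 {
  range 10.0.0.250 10.0.0.253;
  option routers 10.0.0.254;
  default-lease-time 600;
  max-lease-time 7200;
}
"""

SUBNET_RE = re.compile(r"subnet\s+(\S+)\s+netmask\s+(\S+)\s*\{(.*?)\}", re.S)

def _find(pattern, body, conv=str):
    """Return the first capture of pattern in body, converted, or None."""
    m = re.search(pattern, body)
    return conv(m.group(1)) if m else None

def parse_subnets(text):
    """One dict per subnet block: network, lease range, router, lease times."""
    blocks = []
    for net, mask, body in SUBNET_RE.findall(text):
        rng = re.search(r"range\s+(\S+)\s+(\S+);", body)
        blocks.append({
            "network": ipaddress.ip_network(f"{net}/{mask}", strict=True),
            "range": tuple(ipaddress.ip_address(a) for a in rng.groups()) if rng else None,
            "router": _find(r"option routers\s+(\S+);", body, ipaddress.ip_address),
            "default_lease": _find(r"default-lease-time\s+(\d+);", body, int),
            "max_lease": _find(r"max-lease-time\s+(\d+);", body, int),
        })
    return blocks

def check_subnet(block, local_addrs):
    """List the problems in one subnet block (empty list = consistent)."""
    net, problems = block["network"], []
    if not any(ipaddress.ip_address(a) in net for a in local_addrs):
        problems.append("no local interface address lies in the declared subnet")
    if block["range"]:
        lo, hi = block["range"]
        if lo > hi or lo not in net or hi not in net:
            problems.append("lease range is reversed or outside the subnet")
        if block["router"] is not None and lo <= block["router"] <= hi:
            problems.append("router address falls inside the lease range")
    if block["router"] is not None and block["router"] not in net:
        problems.append("router address is not in the subnet")
    return problems
```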