Notes on an OpenSSL private CA and SSH

I. Creating a private CA and requesting a certificate

Software environment:

                    Private CA server                      Client
  OS:               CentOS Linux release 8.1.1911 (Core)   CentOS Linux release 7.8.2003 (Core)
  Kernel:           4.18.0-147.el8.x86_64                  3.10.0-1127.el7.x86_64
  openssl version:  openssl-1.1.1g-12.el8_3.x86_64         openssl-1.0.2k-19.el7.x86_64
  IP:               172.20.200.130                         172.20.200.128
  • Setting up the private CA server
  1. Create the certificate index database file and set the serial number of the first certificate to be issued

    # pwd
    /etc/pki/CA
    [root@localhost CA]# touch /etc/pki/CA/index.txt
    [root@localhost CA]# 
    
    # echo 01 > /etc/pki/CA/serial
    
    
  2. Generate the CA private key on the CA server

    # umask 066; openssl genrsa -out private/cakey.pem 2048
    Generating RSA private key, 2048 bit long modulus (2 primes)
    ...........................................+++++
    .....+++++
    e is 65537 (0x010001)
    [root@localhost CA]# 
    
    
  3. Generate the CA's self-signed certificate on the CA server

    [root@localhost CA]# openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -days 3650 -out /etc/pki/CA/cacert.pem
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [XX]:cn
    State or Province Name (full name) []:LiaoNing
    Locality Name (eg, city) [Default City]:LiaoNing
    Organization Name (eg, company) [Default Company Ltd]:Liao
    Organizational Unit Name (eg, section) []:Liao
    Common Name (eg, your name or your server's hostname) []:ca.server.org
    Email Address []:caadmin@server.org
    
    
  • Generating the certificate signing request on the client
  1. Generate a private key on the client host

    [root@xsd7 ~]# umask 066; openssl genrsa -out /etc/pki/CA/private/private.key
    Generating RSA private key, 2048 bit long modulus
    ..................................................................+++
    ........+++
    e is 65537 (0x10001)
    [root@xsd7 ~]# 
    
    
  2. Generate the certificate signing request

    [root@xsd7 ~]# openssl req -new -key /etc/pki/CA/private/private.key -out /etc/pki/CA/newcerts/req.csr
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [XX]:cn
    State or Province Name (full name) []:LiaoNing
    Locality Name (eg, city) [Default City]:LiaoNing
    Organization Name (eg, company) [Default Company Ltd]:Liao
    Organizational Unit Name (eg, section) []:Liao
    Common Name (eg, your name or your server's hostname) []:ca.server.org
    Email Address []:caadmin@server.org
    
    Please enter the following 'extra' attributes
    to be sent with your certificate request
    A challenge password []:
    An optional company name []:
    
    
  • Signing the certificate on the private CA server

    1. Copy the client's certificate request to the CA server

      # scp 172.20.200.128:/etc/pki/CA/newcerts/req.csr /etc/pki/CA/newcerts
      The authenticity of host '172.20.200.128 (172.20.200.128)' can't be established.
      ECDSA key fingerprint is SHA256:5bbEySCjav+UmhZ1KvwijFUpF8/Pvr6THZk+NRCey/s.
      Are you sure you want to continue connecting (yes/no/[fingerprint])? yes     
      Warning: Permanently added '172.20.200.128' (ECDSA) to the list of known hosts.
      root@172.20.200.128's password: 
      req.csr                                      
      
    2. Sign the certificate

      [root@localhost newcerts]# openssl ca -in /etc/pki/CA/newcerts/req.csr -out /etc/pki/CA/certs/128.crt -days 100
      Using configuration from /etc/pki/tls/openssl.cnf
      Check that the request matches the signature
      Signature ok
      Certificate Details:
              Serial Number: 1 (0x1)
              Validity
                  Not Before: Mar  9 09:26:47 2021 GMT
                  Not After : Jun 17 09:26:47 2021 GMT
              Subject:
                  countryName               = cn
                  stateOrProvinceName       = LiaoNing
                  organizationName          = Liao
                  organizationalUnitName    = Liao
                  commonName                = ca.server.org
                  emailAddress              = caadmin@server.org
              X509v3 extensions:
                  X509v3 Basic Constraints: 
                      CA:FALSE
                  Netscape Comment: 
                      OpenSSL Generated Certificate
                  X509v3 Subject Key Identifier: 
                      58:10:11:13:EE:8D:9C:7B:CA:5D:20:8F:6A:38:69:E1:25:77:28:18
                  X509v3 Authority Key Identifier: 
                      keyid:D3:48:7A:4A:21:35:30:63:64:F9:F5:13:56:D9:E7:9F:C0:E8:60:00
      
      Certificate is to be certified until Jun 17 09:26:47 2021 GMT (100 days)
      Sign the certificate? [y/n]:y
      
      
      1 out of 1 certificate requests certified, commit? [y/n]y
      Write out database with 1 new entries
      Data Base Updated
      
      
  • Importing the certificate into the client's trust list

    # scp 128.crt 172.20.200.128:/etc/pki/CA/certs
    root@172.20.200.128's password: 
    128.crt                               
    
    # cat 128.crt >> /etc/pki/tls/certs/ca-bundle.crt
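
The steps above replayed end to end, as an added example that is not code from the original post: it creates the index and serial files, writes its own minimal openssl.cnf so that openssl ca does not depend on /etc/pki/tls/openssl.cnf, issues one certificate in batch mode, and then uses openssl verify to confirm that the certificate chains to cacert.pem and that a trust file holding only the issued certificate is not enough (the CA certificate is what a trust bundle needs). It assumes the openssl CLI is installed; ca.example.test and host128.example.test are made-up names.

```shell
# Added example, not from the original post: part I's private-CA workflow replayed
# non-interactively in a scratch directory and checked with 'openssl verify'.
# Needs the openssl CLI; ca.example.test and host128.example.test are made-up names.
set -eu
# build_ca DIR: index.txt + serial, a private openssl.cnf, CA key, self-signed CA cert
build_ca() {
  mkdir -p "$1/private" "$1/newcerts" "$1/certs"; touch "$1/index.txt"; echo 01 > "$1/serial"
  cat > "$1/ca.cnf" <<EOF
[ ca ]
default_ca = demo_ca
[ demo_ca ]
dir = $1
database = \$dir/index.txt
serial = \$dir/serial
new_certs_dir = \$dir/newcerts
certificate = \$dir/cacert.pem
private_key = \$dir/private/cakey.pem
default_md = sha256
policy = demo_policy
[ demo_policy ]
commonName = supplied
[ req ]
distinguished_name = req_dn
x509_extensions = ca_ext
[ req_dn ]
commonName = Common Name
[ ca_ext ]
basicConstraints = critical,CA:TRUE
subjectKeyIdentifier = hash
EOF
  (umask 066; openssl genrsa -out "$1/private/cakey.pem" 2048 2>/dev/null)
  openssl req -new -x509 -config "$1/ca.cnf" -key "$1/private/cakey.pem" -subj /CN=ca.example.test -days 3650 -out "$1/cacert.pem"
}
# request_and_sign DIR NAME: client key + CSR, then the CA signs it in batch mode (no prompts)
request_and_sign() {
  (umask 066; openssl genrsa -out "$1/private/$2.key" 2048 2>/dev/null)
  openssl req -new -config "$1/ca.cnf" -key "$1/private/$2.key" -subj "/CN=$2" -out "$1/newcerts/$2.csr"
  openssl ca -batch -notext -config "$1/ca.cnf" -in "$1/newcerts/$2.csr" -days 100 -out "$1/certs/$2.crt" 2>/dev/null
}
# run_demo: prints the number of valid (V) rows in index.txt; fails unless the issued cert
# verifies against cacert.pem and does NOT verify against a file holding only the leaf
run_demo() {
  d=$(mktemp -d); crt="$d/certs/host128.example.test.crt"
  build_ca "$d" >/dev/null && request_and_sign "$d" host128.example.test >/dev/null || return 1
  openssl verify -CAfile "$d/cacert.pem" "$crt" >/dev/null 2>&1 || return 2
  ! openssl verify -CAfile "$crt" "$crt" >/dev/null 2>&1 || return 3
  grep -c '^V' "$d/index.txt"
}
run_demo
```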
    

II. Common ssh options and usage

The ssh client configuration file is /etc/ssh/ssh_config. To suppress the host-key prompt on the first connection:

    # sed -i.bak '/StrictHostKeyChecking/s/.*/StrictHostKeyChecking no/' /etc/ssh/ssh_config

Common ssh client options:

-p port: port the remote server listens on
-b: source IP address to connect from
-v: verbose (debug) mode
-C: enable compression
-X: enable X11 forwarding
-t: force pseudo-tty allocation, e.g. ssh -t remoteserver1 ssh -t remoteserver2 ssh remoteserver3
-o option: e.g. -o StrictHostKeyChecking=no
-i <file>: private key file for key-based authentication; by default ~/.ssh/id_dsa, ~/.ssh/id_ecdsa, ~/.ssh/id_ed25519, ~/.ssh/id_rsa, etc. are used
  1. Log in to the remote host and run a command

    # ssh 172.20.200.130 "sed -i.bak '/StrictHostKeyChecking/ s/.*/StrictHostKeyChecking no/' /etc/ssh/ssh_config"
    root@172.20.200.130's password: 
    
    
  2. Run a local script on the remote host

    # cat cat.sh 
    #!/bin/bash
    cat /etc/ssh/ssh_config
    
    # ssh 172.20.200.130 < cat.sh 
    Pseudo-terminal will not be allocated because stdin is not a terminal.
    root@172.20.200.130's password: 
    PRD System!!
    Activate the web console with: systemctl enable --now cockpit.socket
    
    #	$OpenBSD: ssh_config,v 1.34 2019/02/04 02:39:42 dtucker Exp $
    
    # This is the ssh client system-wide configuration file.  See
    # ssh_config(5) for more information.  This file provides defaults for
    # users, and the values can be changed in per-user configuration files
    # or on the command line.
    
    # Configuration data is parsed as follows:
    #  1. command line options
    #  2. user-specific file
    #  3. system-wide file
    # Any configuration value is only changed the first time it is set.
    # Thus, host-specific definitions should be at the beginning of the
    # configuration file, and defaults at the end.
    
    # Site-wide defaults for some commonly used options.  For a comprehensive
    # list of available options, their meanings and defaults, please see the
    # ssh_config(5) man page.
    
    # Host *
    #   ForwardAgent no
    #   ForwardX11 no
    #   PasswordAuthentication yes
    #   HostbasedAuthentication no
    #   GSSAPIAuthentication no
    #   GSSAPIDelegateCredentials no
    #   GSSAPIKeyExchange no
    #   GSSAPITrustDNS no
    #   BatchMode no
    #   CheckHostIP yes
    #   AddressFamily any
    #   ConnectTimeout 0 
    StrictHostKeyChecking no  # changed successfully
    #   IdentityFile ~/.ssh/id_rsa
    #   IdentityFile ~/.ssh/id_dsa
    #   IdentityFile ~/.ssh/id_ecdsa
    #   IdentityFile ~/.ssh/id_ed25519
    #   Port 22
    #   Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc
    #   MACs hmac-md5,hmac-sha1,umac-64@openssh.com
    #   EscapeChar ~
    #   Tunnel no
    #   TunnelDevice any:any
    #   PermitLocalCommand no
    #   VisualHostKey no
    #   ProxyCommand ssh -q -W %h:%p gateway.example.com
    #   RekeyLimit 1G 1h
    #
    # To modify the system-wide ssh configuration, create a  *.conf  file under
    #  /etc/ssh/ssh_config.d/  which will be automatically included below
    Include /etc/ssh/ssh_config.d/*.conf
    [root@localhost ~]# 
    
    
  3. Key-based login

    # ssh-keygen    # generate a key pair
    Generating public/private rsa key pair.
    Enter file in which to save the key (/root/.ssh/id_rsa): 
    Enter passphrase (empty for no passphrase): 
    Enter same passphrase again: 
    Your identification has been saved in /root/.ssh/id_rsa.
    Your public key has been saved in /root/.ssh/id_rsa.pub.
    The key fingerprint is:
    SHA256:q7cpBzOUqELNPz1t5pwvyc3w3MPAS9mMuU2/P32hz9k root@localhost.localdomain
    The key's randomart image is:
    +---[RSA 3072]----+
    |                 |
    |                 |
    |  o  . .         |
    | . o. o          |
    |.  .... S . *    |
    |. .  o+o * B + . |
    | .    .+O X O o o|
    |      ..oO B *.o=|
    |      .+o.o.  o=E|
    +----[SHA256]-----+
    [root@localhost ~]# 
    
    # ssh-copy-id root@172.20.200.130 # append /root/.ssh/id_rsa.pub to /root/.ssh/authorized_keys on the remote host
    /usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/root/.ssh/id_rsa.pub"
    /usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
    /usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
    root@172.20.200.130's password: 
    
    Number of key(s) added: 1
    
    Now try logging into the machine, with:   "ssh 'root@172.20.200.130'"
    and check to make sure that only the key(s) you wanted were added.
    
    # ssh root@172.20.200.130   # key-based login succeeded
    PRD System!!
    Activate the web console with: systemctl enable --now cockpit.socket
    
    Last login: Tue Mar  9 19:19:19 2021 from 172.20.200.130
    
    

III. Common sshd parameters

The sshd configuration file is /etc/ssh/sshd_config. Brief notes on commonly used parameters:

Port  # on a public network the listening port must be changed
ListenAddress ip
LoginGraceTime 2m
PermitRootLogin yes  # Ubuntu disallows remote root ssh login by default
StrictModes yes  # checks ownership, permissions, etc. of the .ssh/ files
MaxAuthTries 6  # maximum authentication attempts per connection
MaxSessions 10  # maximum sessions over a single connection
PubkeyAuthentication yes  # key-based authentication
PermitEmptyPasswords no  # connections with an empty password
PasswordAuthentication yes  # username/password authentication
GatewayPorts no
ClientAliveInterval 10  # unit: seconds
ClientAliveCountMax 3  # default 3
UseDNS yes  # change to no to speed up logins
GSSAPIAuthentication yes  # change to no to speed up logins
MaxStartups  # maximum number of unauthenticated connections, default 10
Banner /path/file

After changing the configuration, restart the service:

    # systemctl restart sshd
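
An added check for the parameters above, not from the original notes: a POSIX shell audit that reads the effective value of each directive from an sshd_config, following sshd's rule that the first occurrence of a directive wins, and reports the risky settings. It runs over a configuration constructed inline; the fallback values for unset directives are OpenSSH's documented defaults.

```shell
# Added example (not from the original notes): audits the sshd_config directives
# discussed above. Unset directives fall back to upstream OpenSSH defaults:
# PermitRootLogin prohibit-password (7.0+), PasswordAuthentication yes,
# PermitEmptyPasswords no, MaxAuthTries 6, Port 22.
set -eu

# sample_config: writes a constructed sshd_config (not from any real host), prints its path
sample_config() {
  f=$(mktemp)
  cat > "$f" <<'EOF'
Port 22
#PermitRootLogin prohibit-password
PermitRootLogin yes
PasswordAuthentication yes
# the next line is ignored by sshd: the first value of a directive wins
PasswordAuthentication no
PermitEmptyPasswords no
MaxAuthTries 6
Match User backup
PermitRootLogin no
EOF
  echo "$f"
}

# effective_value FILE DIRECTIVE: first active occurrence wins, as sshd applies it.
# The global section ends at the first Match block; its conditional lines are not evaluated.
effective_value() {
  awk -v key="$2" '
    /^[ \t]*#/                  { next }
    tolower($1) == "match"      { exit }
    tolower($1) == tolower(key) { print $2; exit }' "$1"
}

# audit_sshd FILE: prints one line per risky directive (no output means no findings)
audit_sshd() {
  v=$(effective_value "$1" Port)
  [ "${v:-22}" != 22 ] || echo "Port 22: default port kept (change it on a public network, as noted above)"
  v=$(effective_value "$1" PermitRootLogin)
  [ "${v:-prohibit-password}" != yes ] || echo "PermitRootLogin yes: root can log in with a password"
  v=$(effective_value "$1" PasswordAuthentication)
  [ "${v:-yes}" != yes ] || echo "PasswordAuthentication yes: password logins enabled"
  v=$(effective_value "$1" PermitEmptyPasswords)
  [ "${v:-no}" != yes ] || echo "PermitEmptyPasswords yes: empty passwords accepted"
  v=$(effective_value "$1" MaxAuthTries)
  [ "${v:-6}" -le 6 ] || echo "MaxAuthTries $v: more attempts than the default 6"
}

# finding_count FILE: number of findings, usable as a pass/fail gate in a check script
finding_count() { audit_sshd "$1" | grep -c . || true; }

cfg=$(sample_config)
audit_sshd "$cfg"
```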