1. Create a private CA and issue a certificate against it
(1) Create the CA directories and files
[root@CentOS8 test]#mkdir -pv /etc/pki/CA/{certs,crl,newcerts,private}
mkdir: created directory '/etc/pki/CA'
mkdir: created directory '/etc/pki/CA/certs'
mkdir: created directory '/etc/pki/CA/crl'
mkdir: created directory '/etc/pki/CA/newcerts'
mkdir: created directory '/etc/pki/CA/private'
[root@CentOS8 test]#tree /etc/pki/CA
/etc/pki/CA
├── certs
├── crl
├── newcerts
└── private
(2) Create the CA's private key (the subshell with umask 066 makes cakey.pem mode 0600, as the listing below confirms)
[root@CentOS8 test]#cd /etc/pki/CA
[root@CentOS8 CA]#(umask 066; openssl genrsa -out private/cakey.pem 2048)
Generating RSA private key, 2048 bit long modulus (2 primes)
.................................................................+++++
..........................................................+++++
e is 65537 (0x010001)
[root@CentOS8 CA]#ll
total 0
drwxr-xr-x 2 root root 6 Feb 5 22:13 certs
drwxr-xr-x 2 root root 6 Feb 5 22:13 crl
drwxr-xr-x 2 root root 6 Feb 5 22:13 newcerts
drwxr-xr-x 2 root root 23 Feb 5 22:16 private
[root@CentOS8 CA]#tree /etc/pki/CA/
/etc/pki/CA/
├── certs
├── crl
├── newcerts
└── private
└── cakey.pem
4 directories, 1 file
[root@CentOS8 CA]#ll private/
total 4
-rw------- 1 root root 1679 Feb 5 22:16 cakey.pem
(3) Issue the CA its self-signed certificate (openssl req -x509 signs the request with the CA key itself; the stock openssl.cnf adds basicConstraints CA:TRUE through its v3_ca section)
[root@CentOS8 CA]#openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -days 3650 -out /etc/pki/CA/cacert.pem
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:henan
Locality Name (eg, city) [Default City]:jiaozuo
Organization Name (eg, company) [Default Company Ltd]:DCC
Organizational Unit Name (eg, section) []:IT
Common Name (eg, your name or your server's hostname) []:ca.lirui.org
Email Address []:aaa@lirui.org
[root@CentOS8 CA]#tree `pwd`
/etc/pki/CA
├── cacert.pem
├── certs
├── crl
├── newcerts
└── private
└── cakey.pem
4 directories, 2 files
(4) The user generates a private key and a certificate request (CSR)
[root@CentOS8 ~]#mkdir /data/app1
[root@CentOS8 app1]#(umask 066; openssl genrsa -out /data/app1/app1.key 2048)
Generating RSA private key, 2048 bit long modulus (2 primes)
.........+++++
............................................................................................................................................................................................+++++
e is 65537 (0x010001)
[root@CentOS8 app1]#openssl req -new -key /data/app1/app1.key -out /data/app1/app1.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:henan
Locality Name (eg, city) [Default City]:jiaozuo
Organization Name (eg, company) [Default Company Ltd]:DCC
Organizational Unit Name (eg, section) []:it
Common Name (eg, your name or your server's hostname) []:
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
[root@CentOS8 app1]#ll
total 8
-rw-r--r-- 1 root root 964 Feb 6 23:03 app1.csr
-rw------- 1 root root 1675 Feb 6 23:01 app1.key
By default three fields of the request must match the CA certificate: country, state/province and organization (the policy_match section of /etc/pki/tls/openssl.cnf marks them as match); if any differs, openssl ca refuses with an error such as "The stateOrProvinceName field is different between CA certificate and the request". Fields not listed in the policy at all (localityName, for one) are silently dropped from the issued subject, which is why L = jiaozuo is absent from the certificate shown in step (6). Note also that the CSR above left Common Name empty, yet the certificate issued in step (5) carries CN = app1.lirui.org and OU = IT, so the request actually signed was regenerated with those values; commonName is marked supplied in the policy and must be present, and modern clients additionally expect the hostname in a subjectAltName extension, which this default setup does not add.
(5) The CA issues the certificate. openssl ca takes the CA layout from /etc/pki/tls/openssl.cnf (dir = /etc/pki/CA) and will not run until the database index.txt and the serial file exist; their creation is not shown above, but the serial number 10 (0xa) below and the index.txt/serial files in the listing show they were in place (e.g. touch /etc/pki/CA/index.txt; echo 0A > /etc/pki/CA/serial).
[root@CentOS8 app1]#openssl ca -in /data/app1/app1.csr -out /etc/pki/CA/certs/app1.crt -days 1000
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 10 (0xa)
Validity
Not Before: Feb 6 15:13:26 2021 GMT
Not After : Nov 3 15:13:26 2023 GMT
Subject:
countryName = CN
stateOrProvinceName = henan
organizationName = DCC
organizationalUnitName = IT
commonName = app1.lirui.org
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
C6:76:BA:AB:AF:2D:F7:50:02:F9:37:A1:18:3B:F5:69:37:61:5F:AA
X509v3 Authority Key Identifier:
keyid:C0:40:4F:D3:4A:1D:E8:33:45:70:4E:1E:31:FD:D2:00:57:1F:35:D7
Certificate is to be certified until Nov 3 15:13:26 2023 GMT (1000 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
[root@CentOS8 app1]#cd /etc/pki/CA
[root@CentOS8 CA]#tree
.
├── cacert.pem
├── certs
│ └── app1.crt
├── crl
├── index.txt
├── index.txt.attr
├── index.txt.old
├── newcerts
│ └── 0A.pem
├── private
│ └── cakey.pem
├── serial
└── serial.old
4 directories, 9 files
(6) Inspect the certificate
[root@CentOS8 CA]#openssl x509 -in /etc/pki/CA/certs/app1.crt -noout -text
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 10 (0xa)
Signature Algorithm: sha256WithRSAEncryption
Issuer: C = CN, ST = henan, L = jiaozuo, O = DCC, OU = IT, CN = ca.lirui.org, emailAddress = aaa@lirui.org
Validity
Not Before: Feb 6 15:13:26 2021 GMT
Not After : Nov 3 15:13:26 2023 GMT
Subject: C = CN, ST = henan, O = DCC, OU = IT, CN = app1.lirui.org
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public-Key: (2048 bit)
Modulus:
00:9d:b2:71:a7:57:34:75:43:9c:0b:b5:2f:43:fd:
5d:ee:55:69:e4:f5:a7:c8:03:bb:0b:1f:e5:ab:81:
b8:a2:f1:03:6f:fa:4b:18:ac:1e:ba:ad:ba:3b:39:
2b:4e:fe:c7:49:c8:8f:12:e0:fd:0d:66:87:8e:ab:
70:79:70:be:09:d9:ba:85:77:60:96:35:61:b8:aa:
07:02:a9:c6:7d:c9:44:32:cb:d0:f8:b5:48:2a:65:
30:9a:ce:a5:af:52:02:c8:88:60:ae:ae:fc:a3:96:
e0:0c:85:ab:01:18:ff:af:12:c3:86:16:2d:f1:36:
48:49:73:ca:ba:92:11:41:e4:8b:62:a8:18:15:4c:
e0:1c:b6:9c:b2:45:39:2b:66:43:a6:b5:21:75:45:
b4:6b:11:38:e6:91:f2:28:a3:ee:89:01:4e:85:9e:
dd:70:f6:3d:cf:1d:3b:16:57:96:18:6a:65:41:36:
64:94:4b:b0:4c:3e:63:ca:90:a4:a8:2d:07:58:ee:
6a:cd:ee:69:e3:1f:46:72:a7:64:a7:dc:88:77:5a:
6f:8b:6a:bb:4c:08:fa:bb:2b:68:01:71:e9:b3:92:
8a:83:bd:fd:fc:6c:3d:9a:9c:20:d1:15:c8:f3:cb:
c4:cb:44:c6:2d:42:5f:44:37:67:53:8a:b1:fd:ea:
eb:b1
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
C6:76:BA:AB:AF:2D:F7:50:02:F9:37:A1:18:3B:F5:69:37:61:5F:AA
X509v3 Authority Key Identifier:
keyid:C0:40:4F:D3:4A:1D:E8:33:45:70:4E:1E:31:FD:D2:00:57:1F:35:D7
Signature Algorithm: sha256WithRSAEncryption
4c:e3:9f:2f:d6:d9:50:85:03:e1:42:14:0e:91:ed:6e:48:e2:
22:4b:75:84:22:ae:10:62:a7:90:66:06:27:24:49:4d:92:73:
15:ca:6e:90:44:40:88:d1:90:bd:83:34:4c:99:97:08:4b:92:
10:40:2f:ad:f6:3e:b2:36:b7:b3:28:ae:17:22:4a:a0:9e:0a:
94:c4:56:5c:5c:fe:2e:26:ef:f0:31:1c:7d:8f:31:28:d6:a6:
60:01:38:29:b8:41:13:2b:3d:2b:f1:7b:99:f1:03:59:b4:68:
6a:23:32:d7:ea:3b:8d:c9:ea:87:cd:d8:04:86:1e:b5:c0:73:
7e:00:a0:bf:da:2c:b7:77:fb:44:f7:87:8c:9b:ad:6d:78:d0:
35:7d:e5:aa:18:e4:8b:6e:44:85:ef:e9:b9:f4:dc:49:47:2e:
bb:ca:53:a8:8b:06:ae:6d:aa:2a:c9:a4:58:89:72:59:77:79:
de:c0:1e:05:23:f6:fa:08:ca:37:90:8d:58:4c:1a:a7:65:44:
82:2b:b4:ef:b3:d7:41:02:f5:b9:b6:e8:9f:01:f7:b7:bf:2f:
6b:b4:9b:88:f3:76:77:c8:d7:02:b1:95:de:00:79:5e:b4:86:
8e:68:df:99:e2:9a:32:be:a6:f5:a8:65:35:00:7a:3d:91:27:
38:40:c0:c
(7) Send the certificate files to the user side (only app1.crt needs to travel, plus cacert.pem for anyone who must trust it; app1.key stays where it was generated and app1.csr can be discarded once the certificate is issued)
[root@CentOS8 CA]#cp /etc/pki/CA/certs/app1.crt /data/app1
[root@CentOS8 CA]#tree /data/app1
/data/app1
├── app1.crt
├── app1.csr
└── app1.key
0 directories, 3 files
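Steps (1) to (7) above, replayed as one non-interactive script. This is an added example and not code from the original page: it uses a scratch directory in place of /etc/pki/CA and ships its own openssl.cnf, so it needs neither root nor /etc/pki/tls/openssl.cnf, and it also does the two things the transcript glosses over: it creates index.txt and serial before calling openssl ca, and it shows policy_match rejecting a request whose ST differs from the CA's. The subject names are the page's; app2, the subjectAltName and the directory layout are this example's assumptions.

```shell
#!/bin/sh
# Added example, not from the original page: the CA procedure above replayed
# non-interactively in a scratch directory (instead of /etc/pki/CA) with its own
# openssl.cnf, so it needs neither root nor /etc/pki/tls/openssl.cnf. Subject
# names are the page's; app2 and the layout below are this example's assumptions.
set -eu
CA_DIR=${CA_DIR:-$(mktemp -d)}
export CA_DIR   # read by the config as $ENV::CA_DIR

ca_setup() {
  mkdir -p "$CA_DIR/certs" "$CA_DIR/crl" "$CA_DIR/newcerts" "$CA_DIR/private"
  chmod 700 "$CA_DIR/private"
  : > "$CA_DIR/index.txt"       # openssl ca needs the database ...
  echo 0A > "$CA_DIR/serial"    # ... and a hex serial; first cert gets 0x0A
  cat > "$CA_DIR/openssl.cnf" <<'EOF'
[ ca ]
default_ca      = CA_default
[ CA_default ]
dir             = $ENV::CA_DIR
database        = $dir/index.txt
new_certs_dir   = $dir/newcerts
certificate     = $dir/cacert.pem
serial          = $dir/serial
private_key     = $dir/private/cakey.pem
default_days    = 365
default_md      = sha256
policy          = policy_match
x509_extensions = usr_cert
copy_extensions = copy
# As in the stock openssl.cnf: C, ST and O must equal the CA's; fields not
# listed here (localityName, say) are dropped from the issued subject.
[ policy_match ]
countryName            = match
stateOrProvinceName    = match
organizationName       = match
organizationalUnitName = optional
commonName             = supplied
emailAddress           = optional
[ req ]
prompt             = no
distinguished_name = req_dn
x509_extensions    = v3_ca
[ req_dn ]
commonName = placeholder
[ v3_ca ]
basicConstraints       = critical, CA:TRUE
keyUsage               = critical, keyCertSign, cRLSign
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid:always,issuer
[ usr_cert ]
basicConstraints       = CA:FALSE
keyUsage               = critical, digitalSignature, keyEncipherment
extendedKeyUsage       = serverAuth
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid,issuer
EOF
  (umask 066; openssl genrsa -out "$CA_DIR/private/cakey.pem" 2048 2>/dev/null)
  openssl req -new -x509 -config "$CA_DIR/openssl.cnf" -key "$CA_DIR/private/cakey.pem" \
    -days 3650 -out "$CA_DIR/cacert.pem" \
    -subj "/C=CN/ST=henan/L=jiaozuo/O=DCC/OU=IT/CN=ca.lirui.org/emailAddress=aaa@lirui.org"
}

# make_csr NAME SUBJECT: user side; the hostname also goes into subjectAltName
make_csr() {
  (umask 066; openssl genrsa -out "$CA_DIR/$1.key" 2048 2>/dev/null)
  openssl req -new -config "$CA_DIR/openssl.cnf" -key "$CA_DIR/$1.key" -subj "$2" \
    -addext "subjectAltName=DNS:$1.lirui.org" -out "$CA_DIR/$1.csr"
}

# sign_csr NAME: CA side; returns non-zero when openssl ca rejects the request
sign_csr() {
  openssl ca -batch -config "$CA_DIR/openssl.cnf" -in "$CA_DIR/$1.csr" \
    -out "$CA_DIR/certs/$1.crt" -days 1000 2>/dev/null
}

# verify_cert NAME: OK when the certificate chains to cacert.pem, else FAIL
verify_cert() {
  if openssl verify -CAfile "$CA_DIR/cacert.pem" "$CA_DIR/certs/$1.crt" >/dev/null 2>&1
  then echo OK; else echo FAIL; fi
}

# cert_subject NAME: the subject as written by the CA (after policy filtering)
cert_subject() { openssl x509 -in "$CA_DIR/certs/$1.crt" -noout -subject; }

main() {
  ca_setup
  make_csr app1 "/C=CN/ST=henan/L=jiaozuo/O=DCC/OU=IT/CN=app1.lirui.org"
  sign_csr app1
  echo "app1: issued, chain check = $(verify_cert app1)"
  cert_subject app1     # L = jiaozuo is gone: not in policy_match
  make_csr app2 "/C=CN/ST=beijing/O=DCC/CN=app2.lirui.org"
  if sign_csr app2; then echo "app2: issued (unexpected)"
  else echo "app2: rejected, ST differs from the CA's (policy_match)"; fi
}
main
```

Run it with sh and look at CA_DIR afterwards: newcerts/0A.pem, index.txt and serial (now 0B) appear exactly as in the listing under step (5). Removing ST=beijing from app2's subject, or switching the policy to OpenSSL's policy_anything, lets the second request through; the point of keeping policy_match is that a private CA for one organisation should not sign for another name space by accident.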
2. Summary of common ssh options and usage
Command format:
ssh [option] [user@]host [COMMAND]
ssh [option] [-l user] host [COMMAND]
Common options:
-p port: port the remote server listens on
-b: source IP address to connect from
-v: verbose (debug) output
-C: enable compression
-X: enable X11 forwarding
-t: force pseudo-tty allocation, e.g. ssh -t remoteserver1 ssh -t remoteserver2 ssh remoteserver3 (a shell hop through two intermediate hosts; on OpenSSH 7.3 and later ssh -J remoteserver1,remoteserver2 remoteserver3 reaches the same target without opening a shell on the intermediates)
-o option: pass a configuration option, e.g. -o StrictHostKeyChecking=no (this also disables host-key verification, and with it protection against a man-in-the-middle; StrictHostKeyChecking=accept-new records unknown keys but still rejects changed ones)
-i <file>: private key file for key-based authentication; by default ssh tries ~/.ssh/id_dsa, ~/.ssh/id_ecdsa, ~/.ssh/id_ed25519, ~/.ssh/id_rsa and so on
3. Summary of common sshd parameters
Server-side configuration file: /etc/ssh/sshd_config
Common parameters:
Port
ListenAddress ip
LoginGraceTime 2m
PermitRootLogin yes #Ubuntu's default does not allow root to log in over ssh with a password (prohibit-password)
StrictModes yes #check ownership and permissions of ~/.ssh and the files in it before accepting key authentication
MaxAuthTries 6 #maximum authentication attempts per connection; default 6
MaxSessions 10 #maximum sessions multiplexed over one connection
PubkeyAuthentication yes #key-based authentication
PermitEmptyPasswords no #whether accounts with empty passwords may log in
PasswordAuthentication yes #username and password authentication
GatewayPorts no #whether remote forwards (-R) may bind to addresses other than loopback
ClientAliveInterval 10 #unit: seconds; default 0, i.e. no keepalive and idle sessions are never dropped
ClientAliveCountMax 3 #default 3; the session is closed after this many unanswered keepalives
UseDNS yes #reverse-resolve client addresses; set to no for faster logins (no is already the compiled-in default since OpenSSH 6.8)
GSSAPIAuthentication yes #set to no for faster logins when Kerberos is not in use
MaxStartups #maximum concurrent unauthenticated connections; default 10:30:100 (random early drop starts at 10)
Banner /path/file #text shown to the client before authentication
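A small auditor for the sshd_config keywords listed above, added here as an example and not taken from the original page. It models two facts about how sshd reads the file that matter when hardening: the first obtained value for a keyword is the one used (later duplicates are ignored), and keywords are case-insensitive; settings after the first Match line are conditional, so the global lookup stops there. The two sample configurations are constructed for this example, and the "want" values encode this example's hardening policy, not an OpenSSH requirement.

```shell
#!/bin/sh
# Added example, not from the original page: audit the sshd_config keywords above.
# sshd keeps the FIRST value it reads for each keyword and ignores later duplicates,
# matches keywords case-insensitively, and treats lines after "Match" as conditional.
# Sample configs below are constructed; "want" values are this example's policy.
set -eu

# sshd_effective FILE KEYWORD [DEFAULT]: global effective value of KEYWORD in FILE
sshd_effective() {
  awk -v key="$(printf %s "$2" | tr 'A-Z' 'a-z')" -v def="${3:-}" '
    /^[ \t]*#/ || /^[ \t]*$/ { next }          # comments and blank lines
    tolower($1) == "match"  { exit }           # conditional section: stop here
    tolower($1) == key {                       # first hit wins, as in sshd
      sub(/^[ \t]*[^ \t]+[ \t]+/, ""); sub(/[ \t]+$/, "")
      print; found = 1; exit
    }
    END { if (!found) print def }              # absent: compiled-in default
  ' "$1"
}

# sshd_audit FILE: one "WEAK keyword=value (want ...)" line per weak setting,
# judged against OpenSSH's compiled-in defaults when a keyword is absent
sshd_audit() {
  f=$1
  v=$(sshd_effective "$f" PermitRootLogin prohibit-password)
  [ "$v" = yes ] && echo "WEAK PermitRootLogin=$v (want no or prohibit-password)"
  v=$(sshd_effective "$f" PasswordAuthentication yes)
  [ "$v" = yes ] && echo "WEAK PasswordAuthentication=$v (want no; use keys)"
  v=$(sshd_effective "$f" PermitEmptyPasswords no)
  [ "$v" = yes ] && echo "WEAK PermitEmptyPasswords=$v (want no)"
  v=$(sshd_effective "$f" PubkeyAuthentication yes)
  [ "$v" = no ] && echo "WEAK PubkeyAuthentication=$v (want yes)"
  v=$(sshd_effective "$f" StrictModes yes)
  [ "$v" = no ] && echo "WEAK StrictModes=$v (want yes)"
  v=$(sshd_effective "$f" MaxAuthTries 6)
  [ "$v" -gt 3 ] && echo "WEAK MaxAuthTries=$v (want 3 or fewer)"
  v=$(sshd_effective "$f" UseDNS no)
  [ "$v" = yes ] && echo "WEAK UseDNS=$v (want no)"
  v=$(sshd_effective "$f" ClientAliveInterval 0)
  [ "$v" -eq 0 ] && echo "WEAK ClientAliveInterval=$v (want a non-zero idle timeout)"
  return 0
}

# sshd_audit_count FILE: number of WEAK findings
sshd_audit_count() { sshd_audit "$1" | wc -l | tr -d ' '; }

# Constructed sample: permissive, with a duplicate keyword and a Match block
write_weak_config() {
  f=$(mktemp)
  cat > "$f" <<'EOF'
# constructed for this example, not a real host's sshd_config
Port 22
PermitRootLogin yes
PasswordAuthentication yes
# this second value is ignored: sshd keeps the first one it read
PasswordAuthentication no
PermitEmptyPasswords no
UseDNS yes
Match User backup
    MaxAuthTries 2
EOF
  echo "$f"
}

# Constructed sample: the same keywords with hardened values
write_hardened_config() {
  f=$(mktemp)
  cat > "$f" <<'EOF'
Port 22
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
PermitEmptyPasswords no
StrictModes yes
MaxAuthTries 3
MaxSessions 10
UseDNS no
ClientAliveInterval 300
ClientAliveCountMax 3
EOF
  echo "$f"
}

main() {
  weak=$(write_weak_config); hard=$(write_hardened_config)
  echo "weak config: $(sshd_audit_count "$weak") findings"; sshd_audit "$weak"
  echo "hardened config: $(sshd_audit_count "$hard") findings"
}
main
```

On the weak sample the auditor reports PermitRootLogin, PasswordAuthentication (the later "no" never takes effect), MaxAuthTries (the value under Match applies only to user backup, so the global default 6 stands), UseDNS and the absent ClientAliveInterval; the hardened sample reports nothing. After editing a real file, validate it with sshd -t -f /etc/ssh/sshd_config before restarting the service, so a typo cannot lock you out.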