1、创建私有CA并进行证书申请。

[root@cenos8 ~]# mkdir -pv /etc/pki/CA/{certs,crl,newcerts,private}
mkdir: created directory '/etc/pki/CA'
mkdir: created directory '/etc/pki/CA/certs'
mkdir: created directory '/etc/pki/CA/crl'
mkdir: created directory '/etc/pki/CA/newcerts'
mkdir: created directory '/etc/pki/CA/private'
[root@cenos8 ~]# cd /etc/pki/CA
[root@cenos8 CA]# ls
certs  crl  newcerts  private
[root@cenos8 CA]# tree
.
├── certs
├── crl
├── newcerts
└── private
4 directories, 0 files
[root@cenos8 CA]# touch index.txt
[root@cenos8 CA]# echo 0F > serial
[root@cenos8 CA]# ls
certs  crl  index.txt  newcerts  private  serial
[root@cenos8 ~]# openssl ca -in /data/app1/app1.csr  -out /etc/pki/CA/certs/app1.crt -days 10
Using configuration from /etc/pki/tls/openssl.cnf
Can't open /etc/pki/CA/private/cakey.pem for reading, No such file or directory
140309506324288:error:02001002:system library:fopen:No such file or directory:crypto/bio/bss_vate/cakey.pem','r')
140309506324288:error:2006D080:BIO routines:BIO_new_file:no such file:crypto/bio/bss_file.c:7
unable to load CA private key
[root@cenos8 ~]# cd /etc/pki/CA
[root@cenos8 CA]# (umask 066;openssl genrsa -out  private/cakey.pem 2048)
Generating RSA private key, 2048 bit long modulus (2 primes)
.......+++++
........................................................+++++
[root@cenos8 CA]# ll private
total 4
-rw-------. 1 root root 1679 Aug 26 16:32 cakey.pem
[root@cenos8 CA]# cat private/cakey.pem
-----BEGIN RSA PRIVATE KEY-----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-----END RSA PRIVATE KEY-----
[root@cenos8 CA]# cd
[root@cenos8 ~]# openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -days 3650 -out /etc/pki/CA/cacert.pem
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:guangdong
Locality Name (eg, city) [Default City]:shenzehng^H^H^C
[root@cenos8 ~]# openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -days 3650 -out /etc/pki/CA/cacert.pem
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:guangdong
Locality Name (eg, city) [Default City]:shenzheng
Organization Name (eg, company) [Default Company Ltd]:xiaozz
Organizational Unit Name (eg, section) []:it
Common Name (eg, your name or your server's hostname) []:cenos8.xiaozz.org
Email Address []:516694894@qq.com
[root@cenos8 ~]# tree /etc/pki/CA
/etc/pki/CA
├── cacert.pem
├── certs
├── crl
├── index.txt
├── newcerts
├── private
│   └── cakey.pem
└── serial

4 directories, 4 files
[root@cenos8 ~]# cat /etc/pki/CA/cacert.pem
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
[root@cenos8 ~]# openssl x509 -in /etc/pki/CA/cacert.pem -noout -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            51:a2:02:0c:e9:46:08:46:35:ef:d1:f6:a7:a7:39:da:9b:02:3d:a5
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = CN, ST = guangdong, L = shenzheng, O = xiaozz, OU = it, CN = cenos8.xiaozz.org, emailAddress = 516694894@qq.com
        Validity
            Not Before: Aug 26 08:37:56 2021 GMT
            Not After : Aug 24 08:37:56 2031 GMT
        Subject: C = CN, ST = guangdong, L = shenzheng, O = xiaozz, OU = it, CN = cenos8.xiaozz.org, emailAddress = 516694894@qq.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
                Modulus:
                    00:e3:6a:4a:2b:20:bc:29:8a:24:e2:5c:af:25:1a:
                    4d:98:98:5b:1f:ed:bb:fb:dd:c7:0e:94:df:11:55:
                    ea:02:88:90:37:76:74:bb:f5:b6:17:d4:1f:48:c9:
                    6a:d3:76:20:10:df:ce:a2:71:5c:82:60:24:27:84:
                    b9:52:ed:13:41:49:20:26:ee:36:65:7b:32:db:7f:
                    bd:de:b5:37:6a:2f:69:79:3a:ed:3b:23:75:c1:4d:
                    43:24:c7:d1:d0:2b:58:47:12:b8:14:b1:0b:8c:46:
                    bc:15:9d:cd:e1:fe:82:1c:ff:ec:c1:01:aa:f0:b3:
                    73:33:01:7a:61:da:fb:75:a1:d4:53:90:e1:64:65:
                    51:0c:37:32:e2:a9:72:ec:f8:4b:61:80:d4:b6:13:
                    47:96:e2:9e:42:25:31:b1:8d:c4:79:6b:35:28:ba:
                    68:6c:6d:b5:91:a1:7a:a1:de:f6:9e:75:0b:65:db:
                    3d:9b:87:8b:bc:7f:1e:13:2b:19:30:b2:85:28:76:
                    59:7c:18:09:8d:2b:d6:0b:6f:d3:df:d4:3d:62:b2:
                    a5:bc:17:17:3f:f1:d5:32:41:72:61:5a:94:2d:54:
                    8f:c4:01:21:6c:17:3e:66:de:f3:97:e0:43:3a:25:
                    4c:a9:76:cb:3f:aa:87:e9:66:c0:8e:94:e6:67:5d:
                    9f:39
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier: 
                8C:D4:D6:20:DE:08:F8:B5:9D:12:02:0D:A1:69:76:61:C8:0D:3A:07
            X509v3 Authority Key Identifier: 
                keyid:8C:D4:D6:20:DE:08:F8:B5:9D:12:02:0D:A1:69:76:61:C8:0D:3A:07

            X509v3 Basic Constraints: critical
                CA:TRUE
    Signature Algorithm: sha256WithRSAEncryption
         27:de:4b:c8:bd:93:7b:ac:95:ce:e6:c8:58:bf:29:62:ab:5a:
         47:66:f2:e2:cf:9d:35:8c:1f:12:4c:13:71:47:e4:e5:70:f0:
         9a:fa:84:c0:d0:97:30:56:59:35:ad:b7:bd:3f:4d:e4:2a:9b:
         bf:50:df:69:e6:c3:cf:43:22:6b:2c:79:f2:6b:ce:fc:82:0f:
         b1:98:99:1e:78:90:60:e8:09:ae:80:ee:39:9c:a3:c2:45:fc:
         f4:bc:30:98:f8:a7:94:74:c7:f7:24:fa:79:80:c9:80:a9:de:
         32:34:52:52:a4:f1:65:6f:81:58:15:12:79:cf:4a:81:21:0f:
         f2:f8:80:0a:3a:e2:c6:63:a7:07:5c:77:ae:f5:9b:23:fa:c2:
         c4:87:13:fd:9b:64:35:78:8c:94:db:ad:6d:b4:2e:87:93:1b:
         9b:5e:aa:aa:1a:dc:77:4d:5b:3d:7f:1f:c1:ce:c9:29:43:4b:
         98:ca:8c:c0:e6:77:f5:e2:9b:97:50:43:73:e3:61:99:2c:20:
         59:46:39:c9:5b:23:c8:f3:96:0c:0d:5e:5a:2f:67:86:ca:6f:
         f6:04:e1:de:80:57:c0:83:ee:e0:32:85:8c:04:f0:47:08:75:
         aa:8b:bc:8e:d7:93:16:29:33:40:93:a5:b1:2d:84:c9:d8:59:
         1f:0b:14:7c
[root@cenos8 ~]# yum -y install lrzsz
[root@cenos8 ~]# sz /etc/pki/CA/cacert.pem
#将文件cacert.pem传到windows上,修改文件名为cacert.pem.crt,双击安装证书。安装后该CA签发的所有证书都会被这台主机信任,因此须妥善保管 /etc/pki/CA/private/cakey.pem。

image.png

2、总结ssh常用参数、用法。

ssh命令是ssh客户端,用于对远程系统进行验证并建立加密的安全访问。ssh客户端配置文件是:/etc/ssh/ssh_config。 ssh命令配合的常见选项: -p port:远程服务器监听的端口

ssh 10.0.0.8 -p 2222

-b 指定连接的源ip

ssh 10.0.0.8 -p 2222 -b 10.0.0.7

-v 调试模式

ssh 10.0.0.8 -p 2222 -v

-C 启用压缩
-X 支持X11转发,可以在当前设备使用远程Linux主机上的图形工具
-t 强制分配伪tty,如:ssh -t remoteserver1 ssh -t remoteserver2 ssh remoteserver3
-o option 指定配置选项,如:-o StrictHostKeyChecking=no(该选项会跳过主机密钥校验,无法发现中间人攻击,生产环境慎用)
-i <file> 指定私钥文件路径,实现基于key验证,默认使用文件: ~/.ssh/id_dsa, ~/.ssh/id_ecdsa, ~/.ssh/id_ed25519, ~/.ssh/id_rsa等

3、总结sshd服务常用参数。

sshd服务器端的配置文件:/etc/ssh/sshd_config 常用参数:

Port                                 #端口生产建议修改
ListenAddress ip
LoginGraceTime 2m
PermitRootLogin yes                  #默认ubuntu不允许root远程ssh登录
StrictModes yes                      #检查.ssh/文件的所有者,权限等
MaxAuthTries   6                     #Specifies the maximum number of authentication
                                     #attempts permitted per connection. Once the number of failures reaches half this
                                     #value, additional failures are logged. The default is 6.
MaxSessions  10                       #同一个连接最大会话
PubkeyAuthentication yes              #基于key验证
PermitEmptyPasswords no               #是否允许空密码登录
PasswordAuthentication yes            #基于用户名和密码连接
GatewayPorts no
ClientAliveInterval 10                #单位:秒
ClientAliveCountMax 3                 #默认3
UseDNS yes                            #提高速度可改为no
GSSAPIAuthentication yes              #提高速度可改为no
MaxStartups                           #未认证连接最大值,默认值10
Banner /path/file

#以下是限制可登录用户的方法:
AllowUsers user1 user2 user3
DenyUsers user1 user2 user3
AllowGroups g1 g2
DenyGroups g1 g2

4、搭建dhcp服务,实现ip地址申请分发

[root@centos8 ~]# yum -y install dhcp-server
[root@centos8 ~]# cp /usr/share/doc/dhcp-server/dhcpd.conf.example /etc/dhcp/dhcpd.conf
[root@centos8 ~]# cat /etc/dhcp/dhcpd.conf
# dhcpd.conf
#
# Sample configuration file for ISC dhcpd
#

# option definitions common to all supported networks...
option domain-name "example.org";
option domain-name-servers 180.76.76.76, 223.5.5.5;

default-lease-time 86400;
max-lease-time 106400;

# Use this to enable / disable dynamic dns updates globally.
#ddns-update-style none;

# If this DHCP server is the official DHCP server for the local
# network, the authoritative directive should be uncommented.
#authoritative;

# Use this to send dhcp log messages to a different log file (you also
# have to hack syslog.conf to complete the redirection).
log-facility local7;

# No service will be given on this subnet, but declaring it helps the 
# DHCP server to understand the network topology.

subnet 10.0.0.0 netmask 255.255.255.0 {
    range 10.0.0.150 10.0.0.180;
    option routers 10.0.0.2;
    next-server 10.0.0.100;
    filename "pxelinux.0";
}

host test {
    hardware ethernet 00:0c:29:d8:f9:42;
    fixed-address 10.0.0.123;
}

# This is a very basic subnet declaration.

subnet 10.254.239.0 netmask 255.255.255.224 {
  range 10.254.239.10 10.254.239.20;
  option routers rtr-239-0-1.example.org, rtr-239-0-2.example.org;
}

启动dhcp服务
[root@centos8 ~]# systemctl start dhcpd

#dhcp 客户端申请地址的过程
dhclient -d
#DHCP服务器的日志
[root@centos8 ~]#tail -f /var/lib/dhcpd/dhcpd.leases
#DHCP客户端的日志
[root@centos7 ~]#ls /var/lib/dhclient/
dhclient.leases
[root@centos7 ~]#cat /var/lib/dhclient/dhclient.leases