目录
1、创建私有CA并进行证书申请。
1、创建CA和证书申请
[00:09:50 root@Centos8 app1]#touch /etc/pki/CA/index.txt
[00:11:40 root@Centos8 app1]#echo 01 > /etc/pki/CA/serial
#index和serial文件如不创建,在之后给用户颁发证书时会出现如下报错
[00:07:22 root@Centos8 app1]#openssl ca -in /data/app1/app1.csr -out /etc/pki/CA/certs/app1.crt -days 1000
Using configuration from /etc/pki/tls/openssl.cnf
140533280032576:error:02001002:system library:fopen:No such file or directory:crypto/bio/bss_file.c:69:fopen('/etc/pki/CA/index.txt','r')
140533280032576:error:2006D080:BIO routines:BIO_new_file:no such file:crypto/bio/bss_file.c:76:
[00:09:50 root@Centos8 app1]#touch /etc/pki/CA/index.txt
[00:10:57 root@Centos8 app1]#tree /etc/pki/CA
/etc/pki/CA
|-- cacert.pem
|-- certs
|-- crl
|-- index.txt
|-- newcerts
`-- private
`-- cakey.pem
4 directories, 3 files
[00:11:30 root@Centos8 app1]#openssl ca -in /data/app1/app1.csr -out /etc/pki/CA/certs/app1.crt -days 1000
Using configuration from /etc/pki/tls/openssl.cnf
/etc/pki/CA/serial: No such file or directory
error while loading serial number
140366505142080:error:02001002:system library:fopen:No such file or directory:crypto/bio/bss_file.c:69:fopen('/etc/pki/CA/serial','r')
140366505142080:error:2006D080:BIO routines:BIO_new_file:no such file:crypto/bio/bss_file.c:76:
[00:11:40 root@Centos8 app1]#echo 01 > /etc/pki/CA/serial
[00:12:36 root@Centos8 app1]#cat /etc/pki/CA/serial
01
#Centos8需要先创建文件,centos7自带空文件
[22:49:44 root@Centos8 ~]#mkdir /etc/pki/CA/{certs,crl,newcerts,private} -pv
mkdir: created directory '/etc/pki/CA'
mkdir: created directory '/etc/pki/CA/certs'
mkdir: created directory '/etc/pki/CA/crl'
mkdir: created directory '/etc/pki/CA/newcerts'
mkdir: created directory '/etc/pki/CA/private'
[22:50:49 root@Centos8 ~]#tree /etc/pki/CA
/etc/pki/CA
|-- certs
|-- crl
|-- newcerts
`-- private
4 directories, 0 files
[22:51:04 root@Centos8 ~]#cd /etc/pki/CA
[22:53:09 root@Centos8 CA]#ls
certs crl newcerts private
#创建CA私钥,注意权限,centos8其实不用umask也行,centos7需要用umask定义权限。
[22:53:10 root@Centos8 CA]#(umask 066; openssl genrsa -out private/cakey.pem 2048)
Generating RSA private key, 2048 bit long modulus (2 primes)
.........................................................................................................................................................+++++
..........+++++
e is 65537 (0x010001)
[22:54:03 root@Centos8 CA]#ls
certs crl newcerts private
[22:54:06 root@Centos8 CA]#ll private/cakey.pem
-rw------- 1 root root 1679 Aug 21 22:54 private/cakey.pem
#创建CA自签名证书
[22:57:44 root@Centos8 CA]#openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -days 36500 -out /etc/pki/CA/cacert.pem
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:hunan
Locality Name (eg, city) [Default City]:changsha
Organization Name (eg, company) [Default Company Ltd]:liuqixin
Organizational Unit Name (eg, section) []:it
Common Name (eg, your name or your server's hostname) []:ca.liuqixin.com
Email Address []:queyi0401@sina.com
[23:02:26 root@Centos8 CA]#ls
cacert.pem certs crl newcerts private
[23:08:51 root@Centos8 CA]#cat cacert.pem
-----BEGIN CERTIFICATE-----
MIID/zCCAuegAwIBAgIUDCD67nrpGxnoxISkpln2XS9TEJowDQYJKoZIhvcNAQEL
BQAwgY0xCzAJBgNVBAYTAkNOMQ4wDAYDVQQIDAVodW5hbjERMA8GA1UEBwwIY2hh
bmdzaGExETAPBgNVBAoMCGxpdXFpeGluMQswCQYDVQQLDAJpdDEYMBYGA1UEAwwP
Y2EubGl1cWl4aW4uY29tMSEwHwYJKoZIhvcNAQkBFhJxdWV5aTA0MDFAc2luYS5j
b20wIBcNMjIwODIxMTUwMjI2WhgPMjEyMjA3MjgxNTAyMjZaMIGNMQswCQYDVQQG
EwJDTjEOMAwGA1UECAwFaHVuYW4xETAPBgNVBAcMCGNoYW5nc2hhMREwDwYDVQQK
DAhsaXVxaXhpbjELMAkGA1UECwwCaXQxGDAWBgNVBAMMD2NhLmxpdXFpeGluLmNv
bTEhMB8GCSqGSIb3DQEJARYScXVleWkwNDAxQHNpbmEuY29tMIIBIjANBgkqhkiG
9w0BAQEFAAOCAQ8AMIIBCgKCAQEA6B6oTPFyErsw3ad4ZzHgw4fbRbhmmDkdCSb8
9iqwgewdxKvY6hgENy9OHZf8gxgxnTI4YZtxl1i7GRgsBZ5E8yB8YbrSMSgXUT+W
C6ZTJrGmnpw2c7YkOnMXfS0HaatYMjVRUxPxxJpxNWkcwGSVIA4VP6/hbCLku6pv
laqtmyqKlCu90lzKG0uyqawdxes/vGAsXseuiYbq1lZDjdm5lSzQWo2JshqAoijV
1xbBqlVXJs559jsnU8cdylZ8WorO2bdl1i3s8YUfkagEJ5euYTKLMouFk9ihwK4D
mZ09ZALu96LMeIXsc2YXLkRJpOYbubMJqKSG/4g1qXKO8irkaQIDAQABo1MwUTAd
BgNVHQ4EFgQU4OpU5fhEIkOA/YVbCRR5N95q4zIwHwYDVR0jBBgwFoAU4OpU5fhE
IkOA/YVbCRR5N95q4zIwDwYDVR0TAQH/BAUwAwEB/zANBgkqhkiG9w0BAQsFAAOC
AQEArTCoQh3QFzTAXDkT0v4hA633QfLkxW5iJEJL53TrImyA4OKESN8jdJ0mhdG3
ruVhAZT5VH7wRChRUZzWCgkXaB8sPf9n6f/y+GtxdfotL4yrIvvP5CKW567qxZwT
n95rB/aE24XW1W7UV4PzcC5N3CNsHA7vqEAM6G6jmrlZ1K0sF1PBKIz0LaxguGHR
AgTz7hB/LhVNroKAUu5nGn0+p7DcfIonq9z56M5vmKUJurwmgHBmHovmAkQDuKYy
3F6NE9yEyU48RaM3GefND/u3LLw9WtFM7TjQEdQJc0qw8qgzcrnEg1vEc9MSgk+1
bgnDGY5wi201iLOxVR/QyW7LVA==
-----END CERTIFICATE-----
#查看CA
[23:08:56 root@Centos8 CA]#openssl x509 -in cacert.pem -noout -text
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
0c:20:fa:ee:7a:e9:1b:19:e8:c4:84:a4:a6:59:f6:5d:2f:53:10:9a
Signature Algorithm: sha256WithRSAEncryption
Issuer: C = CN, ST = hunan, L = changsha, O = liuqixin, OU = it, CN = ca.liuqixin.com, emailAddress = queyi0401@sina.com
Validity
Not Before: Aug 21 15:02:26 2022 GMT
Not After : Jul 28 15:02:26 2122 GMT
Subject: C = CN, ST = hunan, L = changsha, O = liuqixin, OU = it, CN = ca.liuqixin.com, emailAddress = queyi0401@sina.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public-Key: (2048 bit)
Modulus:
00:e8:1e:a8:4c:f1:72:12:bb:30:dd:a7:78:67:31:
e0:c3:87:db:45:b8:66:98:39:1d:09:26:fc:f6:2a:
b0:81:ec:1d:c4:ab:d8:ea:18:04:37:2f:4e:1d:97:
fc:83:18:31:9d:32:38:61:9b:71:97:58:bb:19:18:
2c:05:9e:44:f3:20:7c:61:ba:d2:31:28:17:51:3f:
96:0b:a6:53:26:b1:a6:9e:9c:36:73:b6:24:3a:73:
17:7d:2d:07:69:ab:58:32:35:51:53:13:f1:c4:9a:
71:35:69:1c:c0:64:95:20:0e:15:3f:af:e1:6c:22:
e4:bb:aa:6f:95:aa:ad:9b:2a:8a:94:2b:bd:d2:5c:
ca:1b:4b:b2:a9:ac:1d:c5:eb:3f:bc:60:2c:5e:c7:
ae:89:86:ea:d6:56:43:8d:d9:b9:95:2c:d0:5a:8d:
89:b2:1a:80:a2:28:d5:d7:16:c1:aa:55:57:26:ce:
79:f6:3b:27:53:c7:1d:ca:56:7c:5a:8a:ce:d9:b7:
65:d6:2d:ec:f1:85:1f:91:a8:04:27:97:ae:61:32:
8b:32:8b:85:93:d8:a1:c0:ae:03:99:9d:3d:64:02:
ee:f7:a2:cc:78:85:ec:73:66:17:2e:44:49:a4:e6:
1b:b9:b3:09:a8:a4:86:ff:88:35:a9:72:8e:f2:2a:
e4:69
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Key Identifier:
E0:EA:54:E5:F8:44:22:43:80:FD:85:5B:09:14:79:37:DE:6A:E3:32
X509v3 Authority Key Identifier:
keyid:E0:EA:54:E5:F8:44:22:43:80:FD:85:5B:09:14:79:37:DE:6A:E3:32
X509v3 Basic Constraints: critical
CA:TRUE
Signature Algorithm: sha256WithRSAEncryption
ad:30:a8:42:1d:d0:17:34:c0:5c:39:13:d2:fe:21:03:ad:f7:
41:f2:e4:c5:6e:62:24:42:4b:e7:74:eb:22:6c:80:e0:e2:84:
48:df:23:74:9d:26:85:d1:b7:ae:e5:61:01:94:f9:54:7e:f0:
44:28:51:51:9c:d6:0a:09:17:68:1f:2c:3d:ff:67:e9:ff:f2:
f8:6b:71:75:fa:2d:2f:8c:ab:22:fb:cf:e4:22:96:e7:ae:ea:
c5:9c:13:9f:de:6b:07:f6:84:db:85:d6:d5:6e:d4:57:83:f3:
70:2e:4d:dc:23:6c:1c:0e:ef:a8:40:0c:e8:6e:a3:9a:b9:59:
d4:ad:2c:17:53:c1:28:8c:f4:2d:ac:60:b8:61:d1:02:04:f3:
ee:10:7f:2e:15:4d:ae:82:80:52:ee:67:1a:7d:3e:a7:b0:dc:
7c:8a:27:ab:dc:f9:e8:ce:6f:98:a5:09:ba:bc:26:80:70:66:
1e:8b:e6:02:44:03:b8:a6:32:dc:5e:8d:13:dc:84:c9:4e:3c:
45:a3:37:19:e7:cd:0f:fb:b7:2c:bc:3d:5a:d1:4c:ed:38:d0:
11:d4:09:73:4a:b0:f2:a8:33:72:b9:c4:83:5b:c4:73:d3:12:
82:4f:b5:6e:09:c3:19:8e:70:8b:6d:35:88:b3:b1:55:1f:d0:
c9:6e:cb:54
[23:09:48 root@Centos8 CA]#sz cacert.pem
#或者也可以执行一条命令非交互式
[23:23:56 root@Centos8 ~]#openssl req -utf8 -newkey rsa:1024 -subj "/CN=www.liuqixin.com" -keyout /data/app.key -nodes -x509 -days 365 -out /data/app.crt
Generating a RSA private key
.............+++++
...............................+++++
writing new private key to '/data/app.key'
-----
[23:24:31 root@Centos8 data]#cat app.key
-----BEGIN PRIVATE KEY-----
MIICeAIBADANBgkqhkiG9w0BAQEFAASCAmIwggJeAgEAAoGBALTHpoDzgLVIhAlm
GMqRHV9MUMm79/DP8Vig6PtCX26x+4TPcYUM8Ej6e9dRkcbMvgWFleIU19HeyocO
EMsykA5KzrjCXdqVNb1Mup9cbxr9pJltXA4tNiQlfEcp2S5KkrVU0IAFLn2S+UyO
W6VXrPiLBRkuqBb3LjaX3VQRindVAgMBAAECgYBSDikqcNxj7JVZ+siX8YRGhEpL
NxGUcZ5XnzoBCiBtC0ZiAxLA1J2gUmmx0yl69eXudbMRmmpXrWt6H81Jnhq6TqW2
mr+Zw0ORt0ghz4nr8hoZygUkYF+U2E9LP1Y7lDtTt0M6KYWHHiQGvFyw9r/BtFUy
qQfCxhMNTi6pxu0QYQJBAN0ysrhT+ls4y8kgaViMpL5f74uPNzCrVVTVaJt+0640
sEVIhOcY8OU8ZW1mIb4FhK3UJbDEQenU8iAhD7oJhfkCQQDROQKrmqp5pKNqrlSw
gRcpBYOt6mxqQmMjivJuJ3NiGyb9Gz3Zk0Aj+1tkKK6Xb6pJeu+rNH9C4QOIu3vy
uKM9AkEAkSDtX8FBls557llEpSOKB5o8Oe3aQSV41DM88iDRVBAfwyVkhZe4nj71
MUT8SIeoWMDDheoOcRQVVH08q0wKSQJBAM+L8m4w+7O38rQ9Q53kMQlsgvffeLTg
LmBv0ZYcZIWJ0d97SpuvSw1mp35wLOHkz9Qcs+vuI+BAPrVA5vAc4TECQQCe0nsV
p/s7fJhbv5nlU3J9DPkp5ZqU3ShmhGKREGcIzhzk/m319Aa2oit1lDrSHiKgAkOe
Ukk8qRKKLqwSSyDz
-----END PRIVATE KEY-----
[23:35:18 root@Centos8 data]#cat app.crt
-----BEGIN CERTIFICATE-----
MIICEjCCAXugAwIBAgIUbQDaKq3NI2PaWbtSPDLNMuSw/4swDQYJKoZIhvcNAQEL
BQAwGzEZMBcGA1UEAwwQd3d3LmxpdXFpeGluLmNvbTAeFw0yMjA4MjExNTI0MTha
Fw0yMjA5MjAxNTI0MThaMBsxGTAXBgNVBAMMEHd3dy5saXVxaXhpbi5jb20wgZ8w
DQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBALTHpoDzgLVIhAlmGMqRHV9MUMm79/DP
8Vig6PtCX26x+4TPcYUM8Ej6e9dRkcbMvgWFleIU19HeyocOEMsykA5KzrjCXdqV
Nb1Mup9cbxr9pJltXA4tNiQlfEcp2S5KkrVU0IAFLn2S+UyOW6VXrPiLBRkuqBb3
LjaX3VQRindVAgMBAAGjUzBRMB0GA1UdDgQWBBR/j/cdj4IZwEkb68ivG81RWj50
UTAfBgNVHSMEGDAWgBR/j/cdj4IZwEkb68ivG81RWj50UTAPBgNVHRMBAf8EBTAD
AQH/MA0GCSqGSIb3DQEBCwUAA4GBAGivziuBBi4n1dCtK75FTIwey+8PVV5Qy5+l
TuQ8tUKUyeqbhO9U1leLW76IiJtQYfz6Z7suxRmxbd7zeQrqS5PL0GKk2pv6so9q
taEPzEQqjfyfmlvsDonAwC0rR+v4xfmua8McDXrbcDMfeCbIAlWQajXSycXAOxtz
EXGYqZOL
-----END CERTIFICATE-----
#查看证书
[23:35:24 root@Centos8 data]#openssl x509 -in app.crt -noout -text
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
6d:00:da:2a:ad:cd:23:63:da:59:bb:52:3c:32:cd:32:e4:b0:ff:8b
Signature Algorithm: sha256WithRSAEncryption
Issuer: CN = www.liuqixin.com
Validity
Not Before: Aug 21 15:24:18 2022 GMT
Not After : Sep 20 15:24:18 2023 GMT
Subject: CN = www.liuqixin.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public-Key: (1024 bit)
Modulus:
00:b4:c7:a6:80:f3:80:b5:48:84:09:66:18:ca:91:
1d:5f:4c:50:c9:bb:f7:f0:cf:f1:58:a0:e8:fb:42:
5f:6e:b1:fb:84:cf:71:85:0c:f0:48:fa:7b:d7:51:
91:c6:cc:be:05:85:95:e2:14:d7:d1:de:ca:87:0e:
10:cb:32:90:0e:4a:ce:b8:c2:5d:da:95:35:bd:4c:
ba:9f:5c:6f:1a:fd:a4:99:6d:5c:0e:2d:36:24:25:
7c:47:29:d9:2e:4a:92:b5:54:d0:80:05:2e:7d:92:
f9:4c:8e:5b:a5:57:ac:f8:8b:05:19:2e:a8:16:f7:
2e:36:97:dd:54:11:8a:77:55
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Key Identifier:
7F:8F:F7:1D:8F:82:19:C0:49:1B:EB:C8:AF:1B:CD:51:5A:3E:74:51
X509v3 Authority Key Identifier:
keyid:7F:8F:F7:1D:8F:82:19:C0:49:1B:EB:C8:AF:1B:CD:51:5A:3E:74:51
X509v3 Basic Constraints: critical
CA:TRUE
Signature Algorithm: sha256WithRSAEncryption
68:af:ce:2b:81:06:2e:27:d5:d0:ad:2b:be:45:4c:8c:1e:cb:
ef:0f:55:5e:50:cb:9f:a5:4e:e4:3c:b5:42:94:c9:ea:9b:84:
ef:54:d6:57:8b:5b:be:88:88:9b:50:61:fc:fa:67:bb:2e:c5:
19:b1:6d:de:f3:79:0a:ea:4b:93:cb:d0:62:a4:da:9b:fa:b2:
8f:6a:b5:a1:0f:cc:44:2a:8d:fc:9f:9a:5b:ec:0e:89:c0:c0:
2d:2b:47:eb:f8:c5:f9:ae:6b:c3:1c:0d:7a:db:70:33:1f:78:
26:c8:02:55:90:6a:35:d2:c9:c5:c0:3b:1b:73:11:71:98:a9:
93:8b
2、用户申请证书
[23:36:46 root@Centos8 data]#mkdir app1
#生成用户私钥文件app1
[23:49:42 root@Centos8 data]#(umask 066; openssl genrsa -out /data/app1/app1.key 2048)
Generating RSA private key, 2048 bit long modulus (2 primes)
.....................+++++
..................................................................+++++
e is 65537 (0x010001)
[23:51:12 root@Centos8 data]#cd app1
[23:51:19 root@Centos8 app1]#ls
app1.key
[23:51:20 root@Centos8 app1]#ll
total 4
-rw------- 1 root root 1679 Aug 21 23:51 app1.key
#通过私钥(app1.key)生成证书申请文件 app1.csr,注意 国家 省份 组织名,需要与CA的保持一致
[00:04:41 root@Centos8 app1]#openssl req -new -key /data/app1/app1.key -out /data/app1/app1.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:hunan
Locality Name (eg, city) [Default City]:xiangtan
Organization Name (eg, company) [Default Company Ltd]:liuqixin
Organizational Unit Name (eg, section) []:sale
Common Name (eg, your name or your server's hostname) []:www.liuqixin.com
Email Address []:queyi0401@sina.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
[00:07:19 root@Centos8 app1]#ll
total 8
-rw-r--r-- 1 root root 1062 Aug 22 00:07 app1.csr
-rw------- 1 root root 1679 Aug 21 23:51 app1.key
[00:07:22 root@Centos8 app1]#openssl ca -in /data/app1/app1.csr -out /etc/pki/CA/certs/app1.crt -days 1000
Using configuration from /etc/pki/tls/openssl.cnf
140533280032576:error:02001002:system library:fopen:No such file or directory:crypto/bio/bss_file.c:69:fopen('/etc/pki/CA/index.txt','r')
140533280032576:error:2006D080:BIO routines:BIO_new_file:no such file:crypto/bio/bss_file.c:76:
[00:09:50 root@Centos8 app1]#touch /etc/pki/CA/index.txt
[00:10:55 root@Centos8 app1]#openssl ca -in /data/app1/app1.csr -out /etc/pki/CA/certs/app1.crt -days 1000
Using configuration from /etc/pki/tls/openssl.cnf
/etc/pki/CA/serial: No such file or directory
error while loading serial number
140246065383232:error:02001002:system library:fopen:No such file or directory:crypto/bio/bss_file.c:69:fopen('/etc/pki/CA/serial','r')
140246065383232:error:2006D080:BIO routines:BIO_new_file:no such file:crypto/bio/bss_file.c:76:
[00:10:57 root@Centos8 app1]#tree /etc/pki/CA
/etc/pki/CA
|-- cacert.pem
|-- certs
|-- crl
|-- index.txt
|-- newcerts
`-- private
`-- cakey.pem
4 directories, 3 files
[00:11:30 root@Centos8 app1]#openssl ca -in /data/app1/app1.csr -out /etc/pki/CA/certs/app1.crt -days 1000
Using configuration from /etc/pki/tls/openssl.cnf
/etc/pki/CA/serial: No such file or directory
error while loading serial number
140366505142080:error:02001002:system library:fopen:No such file or directory:crypto/bio/bss_file.c:69:fopen('/etc/pki/CA/serial','r')
140366505142080:error:2006D080:BIO routines:BIO_new_file:no such file:crypto/bio/bss_file.c:76:
[00:11:40 root@Centos8 app1]#echo 01 > /etc/pki/CA/serial
[00:12:36 root@Centos8 app1]#cat /etc/pki/CA/serial
01
#CA文件夹里需要有index和serial文件
[00:12:47 root@Centos8 app1]#openssl ca -in /data/app1/app1.csr -out /etc/pki/CA/certs/app1.crt -days 1000
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 1 (0x1)
Validity
Not Before: Aug 21 16:12:58 2022 GMT
Not After : May 17 16:12:58 2025 GMT
Subject:
countryName = CN
stateOrProvinceName = hunan
organizationName = liuqixin
organizationalUnitName = sale
commonName = www.liuqixin.com
emailAddress = queyi0401@sina.com
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
9B:3C:99:CC:B6:A1:30:0B:FA:02:D3:52:EE:48:F4:6D:A4:95:83:92
X509v3 Authority Key Identifier:
keyid:E0:EA:54:E5:F8:44:22:43:80:FD:85:5B:09:14:79:37:DE:6A:E3:32
Certificate is to be certified until May 17 16:12:58 2025 GMT (1000 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
[00:13:34 root@Centos8 app1]#tree /etc/pki/CA
/etc/pki/CA
|-- cacert.pem
|-- certs
| `-- app1.crt
|-- crl
|-- index.txt
|-- index.txt.attr
|-- index.txt.old
|-- newcerts
| `-- 01.pem
|-- private
| `-- cakey.pem
|-- serial
`-- serial.old
4 directories, 9 files
#index文件放了用户证书的一些信息,serial 放下一个证书的序列编号,newcrts备份证书文件
[00:19:55 root@Centos8 app1]#cat /etc/pki/CA/index.txt
V 250517161258Z 01 unknown /C=CN/ST=hunan/O=liuqixin/OU=sale/CN=www.liuqixin.com/emailAddress=queyi0401@sina.com
[00:29:32 root@Centos8 app1]#cat /etc/pki/CA/serial
02
#验证证书的有效性 02还未颁发不存在。
[00:29:41 root@Centos8 app1]#openssl ca -status 01
Using configuration from /etc/pki/tls/openssl.cnf
01=Valid (V)
[00:31:34 root@Centos8 app1]#openssl ca -status 02
Using configuration from /etc/pki/tls/openssl.cnf
Serial 02 not present in db.
Error verifying serial 02!
2、总结ssh常用参数、用法
2.1 openssh 客户端命令:
ssh命令是
ssh
客户端,允许实现对远程系统经验证地加密安全访问。
当用户远程连接ssh
服务器时,会复制
ssh
服务器
/etc/ssh/ssh_host*key.pub
文件中的公钥到客户机的 ~/.ssh/know_hosts中。下次连接时,会自动匹配相对应的私钥,不能匹配,将拒绝连接。
ssh客户端配置文件:
/etc/ssh/ssh_config
格式:
ssh
[user@]host [COMMAND]
ssh
[-l user] host [COMMAND]
常见选项:
-p
port
#
远程服务器监听的端口
-b
#
指定连接的源
IP
-v
#
调试模式
-C
#
压缩方式
-X
#
支持
x11
转发
-t
#
强制伪
tty
分配,如:
ssh -t remoteserver1 ssh -t remoteserver2 ssh remoteserver3
-o
option
如:
-o
StrictHostKeyChecking
=
no
-i
<file>
#
指定私钥文件路径,实现基于
key
验证,默认使用文件:
~/.ssh/id_dsa, ~/.ssh/id_ecdsa, ~/.ssh/id_ed25519,
~/.ssh/id_rsa
等
2.2 ssh加ip登录
ssh直接跟目标主机ip等登录时,会默认以当前的用户名称作为目标主机的用户去登录,如果目标主机不存在该名称的用户,则无法登录,如果存在,输入目标主机的用户密码后可登录。
[23:59:43 root@Centos7 .ssh]#ssh 10.0.0.8
The authenticity of host '10.0.0.8 (10.0.0.8)' can't be established.
ECDSA key fingerprint is SHA256:K526dKDqAS4LHOwztpl8+AAlfFFm6ANjeN3eMXnrsqc.
ECDSA key fingerprint is MD5:c4:c9:bf:ef:73:f9:93:c6:d1:14:fa:3a:e7:16:de:e4.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '10.0.0.8' (ECDSA) to the list of known hosts.
root@10.0.0.8's password:
Last login: Tue Sep 27 23:51:44 2022 from 10.0.0.7
[23:59:56 root@Centos8 ~]#
ssh能实现加密通信,不过首次连接时的安全性是无法保证的,如果有中间人的存在,发了一份假的公钥,则我们后续的连接也是不安全的,所以可以在首次连接时进行验证。但是连接时提供的目标主机公钥是经过哈希算法加密过的,一般人看不懂,有个很简单的方法就是目标主机自己连接自己,将显示出的经过哈希算法加密的公钥与ssh客户端进行对比。
[23:58:47 root@Centos8 ssh]#ssh 127.0.0.1
The authenticity of host '127.0.0.1 (127.0.0.1)' can't be established.
ECDSA key fingerprint is SHA256:K526dKDqAS4LHOwztpl8+AAlfFFm6ANjeN3eMXnrsqc.
Are you sure you want to continue connecting (yes/no/[fingerprint])?
2.3 ssh指定用户登录
ssh也可根据目标主机上已有的用户,进行指定用户名+ip的方式登录,如果之前已经连接过目标主机,再次连接时只需输入目标主机中的指定用户登录密码即可。
[00:04:36 root@Centos7 .ssh]#ssh haha@10.0.0.8
haha@10.0.0.8's password:
Last login: Sun Aug 21 18:07:27 2022
[00:06:31 haha@Centos8 ~]$
2.4 ssh首次登陆免公钥确认登录
上面谈到首次连接时需要进行公钥的确认,输入“yes”,如果企业内部不使用外网,连接时的安全性会有所增加,一台台机器去确认公钥会比较麻烦。不想进行公钥的确认也可以实现,ssh客户端的配置文件为/etc/ssh/ssh_config,找到“StrictHostKeyChecking ask ”,将ask改为no即可。
sed -i.bak '/StrictHostKeyChecking/s/.*/StrictHostKeyChecking no/' /etc/ssh/ssh_config
另一种方法是不修改配置文件,加上-o来执行命令完成免公钥确认。
#进入know_hosts删除10.0.0.8的记录行后,在执行-o选项。
[00:13:53 root@Centos7 .ssh]#vim known_hosts
[00:14:05 root@Centos7 .ssh]#ssh -o StrictHostKeyChecking=no 10.0.0.8
Warning: Permanently added '10.0.0.8' (ECDSA) to the list of known hosts.
root@10.0.0.8's password:
Last login: Wed Sep 28 00:13:49 2022 from 10.0.0.7
[00:14:24 root@Centos8 ~]#
2.5 ssh远程主机执行命令和脚本
ssh可以帮我们在不切换到目标主机的情况下,远程执行命令
[00:18:26 root@Centos7 .ssh]#ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
link/ether 00:0c:29:d7:7e:da brd ff:ff:ff:ff:ff:ff
inet 10.0.0.7/24 brd 10.0.0.255 scope global noprefixroute eth0
valid_lft forever preferred_lft forever
inet6 fe80::20c:29ff:fed7:7eda/64 scope link
valid_lft forever preferred_lft forever
[00:18:42 root@Centos7 .ssh]#ssh 10.0.0.8 ip a
root@10.0.0.8's password:
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
link/ether 00:0c:29:d0:74:54 brd ff:ff:ff:ff:ff:ff
inet 10.0.0.8/24 brd 10.0.0.255 scope global noprefixroute eth0
valid_lft forever preferred_lft forever
inet6 fe80::20c:29ff:fed0:7454/64 scope link
valid_lft forever preferred_lft forever
同时我们也可远程执行脚本,笔者以centos7为客户端,创建一个脚本内容很简单,就是新建a.txt,执行 ssh 10.10.10.8 /bin/bash < sshtest.sh 命令,即可在名为Centos8的目标主机看到多出指定名称文件
[00:20:59 root@Centos7 data]#ls
selinux
[00:21:00 root@Centos7 data]#vim sshtest.sh
[00:22:13 root@Centos7 data]#ls
selinux sshtest.sh
[00:22:14 root@Centos7 data]#chmod a+x sshtest.sh
[00:22:32 root@Centos7 data]#ls
selinux sshtest.sh
[00:22:33 root@Centos7 data]#bash sshtest.sh
[00:22:40 root@Centos7 data]#ls
a.txt selinux sshtest.sh
[00:22:43 root@Centos7 data]#
[00:24:18 root@Centos8 ssh]#cd /data
[00:24:22 root@Centos8 data]#ls
app.crt app.key app1 get_release_pkg.sh
[00:24:23 root@Centos8 data]#
[00:22:43 root@Centos7 data]#ssh 10.0.0.8 /bin/bash < sshtest.sh
root@10.0.0.8's password:
[00:25:46 root@Centos7 data]#
[00:24:23 root@Centos8 data]#ls
a.txt app.crt app.key app1 get_release_pkg.sh
[00:25:51 root@Centos8 data]#
2.6 指定端口号登录
ssh远程登录时,默认的端口号为22,在实际生产过程中可能会不太安全,这时我们可以考虑更换端口号。linux系统端口号范围为0-65535,其中0不使用;1-1023 由系统保留,只能由root用户使用;1024-4999 由客户端程序自由分配;5000-65535 由服务器端程序自由分配。修改端口号需要修改/etc/ssh/sshd_config配置文件信息,找到“Port 22”改为想要的数字,笔者这边以6666为例,修改保存后,需执行 service sshd restart / systemctl restart sshd 命令生效。
[00:28:44 root@Centos8 ssh]#cat sshd_config
# $OpenBSD: sshd_config,v 1.103 2018/04/09 20:41:22 tj Exp $
# This is the sshd server system-wide configuration file. See
# sshd_config(5) for more information.
# This sshd was compiled with PATH=/usr/local/bin:/usr/bin:/usr/local/sbin:/usr/sbin
# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented. Uncommented options override the
# default value.
# If you want to change the port on a SELinux system, you have to tell
# SELinux about this change.
# semanage port -a -t ssh_port_t -p tcp #PORTNUMBER
#
#Port 22
#AddressFamily any
......
[00:28:57 root@Centos8 ssh]#
[00:30:43 root@Centos8 ssh]#cat sshd_config
# $OpenBSD: sshd_config,v 1.103 2018/04/09 20:41:22 tj Exp $
# This is the sshd server system-wide configuration file. See
# sshd_config(5) for more information.
# This sshd was compiled with PATH=/usr/local/bin:/usr/bin:/usr/local/sbin:/usr/sbin
# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented. Uncommented options override the
# default value.
# If you want to change the port on a SELinux system, you have to tell
# SELinux about this change.
# semanage port -a -t ssh_port_t -p tcp #PORTNUMBER
#
Port 6666
#AddressFamily any
.......此时,如果客户端是无法直接连接的,必须加上-p和端口号才能登录
[00:33:26 root@Centos7 data]#ssh 10.0.0.8
ssh: connect to host 10.0.0.8 port 22: Connection refused
[00:33:31 root@Centos7 data]#ssh -p 6666 10.0.0.8
root@10.0.0.8's password:
Last login: Wed Sep 28 00:33:20 2022 from 10.0.0.7
[00:33:40 root@Centos8 ~]#
2.7 ssh 强制为终端分配 多级跳板登录
强制伪终端分配这一功能有点类似于跳板,比如客户端A想去登录服务器端C,而C屏蔽掉了A的ip,A是无法直接登录C的。如果此时中间有一个B的存在,A能够正常连接到B,并且B能够连接到C,则能实现A→B→C的登录。
笔者这边准备三台虚拟机,ip地址分别为10.0.0.7/8/18,7/8/18,分别代表A B C,
[00:43:27 root@Centos8 ~]#hostname -I
10.0.0.18
[00:43:37 root@Centos8 ~]#iptables -A INPUT -s 10.0.0.7 -j REJECT
[00:44:15 root@Centos8 ~]#
[00:44:24 root@Centos7 data]#hostname -I
10.0.0.7
[00:44:31 root@Centos7 data]#ssh 10.0.0.18
ssh: connect to host 10.0.0.18 port 22: Connection refused
[00:44:43 root@Centos7 data]#
[00:44:43 root@Centos7 data]#ssh -p 6666 10.0.0.8
root@10.0.0.8's password:
Last login: Wed Sep 28 00:33:40 2022 from 10.0.0.7
[00:45:57 root@Centos8 ~]#ssh 10.0.0.18
The authenticity of host '10.0.0.18 (10.0.0.18)' can't be established.
ECDSA key fingerprint is SHA256:zFPiGGoB0qHOcNRwtYgZxl3Fqd2yxGyCDKw3qX6fIBQ.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.0.0.18' (ECDSA) to the list of known hosts.
root@10.0.0.18's password:
Last login: Wed Sep 28 00:43:27 2022 from 10.0.0.1
[00:46:12 root@Centos8 ~]#hostname -I
10.0.0.18
[00:46:23 root@Centos8 ~]#
以上是分步跳板登录目标主机,当然这样的登录方式会比较麻烦,我们可以使用-t,直接一条命令实现登录,即执行 ssh -t 10.0.0.8 ssh 10.0.0.18 命令,最后一次跳板不需要加 -t。
[00:49:06 root@Centos7 data]#ssh -t 10.0.0.8 ssh 10.0.0.18
ssh: connect to host 10.0.0.8 port 22: Connection refused
[00:49:22 root@Centos7 data]#ssh -p 6666 -t 10.0.0.8 ssh 10.0.0.18
root@10.0.0.8's password:
root@10.0.0.18's password:
Last login: Wed Sep 28 00:46:12 2022 from 10.0.0.8
[00:49:48 root@Centos8 ~]#hostname -I
10.0.0.18
[00:50:10 root@Centos8 ~]#
2.8 scp和rsync,sftp
scp命令是ssh客户端常用的命令之一,它可以帮助我们实现远程拷贝功能。笔者这边准备两台虚拟机,分别名为Centos7和Centos8,Centos7将/data/test下的三个文件远程拷贝给Centos8,执行 scp -r /data/test/ 10.0.0.8:/data 命令,此时Centos8查看/data目录,发现有了/test文件夹,并且里面包含了指定文件,scp操作同文件名同路径时会覆盖目标旧文件。
[21:10:06 root@Centos8 data]#ls
app.crt app.key app1 get_release_pkg.sh
[21:10:06 root@Centos8 data]#
[21:08:53 root@Centos7 data]#cd test
[21:08:57 root@Centos7 test]#ls
a.txt b.txt c.txt
[21:08:57 root@Centos7 test]#
[21:13:16 root@Centos7 ~]#scp -P 6666 -r /data/test 10.0.0.8:/data
root@10.0.0.8's password:
a.txt 100% 0 0.0KB/s 00:00
b.txt 100% 0 0.0KB/s 00:00
c.txt 100% 0 0.0KB/s 00:00
[21:13:48 root@Centos7 ~]#
[21:10:06 root@Centos8 data]#ls
app.crt app.key app1 get_release_pkg.sh test
[21:13:55 root@Centos8 data]#cd test
[21:14:32 root@Centos8 test]#ls
a.txt b.txt c.txt
[21:14:33 root@Centos8 test]#
如果是在生产中,文件内容比较大,使用scp来更新数据会比较麻烦,此时就可以用上rsync命令。rsync基于增量数据同步,即只复制两方不同的文件。执行 rsync 命令,对比Centos7和接收者Centos8对应文件夹下的文件生成时间,可见是相同的
[21:15:48 root@Centos8 data]#ll test
total 0
-rw-r--r-- 1 root root 0 Sep 28 21:15 a.txt
-rw-r--r-- 1 root root 0 Sep 28 21:15 b.txt
-rw-r--r-- 1 root root 0 Sep 28 21:15 c.txt
[21:21:36 root@Centos8 data]#
[21:21:14 root@Centos7 ~]#ll /data/test/
总用量 4
-rw-r--r-- 1 root root 6 9月 28 21:21 a.txt
-rw-r--r-- 1 root root 0 9月 28 21:07 b.txt
-rw-r--r-- 1 root root 0 9月 28 21:07 c.txt
[21:21:25 root@Centos7 ~]#
[21:39:16 root@Centos7 ~]#rsync -e 'ssh -p 6666' -av /data/test 10.0.0.8:/data
root@10.0.0.8's password:
sending incremental file list
test/
test/a.txt
test/b.txt
test/c.txt
sent 251 bytes received 77 bytes 93.71 bytes/sec
total size is 6 speedup is 0.02
[21:40:20 root@Centos7 ~]#
[21:39:45 root@Centos8 data]#ll test
total 4
-rw-r--r-- 1 root root 6 Sep 28 21:21 a.txt
-rw-r--r-- 1 root root 0 Sep 28 21:07 b.txt
-rw-r--r-- 1 root root 0 Sep 28 21:07 c.txt
[21:40:44 root@Centos8 data]#
可见,rsync在远程数据更新时确实比scp更实用。当然,如果我们在本地主机上删除了某个文件,要想保证对方也同步删除,还需加上--delete。我们再对b.txt进行更改,同时执行 rsync -av --delete /data/test 10.0.0.8:/data 命令,显示删除了对方的a.txt,同时对b.txt进行了数据更新
[21:39:45 root@Centos8 data]#ll test
total 4
-rw-r--r-- 1 root root 6 Sep 28 21:21 a.txt
-rw-r--r-- 1 root root 0 Sep 28 21:07 b.txt
-rw-r--r-- 1 root root 0 Sep 28 21:07 c.txt
[21:40:20 root@Centos7 ~]#rm -rf /data/test/a.txt
[21:50:27 root@Centos7 ~]#vim /data/test/b.txt
[21:50:43 root@Centos7 ~]#rsync -e 'ssh -p 6666' -av --delete /data/test 10.0.0.8:/data
root@10.0.0.8's password:
sending incremental file list
deleting test/a.txt
test/
test/b.txt
sent 157 bytes received 53 bytes 84.00 bytes/sec
total size is 5 speedup is 0.02
[21:51:06 root@Centos7 ~]#
[21:40:44 root@Centos8 data]#ll test
total 4
-rw-r--r-- 1 root root 5 Sep 28 21:50 b.txt
-rw-r--r-- 1 root root 0 Sep 28 21:07 c.txt
[21:51:14 root@Centos8 data]#
sftp是一种交互式文件传输工具,用法和传统的ftp工具相似,利用ssh服务实现安全的文件上传和下载。执行 sftp 10.0.0.8 命令,远程登录操作,可以查看主机相关文件等,如果是查看本机情况,需要在命令前加!,同时可实现上传和下载等功能,使用ls cd mkdir rmdir pwd get put等指令,可用?或help获取帮助信息。
sftp [user@]host
sftp> help
[21:59:20 root@Centos7 ~]#sftp -P 6666 10.0.0.8
root@10.0.0.8's password:
Connected to 10.0.0.8.
sftp> ls
anaconda-ks.cfg centos8mini_new_set.sh get_release_pkg.sh user.sh user.txt
sftp> cd /data
sftp> ls
app.crt app.key app1 get_release_pkg.sh test
sftp> cd /data/
sftp> ls
app.crt app.key app1 get_release_pkg.sh test
sftp> get app.crt
Fetching /data/app.crt to app.crt
/data/app.crt 100% 778 227.0KB/s 00:00
sftp> exit
[22:01:06 root@Centos7 ~]#ls
10.0.0.24 10.0.0.8 anaconda-ks.cfg app.crt centos7mini_new_set.sh dos_attack.sh get_release_pkg.sh root@Centos8
[22:01:07 root@Centos7 ~]#ll
总用量 44
-rwxr-xr-x 1 root root 713 8月 24 23:19 10.0.0.24
-rwxr-xr-x 1 root root 713 8月 24 23:18 10.0.0.8
-rw-------. 1 root root 1584 7月 29 22:07 anaconda-ks.cfg
-rw-r--r-- 1 root root 778 9月 28 22:01 app.crt
-rwxr-xr-x 1 root root 713 8月 24 23:17 root@Centos8
[22:01:16 root@Centos7 ~]#
2.9 基于key验证
由于不同的主机之间实现远程登录需要输入密码,这种情况有时是不安全的,基于key验证是在客户端上生成公钥私钥对,同时将自己的公钥放入目标远程主机中,从而实现免密登录。只要客户端的私钥不被偷走,就不会产生安全问题,同时私钥是可以再加密的,中间人偷走了也打不开。笔者这里以Centos7主机为客户端,清空之前实验留下的 .ssh目录下的数据,执行 ssh-keygen 命令即可生成公钥私钥对,默认的为rsa算法,如果想填其他的也可以,因为是实验,笔者这边就不对私钥进行加密了。此时会自动生成.ssh目录,并将id_rsa.pub和id_rsa放在里面
[22:01:16 root@Centos7 ~]#ls -a
. 10.0.0.8 .bash_history .bashrc dos_attack.sh root@Centos8 .viminfo
.. anaconda-ks.cfg .bash_logout centos7mini_new_set.sh get_release_pkg.sh .ssh .vimrc
10.0.0.24 app.crt .bash_profile .cshrc .pki .tcshrc
[22:24:01 root@Centos7 ~]#rm -rf .ssh
[22:24:20 root@Centos7 ~]#ls
10.0.0.24 10.0.0.8 anaconda-ks.cfg app.crt centos7mini_new_set.sh dos_attack.sh get_release_pkg.sh root@Centos8
[22:24:22 root@Centos7 ~]#ls -a
. 10.0.0.8 .bash_history .bashrc dos_attack.sh root@Centos8 .vimrc
.. anaconda-ks.cfg .bash_logout centos7mini_new_set.sh get_release_pkg.sh .tcshrc
10.0.0.24 app.crt .bash_profile .cshrc .pki .viminfo
[22:24:24 root@Centos7 ~]#ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):
Created directory '/root/.ssh'.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:UVWzgBw35Qr2DeexCW2n/cSbAJj2ypAV8KQYdfiAC60 root@Centos7
The key's randomart image is:
+---[RSA 2048]----+
| ..ooo=o+=o+ |
| . ooo=.*. = o |
| o...+*o.o B .|
| E . ++.o.O O |
| oS .o.* +|
| o . ..+|
| o o.|
| |
| |
+----[SHA256]-----+
[22:25:16 root@Centos7 ~]#ls -a
. 10.0.0.8 .bash_history .bashrc dos_attack.sh root@Centos8 .viminfo
.. anaconda-ks.cfg .bash_logout centos7mini_new_set.sh get_release_pkg.sh .ssh .vimrc
10.0.0.24 app.crt .bash_profile .cshrc .pki .tcshrc
[22:25:23 root@Centos7 ~]#
我们将生成的公钥发送到目标主机中,即执行 ssh-copy-id -i .ssh/id_rsa.pub 10.0.0.8 命令,这一步操作时还是要进行手动确认的,此时目标主机Centos8中会自动生成.ssh目录,并将Centos7的公钥放入到.ssh目录下的authorized_keys中
[22:28:05 root@Centos7 ~]#ssh-copy-id -p 6666 -i .ssh/id_rsa.pub 10.0.0.8
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: ".ssh/id_rsa.pub"
The authenticity of host '[10.0.0.8]:6666 ([10.0.0.8]:6666)' can't be established.
ECDSA key fingerprint is SHA256:K526dKDqAS4LHOwztpl8+AAlfFFm6ANjeN3eMXnrsqc.
ECDSA key fingerprint is MD5:c4:c9:bf:ef:73:f9:93:c6:d1:14:fa:3a:e7:16:de:e4.
Are you sure you want to continue connecting (yes/no)? yes
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
root@10.0.0.8's password:
Number of key(s) added: 1
Now try logging into the machine, with: "ssh -p '6666' '10.0.0.8'"
and check to make sure that only the key(s) you wanted were added.
[22:28:28 root@Centos7 ~]#cat .ssh/id_rsa.pub
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDVvO4ImjwsrpNsoCDy+pWH4cUNO9+roUrEEISvzmb9LnlAIMj9QRY+/9+svqPXMFBcsid/8nkEZ5jBmkKKYq3ulESYScBdVbkZe71fsI4Saes8j3VxM2lfnFrhr5SQ10j5CTXazXQzhvh1jZ/1h2FJYQ1pqkVL5jQAP9xNJ9LCRU/zCHxEpz0FdpqBQ6+XmI1NbYoUQp2Vy+nA6FskvybiNq6LZZP4Tuxw2agVWNb8i0OlhkuPRqedHQMkPCSX4rDi/oubDUXKKOFL2kOVggnpL7lZ7jLRB3xRR5T6LRGZ6aXBiO4ewFih3GlvtmxMO+MFQUwH0rXbzQoZoL1Ob1X3 root@Centos7
[22:29:14 root@Centos7 ~]#
[22:30:07 root@Centos8 .ssh]#cat authorized_keys
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDVvO4ImjwsrpNsoCDy+pWH4cUNO9+roUrEEISvzmb9LnlAIMj9QRY+/9+svqPXMFBcsid/8nkEZ5jBmkKKYq3ulESYScBdVbkZe71fsI4Saes8j3VxM2lfnFrhr5SQ10j5CTXazXQzhvh1jZ/1h2FJYQ1pqkVL5jQAP9xNJ9LCRU/zCHxEpz0FdpqBQ6+XmI1NbYoUQp2Vy+nA6FskvybiNq6LZZP4Tuxw2agVWNb8i0OlhkuPRqedHQMkPCSX4rDi/oubDUXKKOFL2kOVggnpL7lZ7jLRB3xRR5T6LRGZ6aXBiO4ewFih3GlvtmxMO+MFQUwH0rXbzQoZoL1Ob1X3 root@Centos7
[22:30:14 root@Centos8 .ssh]#
[22:31:08 root@Centos7 ~]#ssh -p 6666 10.0.0.8
Last login: Wed Sep 28 21:12:33 2022 from 10.0.0.7
[22:31:17 root@Centos8 ~]#hostname -I
10.0.0.8
[22:31:24 root@Centos8 ~]#
2.10 自动登录ssh工具 sshpass
sshpass是一款自动登录ssh工具,允许用-p参数指明明文mi码直接登录远程服务器。sshpass由epel源提供。
sshpass
用于非
交互
SSH
的密码验证,一般用在
sh
脚本中,无须再次输入密码(本机
known_hosts
文件中有的主机才能
生效)。它允许你用
-p
参数指定明文密码,然后直接登录远程服务器,它支持密码从命令行、文件、环
境变量中读取。
[22:46:15 root@Centos7 ~]#sshpass -p 123 ssh -p 6666 -o StrictHostKeyChecking=no root@10.0.0.8
Last login: Wed Sep 28 22:31:17 2022 from 10.0.0.7
[22:46:40 root@Centos8 ~]#hostname -I
10.0.0.8
[22:46:54 root@Centos8 ~]#exit
logout
Connection to 10.0.0.8 closed.
[22:46:59 root@Centos7 ~]#
[22:54:36 root@Centos7 ~]#sshpass -p 123 ssh -o StrictHostKeyChecking=no root@10.0.0.18
Warning: Permanently added '10.0.0.18' (ECDSA) to the list of known hosts.
Last login: Wed Sep 28 22:52:42 2022 from 10.0.0.8
[22:56:29 root@Centos8 ~]#hostname -I
10.0.0.18
[22:56:39 root@Centos8 ~]#exit
logout
Connection to 10.0.0.18 closed.
[22:56:47 root@Centos7 ~]#sshpass -p 123 ssh-copy-id -i .ssh/id_rsa.pub -o StrictHostKeyChecking=no root@10.0.0.18
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: ".ssh/id_rsa.pub"
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
Number of key(s) added: 1
Now try logging into the machine, with: "ssh -o 'StrictHostKeyChecking=no' 'root@10.0.0.18'"
and check to make sure that only the key(s) you wanted were added.
[22:58:39 root@Centos7 ~]#cat .ssh/id_rsa.pub
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDVvO4ImjwsrpNsoCDy+pWH4cUNO9+roUrEEISvzmb9LnlAIMj9QRY+/9+svqPXMFBcsid/8nkEZ5jBmkKKYq3ulESYScBdVbkZe71fsI4Saes8j3VxM2lfnFrhr5SQ10j5CTXazXQzhvh1jZ/1h2FJYQ1pqkVL5jQAP9xNJ9LCRU/zCHxEpz0FdpqBQ6+XmI1NbYoUQp2Vy+nA6FskvybiNq6LZZP4Tuxw2agVWNb8i0OlhkuPRqedHQMkPCSX4rDi/oubDUXKKOFL2kOVggnpL7lZ7jLRB3xRR5T6LRGZ6aXBiO4ewFih3GlvtmxMO+MFQUwH0rXbzQoZoL1Ob1X3 root@Centos7
[22:59:11 root@Centos7 ~]#
[22:58:29 root@Centos8 ~]#ls -a
. .bash_history .bash_profile .config .tcshrc .vimrc
.. .bash_logout .bashrc .cshrc .viminfo anaconda-ks.cfg
[22:58:31 root@Centos8 ~]#ls -a
. .bash_history .bash_profile .config .ssh .viminfo anaconda-ks.cfg
.. .bash_logout .bashrc .cshrc .tcshrc .vimrc
[22:58:44 root@Centos8 ~]#cat .ssh/authorized_keys
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDVvO4ImjwsrpNsoCDy+pWH4cUNO9+roUrEEISvzmb9LnlAIMj9QRY+/9+svqPXMFBcsid/8nkEZ5jBmkKKYq3ulESYScBdVbkZe71fsI4Saes8j3VxM2lfnFrhr5SQ10j5CTXazXQzhvh1jZ/1h2FJYQ1pqkVL5jQAP9xNJ9LCRU/zCHxEpz0FdpqBQ6+XmI1NbYoUQp2Vy+nA6FskvybiNq6LZZP4Tuxw2agVWNb8i0OlhkuPRqedHQMkPCSX4rDi/oubDUXKKOFL2kOVggnpL7lZ7jLRB3xRR5T6LRGZ6aXBiO4ewFih3GlvtmxMO+MFQUwH0rXbzQoZoL1Ob1X3 root@Centos7
[22:58:56 root@Centos8 ~]#hostname -I
10.0.0.18
[22:59:11 root@Centos7 ~]#ssh 10.0.0.18
Last login: Wed Sep 28 22:56:29 2022 from 10.0.0.7
[23:03:24 root@Centos8 ~]#hostname -I
10.0.0.18
[23:03:40 root@Centos8 ~]#exit
logout
Connection to 10.0.0.18 closed.
[23:03:45 root@Centos7 ~]#hostname -I
10.0.0.7
[23:03:49 root@Centos7 ~]#
3、总结sshd服务常用参数。
服务器端:sshd
服务器端的配置文件: /etc/ssh/sshd_config
服务器端的配置文件帮助:man 5 sshd_config
3.1 常用参数:
Port
#
生产建议修改
ListenAddress ip
LoginGraceTime 2m
PermitRootLogin
yes
#
默认
ubuntu
不允许
root
远程
ssh
登录
StrictModes
yes
#
检查
.ssh/
文件的所有者,权限等
MaxAuthTries
6
#pecifies the maximum number of authentication
attempts permitted per connection. Once the number of failures reaches half this
value, additional failures are logged. The default is 6.
MaxSessions
10
#
同一个连接最大会话
PubkeyAuthentication
yes
#
基于
key
验证
PermitEmptyPasswords no
#
空密码连接
PasswordAuthentication
yes
#
基于用户名和密码连接
GatewayPorts no
ClientAliveInterval
10
#
单位
:
秒
ClientAliveCountMax
3
#
默认
3
UseDNS
yes
#
提高速度可改为
no
GSSAPIAuthentication
yes
#
提高速度可改为
no
MaxStartups
#
未认证连接最大值,默认值
10
Banner /path/file
#
以下可以限制可登录用户的办法:
AllowUsers user1 user2 user3
DenyUsers user1 user2 user3
AllowGroups g1 g2
DenyGroups g1 g2
3.2 设置 ssh 空闲60s 自动注销
Vim /etc/ssh/sshd_config
ClientAliveInterval
60
ClientAliveCountMax
0
Service sshd
restart
#
注意:新开一个连接才有效
3.3 解决ssh登录缓慢的问题
vim
/etc/ssh/sshd_config
UseDNS no
GSSAPIAuthentication no
systemctl
restart
sshd
在
ubuntu
上启用
root
远程
ssh
登录
#
修改
sshd
服务配置文件
vim
/etc/ssh/sshd_config
#PermitRootLogin prohibit-password
注释掉此行
PermitRootLogin
yes
修改为下面形式
systemctl
restart
sshd
3.4 ssh服务的最佳实践
建议使用非默认端口
禁止使用
protocol version 1
限制可登录用户
设定空闲会话超时时长
利用防火墙设置
ssh
访问策略
仅监听特定的
IP
地址
基于口令认证时,使用强密码策略,比如:
tr -dc A-Za-z0-9_ < /dev/urandom | head -c 12|
xargs
使用基于密钥的认证
禁止使用空密码
禁止
root
用户直接登录
限制
ssh
的访问频度和并发在线数
经常分析日志
4、搭建dhcp服务,实现ip地址申请分发
33 [2022-09-30 23:31:03] [root] [10.0.0.1]: yum install -y dhcp-server
34 [2022-09-30 23:31:41] [root] [10.0.0.1]: rpm -ql dhcp-server
35 [2022-09-30 23:33:03] [root] [10.0.0.1]: cat /usr/lib/systemd/system/dhcpd.service
36 [2022-09-30 23:34:16] [root] [10.0.0.1]: systemctl status dhcpd
37 [2022-09-30 23:34:43] [root] [10.0.0.1]: systemctl enable --now dhcpd
38 [2022-09-30 23:34:58] [root] [10.0.0.1]: systemctl status dhcpd
39 [2022-09-30 23:35:32] [root] [10.0.0.1]: cat /var/log/messages
40 [2022-09-30 23:36:25] [root] [10.0.0.1]: rpm -ql dhcp-server
41 [2022-09-30 23:36:51] [root] [10.0.0.1]: cat /etc/dhcp/dhcpd.conf
42 [2022-09-30 23:39:09] [root] [10.0.0.1]: cp /usr/share/doc/dhcp-server/dhcpd.conf.example
43 [2022-09-30 23:39:40] [root] [10.0.0.1]: cp /usr/share/doc/dhcp-server/dhcpd.conf.example /etc/dhcp/dhcpd.conf
44 [2022-09-30 23:58:06] [root] [10.0.0.1]: vim /etc/dhcp/dhcpd.conf
#修改/etc/dhcp/dhcpd.conf 配置文件第27行的子网段为10.0.0.0(意义是给本网段提供服务),可开启dhcpd服务
[00:03:49 root@Centos8 ~]#systemctl start dhcpd
[00:04:13 root@Centos8 ~]#systemctl status dhcpd
● dhcpd.service - DHCPv4 Server Daemon
Loaded: loaded (/usr/lib/systemd/system/dhcpd.service; enabled; vendor preset: disabled)
Active: active (running) since Sat 2022-10-01 00:04:13 CST; 5s ago
Docs: man:dhcpd(8)
man:dhcpd.conf(5)
Main PID: 3911597 (dhcpd)
Status: "Dispatching packets..."
Tasks: 1 (limit: 12253)
Memory: 5.4M
CGroup: /system.slice/dhcpd.service
└─3911597 /usr/sbin/dhcpd -f -cf /etc/dhcp/dhcpd.conf -user dhcpd -group dhcpd --no-pid
Oct 01 00:04:13 Centos8 dhcpd[3911597]: Source compiled to use binary-leases
Oct 01 00:04:13 Centos8 dhcpd[3911597]: Wrote 0 class decls to leases file.
Oct 01 00:04:13 Centos8 dhcpd[3911597]: Wrote 0 deleted host decls to leases file.
Oct 01 00:04:13 Centos8 dhcpd[3911597]: Wrote 0 new dynamic host decls to leases file.
Oct 01 00:04:13 Centos8 dhcpd[3911597]: Wrote 0 leases to leases file.
Oct 01 00:04:13 Centos8 dhcpd[3911597]: Listening on LPF/eth0/00:0c:29:b3:2e:4a/10.0.0.0/24
Oct 01 00:04:13 Centos8 systemd[1]: Started DHCPv4 Server Daemon.
Oct 01 00:04:13 Centos8 dhcpd[3911597]: Sending on LPF/eth0/00:0c:29:b3:2e:4a/10.0.0.0/24
Oct 01 00:04:13 Centos8 dhcpd[3911597]: Sending on Socket/fallback/fallback-net
Oct 01 00:04:13 Centos8 dhcpd[3911597]: Server starting service.
#监听在67端口
[00:04:18 root@Centos8 ~]#ss -ntul
Netid State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
udp UNCONN 0 0 0.0.0.0:67 0.0.0.0:*
udp UNCONN 0 0 0.0.0.0:111 0.0.0.0:*
udp UNCONN 0 0 127.0.0.1:323 0.0.0.0:*
udp UNCONN 0 0 [::]:111 [::]:*
udp UNCONN 0 0 [::1]:323 [::]:*
tcp LISTEN 0 128 0.0.0.0:111 0.0.0.0:*
tcp LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
tcp LISTEN 0 128 [::]:111 [::]:*
tcp LISTEN 0 128 [::]:22 [::]:*
#改一下第8行的DNS,和第10 11行的租期。
# option definitions common to all supported networks...
option domain-name "example.org";
option domain-name-servers 180.76.76.76, 223.5.5.5;
default-lease-time 86400;
max-lease-time 106400;
# Use this to enble / disable dynamic dns updates globally.
#ddns-update-style none;
#修改一下第27 28 29行的子网 网段和网关。保存后再重启服务
subnet 10.0.0.0 netmask 255.255.255.0 {
range 10.0.0.150 10.0.0.180;
option routers 10.0.0.2;
next-server 10.0.0.18;
filename "pxelinux.0";
}
#另外再加next-server和filename行是后期方便TFTP开启和寻找下载文件。
[00:06:48 root@Centos8 ~]#systemctl restart dhcpd
[00:15:34 root@Centos8 ~]#systemctl status dhcpd
● dhcpd.service - DHCPv4 Server Daemon
Loaded: loaded (/usr/lib/systemd/system/dhcpd.service; enabled; vendor preset: disabled)
Active: active (running) since Sat 2022-10-01 00:15:34 CST; 3s ago
Docs: man:dhcpd(8)
man:dhcpd.conf(5)
Main PID: 3956109 (dhcpd)
Status: "Dispatching packets..."
Tasks: 1 (limit: 12253)
Memory: 5.4M
CGroup: /system.slice/dhcpd.service
└─3956109 /usr/sbin/dhcpd -f -cf /etc/dhcp/dhcpd.conf -user dhcpd -group dhcpd --no-pid
Oct 01 00:15:34 Centos8 dhcpd[3956109]: Source compiled to use binary-leases
Oct 01 00:15:34 Centos8 dhcpd[3956109]: Wrote 0 class decls to leases file.
Oct 01 00:15:34 Centos8 dhcpd[3956109]: Wrote 0 deleted host decls to leases file.
Oct 01 00:15:34 Centos8 dhcpd[3956109]: Wrote 0 new dynamic host decls to leases file.
Oct 01 00:15:34 Centos8 dhcpd[3956109]: Wrote 0 leases to leases file.
Oct 01 00:15:34 Centos8 dhcpd[3956109]: Listening on LPF/eth0/00:0c:29:b3:2e:4a/10.0.0.0/24
Oct 01 00:15:34 Centos8 dhcpd[3956109]: Sending on LPF/eth0/00:0c:29:b3:2e:4a/10.0.0.0/24
Oct 01 00:15:34 Centos8 dhcpd[3956109]: Sending on Socket/fallback/fallback-net
Oct 01 00:15:34 Centos8 dhcpd[3956109]: Server starting service.
Oct 01 00:15:34 Centos8 systemd[1]: Started DHCPv4 Server Daemon.
[23:32:33 root@Centos7 ~]#ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
link/ether 00:0c:29:17:e7:55 brd ff:ff:ff:ff:ff:ff
inet 10.0.0.17/24 brd 10.0.0.255 scope global noprefixroute eth0
valid_lft forever preferred_lft forever
inet6 fe80::20c:29ff:fe17:e755/64 scope link
valid_lft forever preferred_lft forever
[00:20:12 root@Centos7 ~]#vim /etc/sysconfig/network-scripts/ifcfg-eth0
#修改eth0网卡内容为
DEVICE=eth0
BOOTPROTO=dhcp
#保存文件后,在重启机器,ip已变为150.
[00:28:01 root@Centos7 ~]#ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
link/ether 00:0c:29:17:e7:55 brd ff:ff:ff:ff:ff:ff
inet 10.0.0.150/24 brd 10.0.0.255 scope global noprefixroute dynamic eth0
valid_lft 86306sec preferred_lft 86306sec
inet6 fe80::20c:29ff:fe17:e755/64 scope link
valid_lft forever preferred_lft forever
扫一扫
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
