The Eighth week (Lucklyzpp)
All human action springs from "desire": if you do not want something, it can never appear in reality. Once you have an idea, keep at it, and you will eventually see the dawn.
1. Create a private CA and apply for a certificate.
[13:27:23 root@lucklyzpp8 ~]#mkdir -pv /etc/pki/CA/{certs,crl,newcerts,private}
mkdir: 已创建目录 '/etc/pki/CA'
mkdir: 已创建目录 '/etc/pki/CA/certs'
mkdir: 已创建目录 '/etc/pki/CA/crl'
mkdir: 已创建目录 '/etc/pki/CA/newcerts'
mkdir: 已创建目录 '/etc/pki/CA/private'
[14:22:01 root@lucklyzpp8 ~]#tree /etc/pki/CA/
/etc/pki/CA/
├── certs
├── crl
├── newcerts
└── private
[14:22:10 root@lucklyzpp8 ~]#touch /etc/pki/CA/index.txt
[14:22:20 root@lucklyzpp8 ~]##echo 0F > /etc/pki/CA/serial
[14:22:28 root@lucklyzpp8 ~]##openssl ca -in /data/app1/app1.csr -out
[14:23:01 root@lucklyzpp8 ~]##openssl ca -in /data/app1/app1.csr -out /etc/pk
pkcs11/ pki/
[14:23:01 root@lucklyzpp8 ~]##openssl ca -in /data/app1/app1.csr -out /etc/pki/CA/certs/app1.crt -days 1000
Create the CA's private key
[14:24:21 root@lucklyzpp8 ~]#cd /etc/pki/CA/
[14:24:30 root@lucklyzpp8 CA]#(umask 066; openssl genrsa -out private/cakey.pem 2048)
[14:24:39 root@lucklyzpp8 CA]#tree
.
├── certs
├── crl
├── index.txt
├── newcerts
└── private
    └── cakey.pem
[14:24:51 root@lucklyzpp8 CA]#ll private/
总用量 4
-rw------- 1 root root 1679 10月 29 14:24 cakey.pem
Issue the CA a self-signed certificate
[14:25:18 root@lucklyzpp8 CA]#openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -days 3650 -out /etc/pki/CA/cacert.pem
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:zhengzhou
Locality Name (eg, city) [Default City]:zhengzhou
Organization Name (eg, company) [Default Company Ltd]:zhengpp
Organizational Unit Name (eg, section) []:devops
Common Name (eg, your name or your server's hostname) []:ca.zheng.org
Email Address []:admin@zheng.org
[14:27:29 root@lucklyzpp8 CA]#tree
.
├── cacert.pem
├── certs
├── crl
├── index.txt
├── newcerts
└── private
    └── cakey.pem
[14:27:33 root@lucklyzpp8 CA]#ll
总用量 4
-rw-r--r-- 1 root root 1448 10月 29 14:27 cacert.pem
drwxr-xr-x 2 root root    6 10月 29 14:22 certs
drwxr-xr-x 2 root root    6 10月 29 14:22 crl
-rw-r--r-- 1 root root    0 10月 29 14:22 index.txt
drwxr-xr-x 2 root root    6 10月 29 14:22 newcerts
drwxr-xr-x 2 root root   23 10月 29 14:24 private
[14:27:51 root@lucklyzpp8 CA]##openssl x509 -in /etc/pki/CA/cacert.pem -noout -text
[14:28:06 root@lucklyzpp8 CA]#sz cacert.pem
The user generates a private key and a certificate request
[14:35:39 root@lucklyzpp8 CA]#mkdir /data/app1
[14:35:51 root@lucklyzpp8 CA]#(umask 066; openssl genrsa -out /data/app1/app1.key 2048)
Generating RSA private key, 2048 bit long modulus (2 primes)
....................................................................+++++
Generate the certificate signing request file
[14:51:13 root@lucklyzpp8 app1]#openssl ca -in /data/app1/app1.csr -out /etc/pki/CA/certs/app1.crt
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 15 (0xf)
        Validity
            Not Before: Oct 29 06:54:21 2021 GMT
            Not After : Oct 29 06:54:21 2022 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = zhengzhou
            organizationName          = zhengpp
            organizationalUnitName    = devops
            commonName                = app1.zheng.org
            emailAddress              = root@zheng.org
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                07:DE:7C:D0:98:A3:3E:31:08:96:88:D0:D2:9D:74:E7:01:4F:96:CC
            X509v3 Authority Key Identifier:
                keyid:F2:4E:BC:7C:F6:54:ED:61:27:5E:0A:E6:83:D7:26:40:7C:12:78:31
Certificate is to be certified until Oct 29 06:54:21 2022 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
[14:55:21 root@lucklyzpp8 ~]##openssl ca -in /data/app1/app1.csr -out /etc/pki/CA/certs/app1.crt -days 1000
[14:56:01 root@lucklyzpp8 ~]#tree /etc/pki/CA/
/etc/pki/CA/
├── cacert.pem
├── certs
│   └── app1.crt
├── crl
├── index.txt
├── index.txt.attr
├── index.txt.old
├── newcerts
│   └── 0F.pem
├── private
│   └── cakey.pem
├── serial
└── serial.old
4 directories, 9 files
[14:56:40 root@lucklyzpp8 ~]#cat /etc/pki/CA/certs/app1.crt
[14:57:07 root@lucklyzpp8 ~]#openssl x509 -in /etc/pki/CA/certs/app1.crt -noout -text
[14:57:44 root@lucklyzpp8 ~]#openssl x509 -in /etc/pki/CA/certs/app1.crt -noout -issuer
issuer=C = CN, ST = zhengzhou, L = zhengzhou, O = zhengpp, OU = devops, CN = ca.zheng.org, emailAddress = admin@zheng.org
[14:57:46 root@lucklyzpp8 ~]#openssl x509 -in /etc/pki/CA/certs/app1.crt -noout -subject
subject=C = CN, ST = zhengzhou, O = zhengpp, OU = devops, CN = app1.zheng.org, emailAddress = root@zheng.org
[14:58:17 root@lucklyzpp8 ~]#openssl x509 -in /etc/pki/CA/certs/app1.crt -noout -serial
serial=0F
# Verify the validity of the certificate with the given serial number
[14:58:53 root@lucklyzpp8 ~]#openssl ca -status 0F
[14:58:59 root@lucklyzpp8 ~]#cat /etc/pki/CA/index.txt
[14:59:19 root@lucklyzpp8 ~]#cat /etc/pki/CA/serial
[14:59:46 root@lucklyzpp8 ~]#cat /etc/pki/CA/serial.old
Send the certificate files to the client for use
[15:01:56 root@lucklyzpp8 ~]#cp /etc/pki/CA/certs/app1.crt /data/app1/
[15:02:05 root@lucklyzpp8 ~]#tree /data/app1/
/data/app1/
├── app1.crt
├── app1.csr
└── app1.key
[15:04:43 root@lucklyzpp8 data]#sz app1/app1.crt
Certificate revocation
[15:14:57 root@lucklyzpp8 data]#openssl ca -revoke /etc/pki/CA/newcerts/0F.pem
[15:42:23 root@lucklyzpp8 data]#cat /etc/pki/CA/index.txt
R 221029065421Z 211029074223Z 0F unknown /C=CN/ST=zhengzhou/O=zhengpp/OU=devops/CN=app1.zheng.org/emailAddress=root@zheng.org
Generate the certificate revocation list file
[15:43:51 root@lucklyzpp8 data]#echo 01 > /etc/pki/CA/crlnumber
[15:44:48 root@lucklyzpp8 data]#openssl ca -gencrl -out /etc/pki/CA/crl.pem
Using configuration from /etc/pki/tls/openssl.cnf
[15:44:52 root@lucklyzpp8 data]#cat /etc/pki/CA/crlnumber
[15:45:06 root@lucklyzpp8 data]#cat /etc/pki/CA/crl.pem
[15:47:28 root@lucklyzpp8 data]#sz /etc/pki/CA/crl.pem
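The whole lifecycle of section 1 (self-signed CA, signing the request with openssl ca, revoking it and generating a CRL) as an added example that is not the original post's session, run in a throwaway directory so it can be repeated. It adds the two checks an operator wants after each step: openssl verify against the CA before revocation, and openssl verify -crl_check against the CRL after it. The directory, the names and the minimal openssl config are all constructed for this demo.

```shell
# Added example (not the original post's session): run the whole CA lifecycle
# above in a temp dir and apply the checks a CA operator should run. All paths,
# names and the minimal openssl config are constructed for this demo.
demo_ca_lifecycle() {
  CADIR=$(mktemp -d); export CADIR        # read by $ENV::CADIR in the config below
  mkdir -p "$CADIR/newcerts" "$CADIR/private"
  touch "$CADIR/index.txt"; echo 0F > "$CADIR/serial"; echo 01 > "$CADIR/crlnumber"
  cat > "$CADIR/ca.cnf" <<'EOF'
[ ca ]
default_ca       = mini_ca
[ mini_ca ]
dir              = $ENV::CADIR
database         = $dir/index.txt
new_certs_dir    = $dir/newcerts
certificate      = $dir/cacert.pem
private_key      = $dir/private/cakey.pem
serial           = $dir/serial
crlnumber        = $dir/crlnumber
default_md       = sha256
default_days     = 365
default_crl_days = 30
policy           = ca_policy
[ ca_policy ]
commonName       = supplied
[ req ]
distinguished_name = req_dn
x509_extensions  = v3_ca
[ req_dn ]
[ v3_ca ]
basicConstraints = critical,CA:TRUE
EOF
  # CA key and self-signed root, then the client's key and CSR, signed by "openssl ca"
  (umask 066; openssl genrsa -out "$CADIR/private/cakey.pem" 2048 2>/dev/null)
  openssl req -new -x509 -config "$CADIR/ca.cnf" -key "$CADIR/private/cakey.pem" \
      -days 3650 -subj "/CN=ca.example.test" -out "$CADIR/cacert.pem"
  (umask 066; openssl genrsa -out "$CADIR/app1.key" 2048 2>/dev/null)
  openssl req -new -config "$CADIR/ca.cnf" -key "$CADIR/app1.key" \
      -subj "/CN=app1.example.test" -out "$CADIR/app1.csr"
  openssl ca -batch -config "$CADIR/ca.cnf" -in "$CADIR/app1.csr" -out "$CADIR/app1.crt" 2>/dev/null
  # Check 1: the issued certificate chains to this CA
  openssl verify -CAfile "$CADIR/cacert.pem" "$CADIR/app1.crt" >/dev/null || return 1
  # Revoke it and publish a CRL; check 2: verification with CRL checking must now fail
  openssl ca -config "$CADIR/ca.cnf" -revoke "$CADIR/app1.crt" 2>/dev/null
  openssl ca -config "$CADIR/ca.cnf" -gencrl -out "$CADIR/crl.pem" 2>/dev/null
  ! openssl verify -crl_check -CAfile "$CADIR/cacert.pem" -CRLfile "$CADIR/crl.pem" \
      "$CADIR/app1.crt" >/dev/null 2>&1 || return 1
  grep -q '^R' "$CADIR/index.txt"          # index.txt now marks the entry R (revoked)
}
demo_ca_lifecycle && echo "issued cert verified OK, revoked cert rejected via CRL"
```

Without -crl_check (and a fresh CRL to check against), openssl verify still reports the revoked certificate as OK, which is why the CRL has to be distributed to every verifier.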
2. Summary of common ssh parameters and usage
The ssh service and the sshd service: ssh runs on the client, while sshd runs on the server.
Configuration file path: /etc/ssh/sshd_config
Syntax:
ssh [user@]host [COMMAND]
ssh [-l user] host [COMMAND]
Common options:
-p port     # port the remote server listens on
-b          # source IP address to connect from
-v          # debug (verbose) mode
-C          # enable compression
-X          # enable X11 forwarding
-t          # force pseudo-tty allocation, e.g. ssh -t remoteserver1 ssh -t remoteserver2 ssh remoteserver3
-o option   # e.g. -o StrictHostKeyChecking=no
-i <file>   # path to the private key file for key-based authentication; by default ~/.ssh/id_dsa, ~/.ssh/id_ecdsa, ~/.ssh/id_ed25519, ~/.ssh/id_rsa, etc. are tried
1. First, generate a key pair on the client (ssh-keygen).
2. Copy the client's public key to the server with ssh-copy-id.
3. When the client next sends a connection request, it includes its IP address and username.
4. On receiving the request, the server looks in authorized_keys; if a matching IP and user is found, it generates a random string, for example: magedu.
5. The server encrypts the string with the public key copied from the client and sends it to the client.
6. On receiving the server's message, the client decrypts it with its private key and sends the decrypted string back to the server.
7. The server compares the string it receives with the original; if they match, password-less login is allowed.
Implementing key-based authentication
[18:08:01 root@lucklyzpp8 data]#ssh-keygen
[18:08:36 root@lucklyzpp8 ~]#ll .ssh/
[18:08:38 root@lucklyzpp8 ~]#cat .ssh/id_rsa.pub
ssh-rsa ... root@lucklyzpp8
[18:09:16 root@lucklyzpp8 ~]#ssh-copy-id root@192.168.33.130
[18:11:10 root@lucklyzpp8 ~]#ssh 192.168.33.130
Last failed login: Fri Sep 10 15:34:02 CST 2021 from 192.168.33.131 on ssh:notty
There was 1 failed login attempt since the last successful login.
Last login: Fri Sep 10 10:50:44 2021 from 192.168.33.2
[15:35:25 root@web2 ~]#cat /etc/redhat-release
CentOS Linux release 7.9.2009 (Core)
[15:35:33 root@web2 ~]#ll .ssh/
总用量 4
-rw------- 1 root root 569 9月 10 15:34 authorized_keys
3. Summary of common sshd parameters.
Port
ListenAddress IP            # IP address to bind to
LoginGraceTime 2m           # login timeout
PermitRootLogin yes         # Ubuntu does not allow remote root ssh login by default
StrictModes yes             # check the owner and permissions of the .ssh/ files
MaxAuthTries 6              # maximum number of authentication attempts
MaxSessions 10              # maximum number of sessions per connection
PubkeyAuthentication yes    # key-based authentication
PermitEmptyPasswords no     # allow connections with an empty password
PasswordAuthentication yes  # username/password authentication
GatewayPorts no
ClientAliveInterval 10      # unit: seconds
ClientAliveCountMax 3       # default 3
UseDNS yes                  # reverse DNS lookups can be turned off to speed up login
GSSAPIAuthentication yes    # set to no for faster logins
MaxStartups                 # maximum number of unauthenticated connections, default 10
Banner /path/file
# The following options restrict which users may log in:
AllowUsers user1 user2 user3
DenyUsers
AllowGroups
DenyGroups
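An added example, not from the original post, that audits an sshd_config for the keywords listed above that weaken remote login (root login, password and empty-password authentication, MaxAuthTries, missing Allow* restrictions). The two sample configs are constructed here; the first uses the values shown above.

```shell
# Added example (not from the original post): audit an sshd_config for the
# keywords listed above that weaken remote login. Both sample configs below
# are constructed for this demo.
sshd_setting() {  # effective value of keyword $2 in file $1; first match wins, as in sshd
  awk -v k="$2" 'tolower($1) == tolower(k) { print $2; exit }' "$1"
}
check_sshd_config() {  # prints one finding per line for config file $1
  f=$1
  [ "$(sshd_setting "$f" PermitRootLogin)" = "yes" ] &&
    echo "PermitRootLogin yes: root can be targeted directly; prefer no or prohibit-password"
  [ "$(sshd_setting "$f" PasswordAuthentication)" != "no" ] &&
    echo "PasswordAuthentication not disabled (sshd default is yes): password guessing possible"
  [ "$(sshd_setting "$f" PermitEmptyPasswords)" = "yes" ] &&
    echo "PermitEmptyPasswords yes: accounts with an empty password can log in"
  [ "$(sshd_setting "$f" PubkeyAuthentication)" = "no" ] &&
    echo "PubkeyAuthentication no: key-based login is disabled"
  tries=$(sshd_setting "$f" MaxAuthTries)
  [ -n "$tries" ] && [ "$tries" -gt 6 ] &&
    echo "MaxAuthTries $tries: more guesses per connection than the default of 6"
  [ -z "$(sshd_setting "$f" AllowUsers)$(sshd_setting "$f" AllowGroups)" ] &&
    echo "no AllowUsers/AllowGroups: every account may attempt to log in"
  return 0
}
count_findings() { check_sshd_config "$1" | grep -c . || true; }   # 0 when clean

# Constructed samples: one with the weak values from the list above, one hardened.
WEAK_CFG=$(mktemp); HARD_CFG=$(mktemp)
cat > "$WEAK_CFG" <<'EOF'
Port 22
# PermitRootLogin no        <- commented out, so it must not count
PermitRootLogin yes
PasswordAuthentication yes
PermitEmptyPasswords no
PubkeyAuthentication yes
MaxAuthTries 10
EOF
cat > "$HARD_CFG" <<'EOF'
Port 22
PermitRootLogin no
PasswordAuthentication no
PermitEmptyPasswords no
PubkeyAuthentication yes
MaxAuthTries 3
AllowGroups sshusers
EOF
check_sshd_config "$WEAK_CFG"
echo "weak: $(count_findings "$WEAK_CFG") findings, hardened: $(count_findings "$HARD_CFG") findings"
```

Run it against /etc/ssh/sshd_config on the server after editing, and reload sshd only once the finding count is what you expect.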
4. Set up a DHCP service to hand out IP addresses
Make sure all of this is done in host-only network mode.
systemctl stop firewalld
setenforce 0
yum install -y dhcp
Configuration file template: /usr/share/doc/dhcp*/dhcpd.conf.example
Configuration:
subnet 192.168.33.0 netmask 255.255.255.0 {      ## network and netmask
    range 192.168.33.200 192.168.33.230;         ## address range
    option domain-name-servers 202.96.128.166;   ## DNS server address
    option domain-name "lukly.com";              ## domain name for this subnet, may be omitted
    option routers 192.168.33.1;                 ## gateway
    option broadcast-address 192.168.33.255;     ## broadcast address
    default-lease-time 300;                      ## lease time
    max-lease-time 7200;                         ## maximum lease time
}
systemctl start dhcpd
Configure a Windows client to obtain an IP address automatically.