
Q1:创建私有CA并进行证书申请

A1:

1.1  创建CA相关目录和文件

[root@CentOS84 ]#
[root@CentOS84 ]#mkdir -pv /etc/pki/CA/{certs,crl,newcerts,private}
mkdir: created directory '/etc/pki/CA'
mkdir: created directory '/etc/pki/CA/certs'
mkdir: created directory '/etc/pki/CA/crl'
mkdir: created directory '/etc/pki/CA/newcerts'
mkdir: created directory '/etc/pki/CA/private'
[root@CentOS84 ]
[root@CentOS84 ]#tree /etc/pki/CA/
/etc/pki/CA/
├── certs
├── crl
├── newcerts
└── private

4 directories, 0 files
[root@CentOS84 ]#

[root@CentOS84 ]#touch /etc/pki/CA/index.txt
[root@CentOS84 ]#echo 00 > /etc/pki/CA/serial
#00 为十六进制序列号,且位数必须为偶数;如果输入 000,后面执行 openssl ca 签发证书时会报错
[root@CentOS84 ]
[root@CentOS84 ]#tree /etc/pki/CA/
/etc/pki/CA/
├── certs
├── crl
├── index.txt
├── newcerts
├── private
└── serial

4 directories, 2 files
[root@CentOS84 ]#ll /etc/pki/CA/certs/
total 0
[root@CentOS84 ]#ll /etc/pki/tls/
total 16
lrwxrwxrwx. 1 root root 49 Aug 12 2020 cert.pem -> /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
drwxr-xr-x. 2 root root 73 Nov 19 01:33 certs
-rw-r--r--. 1 root root 412 Mar 30 2021 ct_log_list.cnf
drwxr-xr-x. 2 root root 6 Mar 30 2021 misc
-rw-r--r--. 1 root root 11225 Mar 30 2021 openssl.cnf
drwxr-xr-x. 2 root root 25 Nov 19 01:33 private

 

1.2 创建CA的私钥(本例生成的私钥未加口令保护,仅靠 0600 文件权限保护;生产环境建议在 genrsa 时加 -aes256 等选项对私钥加密)

[root@CentOS84 ]#cd /etc/pki/CA/
[root@CentOS84 ]#pwd
/etc/pki/CA
[root@CentOS84 ]#
[root@CentOS84 ]#openssl genrsa -out private/cakey.pem 2048
Generating RSA private key, 2048 bit long modulus (2 primes)
........+++++
........+++++
e is 65537 (0x010001)
[root@CentOS84 ]#tree
.
├── certs
├── crl
├── index.txt
├── newcerts
├── private
│ └── cakey.pem
└── serial

4 directories, 3 files
[root@CentOS84 ]#ll private/
total 4
-rw------- 1 root root 1679 Jan 12 23:28 cakey.pem
[root@CentOS84 ]#cat private/cakey.pem
-----BEGIN RSA PRIVATE KEY-----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-----END RSA PRIVATE KEY-----
[root@CentOS84 ]#

 

1.3给CA颁发自签名证书

[root@CentOS84 ]#
[root@CentOS84 ]#openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -days 3650 -out /etc/pki/CA/cacert.pem
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:JiangSu
Locality Name (eg, city) [Default City]:NanJing
Organization Name (eg, company) [Default Company Ltd]:ShoneInfo
Organizational Unit Name (eg, section) []:IT
Common Name (eg, your name or your server's hostname) []:ca.shoneinfo.com
Email Address []:admin@shoneinfo.com
[root@CentOS84 ]#
[root@CentOS84 ]#


[root@CentOS84 ]#
[root@CentOS84 ]#tree /etc/pki/CA/
/etc/pki/CA/
├── cacert.pem
├── certs
├── crl
├── index.txt
├── newcerts
├── private
│ └── cakey.pem
└── serial

4 directories, 4 files
[root@CentOS84 ]#cat /etc/pki/CA/cacert.pem
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
[root@CentOS84 ]#openssl x509 -in /etc/pki/CA/cacert.pem -noout -text
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
4b:f8:82:43:0d:7f:7d:3b:c5:e1:ab:08:2f:2a:7b:9e:bb:52:49:7f
Signature Algorithm: sha256WithRSAEncryption
Issuer: C = CN, ST = JiangSu, L = NanJing, O = ShoneInfo, OU = IT, CN = ca.shoneinfo.com, emailAddress = admin@shoneinfo.com
Validity
Not Before: Jan 12 15:33:52 2022 GMT
Not After : Jan 10 15:33:52 2032 GMT
Subject: C = CN, ST = JiangSu, L = NanJing, O = ShoneInfo, OU = IT, CN = ca.shoneinfo.com, emailAddress = admin@shoneinfo.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public-Key: (2048 bit)
Modulus:
00:de:b8:10:1c:e6:3e:94:aa:ab:d3:89:bc:36:92:
7e:29:f8:b8:50:f2:0c:a6:54:d3:b7:63:3f:7d:4c:
40:fd:ea:22:73:25:52:04:72:bd:d1:f2:18:85:61:
1d:ec:2f:97:d3:99:76:be:3e:e3:74:d7:16:8f:fd:
b2:bc:84:83:05:ad:4a:03:7e:37:58:e9:6f:de:a2:
76:35:7d:7a:d1:f9:1b:53:c9:bd:99:b1:d5:46:03:
44:10:33:b6:2a:b5:dc:d3:84:f7:6b:90:14:a8:32:
08:b8:70:80:e0:dd:d6:c5:c2:1d:fd:7f:78:69:4e:
4d:d1:6b:0d:50:db:08:48:6f:d7:cd:ab:04:b5:92:
08:59:50:85:ec:c2:eb:96:a2:f0:d7:54:9f:39:11:
c0:42:0b:0d:2d:af:c0:90:ca:f9:5e:5a:14:67:81:
75:41:e4:ec:f5:ca:b5:83:eb:d1:d5:09:12:e0:0e:
a0:20:c0:12:4a:b4:79:e1:6f:e8:1a:74:94:82:8f:
48:cf:1a:dc:22:91:6f:fe:fd:7f:95:5d:77:9d:8a:
09:02:5f:af:39:2b:f5:4d:f4:eb:51:c7:97:0f:3a:
d4:0b:09:1a:0a:7e:4c:c2:66:4e:46:da:f2:04:c3:
02:8b:a3:c8:43:ce:58:e3:c3:fe:67:bc:c6:f9:04:
6e:11
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Key Identifier:
FF:64:F4:7B:08:19:BD:C2:90:CF:44:67:BA:F2:E6:C3:FA:95:D1:DF
X509v3 Authority Key Identifier:
keyid:FF:64:F4:7B:08:19:BD:C2:90:CF:44:67:BA:F2:E6:C3:FA:95:D1:DF

X509v3 Basic Constraints: critical
CA:TRUE
Signature Algorithm: sha256WithRSAEncryption
7b:5f:d4:c3:44:a6:96:86:63:80:5e:42:9e:4d:3b:1f:78:f9:
9b:b0:c9:f1:f7:c7:ff:18:06:fc:e2:79:f5:b9:5e:d0:f9:93:
a1:f7:86:72:dc:c8:79:05:22:f5:d2:8a:d4:09:d5:15:f6:f7:
ac:43:1d:86:4b:19:bb:a6:7c:cd:7f:35:06:c6:e3:2f:0c:ab:
68:19:35:71:db:42:33:83:8a:b6:6a:ca:08:b4:81:5f:3a:4b:
d8:4e:4a:46:1b:3d:1c:fc:6a:d7:24:e8:cc:f8:83:1e:19:be:
8b:53:bc:9d:70:1b:0c:2c:2d:a9:1c:41:f7:4c:55:35:22:ae:
06:83:37:d7:3a:90:80:5a:67:1f:a8:55:08:57:ea:9b:aa:96:
27:18:59:df:89:1c:b1:c7:4a:13:41:8e:f2:20:d3:4d:2b:cb:
cd:97:87:2b:e6:35:9e:df:f6:f8:a3:ba:af:0d:90:59:0c:14:
e9:f1:e2:30:0b:5b:17:11:e0:ef:93:7b:57:c0:79:1e:a2:82:
24:92:ab:33:b4:9b:d9:f1:ac:31:20:13:5a:61:e6:75:e7:1d:
b4:a8:b6:72:7c:0c:e8:e9:92:53:8a:b2:04:02:7e:c7:0a:5f:
be:49:20:e9:00:21:ce:7e:1c:a8:80:7d:b3:9b:61:a6:58:6e:
ad:de:66:8e
[root@CentOS84 ]#

# 将证书传出到WIN10桌面,以备查看
[root@CentOS84 ]#sz /etc/pki/CA/cacert.pem
rz
Starting zmodem transfer. Press Ctrl+C to cancel.
Transferring cacert.pem...
100% 1 KB 1 KB/sec 00:00:01 0 Errors

[root@CentOS84 ]#

 

1.4用户生成私钥

[root@CentOS84 ]#mkdir /data/app1
[root@CentOS84 ]#openssl genrsa -out /data/app1/app001.key 2048
Generating RSA private key, 2048 bit long modulus (2 primes)
...................................+++++
.....................+++++
e is 65537 (0x010001)
[root@CentOS84 ]#cat /data/app1/app001.key
-----BEGIN RSA PRIVATE KEY-----
MIIEowIBAAKCAQEAtsBhrPNf09WPw3mxWxJ5xUgVJH8NUWy51Nz/uNynxnFGladJ
Hxhk1yxo1qkzpBdRJDpcjuCS+qMsAm3ELTjQYAeZdT7I5W1z20sxlFcW+xI42z0C
zK3CD3tP+g9nypC6tiq3A+EKj/xufQCNTavP9rdwrTmEVBTBjB0YKVa49qOn46be
kx0E+Z5ojWUY4iAMIeZiQxZTc8S5qdgSp/7WYcszZV6PsqWeHiMkFjxDRaH5Anq1
+5r87E2elE1lkIiCRgTcm+4nndM4DCP109uy1rjEX45BscHNEMcl8aegvBVH2tCk
cOveBXBRY9cp5x+7PY/kr6fHxwT5TVOGaG35aQIDAQABAoIBABSGBnIl4t0nXr3V
LNXNfV9qePVgT16Vl0kQiKd6IF1o20RzRQL4+lov4pY46lPDSpmG9F4XWmpLaOXc
7esmNkCSmelQ477gS+KUzzyZizsnELuOXoIeAW07q/+pOz7EgjNzGJqW61jAQKhJ
J5VRdkl+0GijzPikXBggLFZ4Js2L4vRxCzb/pioLeugaXA/+TfaSiz6Uqbi3Ntal
497t4209c5hL3Nl98ApVpB5ucNSSmG5iWwwcGfagVXhFCnEl+Z3sLrTUYZb/NX7r
KCRJwL1MSIcH63YDq7CLWMQTAL6VxRS684oICoqhScXzh/1Fz9S3y2APnst+rNmp
PtTx4AECgYEA3sXY0VyjJA9r0TUPEKyQtrvEzgE1e/DNACyiPYepPoTjXe5Q0Q+2
gV6fxclW4SfBA3l2sxjhlF81drIdL9IOERaDk5B4q3HipXeV8HRLyH98nEcnHcQO
xACFOIEuWGkwd0fzbXs2D8vN4SKo23KAMera6vfgGTmR7K+p132frjkCgYEA0gJl
b/5yL5qOzTP6nhwn5EFiEox0ln1eslQkNugQgKiP39bLVu/qVBzPqmb2qT8moOjr
Mj5NO2DFXq4Q8019aCVJMaK5tsRmHuOO43Hcil+vteShfQs5p4aNSmYMCWGxfLru
vFoJrmkVfD8MbiY66B894Gazr9XinrDt1wy6pLECgYEAzYkY/EFOO80GmuUrWyT7
97zSXYb8A7guTATiQ4bQ/d+5r0ZbxieLKV1WaDPVNrNo/32nqKJCLpSRTUwUZbSW
SenNx+45h2TxydzFuC50ZS5KmB2F1462WNxqDbISQnv6vXLjA5X0USqmbxt9U8sW
v/eBt9yvJFbbbda9CxbapvECgYB3Zo9fvm4TbK+WMeBitqVjnFzzKNI8oakOgNJa
OVTwoWWzoT7Y/ezfx8W2H3ZMQbBnuiXG2i80/E8bBqJygnMznEdiJh+qrz1UgJLD
8/+s2LxhEU1Td+devRxl2WEskFPGE84aXqK0e+CQVJRvp+LECMc4Z4vwBA4lpXiE
VSNk8QKBgHjp5xtlxiJgMAmUsJlOJdcMTl3LCiDPMDrSWA0dUDA1c5M0matzglZ/
bM1KqWc1SdpU8PnEqV3vzDvakoiSnVY5ZyTDfLpPKURSylKtlGyyYgqL/GV885r/
I+WIdcp5AuBLs7DjlqWIuGadUIIXHkhw9OacS/gCOngUUWCjezDf
-----END RSA PRIVATE KEY-----
[root@CentOS84 ]#tree
.
├── cacert.pem
├── certs
├── crl
├── index.txt
├── newcerts
├── private
│ └── cakey.pem
└── serial

4 directories, 4 files
[root@CentOS84 ]#cd /data/
[root@CentOS84 ]#tree
.
├── app1
│ └── app001.key
└── systeminfo.sh

1 directory, 2 files

# 生成证书申请文件(注意:下面填写的 Common Name 沿用了 CA 的 ca.shoneinfo.com,实际使用时应填写该服务自身的主机名,不要与 CA 的 CN 相同)
[root@CentOS84 ]#openssl req -new -key /data/app1/app001.key -out /data/app1/app001.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:JiangSu
Locality Name (eg, city) [Default City]:NanJing
Organization Name (eg, company) [Default Company Ltd]:ShoneInfo
Organizational Unit Name (eg, section) []:IT
Common Name (eg, your name or your server's hostname) []:ca.shoneinfo.com
Email Address []:app001@shoneinfo.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
[root@CentOS84 ]#
[root@CentOS84 ]#
[root@CentOS84 ]#ll /data/app1
total 8
-rw-r--r-- 1 root root 1062 Jan 12 23:59 app001.csr
-rw------- 1 root root 1675 Jan 12 23:52 app001.key
[root@CentOS84 ]#

[root@CentOS84 ]#cd /etc/pki/CA/
[root@CentOS84 ]#ll
total 8
-rw-r--r-- 1 root root 1456 Jan 12 23:33 cacert.pem
drwxr-xr-x 2 root root 6 Jan 12 23:08 certs
drwxr-xr-x 2 root root 6 Jan 12 23:08 crl
-rw-r--r-- 1 root root 0 Jan 12 23:10 index.txt
drwxr-xr-x 2 root root 6 Jan 12 23:08 newcerts
drwxr-xr-x 2 root root 23 Jan 12 23:28 private
-rw-r--r-- 1 root root 4 Jan 12 23:11 serial
[root@CentOS84 ]#

 

1.5CA颁发证书

[root@CentOS84 ]#
[root@CentOS84 ]#openssl ca -in /data/app1/app001.csr -out /etc/pki/CA/certs/app001.crt -days 2000
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 0 (0x0)
Validity
Not Before: Jan 12 16:04:32 2022 GMT
Not After : Jul 5 16:04:32 2027 GMT
Subject:
countryName = CN
stateOrProvinceName = JiangSu
organizationName = ShoneInfo
organizationalUnitName = IT
commonName = ca.shoneinfo.com
emailAddress = app001@shoneinfo.com
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
F5:82:9C:01:4D:77:AD:69:E3:5A:62:81:CF:69:F9:BA:93:09:2B:39
X509v3 Authority Key Identifier:
keyid:FF:64:F4:7B:08:19:BD:C2:90:CF:44:67:BA:F2:E6:C3:FA:95:D1:DF

Certificate is to be certified until Jul 5 16:04:32 2027 GMT (2000 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
[root@CentOS84 ]#tree /etc/pki/CA
/etc/pki/CA
├── cacert.pem
├── certs
│ └── app001.crt
├── crl
├── index.txt
├── index.txt.attr
├── index.txt.old
├── newcerts
│ └── 00.pem
├── private
│ └── cakey.pem
├── serial
└── serial.old

4 directories, 9 files
[root@CentOS84 ]#

 

Q2:总结ssh常用参数、用法

A2:

ssh: secure shell protocol, 22/tcp,安全的远程登录,实现加密通信,代替传统的 telnet 协议。SSH 协议版本:v1:基于 CRC-32 做 MAC,不安全,易受中间人(man-in-the-middle)攻击;v2:双方主机协商选择安全的 MAC 方式,基于 DH 算法做密钥交换,基于 RSA 或 DSA 实现身份认证。常用软件:CentOS 默认安装的 OpenSSH 和另一个 ssh 协议的开源项目 dropbear。

命令格式:

ssh [user@]host [COMMAND]

     ssh [-l user] host [COMMAND]

 

常用选项:

-p port #远程服务器监听的端口,默认为22,一般生产环境中都会修改成其他的端口

-b #指定连接的源IP

-v #调试模式

-C #压缩方式

-X #支持x11转发

-t #强制伪tty分配,如:ssh -t remoteserver1 ssh -t remoteserver2 ssh remoteserver3

-o option #以选项形式指定配置项,如:-o StrictHostKeyChecking=no(跳过主机密钥检查,会失去对中间人攻击的防护,仅用于一次性的测试环境)

-i <file> #指定私钥文件路径,实现基于key验证,默认使用文件: ~/.ssh/id_dsa,~/.ssh/id_ecdsa, ~/.ssh/id_ed25519,~/.ssh/id_rsa等

 

常用用法:

# 不指定用户名时,会自动用当前客户机的账号去登录远程主机,因此一般都会指定目标SSH机的用户名登录,也就是范例二

summer@ubuntu180401:~$ hostname
ubuntu180401
summer@ubuntu180401:~$
summer@ubuntu180401:~$ ssh 192.168.250.101
summer@192.168.250.101's password:
Activate the web console with: systemctl enable --now cockpit.socket

Last login: Mon Dec 27 18:30:53 2021
[summer@CentOS84 ~]$ hostname
CentOS84
[summer@CentOS84 ~]$

 

 

Q3:总结sshd服务常用参数

A3:

sshd:openssh服务器守护进程。

服务器端:sshd

服务器端的配置文件: /etc/ssh/sshd_config

常用参数:

Port #生产建议修改
ListenAddress ip
LoginGraceTime 2m
PermitRootLogin yes #默认ubuntu不允许root远程ssh登录
StrictModes yes #检查.ssh/文件的所有者,权限等
MaxAuthTries 6 #Specifies the maximum number of authentication attempts permitted per connection. Once the number of failures reaches half this value, additional failures are logged. The default is 6.
MaxSessions 10 #同一个连接允许的最大会话数
PubkeyAuthentication yes #基于key验证
PermitEmptyPasswords no #是否允许空密码登录,应保持为 no
PasswordAuthentication yes #是否允许基于用户名和密码登录,启用密钥认证后可改为 no
GatewayPorts no
ClientAliveInterval 10 #单位:秒
ClientAliveCountMax 3 #默认3
UseDNS yes #提高速度可改为no
GSSAPIAuthentication yes #提高速度可改为no
MaxStartups #未认证连接最大值,默认值10
Banner /path/file

#以下可以限制可登录用户的办法:
AllowUsers user1 user2 user3
DenyUsers user1 user2 user3
AllowGroups g1 g2
DenyGroups g1 g2

ssh服务的最佳实践:
(1)建议使用非默认端口
(2)禁止使用protocol version 1
(3)限制可登录用户
(4)设定空闲会话超时时长
(5)利用防火墙设置ssh访问策略
(6)仅监听特定的IP地址
(7)基于口令认证时,使用强密码策略,比如:tr -dc A-Za-z0-9_ < /dev/urandom | head -c 12 | xargs
(8)使用基于密钥的认证
(9)禁止使用空密码
(10)禁止root用户直接登录
(11)限制ssh的访问频度和并发在线数
(12)经常分析日志

 

Q4:搭建dhcp服务,实现ip地址申请分发

A4:

4.1检查并安装软件包

[root@CentOS84 ]#rpm -ql dhcp-server

package dhcp-server is not installed

[root@CentOS84 ]#yum provides dhcp-server

Last metadata expiration check: 1:45:38 ago on Thu 13 Jan 2022 01:28:32 PM CST.

dhcp-server-12:4.3.6-45.el8.x86_64 : Provides the ISC DHCP server

Repo        : BaseOS

Matched from:

Provide    : dhcp-server = 12:4.3.6-45.el8

 

[root@CentOS84 ]#yum -y install dhcp-server-12:4.3.6-45.el8.x86_64

Last metadata expiration check: 1:46:27 ago on Thu 13 Jan 2022 01:28:32 PM CST.

Dependencies resolved.

============================================================================================================================

 Package              Architecture            Version                 Repository                    Size

============================================================================================================================

Installing:

 dhcp-server          x86_64                  12:4.3.6-45.el8         BaseOS                       530 k

Upgrading:

 dhcp-client          x86_64                  12:4.3.6-45.el8         BaseOS                       318 k

 dhcp-common          noarch                  12:4.3.6-45.el8         BaseOS                       207 k

 dhcp-libs            x86_64                  12:4.3.6-45.el8         BaseOS                       148 k

Transaction Summary

============================================================================================================================

Install  1 Package

Upgrade  3 Packages

Total download size: 1.2 M

Downloading Packages:

(1/4): dhcp-client-4.3.6-45.el8.x86_64.rpm                       2.9 MB/s | 318 kB     00:00    

(2/4): dhcp-libs-4.3.6-45.el8.x86_64.rpm                         5.3 MB/s | 148 kB     00:00    

(3/4): dhcp-common-4.3.6-45.el8.noarch.rpm                       1.5 MB/s | 207 kB     00:00    

(4/4): dhcp-server-4.3.6-45.el8.x86_64.rpm                       2.6 MB/s | 530 kB     00:00    

----------------------------------------------------------------------------------------------------------------------------

Total                                                            5.7 MB/s | 1.2 MB     00:00     

Running transaction check

           # ...............................

Upgraded:

  dhcp-client-12:4.3.6-45.el8.x86_64        dhcp-common-12:4.3.6-45.el8.noarch        dhcp-libs-12:4.3.6-45.el8.x86_64       

Installed:

  dhcp-server-12:4.3.6-45.el8.x86_64                                                                                         

Complete!

[root@CentOS84 ]#

 

4.2验证安装的软件包、复制模板并修改配置文件

[root@CentOS84 ]#rpm -ql dhcp-server 

/etc/NetworkManager

/etc/NetworkManager/dispatcher.d

/etc/dhcp

/etc/dhcp/dhcpd.conf

/etc/dhcp/dhcpd6.conf

/etc/openldap/schema

/etc/openldap/schema/dhcp.schema

/etc/sysconfig/dhcpd

/usr/bin/omshell

/usr/lib/.build-id

/usr/lib/.build-id/4a

/usr/lib/.build-id/4a/dab9a373b30d2cf3756b7eae76e04b964106ee

/usr/lib/.build-id/58

/usr/lib/.build-id/58/01369e8a07b56c0426ed16d31a0a4e8283d84d

/usr/lib/systemd/system/dhcpd.service

/usr/lib/systemd/system/dhcpd6.service

/usr/sbin/dhcpd

/usr/share/doc/dhcp-server

/usr/share/doc/dhcp-server/dhcp-lease-list.pl

/usr/share/doc/dhcp-server/dhcpd.conf.example

/usr/share/doc/dhcp-server/dhcpd6.conf.example

/usr/share/doc/dhcp-server/ldap

/usr/share/doc/dhcp-server/ldap/README.ldap

/usr/share/doc/dhcp-server/ldap/dhcp.schema

/usr/share/doc/dhcp-server/ldap/dhcpd-conf-to-ldap

/usr/share/man/man1/omshell.1.gz

/usr/share/man/man5/dhcpd.conf.5.gz

/usr/share/man/man5/dhcpd.leases.5.gz

/usr/share/man/man8/dhcpd.8.gz

/var/lib/dhcpd

/var/lib/dhcpd/dhcpd.leases

/var/lib/dhcpd/dhcpd6.leases

[root@CentOS84 ]#

 

#  查看默认的dhcpd.conf信息,默认配置基本为空,但是提示参考文件了

[root@CentOS84 ]#cat /etc/dhcp/dhcpd.conf

#

# DHCP Server Configuration file.

#   see /usr/share/doc/dhcp-server/dhcpd.conf.example

#   see dhcpd.conf(5) man page

#

[root@CentOS84 ]#

 

# 复制模板文件,并开始修改此文件

[root@CentOS84 ]#cp /usr/share/doc/dhcp-server/dhcpd.conf.example /etc/dhcp/dhcpd.conf

cp: overwrite '/etc/dhcp/dhcpd.conf'? y

[root@CentOS84 ]#

 

[root@CentOS84 ]#vim /etc/dhcp/dhcpd.conf

 

##  修改下面这两段信息,指定DNS、网段和路由

 

# option definitions common to all supported networks...

option domain-name "shoneinfo.com";

option domain-name-servers 114.114.114.114, 61.177.7.1;

 

default-lease-time 60000;

max-lease-time 720000;                                                                                                       

 

# DHCP server to understand the network topology.

 

subnet 192.168.250.0 netmask 255.255.255.0 {

     range 192.168.250.11 192.168.250.30;

     option routers 192.168.250.254;                                                                                                      

}

 

# 验证修改后的文件

[root@CentOS84 ]#

[root@CentOS84 ]#cat /etc/dhcp/dhcpd.conf

# dhcpd.conf

#

# Sample configuration file for ISC dhcpd

#

 

# option definitions common to all supported networks...

option domain-name "shoneinfo.com";

option domain-name-servers 114.114.114.114, 61.177.7.1;

 

default-lease-time 60000;

max-lease-time 720000;

 

# Use this to enble / disable dynamic dns updates globally.

#ddns-update-style none;

 

# If this DHCP server is the official DHCP server for the local

# network, the authoritative directive should be uncommented.

#authoritative;

 

# Use this to send dhcp log messages to a different log file (you also

# have to hack syslog.conf to complete the redirection).

log-facility local7;

 

# No service will be given on this subnet, but declaring it helps the 

# DHCP server to understand the network topology.

 

subnet 192.168.250.0 netmask 255.255.255.0 {

     range 192.168.250.11 192.168.250.30;

     option routers 192.168.250.254;

}

 

# This is a very basic subnet declaration.

 

subnet 10.254.239.0 netmask 255.255.255.224 {

  range 10.254.239.10 10.254.239.20;

  option routers rtr-239-0-1.example.org, rtr-239-0-2.example.org;

}

 

# This declaration allows BOOTP clients to get dynamic addresses,

# which we don't really recommend.

 

subnet 10.254.239.32 netmask 255.255.255.224 {

  range dynamic-bootp 10.254.239.40 10.254.239.60;

  option broadcast-address 10.254.239.31;

  option routers rtr-239-32-1.example.org;

}

 

# A slightly different configuration for an internal subnet.

subnet 10.5.5.0 netmask 255.255.255.224 {

  range 10.5.5.26 10.5.5.30;

  option domain-name-servers ns1.internal.example.org;

  option domain-name "internal.example.org";

  option routers 10.5.5.1;

  option broadcast-address 10.5.5.31;

  default-lease-time 600;

  max-lease-time 7200;

}

 

# Hosts which require special configuration options can be listed in

# host statements.   If no address is specified, the address will be

# allocated dynamically (if possible), but the host-specific information

# will still come from the host declaration.

 

host passacaglia {

  hardware ethernet 0:0:c0:5d:bd:95;

  filename "vmunix.passacaglia";

  server-name "toccata.example.com";

}

 

# Fixed IP addresses can also be specified for hosts.   These addresses

# should not also be listed as being available for dynamic assignment.

# Hosts for which fixed IP addresses have been specified can boot using

# BOOTP or DHCP.   Hosts for which no fixed address is specified can only

# be booted with DHCP, unless there is an address range on the subnet

# to which a BOOTP client is connected which has the dynamic-bootp flag

# set.

host fantasia {

  hardware ethernet 08:00:07:26:c0:a5;

  fixed-address fantasia.example.com;

}

 

# You can declare a class of clients and then do address allocation

# based on that.   The example below shows a case where all clients

# in a certain class get addresses on the 10.17.224/24 subnet, and all

# other clients get addresses on the 10.0.29/24 subnet.

 

class "foo" {

  match if substring (option vendor-class-identifier, 0, 4) = "SUNW";

}

 

shared-network 224-29 {

  subnet 10.17.224.0 netmask 255.255.255.0 {

    option routers rtr-224.example.org;

  }

  subnet 10.0.29.0 netmask 255.255.255.0 {

    option routers rtr-29.example.org;

  }

  pool {

    allow members of "foo";

    range 10.17.224.10 10.17.224.250;

  }

  pool {

    deny members of "foo";

    range 10.0.29.10 10.0.29.230;

  }

}

[root@CentOS84 ]#

 

4.3启动并验证服务

[root@CentOS84 ]#systemctl status dhcpd

● dhcpd.service - DHCPv4 Server Daemon

   Loaded: loaded (/usr/lib/systemd/system/dhcpd.service; enabled; vendor preset: disabled)

   Active: active (running) since Thu 2022-01-13 15:49:32 CST; 43s ago

     Docs: man:dhcpd(8)

           man:dhcpd.conf(5)

 Main PID: 45129 (dhcpd)

   Status: "Dispatching packets..."

    Tasks: 1 (limit: 23544)

   Memory: 5.4M

   CGroup: /system.slice/dhcpd.service

           └─45129 /usr/sbin/dhcpd -f -cf /etc/dhcp/dhcpd.conf -user dhcpd -group dhcpd --no-pid

 

Jan 13 15:49:32 CentOS84 dhcpd[45129]: ** Ignoring requests on virbr0.  If this is not what

Jan 13 15:49:32 CentOS84 dhcpd[45129]:    you want, please write a subnet declaration

Jan 13 15:49:32 CentOS84 dhcpd[45129]:    in your dhcpd.conf file for the network segment

Jan 13 15:49:32 CentOS84 dhcpd[45129]:    to which interface virbr0 is attached. **

Jan 13 15:49:32 CentOS84 dhcpd[45129]: 

Jan 13 15:49:32 CentOS84 dhcpd[45129]: Listening on LPF/eth0/00:0c:29:18:d0:d9/192.168.250.0/24

Jan 13 15:49:32 CentOS84 dhcpd[45129]: Sending on   LPF/eth0/00:0c:29:18:d0:d9/192.168.250.0/24

Jan 13 15:49:32 CentOS84 dhcpd[45129]: Sending on   Socket/fallback/fallback-net

Jan 13 15:49:32 CentOS84 dhcpd[45129]: Server starting service.

Jan 13 15:49:32 CentOS84 systemd[1]: Started DHCPv4 Server Daemon.

[root@CentOS84 ]#

 

[root@CentOS84 ]#ss -lutn

Netid        State         Recv-Q        Send-Q         Local Address:Port           Peer Address:Port        Process        

udp          UNCONN        0             0              0.0.0.0:5353                  0.0.0.0:*                          

udp          UNCONN        0             0              192.168.122.1:53              0.0.0.0:*                          

udp          UNCONN        0             0              0.0.0.0:67                    0.0.0.0:*                          

udp          UNCONN        0             0              0.0.0.0%virbr0:67             0.0.0.0:*                          

udp          UNCONN        0             0              0.0.0.0:111                   0.0.0.0:*                          

udp          UNCONN        0             0              0.0.0.0:17178                 0.0.0.0:*                          

udp          UNCONN        0             0              [::]:5353                     [::]:*                          

udp          UNCONN        0             0              [::]:111                      [::]:*                          

udp          UNCONN        0             0              [::]:61979                    [::]:*                          

tcp          LISTEN        0             128            0.0.0.0:111                   0.0.0.0:*                          

tcp          LISTEN        0             32             192.168.122.1:53              0.0.0.0:*                          

tcp          LISTEN        0             128            0.0.0.0:22                    0.0.0.0:*                          

tcp          LISTEN        0             5              127.0.0.1:631                 0.0.0.0:*                          

tcp          LISTEN        0             128            [::]:111                      [::]:*                          

tcp          LISTEN        0             511            *:80                          *:*                          

tcp          LISTEN        0             128            [::]:22                       [::]:*                          

tcp          LISTEN        0             5              [::1]:631                     [::]:*                          

[root@CentOS84 ]#

 

4.4在CentOS7客户端机器上启用一块新网卡,验证通过DHCP自动获取IP地址

[root@CentOS7 ~]# ip a

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000

    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00

    inet 127.0.0.1/8 scope host lo

       valid_lft forever preferred_lft forever

    inet6 ::1/128 scope host 

       valid_lft forever preferred_lft forever

2: ens192: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000

    link/ether 00:0c:29:6a:3d:12 brd ff:ff:ff:ff:ff:ff

    inet 192.168.250.7/24 brd 192.168.250.255 scope global noprefixroute ens192

       valid_lft forever preferred_lft forever

    inet6 fe80::938d:47d9:e863:bd67/64 scope link noprefixroute 

       valid_lft forever preferred_lft forever

    # 下面就是新增加的网卡自动获取到的地址信息等

3: ens224: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000

    link/ether 00:0c:29:6a:3d:1c brd ff:ff:ff:ff:ff:ff

    inet 192.168.250.11/24 brd 192.168.250.255 scope global noprefixroute dynamic ens224

       valid_lft 59332sec preferred_lft 59332sec     # 租期

    inet6 fe80::3ada:8cc9:59de:52d6/64 scope link noprefixroute 

       valid_lft forever preferred_lft forever

[root@CentOS7 ~]# 

 

 

[root@CentOS84 ]#cat  dhcpd.leases

# The format of this file is documented in the dhcpd.leases(5) manual page.

# This lease file was written by isc-dhcp-4.3.6

 

# authoring-byte-order entry is generated, DO NOT DELETE

authoring-byte-order little-endian;

 

server-duid "\000\001\000\001)r\226\014\000\014)\030\320\331";

 

lease 192.168.250.11 {

  starts 4 2022/01/13 08:23:49;

  ends 5 2022/01/14 01:03:49;

  cltt 4 2022/01/13 08:23:49;

  binding state active;

  next binding state free;

  rewind binding state free;

  hardware ethernet 00:0c:29:6a:3d:1c;

  client-hostname "CentOS7";

}

[root@CentOS84 ]#

 

[root@CentOS84 ]#rpm -ql dhcp-server package dhcp-server is not installed [root@CentOS84 ]#yum provides dhcp-server Last metadata expiration check: 1:45:38 ago on Thu 13 Jan 2022 01:28:32 PM CST. dhcp-server-12:4.3.6-45.el8.x86_64 : Provides the ISC DHCP server Repo : BaseOS Matched from: Provide : dhcp-server =12:4.3.6-45.el8 [root@CentOS84 ]#yum -y install dhcp-server-12:4.3.6-45.el8.x86_64 Last metadata expiration check: 1:46:27 ago on Thu 13 Jan 2022 01:28:32 PM CST. Dependencies resolved. ============================================================================================================================ Package Architecture Version Repository Size ============================================================================================================================ Installing: dhcp-server x86_64 12:4.3.6-45.el8 BaseOS 530 k Upgrading: dhcp-client x86_64 12:4.3.6-45.el8 BaseOS 318 k dhcp-common noarch 12:4.3.6-45.el8 BaseOS 207 k dhcp-libs x86_64 12:4.3.6-45.el8 BaseOS 148 k Transaction Summary ============================================================================================================================ Install 1 Package Upgrade 3 Packages Total download size: 1.2 M Downloading Packages: (1/4): dhcp-client-4.3.6-45.el8.x86_64.rpm 2.9 MB/s |318 kB 00:00 (2/4): dhcp-libs-4.3.6-45.el8.x86_64.rpm 5.3 MB/s |148 kB 00:00 (3/4): dhcp-common-4.3.6-45.el8.noarch.rpm 1.5 MB/s |207 kB 00:00 (4/4): dhcp-server-4.3.6-45.el8.x86_64.rpm 2.6 MB/s |530 kB 00:00 ---------------------------------------------------------------------------------------------------------------------------- Total 5.7 MB/s |1.2 MB 00:00 Running transaction check # ............................... Upgraded: dhcp-client-12:4.3.6-45.el8.x86_64 dhcp-common-12:4.3.6-45.el8.noarch dhcp-libs-12:4.3.6-45.el8.x86_64 Installed: dhcp-server-12:4.3.6-45.el8.x86_64 Complete![root@CentOS84 ]#

 
