第八周

1、创建私有CA并进行证书申请。

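#######################################
# Turn this host into a private root CA rooted at /etc/pki/CA/.
# Creates the directory layout, the index/serial/crlnumber files and a
# self-signed CA certificate when they are missing, then offers to
# issue user certificates through certgen.
# Globals:   CAsubject (written). filepath is declared local here but is
#            visible to certgen through bash dynamic scoping. GREEN, END,
#            color, inputerror and certgen are defined elsewhere in the
#            script.
# Arguments: none (interactive)
# Returns:   0 on success, 1 if the CA could not be set up
#######################################
function RootCA {
  local filepath=/etc/pki/CA/
  # 1024-bit RSA is below the accepted minimum for a root that signs
  # 10-year certificates; 4096 is used for the CA key.
  local -r ca_key_bits=4096
  local con rc=0
  CAsubject="/C=CN/ST=Shanghai/O=MXX Company Ltd,/CN=*.mxx.com/emailAddress=yabao310@icloud.com"
  if [[ ! -d "$filepath" ]]; then
    echo -e "${GREEN}CA目录不存在,开始创建CA目录...${END}"
    mkdir -pv "${filepath}"{certs,crl,newcerts,private}
    touch "${filepath}index.txt"
    echo -n 01 > "${filepath}serial"
    echo -n 01 > "${filepath}crlnumber"
    openssl req -newkey "rsa:${ca_key_bits}" -subj "$CAsubject" \
      -keyout "${filepath}private/cakey.pem" -nodes -days 3650 -x509 \
      -out "${filepath}cacert.pem" || rc=$?
  else
    if [[ ! -e "${filepath}index.txt" ]]; then
      touch "${filepath}index.txt"
      echo -e "${GREEN}index.txt创建成功!${END}"
    fi
    if [[ ! -e "${filepath}serial" ]]; then
      echo -n 01 > "${filepath}serial"
      echo -e "${GREEN}serial创建成功!${END}"
    fi
    if [[ ! -e "${filepath}crlnumber" ]]; then
      echo -n 01 > "${filepath}crlnumber"
      echo -e "${GREEN}crlnumber创建成功!${END}"
    fi
    # Regenerate when EITHER file is missing. The previous '-o' test only
    # fired when both were absent, so a CA with a certificate but no key
    # (or the reverse) was left unusable.
    if [[ ! -e "${filepath}private/cakey.pem" || ! -e "${filepath}cacert.pem" ]]; then
      echo -e "${GREEN}生成cakey.pem|cacert.pem文件...${END}"
      openssl req -utf8 -newkey "rsa:${ca_key_bits}" -subj "$CAsubject" \
        -keyout "${filepath}private/cakey.pem" -nodes -days 3650 -x509 \
        -out "${filepath}cacert.pem" || rc=$?
    fi
  fi
  # The CA private key must be readable by root only.
  if (( rc == 0 )) && [[ -e "${filepath}private/cakey.pem" ]]; then
    { chmod 700 "${filepath}private" && chmod 600 "${filepath}private/cakey.pem"; } || rc=$?
  fi
  # rc holds the explicit status of the openssl/chmod steps; the old
  # '$?' check read the status of whatever test ran last instead.
  if (( rc == 0 )); then
    color "设备配置为RootCA成功!" 0
  else
    color "RootCA配置失败!" 1
    return 1
  fi
  read -r -p "需要现在生成用户证书么?(yes or no)" con
  # Lower-case the answer so Y/YES and N/NO are accepted.
  case "${con,,}" in
    y|yes)
      certgen
      ;;
    n|no)
      return 0
      ;;
    *)
      inputerror
      ;;
  esac
}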

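#######################################
# Interactively issue N user certificates signed by the private CA.
# Globals:   filepath (read; set by RootCA, defaults to /etc/pki/CA/
#            when unset), GREEN, END (defined elsewhere)
# Arguments: none (asks for the certificate count on stdin)
# Outputs:   a subject/validity/serial summary per certificate on stdout
# Returns:   0 on success, 1 on an invalid count or an OpenSSL failure
#######################################
function certgen {
  local INPUT i Rand ClientSubject key csr crt err
  local -a DN=()
  # Fall back to the default CA path so certgen also works when it is
  # called directly rather than from RootCA.
  local ca_dir=${filepath:-/etc/pki/CA/}
  read -r -p "生成多少个证书?" INPUT
  # A non-numeric or zero count would break the arithmetic for-loop.
  if [[ ! "$INPUT" =~ ^[1-9][0-9]*$ ]]; then
    printf '%s\n' "证书数量必须是正整数" >&2
    return 1
  fi
  # Exactly two certificates keep the Master/Slave naming; any other
  # count uses centos-N.
  if (( INPUT == 2 )); then
    DN=([1]=Master [2]=Slave)
  fi
  for (( i = 1; i <= INPUT; i++ )); do
    # The random OU doubles as the file-name suffix, so the base64
    # characters '/' and '+' (unsafe in paths) are stripped.
    Rand=$(openssl rand -base64 6 | tr -d '/+')
    [[ -n "${DN[$i]:-}" ]] || DN[$i]="centos-$i"
    ClientSubject="/C=CN/ST=Shanghai/O=MXX Company Ltd,/OU=$Rand/CN=${DN[$i]}.mxx.com"
    key=${ca_dir}private/user-${Rand}.key
    csr=${ca_dir}user-${Rand}.csr
    crt=${ca_dir}certs/user-${Rand}.crt
    # OpenSSL's progress output stays hidden, but a failure is reported
    # instead of being discarded into /dev/null.
    if ! err=$(openssl req -newkey rsa:2048 -subj "$ClientSubject" -keyout "$key" -nodes -out "$csr" 2>&1); then
      printf '%s\n%s\n' "生成CSR失败: $csr" "$err" >&2
      return 1
    fi
    # 'openssl ca' records the issued certificate in index.txt and
    # advances serial. The 'openssl x509 -req' form below signs too but
    # does not update the CA database, so it is kept only for reference.
    # openssl x509 -req -in "$csr" -CA "${ca_dir}cacert.pem" -CAkey "${ca_dir}private/cakey.pem" -CAcreateserial -days 3650 -CAserial "${ca_dir}serial" -out "$crt"
    if ! err=$(openssl ca -days 3650 -in "$csr" -cert "${ca_dir}cacert.pem" -keyfile "${ca_dir}private/cakey.pem" -out "$crt" -batch 2>&1); then
      printf '%s\n%s\n' "签发证书失败: $crt" "$err" >&2
      return 1
    fi
    echo -e "${GREEN}**************************************生成证书信息**************************************${END}"
    openssl x509 -noout -subject -dates -serial -in "$crt"
  done
  # User private keys are readable by root only.
  chmod 600 "${ca_dir}"private/*.key
  echo "证书生成完成"
  echo -e "${GREEN}**************************************生成证书文件如下**************************************${END}"
  echo "证书存放目录: ${ca_dir}certs/"
  # List the newest files in the certs directory; the previous version
  # listed the current working directory instead.
  echo "证书文件列表: $(ls -t1 "${ca_dir}certs/" | head -n "$INPUT")"
}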

执行结果

CA目录不存在,开始创建CA目录...
mkdir: created directory '/etc/pki/CA'
mkdir: created directory '/etc/pki/CA/certs'
mkdir: created directory '/etc/pki/CA/crl'
mkdir: created directory '/etc/pki/CA/newcerts'
mkdir: created directory '/etc/pki/CA/private'
Generating a RSA private key
............................+++++
...+++++
writing new private key to '/etc/pki/CA/private/cakey.pem'
-----
设备配置为RootCA成功!                                     [  OK  ]
需要现在生成用户证书么?(yes or no)y
生成多少个证书?2
**************************************生成证书信息**************************************
subject=C = CN, ST = Shanghai, O = "MXX Company Ltd,", OU = G9fNqx1, CN = Master.mxx.com
notBefore=Feb 16 18:57:23 2022 GMT
notAfter=Feb 16 18:57:23 2032 GMT
serial=01
**************************************生成证书信息**************************************
subject=C = CN, ST = Shanghai, O = "MXX Company Ltd,", OU = 6wQWWuId, CN = Slave.mxx.com
notBefore=Oct 16 18:57:23 2022 GMT
notAfter=Oct 16 18:57:23 2032 GMT
serial=02
证书生成完成
**************************************生成证书文件如下**************************************
证书存放目录: /etc/pki/CA/certs/
证书文件列表: user-6wQWWuId.crt user-G9fNqx1.crt
请选择您要执行的操作(1-10):10
[root@centos8mini-2 ~]# 

2、总结ssh常用参数、用法

命令格式

ssh [user@]host [COMMAND]
ssh [-l user] host [COMMAND]

-p,指定远端服务器的端口号;用法:ssh -p 9527 10.0.0.1
-b,指定源IP;ssh -b 192.168.1.204 10.0.0.1
-X,开启X11 forwarding,用于远程执行服务器上的图形化应用
-t,强制分配伪终端(pseudo-tty)。当需要经过多跳中转连接远端服务器时,可以链式执行ssh命令并为每一跳加上-t,这样一条命令就能交互式地登录到最后的远端主机;如:ssh -t 192.168.1.1 ssh -t 10.0.0.1 ssh 172.16.0.1
-o,可以将配置文件中可定义的选项作为参数临时指定给当前会话,因为有些配置文件中的选项没有对应的命令行选项,如:ssh -o StrictHostKeyChecking=no 192.168.1.204;注意该示例会跳过主机密钥校验,无法防御中间人攻击,仅适合一次性的测试环境
-D,动态应用层端口转发,监听本地一个端口,该端口接收的流量将通过SSH隧道发往远端服务器,然后根据流量的应用层协议决定远端服务器之后向谁建立新的连接来转发这些流量
-g,允许远端主机连接到本地的转发端口
-L 80:intra.example.com:80 gw.example.com,配置本地端口转发,本地监听一个端口80,将从这个端口下监听到的流量全部转发给远端的SSH服务器gw.example.com,SSH服务器会将流量进一步转发给命令中指定的intra.example.com:80;
-R 8080:xxx:80 public.example.com,本机作为SSH客户端,指定的public.example.com主机上的8080端口将作为远端的监听端口,任何发往这个端口的流量都会被SSH隧道传输到本机,本机会再次将这些流量转发给xxx主机的80端口;

3、总结sshd服务常用参数


# This is the sshd server system-wide configuration file.  See
# sshd_config(5) for more information.

# This sshd was compiled with PATH=/usr/local/bin:/usr/bin:/usr/local/sbin:/usr/sbin

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented.  Uncommented options override the
# default value.

# If you want to change the port on a SELinux system, you have to tell
# SELinux about this change.
# semanage port -a -t ssh_port_t -p tcp #PORTNUMBER
#
#修改端口号
#Port 22
#指定sshd可用的地址族,inet4或inet6
#AddressFamily any
#监听的IPv4地址
#ListenAddress 0.0.0.0
#监听的IPv6地址
#ListenAddress ::

#指定SSH使用的私钥文件
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key

# Ciphers and keying
#重新协商会话密钥前允许传输的最大数据量
#RekeyLimit default none

# Logging
#SyslogFacility AUTH
#定义facility code
SyslogFacility AUTHPRIV
#sshd日志的详细级别,默认INFO
#LogLevel INFO

# Authentication:
#用户完成认证的时间上限,超时仍未登录成功则服务器断开本次连接
#LoginGraceTime 2m
#是否允许root通过ssh登录;默认(如Ubuntu)是prohibit-password,即禁止root使用密码和键盘交互式认证,只允许公钥。本配置改为yes后root可用密码登录,生产环境应保留prohibit-password或设为no
PermitRootLogin yes
#是否在接受登录前检查用户home目录及相关文件(如~/.ssh)的属主和权限是否安全
#StrictModes yes
#每连接允许的最大认证尝试,失败次数到一半,后续的尝试都会被log下来
#MaxAuthTries 6
#一次网络连接中,最大允许打开的shell、login、或subsystem会话数量
#MaxSessions 10

#是否允许公钥(密钥)登录,默认允许
#PubkeyAuthentication yes

# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
# but this is overridden so installations will only check .ssh/authorized_keys
#指定公钥认证时在哪个文件中查找用户的公钥
AuthorizedKeysFile  .ssh/authorized_keys


# To disable tunneled clear text passwords, change to no here!
#是否允许密码登录
#PasswordAuthentication yes
#是否允许空密码,默认不允许
#PermitEmptyPasswords no
PasswordAuthentication yes

# Change to no to disable s/key passwords
#是否允许Challenge-response认证
#ChallengeResponseAuthentication yes
ChallengeResponseAuthentication no


# GSSAPI options
#是否允许用户基于GSSAPI认证
GSSAPIAuthentication yes
#用户logout时是否自动销毁用户的credential缓存信息
GSSAPICleanupCredentials no
#GSSAPIStrictAcceptorCheck yes
#GSSAPIKeyExchange no
#GSSAPIEnablek5users no

# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication.  Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
# WARNING: 'UsePAM no' is not supported in Fedora and may cause several
# problems.
#启用PAM接口
UsePAM yes

#是否允许ssh-agent forwarding
#AllowAgentForwarding yes
#是否允许TCP Forwarding,可指定local或remote参数
#AllowTcpForwarding yes
#是否允许其他主机连接到为远程端口转发(-R)绑定的端口,默认不允许(只绑定本机回环地址)
#GatewayPorts no
#是否允许X11 forwarding
X11Forwarding yes
#X11DisplayOffset 10
#X11UseLocalhost yes
#是否允许分配pty
#PermitTTY yes

# It is recommended to use pam_motd in /etc/pam.d/sshd instead of PrintMotd,
# as it is more configurable and versatile than the built-in version.
#用户交互式登录时sshd是否输出/etc/motd
PrintMotd no

#用户交互式登录时是否显示上一次用户登录的日期和时间,默认yes
#PrintLastLog yes
#是否发送tcp keepalive
#TCPKeepAlive yes
#是否处理~/.ssh/environment以及~/.ssh/authorized_keys中通过"environment="指定的环境变量
#PermitUserEnvironment no
#用户登录成功后是否启动压缩
#Compression delayed
#设置没有从客户端收到任何数据的间隔,到期后服务器会自动给客户端发送一个消息并等待响应
#ClientAliveInterval 0
#服务器给客户端发送alive消息后,没有接收到响应的最大次数,超出就会中断当前的ssh会话
#ClientAliveCountMax 3
#sshd是否把客户端IP反向解析为主机名,再把该主机名正向解析回IP并要求与客户端IP一致;关闭后,~/.ssh/authorized_keys中的from=选项只能使用IP地址
#UseDNS no
#包含SSH守护进程ID的文件
#PidFile /var/run/sshd.pid
#最大数量的并发未认证连接,超过的连接将被drop,直到认证成功或者认证尝试全部失败后,空出数量可以给新的连接;
#格式:start:rate:full,当未认证连接超过10个后,以30%的比率开始drop新的未授权尝试;如果总数量到达100,则后续所有请求全drop;
#MaxStartups 10:30:100
#PermitTunnel no
#ChrootDirectory none
#定义除了banner,还额外发送的文本,会附加到banner后面
#VersionAddendum none

# no default banner path
#设置banner,或指定banner文件的路径
#Banner none

# Accept locale-related environment variables
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
AcceptEnv XMODIFIERS

# override default of no subsystems
Subsystem   sftp    /usr/libexec/openssh/sftp-server

# Example of overriding settings on a per-user basis
#Match User anoncvs
#   X11Forwarding no
#   AllowTcpForwarding no
#   PermitTTY no
#   ForceCommand cvs server

4、搭建dhcp服务,实现ip地址申请分发

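#######################################
# Install dhcp-server if missing, write a /24 subnet declaration to
# /etc/dhcp/dhcpd.conf (optionally with one fixed-address host), check
# the file and restart dhcpd.
# Globals:   GREEN, END (defined elsewhere)
# Arguments: $1 - hostname, $2 - MAC address, $3 - fixed IP
#            (all three or none; host block is written only with all three)
#            $4 - optional DNS server handed to clients
#                 (default 202.96.209.133, the previous hard-coded value)
# Outputs:   progress on stdout, errors on stderr
# Returns:   0 on success, 1 on bad input, a config error or a failed restart
#######################################
function dhcp {
  local host=$1 mac=$2 fixip=$3
  local dns=${4:-202.96.209.133}
  local Net prefix
  # The previous test '[ \( rpm -q dhcp-server \) ]' handed literal words to
  # test(1) instead of running rpm, so the package was reinstalled every time.
  if ! rpm -q dhcp-server >/dev/null 2>&1; then
    yum -y install dhcp-server || return 1
  fi
  read -r -p "IP网段设置为多少?(格式:192.168.1.0)" Net
  # The range/router lines below assume a /24 network address ending in .0.
  if [[ ! "$Net" =~ ^([0-9]{1,3}\.){3}0$ ]]; then
    printf '%s\n' "网段格式错误,应为 x.x.x.0" >&2
    return 1
  fi
  # Drop the final ".0" octet to get the prefix (e.g. 192.168.1); the
  # former ${Net:0:-2} only worked for a single-digit last octet.
  prefix=${Net%.*}
  echo -e "${GREEN}准备配置dhcp配置文件...${END}"
  cat > /etc/dhcp/dhcpd.conf <<EOF
subnet $Net netmask 255.255.255.0 {
  range ${prefix}.205 ${prefix}.240;
  option routers ${prefix}.1;
  option domain-name-servers $dns;
  default-lease-time 600;
  max-lease-time 7200;
}
EOF
  if (( $# >= 3 )); then
    cat >> /etc/dhcp/dhcpd.conf <<EOF
host $host {
  hardware ethernet $mac;
  fixed-address $fixip;
}
EOF
  elif (( $# > 0 )); then
    # A partial host spec used to be ignored silently.
    printf '%s\n' "固定地址需要同时给出 主机名 MAC IP 三个参数,已跳过host段" >&2
  fi
  # Validate the generated file before restarting so a bad value does not
  # take the running server down.
  if ! dhcpd -t -cf /etc/dhcp/dhcpd.conf >/dev/null 2>&1; then
    printf '%s\n' "dhcpd.conf 配置检查失败" >&2
    dhcpd -t -cf /etc/dhcp/dhcpd.conf >&2
    return 1
  fi
  if ! systemctl restart dhcpd; then
    printf '%s\n' "dhcpd 重启失败" >&2
    return 1
  fi
}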

# NOTE(review): the MAC passed here (00:0c:09:...) does not match the client's
# MAC shown in dhcpd.leases and ifconfig below (00:0c:29:...). With a
# non-matching hardware address the host block never applies; the .206 entry
# in dhcpd.leases looks like a dynamic lease from the .205-.240 range rather
# than the fixed address — confirm the intended MAC.
dhcp centos7mini-1 00:0c:09:82:25:66 192.168.155.206

Centos 7可以通过DHCP获取到地址

[root@centos8mini-2 ~]# bash aaa.sh
IP网段设置为多少?(格式:192.168.1.0)192.168.155.0
准备配置dhcp配置文件..
[root@centos8mini-2 ~]# cat /var/lib/dhcpd/dhcpd.leases
# The format of this file is documented in the dhcpd.leases(5) manual page.
# This lease file was written by isc-dhcp-4.3.6

# authoring-byte-order entry is generated, DO NOT DELETE
authoring-byte-order little-endian;

server-duid "\000\001\000\001)\034\006\257\000\014)|\244\232";

lease 192.168.155.206 {
  starts 1 2021/11/08 16:02:59;
  ends 1 2021/11/08 16:12:59;
  cltt 1 2021/11/08 16:02:59;
  binding state active;
  next binding state free;
  rewind binding state free;
  hardware ethernet 00:0c:29:82:25:66;
  client-hostname "centos7mini-1";
}

[root@centos7mini-1 ~]# ifconfig
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.155.206  netmask 255.255.255.0  broadcast 192.168.155.255
        inet6 fe80::c765:663a:1e4b:4679  prefixlen 64  scopeid 0x20<link>
        ether 00:0c:29:82:25:66  txqueuelen 1000  (Ethernet)
        RX packets 3110  bytes 585942 (572.2 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 1214  bytes 195547 (190.9 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0