葛海豹


1. Which three steps make up a symmetric encryption process?

A encrypts the message with the key, producing the ciphertext.

The ciphertext is transmitted to B.

B decrypts the ciphertext with the same key, recovering the message.

2. Use the AES symmetric cipher in openssl to encrypt the file file.txt, then decrypt it

openssl enc -e -aes128 -a -in file.txt -out file.aes128 -pass pass:123456

openssl enc -d -aes128 -a -in file.aes128 -out file_decrypt.txt -pass pass:123456
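The same round trip as the two commands above, as an added example that is not part of the original post: it passes -pbkdf2 so the key is derived from the password with a random salt and 100000 PBKDF2 iterations rather than openssl's legacy single-round derivation, and then checks byte for byte that decryption restored the file. It assumes an openssl binary on PATH; the plaintext and the password 123456 are constructed sample values.

```shell
#!/bin/bash
# Added example (not the original post's commands): AES-128-CBC encrypt/decrypt
# round trip with PBKDF2 key derivation, plus a check that the output matches.
# Assumes openssl on PATH; plaintext and password are constructed sample values.
aes_roundtrip() {
    local d; d=$(mktemp -d) || return 1
    printf 'constructed sample plaintext\n' > "$d/file.txt"
    # -e encrypt, -a base64-armour the output; -aes-128-cbc is what -aes128 expands to;
    # -pbkdf2 -iter replaces the legacy EVP_BytesToKey derivation used when they are absent
    openssl enc -e -aes-128-cbc -a -pbkdf2 -iter 100000 \
        -in "$d/file.txt" -out "$d/file.aes128" -pass pass:123456 || return 1
    # the armoured ciphertext must not carry the plaintext through
    grep -q 'constructed sample' "$d/file.aes128" && return 1
    # decryption needs the same cipher, armour and KDF settings as encryption
    openssl enc -d -aes-128-cbc -a -pbkdf2 -iter 100000 \
        -in "$d/file.aes128" -out "$d/file_decrypt.txt" -pass pass:123456 || return 1
    cmp -s "$d/file.txt" "$d/file_decrypt.txt"
    rc=$?
    rm -rf "$d"
    return $rc
}
```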

 

3. Set up a CA and request a certificate

Lines beginning with // are comments and explanations; blue text marks standard output.

//Initialize the environment (the csr directory is created here as well, since the request is copied into it later)
[root@centos8 ~]# mkdir -pv /etc/pki/CA/{certs,crl,newcerts,private,csr}
[root@centos8 ~]# touch /etc/pki/CA/index.txt
[root@centos8 ~]# echo 0F > /etc/pki/CA/serial

 

 

//Create the CA private key
//Settings inside () take effect only in the subshell; umask sets the file-creation mask; -out gives the path of the generated private key; 2048 is the key length in bits
[root@centos8 ~]# cd /etc/pki/CA
[root@centos8 CA]# (umask 066; openssl genrsa -out private/cakey.pem 2048)
Generating RSA private key, 2048 bit long modulus (2 primes)
.........................................................................................................+++++
.................+++++
e is 65537 (0x010001)

 

 

//Create the self-signed CA certificate
//Options: req: generate a certificate signing request; -x509: output a self-signed certificate instead of a request; -days: validity period in days; -new: new request; -key: private key file; -out: where to write the certificate
[root@centos8 CA]# openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -out /etc/pki/CA/cacert.pem -days 365
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:Shanghai
Locality Name (eg, city) [Default City]:Shanghai
Organization Name (eg, company) [Default Company Ltd]:Magedu
Organizational Unit Name (eg, section) []:Linux
Common Name (eg, your name or your server's hostname) []:gehaibao
Email Address []:.

 

 

//Next, request a certificate for app1; first generate app1's key
[root@centos8 CA]# mkdir ~/homework/app1
[root@centos8 CA]# (umask 066; openssl genrsa -out ~/homework/app1/app1.key 2048)
Generating RSA private key, 2048 bit long modulus (2 primes)
.................................+++++
.........+++++
e is 65537 (0x010001)

 

 

//Generate app1's certificate request; by default the country, state/province and organization must match the CA's
[root@centos8 CA]# openssl req -new -key ~/homework/app1/app1.key -out ~/homework/app1/app1.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:Shanghai
Locality Name (eg, city) [Default City]:Shanghai
Organization Name (eg, company) [Default Company Ltd]:Magedu
Organizational Unit Name (eg, section) []:Linux
Common Name (eg, your name or your server's hostname) []:app1
Email Address []:.

 

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

 

 

//Send app1's certificate request to the CA
[root@centos8 CA]# cp ~/homework/app1/app1.csr /etc/pki/CA/csr/app1.csr

 

 

//The CA signs the certificate
[root@centos8 CA]# openssl ca -in /etc/pki/CA/csr/app1.csr -out /etc/pki/CA/certs/app1.crt -days 365
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 15 (0xf)
Validity
Not Before: Jul 21 06:58:07 2020 GMT
Not After : Jul 21 06:58:07 2021 GMT
Subject:
countryName = CN
stateOrProvinceName = Shanghai
organizationName = Magedu
organizationalUnitName = Linux
commonName = app1
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
19:13:A8:FF:10:28:C6:C7:D9:DB:24:05:64:36:95:DD:E3:71:E5:E0
X509v3 Authority Key Identifier:
keyid:FB:98:56:1B:AB:CA:9A:8F:50:FA:BE:92:3B:EB:52:4D:69:09:E6:55

 

Certificate is to be certified until Jul 21 06:58:07 2021 GMT (365 days)
Sign the certificate? [y/n]:y

 


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

 

 

//Send the certificate to app1
[root@centos8 CA]# cp /etc/pki/CA/certs/app1.crt ~/homework/app1/app1.crt
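The CA procedure above redone in a throwaway directory, as an added example that is not part of the original post, followed by the checks a relying party runs on the issued certificate. Both certificates are produced with "openssl x509 -req" (so no openssl.cnf database, index.txt or serial is needed) and the only difference between CA and leaf is the basicConstraints extension each receives; it assumes an openssl binary on PATH, and the subjects and file names are constructed.

```shell
#!/bin/bash
# Added example (not the original post's session): throwaway CA, leaf issuance
# for app1, and verification of the result. Assumes openssl on PATH.
ca_sign_and_verify() {
    local d; d=$(mktemp -d) || return 1
    local base="/C=CN/ST=Shanghai/L=Shanghai/O=Magedu/OU=Linux"
    # CA: private key and a self-signed certificate marked CA:TRUE
    (umask 066; openssl genrsa -out "$d/cakey.pem" 2048 2>/dev/null) || return 1
    openssl req -new -key "$d/cakey.pem" -subj "$base/CN=gehaibao" -out "$d/ca.csr" || return 1
    printf 'basicConstraints=critical,CA:TRUE\n' > "$d/ca.ext"
    openssl x509 -req -in "$d/ca.csr" -signkey "$d/cakey.pem" -days 365 \
        -extfile "$d/ca.ext" -out "$d/cacert.pem" 2>/dev/null || return 1
    # app1: private key and certificate signing request
    (umask 066; openssl genrsa -out "$d/app1.key" 2048 2>/dev/null) || return 1
    openssl req -new -key "$d/app1.key" -subj "$base/CN=app1" -out "$d/app1.csr" || return 1
    # the CA signs app1's request; the leaf gets CA:FALSE, as in the output above
    printf 'basicConstraints=CA:FALSE\n' > "$d/app1.ext"
    openssl x509 -req -in "$d/app1.csr" -CA "$d/cacert.pem" -CAkey "$d/cakey.pem" \
        -CAcreateserial -days 365 -extfile "$d/app1.ext" -out "$d/app1.crt" 2>/dev/null || return 1
    # check 1: app1.crt chains to cacert.pem
    openssl verify -CAfile "$d/cacert.pem" "$d/app1.crt" >/dev/null || return 1
    # check 2: the subject is the one that was requested
    openssl x509 -in "$d/app1.crt" -noout -subject | grep -q 'CN *= *app1' || return 1
    # check 3: the leaf cannot itself act as an issuer
    openssl x509 -in "$d/app1.crt" -noout -text | grep -q 'CA:FALSE' || return 1
    # check 4: the certified public key really belongs to app1.key
    [ "$(openssl x509 -in "$d/app1.crt" -noout -pubkey)" = \
      "$(openssl pkey -in "$d/app1.key" -pubout)" ] || return 1
    rm -rf "$d"
}
```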

 

 

4. Use a script to set up key-based, password-less login for multiple users

Assume the following hosts (name:ip):

Local hosts c1:10.0.0.11, c2:10.0.0.12

Remote hosts s1:10.0.0.21, s2:10.0.0.22

For convenience, assume the username and password on all of them are root and 123456. The goal is a script auto_ssh.sh such that, after it is run on s1, c1 and c2 can log in to s1 and s2 without a password.

 

//Create the directory /root/auto_ssh

[root@centos8 ~]# mkdir ~/auto_ssh

 

//Write the configuration files ssh_client.cfg and ssh_server.cfg, which hold the ip, username and password of the local hosts and of the remote hosts respectively

[root@centos8 auto_ssh]# cat ssh_client.cfg
10.0.0.11 root 123456
10.0.0.12 root 123456
[root@centos8 auto_ssh]# cat ssh_server.cfg
10.0.0.21 root 123456
10.0.0.22 root 123456

 

//Write the script auto_ssh.sh; it installs sshpass on s1, then logs in to c1 and c2 and runs key_transmit.sh on them

[root@centos8 auto_ssh]# cat auto_ssh.sh

#!/bin/bash

#Install sshpass (grouped with { } so "installed" is only printed when an install actually ran)
rpm -q epel-release &> /dev/null || { yum -y install epel-release && echo epel installed; }
rpm -q sshpass &> /dev/null || { yum -y install sshpass && echo sshpass installed; }

#Configure each local host listed in ssh_client.cfg in turn (fields: ip user password)
while read -r ip user passwd; do
  echo ip is $ip
  #Copy ssh_server.cfg to the local host
  #StrictHostKeyChecking=no accepts whatever host key is presented, even a changed one;
  #on OpenSSH 7.6+ accept-new trusts only keys seen for the first time
  sshpass -p "$passwd" scp -o StrictHostKeyChecking=no /root/auto_ssh/ssh_server.cfg "$user@$ip":/root
  #Run key_transmit.sh on the local host; it is fed over stdin, so the loop's own stdin (the cfg file) is not consumed
  sshpass -p "$passwd" ssh -o StrictHostKeyChecking=no "$user@$ip" bash -s < /root/auto_ssh/key_transmit.sh
done < /root/auto_ssh/ssh_client.cfg

[root@centos8 auto_ssh]# chmod +x auto_ssh.sh

 

//Write the script key_transmit.sh; it generates a key pair on the local host and copies the public key to every remote host listed in ssh_server.cfg

[root@centos8 auto_ssh]# cat key_transmit.sh
#!/bin/bash

#Install sshpass on the local host
rpm -q epel-release &> /dev/null || { yum -qy install epel-release && echo epel installed; }
rpm -q sshpass &> /dev/null || { yum -qy install sshpass && echo sshpass installed; }

#Generate the key pair; -N '' sets an empty passphrase so ssh-keygen does not prompt
#(the script runs over "bash -s" without a terminal, where a passphrase prompt would fail)
[ -f /root/.ssh/id_rsa.pub ] || { ssh-keygen -q -t rsa -f /root/.ssh/id_rsa -N '' && echo key generated; }

#Copy the public key to every remote host
while read -r ip user passwd; do
  echo ip is $ip
  if sshpass -p "$passwd" ssh-copy-id -o StrictHostKeyChecking=no -i /root/.ssh/id_rsa.pub "$user@$ip" &> /dev/null; then
    echo key transmitted
  else
    echo key transmission to $ip failed
  fi
done < /root/ssh_server.cfg
[root@centos8 auto_ssh]# chmod +x key_transmit.sh

 

//In the end the directory /root/auto_ssh holds two configuration files and two scripts; running auto_ssh.sh accomplishes the goal

[root@centos8 auto_ssh]# ls
ssh_client.cfg ssh_server.cfg auto_ssh.sh key_transmit.sh
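The remote half of ssh-copy-id, which key_transmit.sh triggers on each server, reproduced against a temporary home directory as an added example that is not part of the original post. It lets two properties of the procedure be checked offline: re-running it never duplicates a key, and ~/.ssh and authorized_keys end up with the modes sshd's StrictModes requires; the key lines are constructed placeholders, not real public keys.

```shell
#!/bin/bash
# Added example (not the original post's scripts): what ssh-copy-id does on the
# remote host, run locally against a temp directory. Key lines are constructed.
install_pubkey() {
    local home="$1" key="$2"
    local sshdir="$home/.ssh" auth="$home/.ssh/authorized_keys"
    # sshd (StrictModes yes, the default) ignores the file if it or ~/.ssh is
    # group/world writable, so create both with tight modes
    mkdir -p -m 700 "$sshdir" || return 1
    touch "$auth" && chmod 600 "$auth" || return 1
    # append only when the exact key line is absent (-x whole line, -F literal)
    grep -qxF "$key" "$auth" || printf '%s\n' "$key" >> "$auth"
}

# number of keys installed and the mode of authorized_keys, e.g. "2 600"
key_summary() {
    echo "$(grep -c . "$1/.ssh/authorized_keys") $(stat -c '%a' "$1/.ssh/authorized_keys")"
}

# the installer as auto_ssh.sh would drive it if run twice for c1 and once for c2
demo() {
    local home; home=$(mktemp -d) || return 1
    local k1='ssh-rsa AAAAB3Nza-constructed-placeholder-key-c1 root@c1'
    local k2='ssh-rsa AAAAB3Nza-constructed-placeholder-key-c2 root@c2'
    install_pubkey "$home" "$k1" && install_pubkey "$home" "$k1" \
        && install_pubkey "$home" "$k2" || return 1
    key_summary "$home"
    rm -rf "$home"
}
```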

 

 

 

 

 

 

posted on 2020-07-21 21:24  葛海豹  reads (136)  comments (0)