第八周作业
1、创建私有CA并进行证书申请。
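# Create the CA directory layout that openssl.cnf's `dir` setting points at.
# NOTE(review): /etc/pki/CA is the default on RHEL/CentOS; Debian/Ubuntu default to
# ./demoCA, so adjust openssl.cnf (or pass -config) on those distributions.
mkdir -pv /etc/pki/CA/{certs,crl,newcerts,private}
# index.txt and serial are required by `openssl ca` when issuing certificates.
touch /etc/pki/CA/index.txt
# serial is hex with an even number of digits; 0F becomes the serial of the first
# certificate issued. Sequential serials are acceptable for a lab CA; public-CA
# practice is unpredictable serials (OpenSSL 1.1.1+ offers `openssl ca -rand_serial`).
echo 0F > /etc/pki/CA/serial
# (The two `openssl ca -in /data/app1/app1.csr ...` lines that sat here in the original
#  were a misplaced duplicate of the issuance step: at this point neither the CA key,
#  the CA certificate nor the CSR exists, so they can only fail. Issuance happens later.)
# Generate the CA private key.
cd /etc/pki/CA/
# umask 066 inside a subshell makes the key file 0600 without changing the caller's umask.
# -aes256 encrypts the key at rest; the later `openssl req`/`openssl ca` commands will
# prompt for the passphrase. An unencrypted CA key on disk means anyone who can read it
# can mint certificates trusted by every client that installed cacert.pem.
(umask 066; openssl genrsa -aes256 -out private/cakey.pem 2048)
# Issue the CA's own self-signed certificate (10 years); it must outlive every
# certificate it signs.
openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -days 3650 -out /etc/pki/CA/cacert.pem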
#查看证书信息
Linux系统上查看:openssl x509 -in /etc/pki/CA/cacert.pem -noout -text
Windows系统上查看:sz /etc/pki/CA/cacert.pem (将文件cacert.pem传到windows上,修改文件名为cacert.pem.crt即可查看)
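# Generate the certificate signing request (CSR).
# Prerequisite: the server key /data/app1/app1.key must already exist. The original
# page never shows its creation, so create it here (mode 0600) if it is missing.
[[ -f /data/app1/app1.key ]] || (umask 066; mkdir -p /data/app1; openssl genrsa -out /data/app1/app1.key 2048)
# Interactive DN prompts follow (transcript below). Under the default policy_match in
# openssl.cnf, Country, State/Province and Organization must equal the CA's values or
# `openssl ca` will refuse the request.
# NOTE(review): browsers ignore CN and require a subjectAltName, and `openssl ca` drops
# CSR extensions unless copy_extensions is enabled in openssl.cnf; for a TLS server cert
# add a SAN (e.g. `-addext "subjectAltName=DNS:app1.magedu.org"` on OpenSSL 1.1.1+, or
# an -extfile at signing time).
openssl req -new -key /data/app1/app1.key -out /data/app1/app1.csr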
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:beijing
Locality Name (eg, city) [Default City]:bj
Organization Name (eg, company) [Default Company Ltd]:magedu
Organizational Unit Name (eg, section) []:it
Common Name (eg, your name or your server's hostname) []:app1.magedu.org
Email Address []:root@magedu.org
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
注:在默认 openssl.cnf 的 policy_match 策略下,有三项内容必须和CA证书一致:国家(C)、省份(ST)、组织(O),否则 openssl ca 会拒绝签发;Common Name 应填写服务器的主机名(现代浏览器还要求 subjectAltName,见签发步骤的说明)。
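# The CA signs the CSR. Interactive: confirm the DN, then answer "y" twice.
# Validity is 1000 days; the CA certificate (3650 days) must outlive it.
# NOTE(review): `openssl ca` discards the CSR's extensions (including subjectAltName)
# unless copy_extensions is set in the [ CA_default ] section of openssl.cnf. Browsers
# require a SAN for TLS server certificates, so either enable copy_extensions or pass
# the extensions at signing time with -extfile.
openssl ca -in /data/app1/app1.csr -out /etc/pki/CA/certs/app1.crt -days 1000
# Confirm the issued certificate actually chains to this CA before deploying it.
openssl verify -CAfile /etc/pki/CA/cacert.pem /etc/pki/CA/certs/app1.crt
# Check the status of the certificate with a given serial (0F is the first serial from
# /etc/pki/CA/serial, i.e. app1.crt). The status comes from index.txt: V=valid,
# R=revoked, E=expired.
openssl ca -status 0F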
2、总结ssh常用参数、用法
#格式
ssh [user@]host [COMMAND]
ssh [-l user] host [COMMAND]
#选项
-p port #远程服务器监听的端口
-b #指定连接的源IP
-v #调试模式
-C #压缩方式
-X #支持x11转发
-t #强制伪tty分配,如:ssh -t remoteserver1 ssh -t remoteserver2 ssh remoteserver3
-o option 如:-o StrictHostKeyChecking=no (注意:设为 no 后,主机密钥发生变化也不再告警,等于放弃了对中间人攻击的唯一防护;只是想跳过首次连接的询问应使用 StrictHostKeyChecking=accept-new,OpenSSH 7.6 起支持)
-i <file> #指定私钥文件路径,实现基于key验证,默认使用文件: ~/.ssh/id_dsa, ~/.ssh/id_ecdsa, ~/.ssh/id_ed25519,~/.ssh/id_rsa等(注:DSA 密钥自 OpenSSH 7.0 起默认禁用,新建密钥建议使用 ed25519)
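# Examples
# Connect to a host whose sshd listens on a non-default port
ssh -p 8796 10.0.0.150
# Skip the interactive host-key question on first connection.
# SECURITY: the original set `StrictHostKeyChecking no`. That value also accepts a
# CHANGED host key, which removes the client's only defence against a man-in-the-middle
# on the path. `accept-new` (OpenSSH 7.6+) records unknown keys silently but still
# rejects a key that differs from known_hosts. Use `no` only on throwaway lab networks.
sed -i.bak '/StrictHostKeyChecking/s/.*/StrictHostKeyChecking accept-new/' /etc/ssh/ssh_config
# Apply the same change on a remote host. (This line was truncated in the original;
# the remote command must be quoted as one argument, the inner single quotes pass
# through to the remote shell.)
ssh 10.0.0.8 "sed -i.bak '/StrictHostKeyChecking/s/.*/StrictHostKeyChecking accept-new/' /etc/ssh/ssh_config"
# Per-connection alternative that leaves the system-wide client config untouched:
ssh -o StrictHostKeyChecking=accept-new 10.0.0.150
# Hop through several hosts in turn; -t forces a pty so each inner ssh can prompt.
ssh -t 10.0.0.150 ssh -t 10.0.0.151 ssh 10.0.0.152
# Modern equivalent (OpenSSH 7.3+): ProxyJump keeps the session end-to-end encrypted
# and the private key never leaves the client: ssh -J 10.0.0.150,10.0.0.151 10.0.0.152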
3、总结sshd服务常用参数。
#常用参数
Port #生产建议修改
ListenAddress ip
LoginGraceTime 2m
PermitRootLogin yes #默认ubuntu不允许root远程ssh登录;OpenSSH 7.0 起上游默认值为 prohibit-password(root 只能用密钥登录),生产环境建议设为 no 或 prohibit-password,避免 root 口令被暴力破解
StrictModes yes #检查.ssh/文件的所有者,权限等
MaxAuthTries 6 #指定每个连接的最大认证尝试次数(默认6;加固时可降到3,并配合 fail2ban 之类的封禁工具)
MaxSessions 10 #同一个连接最大会话
PubkeyAuthentication yes #基于key验证
PermitEmptyPasswords no #空密码连接
PasswordAuthentication yes #基于用户名和密码连接;密钥部署完成后生产环境建议改为 no,只保留 PubkeyAuthentication,杜绝口令暴力破解
GatewayPorts no
ClientAliveInterval 10 #单位:秒
ClientAliveCountMax 3 #默认3
UseDNS no #对客户端地址做反向解析后再正向核对,只影响日志和 from= 限制;OpenSSH 6.8 起默认已是 no,设为 yes 会拖慢登录,如发行版配置里是 yes 可改为 no
GSSAPIAuthentication yes #提高速度可改为no
MaxStartups #未认证连接最大值,默认值10
Banner /path/file
4、搭建dhcp服务,实现ip地址申请分发
# dhcp软件安装
yum -y install dhcp   #CentOS 7 的包名为 dhcp(文档目录 /usr/share/doc/dhcp-4.2.5);CentOS 8/Rocky 等为 dhcp-server(文档目录 /usr/share/doc/dhcp-server),下面两处路径分别对应这两个版本
#查询dhcp主要相关文件
/usr/sbin/dhcpd #dhcp服务主程序
/etc/dhcp/dhcpd.conf #dhcp服务配置文件
/usr/share/doc/dhcp-server/dhcpd.conf.example #dhcp服务配置范例文件
/usr/lib/systemd/system/dhcpd.service #dhcp服务service文件
/var/lib/dhcpd/dhcpd.leases #地址分配记录
#客户端包dhcp-client
/usr/sbin/dhclient #客户端程序
/var/lib/dhclient #自动获取的IP信息
#参考配置样例
/usr/share/doc/dhcp-4.2.5/dhcpd.conf.example
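# dhcpd.conf parameters: global options first, then per-subnet and per-host overrides.
# NOTE(review): declare this server authoritative for its subnets. Without it dhcpd
# stays silent instead of sending DHCPNAK to clients that request an address it does
# not own, so stale or rogue leases linger; the stock dhcpd.conf.example says to
# uncomment it on the network's official DHCP server.
authoritative;
option domain-name "test.net";
option domain-name-servers 180.76.76.76, 223.5.5.5;
default-lease-time 600;   # seconds, used when the client does not ask for a lease length
max-lease-time 7200;      # seconds, upper bound on what a client may request
# dhcpd logs through syslog facility local7 (commonly routed to /var/log/messages on
# RHEL-type systems, check rsyslog). /var/lib/dhcpd/dhcpd.leases is the lease database,
# not the log.
log-facility local7;
subnet 10.0.0.0 netmask 255.255.255.0 {
range 10.0.0.10 10.0.0.100;
range 10.0.0.110 10.0.0.200;
option routers 10.0.0.2;
# PXE: next-server is the TFTP host, filename the boot loader it serves.
# TFTP/PXE has no authentication or integrity check, so whoever answers DHCP on this
# segment decides what the client boots: keep PXE segments isolated and enable DHCP
# snooping on the access switches.
next-server 10.0.0.150;
filename "pxelinux.0";
}
# Static reservation keyed on the client's MAC. A MAC is trivially spoofed, so this is an
# addressing convenience, not access control. Host-scope settings override subnet ones.
# 10.0.0.106 lies outside both dynamic ranges above (10-100 and 110-200), as it must.
host testclient {
hardware ethernet d4:be:d9:ee:2d:eb;
fixed-address 10.0.0.106;
default-lease-time 86400;
max-lease-time 864000;
option routers 10.0.0.254;
option domain-name-servers 114.114.114.114,8.8.8.8 ;
option domain-name "testdhcp.net";
}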
# Other dhcpd.conf options (PXE network boot)
# next-server: IP address of the server that provides the boot file (TFTP)
# filename: name of the boot file the client fetches
# NOTE(review): next-server (192.168.1.100) is not inside the subnet being served
# (192.168.100.0/24); that is legal, but clients must be able to reach it through
# `option routers`. PXE/TFTP carries no authentication or integrity protection, so a
# rogue DHCP or TFTP server on the same segment can hand clients an arbitrary boot
# loader: isolate provisioning networks and enable DHCP snooping / port security.
subnet 192.168.100.0 netmask 255.255.255.0 {
range 192.168.100.10 192.168.100.100;
range 192.168.100.150 192.168.100.200;
option routers 192.168.100.1;
next-server 192.168.1.100; #TFTP server address
filename "pxelinux.0"; #name of the boot loader file
}
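# Watch a client go through the DHCP exchange (DISCOVER/OFFER/REQUEST/ACK) in the
# foreground instead of daemonising.
dhclient -d
# Client side: the leases this client has obtained
ls /var/lib/dhclient/
cat /var/lib/dhclient/dhclient.leases
# Server side: dhcpd.leases is the lease DATABASE (every lease handed out), not the log.
# The original labelled it "server log"; the actual log lines go to syslog facility
# local7 (set by log-facility in dhcpd.conf). On a systemd host read them with
# journalctl; otherwise grep the syslog file (commonly /var/log/messages on RHEL-type
# systems).
tail -f /var/lib/dhcpd/dhcpd.leases
journalctl -u dhcpd -f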
#范例: DHCP服务器给指定主机分配固定IP
vim /etc/dhcp/dhcpd.conf
# Give one host a fixed address: the subnet's dynamic pools plus a host reservation.
subnet 10.0.0.0 netmask 255.255.255.0 {
range 10.0.0.50 10.0.0.100;
range 10.0.0.150 10.0.0.200;
option routers 10.0.0.2;
next-server 10.0.0.150;
filename "pxelinux.0";
}
# Reservation keyed on the client's MAC. 10.0.0.101 is outside both pools above
# (50-100 and 150-200), so it can never be handed to another client. A MAC address is
# not a credential (easily spoofed); do not base firewall or access rules on this
# reservation alone.
host test {
hardware ethernet d4:be:d9:ee:2d:eb;
fixed-address 10.0.0.101;
}