  • Ma Ge (Magedu) blog homework, week 8

    1. Which three parts make up a symmetric encryption process?

     A encrypts the message with the shared key and obtains the ciphertext.

    The ciphertext is transmitted to B.

    B decrypts the ciphertext with the same shared key and recovers the message.

     

    2. Use the aes symmetric cipher in openssl to encrypt the file file.txt, then decrypt it

    openssl enc -e -aes128 -a -in file.txt -out file.aes128 -pass pass:123456

    openssl enc -d -aes128 -a -in file.aes128 -out file_decrypt.txt -pass pass:123456

    Two caveats about this form. -pass pass:123456 puts the passphrase on the command line, where every user on the host can read it from the process list; -pass env:VAR or -pass file:PATH avoids that. Without -pbkdf2, openssl enc derives the key with its legacy EVP_BytesToKey scheme (a single hash of passphrase and salt), and OpenSSL 1.1.1 prints "*** WARNING : deprecated key derivation used" to say so. -a base64-encodes the output, and -aes128 is an alias for aes-128-cbc, which protects confidentiality only: nothing in the output detects modification of the ciphertext.
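The following is an added example, not part of the original post. It performs the same encrypt/decrypt round trip with the two weaknesses above removed: the passphrase is read from the environment variable FILEPASS rather than the command line, and the key is derived with PBKDF2. It also compares the decrypted file byte for byte and shows how a wrong passphrase behaves. It uses aes-256-cbc rather than the aes128 of the commands above; the file names, the sample plaintext and the passphrases are constructed for the example.

```sh
#!/bin/sh
# Added example (not from the original post): AES file encryption with OpenSSL
# using PBKDF2 key derivation and a passphrase taken from the environment.

# aes_encrypt <plaintext-file> <ciphertext-file>
# Passphrase comes from $FILEPASS (must be exported). -salt makes each
# ciphertext unique even for identical input; -iter sets the PBKDF2 cost.
aes_encrypt() {
    openssl enc -e -aes-256-cbc -salt -pbkdf2 -iter 200000 -md sha256 \
        -a -in "$1" -out "$2" -pass env:FILEPASS
}

# aes_decrypt <ciphertext-file> <plaintext-file>
# Same cipher and KDF parameters are mandatory; a wrong passphrase normally
# fails the padding check and makes openssl return non-zero ("bad decrypt").
aes_decrypt() {
    openssl enc -d -aes-256-cbc -pbkdf2 -iter 200000 -md sha256 \
        -a -in "$1" -out "$2" -pass env:FILEPASS
}

# roundtrip_ok <plaintext-file>: encrypt, decrypt, and confirm the result is
# byte-identical to the input. Returns 0 on success, 1 on any failure.
roundtrip_ok() {
    plain=$1
    work=$(mktemp -d) || return 1
    aes_encrypt "$plain" "$work/file.aes" || { rm -rf "$work"; return 1; }
    aes_decrypt "$work/file.aes" "$work/file.dec" || { rm -rf "$work"; return 1; }
    cmp -s "$plain" "$work/file.dec"
    rc=$?
    rm -rf "$work"
    return $rc
}

# wrong_pass_fails <plaintext-file>: encrypt with $FILEPASS, then decrypt with
# a different passphrase. Returns 0 if the wrong passphrase does not yield the
# original plaintext. CBC has no integrity check, so openssl can occasionally
# accept a wrong passphrase and emit garbage with exit 0; the byte comparison
# is what makes this check reliable.
wrong_pass_fails() {
    plain=$1
    work=$(mktemp -d) || return 1
    aes_encrypt "$plain" "$work/file.aes" || { rm -rf "$work"; return 1; }
    ( FILEPASS='not-the-real-passphrase'; export FILEPASS
      aes_decrypt "$work/file.aes" "$work/file.dec" 2>/dev/null ) \
        && cmp -s "$plain" "$work/file.dec" && { rm -rf "$work"; return 1; }
    rm -rf "$work"
    return 0
}

# Demo on a constructed sample file (skipped when openssl is not installed).
if command -v openssl >/dev/null 2>&1; then
    sample=$(mktemp)
    printf 'constructed sample plaintext for the AES round trip\n' > "$sample"
    FILEPASS='use-a-long-random-passphrase-here'
    export FILEPASS
    roundtrip_ok "$sample" && echo "round trip OK"
    wrong_pass_fails "$sample" && echo "wrong passphrase rejected"
    rm -f "$sample"
fi
```

openssl enc offers no authenticated mode (GCM is not supported by the enc command), so a modified ciphertext is only caught by luck at the padding check; if the output must be trusted, add a separate MAC over the ciphertext (for example openssl dgst -sha256 -hmac with a second key) and verify it before decrypting.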

     

    3. Set up a CA and request a certificate

    Lines beginning with // are comments and explanations; the unprompted lines after a command are its standard output (the original post shows them in blue).

     

    // Initialize the environment (csr is where applicants' requests are placed below)
    [root@centos8 ~]# mkdir -pv /etc/pki/CA/{certs,crl,csr,newcerts,private}
    [root@centos8 ~]# touch /etc/pki/CA/index.txt
    [root@centos8 ~]# echo 0F > /etc/pki/CA/serial

     

    // Create the CA private key
    // Settings inside ( ) apply only in the subshell, so the umask does not leak into the current shell; umask 066 makes the new key file unreadable to group and others; -out is where the private key is written; 2048 is the key length in bits
    [root@centos8 ~]# cd /etc/pki/CA
    [root@centos8 CA]# (umask 066; openssl genrsa -out private/cakey.pem 2048)
    Generating RSA private key, 2048 bit long modulus (2 primes)
    .........................................................................................................+++++
    .................+++++
    e is 65537 (0x010001)

     

    // Create the self-signed CA certificate
    // Parameters: req generates a certificate signing request; -x509 outputs a self-signed certificate instead of a request; -days is the validity period in days; -new creates a new request; -key is the private key file; -out is the certificate file location
    [root@centos8 CA]# openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -out /etc/pki/CA/cacert.pem -days 365
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [XX]:CN
    State or Province Name (full name) []:Shanghai
    Locality Name (eg, city) [Default City]:Shanghai
    Organization Name (eg, company) [Default Company Ltd]:Magedu
    Organizational Unit Name (eg, section) []:Linux
    Common Name (eg, your name or your server's hostname) []:gehaibao
    Email Address []:.

     

    // Now request a certificate for app1. First generate app1's private key
    [root@centos8 CA]# mkdir ~/homework/app1
    [root@centos8 CA]# (umask 066; openssl genrsa -out ~/homework/app1/app1.key 2048)
    Generating RSA private key, 2048 bit long modulus (2 primes)
    .................................+++++
    .........+++++
    e is 65537 (0x010001)

     

    // Generate app1's certificate request. Under the default CA policy (policy_match in openssl.cnf) the Country, State/Province and Organization must match the CA certificate exactly, or openssl ca refuses to sign
    [root@centos8 CA]# openssl req -new -key ~/homework/app1/app1.key -out ~/homework/app1/app1.csr
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [XX]:CN
    State or Province Name (full name) []:Shanghai
    Locality Name (eg, city) [Default City]:Shanghai
    Organization Name (eg, company) [Default Company Ltd]:Magedu
    Organizational Unit Name (eg, section) []:Linux
    Common Name (eg, your name or your server's hostname) []:app1
    Email Address []:.

     

    Please enter the following 'extra' attributes
    to be sent with your certificate request
    A challenge password []:
    An optional company name []:

     

    // Send app1's certificate request to the CA (here simply copied into the CA's csr directory)
    [root@centos8 CA]# cp ~/homework/app1/app1.csr /etc/pki/CA/csr/app1.csr

     

    // The CA signs the certificate. Note that Locality is missing from the Subject in the output: the default policy lists only C, ST, O, OU, CN and emailAddress, and any field not listed in the policy is dropped from the issued certificate
    [root@centos8 CA]# openssl ca -in /etc/pki/CA/csr/app1.csr -out /etc/pki/CA/certs/app1.crt -days 365
    Using configuration from /etc/pki/tls/openssl.cnf
    Check that the request matches the signature
    Signature ok
    Certificate Details:
            Serial Number: 15 (0xf)
            Validity
                Not Before: Jul 21 06:58:07 2020 GMT
                Not After : Jul 21 06:58:07 2021 GMT
            Subject:
                countryName               = CN
                stateOrProvinceName       = Shanghai
                organizationName          = Magedu
                organizationalUnitName    = Linux
                commonName                = app1
            X509v3 extensions:
                X509v3 Basic Constraints:
                    CA:FALSE
                Netscape Comment:
                    OpenSSL Generated Certificate
                X509v3 Subject Key Identifier:
                    19:13:A8:FF:10:28:C6:C7:D9:DB:24:05:64:36:95:DD:E3:71:E5:E0
                X509v3 Authority Key Identifier:
                    keyid:FB:98:56:1B:AB:CA:9A:8F:50:FA:BE:92:3B:EB:52:4D:69:09:E6:55

     

    Certificate is to be certified until Jul 21 06:58:07 2021 GMT (365 days)
    Sign the certificate? [y/n]:y

     


    1 out of 1 certificate requests certified, commit? [y/n]y
    Write out database with 1 new entries
    Data Base Updated

     

    // Deliver the signed certificate to app1
    [root@centos8 CA]# cp /etc/pki/CA/certs/app1.crt ~/homework/app1/app1.crt
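The following is an added example, not part of the original post, that runs the same CA workflow non-interactively and adds the check a client would actually perform. It differs from the steps above in three ways: the Distinguished Names are passed with -subj instead of being typed at prompts; signing uses openssl x509 -req with an extension file, so no index.txt, serial or openssl.cnf CA section is needed; and the issued certificate carries a subjectAltName, which modern TLS clients require (they ignore the Common Name). Everything is written under a temporary directory; the hostname app1.example.com, the CA name and the 10-year CA lifetime are assumptions for the example.

```sh
#!/bin/sh
# Added example (not from the original post): a non-interactive mini CA with
# OpenSSL, issuing a server certificate with a SAN and verifying the result.

# make_ca <dir>: CA private key (unreadable to others via umask) plus a
# self-signed CA certificate. "req -x509" applies the v3_ca extensions from
# the default openssl.cnf, which include basicConstraints CA:TRUE.
make_ca() {
    d=$1
    mkdir -p "$d" || return 1
    (umask 077; openssl genrsa -out "$d/cakey.pem" 2048 2>/dev/null) || return 1
    openssl req -new -x509 -sha256 -days 3650 -key "$d/cakey.pem" \
        -subj "/C=CN/ST=Shanghai/L=Shanghai/O=Magedu/OU=Linux/CN=Magedu Example CA" \
        -out "$d/cacert.pem" 2>/dev/null
}

# issue_cert <ca-dir> <out-dir> <hostname>: generate the server key and CSR,
# then sign with the CA. Extensions come from the CA's own extfile, never
# from the CSR, so an applicant cannot grant itself CA:TRUE or extra names.
issue_cert() {
    ca=$1; out=$2; host=$3
    mkdir -p "$out" || return 1
    (umask 077; openssl genrsa -out "$out/$host.key" 2048 2>/dev/null) || return 1
    openssl req -new -sha256 -key "$out/$host.key" \
        -subj "/C=CN/ST=Shanghai/O=Magedu/OU=Linux/CN=$host" \
        -out "$out/$host.csr" 2>/dev/null || return 1
    cat > "$out/$host.ext" <<EOF
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$host
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
EOF
    openssl x509 -req -sha256 -days 365 -in "$out/$host.csr" \
        -CA "$ca/cacert.pem" -CAkey "$ca/cakey.pem" -CAcreateserial \
        -extfile "$out/$host.ext" -out "$out/$host.crt" 2>/dev/null
}

# cert_ok <ca-dir> <cert> <hostname>: what a TLS client does: build the chain
# to the CA and match the name against the SAN. Non-zero on any mismatch.
cert_ok() {
    openssl verify -CAfile "$1/cacert.pem" -verify_hostname "$3" "$2" >/dev/null 2>&1
}

# Demo (skipped when openssl is not installed).
if command -v openssl >/dev/null 2>&1; then
    top=$(mktemp -d)
    make_ca "$top/CA" && issue_cert "$top/CA" "$top/app1" app1.example.com \
        && cert_ok "$top/CA" "$top/app1/app1.example.com.crt" app1.example.com \
        && echo "app1.example.com: chain and hostname OK"
    # The same certificate presented under another name is rejected:
    cert_ok "$top/CA" "$top/app1/app1.example.com.crt" app2.example.com \
        || echo "app2.example.com: hostname mismatch rejected"
    openssl x509 -in "$top/app1/app1.example.com.crt" -noout -subject -dates
    openssl x509 -in "$top/app1/app1.example.com.crt" -noout -text \
        | grep -A1 'Subject Alternative Name' || echo "no SAN found"
    rm -rf "$top"
fi
```

The openssl ca command used above reads its policy and extensions from openssl.cnf and keeps an issuance database, which is what you want for a CA that issues many certificates; openssl x509 -req with an explicit extfile is simpler for a lab and makes it visible that the CA, not the applicant, decides what extensions end up in the certificate.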

     

     

    4. Use a script to set up key-based passwordless login for multiple users

    Assume the following hosts (name:ip):

    Local hosts c1:10.0.0.11, c2:10.0.0.12

    Remote hosts s1:10.0.0.21, s2:10.0.0.22

    For convenience, assume all of them use the username root and the password 123456. The goal is a script auto_ssh.sh such that, after it is run on s1, c1 and c2 can log in to s1 and s2 without a password

     

    // Create the directory /root/auto_ssh

    [root@centos8 ~]# mkdir ~/auto_ssh

     

    // Write the configuration files ssh_client.cfg and ssh_server.cfg, holding the ip, username and password of the local hosts and of the remote hosts respectively (one host per line, space separated)

    [root@centos8 auto_ssh]# cat ssh_client.cfg
    10.0.0.11 root 123456
    10.0.0.12 root 123456
    [root@centos8 auto_ssh]# cat ssh_server.cfg
    10.0.0.21 root 123456
    10.0.0.22 root 123456

    // Write the script auto_ssh.sh. It installs sshpass on s1, then logs in to c1 and c2 and runs the script key_transmit.sh on each of them

    [root@centos8 auto_ssh]# cat auto_ssh.sh

    #!/bin/bash

    # Install sshpass (from EPEL) on this host if it is not present yet
    rpm -q epel-release &> /dev/null || { yum -y install epel-release && echo epel installed; }
    rpm -q sshpass &> /dev/null || { yum -y install sshpass && echo sshpass installed; }

    # Visit each local host in ssh_client.cfg in turn ("ip user password" per line).
    # SSHPASS with -e keeps the password out of the process list, where -p would expose it.
    # accept-new records unknown host keys but still refuses a host whose key has changed.
    # ssh and scp read stdin from /dev/null so they cannot swallow the rest of the cfg file.
    while read -r ip user passwd; do
      echo ip is $ip
      # Copy ssh_server.cfg to the local host
      SSHPASS="$passwd" sshpass -e scp -o StrictHostKeyChecking=accept-new /root/auto_ssh/ssh_server.cfg "$user@$ip":/root < /dev/null
      # Run key_transmit.sh on the local host; the script is fed to bash over stdin
      SSHPASS="$passwd" sshpass -e ssh -o StrictHostKeyChecking=accept-new "$user@$ip" bash -s < /root/auto_ssh/key_transmit.sh
    done < /root/auto_ssh/ssh_client.cfg

    [root@centos8 auto_ssh]# chmod +x auto_ssh.sh

    // Write the script key_transmit.sh. It runs on each local host: it generates a key pair there and copies the public key to every remote host listed in ssh_server.cfg

    [root@centos8 auto_ssh]# cat key_transmit.sh
    #!/bin/bash

    # Install sshpass on this local host
    rpm -q epel-release &> /dev/null || { yum -qy install epel-release && echo epel installed; }
    rpm -q sshpass &> /dev/null || { yum -qy install sshpass && echo sshpass installed; }

    # Generate the key pair if there is none yet. -N '' gives an empty passphrase so
    # ssh-keygen does not prompt: this script has no terminal, it arrives over stdin.
    mkdir -p -m 700 /root/.ssh
    [ -f /root/.ssh/id_rsa.pub ] || { ssh-keygen -q -t rsa -b 2048 -N '' -f /root/.ssh/id_rsa && echo key generated; }

    # Push the public key to every remote host in ssh_server.cfg ("ip user password" per line).
    # < /dev/null stops the ssh session inside ssh-copy-id from consuming the remaining lines.
    while read -r ip user passwd; do
      echo ip is $ip
      if SSHPASS="$passwd" sshpass -e ssh-copy-id -o StrictHostKeyChecking=accept-new -i /root/.ssh/id_rsa.pub "$user@$ip" < /dev/null &> /dev/null; then
        echo key transmitted
      else
        echo "key transmission to $ip failed" >&2
      fi
    done < /root/ssh_server.cfg
    [root@centos8 auto_ssh]# chmod +x key_transmit.sh

    // In the end the directory /root/auto_ssh holds two configuration files and two scripts; running auto_ssh.sh completes the task. Both .cfg files contain plaintext passwords, so keep them mode 600 and remove them once the keys are in place

    [root@centos8 auto_ssh]# ls
    ssh_client.cfg ssh_server.cfg auto_ssh.sh key_transmit.sh
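The following is an added example, not part of the original post. It spells out what ssh-copy-id does on the receiving host, because the "&> /dev/null" in key_transmit.sh hides the two ways that step usually goes wrong: sshd (with its default StrictModes yes) silently ignores authorized_keys when ~/.ssh or the file is group- or world-writable, and re-running the script appends the same key again and again. The functions work on a local directory only, so they run anywhere; the public key line is constructed for the example and is not a real key.

```sh
#!/bin/sh
# Added example (not from the original post): idempotent authorized_keys
# installation with the file modes sshd's StrictModes requires.

# install_pubkey <ssh-dir> <pubkey-line>
# Create <ssh-dir> (700) and authorized_keys (600), then append the key only
# if its type+blob (fields 1 and 2; the comment in field 3 may differ) is not
# already present. Returns 0 if the key is present afterwards.
install_pubkey() {
    dir=$1; key=$2
    type_blob=$(printf '%s\n' "$key" | awk 'NF >= 2 {print $1" "$2}')
    [ -n "$type_blob" ] || return 1
    (umask 077; mkdir -p "$dir" && touch "$dir/authorized_keys") || return 1
    chmod 700 "$dir" && chmod 600 "$dir/authorized_keys" || return 1
    if ! awk -v want="$type_blob" '($1 " " $2) == want {found=1} END {exit !found}' \
            "$dir/authorized_keys"; then
        printf '%s\n' "$key" >> "$dir/authorized_keys" || return 1
    fi
    return 0
}

# key_count <ssh-dir>: number of key entries in authorized_keys (blank and
# comment lines ignored), so callers can confirm repeated installs add nothing.
key_count() {
    awk '!/^[[:space:]]*(#|$)/ {n++} END {print n+0}' "$1/authorized_keys"
}

# ssh_perms_ok <ssh-dir>: 0 if the directory and authorized_keys are neither
# group- nor world-writable, which is what StrictModes checks before a key
# is accepted.
ssh_perms_ok() {
    dir=$1
    [ -d "$dir" ] && [ -f "$dir/authorized_keys" ] || return 1
    bad=$(find "$dir" "$dir/authorized_keys" -maxdepth 0 \
              \( -perm -020 -o -perm -002 \) -print)
    [ -z "$bad" ]
}

# Demo with a constructed key under a temporary directory.
sshdir=$(mktemp -d)/.ssh
KEY='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleExampleExampleExampleExampleExampleEx root@c1'
install_pubkey "$sshdir" "$KEY"
install_pubkey "$sshdir" "$KEY"           # second run must not add a duplicate
echo "entries in authorized_keys: $(key_count "$sshdir")"
ssh_perms_ok "$sshdir" && echo "modes OK: sshd will read the file"
chmod 775 "$sshdir"
ssh_perms_ok "$sshdir" || echo "group-writable .ssh: sshd would ignore the key"
rm -rf "${sshdir%/.ssh}"
```

Before installing a real key, validate it with ssh-keygen -l -f on the file, and after ssh-copy-id runs, test the result with ssh -o BatchMode=yes -o PasswordAuthentication=no user@host true rather than discarding its output: BatchMode makes a failed key login exit non-zero instead of falling back to a password prompt, which is the check the scripts above are missing.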

     

     

     

     

     

  • Original: https://www.cnblogs.com/gehaibao/p/13341389.html