zoukankan      html  css  js  c++  java
  • The Eighth week (Lucklyzpp)

    The Eighth week (Lucklyzpp)
          人的一切行动,都产生于“愿望”,如果不想,任何事都不可能在现实出现,有了想法,坚持下去,总会看见——曙光

    1、创建私有CA并进行证书申请。

    [13:27:23 root@lucklyzpp8 ~]#mkdir -pv /etc/pki/CA/{certs,crl,newcerts,private}
    mkdir: 已创建目录 '/etc/pki/CA'
    mkdir: 已创建目录 '/etc/pki/CA/certs'
    mkdir: 已创建目录 '/etc/pki/CA/crl'
    mkdir: 已创建目录 '/etc/pki/CA/newcerts'
    mkdir: 已创建目录 '/etc/pki/CA/private'
    [14:22:01 root@lucklyzpp8 ~]#tree /etc/pki/CA/
    /etc/pki/CA/
    ├── certs
    ├── crl
    ├── newcerts
    └── private
    [14:22:10 root@lucklyzpp8 ~]#touch /etc/pki/CA/index.txt
    [14:22:20 root@lucklyzpp8 ~]##echo 0F > /etc/pki/CA/serial
    [14:22:28 root@lucklyzpp8 ~]##openssl ca -in /data/app1/app1.csr -out
    [14:23:01 root@lucklyzpp8 ~]##openssl ca -in /data/app1/app1.csr -out /etc/pk
    pkcs11/ pki/    
    [14:23:01 root@lucklyzpp8 ~]##openssl ca -in /data/app1/app1.csr -out /etc/pki/CA/certs/app1.crt -days 1000

    "创建CA的私钥"

    [14:24:21 root@lucklyzpp8 ~]#cd /etc/pki/CA/
    [14:24:30 root@lucklyzpp8 CA]#(umask 066; openssl genrsa -out private/cakey.pem 2048)
    14:24:39 root@lucklyzpp8 CA]#tree
    .
    ├── certs
    ├── crl
    ├── index.txt
    ├── newcerts
    └── private
        └── cakey.pem
    [14:24:51 root@lucklyzpp8 CA]#ll private/
    总用量 4
    -rw------- 1 root root 1679 10月 29 14:24 cakey.pem

    给CA颁发自签名证书

    [14:25:18 root@lucklyzpp8 CA]#openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -days 3650 -out /etc/pki/CA/cacert.pem
    Country Name (2 letter code) [XX]:CN
    State or Province Name (full name) []:zhengzhou
    Locality Name (eg, city) [Default City]:zhengzhou
    Organization Name (eg, company) [Default Company Ltd]:zhengpp
    Organizational Unit Name (eg, section) []:devops
    Common Name (eg, your name or your server's hostname) []:ca.zheng.org
    Email Address []:admin@zheng.org  
    [14:27:29 root@lucklyzpp8 CA]#tree
    .
    ├── cacert.pem
    ├── certs
    ├── crl
    ├── index.txt
    ├── newcerts
    └── private
        └── cakey.pem
    [14:27:33 root@lucklyzpp8 CA]#ll
    总用量 4
    -rw-r--r-- 1 root root 1448 10月 29 14:27 cacert.pem
    drwxr-xr-x 2 root root    6 10月 29 14:22 certs
    drwxr-xr-x 2 root root    6 10月 29 14:22 crl
    -rw-r--r-- 1 root root    0 10月 29 14:22 index.txt
    drwxr-xr-x 2 root root    6 10月 29 14:22 newcerts
    drwxr-xr-x 2 root root   23 10月 29 14:24 private
    [14:27:51 root@lucklyzpp8 CA]##openssl x509 -in /etc/pki/CA/cacert.pem -noout -text
    [14:28:06 root@lucklyzpp8 CA]#sz cacert.pem 

    用户生成私钥和证书申请

    [14:35:39 root@lucklyzpp8 CA]#mkdir /data/app1
    [14:35:51 root@lucklyzpp8 CA]#(umask 066; openssl genrsa -out   /data/app1/app1.key 2048)
    Generating RSA private key, 2048 bit long modulus (2 primes)
    ....................................................................+++++

    生成证书申请文件

    [14:51:13 root@lucklyzpp8 app1]#openssl ca -in /data/app1/app1.csr -out /etc/pki/CA/certs/app1.crt
    Using configuration from /etc/pki/tls/openssl.cnf
    Check that the request matches the signature
    Signature ok
    Certificate Details:
            Serial Number: 15 (0xf)
            Validity
                Not Before: Oct 29 06:54:21 2021 GMT
                Not After : Oct 29 06:54:21 2022 GMT
            Subject:
                countryName               = CN
                stateOrProvinceName       = zhengzhou
                organizationName          = zhengpp
                organizationalUnitName    = devops
                commonName                = app1.zheng.org
                emailAddress              = root@zheng.org
            X509v3 extensions:
                X509v3 Basic Constraints: 
                    CA:FALSE
                Netscape Comment: 
                    OpenSSL Generated Certificate
                X509v3 Subject Key Identifier: 
                    07:DE:7C:D0:98:A3:3E:31:08:96:88:D0:D2:9D:74:E7:01:4F:96:CC
                X509v3 Authority Key Identifier: 
                    keyid:F2:4E:BC:7C:F6:54:ED:61:27:5E:0A:E6:83:D7:26:40:7C:12:78:31
    
    Certificate is to be certified until Oct 29 06:54:21 2022 GMT (365 days)
    Sign the certificate? [y/n]:y
    1 out of 1 certificate requests certified, commit? [y/n]y
    
    [14:55:21 root@lucklyzpp8 ~]##openssl ca -in /data/app1/app1.csr -out /etc/pki/CA/certs/app1.crt -days 1000
    [14:56:01 root@lucklyzpp8 ~]#tree /etc/pki/CA/
    /etc/pki/CA/
    ├── cacert.pem
    ├── certs
    │?? └── app1.crt
    ├── crl
    ├── index.txt
    ├── index.txt.attr
    ├── index.txt.old
    ├── newcerts
    │?? └── 0F.pem
    ├── private
    │?? └── cakey.pem
    ├── serial
    └── serial.old
    
    4 directories, 9 files
    
    [14:56:40 root@lucklyzpp8 ~]#cat /etc/pki/CA/certs/app1.crt 
    [14:57:07 root@lucklyzpp8 ~]#openssl x509 -in /etc/pki/CA/certs/app1.crt -noout -text
    
    
    [14:57:44 root@lucklyzpp8 ~]#openssl x509 -in /etc/pki/CA/certs/app1.crt -noout -issuer
    issuer=C = CN, ST = zhengzhou, L = zhengzhou, O = zhengpp, OU = devops, CN = ca.zheng.org, emailAddress = admin@zheng.org
    [14:57:46 root@lucklyzpp8 ~]#openssl x509 -in /etc/pki/CA/certs/app1.crt -noout -subject
    subject=C = CN, ST = zhengzhou, O = zhengpp, OU = devops, CN = app1.zheng.org, emailAddress = root@zheng.org
    [14:58:17 root@lucklyzpp8 ~]#openssl x509 -in /etc/pki/CA/certs/app1.crt -noout -serial
    serial=0F

    #验证指定编号对应证书的有效性

    [14:58:53 root@lucklyzpp8 ~]#openssl ca -status 0F
    [14:58:59 root@lucklyzpp8 ~]#cat /etc/pki/CA/index.txt
    [14:59:19 root@lucklyzpp8 ~]#cat /etc/pki/CA/serial
    [14:59:46 root@lucklyzpp8 ~]#cat /etc/pki/CA/serial.old 

    将证书相关文件发送到用户端使用

    [15:01:56 root@lucklyzpp8 ~]#cp /etc/pki/CA/certs/app1.crt /data/app1/
    [15:02:05 root@lucklyzpp8 ~]#tree /data/app1/
    /data/app1/
    ├── app1.crt
    ├── app1.csr
    └── app1.key
    [15:04:43 root@lucklyzpp8 data]#sz app1/app1.crt 

    证书吊销

    [15:14:57 root@lucklyzpp8 data]#openssl ca -revoke /etc/pki/CA/newcerts/0F.pem 
    [15:42:23 root@lucklyzpp8 data]#cat /etc/pki/CA/index.txt
    R    221029065421Z    211029074223Z    0F    unknown    /C=CN/ST=zhengzhou/O=zhengpp/OU=devops/CN=app1.zheng.org/emailAddress=root@zheng.org
    生成证书吊销列表文件
    [15:43:51 root@lucklyzpp8 data]#echo 01 > /etc/pki/CA/crlnumber
    [15:44:48 root@lucklyzpp8 data]#openssl ca -gencrl -out /etc/pki/CA/crl.pem
    Using configuration from /etc/pki/tls/openssl.cnf
    [15:44:52 root@lucklyzpp8 data]#cat /etc/pki/CA/crlnumber
    [15:45:06 root@lucklyzpp8 data]#cat /etc/pki/CA/crl.pem 
    [15:47:28 root@lucklyzpp8 data]#sz /etc/pki/CA/crl.pem

     

    2、总结ssh常用参数、用法

    sh服务和sshd服务:ssh服务是运行在客户端,而sshd服务运行在服务端

    配置文件路径
    /etc/ssh/sshd_config

    格式
    ssh [user@]host [COMMAND]
    ssh [-l user] host [COMMAND]
    常见选项
    -p port #远程服务器监听的端口
    -b #指定连接的源IP
    -v #调试模式
    -C #压缩方式
    -X #支持x11转发
    -t #强制伪tty分配,如:ssh -t remoteserver1 ssh -t remoteserver2   ssh  
    remoteserver3
    -o option   如:-o StrictHostKeyChecking=no
    -i <file>  #指定私钥文件路径,实现基于key验证,默认使用文件: ~/.ssh/id_dsa,
    ~/.ssh/id_ecdsa, ~/.ssh/id_ed25519,~/.ssh/id_rsa等

    1. 首先在客户端生成一对密钥(ssh-keygen)
    2. 并将客户端的公钥ssh-copy-id 拷贝到服务端
    3. 当客户端再次发送一个连接请求,包括ip、用户名
    4. 服务端得到客户端的请求后,会到authorized_keys中查找,如果有响应的IP和用户,就会随机生
    成一个字符串,例如:magedu
    5. 服务端将使用客户端拷贝过来的公钥进行加密,然后发送给客户端
    6. 得到服务端发来的消息后,客户端会使用私钥进行解密,然后将解密后的字符串发送给服务端
    7. 服务端接受到客户端发来的字符串后,跟之前的字符串进行对比,如果一致,就允许免密码登录

    实现基于 key 验证

    [18:08:01 root@lucklyzpp8 data]#ssh-keygen
    [18:08:36 root@lucklyzpp8 ~]#ll .ssh/
    [18:08:38 root@lucklyzpp8 ~]#cat .ssh/id_rsa.pub 
    ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCaeeH/NIds+MsEhwtj0nCjY5FkS8mV7JvPqgP+4i+VjJU7FZHOGSIShkzdIz5ZXQPnz3KPo4lFjIkkZGUpuzY+lqVt8qAaLX/k60VGQeARavW/hnOd309xOMHKc587wNJq68mRwSje09ie8e3LJwYiFTXwvFdvdu6ihBrqAWaJZ2TQMk1B3YK9J/6Fcsus6R5Btr5VyHdH/if1OZS2xHjYHBj0qcnuLKA8Vh5/trm6RE65n/UILLo9MVk9ZFdmwc5vWnktwCpIVdC0H+/9QtOCDQF0b9u7aCiqN24oHadS2cKXCUY9BwDaPw9GvBcwGH7KhcXv6Xuc94mDD8+x1zszMwVld9UaeTF+ZGrryCvrX/KcKRWrxgEZk0RQbPJIs855sTECtM1DZ8FqH9WKiH7RS/sz5itGc5baiylUZbb+yD+DSQqSkybvV5KcFoBQ07RfXQ/hddSqjqCsZEcuFZV2y4RdvfLk7ICAT3WCQznZx/imWp83Vlx+DApNSW6oJsM= root@lucklyzpp8
    [18:09:16 root@lucklyzpp8 ~]#ssh-copy-id root@192.168.33.130
    [18:11:10 root@lucklyzpp8 ~]#ssh 192.168.33.130
    Last failed login: Fri Sep 10 15:34:02 CST 2021 from 192.168.33.131 on ssh:notty
    There was 1 failed login attempt since the last successful login.
    Last login: Fri Sep 10 10:50:44 2021 from 192.168.33.2
    [15:35:25 root@web2 ~]#cat /etc/redhat-release 
    CentOS Linux release 7.9.2009 (Core)
    [15:35:33 root@web2 ~]#ll .ssh/
    总用量 4
    -rw------- 1 root root 569 9月  10 15:34 authorized_keys

    3、总结sshd服务常用参数。

    Port
    ListenAddress IP   # 设置绑定的ip地址
    LoginGraceTime 2m  #设定登陆超时时间
    PermitRootLogin yes #默认ubuntu不允许root远程ssh登录
    StrictModes yes #检查.ssh/文件的所有者,权限等
    MaxAuthTries 6 #最大尝试次数
    MaxSessions 10 #同一个连接最大会话
    PubkeyAuthentication yes #基于key验证
    PermitEmptyPasswords no #空密码连接
    PasswordAuthentication yes #基于用户名和密码连接
    GatewayPorts no
    ClientAliveInterval 10 #单位:秒
    ClientAliveCountMax 3 #默认3
    UseDNS yes #可以关闭DNS反解析,提升登陆速度
    GSSAPIAuthentication yes #提高速度可改为no
    MaxStartups #未认证连接最大值,默认值10
    Banner /path/file
    #以下可以限制可登录用户的办法:
    AllowUsers user1 user2 user3
    DenyUsers
    AllowGroups
    DenyGroups
    

    4、搭建dhcp服务,实现ip地址申请分发

    确保都是在仅主机模式下进行。

    systemctl stop firewalld
    setenforce 0
    yum install -y dhcp
    文件的模版:
    /usr/share/doc/dhcp*/dhcpd.conf.example

    配置内容 subnet
    192.168.33.0 netmask 255.255.255.0 { ##网段和掩码 range 192.168.33.200 192.168.33.230; ##地址范围 option domain-name-servers 202.96.128.166; ## dns服务器地址 option domain-name "lukly.com"; ##该网段的域名,可以省略 option routers 192.168.33.1; ##网关 option broadcast-address 192.168.33.255; ##广播地址 default-lease-time 300; ## 租约时间 max-lease-time 7200; ## 最大租约时间

    systemctl start dhcpd

    通过配置Windows客服端,进行自动获取IP。

  • 相关阅读:
    sharepoint2013保存当前输入的列表
    网站模板的下载和使用
    sharepoint获取是否为输入域用户SharePoint PeopleEditor 控件的使用
    sharepoint指定的人可以看到列表项
    js隐藏显示div
    如何为同一IE浏览器中打开多个页面
    CDC相关知识点总结
    find 命令使用总结
    find 命令search使用
    verilog behavioral modeling --loop statement
  • 原文地址:https://www.cnblogs.com/zpkf/p/15509816.html
Copyright © 2011-2022 走看看