实现基于SSL的FTPS



    目  录

        1、查看当前vsftpd是否具有ssl模块

        2、创建自签名证书

        3、查看证书

        4、配置vsftp支持ssl

        5、测试、利用filezilla 登录测试

        6、wireshark抓包结果


Vsfptd普通数据传输十分不安全,例如用户密码等很容易被窃取 


1、查看当前vsftpd是否具有ssl模块

[root@localhost ~]# ldd $(which vsftpd) |grep ssl

libssl.so.10 => /usr/lib64/libssl.so.10 (0x00007f55009bf000)

2、创建自签名证书

[root@localhost ~]# cd /etc/pki/tls/certs/
[root@localhost certs]# make vsftpd.pem
[root@localhost certs]# make vsftpd.pem
umask 77 ; \
PEM1=`/bin/mktemp /tmp/openssl.XXXXXX` ; \
PEM2=`/bin/mktemp /tmp/openssl.XXXXXX` ; \
/usr/bin/openssl req -utf8 -newkey rsa:2048 -keyout $PEM1 -nodes -x509 -days 365  \ 
 -out $PEM2 -set_serial 0 ; \
cat $PEM1 >  vsftpd.pem ; \
echo ""    >> vsftpd.pem ; \
cat $PEM2 >> vsftpd.pem ; \
rm -f $PEM1 $PEM2
Generating a 2048 bit RSA private key
..................................................+++
............................+++
writing new private key to '/tmp/openssl.x3aynR'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:beijing
Locality Name (eg, city) [Default City]:beijing
Organization Name (eg, company) [Default Company Ltd]:mage
Organizational Unit Name (eg, section) []:ftp
Common Name (eg, your name or your server's hostname) []:172.16.250.90
Email Address []:[email protected]



3、查看证书

[root@localhost certs]# openssl x509 -in vsftpd.pem -noout -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 0 (0x0)
    Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=CN, ST=beijing, L=beijing, O=mage, OU=ftp, 
        CN=172.16.250.90/[email protected]
        Validity
            Not Before: Dec 20 15:44:44 2016 GMT
            Not After : Dec 20 15:44:44 2017 GMT
        Subject: C=CN, ST=beijing, L=beijing, O=mage, OU=ftp, 
        CN=172.16.250.90/[email protected]
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:e4:7c:a3:98:d5:b6:a0:6c:3e:67:86:b0:98:79:
                    ec:3d:d2:6a:76:bf:43:2f:8f:f9:bd:29:c2:11:50:
                    7a:64:24:b6:bc:64:9b:53:62:e2:25:44:7f:f4:ef:
                    ea:81:01:92:ae:3a:02:f9:0a:75:92:00:62:97:64:
                    a9:1e:d8:c0:89:4b:e0:1c:84:ea:d1:49:9b:80:97:
                    a8:42:8d:00:ae:41:91:f7:3b:7e:19:58:32:57:2e:
                    6f:b3:e4:84:59:cc:4e:fe:04:6e:76:a2:6f:8b:ac:
                    5e:6c:98:28:1d:28:cb:d7:7f:df:e0:9c:85:eb:93:
                    bf:c3:d7:8e:35:80:03:bf:8e:19:92:dd:4b:39:c3:
                    68:27:d2:4a:5e:b4:18:5d:02:08:2a:ce:66:00:64:
                    25:83:5b:dc:aa:9c:da:b2:5f:2e:59:bb:b7:eb:f0:
                    2c:e2:63:a4:f8:e0:2e:38:d8:ad:ba:0e:05:96:e5:
                    91:26:87:a6:a0:64:c5:bd:b0:ad:00:4e:b0:be:e2:
                    91:35:f2:36:5b:b3:56:f7:0a:fa:3d:e9:f9:4f:6b:
                    ab:c0:2b:2a:a4:0b:d7:f7:5b:06:86:c1:85:59:b8:
                    6a:78:1b:55:05:e9:5c:51:dd:d3:0e:1a:75:0e:f1:
                    3a:b3:42:e6:62:02:d4:8b:30:fb:36:ec:75:5a:6d:
                    43:89
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier: 
                C6:F8:38:E5:9A:17:9B:0E:D8:31:BE:DE:4E:29:14:DD:7F:
                EF:FB:FE
            X509v3 Authority Key Identifier: 
                keyid:C6:F8:38:E5:9A:17:9B:0E:D8:31:BE:DE:4E:29:14:
                DD:7F:EF:FB:FE
            X509v3 Basic Constraints: 
                CA:TRUE
    Signature Algorithm: sha1WithRSAEncryption
         dd:5f:de:d3:ff:53:ba:3a:69:7c:46:78:38:b1:07:b6:cd:5a:
         5d:aa:fc:fb:4d:19:63:a9:06:1e:95:8c:56:2f:c5:1f:3c:7e:
         b2:6d:9c:7e:ec:c6:ba:60:6c:25:b5:35:6a:87:32:06:0c:37:
         89:f1:b1:c2:bd:4a:17:91:2a:a7:5f:f9:56:eb:64:a5:b1:1c:
         b1:db:f2:dc:eb:60:fc:37:4c:ca:c2:68:9b:f5:36:77:d4:36:
         43:e8:4b:54:48:72:f8:dc:fe:80:96:c0:6a:1d:2a:95:5a:f9:
         47:2e:14:1f:7a:ba:db:d2:5b:5c:6e:d6:4b:d1:f9:1b:4d:26:
         a2:47:69:14:23:52:f5:13:d7:2f:57:f2:d4:be:77:c8:b0:c5:
         4f:04:43:66:5e:fe:8e:2f:5b:e7:8b:f3:6b:b1:13:a1:cd:95:
         90:f5:94:2f:b6:75:0d:67:45:58:36:d8:82:7d:ac:fd:79:2c:
         28:24:d9:a2:98:02:30:31:8a:91:a5:c6:15:49:c6:91:19:ae:
         90:5a:fb:57:ff:c7:36:27:5b:29:e1:79:ea:7b:33:68:2b:1a:
         e7:89:0e:96:7d:ac:eb:d3:81:d6:5f:35:ca:bb:3d:cf:1e:f7:
         87:28:00:c8:c9:ff:9e:50:ca:aa:13:66:29:be:2c:f1:11:28:
         02:19:b3:ca

4、配置vsftp支持ssl

anonymous_enable=NO   #禁止匿名用户登录
chroot_local_user=YES    #禁锢所用系统用户在家目录中
ssl_enable=YES  #启用ssl
allow_anon_ssl=NO   #匿名不支持SSL
force_local_logins_ssl=YES   #本地用户登录加密
force_local_data_ssl=YES   #本地数据传输加密
rsa_cert_file=/etc/pki/tls/certs/vsftpd.pem   #证书

[root@localhost ~]# useradd  -s /sbin/nologin  wang    创建测试用户
[root@localhost ~]# passwd  wang

5、测试、利用filezilla 登录测试  


6、wireshark抓包结果