Connecting to Apache FTPServer in SSL mode from scripted commands (Part 5)

1. Requirements

The goal is an automated, parameter-driven batch transfer of files from specified directories to the file server, secured with FTP over SSL (FTPS). The design calls for a shell script, but the standard Linux FTP client does not support FTPS connections, so an "ftps" command in a script simply does not exist.

2. SurgeFTP

SurgeFTP is first and foremost an FTP server with finer-grained server management and remote web administration. One of its components is the SSLFTP client, which can connect to an FTPS service from the command line. From the official documentation:

What FTP client can I use with SSL/TLS

SurgeFTP is distributed with SSLFTP, a simple command line client very similar to the standard UNIX/DOS 'FTP' client. e.g.

    c:> sslftp my.server
    Username: xxx
    Password: yyy
    sslftp> dir
    sslftp> get important.dat
    sslftp> quit

This same client is available for multiple platforms.
There are also many SSL gui clients now available, 'smartftp' is one good example, see http://www.smartftp.com/

After installing SurgeFTP, the SSLFTP install script is left in the main SurgeFTP directory, sslftp_install.exe. You can distribute this to any systems that need to install the SSLFTP client, as it is a self extracting archive to install the command line utility.

There is no fee charged for the use of SSLFTP, it is freely distributable.

Please note: SSLFTP is only currently licensed for use with SurgeFTP servers, but it will work with any in a pinch. This means that we will fix any bug with SSLFTP if it cannot talk with SurgeFTP. We cannot guarantee that we can fix problems with it not talking to other FTP servers.

(Note2: sslftp.exe was originally called sftp.exe. It was re-named to avoid conflicts)

The key point: SSLFTP is free and supports FTPS connections from the command line. Download link: SurgeFTP. Documentation link: manual.
The download is a single file, surgeftp_23f2_linux64.tar.gz. Unpack and install it, create the key pair, then run a connection test.

# unpack the archive into the current directory
tar -xzvf surgeftp_23f2_linux64.tar.gz
# change into the extracted directory, then run the installer
./install.sh
# create the file that surgeftp_ca.sh uses as extra seed material for the key pair
# (an empty file adds no entropy; current OpenSSL still seeds from the OS RNG)
touch random.data
# generate the key pair and the certificate request; pass the server name after the command
# answer all the prompts, then enter a passphrase
# the passphrase has to be confirmed several times while the key is generated
./surgeftp_ca.sh YOUR.SERVER.NAME

[Image 1]
My server name was vmclient. Apart from our random.data, every other file was generated by the shell script, so let's look at the script's code:

# surgeftp_ca.sh: builds a self-signed key/certificate pair for SurgeFTP
if test "$1"
then
    echo ""
else
    echo ""
    echo " usage:    surgeftp_ca.sh server-name cert-bits"
    echo ""
    echo " server-name    is DNS name of server."
    echo " cert-bits      is number of bits for certificate, e.g. 128, 256, ... 2048"
    echo ""
    echo " output files:"
    echo "   server-name.key        - your key generated from random.data"
    echo "   server-name.de.key     - your key with pass code removed"
    echo "   server-name.csr        - send this file only to certificate authority to order real CA certificate"
    echo "   surge_priv.pem         - self signed & ready to use certificates for surgeftp"
    echo "   surge_cert.pem         - self signed & ready to use certificates for surgeftp"
    # stop here so the openssl steps below never run with an empty server name
    exit 1
fi

if test -f random.data
then

    echo   Generate the Key from random data
    # $2 is the RSA modulus size; left unquoted so an empty value falls back to the openssl default.
    # Values like 128 or 256 from the usage text are far too small for RSA; use 2048 or more.
    openssl genrsa -des3 -rand random.data -out "$1.key" $2

    echo   Generate Certificate Request
    openssl req -config ./openssl.cnf -new -key "$1.key" -out "$1.csr"

    echo   Generate a temporary self-signed Certificate
    openssl x509 -req -days 365 -in "$1.csr" -signkey "$1.key" -out "$1.crt"

    echo   remove passcode encryption, SurgeFTP does not currently have option for decoding this
    openssl rsa -in "$1.key" -out "$1.de.key"

    echo   create self signed key and certificate for SurgeFTP.
    cp "$1.de.key" surge_priv.pem
    cp "$1.crt" surge_cert.pem

else

    echo Please create a file called random.data that has random
    echo information in it, at least 2MB uncompressed or 50KB compressed,
    echo it can be anything! but must be unique data.
    echo We recommend creating large bitmap file with Paint program
    echo maybe start with existing picture, draw lots of squiggles
    echo on it in different colors, save it as random.png,
    echo compress it with pkzip or arj or compress
    echo or ace or any compressor you have.
    echo then save final file as random.data
    echo and then rerun surgeftp_ca.sh

fi

Now it is clear why random.data had to be created, which files the script produces, and what each of them is for. Note that surge_priv.pem is the key with the passphrase stripped, so it must be protected by file permissions alone.
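Before handing surge_priv.pem and surge_cert.pem to the server it is worth checking that they actually belong together, that the passphrase really was removed (SurgeFTP cannot read an encrypted key) and that the one-year self-signed certificate is not about to expire. The following checks are an added example, not part of the original post or of SurgeFTP; they assume only the openssl command line and default to the file names the script produces.

```shell
#!/bin/sh
# Added example: sanity checks for the files surgeftp_ca.sh leaves behind.
# Assumes only the openssl CLI is installed.

# Return 0 when the public key in the certificate matches the private key.
# Comparing the RSA modulus is the classic way to pair a certificate with its key.
cert_matches_key() {
    cert="$1"; key="$2"
    cert_mod=$(openssl x509 -noout -modulus -in "$cert" 2>/dev/null) || return 2
    key_mod=$(openssl rsa -noout -modulus -in "$key" 2>/dev/null) || return 2
    [ -n "$cert_mod" ] && [ "$cert_mod" = "$key_mod" ]
}

# Return 0 when the private key is stored without a passphrase, which is what
# the script's "openssl rsa -in $1.key -out $1.de.key" step is meant to produce.
# Both PKCS#1 ("Proc-Type: 4,ENCRYPTED") and PKCS#8 ("BEGIN ENCRYPTED PRIVATE KEY")
# encrypted keys contain the word ENCRYPTED.
key_is_unencrypted() {
    ! grep -q 'ENCRYPTED' "$1"
}

# Return 0 when the certificate stays valid for at least N more days (default 30).
cert_valid_for_days() {
    cert="$1"; days="${2:-30}"
    openssl x509 -noout -checkend "$((days * 86400))" -in "$cert" >/dev/null 2>&1
}

# Run all three checks on the surge_*.pem files in a directory (default: cwd).
check_surgeftp_files() {
    dir="${1:-.}"
    cert="$dir/surge_cert.pem"; key="$dir/surge_priv.pem"
    cert_matches_key "$cert" "$key"  || { echo "certificate and key do not match"; return 1; }
    key_is_unencrypted "$key"        || { echo "key is still passphrase-protected"; return 1; }
    cert_valid_for_days "$cert" 30   || { echo "certificate expires within 30 days"; return 1; }
    echo "surge_cert.pem / surge_priv.pem look consistent"
}

# Usage: check_surgeftp_files /path/to/surgeftp
```

Run it from the directory where surgeftp_ca.sh was executed; a non-zero exit with one of the three messages tells you which file to regenerate before touching the server's truststore.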

3. Server-side trust and connection test

Copy the .csr certificate request to the server, use it together with the server key to issue a second-level certificate, add that certificate to the server's truststore, and restart Apache FTPServer. The restart is mandatory: the server only reads the newly added certificate file at startup.

Usage: sslftp [options] [site.name] 

Options:
  -d                Print debug information
  -version          Print version number
  -i                Don't prompt for confirmations (Default)
  -nossl            Don't attempt to use SSL encryption
  -n                Disable auto login from /root/.netrc file
  -a                Anonymous login
  -asksave          Ask if you want to save login details
  -implicit_port n  Sets and activates Implicit ftp port
  -TLSv1            use TLSv1 protocol only
  -SSLv2            use SSLv2 protocol only
  -SSLv3            use SSLv3 protocol only
  -s:file           Run commands in stored file
  -script file      Run commands in stored file
  -run file         Run commands in stored file
  -record file      Record ftp commands in a file suitable for -run switch
  -randomize        Seed the pseudo random number generator
  -cert file        Use specified client certificate file (in .pem format)
  -key file         Use specified client private key file (in .pem format)
  -pass password    Optionally specify password for client private key file
  -netrc netrc.txt  Specify path to file to store/retrieve usernames and passwords

The sslftp command-line help above is included for reference. The connection test itself:

sslftp 192.168.1.223 -implicit_port 21 -key surge_priv.pem -cert surge_cert.pem -pass 123456

Connected to 192.168.1.223
starting SSL/TLS
sslinit 3
Using certificate & key from "surge_cert.pem" & "surge_priv.pem"
Negotiated secure protocol TLSv1.2, using an AESGCM cipher.
220 Service ready for new user.
200 Command PBSZ okay.
200 Command PROT okay.
(secure) User: admin
331 User name okay, need password for admin.
(secure) Password: *****
230 User logged in, proceed.
Type in "save" to save login details to /root/.netrc

At this point the connection succeeds.

4. Packet capture: is the traffic really encrypted?

# install the capture tool on the server
yum install -y tcpdump
# find the network interface in use
ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: enp0s3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 08:00:27:ac:7b:2e brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.175/24 brd 192.168.1.255 scope global noprefixroute dynamic enp0s3
       valid_lft 5686sec preferred_lft 5686sec
    inet6 fe80::a00:27ff:feac:7b2e/64 scope link noprefixroute 
       valid_lft forever preferred_lft forever
# start the capture on that interface and write it to a file (stop with Ctrl-C)
tcpdump -i enp0s3 -w /home/weatherservice.cap

Below is the captured traffic; the file can be opened in Wireshark.
[Image 2]
The encryption works. Done!
