1、创建私有CA并进行证书申请。
#创建自签名 CA 证书(私有根证书)。注意:-nodes 表示私钥 ca.key 不加密落盘,实验环境可以接受,真实 CA 的私钥应加口令保护(去掉 -nodes 或改用 -aes256)并离线保存、权限保持 600(下面 ll 输出中 ca.key 为 -rw------- 即正确)。-x509 在默认 openssl.cnf 下通常会套用 v3_ca 扩展(basicConstraints CA:TRUE),可用 openssl x509 -in ca.crt -noout -text 确认。
[root@centos8 ~]# openssl req -newkey rsa:4096 -nodes -sha256 -keyout ca.key -x509 -days 3650 -out ca.crt
Generating a RSA private key
........................++++
...........++++
writing new private key to 'ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:gd
Locality Name (eg, city) [Default City]:sz
Organization Name (eg, company) [Default Company Ltd]:yy
Organizational Unit Name (eg, section) []:it
Common Name (eg, your name or your server's hostname) []:yyang
Email Address []:
[root@centos8 ~]# ll
total 12
-rw-------. 1 root root 1555 Sep 1 2020 anaconda-ks.cfg
-rw-r--r-- 1 root root 1972 Mar 14 23:38 ca.crt
-rw------- 1 root root 3272 Mar 14 23:38 ca.key
#为服务器生成私钥和证书签名请求(CSR)。注意:这里 CN 填的是 yyang.com,而文件名是 www.yyang.com;现代客户端(浏览器、curl、Go 等)只按 subjectAltName 匹配主机名、不再看 CN,所以真正要访问的域名必须在签发时以 SAN 扩展写入证书(见下面签发步骤的说明)。
[root@centos8 ~]# openssl req -newkey rsa:4096 -nodes -sha256 -keyout www.yyang.com.key -out www.yyang.com.csr
Generating a RSA private key
...............................................................................................................................................................++++
.......................................................++++
writing new private key to 'www.yyang.com.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:gd
Locality Name (eg, city) [Default City]:sz
Organization Name (eg, company) [Default Company Ltd]:jiaoyu
Organizational Unit Name (eg, section) []:it
Common Name (eg, your name or your server's hostname) []:yyang.com
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
#用私有 CA 签发服务器证书。注意:openssl x509 -req 不带 -extfile/-extensions 时签出的是 X.509 v1 证书(下面输出中 `Version: 1 (0x0)` 可以看到),没有 subjectAltName、basicConstraints、keyUsage 等扩展:浏览器会报主机名不匹配,而且没有 CA:FALSE 约束,这张证书理论上可被拿去再签发下级证书。建议写一个扩展文件 san.ext,内容为 `basicConstraints=CA:FALSE`、`keyUsage=digitalSignature,keyEncipherment`、`extendedKeyUsage=serverAuth`、`subjectAltName=DNS:www.yyang.com,DNS:yyang.com`,签发时追加 `-extfile san.ext`。-CAcreateserial 会在当前目录生成 ca.srl 记录序列号,后续签发应复用它(-CAserial ca.srl)以避免序列号重复。叶子证书 3650 天的有效期只适合内网实验,公网 CA 目前只允许约 398 天。
[root@centos8 ~]# openssl x509 -req -days 3650 -in www.yyang.com.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out www.yyang.com.crt
Signature ok
subject=C = CN, ST = gd, L = sz, O = jiaoyu, OU = it, CN = yyang.com
Getting CA Private Key
#查看签出的证书内容。重点核对:Version(v1 说明没有任何扩展)、Issuer 是否等于上面 CA 的 DN、Subject/SAN 是否包含要访问的主机名、有效期是否合理。另外可用 `openssl verify -CAfile ca.crt www.yyang.com.crt` 验证签名链是否能通过。
[root@centos8 ~]# openssl x509 -in www.yyang.com.crt -noout -text
Certificate:
Data:
Version: 1 (0x0)
Serial Number:
0e:0d:13:bb:a8:f8:63:68:7c:17:6f:27:04:89:27:f2:a6:95:35:70
Signature Algorithm: sha256WithRSAEncryption
Issuer: C = CN, ST = gd, L = sz, O = yy, OU = it, CN = yyang
Validity
Not Before: Mar 14 15:46:43 2021 GMT
Not After : Mar 12 15:46:43 2031 GMT
Subject: C = CN, ST = gd, L = sz, O = jiaoyu, OU = it, CN = yyang.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public-Key: (4096 bit)
Modulus:
00:b5:21:03:ec:12:97:7a:9e:78:71:19:a5:bc:b5:
9f:6f:fa:09:04:41:11:23:a2:20:87:df:81:19:5d:
9e:56:64:1a:ad:47:72:e0:0d:33:03:95:b5:c2:12:
11:78:6c:a6:87:e2:2e:0d:b4:6a:87:65:cd:ee:7c:
06:77:02:57:b6:01:85:cf:8d:84:1b:2b:8f:ac:e2:
4e:51:77:37:cf:6a:96:ff:a4:de:f4:06:32:92:0c:
a4:1d:1a:32:be:fa:14:bc:4c:62:25:c9:7d:80:68:
10:0e:a1:aa:2a:d6:d3:99:4a:21:6b:53:cd:22:bd:
ca:b6:db:6d:4e:a1:c9:ed:fb:e6:48:dd:91:7d:18:
6b:a4:5b:2f:72:8d:48:23:d5:32:b5:87:57:38:32:
a6:4c:48:90:35:fe:7c:38:6c:b3:f4:fb:24:cb:24:
9a:8b:d0:e4:86:2f:1b:aa:c7:52:cb:b4:34:7b:0a:
d5:1d:85:20:77:2b:81:98:e6:e7:d7:82:68:39:2a:
d3:79:4a:6d:aa:b3:a2:2d:b3:d4:c5:45:19:95:d9:
f2:33:d4:c9:3e:c9:bb:65:a1:d6:2e:2f:4c:a8:d6:
0c:be:9e:30:ca:58:95:93:1e:80:36:a7:a5:83:1a:
0c:8b:90:71:74:91:45:9a:a8:fa:9d:5b:f1:31:30:
aa:b0:a4:5e:7e:98:51:01:d9:d3:55:b5:46:fd:72:
eb:62:25:ff:78:97:fe:21:05:15:e8:3e:f7:78:89:
17:26:76:07:2a:32:81:bb:92:7d:f0:db:26:0b:5a:
d8:81:f7:fa:c0:00:83:9e:28:a7:bb:3f:9e:d9:1e:
90:ae:77:23:12:03:9c:1b:38:c2:57:cf:ea:85:73:
04:dd:a8:90:e9:ce:98:30:04:4c:22:73:1e:42:6a:
98:df:28:6c:ff:97:45:e3:af:c2:5e:db:48:c1:bb:
5d:63:1c:d8:7c:72:92:9f:f7:87:66:e5:ad:ea:d9:
41:01:05:41:6c:43:9c:16:54:71:a5:f4:01:27:2c:
02:c6:6e:51:bc:55:64:aa:f6:99:69:84:f3:4e:12:
57:62:3d:0c:f1:9f:ec:0b:7f:a7:77:63:1a:ab:85:
ff:28:dc:d7:b5:41:8f:fa:f1:9d:c6:16:03:e5:cb:
2c:27:fd:23:67:4a:99:a2:93:3b:fa:d8:39:a9:4f:
73:5c:e4:a0:0b:ce:d8:67:33:f0:42:d5:dc:b8:e5:
05:e6:a2:94:73:10:eb:24:ec:00:f3:06:79:62:fe:
4a:09:0f:bf:6f:2d:57:a4:9b:f6:f6:00:68:fa:10:
44:24:69:0e:3c:c9:60:1f:a5:79:02:a0:ab:97:cd:
14:71:c7
Exponent: 65537 (0x10001)
Signature Algorithm: sha256WithRSAEncryption
2d:7f:63:be:88:b8:98:cb:44:3b:1f:ed:c5:64:5a:18:21:2a:
73:b5:da:31:57:1f:67:d4:b2:42:f9:87:37:f4:0c:96:7b:45:
92:e9:c9:64:88:80:40:4b:d0:b0:aa:f2:2b:80:92:a1:e9:ac:
ef:db:76:13:44:02:35:94:36:29:d1:11:89:f0:14:d8:4a:44:
e6:e6:54:90:71:5b:19:9c:b7:af:13:6b:58:12:7f:f3:bc:ca:
6d:7f:18:4b:5a:b2:4e:b8:3d:0f:40:c7:98:03:e7:cf:d6:2f:
d0:8b:3d:c6:b7:f6:11:c9:b9:ff:14:df:b1:79:d6:e7:4e:a3:
92:b5:aa:18:fd:13:1f:7c:13:61:0b:3c:df:31:02:06:77:65:
25:1f:2d:47:23:9c:73:7e:c0:27:9a:ca:db:e9:98:e4:ea:73:
4e:30:e5:ec:84:25:de:61:b1:94:ca:a9:8f:b4:6e:d9:56:47:
ef:bc:08:f0:ae:07:2c:5d:21:36:bb:b6:85:cc:11:dd:f9:e5:
37:4a:76:b0:7a:63:fd:2a:f8:e6:7c:71:94:3e:78:e8:37:6a:
fb:f7:64:9d:a3:28:4c:0d:8a:d1:20:44:28:7d:09:3c:8b:8d:
15:32:6f:13:07:40:0b:bf:13:5a:82:84:b5:6e:f9:33:64:0f:
fd:f1:e8:2a:42:46:31:20:e7:a4:f4:4f:db:85:30:5f:4a:ac:
d0:ec:a6:2e:e4:db:13:cf:ad:3b:78:f0:f6:2c:ba:ef:12:ee:
d5:a6:59:5f:c2:41:72:cb:b0:bf:9a:29:46:18:b7:11:ac:97:
f5:53:85:39:c0:ba:c4:c0:71:67:b3:e7:4a:fd:00:c0:f0:85:
7f:cc:ce:90:eb:b5:e5:ed:a0:d5:e4:82:2f:b9:38:ea:fd:3f:
31:0e:6f:7d:bd:f9:d2:ca:fb:74:e0:81:b2:78:27:9c:59:b8:
a1:f8:2b:c0:a0:4d:a3:0a:4c:f6:e8:34:7e:53:6c:25:40:23:
e4:2c:a9:c4:24:e2:63:25:62:46:78:ef:45:fa:42:c8:56:38:
3b:d9:a5:1f:f4:b4:93:c0:29:34:c5:00:e4:b9:dd:ae:03:2c:
a5:97:d4:f4:41:1b:99:71:8d:cb:3e:99:3d:aa:a5:0c:39:cc:
93:24:ef:a8:8f:e3:1f:19:c6:c1:ea:1d:49:d8:67:5e:5f:3a:
af:6f:bc:a6:78:21:b3:73:d5:2a:39:b1:c2:bf:bd:5c:53:9f:
2e:e3:ff:fc:b5:22:28:dd:44:c0:5a:6d:4e:4e:5e:35:3b:52:
e8:06:f5:fc:0c:33:ad:d3:e0:27:39:ce:27:2b:0b:7a:53:47:
2b:e3:3e:35:7e:07:11:12
2、总结ssh常用参数、用法
用法:
1.远程登录
口令登录
(1) ssh user@ip //远程登录服务器的user用户,端口默认22
(2) ssh host //通过地址远程登录服务器相同账号,端口默认22
(3) ssh user@host -p 10086 //ssh直接连接远程主机的10086端口
公钥登录
(1) ssh-keygen //在$HOME/.ssh/目录下生成一对密钥:id_rsa.pub 是公钥(可以公开、发到服务器),id_rsa 是私钥(权限 600,绝不能外传)。默认算法随 OpenSSH 版本变化,建议显式指定 ssh-keygen -t ed25519(此时文件名为 id_ed25519 / id_ed25519.pub),并为私钥设置口令(passphrase),私钥文件泄露时仍有一层保护。
(2) ssh-copy-id user@host //把本机公钥追加到远程主机 host 上该用户的 ~/.ssh/authorized_keys,之后即可免密码登录。这一步本身需要用口令登录一次,首次连接时要核对服务器的主机密钥指纹(写入 known_hosts);公钥部署完成后应在服务器端关闭口令登录(PasswordAuthentication no)。
2.SSH远程操作
1)远程执行命令
ssh [user@]host [COMMAND]
ssh [user@]host /bin/bash < test.sh //远程执行本地的脚本
参数:
-p port:远程服务器监听的端口
-b 指定连接的源IP
-v 调试模式
-C 压缩方式
-X 支持x11转发
-t 强制伪tty分配,如:ssh -t remoteserver1 ssh -t remoteserver2 ssh
remoteserver3
-o option 以配置文件语法传递任意选项,如:-o StrictHostKeyChecking=no。注意:StrictHostKeyChecking=no 会跳过主机密钥校验并自动写入 known_hosts,等于放弃了对中间人攻击的防护,只应在一次性实验中使用;自动化脚本应改用 -o StrictHostKeyChecking=accept-new(OpenSSH 7.6+,只接受首次见到的主机,之后密钥变化仍会报错),或提前把服务器主机密钥分发到 known_hosts。
-i identity_file 指定登录用的私钥文件;不指定时依次尝试 ~/.ssh/id_rsa、~/.ssh/id_ecdsa、~/.ssh/id_ed25519 等默认路径
2)scp 跨机远程拷贝
实现本机与远程机器之间的数据拷贝
scp一般有六种使用方法
本地复制远程文件:(把远程的文件复制到本地)
scp user@host:/val/test/test.tar.gz /val/test/test.tar.gz
远程复制本地文件:(把本地的文件复制到远程主机上)
scp /val/test.tar.gz user@host:/val/test.tar.gz
本地复制远程目录:(把远程的目录复制到本地)
scp -r user@host:/val/test/ /val/test/
远程复制本地目录:(把本地的目录复制到远程主机上)
scp -r ./ubuntu_env/ user@host:/home/pipi
scp -r SocialNetworks/ user@host:/media/data/pipi/datasets
本地复制远程文件到指定目录:(把远程的文件复制到本地)
scp user@host:/val/test/test.tar.gz /val/test/
远程复制本地文件到指定目录:(把本地的文件复制到远程主机上)
scp /val/test.tar.gz user@host:/val/
说明:scp 走 ssh 通道,主机密钥校验、密钥认证、-P 端口、-i 私钥等与 ssh 一致。旧版 scp 协议会把远端路径交给远端 shell 展开,不要把不可信的文件名直接拼进命令;OpenSSH 9.0 起 scp 默认改用 SFTP 协议传输,也可以直接用 sftp。
3)动态端口转发(SOCKS 代理,绑定本地端口)
ssh -D 8080 user@host
SSH 会在本地监听 8080 端口并充当 SOCKS 代理:发到该端口的连接都会经 SSH 隧道由远程主机 host 代为发出(与下面第 6 节是同一机制)。不加 -g 时只监听 127.0.0.1,只有本机程序能使用。
4)本地端口转发
ssh -L localport:remotehost:remotehostport sshserver
-f 后台启用
-N 不打开远程shell,处于等待状态
-g 启用网关功能
范例:
ssh -L 2121:host2:21 -Nfg host3
在 host1 上执行。host1 与 host2 之间无法直接连通,host3 可以同时连通两者。-L 让 SSH 在 host1 本地监听 2121 端口,所有连到该端口的数据经 host3 转发到目标主机 host2 的 21 端口(原文命令漏写了 -L 参数)。注意:-g 会让 2121 监听在 host1 的所有网卡上,任何能访问 host1:2121 的主机都等于能访问 host2:21;若只给本机使用,应去掉 -g,或写成 -L 127.0.0.1:2121:host2:21。
5)远程端口转发
ssh -R sshserverport:remotehost:remotehostport sshserver
范例:
ssh -fNgR 2121:host2:21 host1
在内网机器 host3 上执行。外网 host1 与内网 host2 之间无法连通,host3 能同时访问两者。-R 同样接受三个值 "远程主机端口:目标主机:目标主机端口":让 host1 的 sshd 监听它自己的 2121 端口,所有连到该端口的数据经由 host3 转发到 host2 的 21 端口。注意:-R 端口的监听地址由 host1 上 sshd 的 GatewayPorts 决定,客户端的 -g 对 -R 不起作用;GatewayPorts 为 no(默认)时 2121 只绑定在 host1 的 127.0.0.1。这相当于从外网向内网开了一条反向通道,应先确认符合边界安全策略。
6) SSH动态端口转发
ssh -D 1080 user@sshserver -fN
当用 firefox 访问 internet 时,本机的 1080 端口作为 SOCKS 代理服务器,firefox 的访问请求被转发到 sshserver 上,由 sshserver 代为访问 internet。
在本机 firefox 设置代理 SOCKS v5 proxy:127.0.0.1:1080,并勾选"使用 SOCKS v5 时代理 DNS",否则域名解析仍在本机进行。
curl --socks5-hostname 127.0.0.1:1080 http://www.google.com
注意:原文示例用 root@sshserver 登录并带 -g 参数。应改用普通用户登录(服务端也应禁止 root 远程登录);-g 会让 SOCKS 代理监听在所有网卡上,等于对外开放了一个匿名代理,仅本机使用时不要加 -g。curl 的 --socks5 只转发 TCP、DNS 仍在本机解析,--socks5-hostname(socks5h://)才把域名解析也交给代理,避免 DNS 泄露。
3、总结sshd服务常用参数。
服务器端的配置文件: /etc/ssh/sshd_config
服务器端的配置文件帮助:man 5 sshd_config
常用参数:
Port
ListenAddress ip
LoginGraceTime 2m
PermitRootLogin prohibit-password #是否允许 root 直接 ssh 登录,可选 yes/no/prohibit-password。OpenSSH 7.0+ 默认为 prohibit-password(root 只能用密钥登录),Ubuntu 默认不允许 root 口令登录;生产环境建议设为 no,用普通用户登录后再 sudo,便于审计并减少针对 root 的暴力破解
StrictModes yes #登录前检查用户家目录、~/.ssh 及 authorized_keys 的所有者和权限(组/其他用户可写时拒绝使用其中的密钥),防止他人篡改 authorized_keys 冒充登录,保持 yes
MaxAuthTries 6 #单个连接允许的最大认证尝试次数,失败次数超过一半后开始记录日志;可适当调低(如 3)以减缓口令暴力破解
MaxSessions 10 #同一个连接最大会话
PubkeyAuthentication yes #基于公钥(密钥对)验证
PermitEmptyPasswords no #是否允许空密码账号登录,保持 no
PasswordAuthentication yes #是否允许用户名+口令登录;公钥部署完成后建议改为 no,使口令暴力破解从根本上失效(同时确认 KbdInteractiveAuthentication/ChallengeResponseAuthentication 也为 no,否则通过 PAM 仍可能走口令认证)
GatewayPorts no #客户端用 -R 建立的远程转发端口是否允许绑定到非回环地址(yes/no/clientspecified);保持 no 时转发端口只监听 127.0.0.1,避免把内网服务暴露到 sshd 所在主机的外网接口
ClientAliveInterval 10 #单位:秒
ClientAliveCountMax 3 #默认3
UseDNS no #是否对客户端 IP 做反向 DNS 解析并核对;解析慢会拖慢登录且没有实质安全价值,OpenSSH 6.8 起默认已为 no
GSSAPIAuthentication no #是否启用 GSSAPI(Kerberos)认证;没有 Kerberos 环境时改为 no,可避免登录时的 GSSAPI 协商延迟
MaxStartups 10:30:100 #尚未完成认证的并发连接上限,默认 10:30:100:超过 10 个后以 30% 的概率开始随机拒绝新连接,达到 100 个后全部拒绝;用于抵御连接洪水,但也会影响正常用户,建议配合 fail2ban 等工具使用
Banner /path/file #在认证之前向客户端显示该文件内容(如法律警告);不要在其中泄露系统版本等信息
#以下可以限制可登录用户(处理顺序固定为 DenyUsers → AllowUsers → DenyGroups → AllowGroups,先匹配到的 Deny 生效;一旦配置了 Allow,未列出的用户/组全部拒绝):
AllowUsers user1 user2 user3 #只允许这些用户登录,支持 user@host 形式按来源地址限制
DenyUsers #拒绝这些用户登录
AllowGroups #只允许这些组的成员登录
DenyGroups #拒绝这些组的成员登录