2021-04-26 Week 14

1. Creating a private CA and requesting a certificate (with the openssl tool)
## Creating the CA

1. Check that the directory tree for the CA exists
[02:15:01  root@lvs-rs2 ~]#tree /etc/pki/CA/
/etc/pki/CA/
├── certs
├── crl
├── newcerts
└── private

2. Create the CA's private key
[02:15:12  root@lvs-rs2 ~]#cd /etc/pki/CA/
[02:17:44  root@lvs-rs2 CA]#openssl genrsa -out private/cakey.pem  2048
Generating RSA private key, 2048 bit long modulus
..................+++
..+++
e is 65537 (0x10001)
[02:18:46  root@lvs-rs2 CA]#ls -l private/cakey.pem 
-rw-r--r-- 1 root root 1675 Apr 27 02:18 private/cakey.pem
[02:19:02  root@lvs-rs2 CA]#chmod 600 private/cakey.pem

3. Generate the CA's self-signed certificate and inspect it
[02:19:26  root@lvs-rs2 CA]#openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -days 3650 -out /etc/pki/CA/cacert.pem
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:SJZ
Locality Name (eg, city) [Default City]:SJZ
Organization Name (eg, company) [Default Company Ltd]:zf
Organizational Unit Name (eg, section) []:zf.com
Common Name (eg, your name or your server's hostname) []:zf.com
Email Address []:
[02:26:23  root@lvs-rs2 CA]#openssl x509 -in cacert.pem -noout -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            99:22:b1:f6:6c:a9:9b:2a
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=CN, ST=SJZ, L=SJZ, O=zf, OU=zf.com, CN=zf.com
        Validity
            Not Before: Apr 27 06:26:17 2021 GMT
            Not After : Apr 25 06:26:17 2031 GMT
        Subject: C=CN, ST=SJZ, L=SJZ, O=zf, OU=zf.com, CN=zf.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:9b:20:50:52:9d:ad:d9:b5:a6:6f:3a:bd:45:8f:
                    42:0c:37:7f:af:80:b1:52:29:e2:79:3f:13:a7:af:
                    76:fb:0b:b8:47:46:79:6b:31:48:20:de:3a:1c:3b:
                    8f:55:1e:63:7d:82:66:55:90:a7:9c:de:a6:09:22:
                    e5:29:41:03:3a:c2:77:3c:05:cb:18:72:2d:72:29:
                    8e:aa:86:09:bf:45:5b:8c:10:05:03:12:02:67:ab:
                    1a:8c:f0:c6:13:0e:ec:13:79:1e:9a:4c:02:72:4a:
                    57:de:d7:20:a4:22:1b:1f:e5:a0:37:f6:12:1b:95:
                    a2:5e:24:87:3d:d0:a7:62:2c:33:70:39:0f:07:78:
                    2f:f6:57:97:03:65:84:85:5e:f7:52:3e:07:b1:24:
                    9c:64:4e:db:15:91:c5:74:f9:bf:39:73:6e:29:c7:
                    32:21:ba:d3:f0:71:a4:fb:06:af:1f:b5:f8:7d:4a:
                    09:25:67:11:ab:43:41:80:55:40:fa:6a:e4:7f:84:
                    16:06:be:09:34:8e:43:dc:65:d0:f3:b7:c0:4b:07:
                    c0:d5:e3:cc:36:cc:5c:6c:3a:e1:b3:b6:1d:b6:7c:
                    0d:13:e4:e3:bc:3e:c0:05:3c:d1:c1:f2:75:dd:36:
                    05:9c:49:70:18:46:a3:3d:b9:33:bc:7d:3f:30:4a:
                    99:21
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier: 
                11:B5:29:90:41:5A:64:69:4E:01:D9:34:B9:9D:CD:96:2F:B9:AE:57
            X509v3 Authority Key Identifier: 
                keyid:11:B5:29:90:41:5A:64:69:4E:01:D9:34:B9:9D:CD:96:2F:B9:AE:57

            X509v3 Basic Constraints: 
                CA:TRUE
    Signature Algorithm: sha256WithRSAEncryption
         20:54:43:8b:62:37:2e:d9:0f:bd:b1:09:29:3e:67:3b:b3:94:
         b9:6f:39:dc:17:55:2d:11:65:74:6d:16:a1:c1:35:92:aa:2d:
         25:e7:fc:8f:0f:f8:d2:db:2f:75:c8:2f:70:a8:00:25:ff:26:
         d4:4f:5f:8e:61:03:29:f0:e4:e0:83:18:25:be:29:84:fe:c0:
         28:40:c5:94:a9:4e:86:3f:42:74:b5:78:83:ec:3b:f3:78:89:
         be:ce:81:4d:f2:f7:10:8d:f8:d3:5a:d0:d8:ea:41:13:ec:f7:
         52:78:97:e9:69:e3:f1:96:b7:a8:f6:eb:c0:b9:11:11:38:dd:
         b7:da:fa:1c:6c:47:a4:e4:98:88:ea:76:8e:21:26:13:77:46:
         99:ec:51:dc:11:7b:a4:c6:c2:92:4c:b2:db:5d:05:67:a2:ec:
         b4:d7:78:f9:85:ad:97:69:f4:99:80:64:a9:45:db:bd:d7:24:
         fa:40:44:68:1b:f3:4f:40:d3:f5:b4:9c:87:30:85:87:a5:f5:
         2c:f5:f5:73:8f:99:ff:c7:9b:06:08:05:3c:a7:e9:8d:76:18:
         97:d5:8f:d4:63:4c:df:2d:20:93:f8:0a:d2:75:c1:c1:72:3d:
         03:f9:67:02:ec:9e:8b:ad:71:ce:fb:7a:8a:b0:a2:31:ff:d6:
         27:5f:54:3e

## Requesting and issuing a certificate
1. Create the private key for the host that requests the certificate
[03:32:27  root@lvs-rs2 CA]#openssl genrsa -out /data/http.pub.key 2048
Generating RSA private key, 2048 bit long modulus
..........................................................................+++
.................+++
e is 65537 (0x10001)
[04:49:36  root@lvs-rs2 CA]#chmod 600 /data/http.pub.key 
2. Create the certificate signing request (CSR) for the host that needs the certificate
[04:51:11  root@lvs-rs2 CA]#openssl req -new -key /data/http.pub.key -out /data/http.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:SJZ
Locality Name (eg, city) [Default City]:SJZ
Organization Name (eg, company) [Default Company Ltd]:zf
Organizational Unit Name (eg, section) []:www.zf.com
Common Name (eg, your name or your server's hostname) []:zf
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

3. The CA signs the certificate and issues it to the requester
[04:58:28  root@lvs-rs2 CA]#openssl ca -in /data/http.csr -out /etc/pki/CA/certs/http.crt -days 3650
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: Apr 27 08:58:36 2021 GMT
            Not After : Apr 25 08:58:36 2031 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = SJZ
            organizationName          = zf
            organizationalUnitName    = www.zf.com
            commonName                = zf
        X509v3 extensions:
            X509v3 Basic Constraints: 
                CA:FALSE
            Netscape Comment: 
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier: 
                E7:9C:2B:2A:5F:A0:99:05:BB:26:9B:3B:D8:3C:7D:C6:E7:27:20:6F
            X509v3 Authority Key Identifier: 
                keyid:11:B5:29:90:41:5A:64:69:4E:01:D9:34:B9:9D:CD:96:2F:B9:AE:57

Certificate is to be certified until Apr 25 08:58:36 2031 GMT (3650 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated


### Note: if the CA directory layout is incomplete, issuing a certificate fails with the corresponding error
[04:54:31  root@lvs-rs2 CA]#openssl ca -in /data/http.csr -out /etc/pki/CA/certs/http.crt -days 3650
Using configuration from /etc/pki/tls/openssl.cnf
/etc/pki/CA/index.txt: No such file or directory
unable to open '/etc/pki/CA/index.txt'
139769883940752:error:02001002:system library:fopen:No such file or directory:bss_file.c:402:fopen('/etc/pki/CA/index.txt','r')
139769883940752:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:404:
[04:56:19  root@lvs-rs2 CA]#touch index.txt
[04:56:29  root@lvs-rs2 CA]#openssl ca -in /data/http.csr -out /etc/pki/CA/certs/http.crt -days 3650
Using configuration from /etc/pki/tls/openssl.cnf
/etc/pki/CA/serial: No such file or directory
error while loading serial number
140340128941968:error:02001002:system library:fopen:No such file or directory:bss_file.c:402:fopen('/etc/pki/CA/serial','r')
140340128941968:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:404:

### Reference: the configuration file that defines the directory layout
[05:00:38  root@lvs-rs2 CA]#cat /etc/pki/tls/openssl.cnf 
[ ca ]
default_ca  = CA_default        # The default ca section

####################################################################
[ CA_default ]

dir     = /etc/pki/CA       # Where everything is kept
certs       = $dir/certs        # Where the issued certs are kept
crl_dir     = $dir/crl      # Where the issued crl are kept
database    = $dir/index.txt    # database index file.
#unique_subject = no            # Set to 'no' to allow creation of
                    # several ctificates with same subject.
new_certs_dir   = $dir/newcerts     # default place for new certs.

certificate = $dir/cacert.pem   # The CA certificate
serial      = $dir/serial       # The current serial number
crlnumber   = $dir/crlnumber    # the current crl number
                    # must be commented out to leave a V1 CRL
crl     = $dir/crl.pem      # The current CRL
private_key = $dir/private/cakey.pem# The private key
RANDFILE    = $dir/private/.rand    # private random number file

x509_extensions = usr_cert      # The extentions to add to the cert

# Comment out the following two lines for the "traditional"
# (and highly broken) format.
name_opt    = ca_default        # Subject Name options
cert_opt    = ca_default        # Certificate field options

# Extension copying option: use with caution.
# copy_extensions = copy

# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
# so this is commented out by default to leave a V1 CRL.
# crlnumber must also be commented out to leave a V1 CRL.
# crl_extensions    = crl_ext

default_days    = 365           # how long to certify for
default_crl_days= 30            # how long before next CRL
default_md  = sha256        # use SHA-256 by default
preserve    = no            # keep passed DN ordering

# A few difference way of specifying how similar the request should look
# For type CA, the listed attributes must be the same, and the optional
# and supplied fields are just that :-)
policy      = policy_match

# For the CA policy
[ policy_match ]
countryName     = match
stateOrProvinceName = match
organizationName    = match
organizationalUnitName  = optional
commonName      = supplied
emailAddress        = optional
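The CA set-up, the request-and-sign steps, and the note about the missing index.txt and serial files can be combined into one non-interactive script. The following is an added example, not code from the notes: it rebuilds the procedure in a temporary directory with a trimmed copy of the [ca], [CA_default] and [policy_match] sections shown above, uses the DN values from the notes, and supplies the usr_cert and v3_ca extension sections that the notes' stock openssl.cnf provided implicitly. The directory, the helper names and the exact contents of the extension sections are this example's assumptions; -subj replaces the interactive DN prompts and -batch answers the "Sign the certificate?" and "commit?" questions.

```shell
#!/bin/sh
# Added example (not from the notes): the private-CA procedure above, rebuilt
# non-interactively in a throw-away directory instead of /etc/pki/CA.
# DN values are the ones used in the notes; directory, trimmed openssl.cnf
# and function names are assumptions of this example.
set -eu

make_private_ca() {
    ca_dir=$1
    # The tree the notes showed under /etc/pki/CA, plus the two files whose
    # absence produced the index.txt / serial errors in the note above
    mkdir -p "$ca_dir/certs" "$ca_dir/crl" "$ca_dir/newcerts" "$ca_dir/private"
    chmod 700 "$ca_dir/private"
    : > "$ca_dir/index.txt"          # empty certificate database
    echo 01 > "$ca_dir/serial"       # next serial number (even number of hex digits)

    # Trimmed copy of the reference config, pointed at $ca_dir instead of /etc/pki/CA
    cat > "$ca_dir/openssl.cnf" <<EOF
[ ca ]
default_ca      = CA_default
[ CA_default ]
dir             = $ca_dir
certs           = \$dir/certs
crl_dir         = \$dir/crl
database        = \$dir/index.txt
new_certs_dir   = \$dir/newcerts
certificate     = \$dir/cacert.pem
serial          = \$dir/serial
private_key     = \$dir/private/cakey.pem
default_days    = 365
default_md      = sha256
policy          = policy_match
x509_extensions = usr_cert
[ policy_match ]
countryName             = match
stateOrProvinceName     = match
organizationName        = match
organizationalUnitName  = optional
commonName              = supplied
emailAddress            = optional
[ usr_cert ]
basicConstraints        = CA:FALSE
subjectKeyIdentifier    = hash
authorityKeyIdentifier  = keyid,issuer
[ v3_ca ]
basicConstraints        = CA:TRUE
subjectKeyIdentifier    = hash
authorityKeyIdentifier  = keyid:always,issuer
[ req ]
distinguished_name      = req_dn
x509_extensions         = v3_ca
[ req_dn ]
commonName              = Common Name
EOF

    # Step 2 of the notes: CA private key. umask 077 makes it mode 0600 at
    # creation instead of chmod 600 afterwards (the notes' ls showed 0644 first).
    (umask 077; openssl genrsa -out "$ca_dir/private/cakey.pem" 2048 2>/dev/null)
    # Step 3: self-signed CA certificate, 10 years, DN from the notes
    openssl req -new -x509 -config "$ca_dir/openssl.cnf" \
        -key "$ca_dir/private/cakey.pem" -days 3650 \
        -subj "/C=CN/ST=SJZ/L=SJZ/O=zf/OU=zf.com/CN=zf.com" \
        -out "$ca_dir/cacert.pem"
}

# Host key + CSR, then signing by the CA (steps 1-3 of "request and issue")
issue_host_cert() {
    ca_dir=$1 name=$2 cn=$3
    (umask 077; openssl genrsa -out "$ca_dir/$name.key" 2048 2>/dev/null)
    openssl req -new -config "$ca_dir/openssl.cnf" -key "$ca_dir/$name.key" \
        -subj "/C=CN/ST=SJZ/L=SJZ/O=zf/OU=www.zf.com/CN=$cn" \
        -out "$ca_dir/$name.csr"
    # -batch answers the "Sign the certificate?" / "commit?" prompts with yes
    openssl ca -config "$ca_dir/openssl.cnf" -batch -days 3650 \
        -in "$ca_dir/$name.csr" -out "$ca_dir/certs/$name.crt" >/dev/null 2>&1
}

# Exit status 0 when the issued certificate chains to the CA certificate
verify_host_cert() {
    openssl verify -CAfile "$1/cacert.pem" "$1/certs/$2.crt" >/dev/null 2>&1
}

# Prints the CA:TRUE / CA:FALSE value of a certificate's Basic Constraints
basic_constraints() {
    openssl x509 -in "$1" -noout -text | grep -A1 'Basic Constraints' | tail -n 1 | tr -d ' '
}

# Prints the subject in RFC 2253 form (shows which DN fields the policy kept)
cert_subject() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253
}

# Stand-alone demo in a temporary directory
demo_dir=$(mktemp -d)
make_private_ca "$demo_dir"
issue_host_cert "$demo_dir" http zf
verify_host_cert "$demo_dir" http && echo "http.crt verifies against cacert.pem"
cert_subject "$demo_dir/certs/http.crt"
rm -rf "$demo_dir"
```

The policy_match section explains a detail visible in the notes' own output: the CSR was created with L=SJZ, but the Subject of the issued certificate has no localityName, because openssl ca silently drops every DN field the policy does not mention. Creating index.txt and serial before the first openssl ca run is exactly what the two errors in the note were asking for; openssl ca rewrites serial to the next value after each successful signing.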

Introduction to the ssh service

1. Common client-side ssh options and usage
1. Summary of ssh command basics
1.1 About the ssh client
      The ssh command is the ssh client; it provides authenticated, encrypted access to a remote system.
      When a user connects to an ssh server for the first time, the server's public host key (from the /etc/ssh/ssh_host*key.pub files on the server) is copied into ~/.ssh/known_hosts on the client. On later connections the server must prove that it holds the matching private key; if the key does not match the saved entry, the connection is refused.
1.2 Packages related to the ssh command
     [23:28:59  root@lvs-rs2 ~]#rpm -qa openssh*
     openssh-clients-7.4p1-16.el7.x86_64
     openssh-server-7.4p1-16.el7.x86_64
     openssh-7.4p1-16.el7.x86_64
1.3 ssh command syntax
     ssh [user@]host [command]
     ssh [-l user]  host [command]
1.4 Common ssh command options
      -p port: port of the remote server
      -b: source IP address to connect from
      -v: verbose (debug) mode
      -C: enable compression
      -X: enable X11 forwarding
      -t: force pseudo-tty allocation
      -o option: pass an option in the format used in the configuration file
      -i: path to the private key file, for key-based authentication; by default ~/.ssh/id_dsa, ~/.ssh/id_ecdsa, ~/.ssh/id_ed25519, ~/.ssh/id_rsa and so on are tried

2. Common server-side sshd parameters

2.1 Path of the server-side configuration file
          /etc/ssh/sshd_config
2.2 Manual page for the server configuration file
          man 5 sshd_config
2.3 Common server-side configuration options
Port 22
ListenAddress 0.0.0.0
LoginGraceTime 2m
PermitRootLogin yes            Ubuntu does not allow root to log in remotely over ssh
MaxAuthTries 6
MaxSessions 10                maximum number of sessions over one connection
PubkeyAuthentication yes     key-based authentication
PermitEmptyPasswords no      allow connections with an empty password
PasswordAuthentication yes     authentication with username and password
GatewayPorts no
ClientAliveCountMax 3
UseDNS yes                                  changing this is recommended to speed up connections
GSSAPIAuthentication yes     changing this is recommended to speed up connections
MaxStartups                  maximum number of unauthenticated connections, default 10
Banner /path/file
3. ssh service tuning examples

3.1 Log idle ssh sessions out automatically after 60 seconds

[01:43:37  root@lvs-rs2 ~]#vim /etc/ssh/sshd_config 
ClientAliveInterval     60
ClientAliveCountMax   0
[01:59:51  root@lvs-rs2 ~]#systemctl restart sshd

3.2 Fixing slow ssh logins

[01:43:37  root@lvs-rs2 ~]#vim /etc/ssh/sshd_config 
UseDNS no
GSSAPIAuthentication no
[01:59:51  root@lvs-rs2 ~]#systemctl restart sshd
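Editing sshd_config by hand with vim, as in 3.1 and 3.2, works for one host; when the same change has to be repeated it is worth scripting, and the script must respect how sshd reads the file: the first uncommented occurrence of a directive wins, so appending "UseDNS no" to the end does nothing if a "UseDNS yes" is still above it. The following is an added example, not code from the notes: it applies the four settings from 3.1 and 3.2 to a constructed copy of sshd_config and reads back the effective values. The function names and the sample file are this example's own; it assumes the directives live in the global section (before any Match block).

```shell
#!/bin/sh
# Added example (not from the notes): apply the sshd_config changes from
# sections 3.1 and 3.2 to a copy of the file the way sshd will read it.
# Function names and the sample config are constructions of this example.
set -eu

# Effective value of a directive as sshd sees it: the first uncommented
# occurrence wins, and the global section ends at the first Match block
get_sshd_option() {
    awk -v k="$2" '
        /^[ \t]*#/ { next }                        # comment line
        tolower($1) == "match" { exit }            # end of the global section
        tolower($1) == tolower(k) { print $2; exit }
    ' "$1"
}

# Set a directive: replace the first occurrence (a commented-out default
# counts), drop later duplicates so a stale "UseDNS yes" cannot win,
# and append the directive if it is not present at all
set_sshd_option() {
    file=$1 key=$2 value=$3
    awk -v k="$key" -v v="$value" '
        {
            line = $0
            sub(/^[ \t]*#?[ \t]*/, "", line)       # strip indent and a leading "#"
            split(line, f, /[ \t]+/)
            if (tolower(f[1]) == tolower(k)) {
                if (!done) { print k " " v; done = 1 }
                next
            }
            print
        }
        END { if (!done) print k " " v }
    ' "$file" > "$file.tmp" && mv "$file.tmp" "$file"
}

# The changes from 3.1 (idle logout) and 3.2 (slow login)
apply_ssh_tuning() {
    set_sshd_option "$1" ClientAliveInterval 60
    set_sshd_option "$1" ClientAliveCountMax 0
    set_sshd_option "$1" UseDNS no
    set_sshd_option "$1" GSSAPIAuthentication no
}

# Constructed sample (not a real host's file): active lines, commented-out
# defaults, and a duplicate directive further down
write_sample_sshd_config() {
    cat > "$1" <<'EOF'
# constructed sample sshd_config
Port 22
#PermitRootLogin yes
UseDNS yes
GSSAPIAuthentication yes
#ClientAliveInterval 0
#ClientAliveCountMax 3
UseDNS yes
EOF
}

# Stand-alone demo
f=$(mktemp)
write_sample_sshd_config "$f"
echo "before: UseDNS=$(get_sshd_option "$f" UseDNS) ClientAliveInterval=$(get_sshd_option "$f" ClientAliveInterval)"
apply_ssh_tuning "$f"
echo "after:  UseDNS=$(get_sshd_option "$f" UseDNS) ClientAliveInterval=$(get_sshd_option "$f" ClientAliveInterval)"
cat "$f"
rm -f "$f"
```

On a real host, run sshd -t after the edit and before systemctl restart sshd, so a typo cannot leave the server without a working sshd. One version caveat for 3.1: the combination ClientAliveInterval 60 with ClientAliveCountMax 0 gives the 60-second disconnect on the OpenSSH 7.4 shown in the notes, but from OpenSSH 8.2 onwards ClientAliveCountMax 0 disables connection termination altogether, and ClientAliveCountMax 1 is needed for the same effect.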
Generating a 12-character random password
[02:03:40  root@lvs-rs2 ~]#tr -dc A-Za-z0-9_ < /dev/urandom | head -c 12| xargs
iosSyXBKVqRg
[02:03:41  root@lvs-rs2 ~]#openssl rand -base64 9
G9t8UmyzYO8i
