1.创建CA相关目录和文件
1.新建目录和写入编号
[root@centos8:~]#
mkdir -pv /etc/pki/CA/{certs,crl,newcerts,private}
[root@centos8:~]#
touch /etc/pki/CA/index.txt
[root@centos8:~]#
echo 01 > /etc/pki/CA/serial
2.创建CA的私钥
[root@centos8:~]#
cd /etc/pki/CA
[root@centos8:/etc/pki/CA]#
(umask 066; openssl genrsa -out private/cakey.pem 2048)
Generating RSA private key, 2048 bit long modulus (2 primes)
......................................................+++++
..........................+++++
e is 65537 (0x010001)
3.给CA颁发自签名证书
[root@centos8:/etc/pki/CA]#
openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -days 3650 -out /etc/pki/CA/cacert.pem
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:SHAANXI
Locality Name (eg, city) [Default City]:XIAN
Organization Name (eg, company) [Default Company Ltd]:magedu
Organizational Unit Name (eg, section) []:devops
Common Name (eg, your name or your server's hostname) []:ca.magedu.org
Email Address []:[email protected]
1.新建用户目录
[root@centos8:/data]#
mkdir /data/app1
2.生成私钥文件
[root@centos8:/data]#
(umask 066; openssl genrsa -out /data/app1/app1.key 2048)
Generating RSA private key, 2048 bit long modulus (2 primes)
.............................................................+++++
...................+++++
e is 65537 (0x010001)
3.生成证书申请文件
[root@centos8:/data]#
openssl req -new -key /data/app1/app1.key -out /data/app1/app1.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:SHAANXI
Locality Name (eg, city) [Default City]:XIAN
Organization Name (eg, company) [Default Company Ltd]:magedu
Organizational Unit Name (eg, section) []:it
Common Name (eg, your name or your server's hostname) []:app1.magedu.org
Email Address []:[email protected]
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
4.CA颁发证书
[root@centos8:/etc/pki/CA]#
openssl ca -in /data/app1/app1.csr -out /etc/pki/CA/certs/app1.crt -days 1000
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 15 (0xf)
Validity
Not Before: Apr 2 04:11:18 2022 GMT
Not After : Dec 27 04:11:18 2024 GMT
Subject:
countryName = CN
stateOrProvinceName = SHAANXI
localityName = XIAN
organizationName = magedu
organizationalUnitName = it
commonName = app1.magedu.org
emailAddress = [email protected]
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
A5:49:2E:05:E5:71:7E:49:24:6D:53:8B:25:2A:B6:ED:4B:82:03:1A
X509v3 Authority Key Identifier:
keyid:BE:82:E7:B4:19:3C:8B:69:D8:26:52:60:11:9C:8F:9E:2A:8A:CB:74
Certificate is to be certified until Dec 27 04:11:18 2024 GMT (1000 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
[root@centos8:/etc/pki/CA]#
6.发到windows进行安装查看
sz /etc/pki/CA/certs/app1.crt
ssh是secure shell protocol的简称,是通过加密的方式实现远程登录,替代传统的telnet。
ssh命令常用选项:
-p port #远程服务器监听的端口
-b #指定连接的源IP
-v #调试模式
-C #压缩方式
-X #支持x11转发
-t #强制伪tty分配,如:ssh -t remoteserver1 ssh -t remoteserver2 ssh
remoteserver3
-o option 如:-o StrictHostKeyChecking=no
-i #指定私钥文件路径,实现基于key验证,默认使用文件: ~/.ssh/id_dsa,
~/.ssh/id_ecdsa, /.ssh/id_ed25519,/.ssh/id_rsa等
参数:连接主机的IP地址和具体的执行操作。
例如连接远程主机:ssh [user@]host [COMMAND]
1.登录远程主机
直接登录
ssh [email protected] #登录root用户可以省略root@
实现跳板登陆
ssh -t 10.0.0.8 ssh -t 10.0.0.7 ssh 10.0.0.6
2.远程执行命令
ssh 10.0.0.8 "sed -i.bak' /StrictHostKeyChecking/s/.*/StrictHostKeyChecking no/' /etc/ssh/ssh_config"
3.在远程主机运行本地shell脚本
[root@centos8 ~]#hostname -I
10.0.0.8
[root@centos8 ~]#cat test.sh
#!/bin/bash
hostname -I
[root@centos8 ~]#ssh 10.0.0.18 /bin/bash < test.sh
[email protected]'s password:
10.0.0.18
4.实现基于密钥的登录方式
①生成密钥
[root@centos8:/etc/pki/CA]#
ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa): /root/.ssh/id_rsa already exists.
Overwrite (y/n)? y
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Passphrases do not match. Try again.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:6Pgja9xbF81k87dorWnCuCK4KjmcJkcGa4KUxmCvSBY [email protected]
The key's randomart image is:
+---[RSA 3072]----+
| |
|.E |
|+ + + |
|.B . . = o |
|Bo. . S . o . .|
|=oo o . o..|
|++..o.. . + o o |
|=+..+ooo o o..o |
|++.ooo+o... oo |
+----[SHA256]-----+
②拷贝到远程主机
[root@centos8:/etc/pki/CA]#
ssh-copy-id [email protected]
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/root/.ssh/id_rsa.pub"
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
[email protected]'s password:
Number of key(s) added: 1
Now try logging into the machine, with: "ssh '[email protected]'"
and check to make sure that only the key(s) you wanted were added.
③基于key的登录,不需要输入密码。
[root@centos8:/etc/pki/CA]#
ssh 10.0.0.7
Last login: Sat Apr 2 06:11:37 2022 from 10.0.0.1
[root@centos7:~]#
服务器端的配置文件: /etc/ssh/sshd_config
Port #生产建议修改 默认22
ListenAddress ip
LoginGraceTime 2m
PermitRootLogin yes #默认ubuntu不允许root远程ssh登录
StrictModes yes #检查.ssh/文件的所有者,权限等
MaxAuthTries 6 #pecifies the maximum number of authentication
attempts permitted per connection. Once the number of failures reaches half this
value, additional failures are logged. The default is 6.
MaxSessions 10 #同一个连接最大会话
PubkeyAuthentication yes #基于key验证
PermitEmptyPasswords no #空密码连接
PasswordAuthentication yes #基于用户名和密码连接
GatewayPorts no
ClientAliveInterval 10 #单位:秒
ClientAliveCountMax 3 #默认3
UseDNS yes #提高速度可改为no
GSSAPIAuthentication yes #提高速度可改为no
MaxStartups #未认证连接最大值,默认值10
Banner /path/file
#以下可以限制可登录用户的办法:
AllowUsers user1 user2 user3
DenyUsers user1 user2 user3
AllowGroups g1 g2
DenyGroups g1 g2
1.安装dhcp-server服务
[root@centos8:~]#
yum -y install dhcp-server
Repository extras is listed more than once in the configuration
Repository AppStream is listed more than once in the configuration
Repository extras is listed more than once in the configuration
Repository epel is listed more than once in the configuration
Last metadata expiration check: 2:05:10 ago on Sat 02 Apr 2022 11:20:59 AM CST.
Package dhcp-server-12:4.3.6-45.el8.x86_64 is already installed.
Dependencies resolved.
Nothing to do.
Complete!
2.修改配置文件关键步骤
[root@centos8:~]#
vim /etc/dhcp/dhcpd.conf
#
# Sample configuration file for ISC dhcpd
#
# option definitions common to all supported networks...
option domain-name "example.org";
option domain-name-servers 180.76.76.76,223.5.5.5;
default-lease-time 86400;
max-lease-time 106400;
# Use this to enble / disable dynamic dns updates globally.
#ddns-update-style none;
# If this DHCP server is the official DHCP server for the local
# network, the authoritative directive should be uncommented.
#authoritative;
# Use this to send dhcp log messages to a different log file (you also
# have to hack syslog.conf to complete the redirection).
log-facility local7;
# No service will be given on this subnet, but declaring it helps the
# DHCP server to understand the network topology.
subnet 10.0.0.0 netmask 255.255.255.0 {
range 10.0.0.170 10.0.0.180;
option routers 10.0.0.2;
}
3.启动DHCP服务
[root@centos8:~]#
systemctl enable --now dhcpd
Created symlink /etc/systemd/system/multi-user.target.wants/dhcpd.service → /usr/lib/systemd/system/dhcpd.service.
[root@centos8:~]#
systemctl status dhcpd
● dhcpd.service - DHCPv4 Server Daemon
Loaded: loaded (/usr/lib/systemd/system/dhcpd.service; enable>
Active: active (running) since Sat 2022-04-02 13:35:20 CST; 1>
Docs: man:dhcpd(8)
man:dhcpd.conf(5)
Main PID: 3949 (dhcpd)
Status: "Dispatching packets..."
Tasks: 1 (limit: 18575)
Memory: 8.7M
CGroup: /system.slice/dhcpd.service
└─3949 /usr/sbin/dhcpd -f -cf /etc/dhcp/dhcpd.conf -u>
Apr 02 13:35:20 centos8.wwzroom.org dhcpd[3949]: Copyright 2004->
Apr 02 13:35:20 centos8.wwzroom.org dhcpd[3949]: All rights rese>
Apr 02 13:35:20 centos8.wwzroom.org dhcpd[3949]: For info, pleas>
Apr 02 13:35:20 centos8.wwzroom.org dhcpd[3949]: Source compiled>
Apr 02 13:35:20 centos8.wwzroom.org dhcpd[3949]: Wrote 1 leases >
Apr 02 13:35:20 centos8.wwzroom.org dhcpd[3949]: Listening on LP>
Apr 02 13:35:20 centos8.wwzroom.org dhcpd[3949]: Sending on LP>
Apr 02 13:35:20 centos8.wwzroom.org dhcpd[3949]: Sending on So>
Apr 02 13:35:20 centos8.wwzroom.org dhcpd[3949]: Server starting>
Apr 02 13:35:20 centos8.wwzroom.org systemd[1]: Started DHCPv4 S>
lines 1-22/22 (END)
● dhcpd.service - DHCPv4 Server Daemon
Loaded: loaded (/usr/lib/systemd/system/dhcpd.service; enabled; vendor preset: disabled)
Active: active (running) since Sat 2022-04-02 13:35:20 CST; 14s ago
Docs: man:dhcpd(8)
man:dhcpd.conf(5)
Main PID: 3949 (dhcpd)
Status: "Dispatching packets..."
Tasks: 1 (limit: 18575)
Memory: 8.7M
CGroup: /system.slice/dhcpd.service
└─3949 /usr/sbin/dhcpd -f -cf /etc/dhcp/dhcpd.conf -user dhcpd -group dhcpd --no-pid
Apr 02 13:35:20 centos8.wwzroom.org dhcpd[3949]: Copyright 2004-2017 Internet Systems Consortium.
Apr 02 13:35:20 centos8.wwzroom.org dhcpd[3949]: All rights reserved.
Apr 02 13:35:20 centos8.wwzroom.org dhcpd[3949]: For info, please visit https://www.isc.org/software/dhcp/
Apr 02 13:35:20 centos8.wwzroom.org dhcpd[3949]: Source compiled to use binary-leases
Apr 02 13:35:20 centos8.wwzroom.org dhcpd[3949]: Wrote 1 leases to leases file.
Apr 02 13:35:20 centos8.wwzroom.org dhcpd[3949]: Listening on LPF/eth0/00:0c:29:e6:aa:b6/10.0.0.0/24
Apr 02 13:35:20 centos8.wwzroom.org dhcpd[3949]: Sending on LPF/eth0/00:0c:29:e6:aa:b6/10.0.0.0/24
Apr 02 13:35:20 centos8.wwzroom.org dhcpd[3949]: Sending on Socket/fallback/fallback-net
Apr 02 13:35:20 centos8.wwzroom.org dhcpd[3949]: Server starting service.
Apr 02 13:35:20 centos8.wwzroom.org systemd[1]: Started DHCPv4 Server Daemon.
4.其他主机主动获得动态dhcp
[root@centos7:~]#
dhclient -d
Internet Systems Consortium DHCP Client 4.2.5
Copyright 2004-2013 Internet Systems Consortium.
All rights reserved.
For info, please visit https://www.isc.org/software/dhcp/
Listening on LPF/eth0/00:0c:29:40:ac:3b
Sending on LPF/eth0/00:0c:29:40:ac:3b
Sending on Socket/fallback
DHCPREQUEST on eth0 to 255.255.255.255 port 67 (xid=0x7c89e52e)
DHCPREQUEST on eth0 to 255.255.255.255 port 67 (xid=0x7c89e52e)
DHCPDISCOVER on eth0 to 255.255.255.255 port 67 interval 7 (xid=0x57b07d3)
DHCPREQUEST on eth0 to 255.255.255.255 port 67 (xid=0x57b07d3)
DHCPOFFER from 10.0.0.8
DHCPACK from 10.0.0.8 (xid=0x57b07d3)
5.查询具体情况
[root@centos8:/var/lib/dhcpd]#
cat dhcpd.leases
# The format of this file is documented in the dhcpd.leases(5) manual page.
# This lease file was written by isc-dhcp-4.3.6
# authoring-byte-order entry is generated, DO NOT DELETE
authoring-byte-order little-endian;
lease 10.0.0.170 {
starts 5 2022/04/01 14:09:15;
ends 6 2022/04/02 14:09:15;
tstp 6 2022/04/02 14:09:15;
cltt 5 2022/04/01 14:09:15;
binding state active;
next binding state free;
rewind binding state free;
hardware ethernet 00:0c:29:40:ac:3b;
uid "\000VM\037:<\237%^\231\201>\311\331@\254;";
set vendor-class-identifier = "PXEClient:Arch:00000:UNDI:002001";
}
server-duid "\000\001\000\001)\331\221[\000\014)\346\252\300";
lease 10.0.0.171 {
starts 6 2022/04/02 05:39:30;
ends 0 2022/04/03 05:39:30;
cltt 6 2022/04/02 05:39:30;
binding state active;
next binding state free;
rewind binding state free;
hardware ethernet 00:0c:29:40:ac:3b;
}