1、创建私有CA并进行证书申请。
创建CA相关目录和文件
[root@centos8 ~]# mkdir -pv /etc/pki/CA/{certs,crl,newcerts,private}
mkdir: created directory '/etc/pki/CA'
mkdir: created directory '/etc/pki/CA/certs'
mkdir: created directory '/etc/pki/CA/crl'
mkdir: created directory '/etc/pki/CA/newcerts'
mkdir: created directory '/etc/pki/CA/private'
[root@centos8 ~]# tree /etc/pki/CA/
/etc/pki/CA/
├── certs
├── crl
├── newcerts
└── private
4 directories, 0 files
[root@centos8 ~]# touch /etc/pki/CA/index.txt
[root@centos8 ~]# echo 0F > /etc/pki/CA/serial
创建CA的私钥
[root@centos8 ~]# cd /etc/pki/CA/
[root@centos8 CA]# (umask 066; openssl genrsa -out private/cakey.pem 2048)
Generating RSA private key, 2048 bit long modulus (2 primes)
..........................................................................+++++
.............................+++++
e is 65537 (0x010001)
[root@centos8 CA]# tree
.
├── certs
├── crl
├── index.txt
├── newcerts
├── private
│ └── cakey.pem
└── serial
4 directories, 3 files
[root@centos8 CA]# ll private/
total 4
-rw------- 1 root root 1679 Mar 7 03:25 cakey.pem
[root@centos8 CA]# cat private/cakey.pem
-----BEGIN RSA PRIVATE KEY-----
MIIEpQIBAAKCAQEAs2AA8HSWenLclT9I6X7b9gjicSm/NFijMgNI0My7gnMxZujy
1+6RN0rzHtkdB+aYuvLqIxOgbJQBchSQWifOhg9EJnRXPv3XZv3QGb5T3kIFktFs
G9lqLN4ORn7NQv/Ukg1WgMiNvBqEorHE6NisZ6PA8JHIUe1/GsdcUGfi9aMvNc7o
g/mKCvNj9y7COFJlx+HMNdarXAt3MKfkIhaNjI8FLBNFswIBuXxRJwdDGr9crLUm
AhrMkq7Aa74a4jokjBNoOISGQzeFEKyyM/KIPRqXvVJMRqmqQjfl/RcJrprcVNCi
nYMz+l7OUMA2SxWdZJQ0bfcKb3ltN+eYbyHlCQIDAQABAoIBAQCu7Wj9FjXJpEpJ
ojXQv85y2ac7BKNawTYlh95zAbW7OetrmLF6s0UazxTZeJI/Kjq31j1Ph8xjFtNy
FWvRABD/29NyTPLok1SFM/DFqj7P+ULGM0Viw1wv9T2msfIq7KK47Bj37p2KW7IN
l5+YE/XN/HwkH4djnmDeFJ2KLEXBlYgc7hMbN3+2mUMm+VbUTE+Ny5QUydfbGq6h
N23djkHZDRIBy2wGbn0xHffrinz5yN6yAPxQotuYVgbSuHKApMmH2vmp0Yg+QJ2Y
c/zGyBSL1/UK4G6pc5dljCHpd6vxS+iDjfscpsICBnt/JDnK9/WOTbt/m2ds/J5S
/B10p4EhAoGBAN9ILGGeTB9M9cns3Xp4EoXhpTLbAxQwrY1fG8YklGlyS3bpDAoM
L6KgbvnyYlDO8FzGtMFoiC3Le0Z/HF4B4ToiJWpfkgfUIuX2OKekVTPJbSS8F5MB
lrrP0mM4qkLi66JgzFMWit3u3QOghAuv7xtthz/RAOQTqgFfAd/ndNQ3AoGBAM2o
x4ml1dASthKGZ/ns6AbCp78yhf5EcnqLw11ir97LR5S9QS1qqjzgWn+joqMhU6j7
wr82yMH7VIySLKC8v8zqJuVQhdszy6x+VApTWi8rPWtuWXrXJ2BE+dhNcGA3/nbO
mGxz1Q+b5UQ1geP78tGJky5Nl8B9Lxdx3a0OHPC/AoGBAN7Wyix27uQCS//GHVjA
A0SI6fWybQU2e89vD2oWUeRXRIedmP1iIhx9X6SmyoZ5sZv2WKn6aIbD4Pl/nNEZ
sS3yrELYtQaJKnc14F83fC1eJ0aVTjXSTRuOlBugjxSIIsGBOArooZlTblLTXVXI
tas7CdOgBPKbyXzq1BUhjBDLAoGAZspZER9mAp2XiyLKjUwvnFFmblXeSvwDC+UX
PHG63WxU1q7RCNYrSEoKcYlkHIznt6o96DyFkw7/b1MQIzaz1sOhtTPN84Wr4wcx
EggfJzxBcpSw/IjVEXToO4hZBn52HQOdg3dRon+U08a6qSygbMKKYbY+huMKynkL
BxfqtxkCgYEA119DAWYp6ubviJATfpfSmGPfQBJWYvY5ZJgFArYvR6W8EyQru5z2
Z9Vli/VTY8ifkWcHxPgVGRoZDrr8t5RnLMaF65JZJfVTMH8TjAaBY397T5EjZnDH
emGMYU2v4POapzIKQx9lGAh7kc1lsrAH3JeMy4jwVeused8OtSTu52s=
-----END RSA PRIVATE KEY-----
给CA颁发自签名证书
[root@centos8 ~]# openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -days 3650 -out /etc/pki/CA/cacert.pem
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:zhejiang
Locality Name (eg, city) [Default City]:hangzhou
Organization Name (eg, company) [Default Company Ltd]:sakura.com
Organizational Unit Name (eg, section) []:devops
Common Name (eg, your name or your server hostname) []:ca.sakura.com
Email Address []:[email protected]
[root@centos8 ~]# tree /etc/pki/CA
/etc/pki/CA
├── cacert.pem
├── certs
├── crl
├── index.txt
├── newcerts
├── private
│ └── cakey.pem
└── serial
4 directories, 4 files
[root@centos8 ~]# openssl x509 -in /etc/pki/CA/cacert.pem -noout -text
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
74:5e:8c:7c:f5:00:34:3f:32:68:24:1d:2f:70:2b:62:08:ec:23:96
Signature Algorithm: sha256WithRSAEncryption
Issuer: C = CN, ST = zhejiang, L = hangzhou, O = sakura.com, OU = devops, CN = ca.sakura.com, emailAddress = [email protected]
Validity
Not Before: Mar 6 19:31:52 2022 GMT
Not After : Mar 3 19:31:52 2032 GMT
Subject: C = CN, ST = zhejiang, L = hangzhou, O = sakura.com, OU = devops, CN = ca.sakura.com, emailAddress = [email protected]
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public-Key: (2048 bit)
Modulus:
00:b3:60:00:f0:74:96:7a:72:dc:95:3f:48:e9:7e:
db:f6:08:e2:71:29:bf:34:58:a3:32:03:48:d0:cc:
bb:82:73:31:66:e8:f2:d7:ee:91:37:4a:f3:1e:d9:
1d:07:e6:98:ba:f2:ea:23:13:a0:6c:94:01:72:14:
90:5a:27:ce:86:0f:44:26:74:57:3e:fd:d7:66:fd:
d0:19:be:53:de:42:05:92:d1:6c:1b:d9:6a:2c:de:
0e:46:7e:cd:42:ff:d4:92:0d:56:80:c8:8d:bc:1a:
84:a2:b1:c4:e8:d8:ac:67:a3:c0:f0:91:c8:51:ed:
7f:1a:c7:5c:50:67:e2:f5:a3:2f:35:ce:e8:83:f9:
8a:0a:f3:63:f7:2e:c2:38:52:65:c7:e1:cc:35:d6:
ab:5c:0b:77:30:a7:e4:22:16:8d:8c:8f:05:2c:13:
45:b3:02:01:b9:7c:51:27:07:43:1a:bf:5c:ac:b5:
26:02:1a:cc:92:ae:c0:6b:be:1a:e2:3a:24:8c:13:
68:38:84:86:43:37:85:10:ac:b2:33:f2:88:3d:1a:
97:bd:52:4c:46:a9:aa:42:37:e5:fd:17:09:ae:9a:
dc:54:d0:a2:9d:83:33:fa:5e:ce:50:c0:36:4b:15:
9d:64:94:34:6d:f7:0a:6f:79:6d:37:e7:98:6f:21:
e5:09
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Key Identifier:
C7:F6:04:27:18:EF:C3:48:2B:3F:3B:47:79:97:D3:22:B8:72:99:C9
X509v3 Authority Key Identifier:
keyid:C7:F6:04:27:18:EF:C3:48:2B:3F:3B:47:79:97:D3:22:B8:72:99:C9
X509v3 Basic Constraints: critical
CA:TRUE
Signature Algorithm: sha256WithRSAEncryption
8b:c4:d6:06:7d:38:23:f1:09:0c:54:05:47:3d:97:ef:49:0c:
4a:33:7d:4f:08:14:4c:0a:4e:94:1a:45:d4:37:62:17:dc:ed:
e6:d3:95:bc:6b:89:e9:7a:ff:ef:26:e1:c5:ca:9a:77:b6:f9:
bf:1d:8a:a4:1d:98:c0:a9:3b:4d:6d:64:df:63:21:4b:6c:1a:
88:19:48:0e:bf:bf:30:ed:b4:67:e6:ec:26:23:fe:eb:90:82:
fd:65:70:ed:19:9f:19:2d:a3:06:b6:1a:c9:93:0d:09:3f:89:
f7:c4:c8:8a:49:1e:97:f2:e4:11:6f:c6:1f:53:ef:59:6d:a0:
70:76:53:db:0a:78:98:95:d6:aa:8a:28:82:a9:b1:19:b7:7a:
08:49:3a:70:f4:07:03:7b:93:81:5b:d3:28:f6:8f:d3:4f:20:
0a:07:14:c2:fd:b3:31:51:ee:9a:f2:a7:bf:8e:a1:91:fb:b2:
da:96:9b:b7:fa:c2:59:5c:4d:67:d7:65:b1:ac:f1:51:7c:14:
80:b0:54:4e:9a:54:8f:05:f9:18:57:72:c8:f5:d7:c2:69:3e:
8a:cc:a3:be:be:94:18:f3:eb:d0:7e:62:60:1a:13:94:1b:42:
a9:6a:65:43:3b:63:ff:46:70:87:43:02:a0:d5:ca:94:9e:81:
ab:fb:08:eb
用户生成私钥和证书申请
[root@centos8 ~]# mkdir /data/app1
#生成私钥文件
[root@centos8 ~]# (umask 066; openssl genrsa -out /data/app1/app1.key 2048)
Generating RSA private key, 2048 bit long modulus (2 primes)
..................................+++++
...+++++
e is 65537 (0x010001)
[root@centos8 ~]# cat /data/app1/app1.key
-----BEGIN RSA PRIVATE KEY-----
MIIEogIBAAKCAQEAt3HStqXxYhoZvdRi37BPNuKYlsIkZqNVr3cPLukp5ULNXAoY
q4Ue4ACIfy9AJgNog252AVf9EBfxyncXlJ8dmfwZmXQLkYHoxPaE1zIScn0RSmmy
gP9CfiPXPd5f37/xOcx431bTj7N4hQW8ijcDoEGfA7O0sFvTDxt63KFMAvINka4s
7EIm7HZi5sCcOX9N0jacqCd2w2fRNg/4dS1wZhXOc5RVrY3FdU/Gghktfc1FlAbX
jqrOVdlX6ubVIwp2g+wbZiFQCXD88G3CtAYoADdiU7JqbJIXi/DvK2RVcVe3F5RX
sH2vGXg/PsXmyUYw/plrECG0gFmnfTEiJPKztQIDAQABAoIBAGzRXEl0joe/K93r
iuteTt8j85gaejVYVo/LdHpDXdLdmawrYQ793J7MMiwf/1GNXAX7FI0fgMJ3MbsE
gjxrVsftP9JDgElEYqvUAGEXFtJLVmJp6LWUtgDVieztaLn1xkafAGSbwMvRjoB6
MqlakRATXRx5EYo8LiscBfmyxMBJjG+ZwpO0w3qa+5j7bPl7ceWrWVVxT6p4ik0d
ua5NbzcDmCaW9EmcG/9argJEhtSq7A1mVFT3GmPG7/a35x1bEWPNSoorW4dZcgVE
iFQIxIpkBLm9gR5Q0+YmIH1ckRu+B9sj6Tx2UNl2ENPurU5HwN1sN3TO6h5i0huk
IyRYU4ECgYEA4UdcXAAWXjUzE2VW4RMpZjC8NrgLWGzb5fxRLviOA/zO4ubuDlXv
bAp5VN8TsVfuYjNl0/B73YwsmvQLBCtj9xfMYL91Uc7iSZy0TDoJtV8yqzB22RMU
G5LY2XtbLUPdKFacStsw/WiGEdTq7sVuAMl58PorCQnjqwP2Ulljd7kCgYEA0HYA
4oITxGZ2Ie/xV/kbVBDcyQY+lylsrKFkw6pa5xnKT3F47aZ6dqHRe6PLgMajsnYv
lP5vHAT1LN9qsxbgHKd6HPTCB1MZnAZEgIIk9ISRPvZVmW/rzuKqTtKjyKPN7Ufp
PpZZfJ4DuzB9X8M5oE2w8qNQyVmqNytn93yRod0CgYBvokkmXfS3om05A1LWHgS5
2xSpmPImU2t0wGAKgqj9WN28musEt5j5VQdjA1hi3UwH5ahkKht3YesIrj53Rnk3
DNf+aWHdtEN2buz5iRkeg5o8MrvyPf4M2+wReYtpFuQVBTZV8eCI8q7dT0FMKRGl
2jFPNOj2hawIJuJ9VEZyIQKBgFde3ggRlM9gUmru8ix5D+cwGhl3MIySpCXGj0Ej
CW6K9KxPVuvkNre6It67S/PxTXLi7hZ4fYE04r2n9kSRdeUMnLW+MAR54+XtCpEB
+xMw7N+Cx2XD7wWLIu5egp75aLnmxe+hfGgqok22iRW18VUquts3cAi0OA9fdffY
kgFRAoGAVL1DMfw/y30gRiiUD0ph6jRdgUeBhOpEwSo2+00mQ+RD+oS0EoHaMF2F
tMLyFi7RphJy0kV+9ozvtvRMC9WDuwMX9f26ABG3S00wsaTX44IufBS6KqsVEa3e
Y0wndXXVxktz86DmyLf4iEPKplEbUQh3cEoBUWPERJ5HrfP+D/Y=
-----END RSA PRIVATE KEY-----
#生成证书申请文件
[root@centos8 ~]# openssl req -new -key /data/app1/app1.key -out /data/app1/app1.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:zhejiang
Locality Name (eg, city) [Default City]:hz
Organization Name (eg, company) [Default Company Ltd]:sakura.com
Organizational Unit Name (eg, section) []:IT
Common Name (eg, your name or your server hostname) []:app.sakura.com
Email Address []:[email protected]
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
[root@centos8 ~]# ll /data/app1/
total 8
-rw-r--r-- 1 root root 1106 Mar 7 03:43 app1.csr
-rw------- 1 root root 1675 Mar 7 03:40 app1.key
CA颁发证书
[root@centos8 ~]# openssl ca -in /data/app1/app1.csr -out /etc/pki/CA/certs/app1.crt -days 1000
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 15 (0xf)
Validity
Not Before: Mar 6 19:57:25 2022 GMT
Not After : Nov 30 19:57:25 2024 GMT
Subject:
countryName = CN
stateOrProvinceName = zhejiang
organizationName = sakura.com
organizationalUnitName = IT
commonName = app.sakura.com
emailAddress = [email protected]
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
DB:95:EF:24:08:00:83:3B:DA:E0:2F:29:AF:FB:94:D4:1B:7C:2F:35
X509v3 Authority Key Identifier:
keyid:C7:F6:04:27:18:EF:C3:48:2B:3F:3B:47:79:97:D3:22:B8:72:99:C9
Certificate is to be certified until Nov 30 19:57:25 2024 GMT (1000 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
[root@centos8 ~]# tree /etc/pki/CA
/etc/pki/CA
├── cacert.pem
├── certs
│ └── app1.crt
├── crl
├── index.txt
├── index.txt.attr
├── index.txt.old
├── newcerts
│ └── 0F.pem
├── private
│ └── cakey.pem
├── serial
└── serial.old
4 directories, 9 files
2、总结ssh常用参数、用法
ssh基础知识
ssh: secure shell protocol, 22/tcp,安全的远程登录,实现加密通信,代替传统的 telnet 协议。SSH 协议版本:v1:基于CRC-32做MAC,不安全;man-in-middle 和 v2:双方主机协议选择安全的MAC方式,基于DH算法做密钥交换,基于RSA或DSA实现身份认证。常用软件:CentOS 默认安装的OpenSSH和另一个ssh协议的开源项目dropbear。
命令格式
ssh [user@]host [COMMAND]
ssh [-l user] host [COMMAND]
常用选项
-p port #远程服务器监听的端口,默认为22,一般生产环境中都会修改成其他的端口
-b #指定连接的源IP
-v #调试模式
-C #压缩方式
-X #支持x11转发
-t #强制伪tty分配,如:ssh -t remoteserver1 ssh -t remoteserver2 ssh remoteserver3
-o option #如:-o StrictHostKeyChecking=no
-i #指定私钥文件路径,实现基于key验证,默认使用文件: ~/.ssh/id_dsa,~/.ssh/id_ecdsa, ~/.ssh/id_ed25519,~/.ssh/id_rsa等
3、总结sshd服务常用参数。
主要参数及默认值 | 基本作用和用途 |
---|---|
Port 22 | sshd服务的默认端口 ,生产中都会修改,如2222、8822端口,可以提高安全性 |
ListenAddress 0.0.0.0 | 设定sshd服务监听IP地址 一般保持0.0.0.0 |
Protocol 2 | SSH协议版本 |
HostKey /etc/ssh/ssh_host_rsa_key | SSH协议版本为2时,RSA私钥存放的位置。 |
HostKey /etc/ssh/ssh_host_dsa_key | SSH协议版本为2时,DSA私钥存放的位置。 |
PermitRootLogin yes | 设定是否允许root用户直接登录 |
StrictModes yes | 当远程用户私钥改变时则直接拒绝连接 |
MaxAuthTries 6 | 密码最多输入错误次数 |
MaxSessions 10 | 同时连接的最大终端数 |
PasswordAuthentication yes | 是否允许密码验证,默认允许 |
PermitEmptyPasswords no | 是否允许空密码登陆(不安全),默认为不允许 |
AllowAgentForwarding yes | SSH转发功能默认打开 |
AllowTcpForwarding yes | TCPTCP转发功能 |
GatewayPorts no | 远程端口转发并实现网关功能,此项必须设定为yes |
LoginGraceTime 2m | 没有输入密码时,自动断开时间 |
ClientAliveInterval 0 | 间隔多久客户端和服务器端没有操作就断开连接 |
ClientAliveCountMax 3 | 检测几次后发现没有操作断开,此项和上一项结合一起使用 |
UseDNS no | 是否使用名称解析,默认不启用 |
GSSAPIAuthentication no | GSSAPI的认证 |
MaxStartups 10:30:100 | 未验证的最大连接数 |
Banner none | 登录前提示的信息 |
AllowUsers | 允许哪些用户登录(白名单) |
DenyUsers | 不允许哪些用户登录(黑名单) |
AllowGroups | 允许哪些组登录(白名单) |
DenyGroups | 不允许哪些组登录(黑名单) |
4、搭建dhcp服务,实现ip地址申请分发
[root@sakura:~] # yum -y install dhcp-server
[root@sakura:~] # vim /etc/dhcp/dhcpd.conf
# dhcpd.conf
#
# Sample configuration file for ISC dhcpd
#
# option definitions common to all supported networks...
option domain-name "sarkura.com";
option domain-name-servers 180.76.76.76,223.5.5.5;
default-lease-time 84600;
max-lease-time 7200;
# Use this to enble / disable dynamic dns updates globally.
#ddns-update-style none;
# If this DHCP server is the official DHCP server for the local
# network, the authoritative directive should be uncommented.
#authoritative;
# Use this to send dhcp log messages to a different log file (you also
# have to hack syslog.conf to complete the redirection).
log-facility local7;
# No service will be given on this subnet, but declaring it helps the
# DHCP server to understand the network topology.
subnet 10.0.0.0 netmask 255.255.255.0 {
range 10.0.0.170 10.0.0.200;
option routers 10.0.0.2;
next-server 10.0.0.8;
filename "pxelinux.0";
}
[root@sakura:~] # systemctl enable --now dhcpd