Week 8 - 2022-01-13

1. Create a private CA and request a certificate from it.

1. Create the files the CA needs
The paths below are the [ CA_default ] defaults in /etc/pki/tls/openssl.cnf on CentOS 7; openssl ca reads its CA directory, database and serial file from that section, so on a distribution whose openssl.cnf defaults to ./demoCA either adjust the config or pass -config.
mkdir -pv /etc/pki/CA/{certs,crl,newcerts,private}
Create the certificate index database file (openssl ca refuses to run without it)
touch /etc/pki/CA/index.txt
Set the serial number of the first certificate to be issued (done only once; openssl ca increments it after every signature)
echo 01 > /etc/pki/CA/serial

2. Generate the CA private key
The subshell with umask 066 makes the key file mode 0600 without changing the shell's own umask; anyone who can read this file can issue certificates that every client trusting the CA will accept.
cd /etc/pki/CA/
(umask 066; openssl genrsa -out private/cakey.pem 2048)

3. Generate the CA's self-signed certificate (interactive)
openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -days 3650 -out /etc/pki/CA/cacert.pem
Option summary:
-new: create a new certificate request
-x509: output a self-signed certificate instead of a CSR (this is how a root CA certificate is made)
-key: private key used to sign the request or, with -x509, the certificate
-days n: validity period in days
-out /PATH/TO/SOMECERTFILE: where to write the certificate

[root@centos01 CA]# openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -days 3650 -out /etc/pki/CA/cacert.pem
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:shanghai
Locality Name (eg, city) [Default City]:shanghai
Organization Name (eg, company) [Default Company Ltd]:mxcloud
Organizational Unit Name (eg, section) []:it
Common Name (eg, your name or your server's hostname) []:ca.mxcloud.com
Email Address []:[email protected]

4. The requester generates a private key and a certificate signing request
Generate the private key file
cd /data/test/
(umask 066; openssl genrsa -out /data/test/test.key 2048)
Generate the certificate signing request. Country, State and Organization must match the CA's values because the default policy_match section requires it; the Common Name is the server's hostname.
openssl req -new -key /data/test/test.key -out /data/test/test.csr

[root@centos01 test]# openssl req -new -key /data/test/test.key -out /data/test/test.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:shanghai
Locality Name (eg, city) [Default City]:shanghai
Organization Name (eg, company) [Default Company Ltd]:mxcloud
Organizational Unit Name (eg, section) []:it
Common Name (eg, your name or your server's hostname) []:www.mxcloud.com
Email Address []:[email protected]

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

5. The CA issues the certificate
openssl ca -in /data/test/test.csr -out /etc/pki/CA/certs/test.crt -days 1000
openssl ca takes the CA key, certificate, database and serial file from [ CA_default ] in /etc/pki/tls/openssl.cnf, which is why nothing on the command line points it at /etc/pki/CA; -days overrides default_days from that section. Note that the resulting certificate carries only a commonName and no subjectAltName: browsers and most TLS libraries match the hostname against the SAN and ignore the CN, so they will reject it for www.mxcloud.com even though the chain verifies.

[root@centos01 test]# openssl ca -in /data/test/test.csr -out /etc/pki/CA/certs/test.crt -days 1000
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: Jan 11 09:22:46 2022 GMT
            Not After : Oct  7 09:22:46 2024 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = shanghai
            organizationName          = mxcloud
            organizationalUnitName    = it
            commonName                = www.mxcloud.com
            emailAddress              = [email protected]
        X509v3 extensions:
            X509v3 Basic Constraints: 
                CA:FALSE
            Netscape Comment: 
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier: 
                F4:AB:30:DF:22:38:5F:A5:D0:07:5D:56:54:46:54:8D:91:01:32:93
            X509v3 Authority Key Identifier: 
                keyid:F8:07:91:B4:4D:D0:4E:77:64:41:C2:B4:0D:FB:46:47:80:1D:F0:56

Certificate is to be certified until Oct  7 09:22:46 2024 GMT (1000 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

# Check the generated certificate
[root@centos01 test]# ls /etc/pki/CA/certs
test.crt
# openssl ca also keeps its own copy in newcerts, named after the serial number
[root@centos01 test]# ls /etc/pki/CA/newcerts
01.pem
# Check the certificate record in the database (tab-separated: status V/R/E, expiry, revocation date, serial, filename, subject DN)
[root@centos01 test]# cat /etc/pki/CA/index.txt
V   241007092246Z       01  unknown /C=CN/ST=shanghai/O=mxcloud/OU=it/CN=www.mxcloud.com/[email protected]
# Check certificate status (01 is the serial number)
[root@centos01 test]# openssl ca -status 01
Using configuration from /etc/pki/tls/openssl.cnf
01=Valid (V)

The issued subject above has no localityName even though "shanghai" was entered in the CSR: the default policy_match section lists C, ST and O as match, OU and emailAddress as optional and CN as supplied, and any field the policy does not mention is silently dropped from the certificate. A CSR whose C, ST or O differ from the CA's is rejected under the same policy.
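The five steps above, as an added example that is not part of the original post: a bash script that builds the same private CA without prompts and without touching /etc/pki/CA, by writing its own minimal openssl.cnf with the [ CA_default ] keys the page's commands silently take from /etc/pki/tls/openssl.cnf. It also adds what the page's certificate lacks, a subjectAltName, and finishes with the verify and revoke steps the page stops short of. The CA directory (a mktemp directory), the subjects, the hostnames www.mxcloud.com and mxcloud.com and the 1000-day validity are assumptions modelled on the page, not copied from it.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): steps 1-5 above run without
# prompts, using a throwaway config so nothing depends on /etc/pki/CA or
# /etc/pki/tls/openssl.cnf, plus the verify and revoke steps the post stops
# short of. Directory layout, subjects and hostnames are assumptions.
set -eu

# Minimal config for `openssl ca`: the keys the system file sets under
# [ CA_default ], pointed at $1. The \$dir forms are expanded by openssl.
write_ca_config() {
  cat > "$1/openssl.cnf" <<EOF
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = $1
database = \$dir/index.txt
new_certs_dir = \$dir/newcerts
certificate = \$dir/cacert.pem
private_key = \$dir/private/cakey.pem
serial = \$dir/serial
crlnumber = \$dir/crlnumber
default_md = sha256
default_days = 365
default_crl_days = 30
policy = policy_match
[ policy_match ]
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
[ req ]
distinguished_name = req_dn
[ req_dn ]
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
}

# Steps 1-3: layout, index/serial files, CA key (0600) and self-signed CA cert.
# $1 = CA directory, $2 = CA subject.
init_ca() {
  mkdir -p "$1/certs" "$1/crl" "$1/newcerts" "$1/private"
  chmod 700 "$1/private"
  : > "$1/index.txt"
  echo 01 > "$1/serial"
  echo 01 > "$1/crlnumber"
  write_ca_config "$1"
  (umask 077; openssl genrsa -out "$1/private/cakey.pem" 2048 2>/dev/null)
  openssl req -new -x509 -sha256 -days 3650 -key "$1/private/cakey.pem" \
    -subj "$2" -config "$1/openssl.cnf" -extensions v3_ca -out "$1/cacert.pem"
}

# Step 4: requester's key and CSR. $1 = CA dir (for the config), $2 = key out,
# $3 = CSR out, $4 = subject (C/ST/O must match the CA's under policy_match).
make_csr() {
  (umask 077; openssl genrsa -out "$2" 2048 2>/dev/null)
  openssl req -new -sha256 -key "$2" -subj "$4" -config "$1/openssl.cnf" -out "$3"
}

# Step 5: sign as the CA. Extensions come from the CA's own -extfile, never from
# the CSR, so a requester cannot ask for CA:TRUE. $1 = CA dir, $2 = CSR,
# $3 = cert out, $4 = SAN list (DNS:...), $5 = days (default 365).
sign_server_cert() {
  cat > "$1/server_ext.cnf" <<EOF
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
subjectAltName = $4
EOF
  openssl ca -batch -config "$1/openssl.cnf" -in "$2" -out "$3" \
    -days "${5:-365}" -extfile "$1/server_ext.cnf" 2>/dev/null
}

# What a TLS client checks: chain to the CA and hostname in the SAN.
# $1 = CA dir, $2 = cert, $3 = hostname. Exit status 0 = accepted.
verify_server_cert() {
  openssl verify -CAfile "$1/cacert.pem" -verify_hostname "$3" "$2" >/dev/null
}

# Revoke a certificate and publish a fresh CRL. $1 = CA dir, $2 = cert.
revoke_cert() {
  openssl ca -config "$1/openssl.cnf" -revoke "$2" 2>/dev/null
  openssl ca -config "$1/openssl.cnf" -gencrl -out "$1/crl/ca.crl" 2>/dev/null
}

# Status letter from index.txt (V valid, R revoked, E expired). The file is
# tab-separated: status, expiry, revocation date, serial, filename, subject.
# $1 = CA dir, $2 = serial as stored (e.g. 01).
ca_status() {
  awk -F '\t' -v s="$2" '$4 == s { print $1 }' "$1/index.txt"
}
```

Typical use is init_ca on a fresh directory with the CA subject, make_csr for the server key, sign_server_cert with the SAN list, then verify_server_cert with the hostname a client will connect to; ca_status prints V until revoke_cert is run, after which it prints R and crl/ca.crl lists the serial. Remove the 2>/dev/null redirections to see openssl's diagnostics when a step fails; the most common failure is a CSR whose C, ST or O differ from the CA's, which policy_match rejects.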

2. Summary of common ssh options and usage

1. Log in to a remote host with ssh:
ssh -p PORT USER@REMOTE_HOST
-p: port the remote sshd listens on; default 22
-o: pass a configuration option on the command line, e.g. -o StrictHostKeyChecking=no. That particular option accepts any host key without checking it, which removes the protection against a man-in-the-middle on the path, so reserve it for throwaway lab hosts.
-t: force pseudo-terminal allocation; needed to get an interactive shell on a second hop through a jump host, e.g. ssh -t host1 ssh host2 (OpenSSH 7.3 and later can do the same with -J host1 host2)

2. Passwordless (key-based) login
centos01 logs in to centos02:
1) Generate a key pair on centos01 (the empty passphrase below means anyone who can read /root/.ssh/id_rsa has the same access; outside a lab, set a passphrase and use ssh-agent):

[root@centos01 .ssh]# ssh-keygen 
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa): 
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:7NSCQY8up05cg7ow5aORHyeTMq4gnJXSf6u28qZ3UoU root@centos01
The key's randomart image is:
+---[RSA 2048]----+
|      .          |
|     . o         |
|      o o        |
|  . .o E o       |
| ..+o * S .      |
|.+++.= = .       |
|XoO =....        |
|+O @ =...        |
|+.o.O+=.         |
+----[SHA256]-----+

2) Copy the public key to centos02 (ssh-copy-id appends it to ~/.ssh/authorized_keys on the target; the host key fingerprint it shows on first contact should be compared with the one on centos02, for example with ssh-keygen -lf /etc/ssh/ssh_host_ecdsa_key.pub, before answering yes)

[root@centos01 .ssh]# ssh-copy-id [email protected]
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/root/.ssh/id_rsa.pub"
The authenticity of host '192.168.184.133 (192.168.184.133)' can't be established.
ECDSA key fingerprint is SHA256:2GxC5IDqZjJSzg0pc787myeCSE4Mn4hJfZlIobNvC+4.
ECDSA key fingerprint is MD5:38:87:f0:91:c0:c0:0e:6b:22:bb:ac:2a:f3:79:b1:90.
Are you sure you want to continue connecting (yes/no)? yes
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
[email protected]'s password: 

Number of key(s) added: 1

Now try logging into the machine, with:   "ssh '[email protected]'"
and check to make sure that only the key(s) you wanted were added.
3) Log in to centos02 with ssh
[root@centos01 .ssh]# ssh [email protected]
Last login: Wed Jan 12 17:41:55 2022 from 192.168.184.1
[root@centos02 ~]#

3. Summary of common sshd options.

Server configuration file: /etc/ssh/sshd_config
Common options (for each keyword sshd uses the first value it reads, so a duplicate line appended later has no effect; lines after a Match header apply only to matching connections):
Port #port the service listens on
ListenAddress ip #address to listen on
LoginGraceTime 2m #time the server waits for authentication to complete before dropping the connection
PermitRootLogin yes #whether root may log in over ssh (Ubuntu's default sshd_config sets prohibit-password, so root cannot log in with a password)
StrictModes yes #check ownership and permissions of the user's ~/.ssh files before accepting key login
MaxAuthTries 6 #maximum authentication attempts the server allows per connection; the ssh client itself gives up after 3 password prompts (NumberOfPasswordPrompts)
MaxSessions 10 #maximum sessions multiplexed over one connection
PubkeyAuthentication yes #allow key-based authentication
PermitEmptyPasswords no #allow login to accounts with an empty password
PasswordAuthentication yes #allow username/password authentication
GatewayPorts no #whether remote hosts may connect to ports forwarded for the client with -R
ClientAliveInterval 10 #seconds of inactivity before the server sends a keepalive; 0 disables
ClientAliveCountMax 3 #unanswered keepalives before the connection is dropped; default 3
UseDNS yes #reverse-resolve client addresses; set to no to speed up logins (the upstream default is already no)
GSSAPIAuthentication yes #Kerberos/GSSAPI authentication; set to no to speed up logins where it is not used
MaxStartups 10:30:100 #maximum concurrent unauthenticated connections; default 10:30:100 (start dropping at 10, drop all at 100)
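The "first value wins" rule above is the one that bites in practice: appending PermitRootLogin no to a file that already says PermitRootLogin yes changes nothing. As an added example that is not part of the original post, the script below reads a keyword the way sshd does (first occurrence, case-insensitive, "Key value" or "Key=value", Match blocks skipped) and flags weak global settings among the options listed. The two sample configs are constructed for the demo; on a real host, sshd -T prints the effective configuration and is the authoritative check, so treat this as a pre-deploy sanity pass.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): read the effective value of an
# sshd_config keyword the way sshd does (first occurrence wins, keywords are
# case-insensitive, "Key value" and "Key=value" both allowed, lines after a
# Match header are conditional) and flag weak settings. The sample configs
# are constructed for the demo; `sshd -T` on a real host is the authoritative
# check and this script is only a pre-deploy sanity pass.

lower() { printf '%s' "$1" | tr 'A-Z' 'a-z'; }

# $1 = config file, $2 = keyword, $3 = value to report when the file is silent
# (sshd's compiled-in default). Match blocks are skipped, so the result is the
# global setting, not what a specific user or address would get.
sshd_get() {
  awk -F '[[:space:]=]+' -v key="$(lower "$2")" -v def="$3" '
    { sub(/^[[:space:]]+/, "") }        # re-splits $0 on FS
    /^(#|$)/ { next }                   # comment or blank line
    tolower($1) == "match" { inmatch = 1; next }
    inmatch { next }                    # conditional until end of file
    tolower($1) == key && !found { found = 1; val = $2 }
    END { print (found ? val : def) }
  ' "$1"
}

# Print one line per weak global setting; exit 0 only when nothing was found.
# The defaults passed to sshd_get are OpenSSH's own for a silent file.
sshd_audit() {
  local cfg=$1 n=0 v
  flag() { echo "$1=$2: $3"; n=$((n + 1)); }
  v=$(sshd_get "$cfg" PermitRootLogin yes)
  [ "$(lower "$v")" != yes ] || flag PermitRootLogin "$v" "root can log in with a password"
  v=$(sshd_get "$cfg" PermitEmptyPasswords no)
  [ "$(lower "$v")" != yes ] || flag PermitEmptyPasswords "$v" "accounts with empty passwords can log in"
  v=$(sshd_get "$cfg" PasswordAuthentication yes)
  [ "$(lower "$v")" != yes ] || flag PasswordAuthentication "$v" "online password guessing is possible"
  v=$(sshd_get "$cfg" PubkeyAuthentication yes)
  [ "$(lower "$v")" != no ] || flag PubkeyAuthentication "$v" "key login disabled, passwords forced"
  v=$(sshd_get "$cfg" GatewayPorts no)
  [ "$(lower "$v")" = no ] || flag GatewayPorts "$v" "remote hosts can reach client-forwarded ports"
  v=$(sshd_get "$cfg" MaxAuthTries 6)
  [ "$v" -le 6 ] 2>/dev/null || flag MaxAuthTries "$v" "more guesses per connection than the default"
  [ "$n" -eq 0 ]
}

# Constructed sample files for the demo (not copied from any real host).
write_samples() {  # $1 = directory
  cat > "$1/weak.conf" <<'EOF'
Port 22
PermitRootLogin yes
PasswordAuthentication yes
MaxAuthTries 10
# "Hardened" later by appending, but sshd keeps the first value it read:
PermitRootLogin no
Match User deploy
    PasswordAuthentication no
EOF
  cat > "$1/hardened.conf" <<'EOF'
Port 2222
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication=no
PermitEmptyPasswords no
GatewayPorts no
MaxAuthTries 3
EOF
}
```

Running sshd_audit on weak.conf reports PermitRootLogin=yes, PasswordAuthentication=yes and MaxAuthTries=10 and exits 1, because the appended PermitRootLogin no and the PasswordAuthentication no inside the Match block do not change the global values; hardened.conf produces no output and exits 0.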

4. Set up a DHCP server that hands out IP addresses

Package: dhcp (CentOS 7) or dhcp-server (CentOS 8)
Configuration file: /etc/dhcp/dhcpd.conf

option domain-name-servers 180.76.76.76,223.5.5.5;
default-lease-time 86400;
max-lease-time 106400;
subnet 10.0.0.0 netmask 255.255.255.0 {
  range 10.0.0.100 10.0.0.200;
  option routers 10.0.0.2;
}

Check the file with dhcpd -t first (it exits non-zero on a parse error, and a range outside the declared subnet is also reported there), then restart the service:
systemctl restart dhcpd

Client verification (the valid_lft below counts down from the 86400-second default-lease-time configured above):

[root@centos02 ~]# ip addr show ens33
2: ens33:  mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 00:0c:29:b5:21:8f brd ff:ff:ff:ff:ff:ff
    inet 10.0.0.100/24 brd 10.0.0.255 scope global noprefixroute dynamic ens33
       valid_lft 86043sec preferred_lft 86043sec
    inet6 fe80::c34a:6ad5:7631:47b6/64 scope link noprefixroute 
       valid_lft forever preferred_lft forever
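Beyond what dhcpd -t catches, a pool that overlaps the gateway address or a default-lease-time larger than max-lease-time goes live silently. As an added example that is not part of the original post, the script below checks the subnet block of a dhcpd.conf for those consistency problems using plain shell arithmetic. The good.conf sample is the page's configuration; bad.conf is constructed with three mistakes for the demo.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): static checks on the subnet block
# of a dhcpd.conf before `systemctl restart dhcpd`, so a mistyped pool or
# gateway is caught before clients stop getting leases. IP math is done in
# shell arithmetic; the two sample files are constructed for the demo.

ip2int() {  # dotted quad -> 32-bit integer
  local IFS=.
  set -- $1
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Value of the first top-level statement named $2, e.g. default-lease-time.
conf_val() {  # $1 = file
  awk -v k="$2" '{ gsub(/;/, "") } $1 == k { print $2; exit }' "$1"
}

# Number of addresses in the first `range a b;` of $1 (0 when absent).
pool_size() {
  set -- $(awk '{ gsub(/;/, "") } $1 == "range" { print $2, $3; exit }' "$1")
  [ $# -eq 2 ] || { echo 0; return; }
  echo $(( $(ip2int "$2") - $(ip2int "$1") + 1 ))
}

# Print one line per problem found in $1; exit 0 only when it is consistent.
dhcp_check() {
  local cfg=$1 n=0 net mask lo hi gw def max
  set -- $(awk '{ gsub(/[;{]/, " ") } $1 == "subnet" { print $2, $4; exit }' "$cfg")
  [ $# -eq 2 ] || { echo "no subnet ... netmask ... block found"; return 1; }
  net=$(ip2int "$1") mask=$(ip2int "$2")
  set -- $(awk '{ gsub(/;/, "") } $1 == "range" { print $2, $3; exit }' "$cfg")
  [ $# -eq 2 ] || { echo "no range statement found"; return 1; }
  lo=$(ip2int "$1") hi=$(ip2int "$2")
  gw=$(awk '{ gsub(/;/, "") } $1 == "option" && $2 == "routers" { print $3; exit }' "$cfg")
  [ -n "$gw" ] || { echo "no option routers found"; return 1; }
  gw=$(ip2int "$gw")
  def=$(conf_val "$cfg" default-lease-time); max=$(conf_val "$cfg" max-lease-time)
  [ $(( net & mask )) -eq "$net" ] || { echo "subnet address has host bits set"; n=$((n + 1)); }
  [ $(( lo & mask )) -eq "$net" ] && [ $(( hi & mask )) -eq "$net" ] ||
    { echo "range is not inside the subnet"; n=$((n + 1)); }
  [ "$lo" -le "$hi" ] || { echo "range start is after range end"; n=$((n + 1)); }
  [ $(( gw & mask )) -eq "$net" ] || { echo "option routers is not inside the subnet"; n=$((n + 1)); }
  { [ "$gw" -lt "$lo" ] || [ "$gw" -gt "$hi" ]; } ||
    { echo "option routers lies inside the pool and will be handed to a client"; n=$((n + 1)); }
  # dhcpd's own defaults are 43200/86400 when the statements are absent.
  [ "${def:-43200}" -le "${max:-86400}" ] || { echo "default-lease-time exceeds max-lease-time"; n=$((n + 1)); }
  [ "$n" -eq 0 ]
}

# Constructed sample files: good.conf is the post's config, bad.conf has three
# mistakes (range spills out of the subnet, gateway inside the pool, lease order).
write_samples() {  # $1 = directory
  cat > "$1/good.conf" <<'EOF'
option domain-name-servers 180.76.76.76,223.5.5.5;
default-lease-time 86400;
max-lease-time 106400;
subnet 10.0.0.0 netmask 255.255.255.0 {
  range 10.0.0.100 10.0.0.200;
  option routers 10.0.0.2;
}
EOF
  cat > "$1/bad.conf" <<'EOF'
default-lease-time 600000;
max-lease-time 106400;
subnet 10.0.0.0 netmask 255.255.255.0 {
  range 10.0.0.100 10.0.1.200;
  option routers 10.0.0.150;
}
EOF
}
```

dhcp_check good.conf prints nothing and exits 0 (pool_size reports 101 addresses); on bad.conf it prints three lines and exits 1. The checks only look at the first subnet block and the first range inside it, which matches the single-pool layout on this page; a file with several subnets needs the loop extended.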
