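Week 9 Homework
1. Describe an encrypted communication session in detail, preferably with a diagram.
The TCP/IP protocol suite lets hosts on different networks and running different operating systems communicate with each other. The TCP/IP model has four layers:
1. Application layer (Application): a broad concept. It covers the common system-level TCP/IP applications and application protocols as well as many enterprise and Internet applications; HTTP is one example.
2. Transport layer (Transport): comprises UDP and TCP. UDP performs almost no checking on messages, while TCP provides an error-checking mechanism. TCP establishes a connection with a three-way handshake and tears it down with a four-way handshake.
3. Network layer (Network): made up of a family of protocols, including ICMP, IGMP, RIP, OSPF, IP (v4, v6), BGP, ISIS and others.
4. Link layer (Link): also called the physical network interface layer. It is responsible for transmitting messages and defines the specifications of the physical interface.
As shown above, the TCP/IP model defines the rules for data communication, but TCP/IP itself provides no encryption mechanism. Network communication therefore needs the SSL protocol on top of it to make the exchange more secure. SSL ensures that the data exchanged by the two parties travels as ciphertext, which a third party without the private key can hardly break, and so keeps it confidential. The following shows how SSL mutual (two-way) authentication works.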
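Step 1: The browser sends a connection request to the server. The server returns its certificate (containing the server public key S_PuKey), the symmetric encryption algorithms it supports and other related information to the client.
Step 2: The client browser checks whether the CA certificate sent by the server was issued by a CA it trusts. If so, go to step 4; otherwise it shows the user a warning asking whether to continue.
Step 3: The client browser compares the information in the certificate, such as the validity period, the server domain name and the public key S_PK, with the information returned by the server. If they match, the browser has authenticated the server.
Step 4: The server asks the client to send its client certificate (containing the client public key C_PuKey), the symmetric encryption schemes it supports and other related information. On receipt, the server performs the same identity verification and refuses the connection if verification fails.
Step 5: From the cipher types sent by the client browser, the server selects the strongest scheme, encrypts its choice with the client public key C_PuKey and notifies the browser.
Step 6: The client decrypts this with its private key C_PrKey, learns which scheme the server selected, chooses a session key (key), encrypts it with the server public key S_PuKey and sends it to the server.
Step 7: The server decrypts the message from the browser with its private key S_PrKey and obtains the session key (key).
From then on, all data is exchanged using symmetric encryption.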
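Steps 6 and 7 above, reproduced with the openssl command line as an added example (not part of the original post): the client wraps a random session key with S_PuKey, the server unwraps it with S_PrKey, and the payload then travels under symmetric encryption. The file names, the RSA-OAEP padding and the AES-256-CBC cipher are assumptions chosen for the demo.

```shell
#!/bin/sh
# Added example: key transport as in steps 6 and 7, then symmetric encryption.
# File names, padding mode and cipher are constructed for illustration.
# Real TLS additionally authenticates every record; this shows only secrecy.
key_transport_demo() {
    d=$1; msg=$2
    # Server key pair: S_PrKey never leaves the server, S_PuKey is what
    # the server certificate carries to the client.
    (umask 077; openssl genrsa -out "$d/s_prkey.pem" 2048) 2>/dev/null || return 1
    openssl pkey -in "$d/s_prkey.pem" -pubout -out "$d/s_pukey.pem" || return 1

    # Client (step 6): choose a random 256-bit session key and an IV,
    # then encrypt the session key with the server public key.
    key=$(openssl rand -hex 32) && iv=$(openssl rand -hex 16) || return 1
    printf '%s' "$key" | openssl pkeyutl -encrypt -pubin -inkey "$d/s_pukey.pem" \
        -pkeyopt rsa_padding_mode:oaep -out "$d/wrapped.bin" || return 1

    # Server (step 7): recover the session key with the private key.
    server_key=$(openssl pkeyutl -decrypt -inkey "$d/s_prkey.pem" \
        -pkeyopt rsa_padding_mode:oaep -in "$d/wrapped.bin") || return 1

    # Both sides now share the key: the client encrypts the payload with it,
    # the server decrypts with the copy it unwrapped and prints the plaintext.
    printf '%s' "$msg" | openssl enc -aes-256-cbc -K "$key" -iv "$iv" \
        -out "$d/record.bin" || return 1
    openssl enc -d -aes-256-cbc -K "$server_key" -iv "$iv" -in "$d/record.bin"
}
```

Only wrapped.bin and record.bin would cross the network; an observer holding both still needs S_PrKey to recover the session key.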
2. Describe the process of creating a private CA and issuing a certificate for a certificate request sent by a client.
Setting up the CA server
1. Initialize the environment
    [[email protected] ~]# cd /etc/pki/CA/
    [[email protected] CA]# touch /etc/pki/CA/{index.txt,serial}
    [[email protected] CA]# echo 01 > /etc/pki/CA/serial
2. Generate the key
    [[email protected] CA]# (umask 077; openssl genrsa -out /etc/pki/CA/private/cakey.pem 2048)
    Generating RSA private key, 2048 bit long modulus
    .................................+++
    ................................................................................................................................................................................................................................+++
    e is 65537 (0x10001)
3. Self-sign the certificate
openssl command options:
    req: generate a certificate signing request
    -new: new request
    -key /path/to/keyfile: specify the private key file
    -out /path/to/somefile:
    -x509: generate a self-signed certificate
    -days n: validity period in days
    [[email protected] CA]# openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -out /etc/pki/CA/cacert.pem -days 3655
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [XX]:CN    # country
    State or Province Name (full name) []:XJ    # province
    Locality Name (eg, city) [Default City]:WS    # city
    Organization Name (eg, company) [Default Company Ltd]:YTJ    # company
    Organizational Unit Name (eg, section) []:OPS    # department
    Common Name (eg, your name or your server's hostname) []:JYM    # host name
    Email Address []:[email protected]    # e-mail address
Requesting a certificate on the client
4. Generate a key pair on the client
    [[email protected] ~]# mkdir /etc/httpd/ssl/
    [[email protected] ~]# (umask 077; openssl genrsa -out /etc/httpd/ssl/httpd.key 2048)
    Generating RSA private key, 2048 bit long modulus
    .......+++
    .....................+++
    e is 65537 (0x10001)
5. Generate the certificate signing request
    [[email protected] ~]# openssl req -new -key /etc/httpd/ssl/httpd.key -out /etc/httpd/ssl/httpd.csr
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [XX]:CN
    State or Province Name (full name) []:XJ
    Locality Name (eg, city) [Default City]:WS
    Organization Name (eg, company) [Default Company Ltd]:YTJ
    Organizational Unit Name (eg, section) []:OPS
    Common Name (eg, your name or your server's hostname) []:JYM
    Email Address []:[email protected]

    Please enter the following 'extra' attributes
    to be sent with your certificate request
    A challenge password []:123456    # an encryption password
    An optional company name []:RA    # optional company name
6. Send the signing request file to the CA server
    [[email protected] ssl]# scp httpd.csr [email protected]:/root
    The authenticity of host '192.168.101.129 (192.168.101.129)' can't be established.
    RSA key fingerprint is e5:84:6c:f7:c0:60:3d:0b:39:b6:1e:12:0d:48:8b:07.
    Are you sure you want to continue connecting (yes/no)? y
    [email protected]'s password:
    httpd.csr    100% 1066    1.0KB/s    00:00
7. The CA server verifies the information and signs the certificate
    [[email protected] ~]# openssl ca -in /root/httpd.csr -out /root/httpd.crt -days 365
    Using configuration from /etc/pki/tls/openssl.cnf
    Check that the request matches the signature
    Signature ok
    Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: Oct 31 20:07:58 2016 GMT
            Not After : Oct 31 20:07:58 2017 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = XJ
            organizationName          = YTJ
            organizationalUnitName    = OPS
            commonName                = JYM
            emailAddress              = [email protected]
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                C4:ED:C0:CE:98:5A:B9:AF:FE:E0:59:54:DB:E1:2A:96:99:A4:B7:28
            X509v3 Authority Key Identifier:
                keyid:C2:1A:DE:02:69:35:41:AF:98:EB:72:69:EB:AE:74:49:72:52:2B:C6
    Certificate is to be certified until Oct 31 20:07:58 2017 GMT (365 days)
    Sign the certificate? [y/n]:y
    1 out of 1 certificate requests certified, commit? [y/n]y
    Write out database with 1 new entries
    Data Base Updated
8. Send the certificate signed by the CA server back to the client
    [[email protected] ~]# scp /root/httpd.crt [email protected]:/etc/httpd/ssl/
    The authenticity of host '192.168.101.130 (192.168.101.130)' can't be established.
    RSA key fingerprint is ef:85:f8:aa:1c:de:41:5a:fd:93:8d:9f:83:f7:a2:ff.
    Are you sure you want to continue connecting (yes/no)? y
    Please type 'yes' or 'no': yes
    Warning: Permanently added '192.168.101.130' (RSA) to the list of known hosts.
    Nasty PTR record "192.168.101.130" is set up for 192.168.101.130, ignoring
    [email protected]'s password:
    httpd.crt    100% 4491    4.4KB/s    00:00
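The eight steps above, scripted non-interactively as an added example (not the original author's commands): it builds a CA in a throwaway directory, signs a request with openssl ca, then checks that the issued certificate chains to the CA and belongs to the requester's private key. The directory layout, the minimal ca.cnf and the subject names are constructed for the demo.

```shell
#!/bin/sh
# Added example: private CA in a throwaway directory (names are constructed).
make_ca_and_sign() {
    d=$1
    mkdir -p "$d/private" "$d/newcerts" || return 1
    : > "$d/index.txt"      # database of issued certificates
    echo 01 > "$d/serial"   # next serial number, in hex
    cat > "$d/ca.cnf" <<EOF
[ req ]
distinguished_name = dn
x509_extensions = ca_ext
[ dn ]
[ ca_ext ]
basicConstraints = critical,CA:TRUE
[ ca ]
default_ca = demo_ca
[ demo_ca ]
database = $d/index.txt
serial = $d/serial
new_certs_dir = $d/newcerts
certificate = $d/cacert.pem
private_key = $d/private/cakey.pem
default_md = sha256
policy = policy_any
x509_extensions = leaf_ext
[ policy_any ]
countryName = optional
organizationName = optional
commonName = supplied
[ leaf_ext ]
basicConstraints = CA:FALSE
EOF
    # CA: private key readable by its owner only, then a self-signed certificate
    (umask 077; openssl genrsa -out "$d/private/cakey.pem" 2048) 2>/dev/null &&
    openssl req -new -x509 -config "$d/ca.cnf" -key "$d/private/cakey.pem" \
        -out "$d/cacert.pem" -days 3655 -subj "/C=CN/O=Demo/CN=Demo CA" &&
    # Requester: key pair and certificate signing request
    (umask 077; openssl genrsa -out "$d/httpd.key" 2048) 2>/dev/null &&
    openssl req -new -config "$d/ca.cnf" -key "$d/httpd.key" \
        -out "$d/httpd.csr" -subj "/C=CN/O=Demo/CN=www.example.test" &&
    # CA: sign the request; -batch answers the two y/n prompts
    openssl ca -batch -config "$d/ca.cnf" -in "$d/httpd.csr" \
        -out "$d/httpd.crt" -days 365 2>/dev/null
}

# What the requester should check before installing the returned certificate.
check_issued_cert() {
    d=$1
    openssl verify -CAfile "$d/cacert.pem" "$d/httpd.crt" >/dev/null 2>&1 || return 1
    cert_pub=$(openssl x509 -in "$d/httpd.crt" -noout -pubkey) || return 1
    key_pub=$(openssl pkey -in "$d/httpd.key" -pubout) || return 1
    [ "$cert_pub" = "$key_pub" ]   # certificate must match our private key
}
```

After one signing the serial file holds 02 and index.txt has a single V (valid) record, which is the state that revocation and later issuance depend on.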
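3. Build a DNS server responsible for resolving the magedu.com domain (choose your own host names and IP addresses)
(1) It must provide forward and reverse resolution for a number of host names;
http://jiayimeng.blog.51cto.com/10604001/1852025
(2) Delegate the subdomain cdn.magedu.com, with the subdomain server resolving the host names in that subdomain;
http://jiayimeng.blog.51cto.com/10604001/1869624
(3) To keep the DNS service highly available, design a solution and write out the detailed implementation steps
4. Describe a complete HTTP request handling process:
The client sends a request to the server
The server accepts and processes the client's request
The server retrieves the resource named in the request message
The server builds the response message
The server sends the response message
The server writes the log entry
5. Which processing models does httpd support, and which environments is each used in?
prefork: multi-process model in which each process handles one request. One master process is responsible for spawning n child processes, also called worker processes. Each child process handles one user request, and several idle processes are spawned in advance to wait for incoming requests.
worker: multi-threaded model in which each thread handles one request. One master process spawns several child processes, each child process spawns several threads, and each thread handles one request: m processes with n threads each gives m*n.
event: event-driven model in which each thread handles n requests. One master process spawns several child processes, and each process directly handles multiple requests: m*n.
6. Build an httpd server (compiled from source) that meets these requirements:
Provide two name-based virtual hosts:
(a) www1.stuX.com, with the page directory /web/vhosts/www1, the error log /var/log/httpd/www1.err and the access log /var/log/httpd/www1.access;
(b) www2.stuX.com, with the page directory /web/vhosts/www2, the error log /var/log/httpd/www2.err and the access log /var/log/httpd/www2.access;
(c) Create an index.html home page for each virtual host whose content is the corresponding host name;
(d) Expose httpd status information at www1.stuX.com/server-status, accessible only with an account and password (status:status);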
I. Compile and install Apache
1. Prepare the build environment
    [[email protected] ~]# yum groupinstall "Development Tools"; yum groupinstall "Server Platform Development"
2. Install the dependency packages
    [[email protected] ~]# yum install pcre-devel -y
3. Download the source packages
    [[email protected] ~]# wget
    [[email protected] ~]# wget
    [[email protected] ~]# wget
4. Compile and install apache, apr and apr-util
    [[email protected] ~]# tar xf apr-1.5.2.tar.bz2
    [[email protected] ~]# cd apr-1.5.2
    [[email protected] apr-1.5.2]# ./configure --prefix=/usr/local/apr
    [[email protected] apr-1.5.2]# make && make install
    [[email protected] ~]# tar xf apr-util-1.5.4.tar.bz2
    [[email protected] ~]# cd apr-util-1.5.4
    [[email protected] apr-util-1.5.4]# ./configure --prefix=/usr/local/apr-util --with-apr=/usr/local/apr
    [[email protected] apr-util-1.5.4]# make && make install
    [[email protected] ~]# tar xf httpd-2.4.23.tar.bz2
    [[email protected] ~]# cd httpd-2.4.23
    [[email protected] httpd-2.4.23]# ./configure --prefix=/usr/local/apache --sysconfdir=/etc/httpd --enable-so --enable-ssl --enable-cgi --enable-rewrite --with-zlib --with-pcre --with-apr=/usr/local/apr --with-apr-util=/usr/local/apr-util --enable-modules=most --enable-mpms-shared=all
    --prefix=/usr/local/apache: installation path;
    --sysconfdir=/etc/httpd: configuration file path;
    --enable-so: lets the Apache core load DSOs, without actually compiling any dynamic modules;
    --enable-ssl: support for the ssl module;
    --enable-cgi: support for the cgi module;
    --enable-rewrite: support for URL rewriting;
    --with-zlib: support for the zlib library;
    --with-pcre: include the pcre functions;
    --with-apr=/usr/local/apr: path to apr;
    --with-apr-util=/usr/local/apr-util: path to apr-util;
    --enable-modules=most: modules to support; support for shared modules;
    --with-mpm=event: load the event module
    [[email protected] httpd-2.4.23]# make && make install
5. Edit the main httpd configuration file
    [[email protected] ~]# vim /etc/httpd/httpd.conf
    # Add PidFile and change the user and group
    PidFile "/var/run/httpd.pid"
    User apache
    Group apache
6. Provide the SysV service script /etc/rc.d/init.d/httpd with the following contents:
    [[email protected] ~]# vim /etc/rc.d/init.d/httpd
    #!/bin/bash
    #
    # httpd        Startup script for the Apache HTTP Server
    #
    # chkconfig: - 85 15
    # description: Apache is a World Wide Web server.  It is used to serve \
    #              HTML files and CGI.
    # processname: httpd
    # config: /etc/httpd/conf/httpd.conf
    # config: /etc/sysconfig/httpd
    # pidfile: /var/run/httpd.pid

    # Source function library.
    . /etc/rc.d/init.d/functions

    if [ -f /etc/sysconfig/httpd ]; then
        . /etc/sysconfig/httpd
    fi

    # Start httpd in the C locale by default.
    HTTPD_LANG=${HTTPD_LANG-"C"}

    # This will prevent initlog from swallowing up a pass-phrase prompt if
    # mod_ssl needs a pass-phrase from the user.
    INITLOG_ARGS=""

    # Set HTTPD=/usr/sbin/httpd.worker in /etc/sysconfig/httpd to use a server
    # with the thread-based "worker" MPM; BE WARNED that some modules may not
    # work correctly with a thread-based MPM; notably PHP will refuse to start.

    # Path to the apachectl script, server binary, and short-form for messages.
    apachectl=/usr/local/apache/bin/apachectl
    httpd=${HTTPD-/usr/local/apache/bin/httpd}
    prog=httpd
    pidfile=${PIDFILE-/var/run/httpd.pid}
    lockfile=${LOCKFILE-/var/lock/subsys/httpd}
    RETVAL=0

    start() {
        echo -n $"Starting $prog: "
        LANG=$HTTPD_LANG daemon --pidfile=${pidfile} $httpd $OPTIONS
        RETVAL=$?
        echo
        [ $RETVAL = 0 ] && touch ${lockfile}
        return $RETVAL
    }

    stop() {
        echo -n $"Stopping $prog: "
        killproc -p ${pidfile} -d 10 $httpd
        RETVAL=$?
        echo
        [ $RETVAL = 0 ] && rm -f ${lockfile} ${pidfile}
    }

    reload() {
        echo -n $"Reloading $prog: "
        if ! LANG=$HTTPD_LANG $httpd $OPTIONS -t >&/dev/null; then
            RETVAL=$?
            echo $"not reloading due to configuration syntax error"
            failure $"not reloading $httpd due to configuration syntax error"
        else
            killproc -p ${pidfile} $httpd -HUP
            RETVAL=$?
        fi
        echo
    }

    # See how we were called.
    case "$1" in
      start)
        start
        ;;
      stop)
        stop
        ;;
      status)
        status -p ${pidfile} $httpd
        RETVAL=$?
        ;;
      restart)
        stop
        start
        ;;
      condrestart)
        if [ -f ${pidfile} ]; then
            stop
            start
        fi
        ;;
      reload)
        reload
        ;;
      graceful|help|configtest|fullstatus)
        $apachectl $@
        RETVAL=$?
        ;;
      *)
        echo $"Usage: $prog {start|stop|restart|condrestart|reload|status|fullstatus|graceful|help|configtest}"
        exit 1
    esac

    exit $RETVAL
7. Make the script executable
    [[email protected] ~]# chmod +x /etc/rc.d/init.d/httpd
8. Add it to the service list
    [[email protected] ~]# chkconfig --add httpd
9. Start the service
    [[email protected] ~]# service httpd start
10. If an older version is installed, change PATH and clear the command hash cache
    [[email protected] ~]# vim /etc/profile.d/httpd.sh
    export PATH=/usr/local/apache/bin:$PATH
    [[email protected] ~]# . /etc/profile.d/httpd.sh
    [[email protected] ~]# hash -r
########### Edit the virtual host configuration files #################
# Edit the configuration file
    [[email protected] ~]# vim /etc/httpd/httpd.conf
    # Virtual hosts
    # Enable virtual hosts
    Include /etc/httpd/extra/httpd-vhosts.conf
    # Disable the main site's document root
    #DocumentRoot "/usr/local/apache/htdocs"
    # Add access permissions for the virtual hosts
    <Directory "/web/vhosts/www1">
        Options None
        AllowOverride None
        Require all granted
    </Directory>
    <Directory "/web/vhosts/www2">
        Options None
        AllowOverride None
        Require all granted
    </Directory>
# Edit the virtual host configuration
    [[email protected] ~]# vim /etc/httpd/extra/httpd-vhosts.conf
    <VirtualHost 192.168.101.131:80>
        # Virtual host name
        ServerName www1.stuX.com
        # Document root
        DocumentRoot "/web/vhosts/www1"
        # Access log
        CustomLog "/var/log/httpd/www1.access" common
        # Error log
        ErrorLog "/var/log/httpd/www1.err"
    </VirtualHost>
    <VirtualHost 192.168.101.131:80>
        ServerName www2.stuX.com
        DocumentRoot "/web/vhosts/www2"
        CustomLog "/var/log/httpd/www2.access" common
        ErrorLog "/var/log/httpd/www2.err"
    </VirtualHost>
# Create the directories and files
    [[email protected] ~]# cd /var/log/httpd/
    [[email protected] httpd]# touch {www1,www2}.{access,err}
    [[email protected] ~]# mkdir -pv /web/vhosts/{www1,www2}
    mkdir: 已建立目錄 "/web"
    mkdir: 已建立目錄 "/web/vhosts"
    mkdir: 已建立目錄 "/web/vhosts/www1"
    mkdir: 已建立目錄 "/web/vhosts/www2"
# Write the page content
    [[email protected] ~]# echo www1.stuX.com > /web/vhosts/www1/index.html
    [[email protected] ~]# echo www2.stuX.com > /web/vhosts/www2/index.html
# Edit the local hosts file so that the VirtualHost names and the hosts file entries match.
    [[email protected] ~]# vim /etc/hosts
    127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
    ::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
    192.168.101.131 www1.stuX.com
    192.168.101.131 www2.stuX.com
# Test
    [[email protected] ~]# curl http://www1.stuX.com
    www1.stuX.com
    [[email protected] ~]# curl http://www2.stuX.com
    www2.stuX.com
# Have www1.stuX.com/server-status output httpd status information
# In /etc/httpd/extra/httpd-vhosts.conf
    <VirtualHost 192.168.101.131:80>
        ServerName www1.stuX.com
        DocumentRoot "/web/vhosts/www1"
        CustomLog "/var/log/httpd/www1.access" common
        ErrorLog "/var/log/httpd/www1.err"
        <Location /server-status>
            SetHandler server-status
            AuthType Basic
            AuthName "Server-Status"
            AuthUserFile "/etc/httpd/.htpasswd"
            Require valid-user
        </Location>
    </VirtualHost>
# Generate the password file (at the path named by AuthUserFile)
    [[email protected] ~]# htpasswd -c -m /etc/httpd/.htpasswd status
    New password:
    Re-type new password:
    Adding password for user status
7. Provide HTTPS for the second virtual host from question 6 so that users can reach this web site securely over https;
(1) Certificate authentication is required; the certificate must use the country (CN), state (HA), city (ZZ) and organization (MageEdu);
(2) Set the department to Ops, the host name to www2.stuX.com and the e-mail to [email protected];
# Create the required files
    [[email protected] ~]# cd /etc/pki/CA/
    [[email protected] CA]# touch index.txt
    [[email protected] CA]# echo 01 > serial
# Create the private CA
    [[email protected] ~]# cd /etc/pki/CA
    [[email protected] CA]# (umask 077; openssl genrsa -out private/cakey.pem 2048)
    Generating RSA private key, 2048 bit long modulus
    ........+++
    .............................+++
    e is 65537 (0x10001)
    [[email protected] CA]# openssl req -new -x509 -key private/cakey.pem -days 7300 -out cacert.pem
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [XX]:CN
    State or Province Name (full name) []:HA
    Locality Name (eg, city) [Default City]:ZZ
    Organization Name (eg, company) [Default Company Ltd]:MageEdu
    Organizational Unit Name (eg, section) []:Ops
    Common Name (eg, your name or your server's hostname) []:www2.stuX.com
    Email Address []:admin.stuX.com
# The web host requests a certificate from the CA
    [[email protected] CA]# cd /etc/httpd/
    [[email protected] httpd]# mkdir ssl
    [[email protected] httpd]# cd ssl
    [[email protected] ssl]# (umask 077; openssl genrsa -out httpd.key 2048)
    Generating RSA private key, 2048 bit long modulus
    ...........................................................................................................................................................................................................................................+++
    ..........+++
    e is 65537 (0x10001)
    [[email protected] ssl]# openssl req -new -key httpd.key -days 365 -out httpd.csr
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [XX]:CN
    State or Province Name (full name) []:HA
    Locality Name (eg, city) [Default City]:ZZ
    Organization Name (eg, company) [Default Company Ltd]:MageEdu
    Organizational Unit Name (eg, section) []:Ops
    Common Name (eg, your name or your server's hostname) []:www2.stuX.com
    Email Address []:jym.stuX.com

    Please enter the following 'extra' attributes
    to be sent with your certificate request
    A challenge password []:
    An optional company name []:
# The CA reviews the request and signs the certificate
    [[email protected] ssl]# openssl ca -in httpd.csr -out httpd.crt -days 365
    Using configuration from /etc/pki/tls/openssl.cnf
    Check that the request matches the signature
    Signature ok
    Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: Nov  5 08:28:25 2016 GMT
            Not After : Nov  5 08:28:25 2017 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = HA
            organizationName          = MageEdu
            organizationalUnitName    = Ops
            commonName                = www2.stuX.com
            emailAddress              = jym.stuX.com
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                01:36:B9:A9:B7:29:8C:3E:08:75:75:4D:B3:F7:4C:F2:BB:EF:77:95
            X509v3 Authority Key Identifier:
                keyid:37:AC:65:4A:5A:38:A4:CD:43:61:42:BE:03:FE:D1:84:45:29:F9:CC
    Certificate is to be certified until Nov  5 08:28:25 2017 GMT (365 days)
    Sign the certificate? [y/n]:y
    1 out of 1 certificate requests certified, commit? [y/n]y
    Write out database with 1 new entries
    Data Base Updated
# View the signing record
    [[email protected] CA]# cat index.txt
    V 171105082825Z 01 unknown /C=CN/ST=HA/O=MageEdu/OU=Ops/CN=www2.stuX.com/emailAddress=jym.stuX.com
# Configure httpd to use the SSL certificate; edit or comment out the SSL file locations and related settings
    [[email protected] CA]# yum install mod_ssl -y
    [[email protected] CA]# cd /etc/httpd/conf.d/
    [[email protected] conf.d]# vim ssl.conf
    <VirtualHost 192.168.101.131:443>
        ServerName www2.stuX.com:443
        DocumentRoot "/web/vhosts/www2"
        CustomLog "/var/log/httpd/www2.ssl.access" common
        ErrorLog "/var/log/httpd/www2.ssl.err"
        SSLEngine on
        SSLCertificateFile "/etc/httpd/ssl/httpd.crt"
        SSLCertificateKeyFile "/etc/httpd/ssl/httpd.key"
    </VirtualHost>
8. Create a samba share with /data as the shared directory (describe the full process). Requirements:
1) The share name is shared and the workgroup is magedu;
2) Add the group develop and the users gentoo, centos and ubuntu; gentoo and centos have develop as a supplementary group, ubuntu does not belong to develop; each password is the same as the user name;
3) Add the samba users gentoo, centos and ubuntu, all with the password "mageedu";
4) Only the develop group has write permission on the shared share; other users have read-only access;
5) The samba share service only accepts hosts from the 172.16.0.0/16 network;
1. Install the samba service
    [[email protected] ~]# yum install samba samba-client -y
2. Create the group and users
    [[email protected] ~]# groupadd develop
    [[email protected] ~]# useradd -G develop gentoo
    [[email protected] ~]# useradd -G develop centos
    [[email protected] ~]# useradd ubuntu
    [[email protected] ~]# echo "gentoo" | passwd --stdin gentoo
    更改使用者 gentoo 的密碼。
    passwd: 所有的身份驗證令牌已經成功更新。
    [[email protected] ~]# echo "centos" | passwd --stdin centos
    更改使用者 centos 的密碼。
    passwd: 所有的身份驗證令牌已經成功更新。
    [[email protected] ~]# echo "ubuntu" | passwd --stdin ubuntu
    更改使用者 ubuntu 的密碼。
    passwd: 所有的身份驗證令牌已經成功更新。
3. Add the samba users
    [[email protected] ~]# smbpasswd -a centos
    [[email protected] ~]# smbpasswd -a ubuntu
    [[email protected] ~]# smbpasswd -a gentoo
4. Configuration file
    [[email protected] ~]# vim /etc/samba/smb.conf
    # Workgroup
    workgroup = magedu
    hosts allow = 127. 192.168.12. 192.168.13. 172.16.
    [shared]
    comment = nighttext
    path = /data
    write list = +develop
5. Start the services
    [[email protected] ~]# service nmb start
    啟動 NMB 服務: [確定]
    [[email protected] ~]# service smb start
    啟動 SMB 服務: [確定]
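9. Build a vsftpd file-sharing service with /ftproot as the shared directory (describe the full process). Requirements:
1) Access is based on virtual users;
2) Anonymous users may only download, not upload;
3) All users are confined to their home directories;
4) The maximum number of concurrent connections is limited to 200;
5) The maximum transfer rate for anonymous users is 512KB/s
6) The virtual user accounts are stored in a mysql database.
7) The database is shared over NFS.
1. Install the FTP server
    [[email protected] ~]# yum install vsftpd
2. Edit the configuration
    [[email protected] vsftpd]# vim vsftpd.conf
    # Allow anonymous users
    anonymous_enable=YES
    # Allow system users
    local_enable=YES
    # Write permission for local users
    write_enable=YES
    # Default umask for files accessed over FTP
    local_umask=022
    # Let anonymous users create directories
    #anon_mkdir_write_enable=YES
    # Allow anonymous users to upload
    anon_upload_enable=NO
    # Confine all local FTP users to their home directories. With
    # chroot_local_user=YES, users named in chroot_list_file are the
    # exceptions and are NOT confined, so keep that file empty.
    chroot_local_user=YES
    chroot_list_enable=YES
    # (default follows)
    chroot_list_file=/etc/vsftpd/chroot_list
    # Home directory
    local_root=/ftproot
    anon_root=/ftproot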
Reposted from: https://blog.51cto.com/jiayimeng/1868015