Detailed configuration process for FTP over SSL
阿新 • Published: 2020-10-10
FTPS: FTP over SSL
- `ssl_enable=YES`: enable vsftpd's SSL support
- `allow_anon_ssl=NO`: whether anonymous users may use SSL; normally NO
- `force_local_data_ssl=YES`: whether local users' data transfers must go over SSL
- `force_local_logins_ssl=YES`: whether local users' logins (username and password) must also go over SSL
- `ssl_tlsv1=YES`: whether TLSv1 is supported
- `ssl_sslv2=NO`: whether SSLv2 is supported; by default neither SSLv2 nor SSLv3 is enabled
- `ssl_sslv3=YES`: whether SSLv3 is supported (SSLv3 is obsolete and broken by POODLE; on any system that offers TLS, leave it NO)
- `rsa_cert_file=/etc/vsftpd/vsftpd.cert`: an SSL session cannot be established without a certificate, so one has to be created for vsftpd
- `rsa_private_key_file=/etc/vsftpd/ssl/vsftp.key`: the private key that belongs to that certificate
Create the certificate:

```
[root@host ~]# cd /etc/pki/CA/
[root@host CA]# (umask 077; openssl genrsa 1024 > private/cakey.pem)
```

Before creating the self-signed CA certificate, first edit the OpenSSL configuration file:

```
[root@host CA]# vim ../tls/openssl.cnf
```

Change `dir = ../../CA` to `dir = /etc/pki/CA`, then save and exit.

```
[root@host CA]#
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:CN
State or Province Name (full name) [Berkshire]:HA
Locality Name (eg, city) [Newbury]:ZZ
Organization Name (eg, company) [My Company Ltd]:YANG
Organizational Unit Name (eg, section) []:Tech
Common Name (eg, your name or your server's hostname) []:ca.yang.com
Email Address []:[email protected]
```
Create the directories:

```
[root@host CA]# mkdir crl certs newcerts
```

Create the files:

```
[root@host CA]# touch index.txt
[root@host CA]# echo 01 > serial
```
Next, create a private key and a certificate signing request for vsftpd, then have the CA sign it.

```
[root@host CA]# cd /etc/vsftpd
[root@host vsftpd]# mkdir ssl
[root@host vsftpd]# cd ssl
[root@host ssl]# (umask 077; openssl genrsa 1024 > vsftpd.key)
[root@host ssl]# openssl req -new -key vsftpd.key -out vsftpd.csr -days 3650
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:CN
State or Province Name (full name) [Berkshire]:HA
Locality Name (eg, city) [Newbury]:ZZ
Organization Name (eg, company) [My Company Ltd]:YANG
Organizational Unit Name (eg, section) []:Tech
Common Name (eg, your name or your server's hostname) []:ftp.yang.com
Email Address []:[email protected]

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
```

The Common Name must be identical to your server's hostname (ftp.yang.com here); a client that verifies the certificate checks it against the name it connected to.

Sign the certificate:

```
[root@host ssl]# openssl ca -in vsftpd.csr -out vsftpd.crt
```

Answer y to every prompt and the certificate is issued.

```
[root@host ssl]# ll
total 24
-rw-r--r-- 1 root root 3180 Oct  9 21:49 vsftpd.crt
-rw-r--r-- 1 root root  680 Oct  9 21:44 vsftpd.csr
-rw------- 1 root root  891 Oct  9 21:39 vsftpd.key
```

The certificate is ready.
Point the configuration file at the certificate:

```
[root@host vsftpd]# vim vsftpd.conf
```

Add the following content:

```
# For SSL
ssl_enable=YES
force_local_data_ssl=YES
force_local_logins_ssl=YES
ssl_tlsv1=YES
# SSLv3 is obsolete (POODLE); on a TLS-capable system set this to NO
ssl_sslv3=YES
ssl_sslv2=NO
rsa_cert_file=/etc/vsftpd/ssl/vsftpd.crt
rsa_private_key_file=/etc/vsftpd/ssl/vsftpd.key
```

Save and exit.
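As an added check that is not part of the original post, the following script audits a vsftpd.conf against the rules this page relies on: vsftpd's strict `option=value` syntax (no whitespace around `=`, comments only on whole lines), forced SSL for local logins and data, anonymous SSL off, SSLv2/SSLv3 off, and both key-material paths set. The policy table and the sample configuration are the editor's constructions; the sample copies the block added above, so the audit reports its `ssl_sslv3=YES` line.

```python
# Constructed example (editor's own, not vsftpd's tooling): audit a vsftpd.conf
# for the FTPS settings on this page, using vsftpd.conf(5)'s option=value syntax.
POLICY = {  # option: (vsftpd default, value required for safe FTPS)
    "ssl_enable": ("NO", "YES"),
    "allow_anon_ssl": ("NO", "NO"),
    "force_local_logins_ssl": ("YES", "YES"),
    "force_local_data_ssl": ("YES", "YES"),
    "ssl_sslv2": ("NO", "NO"),  # SSLv2 is broken
    "ssl_sslv3": ("NO", "NO"),  # SSLv3 is broken (POODLE); TLS only
}
PATH_OPTIONS = ("rsa_cert_file", "rsa_private_key_file")

def parse_vsftpd_conf(text):
    """Return ({option: value}, [syntax errors]) using vsftpd's rules."""
    options, errors = {}, []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue  # blank line or whole-line comment
        key, sep, value = line.partition("=")
        if not sep or key != key.strip() or value != value.strip():
            errors.append(f"line {lineno}: expected option=value with no "
                          f"spaces: {line!r}")
        else:
            options[key] = value
    return options, errors

def audit_ftps(text):
    """Return findings as strings; an empty list means the policy is met."""
    options, findings = parse_vsftpd_conf(text)
    for key, (default, want) in POLICY.items():
        got = options.get(key, default)  # unset options take vsftpd's default
        if got != want:
            findings.append(f"{key} should be {want}, found {got}")
    for key in PATH_OPTIONS:
        if not options.get(key):
            findings.append(f"{key} is not set")
    return findings

# Constructed sample: the block this page adds to vsftpd.conf.
PAGE_CONFIG = """\
# For SSL
ssl_enable=YES
force_local_data_ssl=YES
force_local_logins_ssl=YES
ssl_tlsv1=YES
ssl_sslv3=YES
ssl_sslv2=NO
rsa_cert_file=/etc/vsftpd/ssl/vsftpd.crt
rsa_private_key_file=/etc/vsftpd/ssl/vsftpd.key
"""
```

Run `audit_ftps(open("/etc/vsftpd/vsftpd.conf").read())` on a real file; a line such as `ssl_enable = YES` is reported as a syntax error and, because vsftpd would then fall back to its default, as `ssl_enable should be YES, found NO`.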
Restart the service, check the port, and confirm it is listening:

```
[root@host vsftpd]# service vsftpd restart
Shutting down vsftpd:                                      [  OK  ]
Starting vsftpd for vsftpd:                                [  OK  ]
[root@host vsftpd]# netstat -tnlp | grep 21
tcp        0      0 0.0.0.0:21      0.0.0.0:*       LISTEN      10671/vsftpd
```

The resulting capture shows that the transmitted packets are now encrypted ciphertext.
Reposted from: https://blog.51cto.com/inspriion/1050017