Linux Learning Notes (Week 8)
阿新 • Published: 2021-08-30
1. Build a private CA and issue a certificate from it
#1. Initialize the CA database (index.txt, serial) and generate the CA private key
CA]# touch index.txt
CA]# echo 01 > /etc/pki/CA/serial
CA]# (umask 066;openssl genrsa -out private/cakey.pem 2048)
Generating RSA private key, 2048 bit long modulus
...........................................+++
...................+++
e is 65537 (0x10001)

#2. Generate the self-signed CA certificate (valid 10 years)
CA]# openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -days 3650 -out /etc/pki/CA/cacert.pem
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:GUANGDONG
Locality Name (eg, city) [Default City]:SHENZHEN
Organization Name (eg, company) [Default Company Ltd]:XX
Organizational Unit Name (eg, section) []:XX
Common Name (eg, your name or your server's hostname) []:XX
Email Address []:[email protected]

#3. Inspect the root certificate
CA]# openssl x509 -in /etc/pki/CA/cacert.pem -noout -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 8f:3e:41:8a:b3:83:48:b1
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=CN, ST=GUANGDONG, L=SHENZHEN, O=XX, OU=XX, CN=XX/[email protected]
        Validity
            Not Before: Aug 29 10:30:31 2021 GMT
            Not After : Aug 27 10:30:31 2031 GMT
        Subject: C=CN, ST=GUANGDONG, L=SHENZHEN, O=XX, OU=XX, CN=XX/[email protected]
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:ae:e1:de:26:78:8d:60:2b:74:f3:20:12:3c:61:
                    be:2d:db:93:84:a3:30:48:3a:70:ee:0f:e5:f4:21:
                    56:88:b7:4c:bf:e8:cc:c1:1f:f4:70:ca:d3:26:89:
                    87:e8:fc:5e:65:2e:16:03:f3:cd:7a:ce:0c:2e:2d:
                    42:aa:0d:4b:db:33:13:78:0d:46:fb:bd:d2:8c:cf:
                    7f:a0:00:8e:70:98:f0:f8:9c:b1:b1:80:80:04:6b:
                    1a:c0:7b:4e:15:56:48:66:07:8c:6e:ff:dd:e4:37:
                    37:71:72:13:54:45:56:ae:d9:42:69:e2:53:89:72:
                    bb:11:6d:b9:9c:75:be:55:02:48:78:d2:1a:40:9f:
                    94:41:0f:92:7c:8d:eb:8b:8a:9f:45:8c:66:7c:d1:
                    18:08:2d:ff:02:17:8d:39:de:96:30:de:ab:7e:93:
                    d7:e5:72:f8:87:cc:bb:a5:8c:ef:94:f4:35:6d:18:
                    e8:36:1c:56:5e:55:f7:cd:3a:07:04:3f:20:90:53:
                    38:e7:cd:54:3a:8a:9b:e7:09:16:35:ac:b4:42:75:
                    09:df:18:31:ab:4b:ce:cb:d4:44:ae:99:0a:e2:18:
                    86:40:ee:0b:0f:33:1e:f6:5f:45:7b:44:18:68:47:
                    cb:a5:f9:93:da:ee:41:2b:fb:8f:e2:a3:24:dc:ef:
                    85:0b
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                E1:B7:16:9F:0C:26:3B:3D:FF:95:3D:8D:08:83:81:EE:2F:11:54:87
            X509v3 Authority Key Identifier:
                keyid:E1:B7:16:9F:0C:26:3B:3D:FF:95:3D:8D:08:83:81:EE:2F:11:54:87
            X509v3 Basic Constraints:
                CA:TRUE
    Signature Algorithm: sha256WithRSAEncryption
         33:c7:07:45:5e:b8:67:ca:5e:65:b1:8c:46:20:b5:a1:7e:25:
         c7:d1:fd:a3:82:ee:c8:43:99:64:b4:94:c0:11:46:63:33:06:
         ee:be:fd:a0:1f:7c:5b:b8:39:c9:47:5c:8b:67:b8:77:2c:70:
         08:48:00:d9:40:b5:54:34:ae:c1:24:9f:d6:74:51:80:5f:8c:
         4b:07:19:52:32:54:bb:51:fb:91:9e:61:48:d7:b2:40:57:9c:
         07:88:00:10:53:f9:08:df:7a:7d:27:31:37:26:ff:3b:6c:63:
         6e:53:c5:b9:3c:7a:0e:ca:f8:3f:e2:31:86:7c:dc:22:95:2b:
         ee:2a:e4:85:3f:e6:eb:65:d2:8d:59:a3:f8:03:c7:78:d9:cb:
         31:bd:d3:0e:c3:4c:43:be:91:2f:36:7a:cf:7f:fb:0c:8a:39:
         c5:86:5a:c6:b5:ad:62:96:aa:41:5a:00:f6:86:43:04:bb:58:
         36:18:bb:3e:5e:6c:91:87:a4:2b:90:46:e6:5e:6f:e7:60:15:
         e0:bc:41:f9:72:f7:82:20:8f:bd:3a:06:18:45:11:1e:cb:78:
         86:ed:62:1f:f0:95:e6:0c:e9:f3:ba:e5:2b:c4:15:b7:3c:86:
         e3:81:b3:4b:fa:f8:a7:80:da:1c:c4:e2:dc:ac:a2:ce:bd:16:
         ce:53:64:ed

#4. Generate the host private key
CA]# mkdir /data && (umask 066;openssl genrsa -out /data/host3.key 2048)
Generating RSA private key, 2048 bit long modulus
...................................................................................................................................................................+++
...........................................+++
e is 65537 (0x10001)

#5. Generate the host certificate signing request (CSR)
CA]# openssl req -new -key /data/host3.key -out /data/host3.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:GUANGDONG
Locality Name (eg, city) [Default City]:SHENZHEN
Organization Name (eg, company) [Default Company Ltd]:XX
Organizational Unit Name (eg, section) []:XX
Common Name (eg, your name or your server's hostname) []:XX
Email Address []:[email protected]

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

#6. Sign the certificate with the CA (valid 100 days)
CA]# openssl ca -in /data/host3.csr -out /etc/pki/CA/certs/host3.crt -days 100
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 2 (0x2)
        Validity
            Not Before: Aug 29 10:56:52 2021 GMT
            Not After : Dec  7 10:56:52 2021 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = GUANGDONG
            organizationName          = XX
            organizationalUnitName    = XX
            commonName                = XX
            emailAddress              = [email protected]
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                3C:37:3B:1F:FB:22:BA:24:22:7D:86:33:39:EC:6E:31:3F:D2:A5:F8
            X509v3 Authority Key Identifier:
                keyid:E1:B7:16:9F:0C:26:3B:3D:FF:95:3D:8D:08:83:81:EE:2F:11:54:87

Certificate is to be certified until Dec  7 10:56:52 2021 GMT (100 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

Three things worth noticing in the output above. First, the issued Subject has no L=SHENZHEN even though the CSR supplied it: the default policy_match section of openssl.cnf requires countryName, stateOrProvinceName and organizationName to match the CA and silently drops any field it does not list. Second, the CA database is created with unique_subject = yes, so a second CSR with exactly the same subject will be refused until the first certificate is revoked. Third, CN=XX is not a hostname; for a real server certificate the hostname belongs in a subjectAltName extension, because modern TLS clients ignore the CN when checking the name. The umask 066 around both genrsa calls is what keeps the private keys mode 0600; never let the CA key become world-readable.
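The same workflow end to end, as an added example that is not part of the original post: it runs non-interactively (-subj instead of prompts), puts the hostname into a subjectAltName, restricts the CA key to certificate signing, and verifies the result the way a client would. Signing uses openssl x509 -req against the CA key directly instead of openssl ca, so it needs no /etc/pki/CA database; the hostname host3.test.cn and the "Lab Root CA" name are assumptions. It requires OpenSSL 1.1.1 or newer for -addext.

```sh
#!/bin/sh
# Added example, not from the original post: non-interactive private CA, a server
# certificate with SAN, and verification of chain + hostname.
# Assumed names: working dir from mktemp, hostname host3.test.cn, CA CN "Lab Root CA".
set -eu

# $1 = working directory. Creates cakey.pem (mode 0600) and a self-signed cacert.pem
# whose key may only sign certificates and CRLs.
make_ca() {
  dir=$1
  mkdir -p "$dir"
  (umask 077; openssl genrsa -out "$dir/cakey.pem" 2048 2>/dev/null)
  openssl req -new -x509 -key "$dir/cakey.pem" -days 3650 -sha256 \
    -subj "/C=CN/ST=GUANGDONG/L=SHENZHEN/O=XX/CN=Lab Root CA" \
    -addext "keyUsage=critical,keyCertSign,cRLSign" \
    -out "$dir/cacert.pem"
}

# $1 = working directory, $2 = server hostname. Issues $2.crt signed by the CA,
# valid 100 days, with the hostname in subjectAltName (the CN alone is ignored
# by modern TLS clients).
issue_server_cert() {
  dir=$1 host=$2
  (umask 077; openssl genrsa -out "$dir/$host.key" 2048 2>/dev/null)
  openssl req -new -key "$dir/$host.key" -subj "/C=CN/ST=GUANGDONG/O=XX/CN=$host" \
    -out "$dir/$host.csr"
  cat > "$dir/$host.ext" <<EOF
basicConstraints=CA:FALSE
keyUsage=critical,digitalSignature,keyEncipherment
extendedKeyUsage=serverAuth
subjectAltName=DNS:$host
EOF
  openssl x509 -req -in "$dir/$host.csr" -CA "$dir/cacert.pem" -CAkey "$dir/cakey.pem" \
    -CAcreateserial -days 100 -sha256 -extfile "$dir/$host.ext" \
    -out "$dir/$host.crt" 2>/dev/null
}

# $1 = working directory, $2 = certificate name, $3 = hostname a client connects to.
# Returns 0 only if the certificate chains to the CA AND matches the hostname.
verify_server_cert() {
  dir=$1 name=$2 host=$3
  openssl verify -CAfile "$dir/cacert.pem" "$dir/$name.crt" 2>/dev/null | grep -q ': OK$' || return 1
  openssl x509 -in "$dir/$name.crt" -noout -checkhost "$host" | grep -q "does match"
}

# Demo run in a temporary directory.
work=$(mktemp -d)
make_ca "$work"
issue_server_cert "$work" host3.test.cn
if verify_server_cert "$work" host3.test.cn host3.test.cn; then
  echo "host3.test.cn: chain OK, hostname OK"
fi
if ! verify_server_cert "$work" host3.test.cn other.test.cn; then
  echo "other.test.cn: rejected, no matching subjectAltName"
fi
openssl x509 -in "$work/host3.test.cn.crt" -noout -subject -issuer -dates
```

The hostname check is the part the page's manual run never exercised: a certificate that chains correctly but carries the wrong name is still useless to a TLS client, so verify both.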
2. Common ssh options and usage
Format:
ssh [user@]host [COMMAND]
ssh [-l user] host [COMMAND]
Common options:
-p port    # port the remote server listens on
-b addr    # source IP address to connect from
-v         # verbose (debug) mode
-C         # enable compression
-X         # enable X11 forwarding
-t         # force pseudo-tty allocation, e.g. ssh -t remoteserver1 ssh -t remoteserver2 ssh remoteserver3
-o option  # e.g. -o StrictHostKeyChecking=no (this skips host-key verification and so allows a man-in-the-middle to impersonate the server; use it only in a throwaway lab)
-i <file>  # private key file for key-based authentication; by default ssh tries ~/.ssh/id_dsa, ~/.ssh/id_ecdsa, ~/.ssh/id_ed25519, ~/.ssh/id_rsa, etc.
3. Common sshd service parameters
1. SSH local port forwarding
ssh -L localport:remotehost:remotehostport sshserver
Options:
-f  go to the background after authentication
-N  do not execute a remote command (no shell); just hold the connection open for the forwarding
-g  gateway mode: let other hosts connect to the forwarded local port. Without -g the listener binds to 127.0.0.1 only; with it, anyone who can reach this machine can use the tunnel.
2. SSH remote port forwarding
ssh -R sshserverport:remotehost:remotehostport sshserver
The listener created on sshserver binds to its loopback interface unless sshd has GatewayPorts enabled.
3. SSH dynamic port forwarding
ssh -D localport sshserver
This opens a SOCKS proxy on localport; each client connection is tunneled through sshserver to whatever destination the client asked for, so no per-port -L is needed.
4. X protocol forwarding
All graphical applications are X clients and can connect to a remote X server over TCP/IP. X11 traffic itself is not encrypted, but with ssh -X it is carried inside the SSH tunnel, so the X server only ever sees a connection from localhost.
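Whether a forward is loopback-only or exposed to the network is the security question behind -g and GatewayPorts, and it is easy to check on the host that runs the tunnel. The following is an added example, not code from the original post: it audits ss -ltn output for listeners that are not bound to a loopback address. The ss output embedded below is constructed, not captured from a real system.

```sh
#!/bin/sh
# Added example, not from the original post: find SSH forwards (or any listener)
# reachable from other hosts. A -L/-D listener binds to 127.0.0.1 unless -g or an
# explicit bind address such as 0.0.0.0:port is given.
#   ssh -N -f    -L 8080:remotehost:80 sshserver  -> 127.0.0.1:8080 (loopback only)
#   ssh -N -f -g -L 8080:remotehost:80 sshserver  -> 0.0.0.0:8080   (exposed)
set -eu

# Constructed "ss -ltn" output: two loopback-only listeners, two exposed ones.
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      128    127.0.0.1:8080      0.0.0.0:*
LISTEN 0      128    0.0.0.0:1080        0.0.0.0:*
LISTEN 0      128    [::1]:9090          [::]:*
LISTEN 0      128    *:2222              *:*'

# Reads "ss -ltn" output on stdin; prints Local Address:Port of every listener
# that is NOT bound to a loopback address (127.x, [::1], localhost).
exposed_listeners() {
  awk 'NR > 1 {
    addr = $4; sub(/:[^:]*$/, "", addr)      # strip the port, keep the bind address
    if (addr !~ /^(127\.|\[::1\]$|localhost$)/) print $4
  }'
}

# $1 = "ss -ltn" text, $2 = port. Returns 0 if the port is listening on a loopback
# address only; 1 if it is exposed or not listening at all.
port_is_loopback_only() {
  printf '%s\n' "$1" | awk -v p="$2" 'NR > 1 && $4 ~ (":" p "$")' | grep -q . || return 1
  ! printf '%s\n' "$1" | exposed_listeners | grep -q ":$2\$"
}

echo "Listeners reachable from other hosts:"
printf '%s\n' "$SAMPLE_SS" | exposed_listeners
```

On a live system replace SAMPLE_SS with the output of ss -ltn (or netstat -ltn); a forwarded port that shows up in the exposed list either needs -g removed or a firewall rule in front of it.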
4. Set up a DHCP server to hand out IP addresses
1. Environment
DHCP server: CentOS 7.9, ens33: 192.168.19.127 (VMnet8)
DHCP client: CentOS 7.9, ens33: 192.168.19.127 (VMnet8)
2. Install the DHCP server package on the DHCP server
yum install -y dhcp
3. Add a second network adapter to the DHCP server
4. Create and edit the configuration file for the new adapter (static address; the DHCP server itself must not be a DHCP client on this segment)
network-scripts]# cat ifcfg-ens37
TYPE=Ethernet
PROXY_METHOD=none
BROWSER_ONLY=no
BOOTPROTO=none
DEFROUTE=yes
IPV4_FAILURE_FATAL=no
NAME=ens37
DEVICE=ens37
ONBOOT=yes
IPADDR=192.168.2.6
PREFIX=24
GATEWAY=192.168.2.1
DNS1=192.168.2.1
5. Check the new adapter
network-scripts]# ip a sh dev ens37
3: ens37: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
link/ether 00:0c:29:41:b3:9b brd ff:ff:ff:ff:ff:ff
inet 192.168.2.6/24 brd 192.168.2.255 scope global noprefixroute ens37
valid_lft forever preferred_lft forever
inet6 fe80::20c:29ff:fe41:b39b/64 scope link
valid_lft forever preferred_lft forever
6. Edit the DHCP server configuration file /etc/dhcp/dhcpd.conf and add the following (the pool 192.168.2.100-254 deliberately leaves out the server's own 192.168.2.6 and the router's 192.168.2.1)
subnet 192.168.2.0 netmask 255.255.255.0 {
range 192.168.2.100 192.168.2.254;
option domain-name-servers 192.168.2.1;
option domain-name "test.cn";
option routers 192.168.2.1;
option broadcast-address 192.168.2.255;
default-lease-time 600;
max-lease-time 7200;
}
7. Save and restart the service. Run a syntax check first (dhcpd -t -cf /etc/dhcp/dhcpd.conf) so that a typo does not take the lab segment down. The status output shows the unit as "disabled": if the server must survive a reboot, also run systemctl enable dhcpd. In the log, dhcpd ignores ens33 because no subnet declaration matches 192.168.19.127; that is exactly what we want here, since the server must not hand out leases on the VMnet8 segment. To make that explicit rather than accidental, the interface to serve (ens37) can be passed to dhcpd as an argument.
systemctl restart dhcpd
dhcp]# systemctl status dhcpd
● dhcpd.service - DHCPv4 Server Daemon
Loaded: loaded (/usr/lib/systemd/system/dhcpd.service; disabled; vendor preset: disabled)
Active: active (running) since Mon 2021-08-30 16:05:36 CST; 3s ago
Docs: man:dhcpd(8)
man:dhcpd.conf(5)
Main PID: 1861 (dhcpd)
Status: "Dispatching packets..."
CGroup: /system.slice/dhcpd.service
└─1861 /usr/sbin/dhcpd -f -cf /etc/dhcp/dhcpd.conf -user dhcpd -group dhcpd --no-pid
Aug 30 16:05:36 localhost.localdomain dhcpd[1861]: Sending on LPF/ens37/00:0c:29:41:b3:9b/192.168.2.0/24
Aug 30 16:05:36 localhost.localdomain dhcpd[1861]:
Aug 30 16:05:36 localhost.localdomain dhcpd[1861]: No subnet declaration for ens33 (192.168.19.127).
Aug 30 16:05:36 localhost.localdomain systemd[1]: Started DHCPv4 Server Daemon.
Aug 30 16:05:36 localhost.localdomain dhcpd[1861]: ** Ignoring requests on ens33. If this is not what
Aug 30 16:05:36 localhost.localdomain dhcpd[1861]: you want, please write a subnet declaration
Aug 30 16:05:36 localhost.localdomain dhcpd[1861]: in your dhcpd.conf file for the network segment
Aug 30 16:05:36 localhost.localdomain dhcpd[1861]: to which interface ens33 is attached. **
Aug 30 16:05:36 localhost.localdomain dhcpd[1861]:
Aug 30 16:05:36 localhost.localdomain dhcpd[1861]: Sending on Socket/fallback/fallback-net
8. Add a network adapter to the test client, on the same LAN segment
9. Create and edit the adapter configuration file (BOOTPROTO=dhcp this time)
network-scripts]# cat ifcfg-ens37
TYPE=Ethernet
PROXY_METHOD=none
BROWSER_ONLY=no
BOOTPROTO=dhcp
DEFROUTE=yes
IPV4_FAILURE_FATAL=no
NAME=ens37
DEVICE=ens37
ONBOOT=yes
10. Bring up the client adapter
ifup ens37
11. Verify that the client's new adapter obtained an IP address (192.168.2.100 is the first address of the pool; the 489 s valid_lft matches default-lease-time 600)
network-scripts]# ip a sh dev ens37
4: ens37: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
link/ether 00:0c:29:81:ee:66 brd ff:ff:ff:ff:ff:ff
inet 192.168.2.100/24 brd 192.168.2.255 scope global noprefixroute dynamic ens37
valid_lft 489sec preferred_lft 489sec
inet6 fe80::60fd:33ce:f16e:9f2d/64 scope link noprefixroute
valid_lft forever preferred_lft forever
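Most DHCP lab failures come from the subnet block, not from the daemon: a pool that wanders outside the declared subnet, or one that includes the router's or the server's own static address and then hands it to a client, producing duplicate-IP conflicts. The following is an added example, not part of the original post: a small sanity check for that block, run against the exact configuration above and against a constructed misconfiguration. It is IPv4 only and assumes the block contains subnet, range and option routers lines.

```sh
#!/bin/sh
# Added example, not from the original post: sanity-check the subnet block of a
# dhcpd.conf before restarting dhcpd. IPv4 only; assumes subnet/range/routers present.
# GOOD_CONF is the configuration from this post; BAD_CONF is constructed.
set -eu

GOOD_CONF='subnet 192.168.2.0 netmask 255.255.255.0 {
range 192.168.2.100 192.168.2.254;
option domain-name-servers 192.168.2.1;
option domain-name "test.cn";
option routers 192.168.2.1;
option broadcast-address 192.168.2.255;
default-lease-time 600;
max-lease-time 7200;
}'

# Constructed mistake: the pool covers the whole subnet, router, server and broadcast included.
BAD_CONF='subnet 192.168.2.0 netmask 255.255.255.0 {
range 192.168.2.1 192.168.2.255;
option routers 192.168.2.1;
}'

# Dotted quad -> integer.
ip2int() {
  set -- $(printf '%s' "$1" | tr '.' ' ')
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# First value of a keyword: $1 = file, $2 = awk line pattern, $3 = field number.
conf_field() {
  awk -v f="$3" "$2"' { gsub(/[;{]/, "", $f); print $f; exit }' "$1"
}

in_subnet() { [ $(( $1 & $3 )) -eq "$2" ]; }                # addr net mask (integers)
in_pool()   { [ "$1" -ge "$2" ] && [ "$1" -le "$3" ]; }     # addr lo hi   (integers)

# $1 = dhcpd.conf path, $2 = the DHCP server's own static IP on that segment.
# Prints one line per problem; returns 0 only when the block is consistent.
check_dhcpd_subnet() {
  conf=$1 server=$(ip2int "$2") rc=0
  subnet=$(conf_field "$conf" '/^[ \t]*subnet /' 2)
  mask=$(conf_field "$conf" '/^[ \t]*subnet /' 4)
  pool_lo=$(conf_field "$conf" '/^[ \t]*range /' 2)
  pool_hi=$(conf_field "$conf" '/^[ \t]*range /' 3)
  router=$(conf_field "$conf" '/option routers/' 3)

  net=$(ip2int "$subnet"); m=$(ip2int "$mask")
  lo=$(ip2int "$pool_lo"); hi=$(ip2int "$pool_hi")
  bcast=$(( net | (4294967295 - m) ))

  [ "$lo" -le "$hi" ] || { echo "range start $pool_lo is above range end $pool_hi"; rc=1; }
  in_subnet "$lo" "$net" "$m" && in_subnet "$hi" "$net" "$m" \
    || { echo "range $pool_lo-$pool_hi is not inside $subnet/$mask"; rc=1; }
  [ "$hi" -lt "$bcast" ] || { echo "range end $pool_hi includes the broadcast address"; rc=1; }
  ! in_pool "$(ip2int "$router")" "$lo" "$hi" \
    || { echo "router $router lies inside the dynamic pool"; rc=1; }
  ! in_pool "$server" "$lo" "$hi" \
    || { echo "DHCP server address $2 lies inside the dynamic pool"; rc=1; }
  in_subnet "$server" "$net" "$m" \
    || { echo "DHCP server address $2 is not on $subnet; dhcpd would ignore that interface"; rc=1; }
  return $rc
}

# Demo: the post's configuration passes, the constructed one is rejected with reasons.
good=$(mktemp); bad=$(mktemp)
printf '%s\n' "$GOOD_CONF" > "$good"
printf '%s\n' "$BAD_CONF" > "$bad"
echo "== configuration from the post =="
check_dhcpd_subnet "$good" 192.168.2.6 && echo "OK: safe to restart dhcpd"
echo "== constructed misconfiguration =="
check_dhcpd_subnet "$bad" 192.168.2.6 || echo "REJECTED"
rm -f "$good" "$bad"
```

Run it as check_dhcpd_subnet /etc/dhcp/dhcpd.conf <server-ip> before systemctl restart dhcpd; the last check (server address on the declared subnet) is the one that explains the "No subnet declaration for ens33" lines in the log above.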