江南才子 发表于 2021-6-30 20:35:40

openSSL ssh

1、 openSSL

  官网:https://www.openssl.org/
  OpenSSL计划在1998年开始,其目标是发明一套自由的加密工具,在互联网上使用。OpenSSL以EricYoung以及Tim Hudson两人开发的SSLeay为基础,随着两人前往RSA公司任职,SSLeay在1998年12月停止开发。因此在1998年12月,社群另外分支出OpenSSL,继续开发下去OpenSSL管理委员会当前由7人组成有13个开发人员具有提交权限(其中许多人也是OpenSSL管理委员会的一部分)。只有两名全职员工(研究员),其余的是志愿者该项目每年的预算不到100万美元,主要依靠捐款。 TLS 1.3的开发由 Akamai 赞助OpenSSL是一个开放源代码的软件库包,应用程序可以使用这个包来进行安全通信,同时确认另一端连线者的身份。这个包广泛被应用在互联网的网页服务器上其主要库是以C语言所写成,实现了基本的加密功能,实现了SSL与TLS协议。OpenSSL可以运行OpenVMS、 Microsoft Windows以及绝大多数类Unix操作系统上(包括Solaris,Linux,Mac OS X与各种版本的开放源代码BSD操作系统)
  心脏出血漏洞:OpenSSL 1.0.1版本(不含1.0.1g)含有一个严重漏洞,可允许***者读取服务器的内存信息。该漏洞于2014年4月被公诸于世,影响三分之二的活跃网站
  包括三个组件:
  libcrypto:用于实现加密和解密的库
  libssl:用于实现ssl通信协议的安全库
  openssl:多用途命令行工具

1.2在centos8上实现私有CA和证书申请

1.2.1    创建CA相关目录和文件

#mkdir -pv /etc/pki/CA/{certs,crl,newcerts,private}
mkdir: created directory '/etc/pki/CA'
mkdir: created directory '/etc/pki/CA/certs'
mkdir: created directory '/etc/pki/CA/crl'
mkdir: created directory '/etc/pki/CA/newcerts'
mkdir: created directory '/etc/pki/CA/private'
#tree /etc/pki/CA
/etc/pki/CA
├── certs
├── crl
├── newcerts
└── private

4 directories, 0 files
#生成证书索引数据库文件
#touch /etc/pki/CA/index.txt
#指定第一个颁发证书的序列号
#echo 01 > /etc/pki/CA/serial  index.txt和serial文件在颁发证书时需要使用,如果不存在,会出现以下错误提示
#openssl ca -in /data/app1/app1.csr -out
/etc/pki/CA/certs/app1.crt -days 1000
Using configuration from /etc/pki/tls/openssl.cnf
140040142845760:error:02001002:system library:fopen:No such file or
directory:crypto/bio/bss_file.c:72:fopen('/etc/pki/CA/index.txt','r')
140040142845760:error:2006D080:BIO routines:BIO_new_file:no such
file:crypto/bio/bss_file.c:79:
#openssl ca -in /data/app1/app1.csr -out
/etc/pki/CA/certs/app1.crt -days 1000
Using configuration from /etc/pki/tls/openssl.cnf
/etc/pki/CA/serial: No such file or directory
error while loading serial number
140240559408960:error:02001002:system library:fopen:No such file or
directory:crypto/bio/bss_file.c:72:fopen('/etc/pki/CA/serial','r')
140240559408960:error:2006D080:BIO routines:BIO_new_file:no such
file:crypto/bio/bss_file.c:79:
1.2.2    创建CA的私钥

#cd /etc/pki/CA/
#(umask 066; openssl genrsa -out private/cakey.pem 2048)
Generating RSA private key, 2048 bit long modulus (2 primes)
....................................+++++
.............+++++
e is 65537 (0x010001)
#tree
.
├── certs
├── crl
├── index.txt
├── newcerts
├── private
│   └── cakey.pem
└── serial

4 directories, 3 files
#ll private/cakey.pem
-rw------- 1 root root 1679 Jun 14 20:17 private/cakey.pem

#cat private/cakey.pem
-----BEGIN RSA PRIVATE KEY-----
MIIEpAIBAAKCAQEA4AyF5Z8utDHOkwRTSUN6pfRSrL5luDLP/+RkEFqQXNywAsqO
WS9i8qsSLw768SmbGPiTvRezrADkk4ouZhfKsf5nZjc3c/xXi0Jh19FD10cllJ2T
FfGcBV32a/TspuYaPnMebLNndYTVesY9VsWOxszccjCMDhb2utoItwRXrq0/zS3v
qLy5iBZu5kVUxvYFug/5/b2X6+1ZwbQPRwcS/6T5HnRR1zzlEjfNJH/L38kV2DdI
cDsyP45QZuArw7nchV/TXDEStYD+pPzFQQyVuOZ0ZxGuny3AkoMcN3ddC9SCGJbN
J7wDtyZjWVv81dWsCOSaxzcEnnokLLQgKUsWpwIDAQABAoIBAQDW8ey7YL4Tzfza
+rlUflJ6SC3Q4FECKG14mAqPzfLVxDtwUhfC5D1PhmPJlduV5k6P5FsIfGa5S5n/
GgBtncGuhd15KNwggCUUyzjHLlKhg/Y/3/Suhr8iPwUciTtI21SuOQ8lRfCpxChy
wyEx0BKsEvoi6wRSuCE5HdhijN36CxyxwAcFddtPw9nBAkDmnqrdRhBpbc2O5P1M
aw/+zmEPqa5O8R6HCqgr+eRgNGIg9PICAG6Qer4VvQjLpTAR2oRioNdmdDAl5JC7
9UScFrx6Cyrule23Ac36zMLtJYK28Zc3tt8mO+klCuj6HdeIG9owgb2lGxOgsYP1
f7Dyi1sRAoGBAPFcgfnm4dLfv/mDzUU2igfz0ArS8OXixO5ZWFYDkkQQVh9zmzwJ
YZ6SODBoYrViCH1NsnAMNfzM80WCURUF30l8EUyF7sepRV54ams01izbsdBcpv/z
yscabSxrhJ20rthid3AxVIZnuKruqVhMfAiXy5CNz2bOK8nfm+/hijulAoGBAO2j
NsyzcjESg1q2QUw0GnRwOoUvQMpAQtwnVTMBhMk1vHNee5QCBHvJd4ESXTLO3PJh
xr8YEA+79rvNdvYjzh9Q2TkH5upBrJ6Aqs/TkhN8otLKzl75wmjbwZ0/q6QVQjiB
qcdoJz3aoSMMehKmaGi8SPAjTQzU84MLwy/0HudbAoGAEzDy2McF77mAzzsuqDE0
+nrlcObi5rSIShdqkbRI/gZ6gpezoStxyqT/uMGkD54S5Lu303b1F/vH4CADiHNm
FLa7vWTs3o1UCbXzaEDUQs7ZLaMgWDuvRPOR+LU33z5NpMD3lEEn4mP+6ACAEJhM
SHahZgYQlrEQBEY2ZPV/A00CgYBny183H7XjyzNGXs68ixF3BEH7RD1nWZQadq+W
/LXT8L2kIoOVjSAKNWAWJ0A/3ezRjXVyp/7z8GR/eOnZ7p+sO/L1Hwd0EEVmYcq5
xa5LBqhTq7Nh9nM8u6egmFvO6l4nMjNG3q4tLR4uodd75+U4weyVvsV7slO+TFfv
zQ/mewKBgQDAxXLlVw9I2nFEl7MWkNwk2FzZ5J0NPUL9fTc1/tsthgE3Z4bm8vzR
en3S99/btlCEPX1JXJ2pXUmTvXyOo4ZzK1KlfX85Iid45NjATSY5NrafgR7714TX
jHtFdr4MZsbrss/4jatBBOWxZybYX1h+biaD/+tVLtcyKOO6blwlGg==
-----END RSA PRIVATE KEY-----
1.2.3    给CA颁发自签名证书

#openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -days 3650 -out /etc/pki/CA/cacert.pem
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) :CN
State or Province Name (full name) []:JiangXi
Locality Name (eg, city) :NanChang
Organization Name (eg, company) :magedu
Organizational Unit Name (eg, section) []:devops
Common Name (eg, your name or your server's hostname) []:ca.magedu.org
Email Address []:admin@magedu.org
#tree
.
├── cacert.pem
├── certs
├── crl
├── index.txt
├── newcerts
├── private
│   └── cakey.pem
└── serial

4 directories, 4 files
#cat cacert.pem
-----BEGIN CERTIFICATE-----
MIID/TCCAuWgAwIBAgIUVBlKcy1c7uBtYCfgMnh0KcpZGzQwDQYJKoZIhvcNAQEL
BQAwgY0xCzAJBgNVBAYTAkNOMRAwDgYDVQQIDAdKaWFuZ1hpMREwDwYDVQQHDAhO
YW5DaGFuZzEPMA0GA1UECgwGbWFnZWR1MQ8wDQYDVQQLDAZkZXZvcHMxFjAUBgNV
BAMMDWNhLm1hZ2VkdS5vcmcxHzAdBgkqhkiG9w0BCQEWEGFkbWluQG1hZ2VkdS5v
cmcwHhcNMjEwNjE0MTIyNjM2WhcNMzEwNjEyMTIyNjM2WjCBjTELMAkGA1UEBhMC
Q04xEDAOBgNVBAgMB0ppYW5nWGkxETAPBgNVBAcMCE5hbkNoYW5nMQ8wDQYDVQQK
DAZtYWdlZHUxDzANBgNVBAsMBmRldm9wczEWMBQGA1UEAwwNY2EubWFnZWR1Lm9y
ZzEfMB0GCSqGSIb3DQEJARYQYWRtaW5AbWFnZWR1Lm9yZzCCASIwDQYJKoZIhvcN
AQEBBQADggEPADCCAQoCggEBAOAMheWfLrQxzpMEU0lDeqX0Uqy+Zbgyz//kZBBa
kFzcsALKjlkvYvKrEi8O+vEpmxj4k70Xs6wA5JOKLmYXyrH+Z2Y3N3P8V4tCYdfR
Q9dHJZSdkxXxnAVd9mv07KbmGj5zHmyzZ3WE1XrGPVbFjsbM3HIwjA4W9rraCLcE
V66tP80t76i8uYgWbuZFVMb2BboP+f29l+vtWcG0D0cHEv+k+R50Udc85RI3zSR/
y9/JFdg3SHA7Mj+OUGbgK8O53IVf01wxErWA/qT8xUEMlbjmdGcRrp8twJKDHDd3
XQvUghiWzSe8A7cmY1lb/NXVrAjkmsc3BJ56JCy0IClLFqcCAwEAAaNTMFEwHQYD
VR0OBBYEFOWNke0V96+yX3EOmltGd3hnQLWpMB8GA1UdIwQYMBaAFOWNke0V96+y
X3EOmltGd3hnQLWpMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEB
AHYARZNPnhdtUGjE7MhBgPD2dfctSev9fWXa2u3YRSTH3HvpPS4obVoxAe37cuD5
dsQlGZCJ8ydqwSg1RcKu9b/TnSe8Q3TDJsbp8rQfjoRL/x8W47H0AyyBJRYU3JnG
No4toSOgMcYZzAGewffKL9mWLkL1F8pnksTPJnLtiFNqyTL3nBF9qSUl7fUev52h
U2c2/79YPedziKb098qSdzCn0TdfCixq718Iq+lYfaVREjPgC3XXuup1ZWJJEPRi
LFydiQxgvV2PklVPY1Yg0pZnlvWqgKQRaNNef6I3iifI8r93kcUwTwwBKR4+eVri
ChFdOU0zFgji9SNOiZsCwwE=
-----END CERTIFICATE-----

#查看证书内容
#openssl x509 -in /etc/pki/CA/cacert.pem -noout -text
Certificate:
    Data:
      Version: 3 (0x2)
      Serial Number:
            54:19:4a:73:2d:5c:ee:e0:6d:60:27:e0:32:78:74:29:ca:59:1b:34
      Signature Algorithm: sha256WithRSAEncryption
      Issuer: C = CN, ST = JiangXi, L = NanChang, O = magedu, OU = devops, CN = ca.magedu.org, emailAddress = admin@magedu.org
      Validity
            Not Before: Jun 14 12:26:36 2021 GMT
            Not After : Jun 12 12:26:36 2031 GMT
      Subject: C = CN, ST = JiangXi, L = NanChang, O = magedu, OU = devops, CN = ca.magedu.org, emailAddress = admin@magedu.org
      Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
                Modulus:
                  00:e0:0c:85:e5:9f:2e:b4:31:ce:93:04:53:49:43:
                  7a:a5:f4:52:ac:be:65:b8:32:cf:ff:e4:64:10:5a:
                  90:5c:dc:b0:02:ca:8e:59:2f:62:f2:ab:12:2f:0e:
                  fa:f1:29:9b:18:f8:93:bd:17:b3:ac:00:e4:93:8a:
                  2e:66:17:ca:b1:fe:67:66:37:37:73:fc:57:8b:42:
                  61:d7:d1:43:d7:47:25:94:9d:93:15:f1:9c:05:5d:
                  f6:6b:f4:ec:a6:e6:1a:3e:73:1e:6c:b3:67:75:84:
                  d5:7a:c6:3d:56:c5:8e:c6:cc:dc:72:30:8c:0e:16:
                  f6:ba:da:08:b7:04:57:ae:ad:3f:cd:2d:ef:a8:bc:
                  b9:88:16:6e:e6:45:54:c6:f6:05:ba:0f:f9:fd:bd:
                  97:eb:ed:59:c1:b4:0f:47:07:12:ff:a4:f9:1e:74:
                  51:d7:3c:e5:12:37:cd:24:7f:cb:df:c9:15:d8:37:
                  48:70:3b:32:3f:8e:50:66:e0:2b:c3:b9:dc:85:5f:
                  d3:5c:31:12:b5:80:fe:a4:fc:c5:41:0c:95:b8:e6:
                  74:67:11:ae:9f:2d:c0:92:83:1c:37:77:5d:0b:d4:
                  82:18:96:cd:27:bc:03:b7:26:63:59:5b:fc:d5:d5:
                  ac:08:e4:9a:c7:37:04:9e:7a:24:2c:b4:20:29:4b:
                  16:a7
                Exponent: 65537 (0x10001)
      X509v3 extensions:
            X509v3 Subject Key Identifier:
                E5:8D:91:ED:15:F7:AF:B2:5F:71:0E:9A:5B:46:77:78:67:40:B5:A9
            X509v3 Authority Key Identifier:
                keyid:E5:8D:91:ED:15:F7:AF:B2:5F:71:0E:9A:5B:46:77:78:67:40:B5:A9

            X509v3 Basic Constraints: critical
                CA:TRUE
    Signature Algorithm: sha256WithRSAEncryption
         76:00:45:93:4f:9e:17:6d:50:68:c4:ec:c8:41:80:f0:f6:75:
         f7:2d:49:eb:fd:7d:65:da:da:ed:d8:45:24:c7:dc:7b:e9:3d:
         2e:28:6d:5a:31:01:ed:fb:72:e0:f9:76:c4:25:19:90:89:f3:
         27:6a:c1:28:35:45:c2:ae:f5:bf:d3:9d:27:bc:43:74:c3:26:
         c6:e9:f2:b4:1f:8e:84:4b:ff:1f:16:e3:b1:f4:03:2c:81:25:
         16:14:dc:99:c6:36:8e:2d:a1:23:a0:31:c6:19:cc:01:9e:c1:
         f7:ca:2f:d9:96:2e:42:f5:17:ca:67:92:c4:cf:26:72:ed:88:
         53:6a:c9:32:f7:9c:11:7d:a9:25:25:ed:f5:1e:bf:9d:a1:53:
         67:36:ff:bf:58:3d:e7:73:88:a6:f4:f7:ca:92:77:30:a7:d1:
         37:5f:0a:2c:6a:ef:5f:08:ab:e9:58:7d:a5:51:12:33:e0:0b:
         75:d7:ba:ea:75:65:62:49:10:f4:62:2c:5c:9d:89:0c:60:bd:
         5d:8f:92:55:4f:63:56:20:d2:96:67:96:f5:aa:80:a4:11:68:
         d3:5e:7f:a2:37:8a:27:c8:f2:bf:77:91:c5:30:4f:0c:01:29:
         1e:3e:79:5a:e2:0a:11:5d:39:4d:33:16:08:e2:f5:23:4e:89:
         9b:02:c3:01  选项说明:
-new:生成新证书签署请求
-x509:专用于CA生成自签证书
-key:生成请求时用到的私钥文件
-days n:证书的有效期限
-out /PATH/TO/SOMECERTFILE: 证书的保存路径
1.2.4    CA给用户生成私钥和证书申请

#mkdir /data/app1
#(umask 066;openssl genrsa -out /data/app1/app1.key 2048)
Generating RSA private key, 2048 bit long modulus (2 primes)
............................+++++
...............................................................................................................................................+++++
e is 65537 (0x010001)
#openssl req -new -key /data/app1/app1.key -out /data/app1/app1.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) :CN
State or Province Name (full name) []:JiangXi
Locality Name (eg, city) :NanChang
Organization Name (eg, company) :magedu
Organizational Unit Name (eg, section) []:it
Common Name (eg, your name or your server's hostname) []:app1.magedu.org
Email Address []:grain@magedu.org

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
#ll /data/app1/
total 8
-rw-r--r-- 1 root root 1054 Jun 14 21:01 app1.csr
-rw------- 1 root root 1679 Jun 14 20:56 app1.key  默认三项内容必须和CA一致:国家,省份,组织,如果不同,会出现以下提示
#openssl ca -in /data/app2/app2.csr -out
/etc/pki/CA/certs/app2.crt
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
The stateOrProvinceName field is different between
CA certificate (beijing) and the request (hubei)
1.2.5    CA颁发证书

#openssl ca -in /data/app1/app1.csr -out /etc/pki/CA/certs/app1.crt -days 1000
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
      Serial Number: 1 (0x1)
      Validity
            Not Before: Jun 14 14:18:05 2021 GMT
            Not After : Mar 10 14:18:05 2024 GMT
      Subject:
            countryName               = CN
            stateOrProvinceName       = JiangXi
            organizationName          = magedu
            organizationalUnitName    = it
            commonName                = app1.magedu.org
            emailAddress            = grain@magedu.org
      X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                93:6C:B7:BD:A1:7A:F5:10:1C:FD:78:FC:99:A1:D3:E0:26:06:B9:50
            X509v3 Authority Key Identifier:
                keyid:E5:8D:91:ED:15:F7:AF:B2:5F:71:0E:9A:5B:46:77:78:67:40:B5:A9

Certificate is to be certified until Mar 10 14:18:05 2024 GMT (1000 days)
Sign the certificate? :y


1 out of 1 certificate requests certified, commit? y
Write out database with 1 new entries
Data Base Updated
#tree /etc/pki/CA
/etc/pki/CA
├── cacert.pem
├── certs
│   └── app1.crt
├── crl
├── index.txt
├── index.txt.attr
├── index.txt.old
├── newcerts
│   └── 01.pem
├── private
│   └── cakey.pem
├── serial
└── serial.old

4 directories, 9 files
1.2.6    查看证书

#cat /etc/pki/CA/certs/app1.crt
Certificate:
    Data:
      Version: 3 (0x2)
      Serial Number: 1 (0x1)
      Signature Algorithm: sha256WithRSAEncryption
      Issuer: C=CN, ST=JiangXi, L=NanChang, O=magedu, OU=devops, CN=ca.magedu.org/emailAddress=admin@magedu.org
      Validity
            Not Before: Jun 14 14:18:05 2021 GMT
            Not After : Mar 10 14:18:05 2024 GMT
      Subject: C=CN, ST=JiangXi, O=magedu, OU=it, CN=app1.magedu.org/emailAddress=grain@magedu.org
      Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
                Modulus:
                  00:bb:3d:ee:80:8e:57:89:6d:fb:88:ce:ae:2f:86:
                  10:c5:b5:0b:ff:25:bd:30:40:ee:21:c1:cc:92:2e:
                  99:72:3f:78:9b:af:8a:c2:4e:72:fe:b5:33:97:62:
                  a8:91:9a:4d:6d:fc:e2:d7:fd:9c:dc:07:2b:9c:a9:
                  a7:de:66:34:96:b9:a1:49:c4:23:07:db:c9:80:19:
                  93:cb:1d:35:e0:10:af:e5:9f:5a:2a:82:92:42:d2:
                  aa:ee:ba:4c:85:cf:b1:fd:6b:a9:fb:d3:f9:35:c2:
                  75:7b:19:e7:1c:03:60:15:bd:25:c9:43:42:d5:5e:
                  96:65:e3:b2:17:59:22:9c:80:ef:5d:c4:77:6c:3e:
                  5a:4f:c8:c7:6b:0c:a0:24:dc:ad:8f:40:e7:c1:f1:
                  e5:f8:39:f5:c6:0b:ff:df:a3:67:22:46:7a:f7:a6:
                  b2:36:df:6a:d9:f1:49:96:4e:1c:56:15:38:84:ba:
                  84:25:ee:4f:46:c1:c8:22:3d:50:f1:51:38:29:43:
                  b8:6a:e2:d3:ce:34:3b:99:b1:59:d6:c1:a6:e4:9f:
                  01:14:88:b4:17:10:80:51:87:ae:fe:d4:f6:8d:6e:
                  d0:3a:6e:6a:6d:75:94:a5:d7:55:1a:4b:ed:28:4c:
                  aa:11:d6:67:64:d1:6c:a1:af:64:c3:ae:50:3d:ea:
                  bc:7b
                Exponent: 65537 (0x10001)
      X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                93:6C:B7:BD:A1:7A:F5:10:1C:FD:78:FC:99:A1:D3:E0:26:06:B9:50
            X509v3 Authority Key Identifier:
                keyid:E5:8D:91:ED:15:F7:AF:B2:5F:71:0E:9A:5B:46:77:78:67:40:B5:A9

    Signature Algorithm: sha256WithRSAEncryption
         9f:c6:59:1f:a9:99:6c:11:2a:0c:e8:08:39:08:21:dc:7c:5d:
         69:ed:0a:33:a9:43:90:87:a6:14:c5:da:b0:65:27:b7:ad:9c:
         7d:60:55:ad:79:76:a6:63:80:2e:c4:fb:c8:17:91:32:60:39:
         96:f1:6f:22:d1:85:08:97:fd:2b:6d:62:a2:ad:8c:02:07:db:
         cf:78:2f:e0:04:74:b9:8d:dc:54:d6:c6:05:65:55:93:4e:32:
         75:26:d9:63:94:56:43:91:ee:89:40:60:14:ff:38:49:34:ef:
         c0:2e:9a:16:79:ee:f7:fe:6a:10:5d:5b:e9:b7:c4:16:41:a7:
         1d:ef:1f:33:6c:ad:20:17:e2:a5:8b:79:6d:fc:50:d5:4f:c8:
         9e:a9:84:f7:35:25:ab:c4:b4:d5:e4:12:a6:a4:66:b7:39:6f:
         4b:f1:8a:06:97:fd:c9:17:ad:53:2d:24:ff:13:38:16:a7:2a:
         ff:84:20:14:e5:27:7a:78:7d:8d:d1:15:19:48:a3:0a:d5:25:
         dd:89:6e:d8:c6:aa:51:94:64:2d:21:2a:13:65:57:1e:bd:3f:
         f4:1e:1f:be:6f:b1:38:41:46:19:23:b6:a0:8d:b7:27:56:5f:
         b9:a0:e0:41:19:e7:38:72:98:d2:74:8b:91:33:80:80:47:63:
         0d:f0:69:80
-----BEGIN CERTIFICATE-----
MIID/DCCAuSgAwIBAgIBATANBgkqhkiG9w0BAQsFADCBjTELMAkGA1UEBhMCQ04x
EDAOBgNVBAgMB0ppYW5nWGkxETAPBgNVBAcMCE5hbkNoYW5nMQ8wDQYDVQQKDAZt
YWdlZHUxDzANBgNVBAsMBmRldm9wczEWMBQGA1UEAwwNY2EubWFnZWR1Lm9yZzEf
MB0GCSqGSIb3DQEJARYQYWRtaW5AbWFnZWR1Lm9yZzAeFw0yMTA2MTQxNDE4MDVa
Fw0yNDAzMTAxNDE4MDVaMHgxCzAJBgNVBAYTAkNOMRAwDgYDVQQIDAdKaWFuZ1hp
MQ8wDQYDVQQKDAZtYWdlZHUxCzAJBgNVBAsMAml0MRgwFgYDVQQDDA9hcHAxLm1h
Z2VkdS5vcmcxHzAdBgkqhkiG9w0BCQEWEGdyYWluQG1hZ2VkdS5vcmcwggEiMA0G
CSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC7Pe6AjleJbfuIzq4vhhDFtQv/Jb0w
QO4hwcySLplyP3ibr4rCTnL+tTOXYqiRmk1t/OLX/ZzcByucqafeZjSWuaFJxCMH
28mAGZPLHTXgEK/ln1oqgpJC0qruukyFz7H9a6n70/k1wnV7GeccA2AVvSXJQ0LV
XpZl47IXWSKcgO9dxHdsPlpPyMdrDKAk3K2PQOfB8eX4OfXGC//fo2ciRnr3prI2
32rZ8UmWThxWFTiEuoQl7k9GwcgiPVDxUTgpQ7hq4tPONDuZsVnWwabknwEUiLQX
EIBRh67+1PaNbtA6bmptdZSl11UaS+0oTKoR1mdk0Wyhr2TDrlA96rx7AgMBAAGj
ezB5MAkGA1UdEwQCMAAwLAYJYIZIAYb4QgENBB8WHU9wZW5TU0wgR2VuZXJhdGVk
IENlcnRpZmljYXRlMB0GA1UdDgQWBBSTbLe9oXr1EBz9ePyZodPgJga5UDAfBgNV
HSMEGDAWgBTljZHtFfevsl9xDppbRnd4Z0C1qTANBgkqhkiG9w0BAQsFAAOCAQEA
n8ZZH6mZbBEqDOgIOQgh3Hxdae0KM6lDkIemFMXasGUnt62cfWBVrXl2pmOALsT7
yBeRMmA5lvFvItGFCJf9K21ioq2MAgfbz3gv4AR0uY3cVNbGBWVVk04ydSbZY5RW
Q5HuiUBgFP84STTvwC6aFnnu9/5qEF1b6bfEFkGnHe8fM2ytIBfipYt5bfxQ1U/I
nqmE9zUlq8S01eQSpqRmtzlvS/GKBpf9yRetUy0k/xM4Fqcq/4QgFOUnenh9jdEV
GUijCtUl3Ylu2MaqUZRkLSEqE2VXHr0/9B4fvm+xOEFGGSO2oI23J1ZfuaDgQRnn
OHKY0nSLkTOAgEdjDfBpgA==
-----END CERTIFICATE-----
1.2.7    将证书相关文件发送到用户端使用

#cp /etc/pki/CA/certs/app1.crt /data/app1/
#tree /data/app1/
/data/app1/
├── app1.crt
├── app1.csr
└── app1.key

0 directories, 3 files
1.2.8 证书的吊销

#tree /etc/pki/CA/
/etc/pki/CA/
├── cacert.pem
├── certs
│   ├── app1.crt
│   └── app2.crt
├── crl
├── index.txt
├── index.txt.attr
├── index.txt.attr.old
├── index.txt.old
├── newcerts
│   ├── 01.pem
│   └── 02.pem
├── private
│   └── cakey.pem
├── serial
└── serial.old

4 directories, 12 files
#openssl ca -status 02
Using configuration from /etc/pki/tls/openssl.cnf
02=Valid (V)
#openssl ca -revoke /etc/pki/CA/newcerts/02.pem
Using configuration from /etc/pki/tls/openssl.cnf
Revoking Certificate 02.
Data Base Updated
#openssl ca -status 02
Using configuration from /etc/pki/tls/openssl.cnf
02=Revoked (R)
1.2.9    生成证书吊销列表文件

#openssl ca -gencrl -out /etc/pki/CA/crl.pem
Using configuration from /etc/pki/tls/openssl.cnf
/etc/pki/CA/crlnumber: No such file or directory
error while loading CRL number
140431109904192:error:02001002:system library:fopen:No such file or directory:crypto/bio/bss_file.c:69:fopen('/etc/pki/CA/crlnumber','r')
140431109904192:error:2006D080:BIO routines:BIO_new_file:no such file:crypto/bio/bss_file.c:76:
#echo 01 > /etc/pki/CA/crlnumber
#openssl ca -gencrl -out /etc/pki/CA/crl.pem
Using configuration from /etc/pki/tls/openssl.cnf
#cat /etc/pki/CA/crlnumber
02
2、ssh服务

  SSH协议版本:

[*]v1:基于CRC-32做MAC,不安全;man-in-middle
[*]v2:双方主机协议选择安全的MAC方式,基于DH算法做密钥交换,基于RSA或DSA实现身份认证

2.1   ssh常用参数、用法

  用法:

2.1.1    远程登录

#口令登录
1、ssh user@ip      //远程登录服务器的user用户,默认端口22
2、ssh host            //通过地址远程登录服务器相同账户,端口默认22
3、ssh user@host -p 10000    // ssh使用远程主机的10000端口进行连接

#公钥登录
1、ssh-keygen          #在$HOME/.ssh/目录下,会新生成两个文件: id_rsa.pub和id_rsa,前者是公钥,后者是私钥
2、ssh-copy-id user@host    #公钥复制到远程主机host上面,之后可以直接公钥登录基于密钥的登录方式1. 首先在客户端生成一对密钥(ssh-keygen)
2. 并将客户端的公钥ssh-copy-id 拷贝到服务端
3. 当客户端再次发送一个连接请求,包括ip、用户名
4. 服务端得到客户端的请求后,会到authorized_keys中查找,如果有响应的IP和用户,就会随机生
成一个字符串,例如:magedu
5. 服务端将使用客户端拷贝过来的公钥进行加密,然后发送给客户端6. 得到服务端发来的消息后,客户端会使用私钥进行解密,然后将解密后的字符串发送给服务端
7. 服务端接受到客户端发来的字符串后,跟之前的字符串进行对比,如果一致,就允许免密码登录
2.1.2    SSH远程操作


[*]远程执行命令
ssh host
ssh host /bin/bash < test.sh      #远程执行本地的脚本  参数:
-p port:    远程服务器监听的端口
-b            指定连接的源IP
-v            调试模式
-C            压缩方式
-X            支持X11转发
-t            强制伪tty分配,如 ssh -t remoteserver1 ssh -t remoteserver2 sshremoteserver3
-o option      如:-o StrictHostKeyChecking=no
-i <file>      指定私钥文件路径,实现基于key验证,默认使用文件: ~/.ssh/id_dsa,~/.ssh/id_ecdsa, ~/.ssh/id_ed25519,~/.ssh/id_rsa等  范例:
#ssh -t 10.0.0.8 ssh -t 10.0.0.7 ssh 10.0.0.6
root@10.0.0.8's password:
root@10.0.0.7's password:
root@10.0.0.6's password:
Last login: Fri May 22 09:10:28 2020 from 10.0.0.7
#  远程执行命令
#ssh 10.0.0.8 "sed -i.bak
'/StrictHostKeyChecking/s/.*/StrictHostKeyChecking no/' /etc/ssh/ssh_config"
root@10.0.0.8's password:
#  在远程主机运行本地shell脚本
#hostname -I
10.0.0.8
#cat test.sh
#!/bin/bash
hostname -I
#ssh 10.0.0.18 /bin/bash < test.sh
root@10.0.0.18's password:
10.0.0.18
2.1.3    scp

  实现本机与远程主机之间的数据拷贝
#本地复制远程主机文件(把远程的文件复制到本地)
scp root@ip:/var/test/test.tar.gz /var/test/test.tar.gz
#远程主机复制本地文件(把本地文件复制到远程主机)
scp /var/test/test.tar.gz root@ip:/var/test/test.tar.gz

#本地复制远程主机目录
scp -r root@ip:/var/test/ /var/test/
2.1.4    绑定本地端口

ssh -D 8080 user@host    #SSH会建立一个socket监听本地的8080端口,一旦有数据传向8080端口,就自动把它转移到SSH连接上面,发往远程主机
2.1.5    SSH本地端口转发

ssh -L localport:remotehost:remotehostport sshserver  选项
-f 后台启用
-N 不打开远程shell,处于等待状态
-g 启用网关功能

#当访问本机的9527的端口时,被加密后转发到sshsrv的ssh服务,再解密被转发到telnetsrv:23
#data<-->localhost:9527 <-->localhost:XXXXX<-->sshsrv:22<-->sshsrv:YYYYY<-->telnetsrv:23
ssh –L 9527:telnetsrv:23 -Nfg sshsrv
telnet 127.0.0.1 9527
2.1.6    SSH远程端口转发

ssh -R sshserverport:remotehost:remotehostport sshserver

#让sshsrv侦听9527端口的访问,如有访问,就加密后通过ssh服务转发请求到本机ssh客户端,再由本机解密后转发到telnetsrv:23
#Data<-->sshsrv:9527<-->sshsrv:22<-->localhost:XXXXX<-->localhost:YYYYY<-->telnetsrv:23
ssh –R 9527:telnetsrv:23 –Nf sshsrv
2.1.7    SSH动态端口转发

#当用firefox访问internet时,本机的1080端口做为代理服务器,firefox的访问请求被转发到sshserver上,由sshserver替之访问internet
ssh -D 1080 root@sshserver -fNg
#在本机firefox设置代理socket proxy:127.0.0.1:1080
curl --socks5 127.0.0.1:1080 http://www.google.com
3、 sshd服务配置

  服务器端: sshd
  服务器端的配置文件: /etc/ssh/sshd_config
  服务器端的配置文件帮助: man 5 sshd_config
  常用参数:
Port
LintenAddress ip
LoginGraceTime 2m
permitRootLogin yes            #默认ubuntu不允许root远程ssh登录
StrictModes yes                #检查.ssh/ 文件的所有者,权限等
MaxAuthTries6
Maxsessions    10                #同一个连接最大会话
PubkeyAuthentication yes   #基于key验证
PermitEmptyPasswords no         #空密码连接
PasswordAuthentication yes    #基于用户名和密码连接
GatewayPorts no
ClientAliveInterval 10         #单位;秒
ClientAliveCountMax 3         #默认3
UseDNS yes                     #提高速度可改为No
GSSAPIAuthentication yes      #提高速度可改为no
MaxStartups                   #未认证连接最大值,默认值10
Banner /path/file

#以下可以限制可登录用户的办法:
AllowUsers user1 user2 user3
DenyUsers
AllowGroups
DenyGroups  范例:设置ssh 空闲60s自动注销
vim /etc/ssh/sshd_config
ClientAliveInterval60
ClientAliveCountMax0

Service sshd restart
#注意: 新开一个连接才有效  范例:解决ssh登录缓慢的问题
vim /etc/ssh/sshd_config
UseDNS no
GSSAPIAuthentication no

systemctl restart sshd  范例:在ubuntu上启用root远程ssh登录
vim/etc/ssh/sshd_config
#PermitRootLogin prohibit-password   注释掉此行
PermitRootLogin yes      修改为此形式

systemctl restart sshd
页: [1]
查看完整版本: openSSL ssh