OpenSSL和OpenSSH
OpenSSH
只允許白名單的用戶登錄
1、限制前:
[email protected]'s password:
[ww@qq ~]$ exit
logout
Connection to 10.201.106.129 closed.
[root@zz ~]# ssh [email protected]
[email protected]'s password:
[ee@qq ~]$ exit
2、限制後
[root@qq ~]# vim /etc/ssh/sshd_config
AllowUsers qq root
[root@qq ~]# service sshd reload
Reloading sshd: [ OK ]
2.1測試
[root@zz ~]# ssh [email protected]
[email protected]'s password:
Permission denied, please try again.
[email protected]'s password:
[root@zz ~]# ssh [email protected]
[email protected]'s password:
Permission denied, please try again.
[email protected]'s password:
[root@zz ~]#
[root@zz ~]# ssh [email protected]
[email protected]'s password:
Last login: Thu Jul 28 15:52:49 2016 from 10.201.106.128
[qq@qq ~]$
生成隨機數密碼
[root@qq ~]# tr -dc A-Za-z0-9_ < /dev/urandom | head -c 16 | xargs
rCHubvWwKIA4Fxk2
編譯安裝dropbear
1、下載解壓源碼包
[root@qq ~]# tar xf dropbear-2013.58.tar.bz2
2、閱讀安裝文檔,默認安裝在/usr/local/bin
[root@qq ~]# cd dropbear-2013.58
[root@qq dropbear-2013.58]# less INSTALL
Basic Dropbear build instructions:
- Edit options.h to set which features you want.
- Edit debug.h if you want any debug options (not usually required).
(If using a non-tarball copy, "autoconf; autoheader")
./configure (optionally with --disable-zlib or --disable-syslog,
or --help for other options)
Now compile:
make PROGRAMS="dropbear dbclient dropbearkey dropbearconvert scp"
And install (/usr/local/bin is usual default):
……
3、檢查配置
[root@qq dropbear-2013.58]# ./configure
4、選擇要編譯的組件
[root@qq dropbear-2013.58]# make PROGRAMS=' dropbear scp dropbearkey dbclient'
5、安裝
[root@qq dropbear-2013.58]# make PROGRAMS=' dropbear scp dropbearkey dbclient' install
[root@qq dropbear-2013.58]# make PROGRAMS=' dropbear scp dropbearkey dbclient' install
install -d -m 755 /usr/local/sbin
install -m 755 dropbear /usr/local/sbin
chown root /usr/local/sbin/dropbear
chgrp 0 /usr/local/sbin/dropbear
install -d -m 755 /usr/local/bin
install -m 755 scp /usr/local/bin
chown root /usr/local/bin/scp
chgrp 0 /usr/local/bin/scp
install -d -m 755 /usr/local/bin
install -m 755 dropbearkey /usr/local/bin
chown root /usr/local/bin/dropbearkey
chgrp 0 /usr/local/bin/dropbearkey
install -d -m 755 /usr/local/bin
install -m 755 dbclient /usr/local/bin
chown root /usr/local/bin/dbclient
chgrp 0 /usr/local/bin/dbclient
[root@qq dropbear-2013.58]#
[root@qq dropbear-2013.58]# cd /usr/local/bin
[root@qq bin]# ls
dbclient dropbearkey scp
使用dropbear
1、生成密鑰
1.1 創建目錄
[root@qq bin]# mkdir /etc/dropbear
1.2 生成密鑰
[root@qq bin]# dropbearkey -t rsa -f /etc/dropbear/dropbear_rsa_host_key -s 2048
Will output 2048 bit rsa secret key to '/etc/dropbear/dropbear_rsa_host_key'
Generating key, this may take a while...
Public key portion is:
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAmtSn/j31kRsMGL2pcW2GhRaPRyhdC3wbtwuajPbyAvNPf/AiLMD7m31ZbyzQTlARzufZWFSeXuyjyxUNfR5zcfrcVErbz8p2Wub8Qm1H9hGz90Syy7RahwcdCmiEtG/E91t83knmOMRgncDnqi7qlCVUy31/hn3A7Dynt8Zpmjya2XpgRmHhplN4JcF7HHQ6RUamkJPYI2g8/hIyEaLbAaJMFfN0XMj2Q9urvjjyRxbSsSTdjD2GEQUBL+rrkIoxQ3DDx/5d5TKYA/YelFmMckCUJtvaEJa8kbzCxy2nWGBjde3JLRemHrOL0AMNJghxC4EUYWoweCWHyxWf14mZzu16Q== root@qq
Fingerprint: md5 d9:61:9d:b3:a7:d7:0a:f7:45:bb:4b:4d:9f:a1:08:1a
[root@qq bin]#
[root@qq bin]# ls /etc/dropbear/dropbear_rsa_host_key
/etc/dropbear/dropbear_rsa_host_key
1.3 生成主機密鑰
[root@qq bin]# dropbearkey -t dss -f /etc/dropbear/dropbear_dss_host_key
Will output 1024 bit dss secret key to '/etc/dropbear/dropbear_dss_host_key'
Generating key, this may take a while...
Public key portion is:
ssh-dss AAAAB3NzaC1kc3MAAACBALUVJRlZA2gh8WZAoVppglsAPHOS//uDWQqaqE5ZOiCtvhOCky1KWku4sIZQ1cK3hGTKXT+BG+2bU0HG0izn2ETqearYQo1FdU5f5opY9mxQZuBWwsscMdPAi/VL1LTBBoCJvHxfzPZIHh5+6l1TQmAbV7xqRvwEK8Kg6LngNY6lAAAAFQDKEWBnLwZ4gD0ad4kBVt88aZUaZQAAAIAzB13qfUl+EGe3Goa1dYQYM3U8X7W+5kx83Qxa4EANbb89ORPQg33fM4UMBFrM0BnG2XGeHbmxLQdizWfVJb8KdK8tHYGyCJVSF+0a42lIxlIHFi0EB6QPfLfNyYsYoB/BfxqVhtoQTQiFhqGvY+SP66oQde6r+t0ad0yqxtw+9QAAAIAxrt0bbKFkTixyRIe/XJJqNE+7UMSStH4M0oEq7T6mpJPwhZHXkhI2g/9rQ8u0erDDVsiZ+/5mB4ZBzmWBPU4xzITWjHhp0YuWLV2CI2oRBR/P6Jvyw+4+/BTM/Afsqs/QOkKzQmYRW6+zLNM9f0TXxkGigTinnBgskZy9IJKEPg== root@qq
Fingerprint: md5 cc:d6:76:e2:1a:00:b0:2d:1d:49:67:f1:9d:e8:33:7f
[root@qq bin]#
[root@qq bin]#
[root@qq bin]# ls /etc/dropbear/
dropbear_dss_host_key dropbear_rsa_host_key
[root@qq bin]#
2、啓動服務
2.1 首先前臺測試
[root@qq bin]# dropbear -p :22022 -F -E
[61370] Jul 29 16:17:57 Not backgrounding
[root@qq bin]# ss -tnl
State Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0 10 10.201.106.129:53 *:*
LISTEN 0 10 127.0.0.1:53 *:*
LISTEN 0 128 :::22 :::*
LISTEN 0 128 *:22 *:*
LISTEN 0 64 :::23 :::*
LISTEN 0 128 127.0.0.1:631 *:*
LISTEN 0 128 ::1:631 :::*
LISTEN 0 128 127.0.0.1:953 *:*
LISTEN 0 100 ::1:25 :::*
LISTEN 0 100 127.0.0.1:25 *:*
LISTEN 0 128 :::43521 :::*
LISTEN 0 20 :::22022 :::*
LISTEN 0 20 *:22022 ##### *:*
LISTEN 0 128 *:35240 *:*
LISTEN 0 128 :::111 :::*
LISTEN 0 128 *:111 *:*
2.2 遠程登錄測試
[root@zz ~]# ssh -P 22022 [email protected]
ssh: connect to host 22022 port 22: Invalid argument
[root@zz ~]# ssh -p 22022 [email protected]
The authenticity of host '[10.201.106.129]:22022 ([10.201.106.129]:22022)' can't be established.
RSA key fingerprint is d9:61:9d:b3:a7:d7:0a:f7:45:bb:4b:4d:9f:a1:08:1a.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '[10.201.106.129]:22022' (RSA) to the list of known hosts.
[email protected]'s password:
[root@qq ~]# pstree
init─┬─abrtd
├─acpid
├─atd
├─auditd───{auditd}
├─automount───4*[{automount}]
├─certmonger
├─console-kit-dae───63*[{console-kit-da}]
├─crond
├─cupsd
├─dbus-daemon───{dbus-daemon}
├─hald─┬─hald-runner─┬─hald-addon-acpi
│ │ ├─hald-addon-inpu
│ │ └─hald-addon-rfki
│ └─{hald}
├─login───bash
├─master─┬─pickup
│ └─qmgr
├─mcelog
├─5*[mingetty]
├─named───3*[{named}]
├─rpc.statd
├─rpcbind
├─rsyslogd───3*[{rsyslogd}]
├─2*[sshd───bash]
├─sshd─┬─sshd───sshd───bash
│ ├─sshd───bash
│ └─sshd───bash───dropbear───dropbear───bash───pstree
├─udevd───2*[udevd]
└─xinetd
[root@qq ~]#
[root@qq bin]# dropbear -p :22022 -F -E
[61370] Jul 29 16:17:57 Not backgrounding
[61414] Jul 29 16:22:24 Child connection from 10.201.106.128:33608
[61414] Jul 29 16:22:30 Password auth succeeded for 'root' from 10.201.106.128:33608
3、使用dbclient客戶端連接測試
[root@qq bin]# dbclient 10.201.106.128
[email protected]'s password:
Last login: Sun Jul 31 01:54:38 2016 from 10.201.106.1
[root@zz ~]# exit
logout
[root@qq bin]# [61414] Jul 29 16:30:09 Exit (root): Disconnect received
[root@qq bin]#
創建私有CA
私有CA默認配置文件( openssl的配置文件)
[root@qq bin]# cat /etc/pki/tls/openssl.cnf
CA目錄
[root@qq bin]# ll /etc/pki/CA/
total 16
drwxr-xr-x. 2 root root 4096 Oct 15 2014 certs #已簽署證書
drwxr-xr-x. 2 root root 4096 Oct 15 2014 crl #吊銷證書列表
drwxr-xr-x. 2 root root 4096 Oct 15 2014 newcerts #剛剛簽署完的證書
drwx------. 2 root root 4096 Oct 15 2014 private
1、創建所需要的文件
[root@zz ~]# cd /etc/pki/CA/
[root@zz CA]#
[root@zz CA]# touch index.txt ***
[root@zz CA]# ll
total 16
drwxr-xr-x. 2 root root 4096 May 9 20:32 certs
drwxr-xr-x. 2 root root 4096 May 9 20:32 crl
-rw-r--r--. 1 root root 0 Jul 31 07:15 index.txt
drwxr-xr-x. 2 root root 4096 May 9 20:32 newcerts
drwx------. 2 root root 4096 May 9 20:32 private
[root@zz CA]# echo 01 > serial ***
[root@zz CA]# ll
total 20
drwxr-xr-x. 2 root root 4096 May 9 20:32 certs
drwxr-xr-x. 2 root root 4096 May 9 20:32 crl
-rw-r--r--. 1 root root 0 Jul 31 07:15 index.txt
drwxr-xr-x. 2 root root 4096 May 9 20:32 newcerts
drwx------. 2 root root 4096 May 9 20:32 private
-rw-r--r--. 1 root root 3 Jul 31 07:15 serial
[root@zz CA]#
2、生成私鑰
[root@zz CA]# (umask 077; openssl genrsa -out private/cakey.pem 2048 )
Generating RSA private key, 2048 bit long modulus
...+++
.................................+++
e is 65537 (0x10001)
[root@zz CA]#
[root@zz CA]# ll -l private/
total 4
-rw-------. 1 root root 1675 Jul 31 07:24 cakey.pem
3、生成自簽證書
[root@zz CA]# cd /etc/pki/CA/
[root@zz CA]# ls
certs crl index.txt newcerts private serial
[root@zz CA]# ls private/
cakey.pem
[root@zz CA]#
[root@zz CA]# openssl req -new -x509 -key private/cakey.pem -days 7300 -out cacert.pem
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:Beijing
Locality Name (eg, city) [Default City]:Beijing
Organization Name (eg, company) [Default Company Ltd]:MageEdu
Organizational Unit Name (eg, section) []:Ops
Common Name (eg, your name or your server's hostname) []:ca.magedu.com
Email Address []:[email protected]
[root@zz CA]# ll
total 24
-rw-r--r--. 1 root root 1424 Jul 31 07:36 cacert.pem
drwxr-xr-x. 2 root root 4096 May 9 20:32 certs
drwxr-xr-x. 2 root root 4096 May 9 20:32 crl
-rw-r--r--. 1 root root 0 Jul 31 07:15 index.txt
drwxr-xr-x. 2 root root 4096 May 9 20:32 newcerts
drwx------. 2 root root 4096 Jul 31 07:24 private
-rw-r--r--. 1 root root 3 Jul 31 07:15 serial
[root@zz CA]#
發證
1、客戶端創建存放CA的目錄
[root@zz ~]# cd /etc/httpd/
[root@zz httpd]# ls
conf conf.d logs modules run
[root@zz httpd]#
[root@zz httpd]# mkdir ssl
[root@zz httpd]# ll
total 12
drwxr-xr-x. 2 root root 4096 Jun 17 13:42 conf
drwxr-xr-x. 2 root root 4096 Jun 14 21:50 conf.d
lrwxrwxrwx. 1 root root 19 Jun 14 21:09 logs -> ../../var/log/httpd
lrwxrwxrwx. 1 root root 29 Jun 14 21:09 modules -> ../../usr/lib64/httpd/modules
lrwxrwxrwx. 1 root root 19 Jun 14 21:09 run -> ../../var/run/httpd
drwxr-xr-x. 2 root root 4096 Jul 31 09:11 ssl
[root@zz httpd]#
2、客戶端生成私鑰文件
[root@zz ssl]# (umask 077; openssl genrsa -out httpd.key 2048)
Generating RSA private key, 2048 bit long modulus
...+++
....+++
e is 65537 (0x10001)
[root@zz ssl]# ll
total 4
-rw-------. 1 root root 1675 Jul 31 09:56 httpd.key
[root@zz ssl]#
3、私鑰提取公鑰,生成證書請求
[root@qq tmp]# openssl req -new -key httpd.key -days 365 -out httpd.csrYou are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:Beijing
Locality Name (eg, city) [Default City]:Beijing
Organization Name (eg, company) [Default Company Ltd]:MageEdu
Organizational Unit Name (eg, section) []:Ops
Common Name (eg, your name or your server's hostname) []:www.magedu.com
Email Address []:[email protected]
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
[root@zz ssl]# ls
httpd.csr httpd.key
4、上傳證書申請到CA服務器
[root@qq tmp]# scp httpd.csr [email protected]:/tmp
[email protected]'s password:
5、簽署證書
[root@zz CA]# openssl ca -in /tmp/httpd.csr -out certs/httpd.crt -days 365
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 1 (0x1)
Validity
Not Before: Jul 31 04:49:04 2016 GMT
Not After : Jul 31 04:49:04 2017 GMT
Subject:
countryName = CN
stateOrProvinceName = Beijing
organizationName = MageEdu
organizationalUnitName = Ops
commonName = www.magedu.com
emailAddress = [email protected]
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
A3:AD:F4:55:D9:B5:74:AA:A8:9B:ED:0F:47:36:07:7B:8A:59:98:6D
X509v3 Authority Key Identifier:
keyid:0B:9F:56:6A:38:75:94:CD:B2:35:6E:FA:91:00:37:7C:3F:35:E5:39
Certificate is to be certified until Jul 31 04:49:04 2017 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
[root@zz CA]#
[root@zz CA]# ls /tmp/
httpd.crt httpd.csr
[root@zz CA]#
6、查看簽署記錄
[root@zz CA]# cat index.txt
V 170731044904Z 01 unknown /C=CN/ST=Beijing/O=MageEdu/OU=Ops/CN=www.magedu.com/[email protected]
[root@zz CA]#
新生成的證書
[root@zz CA]# ls newcerts/
01.pem
[root@zz CA]#
保存並重命名證書
[root@zz CA]# cp newcerts/01.pem certs/httpd.pem
[root@zz CA]# ls certs/
httpd.pem
[root@zz CA]#
7、將簽署完的證書發還給客戶端
[root@zz CA]# scp /tmp/httpd.crt [email protected]:/etc/httpd
[email protected]'s password:
httpd.crt 100% 4623 4.5KB/s 00:00
[root@zz CA]#
中途使用scp發現了一個問題,之前便已安裝干擾了scp
1、查看scp依賴的ssh的路徑
[root@qq tmp]# rpm -ql openssh-clients
/etc/ssh/ssh_config
/usr/bin/.ssh.hmac
/usr/bin/scp
/usr/bin/sftp
/usr/bin/slogin
/usr/bin/ssh
/usr/bin/ssh-add
/usr/bin/ssh-agent
/usr/bin/ssh-copy-id
/usr/bin/ssh-keyscan
/usr/libexec/openssh/ssh-pkcs11-helper
/usr/share/man/man1/scp.1.gz
/usr/share/man/man1/sftp.1.gz
/usr/share/man/man1/slogin.1.gz
/usr/share/man/man1/ssh-add.1.gz
/usr/share/man/man1/ssh-agent.1.gz
/usr/share/man/man1/ssh-copy-id.1.gz
/usr/share/man/man1/ssh-keyscan.1.gz
/usr/share/man/man1/ssh.1.gz
/usr/share/man/man5/ssh_config.5.gz
2、複製文件
[root@qq tmp]# /usr/bin/scp /tmp/httpd.crt [email protected]:/tmp
8、查看證書信息
[root@qq tmp]# openssl x509 -in httpd.crt -noout -text
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 1 (0x1)
Signature Algorithm: sha1WithRSAEncryption
Issuer: C=CN, ST=Beijing, L=Beijing, O=MageEdu, OU=Ops, CN=ca.magedu.com/[email protected]
Validity
Not Before: Jul 31 04:49:04 2016 GMT
Not After : Jul 31 04:49:04 2017 GMT
Subject: C=CN, ST=Beijing, O=MageEdu, OU=Ops, CN=www.magedu.com/[email protected]
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:d9:e8:0c:6e:a8:c1:92:48:7a:0e:78:f9:a8:84:
43:99:04:22:8d:04:c7:e1:28:b3:69:0f:aa:ae:4d:
7e:78:7d:31:72:3a:63:42:da:52:00:76:04:26:e1:
45:d3:e4:cc:9e:18:20:a6:4a:8a:98:cd:b0:09:15:
da:32:b6:fc:b0:54:02:c3:17:df:8a:aa:36:89:34:
e4:79:d4:ac:e9:df:9f:ef:a4:12:fd:98:ba:0d:cd:
a2:00:76:df:d3:1f:80:1b:1d:bc:84:5c:b1:12:d9:
10:df:ad:a1:9b:fe:06:46:b3:0d:b3:22:81:f8:e0:
73:87:fc:da:99:6f:ea:54:bb:73:3a:1c:a1:db:45:
ec:ad:8a:52:6f:65:70:66:ad:f1:99:a0:4c:6d:4c:
91:24:47:41:81:da:dd:22:99:d9:0f:f2:9f:00:a2:
f4:47:46:5b:f9:12:31:e6:2e:9a:8c:1c:f4:28:51:
2f:4f:0f:e3:aa:01:3a:bf:04:65:11:9c:ee:b1:68:
01:c0:3a:28:53:10:40:60:85:92:25:02:a9:8f:a1:
da:b7:fb:53:4f:bc:00:88:18:21:e7:ec:f6:5f:27:
b2:b1:20:56:59:1d:21:6f:cc:54:d7:ae:30:ce:74:
d4:ad:1a:7b:86:34:62:47:8b:ba:3e:14:ac:f1:7f:
90:bf
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
A3:AD:F4:55:D9:B5:74:AA:A8:9B:ED:0F:47:36:07:7B:8A:59:98:6D
X509v3 Authority Key Identifier:
keyid:0B:9F:56:6A:38:75:94:CD:B2:35:6E:FA:91:00:37:7C:3F:35:E5:39
Signature Algorithm: sha1WithRSAEncryption
35:71:e3:df:25:3a:b9:cd:21:74:15:a0:52:4c:fc:7f:98:8f:
71:3f:69:a7:1b:21:4b:47:bc:b0:65:27:4d:95:4d:fd:6f:85:
36:00:f4:ce:88:ab:6e:a9:20:d0:e7:69:81:76:1f:d2:bf:ac:
3f:58:f6:7f:86:3f:89:82:c9:44:fe:eb:bd:33:1d:27:87:04:
85:c0:c2:a9:4e:01:d5:7f:a9:4a:ac:20:b0:c7:69:11:4b:02:
f7:7f:36:01:a4:88:32:01:b9:1c:0d:a3:31:51:f8:15:8b:f8:
6c:9c:ea:88:d2:6e:a5:96:11:ca:83:5a:95:e8:81:5c:4f:e8:
22:2c:35:5f:4b:a5:e8:c3:4a:f1:ad:98:7f:13:14:8d:04:69:
74:2c:77:b0:14:93:24:fa:40:95:ca:4c:b4:ef:d1:13:22:25:
d3:d2:d5:e2:75:9a:50:eb:11:f6:90:94:ca:06:28:03:c4:ab:
3a:6b:68:22:bc:4d:ed:e2:d5:3f:61:70:1f:1b:37:df:31:81:
8a:be:3d:9b:11:92:af:7c:51:f3:1b:00:81:c5:4b:d3:30:30:
1b:6f:47:c7:02:2a:f2:1b:84:8c:be:63:05:ce:b0:3c:51:20:
8a:aa:a1:bf:a4:6f:63:41:16:63:0c:d2:39:45:88:77:cd:15:
be:33:c4:f1
[root@qq tmp]#
[root@qq tmp]#
[root@qq tmp]# openssl x509 -in httpd.crt -noout -subject
subject= /C=CN/ST=Beijing/O=MageEdu/OU=Ops/CN=www.magedu.com/[email protected]
[root@qq tmp]#
[root@qq tmp]#
[root@qq tmp]#
[root@qq tmp]# openssl x509 -in httpd.crt -noout -serial
serial=01
[root@qq tmp]#
