TCP/IP:安全
A--> B
机密性:明文传输(ftp,http,smtp,telnet)
完整性:10 (100)
身份验证:
机密性:plaintext --> 转换规则 --> ciphertext
ciphertext --> 转换规则 --> plaintext
转换算法:保证数据机密性的最核心不是算法本身,而是密钥,换一种密钥非常简单,要换算法非常难;
对称加密:计算速度快,算法,安全性完全依赖于密钥,无法对密钥有效管理;
数据完整性:A-->B
Eve
单向加密算法:提取数据特征码;
输入一样:输出必然相同
雪崩效应:输入的微小改变,将会引起结果的巨大改变
定长输出:无论原始数据多大,结果大小都是相同的
不可逆:无法根据特征码还原原来的数据
A:plaintext:footprint --> B
E:plaintext2:footprint --> B
A:plaintext:(footprint) --> B
协商生成密码:密钥交换(Internet Key Exchange,IKE)
Diffie-Hellman协议:
A --> B
P, g (大素数,生成数)
A:x
B:y
A:g^x%p --> B
B:g^y%p --> A
g,p,g^x%p,g^y%p
A:(g^y%p)^x=g^yx%p
B:(g^x%p)^y=g^xy%p
密钥交换算法
公钥加密算法:非对称加密算法
密钥对:
公钥:p,公钥是从私钥中提取出来的;
私钥:s,非常长;
公钥加密必须使用私钥解密,反之亦然;
发送方用自己的私钥加密数据,可以实现身份验证
发送方用对方的公钥加密数据,可以保证数据的机密性
公钥加密算法很少用来加密数据:速度太慢
PKI:Public Key Infrastructure公钥基础设施
CA:Certificate Authority证书颁发机构
私钥应该加密存放,私钥加密固然可以保护私钥,每次使用私钥加密数据都需要输入密码;
证书格式:
X509,pkcs12
X509:
公钥及有效期限
证书的合法拥有者
证书该如何被使用
CA的信息
CA签名的校验码
PKI:TLS/SSL:x509证书
PKI:OpenGPG
TLS/SSL Handshake(握手):
SSL:Secure Socket Layer安全套接字层,SSLv2,SSLv3,处于应用层和传输层之间;
TLS:Transport Layer Security传输层安全,TLSv1相当于SSLv3;
SSL会话建立过程:
以http为例,http是基于tcp的,因此双方在建立http会话之前要三次握手,在tcp完成握手之后,本来双方就互相通信,有了https就不是这样,首先客户端向服务器发起会话请求,服务器端此时不会直接去跟客户端传递http协议包的,而是先跟客户端互相协商建立ssl会话,比如使用ssl版本号(SSLv2,SSLv3,TLSv1),一旦协商好了,服务器端将会将自己的证书发给客户端,客户端在获取到证书以后要验证证书是否是信任机构颁发的,还要验证这个证书是不是完整的,如果是就拿着证书的公钥使用,客户端将会生成会话密钥,https的主要作用在于接下来的web服务器数据会话传递是通过加密方式实现的,加密一定要用对称加密算法,非对称的速度太慢,既然是对称加密就需要加密密码,如何生成密码,它们不是密钥交换实现的,而是客户端通过随机数选择生成一个随机的对称密钥,并且将这个密码通过服务器端的公钥加密以后传递给服务器端,服务器端就可以通过这个密码加密数据给客户端发送数据,在双方协商不但要协商ssl协议,还要协商双方使用的机密算法;
对称加密:
DES:Data Encription Standard标准数据加密,56bit
3DES:
AES:Advanced高级加密标准,128bit
AES192,AES256,AES512
Blowfish
对称加密工具:
openssl
gpg
单向加密:
MD4
MD5:128bit
SHA1:160bit
SHA192,SHA256,SHA384
CRC-32:循环冗余校验码,校验码机制
公钥加密:(加密/签名)
身份认证(数字签名)
数据加密
密钥交换
RSA:既可以加密又能实现签名
DSA:只能实现签名,美国国家安全局
ElGamal:商业算法
OpenSSL:SSL的开源实现,功能非常强大,几乎了实现世面上所有主流的加密算法,而且工作性能也非常好;
libcrpto:通用加密库,库文件,任何软件要想实现加密功能,只需要链接到libcrpto,就可以调用加密功能,提供了各种加密函数
libssl:TLS/SSL的实现
基于会话的、实现了身份认证、数据机密性和会话完整性的TLS/SSL库
openssl:多用途命令行工具
实现私有证书办法机构
OpenSSL官方站点:http://www.openssl.org/
子命令:
openssl实现私有CA:
1、生成一堆密钥
2、生成自签署证书
openssl genrsa -out /PATH/TO/KEYFILENAME NUMBITS(生成私钥,类型rsa加密,-out保存公钥文件,NUMBITS公钥位数)
openssl rsa -in /PATH/TO/KEYFILENAME -pubout(在私钥中提取公钥,类型rsa加密,-in指定私钥文件,-pubout提取公钥)
[root@Smoke ~]# rpm -q openssl(查看有没有安装openssl的RPM包)
openssl-0.9.8e-22.el5
[root@Smoke ~]# rpm -ql openssl(查看openssl安装生成那些文件)
/etc/pki/CA
/etc/pki/CA/private
/etc/pki/tls
/etc/pki/tls/cert.pem
/etc/pki/tls/certs
/etc/pki/tls/certs/Makefile
/etc/pki/tls/certs/ca-bundle.crt
/etc/pki/tls/certs/make-dummy-cert
/etc/pki/tls/misc
/etc/pki/tls/misc/CA
/etc/pki/tls/misc/c_hash
/etc/pki/tls/misc/c_info
/etc/pki/tls/misc/c_issuer
/etc/pki/tls/misc/c_name
/etc/pki/tls/openssl.cnf(让openssl工作成私有CA的时候用到)
/etc/pki/tls/private(从本行到首行都是配置文件)
/lib/.libcrypto.so.0.9.8e.hmac(通用加密库)
/lib/.libcrypto.so.6.hmac
/lib/.libssl.so.0.9.8e.hmac(TLS/SSL的实现)
/lib/.libssl.so.6.hmac
/lib/libcrypto.so.0.9.8e
/lib/libcrypto.so.6
/lib/libssl.so.0.9.8e
/lib/libssl.so.6
/usr/bin/openssl(openssl二进制程序)
/usr/lib/openssl
/usr/lib/openssl/engines
/usr/lib/openssl/engines/lib4758cca.so
/usr/lib/openssl/engines/libaep.so
/usr/lib/openssl/engines/libatalla.so
/usr/lib/openssl/engines/libchil.so
/usr/lib/openssl/engines/libcswift.so
/usr/lib/openssl/engines/libgmp.so
/usr/lib/openssl/engines/libnuron.so
/usr/lib/openssl/engines/libsureware.so
/usr/lib/openssl/engines/libubsec.so
/usr/share/doc/openssl-0.9.8e
/usr/share/doc/openssl-0.9.8e/CHANGES
/usr/share/doc/openssl-0.9.8e/FAQ
/usr/share/doc/openssl-0.9.8e/INSTALL
/usr/share/doc/openssl-0.9.8e/LICENSE
/usr/share/doc/openssl-0.9.8e/NEWS
/usr/share/doc/openssl-0.9.8e/README
/usr/share/doc/openssl-0.9.8e/README.FIPS
/usr/share/doc/openssl-0.9.8e/c-indentation.el
/usr/share/doc/openssl-0.9.8e/openssl.txt
/usr/share/doc/openssl-0.9.8e/openssl_button.gif
/usr/share/doc/openssl-0.9.8e/openssl_button.html
/usr/share/doc/openssl-0.9.8e/ssleay.txt
/usr/share/man/man1/asn1parse.1ssl.gz
/usr/share/man/man1/ca.1ssl.gz
/usr/share/man/man1/ciphers.1ssl.gz
/usr/share/man/man1/crl.1ssl.gz
/usr/share/man/man1/crl2pkcs7.1ssl.gz
/usr/share/man/man1/dgst.1ssl.gz
/usr/share/man/man1/dhparam.1ssl.gz
/usr/share/man/man1/dsa.1ssl.gz
/usr/share/man/man1/dsaparam.1ssl.gz
/usr/share/man/man1/ec.1ssl.gz
/usr/share/man/man1/ecparam.1ssl.gz
/usr/share/man/man1/enc.1ssl.gz
/usr/share/man/man1/errstr.1ssl.gz
/usr/share/man/man1/gendsa.1ssl.gz
/usr/share/man/man1/genrsa.1ssl.gz
/usr/share/man/man1/md2.1ssl.gz
/usr/share/man/man1/md4.1ssl.gz
/usr/share/man/man1/md5.1ssl.gz
/usr/share/man/man1/mdc2.1ssl.gz
/usr/share/man/man1/nseq.1ssl.gz
/usr/share/man/man1/ocsp.1ssl.gz
/usr/share/man/man1/openssl.1ssl.gz
/usr/share/man/man1/pkcs12.1ssl.gz
/usr/share/man/man1/pkcs7.1ssl.gz
/usr/share/man/man1/pkcs8.1ssl.gz
/usr/share/man/man1/req.1ssl.gz
/usr/share/man/man1/ripemd160.1ssl.gz
/usr/share/man/man1/rsa.1ssl.gz
/usr/share/man/man1/rsautl.1ssl.gz
/usr/share/man/man1/s_client.1ssl.gz
/usr/share/man/man1/s_server.1ssl.gz
/usr/share/man/man1/s_time.1ssl.gz
/usr/share/man/man1/sess_id.1ssl.gz
/usr/share/man/man1/sha.1ssl.gz
/usr/share/man/man1/sha1.1ssl.gz
/usr/share/man/man1/smime.1ssl.gz
/usr/share/man/man1/speed.1ssl.gz
/usr/share/man/man1/spkac.1ssl.gz
/usr/share/man/man1/sslpasswd.1ssl.gz
/usr/share/man/man1/sslrand.1ssl.gz
/usr/share/man/man1/verify.1ssl.gz
/usr/share/man/man1/version.1ssl.gz
/usr/share/man/man1/x509.1ssl.gz
/usr/share/man/man5/config.5ssl.gz
/usr/share/man/man5/x509v3_config.5ssl.gz
/usr/share/man/man7/des_modes.7ssl.gz
[root@Smoke ~]# openssl version(查看openssl版本号)
OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008
[root@Smoke ~]# openssl ?
openssl:Error: '?' is an invalid command.(?问号是个无效的命令,但是可以显示帮助信息)
Standard commands(标准命令)
asn1parse ca ciphers crl crl2pkcs7
dgst dh dhparam dsa dsaparam
enc(加密) engine errstr gendh gendsa
genrsa nseq ocsp passwd pkcs12
pkcs7 pkcs8 prime rand req
rsa rsautl s_client s_server s_time
sess_id smime speed(加密测速) spkac verify
version x509
Message Digest commands (see the `dgst' command for more details)(信息摘要算法相关的命令)
md2 md4 md5 rmd160 sha
sha1
Cipher commands (see the `enc' command for more details)(加密命令)
aes-128-cbc aes-128-ecb aes-192-cbc aes-192-ecb aes-256-cbc
aes-256-ecb base64 bf bf-cbc bf-cfb
bf-ecb bf-ofb cast cast-cbc cast5-cbc
cast5-cfb cast5-ecb cast5-ofb des des-cbc
des-cfb des-ecb des-ede des-ede-cbc des-ede-cfb
des-ede-ofb des-ede3 des-ede3-cbc des-ede3-cfb des-ede3-ofb
des-ofb des3 desx rc2 rc2-40-cbc
rc2-64-cbc rc2-cbc rc2-cfb rc2-ecb rc2-ofb
rc4 rc4-40
[root@Smoke ~]# openssl speed des(测试openssl对各种加密算法支持的速度,这种速度可以对当前系统性能加密性能进行评估的)
Doing des cbc for 3s on 16 size blocks: 10478118 des cbc's in 2.91s
Doing des cbc for 3s on 64 size blocks: 2684334 des cbc's in 2.89s
Doing des cbc for 3s on 256 size blocks: 670000 des cbc's in 2.90s
Doing des cbc for 3s on 1024 size blocks: 165703 des cbc's in 2.88s
Doing des cbc for 3s on 8192 size blocks: 20509 des cbc's in 2.91s
Doing des ede3 for 3s on 16 size blocks: 3811454 des ede3's in 2.89s
Doing des ede3 for 3s on 64 size blocks: 953281 des ede3's in 2.87s
Doing des ede3 for 3s on 256 size blocks: 236931 des ede3's in 2.88s
Doing des ede3 for 3s on 1024 size blocks: 59735 des ede3's in 2.90s
Doing des ede3 for 3s on 8192 size blocks: 7447 des ede3's in 2.88s
OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008
built on: Wed Jan 18 10:10:56 EST 2012
options:bn(64,32) md2(int) rc4(idx,int) des(ptr,risc1,16,long) aes(partial) blowfish(idx)
compiler: gcc -fPIC -DOPENSSL_PIC -DZLIB -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -DKRB5_MIT -I/usr/kerberos/
include -DL_ENDIAN -DTERMIO -Wall -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer
-size=4 -m32 -march=i686 -mtune=generic -fasynchronous-unwind-tables -Wa,--noexecstack -DOPENSSL_USE_NEW_FUNCTIONS -fno-strict
-aliasing -DOPENSSL_BN_ASM_PART_WORDS -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DSHA1_ASM -DMD5_ASM -DRMD160_ASM -DAES_ASM
available timing options: TIMES TIMEB HZ=100 [sysconf value]
timing function used: times
The 'numbers' are in 1000s of bytes per second processed.
type 16 bytes(每16字节一个块) 64 bytes 256 bytes 1024 bytes 8192 bytes
des cbc 57611.65k(每秒处理多少数据) 59445.46k 59144.83k 58916.62k 57735.30k
des ede3 21101.48k 21257.83k 21060.53k 21092.63k 21182.58k
提示:如果不指定算法,对所有算法都进行测试;
[root@Smoke ~]# whatis enc(查看enc有几张节中的man文档)
enc (1ssl) - symmetric cipher routines
[root@Smoke ~]# man enc(查看openssl子命令enc的man帮助文档)
openssl enc -ciphername(加密算法名字) [-in filename](从那个文件读出来) [-out filename](加密结果保存什么文件里) [-pass arg]
[-e](加密) [-d](解密) [-a] [-A] [-k password](加密密钥) [-kfile filename] [-K key] [-iv IV] [-p] [-P] [-bufsize number]
[-nopad] [-debug]
-salt:实现更高的安全性,openssl 0.9.5以后版本支持;
-a:基于64机制进行数据处理,因为是纯文本的,先对文本进行base64编码;
[root@Smoke ~]# whatis passwd(查看passwd有几章节的man文档)
passwd (1) - update user's authentication tokens
passwd (5) - password file
passwd (rpm) - The passwd utility for setting/changing passwords using PAM
passwd [sslpasswd] (1ssl) - compute password hashes
[root@Smoke ~]# man sslpasswd(查看openssl子命令passwd的man帮会组文档)
对文件进行加密:
[root@Smoke ~]# cp /etc/inittab ./(复制inittab文件到当前目录)
[root@Smoke ~]# openssl enc -des3 -salt -a -in inittab -out inittab.des3(对inittab文件进行加密,enc加密,-des3加密算法,-salt实现更高
安全性,-a对文本进行base64编码,-in文件来源,-out加密后的文件)
enter des-ede3-cbc encryption password:(输入密码)
Verifying - enter des-ede3-cbc encryption password:
[root@Smoke ~]# ls inittab*(查看inittab字符开头的文件)
inittab inittab.des3
[root@Smoke ~]# rm inittab(删除inittab文件)
rm: remove regular file `inittab'? y
[root@Smoke ~]# cat inittab.des3(查看inittab.des3文件内容)
U2FsdGVkX1+2JyfqyJqlrtoREioBzl+ALF/4MHIeqQuot6KnqLQwFhQgQz6vdmtI
gva87lnG6o2+165y+c2WsXZ8mG58QcUrrPWSMEH9LCaKeKy1kqh8uPw9wOgYAAEB
9+9H7SHhx36OabADkmOgHJpv10sOR3YzRK+e/XF4Q2tC9SSpQDiYuun6yp30lBHi
7foCpWNvztqUmTQT42xcmvZnBm3BH9RZK2mTHDqJ8A8Umx52joDWA1MVJq739YkX
TaONo58jcV52sdIrmBKAq9gfOD95KMON3hidv9xjunGAYclkHcbwn3qcLj6e8oio
zW4llmjWVW6lGcl2pWJidV7gTz/hThZR5bvFc+OFs22tWtP6Gm+pxpYQu7g/jcnS
iLJfUsW05UFyFviyIII8bwhhR1uQF0b8huQ1zcSVU5wyvNgJHpi3Bo0by28bYQ7z
Vld6Ytry2IDISzVM6n+D8W7sMbL3deikYBj/XA8V7vgV1xc9au21zlPw3edGfTFL
XmZFawGPa1rnCHZPV3hhsvDbJ54riQeoAvq4ETN1m9n6DaX3pTkQa58f3//vQl6t
WsT8d4ihQ1FG9FOEYH+6M6BUSjosVXX0riZCNT3HHiUztHgnsvaBS1fM1rpCgjaS
Vh3d+U0sJkYtJo2auB/rwlAhStgQVq6ENTwSwdk5lyZ2rhzmeclEhslqaVI9449e
S8eP4Wp5dVCLsHsHtnoDx8tK/14iGFGotEzfrv5z9qYZ+3SbxeafcrDLWuX5+/Cb
JTpQSqkyJZMssa3rxQnZqSs/orv5eHyypSLw1IOR2zqSosqZjJeRM8YcwYCjpGM1
8EjTC7i87oNHvFyG1YM4E7q0Nz8NC/4+4yce53aqlryzeDKk20w9pcxSloEdj5WE
BXw7rPkuxZPpSxGt7Iv3BV4ltp/L2mc2LbpqcLB6Ka1xwZma4ckVOlMyyRmbF03c
tW7BzQO5o43sLZdl58Y3PS1BHRPZA724InWZeZiJzWD2q8KfVnJZqtyGPY5puln3
ujBwodZdBqGt6mncvVWcr4Cv56an3IF0eBxPWvzifHNOJDwnx9Zm6a+XhUU7rURi
eMF3q5iZ8sT8SylNaUGWBoM4TO4fuIIqfiJ6bIMkdxFdxKEOoFM3HjwpV2z4/1j3
58RHl6l792ZaMOxEGGgf1kmswTZ2pS1xbpkqNCpIKiMJtAkJPaplx6A4Jx1Oo8yz
27Ct2aIme2oWM5FAqNPrwgfBKy3VqXbNzgjMm0JuQAHTYzJqsdV4oBAilzt8Bd92
hgxDHENlY/rDh7Aswt3vX/jNI2eZjmc5LIF2kloQSTYXVNHCVV5MHTcTDzlAlvlb
sI6SwnzNBE/mSYaEsYElIvpObOzEdJKhYwEXhku5NQjzFppYN9mtZbQeNnuuRpGc
COnpSXRTcXFWOs4WLMpNhFJPKhq9FKcsdX4w0Ruhgogtt0vG3EOkiMvF2A/MkQsH
wD67khECI7Bwu+mgLc1XuG31un+te8OlN+jMAP2oDv/P+OPWWJxY+oWN855Vmoll
6tlTW7Zn5CwDlQlSvikFZtUpE5JjW9f+eM+FELxwtYWdiqzGp7wWlDjEyhb5e0nE
vkxjez5APbMZImmnpr7SQ7cDyiQqpMt4sV7ntK/8QVWKR+4IrT1aXKgwoKHBTuBf
WQg5YEtrwcwFIih/oB7kDDBH7m9v15TnnDpN/8RWddmoBvlFs+hQmfjBXxr2slne
VbrOgdrJwG/7fOoGeF5TiKb+AfWZLcYdCVS/64BjS0+dtQZiPKcqz3dJmosajQq4
ec1tUgZ7bewqWTMtgNcNt+t+gQpEqzPkEI1D4WQOHV4vxcPUA0Edqx+Mh3Y+3iU/
LwtACRMwKVEVN1yECLkHNb+xAKMkVLPrK3VboyEaXcbuL/bsub7wUW6bv7aTWk9f
/qXt1gWHJwfPzs9sUMeSC9lh/jhGYdUb0PHLY0mAf/03OBOyldyPrz6zEqdxD34u
jq/KZ0lUf3QkAdhbD1ot9UB39oWmmBJgqtLiJ/3rmv/t/rmY77iW4ncU/1M/FP1B
zCgPGo5lepzMfEUk+0ZRZitzA280MSJ6uGl8R8FxG2qjFt9TgfeQMRAo8igibvbS
D8VsCf2ndTzw2xVxLQImgo1SCdO9s2mVX2rTOG86ZpWtnZmj4JVaHuyCF2yh0OSi
1dGdT7PFOJZu0c7CyHqr2DOyzgLHCN7kD8DZDeZocjjgNi7c4W1f21zHXdwWc4i4
D8kwavRrp4E=
[root@Smoke ~]# openssl enc -des3 -d -salt -a -in inittab.des3 -out inittab(解密inittab.des3文件,-des3算法,-d解密,-salt更高安全性,
-a对文本进行base64编码,-in需要解密的原文件,-out解密后的文件)
enter des-ede3-cbc decryption password:(输入密码)
[root@Smoke ~]# cat inittab(查看inittab文件内容)
#
# inittab This file describes how the INIT process should set up
# the system in a certain run-level.
#
# Author: Miquel van Smoorenburg, <miquels@drinkel.nl.mugnet.org>
# Modified for RHS Linux by Marc Ewing and Donnie Barnes
#
# Default runlevel. The runlevels used by RHS are:
# 0 - halt (Do NOT set initdefault to this)
# 1 - Single user mode
# 2 - Multiuser, without NFS (The same as 3, if you do not have networking)
# 3 - Full multiuser mode
# 4 - unused
# 5 - X11
# 6 - reboot (Do NOT set initdefault to this)
#
id:3:initdefault:
# System initialization.
si::sysinit:/etc/rc.d/rc.sysinit
l0:0:wait:/etc/rc.d/rc 0
l1:1:wait:/etc/rc.d/rc 1
l2:2:wait:/etc/rc.d/rc 2
l3:3:wait:/etc/rc.d/rc 3
l4:4:wait:/etc/rc.d/rc 4
l5:5:wait:/etc/rc.d/rc 5
l6:6:wait:/etc/rc.d/rc 6
# Trap CTRL-ALT-DELETE
ca::ctrlaltdel:/sbin/shutdown -t3 -r now
# When our UPS tells us power has failed, assume we have a few minutes
# of power left. Schedule a shutdown for 2 minutes from now.
# This does, of course, assume you have powerd installed and your
# UPS connected and working correctly.
pf::powerfail:/sbin/shutdown -f -h +2 "Power Failure; System Shutting Down"
# If power was restored before the shutdown kicked in, cancel it.
pr:12345:powerokwait:/sbin/shutdown -c "Power Restored; Shutdown Cancelled"
# Run gettys in standard runlevels
1:2345:respawn:/sbin/mingetty tty1
2:2345:respawn:/sbin/mingetty tty2
3:2345:respawn:/sbin/mingetty tty3
4:2345:respawn:/sbin/mingetty tty4
5:2345:respawn:/sbin/mingetty tty5
6:2345:respawn:/sbin/mingetty tty6
# Run xdm in runlevel 5
x:5:respawn:/etc/X11/prefdm -nodaemon
计算文件的摘要信息(提取文件指纹):
[root@Smoke ~]# md5sum inittab(计算inittab文件md5校验码)
92a39a223f68e67e9e6c412443851aeb inittab
[root@Smoke ~]# sha1sum inittab(计算inittab文件sha1校验码)
78ef239097844c223671e99a79d6b533dced8d3b inittab
[root@Smoke ~]# openssl dgst -sha1 inittab(通过openssl命令对inittab文件计算sha1校验码,dgst摘要)
SHA1(inittab)= 78ef239097844c223671e99a79d6b533dced8d3b
提示:不管那种工具只要加密算法一样,结果一定一样;
[root@Smoke ~]# openssl dgst -md5 inittab(通过openssl命令对inittab文件计算md5校验码,dgst摘要)
MD5(inittab)= 92a39a223f68e67e9e6c412443851aeb
[root@Smoke ~]# vim inittab(编辑inittab文件)
#(在最后一行加#井号)
[root@Smoke ~]# openssl dgst -md5 inittab(通过openssl命令对inittab文件计算md5校验码,dgst摘要)
MD5(inittab)= be8ab42fb3be8e7f6913183f18997314
提示:一点小的改变,产生结果巨大的改变,雪崩效应;
如何给用户生成密码串:
[root@Smoke ~]# man sslpasswd(查看openssl子命令passwd的man帮助文档)
-1 Use the MD5 based BSD password algorithm 1.(使用md5生成用户密码串)
openssl passwd -crypt -salt xx(指定密码) password prints xxj31ZMTZzkVA.(结果)
提示:openssl命令的passwd子命令也是模拟跟用户passwd命令一样的工具,能够帮助用户生成密码串;
[root@Smoke ~]# openssl passwd -1(使用md5生成用户密码串)
Password: (输入密码)
Verifying - Password:
$1$(两个$中间是加密算法)P6KxC6Tr$(这个$符号和前面之间的是salt)worEd2LrPRruwpp2J1Umw.(加密的密码串)
[root@Smoke ~]# openssl passwd -1(使用md5生成用户密码串)
Password:
Verifying - Password:
$1$DQzxqI8i$8EQNFwQ7bvCDl0T89zXNt0
提示:虽然两次输入的密码都一样,但是生成的密码串不一样,因为加入了salt搅浑密码,所以结果不同;
[root@Smoke ~]# openssl passwd -1 -salt DQzxqI8i(使用md5生成用户密码串,-salt指定加入salt的串)
Password:
$1$DQzxqI8i$8EQNFwQ7bvCDl0T89zXNt0
提示:使用和上次执行命令后输入的密码一样,使用salt指定DQzxqI8i,和上面生成的salt一样后,两次命令生成的密码完全一样,所以salt存在的意义就是为了避免反推密码;
实现非对称加密:
[root@Smoke ~]# openssl ?(查看openssl帮助)
openssl:Error: '?' is an invalid command.
Standard commands
asn1parse ca ciphers crl crl2pkcs7
dgst dh dhparam dsa dsaparam
enc engine errstr gendh gendsa(生成dsa密钥)
genrsa(生成rsa密钥) nseq ocsp passwd pkcs12
pkcs7 pkcs8 prime rand(生成伪随机数) req
rsa rsautl(rsa加密工具) s_client s_server s_time
sess_id smime speed spkac verify
version x509
Message Digest commands (see the `dgst' command for more details)
md2 md4 md5 rmd160 sha
sha1
Cipher commands (see the `enc' command for more details)
aes-128-cbc aes-128-ecb aes-192-cbc aes-192-ecb aes-256-cbc
aes-256-ecb base64 bf bf-cbc bf-cfb
bf-ecb bf-ofb cast cast-cbc cast5-cbc
cast5-cfb cast5-ecb cast5-ofb des des-cbc
des-cfb des-ecb des-ede des-ede-cbc des-ede-cfb
des-ede-ofb des-ede3 des-ede3-cbc des-ede3-cfb des-ede3-ofb
des-ofb des3 desx rc2 rc2-40-cbc
rc2-64-cbc rc2-cbc rc2-cfb rc2-ecb rc2-ofb
rc4 rc4-40
[root@Smoke ~]# man rsa(查看rsa的man帮助文档)
rsa - RSA key processing tool(密钥处理工具)
[root@Smoke ~]# man rsautl(查看rsautl的man帮助文档)
rsautl - RSA utility(rsautl才是真正rsa加密解密工具)
openssl rsautl [-in file] [-out file] [-inkey file](密钥) [-pubin] [-certin] [-sign] [-verify]
[-encrypt](加密) [-decrypt] [-pkcs] [-ssl] [-raw] [-hexdump] [-asn1parse]
[root@Smoke ~]# whatis rand(查看rand的man帮助文档有几章)
rand (3) - pseudo-random number generator
rand (3p) - pseudo-random number generator
rand [sslrand] (1ssl) - generate pseudo-random bytes
rand [sslrand] (3ssl) - pseudo-random number generator
[root@Smoke ~]# man sslrand(查看rand的man帮助文档)
rand - generate pseudo-random bytes(生成伪随机数)
openssl rand [-out file] [-rand file(s)] [-base64] num(生成伪随机数)
[root@Smoke ~]# openssl rand -base64 45(生成随机数,-base64 45指定加密以后的长度)
YPT/Gg5nkiQfTPPotAdd/MZDMWvq0Q0mpDvHwB0s7H+JaG712qrXFz3Q01CX
[root@Smoke ~]# openssl rand -base64 12(生成随机数,-base64 12指定加密以后的长度)
JbGaQMC43JyUloYW
[root@Smoke ~]# man genrsa(查看genrsa的man帮助文档)
genrsa - generate an RSA private key(生成rsa私钥)
openssl genrsa [-out filename](保存文件) [-passout arg] [-des] [-des3](指定加密算法) [-idea] [-f4] [-3] [-rand file(s)]
[-engine id] [numbits](指定密钥长度,默认512位)
提示:既然私钥安全性非常关键,因此不能让别人随意查看,这个文件的权限最起码是600的,可以先生成再更改权限,也可以直接生成文件的时候就有了600权限;
[root@Smoke ~]# openssl genrsa(生成rsa类型的私钥)
Generating RSA private key, 512 bit long modulus
...++++++++++++
....++++++++++++
e is 65537 (0x10001)
-----BEGIN RSA PRIVATE KEY-----
MIIBOwIBAAJBAMYvvne2cbEaNifTGkZGpaZjmt6UTsnCkDPgqT+ghpUFqnVoXABS
3SRc8MM7DrGQd1RqDTzO7v8lrE/V7E25j4cCAwEAAQJAbFVM2ENygkzBraNHiYK0
qe9oiKKpLsCb8r+rxIwLBQnNiobiSm3qcCIX0JWXTNv1MVrkKCNK8yKZ4emxoGCO
gQIhAOT6Pxq9tiNTlsUyWLhGboTOaiJ45IowQDaung/unDujAiEA3ZNBLI5NOh2E
07x3CImjIhtSqFBh2od0DwmVBR4n2s0CIHarTvsf6P5j+taWYi6Wqf6AL7dP6jnI
Ce+NDfP52NR7AiEArZp2cgZ8k5AVRiBf0xyj6FEoDiAMyz9du3pye7QI3fECIQCb
3Ggzl+naUBqqGvsKRRUEK9ll399cQ4/ZbWN5qSI3Ug==
-----END RSA PRIVATE KEY-----
[root@Smoke ~]# openssl genrsa 2048(生成rsa类型的私钥,长度为2048)
Generating RSA private key, 2048 bit long modulus
.................+++
........................................................+++
e is 65537 (0x10001)
-----BEGIN RSA PRIVATE KEY-----
MIIEpAIBAAKCAQEAoYSJmptZUaT/4eRxdHvZK+g1fwoOE2FjHOOdlH/3fBh7htCQ
NsIcMuPdRDr6xWPJ388rm/qOJXXKxp7OXkf0jeK1YIISXm0E0rRPPN4e/IR6u9vM
mGqS/9c48IY42Ysz5IgRf9PLJ5JnjGbZlFqA+q3iyOOz+15pbwqPff+5sHtNZOfs
tz8yUZ11lpJk0QtMxzkZ+m0/IenN6FK/zYXRo4PZdRmFNUpzex3DtlrGXBnt0bt5
qgWYcbM2jLM/Ka0GYY4vIfLEO3t56ct5Oc1MEWGbwHBTqPYH0dGC0jeFaQu0Uo4N
Ok/0RtsHyeYWfdvrWoS1Mc9ZbFUfl461G3BOrwIDAQABAoIBAGSLmhFplX+SpEud
ptbpZfbENdEglESSQl2wf976jjhtETCKUswTp/QyDwKzaHpKNVgiojYWEjjVi+Z6
42KjjmRo9ZnfPsoTOYZlAlKUv1tYqQKawFE9PscO1n48P9WEp0gjQCl/0Z6Pr/Ah
8l48vL/QUTXXMapQSnf6bfr0n0Zxbj7OjbXMmyysmfGk+uGuUNTndYdAjPdk7Tod
jTRUpEK7jUpup5kOSfzCGfXJBO6TYZOLdeieJR/gUfm1WyK8fiIvj6wf3gDaRiaA
XXlRAI5/WHhQUUeK+3cL26DtTUI/XVetr1z2RMElru3tjIUEBOwdKdcO/T87hPFu
Ah0NnfkCgYEAzMfqaLcQ9mSbnxjjNqgktunL1y3JyJyCqe92HfWRE15qOq3CZ46P
F9R84QiVThWSP8IhzciKFi0IwS1RslVmTAIh8rUyUYgjNsxRiUJrkBDCcO/DmOok
0KUYdKdNbkD3oyejOAj1OD5xrW7TfAgkLQcpYlp2ibDn9f2WIn/LpDsCgYEAyep8
yaHAus9sDoMprusEBjxaTTFJ37PYOWHOTFQ5/XgV3IMOcF0O4kYZmumkGFPUurY0
8VaEQGMdkUb2i0Qi4ULBHlNkJhDr8yrJ39d221LuYFyR/PQXEYZSN4VjK89wxRCE
sd+JkppW6qayFDWlm/NS8/zCZgKRNguHicj03B0CgYATVqnHW8ppSlT78FC8v6I/
99I9LuDIZidcvvVrnN4ncxobEn+yYd8XhASLB9F5v0XBaabhlRedQoF6JLp7Wd9A
PE9SaVQoKPASY7crfC9GOp7yJWJWVX5GieDGW2pPiCkaqkqapxXpStRXaYjlRKuN
6Qg6doqNNDyjmWANP/5OMwKBgQCbst2W/cwIQXoplqrF3yOzS0a2z5MPlTbeyLSz
1x8AfWEeMVEpBBk+EqAb/J40xC/96hLZJsXEgKmEJRxoN5pN6ZPRNqy7TcEkOZKB
sTxN051NYRSR4gcH1HQBrDHUzpk+3IX2Q1FqYuky+GfJfbS+lNsamYWt87zV1/4k
GXn3YQKBgQCGCvobHqErqI5ONAv+ZRqvi45kZBdkWTTZcZV2smSIdUoSfSvi2a0Z
HhBVSvHWz7lyCW56lmYrIjcFatw2b/MN8eehj7EBHuJZrjRjURM6OA982s4q0UeH
pzClULwHWN3Dk9WfG5h4TP78dPaf3OqOlRy8v7H9w6FOEnCjAMswjw==
-----END RSA PRIVATE KEY-----
[root@Smoke ~]# openssl genrsa 2048 > server.key(生成rsa类型的密钥,长度为2048,重定向到server.key文件)
Generating RSA private key, 2048 bit long modulus
.............................+++
..............................................+++
e is 65537 (0x10001)
[root@Smoke ~]# cat server.key(查看server.key文件)
-----BEGIN RSA PRIVATE KEY-----
MIIEpAIBAAKCAQEA0pXeA8bnIlRhVp15tZHFKMaoNZ2yPwl+4JtVOzaxjl7PIyJs
59/AsFmrQ7xBKRaJl3P8DuZeEAaA9Yz+n2FyQXxhbRInU5Pcs6EWQGe1nc+dCfbH
R2MRnb4yT+2/nUbVsFbPSzCilAlW1BR25Zm0/mKhWtxvP1FaFZmApj3/ZGHJZOCR
DtpB6xr7si6ewMM/MzTVpBjDmWeIeu1AOZQVi88m/6zHYJcdmNafXJrjOlwWBIyN
YyFa+QSpfKJJKIqr4zE8zqA/wLwJ+GUgGqdJ5wTEjzzkioosw0RSdewEw+NOfiAh
fW2lGK2Xnb03qAH7gxyggl7G6PT4XavSKgoxxQIDAQABAoIBAFenV/08epLYipex
/qosHePmJLgEhuAkRLKbFXQLRQbcwd1/A9PUV/FPsbEFGB5RKj5nYcCV9Qs4mc8b
vBR9TECj1C3BQ6tPPatrXsa6JGemtlgiZzp4qyl8tJZ+gKaniGTZDXnfqZxy8rhe
OEtDmonUZhNa89doNlYNSfZokfim1XeV8vWY4+hxVT9ZSp4aYeXsCsB2JAWjG6V7
q+oBeFut1OiYmSSrFxRYNebdHpgp5Qgw9XfN87XMNlCh1xq7k7U0eO1169/F65we
HGs3rV24JcDkQYUSqAFvvxBM85kpxJ0cBPEvaF1ooJuch6sZ55n+dbUi1CpSu2rv
eQPuI3UCgYEA+0FYBVjP1cu3GM4smLFYPxodeI8JEZSbiZ0P3qJv6iw8l8W1tm4j
lNi+A6CdGbKYX6gUt9mYpoJ9euJENeZgqsnvAdjUC4vMj1Av7LxzdaI3WwGzR8z+
YHoT+da2hDcjknPkKegb28nzMGCOwp1ks3Ky/apyWBhz6686GB6AAq8CgYEA1o/p
QeMufd2X14Keq5IzUnQfHkbDPqEAMu0mLrhSQNpiwjfDrdgbV0fSUOk0qd1FhFwX
wjxLqcuP0vlf8fnBlo7yuThOngeEMRw9kQzpttg4BBGFbEQvGNptAygg+qtZMS22
DLmDImMS5icgZ+zlzGL6GqGQPvrus1gR/IfRP8sCgYEA6zX42MiTiGn1NluMlEUx
f6FLBZmhu7uLAADw4lLewjI3Zz3HJslktetRtsOdTnlK/AG1o4coyHhQT8GSaYMJ
69iuzuPVXhm5nlBLDSw+SllZyPCGjSjy2g5utOy0YIHd4zRq3HBV5CPibd92xeni
Y7t0pNPzx1Tc8D5R/FJRNDECgYEA0uRgwQIrkEteE9WvX7Qz/bdlXrzu64AUUfoG
raU+M8BzkbJ+A0GGniNZ9W1C9jMnQRHDyIa7WAldNGEojQ6P2QxoRuWxYGLC7AJ2
ATxP/AhKBrWyDth18le/DntC7x+8azoi1h8BZas7yDxs/bk7pckjS0nCHiVGucC2
7SAR7EECgYBSY3xzzI5BGV8vp4mdrMKzgthBq362shklRgFUh05vMuwmOeh9kIqu
Yml83PDBwCXc1BHRtdENwJOoIrKXjLQJm9Xeh/mFCxW2+3EBacX66CLibY+WqTeW
qnMRCb8MvSKySEJc+dsdGERNJ7usf7uuKiQktMx3vzjhJX4UtkGF1Q==
-----END RSA PRIVATE KEY-----
[root@Smoke ~]# (umask 077;openssl genrsa -out server1024.key 1024)(使用()括号括起来的一组命令,无论写多少命令,这些命令只在子shell中执行,
不在当前shell中执行,而且执行完以后子shell就退出了,子shell中的所有设定跟我们没关系了,为子shell设定umask 077遮罩码,创建的文件都是600,创建的目录都
是700的,生成rsa类型的私钥,长度为1024,-out保存到server1024.key文件中)
Generating RSA private key, 1024 bit long modulus
..........++++++
......................++++++
e is 65537 (0x10001)
[root@Smoke ~]# ll server*(查看server开头的文件)
-rw------- 1 root root 891 Dec 11 12:50 server1024.key
-rw-r--r-- 1 root root 1679 Dec 11 12:41 server.key
提示:server1024.key文件权限为600,但不影响当前的umask;
[root@Smoke ~]# umask(查看当前系统创建文件目录的遮罩码)
0022
[root@Smoke ~]# openssl rsa -in server1024.key -pubout(生成rsa类型的公钥,-in指定私钥文件,-pubout提取公钥)
writing RSA key
-----BEGIN PUBLIC KEY-----
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDfpqMfS/K5m+8MMAJjLGM64XBu
bBuOimF5BhbILBMQ2fgFrG1R72+z4GTBYxRx0SWzfEZu5h9UHNKRn6ib2oMH+LhD
NBd5kZR8ysaq19THCuxz6jiyw3JZMXSkUOWVw44R9foiObpJPG72Oq4Xt/DTNWhz
RI335om8sF8OuTVSfwIDAQAB
-----END PUBLIC KEY-----
[root@Smoke ~]# man req(查看openssl子命令req的man帮助文档)
req - PKCS#10 certificate request and certificate generating utility.(生成自签署的证书)
openssl req [-inform PEM|DER] [-outform PEM|DER] [-in filename] [-passin arg] [-out filename] [-passout arg] [-text] [-pubkey]
[-noout] [-verify] [-modulus] [-new] [-rand file(s)] [-newkey rsa:bits] [-newkey dsa:file] [-nodes] [-key filename] [-keyform PEM|DER]
[-keyout filename] [-[md5|sha1|md2|mdc2]] [-config filename] [-subj arg] [-multivalue-rdn] [-x509](生成x509自签证书) [-days n]
[-set_serial n] [-asn1-kludge] [-newhdr] [-extensions section] [-reqexts section] [-utf8] [-nameopt] [-batch] [-verbose] [-engine id]
[root@Smoke ~]# openssl req -new -x509 -key server1024.key -out server.crt -days 365(签发证书,-new表示新的申请,-x509表示生成自签证
书,-key指定密钥文件,-out指定保存的证书位置及文件名,-days指定有效期限)
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:CN(国家,证书拥有者的信息)
State or Province Name (full name) [Berkshire]:Shaanxi (省份名称)
Locality Name (eg, city) [Newbury]:Xi'an(城市名称)
Organization Name (eg, company) [My Company Ltd]:Smoke(公司名称)
Organizational Unit Name (eg, section) []:Tech(组织单位/部分,Tech技术部)
Common Name (eg, your name or your server's hostname) []:ca.smoke.com(主机名称,至关重要:假如这个证书是发给某个服务器用的,将来别人联系你的
服务器必须要使用这个主机名,它才能使用这个证书跟你建立安全通信,否则提示不可信,这里可以写主机的DNS名称)
Email Address []:349817712@qq.com(管理员邮件地址)
提示:自签证书做好了;
[root@Smoke ~]# ll server*(查看当前目录server开头的文件)
-rw------- 1 root root 891 Dec 11 12:50 server1024.key
-rw-r--r-- 1 root root 1269 Dec 11 13:19 server.crt
-rw-r--r-- 1 root root 1679 Dec 11 12:41 server.key
提示:做好的自签证书server.crt;
[root@Smoke ~]# cat server.crt(查看server.crt文件内容)
-----BEGIN CERTIFICATE-----
MIIDezCCAuSgAwIBAgIJAMcA5oWJiPD8MA0GCSqGSIb3DQEBBQUAMIGGMQswCQYD
VQQGEwJDTjEQMA4GA1UECBMHU2hhYW54aTEOMAwGA1UEBxMFWGknYW4xDjAMBgNV
BAoTBVNtb2tlMQ0wCwYDVQQLEwRUZWNoMRUwEwYDVQQDEwxjYS5zbW9rZS5jb20x
HzAdBgkqhkiG9w0BCQEWEDM0OTgxNzcxMkBxcS5jb20wHhcNMTQxMjExMDUxOTEw
WhcNMTUxMjExMDUxOTEwWjCBhjELMAkGA1UEBhMCQ04xEDAOBgNVBAgTB1NoYWFu
eGkxDjAMBgNVBAcTBVhpJ2FuMQ4wDAYDVQQKEwVTbW9rZTENMAsGA1UECxMEVGVj
aDEVMBMGA1UEAxMMY2Euc21va2UuY29tMR8wHQYJKoZIhvcNAQkBFhAzNDk4MTc3
MTJAcXEuY29tMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDfpqMfS/K5m+8M
MAJjLGM64XBubBuOimF5BhbILBMQ2fgFrG1R72+z4GTBYxRx0SWzfEZu5h9UHNKR
n6ib2oMH+LhDNBd5kZR8ysaq19THCuxz6jiyw3JZMXSkUOWVw44R9foiObpJPG72
Oq4Xt/DTNWhzRI335om8sF8OuTVSfwIDAQABo4HuMIHrMB0GA1UdDgQWBBSYjIze
DHosu1W8iRhNni6g+Qz6ZjCBuwYDVR0jBIGzMIGwgBSYjIzeDHosu1W8iRhNni6g
+Qz6ZqGBjKSBiTCBhjELMAkGA1UEBhMCQ04xEDAOBgNVBAgTB1NoYWFueGkxDjAM
BgNVBAcTBVhpJ2FuMQ4wDAYDVQQKEwVTbW9rZTENMAsGA1UECxMEVGVjaDEVMBMG
A1UEAxMMY2Euc21va2UuY29tMR8wHQYJKoZIhvcNAQkBFhAzNDk4MTc3MTJAcXEu
Y29tggkAxwDmhYmI8PwwDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQUFAAOBgQAP
wSzzY5ZkkqfUuKbkyshYHbwR16R/SXDZmr/j2oVAuq16KPkP4fJHsoxHUvozLtJo
XK+3+FG0Wo7eCCks0eP06JSPLQ1Fvqln36sgZwGd+jvxK6XFq4+Bn9H+bFSF6ptc
I8SSdeh4wbPy7i8UYbAj16pub69d1HL5STBOJpIxOQ==
-----END CERTIFICATE-----
[root@Smoke ~]# openssl x509 -text -in server.crt(查看server.crt证书信息,-text输出成文本信息,-in指定证书)
Certificate:
Data:
Version: 3 (0x2)(证书版本号)
Serial Number:(序列号)
c7:00:e6:85:89:88:f0:fc
Signature Algorithm: sha1WithRSAEncryption
Issuer: C=CN, ST=Shaanxi, L=Xi'an, O=Smoke, OU=Tech, CN=ca.smoke.com/emailAddress=349817712@qq.com(证书拥有者信息)
Validity
Not Before: Dec 11 05:19:10 2014 GMT(证书有效期)
Not After : Dec 11 05:19:10 2015 GMT
Subject: C=CN, ST=Shaanxi, L=Xi'an, O=Smoke, OU=Tech, CN=ca.smoke.com/emailAddress=349817712@qq.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption(Public Key使用rsa加密)
RSA Public Key: (1024 bit)
Modulus (1024 bit):
00:df:a6:a3:1f:4b:f2:b9:9b:ef:0c:30:02:63:2c:
63:3a:e1:70:6e:6c:1b:8e:8a:61:79:06:16:c8:2c:
13:10:d9:f8:05:ac:6d:51:ef:6f:b3:e0:64:c1:63:
14:71:d1:25:b3:7c:46:6e:e6:1f:54:1c:d2:91:9f:
a8:9b:da:83:07:f8:b8:43:34:17:79:91:94:7c:ca:
c6:aa:d7:d4:c7:0a:ec:73:ea:38:b2:c3:72:59:31:
74:a4:50:e5:95:c3:8e:11:f5:fa:22:39:ba:49:3c:
6e:f6:3a:ae:17:b7:f0:d3:35:68:73:44:8d:f7:e6:
89:bc:b0:5f:0e:b9:35:52:7f
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Key Identifier:
98:8C:8C:DE:0C:7A:2C:BB:55:BC:89:18:4D:9E:2E:A0:F9:0C:FA:66
X509v3 Authority Key Identifier: (证书办法机构相关信息)
keyid:98:8C:8C:DE:0C:7A:2C:BB:55:BC:89:18:4D:9E:2E:A0:F9:0C:FA:66
DirName:/C=CN/ST=Shaanxi/L=Xi'an/O=Smoke/OU=Tech/CN=ca.smoke.com/emailAddress=349817712@qq.com
serial:C7:00:E6:85:89:88:F0:FC
X509v3 Basic Constraints:
CA:TRUE
Signature Algorithm: sha1WithRSAEncryption(CA签名信息)
0f:c1:2c:f3:63:96:64:92:a7:d4:b8:a6:e4:ca:c8:58:1d:bc:
11:d7:a4:7f:49:70:d9:9a:bf:e3:da:85:40:ba:ad:7a:28:f9:
0f:e1:f2:47:b2:8c:47:52:fa:33:2e:d2:68:5c:af:b7:f8:51:
b4:5a:8e:de:08:29:2c:d1:e3:f4:e8:94:8f:2d:0d:45:be:a9:
67:df:ab:20:67:01:9d:fa:3b:f1:2b:a5:c5:ab:8f:81:9f:d1:
fe:6c:54:85:ea:9b:5c:23:c4:92:75:e8:78:c1:b3:f2:ee:2f:
14:61:b0:23:d7:aa:6e:6f:af:5d:d4:72:f9:49:30:4e:26:92:
31:39
-----BEGIN CERTIFICATE-----
MIIDezCCAuSgAwIBAgIJAMcA5oWJiPD8MA0GCSqGSIb3DQEBBQUAMIGGMQswCQYD
VQQGEwJDTjEQMA4GA1UECBMHU2hhYW54aTEOMAwGA1UEBxMFWGknYW4xDjAMBgNV
BAoTBVNtb2tlMQ0wCwYDVQQLEwRUZWNoMRUwEwYDVQQDEwxjYS5zbW9rZS5jb20x
HzAdBgkqhkiG9w0BCQEWEDM0OTgxNzcxMkBxcS5jb20wHhcNMTQxMjExMDUxOTEw
WhcNMTUxMjExMDUxOTEwWjCBhjELMAkGA1UEBhMCQ04xEDAOBgNVBAgTB1NoYWFu
eGkxDjAMBgNVBAcTBVhpJ2FuMQ4wDAYDVQQKEwVTbW9rZTENMAsGA1UECxMEVGVj
aDEVMBMGA1UEAxMMY2Euc21va2UuY29tMR8wHQYJKoZIhvcNAQkBFhAzNDk4MTc3
MTJAcXEuY29tMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDfpqMfS/K5m+8M
MAJjLGM64XBubBuOimF5BhbILBMQ2fgFrG1R72+z4GTBYxRx0SWzfEZu5h9UHNKR
n6ib2oMH+LhDNBd5kZR8ysaq19THCuxz6jiyw3JZMXSkUOWVw44R9foiObpJPG72
Oq4Xt/DTNWhzRI335om8sF8OuTVSfwIDAQABo4HuMIHrMB0GA1UdDgQWBBSYjIze
DHosu1W8iRhNni6g+Qz6ZjCBuwYDVR0jBIGzMIGwgBSYjIzeDHosu1W8iRhNni6g
+Qz6ZqGBjKSBiTCBhjELMAkGA1UEBhMCQ04xEDAOBgNVBAgTB1NoYWFueGkxDjAM
BgNVBAcTBVhpJ2FuMQ4wDAYDVQQKEwVTbW9rZTENMAsGA1UECxMEVGVjaDEVMBMG
A1UEAxMMY2Euc21va2UuY29tMR8wHQYJKoZIhvcNAQkBFhAzNDk4MTc3MTJAcXEu
Y29tggkAxwDmhYmI8PwwDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQUFAAOBgQAP
wSzzY5ZkkqfUuKbkyshYHbwR16R/SXDZmr/j2oVAuq16KPkP4fJHsoxHUvozLtJo
XK+3+FG0Wo7eCCks0eP06JSPLQ1Fvqln36sgZwGd+jvxK6XFq4+Bn9H+bFSF6ptc
I8SSdeh4wbPy7i8UYbAj16pub69d1HL5STBOJpIxOQ==
-----END CERTIFICATE-----
提示:这表示CA准备好了,可以给别人发证,接下来作为CA服务器,有个客户端想使用证书,需要向CA申请使用证书,只需要自己生成一个申请,把申请交给CA,CA签署就行
了,但是现在CA没法用,在RHEL 5上要想让CA真正使用起来,还需要做一些额外配置,密钥和证书是不能随便放的,因为工作成CA的时候有配置文件;
[root@Smoke ~]# cd /etc/pki/tls/(切换到/etc/pki/tls目录)
[root@Smoke tls]# vim openssl.cnf(编辑openssl.cnf文件)
[ CA_default ](CA默认项)
dir = /etc/pki/CA # Where everything is kept(工作在那个目录/etc/pki/CA,这个使用相对路径有时候会有问题,可以更改
为绝对路径)
certs = $dir/certs # Where the issued certs are kept(客户端证书保存目录)
crl_dir = $dir/crl # Where the issued crl are kept(证书吊销目录)
database = $dir/index.txt # database index file.(数据库,给那些人发证,会有记录)
#unique_subject = no # Set to 'no' to allow creation of
# several ctificates with same subject.
new_certs_dir = $dir/newcerts # default place for new certs.(新生成的证书目录)
certificate = $dir/cacert.pem # The CA certificate(CA自己的证书是什么)
serial = $dir/serial # The current serial number(所有生成证书序列号)
crlnumber = $dir/crlnumber # the current crl number(证书撤销列表已经工作到第几个号码)
# must be commented out to leave a V1 CRL
crl = $dir/crl.pem # The current CRL(证书吊销文件是什么)
private_key = $dir/private/cakey.pem# The private key(CA的私钥)
RANDFILE = $dir/private/.rand # private random number file(随机数文件,自动生成)
x509_extensions = usr_cert # The extentions to add to the cert
default_days = 3657 # how long to certify for(如果步指定有效期限,默认证书有效期限)
default_crl_days= 30 # how long before next CRL(吊销的证书保存多长时间在证书吊销列表)
default_md = sha1 # which md to use.(单向算法默认使用什么算法)
preserve = no # keep passed DN ordering
[ req_distinguished_name ](默认证书拥有者信息)
countryName = Country Name (2 letter code)
countryName_default = CN(国家)
countryName_min = 2
countryName_max = 2
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = Shaanxi(默认省份)
localityName = Locality Name (eg, city)
localityName_default = Xi'an(默认城市)
0.organizationName = Organization Name (eg, company)
0.organizationName_default = Smoke(公司名称)
organizationalUnitName = Organizational Unit Name (eg, section)
#organizationalUnitName_default = Tech(组织名称)
commonName = Common Name (eg, your name or your server\'s hostname)(主机名称)
commonName_max = 64
emailAddress = Email Address(邮件地址)
emailAddress_max = 64
提示:openssl.cnf是CA的配置文件;
给CA准备私钥和证书:
[root@Smoke tls]# cd ..(切换到上级目录)
[root@Smoke pki]# ls(查看当前目录文件及子目录)
CA entitlement nssdb product rpm-gpg tls
提示:/etc/pki目录下有CA目录;
[root@Smoke pki]# cd CA/(切换到CA目录)
[root@Smoke CA]# ls(查看当前目录文件及子目录)
private
提示:/etc/pki/CA/private目录是保存CA私钥的目录;
[root@Smoke CA]# (umask 077;openssl genrsa -out private/cakey.pem 2048)(使用()括号括起来的一组命令,无论写多少命令,这些命令只在子shell中执
行,不再当前shell中执行,而且执行完以后子shell就退出了,子shell中的所有设定跟我们当前shell没关系,为子shell设定umask 077遮罩码,创建的文件都是600,
创建的目录都是700的,生成rsa类型的私钥,长度为2048,-out保存到/private/目录叫cakey.pem)
Generating RSA private key, 2048 bit long modulus
..........................................................................+++
............................................................................................+++
e is 65537 (0x10001)
提示:将生成的CA私钥保存到/etc/pki/CA/private目录叫cakey.pem,需要和/etc/pki/tls/openssl.cnf配置文件设定保持一致;
[root@Smoke CA]# ls -l private/(查看private目录的文件及子目录详细信息)
total 8
-rw------- 1 root root 1679 Dec 11 13:57 cakey.pem
提示:生成的cakey.pem私钥证书;
生成自签证书:
[root@Smoke CA]# openssl req -new -x509 -key private/cakey.pem -out cacert.pem(生成自签证书,-new表示新的申请,-x509表示生成自签证书,-key
指定私钥文件,-out保存当前目录叫cacert.pem)
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:(国家,证书拥有者信息)
State or Province Name (full name) [Shaanxi]:(省份名称)
Locality Name (eg, city) [Xian]:(城市名称)
Organization Name (eg, company) [Smoke]:(公司名称)
Organizational Unit Name (eg, section) [Tech]:(组织单位/部门)
Common Name (eg, your name or your server's hostname) []:ca.smoke.com(主机名称,至关重要:假如这个证书是发给某个服务器用的,将来别人联系你的
服务器必须要使用这个主机名,它才能使用这个证书跟你建立安全通信,否则提示不可信,这里可以写主机的DNS名称)
Email Address []:349817712@qq.com(管理员邮件地址)
[root@Smoke CA]# mkdir certs newcerts crl(创建certs、newcerts、crl目录)
[root@Smoke CA]# ls
cacert.pem certs crl newcerts private
提示:certs目录是客户端证书保存目录,newcerts是新生成的证书目录,crl证书吊销目录,对应/etc/pki/tls/openssl.cnf配置文件中的内容;
[root@Smoke CA]# touch index.txt(创建index.txt文件)
提示:index.txt是数据库,给那些人发证,会有记录,对应/etc/pki/tls/openssl.cnf配置文件中的内容;
[root@Smoke CA]# touch serial(创建serial文件)
提示:serial是所有生成证书序列号;
[root@Smoke CA]# echo 01 > serial(显示01输出到serial文件)
提示:给serial中一个起始序列号,如果没有证书吊销列表,吊销号码可以不用写;
[root@Smoke CA]# ls(查看当前目录文件及子目录)
cacert.pem certs crl index.txt newcerts private serial
到此为止CA服务器准备完整,接下来别人就可以申请,比如再启动一台主机,在另外一台护自己上,生成一对密钥,自己生成证书颁发申请,并发送给CA服务器,CA服务器签发
后就可以使用;
假如建立web服务器:
[root@Smoke CA]# mkdir /etc/httpd(创建/etc/httpd目录)
提示:假如web服务器的配置文件都在/etc/httpd目录;
[root@Smoke CA]# cd /etc/httpd/(切换到/etc/httpd目录)
[root@Smoke httpd]# ls(查看当前目录文件及子目录)
为这个主机准备证书和密钥:
[root@Smoke httpd]# mkdir ssl(创建ssl目录)
[root@Smoke httpd]# cd ssl/(切换到ssl目录)
[root@Smoke ssl]# pwd(查看当前所处的目录)
/etc/httpd/ssl
提示:一般将证书放在应用的配置文件目录里面,任何一个应用要想用到证书,必须要有私钥,因为要从私钥中提取公钥,上面的公钥私钥是CA的跟当前web服务器没关系,
不能拿CA的给web服务器使用,这是两种不同的应用,每一种应用都需要自己的证书,如果还需要发邮件,邮件用到证书,还需要为邮件服务器生成一对密钥证书,两种服务
尽可能不要使用同样的证书,要有证书得有公钥,要有公钥得有私钥;
申请生成私钥:
[root@Smoke ssl]# (umask 077; openssl genrsa -out httpd.key 1024)(使用()括号括起来的一组命令,无论写多少命令,这些命令只在子shell中执行,
不在当前shell中执行,而且执行完以后子shell就退出了,子shell中的所有设定跟我们当前shell没关系,为子shell设定umask 077遮罩码,创建的文件都是600,
创建的目录都是700的,生成rsa类型的私钥,长度为1024,-out保存到当前目录叫httpd.key)
Generating RSA private key, 1024 bit long modulus
.................++++++
...............................................................................++++++
e is 65537 (0x10001)
[root@Smoke ssl]# cat httpd.key(查看httpd.key文件内容)
-----BEGIN RSA PRIVATE KEY-----
MIICXAIBAAKBgQDasMCYFMg5RlhQ0BD96q07OZDDIZwmbXrN4q4bnw/+otBSZE/n
3CxhOCIy2FnJ+2FmuzdfKn4CMMdfqnu1HPepPK2q6YMn19+rZrP6Jyvj0a65JG6h
6vBlTLeB9fieb/b9pjJRlOK46z82FD0ff0rd62G7LZqGf31Sug2mxF1eFwIDAQAB
AoGBANA9QJdQKrxHHK+PAK8YeO4NSahVZ8A7vZUxBYMtumhJFr9t35yzzdqhPgdW
dmFbqorNONO4vZZOZnrU9skmFThh0zGV4aNCKD5116hhEDYTVX9gLpkQE9NmH/ir
FEgvoBuAQlPsZ9OmrxvZmUsaAWuuC3F2NwQjGehum5MfEIv5AkEA8zo4I5ho4x9z
MjzvBynhXGwfIT5XY2+SMnsVM37jHbNStN+OV7ac+UQafbywx1K/BpvDVrDxm4js
3p7BhpvkEwJBAOYsrMUsbirfqi1Pa0dJ1tQbCFsPAjmCBDPMtaK7jQ6E0Jh4NhHf
zaGn79Wr4nU3K1JOfQpdY+8TXhkEEwpB9m0CQGoN2KysqA9ghzpAl3joKfvCqVA1
fqU84OJiCLyLdzxcFJQJZmeYmJmXuHVa8Tn4OpMHGAWU4cSPz7jCQGARWUECQHo1
RhX6HRQOZOBhxme3QKSlJa6TLW8zJOAL1HRud9o5kjchvDOJTDiEXcZo2He7rvio
S6NxKloJQnCtxR4xH5ECQATk8Yke45410qPsRyS9UnPnB+VX8AiGbVki/sI0f227
hNQdpA0GEp/3W8R+dGJoWPnMP+E3myK6NLxjEvczOE8=
-----END RSA PRIVATE KEY-----
提示:有了密钥就可以生成证书请求,不可能自己给自己发证,要到CA服务器申请证书,作为一个应用来讲,生成证书颁发请求,要生成申请,让CA服务器进行签署,申请里面
所有内容,包括个人信息要自己填,填好以后它此时还不是证书,让CA服务器签署以后就可以使用;
生成证书请求文件:
[root@Smoke ssl]# openssl req -new -key httpd.key -out httpd.csr(生成证书申请,-new表示新的申请,此时不需要-x509标识生成自签证书,-key指定
私钥文件,-out保存到当前目录叫httpd.csr,后最csr标明叫证书签署请求)
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:(国家,证书拥有者信息)
State or Province Name (full name) [Shaanxi]:(省份名称)
Locality Name (eg, city) [Xian]:(城市名称)
Organization Name (eg, company) [Smoke]:(公司名称)
Organizational Unit Name (eg, section) [Tech]:(组织单位/部门私有证书当中,机构、部分等,尤其到组织单位都要保持一致,换一个公司名就不给签)
Common Name (eg, your name or your server's hostname) []:www.smoke.com(主机名称,至关重要:假如这个证书是发给某个服务器用的,将来别人联系
你的服务器必须要使用这个主机名,它才能使用这个证书跟你建立安全通信,否则提示不可信,这里可以写主机的DNS名称)
Email Address []:wwwadmin@smoke.com(管理员邮件地址)
Please enter the following 'extra' attributes
to be sent with your certificate request(要不要将证书请求加密存放起来)
A challenge password []:(回车,不加密)
An optional company name []:
[root@Smoke ssl]# ls(查看当前目录文件及子目录)
httpd.csr httpd.key
提示:此时当CA对证书请求httpd.csr签署以下,就成为证书,就可以使用了;
CA服务器对客户证书请求签署:
[root@Smoke ssl]# openssl ca -in httpd.csr -out httpd.crt -days 365(openssl子命令ca进入ca模式,-in指定证书请求文件,-out保存的证书名称,
-days指定有效期)
Using configuration from /etc/pki/tls/openssl.cnf(使用/etc/pki/tls/openssl.cnf文件来检查)
Check that the request matches the signature
Signature ok
Certificate Details:(证书详细信息)
Serial Number: 1 (0x1)
Validity
Not Before: Dec 11 06:56:39 2014 GMT
Not After : Dec 11 06:56:39 2015 GMT
Subject:(主体信息))
countryName = CN
stateOrProvinceName = Shaanxi
organizationName = Smoke
organizationalUnitName = Tech
commonName = www.smoke.com
emailAddress = wwwadmin@smoke.com
X509v3 extensions:(x509格式相关信息)
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
5E:C7:54:43:28:78:CE:5E:15:7B:12:A0:48:63:42:7E:27:03:46:DC
X509v3 Authority Key Identifier:
keyid:08:CE:CB:F6:02:48:7D:A9:41:E7:AE:93:77:AA:A9:14:41:2C:7C:1B
Certificate is to be certified until Dec 11 06:56:39 2015 GMT (365 days)
Sign the certificate? [y/n]:y(输入y签署)
1 out of 1 certificate requests certified, commit? [y/n]y(确定要不要提交)
Write out database with 1 new entries
Data Base Updated
[root@Smoke ssl]# ll(查看当前目录文件及子目录详细信息)
total 24
-rw-r--r-- 1 root root 3845 Dec 11 14:59 httpd.crt
-rw-r--r-- 1 root root 696 Dec 11 14:50 httpd.csr
-rw------- 1 root root 887 Dec 11 14:30 httpd.key
[root@Smoke ssl]# cd /etc/pki/CA/(切换到/etc/pki/CA目录)
[root@Smoke CA]# cat index.txt(查看index.txt文件内容)
V 151211065639Z 01 unknown /C=CN/ST=Shaanxi/O=Smoke/OU=Tech/CN=www.smoke.com/emailAddress=wwwadmin@smoke.com
提示:已经签署一个证书,序列号01是从/etc/pki/CA/serial文件中读取出来的,如果还有证书序列号依次往后排;
[root@Smoke CA]# cat serial(查看serial文件内容)
02
提示:cerial文件内容变为02;
红帽还提供另外一个工具在/etc/pki/tls/目录:
[root@Smoke CA]# cd /etc/pki/tls/(切换到/etc/pki/tls目录)
[root@Smoke tls]# ls(查看当前目录文件及子目录)
cert.pem certs misc openssl.cnf private
提示:在/etc/pki/tls目录的certs目录;
[root@Smoke tls]# cd certs/(切换到certs目录)
[root@Smoke certs]# ls(查看当前目录文件及子目录)
ca-bundle.crt make-dummy-cert Makefile
提示:这里面提供了一个Makefile文件,也就是说在这个目录可以执行make命令快速生成一个测试用的证书,注意:不能在生产环境使用,最多只能测试使用,但可以快速生成;
[root@Smoke certs]# make httpd.pem(生成自签证书)
umask 77 ; \
PEM1=`/bin/mktemp /tmp/openssl.XXXXXX` ; \
PEM2=`/bin/mktemp /tmp/openssl.XXXXXX` ; \
/usr/bin/openssl req -newkey rsa:2048 -keyout $PEM1 -nodes -x509 -days 365 -out $PEM2 -set_serial 0 ; \
cat $PEM1 > httpd.pem ; \
echo "" >> httpd.pem ; \
cat $PEM2 >> httpd.pem ; \
rm -f $PEM1 $PEM2
Generating a 2048 bit RSA private key
...................................+++
........................................................................................................................
.........................+++
writing new private key to '/tmp/openssl.p13407'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [Shaanxi]:
Locality Name (eg, city) [Xian]:
Organization Name (eg, company) [Smoke]:
Organizational Unit Name (eg, section) [Tech]:
Common Name (eg, your name or your server's hostname) []:www.smoke.com
Email Address []:wwwadmin@smoke.com
[root@Smoke certs]# ls(查看当前目录文件及子目录)
ca-bundle.crt httpd.pem make-dummy-cert Makefile
提示:测试证书生成完成,把它复制走就可以直接使用,这个证书既是个证书,里面还有私钥,所以别人拿到证书就能拿到私钥,所以只是测试证书,在这里面也可以生成
证书办法请求,也可以快速生成密钥,都可以的,因此make命令很关键,后面跟文件名的后缀很重要,它正是通过后缀判定给你生成什么样格式的文件的,到底是什么格式
可以查看/etc/pki/tls/certs/Makefile文件;
[root@Smoke certs]# cat Makefile(查看Makefile文件内容)
UTF8 := $(shell locale -c LC_CTYPE -k | grep -q charmap.*UTF-8 && echo -utf8)
SERIAL=0
PRIVATE_KEY_BITS=2048
.PHONY: usage
.SUFFIXES: .key .csr .crt .pem
.PRECIOUS: %.key %.csr %.crt %.pem
usage:
@echo "This makefile allows you to create:"
@echo " o public/private key pairs"
@echo " o SSL certificate signing requests (CSRs)"
@echo " o self-signed SSL test certificates"
@echo
@echo "To create a key pair, run \"make SOMETHING.key\"."
@echo "To create a CSR, run \"make SOMETHING.csr\"."
@echo "To create a test certificate, run \"make SOMETHING.crt\"."
@echo "To create a key and a test certificate in one file, run \"make SOMETHING.pem\"."
@echo
@echo "To create a key for use with Apache, run \"make genkey\"."
@echo "To create a CSR for use with Apache, run \"make certreq\"."
@echo "To create a test certificate for use with Apache, run \"make testcert\"."
@echo
@echo "To create a test certificate with serial number other than zero, add SERIAL=num"
@echo
@echo Examples:
@echo " make server.key"
@echo " make server.csr"
@echo " make server.crt"
@echo " make stunnel.pem"
@echo " make genkey"
@echo " make certreq"
@echo " make testcert"
@echo " make server.crt SERIAL=1"
@echo " make stunnel.pem SERIAL=2"
@echo " make testcert SERIAL=3"
%.pem:(如果后缀跟的是.pem生成的是测试证书,里面既有私钥又有证书,是自签的证书)
umask 77 ; \
PEM1=`/bin/mktemp /tmp/openssl.XXXXXX` ; \
PEM2=`/bin/mktemp /tmp/openssl.XXXXXX` ; \
/usr/bin/openssl req $(UTF8) -newkey rsa:$(PRIVATE_KEY_BITS) -keyout $$PEM1 -nodes -x509 -days 365 -out $$PEM2 -set_
serial $(SERIAL) ; \
cat $$PEM1 > $@ ; \
echo "" >> $@ ; \
cat $$PEM2 >> $@ ; \
$(RM) $$PEM1 $$PEM2
%.key:(如果后缀跟的是.key生成私钥的)
umask 77 ; \
/usr/bin/openssl genrsa -des3 $(PRIVATE_KEY_BITS) > $@
%.csr: %.key(如果后面跟的是.csr或者.key生成证书申请)
umask 77 ; \
/usr/bin/openssl req $(UTF8) -new -key $^ -out $@
%.crt: %.key(如果后面跟的是.crt或者.key生成证书的)
umask 77 ; \
/usr/bin/openssl req $(UTF8) -new -key $^ -x509 -days 365 -out $@ -set_serial $(SERIAL)
TLSROOT=/etc/pki/tls
KEY=$(TLSROOT)/private/localhost.key
CSR=$(TLSROOT)/certs/localhost.csr
CRT=$(TLSROOT)/certs/localhost.crt
genkey: $(KEY)
certreq: $(CSR)
testcert: $(CRT)
$(CSR): $(KEY)
umask 77 ; \
/usr/bin/openssl req $(UTF8) -new -key $(KEY) -out $(CSR)
$(CRT): $(KEY)
umask 77 ; \
/usr/bin/openssl req $(UTF8) -new -key $(KEY) -x509 -days 365 -out $(CRT) -set_serial $(SERIAL)
提示:所以它是根据Makefile文件帮你快速生成测试工具的,所以这是make用到的一个Makefile的配置文件而已,不建议这么用,虽然简单,但是没什么适用性,还不如自
己使用命令来完成,如果命令忘了,可以看看Makefile文件;
1、创建CA
自己生成一对密钥;
生成自签证书;
2、客户端
生成一对密钥;
生成证书办法请求,.csr;
3、CA端
签署此证书
传送给客户端;
OpenSSL:TLS/SSL,(libcryto,libssl,openssl),TLS PRI
OpenSSH:
telnet,TCP/23,远程登录
认证明文
数据传输明文
ssh:Secure Shell,TCP/22
C/S
ssh --> SSH
OpenSSH(开源)
ssh v1,v2
客户端:
Linux:ssh
Windows:putty(绿色软件),SecureCRT(商业版),SSHSecureShellClient(免费/商业),Xmanager
服务器端:
sshd
openssh (ssh,sshd)
ssh --> telnet
sshd:主机密钥
SSH实现加密传输:
基于口令认证:
通信双方事先并没有见到过彼此,那么它们如何实现安全通信,我们借助CA的证书,但是ssh客户端和服务器端之间未必有证书,当ssh客户端向服务器端发起连接请求的时候,它解决不了这个问题,服务器端一定会发过来一个公钥过来,但是怎么识别它的公钥,如果对方发过来的压根不是一个证书,我们就无从通过第三方可信任的颁发机构来验证这个服务器端身份的可靠性,那没有办法,在这种前提下,对方发来主机公钥以后,ssh客户端就会接收到对方发来的主机公钥的指纹信息,接下来就问是否认可这个指纹,你自己确保这个服务器的却是你认可的那台服务器,如果信任就确认,就意味着主机发来的公钥,这个公钥是主机一对密钥中的公钥信息,能够支持身份验证的公钥加密有RSA和DSA,如果服务器端即支持RSA又支持DSA,但是客户端仅支持DSA,那服务端就只能使用DSA,如果客户端也支持RSA,就可以采用RSA,因为RSA功能强大,所以应该优先使用RSA,不管是哪一种应该把两种都准备好,看客户端支持哪一种,我们就使用哪一种,但无论是哪一种,一旦客户端发起请求了,服务器端首先将自己的对应算法的公钥发给客户端,客户端接收下来之后,这时就有服务器端的公钥信息,于是就会生成临时的对称会话密钥,而且是客户端选取的,生成完成之后,接下来就可以将所有的数据通过这个密码加密,比如接下来对方就听输入帐号,我们用密码加密帐号发送给服务器端,在加密之前,先将密码用对方的公钥加密之后发给服务器端,只有服务器能解密,服务器可以得到这个密钥,接下来客户端在发送密码的时候用刚才的密码加密密码和用户名,然后传递给服务器,这样就算别人捕获了也找不到我们的帐号密码,同样,如果认证通过,服务器端在本地验证一下,发现这个用户帐号到底存在不存在,这是用户本身认证的,跟身份认证没有关系,它远程是不是那台服务器,是不是那个客户端,不是这么验证的,只是提供的帐号密码是不是合法的,如果帐号密码合法就通过了,接下来用户就可以发送各种命令了,因此一旦认证通过以后,双方就建立了一个永久在线的ssh会话通道,只要客户端发送请求,服务器端就能够接受命令,并将执行结果返回给客户端;
基于密钥认证:
客户端也生成一对密钥,跟客户端没关系,是客户端的用户自身也生成一对密钥,它把公钥放在远程服务器上去,虽然是公钥,但是这个公钥信息此时是保密的,不能让任何其他人知道,私钥自己保留,公钥放在远程服务器某个用户的家目录下,以后远程登录这台主机的时候,输入用户名以后,它不再要求输入密码,而是对暗号,只要对上密码以后,因为双方都有公钥和私钥,所以双方建立会话的时候直接用自己的私钥加密一段数据传递过去,我这端的公钥能够解密,就说明他俩配对,一旦能配对就直接登录了,不再需要输入口令了,这种叫做基于密钥的认证,很显然如果在互联网上步传输密钥本身,不传输口令本身,基于密钥认证更安全,但就密钥需要事先配置;
默认情况下都是基于口令的认证方式;
通过SSH登录服务器安全:
最好不使用root用户直接登录,可以使用普通用户登录后切换到root用户,限定服务器不能直接在互联网上任意主机都能登录,设定就算是SSH,就是算普通用户,也仅某些台有限主机远程登录,可以在服务器前端设定VPN服务器,设定服务器仅允许VPN的IP地址登录,而后先远程连接到VPN上,再由VPN转由登录服务器,而且最好别使用22号端口,需要经常更好口令,一般一个月换一次,密码最好是随机的,而且要足够长,如果可以最好自己带U盘带着客户端,带着SecureCRT里面有基于密钥的登录认证信息,
netstat:
-r:显示路由表
-n:以数字格式显示
-t:tcp协议
-u:udp协议
-l:监听端口
-p:process进程,那个程序监听了当前端口
ssh:客户端软件,配置文件/etc/ssh/ssh_config
sshd:服务器端软件,配置文件/etc/sshd_config
客户端和服务器端都需要配置文件,在/etc/ssh目录;
ssh:
ssh -l USERNAME REMOTE_HOST ['command']:-l指定登录的用户名,['command']不登录远程主机,执行远程主机命令,并将结果返回本地;
ssh USERNAME@REMOTE_HOST
-p:指定远程主机SSH服务端口
-X:登录到远程主机执行窗口命令,本地必须启动图形端;
-Y:登录到远程主机执行窗口命令,Y比X更安全,本地必须启动图形端;
基于密钥的认证
一台主机为客户端(基于某个用户实现):
1、生成一对密钥
ssh-keygen
-t [rsa|dsa]:-t指定加密算法rsa或dsa;
-f /path/to/keyfile:指定私钥文件保存位置;
-N 'password':指定私钥密码,''表示为空;
2、将公钥传输至服务器端某用户的家目录下的.ssh/authorizaed_keys文件中
使用文件传输工具传输(ssh-copy-id,scp)
ssh-copy-id -i /path/to/pubkey USERNAME@REMOTE_HOST:-i指定公钥文件是什么,默认读取的公钥文件不是id_rsa.pub,所以必须要使用-i指定,能够将公钥放追加.ssh/authorized_keys文件中;
3、测试登录
scp:基于ssh的远程复制命令,可以实现在主机之间传输数据,基于ssh传输,所以传输过程是加密的;
scp [options] SRC DEST
-r:复制目录,递归复制;
-p:保留源文件或目录的属性。
-a:比-r选项多,类似与-rp,保存原来文件的mode等信息;
REMOTE_MACHINE
USERNAME@HOSTNAME:/path/to/somefile:远程主机路径,USERNAME可以省略,如果省略以当前系统的用户作为远程主机用户来使用;
sftp:基于ssh的ftp,只要对方支持SSH和SFTP,不需要创建FTP服务器,直接使用sftp连接上去,能访问的文件都可以访问,而且可以直接下载;
总结:
1、密码应该经常换且足够复杂;
2、使用非默认端口;
3、限制登录客户端地址;
4、禁止管理员直接登录;
5、仅允许有限用户登录;
6、使用基于密钥的认证;
7、禁止使用版本1;
嵌入式系统专用的ssh软件dropbear
[root@Smoke ~]# rpm -qa | grep ssh
openssh-server-4.3p2-82.el5(服务器端)
openssh-askpass-4.3p2-82.el5(通用组件库)
openssh-4.3p2-82.el5(建立会话用到的工具和库文件)
openssh-clients-4.3p2-82.el5(客户端)
提示:ssh是由多个RPM软件包组成的,这多个RPM包又得是提供服务器端的,有的是提供客户端的,有的是提供通用组件的;
[root@Smoke ~]# rpm -qi openssh(查看openssh相关信息,-q询问方式)
Name : openssh Relocations: (not relocatable)
Version : 4.3p2 Vendor: Red Hat, Inc.
Release : 82.el5 Build Date: Wed 04 Jan 2012 09:41:26 PM CST
Install Date: Sat 22 Nov 2014 09:24:54 AM CST Build Host: x86-002.build.bos.redhat.com
Group : Applications/Internet Source RPM: openssh-4.3p2-82.el5.src.rpm
Size : 747178 License: BSD
Signature : DSA/SHA1, Thu 05 Jan 2012 11:55:32 PM CST, Key ID 5326810137017186
Packager : Red Hat, Inc. <http://bugzilla.redhat.com/bugzilla>
URL : http://www.openssh.com/portable.html
Summary : The OpenSSH implementation of SSH protocol versions 1 and 2
Description :
SSH (Secure SHell) is a program for logging into and executing
commands on a remote machine. SSH is intended to replace rlogin and
rsh, and to provide secure encrypted communications between two
untrusted hosts over an insecure network. X11 connections and
arbitrary TCP/IP ports can also be forwarded over the secure channel.(SSH是什么)
OpenSSH is OpenBSD's version of the last free version of SSH, bringing
it up to date in terms of security and features, as well as removing
all patented algorithms to separate libraries.
This package includes the core files necessary for both the OpenSSH
client and server. To make this package useful, you should also
install openssh-clients, openssh-server, or both.(包是用来干什么的,服务器端和客户端都要用到的通用组件)
提示:一般这四个包都要安装,因为既要远程登录别人,也要别人远程登录;
[root@Smoke ~]# netstat -tnl(查看当前主机后台服务,-t代表tcp,-n代表数字格式显示,-l监听的端口)
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 127.0.0.1:2208 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:896 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:111 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:631 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:6010 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:6012 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:2207 0.0.0.0:* LISTEN
tcp 0 0 :::22 :::* LISTEN(SSH静听的端口)
tcp 0 0 ::1:6010 :::* LISTEN
tcp 0 0 ::1:6012 :::* LISTEN
[root@Smoke ~]# netstat -tu(显示当前主机后台服务,-t代表tcp,-u代表udp,如果不加-l显示连接状态的tcp/udp会话)
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 132 172.16.100.1:ssh 172.16.100.254:vaultbase ESTABLISHED
tcp 0 0 172.16.100.1:ssh 172.16.100.254:8564 ESTABLISHED
[root@Smoke ~]# netstat -tun(显示当前主机后台服务,-t代表tcp,-u代表udp,-n以数字格式显示,任何时候都应该加-n,因为它会反解IP地址和端口号)
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 172.16.100.1:22 172.16.100.254:1771 ESTABLISHED
tcp 0 0 172.16.100.1:22 172.16.100.254:8564 ESTABLISHED
[root@Smoke ~]# netstat -tunl(显示当前主机后台服务,-t代表tcp,-u代表udp,-n以数字格式显示,-l处于监听状态的服务)
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 127.0.0.1:2208 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:896 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:111 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:631 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:6010 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:6012 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:2207 0.0.0.0:* LISTEN
tcp 0 0 :::22 :::* LISTEN
tcp 0 0 ::1:6010 :::* LISTEN
tcp 0 0 ::1:6012 :::* LISTEN
udp 0 0 0.0.0.0:514 0.0.0.0:*(UDP协议不会LISTEN,因为不需要三次握手)
udp 0 0 0.0.0.0:68 0.0.0.0:*
udp 0 0 0.0.0.0:5353 0.0.0.0:*
udp 0 0 0.0.0.0:111 0.0.0.0:*
udp 0 0 0.0.0.0:631 0.0.0.0:*
udp 0 0 0.0.0.0:890 0.0.0.0:*
udp 0 0 0.0.0.0:51835 0.0.0.0:*
udp 0 0 0.0.0.0:893 0.0.0.0:*
udp 0 0 :::38419 :::*
udp 0 0 :::5353 :::*
[root@Smoke ~]# netstat -tunlp(显示当前主机后台服务,-t代表tcp,-u代表udp,-n以数字格式显示,-l处于监听状态的服务,-p显示当前那个程序监听当前端口)
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 127.0.0.1:2208 0.0.0.0:* LISTEN 3542/./hpiod
tcp 0 0 0.0.0.0:896 0.0.0.0:* LISTEN 3258/rpc.statd
tcp 0 0 0.0.0.0:111 0.0.0.0:* LISTEN 3219/portmap
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 3563/sshd
tcp 0 0 127.0.0.1:631 0.0.0.0:* LISTEN 3575/cupsd
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN 3612/sendmail
tcp 0 0 127.0.0.1:6010 0.0.0.0:* LISTEN 13845/sshd
tcp 0 0 127.0.0.1:6012 0.0.0.0:* LISTEN 13290/sshd
tcp 0 0 127.0.0.1:2207 0.0.0.0:* LISTEN 3547/python
tcp 0 0 :::22 :::* LISTEN 3563/sshd
tcp 0 0 ::1:6010 :::* LISTEN 13845/sshd
tcp 0 0 ::1:6012 :::* LISTEN 13290/sshd
udp 0 0 0.0.0.0:514 0.0.0.0:* 3137/syslogd
udp 0 0 0.0.0.0:68 0.0.0.0:* 3025/dhclient
udp 0 0 0.0.0.0:5353 0.0.0.0:* 3749/avahi-daemon
udp 0 0 0.0.0.0:111 0.0.0.0:* 3219/portmap
udp 0 0 0.0.0.0:631 0.0.0.0:* 3575/cupsd
udp 0 0 0.0.0.0:890 0.0.0.0:* 3258/rpc.statd
udp 0 0 0.0.0.0:51835 0.0.0.0:* 3749/avahi-daemon
udp 0 0 0.0.0.0:893 0.0.0.0:* 3258/rpc.statd
udp 0 0 :::38419 :::* 3749/avahi-daemon
udp 0 0 :::5353 :::* 3749/avahi-daemon
[root@Smoke ~]# service sshd status(查看当前ssh服务运行状态)
openssh-daemon (pid 3563) is running...
[root@Smoke ~]# cd /etc/ssh/(切换到/etc/ssh目录)
[root@Smoke ssh]# ls
moduli sshd_config ssh_host_dsa_key.pub ssh_host_key.pub ssh_host_rsa_key.pub
ssh_config ssh_host_dsa_key ssh_host_key ssh_host_rsa_key
提示:ssh_config是客户端配置文件,sshd_config是服务器端配置文件,moduli是ssh会话中用到的密钥交换的相关信息,ssh_host_dsa_key ssh_host
_dsa_key.pub ssh_host_key ssh_host_key.pub ssh_host_rsa_key ssh_host_rsa_key.pub是私钥公钥文件,ssh_host_dsa_key ssh_host
_dsa_key.pub是dsa加密算法,ssh_host_rsa_key ssh_host_rsa_key.pub是rsa加密算法,这两种算法是为SSHv2版本协议使用的,ssh_host_key ssh
_host_key.pub没有指定算法,视为SSHv1版本使用的;
[root@Smoke ssh]# ll(查看当前目录文件及子目录详细信息)
total 204
-rw------- 1 root root 132839 Jan 4 2012 moduli
-rw-r--r-- 1 root root 1836 Jan 4 2012 ssh_config
-rw------- 1 root root 3332 Jan 4 2012 sshd_config
-rw------- 1 root root 668 Nov 22 09:36 ssh_host_dsa_key
-rw-r--r-- 1 root root 590 Nov 22 09:36 ssh_host_dsa_key.pub
-rw------- 1 root root 963 Nov 22 09:36 ssh_host_key
-rw-r--r-- 1 root root 627 Nov 22 09:36 ssh_host_key.pub
-rw------- 1 root root 1671 Nov 22 09:36 ssh_host_rsa_key
-rw-r--r-- 1 root root 382 Nov 22 09:36 ssh_host_rsa_key.pub
提示:私钥文件全部都是600的权限,不允许普通用户随便读的,而且服务器端的配置文件sshd_config也是600的权限,因为它跟安全相关;
[root@Smoke ssh]# export LANG=en(更改语言变量LANG为en)
-rw-r--r-- 1 root root 382 Nov 22 09:36 ssh_host_rsa_key.pub
[root@Smoke ssh]# pstree(查看当前目录树)
init-+-acpid
|-atd
|-auditd-+-audispd---{audispd}
| `-{auditd}
|-automount---4*[{automount}]
|-avahi-daemon---avahi-daemon
|-crond
|-cupsd
|-dbus-daemon---{dbus-daemon}
|-dhclient
|-events/0
|-gam_server
|-gpm
|-hald---hald-runner-+-hald-addon-acpi
| |-hald-addon-keyb
| `-hald-addon-stor
|-hcid
|-hidd
|-hpiod
|-hpssd.py
|-2*[iscsid]
|-iscsiuio---3*[{iscsiuio}]
|-khelper
|-klogd
|-krfcommd
|-ksoftirqd/0
|-kthread-+-aio/0
| |-ata/0
| |-ata_aux
| |-bnx2i_thread/0
| |-cnic_wq
| |-cqueue/0
| |-ib_addr
| |-ib_cm/0
| |-ib_inform
| |-ib_mcast
| |-iscsi_eh
| |-iw_cm_wq
| |-kacpid
| |-kauditd
| |-kblockd/0
| |-kgameportd
| |-khubd
| |-khungtaskd
| |-2*[kjournald]
| |-kmpath_handlerd
| |-kmpathd/0
| |-kpsmoused
| |-kseriod
| |-kstriped
| |-kswapd0
| |-local_sa
| |-mpt/0
| |-mpt_poll_0
| |-2*[pdflush]
| |-rdma_cm
| |-rpciod/0
| |-scsi_eh_0
| |-scsi_eh_1
| |-scsi_eh_10
| |-scsi_eh_11
| |-scsi_eh_12
| |-scsi_eh_13
| |-scsi_eh_14
| |-scsi_eh_15
| |-scsi_eh_16
| |-scsi_eh_17
| |-scsi_eh_18
| |-scsi_eh_19
| |-scsi_eh_2
| |-scsi_eh_20
| |-scsi_eh_21
| |-scsi_eh_22
| |-scsi_eh_23
| |-scsi_eh_24
| |-scsi_eh_25
| |-scsi_eh_26
| |-scsi_eh_27
| |-scsi_eh_28
| |-scsi_eh_29
| |-scsi_eh_3
| |-scsi_eh_30
| |-scsi_eh_4
| |-scsi_eh_5
| |-scsi_eh_6
| |-scsi_eh_7
| |-scsi_eh_8
| `-scsi_eh_9
|-login---bash
|-mcstransd
|-migration/0
|-5*[mingetty]
|-pcscd---{pcscd}
|-portmap
|-restorecond
|-rhsmcertd
|-rpc.idmapd
|-rpc.statd
|-sdpd
|-2*[sendmail]
|-setroubleshootd---2*[{setroubleshootd}]
|-smartd
|-sshd-+-sshd---bash
| `-sshd---bash---pstree
|-syslogd
|-udevd
|-xfs
|-xinetd
`-yum-updatesd
提示:当前系统可能有多个sshd进程,几乎每个用户链接进来以后,sshd服务起来以后,sshd启动一个主进程,这个主进程监听用户的请求,一旦有用户请求进来了,
就生成一个子进程,来响应它的请求,所以登录的用户多了sshd进程可能会启动多个的;
[root@Smoke ssh]# vim sshd_config(编辑ssh服务器配置文件)
#Port 22(端口号,如果要使用非默认,将此参数启动起来改成别的端口)
#Protocol 2,1(可以使用ssh版本2和版本1,但是优先使用ssh版本2)
Protocol 2(ssh协议版本2)
#AddressFamily any(地址族,如果当前主机即提供了ipv4地址又提供了ipv6地址,在那一类地址提供服务,any表示ipv4和ipv6都可以)
#ListenAddress 0.0.0.0(监听地址,0.0.0.0标识任意地址,可以启动起来指定地址)
#HostKey /etc/ssh/ssh_host_key(指定ssh协议版本1使用的密钥)
#HostKey /etc/ssh/ssh_host_rsa_key(指定ssh协议版本2使用的rsa类型算法密钥)
#HostKey /etc/ssh/ssh_host_dsa_key(指定ssh协议版本2使用的dsa类型算法密钥)
#KeyRegenerationInterval 1h(密钥重新生成的时间间隔)
#ServerKeyBits 768(服务器端密钥长度)
#SyslogFacility AUTH(facility日志来源子系统,认证相关的)
SyslogFacility AUTHPRIV(facility日志来源子系统,权限,授权相关的)
#LogLevel INFO(日志级别,INFO一般信息)
#LoginGraceTime 2m(登录宽容期,在登录的时候,等候用户输入帐号密码多长时间超时,2分钟)
#PermitRootLogin yes(是否允许管理员直接登录)
#StrictModes yes(是否使用严格限定模式)
#MaxAuthTries 6(最大登录密码错误认证次数)
#RSAAuthentication yes(是不是支持使用RSA认证)
#PubkeyAuthentication yes(是不是支持基于公钥认证)
#AuthorizedKeysFile .ssh/authorized_keys(公钥文件放置位置)
#RhostsRSAAuthentication no(主机认证)
PasswordAuthentication yes(是不是允许使用基于口令的认证)
#ChallengeResponseAuthentication yes(启用挑战性握手协议,不安全,一般步允许使用)
ChallengeResponseAuthentication no(不启用挑战性握手协议,)
#KerberosAuthentication no(不允许使用kerbero认证)
#KerberosOrLocalPasswd yes(允许使用kerberos认证)
#KerberosTicketCleanup yes
#KerberosGetAFSToken no
#GSSAPIAuthentication no(不允许使用GSSAPI认证)
GSSAPIAuthentication yes(允许使用GSSAPI认证)
#GSSAPICleanupCredentials yes
GSSAPICleanupCredentials yes
UsePAM yes(允许使用PAM认证,PAM是一种可插入认证模块,应该允许)
X11Forwarding yes(允许转发X11请求)
#PrintMotd yes(允许登录时候显示Motd文件内容)
#PrintLastLog yes(允许显示上次通过那个主机登录过)
#Banner /some/path(欢迎标语目录文件)
Subsystem sftp /usr/libexec/openssh/sftp-server(子系统,sftp安全ftp,通过ssh来实现叫sftp,基于ssl来实现叫做ftps,sftp服务器
软件程序在/ur/libexec/openssh/sftp-server)
提示:#注释,#号开头后面有空格存注释,#号后面没有空格是可以启用的选项或参数;
[root@Smoke ~]# cat /etc/mot(查看mot文件内容,没有内容)
[root@Smoke ssh]# man sshd_config(查看sshd_config文件的man帮助信息)
AllowGroups:白名单组;
AllowUsers:允许那个用户通过ssh登录的,白名单;
DenyGroups:黑名单组;
DenyUsers:黑名单;
提示:一般黑名单和白名单同时出现,黑名单失效;
[root@Smoke ssh]# cd /etc/init.d/(切换到/etc/init.d目录)
[root@Smoke init.d]# ls(查看当前目录文件及子目录)
acpid conman haldaemon iscsid messagebus nscd restorecond smartd ypbind
anacron cpuspeed halt isdn microcode_ctl ntpd rhnsd sshd yum-updatesd
apmd crond hidd kdump multipathd pand rhsmcertd svnserve
atd cups hplip killall netconsole pcscd rpcgssd syslog
auditd cups-config-daemon ip6tables krb524 netfs portmap rpcidmapd vncserver
autofs dnsmasq ipmi kudzu netplugd psacct rpcsvcgssd wdaemon
avahi-daemon dund iptables lvm2-monitor network rawdevices saslauthd winbind
avahi-dnsconfd firstboot irda mcstrans NetworkManager rdisc sendmail wpa_supplicant
bluetooth functions irqbalance mdmonitor nfs readahead_early setroubleshoot xfs
capi gpm iscsi mdmpd nfslock readahead_later single xinetd
提示:SSH服务的任何改变配置要想生效需要重启服务,在/etc/init.d目录有sshd启动脚本;
[root@Smoke init.d]# service sshd aa(随便给sshd服务参数,有帮助信息)
Usage: /etc/init.d/sshd {start|stop|restart|reload|condrestart|status}
1:SIGHUP: 让一个进程不用重启,就可以重读其配置文件,并让新的配置信息生效,可以使用{start|stop|restart|reload|condrestart|status},reload
不用重启服务也可以重新加载配置文件;
[root@Smoke init.d]# vim sshd(编辑sshd启动脚本文件)
reload()
{
echo -n $"Reloading $prog: "
if [ -n "`pidfileofproc $SSHD`" ] ; then
killproc $SSHD -HUP(发送-HUP信号,1号信号,不用重启服务也可以重新加载配置文件)
else
failure $"Reloading $prog"
fi
RETVAL=$?
echo
[root@Smoke init.d]# kill -l(查看所有信号)
1) SIGHUP 2) SIGINT 3) SIGQUIT 4) SIGILL
5) SIGTRAP 6) SIGABRT 7) SIGBUS 8) SIGFPE
9) SIGKILL 10) SIGUSR1 11) SIGSEGV 12) SIGUSR2
13) SIGPIPE 14) SIGALRM 15) SIGTERM 16) SIGSTKFLT
17) SIGCHLD 18) SIGCONT 19) SIGSTOP 20) SIGTSTP
21) SIGTTIN 22) SIGTTOU 23) SIGURG 24) SIGXCPU
25) SIGXFSZ 26) SIGVTALRM 27) SIGPROF 28) SIGWINCH
29) SIGIO 30) SIGPWR 31) SIGSYS 34) SIGRTMIN
35) SIGRTMIN+1 36) SIGRTMIN+2 37) SIGRTMIN+3 38) SIGRTMIN+4
39) SIGRTMIN+5 40) SIGRTMIN+6 41) SIGRTMIN+7 42) SIGRTMIN+8
43) SIGRTMIN+9 44) SIGRTMIN+10 45) SIGRTMIN+11 46) SIGRTMIN+12
47) SIGRTMIN+13 48) SIGRTMIN+14 49) SIGRTMIN+15 50) SIGRTMAX-14
51) SIGRTMAX-13 52) SIGRTMAX-12 53) SIGRTMAX-11 54) SIGRTMAX-10
55) SIGRTMAX-9 56) SIGRTMAX-8 57) SIGRTMAX-7 58) SIGRTMAX-6
59) SIGRTMAX-5 60) SIGRTMAX-4 61) SIGRTMAX-3 62) SIGRTMAX-2
63) SIGRTMAX-1 64) SIGRTMAX
SSH客户端应用:
[root@Smoke init.d]# cd(切换到跟用户家目录)
[root@Smoke ~]# man ssh(查看ssh命令的man帮助文档)
ssh [-1246AaCfgkMNnqsTtVvXxY] [-b bind_address] [-c cipher_spec] [-D [bind_address:]port]
[-e escape_char] [-F configfile] [-i identity_file] [-L [bind_address:]port:host:hostport]
[-l login_name] [-m mac_spec] [-O ctl_cmd] [-o option] [-p port] [-R
[bind_address:]port:host:hostport] [-S ctl_path] [-w tunnel:tunnel] [user@]hostname(主机名称) [command]
[root@Smoke ~]# ssh 172.16.100.1(通过ssh客户端连接自己)
The authenticity of host '172.16.100.1 (172.16.100.1)' can't be established.(这台主机无法建立连接,无法识别身份)
RSA key fingerprint is ea:32:fd:b5:e6:d2:75:e2:c2:c2:8c:63:d4:82:4c:48.(对方发过来一个RSA类型的key,并显示rsa key的指纹)
Are you sure you want to continue connecting (yes/no)? no(是否接受这个连接)
Host key verification failed.(主机key确认失败)
[root@Smoke ~]# ssh 172.16.100.1(通过ssh客户端连接自己)
The authenticity of host '172.16.100.1 (172.16.100.1)' can't be established.(这台主机无法建立连接,无法识别身份)
RSA key fingerprint is ea:32:fd:b5:e6:d2:75:e2:c2:c2:8c:63:d4:82:4c:48.(对方发过来一个RSA类型的key,并显示rsa key的指纹)
Are you sure you want to continue connecting (yes/no)? yes(是否接受这个连接)
Warning: Permanently added '172.16.100.1' (RSA) to the list of known hosts.(这台主机无法建立连接,无法识别身份)
root@172.16.100.1's password: (输入密码,提示:默认既有用户,没指用户就使用root用户登录了,因为登录之前在本机上的用户,如果在登录远程主机之前
步指定用户,它就认为使用当前主机的用户当作远程登录的用户名来登录;)
Last login: Thu Dec 11 18:30:52 2014 from 172.16.100.254
[root@Smoke ~]# exit(退出登录)
[root@Smoke ~]# ssh -l root 172.16.100.1(通过ssh远程登录172.16.100.1,-l指定登录用户名)
root@172.16.100.1's password:
Last login: Thu Dec 11 18:41:23 2014 from 172.16.100.1
提示:第二次登录的时候再也不需要确认信任远程主机密钥,这是因为当你第一次确认接受以后,我们主机就假设本地客户端这是你已经认可的主机,因此他会将这个主
机远程主机的密钥信息保存到可信主机当中去的;
[root@Smoke ~]# ls -a(查看当前目录下所有文件及子目录)
. .ssh install.log Desktop
.. .config .thumbnails .bashrc
提示:每个用户只要登录了别人使用ls -a在当前用户家目录下会生成隐藏目录叫.ssh;
[root@Smoke ~]# cd .ssh/(切换到.ssh目录)
known_hosts
提示:在.ssh/目录下有个文件叫known_hosts,任何时候接受了远程主机,那个主机的公钥公钥信息就会被保存在这个文件里面,因此第二次登录的时候,这个主机的公
钥和远程主机的私钥双方建立会话,看能不能配上对,如果能配上对表示认可了对方的主机,所以第二次就不再需要了;
[root@Smoke .ssh]# cat known_hosts(查看known_hosts文件内容)
172.16.100.1 ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEA2u3cae3XewfEfh4TX8j2fO/VApFenzIwJlG80aZBVJVy1H/OiBf/Fx0leNIqgzdbpEMnbaEFkq0or
k+JHNW9Um0tOXSc+ZwXugaZ7r9ZUODNfMmRz2DffXxOc+B6hlOBkSw0iW6AQ+FxsLFwf8/+bsDfbBHnY1SuHQ/uNCY84hbuI6H2qY+dBSKhb/o57Hy63T567WkYoOcN
bvISdh0xqplKk/6ZcIqXSGjaJ0x9sJYevyyt5lY1Jjas37eTk86vF6MsU584nnp4PK04YN6ZFcu+9CpXSoZoY9y/La9KJO3J4d0cq8wxdErqUlJ0rbvH4wNjcl2q9Ec
fovKsmDb0UQ==
提示:要从新认可,可以清空known_hosts文件中相应主机的公钥信息;
[root@Smoke .ssh]# vim known_hosts(编辑known_hosts文件)
172.16.100.1 ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEA2u3cae3XewfEfh4TX8j2fO/VApFenzIwJlG80aZBVJVy1H/OiBf/Fx0leNIqgzdbpEMnbaEFkq0ork
+JHNW9Um0tOXSc+ZwXugaZ7r9ZUODNfMmRz2DffXxOc+B6hlOBkSw0iW6AQ+FxsLFwf8/+bsDfbBHnY1SuHQ/uNCY84hbuI6H2qY+dBSKhb/o57Hy63T567WkYoOcNb
vISdh0xqplKk/6ZcIqXSGjaJ0x9sJYevyyt5lY1Jjas37eTk86vF6MsU584nnp4PK04YN6ZFcu+9CpXSoZoY9y/La9KJO3J4d0cq8wxdErqUlJ0rbvH4wNjcl2q9Ecf
ovKsmDb0UQ==
dd(删除文件这行)
[root@Smoke .ssh]# cd(切换到root用户家目录)
[root@Smoke ~]# ssh -l root 172.16.100.1(通过ssh远程登录172.16.100.1,-l指定登录用户名)
The authenticity of host '172.16.100.1 (172.16.100.1)' can't be established.
RSA key fingerprint is ea:32:fd:b5:e6:d2:75:e2:c2:c2:8c:63:d4:82:4c:48.
Are you sure you want to continue connecting (yes/no)? yes
root@172.16.100.1's password:
Last login: Thu Dec 11 18:45:56 2014 from 172.16.100.254
提示:由于删除了/root/.ssh/known_hosts文件中主机的公钥,又需要信任远程主机的公钥;
[root@Smoke ~]# exit(退出登录)
SSH不登录远程主机直接执行远程主机命令,并把对方命令执行结果返回到本地:需要输入密码,
[root@Smoke ~]# ssh root@172.16.100.2 'ifconfig'(使用ssh不登陆主机172.16.100.2,但执行命令ifconifg)
The authenticity of host '172.16.100.2 (172.16.100.2)' can't be established.
RSA key fingerprint is 42:e9:a1:a0:c1:7f:bd:02:4b:4a:eb:54:17:4b:80:1b.
Are you sure you want to continue connecting (yes/no)? yes
root@172.16.100.1's password:
eth0 Link encap:Ethernet HWaddr 00:0C:29:8C:BF:0A
inet addr:172.16.100.2 Bcast:172.16.100.255 Mask:255.255.255.0
inet6 addr: fe80::20c:29ff:fe8c:bf0a/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:8004 errors:0 dropped:0 overruns:0 frame:0
TX packets:8330 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:2936324 (2.8 MiB) TX bytes:6488180 (6.1 MiB)
Interrupt:67 Base address:0x2000
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:875 errors:0 dropped:0 overruns:0 frame:0
TX packets:875 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:102540 (100.1 KiB) TX bytes:102540 (100.1 KiB)
提示:没有登录远程主机,只是执行远程主机的命令就退回来了;
[root@Smoke ~]# ifconfig(查看网卡信息)
eth0 Link encap:Ethernet HWaddr 00:0C:29:CC:FA:AE
inet addr:172.16.100.1 Bcast:172.16.100.255 Mask:255.255.255.0
inet6 addr: fe80::20c:29ff:fecc:faae/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:28609 errors:0 dropped:0 overruns:0 frame:0
TX packets:19450 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:2606620 (2.4 MiB) TX bytes:2487823 (2.3 MiB)
Interrupt:67 Base address:0x2000
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:10273 errors:0 dropped:0 overruns:0 frame:0
TX packets:10273 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:2885456 (2.7 MiB) TX bytes:2885456 (2.7 MiB)
[root@Smoke ~]# man ssh(查看ssh命令man帮助文档)
-X:登录到远程主机执行窗口命令,本地必须启动图形端;
-Y:登录到远程主机执行窗口命令,Y比X更安全,本地必须启动图形端;
如何实现基于密钥认证:
打开两台linux系统,一台作为SSH客户端,一台作为SSH服务器端;
[root@client ~]# ifconfig(查看主机网卡信息)
eth0 Link encap:Ethernet HWaddr 00:0C:29:CC:FA:AE
inet addr:172.16.100.1 Bcast:172.16.100.255 Mask:255.255.255.0
inet6 addr: fe80::20c:29ff:fecc:faae/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:30266 errors:0 dropped:0 overruns:0 frame:0
TX packets:20032 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:2760030 (2.6 MiB) TX bytes:2563351 (2.4 MiB)
Interrupt:67 Base address:0x2000
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:10940 errors:0 dropped:0 overruns:0 frame:0
TX packets:10940 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:2953251 (2.8 MiB) TX bytes:2953251 (2.8 MiB)
[root@Server ~]# ifconfig eth0 172.16.100.2/16(更改eth0接口ip地址)
[root@Server ~]# ifconfig(查看主机网卡信息)
eth0 Link encap:Ethernet HWaddr 00:0C:29:8C:BF:0A
inet addr:172.16.100.2 Bcast:172.16.100.255 Mask:255.255.255.0
inet6 addr: fe80::20c:29ff:fe8c:bf0a/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:9407 errors:0 dropped:0 overruns:0 frame:0
TX packets:8628 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:3063485 (2.9 MiB) TX bytes:6510664 (6.2 MiB)
Interrupt:67 Base address:0x2000
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:899 errors:0 dropped:0 overruns:0 frame:0
TX packets:899 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:105684 (103.2 KiB) TX bytes:105684 (103.2 KiB)
[root@client ~]# ping 172.16.100.2(ping测试172.16.100.2)
PING 172.16.100.2 (172.16.100.2) 56(84) bytes of data.
64 bytes from 172.16.100.2: icmp_seq=1 ttl=64 time=1.86 ms
64 bytes from 172.16.100.2: icmp_seq=2 ttl=64 time=0.205 ms
64 bytes from 172.16.100.2: icmp_seq=3 ttl=64 time=0.234 ms
--- 172.16.100.2 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2001ms
rtt min/avg/max/mdev = 0.205/0.767/1.864/0.775 ms
[root@client ~]# ssh -l root 172.16.100.2(通过ssh远程连接172.16.100.2主机,-l指定登录用户名)
The authenticity of host '172.16.100.2 (172.16.100.2)' can't be established.
RSA key fingerprint is 42:e9:a1:a0:c1:7f:bd:02:4b:4a:eb:54:17:4b:80:1b.
Are you sure you want to continue connecting (yes/no)? yes(接受远程主机的公钥)
Warning: Permanently added '172.16.100.2' (RSA) to the list of known hosts.
root@172.16.100.2's password: (输入密码)
Last login: Tue Nov 11 12:48:13 2014 from 172.16.100.1
[root@Server ~]# ifconfig(查看主机网卡信息)
eth0 Link encap:Ethernet HWaddr 00:0C:29:8C:BF:0A
inet addr:172.16.100.2 Bcast:172.16.100.255 Mask:255.255.255.0
inet6 addr: fe80::20c:29ff:fe8c:bf0a/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:15074 errors:0 dropped:0 overruns:0 frame:0
TX packets:10044 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:3584959 (3.4 MiB) TX bytes:6616656 (6.3 MiB)
Interrupt:67 Base address:0x2000
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:917 errors:0 dropped:0 overruns:0 frame:0
TX packets:917 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:109132 (106.5 KiB) TX bytes:109132 (106.5 KiB)
提示:已经通过ssh登录服务器端系统,可以通过查看网卡地址信息;
[root@Server ~]# exit(退出登录)
[root@client ~]# ssh -l root 172.16.100.2(通过ssh远程连接172.16.100.2主机,-l指定登录用户名)
root@172.16.100.2's password:
Last login: Tue Nov 11 12:50:39 2014 from 172.16.100.1
[root@Server ~]# exit(退出登录)
将远程主机文件服务复制到本地:
[root@client ~]# scp root@172.16.100.2:/etc/fstab ./(远程通过root用户复制172.16.100.2主机上/etc/fstab文件到本地主机当前目录)
root@172.16.100.2's password:
fstab 100% 532 0.5KB/s 00:00
[root@client ~]# vim fstab(编辑fstab文件)
LABEL=/ / ext3 defaults 1 1
LABEL=/boot /boot ext3 defaults 1 2
tmpfs /dev/shm tmpfs defaults 0 0
devpts /dev/pts devpts gid=5,mode=620 0 0
提示:复制过来的远程主机上的fstab文件,将后三行删除;
把本地文件复制到远程服务器:
[root@client ~]# scp fstab root@172.16.100.2:/root/(远程通过root用户复制本地fstab文件到远程主机172.16.100.2的root目录下)
root@172.16.100.2's password:
fstab 100% 304 0.3KB/s 00:00
[root@Server ~]# ls(查看当前目录文件及子目录)
anaconda-ks.cfg bash-3.2-32.el5.i386.rpm fstab id_rsa.pub install.log install.log.syslog
提示:查看远程主机的/root目录下存在fstab文件;
[root@Server ~]# vim fstab(编辑fstab文件)
LABEL=/ / ext3 defaults 1 1
LABEL=/boot /boot ext3 defaults 1 2
tmpfs /dev/shm tmpfs defaults 0 0
devpts /dev/pts devpts gid=5,mode=620 0 0
[root@client ~]# useradd haddop(添加hadoop用户)
[root@client ~]# su - hadoop(切换到hadoop用户)
[hadoop@client ~]$ ssh-keygen -t rsa(生成一对密钥,-t指定加密算法为rsa类型)
Generating public/private rsa key pair.
Enter file in which to save the key (/home/hadoop/.ssh/id_rsa): (指定私钥文件名称,生成公钥私钥对)
Created directory '/home/hadoop/.ssh'.(创建.ssh目录)
Enter passphrase (empty for no passphrase):(私钥需要加密,要使用密码才能访问,不然丢失私钥,别人会拿着我们私钥到处招摇撞骗,但是私钥加密码以后,
每次使用都要提供密码,所以我们都留空)
Enter same passphrase again:
Your identification has been saved in /home/hadoop/.ssh/id_rsa.(私钥文件)
Your public key has been saved in /home/hadoop/.ssh/id_rsa.pub.(公钥文件)
The key fingerprint is:
fa:38:aa:12:d7:bb:a8:ff:3f:c2:b6:b3:e8:3d:b2:e7 hadoop@client(指纹信息)
提示:会把密钥保存到用户家目录下的.ssh目录当中,并且明明为id_rsa和id_rsa.pub
ssh-keygen另外用法:
[hadoop@client ~]$ man ssh-keygen(查看ssh-keygen的man帮助文档)
ssh-keygen - authentication key generation, management and conversion
ssh-keygen [-q] [-b bits] -t type(-t不可省,必须指定加密算法rsa或dsa) [-N new_passphrase] [-C comment] [-f output_keyfile](
指定保存到什么位置)
ssh-keygen -p [-P old_passphrase] [-N new_passphrase](指定私钥密码) [-f keyfile]
ssh-keygen -i [-f input_keyfile]
ssh-keygen -e [-f input_keyfile]
ssh-keygen -y [-f input_keyfile]
ssh-keygen -c [-P passphrase] [-C comment] [-f keyfile]
ssh-keygen -l [-f input_keyfile]
ssh-keygen -B [-f input_keyfile]
ssh-keygen -D reader
ssh-keygen -F hostname [-f known_hosts_file]
ssh-keygen -H [-f known_hosts_file]
ssh-keygen -R hostname [-f known_hosts_file]
ssh-keygen -U reader [-f input_keyfile]
ssh-keygen -r hostname [-f input_keyfile] [-g]
ssh-keygen -G output_file [-v] [-b bits] [-M memory] [-S start_point]
ssh-keygen -T output_file -f input_file [-v] [-a num_trials] [-W generator]
[hadoop@client ~]$ rm -rf .ssh/(删除.ssh目录,-r递归删除,-f强制删除)
[hadoop@client ~]$ ssh-keygen -t rsa(生成一对密钥,公钥和私钥,-t指定加密算法rsa)
Generating public/private rsa key pair.
Enter file in which to save the key (/home/hadoop/.ssh/id_rsa): (指定私钥文件名称,生成公钥私钥对)
Created directory '/home/hadoop/.ssh'.(创建.ssh目录)
Enter passphrase (empty for no passphrase): (私钥需要加密,要使用密码才能访问,不然丢失私钥,别人会拿着我们私钥到处招摇撞骗,但是私钥加密以后,
每次使用都要提供密码,所以我们留空)
Enter same passphrase again:
Your identification has been saved in /home/hadoop/.ssh/id_rsa.(私钥文件)
Your public key has been saved in /home/hadoop/.ssh/id_rsa.pub.(公钥文件)
The key fingerprint is:
92:5d:e3:d5:a4:69:0c:70:b3:ea:52:a6:8e:d7:a2:3c hadoop@client(指纹信息)
[hadoop@client ~]$ ll -ha(查看当前目录所有文件或子目录详细信息)
total 80K
drwx------ 4 hadoop hadoop 4.0K Dec 12 05:21 .
drwxr-xr-x 7 root root 4.0K Dec 12 05:09 ..
-rw------- 1 hadoop hadoop 731 Dec 11 09:23 .bash_history
-rw-r--r-- 1 hadoop hadoop 33 Dec 3 12:16 .bash_logout
-rw-r--r-- 1 hadoop hadoop 176 Dec 3 12:16 .bash_profile
-rw-r--r-- 1 hadoop hadoop 124 Dec 3 12:16 .bashrc
-rw-r--r-- 1 hadoop hadoop 515 Dec 3 12:16 .emacs
drwxr-xr-x 4 hadoop hadoop 4.0K Dec 3 12:16 .mozilla
drwx------ 2 hadoop hadoop 4.0K Dec 12 05:21 .ssh
-rw------- 1 hadoop hadoop 512 Dec 11 06:16 .viminfo
提示:.ssh目录权限为700的,如果这个权限多了的话,ssh客户端是无法使用的,所以删除以后要自己建注意改变它的权限;
[hadoop@client ~]$ rm -rf .ssh/*(删除.ssh目录中所有文件,-r递归删除,-f强制删除)
[hadoop@client ~]$ ssh-keygen -t rsa -f .ssh/id_rsa(生成一对密钥,公钥和私钥,-t指定加密算法rsa,-f指定私钥保存位置)
Generating public/private rsa key pair.
Enter passphrase (empty for no passphrase): (私钥需要加密,要使用密码才能访问,不然丢失私钥,别人会拿着我们私钥到处招摇撞骗,但是私钥加密以后,
每次使用都要提供密码,所以我们留空)
Enter same passphrase again:
Your identification has been saved in .ssh/id_rsa.(私钥文件)
Your public key has been saved in .ssh/id_rsa.pub.(公钥文件)
The key fingerprint is:
27:50:27:db:5c:13:d8:8f:a4:ba:47:c9:fd:e9:1e:a7 hadoop@client(指纹信息)
[hadoop@client ~]$ !rm(执行命令历史中最近一个以rm字符串开头的命令,删除.ssh目录下所有文件,-r递归删除,-f强制删除)
rm -rf .ssh/*
[hadoop@client ~]$ ssh-keygen -t rsa -f .ssh/id_rsa -N ''(生成一对密钥,公钥和私钥,-t指定加密算法rsa,-f指定私钥保存位置,-N ''指定私钥
密码为空)
Generating public/private rsa key pair.
Your identification has been saved in .ssh/id_rsa.(私钥文件)
Your public key has been saved in .ssh/id_rsa.pub.(公钥文件)
The key fingerprint is:
90:32:fa:6d:fa:83:bc:f9:40:99:0c:f9:05:fd:16:4f hadoop@client(指纹信息)
[hadoop@client ~]$ ssh-keygen -t rsa -f .ssh/id_rsa -N ''(生成一对密钥,公钥和私钥,-t指定加密算法rsa,-f指定私钥保存位置,-N ''指定私钥
密码为空)
Generating public/private rsa key pair.
.ssh/id_rsa already exists.
Overwrite (y/n)? y(第二次生成提醒密钥是否覆盖)
Your identification has been saved in .ssh/id_rsa.
Your public key has been saved in .ssh/id_rsa.pub.
The key fingerprint is:
cc:cd:e3:1e:8f:aa:47:f5:3d:8c:30:d3:17:84:3e:54 hadoop@client
[hadoop@client ~]$ ssh-copy-id -i .ssh/id_rsa.pub root@172.16.100.2(通过ssh-copy-id将.ssh/id_rsa.pub公钥文件复制到远程主机172.16.
100.2,以root用户登录)
15
The authenticity of host '172.16.100.2 (172.16.100.2)' can't be established.
RSA key fingerprint is 42:e9:a1:a0:c1:7f:bd:02:4b:4a:eb:54:17:4b:80:1b.
Are you sure you want to continue connecting (yes/no)? yes(这里又让输入yes,但是此前使用管理员登录过主机172.16.100.2,因为当前主机是另
外一个用户hadoop)
Warning: Permanently added '172.16.100.2' (RSA) to the list of known hosts.
root@172.16.100.2's password: (输入密码)
Now try logging into the machine, with "ssh 'root@172.16.100.2'", and check in:
.ssh/authorized_keys
to make sure we haven't added extra keys that you weren't expecting.
提示:ssh-copy-id不但能讲.ssh/id_rsa.pub文件复制到远程主机,还能够将公钥放到.ssh/authorized_keys文件中;
[hadoop@client ~]$ ssh -l root 172.16.100.2(通过ssh远程登录172.16.100.2主机,-l指定登录用户)
Last login: Tue Nov 11 12:54:08 2014 from 172.16.100.1
提示:不需要输入密码,远程主机172.16.100.2有当前主机的公钥文件;
[hadoop@client ~]$ ssh -l root 172.16.100.2(通过ssh远程登录172.16.100.2主机,-l指定登录用户)
Last login: Tue Nov 11 13:50:33 2014 from 172.16.100.1
问题:我们通过172.16.100.2能不能远程登录到172.16.100.1也不需要输入密码,不能,这种信任是单向的;
[root@Server ~]# cd .ssh/(切换到.ssh目录)
[root@Server .ssh]# cat authorized_keys(查看authorized_key文件内容)
ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAzqIiyyEqp5pa8KA0KZA38Ktau8uh1nCfzg67IsowCYr+d+YVQcp/SH8GH2wwGokNdKHMCl1b+8BOMpNovjnyN/0WOS
YVIOVyb+77TxI3PTgO0uyg8pfI/Nd58U7EXyweNK/ZZN21m5O3KV2DXvmMgpEcfR8VSEyB8KwDNI39XY/HNTkfL7klWL3sFC3U39BNgXB9ft3yyDrWfzSyOCqV0pAv
5dd+SqdYYQ2SD6yqZamFNLsTBKkxBjT9TKKSOQb3bANn9htTnN/KqwTk6jYOG1EuuxAsGkuOH9qvDNoSj6VeT+FXBuYmJ7Dkb26tVVg5evfnJlbZxn7fSsiXLWMCgQ
== hadoop@client
[root@Server .ssh]# exit(退出登录)
sftp基于ssh的ftp,即是客户端也是服务端:
[hadoop@client ~]$ sftp root@172.16.100.2(通过sftp远程连接172.16.100.2主机)
Connecting to 172.16.100.2...
sftp> ls(查看当前目录文件及子目录)
anaconda-ks.cfg bash-3.2-32.el5.i386.rpm fstab id_rsa.pub
install.log install.log.syslog
提示:如果SSH已经配置了主机互信,连密码都不需要输入)
sftp> cd /etc(切换到/etc目录)
sftp> ls(查看当前目录文件及子目录)
DIR_COLORS DIR_COLORS.xterm Muttrc Muttrc.local
NetworkManager X11 a2ps-site.cfg a2ps.cfg
acpi adjtime aliases aliases.db
alsa alternatives anacrontab asound.state
at.deny audisp audit auto.master
auto.misc auto.net auto.smb autofs_ldap_auth.conf
avahi bashrc blkid bluetooth
bonobo-activation capi.conf cdrecord.conf conman.conf
cron.d cron.daily cron.deny cron.hourly
cron.monthly cron.weekly crontab csh.cshrc
csh.login cups dbus-1 default
depmod.d desktop-profiles dev.d dhcp6c.conf
dnsmasq.conf dnsmasq.d dumpdates enscript.cfg
environment esd.conf exports fb.modes
filesystems fonts foomatic fstab
gconf gcrypt gdm ghostscript
gimp gnome-vfs-2.0 gnome-vfs-mime-magic gpm-root.conf
gre.d group group- grub.conf
gshadow gshadow- gssapi_mech.conf gtk-2.0
hal host.conf hosts hosts.allow
hosts.deny hp httpd idmapd.conf
init.d initlog.conf inittab inputrc
iproute2 iscsi isdn issue
issue.net java jvm jvm-commmon
jwhois.conf krb5.conf ld.so.cache ld.so.conf
ld.so.conf.d ldap.conf lftp.conf libaudit.conf
libuser.conf localtime login.defs logrotate.conf
logrotate.d logwatch lsb-release.d lvm
mail mail.rc mailcap makedev.d
man.config maven mgetty+sendfax mime.types
minicom.users mke2fs.conf modprobe.conf modprobe.conf~
modprobe.d motd mtab mtools.conf
multipath.conf netplug netplug.d nscd.conf
nsswitch.conf ntp ntp.conf oddjob
oddjobd.conf oddjobd.conf.d openldap opt
pam.d pam_pkcs11 pam_smb.conf pango
passwd passwd- pcmcia pinforc
pki pm ppp prelink.cache
prelink.conf prelink.conf.d printcap profile
profile.d protocols purple quotagrpadmins
quotatab racoon rc rc.d
rc.local rc.sysinit rc0.d rc1.d
rc2.d rc3.d rc4.d rc5.d
rc6.d readahead.d reader.conf reader.conf.d
redhat-lsb redhat-release request-key.conf resolv.conf
resolv.conf.predhclient rhgb rmt rpc
rpm rsyslog.conf rwtab rwtab.d
samba sane.d sasl2 scim
scrollkeeper.conf scsi_id.config securetty security
selinux services sestatus.conf setuptool.d
sgml shadow shadow- shells
skel slrn.rc smartd.conf smrsh
sound ssh stunnel sudoers
sysconfig sysctl.conf syslog.conf tcsd.conf
termcap udev updatedb.conf vimrc
virc warnquota.conf wgetrc wpa_supplicant
wvdial.conf xdg xinetd.d xml
yp.conf yum yum.conf yum.repos.d sftp> get(下载文件)
sftp> help(查看sftp的命令帮助)
Available commands:
cd path Change remote directory to 'path'
lcd path Change local directory to 'path'
chgrp grp path Change group of file 'path' to 'grp'
chmod mode path Change permissions of file 'path' to 'mode'
chown own path Change owner of file 'path' to 'own'
help Display this help text
get remote-path [local-path] Download file
lls [ls-options [path]] Display local directory listing
ln oldpath newpath Symlink remote file
lmkdir path Create local directory
lpwd Print local working directory
ls [path] Display remote directory listing
lumask umask Set local umask to 'umask'
mkdir path Create remote directory
progress Toggle display of progress meter
put local-path [remote-path] Upload file
pwd Display remote working directory
exit Quit sftp
quit Quit sftp
rename oldpath newpath Rename remote file
rmdir path Remove remote directory
rm path Delete remote file
symlink oldpath newpath Symlink remote file
version Show SFTP version
!command Execute 'command' in local shell
! Escape to local shell
? Synonym for help
提示:通过sftp下载文件,数据是加密的,以后要想从远程主机复制文件,只要对方支持SSH和SFTP,不需要创建FTP服务器,直接使用sftp连接上去,能访问的文件都可以访
问,而且可以直接下载;
sftp> exit(退出sftp登录)
[hadoop@client ~]$ exit(退出)
[root@client ~]# man ssh(查看ssh命令man帮助文档)
ssh [-1246AaCfgkMNnqsTtVvXxY] [-b bind_address] [-c cipher_spec] [-D [bind_address:]port]
[-e escape_char] [-F configfile] [-i identity_file] [-L [bind_address:]port:host:hostport]
[-l login_name] [-m mac_spec] [-O ctl_cmd] [-o option] [-p port](指定端口) [-R
[bind_address:]port:host:hostport] [-S ctl_path] [-w tunnel:tunnel] [user@]hostname [command]
Xshell client远程登录也不需要密码:要想步输入密码要本地保存密钥;
客户端生成密钥:
在Xshell客户端菜单工具-新建用户密钥生成向导;
选择加密算法RSA,密钥长度1024,选择下一步;
正在生成,点击下一步,保存密钥id_rsa_1024文件名,要不要密码加密私钥,不加密算则下一步;
选择版本格式为SSH2-OpenSSH,选择保存为文件,将公钥保存到桌面上,选择完成;
如果想导入用户的私钥或导出用户私钥可以选择导入或导出,选择关闭;
通过Xshell的新建文件传输,将导出到桌面的id_rsa_1024.pub公钥传进如linux系统里面;
[root@client ~]# cat id_rsa_1024.pub >> .ssh/authorized_keys(查看id_rsa_1024.pub文件内容,将输出结果追加到authorized_keys文件中) [c:\~]$ ssh 172.16.100.1(通过ssh登录主机172.16.100.1)
输入用户名;
选择使用Public Key(U),点击确定;
[root@client ~]# (登录成功) 如果服务器改变端口: [root@client ~]# vim /etc/ssh/sshd_config(编辑sshd服务器配置文件) Port 2233(更改SSH连接端口为2233) [root@client ~]# service sshd restart(重新启动sshd服务) Stopping sshd: [ OK ] Starting sshd: [ OK ] [root@client ~]# logout(退出登录) [c:\~]$ ssh 172.16.100.1(通过ssh连接172.16.100.1主机) Connecting to 172.16.100.1:22... Could not connect to '172.16.100.1' (port 22): Connection failed. Type `help' to learn how to use Xshell prompt. 提示:由于服务器更改端口为2233,而默认SSH使用端口22连接,因此连接失败; [c:\~]$ ssh 172.16.100.1 2233(通过ssh连接172.16.100.1主机,指定连接端口2233) [root@client ~]# (登录成功) [root@client ~]# vim /etc/ssh/sshd_config(编辑sshd服务的配置文件) #Port 22(改变为默认端口) [root@client ~]# service sshd restart(重启SSHD服务) Stopping sshd: [ OK ] Starting sshd: [ OK ]
浙公网安备 33010602011771号