N46 Cohort - Week 8 Assignment

1. What three parts make up the symmetric encryption process?

Answer: The symmetric encryption process consists of three parts: the plaintext, the key, and the encryption algorithm. In symmetric encryption, the sender takes the original data (the plaintext) and the encryption key, runs them through the encryption algorithm, and sends out the resulting ciphertext. To read the original, the receiver decrypts the ciphertext with the same key and the inverse of the same algorithm, recovering the readable plaintext. A symmetric algorithm uses a single key: sender and receiver use the same key both to encrypt and to decrypt the data.


2. Use OpenSSL's AES symmetric encryption to encrypt the file file.txt, then decrypt it

Answer:

Encrypt:
openssl enc -e -aes256 -a -salt -in ./file.txt -out ./file.enc
enter aes-256-cbc encryption password:   (enter the password)
Verifying - enter aes-256-cbc encryption password:   (enter the password again)

Decrypt:
openssl enc -d -aes256 -a -salt -in ./file.enc -out file.new
enter aes-256-cbc decryption password:   (enter the password that was set at encryption time)
*** WARNING : deprecated key derivation used.
Using -iter or -pbkdf2 would be better.
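As an added example (not part of the original assignment), the same round trip written as a shell script that does what the warning above asks for: with -pbkdf2 -iter, openssl enc derives the key from the password with PBKDF2 instead of the deprecated EVP_BytesToKey scheme. The script then checks both that the decrypted file matches the original and that a wrong password does not yield it. File names, file contents and passwords are constructed for the example.

```sh
#!/bin/sh
# Added example, not from the original assignment: AES-256-CBC encrypt/decrypt
# with `openssl enc`, using PBKDF2 key derivation (-pbkdf2 -iter) instead of
# the deprecated default that triggers the "deprecated key derivation" warning.
# File names, contents and passwords below are constructed for this example.
set -eu

ITER=100000   # PBKDF2 iteration count; not stored in the output, so both sides must agree

# aes_encrypt IN OUT PASSWORD
# -salt stores a fresh random salt in the "Salted__" header, so equal files
# encrypted with the same password still give different ciphertext.
aes_encrypt() {
    openssl enc -e -aes-256-cbc -a -salt -pbkdf2 -iter "$ITER" \
        -pass "pass:$3" -in "$1" -out "$2"
}

# aes_decrypt IN OUT PASSWORD
# With a wrong password the CBC padding check almost always fails ("bad decrypt").
aes_decrypt() {
    openssl enc -d -aes-256-cbc -a -pbkdf2 -iter "$ITER" \
        -pass "pass:$3" -in "$1" -out "$2"
}

# roundtrip_ok DIR PASSWORD : prints "match" when encrypt -> decrypt returns the
# original bytes of DIR/file.txt, "mismatch" otherwise.
roundtrip_ok() {
    dir="$1"; pw="$2"
    aes_encrypt "$dir/file.txt" "$dir/file.enc" "$pw"
    aes_decrypt "$dir/file.enc" "$dir/file.new" "$pw"
    if cmp -s "$dir/file.txt" "$dir/file.new"; then echo match; else echo mismatch; fi
}

# wrong_password_rejected DIR PASSWORD WRONG : prints "rejected" when decrypting
# with WRONG either fails outright or produces bytes that differ from the original.
wrong_password_rejected() {
    dir="$1"
    aes_encrypt "$dir/file.txt" "$dir/file.enc" "$2"
    if aes_decrypt "$dir/file.enc" "$dir/file.bad" "$3" 2>/dev/null \
        && cmp -s "$dir/file.txt" "$dir/file.bad"; then
        echo accepted
    else
        echo rejected
    fi
}

# Stand-alone demo on a constructed file.
demo_dir=$(mktemp -d)
printf 'this is the content of file.txt\n' > "$demo_dir/file.txt"
echo "round trip with correct password: $(roundtrip_ok "$demo_dir" 's3cret')"
echo "decrypt with wrong password: $(wrong_password_rejected "$demo_dir" 's3cret' 'wrong')"
rm -rf "$demo_dir"
```

Passing the password as -pass pass:... makes it visible in the process list, which is acceptable for a throwaway test; for real files keep the interactive prompt used in the answer above, or use -pass file:/path with a file readable only by you. The -iter value is not recorded in the encrypted output, so decryption must use the same value.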

3. Build a CA and request a certificate

Answer:

(1) Create the CA directories
# mkdir -pv /etc/pki/CA/{certs,crl,newcerts,private}

(2) Create the certificate index database file
# touch /etc/pki/CA/index.txt

(3) Set the serial number of the first certificate to be issued
# echo 01 > /etc/pki/CA/serial

(4) Generate the CA private key
# cd /etc/pki/CA
# (umask 066;openssl genrsa -out private/cakey.pem 2048)

(5) Generate the CA's self-signed certificate
# openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -days 3650 -out /etc/pki/CA/cacert.pem
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:beijing
Locality Name (eg, city) [Default City]:beijing
Organization Name (eg, company) [Default Company Ltd]:magedu
Organizational Unit Name (eg, section) []:it
Common Name (eg, your name or your server's hostname) []:ca.magedu.org
Email Address []:
# tree /etc/pki/CA
.
├── cacert.pem
├── certs
├── crl
├── index.txt
├── newcerts
├── private
│   └── cakey.pem
└── serial

(6) Request a certificate for an application:
# (umask 066; openssl genrsa -out /data/test.key 2048)

Generate the certificate signing request:
# openssl req -new -key /data/test.key -out /data/test.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:beijing
Locality Name (eg, city) [Default City]:beijing
Organization Name (eg, company) [Default Company Ltd]:magedu
Organizational Unit Name (eg, section) []:market
Common Name (eg, your name or your server's hostname) []:app.magedu.org
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

(7) The CA signs the certificate and issues it to the requester
# openssl ca -in /data/test.csr -out /etc/pki/CA/certs/test.crt
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 1 (0x1)
Validity
Not Before: Jul 19 23:07:58 2020 GMT
Not After : Jul 19 23:07:58 2021 GMT
Subject:
countryName = CN
stateOrProvinceName = beijing
organizationName = magedu
organizationalUnitName = mak\1B[C\1Barket
commonName = app.magedu.org
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
60:63:A6:B1:6D:46:3E:03:9C:88:0C:76:7E:AB:4A:2D:2B:56:99:0E
X509v3 Authority Key Identifier:
keyid:20:1D:88:68:AF:B9:0B:1B:BF:20:7E:AB:C9:D8:B1:F1:1B:AB:CA:85

Certificate is to be certified until Jul 19 23:07:58 2021 GMT (365 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

# tree /etc/pki/CA
.
├── cacert.pem
├── certs
│   └── test.crt
├── crl
├── index.txt
├── index.txt.attr
├── index.txt.old
├── newcerts
│   └── 01.pem
├── private
│   └── cakey.pem
├── serial
└── serial.old

4 directories, 9 files

test.crt is the requested certificate, issued by the private CA.
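As an added example (not part of the original assignment), steps (1) to (7) above condensed into one script that runs against a temporary directory. A minimal openssl.cnf written by the script stands in for /etc/pki/tls/openssl.cnf, openssl ca runs in -batch mode so the y/n prompts shown above do not appear, and the check the assignment stops short of is added: openssl verify confirms that the issued certificate chains to the CA, and the CA:TRUE / CA:FALSE basic constraints of the two certificates are inspected. The directory, the subjects and the hostnames ca.example.test and app.example.test are constructed.

```sh
#!/bin/sh
# Added example, not from the original assignment: build a throwaway private
# CA, issue one certificate with `openssl ca` in batch mode, and verify it.
# The config below is a minimal stand-in for /etc/pki/tls/openssl.cnf; all
# paths, subjects and hostnames are constructed for this example.
set -eu

# write_ca_config CA_DIR : minimal config for `openssl ca` and `openssl req`.
write_ca_config() {
    cat > "$1/openssl.cnf" <<EOF
[ ca ]
default_ca = CA_default

[ CA_default ]
dir             = $1
database        = \$dir/index.txt
new_certs_dir   = \$dir/newcerts
certificate     = \$dir/cacert.pem
private_key     = \$dir/private/cakey.pem
serial          = \$dir/serial
default_days    = 365
default_md      = sha256
policy          = policy_any
x509_extensions = usr_cert

[ policy_any ]
countryName            = optional
stateOrProvinceName    = optional
organizationName       = optional
organizationalUnitName = optional
commonName             = supplied
emailAddress           = optional

[ usr_cert ]
# leaf certificates must not be able to sign further certificates
basicConstraints       = CA:FALSE
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid,issuer

[ v3_ca ]
basicConstraints       = critical,CA:TRUE
keyUsage               = critical,keyCertSign,cRLSign
subjectKeyIdentifier   = hash

[ req ]
distinguished_name = req_dn
[ req_dn ]
EOF
}

# build_ca CA_DIR : steps (1)-(5): directories, index, serial, CA key, CA cert.
build_ca() {
    ca="$1"
    mkdir -p "$ca/certs" "$ca/crl" "$ca/newcerts" "$ca/private"
    chmod 700 "$ca/private"
    : > "$ca/index.txt"
    echo 01 > "$ca/serial"
    write_ca_config "$ca"
    (umask 066; openssl genrsa -out "$ca/private/cakey.pem" 2048 2>/dev/null)
    openssl req -new -x509 -config "$ca/openssl.cnf" -extensions v3_ca \
        -key "$ca/private/cakey.pem" -days 3650 \
        -subj "/C=CN/O=example/CN=ca.example.test" -out "$ca/cacert.pem"
}

# issue_cert CA_DIR CN : steps (6)-(7): application key, CSR, signing by the CA.
# Prints "OK" when the issued certificate verifies against the CA certificate.
issue_cert() {
    ca="$1"; cn="$2"
    (umask 066; openssl genrsa -out "$ca/$cn.key" 2048 2>/dev/null)
    openssl req -new -config "$ca/openssl.cnf" -key "$ca/$cn.key" \
        -subj "/C=CN/O=example/CN=$cn" -out "$ca/$cn.csr"
    openssl ca -batch -notext -config "$ca/openssl.cnf" \
        -in "$ca/$cn.csr" -out "$ca/certs/$cn.crt" 2>/dev/null
    if openssl verify -CAfile "$ca/cacert.pem" "$ca/certs/$cn.crt" >/dev/null 2>&1; then
        echo OK
    else
        echo FAIL
    fi
}

# cert_is_ca CERT : succeeds when the certificate carries CA:TRUE.
cert_is_ca() {
    openssl x509 -noout -text -in "$1" | grep -q 'CA:TRUE'
}

# Stand-alone demo.
demo=$(mktemp -d)
build_ca "$demo"
echo "app.example.test: $(issue_cert "$demo" app.example.test)"
rm -rf "$demo"
```

After issue_cert runs, index.txt, serial (now 02, with serial.old holding 01) and newcerts/01.pem evolve as in the tree listing above. To inspect the issued certificate, use openssl x509 -noout -subject -issuer -dates -in certs/app.example.test.crt.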


4. Use a script to set up key-based passwordless login for multiple users

Answer: vim push_key.sh

#!/bin/bash
#********************************************************************
#Author: jiquanquan
#QQ: 298007250
#Date: 2020-07-21
#FileName: push_key.sh
#URL: http://www.example.com
#Description: The test script
#Copyright (C): 2020 All rights reserved
#********************************************************************
# Install the EPEL repository: sshpass is not in the base repository.
yum install -y epel-release &> /dev/null
# Install sshpass, which feeds a stored password to ssh non-interactively.
yum install -y sshpass &> /dev/null
# Network part of the address; the host part is appended in the loop.
net=192.168.1
# root password that the target hosts were set up with in advance
pass=123456
# Generate the client key pair with an empty passphrase, unless it already exists
# (otherwise ssh-keygen waits for an "Overwrite?" answer that the redirection hides).
[ -f /root/.ssh/id_rsa ] || ssh-keygen -P "" -f /root/.ssh/id_rsa &> /dev/null
# Push the public key to every host in the /24; each copy runs in the background.
for i in {1..254};do
{
  sshpass -p "$pass" ssh-copy-id -o StrictHostKeyChecking=no -i /root/.ssh/id_rsa.pub $net.$i &> /dev/null
}&
done
# Wait for all background copies to finish before the script exits.
wait

1. Install the EPEL repository, because the sshpass tool is not in the base repository.

2. Install the sshpass tool.

3. Set a net variable holding only the network part of the address; the host part is appended later.

4. Put the root password that the target hosts were set up with in advance into the pass variable.

5. Generate the client host's public/private key pair with ssh-keygen, without showing anything on screen.

6. Write a for loop whose body runs in the background, so that all hosts are handled concurrently. sshpass -p $pass supplies the pre-provided password automatically, so no interaction is needed. ssh-copy-id -o StrictHostKeyChecking=no -i /root/.ssh/id_rsa.pub $net.$i copies the client's public key to the server without host key verification and creates the authorized_keys file under /root/.ssh on the server; authorized_keys holds the client's public key.
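As an added example (not part of the original assignment, and not ssh-copy-id's own code), the effect that step 6 describes on the remote side, reproduced locally in a temporary directory so it can be inspected: the public key is appended to .ssh/authorized_keys only if it is not already there, and .ssh and authorized_keys receive the 700/600 permissions that sshd requires before it accepts the key. The home directory and the key line are constructed (the key is not a real key).

```sh
#!/bin/sh
# Added example, not from the original assignment: what ssh-copy-id leaves
# behind on each target host, done locally. Installs a public key into
# HOME_DIR/.ssh/authorized_keys idempotently and with the permissions sshd's
# StrictModes requires. HOME_DIR and the key line are constructed here.
set -eu

# key_body PUBKEY_FILE : the "type base64" part of an OpenSSH public key line,
# without the trailing comment, which may differ from host to host.
# Assumes plain key lines without a leading options field (e.g. command="...").
key_body() {
    awk 'NF >= 2 { print $1 " " $2; exit }' "$1"
}

# install_authorized_key HOME_DIR PUBKEY_FILE
# Prints "added" the first time and "already-present" on every later run, so
# pushing the same key again (as re-running push_key.sh would) is harmless.
install_authorized_key() {
    sshdir="$1/.ssh"; auth="$sshdir/authorized_keys"
    mkdir -p "$sshdir"
    chmod 700 "$sshdir"        # sshd ignores the keys if .ssh is group/world writable
    [ -f "$auth" ] || : > "$auth"
    chmod 600 "$auth"
    body=$(key_body "$2")
    if awk 'NF >= 2 { print $1 " " $2 }' "$auth" | grep -qxF -- "$body"; then
        echo already-present
    else
        cat "$2" >> "$auth"
        echo added
    fi
}

# count_authorized_keys HOME_DIR : number of key lines (blank and comment lines ignored)
count_authorized_keys() {
    awk 'NF && $1 !~ /^#/ { n++ } END { print n + 0 }' "$1/.ssh/authorized_keys"
}

# Stand-alone demo with a constructed (not real) key line.
demo=$(mktemp -d)
printf 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedNotARealKey00000000000 root@client\n' \
    > "$demo/id_ed25519.pub"
install_authorized_key "$demo/home" "$demo/id_ed25519.pub"
install_authorized_key "$demo/home" "$demo/id_ed25519.pub"
echo "keys installed: $(count_authorized_keys "$demo/home")"
rm -rf "$demo"
```

The comparison looks only at the key type and base64 body, so a key that was previously installed with a different comment is still recognised. With sshd's StrictModes left at its default of yes, a group- or world-writable .ssh directory or authorized_keys file silently disables key login; that is the first thing to check when the push reports success but the login still asks for a password.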


Posted 2020-07-20 22:16 by 索玛, 385 reads, 0 comments