一.实战:CentOS 8实现私有CA和证书申请
1. 创建CA相关目录和文件
[root@centos8 ~]# mkdir -pv /etc/pki/CA/{certs,crl,newcerts,private}
mkdir: created directory '/etc/pki/CA'
mkdir: created directory '/etc/pki/CA/certs'
mkdir: created directory '/etc/pki/CA/crl'
mkdir: created directory '/etc/pki/CA/newcerts'
mkdir: created directory '/etc/pki/CA/private'
[root@centos8 ~]# tree /etc/pki/CA
/etc/pki/CA
├── certs
├── crl
├── newcerts
└── private
4 directories, 0 files
[root@centos8 ~]# touch /etc/pki/CA/index.txt
[root@centos8 ~]# echo 0F >/etc/pki/CA/serial
[root@centos8 ~]# openssl ca -in /data/app1/app1/csr -out /etc/pki/CA/certs/app1.crt -days 3650
Using configuration from /etc/pki/tls/openssl.cnf
Can't open /etc/pki/CA/private/cakey.pem for reading, No such file or directory
140555057243968:error:02001002:system library:fopen:No such file or directory:crypto/bio/bss_file.c:69:fopen('/etc/pki/CA/private/cakey.pem','r')
140555057243968:error:2006D080:BIO routines:BIO_new_file:no such file:crypto/bio/bss_file.c:76:
unable to load CA private key
2. 创建CA的私钥
[root@centos8 ~]# cd /etc/pki/CA
[root@centos8 CA]# (umask 066;openssl genrsa -out private/cakey.pem 2048)
Generating RSA private key, 2048 bit long modulus (2 primes)
..+++++
..............................................................................................................................+++++
e is 65537 (0x010001)
[root@centos8 CA]# tree
.
├── certs
├── crl
├── index.txt
├── newcerts
├── private
│ └── cakey.pem
└── serial
4 directories, 3 files
[root@centos8 CA]# ll private/
total 4
-rw------- 1 root root 1679 Dec 29 18:33 cakey.pem
[root@centos8 CA]# cat private/cakey.pem
-----BEGIN RSA PRIVATE KEY-----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-----END RSA PRIVATE KEY-----
3. 给CA颁发自签名证书
[root@centos8 CA]# openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -days 3650 -out /etc/pki/CA/cacert.pem
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:shaanxi
Locality Name (eg, city) [Default City]:xi'an
Organization Name (eg, company) [Default Company Ltd]:neteagles
Organizational Unit Name (eg, section) []:it
Common Name (eg, your name or your server's hostname) []:ca.neteagles.cn
Email Address []:admin@neteagles.cn
[root@centos8 CA]# tree
.
├── cacert.pem
├── certs
├── crl
├── index.txt
├── newcerts
├── private
│ └── cakey.pem
└── serial
4 directories, 4 files
[root@centos8 CA]# cat cacert.pem
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
[root@centos8 CA]# openssl x509 -in /etc/pki/CA/cacert.pem -noout -text
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
0d:bd:2c:85:28:4d:97:04:80:3b:ab:f3:f2:4d:7a:a2:94:5c:ee:08
Signature Algorithm: sha256WithRSAEncryption
Issuer: C = CN, ST = shaanxi, L = xi'an, O = neteagles, OU = it, CN = ca.neteagles.cn, emailAddress = admin@neteagles.cn
Validity
Not Before: Dec 29 10:37:21 2020 GMT
Not After : Dec 27 10:37:21 2030 GMT
Subject: C = CN, ST = shaanxi, L = xi'an, O = neteagles, OU = it, CN = ca.neteagles.cn, emailAddress = admin@neteagles.cn
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public-Key: (2048 bit)
Modulus:
00:b3:c7:0d:41:c1:aa:1d:8e:18:5c:3c:3d:c6:84:
d7:6d:f1:58:80:83:95:ba:57:f1:55:f7:e5:61:1a:
96:41:41:67:3d:20:c5:87:e8:31:61:05:c7:46:45:
7c:2b:b5:4c:86:80:15:78:f5:49:93:44:39:2f:51:
d0:8c:5d:7f:a3:b3:d2:65:1b:9e:cc:68:5f:49:10:
02:cc:5a:ff:8d:39:b3:5a:d3:ee:3d:ce:af:40:f7:
92:90:3f:f0:cf:4f:54:83:4e:f0:07:6b:20:9c:ac:
9c:24:f2:65:6e:47:01:3a:c9:de:15:ce:c3:ab:52:
59:bb:4c:15:58:4b:f7:fe:db:bb:35:67:d9:2b:02:
f6:05:b6:d4:d1:bc:c6:03:d6:82:76:cd:35:56:20:
75:62:73:f6:cb:30:90:6a:18:11:e7:9b:05:20:49:
35:cf:50:e4:9b:e2:42:b9:c2:80:61:e7:1a:76:07:
0d:90:d4:eb:be:2c:9a:d5:4e:4e:a4:0c:a5:1a:df:
6c:4a:11:6f:13:b2:8f:6d:49:99:63:41:b7:e1:96:
92:03:d7:1e:43:01:21:30:17:f6:df:6c:08:d2:1c:
50:42:fe:1b:ef:46:67:9d:e4:da:60:75:f5:2f:db:
17:1b:19:34:f8:d6:2f:6d:d3:91:b3:0a:9d:07:68:
af:6d
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Key Identifier:
98:35:50:61:11:AE:4A:81:6B:66:19:FB:FB:24:16:46:12:DE:21:2D
X509v3 Authority Key Identifier:
keyid:98:35:50:61:11:AE:4A:81:6B:66:19:FB:FB:24:16:46:12:DE:21:2D
X509v3 Basic Constraints: critical
CA:TRUE
Signature Algorithm: sha256WithRSAEncryption
75:37:5a:44:20:ce:8e:ac:11:15:e9:93:a1:e8:81:a3:ae:04:
da:2e:7e:39:33:8a:e9:85:c7:31:fe:47:eb:79:66:60:1d:62:
3f:5a:be:d5:39:f1:b8:cb:f1:c9:30:a9:6e:b8:3f:65:d9:dd:
14:67:a5:14:f8:71:14:66:d6:2c:e9:1d:7f:7b:63:57:2f:d1:
f2:bd:88:c5:da:9a:98:d9:53:c4:59:ef:da:bc:2f:21:70:7b:
7a:ec:d5:c7:b9:86:e1:f3:13:70:91:23:1c:83:00:76:65:9a:
92:5e:54:03:a2:be:0c:60:86:2a:09:7c:57:05:bf:f2:f4:77:
59:e2:c7:f9:8b:70:0d:d7:8d:7e:b6:54:2e:25:c7:c7:8a:6e:
c1:2b:02:7c:40:cb:df:c2:c7:f6:6b:8f:79:bb:1a:2a:bc:53:
39:82:72:fd:e4:92:1e:ce:3a:ec:31:14:ea:80:3b:77:52:f2:
83:94:f4:9b:6b:f8:74:41:28:c9:37:fb:1e:4f:c5:b9:08:5e:
c4:00:d8:49:f8:74:2f:96:db:c5:9d:25:bc:aa:f9:3d:bf:f5:
65:bb:fe:06:b0:fd:85:40:86:57:09:b8:49:96:0c:ba:6b:a4:
17:bf:e3:28:d8:43:d0:7b:ef:b4:3d:48:0b:73:c9:c5:6b:8c:
[root@centos8 CA]# sz cacert.pem
#将文件cacert.pem传到windows,修改文件名为cacert.pem.crt,双击就可以看到下面显示
4. 用户生成私钥和证书申请
[root@centos8 ~]# (umask 066;openssl genrsa -out /data/app1/app1.key 2048)
Generating RSA private key, 2048 bit long modulus (2 primes)
.........................................+++++
....................................+++++
e is 65537 (0x010001)
[root@centos8 ~]# cat /data/app1/app1.key
-----BEGIN RSA PRIVATE KEY-----
MIIEowIBAAKCAQEArzA4mYnrXjGR1TcURKlRW2f0UNb3bMqrrefdLV8nKTgmOe7k
QnZtKqty6Yupcd+Sp8FPwCJodHZjHb2x2MtMjdHc8aFqoLFPyDsq6T4pBgkmFEcP
a8f+Wn+hkXPm5OofntfCYN73EiJrcYglI6meKAsjJMJFbHurwcTvMJaQJT6kQ6Qd
qf2b9mV3ViLdno3165Sh5An4RzY7t575fbecn/iu2qvGRRM0yJ9VRoHkbW6F1Ozx
aK/wl/r66FqBjZHsdTd3hew8sF/FPzDIVYG7fz3cLI2D6QaM7Owfqo2U7BjXU6PI
zHqz6f7nlYpdQEXeuDRfHVAW8KKXu5xmlMir9QIDAQABAoIBAQCuc1lZY6LSuI/c
/y0atnTCjgEXYwkd96//zA1Ouhs4C6bdN8trd5x7yiDy+dVxBM54aKKu1FSp7J4E
prpsBP4ll17p6vBQNmEZJfo0K2cUkJWvyZdMn+nkWoYcXosFVzLHrVjtt/nWwBm4
A3fgTG6mt3h2iVIylfBSU3ZQLw45VsKa4WBvFIgPCJG2TZENzfd9uQTT0U2w0RnM
5p+qBkacnoiqevusT+MG2Y+oXI00Ycie/wB+gx6FPy7/XbflbN0NEljnxsGXp3QS
jD7XQbTfTi3Ksrl1BC2LEtxlWgvav7N751hfDITdT1WIv/LPbrEY15bE5sE4niRZ
Fao09M+BAoGBANtS0YRmFFn1JPeFZN1VLa3HfuuPnwkxJ6wSjq+IpU5L5bblMwkS
a1X3RI1qsPtYk39AkSlBPPpe5+96a+ONwRuSMlxHXhYGWWvJJOolYogBLtXGjVCP
GEJBGJgaSyifzZgcV8WArNhV960BlTtowquJ6F58XTtF6G6kThmjOMKVAoGBAMx7
/RyejqqM/fud3BA5H82UvTe3klDh/dcQyJRcWU723LFeoQ1Zdf7nFYj3VUKwLeOW
/fzomtcHMsNB2o0um1HxuH/5o3Uu9htJQW9XjAE+ETusWkHv27YnCHn4ceYXVMw+
L5V7ciUlOgFHUlNkW/+KSiMDZRZASXUOrwaOVEvhAoGANvlUUPZxRXcf8/b4qE3Q
bE2j75GJUHmEsynXoAIFRVHa23Qpza1TQDIBedzzTZ0PI4dgm1Gh4jPluO4bmucO
L0X+34h3+ddPlKfPW+1Q/DwnrCffhgDIGNtOOdnlWuJrWyRHj9bH/FXYBgJukHya
xvqDRyOvDstgDlOay+xQrt0CgYAHMe2sDiAy/BcLvXg60ee+khc+WKU7V1hZMuv7
3GwADUuiqhO8poMyXusxEJLdb9mNgoiZV43rNwOgPzbzdMpeTcUSK7SGsQpT13YH
9uqkOIzerqfWXhw7ApCXyhgn4nZHYYDHH7rad77cwKey63sZOMJ3DO2HpOdwyP17
m5J3wQKBgFjxeZkewkdnOIg6u3x0yP+v663vQzrzRW5MpSa55EjYOMXSJzFd7jxy
Ir4r8EA3DkN+uKZ1aI/4MphjunlppDA2a/8f278dB+cbIQNz2lgIDuOctFKDgwmn
9+3uuM49lNhQ3crh1R0GaQGA9xrg4X+y346dBlv+MRZRQrslHKPn
-----END RSA PRIVATE KEY-----
[root@centos8 ~]# openssl req -new -key /data/app1/app1.key -out /data/app1/app1.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:shaanxi
Locality Name (eg, city) [Default City]:xi'an
Organization Name (eg, company) [Default Company Ltd]:neteagles
Organizational Unit Name (eg, section) []:it
Common Name (eg, your name or your server's hostname) []:app1.neteagles.cn
Email Address []:root@neteagles.cn
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
[root@centos8 ~]# ll /data/app1/
total 8
-rw-r--r-- 1 root root 1058 Dec 29 18:46 app1.csr
-rw------- 1 root root 1675 Dec 29 18:43 app1.key
5. CA颁发证书
[root@centos8 ~]# openssl ca -in /data/app1/app1.csr -out /etc/pki/CA/certs/app1.crt -days 365
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 15 (0xf)
Validity
Not Before: Dec 29 10:48:35 2020 GMT
Not After : Dec 29 10:48:35 2021 GMT
Subject:
countryName = CN
stateOrProvinceName = shaanxi
organizationName = neteagles
organizationalUnitName = it
commonName = app1.neteagles.cn
emailAddress = root@neteagles.cn
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
D8:5F:1A:EF:7C:EC:BC:D4:A3:AA:7F:23:01:EF:C3:FC:F9:C4:EE:BC
X509v3 Authority Key Identifier:
keyid:98:35:50:61:11:AE:4A:81:6B:66:19:FB:FB:24:16:46:12:DE:21:2D
Certificate is to be certified until Dec 29 10:48:35 2021 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
[root@centos8 ~]# tree /etc/pki/CA
/etc/pki/CA
├── cacert.pem
├── certs
│ └── app1.crt
├── crl
├── index.txt
├── index.txt.attr
├── index.txt.old
├── newcerts
│ └── 0F.pem
├── private
│ └── cakey.pem
├── serial
└── serial.old
4 directories, 9 files
6. 查看证书
[root@centos8 ~]# cat /etc/pki/CA/certs/app1.crt
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 15 (0xf)
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=CN, ST=shaanxi, L=xi'an, O=neteagles, OU=it, CN=ca.neteagles.cn/emailAddress=admin@neteagles.cn
Validity
Not Before: Dec 29 10:48:35 2020 GMT
Not After : Dec 29 10:48:35 2021 GMT
Subject: C=CN, ST=shaanxi, O=neteagles, OU=it, CN=app1.neteagles.cn/emailAddress=root@neteagles.cn
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public-Key: (2048 bit)
Modulus:
00:af:30:38:99:89:eb:5e:31:91:d5:37:14:44:a9:
51:5b:67:f4:50:d6:f7:6c:ca:ab:ad:e7:dd:2d:5f:
27:29:38:26:39:ee:e4:42:76:6d:2a:ab:72:e9:8b:
a9:71:df:92:a7:c1:4f:c0:22:68:74:76:63:1d:bd:
b1:d8:cb:4c:8d:d1:dc:f1:a1:6a:a0:b1:4f:c8:3b:
2a:e9:3e:29:06:09:26:14:47:0f:6b:c7:fe:5a:7f:
a1:91:73:e6:e4:ea:1f:9e:d7:c2:60:de:f7:12:22:
6b:71:88:25:23:a9:9e:28:0b:23:24:c2:45:6c:7b:
ab:c1:c4:ef:30:96:90:25:3e:a4:43:a4:1d:a9:fd:
9b:f6:65:77:56:22:dd:9e:8d:f5:eb:94:a1:e4:09:
f8:47:36:3b:b7:9e:f9:7d:b7:9c:9f:f8:ae:da:ab:
c6:45:13:34:c8:9f:55:46:81:e4:6d:6e:85:d4:ec:
f1:68:af:f0:97:fa:fa:e8:5a:81:8d:91:ec:75:37:
77:85:ec:3c:b0:5f:c5:3f:30:c8:55:81:bb:7f:3d:
dc:2c:8d:83:e9:06:8c:ec:ec:1f:aa:8d:94:ec:18:
d7:53:a3:c8:cc:7a:b3:e9:fe:e7:95:8a:5d:40:45:
de:b8:34:5f:1d:50:16:f0:a2:97:bb:9c:66:94:c8:
ab:f5
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
D8:5F:1A:EF:7C:EC:BC:D4:A3:AA:7F:23:01:EF:C3:FC:F9:C4:EE:BC
X509v3 Authority Key Identifier:
keyid:98:35:50:61:11:AE:4A:81:6B:66:19:FB:FB:24:16:46:12:DE:21:2D
Signature Algorithm: sha256WithRSAEncryption
45:90:4b:56:5b:6c:06:9c:68:66:f6:9d:38:31:30:34:1c:22:
72:00:4f:af:40:1e:66:57:8c:58:92:7c:2d:52:b6:76:b4:ac:
78:d7:7e:2f:b6:7c:2a:cf:49:aa:c7:ed:94:5e:29:c8:c0:b5:
fe:62:d2:5d:73:20:72:ea:13:29:bc:c5:2a:97:11:84:6e:2c:
47:57:ec:60:64:73:1b:8b:82:e9:d7:43:2b:71:6e:c3:d3:d1:
e7:b7:92:30:9b:a9:33:92:6d:af:dc:28:f4:8c:8a:95:b4:0d:
e9:3f:e2:94:cd:48:36:cd:3c:3d:39:3e:c4:25:52:f2:ea:8c:
72:0a:f2:31:02:f8:99:68:69:60:db:ff:ea:e2:7f:58:05:d6:
49:ca:8e:b5:cc:54:c4:a4:3d:e0:a8:b5:90:a1:a2:68:1a:c5:
e4:b9:61:2b:07:3a:ad:12:8b:87:a8:0f:7e:71:ff:70:53:39:
b8:54:42:c9:2c:8e:41:73:75:c6:de:fa:3f:8d:0a:75:56:97:
33:16:9f:9b:b7:d3:3e:b4:45:4d:b7:27:8d:05:a8:8b:cb:9b:
c1:88:a9:4b:ea:b8:e3:c6:66:73:4f:09:8a:c6:69:fd:60:03:
7f:21:36:a8:6b:75:7c:e2:95:01:07:96:1a:21:e0:3e:47:85:
80:60:66:54
-----BEGIN CERTIFICATE-----
MIIEAjCCAuqgAwIBAgIBDzANBgkqhkiG9w0BAQsFADCBjTELMAkGA1UEBhMCQ04x
EDAOBgNVBAgMB3NoYWFueGkxDjAMBgNVBAcMBXhpJ2FuMRIwEAYDVQQKDAluZXRl
YWdsZXMxCzAJBgNVBAsMAml0MRgwFgYDVQQDDA9jYS5uZXRlYWdsZXMuY24xITAf
BgkqhkiG9w0BCQEWEmFkbWluQG5ldGVhZ2xlcy5jbjAeFw0yMDEyMjkxMDQ4MzVa
Fw0yMTEyMjkxMDQ4MzVaMH4xCzAJBgNVBAYTAkNOMRAwDgYDVQQIDAdzaGFhbnhp
MRIwEAYDVQQKDAluZXRlYWdsZXMxCzAJBgNVBAsMAml0MRowGAYDVQQDDBFhcHAx
Lm5ldGVhZ2xlcy5jbjEgMB4GCSqGSIb3DQEJARYRcm9vdEBuZXRlYWdsZXMuY24w
ggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCvMDiZieteMZHVNxREqVFb
Z/RQ1vdsyqut590tXycpOCY57uRCdm0qq3Lpi6lx35KnwU/AImh0dmMdvbHYy0yN
0dzxoWqgsU/IOyrpPikGCSYURw9rx/5af6GRc+bk6h+e18Jg3vcSImtxiCUjqZ4o
CyMkwkVse6vBxO8wlpAlPqRDpB2p/Zv2ZXdWIt2ejfXrlKHkCfhHNju3nvl9t5yf
+K7aq8ZFEzTIn1VGgeRtboXU7PFor/CX+vroWoGNkex1N3eF7DywX8U/MMhVgbt/
PdwsjYPpBozs7B+qjZTsGNdTo8jMerPp/ueVil1ARd64NF8dUBbwope7nGaUyKv1
AgMBAAGjezB5MAkGA1UdEwQCMAAwLAYJYIZIAYb4QgENBB8WHU9wZW5TU0wgR2Vu
ZXJhdGVkIENlcnRpZmljYXRlMB0GA1UdDgQWBBTYXxrvfOy81KOqfyMB78P8+cTu
vDAfBgNVHSMEGDAWgBSYNVBhEa5KgWtmGfv7JBZGEt4hLTANBgkqhkiG9w0BAQsF
AAOCAQEARZBLVltsBpxoZvadODEwNBwicgBPr0AeZleMWJJ8LVK2drSseNd+L7Z8
Ks9JqsftlF4pyMC1/mLSXXMgcuoTKbzFKpcRhG4sR1fsYGRzG4uC6ddDK3Fuw9PR
57eSMJupM5Jtr9wo9IyKlbQN6T/ilM1INs08PTk+xCVS8uqMcgryMQL4mWhpYNv/
6uJ/WAXWScqOtcxUxKQ94Ki1kKGiaBrF5LlhKwc6rRKLh6gPfnH/cFM5uFRCySyO
QXN1xt76P40KdVaXMxafm7fTPrRFTbcnjQWoi8ubwYipS+q448Zmc08JisZp/WAD
fyE2qGt1fOKVAQeWGiHgPkeFgGBmVA==
-----END CERTIFICATE-----
[root@centos8 ~]# openssl x509 -in /etc/pki/CA/certs/app1.crt -noout -text
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 15 (0xf)
Signature Algorithm: sha256WithRSAEncryption
Issuer: C = CN, ST = shaanxi, L = xi'an, O = neteagles, OU = it, CN = ca.neteagles.cn, emailAddress = admin@neteagles.cn
Validity
Not Before: Dec 29 10:48:35 2020 GMT
Not After : Dec 29 10:48:35 2021 GMT
Subject: C = CN, ST = shaanxi, O = neteagles, OU = it, CN = app1.neteagles.cn, emailAddress = root@neteagles.cn
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public-Key: (2048 bit)
Modulus:
00:af:30:38:99:89:eb:5e:31:91:d5:37:14:44:a9:
51:5b:67:f4:50:d6:f7:6c:ca:ab:ad:e7:dd:2d:5f:
27:29:38:26:39:ee:e4:42:76:6d:2a:ab:72:e9:8b:
a9:71:df:92:a7:c1:4f:c0:22:68:74:76:63:1d:bd:
b1:d8:cb:4c:8d:d1:dc:f1:a1:6a:a0:b1:4f:c8:3b:
2a:e9:3e:29:06:09:26:14:47:0f:6b:c7:fe:5a:7f:
a1:91:73:e6:e4:ea:1f:9e:d7:c2:60:de:f7:12:22:
6b:71:88:25:23:a9:9e:28:0b:23:24:c2:45:6c:7b:
ab:c1:c4:ef:30:96:90:25:3e:a4:43:a4:1d:a9:fd:
9b:f6:65:77:56:22:dd:9e:8d:f5:eb:94:a1:e4:09:
f8:47:36:3b:b7:9e:f9:7d:b7:9c:9f:f8:ae:da:ab:
c6:45:13:34:c8:9f:55:46:81:e4:6d:6e:85:d4:ec:
f1:68:af:f0:97:fa:fa:e8:5a:81:8d:91:ec:75:37:
77:85:ec:3c:b0:5f:c5:3f:30:c8:55:81:bb:7f:3d:
dc:2c:8d:83:e9:06:8c:ec:ec:1f:aa:8d:94:ec:18:
d7:53:a3:c8:cc:7a:b3:e9:fe:e7:95:8a:5d:40:45:
de:b8:34:5f:1d:50:16:f0:a2:97:bb:9c:66:94:c8:
ab:f5
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
D8:5F:1A:EF:7C:EC:BC:D4:A3:AA:7F:23:01:EF:C3:FC:F9:C4:EE:BC
X509v3 Authority Key Identifier:
keyid:98:35:50:61:11:AE:4A:81:6B:66:19:FB:FB:24:16:46:12:DE:21:2D
Signature Algorithm: sha256WithRSAEncryption
45:90:4b:56:5b:6c:06:9c:68:66:f6:9d:38:31:30:34:1c:22:
72:00:4f:af:40:1e:66:57:8c:58:92:7c:2d:52:b6:76:b4:ac:
78:d7:7e:2f:b6:7c:2a:cf:49:aa:c7:ed:94:5e:29:c8:c0:b5:
fe:62:d2:5d:73:20:72:ea:13:29:bc:c5:2a:97:11:84:6e:2c:
47:57:ec:60:64:73:1b:8b:82:e9:d7:43:2b:71:6e:c3:d3:d1:
e7:b7:92:30:9b:a9:33:92:6d:af:dc:28:f4:8c:8a:95:b4:0d:
e9:3f:e2:94:cd:48:36:cd:3c:3d:39:3e:c4:25:52:f2:ea:8c:
72:0a:f2:31:02:f8:99:68:69:60:db:ff:ea:e2:7f:58:05:d6:
49:ca:8e:b5:cc:54:c4:a4:3d:e0:a8:b5:90:a1:a2:68:1a:c5:
e4:b9:61:2b:07:3a:ad:12:8b:87:a8:0f:7e:71:ff:70:53:39:
b8:54:42:c9:2c:8e:41:73:75:c6:de:fa:3f:8d:0a:75:56:97:
33:16:9f:9b:b7:d3:3e:b4:45:4d:b7:27:8d:05:a8:8b:cb:9b:
c1:88:a9:4b:ea:b8:e3:c6:66:73:4f:09:8a:c6:69:fd:60:03:
7f:21:36:a8:6b:75:7c:e2:95:01:07:96:1a:21:e0:3e:47:85:
80:60:66:54
[root@centos8 ~]# openssl x509 -in /etc/pki/CA/certs/app1.crt -noout -issuer
issuer=C = CN, ST = shaanxi, L = xi'an, O = neteagles, OU = it, CN = ca.neteagles.cn, emailAddress = admin@neteagles.cn
[root@centos8 ~]# openssl x509 -in /etc/pki/CA/certs/app1.crt -noout -subject
subject=C = CN, ST = shaanxi, O = neteagles, OU = it, CN = app1.neteagles.cn, emailAddress = root@neteagles.cn
[root@centos8 ~]# openssl x509 -in /etc/pki/CA/certs/app1.crt -noout -dates
notBefore=Dec 29 10:48:35 2020 GMT
notAfter=Dec 29 10:48:35 2021 GMT
[root@centos8 ~]# openssl x509 -in /etc/pki/CA/certs/app1.crt -noout -serial
serial=0F
[root@centos8 ~]# openssl ca -status 0F
Using configuration from /etc/pki/tls/openssl.cnf
0F=Valid (V)
[root@centos8 ~]# cat /etc/pki/CA/index.txt
V 211229104835Z 0F unknown /C=CN/ST=shaanxi/O=neteagles/OU=it/CN=app1.neteagles.cn/emailAddress=root@neteagles.cn
[root@centos8 ~]# cat /etc/pki/CA/index.txt.old
[root@centos8 ~]# cat /etc/pki/CA/serial
10
[root@centos8 ~]# cat /etc/pki/CA/serial.old
0F
[root@centos8 ~]# sz /etc/pki/CA/certs/app1.crt
7. 将证书相关文件发送到用户端使用
[root@centos8 ~]# cp /etc/pki/CA/certs/app1.crt /data/app1/
[root@centos8 ~]# tree /data/app1/
/data/app1/
├── app1.crt
├── app1.csr
└── app1.key
0 directories, 3 files
8. 证书信任
默认生成的证书,在Windows上是不被信任的,可以通过下面的操作实现信任
打开 Internet 属性
9. 证书吊销
[root@centos8 ~]# openssl ca -revoke /etc/pki/CA/newcerts/0F.pem
Using configuration from /etc/pki/tls/openssl.cnf
Revoking Certificate 0F.
Data Base Updated
[root@centos8 ~]# openssl ca -status 0F
Using configuration from /etc/pki/tls/openssl.cnf
0F=Revoked (R)
[root@centos8 ~]# cat /etc/pki/CA/index.txt
R 211229104835Z 201229112239Z 0F unknown /C=CN/ST=shaanxi/O=neteagles/OU=it/CN=app1.neteagles.cn/emailAddress=root@neteagles.cn
10. 生成证书吊销列表文件
[root@centos8 ~]# openssl ca -gencrl -out /etc/pki/CA/crl.pem
Using configuration from /etc/pki/tls/openssl.cnf
/etc/pki/CA/crlnumber: No such file or directory
error while loading CRL number
139665427777344:error:02001002:system library:fopen:No such file or directory:crypto/bio/bss_file.c:69:fopen('/etc/pki/CA/crlnumber','r')
139665427777344:error:2006D080:BIO routines:BIO_new_file:no such file:crypto/bio/bss_file.c:76:
[root@centos8 ~]# echo 01 >/etc/pki/CA/crlnumber
[root@centos8 ~]# openssl ca -gencrl -out /etc/pki/CA/crl.pem
Using configuration from /etc/pki/tls/openssl.cnf
[root@centos8 ~]# cat /etc/pki/CA/crlnumber
02
[root@centos8 ~]# cat /etc/pki/CA/crl.pem
-----BEGIN X509 CRL-----
MIIB/TCB5gIBATANBgkqhkiG9w0BAQsFADCBjTELMAkGA1UEBhMCQ04xEDAOBgNV
BAgMB3NoYWFueGkxDjAMBgNVBAcMBXhpJ2FuMRIwEAYDVQQKDAluZXRlYWdsZXMx
CzAJBgNVBAsMAml0MRgwFgYDVQQDDA9jYS5uZXRlYWdsZXMuY24xITAfBgkqhkiG
9w0BCQEWEmFkbWluQG5ldGVhZ2xlcy5jbhcNMjAxMjI5MTEyODAyWhcNMjEwMTI4
MTEyODAyWjAUMBICAQ8XDTIwMTIyOTExMjIzOVqgDjAMMAoGA1UdFAQDAgEBMA0G
CSqGSIb3DQEBCwUAA4IBAQATOrJOvf3aEgXLJZ1i+g8LKze98RkI93Y0K9q/b4vy
1CcZeXFoweNuCrQoTp1VJdohA8cLYgrpH7dzpZOuxee3JT6bsnFx9LoEXs4O6AaX
i0D/Jvfu/IAmHoNeFHilj/yeZoMS72ex9o/SJcmjznI1L/m5iBCNsR8naDZSF6q/
0Ws8RSnmPAoYPYB0b0b42bL/dnzx8MwiWnqff+DxOuXau1hrCoOZpf6E3tGkhcqx
+DcJDSzrEkp8Zie/IDkzGwFMubbLQHaDAvwWhx3LIgUG4Zhu7tTAS6C1ZcpZPtHq
dpJgk7ACrSxR6YNnWFj31Xhuu93AI+nY00jwCqkYVQVP
-----END X509 CRL-----
[root@centos8 ~]# openssl crl -in /etc/pki/CA/crl.pem -noout -text
Certificate Revocation List (CRL):
Version 2 (0x1)
Signature Algorithm: sha256WithRSAEncryption
Issuer: C = CN, ST = shaanxi, L = xi'an, O = neteagles, OU = it, CN = ca.neteagles.cn, emailAddress = admin@neteagles.cn
Last Update: Dec 29 11:28:02 2020 GMT
Next Update: Jan 28 11:28:02 2021 GMT
CRL extensions:
X509v3 CRL Number:
1
Revoked Certificates:
Serial Number: 0F
Revocation Date: Dec 29 11:22:39 2020 GMT
Signature Algorithm: sha256WithRSAEncryption
13:3a:b2:4e:bd:fd:da:12:05:cb:25:9d:62:fa:0f:0b:2b:37:
bd:f1:19:08:f7:76:34:2b:da:bf:6f:8b:f2:d4:27:19:79:71:
68:c1:e3:6e:0a:b4:28:4e:9d:55:25:da:21:03:c7:0b:62:0a:
e9:1f:b7:73:a5:93:ae:c5:e7:b7:25:3e:9b:b2:71:71:f4:ba:
04:5e:ce:0e:e8:06:97:8b:40:ff:26:f7:ee:fc:80:26:1e:83:
5e:14:78:a5:8f:fc:9e:66:83:12:ef:67:b1:f6:8f:d2:25:c9:
a3:ce:72:35:2f:f9:b9:88:10:8d:b1:1f:27:68:36:52:17:aa:
bf:d1:6b:3c:45:29:e6:3c:0a:18:3d:80:74:6f:46:f8:d9:b2:
ff:76:7c:f1:f0:cc:22:5a:7a:9f:7f:e0:f1:3a:e5:da:bb:58:
6b:0a:83:99:a5:fe:84:de:d1:a4:85:ca:b1:f8:37:09:0d:2c:
eb:12:4a:7c:66:27:bf:20:39:33:1b:01:4c:b9:b6:cb:40:76:
83:02:fc:16:87:1d:cb:22:05:06:e1:98:6e:ee:d4:c0:4b:a0:
b5:65:ca:59:3e:d1:ea:76:92:60:93:b0:02:ad:2c:51:e9:83:
67:58:58:f7:d5:78:6e:bb:dd:c0:23:e9:d8:d3:48:f0:0a:a9:
18:55:05:4f
[root@centos8 ~]# sz /etc/pki/CA/crl.pem
#将crl.pem传到windows上并改名为crl.pem.crl,双击打开
二.脚本实现自动创建证书
[root@centos8 ~]# certificate.sh
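#!/bin/bash
#
#********************************************************************
#Author: zhanghui
#QQ: 19661891
#Date: 2020-12-28
#FileName: certificate.sh
#URL: www.neteagles.cn
#Description: The test script
#Copyright (C): 2020 All rights reserved
#********************************************************************
# Creates a self-signed CA (ca.key / ca.crt) in the current directory and
# issues one server certificate (${FILE}.key / .csr / .crt) signed by it.
set -euo pipefail

CA_SUBJECT="/O=neteagles/CN=ca.neteagles.cn"
SUBJECT="/C=CN/ST=Shaanxi/L=xi'an/O=neteagles/CN=*.neteagles.cn"
SERIAL=01
EXPIRE=202002      # validity of the server certificate, in days
CA_EXPIRE=202002   # validity of the CA certificate, in days (was a literal below)
FILE=httpd

# Both private keys are written unencrypted (-nodes). Create every file with
# owner-only permissions from the start instead of relying on a chmod that
# only runs after all of openssl has finished; public files are relaxed below.
umask 077

# self-signed CA certificate and key
openssl req -x509 -newkey rsa:2048 -subj "$CA_SUBJECT" -keyout ca.key -nodes \
  -days "$CA_EXPIRE" -out ca.crt
# server key and certificate signing request
openssl req -newkey rsa:2048 -nodes -keyout "${FILE}.key" -subj "$SUBJECT" \
  -out "${FILE}.csr"
# Sign the request with the CA. No -extfile is given, so the issued certificate
# has no subjectAltName; current browsers ignore the CN and will not accept it
# for *.neteagles.cn until a SAN extension is added.
openssl x509 -req -in "${FILE}.csr" -CA ca.crt -CAkey ca.key \
  -set_serial "$SERIAL" -days "$EXPIRE" -out "${FILE}.crt"

chmod 600 "${FILE}.key" ca.key
chmod 644 ca.crt "${FILE}.csr" "${FILE}.crt"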
三.SSH实现批量key验证
[root@centos8 ~]# vim ssh_key_push_centos.sh
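#!/bin/bash
#
#********************************************************************
#Author: zhanghui
#QQ: 19661891
#Date: 2020-12-28
#FileName: ssh_key_push_centos.sh
#URL: www.neteagles.cn
#Description: The test script
#Copyright (C): 2020 All rights reserved
#********************************************************************
# Pushes root's ssh public key to every host in HOSTS, in parallel, using
# sshpass for the one-time password login. CentOS variant (rpm/yum).
#
# The password is taken from SSHPASS when it is already set in the environment,
# otherwise it is prompted for; it is no longer stored in this file.
if [[ -z "${SSHPASS:-}" ]]; then
  read -rs -p "root password on the target hosts: " SSHPASS
  echo
fi
export SSHPASS

HOSTS=(
  10.0.0.100
  10.0.0.200
  10.0.0.7
)
KEY=/root/.ssh/id_rsa

# Generate a key pair only when none exists: with output discarded, the
# "Overwrite (y/n)?" prompt ssh-keygen shows for an existing key is invisible.
[[ -f "$KEY" ]] || ssh-keygen -f "$KEY" -P '' &> /dev/null
rpm -q sshpass &> /dev/null || yum -y install sshpass &> /dev/null

# Copy the key to one host and report the real outcome; the original printed
# "finished" even when ssh-copy-id had failed.
# accept-new (OpenSSH >= 7.6) records unknown host keys but, unlike "no",
# still rejects a host whose key has changed since it was first seen.
push_key() {
  local host=$1
  if sshpass -e ssh-copy-id -o StrictHostKeyChecking=accept-new \
      -i "${KEY}.pub" "$host" &> /dev/null; then
    echo "$host is finished"
  else
    echo "$host failed" >&2
  fi
}

for host in "${HOSTS[@]}"; do
  push_key "$host" &
done
wait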
[root@centos8 ~]# bash ssh_key_push.sh
10.0.0.7 is finished
10.0.0.200 is finished
10.0.0.100 is finished
[root@centos8 ~]# ssh 10.0.0.7
Last login: Mon Dec 28 19:16:25 2020 from 10.0.0.8
[root@centos7 ~]#
root@ubuntu2004:~# cat ssh_key_push_ubuntu.sh
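#!/bin/bash
#
#********************************************************************
#Author: zhanghui
#QQ: 19661891
#Date: 2020-12-28
#FileName: ssh_key_push_ubuntu.sh
#URL: www.neteagles.cn
#Description: The test script
#Copyright (C): 2020 All rights reserved
#********************************************************************
# Pushes root's ssh public key to every host in HOSTS, in parallel, using
# sshpass for the one-time password login. Ubuntu variant (dpkg/apt).
#
# The password is taken from SSHPASS when it is already set in the environment,
# otherwise it is prompted for; it is no longer stored in this file.
if [[ -z "${SSHPASS:-}" ]]; then
  read -rs -p "root password on the target hosts: " SSHPASS
  echo
fi
export SSHPASS

HOSTS=(
  10.0.0.100
  10.0.0.8
  10.0.0.7
)
KEY=/root/.ssh/id_rsa

# Generate a key pair only when none exists: with output discarded, the
# "Overwrite (y/n)?" prompt ssh-keygen shows for an existing key is invisible.
[[ -f "$KEY" ]] || ssh-keygen -f "$KEY" -P '' &> /dev/null
# dpkg -s queries the package status; dpkg -S (as before) searches file names
# and only succeeded by accident.
dpkg -s sshpass &> /dev/null || apt -y install sshpass &> /dev/null

# Copy the key to one host and report the real outcome; the original printed
# "finished" even when ssh-copy-id had failed.
# accept-new (OpenSSH >= 7.6) records unknown host keys but, unlike "no",
# still rejects a host whose key has changed since it was first seen.
push_key() {
  local host=$1
  if sshpass -e ssh-copy-id -o StrictHostKeyChecking=accept-new \
      -i "${KEY}.pub" "$host" &> /dev/null; then
    echo "$host is finished"
  else
    echo "$host failed" >&2
  fi
}

for host in "${HOSTS[@]}"; do
  push_key "$host" &
done
wait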
四.ssh修改端口和优化设置
[root@centos8 ~]# cat ssh_optimalize.sh
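#!/bin/bash
#
#********************************************************************
#Author: zhanghui
#QQ: 19661891
#Date: 2020-12-28
#FileName: ssh_optimalize.sh
#URL: www.neteagles.cn
#Description: The test script
#Copyright (C): 2020 All rights reserved
#********************************************************************
# Changes the sshd listening port, disables reverse DNS lookups and GSSAPI
# authentication, then restarts sshd. Must run as root.
set -euo pipefail

read -r -p "请输入端口号:" PORT
# Accept only a valid TCP port: anything else would be spliced verbatim into
# the sed expression and into sshd_config. 10# avoids octal parsing of "08".
if ! [[ "$PORT" =~ ^[0-9]+$ ]] || (( 10#$PORT < 1 || 10#$PORT > 65535 )); then
  printf 'invalid port: %s\n' "$PORT" >&2
  exit 1
fi

# Matches both the stock commented "#Port 22" and an already customised
# "Port N" line, so the script can be re-run.
sed -i.bak -e "s/^#\?Port .*/Port ${PORT}/" \
  -e 's/#UseDNS no/UseDNS no/' \
  -e 's/GSSAPIAuthentication yes/GSSAPIAuthentication no/' /etc/ssh/sshd_config

# Validate the new configuration before restarting; with a broken sshd_config
# the restart fails and the host becomes unreachable.
sshd -t
# On hosts with SELinux enforcing, a non-default port must also be labelled
# (semanage port -a -t ssh_port_t -p tcp PORT) and opened in the firewall,
# or sshd will fail to bind after the restart.
systemctl restart sshd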
五.ubuntu设置root用户登录
root@ubuntu2004:~# cat root_login.sh
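#!/bin/bash
#
#********************************************************************
#Author: zhanghui
#QQ: 19661891
#Date: 2020-12-28
#FileName: root_login.sh
#URL: www.neteagles.cn
#Description: The test script
#Copyright (C): 2020 All rights reserved
#********************************************************************
# Enables root password login over ssh on Ubuntu: allows PermitRootLogin in
# sshd_config, restarts sshd and sets a root password, driving sudo/passwd
# with expect. Run as a sudo-capable user.
#
# The sudo password and the new root password are read from the terminal
# instead of being stored in this file.
set -euo pipefail

sudo apt -y install expect

read -rs -p "sudo password for $USER: " password; echo
read -rs -p "new root password: " root_password; echo
read -rs -p "new root password (again): " root_password2; echo
if [[ "$root_password" != "$root_password2" ]]; then
  echo "passwords do not match" >&2
  exit 1
fi
# Secrets reach expect through its environment ($env(...)); the here-doc
# delimiter is quoted so the shell does not expand them into the script text.
export password root_password

expect <<'EOF'
set timeout 20
spawn sudo -i
expect "password" { send "$env(password)\n" }
expect "~#" { send "sed -i.bak 's/#PermitRootLogin prohibit-password/PermitRootLogin yes/' /etc/ssh/sshd_config\n" }
expect "~#" { send "systemctl restart sshd\n" }
expect "~#" { send "passwd root\n" }
expect "password:" { send "$env(root_password)\n" }
expect "password:" { send "$env(root_password)\n" }
expect "~#" { send "exit\n" }
expect eof
EOF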
root@ubuntu2004:~# cat root_login2.sh
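#!/bin/bash
#
#********************************************************************
#Author: zhanghui
#QQ: 19661891
#Date: 2020-12-28
#FileName: root_login2.sh
#URL: www.neteagles.cn
#Description: The test script
#Copyright (C): 2020 All rights reserved
#********************************************************************
# Same goal as root_login.sh without expect: allow PermitRootLogin in
# sshd_config, restart sshd and set a root password. Run as a sudo-capable user.
#
# The sudo password and the new root password are read from the terminal
# instead of being stored in this file.
set -euo pipefail

read -rs -p "sudo password for $USER: " password; echo
read -rs -p "new root password: " root_password; echo

# -k discards any cached sudo credential so the password line on stdin is
# always consumed by sudo (-S) and never by the command; -p '' hides the prompt.
printf '%s\n' "$password" |
  sudo -kS -p '' sed -ri.bak 's@#(PermitRootLogin )prohibit-password@\1yes@' /etc/ssh/sshd_config
sudo systemctl restart sshd
# chpasswd reads "user:password" lines from stdin; this avoids the original
# "sudo -S passwd root <<EOF" form, where sudo could eat the first password
# line when its credential cache had expired.
printf 'root:%s\n' "$root_password" | sudo chpasswd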
六.ssh基于谷歌pam_google-authenticator插件实现双重验证
1.首先扫这个二维码下载,手机APP
2.运行下面脚本实现自动安装
[root@centos7 ~]# cat google-authenticator.sh
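#!/bin/bash
# Installs google-authenticator on CentOS 7, runs its interactive enrolment for
# the current user and wires the PAM module into sshd, so ssh logins require a
# one-time code in addition to the password. Run as root.
# Stop on the first error: configuring PAM to require a module that failed to
# install would lock every user out of ssh.
set -euo pipefail

# install EPEL
#yum install -y epel-release.noarch
#yum makecache
# install google authenticator
yum install -y google-authenticator.x86_64
echo -e "\033[31mDo you want me to update your /root/.google_authenticator file? (y/n) y"
echo -e "\033[31m你希望我更新你的“/root/.google_authenticator”文件吗(y/n)?\033[0m"
echo -e "\033[31mDo you want to disallow multiple uses of the same authentication"
echo -e "\033[31mtoken? This restricts you to one login about every 30s, but it increases"
echo -e "\033[31myour chances to notice or even prevent man-in-the-middle attacks (y/n) y"
echo -e "\033[31m你希望禁止多次使用同一个验证令牌吗?这限制你每次登录的时间大约是30秒, 但是这加大了发现或甚至防止中间人攻击的可能性(y/n)?\033[0m"
echo -e "\033[31mBy default, a new token is generated every 30 seconds by the mobile app."
echo -e "\033[31mIn order to compensate for possible time-skew between the client and the server,"
echo -e "\033[31mwe allow an extra token before and after the current time. This allows for a"
echo -e "\033[31mtime skew of up to 30 seconds between authentication server and client. If you"
echo -e "\033[31mexperience problems with poor time synchronization, you can increase the window"
echo -e "\033[31mfrom its default size of 3 permitted codes (one previous code, the current"
echo -e "\033[31mcode, the next code) to 17 permitted codes (the 8 previous codes, the current"
echo -e "\033[31mcode, and the 8 next codes). This will permit for a time skew of up to 4 minutes"
echo -e "\033[31mbetween client and server."
echo -e "\033[31mDo you want to do so? (y/n) y"
echo -e "\033[31m默认情况下,令牌保持30秒有效;为了补偿客户机与服务器之间可能存在的时滞,\033[0m"
echo -e "\033[31m我们允许在当前时间前后有一个额外令牌。如果你在时间同步方面遇到了问题, 可以增加窗口从默认的3个可通过验证码增加到17个可通过验证码,\033[0m"
echo -e "\033[31m这将允许客户机与服务器之间的时差增加到4分钟。你希望这么做吗(y/n)?\033[0m"
echo -e "\033[31mIf the computer that you are logging into isn't hardened against brute-force"
echo -e "\033[31mlogin attempts, you can enable rate-limiting for the authentication module."
echo -e "\033[31mBy default, this limits attackers to no more than 3 login attempts every 30s."
echo -e "\033[31mDo you want to enable rate-limiting? (y/n) y"
echo -e "\033[31m如果你登录的那台计算机没有经过固化,以防范运用蛮力的登录企图,可以对验证模块\033[0m"
echo -e "\033[31m启用尝试次数限制。默认情况下,这限制攻击者每30秒试图登录的次数只有3次。 你希望启用尝试次数限制吗(y/n)?\033[0m"
echo -e "\033[32m 在App Store 搜索Google Authenticator 进行App安装 \033[0m"
# interactive enrolment: writes ~/.google_authenticator for the current user
google-authenticator
# /etc/pam.d/sshd: add the following line (kept once, so re-running the script
# does not stack duplicates)
#auth required pam_google_authenticator.so
# "required" means a user without ~/.google_authenticator can no longer log in
# over ssh; add "nullok" to the line to exempt users who are not enrolled yet.
grep -q 'pam_google_authenticator.so' /etc/pam.d/sshd ||
  sed -i '1a\auth required pam_google_authenticator.so' /etc/pam.d/sshd
# /etc/ssh/sshd_config: change
#ChallengeResponseAuthentication no
# to
#ChallengeResponseAuthentication yes
sed -i 's/.*ChallengeResponseAuthentication.*/ChallengeResponseAuthentication yes/' /etc/ssh/sshd_config
# the PAM stack is only consulted when UsePAM is enabled
grep -q '^UsePAM yes' /etc/ssh/sshd_config || echo 'UsePAM yes' >> /etc/ssh/sshd_config
# validate the configuration before restarting so a typo cannot lock us out
sshd -t
# restart the SSH service
service sshd restart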
[root@centos7 ~]# bash google-authenticator.sh
Do you want authentication tokens to be time-based (y/n) y
Warning: pasting the following URL into your browser exposes the OTP secret to Google:
https://www.google.com/chart?chs=200x200&chld=M|0&cht=qr&chl=otpauth://totp/root@centos8.3%3Fsecret%3DGUW425QR7RMQ3QH3Y6BTS5J6E4%26issuer%3Dcentos8.3 #把这段复制到浏览器,打开用手机APP扫码,绑定设备
3.访问生成的URL(需要XX上网)
https://www.google.com/chart?chs=200x200&chld=M|0&cht=qr&chl=otpauth://totp/root@centos8.3%3Fsecret%3DGUW425QR7RMQ3QH3Y6BTS5J6E4%26issuer%3Dcentos8.3
4.打开用手机APP扫码,绑定设备
5.输入获取的验证码
Failed to use libqrencode to show QR code visually for scanning.
Consider typing the OTP secret into your app manually.
Your new secret key is: GUW425QR7RMQ3QH3Y6BTS5J6E4
Enter code from app (-1 to skip): 720782 #这里输入手机绑定后获取的动态验证码
Code confirmed
Your emergency scratch codes are:
95817019
34153916
67876890
96915467
65085458
Do you want me to update your "/root/.google_authenticator" file? (y/n) y
Do you want to disallow multiple uses of the same authentication
token? This restricts you to one login about every 30s, but it increases
your chances to notice or even prevent man-in-the-middle attacks (y/n) y
By default, a new token is generated every 30 seconds by the mobile app.
In order to compensate for possible time-skew between the client and the server,
we allow an extra token before and after the current time. This allows for a
time skew of up to 30 seconds between authentication server and client. If you
experience problems with poor time synchronization, you can increase the window
from its default size of 3 permitted codes (one previous code, the current
code, the next code) to 17 permitted codes (the 8 previous codes, the current
code, and the 8 next codes). This will permit for a time skew of up to 4 minutes
between client and server.
Do you want to do so? (y/n) y
If the computer that you are logging into isn't hardened against brute-force
login attempts, you can enable rate-limiting for the authentication module.
By default, this limits attackers to no more than 3 login attempts every 30s.
Do you want to enable rate-limiting? (y/n) y
Redirecting to /bin/systemctl restart sshd.service
6.登录
[root@centos7 ~]# ssh 10.0.0.8
Verification code:
Password:
Last login: Tue Dec 29 16:23:15 2020 from ::ffff:10.0.0.200
[root@centos8 ~]# exit
logout
Connection to 10.0.0.8 closed.
7.临时口令
[root@centos8 ~]# cat .google_authenticator
GUW425QR7RMQ3QH3Y6BTS5J6E4
" RATE_LIMIT 3 30 1609233645
" WINDOW_SIZE 17
" DISALLOW_REUSE 53641121
" TOTP_AUTH
95817019
34153916
67876890
96915467
65085458
七.创建chrony服务端和客户端实现时间同步
1.服务端
root@ubuntu1804:~# apt -y install chrony
root@ubuntu1804:~# vim /etc/chrony/chrony.conf
server ntp.aliyun.com iburst
server time1.cloud.tencent.com iburst
server slb.time.edu.cn iburst
allow 10.0.0.0/16
local stratum 10
:wq
root@ubuntu1804:~# systemctl restart chrony
root@ubuntu1804:~# ss -ntul
Netid State Recv-Q Send-Q Local Address:Port Peer Address:Port
udp UNCONN 0 0 127.0.0.53%lo:53 0.0.0.0:*
udp UNCONN 0 0 127.0.0.1:323 0.0.0.0:*
udp UNCONN 0 0 [::1]:323 [::]:*
tcp LISTEN 0 128 127.0.0.53%lo:53 0.0.0.0:*
tcp LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
tcp LISTEN 0 128 127.0.0.1:6010 0.0.0.0:*
tcp LISTEN 0 128 [::]:22 [::]:*
tcp LISTEN 0 128 [::1]:6010 [::]:*
root@ubuntu1804:~# chronyc sources -nv
210 Number of sources = 3
MS Name/IP address Stratum Poll Reach LastRx Last sample
===============================================================================
^* 203.107.6.88 2 6 17 57 -407us[-8953us] +/- 39ms #* 星号表示和这台服务器已经同步
^- 139.199.215.251 2 6 17 57 +12ms[ +12ms] +/- 46ms
^? sv9865.si-servers.com 0 7 0 - +0ns[ +0ns] +/- 0ns
2.客户端
[root@centos7 ~]# yum -y install chrony
[root@centos7 ~]# vim /etc/chrony.conf
server 10.0.0.100 iburst
:wq
[root@centos7 ~]# systemctl restart chronyd
[root@centos7 ~]# chronyc sources -nv
210 Number of sources = 1
MS Name/IP address Stratum Poll Reach LastRx Last sample
===============================================================================
^* 10.0.0.100 3 6 7 0 +23us[ -8784h] +/- 36ms
root@ubuntu1804:~# ss -ntul
Netid State Recv-Q Send-Q Local Address:Port Peer Address:Port
udp UNCONN 0 0 127.0.0.53%lo:53 0.0.0.0:*
udp UNCONN 0 0 0.0.0.0:123 0.0.0.0:*
udp UNCONN 0 0 127.0.0.1:323 0.0.0.0:*
udp UNCONN 0 0 [::1]:323 [::]:*
tcp LISTEN 0 128 127.0.0.53%lo:53 0.0.0.0:*
tcp LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
tcp LISTEN 0 128 127.0.0.1:6010 0.0.0.0:*
tcp LISTEN 0 128 [::]:22 [::]:*
tcp LISTEN 0 128 [::1]:6010 [::]:*