19.第14章 加密和安全


一.實戰:CentOS 8實現私有CA和證書申請

1.	創建CA相關目錄和文件
[root@centos8 ~]# mkdir -pv /etc/pki/CA/{certs,crl,newcerts,private}
mkdir: created directory '/etc/pki/CA'
mkdir: created directory '/etc/pki/CA/certs'
mkdir: created directory '/etc/pki/CA/crl'
mkdir: created directory '/etc/pki/CA/newcerts'
mkdir: created directory '/etc/pki/CA/private'

[root@centos8 ~]# tree /etc/pki/CA
/etc/pki/CA
├── certs
├── crl
├── newcerts
└── private

4 directories, 0 files
[root@centos8 ~]# touch /etc/pki/CA/index.txt
[root@centos8 ~]# echo 0F > /etc/pki/CA/serial

[root@centos8 ~]# openssl ca -in /data/app1/app1/csr -out /etc/pki/CA/certs/app1.crt -days 3650
Using configuration from /etc/pki/tls/openssl.cnf
Can't open /etc/pki/CA/private/cakey.pem for reading, No such file or directory
140555057243968:error:02001002:system library:fopen:No such file or directory:crypto/bio/bss_file.c:69:fopen('/etc/pki/CA/private/cakey.pem','r')
140555057243968:error:2006D080:BIO routines:BIO_new_file:no such file:crypto/bio/bss_file.c:76:
unable to load CA private key

2.	創建CA的私鑰
[root@centos8 ~]# cd /etc/pki/CA
[root@centos8 CA]# (umask 066;openssl genrsa -out private/cakey.pem 2048)
Generating RSA private key, 2048 bit long modulus (2 primes)
..+++++
..............................................................................................................................+++++
e is 65537 (0x010001)
[root@centos8 CA]# tree
.
├── certs
├── crl
├── index.txt
├── newcerts
├── private
│   └── cakey.pem
└── serial

4 directories, 3 files
[root@centos8 CA]# ll private/
total 4
-rw------- 1 root root 1679 Dec 29 18:33 cakey.pem
[root@centos8 CA]# cat private/cakey.pem 
-----BEGIN RSA PRIVATE KEY-----
MIIEpAIBAAKCAQEAs8cNQcGqHY4YXDw9xoTXbfFYgIOVulfxVfflYRqWQUFnPSDF
h+gxYQXHRkV8K7VMhoAVePVJk0Q5L1HQjF1/o7PSZRuezGhfSRACzFr/jTmzWtPu
Pc6vQPeSkD/wz09Ug07wB2sgnKycJPJlbkcBOsneFc7Dq1JZu0wVWEv3/tu7NWfZ
KwL2BbbU0bzGA9aCds01ViB1YnP2yzCQahgR55sFIEk1z1Dkm+JCucKAYecadgcN
kNTrviya1U5OpAylGt9sShFvE7KPbUmZY0G34ZaSA9ceQwEhMBf232wI0hxQQv4b
70ZnneTaYHX1L9sXGxk0+NYvbdORswqdB2ivbQIDAQABAoIBAQCG6dRbCpk9gMtr
PJInjr2U9k+ycg1FQIYOO/DZxHgKFKkDSLq0WV3lL87yP2cF7hK1xR1YHsvORp6b
kkxtaiVFlsdHtUigoZsQW4GeFpQ9SZX9jZn2rEr8+E33DuUKzr/forei+ZQJv8eW
OopADe0wTxnpR7eztCM+2cQS9T/w83V0EQmfpKplk6Oq5oyoRt/O0FC+2+AKCK1A
Dd+/8LFOMyd0UBb/OiUiYJ5jSweXI0fWm+doQGzdlY+l/encpd606sKYTSuCIWxF
gAPaT4sty7Ba06ckS5z5UeiDScPfsofbv1HTyM4cxvUB/HEkznAU46tUWiz4T/fN
u/JOjVRBAoGBAO4rC7QetXtk51zKHFxEwVzCFpBcp/9qVGsshZIawDoQ5mEHjGkH
3+aeh0yJKXOO+odZnVTBvmX4KHumHhv/llE/C2BhN9LsZBAQ8arUjMuL5D6or2dq
M2GJUxKXJNGluOnMwb/vhfhxB8apHfG/1Bdrx/7LjCUD8ctyBgwU7bXZAoGBAME8
1kULuoQ0UwnQIMucBeqjsSPBbbkdwLYPD+7MrlX/IwtOp6ZWW84mzNC2kjoLoo1g
H3xi/PhGx28F+eNSxh2V7QNTcUS15vmqq0+5wasGHZpks4u08lg9rs1KRohlvztf
Q7YViYU5+Zo2Z4+AelHQtv37X9U+3z5+oJstjOW1AoGAS+x1Aqp3eCqmhrH3cIKK
kaNdxg+Djqy61J+QxQ66EMiqaGwbmq/j9IS85O0kxa3it5sdyJMqux7s6N3/4zUL
GkNawRK81QR+sZB1OdwgNhMWY9Mqd3EniARa8yYzmpGV7RJVAXa94oFF1VK8NQDN
/9lgHB2PQ42KWyyyOM/DJ6ECgYBOTFNZ+M2jofv/nuia9+Zh0+AD5+2Is6iRXHsN
PLxrNg1CGKXPvXBHkOsuqruHb413EXrQkN+FzlAjCV3eoXyLImO+FEJyH+6uPVxa
2p7BqKG4HJOvySrlXGEG59C6ldetvAUYs5Nce0hLFz5RJDLsEdEECqYjJu2YSgDT
v9o2fQKBgQCUBK80OkYSNOJAQG/1jBfVoc1YxoV4773IkjaIVMy3uOvHoad2Yn8E
Lrg5wmFGRh8EbSTWqaGGqkPc+wUn6pMGbVwSSIXp12d1AOA0xeZLt+MTFXh2Vv2m
VWJN44naUG+RR0vDxS9T54Au9kqOfFHMfKQ5/AIZbhKQyuekUPX2uA==
-----END RSA PRIVATE KEY-----

3.	給CA頒發自簽名證書
[root@centos8 CA]# openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -days 3650 -out /etc/pki/CA/cacert.pem
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:shaanxi
Locality Name (eg, city) [Default City]:xi'an
Organization Name (eg, company) [Default Company Ltd]:neteagles
Organizational Unit Name (eg, section) []:it
Common Name (eg, your name or your server's hostname) []:ca.neteagles.cn
Email Address []:admin@neteagles.cn

[root@centos8 CA]# tree
.
├── cacert.pem
├── certs
├── crl
├── index.txt
├── newcerts
├── private
│   └── cakey.pem
└── serial

4 directories, 4 files
[root@centos8 CA]# cat cacert.pem 
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----

[root@centos8 CA]# openssl x509 -in /etc/pki/CA/cacert.pem -noout -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            0d:bd:2c:85:28:4d:97:04:80:3b:ab:f3:f2:4d:7a:a2:94:5c:ee:08
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = CN, ST = shaanxi, L = xi'an, O = neteagles, OU = it, CN = ca.neteagles.cn, emailAddress = admin@neteagles.cn
        Validity
            Not Before: Dec 29 10:37:21 2020 GMT
            Not After : Dec 27 10:37:21 2030 GMT
        Subject: C = CN, ST = shaanxi, L = xi'an, O = neteagles, OU = it, CN = ca.neteagles.cn, emailAddress = admin@neteagles.cn
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
                Modulus:
                    00:b3:c7:0d:41:c1:aa:1d:8e:18:5c:3c:3d:c6:84:
                    d7:6d:f1:58:80:83:95:ba:57:f1:55:f7:e5:61:1a:
                    96:41:41:67:3d:20:c5:87:e8:31:61:05:c7:46:45:
                    7c:2b:b5:4c:86:80:15:78:f5:49:93:44:39:2f:51:
                    d0:8c:5d:7f:a3:b3:d2:65:1b:9e:cc:68:5f:49:10:
                    02:cc:5a:ff:8d:39:b3:5a:d3:ee:3d:ce:af:40:f7:
                    92:90:3f:f0:cf:4f:54:83:4e:f0:07:6b:20:9c:ac:
                    9c:24:f2:65:6e:47:01:3a:c9:de:15:ce:c3:ab:52:
                    59:bb:4c:15:58:4b:f7:fe:db:bb:35:67:d9:2b:02:
                    f6:05:b6:d4:d1:bc:c6:03:d6:82:76:cd:35:56:20:
                    75:62:73:f6:cb:30:90:6a:18:11:e7:9b:05:20:49:
                    35:cf:50:e4:9b:e2:42:b9:c2:80:61:e7:1a:76:07:
                    0d:90:d4:eb:be:2c:9a:d5:4e:4e:a4:0c:a5:1a:df:
                    6c:4a:11:6f:13:b2:8f:6d:49:99:63:41:b7:e1:96:
                    92:03:d7:1e:43:01:21:30:17:f6:df:6c:08:d2:1c:
                    50:42:fe:1b:ef:46:67:9d:e4:da:60:75:f5:2f:db:
                    17:1b:19:34:f8:d6:2f:6d:d3:91:b3:0a:9d:07:68:
                    af:6d
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier: 
                98:35:50:61:11:AE:4A:81:6B:66:19:FB:FB:24:16:46:12:DE:21:2D
            X509v3 Authority Key Identifier: 
                keyid:98:35:50:61:11:AE:4A:81:6B:66:19:FB:FB:24:16:46:12:DE:21:2D

            X509v3 Basic Constraints: critical
                CA:TRUE
    Signature Algorithm: sha256WithRSAEncryption
         75:37:5a:44:20:ce:8e:ac:11:15:e9:93:a1:e8:81:a3:ae:04:
         da:2e:7e:39:33:8a:e9:85:c7:31:fe:47:eb:79:66:60:1d:62:
         3f:5a:be:d5:39:f1:b8:cb:f1:c9:30:a9:6e:b8:3f:65:d9:dd:
         14:67:a5:14:f8:71:14:66:d6:2c:e9:1d:7f:7b:63:57:2f:d1:
         f2:bd:88:c5:da:9a:98:d9:53:c4:59:ef:da:bc:2f:21:70:7b:
         7a:ec:d5:c7:b9:86:e1:f3:13:70:91:23:1c:83:00:76:65:9a:
         92:5e:54:03:a2:be:0c:60:86:2a:09:7c:57:05:bf:f2:f4:77:
         59:e2:c7:f9:8b:70:0d:d7:8d:7e:b6:54:2e:25:c7:c7:8a:6e:
         c1:2b:02:7c:40:cb:df:c2:c7:f6:6b:8f:79:bb:1a:2a:bc:53:
         39:82:72:fd:e4:92:1e:ce:3a:ec:31:14:ea:80:3b:77:52:f2:
         83:94:f4:9b:6b:f8:74:41:28:c9:37:fb:1e:4f:c5:b9:08:5e:
         c4:00:d8:49:f8:74:2f:96:db:c5:9d:25:bc:aa:f9:3d:bf:f5:
         65:bb:fe:06:b0:fd:85:40:86:57:09:b8:49:96:0c:ba:6b:a4:
         17:bf:e3:28:d8:43:d0:7b:ef:b4:3d:48:0b:73:c9:c5:6b:8c:

[root@centos8 CA]# sz cacert.pem
#將文件cacert.pem傳到windows,修改文件名為cacert.pem.crt,雙擊就可以看到下面顯示

4.	用戶生成私鑰和證書申請
[root@centos8 ~]# (umask 066;openssl genrsa -out /data/app1/app1.key 2048)
Generating RSA private key, 2048 bit long modulus (2 primes)
.........................................+++++
....................................+++++
e is 65537 (0x010001)
[root@centos8 ~]# cat /data/app1/app1.key 
-----BEGIN RSA PRIVATE KEY-----
MIIEowIBAAKCAQEArzA4mYnrXjGR1TcURKlRW2f0UNb3bMqrrefdLV8nKTgmOe7k
QnZtKqty6Yupcd+Sp8FPwCJodHZjHb2x2MtMjdHc8aFqoLFPyDsq6T4pBgkmFEcP
a8f+Wn+hkXPm5OofntfCYN73EiJrcYglI6meKAsjJMJFbHurwcTvMJaQJT6kQ6Qd
qf2b9mV3ViLdno3165Sh5An4RzY7t575fbecn/iu2qvGRRM0yJ9VRoHkbW6F1Ozx
aK/wl/r66FqBjZHsdTd3hew8sF/FPzDIVYG7fz3cLI2D6QaM7Owfqo2U7BjXU6PI
zHqz6f7nlYpdQEXeuDRfHVAW8KKXu5xmlMir9QIDAQABAoIBAQCuc1lZY6LSuI/c
/y0atnTCjgEXYwkd96//zA1Ouhs4C6bdN8trd5x7yiDy+dVxBM54aKKu1FSp7J4E
prpsBP4ll17p6vBQNmEZJfo0K2cUkJWvyZdMn+nkWoYcXosFVzLHrVjtt/nWwBm4
A3fgTG6mt3h2iVIylfBSU3ZQLw45VsKa4WBvFIgPCJG2TZENzfd9uQTT0U2w0RnM
5p+qBkacnoiqevusT+MG2Y+oXI00Ycie/wB+gx6FPy7/XbflbN0NEljnxsGXp3QS
jD7XQbTfTi3Ksrl1BC2LEtxlWgvav7N751hfDITdT1WIv/LPbrEY15bE5sE4niRZ
Fao09M+BAoGBANtS0YRmFFn1JPeFZN1VLa3HfuuPnwkxJ6wSjq+IpU5L5bblMwkS
a1X3RI1qsPtYk39AkSlBPPpe5+96a+ONwRuSMlxHXhYGWWvJJOolYogBLtXGjVCP
GEJBGJgaSyifzZgcV8WArNhV960BlTtowquJ6F58XTtF6G6kThmjOMKVAoGBAMx7
/RyejqqM/fud3BA5H82UvTe3klDh/dcQyJRcWU723LFeoQ1Zdf7nFYj3VUKwLeOW
/fzomtcHMsNB2o0um1HxuH/5o3Uu9htJQW9XjAE+ETusWkHv27YnCHn4ceYXVMw+
L5V7ciUlOgFHUlNkW/+KSiMDZRZASXUOrwaOVEvhAoGANvlUUPZxRXcf8/b4qE3Q
bE2j75GJUHmEsynXoAIFRVHa23Qpza1TQDIBedzzTZ0PI4dgm1Gh4jPluO4bmucO
L0X+34h3+ddPlKfPW+1Q/DwnrCffhgDIGNtOOdnlWuJrWyRHj9bH/FXYBgJukHya
xvqDRyOvDstgDlOay+xQrt0CgYAHMe2sDiAy/BcLvXg60ee+khc+WKU7V1hZMuv7
3GwADUuiqhO8poMyXusxEJLdb9mNgoiZV43rNwOgPzbzdMpeTcUSK7SGsQpT13YH
9uqkOIzerqfWXhw7ApCXyhgn4nZHYYDHH7rad77cwKey63sZOMJ3DO2HpOdwyP17
m5J3wQKBgFjxeZkewkdnOIg6u3x0yP+v663vQzrzRW5MpSa55EjYOMXSJzFd7jxy
Ir4r8EA3DkN+uKZ1aI/4MphjunlppDA2a/8f278dB+cbIQNz2lgIDuOctFKDgwmn
9+3uuM49lNhQ3crh1R0GaQGA9xrg4X+y346dBlv+MRZRQrslHKPn
-----END RSA PRIVATE KEY-----

[root@centos8 ~]# openssl req -new -key /data/app1/app1.key -out /data/app1/app1.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:shaanxi
Locality Name (eg, city) [Default City]:xi'an
Organization Name (eg, company) [Default Company Ltd]:neteagles
Organizational Unit Name (eg, section) []:it
Common Name (eg, your name or your server's hostname) []:app1.neteagles.cn
Email Address []:root@neteagles.cn

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

[root@centos8 ~]# ll /data/app1/
total 8
-rw-r--r-- 1 root root 1058 Dec 29 18:46 app1.csr
-rw------- 1 root root 1675 Dec 29 18:43 app1.key

5.	CA頒發證書
[root@centos8 ~]# openssl ca -in /data/app1/app1.csr -out /etc/pki/CA/certs/app1.crt -days 365
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 15 (0xf)
        Validity
            Not Before: Dec 29 10:48:35 2020 GMT
            Not After : Dec 29 10:48:35 2021 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = shaanxi
            organizationName          = neteagles
            organizationalUnitName    = it
            commonName                = app1.neteagles.cn
            emailAddress              = root@neteagles.cn
        X509v3 extensions:
            X509v3 Basic Constraints: 
                CA:FALSE
            Netscape Comment: 
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier: 
                D8:5F:1A:EF:7C:EC:BC:D4:A3:AA:7F:23:01:EF:C3:FC:F9:C4:EE:BC
            X509v3 Authority Key Identifier: 
                keyid:98:35:50:61:11:AE:4A:81:6B:66:19:FB:FB:24:16:46:12:DE:21:2D

Certificate is to be certified until Dec 29 10:48:35 2021 GMT (365 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

[root@centos8 ~]# tree /etc/pki/CA
/etc/pki/CA
├── cacert.pem
├── certs
│   └── app1.crt
├── crl
├── index.txt
├── index.txt.attr
├── index.txt.old
├── newcerts
│   └── 0F.pem
├── private
│   └── cakey.pem
├── serial
└── serial.old

4 directories, 9 files

6.	查看證書
[root@centos8 ~]# cat /etc/pki/CA/certs/app1.crt 
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 15 (0xf)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=CN, ST=shaanxi, L=xi'an, O=neteagles, OU=it, CN=ca.neteagles.cn/emailAddress=admin@neteagles.cn
        Validity
            Not Before: Dec 29 10:48:35 2020 GMT
            Not After : Dec 29 10:48:35 2021 GMT
        Subject: C=CN, ST=shaanxi, O=neteagles, OU=it, CN=app1.neteagles.cn/emailAddress=root@neteagles.cn
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
                Modulus:
                    00:af:30:38:99:89:eb:5e:31:91:d5:37:14:44:a9:
                    51:5b:67:f4:50:d6:f7:6c:ca:ab:ad:e7:dd:2d:5f:
                    27:29:38:26:39:ee:e4:42:76:6d:2a:ab:72:e9:8b:
                    a9:71:df:92:a7:c1:4f:c0:22:68:74:76:63:1d:bd:
                    b1:d8:cb:4c:8d:d1:dc:f1:a1:6a:a0:b1:4f:c8:3b:
                    2a:e9:3e:29:06:09:26:14:47:0f:6b:c7:fe:5a:7f:
                    a1:91:73:e6:e4:ea:1f:9e:d7:c2:60:de:f7:12:22:
                    6b:71:88:25:23:a9:9e:28:0b:23:24:c2:45:6c:7b:
                    ab:c1:c4:ef:30:96:90:25:3e:a4:43:a4:1d:a9:fd:
                    9b:f6:65:77:56:22:dd:9e:8d:f5:eb:94:a1:e4:09:
                    f8:47:36:3b:b7:9e:f9:7d:b7:9c:9f:f8:ae:da:ab:
                    c6:45:13:34:c8:9f:55:46:81:e4:6d:6e:85:d4:ec:
                    f1:68:af:f0:97:fa:fa:e8:5a:81:8d:91:ec:75:37:
                    77:85:ec:3c:b0:5f:c5:3f:30:c8:55:81:bb:7f:3d:
                    dc:2c:8d:83:e9:06:8c:ec:ec:1f:aa:8d:94:ec:18:
                    d7:53:a3:c8:cc:7a:b3:e9:fe:e7:95:8a:5d:40:45:
                    de:b8:34:5f:1d:50:16:f0:a2:97:bb:9c:66:94:c8:
                    ab:f5
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints: 
                CA:FALSE
            Netscape Comment: 
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier: 
                D8:5F:1A:EF:7C:EC:BC:D4:A3:AA:7F:23:01:EF:C3:FC:F9:C4:EE:BC
            X509v3 Authority Key Identifier: 
                keyid:98:35:50:61:11:AE:4A:81:6B:66:19:FB:FB:24:16:46:12:DE:21:2D

    Signature Algorithm: sha256WithRSAEncryption
         45:90:4b:56:5b:6c:06:9c:68:66:f6:9d:38:31:30:34:1c:22:
         72:00:4f:af:40:1e:66:57:8c:58:92:7c:2d:52:b6:76:b4:ac:
         78:d7:7e:2f:b6:7c:2a:cf:49:aa:c7:ed:94:5e:29:c8:c0:b5:
         fe:62:d2:5d:73:20:72:ea:13:29:bc:c5:2a:97:11:84:6e:2c:
         47:57:ec:60:64:73:1b:8b:82:e9:d7:43:2b:71:6e:c3:d3:d1:
         e7:b7:92:30:9b:a9:33:92:6d:af:dc:28:f4:8c:8a:95:b4:0d:
         e9:3f:e2:94:cd:48:36:cd:3c:3d:39:3e:c4:25:52:f2:ea:8c:
         72:0a:f2:31:02:f8:99:68:69:60:db:ff:ea:e2:7f:58:05:d6:
         49:ca:8e:b5:cc:54:c4:a4:3d:e0:a8:b5:90:a1:a2:68:1a:c5:
         e4:b9:61:2b:07:3a:ad:12:8b:87:a8:0f:7e:71:ff:70:53:39:
         b8:54:42:c9:2c:8e:41:73:75:c6:de:fa:3f:8d:0a:75:56:97:
         33:16:9f:9b:b7:d3:3e:b4:45:4d:b7:27:8d:05:a8:8b:cb:9b:
         c1:88:a9:4b:ea:b8:e3:c6:66:73:4f:09:8a:c6:69:fd:60:03:
         7f:21:36:a8:6b:75:7c:e2:95:01:07:96:1a:21:e0:3e:47:85:
         80:60:66:54
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----

[root@centos8 ~]# openssl x509 -in /etc/pki/CA/certs/app1.crt -noout -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 15 (0xf)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = CN, ST = shaanxi, L = xi'an, O = neteagles, OU = it, CN = ca.neteagles.cn, emailAddress = admin@neteagles.cn
        Validity
            Not Before: Dec 29 10:48:35 2020 GMT
            Not After : Dec 29 10:48:35 2021 GMT
        Subject: C = CN, ST = shaanxi, O = neteagles, OU = it, CN = app1.neteagles.cn, emailAddress = root@neteagles.cn
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
                Modulus:
                    00:af:30:38:99:89:eb:5e:31:91:d5:37:14:44:a9:
                    51:5b:67:f4:50:d6:f7:6c:ca:ab:ad:e7:dd:2d:5f:
                    27:29:38:26:39:ee:e4:42:76:6d:2a:ab:72:e9:8b:
                    a9:71:df:92:a7:c1:4f:c0:22:68:74:76:63:1d:bd:
                    b1:d8:cb:4c:8d:d1:dc:f1:a1:6a:a0:b1:4f:c8:3b:
                    2a:e9:3e:29:06:09:26:14:47:0f:6b:c7:fe:5a:7f:
                    a1:91:73:e6:e4:ea:1f:9e:d7:c2:60:de:f7:12:22:
                    6b:71:88:25:23:a9:9e:28:0b:23:24:c2:45:6c:7b:
                    ab:c1:c4:ef:30:96:90:25:3e:a4:43:a4:1d:a9:fd:
                    9b:f6:65:77:56:22:dd:9e:8d:f5:eb:94:a1:e4:09:
                    f8:47:36:3b:b7:9e:f9:7d:b7:9c:9f:f8:ae:da:ab:
                    c6:45:13:34:c8:9f:55:46:81:e4:6d:6e:85:d4:ec:
                    f1:68:af:f0:97:fa:fa:e8:5a:81:8d:91:ec:75:37:
                    77:85:ec:3c:b0:5f:c5:3f:30:c8:55:81:bb:7f:3d:
                    dc:2c:8d:83:e9:06:8c:ec:ec:1f:aa:8d:94:ec:18:
                    d7:53:a3:c8:cc:7a:b3:e9:fe:e7:95:8a:5d:40:45:
                    de:b8:34:5f:1d:50:16:f0:a2:97:bb:9c:66:94:c8:
                    ab:f5
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints: 
                CA:FALSE
            Netscape Comment: 
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier: 
                D8:5F:1A:EF:7C:EC:BC:D4:A3:AA:7F:23:01:EF:C3:FC:F9:C4:EE:BC
            X509v3 Authority Key Identifier: 
                keyid:98:35:50:61:11:AE:4A:81:6B:66:19:FB:FB:24:16:46:12:DE:21:2D

    Signature Algorithm: sha256WithRSAEncryption
         45:90:4b:56:5b:6c:06:9c:68:66:f6:9d:38:31:30:34:1c:22:
         72:00:4f:af:40:1e:66:57:8c:58:92:7c:2d:52:b6:76:b4:ac:
         78:d7:7e:2f:b6:7c:2a:cf:49:aa:c7:ed:94:5e:29:c8:c0:b5:
         fe:62:d2:5d:73:20:72:ea:13:29:bc:c5:2a:97:11:84:6e:2c:
         47:57:ec:60:64:73:1b:8b:82:e9:d7:43:2b:71:6e:c3:d3:d1:
         e7:b7:92:30:9b:a9:33:92:6d:af:dc:28:f4:8c:8a:95:b4:0d:
         e9:3f:e2:94:cd:48:36:cd:3c:3d:39:3e:c4:25:52:f2:ea:8c:
         72:0a:f2:31:02:f8:99:68:69:60:db:ff:ea:e2:7f:58:05:d6:
         49:ca:8e:b5:cc:54:c4:a4:3d:e0:a8:b5:90:a1:a2:68:1a:c5:
         e4:b9:61:2b:07:3a:ad:12:8b:87:a8:0f:7e:71:ff:70:53:39:
         b8:54:42:c9:2c:8e:41:73:75:c6:de:fa:3f:8d:0a:75:56:97:
         33:16:9f:9b:b7:d3:3e:b4:45:4d:b7:27:8d:05:a8:8b:cb:9b:
         c1:88:a9:4b:ea:b8:e3:c6:66:73:4f:09:8a:c6:69:fd:60:03:
         7f:21:36:a8:6b:75:7c:e2:95:01:07:96:1a:21:e0:3e:47:85:
         80:60:66:54

[root@centos8 ~]# openssl x509 -in /etc/pki/CA/certs/app1.crt -noout -issuer
issuer=C = CN, ST = shaanxi, L = xi'an, O = neteagles, OU = it, CN = ca.neteagles.cn, emailAddress = admin@neteagles.cn
[root@centos8 ~]# openssl x509 -in /etc/pki/CA/certs/app1.crt -noout -subject
subject=C = CN, ST = shaanxi, O = neteagles, OU = it, CN = app1.neteagles.cn, emailAddress = root@neteagles.cn
[root@centos8 ~]# openssl x509 -in /etc/pki/CA/certs/app1.crt -noout -dates
notBefore=Dec 29 10:48:35 2020 GMT
notAfter=Dec 29 10:48:35 2021 GMT
[root@centos8 ~]# openssl x509 -in /etc/pki/CA/certs/app1.crt -noout -serial
serial=0F
[root@centos8 ~]# openssl ca -status 0F
Using configuration from /etc/pki/tls/openssl.cnf
0F=Valid (V)
[root@centos8 ~]# cat /etc/pki/CA/index.txt
V	211229104835Z		0F	unknown	/C=CN/ST=shaanxi/O=neteagles/OU=it/CN=app1.neteagles.cn/emailAddress=root@neteagles.cn
[root@centos8 ~]# cat /etc/pki/CA/index.txt.old 
[root@centos8 ~]# cat /etc/pki/CA/serial
10
[root@centos8 ~]# cat /etc/pki/CA/serial.old 
0F

[root@centos8 ~]# sz /etc/pki/CA/certs/app1.crt

7.	將證書相關文件發送到用戶端使用
[root@centos8 ~]# cp /etc/pki/CA/certs/app1.crt /data/app1/
[root@centos8 ~]# tree /data/app1/
/data/app1/
├── app1.crt
├── app1.csr
└── app1.key

0 directories, 3 files

8.	證書信任
默認生成的證書,在Windows上是不被信任的,可以通過下面的操作實現信任
打開Internet屬性












9.	證書吊銷
[root@centos8 ~]# openssl ca -revoke /etc/pki/CA/newcerts/0F.pem 
Using configuration from /etc/pki/tls/openssl.cnf
Revoking Certificate 0F.
Data Base Updated
[root@centos8 ~]# openssl ca -status 0F
Using configuration from /etc/pki/tls/openssl.cnf
0F=Revoked (R)
[root@centos8 ~]# cat /etc/pki/CA/index.txt
R	211229104835Z	201229112239Z	0F	unknown	/C=CN/ST=shaanxi/O=neteagles/OU=it/CN=app1.neteagles.cn/emailAddress=root@neteagles.cn

10.	生成證書吊銷列表文件
[root@centos8 ~]# openssl ca -gencrl -out /etc/pki/CA/crl.pem
Using configuration from /etc/pki/tls/openssl.cnf
/etc/pki/CA/crlnumber: No such file or directory
error while loading CRL number
139665427777344:error:02001002:system library:fopen:No such file or directory:crypto/bio/bss_file.c:69:fopen('/etc/pki/CA/crlnumber','r')
139665427777344:error:2006D080:BIO routines:BIO_new_file:no such file:crypto/bio/bss_file.c:76:
[root@centos8 ~]# echo 01 >/etc/pki/CA/crlnumber
[root@centos8 ~]# openssl ca -gencrl -out /etc/pki/CA/crl.pem
Using configuration from /etc/pki/tls/openssl.cnf
[root@centos8 ~]# cat /etc/pki/CA/crlnumber
02

[root@centos8 ~]# cat /etc/pki/CA/crl.pem 
-----BEGIN X509 CRL-----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-----END X509 CRL-----
[root@centos8 ~]# openssl crl -in /etc/pki/CA/crl.pem -noout -text
Certificate Revocation List (CRL):
        Version 2 (0x1)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = CN, ST = shaanxi, L = xi'an, O = neteagles, OU = it, CN = ca.neteagles.cn, emailAddress = admin@neteagles.cn
        Last Update: Dec 29 11:28:02 2020 GMT
        Next Update: Jan 28 11:28:02 2021 GMT
        CRL extensions:
            X509v3 CRL Number: 
                1
Revoked Certificates:
    Serial Number: 0F
        Revocation Date: Dec 29 11:22:39 2020 GMT
    Signature Algorithm: sha256WithRSAEncryption
         13:3a:b2:4e:bd:fd:da:12:05:cb:25:9d:62:fa:0f:0b:2b:37:
         bd:f1:19:08:f7:76:34:2b:da:bf:6f:8b:f2:d4:27:19:79:71:
         68:c1:e3:6e:0a:b4:28:4e:9d:55:25:da:21:03:c7:0b:62:0a:
         e9:1f:b7:73:a5:93:ae:c5:e7:b7:25:3e:9b:b2:71:71:f4:ba:
         04:5e:ce:0e:e8:06:97:8b:40:ff:26:f7:ee:fc:80:26:1e:83:
         5e:14:78:a5:8f:fc:9e:66:83:12:ef:67:b1:f6:8f:d2:25:c9:
         a3:ce:72:35:2f:f9:b9:88:10:8d:b1:1f:27:68:36:52:17:aa:
         bf:d1:6b:3c:45:29:e6:3c:0a:18:3d:80:74:6f:46:f8:d9:b2:
         ff:76:7c:f1:f0:cc:22:5a:7a:9f:7f:e0:f1:3a:e5:da:bb:58:
         6b:0a:83:99:a5:fe:84:de:d1:a4:85:ca:b1:f8:37:09:0d:2c:
         eb:12:4a:7c:66:27:bf:20:39:33:1b:01:4c:b9:b6:cb:40:76:
         83:02:fc:16:87:1d:cb:22:05:06:e1:98:6e:ee:d4:c0:4b:a0:
         b5:65:ca:59:3e:d1:ea:76:92:60:93:b0:02:ad:2c:51:e9:83:
         67:58:58:f7:d5:78:6e:bb:dd:c0:23:e9:d8:d3:48:f0:0a:a9:
         18:55:05:4f

[root@centos8 ~]# sz /etc/pki/CA/crl.pem
#將crl.pem傳到windows上並改名為crl.pem.crl,雙擊打開


二.腳本實現自動創建證書

[root@centos8 ~]# certificate.sh
#!/bin/bash
#
#********************************************************************
#Author:		    zhanghui
#QQ: 			    19661891
#Date: 			    2020-12-28
#FileName:		    certificate.sh
#URL: 			    www.neteagles.cn
#Description:		The test script
#Copyright (C): 	2020 All rights reserved
#********************************************************************
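# Create a self-signed CA and one server certificate signed by it, all in the
# current directory. Everything is driven by the variables below; the script
# takes no arguments.
set -euo pipefail

# Private keys must never be readable by others, not even between generation
# and the chmod at the end: create every file 0600 and relax the public ones.
umask 077

CA_SUBJECT="/O=neteagles/CN=ca.neteagles.cn"
SUBJECT="/C=CN/ST=Shaanxi/L=xi'an/O=neteagles/CN=*.neteagles.cn"
# Browsers match the host name against subjectAltName, not CN, so the server
# certificate needs a SAN covering the wildcard and the bare domain.
SAN="DNS:*.neteagles.cn,DNS:neteagles.cn"
SERIAL=01
EXPIRE=202002
FILE=httpd

# CA key (unencrypted, -nodes) and self-signed CA certificate. Quoted $SUBJECT
# also keeps the "'" and "*" in the DN from being touched by the shell.
openssl req -x509 -newkey rsa:2048 -subj "$CA_SUBJECT" -keyout ca.key -nodes \
  -days "$EXPIRE" -out ca.crt

# Server key and certificate signing request.
openssl req -newkey rsa:2048 -nodes -keyout "${FILE}.key" -subj "$SUBJECT" \
  -out "${FILE}.csr"

# Sign the CSR. `x509 -req` does not carry extensions over from the CSR on
# OpenSSL 1.1.x, so the SAN is supplied through -extfile.
openssl x509 -req -in "${FILE}.csr" -CA ca.crt -CAkey ca.key -set_serial "$SERIAL" \
  -days "$EXPIRE" -extfile <(printf 'subjectAltName=%s\n' "$SAN") -out "${FILE}.crt"

# Keys stay 0600 (explicit chmod also covers pre-existing files); the public
# artefacts go back to the usual 0644 so services can read them.
chmod 600 "${FILE}.key" ca.key
chmod 644 ca.crt "${FILE}.crt" "${FILE}.csr"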

三.SSH實現批量key驗證

[root@centos8 ~]# vim ssh_key_push_centos.sh
#!/bin/bash
#
#********************************************************************
#Author:		    zhanghui
#QQ: 			    19661891
#Date: 			    2020-12-28
#FileName:		    ssh_key_push_centos.sh
#URL: 			    www.neteagles.cn
#Description:		The test script
#Copyright (C): 	2020 All rights reserved
#********************************************************************
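# Push this host's public key to every host in HOSTS so later logins are
# key-based. sshpass -e reads the remote password from SSHPASS; take it from
# the environment and, when it is not set, ask once without echo instead of
# keeping the password in this file.
if [[ -z ${SSHPASS:-} ]]; then
  read -rsp "password: " SSHPASS
  echo
fi
export SSHPASS

HOSTS=(
  10.0.0.100
  10.0.0.200
  10.0.0.7
)

# Only generate the key pair when it does not exist yet: with an existing key
# ssh-keygen stops at an "Overwrite?" prompt that &>/dev/null hides.
[[ -f /root/.ssh/id_rsa ]] || ssh-keygen -f /root/.ssh/id_rsa -P '' &> /dev/null
rpm -q sshpass &> /dev/null || yum -y install sshpass &> /dev/null
command -v sshpass &> /dev/null || { echo "sshpass is not installed" >&2; exit 1; }

for i in "${HOSTS[@]}"; do
  {
    # accept-new stores an unknown host key but still refuses a changed one;
    # StrictHostKeyChecking=no would silently accept both.
    if sshpass -e ssh-copy-id -o StrictHostKeyChecking=accept-new \
        -i /root/.ssh/id_rsa.pub "$i" &> /dev/null; then
      echo "$i is finished"
    else
      echo "$i failed" >&2
    fi
  } &
done
wait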

[root@centos8 ~]# bash ssh_key_push.sh 
10.0.0.7 is finished
10.0.0.200 is finished
10.0.0.100 is finished

[root@centos8 ~]# ssh 10.0.0.7
Last login: Mon Dec 28 19:16:25 2020 from 10.0.0.8
[root@centos7 ~]#

root@ubuntu2004:~# cat ssh_key_push_ubuntu.sh
#!/bin/bash
#
#********************************************************************
#Author:		    zhanghui
#QQ: 			    19661891
#Date: 			    2020-12-28
#FileName:		    ssh_key_push_ubuntu.sh
#URL: 			    www.neteagles.cn
#Description:		The test script
#Copyright (C): 	2020 All rights reserved
#********************************************************************
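# Push this host's public key to every host in HOSTS so later logins are
# key-based (Ubuntu variant: apt/dpkg). sshpass -e reads the remote password
# from SSHPASS; take it from the environment and, when it is not set, ask once
# without echo instead of keeping the password in this file.
if [[ -z ${SSHPASS:-} ]]; then
  read -rsp "password: " SSHPASS
  echo
fi
export SSHPASS

HOSTS=(
  10.0.0.100
  10.0.0.8
  10.0.0.7
)

# Only generate the key pair when it does not exist yet: with an existing key
# ssh-keygen stops at an "Overwrite?" prompt that &>/dev/null hides.
[[ -f /root/.ssh/id_rsa ]] || ssh-keygen -f /root/.ssh/id_rsa -P '' &> /dev/null
# dpkg -s checks the package status; dpkg -S only searches file names.
dpkg -s sshpass &> /dev/null || apt -y install sshpass &> /dev/null
command -v sshpass &> /dev/null || { echo "sshpass is not installed" >&2; exit 1; }

for i in "${HOSTS[@]}"; do
  {
    # accept-new stores an unknown host key but still refuses a changed one;
    # StrictHostKeyChecking=no would silently accept both.
    if sshpass -e ssh-copy-id -o StrictHostKeyChecking=accept-new \
        -i /root/.ssh/id_rsa.pub "$i" &> /dev/null; then
      echo "$i is finished"
    else
      echo "$i failed" >&2
    fi
  } &
done
wait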

四.ssh修改端口和優化設置

[root@centos8 ~]# cat ssh_optimalize.sh
#!/bin/bash
#
#********************************************************************
#Author:		    zhanghui
#QQ: 			    19661891
#Date: 			    2020-12-28
#FileName:		    ssh_optimalize.sh
#URL: 			    www.neteagles.cn
#Description:		The test script
#Copyright (C): 	2020 All rights reserved
#********************************************************************
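# Move sshd to a user-chosen port, disable reverse DNS lookups and GSSAPI
# authentication, then restart sshd. Run as root on CentOS.
read -p "請輸入端口號:" PORT

# PORT is spliced into a sed script and into sshd_config: accept only a plain
# TCP port number.
if [[ ! $PORT =~ ^[0-9]+$ ]] || (( PORT < 1 || PORT > 65535 )); then
  echo "invalid port: $PORT" >&2
  exit 1
fi

# Match the commented default and an earlier customised value alike, so the
# script can be re-run. The other two substitutions are the original ones.
sed -i.bak -e "s/^#\?Port .*/Port $PORT/" \
  -e 's/#UseDNS no/UseDNS no/' \
  -e 's/GSSAPIAuthentication yes/GSSAPIAuthentication no/' /etc/ssh/sshd_config

# SELinux lets sshd bind only ports labelled ssh_port_t; register the new one
# first, otherwise sshd fails to start after the restart (-m when the port is
# already defined, e.g. 22).
if command -v semanage &> /dev/null && [[ $(getenforce 2>/dev/null) != Disabled ]]; then
  semanage port -a -t ssh_port_t -p tcp "$PORT" 2>/dev/null \
    || semanage port -m -t ssh_port_t -p tcp "$PORT"
fi
# Open the new port when firewalld is running.
if systemctl is-active --quiet firewalld; then
  firewall-cmd --permanent --add-port="${PORT}/tcp" && firewall-cmd --reload
fi

# Syntax-check before restarting: a broken sshd_config on a remote box means a
# lock-out. On failure put the backup back and stop.
if ! sshd -t; then
  echo "sshd_config check failed, restoring backup" >&2
  mv /etc/ssh/sshd_config.bak /etc/ssh/sshd_config
  exit 1
fi
systemctl restart sshd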

五.ubuntu設置root用戶登錄

root@ubuntu2004:~# cat root_login.sh
#!/bin/bash
#
#********************************************************************
#Author:		    zhanghui
#QQ: 			    19661891
#Date: 			    2020-12-28
#FileName:		    root_login.sh
#URL: 			    www.neteagles.cn
#Description:		The test script
#Copyright (C): 	2020 All rights reserved
#********************************************************************
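# Enable root SSH login on Ubuntu and set a root password by driving sudo
# through expect. $password is used both as the current user's sudo password
# and as the new root password (same value in this lab setup); override it
# from the environment instead of editing the file.
sudo apt -y install expect
password=${password:-123456}
expect <<EOF
set timeout 20
spawn sudo -i
expect "password" { send "$password\n" }
expect "~#" { send "sed -i.bak 's/#PermitRootLogin prohibit-password/PermitRootLogin yes/' /etc/ssh/sshd_config\n" }
expect "~#" { send "echo -e '$password\n$password' |passwd root\n" }
expect "~#" { send "systemctl restart sshd\n" }
expect "~#" { send "exit\n" }
EOF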

root@ubuntu2004:~# cat root_login2.sh
#!/bin/bash
#
#********************************************************************
#Author:		    zhanghui
#QQ: 			    19661891
#Date: 			    2020-12-28
#FileName:		    root_login2.sh
#URL: 			    www.neteagles.cn
#Description:		The test script
#Copyright (C): 	2020 All rights reserved
#********************************************************************
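# Same goal as root_login.sh without expect: enable PermitRootLogin and set
# the root password. $password is the current user's sudo password and the
# new root password; override it from the environment rather than editing here.
password=${password:-123456}

# Authenticate to sudo once (-v only refreshes the timestamp) so the later
# sudo calls do not consume their own stdin as the password.
printf '%s\n' "$password" | sudo -S -v || exit 1
sudo sed -ri 's@#(PermitRootLogin )prohibit-password@\1yes@' /etc/ssh/sshd_config
# chpasswd reads user:password from stdin; this avoids the passwd
# confirmation dialogue competing with sudo -S for the same stream.
printf 'root:%s\n' "$password" | sudo chpasswd
sudo systemctl restart sshd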

六.ssh基於谷歌pam_google-authenticator插件實現雙重驗證

1.首先掃這個二維碼下載,手機APP

2.運行下面腳本實現自動安裝

[root@centos7 ~]# cat google-authenticator.sh
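# Install Google Authenticator on CentOS 7, enrol root interactively and wire
# the PAM module into sshd. The echo block below pre-prints the prompts of
# google-authenticator with a Chinese translation and the answer the author
# recommends, since the tool itself only speaks English.

# Install EPEL first if the package is not in the configured repositories
#yum install -y epel-release.noarch
#yum makecache
# Install google-authenticator; stop if that fails, otherwise the PAM edit
# below would require a module that is not there and break sshd logins.
yum install -y google-authenticator.x86_64 || exit 1


echo -e "\033[31mDo you want me to update your \"/root/.google_authenticator\" file? (y/n) y"
echo -e "\033[31m你希望我更新你的“/root/.google_authenticator”文件嗎(y/n)?\033[0m"
echo -e "\033[31mDo you want to disallow multiple uses of the same authentication"
echo -e "\033[31mtoken? This restricts you to one login about every 30s, but it increases"
echo -e "\033[31myour chances to notice or even prevent man-in-the-middle attacks (y/n) y"
echo -e "\033[31m你希望禁止多次使用同一個驗證令牌嗎?這限制你每次登錄的時間大約是30秒, 但是這加大了發現或甚至防止中間人攻擊的可能性(y/n)?\033[0m"
echo -e "\033[31mBy default, a new token is generated every 30 seconds by the mobile app."
echo -e "\033[31mIn order to compensate for possible time-skew between the client and the server,"
echo -e "\033[31mwe allow an extra token before and after the current time. This allows for a"
echo -e "\033[31mtime skew of up to 30 seconds between authentication server and client. If you"
echo -e "\033[31mexperience problems with poor time synchronization, you can increase the window"
echo -e "\033[31mfrom its default size of 3 permitted codes (one previous code, the current"
echo -e "\033[31mcode, the next code) to 17 permitted codes (the 8 previous codes, the current"
echo -e "\033[31mcode, and the 8 next codes). This will permit for a time skew of up to 4 minutes"
echo -e "\033[31mbetween client and server."
echo -e "\033[31mDo you want to do so? (y/n) y"
echo -e "\033[31m默認情況下,令牌保持30秒有效;為了補償客戶機與服務器之間可能存在的時滯,\033[0m"
echo -e "\033[31m我們允許在當前時間前后有一個額外令牌。如果你在時間同步方面遇到了問題, 可以增加窗口從默認的3個可通過驗證碼增加到17個可通過驗證碼,\033[0m"
echo -e "\033[31m這將允許客戶機與服務器之間的時差增加到4分鍾。你希望這么做嗎(y/n)?\033[0m"
echo -e "\033[31mIf the computer that you are logging into isn't hardened against brute-force"
echo -e "\033[31mlogin attempts, you can enable rate-limiting for the authentication module."
echo -e "\033[31mBy default, this limits attackers to no more than 3 login attempts every 30s."
echo -e "\033[31mDo you want to enable rate-limiting? (y/n) y"
echo -e "\033[31m如果你登錄的那台計算機沒有經過固化,以防范運用蠻力的登錄企圖,可以對驢證模塊\033[0m"
echo -e "\033[31m啟用嘗試次數限制。默認情況下,這限制攻擊者每30秒試圖登錄的次數只有3次。 你希望啟用嘗試次數限制嗎(y/n)?\033[0m"
echo -e "\033[32m 在App Store 搜索Google Authenticator 進行App安裝 \033[0m"


# Interactive enrolment: prints the secret/QR URL and asks for a first code.
google-authenticator


# /etc/pam.d/sshd: add the following line right after the "#%PAM-1.0" header,
# but only once, so re-running the script does not stack duplicate entries:
#auth required pam_google_authenticator.so
grep -q '^auth.*pam_google_authenticator' /etc/pam.d/sshd \
  || sed -i '1a\auth       required     pam_google_authenticator.so' /etc/pam.d/sshd
# /etc/ssh/sshd_config: find
#ChallengeResponseAuthentication no
# and change it to
#ChallengeResponseAuthentication yes
# Anchoring on the directive (optionally commented) keeps comment lines that
# merely mention it from being turned into a second active directive.
sed -i 's/^#\?ChallengeResponseAuthentication.*/ChallengeResponseAuthentication yes/' /etc/ssh/sshd_config

# Check the edited config before restarting sshd
sshd -t && service sshd restart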


[root@centos7 ~]# bash google-authenticator.sh

Do you want authentication tokens to be time-based (y/n) y
Warning: pasting the following URL into your browser exposes the OTP secret to Google:
  https://www.google.com/chart?chs=200x200&chld=M|0&cht=qr&chl=otpauth://totp/root@centos8.3%3Fsecret%3DGUW425QR7RMQ3QH3Y6BTS5J6E4%26issuer%3Dcentos8.3            #把這段復制到瀏覽器,打開用手機APP掃碼,綁定設備

3.訪問生成的URL(需要XX上網)
https://www.google.com/chart?chs=200x200&chld=M|0&cht=qr&chl=otpauth://totp/root@centos8.3%3Fsecret%3DGUW425QR7RMQ3QH3Y6BTS5J6E4%26issuer%3Dcentos8.3

4.打開用手機APP掃碼,綁定設備

5.輸入獲取的驗證碼

Failed to use libqrencode to show QR code visually for scanning.
Consider typing the OTP secret into your app manually.
Your new secret key is: GUW425QR7RMQ3QH3Y6BTS5J6E4
Enter code from app (-1 to skip): 720782          #這里輸入手機綁定后獲取的動態驗證碼
Code confirmed
Your emergency scratch codes are:
  95817019
  34153916
  67876890
  96915467
  65085458

Do you want me to update your "/root/.google_authenticator" file? (y/n) y

Do you want to disallow multiple uses of the same authentication
token? This restricts you to one login about every 30s, but it increases
your chances to notice or even prevent man-in-the-middle attacks (y/n) y

By default, a new token is generated every 30 seconds by the mobile app.
In order to compensate for possible time-skew between the client and the server,
we allow an extra token before and after the current time. This allows for a
time skew of up to 30 seconds between authentication server and client. If you
experience problems with poor time synchronization, you can increase the window
from its default size of 3 permitted codes (one previous code, the current
code, the next code) to 17 permitted codes (the 8 previous codes, the current
code, and the 8 next codes). This will permit for a time skew of up to 4 minutes
between client and server.
Do you want to do so? (y/n) y

If the computer that you are logging into isn't hardened against brute-force
login attempts, you can enable rate-limiting for the authentication module.
By default, this limits attackers to no more than 3 login attempts every 30s.
Do you want to enable rate-limiting? (y/n) y
Redirecting to /bin/systemctl restart sshd.service

6.登錄

[root@centos7 ~]# ssh 10.0.0.8
Verification code: 
Password: 
Last login: Tue Dec 29 16:23:15 2020 from ::ffff:10.0.0.200
[root@centos8 ~]# exit
logout
Connection to 10.0.0.8 closed.

7.臨時口令(應急口令,保存在 .google_authenticator 文件中)

[root@centos8 ~]# cat .google_authenticator 
GUW425QR7RMQ3QH3Y6BTS5J6E4
" RATE_LIMIT 3 30 1609233645
" WINDOW_SIZE 17
" DISALLOW_REUSE 53641121
" TOTP_AUTH
95817019
34153916
67876890
96915467
65085458

七.創建chrony服務端和客戶端實現時間同步

1.服務端

root@ubuntu1804:~# apt -y install chrony
root@ubuntu1804:~# vim /etc/chrony/chrony.conf
server ntp.aliyun.com iburst
server time1.cloud.tencent.com iburst
server slb.time.edu.cn iburst

allow 10.0.0.0/16
local stratum 10
:wq
root@ubuntu1804:~# systemctl restart chrony

root@ubuntu1804:~# ss -ntul
Netid       State          Recv-Q         Send-Q                  Local Address:Port                 Peer Address:Port        
udp         UNCONN         0              0                       127.0.0.53%lo:53                        0.0.0.0:*           
udp         UNCONN         0              0                           127.0.0.1:323                       0.0.0.0:*           
udp         UNCONN         0              0                               [::1]:323                          [::]:*           
tcp         LISTEN         0              128                     127.0.0.53%lo:53                        0.0.0.0:*           
tcp         LISTEN         0              128                           0.0.0.0:22                        0.0.0.0:*           
tcp         LISTEN         0              128                         127.0.0.1:6010                      0.0.0.0:*           
tcp         LISTEN         0              128                              [::]:22                           [::]:*           
tcp         LISTEN         0              128                             [::1]:6010                         [::]:*

root@ubuntu1804:~# chronyc sources -nv
210 Number of sources = 3
MS Name/IP address         Stratum Poll Reach LastRx Last sample               
===============================================================================
^* 203.107.6.88                  2   6    17    57   -407us[-8953us] +/-   39ms	#* 星號表示和這台服務器已經同步
^- 139.199.215.251               2   6    17    57    +12ms[  +12ms] +/-   46ms
^? sv9865.si-servers.com         0   7     0     -     +0ns[   +0ns] +/-    0ns

2.客戶端

[root@centos7 ~]# yum -y install chrony

[root@centos7 ~]# vim /etc/chrony.conf
server 10.0.0.100 iburst
:wq
[root@centos7 ~]# systemctl restart chronyd
[root@centos7 ~]# chronyc sources -nv
210 Number of sources = 1
MS Name/IP address         Stratum Poll Reach LastRx Last sample               
===============================================================================
^* 10.0.0.100                    3   6     7     0    +23us[ -8784h] +/-   36ms

root@ubuntu1804:~# ss -ntul
Netid       State          Recv-Q         Send-Q                  Local Address:Port                 Peer Address:Port        
udp         UNCONN         0              0                       127.0.0.53%lo:53                        0.0.0.0:*           
udp         UNCONN         0              0                             0.0.0.0:123                       0.0.0.0:*           
udp         UNCONN         0              0                           127.0.0.1:323                       0.0.0.0:*           
udp         UNCONN         0              0                               [::1]:323                          [::]:*           
tcp         LISTEN         0              128                     127.0.0.53%lo:53                        0.0.0.0:*           
tcp         LISTEN         0              128                           0.0.0.0:22                        0.0.0.0:*           
tcp         LISTEN         0              128                         127.0.0.1:6010                      0.0.0.0:*           
tcp         LISTEN         0              128                              [::]:22                           [::]:*           
tcp         LISTEN         0              128                             [::1]:6010                         [::]:*  

