1、限制前:
ww@10.201.106.129's password: 
[ww@qq ~]$ exit
logout
Connection to 10.201.106.129 closed.
[root@zz ~]# ssh ee@10.201.106.129
ee@10.201.106.129's password: 
[ee@qq ~]$ exit
2、限制后
[root@qq ~]# vim /etc/ssh/sshd_config
AllowUsers qq root
[root@qq ~]# service sshd reload
Reloading sshd: [ OK ]
2.1测试
[root@zz ~]# ssh ee@10.201.106.129
ee@10.201.106.129's password: 
Permission denied, please try again.
ee@10.201.106.129's password: 
[root@zz ~]# ssh ww@10.201.106.129
ww@10.201.106.129's password: 
Permission denied, please try again.
ww@10.201.106.129's password: 
[root@zz ~]# 
[root@zz ~]# ssh qq@10.201.106.129
qq@10.201.106.129's password: 
Last login: Thu Jul 28 15:52:49 2016 from 10.201.106.128
[qq@qq ~]$
[root@qq ~]# tr -dc A-Za-z0-9_ < /dev/urandom | head -c 16 | xargsrCHubvWwKIA4Fxk2
[root@qq ~]# tar xf dropbear-2013.58.tar.bz2
[root@qq ~]# cd dropbear-2013.58
[root@qq dropbear-2013.58]# less INSTALL
Basic Dropbear build instructions:
- Edit options.h to set which features you want.
- Edit debug.h if you want any debug options (not usually required).
(If using a non-tarball copy, "autoconf; autoheader")
./configure (optionally with --disable-zlib or --disable-syslog, or --help for other options)
Now compile:
make PROGRAMS="dropbear dbclient dropbearkey dropbearconvert scp"
And install (/usr/local/bin is usual default):
……
[root@qq dropbear-2013.58]# ./configure
[root@qq dropbear-2013.58]# make PROGRAMS=' dropbear scp dropbearkey dbclient'
[root@qq dropbear-2013.58]# make PROGRAMS=' dropbear scp dropbearkey dbclient' install
[root@qq dropbear-2013.58]# make PROGRAMS=' dropbear scp dropbearkey dbclient' install
install -d -m 755 /usr/local/sbin
install -m 755 dropbear /usr/local/sbin
chown root /usr/local/sbin/dropbear
chgrp 0 /usr/local/sbin/dropbear
install -d -m 755 /usr/local/bin
install -m 755 scp /usr/local/bin
chown root /usr/local/bin/scp
chgrp 0 /usr/local/bin/scp
install -d -m 755 /usr/local/bin
install -m 755 dropbearkey /usr/local/bin
chown root /usr/local/bin/dropbearkey
chgrp 0 /usr/local/bin/dropbearkey
install -d -m 755 /usr/local/bin
install -m 755 dbclient /usr/local/bin
chown root /usr/local/bin/dbclient
chgrp 0 /usr/local/bin/dbclient
[root@qq dropbear-2013.58]# 
[root@qq dropbear-2013.58]# cd /usr/local/bin
[root@qq bin]# ls
dbclient dropbearkey scp
[root@qq bin]# mkdir /etc/dropbear
[root@qq bin]# dropbearkey -t rsa -f /etc/dropbear/dropbear_rsa_host_key -s 2048 Will output 2048 bit rsa secret key to '/etc/dropbear/dropbear_rsa_host_key'Generating key, this may take a while...Public key portion is:ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAmtSn/j31kRsMGL2pcW2GhRaPRyhdC3wbtwuajPbyAvNPf/AiLMD7m31ZbyzQTlARzufZWFSeXuyjyxUNfR5zcfrcVErbz8p2Wub8Qm1H9hGz90Syy7RahwcdCmiEtG/E91t83knmOMRgncDnqi7qlCVUy31/hn3A7Dynt8Zpmjya2XpgRmHhplN4JcF7HHQ6RUamkJPYI2g8/hIyEaLbAaJMFfN0XMj2Q9urvjjyRxbSsSTdjD2GEQUBL+rrkIoxQ3DDx/5d5TKYA/YelFmMckCUJtvaEJa8kbzCxy2nWGBjde3JLRemHrOL0AMNJghxC4EUYWoweCWHyxWf14mZzu16Q== root@qqFingerprint: md5 d9:61:9d:b3:a7:d7:0a:f7:45:bb:4b:4d:9f:a1:08:1a[root@qq bin]# [root@qq bin]# ls /etc/dropbear/dropbear_rsa_host_key /etc/dropbear/dropbear_rsa_host_key
[root@qq bin]# dropbearkey -t dss -f /etc/dropbear/dropbear_dss_host_key Will output 1024 bit dss secret key to '/etc/dropbear/dropbear_dss_host_key'Generating key, this may take a while...Public key portion is:ssh-dss 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 root@qqFingerprint: md5 cc:d6:76:e2:1a:00:b0:2d:1d:49:67:f1:9d:e8:33:7f[root@qq bin]# [root@qq bin]# [root@qq bin]# ls /etc/dropbear/dropbear_dss_host_key dropbear_rsa_host_key[root@qq bin]#
[root@qq bin]# dropbear -p :22022 -F -E[61370] Jul 29 16:17:57 Not backgrounding[root@qq bin]# ss -tnlState Recv-Q Send-Q Local Address:Port Peer Address:Port LISTEN 0 10 10.201.106.129:53 *:* LISTEN 0 10 127.0.0.1:53 *:* LISTEN 0 128 :::22 :::* LISTEN 0 128 *:22 *:* LISTEN 0 64 :::23 :::* LISTEN 0 128 127.0.0.1:631 *:* LISTEN 0 128 ::1:631 :::* LISTEN 0 128 127.0.0.1:953 *:* LISTEN 0 100 ::1:25 :::* LISTEN 0 100 127.0.0.1:25 *:* LISTEN 0 128 :::43521 :::* LISTEN 0 20 :::22022 :::* LISTEN 0 20 *:22022 ##### *:* LISTEN 0 128 *:35240 *:* LISTEN 0 128 :::111 :::* LISTEN 0 128 *:111 *:*
[root@zz ~]# ssh -P 22022 root@10.201.106.129ssh: connect to host 22022 port 22: Invalid argument[root@zz ~]# ssh -p 22022 root@10.201.106.129The authenticity of host '[10.201.106.129]:22022 ([10.201.106.129]:22022)' can't be established.RSA key fingerprint is d9:61:9d:b3:a7:d7:0a:f7:45:bb:4b:4d:9f:a1:08:1a.Are you sure you want to continue connecting (yes/no)? yesWarning: Permanently added '[10.201.106.129]:22022' (RSA) to the list of known hosts.root@10.201.106.129's password: [root@qq ~]# pstreeinit─┬─abrtd ├─acpid ├─atd ├─auditd───{auditd} ├─automount───4*[{automount}] ├─certmonger ├─console-kit-dae───63*[{console-kit-da}] ├─crond ├─cupsd ├─dbus-daemon───{dbus-daemon} ├─hald─┬─hald-runner─┬─hald-addon-acpi │ │ ├─hald-addon-inpu │ │ └─hald-addon-rfki │ └─{hald} ├─login───bash ├─master─┬─pickup │ └─qmgr ├─mcelog ├─5*[mingetty] ├─named───3*[{named}] ├─rpc.statd ├─rpcbind ├─rsyslogd───3*[{rsyslogd}] ├─2*[sshd───bash] ├─sshd─┬─sshd───sshd───bash │ ├─sshd───bash │ └─sshd───bash───dropbear───dropbear───bash───pstree ├─udevd───2*[udevd] └─xinetd[root@qq ~]# [root@qq bin]# dropbear -p :22022 -F -E[61370] Jul 29 16:17:57 Not backgrounding[61414] Jul 29 16:22:24 Child connection from 10.201.106.128:33608[61414] Jul 29 16:22:30 Password auth succeeded for 'root' from 10.201.106.128:33608
[root@qq bin]# dbclient 10.201.106.128root@10.201.106.128's password: Last login: Sun Jul 31 01:54:38 2016 from 10.201.106.1[root@zz ~]# exitlogout[root@qq bin]# [61414] Jul 29 16:30:09 Exit (root): Disconnect received[root@qq bin]#
[root@qq bin]# cat /etc/pki/tls/openssl.cnf
[root@qq bin]# ll /etc/pki/CA/
total 16
drwxr-xr-x. 2 root root 4096 Oct 15 2014 certs     #已签署证书
drwxr-xr-x. 2 root root 4096 Oct 15 2014 crl       #吊销证书列表
drwxr-xr-x. 2 root root 4096 Oct 15 2014 newcerts  #刚刚签署完的证书
drwx------. 2 root root 4096 Oct 15 2014 private
[root@zz ~]# cd /etc/pki/CA/
[root@zz CA]# 
[root@zz CA]# touch index.txt    ***
[root@zz CA]# ll
total 16
drwxr-xr-x. 2 root root 4096 May 9 20:32 certs
drwxr-xr-x. 2 root root 4096 May 9 20:32 crl
-rw-r--r--. 1 root root 0 Jul 31 07:15 index.txt
drwxr-xr-x. 2 root root 4096 May 9 20:32 newcerts
drwx------. 2 root root 4096 May 9 20:32 private
[root@zz CA]# echo 01 > serial    ***
[root@zz CA]# ll
total 20
drwxr-xr-x. 2 root root 4096 May 9 20:32 certs
drwxr-xr-x. 2 root root 4096 May 9 20:32 crl
-rw-r--r--. 1 root root 0 Jul 31 07:15 index.txt
drwxr-xr-x. 2 root root 4096 May 9 20:32 newcerts
drwx------. 2 root root 4096 May 9 20:32 private
-rw-r--r--. 1 root root 3 Jul 31 07:15 serial
[root@zz CA]#
[root@zz CA]# (umask 077; openssl genrsa -out private/cakey.pem 2048 ) Generating RSA private key, 2048 bit long modulus...+++.................................+++e is 65537 (0x10001)[root@zz CA]# [root@zz CA]# ll -l private/total 4-rw-------. 1 root root 1675 Jul 31 07:24 cakey.pem
[root@zz CA]# cd /etc/pki/CA/[root@zz CA]# lscerts crl index.txt newcerts private serial[root@zz CA]# ls private/cakey.pem[root@zz CA]# [root@zz CA]# openssl req -new -x509 -key private/cakey.pem -days 7300 -out cacert.pemYou are about to be asked to enter information that will be incorporatedinto your certificate request.What you are about to enter is what is called a Distinguished Name or a DN.There are quite a few fields but you can leave some blankFor some fields there will be a default value,If you enter '.', the field will be left blank.-----Country Name (2 letter code) [XX]:CNState or Province Name (full name) []:BeijingLocality Name (eg, city) [Default City]:BeijingOrganization Name (eg, company) [Default Company Ltd]:MageEduOrganizational Unit Name (eg, section) []:OpsCommon Name (eg, your name or your server's hostname) []:ca.magedu.comEmail Address []:caadmin@magedu.com[root@zz CA]# lltotal 24-rw-r--r--. 1 root root 1424 Jul 31 07:36 cacert.pemdrwxr-xr-x. 2 root root 4096 May 9 20:32 certsdrwxr-xr-x. 2 root root 4096 May 9 20:32 crl-rw-r--r--. 1 root root 0 Jul 31 07:15 index.txtdrwxr-xr-x. 2 root root 4096 May 9 20:32 newcertsdrwx------. 2 root root 4096 Jul 31 07:24 private-rw-r--r--. 1 root root 3 Jul 31 07:15 serial[root@zz CA]#
[root@zz ~]# cd /etc/httpd/[root@zz httpd]# lsconf conf.d logs modules run[root@zz httpd]# [root@zz httpd]# mkdir ssl[root@zz httpd]# lltotal 12drwxr-xr-x. 2 root root 4096 Jun 17 13:42 confdrwxr-xr-x. 2 root root 4096 Jun 14 21:50 conf.dlrwxrwxrwx. 1 root root 19 Jun 14 21:09 logs -> ../../var/log/httpdlrwxrwxrwx. 1 root root 29 Jun 14 21:09 modules -> ../../usr/lib64/httpd/moduleslrwxrwxrwx. 1 root root 19 Jun 14 21:09 run -> ../../var/run/httpddrwxr-xr-x. 2 root root 4096 Jul 31 09:11 ssl[root@zz httpd]#
[root@zz ssl]# (umask 077; openssl genrsa -out httpd.key 2048)Generating RSA private key, 2048 bit long modulus...+++....+++e is 65537 (0x10001)[root@zz ssl]# lltotal 4-rw-------. 1 root root 1675 Jul 31 09:56 httpd.key[root@zz ssl]#
[root@qq tmp]# openssl req -new -key httpd.key -days 365 -out httpd.csrYou are about to be asked to enter information that will be incorporatedinto your certificate request.What you are about to enter is what is called a Distinguished Name or a DN.There are quite a few fields but you can leave some blankFor some fields there will be a default value,If you enter '.', the field will be left blank.-----Country Name (2 letter code) [XX]:CNState or Province Name (full name) []:Beijing Locality Name (eg, city) [Default City]:BeijingOrganization Name (eg, company) [Default Company Ltd]:MageEduOrganizational Unit Name (eg, section) []:OpsCommon Name (eg, your name or your server's hostname) []:www.magedu.comEmail Address []:webadmin@magedu.comPlease enter the following 'extra' attributesto be sent with your certificate requestA challenge password []:An optional company name []:[root@zz ssl]# lshttpd.csr httpd.key
[root@qq tmp]# scp httpd.csr root@10.201.106.128:/tmproot@10.201.106.128's password:
[root@zz CA]# openssl ca -in /tmp/httpd.csr -out certs/httpd.crt -days 365Using configuration from /etc/pki/tls/openssl.cnfCheck that the request matches the signatureSignature okCertificate Details: Serial Number: 1 (0x1) Validity Not Before: Jul 31 04:49:04 2016 GMT Not After : Jul 31 04:49:04 2017 GMT Subject: countryName = CN stateOrProvinceName = Beijing organizationName = MageEdu organizationalUnitName = Ops commonName = www.magedu.com emailAddress = webadmin@magedu.com X509v3 extensions: X509v3 Basic Constraints: CA:FALSE Netscape Comment: OpenSSL Generated Certificate X509v3 Subject Key Identifier: A3:AD:F4:55:D9:B5:74:AA:A8:9B:ED:0F:47:36:07:7B:8A:59:98:6D X509v3 Authority Key Identifier: keyid:0B:9F:56:6A:38:75:94:CD:B2:35:6E:FA:91:00:37:7C:3F:35:E5:39Certificate is to be certified until Jul 31 04:49:04 2017 GMT (365 days)Sign the certificate? [y/n]:y1 out of 1 certificate requests certified, commit? [y/n]yWrite out database with 1 new entriesData Base Updated[root@zz CA]# [root@zz CA]# ls /tmp/httpd.crt httpd.csr[root@zz CA]#
[root@zz CA]# cat index.txt
V 170731044904Z 01 unknown /C=CN/ST=Beijing/O=MageEdu/OU=Ops/CN=www.magedu.com/emailAddress=webadmin@magedu.com
[root@zz CA]# 
新生成的证书
[root@zz CA]# ls newcerts/
01.pem
[root@zz CA]# 
保存并重命名证书
[root@zz CA]# cp newcerts/01.pem certs/httpd.pem
[root@zz CA]# ls certs/
httpd.pem
[root@zz CA]#
[root@zz CA]# scp /tmp/httpd.crt root@10.201.106.129:/etc/httpdroot@10.201.106.129's password: httpd.crt 100% 4623 4.5KB/s 00:00 [root@zz CA]#
1、查看scp依赖的ssh的路径
[root@qq tmp]# rpm -ql openssh-clients
/etc/ssh/ssh_config
/usr/bin/.ssh.hmac
/usr/bin/scp
/usr/bin/sftp
/usr/bin/slogin
/usr/bin/ssh
/usr/bin/ssh-add
/usr/bin/ssh-agent
/usr/bin/ssh-copy-id
/usr/bin/ssh-keyscan
/usr/libexec/openssh/ssh-pkcs11-helper
/usr/share/man/man1/scp.1.gz
/usr/share/man/man1/sftp.1.gz
/usr/share/man/man1/slogin.1.gz
/usr/share/man/man1/ssh-add.1.gz
/usr/share/man/man1/ssh-agent.1.gz
/usr/share/man/man1/ssh-copy-id.1.gz
/usr/share/man/man1/ssh-keyscan.1.gz
/usr/share/man/man1/ssh.1.gz
/usr/share/man/man5/ssh_config.5.gz
2、复制文件
[root@qq tmp]# /usr/bin/scp /tmp/httpd.crt root@10.201.106.128:/tmp
[root@qq tmp]# openssl x509 -in httpd.crt -noout -textCertificate: Data: Version: 3 (0x2) Serial Number: 1 (0x1) Signature Algorithm: sha1WithRSAEncryption Issuer: C=CN, ST=Beijing, L=Beijing, O=MageEdu, OU=Ops, CN=ca.magedu.com/emailAddress=caadmin@magedu.com Validity Not Before: Jul 31 04:49:04 2016 GMT Not After : Jul 31 04:49:04 2017 GMT Subject: C=CN, ST=Beijing, O=MageEdu, OU=Ops, CN=www.magedu.com/emailAddress=webadmin@magedu.com Subject Public Key Info: Public Key Algorithm: rsaEncryption Public-Key: (2048 bit) Modulus: 00:d9:e8:0c:6e:a8:c1:92:48:7a:0e:78:f9:a8:84: 43:99:04:22:8d:04:c7:e1:28:b3:69:0f:aa:ae:4d: 7e:78:7d:31:72:3a:63:42:da:52:00:76:04:26:e1: 45:d3:e4:cc:9e:18:20:a6:4a:8a:98:cd:b0:09:15: da:32:b6:fc:b0:54:02:c3:17:df:8a:aa:36:89:34: e4:79:d4:ac:e9:df:9f:ef:a4:12:fd:98:ba:0d:cd: a2:00:76:df:d3:1f:80:1b:1d:bc:84:5c:b1:12:d9: 10:df:ad:a1:9b:fe:06:46:b3:0d:b3:22:81:f8:e0: 73:87:fc:da:99:6f:ea:54:bb:73:3a:1c:a1:db:45: ec:ad:8a:52:6f:65:70:66:ad:f1:99:a0:4c:6d:4c: 91:24:47:41:81:da:dd:22:99:d9:0f:f2:9f:00:a2: f4:47:46:5b:f9:12:31:e6:2e:9a:8c:1c:f4:28:51: 2f:4f:0f:e3:aa:01:3a:bf:04:65:11:9c:ee:b1:68: 01:c0:3a:28:53:10:40:60:85:92:25:02:a9:8f:a1: da:b7:fb:53:4f:bc:00:88:18:21:e7:ec:f6:5f:27: b2:b1:20:56:59:1d:21:6f:cc:54:d7:ae:30:ce:74: d4:ad:1a:7b:86:34:62:47:8b:ba:3e:14:ac:f1:7f: 90:bf Exponent: 65537 (0x10001) X509v3 extensions: X509v3 Basic Constraints: CA:FALSE Netscape Comment: OpenSSL Generated Certificate X509v3 Subject Key Identifier: A3:AD:F4:55:D9:B5:74:AA:A8:9B:ED:0F:47:36:07:7B:8A:59:98:6D X509v3 Authority Key Identifier: keyid:0B:9F:56:6A:38:75:94:CD:B2:35:6E:FA:91:00:37:7C:3F:35:E5:39 Signature Algorithm: sha1WithRSAEncryption 35:71:e3:df:25:3a:b9:cd:21:74:15:a0:52:4c:fc:7f:98:8f: 71:3f:69:a7:1b:21:4b:47:bc:b0:65:27:4d:95:4d:fd:6f:85: 36:00:f4:ce:88:ab:6e:a9:20:d0:e7:69:81:76:1f:d2:bf:ac: 3f:58:f6:7f:86:3f:89:82:c9:44:fe:eb:bd:33:1d:27:87:04: 85:c0:c2:a9:4e:01:d5:7f:a9:4a:ac:20:b0:c7:69:11:4b:02: 
f7:7f:36:01:a4:88:32:01:b9:1c:0d:a3:31:51:f8:15:8b:f8: 6c:9c:ea:88:d2:6e:a5:96:11:ca:83:5a:95:e8:81:5c:4f:e8: 22:2c:35:5f:4b:a5:e8:c3:4a:f1:ad:98:7f:13:14:8d:04:69: 74:2c:77:b0:14:93:24:fa:40:95:ca:4c:b4:ef:d1:13:22:25: d3:d2:d5:e2:75:9a:50:eb:11:f6:90:94:ca:06:28:03:c4:ab: 3a:6b:68:22:bc:4d:ed:e2:d5:3f:61:70:1f:1b:37:df:31:81: 8a:be:3d:9b:11:92:af:7c:51:f3:1b:00:81:c5:4b:d3:30:30: 1b:6f:47:c7:02:2a:f2:1b:84:8c:be:63:05:ce:b0:3c:51:20: 8a:aa:a1:bf:a4:6f:63:41:16:63:0c:d2:39:45:88:77:cd:15: be:33:c4:f1[root@qq tmp]# [root@qq tmp]# [root@qq tmp]# openssl x509 -in httpd.crt -noout -subjectsubject= /C=CN/ST=Beijing/O=MageEdu/OU=Ops/CN=www.magedu.com/emailAddress=webadmin@magedu.com[root@qq tmp]# [root@qq tmp]# [root@qq tmp]# [root@qq tmp]# openssl x509 -in httpd.crt -noout -serialserial=01[root@qq tmp]#
转载于:https://blog.51cto.com/zhongle21/2091437