1. Test whether the UID is greater than or equal to 500; if true, print "normal user" (普通用户), otherwise print "system or admin user" (系统或管理用户).
[root@centos6 ssl]#awk -F : '{$3>=500?usertype="普通用户":usertype="系统或管理用户";print $1,"是",usertype}' /etc/passwd
root 是 系统或管理用户
bin 是 系统或管理用户
daemon 是 系统或管理用户
adm 是 系统或管理用户
lp 是 系统或管理用户
sync 是 系统或管理用户
shutdown 是 系统或管理用户
halt 是 系统或管理用户
mail 是 系统或管理用户
jack 是 普通用户
2. Display the users whose UID is odd.
[root@centos6 ssl]#awk -F: '{if($3%2!=0) {print $1,$3}}' /etc/passwd
[root@centos6 ssl]#awk -F: '{if($3%2>0) {print $1,$3}}' /etc/passwd
bin 1
adm 3
sync 5
halt 7
operator 11
gopher 13
nobody 99
dbus 81
usbmuxd 113
rtkit 499
3. Count the number of requests per client IP in the web server access log.
[root@centos6 httpd]#awk '{ip[$1]++}END{for(i in ip){print i,ip[i]}}' /var/log/httpd/access_log
192.168.38.1 4
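The three one-liners above, as an added example that is not part of the original post: each is wrapped in a shell function and run over constructed sample data (a made-up passwd excerpt and four made-up access-log lines) so that it works offline without `/etc/passwd` or an httpd log. The `classify_users` threshold argument and the `ips_over_threshold` helper are additions for the demonstration; the awk ternary uses the parenthesised form, which is portable to every awk, while the assignment-in-both-branches form on the page relies on gawk.

```shell
#!/bin/sh
# Added example, not from the original post: the three awk one-liners above,
# wrapped in functions and run over constructed sample data so that they work
# offline without /etc/passwd or an httpd log. Both data sets are made up.

SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
rtkit:x:499:497:RealtimeKit:/proc:/sbin/nologin
jack:x:500:500::/home/jack:/bin/bash
alice:x:501:501::/home/alice:/bin/bash'

SAMPLE_ACCESS_LOG='192.168.38.1 - - [07/Jul/2019:11:00:01 +0800] "GET / HTTP/1.1" 200 612
192.168.38.1 - - [07/Jul/2019:11:00:02 +0800] "GET /favicon.ico HTTP/1.1" 404 209
10.0.0.7 - - [07/Jul/2019:11:00:05 +0800] "GET /login HTTP/1.1" 200 1024
192.168.38.1 - - [07/Jul/2019:11:00:09 +0800] "POST /login HTTP/1.1" 302 0'

# 1. Classify each account by UID. 500 is the first normal-user UID on
#    CentOS 6; CentOS 7 and newer distributions start at 1000, so the
#    threshold is taken from $1 instead of being hard-coded.
classify_users() {
    printf '%s\n' "$SAMPLE_PASSWD" | awk -F: -v min="${1:-500}" '
        { type = ($3 >= min) ? "normal user" : "system or admin user"
          print $1, "is", type }'
}

# 2. Accounts whose UID is odd (a pattern-action form needs no if/print block).
odd_uid_users() {
    printf '%s\n' "$SAMPLE_PASSWD" | awk -F: '$3 % 2 != 0 { print $1, $3 }'
}

# 3. Requests per client IP. for (i in ip) walks the array in no defined
#    order, so the result is sorted (busiest first) to get a stable listing.
count_ips() {
    printf '%s\n' "$SAMPLE_ACCESS_LOG" |
        awk '{ ip[$1]++ } END { for (i in ip) print i, ip[i] }' | sort -k2,2nr
}

# Clients above a request threshold ($1): the first thing an operator looks
# at when a log suggests scraping or password guessing against /login.
ips_over_threshold() {
    count_ips | awk -v max="$1" '$2 > max { print $1 }'
}

classify_users
odd_uid_users
count_ips
ips_over_threshold 2
```

Run as-is to print all four listings; pass `1000` to `classify_users` when reading a CentOS 7 passwd file.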
4. Summarise the types of encryption and the encryption/decryption process.
1. Symmetric encryption
Symmetric encryption: the same key is used for encryption and decryption
DES: Data Encryption Standard, 56-bit key
3DES
AES: Advanced Encryption Standard (128-, 192- or 256-bit key)
Blowfish, Twofish
IDEA, RC6, CAST5
Characteristics:
1. Encryption and decryption use the same key, so it is fast
2. The plaintext is split into fixed-size blocks that are encrypted one at a time
Drawbacks:
1. Too many keys to manage
2. Key distribution
3. The origin of the data cannot be verified
2. Public-key encryption (asymmetric algorithms)
Public-key encryption: keys come in pairs
Public key: published to everyone; public key
Private key: kept by the owner, who must keep it secret; secret key
Property: data encrypted with the public key can only be decrypted with the matching private key, and vice versa
Functions:
Digital signature: mainly lets the receiver confirm the sender's identity
Symmetric key exchange: the sender encrypts a symmetric key with the other party's public key and sends it to them
Data encryption: suitable only for small amounts of data
Drawback: long keys, and encryption/decryption is slow
Algorithms:
RSA (encryption, digital signatures)
DSA (digital signatures)
ElGamal
Asymmetric encryption
Based on a public/private key pair
Encrypt with one key of the pair, decrypt with the other
Encryption:
Receiver
Generates a key pair: P (public) and S (secret)
Publishes the public key P and keeps the secret key S private
Sender
Encrypts message M with the receiver's public key
Sends P(M) to the receiver
Receiver
Decrypts with the secret key S: M = S(P(M))
Digital signature:
Sender
Generates a key pair: P and S
Publishes the public key P and keeps the secret key S private
Encrypts (signs) message M with the secret key S
Sends S(M) to the receiver
Receiver
Decrypts with the sender's public key: M = P(S(M))
Combining signature and encryption
Detached signature
3. One-way encryption (one-way hashing)
Reduces data of any size to a fixed-size "fingerprint"
Input of any length
Fixed-length output
If the data is modified, the fingerprint changes (in practice, "no collisions")
The data cannot be reconstructed from the fingerprint ("one-way")
Purpose: data integrity
Common algorithms
md5: 128 bits; sha1: 160 bits; sha224, sha256, sha384, sha512
Common tools
md5sum | sha1sum [ --check ] file
openssl、gpg
rpm -V
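The signature flow of section 2 (sign with S, check with P, so that M = P(S(M))) and the fingerprint property of section 3, as one added example that is not code from the original post. It assumes the `openssl` binary is on the path and that `mktemp -d` is available; the file names, the two constructed messages and the `run_demo` wrapper are made up for the demonstration. Note that `openssl dgst -sign` signs a SHA-256 digest of the file rather than the raw message, which is how RSA signatures are used in practice and is the same `sha256WithRSAEncryption` scheme that appears on the certificates later in the post.

```shell
#!/bin/sh
# Added example, not from the original post: the public-key and one-way hash
# material above exercised with the openssl CLI in a throwaway directory.
# Sign with the private key S, verify with the public key P (M = P(S(M))),
# then hash a message before and after a one-byte edit to see the
# "fingerprint" change. The messages are constructed for the demonstration.

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Key pair: the sender keeps sender.key (S) and publishes sender.pub (P).
setup_keys() {
    (umask 077; openssl genrsa -out "$WORK/sender.key" 2048 2>/dev/null)
    openssl rsa -in "$WORK/sender.key" -pubout -out "$WORK/sender.pub" 2>/dev/null
}

# Sign file $1 with S, then verify that signature with P against file $2.
# Prints OK when $2 is exactly what was signed, BAD otherwise.
sign_and_verify() {
    openssl dgst -sha256 -sign "$WORK/sender.key" -out "$WORK/msg.sig" "$1"
    if openssl dgst -sha256 -verify "$WORK/sender.pub" -signature "$WORK/msg.sig" "$2" >/dev/null 2>&1
    then echo OK; else echo BAD; fi
}

# Fixed-length fingerprint (hex SHA-256) of a file of any length.
fingerprint() {
    openssl dgst -sha256 "$1" | awk '{ print $NF }'
}

run_demo() {
    setup_keys
    printf 'pay 100 to account 42\n' > "$WORK/msg.txt"
    printf 'pay 900 to account 42\n' > "$WORK/msg_tampered.txt"   # one byte changed
    genuine=$(sign_and_verify "$WORK/msg.txt" "$WORK/msg.txt")
    tampered=$(sign_and_verify "$WORK/msg.txt" "$WORK/msg_tampered.txt")
    if [ "$(fingerprint "$WORK/msg.txt")" = "$(fingerprint "$WORK/msg_tampered.txt")" ]
    then changed=no; else changed=yes; fi
    echo "genuine=$genuine tampered=$tampered fingerprint_changed=$changed"
}

run_demo
```

The genuine message verifies, the tampered copy fails against the same signature, and the two fingerprints differ even though only one character changed: that is the integrity property the tools above (`sha1sum --check`, `rpm -V`) rely on.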
4. Authentication protocols
SSL: Secure Socket Layer; TLS: Transport Layer Security
1995: SSL 2.0, Netscape
1996: SSL 3.0
1999: TLS 1.0
2006: TLS 1.1, IETF (Internet Engineering Task Force) RFC 4346
2008: TLS 1.2, in current use
2015: TLS 1.3
Functions: confidentiality, authentication, integrity, replay protection
A two-phase protocol, split into a handshake phase and an application phase
Handshake phase (negotiation): the client and server authenticate each other (relying on the PKI, using digital certificates for identity) and negotiate the security parameters, cipher suite and master secret for the session. Every key used in the subsequent communication is derived from the MasterSecret.
Application phase: entered once the handshake completes; both parties then communicate securely using the keys negotiated during the handshake
5. Build a private CA and issue a certificate
1. Review the settings in /etc/pki/tls/openssl.cnf
match: the value in the request must be identical to the CA's value
optional: may be present or absent, and need not match the CA's value
supplied: must be provided in the request
####################################################################
[ ca ]
default_ca = CA_default # The default ca section
####################################################################
[ CA_default ]
dir = /etc/pki/CA # Where everything is kept
certs = $dir/certs # Where the issued certs are kept
crl_dir = $dir/crl # Where the issued crl are kept
database = $dir/index.txt # database index file.
#unique_subject = no # Set to 'no' to allow creation of
# several ctificates with same subject.
new_certs_dir = $dir/newcerts # default place for new certs.
certificate = $dir/cacert.pem # The CA certificate
serial = $dir/serial # The current serial number
crlnumber = $dir/crlnumber # the current crl number
# must be commented out to leave a V1 CRL
crl = $dir/crl.pem # The current CRL
private_key = $dir/private/cakey.pem# The private key
RANDFILE = $dir/private/.rand # private random number file
x509_extensions = usr_cert # The extentions to add to the cert
2. On the CA host, generate the private key of the private CA
[root@centos7 CA]#pwd
/etc/pki/CA
[root@centos7 CA]#tree
.
├── certs
├── crl
├── newcerts
└── private
4 directories, 0 files
[root@centos7 CA]#( umask 077;openssl genrsa -out /etc/pki/CA/private/cakey.pem 2048 )
Generating RSA private key, 2048 bit long modulus
......+++
.......+++
e is 65537 (0x10001)
[root@centos7 CA]#tree
.
├── certs
├── crl
├── newcerts
└── private
└── cakey.pem
4 directories, 1 file
[root@centos7 CA]#ll private/
total 4
-rw------- 1 root root 1679 Jul 7 20:23 cakey.pem
3. On the CA host, generate the self-signed CA certificate
[root@centos7 CA]#openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 3650
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:beijing
Locality Name (eg, city) [Default City]:beijing
Organization Name (eg, company) [Default Company Ltd]:jack
Organizational Unit Name (eg, section) []:devops
Common Name (eg, your name or your server's hostname) []:ca.jack.com
Email Address []:
[root@centos7 CA]#tree
.
├── cacert.pem
├── certs
├── crl
├── newcerts
└── private
└── cakey.pem
4 directories, 2 files
4. On the CA host, create the two required files: index.txt (records the serial numbers issued) and serial (the next serial number, in hexadecimal)
[root@centos7 CA]#touch index.txt
[root@centos7 CA]#echo 0F > serial
[root@centos7 CA]#cat serial
0F
On the CentOS 6 client, create the private key for the certificate
[root@centos6 ssl]#pwd
/data/ssl
[root@centos6 ssl]#ls
[root@centos6 ssl]#( umask 066;openssl genrsa -out app.key 1024)
Generating RSA private key, 1024 bit long modulus
....................++++++
......++++++
e is 65537 (0x10001)
[root@centos6 ssl]#ll
total 4
-rw------- 1 root root 891 Jul 7 11:15 app.key
5. On the requesting host, generate the certificate signing request
[root@centos6 ssl]#openssl req -new -key app.key -out app.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:beijing
Locality Name (eg, city) [Default City]:beijing
Organization Name (eg, company) [Default Company Ltd]:jack
Organizational Unit Name (eg, section) []:devops
Common Name (eg, your name or your server's hostname) []:*.jack.com
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
[root@centos6 ssl]#ll
total 8
-rw-r--r-- 1 root root 655 Jul 7 11:23 app.csr
-rw------- 1 root root 891 Jul 7 11:15 app.key
6. The requesting host sends the CSR to the CA host for review
[root@centos6 ssl]#scp app.csr 192.168.38.101:/etc/pki/CA
The authenticity of host '192.168.38.101 (192.168.38.101)' can't be established.
RSA key fingerprint is 58:e6:c2:90:1c:3e:62:cf:52:3b:0e:49:95:c3:f4:8f.
Are you sure you want to continue connecting (yes/no)? y
Please type 'yes' or 'no': yes
Warning: Permanently added '192.168.38.101' (RSA) to the list of known hosts.
root@192.168.38.101's password:
app.csr 100% 655 0.6KB/s 00:00
[root@centos7 CA]#ll
total 8
-rw-r--r-- 1 root root 655 Jul 7 20:45 app.csr
-rw-r--r-- 1 root root 1330 Jul 7 20:30 cacert.pem
drwxr-xr-x. 2 root root 6 Oct 31 2018 certs
drwxr-xr-x. 2 root root 6 Oct 31 2018 crl
drwxr-xr-x. 2 root root 6 Oct 31 2018 newcerts
drwx------. 2 root root 23 Jul 7 20:23 private
7. The CA host reviews the request and issues the certificate
[root@centos7 CA]#openssl ca -in app.csr -out /etc/pki/CA/certs/app.crt -days 1000
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 15 (0xf)
Validity
Not Before: Jul 7 12:52:54 2019 GMT
Not After : Apr 2 12:52:54 2022 GMT
Subject:
countryName = CN
stateOrProvinceName = beijing
organizationName = jack
organizationalUnitName = devops
commonName = *.jack.com
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
F1:4A:B7:EC:E3:89:E7:EB:B9:70:CE:F2:40:5E:8A:BE:35:ED:E2:2C
X509v3 Authority Key Identifier:
keyid:16:94:CC:1B:9B:06:6C:D1:EF:29:F4:E4:41:8C:3C:87:B0:F9:90:53
Certificate is to be certified until Apr 2 12:52:54 2022 GMT (1000 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
8. Copy the issued certificate to the requesting host
[root@centos7 CA]#scp certs/app.crt 192.168.38.100:/data/ssl
The authenticity of host '192.168.38.100 (192.168.38.100)' can't be established.
RSA key fingerprint is SHA256:DGmFlKwx6nrdJVNKxEo4LCTsTC3cKyfJDKNb/jyNSvg.
RSA key fingerprint is MD5:35:2f:7f:c5:ec:9f:f3:ab:f5:ca:4d:16:c6:95:9f:70.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.38.100' (RSA) to the list of known hosts.
root@192.168.38.100's password:
app.crt 100% 3716 968.4KB/s 00:00
9. View the received certificate on the requesting host
[root@centos6 ssl]#ll
total 12
-rw-r--r-- 1 root root 3716 Jul 7 11:48 app.crt
-rw-r--r-- 1 root root 655 Jul 7 11:23 app.csr
-rw------- 1 root root 891 Jul 7 11:15 app.key
[root@centos6 ssl]#openssl x509 -in app.crt -noout -text
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 15 (0xf)
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=CN, ST=beijing, L=beijing, O=jack, OU=devops, CN=ca.jack.com
Validity
Not Before: Jul 7 12:52:54 2019 GMT
Not After : Apr 2 12:52:54 2022 GMT
Subject: C=CN, ST=beijing, O=jack, OU=devops, CN=*.jack.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (1024 bit)
Modulus:
00:b5:62:63:06:87:54:a9:71:8f:e0:b2:d1:cb:e4:
84:5d:9a:1e:8c:4e:e1:43:3b:52:d5:16:00:0a:18:
53:1b:8e:3b:ae:36:55:de:fc:0b:2c:3a:ad:e1:a6:
b9:97:ff:25:0a:b9:6f:1b:5d:29:57:1b:e5:e9:91:
51:42:23:95:69:b6:bf:21:1b:be:5d:d7:bd:2d:e2:
f1:b0:b6:d0:a0:4e:39:26:bb:3d:d4:c1:34:a0:07:
1a:5b:5d:98:11:ad:08:c3:61:f1:9a:fe:0a:0f:d7:
7f:4d:71:b1:5b:de:24:62:59:0f:b2:2a:73:0e:75:
c5:bf:d5:d0:32:b4:10:1b:b7
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
F1:4A:B7:EC:E3:89:E7:EB:B9:70:CE:F2:40:5E:8A:BE:35:ED:E2:2C
X509v3 Authority Key Identifier:
keyid:16:94:CC:1B:9B:06:6C:D1:EF:29:F4:E4:41:8C:3C:87:B0:F9:90:53
Signature Algorithm: sha256WithRSAEncryption
b7:e6:ee:2e:bb:fc:e6:74:55:71:44:d9:f2:67:e7:52:02:17:
13:8d:87:f0:26:a4:73:eb:bd:66:5c:a3:ab:14:05:d8:71:68:
04:65:b0:65:cc:d8:9d:10:76:56:9a:77:42:91:e8:6b:cf:cb:
67:09:90:ac:67:f9:c7:a3:94:40:4b:50:81:d1:e8:4f:a4:1f:
c1:b8:c5:52:82:3e:83:0c:23:4e:3c:4f:83:1a:2c:24:7a:ab:
77:ca:ba:da:98:16:e2:fa:eb:ae:b5:11:77:2e:5a:33:37:0b:
e5:b8:ed:b8:e2:bd:f7:a8:61:6c:09:d6:3d:eb:3d:b8:fc:58:
c5:35:53:08:a0:11:2c:78:5e:75:76:3e:77:66:20:95:b7:68:
cb:a4:b0:e4:4c:70:d6:5e:ac:90:15:96:2f:b7:ca:de:43:c8:
cd:49:fa:92:a5:72:35:c3:7a:32:c6:88:fc:6a:a0:49:d4:f5:
7c:58:31:7a:a2:6b:17:45:68:0e:9a:0a:51:52:b8:2f:c3:10:
67:73:83:0a:31:b5:23:53:fe:32:06:4a:f2:fd:66:a8:2c:92:
dc:8a:9d:f7:3e:71:5f:01:21:af:21:ed:70:3b:4c:23:db:11:
88:bd:73:46:25:a3:0f:ef:6c:ea:9e:76:20:ab:af:4a:ec:40:
51:b3:05:9b
Files generated on the CA host during the process
[root@centos7 CA]#tree
.
├── app.csr
├── cacert.pem
├── certs
├── crl
├── index.txt
├── newcerts
├── private
│ └── cakey.pem
└── serial
4 directories, 6 files
[root@centos7 CA]#ll certs/app.crt
-rw-r--r-- 1 root root 0 Jul 7 20:52 certs/app.crt
[root@centos7 CA]#ll certs/app.crt
-rw-r--r-- 1 root root 3716 Jul 7 20:54 certs/app.crt
[root@centos7 CA]#tree
.
├── app.csr
├── cacert.pem
├── certs
│ └── app.crt
├── crl
├── index.txt
├── index.txt.attr
├── index.txt.old
├── newcerts
│ └── 0F.pem
├── private
│ └── cakey.pem
├── serial
└── serial.old
4 directories, 10 files
[root@centos7 CA]#ll certs/app.crt newcerts/0F.pem
-rw-r--r-- 1 root root 3716 Jul 7 20:54 certs/app.crt
-rw-r--r-- 1 root root 3716 Jul 7 20:54 newcerts/0F.pem
[root@centos7 CA]#diff certs/app.crt newcerts/0F.pem
On the CA host, view the generated database entry: V means valid, R means revoked
[root@centos7 CA]#cat index.txt
V 220402125254Z 0F unknown /C=CN/ST=beijing/O=jack/OU=devops/CN=*.jack.com
The next certificate serial number has been incremented automatically (in hexadecimal)
[root@centos7 CA]#cat serial
10
[root@centos7 CA]#cat serial.old
0F
Each submitted request must have a distinct subject, which prevents issuing a duplicate certificate
[root@centos7 CA]#cat index.txt.attr
unique_subject = yes
Summary
1. Build the private CA on the server
( umask 077;openssl genrsa -out /etc/pki/CA/private/cakey.pem 2048)
openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 3650
touch index.txt
echo 00 > serial
2. Request a certificate on the client
(umask 066;openssl genrsa -out app.key 1024)
openssl req -new -key app.key -out app.csr
scp app.csr <server IP>:/etc/pki/CA/
3. Issue the certificate on the server
openssl ca -in app.csr -out /etc/pki/CA/certs/app.crt -days 1000
scp /etc/pki/CA/certs/app.crt <client>:
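The three summary steps above run end to end, as an added example that is not code from the original post. It assumes `openssl` and `mktemp` are on the path; `$CA` is a temporary directory standing in for /etc/pki/CA on the CA host, `$CLIENT` stands in for /data/ssl on the requesting host, and `cp` replaces the two scp steps. The config it writes is a trimmed stand-in for /etc/pki/tls/openssl.cnf with the same policy_match section; everything else (the `-subj` values mirroring the DNs typed in the post, the subjectAltName on the CSR, the `run_demo` wrapper) is constructed for the demonstration. It goes one step past the post by checking the result with `openssl verify`.

```shell
#!/bin/sh
# Added example, not from the original post: the summary above run end to end
# with non-interactive openssl commands in two throwaway directories ($CA
# stands in for /etc/pki/CA on the CA host, $CLIENT for /data/ssl on the
# requesting host; cp replaces scp). The config written below is a trimmed
# stand-in for /etc/pki/tls/openssl.cnf using the same policy_match section.
set -u
CA=$(mktemp -d)
CLIENT=$(mktemp -d)
trap 'rm -rf "$CA" "$CLIENT"' EXIT

write_ca_config() {
    mkdir -p "$CA/certs" "$CA/crl" "$CA/newcerts" "$CA/private"
    : > "$CA/index.txt"          # issued-cert database: V = valid, R = revoked
    echo 0F > "$CA/serial"       # next serial number, hexadecimal
    cat > "$CA/openssl.cnf" <<EOF
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = $CA
certs = \$dir/certs
new_certs_dir = \$dir/newcerts
database = \$dir/index.txt
serial = \$dir/serial
certificate = \$dir/cacert.pem
private_key = \$dir/private/cakey.pem
default_md = sha256
default_days = 1000
policy = policy_match
x509_extensions = usr_cert
unique_subject = yes
# copy the CSR's subjectAltName; safe only because usr_cert below pins
# basicConstraints, so a request cannot smuggle in CA:TRUE
copy_extensions = copy
[ policy_match ]
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
[ usr_cert ]
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[ req ]
distinguished_name = req_dn
[ req_dn ]
EOF
}

# Step 1 (CA host): private key, then a self-signed CA certificate.
build_ca() {
    write_ca_config
    (umask 077; openssl genrsa -out "$CA/private/cakey.pem" 2048 2>/dev/null)
    openssl req -new -x509 -config "$CA/openssl.cnf" -extensions v3_ca -days 3650 \
        -key "$CA/private/cakey.pem" -out "$CA/cacert.pem" \
        -subj "/C=CN/ST=beijing/L=beijing/O=jack/OU=devops/CN=ca.jack.com"
}

# Step 2 (client): key and CSR. The SAN is added because modern clients
# ignore a host name that appears only in the CN.
make_csr() {
    printf '[ req ]\ndistinguished_name = req_dn\nreq_extensions = req_ext\n[ req_dn ]\n[ req_ext ]\nsubjectAltName = DNS:*.jack.com\n' > "$CLIENT/req.cnf"
    (umask 066; openssl genrsa -out "$CLIENT/app.key" 2048 2>/dev/null)
    openssl req -new -config "$CLIENT/req.cnf" -key "$CLIENT/app.key" -out "$CLIENT/app.csr" \
        -subj "/C=CN/ST=beijing/L=beijing/O=jack/OU=devops/CN=*.jack.com"
    cp "$CLIENT/app.csr" "$CA/app.csr"
}

# Step 3 (CA host): sign the request, then hand the certificate back.
issue_cert() {
    openssl ca -batch -config "$CA/openssl.cnf" -in "$CA/app.csr" \
        -out "$CA/certs/app.crt" -days 1000 2>/dev/null
    cp "$CA/certs/app.crt" "$CLIENT/app.crt"
}

# Prints OK when app.crt chains to cacert.pem, FAIL otherwise.
verify_cert() {
    if openssl verify -CAfile "$CA/cacert.pem" "$CLIENT/app.crt" >/dev/null 2>&1
    then echo OK; else echo FAIL; fi
}

index_status() { awk '$3 == "0F" { print $1 }' "$CA/index.txt"; }  # V or R
next_serial()  { cat "$CA/serial"; }

run_demo() {
    build_ca && make_csr && issue_cert >/dev/null || { echo "setup failed"; return 1; }
    echo "verify=$(verify_cert) index=$(index_status) next_serial=$(next_serial)"
}

run_demo
```

Expected output is `verify=OK index=V next_serial=10`, matching the index.txt entry and the serial increment shown on the CA host above. Two details of the post's output are explained by the config: the issued subject loses `L=beijing` because policy_match lists no localityName entry, so `openssl ca` drops that field, and app.crt is 3716 bytes because `openssl ca` writes the human-readable text dump ahead of the PEM block unless `-notext` is given.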