1、需求
希望能实现自动化的、参数可配置的,批量的对指定目录和文件服务器进行文件传输功能,用FTP+SSL加密实现。设计用shell脚本实现,但是标准的Linux FTP客户端是不支持FTPS连接的,脚本中ftps命令是无效的。
2、SurgeFTP
它首先是一个FTP服务器,能实现更精细化的管理服务器,并提供远程Web管理支持。其中SSLFTP客户端是它的组件之一,可以实现ftps命令连接FTPS服务。官方文档:
What FTP client can I use with SSL/TLS
SurgeFTP is distributed with SSLFTP, a simple command line client very similar to the standard UNIX/DOS 'FTP' client. e.g.
c:> sslftp my.server
Username: xxx
Password: yyy
sslftp> dir
sslftp> get important.dat
sslftp> quit
This same client is available for multiple platforms.
There are also many SSL gui clients now available, 'smartftp' is one good example, see http://www.smartftp.com/
After installing SurgeFTP the SSLFTP, install script is left in the main SurgeFTP directory, sslftp_install.exe. You can distribute this to any systems that need to install the SSLFTP client, as it is a self extracting archive to install the command line utility.
There is no fee charged for the use of SSLFTP, it is freely distributable.
Please note: SSLFTP is only currently licensed for use with SurgeFTP servers, but it will work with any in a pinch. This means that we will fix any bug with SSLFTP if it cannot talk with SurgeFTP. We cannot gaurantee that we can fix problems with it not talking to other FTP servers.
(Note2: sslftp.exe was originally called sftp.exe. It was re-named to avoid conflicts)
重点SSLFTP是免费的支持FTPS命令连接,下载链接: SurgeFTP. 文档链接: manual.
下载之后就是一个surgeftp_23f2_linux64.tar.gz文件,解压安装,并创建秘钥对,连接测试。
#解压文件到当前目录
tar -xzvf surgeftp_23f2_linux64.tar.gz
##切换到解压的目标文件夹下
./install.sh
#创建文件,创建秘钥对时用的
touch random.data
#创建秘钥对,生成证书请求,命令后输入名称
#回答所有问题,然后输入密码
#生成密钥时需要输入多次密码确认
./surgeftp_ca.sh YOUR.SERVER.NAME
我的名称是vmclient,除了我们random.data文件,剩余的都是sh脚本生成的,我们来看sh脚本里的代码
if test $1
then
echo ""
else
echo ""
echo " usage: surgeftp_ca.sh server-name cert-bits"
echo ""
echo " server-name is DNS name of server."
echo " cert-bits is number of bits for certificate, e.g. 128, 256, ... 2048"
echo ""
echo " output files:"
echo " server-name.key - your key generated from random.data"
echo " server-name.de.key - your key with pass code removed"
echo " server-name.csr - send this file only to certificate authority to order real CA certificate"
echo " surge_priv.pem - self signed & ready to use certificates for surgeftp"
echo " surge_cert.pem - self signed & ready to use certificates for surgeftp"
fi
if test -f random.data
then
echo Generate the Key from random data
openssl genrsa -des3 -rand random.data -out $1.key $2
echo Generate Certificate Request
openssl req -config ./openssl.cnf -new -key $1.key -out $1.csr
echo Generate a temporary self-signed Certificate
openssl x509 -req -days 365 -in $1.csr -signkey $1.key -out $1.crt
echo remove passcode encryption, SurgeFTP does not currently have option for decoding this
openssl rsa -in $1.key -out $1.de.key
echo create self signed key and certificate for SurgeFTP.
cp $1.de.key surge_priv.pem
cp $1.crt surge_cert.pem
else
echo Please create a file called random.data that has random
echo information in it, at least 2MB uncompressed or 50KB compressed,
echo it can be anything! but must be unique data.
echo We recomend creating large bitmap file with Paint program
echo maybe start with existing picture, draw lots of scriggles
echo on it in different colors, save it as random.png,
echo compress it with pkzip or arj or compress
echo or ace or any compresser you have.
echo then save final file as random.data
echo and then rerun surgeftp_ca.sh
fi
这里我们就明白了为什么要创建random.data文件了,也可以知道创建了哪些文件和声明含义。
3、服务器认证,连接测试
我们将csr证书请求,复制到服务器中,结合秘钥生成二级证书,添加到服务器信任库中,重启ApacheFTPServer,一定要重启!将我们刚刚添加的证书文件,读取到服务器中。
Usage: sslftp [options] [site.name]
Options:
-d Print debug information
-version Print version number
-i Don't prompt for confirmations (Default)
-nossl Don't attempt to use SSL encryption
-n Disable auto login from /root/.netrc file
-a Anonymous login
-asksave Ask if you want to save login details
-implicit_port n Sets and activates Implicit ftp port
-TLSv1 use TLSv1 protocol only
-SSLv2 use SSLv2 protocol only
-SSLv3 use SSLv3 protocol only
-s:file Run commands in stored file
-script file Run commands in stored file
-run file Run commands in stored file
-record file Record ftp commands in a file suitable for -run switch
-randomize Seed the pseudo random number generator
-cert file Use specified client certificate file (in .pem format)
-key file Use specified client private key file (in .pem format)
-pass password Optionally specify password for client private key file
-netrc netrc.txt Specify path to file to store/retrieve usernames and passwords
上面是sslftp命令帮助信息作参考
sslftp 192.168.1.223 -implicit_port 21 -key surge_priv.pem -cert surge_cert.pem -pass 123456
Connected to 192.168.1.223
starting SSL/TLS
sslinit 3
Using certificate & key from "surge_cert.pem" & "surge_priv.pem"
Negotiated secure protocol TLSv1.2, using an AESGCM cipher.
220 Service ready for new user.
200 Command PBSZ okay.
200 Command PROT okay.
(secure) User: admin
331 User name okay, need password for admin.
(secure) Password: *****
230 User logged in, proceed.
Type in "save" to save login details to /root/.netrc
到这里连接成功。
4、抓包测试,是否加密
#服务器安装抓包工具
yum install -y tcpdump
#查看当前使用的网卡
ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: enp0s3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
link/ether 08:00:27:ac:7b:2e brd ff:ff:ff:ff:ff:ff
inet 192.168.1.175/24 brd 192.168.1.255 scope global noprefixroute dynamic enp0s3
valid_lft 5686sec preferred_lft 5686sec
inet6 fe80::a00:27ff:feac:7b2e/64 scope link noprefixroute
valid_lft forever preferred_lft forever
#执行抓包
tcpdump -i enp0s3 -w /home/weatherservice.cap
下面是抓包的信息信息,可以用wireshark打开文件
加密成功,大功告成!
4511
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
