1、创建私有CA并进行证书申请。
1)创建CA所需目录和文件
# centos8默认没有CA目录,需创建对应的目录文件
[root@centos8-0 ~]# mkdir -pv /etc/pki/CA/{certs,crl,newcerts,private}
mkdir: created directory '/etc/pki/CA'
mkdir: created directory '/etc/pki/CA/certs'
mkdir: created directory '/etc/pki/CA/crl'
mkdir: created directory '/etc/pki/CA/newcerts'
mkdir: created directory '/etc/pki/CA/private'
# 创建证书索引数据库文件
[root@centos8-0 ~]# touch /etc/pki/CA/index.txt
# 指定颁发证书的序列号
[root@centos8-0 ~]# echo 01 > /etc/pki/CA/serial
2)创建CA私钥(用umask 066使生成的私钥文件权限为600,仅root可读写)
[root@centos8-0 CA]# (umask 066;openssl genrsa -out private/cakey.pem 2048)
Generating RSA private key, 2048 bit long modulus (2 primes)
........+++++
................................+++++
e is 65537 (0x010001)
3)给CA颁发自签名证书
[root@centos8-0 CA]# openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -days 3650 -out /etc/pki/CA/cacert.pem
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:hunan
Locality Name (eg, city) [Default City]:changsha
Organization Name (eg, company) [Default Company Ltd]:magedu
Organizational Unit Name (eg, section) []:it
Common Name (eg, your name or your server's hostname) []:ca.magedu.org
Email Address []:
[root@centos8-0 CA]# tree /etc/pki/CA/
/etc/pki/CA/
├── cacert.pem
├── certs
├── crl
├── index.txt
├── newcerts
├── private
│ └── cakey.pem
└── serial
4 directories, 4 files
4)将cacert.pem文件上传至win10上,并修改文件名为cacert.pem.crt,双击打开显示:
修改前:
修改后:
查看证书:
5)用户生成私钥和证书申请
# 生成私钥文件(同样用umask 066保证私钥权限为600,见下方ll输出)
[root@centos8-0 ~]# mkdir /data/app1
[root@centos8-0 ~]# (umask 066;openssl genrsa -out /data/app1/app1.key 2048)
Generating RSA private key, 2048 bit long modulus (2 primes)
.............................................+++++
.....+++++
e is 65537 (0x010001)
# 生成证书申请文件
[root@centos8-0 ~]# openssl req -new -key /data/app1/app1.key -out /data/app1/app1.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:hunan
Locality Name (eg, city) [Default City]:cs
Organization Name (eg, company) [Default Company Ltd]:magedu
Organizational Unit Name (eg, section) []:hr
Common Name (eg, your name or your server's hostname) []:app1.magedu.org
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
[root@centos8-0 ~]# ll /data/app1/
total 8
-rw-r--r-- 1 root root 997 Nov 1 21:33 app1.csr
-rw------- 1 root root 1679 Nov 1 21:30 app1.key
注意:默认策略(openssl.cnf中的policy_match)要求申请中的国家、省份、组织三项必须和CA证书一致,否则签发会失败;
6)CA颁发证书
[root@centos8-0 ~]# openssl ca -in /data/app1/app1.csr -out /etc/pki/CA/certs/app1.crt -days 1000
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 1 (0x1)
Validity
Not Before: Nov 1 13:35:38 2021 GMT
Not After : Jul 28 13:35:38 2024 GMT
Subject:
countryName = CN
stateOrProvinceName = hunan
organizationName = magedu
organizationalUnitName = hr
commonName = app1.magedu.org
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
E2:17:3E:EF:83:1D:59:43:C0:25:AD:8A:36:97:E3:03:BF:BB:EB:E9
X509v3 Authority Key Identifier:
keyid:06:92:38:D1:40:49:72:00:15:4F:84:A1:9A:E8:36:52:CE:09:DB:29
Certificate is to be certified until Jul 28 13:35:38 2024 GMT (1000 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
[root@centos8-0 ~]# tree /etc/pki/CA/
/etc/pki/CA/
├── cacert.pem
├── certs
│ └── app1.crt
├── crl
├── index.txt
├── index.txt.attr
├── index.txt.old
├── newcerts
│ └── 01.pem
├── private
│ └── cakey.pem
├── serial
└── serial.old
4 directories, 9 files
7)查看证书
[root@centos8-0 ~]# cat /etc/pki/CA/certs/app1.crt
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 1 (0x1)
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=CN, ST=hunan, L=changsha, O=magedu, OU=it, CN=ca.magedu.org
Validity
Not Before: Nov 1 13:35:38 2021 GMT
Not After : Jul 28 13:35:38 2024 GMT
Subject: C=CN, ST=hunan, O=magedu, OU=hr, CN=app1.magedu.org
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public-Key: (2048 bit)
Modulus:
00:b5:5f:f0:09:c8:3e:1e:35:87:59:09:28:7f:a1:
12:df:25:19:b4:0e:2e:0b:de:e3:e5:ac:12:51:64:
e2:a7:ba:84:c1:73:45:ad:a6:a9:ed:0b:d9:3d:77:
4e:05:e9:7e:e9:9c:36:c3:f8:fd:d6:18:0d:9a:a2:
3d:fb:b3:f3:6d:39:2d:a6:22:84:95:eb:98:d3:e4:
db:e3:13:31:b6:23:42:2d:c2:40:5e:cc:9d:7d:cb:
03:56:c2:02:70:3b:52:da:ae:cb:6c:04:94:88:38:
e7:4f:6a:f4:a1:0b:b9:6a:97:11:e2:56:b4:b9:8e:
ac:b8:72:17:b0:fd:6d:1f:2f:58:e3:df:68:79:44:
36:98:df:6c:a0:d2:29:8b:c9:7a:4a:cb:e5:3a:e7:
7e:06:44:d2:62:5c:e9:9a:5e:9a:4b:15:31:5d:e9:
41:7f:17:6c:c6:75:62:35:1c:5b:46:7c:63:58:5a:
e0:0e:0a:0d:50:7c:77:ce:a6:e7:a1:54:f0:73:d0:
76:01:2c:6c:8b:bb:ab:97:93:b1:3b:da:33:a4:32:
ca:bb:d4:fd:1a:4a:f8:ac:36:89:59:a6:35:c7:95:
09:75:66:0b:c8:29:4a:91:fd:2c:1f:85:69:99:66:
d2:1e:23:55:0d:69:2b:2f:ec:e6:03:c2:ba:68:04:
9d:fb
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
E2:17:3E:EF:83:1D:59:43:C0:25:AD:8A:36:97:E3:03:BF:BB:EB:E9
X509v3 Authority Key Identifier:
keyid:06:92:38:D1:40:49:72:00:15:4F:84:A1:9A:E8:36:52:CE:09:DB:29
Signature Algorithm: sha256WithRSAEncryption
aa:52:97:f1:2e:8d:3c:9e:6e:05:38:9d:76:97:c7:5f:19:dc:
e1:21:1b:54:ad:b3:e1:41:70:bc:7e:09:5e:18:be:be:42:ab:
fa:3b:d9:38:98:e4:00:ab:3d:c8:da:a8:d7:9e:4b:d7:08:cd:
64:70:9a:e9:84:90:4f:8b:e5:0a:cb:7e:5f:ee:bc:fd:8c:49:
a5:54:3c:0f:7a:2f:c8:74:62:92:76:82:c7:8c:21:2e:dc:6a:
98:3b:36:63:bd:d6:5e:4b:0f:7a:cc:3e:4a:2f:19:ea:da:3c:
89:10:76:d5:c1:77:fa:00:50:a1:75:08:18:85:c0:09:99:69:
81:90:48:b8:6e:ee:fb:48:e5:3e:3b:1f:a1:bc:8b:a7:11:21:
2d:01:d2:f3:c7:1f:50:9a:c8:3f:31:e5:35:b3:af:09:cf:12:
69:28:30:1c:74:9c:bc:c9:a9:ff:ca:28:d4:9e:e4:c6:6c:9d:
6c:98:e3:b7:b7:6b:a9:27:16:cd:9b:e6:88:3a:59:2f:d0:9e:
e4:c2:c1:30:cb:78:5f:0e:e0:2c:45:2a:4c:82:8c:f5:08:8d:
0b:52:81:15:0a:c4:b1:e0:39:1b:bc:52:ba:2e:61:30:c7:e0:
14:82:0a:a4:ac:2a:d4:bf:e3:a1:60:2a:47:26:03:c7:b4:82:
aa:4f:8d:12
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
[root@centos8-0 ~]# openssl x509 -in /etc/pki/CA/certs/app1.crt -noout -text
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 1 (0x1)
Signature Algorithm: sha256WithRSAEncryption
Issuer: C = CN, ST = hunan, L = changsha, O = magedu, OU = it, CN = ca.magedu.org
Validity
Not Before: Nov 1 13:35:38 2021 GMT
Not After : Jul 28 13:35:38 2024 GMT
Subject: C = CN, ST = hunan, O = magedu, OU = hr, CN = app1.magedu.org
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public-Key: (2048 bit)
Modulus:
00:b5:5f:f0:09:c8:3e:1e:35:87:59:09:28:7f:a1:
12:df:25:19:b4:0e:2e:0b:de:e3:e5:ac:12:51:64:
e2:a7:ba:84:c1:73:45:ad:a6:a9:ed:0b:d9:3d:77:
4e:05:e9:7e:e9:9c:36:c3:f8:fd:d6:18:0d:9a:a2:
3d:fb:b3:f3:6d:39:2d:a6:22:84:95:eb:98:d3:e4:
db:e3:13:31:b6:23:42:2d:c2:40:5e:cc:9d:7d:cb:
03:56:c2:02:70:3b:52:da:ae:cb:6c:04:94:88:38:
e7:4f:6a:f4:a1:0b:b9:6a:97:11:e2:56:b4:b9:8e:
ac:b8:72:17:b0:fd:6d:1f:2f:58:e3:df:68:79:44:
36:98:df:6c:a0:d2:29:8b:c9:7a:4a:cb:e5:3a:e7:
7e:06:44:d2:62:5c:e9:9a:5e:9a:4b:15:31:5d:e9:
41:7f:17:6c:c6:75:62:35:1c:5b:46:7c:63:58:5a:
e0:0e:0a:0d:50:7c:77:ce:a6:e7:a1:54:f0:73:d0:
76:01:2c:6c:8b:bb:ab:97:93:b1:3b:da:33:a4:32:
ca:bb:d4:fd:1a:4a:f8:ac:36:89:59:a6:35:c7:95:
09:75:66:0b:c8:29:4a:91:fd:2c:1f:85:69:99:66:
d2:1e:23:55:0d:69:2b:2f:ec:e6:03:c2:ba:68:04:
9d:fb
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
E2:17:3E:EF:83:1D:59:43:C0:25:AD:8A:36:97:E3:03:BF:BB:EB:E9
X509v3 Authority Key Identifier:
keyid:06:92:38:D1:40:49:72:00:15:4F:84:A1:9A:E8:36:52:CE:09:DB:29
Signature Algorithm: sha256WithRSAEncryption
aa:52:97:f1:2e:8d:3c:9e:6e:05:38:9d:76:97:c7:5f:19:dc:
e1:21:1b:54:ad:b3:e1:41:70:bc:7e:09:5e:18:be:be:42:ab:
fa:3b:d9:38:98:e4:00:ab:3d:c8:da:a8:d7:9e:4b:d7:08:cd:
64:70:9a:e9:84:90:4f:8b:e5:0a:cb:7e:5f:ee:bc:fd:8c:49:
a5:54:3c:0f:7a:2f:c8:74:62:92:76:82:c7:8c:21:2e:dc:6a:
98:3b:36:63:bd:d6:5e:4b:0f:7a:cc:3e:4a:2f:19:ea:da:3c:
89:10:76:d5:c1:77:fa:00:50:a1:75:08:18:85:c0:09:99:69:
81:90:48:b8:6e:ee:fb:48:e5:3e:3b:1f:a1:bc:8b:a7:11:21:
2d:01:d2:f3:c7:1f:50:9a:c8:3f:31:e5:35:b3:af:09:cf:12:
69:28:30:1c:74:9c:bc:c9:a9:ff:ca:28:d4:9e:e4:c6:6c:9d:
6c:98:e3:b7:b7:6b:a9:27:16:cd:9b:e6:88:3a:59:2f:d0:9e:
e4:c2:c1:30:cb:78:5f:0e:e0:2c:45:2a:4c:82:8c:f5:08:8d:
0b:52:81:15:0a:c4:b1:e0:39:1b:bc:52:ba:2e:61:30:c7:e0:
14:82:0a:a4:ac:2a:d4:bf:e3:a1:60:2a:47:26:03:c7:b4:82:
aa:4f:8d:12
[root@centos8-0 ~]# openssl x509 -in /etc/pki/CA/certs/app1.crt -noout -issuer
issuer=C = CN, ST = hunan, L = changsha, O = magedu, OU = it, CN = ca.magedu.org
[root@centos8-0 ~]# openssl x509 -in /etc/pki/CA/certs/app1.crt -noout -subject
subject=C = CN, ST = hunan, O = magedu, OU = hr, CN = app1.magedu.org
[root@centos8-0 ~]# openssl x509 -in /etc/pki/CA/certs/app1.crt -noout -dates
notBefore=Nov 1 13:35:38 2021 GMT
notAfter=Jul 28 13:35:38 2024 GMT
[root@centos8-0 ~]# openssl x509 -in /etc/pki/CA/certs/app1.crt -noout -serial
serial=01
# 查询该序列号对应证书在CA数据库(index.txt)中的状态,V表示有效
[root@centos8-0 ~]# openssl ca -status 01
Using configuration from /etc/pki/tls/openssl.cnf
01=Valid (V)
[root@centos8-0 ~]# cat /etc/pki/CA/index.txt
V 240728133538Z 01 unknown /C=CN/ST=hunan/O=magedu/OU=hr/CN=app1.magedu.org
[root@centos8-0 ~]# cat /etc/pki/CA/index.txt.old
[root@centos8-0 ~]# cat /etc/pki/CA/serial
02
[root@centos8-0 ~]# cat /etc/pki/CA/serial.old
01
8)将证书相关文件发送到用户端使用
[root@centos8-0 ~]# cp /etc/pki/CA/certs/app1.crt /data/app1/
[root@centos8-0 ~]# tree /data/app1
/data/app1
├── app1.crt
├── app1.csr
└── app1.key
0 directories, 3 files
9)查看CA颁发的证书
提示不能验证该证书,无法找到证书的颁发者(因为win10尚未信任自建CA的根证书)。
10) 信任证书(将第4步上传的cacert.pem.crt导入“受信任的根证书颁发机构”后,app1.crt即可通过验证)
2、总结ssh常用参数、用法
# 登录远程主机(不指定用户名,默认使用当前用户名登录);首次连接时应通过可信渠道核对提示的主机密钥指纹后再输入yes
[root@centos8-0 ~]# ssh 10.0.101.60
The authenticity of host '10.0.101.60 (10.0.101.60)' can't be established.
RSA key fingerprint is SHA256:uBlgDotoXN/v+Gb47OHTENCvZlMhmLAv31QQdeLLq9E.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.0.101.60' (RSA) to the list of known hosts.
root@10.0.101.60's password:
Last login: Thu Oct 28 20:24:58 2021 from 10.0.101.1
[root@centos6-0 ~]#
# 指定用户名登录远程主机
[root@centos8-0 ~]# ssh liuxiaofu@10.0.101.60
liuxiaofu@10.0.101.60's password:
[liuxiaofu@centos6-0 ~]$
# 指定端口号登录远程主机
[root@centos8-0 ~]# ssh -p 22 10.0.101.60
root@10.0.101.60's password:
Last login: Mon Nov 1 21:59:51 2021 from 10.0.101.80
[root@centos6-0 ~]#
# 远程登录主机执行命令
[root@centos8-0 ~]# ssh 10.0.101.60 "cat /etc/redhat-release"
root@10.0.101.60's password:
CentOS release 6.10 (Final)
# 远程登录主机执行本地脚本
[root@centos8-0 ~]# cat test.sh
#!/bin/bash
# Print the IP addresses of the host this runs on (here it is fed to the remote bash over ssh, so it shows the remote host's address).
hostname -I
[root@centos8-0 ~]# ssh 10.0.101.60 "/bin/bash" < test.sh
root@10.0.101.60's password:
10.0.101.60
# 强制伪tty分配(-t):先在ubuntu1804-0上拒绝来自10.0.101.60的直连,再从10.0.101.60经10.0.101.70、10.0.101.80逐跳登录10.0.101.180
root@ubuntu1804-0:~# iptables -A INPUT -s 10.0.101.60 -j REJECT
[root@centos6-0 ~]# ssh -t 10.0.101.70 ssh -t 10.0.101.80 ssh 10.0.101.180
The authenticity of host '10.0.101.70 (10.0.101.70)' can't be established.
RSA key fingerprint is af:43:e1:97:f5:21:58:ee:31:7a:f7:27:e9:20:17:49.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '10.0.101.70' (RSA) to the list of known hosts.
root@10.0.101.70's password:
The authenticity of host '10.0.101.80 (10.0.101.80)' can't be established.
ECDSA key fingerprint is SHA256:5AvfexeSOU3UhGJG9aFxKpW42uL7T/0uCleSobXBL70.
ECDSA key fingerprint is MD5:9c:5a:bb:42:aa:d0:f4:a2:81:77:e1:60:ec:c6:57:3b.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '10.0.101.80' (ECDSA) to the list of known hosts.
root@10.0.101.80's password:
The authenticity of host '10.0.101.180 (10.0.101.180)' can't be established.
ECDSA key fingerprint is SHA256:AEWqZGhm997bgPQb9Yuzd2Qt85Fz9jBD0a++QCqz4ZU.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.0.101.180' (ECDSA) to the list of known hosts.
root@10.0.101.180's password:
Welcome to Ubuntu 18.04.5 LTS (GNU/Linux 4.15.0-112-generic x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
System information as of Mon Nov 1 22:06:55 CST 2021
System load: 0.0 Processes: 179
Usage of /: 2.2% of 91.17GB Users logged in: 1
Memory usage: 10% IP address for eth0: 10.0.101.180
Swap usage: 0%
* Super-optimized for small spaces - read how we shrank the memory
footprint of MicroK8s to make it the smallest full K8s around.
https://ubuntu.com/blog/microk8s-memory-optimisation
177 packages can be updated.
122 updates are security updates.
New release '20.04.3 LTS' available.
Run 'do-release-upgrade' to upgrade to it.
Last login: Mon Nov 1 20:50:39 2021 from 10.0.101.1
root@ubuntu1804-0:~#
# 基于密钥远程登录主机
[root@centos8-0 ~]# ssh-keygen -t rsa # 生成密钥对
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:3MDxZtQmDKmqVGmTLR+BrQ796ik/vzecSPSPO2c8mMQ root@centos8-0.magedu.org
The key's randomart image is:
+---[RSA 3072]----+
| o o+.. |
| . o..+o o |
| . = oo +o |
| . X =. = |
| = B +S . |
| . o + E |
| . . o + B |
| o o.. X * |
| ++ooo.* . |
+----[SHA256]-----+
[root@centos8-0 ~]# ssh-copy-id -i .ssh/id_rsa.pub 10.0.101.70 # 把公钥文件传给远程主机
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: ".ssh/id_rsa.pub"
The authenticity of host '10.0.101.70 (10.0.101.70)' can't be established.
ECDSA key fingerprint is SHA256:BXuL4IceJVIAsgu/rChpjIChAKta2CIg/0Q6lW0URWc.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
root@10.0.101.70's password:
Number of key(s) added: 1
Now try logging into the machine, with: "ssh '10.0.101.70'"
and check to make sure that only the key(s) you wanted were added.
[root@centos8-0 ~]# ssh 10.0.101.70 # 基于密钥登录远程主机
Last login: Mon Nov 1 22:06:50 2021 from 10.0.101.60
[root@centos7-0 ~]#
[root@centos8-0 ~]# ssh-keygen -p # 给私钥设置口令(passphrase)保护
Enter file in which the key is (/root/.ssh/id_rsa):
Key has comment 'root@centos8-0.magedu.org'
Enter new passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved with the new passphrase.
[root@centos8-0 ~]# ssh 10.0.101.70 # 再次远程登录主机,此时提示输入加密私钥的密码
Enter passphrase for key '/root/.ssh/id_rsa':
Last login: Mon Nov 1 22:09:48 2021 from 10.0.101.80
[root@centos7-0 ~]#
[root@centos8-0 ~]# ssh-agent bash # 启用ssh代理(ssh-agent),之后只需用ssh-add输入一次口令,登录时不再重复输入
[root@centos8-0 ~]# ps aux | grep ssh-agent | grep -v 'grep'
root 1649 0.0 0.0 27424 520 ? Ss 22:12 0:00 ssh-agent bash
[root@centos8-0 ~]# ssh-add # 提示输入加密私钥的密码
Enter passphrase for /root/.ssh/id_rsa:
Identity added: /root/.ssh/id_rsa (root@centos8-0.magedu.org)
[root@centos8-0 ~]# ssh 10.0.101.70
Last login: Mon Nov 1 22:12:04 2021 from 10.0.101.80
[root@centos7-0 ~]#
3、总结sshd服务常用参数。
Port 22 # 指定sshd监听的端口号。默认值是22。
ListenAddress 0.0.0.0 # 指定sshd应该监听的本地地址
PermitRootLogin yes # 是否允许root用户远程登录,yes为允许,no为不允许(生产环境建议设为no或prohibit-password,后者仅允许root基于密钥登录)
PubkeyAuthentication yes # 基于key验证
PermitEmptyPasswords no # 是否允许空密码登录,no为不允许(应保持no)
PasswordAuthentication yes # 是否允许基于用户名和密码登录;配置好密钥登录后可改为no以减少口令暴力破解风险
ClientAliveInterval 10 # 服务端向空闲客户端发送保活消息的间隔,单位:秒
ClientAliveCountMax 3 # 客户端连续未响应保活消息的最大次数,超过即断开连接,默认3
UseDNS yes # 提高连接速度可改为no
GSSAPIAuthentication yes # 是否允许基于GSSAPI的用户身份验证。提高连接速度可改为no
MaxStartups # 允许同时存在的未认证连接最大数,默认值10
4、搭建dhcp服务,实现ip地址申请分发
# 安装dhcp服务
[root@ubuntu1804 ~]# apt -y install isc-dhcp-server
[root@ubuntu1804 ~]# dpkg -L isc-dhcp-server | head -18
/.
/etc
/etc/apparmor.d
/etc/apparmor.d/dhcpd.d
/etc/apparmor.d/usr.sbin.dhcpd
/etc/dhcp
/etc/dhcp/dhcpd.conf
/etc/dhcp/dhcpd6.conf
/etc/init.d
/etc/init.d/isc-dhcp-server
/etc/logcheck
/etc/logcheck/ignore.d.server
/etc/logcheck/ignore.d.server/isc-dhcp-server
/lib
/lib/systemd
/lib/systemd/system
/lib/systemd/system/isc-dhcp-server.service
/lib/systemd/system/isc-dhcp-server6.service
# 编辑配置文件
[root@ubuntu1804 ~]# cp /etc/dhcp/dhcpd.conf{,.bak}
[root@ubuntu1804 ~]# vim /etc/dhcp/dhcpd.conf
# Domain name handed to DHCP clients.
option domain-name "node.com";
# DNS servers handed to DHCP clients.
option domain-name-servers 222.246.129.80,59.51.78.210;
# Lease length in seconds when the client does not request a specific one.
default-lease-time 600;
# Upper bound in seconds on any lease a client may request.
max-lease-time 7200;
# Scope for the lab network; the client below received 10.0.101.201 from this pool.
subnet 10.0.101.0 netmask 255.255.255.0 {
# Address pool to allocate from.
range 10.0.101.201 10.0.101.254;
# Default gateway handed to clients.
option routers 10.0.101.2;
}
# 重启服务
[root@ubuntu1804 ~]# systemctl restart isc-dhcp-server
# 客户端获取地址
# 先关闭虚拟机自身DHCP功能“编辑-->虚拟网络编辑器-->选择vmnet8 NAT模式-->取消勾选使用本地DHCP服务器将IP地址分配给虚拟机”
[root@centos8 ~]# nmcli connection
NAME UUID TYPE DEVICE
eth0 a2f6056e-8db3-43a6-8e3b-834e4226b662 ethernet eth0
virbr0 b4e418e5-e5e9-465b-a2c2-7f093d78d084 bridge virbr0
[root@centos8 ~]# nmcli connection delete eth0
Connection 'eth0' (a2f6056e-8db3-43a6-8e3b-834e4226b662) successfully deleted.
[root@centos8 ~]# nmcli connection add type ethernet con-name eth0 ifname eth0 ipv4.method auto
Connection 'eth0' (80f6d570-cdf9-4a75-a87a-dfb38d32d884) successfully added.
[root@centos8 ~]# nmcli connection up eth0
Connection successfully activated (D-Bus active path:/org/freedesktop/NetworkManager/ActiveConnection/7)
[root@centos8 ~]# ip a sh eth0
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
link/ether 00:0c:29:a1:7a:b3 brd ff:ff:ff:ff:ff:ff
inet 10.0.101.201/24 brd 10.0.101.255 scope global dynamic noprefixroute eth0
valid_lft 538sec preferred_lft 538sec
inet6 fe80::70ce:9402:2e46:488e/64 scope link noprefixroute
valid_lft forever preferred_lft forever