Study Report 14

1. Create a private CA and request a certificate.

`openssl ca` works out of the directory named by `dir` in `/etc/pki/tls/openssl.cnf` (`/etc/pki/CA` on CentOS 7) and refuses to run until the issuance database `index.txt` and the `serial` file exist there.

```bash
# 1. Create the files the CA needs. index.txt belongs under /etc/pki/CA (the dir
#    named in openssl.cnf); the original report created it under /etc/pki, where
#    openssl ca would not find it.
[root@localhost ~]# touch /etc/pki/CA/index.txt
[root@localhost ~]# echo 01 > /etc/pki/CA/serial

# 2. Generate the CA private key. umask 066 makes the key file readable and
#    writable by its owner only, so it never has to be chmod'ed afterwards.
[root@localhost CA]# umask 066;openssl genrsa -out private/cakey.pem 2048
Generating RSA private key, 2048 bit long modulus
..............................+++
.......................................+++
e is 65537 (0x10001)

# 3. Create the self-signed CA certificate (valid for 10 years)
[root@localhost CA]# openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -days 3650 -out /etc/pki/CA/cacert.pem
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:JS
Locality Name (eg, city) [Default City]:NJ
Organization Name (eg, company) [Default Company Ltd]:EG
Organizational Unit Name (eg, section) []:EG
Common Name (eg, your name or your server's hostname) []:EG
Email Address []:EG

# 4. Request a certificate
# Generate the requester's private key
[root@localhost ~]# umask 066 ;openssl genrsa -out /data/test.key 2048
Generating RSA private key, 2048 bit long modulus
..................+++
............+++
e is 65537 (0x10001)
# Generate the certificate signing request (CSR). Country, State and Organization
# must be the same as the CA's: the default policy_match in openssl.cnf requires
# them to match, otherwise openssl ca rejects the request.
[root@localhost ~]# openssl req -new -key /data/test.key -out /data/test.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:JS
Locality Name (eg, city) [Default City]:NJ
Organization Name (eg, company) [Default Company Ltd]:EG
Organizational Unit Name (eg, section) []:EG
Common Name (eg, your name or your server's hostname) []:EG
Email Address []:EG

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:123456
An optional company name []:EG

# Deliver the CSR to the CA (here the same host, so it is simply placed in /tmp),
# then issue the certificate on the CA side
[root@localhost ~]# openssl ca -in /tmp/test.csr -out /etc/pki/CA/certs/test.crt -days 100
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: Jun 20 02:48:25 2021 GMT
            Not After : Sep 28 02:48:25 2021 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = JS
            organizationName          = EG
            organizationalUnitName    = EG
            commonName                = EG
            emailAddress              = EG
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                2A:98:FF:F8:68:20:CB:6E:C3:8B:B4:8E:1E:B4:A1:4C:D1:17:D6:A8
            X509v3 Authority Key Identifier:
                keyid:08:56:DD:78:88:97:DC:58:92:E6:51:03:CF:B8:23:39:6D:F7:20:89

Certificate is to be certified until Sep 28 02:48:25 2021 GMT (100 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
```

Two details of this output are worth understanding. The issued `Subject:` has no localityName even though NJ was typed into the CSR: `openssl ca` rebuilds the subject from the fields listed in its `policy` section, and the default `policy_match` lists C, ST and O as `match`, OU and emailAddress as `optional` and CN as `supplied`, but not L, so fields the policy does not mention are silently dropped. The challenge password is a CSR attribute that `openssl ca` ignores; it is not a passphrase on the key, so there is no reason to type a weak value like 123456 instead of leaving it blank. The `CA:FALSE` basic constraint comes from the `usr_cert` extension section and is what stops the issued certificate from being used to sign further certificates.

2. Summary of common ssh options and usage.

```bash
# Command format
ssh [user@]host [command]
# e.g. run a single command on the remote host
ssh host date

# Common options
-p port      remote port                                   ssh -p 5543 host
-b IP        bind to a local source address                ssh -b IP host
-v           verbose (debug) mode
-C           compress the connection (lowercase -c selects the cipher instead)
-X           enable X11 forwarding (lowercase -x disables it)
-t           force pseudo-tty allocation, needed when chaining interactive hops:
             ssh -t host1 ssh -t host2
-o option    pass an ssh_config keyword, e.g. -o ServerAliveInterval=30
-i file      path to the private key (identity) file

# Run a local shell script on the remote host (the script is fed on stdin)
ssh host1 /bin/bash < test.sh

# scp: file copy over ssh
scp [option] [user@]host:/sourcefile /destpath
scp [option] /sourcefile [user@]host:/destpath
# Common options
-C           compress the data stream (lowercase -c selects the cipher instead)
-r           copy recursively
-p           preserve modification times, access times and modes of the source
-q           quiet mode
-P port      remote port (capital P; lowercase -p is preserve, unlike ssh)
```

3. Summary of common sshd parameters.

```bash
# sshd configuration file
/etc/ssh/sshd_config

# Common parameters
Port 22                      port sshd listens on
ListenAddress ip             address(es) sshd listens on
LoginGraceTime 2m            time a client has to authenticate before the connection is dropped
PermitRootLogin yes          whether root may log in; set to no, or prohibit-password for key-only root
StrictModes yes              check ownership and permissions of ~/.ssh and its files before trusting them
MaxAuthTries 6               maximum authentication attempts per connection
MaxSessions 10               maximum sessions (channels) per network connection
PubkeyAuthentication yes     allow public-key authentication
PermitEmptyPasswords no      allow login to accounts with empty passwords
PasswordAuthentication yes   allow username/password authentication
GatewayPorts no              allow remote hosts to connect to ports forwarded for the client
ClientAliveInterval 10       seconds of inactivity after which sshd sends an alive message and waits for a reply; SSH-2 only
ClientAliveCountMax 3        alive messages without a reply before sshd disconnects; default 3
UseDNS yes                   reverse-resolve the client address; set to no to speed up logins
GSSAPIAuthentication yes     allow GSSAPI-based authentication; set to no to speed up logins when Kerberos is not used
MaxStartups 10               maximum concurrent unauthenticated connections; the full default is 10:30:100 (random early drop starts at 10 and reaches 100% at 100)
Banner /path/file            file whose contents are shown to the user before authentication
```
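The CA procedure from section 1, run end to end without prompts in a throwaway directory and checked with `openssl verify`, as an added example that is not part of the original report. Everything in it is our own construction: the directory layout, the embedded `openssl.cnf` (whose `policy_match` copies the CentOS default), the subject names, and the deliberately mismatched second request that the policy is expected to reject.

```bash
#!/usr/bin/env bash
# Added example (not from the original report): build a private CA, sign a CSR
# with `openssl ca`, verify the result, and show what policy_match does.
# The directory, config and DNs below are our own assumptions.
set -euo pipefail

# Create the layout `openssl ca` expects: index.txt (issuance database), serial
# (next serial number), newcerts/, and a config file that points at them.
make_ca() {   # make_ca <dir>
  local dir="$1"
  mkdir -p "$dir/private" "$dir/certs" "$dir/newcerts"
  chmod 700 "$dir/private"
  touch "$dir/index.txt"
  echo 01 > "$dir/serial"
  cat > "$dir/openssl.cnf" <<EOF
[ ca ]
default_ca      = CA_default
[ CA_default ]
dir             = $dir
database        = $dir/index.txt
new_certs_dir   = $dir/newcerts
serial          = $dir/serial
certificate     = $dir/cacert.pem
private_key     = $dir/private/cakey.pem
default_md      = sha256
default_days    = 100
policy          = policy_match
x509_extensions = usr_cert
[ policy_match ]
countryName             = match
stateOrProvinceName     = match
organizationName        = match
organizationalUnitName  = optional
commonName              = supplied
emailAddress            = optional
[ usr_cert ]
basicConstraints        = CA:FALSE
subjectKeyIdentifier    = hash
authorityKeyIdentifier  = keyid,issuer
[ req ]
distinguished_name      = req_dn
x509_extensions         = v3_ca
[ req_dn ]
commonName              = Common Name
[ v3_ca ]
basicConstraints        = critical,CA:TRUE
keyUsage                = critical,keyCertSign,cRLSign
subjectKeyIdentifier    = hash
EOF
  # CA private key, created owner-readable only (umask 077)
  ( umask 077; openssl genrsa -out "$dir/private/cakey.pem" 2048 2>/dev/null )
  # Self-signed CA certificate, 10 years, same DN as in the report
  openssl req -new -x509 -config "$dir/openssl.cnf" -key "$dir/private/cakey.pem" \
    -days 3650 -subj "/C=CN/ST=JS/L=NJ/O=EG/OU=EG/CN=EG" -out "$dir/cacert.pem"
}

# Requester side: key + CSR; CA side: sign it. Returns non-zero when the CA
# rejects the CSR, e.g. because C/ST/O differ from the CA's (policy_match).
issue_cert() {   # issue_cert <dir> <name> <subject>
  local dir="$1" name="$2" subj="$3"
  ( umask 077; openssl genrsa -out "$dir/certs/$name.key" 2048 2>/dev/null )
  openssl req -new -config "$dir/openssl.cnf" -key "$dir/certs/$name.key" \
    -subj "$subj" -out "$dir/certs/$name.csr"
  openssl ca -batch -notext -config "$dir/openssl.cnf" -days 100 \
    -in "$dir/certs/$name.csr" -out "$dir/certs/$name.crt"
}

verify_cert() {   # verify_cert <dir> <name>: does the cert chain to cacert.pem?
  openssl verify -CAfile "$1/cacert.pem" "$1/certs/$2.crt" >/dev/null
}

cert_subject() {   # cert_subject <dir> <name>: the subject as the CA wrote it
  openssl x509 -in "$1/certs/$2.crt" -noout -subject -nameopt RFC2253
}

CA_DIR="$(mktemp -d)"
make_ca "$CA_DIR"
issue_cert "$CA_DIR" test "/C=CN/ST=JS/L=NJ/O=EG/OU=EG/CN=EG"
verify_cert "$CA_DIR" test && echo "test.crt verifies against cacert.pem"
cert_subject "$CA_DIR" test        # no L=NJ: localityName is not in policy_match
# A request whose O differs from the CA's is refused by policy_match:
issue_cert "$CA_DIR" other "/C=CN/ST=JS/O=OTHER/CN=other" || echo "rejected as expected"
```

`-subj` and `-batch` replace the interactive prompts of the report; `-notext` keeps the human-readable dump out of the issued file so that only the PEM block is written. The script does not need root because it never touches `/etc/pki`; remove the temporary directory when done, since it contains private keys.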
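An offline check of an `sshd_config` against a small hardening baseline for the parameters listed in section 3, as an added example that is not part of the original report. The baseline values, the "default when absent" column (assumed upstream OpenSSH 7.0 or later) and the two sample config files are our own constructions. On a live host `sshd -T` prints the effective configuration including defaults and is the authoritative source; this script is for config files collected from elsewhere, and it reproduces the three parsing rules that most often surprise people: the first occurrence of a directive wins, `Key=value` is the same as `Key value`, and anything below the first `Match` line is conditional rather than global.

```bash
#!/usr/bin/env bash
# Added example (not from the original report): audit an sshd_config file for
# weak settings. Baseline, defaults and sample files are our own assumptions.
set -eu

# Effective global value of one directive, following sshd's own rules:
# keywords are case-insensitive, "Key value" and "Key=value" are equivalent,
# the FIRST occurrence wins, and everything after the first "Match" line is
# conditional, so it is not part of the global value.
sshd_get() {   # sshd_get <file> <Directive>; prints nothing if it is absent
  local key
  key="$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')"
  awk -v key="$key" '
    /^[ \t]*#/ || /^[ \t]*$/ { next }
    { sub(/^[ \t]+/, ""); sub(/[ \t]*=[ \t]*/, " ") }
    tolower($1) == "match" { exit }
    tolower($1) == key { print $2; exit }
  ' "$1"
}

# Directive, upstream default used when it is absent, regex of accepted values.
BASELINE='PermitRootLogin prohibit-password no|prohibit-password
PasswordAuthentication yes no
PermitEmptyPasswords no no
PubkeyAuthentication yes yes
MaxAuthTries 6 [1-4]
UseDNS no no
X11Forwarding no no'

# Print one line per deviation from the baseline; prints nothing for a clean file.
audit_sshd_config() {   # audit_sshd_config <file>
  local file="$1" key def want got src
  while read -r key def want; do
    got="$(sshd_get "$file" "$key")"
    src="set"
    [ -n "$got" ] || { got="$def"; src="default"; }
    if ! printf '%s\n' "$got" | grep -Eqx "$want"; then
      printf '%s: %s=%s (%s), expected %s\n' "$file" "$key" "$got" "$src" "$want"
    fi
  done <<EOF
$BASELINE
EOF
}

WEAK_CONF="$(mktemp)"
HARD_CONF="$(mktemp)"

# Constructed sample mirroring the values listed in section 3, plus a hardening
# line appended later that sshd ignores because the first value wins, and a Match
# block whose settings apply to one user only.
cat > "$WEAK_CONF" <<'EOF'
Port 22
ListenAddress 0.0.0.0
PermitRootLogin yes
StrictModes yes
MaxAuthTries 6
PubkeyAuthentication yes
PermitEmptyPasswords no
PasswordAuthentication yes
UseDNS yes
GSSAPIAuthentication yes
# appended later: ignored, the PermitRootLogin above is the effective one
PermitRootLogin no
Match User backup
    PasswordAuthentication no
EOF

# Constructed hardened counterpart.
cat > "$HARD_CONF" <<'EOF'
Port 22
PermitRootLogin no
PasswordAuthentication no
PermitEmptyPasswords no
PubkeyAuthentication yes
MaxAuthTries 4
UseDNS no
X11Forwarding no
ClientAliveInterval 300
ClientAliveCountMax 2
EOF

audit_sshd_config "$WEAK_CONF"   # four findings
audit_sshd_config "$HARD_CONF"   # no output
```

The weak file is reported for `PermitRootLogin`, `PasswordAuthentication`, `MaxAuthTries` and `UseDNS`; the appended `PermitRootLogin no` and the `Match` block do not rescue it, which is exactly what sshd would do with that file. Extend `BASELINE` with whatever your own policy requires; each line is just a directive, its default and an accepted-value regex.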