1、创建私有CA并进行证书申请。
生成私钥
/etc/pki/CA
[root@10-100-13-200 CA]# cd /etc/pki/CA/
[root@10-100-13-200 CA]# umask 066;openssl genrsa -out private/cakey.pem -des3 2048
Generating RSA private key, 2048 bit long modulus (2 primes)
....+++++
....................................................................+++++
e is 65537 (0x010001)
Enter pass phrase for private/cakey.pem:
140018341844800:error:28078065:UI routines:UI_set_result_ex:result too small:crypto/ui/ui_lib.c:905:You must type in 4 to 1023 characters
Enter pass phrase for private/cakey.pem:
Verifying - Enter pass phrase for private/cakey.pem:
umake #指定文件的权限
genrsa#私钥加密算法
-out private/cakey.pem # 生成私钥的存放位置
-des3 #加密算法
利用私钥生成自签名证书
[root@10-100-13-200 CA]# umask 066;openssl genrsa -out private/cakey.pem -des3 2048
Generating RSA private key, 2048 bit long modulus (2 primes)
....+++++
....................................................................+++++
e is 65537 (0x010001)
Enter pass phrase for private/cakey.pem:
140018341844800:error:28078065:UI routines:UI_set_result_ex:result too small:crypto/ui/ui_lib.c:905:You must type in 4 to 1023 characters
Enter pass phrase for private/cakey.pem:
Verifying - Enter pass phrase for private/cakey.pem:
[root@10-100-13-200 CA]# openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 365
Enter pass phrase for private/cakey.pem:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
2、总结ssh常用参数、用法
2.1 连接到远程主机
ssh name@remoteserver
-p #指定端口号
-b #指定连接的源ip
-C #压缩方式
2.2 远程执行命令
ssh 163.53.x.xx "hostname -I"
2.3 远程主机运行本地的shell脚本
ssh 163.53.x.x /bin/bash < ip.sh
3、总结sshd服务常用参数。
/etc/ssh/sshd_config #配置文件路径
Post 端口号 #更改默认端口号
ListenAddress IP地址 #绑定ip地址为指定唯一登录地址
PermitRootLogin yes|no #关闭超级用户登录
PubkeyAuthentication yes|no #密钥认证开启
PasswordAuthentication yes|no #登录密码认证开启
DenyUsers 黑名单用户不允许登录
AllowUsers 白名单用户允许登录,安全级别更高
systemctl restart sshd.service #重启ssh服务
scp 命令 scp 选项 原路径或文件 目标路径或文件
-C #压缩数据流
-r #递归复制
-q #不显示传输进度,静默模式
-P #指定端口号
rsync 命令
可以基于ssh和rsync协议实现高效率的远程系统之间文件传输,比scp 快,基于增量数据的同步,只复制两端不同的文件
rsync -av /etc remoteserver:/tmp #复制目录和目录下的文件
rsync -av /etc/ remoteserver:/tmp #只复制目录下的文件
-r #递归复制
-v #显示详细过程
-p #保留权限
-z #压缩,节省网络带宽
-a #存档
4、搭建dhcp服务,实现ip地址申请分发
DHCP 服务 动态主机配置协议,是一个局域网的网络协议,使用的UDP协议工作。
用途:给内部网络自动分配IP地址,主机名,dns服务器等;配合其他服务实现集成化管理功能,无人值守安装系统
[root@10-100-15-47 ~]# grep -v "#" /etc/dhcp/dhcpd.conf
option domain-name-servers 180.76.76.76, 223.6.6.6;
default-lease-time 600;
max-lease-time 7200;
log-facility local7;
subnet 10.0.0.0 netmask 255.255.255.0 {
range 10.0.0.10 10.0.0.100;
option routers 10.0.0.2;
next-server 10.0.0.8;
filename "pxelinux.0";
}
host testclient {
hardware ethernet 00:0c:29:33:b4:1a;
fixed-address 10.0.0.106;
default-lease-time 86400;
max-lease-time 864000;
option routers 10.0.0.254;
option domain-name-servers 114.114.114.114,8.8.8.8 ;
}