Linux OpenSSH OpenSSL
Note date: 2018-05-24
Contents
OpenSSH
  Configure SSH key-based authentication
  Server-side configuration files
  Best practices for SSH services
OpenSSL
  Three components
  PKI: Public Key Infrastructure
  Establish a private CA
  Certificate application and signing procedure
  Create a private CA: detailed steps
OpenSSH
Configure SSH key-based authentication
1. Generate a key pair
ssh-keygen -P '' -f ~/.ssh/own_rsakey
(-P '' creates the key without a passphrase, as for unattended use; -f names the key file.)
2. Copy the public key to the ~/.ssh directory of the user on the server you will connect to
The command above generates two files: a private key (own_rsakey) and a public key (own_rsakey.pub). Print the public key file with:
cat ~/.ssh/own_rsakey.pub
Copy its contents.
On the server that will accept key authentication, open ~/.ssh/ in the home directory of the user you will log in as:
vim ~/.ssh/authorized_keys
Paste the public key into this file.
Change the file's permissions to 600 (chmod 600 ~/.ssh/authorized_keys); if it is left more permissive, key-based authentication may not work.
scp can copy files from a remote server to the local computer, or from the local computer to the server (USER@HOST is a placeholder for the account and server):
scp USER@HOST:/path/file /path/somewhere    # remote file to local
scp /path/somewhere USER@HOST:/path         # local file to remote
Server-side configuration files
/etc/ssh/sshd_config, the relevant directives:
HostKey
Port 22
ListenAddress 0.0.0.0
Protocol 2
PermitRootLogin yes
Best practices for SSH services
1. Do not use the default port
2. Prohibit protocol version 1
3. Restrict the users who can log in
4. Set an idle session timeout
5. Use the firewall to set an SSH access policy
6. Listen only on specific IP addresses
7. With password-based authentication, use a strong password policy; a random 30-character password can be generated with:
# tr -dc 'A-Za-z0-9_' </dev/urandom | head -c 30 | xargs
8. Use key-based authentication
9. Prohibit blank passwords
10. Do not allow the root user to log in directly
11. Limit the frequency of SSH access and the number of concurrent sessions
12. Keep logs and analyze them regularly
OpenSSL
Three components
openssl: multi-purpose command-line tool
libcrypto: encryption and decryption library
libssl: implementation of the SSL/TLS protocol
PKI: Public Key Infrastructure
CA: Certificate Authority
RA: Registration Authority
CRL: Certificate Revocation List
Certificate repository (access library for certificates)
Establish a private CA
OpenCA
OpenSSL
Certificate application and signing procedure
1. Generate the certificate request
2. The registration authority (RA) verifies the request
3. The CA signs the request
4. Obtain the certificate
Create a private CA
OpenSSL configuration file: /etc/pki/tls/openssl.cnf (its CA section sets dir = /etc/pki/CA; the paths below follow that layout)
1. Create the files the OpenSSL configuration file requires
touch /etc/pki/CA/index.txt
echo 01 > /etc/pki/CA/serial
echo 01 > /etc/pki/CA/crlnumber
2. CA self-signed certificate
Generate the private key (umask 077 makes the key file readable by its owner only):
(umask 077; openssl genrsa -out /etc/pki/CA/private/cakey.pem 2048)
Generate the certificate:
openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -days 7300 \
    -out /etc/pki/CA/cacert.pem
-new: generate a new certificate signing request
-x509: output a self-signed certificate instead of a request (used for the CA's own certificate)
-key: the private key file to use when generating the request
-days: validity period of the certificate, in days
-out /path/to/somecertfile: the output certificate file
3. Issuing certificates
a. Generate a certificate request on the host that will use the certificate
(umask 077; openssl genrsa -out /etc/httpd/ssl/httpd.key 2048)
openssl req -new -key /etc/httpd/ssl/httpd.key -days 365 \
    -out /etc/httpd/ssl/httpd.csr
b. Transfer the request file to the CA
c. The CA signs the certificate and returns it to the requester
openssl ca -in /tmp/httpd.csr -out /etc/pki/CA/certs/httpd.crt -days 365
View the information in a certificate:
openssl x509 -in /path/from/cert_file -noout -text|-subject|-serial
4. Revoking a certificate
a. The client obtains the serial number of the certificate to revoke
openssl x509 -in /path/from/cert_file -noout -serial -subject
b. CA
The CA checks that the serial number and subject submitted by the client match the corresponding entry in index.txt, then revokes the certificate (SERIAL is the certificate's serial number, e.g. 01.pem):
openssl ca -revoke /etc/pki/CA/newcerts/SERIAL.pem
c. Generate the CRL number (only needed the first time a certificate is revoked)
echo 01 > /etc/pki/CA/crlnumber
d. Update the certificate revocation list (name and path are your own choice)
openssl ca -gencrl -out /etc/pki/CA/crl/mysky.crl
View the CRL file:
openssl crl -in /etc/pki/CA/crl/mysky.crl -noout -text
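As an added, self-contained example (not the page's own commands), the private CA procedure above from the index/serial files through the CRL, run in a throwaway directory with a minimal openssl.cnf standing in for /etc/pki/tls/openssl.cnf; the CA name, hostname and directory are made up. It goes one step beyond the text by verifying the issued certificate against the CRL with `openssl verify -crl_check`, the check a relying client performs.

```shell
# Constructed example: the private-CA steps above run end-to-end in a throwaway
# directory; the minimal openssl.cnf written here stands in for /etc/pki/tls/openssl.cnf.
set -eu
# demo_ca DIR: build the CA, issue a certificate, revoke it and publish a CRL.
# Returns 0 only if the certificate verifies before revocation and is rejected after.
demo_ca() {
    dir=$1
    mkdir -p "$dir/certs" "$dir/newcerts" "$dir/crl" "$dir/private"
    touch "$dir/index.txt"          # certificate database (step 1)
    echo 01 > "$dir/serial"         # next serial number
    echo 01 > "$dir/crlnumber"      # next CRL number
    cat > "$dir/openssl.cnf" <<EOF
[ ca ]
default_ca = demo_ca
[ demo_ca ]
dir = $dir
database = \$dir/index.txt
new_certs_dir = \$dir/newcerts
certificate = \$dir/cacert.pem
private_key = \$dir/private/cakey.pem
serial = \$dir/serial
crlnumber = \$dir/crlnumber
default_md = sha256
default_crl_days = 30
policy = policy_anything
[ policy_anything ]
commonName = supplied
[ req ]
distinguished_name = dn
x509_extensions = v3_ca
[ dn ]
[ v3_ca ]
basicConstraints = critical,CA:TRUE
EOF
    cfg=$dir/openssl.cnf
    # step 2: CA private key (owner-only via umask) and self-signed CA certificate
    (umask 077; openssl genrsa -out "$dir/private/cakey.pem" 2048 2>/dev/null)
    openssl req -new -x509 -key "$dir/private/cakey.pem" -days 7300 -subj "/CN=Demo Private CA" -config "$cfg" -out "$dir/cacert.pem"
    # step 3: the requesting host makes a key and CSR, the CA signs it (-batch skips the prompt)
    (umask 077; openssl genrsa -out "$dir/httpd.key" 2048 2>/dev/null)
    openssl req -new -key "$dir/httpd.key" -subj "/CN=www.example.test" -config "$cfg" -out "$dir/httpd.csr"
    openssl ca -batch -config "$cfg" -in "$dir/httpd.csr" -out "$dir/certs/httpd.crt" -days 365 >/dev/null 2>&1
    openssl verify -CAfile "$dir/cacert.pem" "$dir/certs/httpd.crt" >/dev/null
    # step 4: revoke by serial (the first issued cert is newcerts/01.pem) and regenerate the CRL
    openssl ca -config "$cfg" -revoke "$dir/newcerts/01.pem" >/dev/null 2>&1
    openssl ca -config "$cfg" -gencrl -out "$dir/crl/demo.crl" >/dev/null 2>&1
    # a client checking the CRL must now reject the certificate as revoked
    openssl verify -crl_check -CAfile "$dir/cacert.pem" -CRLfile "$dir/crl/demo.crl" "$dir/certs/httpd.crt" 2>&1 | grep -q 'certificate revoked'
}
```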