Linux: implementing FTPS with FTP + SSL
FTPS and SFTP:
FTPS encrypts FTP with the SSL protocol; SSL was designed as an encryption layer for protocols such as HTTP and SMTP. SFTP encrypts with SSH; SSH was designed to replace TELNET and FTP by establishing an encrypted transmission channel. Once SSH has set up that channel it can be used for remote login, and the same encrypted channel can carry file transfers.
Put simply: FTPS means FTP over SSL, that is, FTP whose transmission is encrypted by the SSL protocol, so it needs both an FTP server and SSL encryption. SFTP is a separate protocol that runs inside SSH and transfers data through an SFTP server.
Below, the author uses SSL to implement secure transmission, that is, FTPS:
FTP + SSL = FTPS (encryption at the transport layer).
SSL authentication comes in two forms: 1. password authentication only; 2. SSL certificate authentication, which requires setting up a CA server.
Experiment plan: first install the Wireshark packet-capture tool and capture traffic without a CA server, then look at what the capture shows. Next install a CA server and issue a certificate for the FTP server. Capture again and compare. Note: in this experiment the CA server runs on the same host as the FTP server.
Create a user:
# useradd user1    # create user1 for the packet-capture test
# passwd user1
Install Wireshark:
# mkdir /mnt/cdrom
# mount /dev/cdrom /mnt/cdrom/
# cd /mnt/cdrom/server/
# vim /etc/yum.repos.d/rhel-debuginfo.repo    # edit the local yum repository configuration
# yum install wireshark -y    # install the wireshark packet-capture tool
Install vsftpd:
# rpm -ivh vsftpd-2.0.5-16.el5.i386.rpm
# service vsftpd start
Use the packet-capture tool to see what is captured when SSL is not used:
# tshark -ni eth0 -R "tcp.dstport eq 21"    # the client must connect to port 21 to establish the control connection, so capture traffic to port 21
(On tshark 1.10 and later the display filter is given with -Y instead of -R.)
The user name and password are exposed in clear text in the capture.
Build the CA server:
# cd /etc/pki/tls/
# vim openssl.cnf
(The screenshots showed the edits made to openssl.cnf for the CA.)
# cd /etc/pki/CA/    # switch to the directory that holds the CA server's files
# mkdir certs        # directory for issued certificates
# mkdir newcerts     # directory for newly issued certificates
# mkdir crl          # certificate revocation lists
# touch index.txt
# touch serial
# echo 01 > serial   # give serial an initial value (01 is the conventional first serial number)
# openssl genrsa 1024 > private/cakey.pem    # generate a key with the RSA asymmetric algorithm, 1024 bits, and store it in private/cakey.pem
# chmod 600 private/cakey.pem    # nobody else may read the private key, so cakey.pem is set to 600: only the owning user can read and write it
# openssl req -new -key private/cakey.pem -x509 -out cacert.pem -days 3650    # use the CA server's own private key cakey.pem to generate its self-signed certificate cacert.pem
# mkdir -pv /etc/vsftpd/certs    # create a directory for vsftpd's certificate, certificate request and key
# cd /etc/vsftpd/certs/
# openssl genrsa 1024 > vsftpd.key    # generate a 1024-bit RSA key, vsftpd.key
# openssl req -new -key vsftpd.key -out vsftpd.csr    # use the private key vsftpd.key to generate the certificate request file vsftpd.csr
# openssl ca -in vsftpd.csr -out vsftpd.cert    # have the CA sign the request file, producing the certificate vsftpd.cert
# chmod 600 *    # set every file in this directory to 600, so only the owning user can read and write them
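The following script is added here as an example and is not part of the original article. It carries out the same CA procedure end to end in a scratch directory: it builds the CA directory layout, generates the CA key and self-signed certificate, creates the vsftpd key and certificate request, signs the request with the CA, and finally checks with openssl verify that vsftpd.cert really chains to cacert.pem, a check the article leaves to the packet capture. The minimal openssl.cnf it writes stands in for the edits the article makes to /etc/pki/tls/openssl.cnf. The subject names, the host name ftp.example.test and the 2048-bit key size are choices made for this example; the article uses 1024-bit keys, which are below current minimums.

```shell
#!/bin/sh
# Added example (not the article's own commands): a lab-scale CA that mirrors the
# article's steps and verifies the result. Everything lives under a temporary
# directory; nothing touches /etc. Names, host name and key size are assumptions.
set -eu

# Build the CA layout the article creates by hand under /etc/pki/CA, but in $1.
setup_ca_dir() {
    ca_dir="$1"
    mkdir -p "$ca_dir/certs" "$ca_dir/newcerts" "$ca_dir/crl" "$ca_dir/private"
    chmod 700 "$ca_dir/private"     # CA private key directory: owner only
    : > "$ca_dir/index.txt"         # empty certificate database
    echo 01 > "$ca_dir/serial"      # first serial number the CA will issue
    # Minimal openssl.cnf: the same knobs the article edits in /etc/pki/tls/openssl.cnf.
    cat > "$ca_dir/openssl.cnf" <<EOF
[ ca ]
default_ca = CA_default

[ CA_default ]
dir            = $ca_dir
database       = \$dir/index.txt
new_certs_dir  = \$dir/newcerts
serial         = \$dir/serial
certificate    = \$dir/cacert.pem
private_key    = \$dir/private/cakey.pem
default_md     = sha256
default_days   = 365
policy         = policy_lab
unique_subject = no

[ policy_lab ]
commonName             = supplied
organizationName       = optional
countryName            = optional
stateOrProvinceName    = optional
localityName           = optional
organizationalUnitName = optional
emailAddress           = optional

[ req ]
distinguished_name = req_dn

[ req_dn ]
commonName = Common Name

[ v3_ca ]
basicConstraints     = critical, CA:true
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash

[ ftps_server ]
basicConstraints = CA:false
keyUsage         = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName   = DNS:ftp.example.test
EOF
}

# Generate the CA key and its self-signed certificate (10 years, as in the article).
make_ca() {
    ca_dir="$1"; cfg="$ca_dir/openssl.cnf"
    openssl genrsa -out "$ca_dir/private/cakey.pem" 2048 >/dev/null 2>&1
    chmod 600 "$ca_dir/private/cakey.pem"
    openssl req -new -x509 -key "$ca_dir/private/cakey.pem" \
        -out "$ca_dir/cacert.pem" -days 3650 -sha256 \
        -config "$cfg" -extensions v3_ca -subj "/CN=Lab FTPS CA"
}

# Generate the vsftpd key, a request for it, and have the CA sign the request.
make_server_cert() {
    ca_dir="$1"; out_dir="$2"; cfg="$ca_dir/openssl.cnf"
    mkdir -p "$out_dir"
    openssl genrsa -out "$out_dir/vsftpd.key" 2048 >/dev/null 2>&1
    openssl req -new -key "$out_dir/vsftpd.key" -out "$out_dir/vsftpd.csr" \
        -config "$cfg" -subj "/CN=ftp.example.test"
    openssl ca -batch -config "$cfg" -extensions ftps_server -notext \
        -in "$out_dir/vsftpd.csr" -out "$out_dir/vsftpd.cert" >/dev/null 2>&1
    chmod 600 "$out_dir"/*          # as in the article: only the owner may read these
}

# Check that the issued certificate chains to the CA; prints OK or FAIL.
verify_chain() {
    if openssl verify -CAfile "$1/cacert.pem" "$2/vsftpd.cert" >/dev/null 2>&1; then
        echo OK
    else
        echo FAIL
    fi
}

# Run the whole procedure in a scratch directory and print the verification result.
run_demo() {
    work="$(mktemp -d)"
    setup_ca_dir "$work/CA"
    make_ca "$work/CA"
    make_server_cert "$work/CA" "$work/certs"
    result="$(verify_chain "$work/CA" "$work/certs")"
    rm -rf "$work"
    echo "$result"
}

run_demo
```

Run it as sh ftps_ca_demo.sh; it prints OK. The leaf certificate carries a subjectAltName and the serverAuth extended key usage, so the same files would also satisfy current FTPS clients that check the server name, which a bare "openssl ca" invocation with the stock configuration does not guarantee.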
Associate the issued certificate with vsftpd:
# vim /etc/vsftpd/vsftpd.conf
(The screenshot showed the SSL settings added to vsftpd.conf.)
# service vsftpd restart
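The vsftpd.conf settings themselves are only shown in the article's screenshot. The script below is an added example, not the article's configuration: it audits a vsftpd.conf for the directives that decide whether FTPS is mandatory or merely offered, using two configuration samples constructed for this example. The directive names and their defaults are vsftpd's own (see vsftpd.conf(5)); the file contents and certificate paths are made up here.

```shell
#!/bin/sh
# Added example (not from the article): audit a vsftpd.conf for the SSL settings
# that make FTPS mandatory. Both samples below are constructed for this example.
set -eu

# Sample 1 (constructed): ssl_enable=YES, but logins and data are still allowed in clear.
WEAK_CONF='listen=YES
local_enable=YES
ssl_enable=YES
rsa_cert_file=/etc/vsftpd/certs/vsftpd.cert
rsa_private_key_file=/etc/vsftpd/certs/vsftpd.key
force_local_logins_ssl=NO
force_local_data_ssl=NO
ssl_sslv2=YES
ssl_sslv3=YES
ssl_tlsv1=YES'

# Sample 2 (constructed): the hardened equivalent.
HARDENED_CONF='listen=YES
local_enable=YES
ssl_enable=YES
allow_anon_ssl=NO
rsa_cert_file=/etc/vsftpd/certs/vsftpd.cert
rsa_private_key_file=/etc/vsftpd/certs/vsftpd.key
force_local_logins_ssl=YES
force_local_data_ssl=YES
ssl_sslv2=NO
ssl_sslv3=NO
ssl_tlsv1=YES'

# conf_value FILE KEY DEFAULT: print KEY's value (last occurrence wins) or DEFAULT
# when the key is absent, which is how vsftpd itself treats a missing directive.
conf_value() {
    v="$(sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1)"
    [ -n "$v" ] && printf '%s\n' "$v" || printf '%s\n' "$3"
}

# audit_vsftpd_ssl FILE: print one finding per line; print nothing when clean.
# Defaults passed to conf_value are the ones documented in vsftpd.conf(5).
audit_vsftpd_ssl() {
    f="$1"
    [ "$(conf_value "$f" ssl_enable NO)" = YES ] \
        || echo "ssl_enable=NO: TLS is never offered, everything travels in clear text"
    [ "$(conf_value "$f" force_local_logins_ssl YES)" = YES ] \
        || echo "force_local_logins_ssl=NO: clients may still send USER/PASS in clear text"
    [ "$(conf_value "$f" force_local_data_ssl YES)" = YES ] \
        || echo "force_local_data_ssl=NO: file contents may still cross the wire in clear text"
    [ "$(conf_value "$f" ssl_sslv2 NO)" = NO ] \
        || echo "ssl_sslv2=YES: obsolete protocol version enabled"
    [ "$(conf_value "$f" ssl_sslv3 NO)" = NO ] \
        || echo "ssl_sslv3=YES: obsolete protocol version enabled"
    return 0
}

# finding_count CONF_TEXT: audit an inline configuration and print the number of findings.
finding_count() {
    tmp="$(mktemp)"
    printf '%s\n' "$1" > "$tmp"
    n="$(audit_vsftpd_ssl "$tmp" | wc -l | tr -d ' ')"
    rm -f "$tmp"
    echo "$n"
}

# report NAME CONF_TEXT: print the findings for one sample.
report() {
    tmp="$(mktemp)"
    printf '%s\n' "$2" > "$tmp"
    echo "== $1 =="
    audit_vsftpd_ssl "$tmp"
    rm -f "$tmp"
}

report "weak sample" "$WEAK_CONF"
report "hardened sample" "$HARDENED_CONF"
```

To audit a live server, call audit_vsftpd_ssl /etc/vsftpd/vsftpd.conf directly. The weak sample passes a superficial "is SSL on?" check while still letting a client log in without TLS, which is exactly the case the article's second packet capture is meant to rule out.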
Test with FlashFXP as the client:
# tshark -ni eth0 -R "tcp.dstport eq 21"    # capture again to see whether the user name and password can still be obtained
Capture result: the user name and password can no longer be obtained.
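The article judges both captures by eye. As an added example, not part of the original post, the script below classifies a tshark control-channel capture the same way: a PASS command visible in the summary means the login crossed the wire in clear text, while AUTH TLS followed by TLS records means the session was protected. The two captures are constructed to resemble the one-line summaries tshark prints for the article's "tcp.dstport eq 21" filter; the addresses, user name and password are made up.

```shell
#!/bin/sh
# Added example (not from the article): classify tshark output for the FTP control
# channel. Both capture samples are constructed for this example.
set -eu

# Before FTPS (constructed): the login goes over the wire in clear text.
BEFORE_CAPTURE='  0.000000 10.0.0.5 -> 10.0.0.1 TCP 49152 > 21 [SYN] Seq=0
  0.001200 10.0.0.5 -> 10.0.0.1 FTP Request: USER user1
  0.002100 10.0.0.5 -> 10.0.0.1 FTP Request: PASS s3cret
  0.003000 10.0.0.5 -> 10.0.0.1 FTP Request: SYST'

# After FTPS (constructed): AUTH TLS is the last clear-text command; the rest is TLS.
AFTER_CAPTURE='  0.000000 10.0.0.5 -> 10.0.0.1 TCP 49153 > 21 [SYN] Seq=0
  0.001100 10.0.0.5 -> 10.0.0.1 FTP Request: AUTH TLS
  0.004000 10.0.0.5 -> 10.0.0.1 SSL Client Hello
  0.009000 10.0.0.5 -> 10.0.0.1 TLSv1 Application Data'

# classify_capture FILE -> cleartext-login, tls-negotiated or no-login-seen
classify_capture() {
    if grep -q 'FTP Request: PASS ' "$1"; then
        echo cleartext-login          # a password was observable on the wire
    elif grep -q 'FTP Request: AUTH TLS' "$1"; then
        echo tls-negotiated           # credentials travelled inside the TLS session
    else
        echo no-login-seen
    fi
}

# cleartext_users FILE -> user names sent with USER in the clear, one per line.
# The password is deliberately never printed; the finding is that it was visible at all.
cleartext_users() {
    sed -n 's/.*FTP Request: USER \([^ ]*\).*/\1/p' "$1" | sort -u
}

# with_capture TEXT FUNC: write an inline capture to a scratch file and apply FUNC to it.
with_capture() {
    tmp="$(mktemp)"
    printf '%s\n' "$1" > "$tmp"
    "$2" "$tmp"
    rm -f "$tmp"
}

echo "before FTPS: $(with_capture "$BEFORE_CAPTURE" classify_capture)"
echo "  users seen in clear: $(with_capture "$BEFORE_CAPTURE" cleartext_users)"
echo "after FTPS:  $(with_capture "$AFTER_CAPTURE" classify_capture)"
```

On a real capture file, run classify_capture against the output of the article's tshark command saved to a file. Note that AUTH TLS only proves the control channel was protected; whether the data channel is also encrypted depends on the server's force_local_data_ssl setting.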
This article is from the "Mr_computer" blog; please keep this source when reproducing it: http://caochun.blog.51cto.com/4497308/1566876