OpenSSH and OpenSSL create a private CA

Tags: openssl, x509, scp command, ssh access, strong password, dropbear

SSH: Secure Shell, a protocol that listens on TCP port 22 and provides a secure remote login service.

OpenSSH: the open-source implementation of the SSH protocol.

Dropbear: another open-source implementation.


SSH protocol versions:

v1: message authentication (MAC) is based on CRC-32; insecure and vulnerable to man-in-the-middle attacks.

v2: the two hosts negotiate a secure MAC algorithm.

Key exchange is based on the DH algorithm; authentication is based on the RSA or DSA algorithm.

User login authentication works in two ways:

Password-based: checked against the system password database (passwd).

Key-based.

OpenSSH:

C (client): ssh, scp, sftp

Windows clients: Xshell, PuTTY, SecureCRT, SSH Secure Shell Client

S (server): sshd

Client components:

ssh, config file: /etc/ssh/ssh_config

Format: ssh [user@]host [COMMAND] (if user is omitted, the user currently logged in on the local Linux system is used)

ssh [-l user] host [COMMAND] (-l specifies the login user)

-p PORT: port the remote server listens on; the default is 22

-X: enable X11 forwarding

-Y: enable trusted X11 forwarding

Per-host settings in ssh_config (or ~/.ssh/config) take the form:

Host PATTERN
    PARAMETER VALUE

# ssh user@host 'hostname'     (runs the command on the remote host without opening an interactive login)

Key-based authentication:

(1) Create a key pair on the client

# ssh-keygen -t rsa [-P ''] [-f ~/.ssh/id_rsa]

(2) Copy the public key into the home directory of the corresponding user on the remote server

# ssh-copy-id [-i identity_file] [user@]machine

(3) Test the login

scp command: copies files across hosts

scp [options] SRC... DEST

There are two scenarios:

PULL: scp [options] [user@]host:/path/to/somewhere /path/to/somewhere

PUSH: scp [options] /path/from/somefile [user@]host:/path/to/somewhere

Common options:

-r: recursive copy, used for directories

-p: preserve the source file's attributes (mode, timestamps)

-q: quiet mode

-P port: port the remote host listens on

-X:

sftp command:

sftp [user@]host

sftp> help

Server side:

sshd, config file: /etc/ssh/sshd_config

Common parameters:

Port 22022

ListenAddress IP

PermitRootLogin yes      (whether root may log in directly)

To restrict which users may log in:

AllowUsers user1 user2   (space-separated)

AllowGroups

Best practices for the SSH service:

1. Do not use the default port.

2. Disable protocol version 1.

3. Limit which users may log in (add a line such as AllowUsers root centos to the configuration file).

4. Set an idle session timeout.

5. Use the firewall to set an SSH access policy.

6. Listen only on specific IP addresses.

7. With password-based authentication, use a strong password policy and do not reuse the same password across servers; a random password can be generated with:

# tr -dc A-Za-z0-9_ </dev/urandom | head -c 30 | xargs

8. Use key-based authentication whenever possible.

9. Do not allow empty passwords.

10. Disable direct root login.

11. Limit the rate of SSH connections and the number of concurrent sessions.

12. Keep logs and analyse them regularly.
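The list above as a check you can run, added here as an example that is not part of the original post: a POSIX shell script that audits an sshd_config for the weak settings the items name and shows the hardened counterpart. Both configuration samples are constructed for the demonstration; the address 192.0.2.10 and the user names admin and deploy are placeholders.

```shell
#!/bin/sh
# Added example, not from the original post: audit an sshd_config against the
# best-practices list above. Both samples are constructed; the address and the
# user names in the hardened one are placeholders.

# Constructed sample that violates most of the list (default port, protocol 1,
# direct root login, empty passwords allowed, no idle timeout, no AllowUsers).
WEAK_SSHD_CONFIG='Port 22
Protocol 1,2
PermitRootLogin yes
PasswordAuthentication yes
PermitEmptyPasswords yes
#ClientAliveInterval 300
'

# Hardened counterpart of the same file (items 1, 2, 3, 4, 6, 8, 9, 10, 11, 12).
HARDENED_SSHD_CONFIG='Port 22022
ListenAddress 192.0.2.10
Protocol 2
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
PermitEmptyPasswords no
AllowUsers admin deploy
ClientAliveInterval 300
ClientAliveCountMax 0
MaxAuthTries 3
MaxStartups 10:30:60
LogLevel VERBOSE
'

# effective_value CONFIG KEYWORD: print the value sshd would use for KEYWORD.
# sshd takes the first uncommented match; keywords are case-insensitive.
effective_value() {
    printf '%s\n' "$1" | awk -v key="$2" '
        $1 !~ /^#/ && tolower($1) == tolower(key) { print $2; exit }'
}

# audit_sshd_config CONFIG: print one finding per line (nothing when clean).
audit_sshd_config() {
    cfg=$1

    port=$(effective_value "$cfg" Port)
    [ -n "$port" ] && [ "$port" != 22 ] || echo "Port: default port 22 in use (item 1)"

    proto=$(effective_value "$cfg" Protocol)
    case ",$proto," in
        *,1,*) echo "Protocol: version 1 enabled (item 2)" ;;
    esac

    [ -n "$(effective_value "$cfg" AllowUsers)$(effective_value "$cfg" AllowGroups)" ] \
        || echo "AllowUsers/AllowGroups: no login restriction (item 3)"

    idle=$(effective_value "$cfg" ClientAliveInterval)
    [ -n "$idle" ] && [ "$idle" != 0 ] || echo "ClientAliveInterval: no idle timeout (item 4)"

    [ "$(effective_value "$cfg" PasswordAuthentication)" = no ] \
        || echo "PasswordAuthentication: passwords accepted, prefer keys (item 8)"

    [ "$(effective_value "$cfg" PermitEmptyPasswords)" != yes ] \
        || echo "PermitEmptyPasswords: empty passwords allowed (item 9)"

    # Anything other than "no" (including prohibit-password) is reported,
    # because item 10 asks for direct root login to be disabled entirely.
    [ "$(effective_value "$cfg" PermitRootLogin)" = no ] \
        || echo "PermitRootLogin: direct root login allowed (item 10)"
}

# count_findings CONFIG: number of findings, 0 for a clean file.
count_findings() {
    audit_sshd_config "$1" | awk 'END { print NR }'
}

echo "weak config: $(count_findings "$WEAK_SSHD_CONFIG") findings"
audit_sshd_config "$WEAK_SSHD_CONFIG"
echo "hardened config: $(count_findings "$HARDENED_SSHD_CONFIG") findings"
```

To audit a real file, pass its contents: audit_sshd_config "$(cat /etc/ssh/sshd_config)". The check reads the first uncommented occurrence of each keyword, which is also how sshd resolves duplicates, so a hardened line placed below an earlier weak one is correctly reported as ineffective.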

Another implementation of the SSH protocol: dropbear

(1) Generate the host keys:

# dropbearkey -t rsa -f /etc/dropbear/dropbear_rsa_host_key -s 2048

# dropbearkey -t dss -f /etc/dropbear/dropbear_dss_host_key

(2) Start the server:

# dropbear -p [IP:]port -F -E     (-F: stay in the foreground, -E: log to stderr)

OpenSSL

Three components:

openssl: multi-purpose command-line tool

libcrypto: encryption and decryption library

libssl: implementation of the SSL/TLS protocol

PKI: Public Key Infrastructure

CA: Certificate Authority (issues certificates)

RA: Registration Authority

CRL: Certificate Revocation List

Certificate repository

Tools for establishing a private CA:

OpenCA

openssl

Certificate application and issuing procedure:

1. Generate a certificate signing request

2. The RA verifies the applicant

3. The CA signs the certificate

4. Obtain the certificate and use it

How to create a private CA:

OpenSSL configuration file: /etc/pki/tls/openssl.cnf (its [ CA_default ] section defines the CA directory, /etc/pki/CA on CentOS, and the files used below)

(1) Create the required files (in /etc/pki/CA)

# touch index.txt

# echo 01 > serial

(2) CA self-signed certificate

# (umask 077; openssl genrsa -out /etc/pki/CA/private/cakey.pem 2048)

# openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -days 7300 -out /etc/pki/CA/cacert.pem

-new: generate a new certificate signing request;

-x509: for the CA only, output a self-signed certificate instead of a request;

-key: the private key file used to generate the request;

-days N: validity period of the certificate in days;

-out /path/to/somecertfile: path to save the certificate;

(3) Issuing certificates

(a) Generate a certificate request on the host that will use the certificate;

# (umask 077; openssl genrsa -out /etc/httpd/ssl/httpd.key 2048)

# openssl req -new -key /etc/httpd/ssl/httpd.key -days 365 -out /etc/httpd/ssl/httpd.csr

(b) Transfer the request file to the CA (for example with scp);

(c) The CA signs the certificate and sends it back to the requester;

# openssl ca -in /tmp/httpd.csr -out /etc/pki/CA/certs/httpd.crt -days 365

To view the information in a certificate:

# openssl x509 -in /path/from/cert_file -noout -text|-subject|-serial

(4) Revoking certificates

(a) The client obtains the serial number of the certificate to be revoked

# openssl x509 -in /path/from/cert_file -noout -serial -subject

(b) The CA compares the serial and subject submitted by the client with the entry in index.txt to make sure they match, then revokes the certificate:

# openssl ca -revoke /etc/pki/CA/newcerts/SERIAL.pem

(c) Generate the revocation list number (only the first time a certificate is revoked)

# echo 01 > /etc/pki/CA/crlnumber

(d) Update the certificate revocation list

# openssl ca -gencrl -out thisca.crl

To view the CRL file:

# openssl crl -in /path/from/crl_file.crl -noout -text
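The whole procedure, steps (1) to (4), as an added example that is not part of the original post: a POSIX shell script that builds a throwaway private CA under a temporary directory with its own openssl.cnf (so it needs neither root nor /etc/pki/CA), issues a server certificate from a CSR, verifies it, revokes it, republishes the CRL and shows that verification against the CRL then fails. The CA name, the host name www.example.test and all paths are placeholders; the openssl command-line tool must be installed.

```shell
#!/bin/sh
# Added example, not from the original post: a throwaway private CA driven by
# its own openssl.cnf instead of /etc/pki/tls/openssl.cnf, so it runs as an
# unprivileged user. CA name, host name and paths are placeholders.
set -eu

# make_ca_config CA_DIR: minimal config for the openssl ca/req commands below.
# copy_extensions=copy imports the CSR's SAN, but extensions already set in
# server_cert win, so a requester cannot smuggle in CA:TRUE.
make_ca_config() {
    cat > "$1/openssl.cnf" <<EOF
[ ca ]
default_ca = private_ca
[ private_ca ]
dir              = $1
new_certs_dir    = \$dir/newcerts
database         = \$dir/index.txt
serial           = \$dir/serial
crlnumber        = \$dir/crlnumber
certificate      = \$dir/cacert.pem
private_key      = \$dir/private/cakey.pem
default_md       = sha256
default_days     = 365
default_crl_days = 30
policy           = policy_any
x509_extensions  = server_cert
copy_extensions  = copy
[ policy_any ]
commonName       = supplied
organizationName = optional
[ server_cert ]
basicConstraints       = CA:FALSE
keyUsage               = critical, digitalSignature, keyEncipherment
extendedKeyUsage       = serverAuth
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid, issuer
[ req ]
distinguished_name = req_dn
x509_extensions    = v3_ca
[ req_dn ]
commonName = Common Name
[ v3_ca ]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
}
# build_private_ca CA_DIR: steps (1) and (2) above, plus an initial empty CRL.
build_private_ca() {
    mkdir -p "$1/private" "$1/newcerts" "$1/certs" && chmod 700 "$1/private"
    touch "$1/index.txt"; echo 01 > "$1/serial"; echo 01 > "$1/crlnumber"
    make_ca_config "$1"
    (umask 077; openssl genrsa -out "$1/private/cakey.pem" 2048 2>/dev/null)
    openssl req -new -x509 -config "$1/openssl.cnf" -key "$1/private/cakey.pem" \
        -days 7300 -subj "/CN=Example Private CA" -out "$1/cacert.pem"
    publish_crl "$1"
}

# issue_server_cert CA_DIR WORK_DIR CN: step (3). The applicant's key and CSR
# live in WORK_DIR (normally another host); the CA writes CA_DIR/certs/CN.crt.
issue_server_cert() {
    mkdir -p "$2"
    (umask 077; openssl genrsa -out "$2/httpd.key" 2048 2>/dev/null)
    openssl req -new -config "$1/openssl.cnf" -key "$2/httpd.key" \
        -subj "/CN=$3" -addext "subjectAltName=DNS:$3" -out "$2/httpd.csr"
    openssl ca -batch -notext -config "$1/openssl.cnf" -in "$2/httpd.csr" \
        -days 365 -out "$1/certs/$3.crt"
}

# cert_serial CERT: what the client submits when asking for revocation (4a).
cert_serial() { openssl x509 -in "$1" -noout -serial; }
# publish_crl CA_DIR: step (4d), regenerate CA_DIR/thisca.crl from index.txt.
publish_crl() { openssl ca -config "$1/openssl.cnf" -gencrl -out "$1/thisca.crl"; }
# revoke_cert CA_DIR CERT: step (4b), then republish the CRL.
revoke_cert() { openssl ca -config "$1/openssl.cnf" -revoke "$2"; publish_crl "$1"; }
# crl_revoked_serials CA_DIR: serial numbers listed in the current CRL.
crl_revoked_serials() {
    openssl crl -in "$1/thisca.crl" -noout -text | awk '/Serial Number:/ { print $3 }'
}

# verify_with_crl CA_DIR CERT: succeed only if CERT chains to the CA and is not
# in the CRL; a relying party must check the CRL, not just the chain.
verify_with_crl() {
    openssl verify -CAfile "$1/cacert.pem" -crl_check -CRLfile "$1/thisca.crl" \
        "$2" >/dev/null 2>&1
}
demo_private_ca() {
    top=$(mktemp -d); crt="$top/CA/certs/www.example.test.crt"
    build_private_ca "$top/CA"
    issue_server_cert "$top/CA" "$top/www" www.example.test
    cert_serial "$crt"                                          # serial=01
    verify_with_crl "$top/CA" "$crt" && echo "before revocation: valid"
    revoke_cert "$top/CA" "$crt"
    echo "revoked serials: $(crl_revoked_serials "$top/CA")"    # 01
    verify_with_crl "$top/CA" "$crt" || echo "after revocation: rejected"
    rm -rf "$top"
}
if command -v openssl >/dev/null 2>&1; then demo_private_ca; fi
```

The commands are the same ones the procedure above runs against /etc/pki/CA; only the -config option points them at the temporary directory. Two details matter for a real deployment: the CA's constraints (server_cert) are what bound a certificate, not whatever the CSR asks for, and a relying party that checks only the chain will keep accepting a revoked certificate until it also consults the CRL, which is why verify_with_crl passes -crl_check.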

Blog assignment: encryption and decryption basics, PKI and SSL, creating a private CA.

