FTP Service Study Notes: SSL/TLS Authentication Configuration (3)

Configured on Redhat5.8_X64bit

I. Experiment overview

Operating system: Redhat5.8_x64bit

Lab platform: VMware Workstation

Goal: configure the FTP service with SSL/TLS-based secure authentication

II. Steps

1. Install vsftpd

#yum install vsftpd

#rpm -ql vsftpd

#service vsftpd start

#chkconfig vsftpd on

2. Set up the CA

#cd /etc/pki/CA

#mkdir certs newcerts crl

#touch index.txt

#echo 1 > serial

/* Generate the CA private key (umask 077 makes the key file readable by root only) */

# (umask 077; openssl genrsa -out private/cakey.pem 2048)

Generating RSA private key, 2048 bit long modulus

...............................................+++

...........................................+++

e is 65537 (0x10001)

/* Generate the self-signed CA certificate */

# openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 3650

You are about to be asked to enter information that will be incorporated

into your certificate request.

What you are about to enter is what is called a Distinguished Name or a DN.

There are quite a few fields but you can leave some blank

For some fields there will be a default value,

If you enter '.', the field will be left blank.

-----

Country Name (2 letter code) [GB]:CN

State or Province Name (full name) [Berkshire]:Beijing

Locality Name (eg, city) [Newbury]:fengtai

Organization Name (eg, company) [My Company Ltd]:zengxin

Organizational Unit Name (eg, section) :Tech

Common Name (eg, your name or your server‘s hostname) []:ca.zengxin.com

Email Address []:[email protected]

3. Generate the vsftpd private key and certificate request

# mkdir /etc/vsftpd/ssl   // create the ssl directory

# cd /etc/vsftpd/ssl/

/* Generate the vsftpd private key */

# (umask 077; openssl genrsa -out vsftpd.key 2048)

Generating RSA private key, 2048 bit long modulus

.............................................+++

.........+++

e is 65537 (0x10001)

/* Generate the certificate signing request; the Common Name must be the hostname clients will connect to */

# openssl req -new -key vsftpd.key -out vsftpd.csr

You are about to be asked to enter information that will be incorporated

into your certificate request.

What you are about to enter is what is called a Distinguished Name or a DN.

There are quite a few fields but you can leave some blank

For some fields there will be a default value,

If you enter '.', the field will be left blank.

-----

Country Name (2 letter code) [GB]:CN

State or Province Name (full name) [Berkshire]:Beijing

Locality Name (eg, city) [Newbury]:fengtai

Organization Name (eg, company) [My Company Ltd]:zengxin

Organizational Unit Name (eg, section) :Tech

Common Name (eg, your name or your server‘s hostname) []:ftp.zengxin.com

Email Address []:

Please enter the following 'extra' attributes

to be sent with your certificate request

A challenge password []:

An optional company name []:

4. Edit openssl.cnf

# vim /etc/pki/tls/openssl.cnf

In the [ CA_default ] section, change

dir  = ../../CA

to

dir  = /etc/pki/CA

The relative default only resolves when openssl ca is run from a particular working directory; with the absolute path the signing step below can be run from /etc/vsftpd/ssl.

5. Have the CA sign the server certificate

# openssl ca -in vsftpd.csr -out vsftpd.crt

Using configuration from /etc/pki/tls/openssl.cnf

Check that the request matches the signature

Signature ok

Certificate Details:

Serial Number: 1 (0x1)

Validity

Not Before: Nov 28 08:04:32 2015 GMT

Not After : Nov 27 08:04:32 2016 GMT

Subject:

countryName               = CN

stateOrProvinceName       = Beijing

organizationName          = zengxin

organizationalUnitName    = Tech

commonName                = ftp.zengxin.com

X509v3 extensions:

X509v3 Basic Constraints:

CA:FALSE

Netscape Comment:

OpenSSL Generated Certificate

X509v3 Subject Key Identifier:

50:C5:C8:45:52:CF:CB:CD:0B:AD:96:4E:1A:93:6D:3C:2D:F9:4A:7E

X509v3 Authority Key Identifier:

keyid:1C:A1:73:10:D1:5D:D2:C5:CE:CB:89:FB:18:2E:C2:BA:93:50:F7:25

Certificate is to be certified until Nov 27 08:04:32 2016 GMT (365 days)

Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y

Write out database with 1 new entries

Data Base Updated

Two details of the output come from openssl.cnf rather than from the request: the Subject has no localityName because the default policy_match section does not list that field, so it is dropped from the issued certificate, and the one-year validity is default_days (the -days option of openssl ca overrides it).
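Steps 2 to 5 (CA set-up, server key, CSR, signing) collapsed into one non-interactive script, with the checks worth running before pointing vsftpd at the files. This is an added example and not part of the original notes: it assumes the openssl command-line tool is on PATH, writes its own small openssl.cnf instead of editing the global /etc/pki/tls/openssl.cnf, and adds a subjectAltName and key-usage extensions that the notes' certificate does not carry. The directory layout, DN values and validity periods are the ones used in the notes.

```shell
#!/bin/sh
# Added example, not from the original notes: steps 2-5 (CA, server key,
# CSR, signing) as one non-interactive function, plus the checks to run
# before restarting vsftpd. Assumes the openssl CLI is on PATH. It uses its
# own openssl.cnf instead of editing /etc/pki/tls/openssl.cnf; the
# subjectAltName and key-usage extensions are additions to what the notes
# produce.

build_vsftpd_pki() {
    ca_dir="$1"     # CA working directory (the notes use /etc/pki/CA)
    out_dir="$2"    # where vsftpd.key/vsftpd.crt go (the notes use /etc/vsftpd/ssl)
    ftp_host="$3"   # hostname clients connect to; becomes CN and subjectAltName
    cfg="$ca_dir/openssl.cnf"

    # 1. Directory layout and database files that `openssl ca` expects
    mkdir -p "$ca_dir/certs" "$ca_dir/newcerts" "$ca_dir/crl" \
             "$ca_dir/private" "$out_dir" || return 1
    chmod 700 "$ca_dir/private"
    : > "$ca_dir/index.txt"
    echo 01 > "$ca_dir/serial"

    # 2. Private config. The `dir` line is the one the notes patch in step 4;
    #    policy_match is why the issued cert carries no localityName.
    cat > "$cfg" <<EOF
[ ca ]
default_ca = CA_default

[ CA_default ]
dir              = $ca_dir
new_certs_dir    = \$dir/newcerts
database         = \$dir/index.txt
serial           = \$dir/serial
certificate      = \$dir/cacert.pem
private_key      = \$dir/private/cakey.pem
default_md       = sha256
default_days     = 365
unique_subject   = no
policy           = policy_match
x509_extensions  = server_cert

[ policy_match ]
countryName            = match
stateOrProvinceName    = match
organizationName       = match
organizationalUnitName = optional
commonName             = supplied
emailAddress           = optional

[ req ]
distinguished_name = req_dn
x509_extensions    = ca_cert

[ req_dn ]

[ ca_cert ]
basicConstraints       = critical, CA:TRUE
keyUsage               = critical, keyCertSign, cRLSign
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid:always

[ server_cert ]
basicConstraints       = CA:FALSE
keyUsage               = critical, digitalSignature, keyEncipherment
extendedKeyUsage       = serverAuth
subjectAltName         = DNS:$ftp_host
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid,issuer
EOF

    # 3. CA key (mode 0600 via umask) and 10-year self-signed CA certificate
    (umask 077; openssl genrsa -out "$ca_dir/private/cakey.pem" 2048) 2>/dev/null || return 1
    openssl req -new -x509 -config "$cfg" -key "$ca_dir/private/cakey.pem" \
        -out "$ca_dir/cacert.pem" -days 3650 \
        -subj "/C=CN/ST=Beijing/L=fengtai/O=zengxin/OU=Tech/CN=ca.zengxin.com" || return 1

    # 4. Server key, CSR, and CA-signed certificate (-batch answers the y/y prompts)
    (umask 077; openssl genrsa -out "$out_dir/vsftpd.key" 2048) 2>/dev/null || return 1
    openssl req -new -config "$cfg" -key "$out_dir/vsftpd.key" \
        -out "$out_dir/vsftpd.csr" \
        -subj "/C=CN/ST=Beijing/L=fengtai/O=zengxin/OU=Tech/CN=$ftp_host" || return 1
    openssl ca -batch -config "$cfg" -notext -in "$out_dir/vsftpd.csr" \
        -out "$out_dir/vsftpd.crt" >/dev/null 2>&1 || return 1

    # 5. Checks: the cert chains to the CA, is not itself a CA, and matches the key
    openssl verify -CAfile "$ca_dir/cacert.pem" "$out_dir/vsftpd.crt" >/dev/null || return 1
    openssl x509 -in "$out_dir/vsftpd.crt" -noout -text | grep -q 'CA:FALSE' || return 1
    [ "$(openssl x509 -in "$out_dir/vsftpd.crt" -noout -modulus)" = \
      "$(openssl rsa -in "$out_dir/vsftpd.key" -noout -modulus)" ] || return 1
}
```

Run it as root with build_vsftpd_pki /etc/pki/CA /etc/vsftpd/ssl ftp.zengxin.com. The third argument must be the name clients actually connect with: a client that verifies the certificate compares it against the CN/subjectAltName, and a mismatch is a warning the users will learn to click through.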

6. Edit vsftpd.conf

# vim /etc/vsftpd/vsftpd.conf   --> add the following

######ssl or tls#########

ssl_enable=YES

# SSLv3 is broken (POODLE); leave it disabled and rely on TLS
ssl_sslv3=NO

ssl_tlsv1=YES

allow_anon_ssl=NO

force_local_data_ssl=YES

force_local_logins_ssl=YES

rsa_cert_file=/etc/vsftpd/ssl/vsftpd.crt

rsa_private_key_file=/etc/vsftpd/ssl/vsftpd.key

#service vsftpd restart   // restart vsftpd
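A hardened version of the ssl/tls block above, together with a small audit that reads a vsftpd.conf and reports the settings that matter. This is an added example, not from the original notes: the option names are real vsftpd options, but the cipher string, the passive port range and the choice to force anonymous sessions onto TLS as well are decisions made for this example. vsftpd refuses to start on an option it does not know ("500 OOPS: unrecognised variable in config file"), so check any option against the man page of the installed version first.

```shell
#!/bin/sh
# Added example, not from the original notes: a hardened vsftpd ssl/tls
# block and an audit function for vsftpd.conf. Option names are real
# vsftpd options; the cipher string, port range and anonymous-over-TLS
# choice are assumptions made for this example.

# Hardened variant of the step-6 block. Compared with the notes:
#   - ssl_sslv2/ssl_sslv3 are NO (SSLv3 is broken by POODLE)
#   - anonymous sessions are also forced onto TLS (optional: the notes
#     deliberately leave anonymous read-only access in the clear)
#   - ssl_ciphers restricts the negotiable cipher list
#   - a fixed passive port range, because a firewall can no longer read the
#     PASV reply once the control channel is encrypted
hardened_vsftpd_ssl_conf() {
    cat <<'EOF'
######ssl or tls#########
ssl_enable=YES
ssl_sslv2=NO
ssl_sslv3=NO
ssl_tlsv1=YES
ssl_ciphers=HIGH
allow_anon_ssl=YES
force_anon_logins_ssl=YES
force_anon_data_ssl=YES
force_local_logins_ssl=YES
force_local_data_ssl=YES
rsa_cert_file=/etc/vsftpd/ssl/vsftpd.crt
rsa_private_key_file=/etc/vsftpd/ssl/vsftpd.key
pasv_enable=YES
pasv_min_port=40000
pasv_max_port=40100
EOF
}

# Last value assigned to an option: vsftpd lines are exactly "option=value"
# (no spaces around "=") and a later definition overrides an earlier one.
vsftpd_opt() {
    grep -E "^$2=" "$1" | tail -n 1 | cut -d= -f2-
}

# Audit a vsftpd.conf. Prints findings; returns 0 only if TLS is enabled,
# no obsolete protocol is on, local users cannot fall back to cleartext,
# and a certificate/key pair is configured. Lines starting with "note:"
# are advisory and do not fail the audit.
vsftpd_ssl_audit() {
    conf="$1"
    rc=0
    if [ "$(vsftpd_opt "$conf" ssl_enable)" != "YES" ]; then
        echo "ssl_enable is not YES"; rc=1
    fi
    for p in ssl_sslv2 ssl_sslv3; do
        if [ "$(vsftpd_opt "$conf" "$p")" = "YES" ]; then
            echo "$p=YES: obsolete protocol enabled"; rc=1
        fi
    done
    # vsftpd defaults both of these to YES, so only an explicit NO is a finding
    for p in force_local_logins_ssl force_local_data_ssl; do
        if [ "$(vsftpd_opt "$conf" "$p")" = "NO" ]; then
            echo "$p=NO: local users may log in or transfer in cleartext"; rc=1
        fi
    done
    for p in rsa_cert_file rsa_private_key_file; do
        if [ -z "$(vsftpd_opt "$conf" "$p")" ]; then
            echo "$p is not set"; rc=1
        fi
    done
    if [ "$(vsftpd_opt "$conf" allow_anon_ssl)" != "YES" ] && \
       [ "$(vsftpd_opt "$conf" anonymous_enable)" != "NO" ]; then
        echo "note: anonymous sessions stay in cleartext (allow_anon_ssl is not YES)"
    fi
    if [ -z "$(vsftpd_opt "$conf" pasv_min_port)" ]; then
        echo "note: pasv_min_port/pasv_max_port unset; passive data ports are unpredictable behind a firewall"
    fi
    return $rc
}
```

Usage: vsftpd_ssl_audit /etc/vsftpd/vsftpd.conf, or hardened_vsftpd_ssl_conf >> /etc/vsftpd/vsftpd.conf to append the block. Against the running server, openssl s_client -starttls ftp -connect ftp.zengxin.com:21 -CAfile /etc/pki/CA/cacert.pem shows the negotiated protocol and whether the chain verifies against the CA built above; with ssl_sslv3=NO an s_client -ssl3 handshake must fail.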

7. Test

# ftp 192.168.3.3

Connected to 192.168.3.3.

220 (vsFTPd 2.0.5)

504 Unknown AUTH type.

504 Unknown AUTH type.

KERBEROS_V4 rejected as an authentication type

(The command-line ftp client has no TLS support. The two 504 replies are vsftpd rejecting the client's Kerberos/GSSAPI AUTH attempts; they have nothing to do with the SSL settings.)

Name (192.168.3.3:root): ftp    // log in as the anonymous user

331 Please specify the password.

Password:

230 Login successful.    // login succeeded

Remote system type is UNIX.

Using binary mode to transfer files.

ftp> ls

227 Entering Passive Mode (192,168,3,3,33,2)

150 Here comes the directory listing.

drwxr-xr-x    2 0        0            4096 Dec 05  2011 pub

226 Directory send OK.

ftp>

# ftp 192.168.3.3

Connected to 192.168.3.3.

220 (vsFTPd 2.0.5)

504 Unknown AUTH type.

504 Unknown AUTH type.

KERBEROS_V4 rejected as an authentication type

Name (192.168.3.3:root): lisi   // log in as a local user

530 Non-anonymous sessions must use encryption.  // the local user is refused: force_local_logins_ssl=YES requires a TLS session before any non-anonymous login, while the anonymous login above still works in the clear because nothing forces anonymous sessions onto TLS

Login failed.

ftp>

Logging in to the server from a client with FlashFXP (explicit FTP over TLS):

Date: 11-27
