CA certificates and the SSH service

1. Create a private CA and request a certificate

1.1 Create the CA's files and directories
[root@Centos8~]#mkdir -pv /etc/pki/CA/{certs,crl,newcerts,private}
mkdir: created directory '/etc/pki/CA'
mkdir: created directory '/etc/pki/CA/certs'
mkdir: created directory '/etc/pki/CA/crl'
mkdir: created directory '/etc/pki/CA/newcerts'
mkdir: created directory '/etc/pki/CA/private'
[root@Centos8~]#tree /etc/pki/CA/
/etc/pki/CA/
├── certs
├── crl
├── newcerts
└── private

4 directories, 0 files
[root@Centos8~]#touch /etc/pki/CA/index.txt && echo 0F > /etc/pki/CA/serial
[root@Centos8~]#tree /etc/pki/CA/
/etc/pki/CA/
├── certs
├── crl
├── index.txt
├── newcerts
├── private
└── serial

4 directories, 2 files
1.2 Create the CA's private key
[root@Centos8~]#cd /etc/pki/CA/
[root@Centos8CA]#(umask 066; openssl genrsa -out private/cakey.pem 2048)
Generating RSA private key, 2048 bit long modulus (2 primes)
................+++++
.....+++++
e is 65537 (0x010001)
[root@Centos8CA]#tree /etc/pki/CA/
/etc/pki/CA/
├── certs
├── crl
├── index.txt
├── newcerts
├── private
│ └── cakey.pem
└── serial

4 directories, 3 files
[root@Centos8CA]#ll private/
total 4
-rw------- 1 root root 1679 Jan 16 14:10 cakey.pem
[root@Centos8CA]#cat private/cakey.pem
-----BEGIN RSA PRIVATE KEY-----
(key material omitted; a CA private key should never be printed into notes or into a terminal whose output is logged)
-----END RSA PRIVATE KEY-----
1.3 Issue the CA's self-signed certificate
[root@Centos8CA]#openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -days 3650 -out /etc/pki/CA/cacert.pem
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:GuangDong
Locality Name (eg, city) [DefaultCity]:ShenZhen
Organization Name (eg, company) [DefaultCompanyLtd]:StarsInfo
Organizational Unit Name (eg, section) []:IT
Common Name (eg, your name or your server's hostname) []:ca.starsinfo.com
Email Address []:admin@starsinfo.com
[root@Centos8CA]#tree /etc/pki/CA/
/etc/pki/CA/
├── cacert.pem
├── certs
├── crl
├── index.txt
├── newcerts
├── private
│ └── cakey.pem
└── serial

4 directories, 4 files
[root@Centos8CA]#cat cacert.pem
-----BEGIN CERTIFICATE-----
MIIECzCCAvOgAwIBAgIUVj7oOHDSPLFu+RzQ6tlHdgoF8KgwDQYJKoZIhvcNAQEL
BQAwgZQxCzAJBgNVBAYTAkNOMRIwEAYDVQQIDAlHdWFuZ0RvbmcxETAPBgNVBAcM
CFNoZW5aaGVuMRIwEAYDVQQKDAlTdGFyc0luZm8xCzAJBgNVBAsMAklUMRkwFwYD
VQQDDBBjYS5zdGFyc2luZm8uY29tMSIwIAYJKoZIhvcNAQkBFhNhZG1pbkBzdGFy
c2luZm8uY29tMB4XDTIyMDExNjA2MjIwN1oXDTMyMDExNDA2MjIwN1owgZQxCzAJ
BgNVBAYTAkNOMRIwEAYDVQQIDAlHdWFuZ0RvbmcxETAPBgNVBAcMCFNoZW5aaGVu
MRIwEAYDVQQKDAlTdGFyc0luZm8xCzAJBgNVBAsMAklUMRkwFwYDVQQDDBBjYS5z
dGFyc2luZm8uY29tMSIwIAYJKoZIhvcNAQkBFhNhZG1pbkBzdGFyc2luZm8uY29t
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAvNrGunjAXN/YvoGRy414
3YBdfvcEjc3yY/51vWIN7WgA7XbmxrYhcGicdKOZhb5087fG0zM7wA4RmmmX8mVy
LemonAlB/2FuXSesDYfeqmI2kb0OdESKWKMcPTre/MAhf15+M8bEN87/xqDWXCut
KY5cjnujXmtTfX7rS4PYf/I8Jz4UoOPhK0dM5DFLkbjB1G8I9ffAlrPgfE6G9gkL
6owrH5Tsl0WraHlq7qlf9Cz5PfDFrFTGc4TI6gaAT6OUmNxfprzSWJI8Nuh2EGVf
XEGD0o40rwMBg/e4xeWmbTeu09kxlKZx5V4vCT6P4i5hdxZhZThRdZDTm8e1TCRi
JwIDAQABo1MwUTAdBgNVHQ4EFgQUbYHI2fo+24tptt5uAWPdmk+9hBswHwYDVR0j
BBgwFoAUbYHI2fo+24tptt5uAWPdmk+9hBswDwYDVR0TAQH/BAUwAwEB/zANBgkq
hkiG9w0BAQsFAAOCAQEAsT0BXU/BHeKY+vHAfFKN//Iv8UiwhvtQpkkWddv50cE0
pSPOYLCD4UGOWPa+Jg3kI92wdrouJNg3XJmYvmlBCQtYbDiDuBdm3NKrNMpjXSg7
IJdYZhLEbCNpkFp8eh+5s3BpZMatCaBkXz4LlpMr5gilbEmRTcQFx1PVHt7/si1K
iaDx2Zz7kO0vc3zFAbUTim8qGL31kHc2t/bL+VRj+VUbJP+gfpVPsTGTno78WMJx
XapLKD2uVNbpts86JYp7e+CAV9ODkbGjBoDgyyIdhBXqUUV4X5IbOrktrETWDSjl
RFOqcKH71jwioEs0yST72xapq47ZDWjZVRwEZ8vsQA==
-----END CERTIFICATE-----
[root@Centos8CA]#openssl x509 -in /etc/pki/CA/cacert.pem -noout -text
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
56:3e:e8:38:70:d2:3c:b1:6e:f9:1c:d0:ea:d9:47:76:0a:05:f0:a8
Signature Algorithm: sha256WithRSAEncryption
Issuer: C = CN, ST = GuangDong, L = ShenZhen, O = StarsInfo, OU = IT, CN = ca.starsinfo.com, emailAddress = admin@starsinfo.com
Validity
Not Before: Jan 16 06:22:07 2022 GMT
Not After : Jan 14 06:22:07 2032 GMT
Subject: C = CN, ST = GuangDong, L = ShenZhen, O = StarsInfo, OU = IT, CN = ca.starsinfo.com, emailAddress = admin@starsinfo.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public-Key: (2048 bit)
Modulus:
00:bc:da:c6:ba:78:c0:5c:df:d8:be:81:91:cb:8d:
78:dd:80:5d:7e:f7:04:8d:cd:f2:63:fe:75:bd:62:
0d:ed:68:00:ed:76:e6:c6:b6:21:70:68:9c:74:a3:
99:85:be:74:f3:b7:c6:d3:33:3b:c0:0e:11:9a:69:
97:f2:65:72:2d:e9:a8:9c:09:41:ff:61:6e:5d:27:
ac:0d:87:de:aa:62:36:91:bd:0e:74:44:8a:58:a3:
1c:3d:3a:de:fc:c0:21:7f:5e:7e:33:c6:c4:37:ce:
ff:c6:a0:d6:5c:2b:ad:29:8e:5c:8e:7b:a3:5e:6b:
53:7d:7e:eb:4b:83:d8:7f:f2:3c:27:3e:14:a0:e3:
e1:2b:47:4c:e4:31:4b:91:b8:c1:d4:6f:08:f5:f7:
c0:96:b3:e0:7c:4e:86:f6:09:0b:ea:8c:2b:1f:94:
ec:97:45:ab:68:79:6a:ee:a9:5f:f4:2c:f9:3d:f0:
c5:ac:54:c6:73:84:c8:ea:06:80:4f:a3:94:98:dc:
5f:a6:bc:d2:58:92:3c:36:e8:76:10:65:5f:5c:41:
83:d2:8e:34:af:03:01:83:f7:b8:c5:e5:a6:6d:37:
ae:d3:d9:31:94:a6:71:e5:5e:2f:09:3e:8f:e2:2e:
61:77:16:61:65:38:51:75:90:d3:9b:c7:b5:4c:24:
62:27
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Key Identifier:
6D:81:C8:D9:FA:3E:DB:8B:69:B6:DE:6E:01:63:DD:9A:4F:BD:84:1B
X509v3 Authority Key Identifier:
keyid:6D:81:C8:D9:FA:3E:DB:8B:69:B6:DE:6E:01:63:DD:9A:4F:BD:84:1B

X509v3 Basic Constraints: critical
CA:TRUE
Signature Algorithm: sha256WithRSAEncryption
b1:3d:01:5d:4f:c1:1d:e2:98:fa:f1:c0:7c:52:8d:ff:f2:2f:
f1:48:b0:86:fb:50:a6:49:16:75:db:f9:d1:c1:34:a5:23:ce:
60:b0:83:e1:41:8e:58:f6:be:26:0d:e4:23:dd:b0:76:ba:2e:
24:d8:37:5c:99:98:be:69:41:09:0b:58:6c:38:83:b8:17:66:
dc:d2:ab:34:ca:63:5d:28:3b:20:97:58:66:12:c4:6c:23:69:
90:5a:7c:7a:1f:b9:b3:70:69:64:c6:ad:09:a0:64:5f:3e:0b:
96:93:2b:e6:08:a5:6c:49:91:4d:c4:05:c7:53:d5:1e:de:ff:
b2:2d:4a:89:a0:f1:d9:9c:fb:90:ed:2f:73:7c:c5:01:b5:13:
8a:6f:2a:18:bd:f5:90:77:36:b7:f6:cb:f9:54:63:f9:55:1b:
24:ff:a0:7e:95:4f:b1:31:93:9e:8e:fc:58:c2:71:5d:aa:4b:
28:3d:ae:54:d6:e9:b6:cf:3a:25:8a:7b:7b:e0:80:57:d3:83:
91:b1:a3:06:80:e0:cb:22:1d:84:15:ea:51:45:78:5f:92:1b:
3a:b9:2d:ac:44:d6:0d:28:e5:44:53:aa:70:a1:fb:d6:3c:22:
a0:4b:34:c9:24:fb:db:16:a9:ab:8e:d9:0d:68:d9:55:1c:04:
67:cb:ec:40
[root@Centos8CA]#sz /etc/pki/CA/cacert.pem
# Transfer cacert.pem to a Windows machine, rename it cacert.crt, and double-click it to open it in the Windows certificate viewer

1.4 The user generates a private key and a certificate signing request (CSR)
[root@Centos8~]#mkdir /data/app1
[root@Centos8~]#(umask 066; openssl genrsa -out /data/app1/app1.key 2048)
Generating RSA private key, 2048 bit long modulus (2 primes)
..........................................................................+++++
.....................................................................................................+++++
e is 65537 (0x010001)
[root@Centos8~]#cat /data/app1/app1.key
-----BEGIN RSA PRIVATE KEY-----
(key material omitted)
-----END RSA PRIVATE KEY-----
# Generate the certificate signing request. The Common Name should be the hostname clients will connect to (the app1 server's own name); the CSR below reuses the CA's name, ca.starsinfo.com, which is a mistake to avoid in practice.
[root@Centos8~]#openssl req -new -key /data/app1/app1.key -out /data/app1/app1.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:GuangDong
Locality Name (eg, city) [DefaultCity]:ShenZhen
Organization Name (eg, company) [DefaultCompanyLtd]:StarsInfo
Organizational Unit Name (eg, section) []:IT
Common Name (eg, your name or your server's hostname) []:ca.starsinfo.com
Email Address []:app1@starsinfo.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
[root@Centos8~]#ll /data/app1/
total 8
-rw-r--r-- 1 root root 1066 Jan 16 14:50 app1.csr
-rw------- 1 root root 1675 Jan 16 14:46 app1.key
[root@Centos8~]#ll /etc/pki/CA
total 8
-rw-r--r-- 1 root root 1464 Jan 16 14:22 cacert.pem
drwxr-xr-x 2 root root 6 Jan 16 13:50 certs
drwxr-xr-x 2 root root 6 Jan 16 13:50 crl
-rw-r--r-- 1 root root 0 Jan 16 13:51 index.txt
drwxr-xr-x 2 root root 6 Jan 16 13:50 newcerts
drwxr-xr-x 2 root root 23 Jan 16 14:10 private
-rw-r--r-- 1 root root 3 Jan 16 14:01 serial
1.5 The CA issues the certificate
# openssl ca applies the policy_match section of /etc/pki/tls/openssl.cnf: C, ST and O must equal the CA's, OU and emailAddress are optional, and fields not listed in the policy (localityName here) are dropped, which is why L=ShenZhen is missing from the issued subject below.
[root@Centos8~]#openssl ca -in /data/app1/app1.csr -out /etc/pki/CA/certs/app1.crt -days 2000
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 0 (0x0)
Validity
Not Before: Jan 16 06:56:54 2022 GMT
Not After : Jul 9 06:56:54 2027 GMT
Subject:
countryName = CN
stateOrProvinceName = GuangDong
organizationName = StarsInfo
organizationalUnitName = IT
commonName = ca.starsinfo.com
emailAddress = app1@starsinfo.com
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
78:E6:6E:3B:63:62:B0:14:30:57:AE:CB:62:DD:EE:B6:8C:EE:36:94
X509v3 Authority Key Identifier:
keyid:6D:81:C8:D9:FA:3E:DB:8B:69:B6:DE:6E:01:63:DD:9A:4F:BD:84:1B

Certificate is to be certified until Jul 9 06:56:54 2027 GMT (2000 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
[root@Centos8~]#tree /etc/pki/CA/
/etc/pki/CA/
├── cacert.pem
├── certs
│ └── app1.crt
├── crl
├── index.txt
├── index.txt.attr
├── index.txt.old
├── newcerts
│ └── 00.pem
├── private
│ └── cakey.pem
├── serial
└── serial.old

4 directories, 9 files
1.6 View and verify the certificate
[root@Centos8~]#cat /etc/pki/CA/certs/app1.crt 
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 0 (0x0)
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=CN, ST=GuangDong, L=ShenZhen, O=StarsInfo, OU=IT, CN=ca.starsinfo.com/emailAddress=admin@starsinfo.com
Validity
Not Before: Jan 16 06:56:54 2022 GMT
Not After : Jul 9 06:56:54 2027 GMT
Subject: C=CN, ST=GuangDong, O=StarsInfo, OU=IT, CN=ca.starsinfo.com/emailAddress=app1@starsinfo.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public-Key: (2048 bit)
Modulus:
00:ca:6e:99:4e:a7:63:48:2b:9f:35:fd:d2:2c:fa:
b3:26:51:ca:33:0c:df:7d:f5:02:71:70:b3:27:6a:
96:b1:58:8c:52:07:d8:4e:99:53:d5:96:c4:4d:b0:
1b:6d:b0:fb:6d:bb:98:6a:3e:56:5a:e2:d7:a9:1c:
1b:27:10:8f:86:7b:b4:74:5f:dc:db:3f:92:15:28:
99:c2:2a:b2:38:d5:c7:56:f1:ed:2c:9f:d2:a5:99:
22:cd:fb:7c:af:5d:e8:5a:d7:01:2d:38:b8:9d:75:
09:a4:e6:c9:20:3e:09:8c:7a:b7:fd:c6:5c:25:33:
38:35:a0:a9:88:aa:ed:f3:99:c5:95:d1:a6:7d:f4:
bd:96:8a:75:c3:12:dd:c7:60:ba:4f:c1:81:c1:93:
40:7b:2a:d5:cb:d8:28:b2:4e:c3:a4:6e:14:6b:48:
18:07:55:7b:36:0c:ae:00:22:9e:89:27:49:38:36:
f4:c5:10:18:f5:ea:de:42:aa:05:c1:15:9c:47:a0:
51:d2:d8:75:91:13:fe:16:e6:12:8e:c2:e4:2f:a8:
66:a6:84:27:98:a6:3a:bb:3d:eb:5e:04:da:e6:5d:
da:57:1e:90:eb:91:fd:e9:f4:93:0a:9a:75:95:b8:
80:fe:3a:d0:0f:fe:49:ef:90:7b:bc:bb:36:b4:4a:
20:5f
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
78:E6:6E:3B:63:62:B0:14:30:57:AE:CB:62:DD:EE:B6:8C:EE:36:94
X509v3 Authority Key Identifier:
keyid:6D:81:C8:D9:FA:3E:DB:8B:69:B6:DE:6E:01:63:DD:9A:4F:BD:84:1B

Signature Algorithm: sha256WithRSAEncryption
17:36:d3:c1:f3:8d:b1:c0:29:a6:a1:ca:7a:97:da:ef:00:46:
f0:c5:96:45:65:bf:cb:95:6c:02:75:01:f5:85:4f:17:b5:e4:
ef:08:91:0e:04:55:ec:a4:4a:08:fe:a3:83:f8:de:6f:9f:97:
48:14:46:87:7e:3f:bd:3b:fb:b5:87:8c:24:c3:47:75:4e:f0:
ca:d2:a1:83:4a:27:b0:21:13:f2:90:8d:b4:85:a7:51:fd:ed:
4a:4e:81:6e:a4:11:2e:55:10:28:7e:8e:fa:e6:2a:84:51:16:
57:52:5d:cf:80:a9:5f:d2:af:cc:8b:65:f6:5b:56:72:39:aa:
bf:c3:41:09:f6:4f:ec:a3:ce:b2:46:91:11:d2:43:27:8d:20:
d7:72:9b:78:54:95:48:11:c3:81:87:d7:1a:3c:3c:9c:c0:db:
91:65:cb:f5:5a:5f:99:3e:08:79:6f:8e:78:34:67:d3:5a:b8:
d0:69:57:40:3f:6f:5b:39:62:a8:52:29:8b:4c:fc:f6:0e:bd:
b2:82:06:b1:8b:38:b7:b8:46:8f:08:a4:ec:c4:8e:ec:2f:57:
53:2f:71:1c:dc:fb:7d:47:a1:eb:4e:25:e9:1d:99:10:2d:87:
0e:f9:4c:eb:bc:90:6a:8d:5d:d0:33:b2:99:16:4c:43:91:41:
f4:40:05:16
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
[root@Centos8~]#openssl x509 -in /etc/pki/CA/certs/app1.crt -noout -text
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 0 (0x0)
Signature Algorithm: sha256WithRSAEncryption
Issuer: C = CN, ST = GuangDong, L = ShenZhen, O = StarsInfo, OU = IT, CN = ca.starsinfo.com, emailAddress = admin@starsinfo.com
Validity
Not Before: Jan 16 06:56:54 2022 GMT
Not After : Jul 9 06:56:54 2027 GMT
Subject: C = CN, ST = GuangDong, O = StarsInfo, OU = IT, CN = ca.starsinfo.com, emailAddress = app1@starsinfo.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public-Key: (2048 bit)
Modulus:
00:ca:6e:99:4e:a7:63:48:2b:9f:35:fd:d2:2c:fa:
b3:26:51:ca:33:0c:df:7d:f5:02:71:70:b3:27:6a:
96:b1:58:8c:52:07:d8:4e:99:53:d5:96:c4:4d:b0:
1b:6d:b0:fb:6d:bb:98:6a:3e:56:5a:e2:d7:a9:1c:
1b:27:10:8f:86:7b:b4:74:5f:dc:db:3f:92:15:28:
99:c2:2a:b2:38:d5:c7:56:f1:ed:2c:9f:d2:a5:99:
22:cd:fb:7c:af:5d:e8:5a:d7:01:2d:38:b8:9d:75:
09:a4:e6:c9:20:3e:09:8c:7a:b7:fd:c6:5c:25:33:
38:35:a0:a9:88:aa:ed:f3:99:c5:95:d1:a6:7d:f4:
bd:96:8a:75:c3:12:dd:c7:60:ba:4f:c1:81:c1:93:
40:7b:2a:d5:cb:d8:28:b2:4e:c3:a4:6e:14:6b:48:
18:07:55:7b:36:0c:ae:00:22:9e:89:27:49:38:36:
f4:c5:10:18:f5:ea:de:42:aa:05:c1:15:9c:47:a0:
51:d2:d8:75:91:13:fe:16:e6:12:8e:c2:e4:2f:a8:
66:a6:84:27:98:a6:3a:bb:3d:eb:5e:04:da:e6:5d:
da:57:1e:90:eb:91:fd:e9:f4:93:0a:9a:75:95:b8:
80:fe:3a:d0:0f:fe:49:ef:90:7b:bc:bb:36:b4:4a:
20:5f
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
78:E6:6E:3B:63:62:B0:14:30:57:AE:CB:62:DD:EE:B6:8C:EE:36:94
X509v3 Authority Key Identifier:
keyid:6D:81:C8:D9:FA:3E:DB:8B:69:B6:DE:6E:01:63:DD:9A:4F:BD:84:1B

Signature Algorithm: sha256WithRSAEncryption
17:36:d3:c1:f3:8d:b1:c0:29:a6:a1:ca:7a:97:da:ef:00:46:
f0:c5:96:45:65:bf:cb:95:6c:02:75:01:f5:85:4f:17:b5:e4:
ef:08:91:0e:04:55:ec:a4:4a:08:fe:a3:83:f8:de:6f:9f:97:
48:14:46:87:7e:3f:bd:3b:fb:b5:87:8c:24:c3:47:75:4e:f0:
ca:d2:a1:83:4a:27:b0:21:13:f2:90:8d:b4:85:a7:51:fd:ed:
4a:4e:81:6e:a4:11:2e:55:10:28:7e:8e:fa:e6:2a:84:51:16:
57:52:5d:cf:80:a9:5f:d2:af:cc:8b:65:f6:5b:56:72:39:aa:
bf:c3:41:09:f6:4f:ec:a3:ce:b2:46:91:11:d2:43:27:8d:20:
d7:72:9b:78:54:95:48:11:c3:81:87:d7:1a:3c:3c:9c:c0:db:
91:65:cb:f5:5a:5f:99:3e:08:79:6f:8e:78:34:67:d3:5a:b8:
d0:69:57:40:3f:6f:5b:39:62:a8:52:29:8b:4c:fc:f6:0e:bd:
b2:82:06:b1:8b:38:b7:b8:46:8f:08:a4:ec:c4:8e:ec:2f:57:
53:2f:71:1c:dc:fb:7d:47:a1:eb:4e:25:e9:1d:99:10:2d:87:
0e:f9:4c:eb:bc:90:6a:8d:5d:d0:33:b2:99:16:4c:43:91:41:
f4:40:05:16

# Show the serial number
[root@Centos8~]#openssl x509 -in /etc/pki/CA/certs/app1.crt -noout -serial
serial=00
# Show issuer, subject and validity period
[root@Centos8~]#openssl x509 -in /etc/pki/CA/certs/app1.crt -noout -issuer
issuer=C = CN, ST = GuangDong, L = ShenZhen, O = StarsInfo, OU = IT, CN = ca.starsinfo.com, emailAddress = admin@starsinfo.com
[root@Centos8~]#openssl x509 -in /etc/pki/CA/certs/app1.crt -noout -subject
subject=C = CN, ST = GuangDong, O = StarsInfo, OU = IT, CN = ca.starsinfo.com, emailAddress = app1@starsinfo.com
[root@Centos8~]#openssl x509 -in /etc/pki/CA/certs/app1.crt -noout -dates
notBefore=Jan 16 06:56:54 2022 GMT
notAfter=Jul 9 06:56:54 2027 GMT
# Check the certificate's status in the CA database (index.txt): V = valid, R = revoked, E = expired
[root@Centos8~]#openssl ca -status 00
Using configuration from /etc/pki/tls/openssl.cnf
00=Valid (V)
[root@Centos8~]#cat /etc/pki/CA/index.txt
V 270709065654Z 00 unknown /C=CN/ST=GuangDong/O=StarsInfo/OU=IT/CN=ca.starsinfo.com/emailAddress=app1@starsinfo.com
# Transfer the certificate to Windows to view it there
[root@Centos8~]#sz /etc/pki/CA/certs/app1.crt
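The whole of section 1 done non-interactively, with the verification the notes stop short of. This is an added example, not code from the original notes: it assumes openssl 1.1.1 or newer, uses invented paths and names (a scratch directory instead of /etc/pki/CA, app1.starsinfo.com as the server name, ca.example.invalid as an unrelated CA), signs with `openssl x509 -req` instead of `openssl ca` so that no index.txt/serial database is needed, and adds the extensions the page's `openssl ca` run did not set (keyUsage on the CA, a subjectAltName and extendedKeyUsage=serverAuth on the server certificate). The checks at the end are the ones to run before deploying any issued certificate: `openssl verify -CAfile` for the chain, a public-key digest comparison to catch a certificate signed for the wrong key, a SAN and CA:FALSE check on the leaf, and a negative test against a foreign CA.

```shell
#!/bin/sh
# Added example, not code from the original notes: section 1 done non-interactively
# in a scratch directory, with the checks the notes stop short of. Assumes openssl
# 1.1.1 or newer on PATH; DNs, hostnames and paths are invented for the example.
# Signing uses "openssl x509 -req" instead of "openssl ca", so no index.txt/serial
# database is needed, and the extensions come from the config written below.
set -u

# write_ext_config FILE HOSTNAME: minimal openssl config with a CA section and a
# server section (the empty req_dn section is required by openssl req).
write_ext_config() {
    cat > "$1" <<EOF
[req]
distinguished_name = req_dn
[req_dn]
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[v3_server]
basicConstraints = CA:FALSE
keyUsage = digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$2
EOF
}

# make_ca DIR CN: RSA-2048 CA key (umask 066, never world-readable) plus a
# self-signed certificate restricted to signing certificates and CRLs.
make_ca() {
    dir=$1 cn=$2
    mkdir -p "$dir/private" "$dir/certs" || return 1
    write_ext_config "$dir/ext.cnf" "$cn"
    (umask 066; openssl genrsa -out "$dir/private/cakey.pem" 2048 2>/dev/null) || return 1
    openssl req -new -x509 -key "$dir/private/cakey.pem" -days 3650 \
        -config "$dir/ext.cnf" -extensions v3_ca \
        -subj "/C=CN/ST=GuangDong/L=ShenZhen/O=StarsInfo/OU=IT/CN=$cn" \
        -out "$dir/cacert.pem" 2>/dev/null
}

# issue_server_cert CADIR OUTDIR HOSTNAME: key and CSR for HOSTNAME (the CN is the
# server's name, not the CA's), signed by the CA with the server extensions.
issue_server_cert() {
    ca=$1 out=$2 host=$3
    mkdir -p "$out" || return 1
    write_ext_config "$out/ext.cnf" "$host"
    (umask 066; openssl genrsa -out "$out/$host.key" 2048 2>/dev/null) || return 1
    openssl req -new -key "$out/$host.key" -config "$out/ext.cnf" \
        -subj "/C=CN/ST=GuangDong/L=ShenZhen/O=StarsInfo/OU=IT/CN=$host" \
        -out "$out/$host.csr" 2>/dev/null || return 1
    openssl x509 -req -in "$out/$host.csr" -CA "$ca/cacert.pem" \
        -CAkey "$ca/private/cakey.pem" -CAcreateserial -days 825 -sha256 \
        -extfile "$out/ext.cnf" -extensions v3_server \
        -out "$ca/certs/$host.crt" 2>/dev/null
}

# pubkey_digest FILE: SHA-256 of the public key inside a certificate or a private
# key, so "does this cert belong to this key" is a one-line comparison.
pubkey_digest() {
    if grep -q 'BEGIN CERTIFICATE' "$1"; then
        openssl x509 -in "$1" -noout -pubkey
    else
        openssl pkey -in "$1" -pubout
    fi | openssl dgst -sha256 | awk '{ print $NF }'
}

# verify_issued CADIR KEY CRT HOSTNAME: the checks to run before deploying a cert.
verify_issued() {
    ca=$1 key=$2 crt=$3 host=$4
    openssl verify -CAfile "$ca/cacert.pem" "$crt" >/dev/null 2>&1 || { echo "chain does not verify"; return 1; }
    [ "$(pubkey_digest "$crt")" = "$(pubkey_digest "$key")" ] || { echo "certificate does not match key"; return 1; }
    text=$(openssl x509 -in "$crt" -noout -text)
    echo "$text" | grep -q "DNS:$host" || { echo "no SAN for $host"; return 1; }
    echo "$text" | grep -q 'CA:FALSE' || { echo "leaf certificate is marked as a CA"; return 1; }
    echo "ok: $crt"
}

# demo: full run; exit status 0 only if every check holds and a certificate from
# an unrelated CA is rejected.
demo() {
    work=$(mktemp -d) || return 1
    make_ca "$work/CA" ca.starsinfo.com || return 1
    make_ca "$work/otherCA" ca.example.invalid || return 1
    issue_server_cert "$work/CA" "$work/app1" app1.starsinfo.com || return 1
    verify_issued "$work/CA" "$work/app1/app1.starsinfo.com.key" \
        "$work/CA/certs/app1.starsinfo.com.crt" app1.starsinfo.com || return 1
    if openssl verify -CAfile "$work/otherCA/cacert.pem" \
            "$work/CA/certs/app1.starsinfo.com.crt" >/dev/null 2>&1; then
        echo "a foreign CA accepted the certificate"; return 1
    fi
    rm -rf "$work"
}
demo
```

The same four checks apply to the certificate issued with `openssl ca` above: `openssl verify -CAfile /etc/pki/CA/cacert.pem /etc/pki/CA/certs/app1.crt` must print `app1.crt: OK`, and the public-key digest of app1.crt must equal that of /data/app1/app1.key.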

2. Common ssh parameters and usage

2.1 ssh basics
ssh: the Secure Shell protocol, 22/tcp. Encrypted remote login and command execution, replacing the cleartext telnet protocol.
Common implementations:
OpenSSH: the open-source implementation of the ssh protocol, installed by default on CentOS
dropbear: another open-source ssh implementation, common on embedded systems
SSH protocol versions:
v1: integrity protected only by CRC-32, vulnerable to insertion and man-in-the-middle attacks; obsolete (OpenSSH dropped server support in 7.4 and client support in 7.6)
v2: both sides negotiate a MAC algorithm, keys are exchanged with Diffie-Hellman (or ECDH), and hosts and users authenticate with RSA, DSA, ECDSA or Ed25519 keys
2.2 ssh command syntax
ssh [user@]host [COMMAND]
ssh [-l user] host [COMMAND]
2.3 Common ssh options
-p port #port the remote server listens on, default 22; production servers are often moved to another port
-b address #source IP address to connect from
-v #verbose/debug output (repeat up to -vvv)
-C #enable compression
-X #enable X11 forwarding; this gives the remote host access to the local display, so use it only with trusted servers
-t #force pseudo-tty allocation, e.g. ssh -t remoteserver1 ssh -t remoteserver2 ssh remoteserver3 (ssh -J, ProxyJump, does the same hop chain without nesting shells on the intermediate hosts)
-o option #e.g. -o StrictHostKeyChecking=no, which accepts unknown host keys automatically and still connects when a host key has changed, removing the protection against man-in-the-middle attacks; use it only on throwaway hosts
-i <file> #private key for key-based authentication; default files are ~/.ssh/id_dsa, ~/.ssh/id_ecdsa, ~/.ssh/id_ed25519 and ~/.ssh/id_rsa
2.4 Common ssh usage

Example 1: the most common form

root@ubuntu:~# hostname
ubuntu
root@ubuntu:~# ssh 10.0.0.8 #On the first connection ssh shows the server's host key fingerprint and asks whether to continue (yes/no); after yes the key is stored in ~/.ssh/known_hosts and later connections do not ask. Before typing yes, compare the fingerprint with the one read on the server itself (ssh-keygen -lf /etc/ssh/ssh_host_ecdsa_key.pub), because this first connection is exactly where an attacker could interpose.
The authenticity of host '10.0.0.8 (10.0.0.8)' can't be established.
ECDSA key fingerprint is SHA256:2JG/jQhQolNkXbiMK9lDAYg1Pm6jhztmsOuEm3NJf0o.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '10.0.0.8' (ECDSA) to the list of known hosts.
root@10.0.0.8's password:
Activate the web console with: systemctl enable --now cockpit.socket

Last login: Sun Jan 16 13:50:28 2022 from 10.0.0.1
[root@Centos8~]#hostname
Centos8.localdomain

Example 2: connect as a specific user

root@ubuntu:~# hostname
ubuntu
root@ubuntu:~# ssh zhanggui@10.0.0.8
zhanggui@10.0.0.8's password:
Activate the web console with: systemctl enable --now cockpit.socket

Last login: Sun Jan 16 15:39:03 2022 from 10.0.0.100
[zhanggui@Centos8~]$ id
uid=1000(zhanggui) gid=1000(zhanggui) groups=1000(zhanggui)
[zhanggui@Centos8~]$ hostname
Centos8.localdomain

Example 3: specify the port and enable compression (no user is given, so the local login name, root, is used)

root@ubuntu:~# ssh -C -p 22 10.0.0.8
root@10.0.0.8's password:
Activate the web console with: systemctl enable --now cockpit.socket

Last login: Sun Jan 16 15:30:51 2022 from 10.0.0.100
[root@Centos8~]#id
uid=0(root) gid=0(root) groups=0(root)
[root@Centos8~]#hostname
Centos8.localdomain

Example 4: advanced usage

#SSH local port forwarding: a local port is tunnelled through sshserver to remotehost:remotehostport
ssh -L localport:remotehost:remotehostport sshserver
-f go to the background after authentication
-N do not open a remote shell, just hold the tunnel
-g allow other hosts to connect to the forwarded local port (gateway mode)

#SSH remote port forwarding: a port on sshserver is tunnelled back through this host to remotehost:remotehostport (the server's GatewayPorts setting decides whether that port may bind to non-loopback addresses)
ssh -R sshserverport:remotehost:remotehostport sshserver

#SSH dynamic port forwarding (SOCKS proxy)
#When Firefox is pointed at port 1080 on this machine as a SOCKS proxy, its requests are forwarded to sshserver, which accesses the internet on its behalf
ssh -D 1080 root@sshserver -fNg


#X11 forwarding
#Example: on Windows, use the X server built into MobaXterm to display Linux graphical tools
[root@centos~]#yum install xorg-x11-xauth xorg-x11-fonts-* xorg-x11-font-utils xorg-x11-fonts-Type1 firefox -y
[root@centos~]#exit
#log in again from MobaXterm (it sets DISPLAY and forwards X11 over the ssh session automatically), then start the program
[root@centos~]#firefox
Example: on Windows, use Xshell's X server to display Linux graphical tools
#point DISPLAY at the Windows host's IP; this is plain X11 over the network, unencrypted, unlike ssh -X
[root@centos~]# export DISPLAY=10.0.0.1:0.0
[root@centos~]# yum -y install xclock
[root@centos~]# xclock
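The first-connection prompt in example 1 is the one moment the client cannot tell the real server from an interposed one, and `-o StrictHostKeyChecking=no` makes that blindness permanent. The following added example (not from the original notes) shows the alternative: pin the host key in known_hosts ahead of time and compare fingerprints obtained out of band (for instance from `ssh-keygen -lf /etc/ssh/ssh_host_ed25519_key.pub` run on the server's console). It assumes ssh-keygen is installed; the generated server_key stands in for the server's /etc/ssh/ssh_host_ed25519_key, 10.0.0.8 is the server address used on this page, and rogue_key is a constructed second key playing a man in the middle.

```shell
#!/bin/sh
# Added example, not from the original notes: pin a server's host key in a
# known_hosts file and check it against an out-of-band fingerprint, instead of
# answering "yes" blindly or using -o StrictHostKeyChecking=no.
# Assumes ssh-keygen (OpenSSH 6.8+ for SHA256 fingerprints), awk and mktemp.
# server_key stands in for the server's /etc/ssh/ssh_host_ed25519_key.
set -u

# sha256_token: print the SHA256:... field from ssh-keygen output on stdin.
sha256_token() {
    awk '{ for (i = 1; i <= NF; i++) if ($i ~ /^SHA256:/) print $i }'
}

# fingerprint_of PUBKEY_FILE: the fingerprint as shown in the ssh prompt.
fingerprint_of() {
    ssh-keygen -l -f "$1" | sha256_token
}

# pin_host_key KNOWN_HOSTS HOST PUBKEY_FILE: append a known_hosts entry for HOST
# and hash the file so it no longer lists which hosts this client talks to.
pin_host_key() {
    kh=$1 host=$2 pub=$3
    printf '%s %s\n' "$host" "$(awk '{ print $1, $2 }' "$pub")" >> "$kh" || return 1
    ssh-keygen -H -f "$kh" >/dev/null 2>&1 || return 1
    rm -f "$kh.old"      # the unhashed copy ssh-keygen leaves behind
}

# pinned_fingerprint KNOWN_HOSTS HOST: fingerprint recorded for HOST, empty if none.
pinned_fingerprint() {
    ssh-keygen -l -F "$2" -f "$1" 2>/dev/null | sha256_token
}

# host_key_matches KNOWN_HOSTS HOST PUBKEY_FILE: 0 if the pinned key is PUBKEY_FILE,
# 1 for an unknown host or a different key (the changed-key / MITM case).
host_key_matches() {
    pinned=$(pinned_fingerprint "$1" "$2")
    [ -n "$pinned" ] && [ "$pinned" = "$(fingerprint_of "$3")" ]
}

# demo: pin the real server key, then show that the real key is accepted while a
# rogue key for the same address and an unknown address are both rejected.
demo() {
    d=$(mktemp -d) || return 1
    ssh-keygen -q -t ed25519 -N '' -f "$d/server_key" || return 1   # the real server
    ssh-keygen -q -t ed25519 -N '' -f "$d/rogue_key"  || return 1   # someone in the middle
    pin_host_key "$d/known_hosts" 10.0.0.8 "$d/server_key.pub" || return 1
    echo "fingerprint to compare against the console: $(fingerprint_of "$d/server_key.pub")"
    host_key_matches "$d/known_hosts" 10.0.0.8 "$d/server_key.pub" || return 1
    host_key_matches "$d/known_hosts" 10.0.0.8 "$d/rogue_key.pub"  && return 1
    host_key_matches "$d/known_hosts" 10.0.0.9 "$d/server_key.pub" && return 1
    rm -rf "$d"
    echo "pinned key accepted; rogue key and unknown host rejected"
}
demo
```

With the entry in place, `ssh -o StrictHostKeyChecking=yes 10.0.0.8` refuses to connect to anything that does not present the pinned key, and the prompt from example 1 never appears. `ssh-keyscan` can fetch a server's key over the network, but what it returns must still be compared with a fingerprint obtained some other way before it is trusted.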

3. Common sshd parameters

3.1 Common parameters in the sshd configuration file

Parameter with its default value, followed by its purpose:

Port 22
    The port sshd listens on. Often changed in production (e.g. 2222 or 8822); this cuts scanner noise but is not a security control by itself.

ListenAddress 0.0.0.0
    The IP address sshd listens on; usually left at 0.0.0.0 (all addresses), but restrict it on multi-homed hosts.

Protocol 2
    SSH protocol version. Only version 2 exists in current OpenSSH (server support for version 1 was removed in 7.4), so the keyword is obsolete.

HostKey /etc/ssh/ssh_host_rsa_key
    Location of the RSA host private key.

HostKey /etc/ssh/ssh_host_dsa_key
    Location of the DSA host private key. DSA is disabled by default in current OpenSSH; the CentOS 8 file in 3.3 ships RSA, ECDSA and Ed25519 host keys instead.

PermitRootLogin yes
    Whether root may log in directly. Ubuntu's default is prohibit-password; CentOS 8 ships with yes (see the file in 3.3), which should be changed to no.

StrictModes yes
    Before accepting a login, check ownership and permissions of the user's home directory and ~/.ssh files, and refuse if they are group- or world-writable.

MaxAuthTries 6
    Maximum authentication attempts per connection.

MaxSessions 10
    Maximum number of open sessions (terminals) per network connection.

PasswordAuthentication yes
    Whether password authentication is allowed; on by default.

PermitEmptyPasswords no
    Whether accounts with empty passwords may log in (insecure); off by default.

AllowAgentForwarding yes
    ssh-agent forwarding, on by default. Root on the intermediate host can use a forwarded agent to authenticate as you, so disable it where it is not needed.

AllowTcpForwarding yes
    TCP port forwarding (-L, -R, -D).

GatewayPorts no
    Whether remote forwards (-R) may bind to non-loopback addresses on the server; must be yes for -R to act as a gateway for other hosts.

LoginGraceTime 2m
    How long an unauthenticated connection may stay open before it is dropped.

ClientAliveInterval 0
    Seconds of inactivity after which the server sends a keep-alive probe to the client; 0 disables the probes.

ClientAliveCountMax 3
    Number of unanswered probes before the connection is closed; works together with the previous setting.

UseDNS no
    Whether to reverse-resolve the client address; off by default, and no keeps logins fast.

GSSAPIAuthentication no
    GSSAPI (Kerberos) authentication; set to no to speed up logins when it is not used.

MaxStartups 10:30:100
    Maximum number of concurrent unauthenticated connections (start:rate:full).

Banner none
    Message shown before login.

AllowUsers
    Users allowed to log in (allowlist).

DenyUsers
    Users not allowed to log in (denylist).

AllowGroups
    Groups allowed to log in (allowlist).

DenyGroups
    Groups not allowed to log in (denylist).

3.2 ssh best practices for production environments
Use a non-default port: change Port (reduces automated scanning noise; not a substitute for the items below)
Do not allow protocol version 1 (current OpenSSH no longer implements it; the Protocol keyword is obsolete)
Restrict who may log in: AllowUsers, DenyUsers, AllowGroups, DenyGroups
Set an idle-session timeout: ClientAliveInterval and ClientAliveCountMax
Enforce the ssh access policy with the firewall: iptables or nftables rules
Listen only on specific IP addresses: ListenAddress
If passwords are used at all, enforce a strong password policy: long random passwords, rotated regularly
Use key-based authentication: keys instead of passwords, then set PasswordAuthentication no
Forbid empty passwords: PermitEmptyPasswords no
Forbid direct root login: PermitRootLogin no
Limit the connection rate and the number of concurrent unauthenticated connections: MaxStartups
Review the logs regularly: sshd logs to /var/log/secure on CentOS (journalctl -u sshd shows the same records)
3.3 The sshd configuration file /etc/ssh/sshd_config
[root@Centos8~]#cat /etc/ssh/sshd_config
#	$OpenBSD: sshd_config,v 1.103 2018/04/09 20:41:22 tj Exp $

# This is the sshd server system-wide configuration file.  See
# sshd_config(5) for more information.

# This sshd was compiled with PATH=/usr/local/bin:/usr/bin:/usr/local/sbin:/usr/sbin

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented.  Uncommented options override the
# default value.

# If you want to change the port on a SELinux system, you have to tell
# SELinux about this change.
# semanage port -a -t ssh_port_t -p tcp #PORTNUMBER
#
#Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::

HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key

# Ciphers and keying
#RekeyLimit default none

# This system is following system-wide crypto policy. The changes to
# crypto properties (Ciphers, MACs, ...) will not have any effect here.
# They will be overridden by command-line options passed to the server
# on command line.
# Please, check manual pages for update-crypto-policies(8) and sshd_config(5).

# Logging
#SyslogFacility AUTH
SyslogFacility AUTHPRIV
#LogLevel INFO

# Authentication:

#LoginGraceTime 2m
PermitRootLogin yes
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10

#PubkeyAuthentication yes

# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
# but this is overridden so installations will only check .ssh/authorized_keys
AuthorizedKeysFile .ssh/authorized_keys

#AuthorizedPrincipalsFile none

#AuthorizedKeysCommand none
#AuthorizedKeysCommandUser nobody

# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes

# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
#PermitEmptyPasswords no
PasswordAuthentication yes

# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes
ChallengeResponseAuthentication no

# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no
#KerberosUseKuserok yes

# GSSAPI options
GSSAPIAuthentication no
GSSAPICleanupCredentials no
#GSSAPIStrictAcceptorCheck yes
#GSSAPIKeyExchange no
#GSSAPIEnablek5users no

# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication.  Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
# WARNING: 'UsePAM no' is not supported in Fedora and may cause several
# problems.
UsePAM yes

#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
X11Forwarding yes
#X11DisplayOffset 10
#X11UseLocalhost yes
#PermitTTY yes

# It is recommended to use pam_motd in /etc/pam.d/sshd instead of PrintMotd,
# as it is more configurable and versatile than the built-in version.
PrintMotd no

#PrintLastLog yes
#TCPKeepAlive yes
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
UseDNS no
#PidFile /var/run/sshd.pid
#MaxStartups 10:30:100
#PermitTunnel no
#ChrootDirectory none
#VersionAddendum none

# no default banner path
#Banner none

# Accept locale-related environment variables
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
AcceptEnv XMODIFIERS

# override default of no subsystems
Subsystem sftp /usr/libexec/openssh/sftp-server

# Example of overriding settings on a per-user basis
#Match User anoncvs
#	X11Forwarding no
#	AllowTcpForwarding no
#	PermitTTY no
#	ForceCommand cvs server
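An added example, not part of the original notes, that checks an sshd_config against the section 3.2 checklist. It reads the file the way sshd does: comment lines are ignored, the first uncommented occurrence of a keyword wins, and everything after the first Match line is conditional and not part of the global policy. Both configuration files are constructed for the example: the "weak" one mirrors the active lines of the CentOS 8 file in section 3.3, the "hardened" one is the same host with the checklist applied. It assumes a POSIX shell with awk, tr and mktemp; the Keyword=value spelling sshd also accepts is not handled.

```shell
#!/bin/sh
# Added example (not from the original notes): audit an sshd_config against the
# section 3.2 checklist. Reads the file as sshd does: comments ignored, first
# uncommented occurrence of a keyword wins, nothing after the first "Match" line
# counts as global policy. Assumes POSIX sh, awk, tr, mktemp; the "Keyword=value"
# spelling that sshd also accepts is not handled. Sample configs are constructed.
set -u

# effective_value FILE KEYWORD DEFAULT: the global value sshd would use, or
# DEFAULT (the compiled-in default) when the keyword is not set.
effective_value() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" -v def="$3" '
        /^[ \t]*(#|$)/               { next }               # comment or blank line
        tolower($1) == "match"       { exit }               # end of the global section
        tolower($1) == key && !found { found = 1; print $2 }
        END                          { if (!found) print def }
    ' "$1"
}

# audit_sshd_config FILE: one finding per line; prints nothing for a clean file.
audit_sshd_config() {
    f=$1
    want() {   # KEYWORD DEFAULT WANTED MESSAGE
        v=$(effective_value "$f" "$1" "$2")
        [ "$(printf '%s' "$v" | tr 'A-Z' 'a-z')" = "$3" ] || echo "$1 $v: $4"
    }
    want PermitRootLogin prohibit-password no "no direct root login; log in as a user and use sudo"
    want PasswordAuthentication yes no "key-based authentication only"
    want PermitEmptyPasswords no no "empty passwords must stay disabled"
    want PubkeyAuthentication yes yes "public-key authentication must stay enabled"
    want X11Forwarding no no "X11 forwarding exposes client displays to the server; leave it off"
    want UseDNS no no "reverse lookups add delay and no security"

    port=$(effective_value "$f" Port 22)
    [ "$port" != 22 ] || echo "Port 22: move off the default port to cut scanner noise"
    listen=$(effective_value "$f" ListenAddress 0.0.0.0)
    case $listen in 0.0.0.0|::|'') echo "ListenAddress $listen: bind to a specific address";; esac
    tries=$(effective_value "$f" MaxAuthTries 6)
    [ "$tries" -le 3 ] || echo "MaxAuthTries $tries: allow at most 3 attempts per connection"
    interval=$(effective_value "$f" ClientAliveInterval 0)
    [ "$interval" -gt 0 ] || echo "ClientAliveInterval $interval: idle sessions never time out"
    allow="$(effective_value "$f" AllowUsers '')$(effective_value "$f" AllowGroups '')"
    [ -n "$allow" ] || echo "AllowUsers/AllowGroups unset: every local account may log in"
}

# count_findings FILE: number of findings, 0 for a hardened file.
count_findings() { audit_sshd_config "$1" | awk 'END { print NR }'; }

# Constructed sample files: "weak" mirrors the active lines of the CentOS 8
# default in section 3.3 (plus a Match block, to show it is ignored);
# "hardened" is the same host after the section 3.2 checklist.
demo_dir=$(mktemp -d)
WEAK_CONF=$demo_dir/weak.conf
HARDENED_CONF=$demo_dir/hardened.conf
cat > "$WEAK_CONF" <<'EOF'
#Port 22
#ListenAddress 0.0.0.0
HostKey /etc/ssh/ssh_host_ed25519_key
PermitRootLogin yes
#MaxAuthTries 6
PasswordAuthentication yes
ChallengeResponseAuthentication no
UsePAM yes
X11Forwarding yes
UseDNS no
#ClientAliveInterval 0
Subsystem sftp /usr/libexec/openssh/sftp-server
Match User anoncvs
    PermitRootLogin no
EOF
cat > "$HARDENED_CONF" <<'EOF'
Port 2222
ListenAddress 10.0.0.8
PermitRootLogin no
MaxAuthTries 3
PubkeyAuthentication yes
PasswordAuthentication no
PermitEmptyPasswords no
X11Forwarding no
ClientAliveInterval 300
ClientAliveCountMax 2
AllowGroups sshusers
UseDNS no
EOF

audit_sshd_config "$WEAK_CONF"
echo "weak: $(count_findings "$WEAK_CONF") findings, hardened: $(count_findings "$HARDENED_CONF") findings"
```

Run it against the real file with `audit_sshd_config /etc/ssh/sshd_config`, and after editing validate with `sshd -t` before restarting, since a syntax error leaves the next restart without a working sshd. The PermitRootLogin no inside the Match block does not count: sshd applies it only to sessions matching the block, which is why the global line is what the audit reads.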

4. Set up a DHCP server to hand out IP addresses

4.1 Check for and install the package
[root@Centos8~]#rpm -ql dhcp-server
package dhcp-server is not installed
[root@Centos8~]#yum provides dhcp-server
Last metadata expiration check: 28 days, 4:02:42 ago on Sun 19 Dec 2021 12:38:39 PM CST.
dhcp-server-12:4.3.6-45.el8.x86_64 : Provides the ISC DHCP server
Repo : BaseOS
Matched from:
Provide : dhcp-server = 12:4.3.6-45.el8

[root@Centos8~]#yum install dhcp-server-12:4.3.6-45.el8.x86_64
BaseOS 39 kB/s | 3.9 kB 00:00
BaseOS 6.2 MB/s | 4.6 MB 00:00
AppStream 59 kB/s | 4.3 kB 00:00
AppStream 7.7 MB/s | 8.4 MB 00:01
EPEL 15 kB/s | 4.7 kB 00:00
EPEL 8.6 MB/s | 11 MB 00:01
extras 15 kB/s | 1.5 kB 00:00
centosplus 13 kB/s | 1.5 kB 00:00
centosplus 1.6 MB/s | 610 kB 00:00
PowerTools 18 kB/s | 4.3 kB 00:00
PowerTools 4.1 MB/s | 2.3 MB 00:00
Dependencies resolved.
=====================================================================================================
Package Architecture Version Repository Size
=====================================================================================================
Installing:
dhcp-server x86_64 12:4.3.6-45.el8 BaseOS 530 k
Installing dependencies:
bind-export-libs x86_64 32:9.11.26-6.el8 BaseOS 1.1 M
dhcp-common noarch 12:4.3.6-45.el8 BaseOS 207 k
dhcp-libs x86_64 12:4.3.6-45.el8 BaseOS 148 k

Transaction Summary
=====================================================================================================
Install 4 Packages

Total download size: 2.0 M
Installed size: 4.6 M
Is this ok [y/N]: y
Downloading Packages:
(1/4): dhcp-common-4.3.6-45.el8.noarch.rpm 900 kB/s | 207 kB 00:00
(2/4): dhcp-libs-4.3.6-45.el8.x86_64.rpm 630 kB/s | 148 kB 00:00
(3/4): bind-export-libs-9.11.26-6.el8.x86_64.rpm 3.2 MB/s | 1.1 MB 00:00
(4/4): dhcp-server-4.3.6-45.el8.x86_64.rpm 1.9 MB/s | 530 kB 00:00
-----------------------------------------------------------------------------------------------------
Total 3.9 MB/s | 2.0 MB 00:00
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
Preparing : 1/1
Installing : dhcp-libs-12:4.3.6-45.el8.x86_64 1/4
Installing : dhcp-common-12:4.3.6-45.el8.noarch 2/4
Installing : bind-export-libs-32:9.11.26-6.el8.x86_64 3/4
Running scriptlet: bind-export-libs-32:9.11.26-6.el8.x86_64 3/4
Running scriptlet: dhcp-server-12:4.3.6-45.el8.x86_64 4/4
Installing : dhcp-server-12:4.3.6-45.el8.x86_64 4/4
Running scriptlet: dhcp-server-12:4.3.6-45.el8.x86_64 4/4
Verifying : bind-export-libs-32:9.11.26-6.el8.x86_64 1/4
Verifying : dhcp-common-12:4.3.6-45.el8.noarch 2/4
Verifying : dhcp-libs-12:4.3.6-45.el8.x86_64 3/4
Verifying : dhcp-server-12:4.3.6-45.el8.x86_64 4/4

Installed:
bind-export-libs-32:9.11.26-6.el8.x86_64 dhcp-common-12:4.3.6-45.el8.noarch
dhcp-libs-12:4.3.6-45.el8.x86_64 dhcp-server-12:4.3.6-45.el8.x86_64

Complete!
4.2 Verify the installed package, copy the template and edit the configuration file
[root@Centos8~]#rpm -ql dhcp-server
/etc/NetworkManager
/etc/NetworkManager/dispatcher.d
/etc/dhcp
/etc/dhcp/dhcpd.conf
/etc/dhcp/dhcpd6.conf
/etc/openldap/schema
/etc/openldap/schema/dhcp.schema
/etc/sysconfig/dhcpd
/usr/bin/omshell
/usr/lib/.build-id
/usr/lib/.build-id/4a
/usr/lib/.build-id/4a/dab9a373b30d2cf3756b7eae76e04b964106ee
/usr/lib/.build-id/58
/usr/lib/.build-id/58/01369e8a07b56c0426ed16d31a0a4e8283d84d
/usr/lib/systemd/system/dhcpd.service
/usr/lib/systemd/system/dhcpd6.service
/usr/sbin/dhcpd
/usr/share/doc/dhcp-server
/usr/share/doc/dhcp-server/dhcp-lease-list.pl
/usr/share/doc/dhcp-server/dhcpd.conf.example
/usr/share/doc/dhcp-server/dhcpd6.conf.example
/usr/share/doc/dhcp-server/ldap
/usr/share/doc/dhcp-server/ldap/README.ldap
/usr/share/doc/dhcp-server/ldap/dhcp.schema
/usr/share/doc/dhcp-server/ldap/dhcpd-conf-to-ldap
/usr/share/man/man1/omshell.1.gz
/usr/share/man/man5/dhcpd.conf.5.gz
/usr/share/man/man5/dhcpd.leases.5.gz
/usr/share/man/man8/dhcpd.8.gz
/var/lib/dhcpd
/var/lib/dhcpd/dhcpd.leases
/var/lib/dhcpd/dhcpd6.leases

# Look at the default dhcpd.conf: it is essentially empty and only points at the example file
[root@Centos8~]#cat /etc/dhcp/dhcpd.conf
#
# DHCP Server Configuration file.
#   see /usr/share/doc/dhcp-server/dhcpd.conf.example
#   see dhcpd.conf(5) man page
#

# Copy the template over it and edit it
[root@Centos8~]#cp /usr/share/doc/dhcp-server/dhcpd.conf.example /etc/dhcp/dhcpd.conf
cp: overwrite '/etc/dhcp/dhcpd.conf'? y
[root@Centos8~]#vim /etc/dhcp/dhcpd.conf
# Change the two blocks below: the domain name, DNS servers and lease times, and a subnet with its address range and router. Everything else in the file is untouched sample data; on a real server delete the leftover example subnets, hosts and the class/shared-network block, and uncomment authoritative; so that this server answers with DHCPNAK when a client requests an address it does not manage.
option domain-name "startsinfo.com";
option domain-name-servers 114.114.114.114, 8.8.8.8;

default-lease-time 60000;
max-lease-time 720000;

# DHCP server to understand the network topology.

subnet 192.168.250.0 netmask 255.255.255.0 {
range 192.168.250.11 192.168.250.30;
option routers 192.168.250.254;
}

[root@Centos8~]#cat /etc/dhcp/dhcpd.conf
# dhcpd.conf
#
# Sample configuration file for ISC dhcpd
#

# option definitions common to all supported networks...
option domain-name "startsinfo.com";
option domain-name-servers 114.114.114.114, 8.8.8.8;

default-lease-time 60000;
max-lease-time 720000;

# Use this to enble / disable dynamic dns updates globally.
#ddns-update-style none;

# If this DHCP server is the official DHCP server for the local
# network, the authoritative directive should be uncommented.
#authoritative;

# Use this to send dhcp log messages to a different log file (you also
# have to hack syslog.conf to complete the redirection).
log-facility local7;

# No service will be given on this subnet, but declaring it helps the
# DHCP server to understand the network topology.

subnet 192.168.250.0 netmask 255.255.255.0 {
  range 192.168.250.11 192.168.250.30;
  option routers 192.168.250.254;
}

# This is a very basic subnet declaration.

subnet 10.254.239.0 netmask 255.255.255.224 {
  range 10.254.239.10 10.254.239.20;
  option routers rtr-239-0-1.example.org, rtr-239-0-2.example.org;
}

# This declaration allows BOOTP clients to get dynamic addresses,
# which we don't really recommend.

subnet 10.254.239.32 netmask 255.255.255.224 {
  range dynamic-bootp 10.254.239.40 10.254.239.60;
  option broadcast-address 10.254.239.31;
  option routers rtr-239-32-1.example.org;
}

# A slightly different configuration for an internal subnet.
subnet 10.5.5.0 netmask 255.255.255.224 {
  range 10.5.5.26 10.5.5.30;
  option domain-name-servers ns1.internal.example.org;
  option domain-name "internal.example.org";
  option routers 10.5.5.1;
  option broadcast-address 10.5.5.31;
  default-lease-time 600;
  max-lease-time 7200;
}

# Hosts which require special configuration options can be listed in
# host statements.   If no address is specified, the address will be
# allocated dynamically (if possible), but the host-specific information
# will still come from the host declaration.

host passacaglia {
  hardware ethernet 0:0:c0:5d:bd:95;
  filename "vmunix.passacaglia";
  server-name "toccata.example.com";
}

# Fixed IP addresses can also be specified for hosts.   These addresses
# should not also be listed as being available for dynamic assignment.
# Hosts for which fixed IP addresses have been specified can boot using
# BOOTP or DHCP.   Hosts for which no fixed address is specified can only
# be booted with DHCP, unless there is an address range on the subnet
# to which a BOOTP client is connected which has the dynamic-bootp flag
# set.
host fantasia {
  hardware ethernet 08:00:07:26:c0:a5;
  fixed-address fantasia.example.com;
}

# You can declare a class of clients and then do address allocation
# based on that.   The example below shows a case where all clients
# in a certain class get addresses on the 10.17.224/24 subnet, and all
# other clients get addresses on the 10.0.29/24 subnet.

class "foo" {
  match if substring (option vendor-class-identifier, 0, 4) = "SUNW";
}

shared-network 224-29 {
  subnet 10.17.224.0 netmask 255.255.255.0 {
    option routers rtr-224.example.org;
  }
  subnet 10.0.29.0 netmask 255.255.255.0 {
    option routers rtr-29.example.org;
  }
  pool {
    allow members of "foo";
    range 10.17.224.10 10.17.224.250;
  }
  pool {
    deny members of "foo";
    range 10.0.29.10 10.0.29.230;
  }
}
4.3 Start the dhcp service and verify
# Check the syntax first with dhcpd -t -cf /etc/dhcp/dhcpd.conf, then enable and start the unit (systemctl enable --now dhcpd). In the status output note that dhcpd drops to the unprivileged dhcpd user and group, and that it serves only the interface whose network has a subnet declaration (eth0); virbr0 is ignored because no subnet matches it.
[root@Centos8~]#systemctl status dhcpd
● dhcpd.service - DHCPv4 Server Daemon
Loaded: loaded (/usr/lib/systemd/system/dhcpd.service; enabled; vendor preset: disabled)
Active: active (running) since Sun 2022-01-16 17:13:06 CST; 2s ago
Docs: man:dhcpd(8)
man:dhcpd.conf(5)
Main PID: 34285 (dhcpd)
Status: "Dispatching packets..."
Tasks: 1 (limit: 11231)
Memory: 5.4M
CGroup: /system.slice/dhcpd.service
└─34285 /usr/sbin/dhcpd -f -cf /etc/dhcp/dhcpd.conf -user dhcpd -group dhcpd --no-pid

Jan 16 17:13:06 Centos8.localdomain dhcpd[34285]: ** Ignoring requests on virbr0. If this is not what
Jan 16 17:13:06 Centos8.localdomain dhcpd[34285]: you want, please write a subnet declaration
Jan 16 17:13:06 Centos8.localdomain dhcpd[34285]: in your dhcpd.conf file for the network segment
Jan 16 17:13:06 Centos8.localdomain dhcpd[34285]: to which interface virbr0 is attached. **
Jan 16 17:13:06 Centos8.localdomain dhcpd[34285]:
Jan 16 17:13:06 Centos8.localdomain dhcpd[34285]: Listening on LPF/eth0/00:0c:29:18:d0:d9/192.168.250.0/24
Jan 16 17:13:06 Centos8.localdomain dhcpd[34285]: Sending on LPF/eth0/00:0c:29:18:d0:d9/192.168.250.0/24
Jan 16 17:13:06 Centos8.localdomain dhcpd[34285]: Sending on Socket/fallback/fallback-net
Jan 16 17:13:06 Centos8.localdomain dhcpd[34285]: Server starting service.
Jan 16 17:13:06 Centos8.localdomain systemd[1]: Started DHCPv4 Server Daemon.

4.4 Add a new network interface on a client machine and verify that it obtains an address via DHCP

[root@Centos7~]#ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
link/ether 00:0c:29:6a:3d:12 brd ff:ff:ff:ff:ff:ff
inet 192.168.250.7/24 brd 192.168.250.255 scope global noprefixroute ens192
valid_lft forever preferred_lft forever
inet6 fe80::938d:47d9:e863:bd67/64 scope link noprefixroute
valid_lft forever preferred_lft forever
# Below is the address the newly added interface obtained automatically
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
link/ether 00:0c:29:6a:3d:1c brd ff:ff:ff:ff:ff:ff
inet 192.168.250.11/24 brd 192.168.250.255 scope global noprefixroute dynamic ens224
valid_lft 59332sec preferred_lft 59332sec
inet6 fe80::3ada:8cc9:59de:52d6/64 scope link noprefixroute
valid_lft forever preferred_lft forever
# The lease database is /var/lib/dhcpd/dhcpd.leases (listed by rpm -ql above)
[root@Centos8~]#cat dhcpd.leases
# The format of this file is documented in the dhcpd.leases(5) manual page.
# This lease file was written by isc-dhcp-4.3.6

# authoring-byte-order entry is generated, DO NOT DELETE
authoring-byte-order little-endian;

server-duid "\000\001\000\001)r\226\014\000\014)\030\320\331";

lease 192.168.250.11 {
starts 4 2022/01/13 08:23:49;
ends 5 2022/01/14 01:03:49;
cltt 4 2022/01/13 08:23:49;
binding state active;
next binding state free;
rewind binding state free;
hardware ethernet 00:0c:29:6a:3d:1c;
client-hostname "CentOS7";
}
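dhcpd.leases is an append-only journal: a new record for the same address is written after the old one and the last record wins, so listing who currently holds which address means parsing to the end of the file. The added example below (not from the original notes) does that and then flags active leases whose MAC address is not on an allowlist, which is the quickest way to notice an unexpected device on the segment. The lease file and allowlist are constructed for the example, seeded with the lease shown above plus two invented records; it assumes POSIX sh, awk, sort and mktemp.

```shell
#!/bin/sh
# Added example (not from the original notes): parse dhcpd.leases, list active
# leases, and flag leases held by MAC addresses that are not on an allowlist.
# Assumes POSIX sh, awk, sort and mktemp. The sample data below is constructed.
set -u

# active_leases FILE: "IP MAC hostname" for every address whose LAST record says
# "binding state active". Later records override earlier ones, as dhcpd intends.
active_leases() {
    awk '
        /^lease /                            { ip = $2; mac = "-"; host = "-"; state = ""; next }
        ip == ""                             { next }           # outside a lease block
        $1 == "binding" && $2 == "state"     { state = $3; sub(/;$/, "", state); next }
        $1 == "hardware" && $2 == "ethernet" { mac = tolower($3); sub(/;$/, "", mac); next }
        $1 == "client-hostname"              { host = $2; gsub(/[";]/, "", host); next }
        /^}/                                 { STATE[ip] = state; MAC[ip] = mac; HOST[ip] = host; ip = ""; next }
        END { for (a in STATE) if (STATE[a] == "active") printf "%s %s %s\n", a, MAC[a], HOST[a] }
    ' "$1" | sort
}

# unknown_clients LEASES ALLOWLIST: active leases whose MAC is not in ALLOWLIST
# (one "mac description" per line; blank lines and # comments are skipped).
unknown_clients() {
    active_leases "$1" | awk '
        FILENAME == ARGV[1] { if (NF && $1 !~ /^#/) ok[tolower($1)] = 1; next }
        !($2 in ok)
    ' "$2" -
}

# Constructed sample: the lease from the notes, an address that was leased and
# then released (two records, the later one wins), and an unknown device.
demo_dir=$(mktemp -d)
LEASES=$demo_dir/dhcpd.leases
ALLOWLIST=$demo_dir/known-macs.txt
cat > "$LEASES" <<'EOF'
# The format of this file is documented in the dhcpd.leases(5) manual page.
authoring-byte-order little-endian;

lease 192.168.250.11 {
  starts 4 2022/01/13 08:23:49;
  ends 5 2022/01/14 01:03:49;
  cltt 4 2022/01/13 08:23:49;
  binding state active;
  next binding state free;
  rewind binding state free;
  hardware ethernet 00:0c:29:6a:3d:1c;
  client-hostname "CentOS7";
}
lease 192.168.250.12 {
  starts 4 2022/01/13 09:00:00;
  ends 5 2022/01/14 01:40:00;
  binding state active;
  next binding state free;
  hardware ethernet 00:0c:29:aa:bb:cc;
  client-hostname "printer";
}
lease 192.168.250.12 {
  starts 4 2022/01/13 09:30:00;
  ends 4 2022/01/13 09:30:00;
  binding state free;
  hardware ethernet 00:0c:29:aa:bb:cc;
}
lease 192.168.250.13 {
  starts 4 2022/01/13 10:00:00;
  ends 5 2022/01/14 02:40:00;
  binding state active;
  next binding state free;
  hardware ethernet de:ad:be:ef:00:01;
  client-hostname "unknown-laptop";
}
EOF
cat > "$ALLOWLIST" <<'EOF'
# mac               owner
00:0c:29:6a:3d:1c   CentOS7 test VM
00:0c:29:aa:bb:cc   office printer
EOF

echo "active leases:";    active_leases "$LEASES"
echo "not on allowlist:"; unknown_clients "$LEASES" "$ALLOWLIST"
```

On the server the same functions run against /var/lib/dhcpd/dhcpd.leases; a MAC address is trivially spoofed, so an entry on the allowlist only says the device claims to be known, but a lease for an address nobody recognises is still the first sign of an unexpected host, or of a second, rogue DHCP server if clients start receiving addresses outside the declared range.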