Securing Data

Openssl

*generating digital certificates
#openssl genrsa -out server1.key.pem 1024
#openssl req -new -key server1.key.pem -out server1.csr.pem
#openssl req -new -key server1.key.pem -out server1.crt.pem


%make dovecot.pem (使用己經寫好MakeFile)
#cd /etc/pki/tls/certs/
#make dovecot.pem

%openssh authentication
#ssh-keygen -t dsa [或rsa]

[root@server118 netfilter]# ssh-keygen -t dsa
Generating public/private dsa key pair.
Enter file in which to save the key (/root/.ssh/id_dsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_dsa.
Your public key has been saved in /root/.ssh/id_dsa.pub.
The key fingerprint is:
a2:7b:4d:f9:2c:57:f1:5d:c4:39:44:c2:fa:7e:8a:f4 root@server118.example.com
[root@server118 netfilter]#

(1)SSH

Packages: openssh, openssh-clients, openssh-server
Daemon: /usr/sbin/sshd
Script: /etc/init.d/sshd
Port: 22
Configuration: /etc/ssh/*, $HOME/.ssh/
Related: openssl, openssh-askpass, open-askpass-gnome, tcp-wrappers

OpenSSH Server
configuration file: /etc/ssh/sshd_config

---略---
#listening port
#Port 22

#ssh2(DSA), ssh1(RSA), use ssh2
#Protocol 2,1
Protocol 2

#listening on multiple interfaces
#ListenAddress 0.0.0.0

---略---
# no default banner path
#Banner /some/path
---略---

*command
#ssh hostname
#ssh user@hostname
#ssh hostname remote-command

#scp file user@host:remote-dir
#scp -r user@host:remote-dir localdir

%Port Forwarding
#ssh -L clientport:host:hostport localhost
Ex:
#ssh -L 3025:mail.example.com:25 -N station1.example.com

%Managing Keys

#ssh-add
adds RSA or DSA identities to the authentication agent
#ssh-agent
authentication agent
#ssh-copy-id
install your identity.pub in a remote machine’s authorized_keys

Ex:
[root@server118 ssh]# ssh-keygen -p -f ~/.ssh/id_dsa
Key has comment '/root/.ssh/id_dsa'
Enter new passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved with the new passphrase.

[root@server118 ssh]# eval $(ssh-agent)
Agent pid 4749

[root@server118 ssh]# ssh-add
Identity added: /root/.ssh/id_dsa (/root/.ssh/id_dsa)

#ssh-copy-id -i ~/.ssh/id_dsa.pub server1
(將pub-key存到server1: ~/.ssh/authorized_keys, 連線不用打密碼)

Lab:

%vnc使用安全連線(ssh tunnel)
[root@server118 ssh]#ssh -L 5901:server1:5901 server118
[root@server118 ssh]#vncviewer server118:5901


arrow
arrow
    全站熱搜
    創作者介紹
    創作者 aquatower 的頭像
    aquatower

    2006隨手札記

    aquatower 發表在 痞客邦 留言(0) 人氣()