Securing Data

Openssl

*generating digital certificates
#openssl genrsa -out server1.key.pem 1024
#openssl req -new -key server1.key.pem -out server1.csr.pem
#openssl req -new -x509 -key server1.key.pem -out server1.crt.pem
(the second command produces a signing request for a CA; the third needs -x509 so that req emits a self-signed certificate rather than another request. 1024-bit RSA is what the course used; current practice is 2048 bits or more.)

%make dovecot.pem (uses the Makefile already provided in that directory)
#cd /etc/pki/tls/certs/
#make dovecot.pem

%openssh authentication
#ssh-keygen -t dsa [or rsa]

[root@server118 netfilter]# ssh-keygen -t dsa
Generating public/private dsa key pair.
Enter file in which to save the key (/root/.ssh/id_dsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_dsa.
Your public key has been saved in /root/.ssh/id_dsa.pub.
The key fingerprint is:
a2:7b:4d:f9:2c:57:f1:5d:c4:39:44:c2:fa:7e:8a:f4 root@server118.example.com
[root@server118 netfilter]#

(1)SSH
Packages: openssh, openssh-clients, openssh-server
Daemon: /usr/sbin/sshd
Script: /etc/init.d/sshd
Port: 22
Configuration: /etc/ssh/*, $HOME/.ssh/
Related: openssl, openssh-askpass, openssh-askpass-gnome, tcp-wrappers

OpenSSH Server configuration file: /etc/ssh/sshd_config
---snip---
#listening port
#Port 22
#ssh2(DSA), ssh1(RSA), use ssh2
#Protocol 2,1
Protocol 2
#listening on multiple interfaces
#ListenAddress 0.0.0.0
---snip---
# no default banner path
#Banner /some/path
---snip---

*command
#ssh hostname
#ssh user@hostname
#ssh hostname remote-command
#scp file user@host:remote-dir
#scp -r user@host:remote-dir localdir

%Port Forwarding
#ssh -L clientport:host:hostport localhost
Ex:
#ssh -L 3025:mail.example.com:25 -N station1.example.com

%Managing Keys
#ssh-add      adds RSA or DSA identities to the authentication agent
#ssh-agent    authentication agent
#ssh-copy-id  install your identity.pub in a remote machine's authorized_keys
Ex:
[root@server118 ssh]# ssh-keygen -p -f ~/.ssh/id_dsa
Key has comment '/root/.ssh/id_dsa'
Enter new passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved with the new passphrase.
[root@server118 ssh]# eval $(ssh-agent)
Agent pid 4749
[root@server118 ssh]# ssh-add
Identity added: /root/.ssh/id_dsa (/root/.ssh/id_dsa)
#ssh-copy-id -i ~/.ssh/id_dsa.pub server1
(copies the public key into ~/.ssh/authorized_keys on server1, so later logins need no password)

Lab:
%VNC over a secure connection (ssh tunnel)
[root@server118 ssh]# ssh -L 5901:server1:5901 server118
[root@server118 ssh]# vncviewer server118:5901
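The three openssl commands under "generating digital certificates" are easy to get subtly wrong (a req without -x509 just writes a second CSR). The script below is an added example, not part of the original notes: it builds a key, a CSR and a self-signed certificate, then checks that the certificate really carries the key's modulus and that issuer equals subject. It assumes openssl is on PATH; the subject names, the file names and the scratch directory are made up for the example.

```shell
#!/bin/sh
# Added example, not from the original notes: build a key, a CSR and a
# self-signed certificate with openssl, then check that the certificate
# belongs to the key and is self-signed. Assumes openssl on PATH; the
# subject names and the scratch directory are made up for the example.

WORK="${WORK:-$(mktemp -d)}"   # where the .pem files go

make_cert_set() {
    # $1 = base file name, $2 = subject, e.g. "/CN=server1.example.com"
    base="$WORK/$1"
    # 2048-bit key (the course notes used 1024, which is too short today)
    openssl genrsa -out "$base.key.pem" 2048 2>/dev/null || return 1
    # certificate signing request, the thing you hand to a CA
    openssl req -new -key "$base.key.pem" -subj "$2" \
        -out "$base.csr.pem" 2>/dev/null || return 1
    # -x509 makes req emit a self-signed certificate instead of another CSR
    openssl req -new -x509 -days 365 -key "$base.key.pem" -subj "$2" \
        -out "$base.crt.pem" 2>/dev/null || return 1
}

key_matches_cert() {
    # $1 = key base name, $2 = cert base name
    # prints "match" if key and certificate share the same RSA modulus
    k=$(openssl rsa  -noout -modulus -in "$WORK/$1.key.pem" 2>/dev/null)
    c=$(openssl x509 -noout -modulus -in "$WORK/$2.crt.pem" 2>/dev/null)
    if [ -n "$k" ] && [ "$k" = "$c" ]; then echo match; else echo mismatch; fi
}

is_self_signed() {
    # prints "yes" when issuer and subject of the certificate are identical
    s=$(openssl x509 -noout -subject -in "$WORK/$1.crt.pem" 2>/dev/null | sed 's/^subject=//')
    i=$(openssl x509 -noout -issuer  -in "$WORK/$1.crt.pem" 2>/dev/null | sed 's/^issuer=//')
    if [ -n "$s" ] && [ "$s" = "$i" ]; then echo yes; else echo no; fi
}
```

Source the file and run `make_cert_set server1 /CN=server1.example.com`, then `key_matches_cert server1 server1` and `is_self_signed server1`; the modulus comparison is the same check an operator uses to make sure a certificate delivered by a CA actually belongs to the private key on the server.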
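The sshd_config excerpt above shows "#Protocol 2,1" commented out and "Protocol 2" set, which is the right shape; what the notes do not say is that sshd takes the first occurrence of a keyword and ignores later ones, so a "Protocol 2" appended at the bottom of a file that still says "Protocol 2,1" near the top changes nothing. The following added example (not from the original notes) computes the effective value of any keyword with those semantics; it assumes the "Keyword value" syntax and stops at the first Match block, whose settings are conditional. The two sample configs are constructed.

```shell
#!/bin/sh
# Added example, not from the original notes: find the *effective* value of
# an sshd_config keyword. sshd honours the FIRST occurrence of a keyword and
# ignores later ones. Assumes "Keyword value" syntax (not "Keyword=value")
# and stops at the first Match block, because settings below it are conditional.

effective_setting() {
    # $1 = config file, $2 = keyword (matched case-insensitively)
    key=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    awk -v key="$key" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }         # comments and blank lines
        tolower($1) == "match"   { exit }         # end of the global section
        tolower($1) == key {                      # first hit wins
            sub(/^[ \t]*[^ \t]+[ \t]+/, "")       # drop the keyword itself
            print; exit
        }' "$1"
}

allows_protocol1() {
    # "yes" if protocol 1 is enabled, "no" if not, "unset" if no Protocol line
    v=$(effective_setting "$1" Protocol)
    [ -n "$v" ] || { echo unset; return; }
    case ",$(printf '%s' "$v" | tr -d ' ")," in
        *,1,*) echo yes ;;
        *)     echo no  ;;
    esac
}

write_weak_config() {
    # constructed sample: "2,1" near the top, a well-meant "Protocol 2" at the end
    cat > "$1" <<'EOF'
#Port 22
#Protocol 2,1
Protocol 2,1
ListenAddress 0.0.0.0
PermitRootLogin yes
Protocol 2
EOF
}

write_hardened_config() {
    # constructed sample: protocol 2 only, root login off except from one network
    cat > "$1" <<'EOF'
Port 22
Protocol 2
ListenAddress 0.0.0.0
PermitRootLogin no
Match Address 10.0.0.0/8
    PermitRootLogin yes
EOF
}
```

`allows_protocol1 /etc/ssh/sshd_config` is the check to run after editing the file; `sshd -T` prints the same effective values on OpenSSH versions that support it and is the authoritative answer where available.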
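The notes describe ssh-copy-id only by its effect ("install your identity.pub in a remote machine's authorized_keys"). The added example below, which is not the ssh-copy-id source and not part of the original notes, writes that remote-side step out by hand on a local directory: it appends one public key line, creates ~/.ssh and authorized_keys with the 700/600 permissions sshd's StrictModes expects (a common reason key login silently falls back to passwords), and refuses to add the same key twice. The key line used in the test is constructed, not a real key.

```shell
#!/bin/sh
# Added example, not from the original notes: what ssh-copy-id does on the
# remote side, written out by hand. Appends one OpenSSH public key line to
# authorized_keys, creates the directory and file with the permissions sshd's
# StrictModes requires (700 / 600), and does not add the same key twice.
# $2 is a local directory here; ssh-copy-id does the same over ssh.

install_pubkey() {
    # $1 = public key file ("type base64 [comment]"), $2 = target .ssh directory
    pub=$1; dir=$2; auth="$dir/authorized_keys"
    key_type=$(awk 'NR == 1 { print $1 }' "$pub")
    key_blob=$(awk 'NR == 1 { print $2 }' "$pub")
    case "$key_type" in
        ssh-rsa|ssh-dss|ssh-ed25519|ecdsa-sha2-*) ;;
        *) echo "not an OpenSSH public key: $pub" >&2; return 1 ;;
    esac
    [ -n "$key_blob" ] || { echo "no key material in $pub" >&2; return 1; }
    mkdir -p "$dir" && chmod 700 "$dir" || return 1
    touch "$auth" && chmod 600 "$auth" || return 1
    # compare the base64 blob field by field, so a different comment or an
    # options prefix such as from="..." does not lead to a duplicate entry
    if awk -v blob="$key_blob" '
            { for (i = 1; i <= NF; i++) if ($i == blob) found = 1 }
            END { exit !found }' "$auth"; then
        echo exists
        return 0
    fi
    head -n 1 "$pub" >> "$auth" || return 1
    echo added
}

count_keys() {
    # number of non-comment, non-blank lines in an authorized_keys file
    grep -c '^[^#[:space:]]' "$1" || true
}
```

Running `install_pubkey ~/.ssh/id_dsa.pub /tmp/fake-remote/.ssh` twice prints "added" then "exists"; pointing it at a real account's ~/.ssh is equivalent to the copy step of ssh-copy-id once the file has been transferred.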
Category: 2006 quick notes (2006隨手札記)
Posted by aquatower on 痞客邦 (Pixnet)