4. Secure FTPS with ftpd + SSL
First, set up your own CA server.
Next, create your own private key file: # cd /etc/vsftpd/ssl/
(umask 077;openssl genrsa -out vsftpd.key 2048)
umask 077: wrapped in parentheses, the umask applies only to the subshell; without the parentheses it would apply to the whole current shell. With it, the file created here gets no permissions at all for group and other users.
openssl genrsa: the command for generating a private key
-out: the path of the output file
vsftpd.key: the name of the private key; any name works, the .key suffix is just a memory aid
2048: the key length in bits; the default is 512, and the value must be a power of 2 (2^n)
Use the private key to generate a certificate signing request (CSR):
[root@stu2ssl]# openssl req -new -key vsftpd.key -out vsftpd.csr
req: the command for certificate requests and certificate generation
-new: create a new certificate request
-key: the private key file to use
-out: the path of the output certificate request file, ending in .csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:henan
Locality Name (eg, city) [Default City]:zhengzhou
Organization Name (eg, company) [Default Company Ltd]:ftp.magedu.com
Organizational Unit Name (eg, section) []:^C
[root@stu2ssl]# openssl req -new -key vsftpd.key -out vsftpd.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:henan
Locality Name (eg, city) [Default City]:zhengzhou
Organization Name (eg, company) [Default Company Ltd]:magedu
Organizational Unit Name (eg, section) []:tech
Common Name (eg, your name or your server's hostname) []:ftp.magedu.com
Email Address []:caadmin@magedu.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
[root@stu2ssl]# ls
vsftpd.csr vsftpd.key
Have the CA issue the FTP certificate:
openssl ca: the command the CA uses to sign and issue a certificate
-in: the certificate signing request file
-out: the output file for the issued certificate
-days: the validity period of the certificate, here 3656 days
Edit vsftpd's configuration file to enable SSL, i.e. append the following to the end of /etc/vsftpd/vsftpd.conf:
ssl_enable=YES
ssl_tlsv1=YES
ssl_sslv2=YES
ssl_sslv3=YES
allow_anon_ssl=NO
force_local_data_ssl=YES
force_local_logins_ssl=YES
rsa_cert_file=/etc/vsftpd/ssl/vsftpd.crt
rsa_private_key_file=/etc/vsftpd/ssl/vsftpd.key
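As an added check, not part of the original article, the following shell script audits the ssl_* lines of a vsftpd.conf like the one above and writes a hardened copy. The configuration above turns on ssl_sslv2 and ssl_sslv3, which are obsolete protocol versions that a current server should leave disabled, and the script flags exactly that. It assumes only the option names used above; the sample config it writes is constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the original article: audit the ssl_* options of a
# vsftpd.conf and write a hardened copy. Option names are the ones used in the
# article (ssl_enable, ssl_sslv2, ssl_sslv3, force_local_logins_ssl, ...).

# Return 0 if the file given as $1 has option $2 set to YES.
opt_is_yes() {
    grep -qiE "^[[:space:]]*$2[[:space:]]*=[[:space:]]*YES[[:space:]]*$" "$1"
}

# List every weak or missing SSL setting in $1. Exit status 0 = clean, 1 = findings.
check_vsftpd_ssl() {
    bad=0
    # SSLv2 and SSLv3 are obsolete protocol versions; they must not be enabled.
    for key in ssl_sslv2 ssl_sslv3; do
        if opt_is_yes "$1" "$key"; then
            echo "weak: $key=YES"
            bad=1
        fi
    done
    # SSL must be on, and local users must log in and transfer data over it.
    for key in ssl_enable force_local_logins_ssl force_local_data_ssl; do
        if ! opt_is_yes "$1" "$key"; then
            echo "missing: $key=YES"
            bad=1
        fi
    done
    return $bad
}

# Write a hardened copy of $1 to $2: drop the managed ssl lines, then re-add them.
harden_vsftpd_ssl() {
    grep -vE '^[[:space:]]*(ssl_enable|ssl_sslv2|ssl_sslv3|force_local_logins_ssl|force_local_data_ssl)[[:space:]]*=' "$1" > "$2" || :
    printf '%s\n' ssl_enable=YES ssl_sslv2=NO ssl_sslv3=NO \
        force_local_logins_ssl=YES force_local_data_ssl=YES >> "$2"
}

# Constructed sample mirroring the article's config, written to $1 for the demo.
write_sample_conf() {
    printf '%s\n' listen=YES local_enable=YES ssl_enable=YES ssl_tlsv1=YES \
        ssl_sslv2=YES ssl_sslv3=YES allow_anon_ssl=NO force_local_data_ssl=YES \
        force_local_logins_ssl=YES rsa_cert_file=/etc/vsftpd/ssl/vsftpd.crt \
        rsa_private_key_file=/etc/vsftpd/ssl/vsftpd.key > "$1"
}
```

Run check_vsftpd_ssl against the live /etc/vsftpd/vsftpd.conf and review the hardened copy before swapping it in and restarting vsftpd.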
On the client side, test with the FlashF client software.
Summary: FTP transmits everything in plaintext, so a packet capture on the server can recover users' passwords, for example with # tcpdump -i eth0 -XX port 21. That is a serious security risk for the server, which is why building the server on FTPS is well worth the effort. Where the explanation above falls short, please point it out; let's help each other and improve together!