Category: LINUX

2015-09-09 20:38:57

vsftpd with OpenSSL (vsftpd + SSL/TLS)
1.  Approach: create a private CA, have that CA sign a certificate for vsftpd, and finally add the following options to the vsftpd configuration:
ssl_enable=YES #enable SSL
ssl_tlsv1=YES #accept TLSv1
ssl_sslv2=YES #accept SSLv2
ssl_sslv3=YES #accept SSLv3
allow_anon_ssl=NO #do not let anonymous users use SSL
force_local_data_ssl=YES #force local users to use SSL for data transfers
force_local_logins_ssl=YES #force local users to use SSL when logging in
rsa_cert_file=/etc/vsftpd/ssl/vsftpd_cert.pem #RSA certificate file (path is your choice)
rsa_private_key_file=/etc/vsftpd/ssl/vsftpd_key.pem #RSA private key file (path is your choice)
Walkthrough:
2.  OpenSSL CA setup:
[root@www vsftpd]# cd /etc/pki/CA/
[root@www CA]# touch index.txt
[root@www CA]# echo 00 > serial
[root@www CA]# ls
certs  crl  index.txt  newcerts  private  serial
3.  Create the CA private key:
[root@www CA]# (umask 077; openssl genrsa -out private/cakey.pem 1024)
Generating RSA private key, 1024 bit long modulus
.............................++++++
..................++++++
e is 65537 (0x10001)
4.  Generate the self-signed CA certificate:
[root@www CA]# openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 365
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:Henan
Locality Name (eg, city) [Default City]:Nanyang
Organization Name (eg, company) [Default Company Ltd]:Skynet
Organizational Unit Name (eg, section) []:Tech
Common Name (eg, your name or your server's hostname) []:ca.a.com
Email Address []:caadmin@a.com
5.  Create the directory that will hold vsftpd's key and certificate:
[root@www CA]# mkdir /etc/vsftpd/ssl
[root@www CA]# cd /etc/vsftpd/ssl/
6.  Create the vsftpd private key:
[root@www ssl]# (umask 077; openssl genrsa -out ./vsftpd.key 1024)
Generating RSA private key, 1024 bit long modulus
...............................................++++++
.......++++++
e is 65537 (0x10001)
7.  Generate the certificate signing request:
[root@www ssl]# openssl req -new -key vsftpd.key -out vsftpd.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:Henan
Locality Name (eg, city) [Default City]:Nanyang
Organization Name (eg, company) [Default Company Ltd]:Skynet
Organizational Unit Name (eg, section) []:Tech
Common Name (eg, your name or your server's hostname) []:ftp.a.com
Email Address []:ftpadmin@a.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
8.  Because the CA and vsftpd are on the same host, sign the certificate request directly:
[root@www ssl]# openssl ca -in vsftpd.csr -out vsftpd.crt -days 365
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 0 (0x0)
        Validity
            Not Before: Sep  6 15:23:43 2015 GMT
            Not After : Sep  5 15:23:43 2016 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = Henan
            organizationName          = Skynet
            organizationalUnitName    = Tech
            commonName                = ftp.a.com
            emailAddress              = ftpadmin@a.com
        X509v3 extensions:
            X509v3 Basic Constraints: 
                CA:FALSE
            Netscape Comment: 
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier: 
                CA:7B:19:F8:FF:10:55:C0:61:48:06:7C:40:50:F5:6B:D9:1F:97:35
            X509v3 Authority Key Identifier: 
                keyid:76:31:6C:5A:84:10:90:D9:CF:03:9C:BB:37:8A:BB:0E:FF:6E:B1:38
Certificate is to be certified until Sep  5 15:23:43 2016 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
9.  Edit vsftpd.conf and add:
ssl_enable=YES
ssl_tlsv1=YES
ssl_sslv3=YES
allow_anon_ssl=NO
force_local_data_ssl=YES
force_local_logins_ssl=YES
rsa_cert_file=/etc/vsftpd/ssl/vsftpd.crt
rsa_private_key_file=/etc/vsftpd/ssl/vsftpd.key
10.  Restart the service and test:
Anonymous user login (FlashFXP was used for testing):
[screenshot]
Non-anonymous user login:
[screenshot]
The settings above require users to authenticate before they can log in, so next configure FlashFXP:
Click Site --> Site Manager --> New Site (any name) --> enter the relevant details --> under the SSL options tick the SSL authentication item.
[screenshot]
Login succeeds; this is secure FTP transfer based on OpenSSL.
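As an added example (not part of the original post), the following script checks the option block from steps 1 and 9 for the settings that weaken the setup (ssl_sslv2=YES and ssl_sslv3=YES, which accept protocol versions that are long since broken, anonymous SSL allowed, or SSL not enabled or not forced for local users) and writes a hardened copy. It assumes a plain key=value vsftpd.conf; the sample config, the function names and the temporary files are constructed for the example.

```shell
# Added example (not from the post): audit a vsftpd.conf for the weak SSL/TLS
# settings in the step-1 list and write a hardened copy. Assumes key=value lines.

# Value of option $2 in file $1 (empty if unset; the last occurrence wins).
vsftpd_get() {
    awk -F= -v k="$2" '$1 == k { v = $2 } END { print v }' "$1"
}

# Print one line per weak setting found in $1: SSLv2/SSLv3 or anonymous SSL
# enabled, or SSL not enabled/forced for local users.
vsftpd_ssl_audit() {
    for opt in ssl_sslv2 ssl_sslv3 allow_anon_ssl; do
        [ "$(vsftpd_get "$1" "$opt")" = YES ] && echo "weak: $opt=YES"
    done
    for opt in ssl_enable ssl_tlsv1 force_local_data_ssl force_local_logins_ssl; do
        [ "$(vsftpd_get "$1" "$opt")" = YES ] || echo "weak: $opt is not YES"
    done
    return 0
}

# Number of weak settings in $1.
vsftpd_ssl_weak_count() { vsftpd_ssl_audit "$1" | awk 'END { print NR }'; }

# Write a hardened copy of $1 to $2: the options in "want" are forced to the safe
# value (duplicates collapsed, missing ones appended); all other lines pass through.
vsftpd_ssl_harden() {
    awk '
        BEGIN {
            want["ssl_enable"] = "YES"; want["ssl_tlsv1"] = "YES"
            want["ssl_sslv2"] = "NO"; want["ssl_sslv3"] = "NO"; want["allow_anon_ssl"] = "NO"
            want["force_local_data_ssl"] = "YES"; want["force_local_logins_ssl"] = "YES"
        }
        { k = $0; sub(/=.*/, "", k) }
        (k in want) { if (!seen[k]++) print k "=" want[k]; next }
        { print }
        END { for (k in want) if (!seen[k]) print k "=" want[k] }
    ' "$1" > "$2"
}

# Constructed sample written to $1: the step-1 option block exactly as posted.
sample_vsftpd_conf() {
    printf '%s\n' listen=YES ssl_enable=YES ssl_tlsv1=YES ssl_sslv2=YES ssl_sslv3=YES \
        allow_anon_ssl=NO force_local_data_ssl=YES force_local_logins_ssl=YES \
        rsa_cert_file=/etc/vsftpd/ssl/vsftpd.crt rsa_private_key_file=/etc/vsftpd/ssl/vsftpd.key > "$1"
}

# Demo on the constructed sample: two findings before hardening, none after.
conf=$(mktemp); hardened=$(mktemp); sample_vsftpd_conf "$conf"
vsftpd_ssl_audit "$conf"; vsftpd_ssl_harden "$conf" "$hardened"
vsftpd_ssl_weak_count "$hardened"; rm -f "$conf" "$hardened"   # prints 0
```

Run it against the real /etc/vsftpd/vsftpd.conf by passing that path to vsftpd_ssl_audit; diff the hardened copy against the original before installing it.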