标签:配置ftp基于ssl认证
在Redhat5.8_X64bit上配置
一、实验说明
操作系统:Redhat5.8_x64bit
实验平台:VMware Workstation
实验目的:配置ftp基于ssl/tls安全认证
二、实验步骤如下:
1、安装vsftpd
#yum install vsftpd
#rpm -ql vsftpd
#service vsftpd start
#chkconfig vsftpd on
2、配置CA
#cd /etc/pki/CA
#mkdir certs newcerts crl
#touch index.txt
#echo 1 > serial
/**生成私钥**/
[root@localhost CA]# (umask 077;openssl genrsa -out private/cakey.pem 2048;)
Generating RSA private key, 2048 bit long modulus
...............................................+++
...........................................+++
e is 65537 (0x10001)
/*生成自签证书*/
[root@localhost CA]# openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 3650You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter ‘.‘, the field will be left blank.
-----
Country Name (2 letter code) [GB]:CN
State or Province Name (full name) [Berkshire]:Beijing
Locality Name (eg, city) [Newbury]:fengtai
Organization Name (eg, company) [My Company Ltd]:zengxin
Organizational Unit Name (eg, section) :Tech
Common Name (eg, your name or your server‘s hostname) []:ca.zengxin.com
Email Address []:caadmin@zengxin.com
3、生成vsftpd服务的私钥
# mkdir /etc/vsftpd/ssl //创建ssl目录
# cd /etc/vsftpd/ssl/
/*生成vsftpd私钥*/
[root@localhost ssl]# (umask 077;openssl genrsa -out vsftpd.key 2048;)
Generating RSA private key, 2048 bit long modulus
.............................................+++
.........+++
e is 65537 (0x10001)
/*生成证书颁发请求*/
[root@localhost ssl]# openssl req -new -key vsftpd.key -out vsftpd.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter ‘.‘, the field will be left blank.
-----
Country Name (2 letter code) [GB]:CN
State or Province Name (full name) [Berkshire]:Beijing
Locality Name (eg, city) [Newbury]:fengtai
Organization Name (eg, company) [My Company Ltd]:zengxin
Organizational Unit Name (eg, section) :Tech
Common Name (eg, your name or your server‘s hostname) []:ftp.zengxin.com
Email Address []:
Please enter the following ‘extra‘ attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
4、修改openssl.cnf配置文件
# vim /etc/pki/tls/openssl.cnf
修改
dir = ../../CA
为
dir = /etc/pki/CA
5、服务器端签发CA证书
[root@localhost ssl]# openssl ca -in vsftpd.csr -out vsftpd.crt
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 1 (0x1)
Validity
Not Before: Nov 28 08:04:32 2015 GMT
Not After : Nov 27 08:04:32 2016 GMT
Subject:
countryName = CN
stateOrProvinceName = Beijing
organizationName = zengxin
organizationalUnitName = Tech
commonName = ftp.zengxin.com
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
50:C5:C8:45:52:CF:CB:CD:0B:AD:96:4E:1A:93:6D:3C:2D:F9:4A:7E
X509v3 Authority Key Identifier:
keyid:1C:A1:73:10:D1:5D:D2:C5:CE:CB:89:FB:18:2E:C2:BA:93:50:F7:25
Certificate is to be certified until Nov 27 08:04:32 2016 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
[root@localhost ssl]#
6、修改vsftpd.conf配置文件
# vim /etc/vsftpd/vsftpd.conf -->添加如下内容
######ssl or tls#########
ssl_enable=YES
ssl_sslv3=YES
ssl_tlsv1=YES
allow_anon_ssl=NO
force_local_data_ssl=YES
force_local_logins_ssl=YES
rsa_cert_file=/etc/vsftpd/ssl/vsftpd.crt
rsa_private_key_file=/etc/vsftpd/ssl/vsftpd.key
#service vsftpd restart //重启vsftpd服务
7、测试
[root@localhost ~]# ftp 192.168.3.3
Connected to 192.168.3.3.
220 (vsFTPd 2.0.5)
504 Unknown AUTH type.
504 Unknown AUTH type.
KERBEROS_V4 rejected as an authentication type
Name (192.168.3.3:root): ftp //使用匿名用户登录
331 Please specify the password.
Password:
230 Login successful. //登录成功
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
227 Entering Passive Mode (192,168,3,3,33,2)
150 Here comes the directory listing.
drwxr-xr-x 2 0 0 4096 Dec 05 2011 pub
226 Directory send OK.
ftp>
[root@localhost ~]# ftp 192.168.3.3
Connected to 192.168.3.3.
220 (vsFTPd 2.0.5)
504 Unknown AUTH type.
504 Unknown AUTH type.
KERBEROS_V4 rejected as an authentication type
Name (192.168.3.3:root): lisi //使用本地用户登录
530 Non-anonymous sessions must use encryption. //提示非匿名用户需要通过认证登录
Login failed.
ftp>
在客户端使用FlashFXP登录服务器:
本文出自 “小曾” 博客,请务必保留此出处http://zengxin.blog.51cto.com/6098070/1717740
标签:配置ftp基于ssl认证
原文地址:http://zengxin.blog.51cto.com/6098070/1717740