
FTP service study notes: configuring SSL/TLS secure authentication (3)

Posted: 2015-11-28 18:33:02

Tags: configuring FTP with SSL-based authentication

Configured on Redhat5.8_X64bit

I. Lab description

Operating system: Redhat5.8_x64bit

Lab platform: VMware Workstation

Goal: configure vsftpd so that logins are protected by SSL/TLS (explicit FTPS, i.e. AUTH TLS on port 21)

II. Steps

1. Install vsftpd

#yum install vsftpd

#rpm -ql vsftpd

#service vsftpd start   

#chkconfig vsftpd on

2. Set up the CA

#cd /etc/pki/CA

#mkdir certs newcerts crl

#touch index.txt

#echo 1 > serial

(index.txt is the CA's issuance database and serial holds the next serial number; `openssl ca` refuses to run without them. OpenSSL reads serial as hex, so `01` is the conventional starting value, but `1` works too, as the serial number 1 in step 5 shows.)

/* Generate the CA private key; the subshell umask keeps it 0600 */


[root@localhost CA]# (umask 077;openssl genrsa -out private/cakey.pem 2048;)

Generating RSA private key, 2048 bit long modulus

...............................................+++

...........................................+++

e is 65537 (0x10001)

/* Generate the self-signed CA certificate (valid 10 years) */

[root@localhost CA]# openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 3650

You are about to be asked to enter information that will be incorporated

into your certificate request.

What you are about to enter is what is called a Distinguished Name or a DN.

There are quite a few fields but you can leave some blank

For some fields there will be a default value,

If you enter '.', the field will be left blank.

-----

Country Name (2 letter code) [GB]:CN

State or Province Name (full name) [Berkshire]:Beijing

Locality Name (eg, city) [Newbury]:fengtai

Organization Name (eg, company) [My Company Ltd]:zengxin          

Organizational Unit Name (eg, section) :Tech

Common Name (eg, your name or your server's hostname) []:ca.zengxin.com

Email Address []:caadmin@zengxin.com

3. Generate the vsftpd server's private key and certificate request

# mkdir /etc/vsftpd/ssl   //create the ssl directory

# cd /etc/vsftpd/ssl/

/* Generate the vsftpd private key (again with umask 077, so only root can read it) */

[root@localhost ssl]# (umask 077;openssl genrsa -out vsftpd.key 2048;)

Generating RSA private key, 2048 bit long modulus

.............................................+++

.........+++

e is 65537 (0x10001)

/* Generate the certificate signing request (CSR). The Common Name must be the hostname clients will connect to, here ftp.zengxin.com */

[root@localhost ssl]# openssl req -new -key vsftpd.key -out vsftpd.csr

You are about to be asked to enter information that will be incorporated

into your certificate request.

What you are about to enter is what is called a Distinguished Name or a DN.

There are quite a few fields but you can leave some blank

For some fields there will be a default value,

If you enter '.', the field will be left blank.

-----

Country Name (2 letter code) [GB]:CN

State or Province Name (full name) [Berkshire]:Beijing

Locality Name (eg, city) [Newbury]:fengtai

Organization Name (eg, company) [My Company Ltd]:zengxin

Organizational Unit Name (eg, section) :Tech

Common Name (eg, your name or your server's hostname) []:ftp.zengxin.com

Email Address []:


Please enter the following 'extra' attributes

to be sent with your certificate request

A challenge password []:

An optional company name []:

4. Edit openssl.cnf

# vim /etc/pki/tls/openssl.cnf

In the [ CA_default ] section, change

dir  = ../../CA  

to

dir  = /etc/pki/CA

The stock value is relative, so `openssl ca` only finds the CA directory when run from the right working directory; an absolute path makes it work from /etc/vsftpd/ssl in the next step. The same section's `default_days = 365` is why the server certificate issued below is valid for exactly one year, so plan to reissue it (or pass `-days` to `openssl ca`).

5. Sign the server certificate with the CA

[root@localhost ssl]# openssl ca -in vsftpd.csr -out vsftpd.crt 

Using configuration from /etc/pki/tls/openssl.cnf

Check that the request matches the signature

Signature ok

Certificate Details:

        Serial Number: 1 (0x1)

        Validity

            Not Before: Nov 28 08:04:32 2015 GMT

            Not After : Nov 27 08:04:32 2016 GMT

        Subject:

            countryName               = CN

            stateOrProvinceName       = Beijing

            organizationName          = zengxin

            organizationalUnitName    = Tech

            commonName                = ftp.zengxin.com

        X509v3 extensions:

            X509v3 Basic Constraints: 

                CA:FALSE

            Netscape Comment: 

                OpenSSL Generated Certificate

            X509v3 Subject Key Identifier: 

                50:C5:C8:45:52:CF:CB:CD:0B:AD:96:4E:1A:93:6D:3C:2D:F9:4A:7E

            X509v3 Authority Key Identifier: 

                keyid:1C:A1:73:10:D1:5D:D2:C5:CE:CB:89:FB:18:2E:C2:BA:93:50:F7:25


Certificate is to be certified until Nov 27 08:04:32 2016 GMT (365 days)

Sign the certificate? [y/n]:y



1 out of 1 certificate requests certified, commit? [y/n]y

Write out database with 1 new entries

Data Base Updated

[root@localhost ssl]# 
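Steps 2 to 5 above are interactive and edit the system-wide openssl.cnf. The script below is an added example, not code from the original post: it performs the same CA setup, key generation, CSR and `openssl ca` signing non-interactively in a throwaway directory with its own minimal config, adds a subjectAltName for ftp.zengxin.com (modern clients ignore the CN), and then checks the result with `openssl verify` including hostname matching. The hostnames and DN values are the ones used on the page; the directory layout and section names in the config are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original post): non-interactive version of the
# CA and server-certificate steps, in a temp dir with a private openssl.cnf,
# so /etc/pki/CA and /etc/pki/tls/openssl.cnf are never touched.
set -eu

CA_CN="ca.zengxin.com"        # CA name from the post
SERVER_CN="ftp.zengxin.com"   # vsftpd hostname from the post

# Minimal config serving both "openssl req" and "openssl ca".
# Unlike the stock RHEL config, dir is absolute, so it works from any cwd.
write_openssl_cnf() {
    cat > "$1/openssl.cnf" <<EOF
[ ca ]
default_ca = CA_default

[ CA_default ]
dir             = $1
new_certs_dir   = \$dir/newcerts
database        = \$dir/index.txt
serial          = \$dir/serial
private_key     = \$dir/private/cakey.pem
certificate     = \$dir/cacert.pem
default_days    = 365
default_md      = sha256
policy          = policy_anything
copy_extensions = copy
x509_extensions = server_cert

[ policy_anything ]
countryName            = optional
stateOrProvinceName    = optional
localityName           = optional
organizationName       = optional
organizationalUnitName = optional
commonName             = supplied
emailAddress           = optional

[ req ]
distinguished_name = req_dn
[ req_dn ]

[ ca_ext ]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash

[ req_ext ]
subjectAltName = DNS:$SERVER_CN

[ server_cert ]
basicConstraints       = CA:FALSE
keyUsage               = critical, digitalSignature, keyEncipherment
extendedKeyUsage       = serverAuth
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid, issuer
EOF
}

# build_ca DIR: the equivalent of step 2 (database, serial, key, self-signed cert)
build_ca() {
    mkdir -p "$1/private" "$1/newcerts"
    : > "$1/index.txt"
    echo 01 > "$1/serial"
    write_openssl_cnf "$1"
    (umask 077; openssl genrsa -out "$1/private/cakey.pem" 2048 2>/dev/null)
    openssl req -new -x509 -config "$1/openssl.cnf" -extensions ca_ext \
        -key "$1/private/cakey.pem" -days 3650 \
        -subj "/C=CN/ST=Beijing/L=fengtai/O=zengxin/OU=Tech/CN=$CA_CN" \
        -out "$1/cacert.pem"
}

# issue_server_cert CADIR OUTDIR: steps 3 and 5 (key, CSR with SAN, CA signing)
issue_server_cert() {
    mkdir -p "$2"
    (umask 077; openssl genrsa -out "$2/vsftpd.key" 2048 2>/dev/null)
    openssl req -new -config "$1/openssl.cnf" -reqexts req_ext \
        -key "$2/vsftpd.key" \
        -subj "/C=CN/ST=Beijing/L=fengtai/O=zengxin/OU=Tech/CN=$SERVER_CN" \
        -out "$2/vsftpd.csr"
    # -batch answers the two y/n prompts; -notext keeps the file pure PEM
    openssl ca -config "$1/openssl.cnf" -batch -notext \
        -in "$2/vsftpd.csr" -out "$2/vsftpd.crt"
}

# verify_server_cert CADIR OUTDIR HOSTNAME: 0 only if the certificate chains to
# the CA and is valid for HOSTNAME (what a client would check)
verify_server_cert() {
    openssl verify -CAfile "$1/cacert.pem" -verify_hostname "$3" "$2/vsftpd.crt"
}

WORK="$(mktemp -d)"
build_ca "$WORK/CA"
issue_server_cert "$WORK/CA" "$WORK/ssl"
verify_server_cert "$WORK/CA" "$WORK/ssl" "$SERVER_CN"
openssl x509 -in "$WORK/ssl/vsftpd.crt" -noout -subject -issuer -enddate
```

To use the result with vsftpd, copy vsftpd.key and vsftpd.crt to /etc/vsftpd/ssl/ as in step 6, and distribute cacert.pem to the clients that should trust the server; a client that does not have the CA certificate will (correctly) warn about an unknown issuer, as FlashFXP does below.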

6. Edit vsftpd.conf

# vim /etc/vsftpd/vsftpd.conf   -->append the following

######ssl or tls#########

ssl_enable=YES

ssl_sslv3=YES

ssl_tlsv1=YES

allow_anon_ssl=NO

force_local_data_ssl=YES

force_local_logins_ssl=YES

rsa_cert_file=/etc/vsftpd/ssl/vsftpd.crt

rsa_private_key_file=/etc/vsftpd/ssl/vsftpd.key


#service vsftpd restart   //重启vsftpd服务

7. Test

[root@localhost ~]# ftp 192.168.3.3

Connected to 192.168.3.3.

220 (vsFTPd 2.0.5)

504 Unknown AUTH type.

504 Unknown AUTH type.

KERBEROS_V4 rejected as an authentication type

Name (192.168.3.3:root): ftp    //log in as the anonymous user

331 Please specify the password.

Password:

230 Login successful.    //login succeeds

Remote system type is UNIX.

Using binary mode to transfer files.

ftp> ls

227 Entering Passive Mode (192,168,3,3,33,2)

150 Here comes the directory listing.

drwxr-xr-x    2 0        0            4096 Dec 05  2011 pub

226 Directory send OK.

ftp> 


[root@localhost ~]# ftp 192.168.3.3

Connected to 192.168.3.3.

220 (vsFTPd 2.0.5)

504 Unknown AUTH type.

504 Unknown AUTH type.

KERBEROS_V4 rejected as an authentication type

Name (192.168.3.3:root): lisi   //log in as a local user

530 Non-anonymous sessions must use encryption.  //non-anonymous users must use an encrypted session

Login failed.  

ftp> 

What the two transcripts show: the stock command-line `ftp` client cannot do TLS at all. The `504 Unknown AUTH type` lines are vsftpd rejecting the AUTH mechanisms the client offers (KERBEROS_V4 among them), after which the client simply continues in cleartext. The anonymous login and its directory listing therefore went over the wire unencrypted, which is permitted because nothing forces anonymous sessions onto TLS. The local user lisi is refused with 530 before a password is ever sent, because `force_local_logins_ssl=YES` requires AUTH TLS first; that is the protection this setup buys. To confirm the server really offers TLS and to inspect the certificate it presents, use `openssl s_client -connect 192.168.3.3:21 -starttls ftp`; for actual transfers use a TLS-capable client such as FlashFXP in explicit TLS mode, as shown next.
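Steps 6 and 7 come down to a handful of vsftpd.conf directives, and the test transcript shows what happens when one of them is left loose. The script below is an added example, not code from the original post: it audits the TLS-relevant directives of a vsftpd.conf and runs that audit over two constructed files, the configuration the post builds (on top of RHEL's stock `anonymous_enable=YES`) and a hardened variant. Directive names and their defaults are vsftpd's own; the temp paths, key files and sample values are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the original post): audit the TLS-related settings
# in a vsftpd.conf. The two configs below are constructed for this example.
set -eu

# conf_get FILE KEY: last value assigned to KEY in FILE, empty if unset
conf_get() {
    sed -n "s/^[[:space:]]*$2=\(.*\)/\1/p" "$1" | tail -n 1
}

# audit_vsftpd_ssl FILE: print one finding per line; exit status = finding count
audit_vsftpd_ssl() {
    f="$1"; n=0
    if [ "$(conf_get "$f" ssl_enable)" != "YES" ]; then
        echo "ssl_enable is not YES: the server never offers AUTH TLS"; n=$((n + 1))
    fi
    # Both default to NO in vsftpd; the post switches SSLv3 on, which only
    # gives an attacker a downgrade target and helps no maintained client.
    for p in ssl_sslv2 ssl_sslv3; do
        if [ "$(conf_get "$f" "$p")" = "YES" ]; then
            echo "$p=YES: obsolete protocol enabled"; n=$((n + 1))
        fi
    done
    # Both default to YES; an explicit NO lets local passwords or data go in clear.
    for p in force_local_logins_ssl force_local_data_ssl; do
        if [ "$(conf_get "$f" "$p")" = "NO" ]; then
            echo "$p=NO: local credentials or file data may travel in cleartext"; n=$((n + 1))
        fi
    done
    # anonymous_enable defaults to YES; with allow_anon_ssl left at NO those
    # sessions are plaintext only, which is what the ftp test above showed.
    anon="$(conf_get "$f" anonymous_enable)"; [ -n "$anon" ] || anon=YES
    if [ "$anon" = "YES" ] && [ "$(conf_get "$f" allow_anon_ssl)" != "YES" ]; then
        echo "anonymous_enable=YES without allow_anon_ssl: anonymous sessions are cleartext"; n=$((n + 1))
    fi
    # The private key must be readable only by its owner (the post's umask 077 does this).
    key="$(conf_get "$f" rsa_private_key_file)"
    if [ -n "$key" ] && [ -f "$key" ]; then
        mode="$(stat -c %a "$key" 2>/dev/null || stat -f %Lp "$key")"
        case "$mode" in
            *00) ;;
            *) echo "$key has mode $mode: private key readable by group/other"; n=$((n + 1)) ;;
        esac
    fi
    return "$n"
}

WORK="$(mktemp -d)"
touch "$WORK/weak.key" "$WORK/good.key"
chmod 644 "$WORK/weak.key"
chmod 600 "$WORK/good.key"

# Constructed: the post's additions on top of RHEL's stock anonymous_enable=YES,
# with the key deliberately left world-readable.
cat > "$WORK/weak.conf" <<EOF
anonymous_enable=YES
local_enable=YES
ssl_enable=YES
ssl_sslv3=YES
ssl_tlsv1=YES
allow_anon_ssl=NO
force_local_data_ssl=YES
force_local_logins_ssl=YES
rsa_cert_file=$WORK/vsftpd.crt
rsa_private_key_file=$WORK/weak.key
EOF

# Constructed: the same server with the weak spots removed.
cat > "$WORK/hardened.conf" <<EOF
anonymous_enable=NO
local_enable=YES
ssl_enable=YES
ssl_sslv2=NO
ssl_sslv3=NO
ssl_tlsv1=YES
force_local_data_ssl=YES
force_local_logins_ssl=YES
ssl_ciphers=HIGH
rsa_cert_file=$WORK/vsftpd.crt
rsa_private_key_file=$WORK/good.key
EOF

for c in weak hardened; do
    echo "== $c.conf"
    audit_vsftpd_ssl "$WORK/$c.conf" && echo "-> clean" || echo "-> $? finding(s)"
done
```

Run against the post's configuration the audit reports three findings (SSLv3 enabled, anonymous sessions in cleartext, key permissions) and none against the hardened file. Point it at the real /etc/vsftpd/vsftpd.conf after step 6; the key-permission check needs read access to that file's directory, so run it as root.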

Logging in to the server from FlashFXP on the client:

[Screenshots not preserved: FlashFXP connecting to the server over explicit TLS.]


This article is from the "小曾" blog; please keep this attribution: http://zengxin.blog.51cto.com/6098070/1717740
