
vsftpd with SSL/TLS-encrypted transport

Posted: 2016-08-02 23:58:03      Views: 473      Comments: 0


 

Mainly intended for production FTP servers that are exposed to the public Internet.

 

1. FTP has two secure transport options:

ftps = FTP + SSL/TLS: the FTP protocol itself, with the control connection and the data connections wrapped in TLS. This is what vsftpd provides and what this post sets up.

sftp = the sftp subsystem of OpenSSH: a separate file-transfer protocol that runs over SSH and shares nothing with FTP on the wire, despite the name.

 

2. Basic FTPS workflow:

Create a private CA, have that CA issue a certificate for vsftpd, then edit the vsftpd configuration file. Note that openssl ca, used below, also expects an empty index.txt file next to serial in the CA directory; the transcript shows only serial being created.

 

3. Steps:

[root@1ftp2dns3ntp vsftpd]# cd /etc/pki/CA/

[root@1ftp2dns3ntp CA]# ls

certs  crl  newcerts  private

[root@1ftp2dns3ntp CA]# echo 01 > serial

[root@1ftp2dns3ntp CA]# (umask 077;openssl genrsa -out private/cakey.pem 2048)

[root@1ftp2dns3ntp CA]# openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 3650

You are about to be asked to enter information that will be incorporated

into your certificate request.

What you are about to enter is what is called a Distinguished Name or a DN.

There are quite a few fields but you can leave some blank

For some fields there will be a default value,

If you enter '.', the field will be left blank.

-----

Country Name (2 letter code) [XX]:CN

State or Province Name (full name) []:JS

Locality Name (eg, city) [Default City]:YC

Organization Name (eg, company) [Default Company Ltd]:Luckyfairy        

Organizational Unit Name (eg, section) []:Tech

Common Name (eg, your name or your server's hostname) []:ca.luckyfairy.com

Email Address []:

[root@1ftp2dns3ntp CA]# mkdir /etc/vsftpd/ssl

[root@1ftp2dns3ntp CA]# cd /etc/vsftpd/ssl

[root@1ftp2dns3ntp ssl]# (umask 077;openssl genrsa -out vsftpd.key 2048; )

Generating RSA private key, 2048 bit long modulus

...+++

...................................................+++

e is 65537 (0x10001)

[root@1ftp2dns3ntp ssl]# openssl req -new -key vsftpd.key -out vsftpd.csr

You are about to be asked to enter information that will be incorporated

into your certificate request.

What you are about to enter is what is called a Distinguished Name or a DN.

There are quite a few fields but you can leave some blank

For some fields there will be a default value,

If you enter '.', the field will be left blank.

-----

Country Name (2 letter code) [XX]:CN

State or Province Name (full name) []:JS

Locality Name (eg, city) [Default City]:YC

Organization Name (eg, company) [Default Company Ltd]:Luckyfairy

Organizational Unit Name (eg, section) []:Tech

Common Name (eg, your name or your server's hostname) []:ftp.lucjyfairy.com

Email Address []:^C

[root@1ftp2dns3ntp ssl]# openssl req -new -key vsftpd.key -out vsftpd.csr

You are about to be asked to enter information that will be incorporated

into your certificate request.

What you are about to enter is what is called a Distinguished Name or a DN.

There are quite a few fields but you can leave some blank

For some fields there will be a default value,

If you enter '.', the field will be left blank.

-----

Country Name (2 letter code) [XX]:CN

State or Province Name (full name) []:JS

Locality Name (eg, city) [Default City]:YC

Organization Name (eg, company) [Default Company Ltd]:Luckyfairy

Organizational Unit Name (eg, section) []:Tech

Common Name (eg, your name or your server's hostname) []:ftp.luckyfairy.com

Email Address []:

 

Please enter the following 'extra' attributes

to be sent with your certificate request

A challenge password []:

An optional company name []:

[root@1ftp2dns3ntp ssl]# openssl ca -in vsftpd.csr -out vsftpd.crt

Using configuration from /etc/pki/tls/openssl.cnf

Check that the request matches the signature

Signature ok

Certificate Details:

        Serial Number: 1 (0x1)

        Validity

            Not Before: Aug  2 07:56:14 2016 GMT

            Not After : Aug  2 07:56:14 2017 GMT

        Subject:

            countryName               = CN

            stateOrProvinceName       = JS

            organizationName          = Luckyfairy

            organizationalUnitName    = Tech

            commonName                = ftp.luckyfairy.com

        X509v3 extensions:

            X509v3 Basic Constraints:

                CA:FALSE

            Netscape Comment:

                OpenSSL Generated Certificate

            X509v3 Subject Key Identifier:

                7E:BE:2E:D8:42:E5:60:2B:E6:06:4B:81:F9:E6:DC:33:32:B7:4B:3C

            X509v3 Authority Key Identifier:

                keyid:98:4E:5D:94:EC:13:55:C7:AA:39:FA:47:9A:8F:5C:02:85:D0:EB:99

 

Certificate is to be certified until Aug  2 07:56:14 2017 GMT (365 days)

Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y

Write out database with 1 new entries

Data Base Updated

Add the following to the vsftpd configuration file (/etc/vsftpd/vsftpd.conf on the system shown):

 

ssl_enable=YES
ssl_tlsv1=YES
# SSLv3 is broken (POODLE) and must stay disabled on an Internet-facing server
ssl_sslv3=NO
allow_anon_ssl=NO
force_local_data_ssl=YES
force_local_logins_ssl=YES
rsa_cert_file=/etc/vsftpd/ssl/vsftpd.crt
rsa_private_key_file=/etc/vsftpd/ssl/vsftpd.key

 

Restart the vsftpd service.
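The whole procedure above (private CA, server key and CSR, signing, vsftpd TLS settings) as one non-interactive script. This is an added example for this edit, not the original author's commands: it keeps its own openssl ca database under the directory given as argument 1 instead of /etc/pki/CA, creates the index.txt file the transcript leaves out, adds a subjectAltName for the FTP host, and writes a config fragment with SSLv2/SSLv3 off, a stronger cipher list and pinned passive ports. The organisation fields, ca.luckyfairy.com and ftp.luckyfairy.com (override with FTP_HOST) are hypothetical values copied from the transcript; the 40000-40100 passive range is an arbitrary choice.

```shell
#!/bin/sh
# Added example, not from the original post: private CA + FTPS server cert
# + vsftpd TLS settings, non-interactively. Hypothetical names/values:
# ca.luckyfairy.com, ftp.luckyfairy.com (FTP_HOST), org fields, work dir $1.
set -eu

FTP_HOST="${FTP_HOST:-ftp.luckyfairy.com}"
SUBJ_BASE="/C=CN/ST=JS/L=YC/O=Luckyfairy/OU=Tech"

# make_ftps_pki DIR: builds DIR/ca (private CA) and DIR/ssl (server key+cert)
# using a self-contained openssl ca database rather than /etc/pki/CA.
make_ftps_pki() {
    ca="$1/ca"; ssl="$1/ssl"
    mkdir -p "$ca/newcerts" "$ca/private" "$ssl"
    chmod 700 "$ca/private" "$ssl"
    : > "$ca/index.txt"   # openssl ca needs this as well as 'serial'
    echo 01 > "$ca/serial"
    cat > "$ca/ca.cnf" <<EOF
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = $ca
database = \$dir/index.txt
new_certs_dir = \$dir/newcerts
serial = \$dir/serial
certificate = \$dir/cacert.pem
private_key = \$dir/private/cakey.pem
default_md = sha256
default_days = 365
policy = policy_any
x509_extensions = server_ext
[ policy_any ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ server_ext ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
subjectAltName = DNS:$FTP_HOST
[ req ]
distinguished_name = req_dn
[ req_dn ]
EOF
    # 1. CA key (mode 600 via umask) and a 10-year self-signed CA certificate
    (umask 077; openssl genrsa -out "$ca/private/cakey.pem" 2048 2>/dev/null)
    openssl req -new -x509 -sha256 -days 3650 -config "$ca/ca.cnf" -extensions v3_ca \
        -key "$ca/private/cakey.pem" -subj "$SUBJ_BASE/CN=ca.luckyfairy.com" -out "$ca/cacert.pem"
    # 2. Server key and CSR; CN and SAN carry the name clients will connect to
    (umask 077; openssl genrsa -out "$ssl/vsftpd.key" 2048 2>/dev/null)
    openssl req -new -sha256 -config "$ca/ca.cnf" -key "$ssl/vsftpd.key" \
        -subj "$SUBJ_BASE/CN=$FTP_HOST" -out "$ssl/vsftpd.csr"
    # 3. Sign with the CA; -batch answers the two y/n prompts seen in the transcript
    openssl ca -batch -config "$ca/ca.cnf" -in "$ssl/vsftpd.csr" -out "$ssl/vsftpd.crt"
}

# verify_pki DIR: the server cert must chain to the CA and name the FTP host
verify_pki() {
    openssl verify -CAfile "$1/ca/cacert.pem" "$1/ssl/vsftpd.crt" >/dev/null &&
    openssl x509 -in "$1/ssl/vsftpd.crt" -noout -text | grep -q "DNS:$FTP_HOST"
}

# write_vsftpd_tls_conf SSLDIR OUT: TLS fragment for vsftpd.conf with SSLv2/3
# off and the cipher list raised from vsftpd's old DES-CBC3-SHA default.
write_vsftpd_tls_conf() {
    cat > "$2" <<EOF
ssl_enable=YES
ssl_sslv2=NO
ssl_sslv3=NO
ssl_tlsv1=YES
ssl_ciphers=HIGH
allow_anon_ssl=NO
force_local_data_ssl=YES
force_local_logins_ssl=YES
rsa_cert_file=$1/vsftpd.crt
rsa_private_key_file=$1/vsftpd.key
# A firewall cannot read the encrypted PASV reply, so pin the data ports
# and open them (here 40000-40100/tcp) together with 21/tcp.
pasv_min_port=40000
pasv_max_port=40100
EOF
}

if [ -n "${1:-}" ]; then
    make_ftps_pki "$1" && verify_pki "$1" &&
    write_vsftpd_tls_conf "$1/ssl" "$1/vsftpd-tls.conf" && echo "OK: $1"
fi
```

Run it as `sh make-ftps-pki.sh /etc/vsftpd/ftps`, append the generated vsftpd-tls.conf to /etc/vsftpd/vsftpd.conf and restart vsftpd. The CA private key in ca/private is only needed to issue further certificates and should not stay on the FTP server; cacert.pem is what gets distributed to clients.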

 

4. Connecting to the FTP server

You need an FTP client that supports explicit FTPS (AUTH TLS on port 21, which is what this configuration enables), for example FileZilla, lftp or curl. Connect using the hostname that was put into the certificate's Common Name (ftp.luckyfairy.com), not the server's IP address, and install the CA's cacert.pem in the client as a trusted certificate. Because the CA is private, a client that has not been given cacert.pem cannot verify the server and would have to accept the certificate blindly, which is exactly the situation a man-in-the-middle relies on.
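A client-side check for the setup described above, added here as an example and not part of the original post. It assumes the hypothetical hostname ftp.luckyfairy.com, that the server's cacert.pem has been copied to the client's working directory, and a user:password pair passed as the second argument; check_handshake_output works on the text that openssl s_client prints, so it can also be run against a saved handshake log.

```shell
#!/bin/sh
# Added example, not from the original post: verify an FTPS server from a client.
# Assumes cacert.pem (the private CA cert from the server) in the current
# directory and the hypothetical host ftp.luckyfairy.com.
set -eu

# check_handshake_output: reads 'openssl s_client' output on stdin and fails
# unless the server certificate verified against our CA and the negotiated
# protocol is TLS 1.2 or newer (an SSLv3/TLSv1 line means the server still
# offers protocols that should be switched off).
check_handshake_output() {
    out=$(cat)
    printf '%s\n' "$out" | grep -q '^Verify return code: 0 (ok)' || {
        echo "certificate did not verify against cacert.pem" >&2; return 1; }
    proto=$(printf '%s\n' "$out" | sed -n 's/^ *Protocol *: *//p' | head -n1)
    case "$proto" in
        TLSv1.2|TLSv1.3) return 0 ;;
        *) echo "weak or unknown protocol negotiated: '$proto'" >&2; return 1 ;;
    esac
}

# ftps_check HOST USER:PASS: explicit FTPS handshake on port 21 with CA and
# hostname verification, then a real login and listing through curl.
ftps_check() {
    host="$1"; creds="$2"
    openssl s_client -starttls ftp -connect "$host:21" -servername "$host" \
        -CAfile cacert.pem </dev/null 2>/dev/null | check_handshake_output
    # --ssl-reqd refuses to fall back to plaintext if AUTH TLS is rejected
    curl --silent --show-error --ssl-reqd --cacert cacert.pem \
        --user "$creds" "ftp://$host/" >/dev/null
}

if [ -n "${2:-}" ]; then ftps_check "$1" "$2" && echo "FTPS OK: $1"; fi
```

Usage: `sh ftps-check.sh ftp.luckyfairy.com 'user:password'`. If the handshake check fails with a verify error, the client does not trust cacert.pem or the hostname does not match the certificate; if it fails on the protocol line, revisit the ssl_sslv3/ssl_tlsv1 settings on the server.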


Original: http://www.cnblogs.com/chauncy-y/p/5730945.html
