标签:
基于ssl加密传输的vsftpd
主要适用于生产线上公网对外服务的ftp服务器
1.ftp有两种安全传输方式:
ftps=ftp+ssl/tls
Sftp=openssh,subsystem,sftp 基于ssh
2.基本ftps流程:
创建一个私有CA,由CA创建证书给vsftpd,再修改vsftpd配置文件。
3.相关操作流程:
[root@1ftp2dns3ntp vsftpd]# cd /etc/pki/CA/
[root@1ftp2dns3ntp CA]# ls
certs crl newcerts private
[root@1ftp2dns3ntp CA]# echo 01 > serial
[root@1ftp2dns3ntp CA]# (umask 077;openssl genrsa -out private/cakey.pem 2048)
[root@1ftp2dns3ntp CA]# openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 3650
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter ‘.‘, the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:JS
Locality Name (eg, city) [Default City]:YC
Organization Name (eg, company) [Default Company Ltd]:Luckyfairy
Organizational Unit Name (eg, section) []:Tech
Common Name (eg, your name or your server‘s hostname) []:ca.luckyfairy.com
Email Address []:
[root@1ftp2dns3ntp CA]# mkdir /etc/vsftpd/ssl
[root@1ftp2dns3ntp CA]# cd /etc/vsftpd/ssl
[root@1ftp2dns3ntp ssl]# (umask 077;openssl genrsa -out vsftpd.key 2048; )
Generating RSA private key, 2048 bit long modulus
...+++
...................................................+++
e is 65537 (0x10001)
[root@1ftp2dns3ntp ssl]# openssl req -new -key vsftpd.key -out vsftpd.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter ‘.‘, the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:JS
Locality Name (eg, city) [Default City]:YC
Organization Name (eg, company) [Default Company Ltd]:Luckyfairy
Organizational Unit Name (eg, section) []:Tech
Common Name (eg, your name or your server‘s hostname) []:ftp.lucjyfairy.com
Email Address []:^C
[root@1ftp2dns3ntp ssl]# openssl req -new -key vsftpd.key -out vsftpd.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter ‘.‘, the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:JS
Locality Name (eg, city) [Default City]:YC
Organization Name (eg, company) [Default Company Ltd]:Luckyfairy
Organizational Unit Name (eg, section) []:Tech
Common Name (eg, your name or your server‘s hostname) []:ftp.luckyfairy.com
Email Address []:
Please enter the following ‘extra‘ attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
[root@1ftp2dns3ntp ssl]# openssl ca -in vsftpd.csr -out vsftpd.crt
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 1 (0x1)
Validity
Not Before: Aug 2 07:56:14 2016 GMT
Not After : Aug 2 07:56:14 2017 GMT
Subject:
countryName = CN
stateOrProvinceName = JS
organizationName = Luckyfairy
organizationalUnitName = Tech
commonName = ftp.luckyfairy.com
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
7E:BE:2E:D8:42:E5:60:2B:E6:06:4B:81:F9:E6:DC:33:32:B7:4B:3C
X509v3 Authority Key Identifier:
keyid:98:4E:5D:94:EC:13:55:C7:AA:39:FA:47:9A:8F:5C:02:85:D0:EB:99
Certificate is to be certified until Aug 2 07:56:14 2017 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
在配置文件中添加以下内容
ssl_enable=YES
ssl_tlsv1=YES
ssl_sslv3=YES
allow_anon_ssl=NO
force_local_data_ssl=YES
force_local_logins_ssl=YES
rsa_cert_file=/etc/vsftpd/ssl/vsftpd.crt
rsa_private_key_file=/etc/vsftpd/ssl/vsftpd.key
重启vsftpd进程
4.连接ftp服务器时
需要有能支持加密的ftp客户端,在连接时必须使用设置秘钥时的ftp域名
标签:
原文地址:http://www.cnblogs.com/chauncy-y/p/5730945.html