第八周作业

1 对称加密过程由哪三部分组成

由明文、密钥和加密算法组成

2 使用openssl 中的aes对称加密算法对文件file.txt进行加密,然后解密

 echo 'test测试' > test.txt

[vagrant@localhost tmp]$ ls

systemd-private-4e3b169927094230ab8aa988ed6da655-chronyd.service-FnDdQ5

test.txt

[vagrant@localhost tmp]$ openssl enc -e -aes256 -a -salt -in ./test.txt -out test.enc

enter aes-256-cbc encryption password:

Verifying - enter aes-256-cbc encryption password:

*** WARNING : deprecated key derivation used.

Using -iter or -pbkdf2 would be better.

[vagrant@localhost tmp]$ openssl enc -d -aes256 -a -salt -in ./test.enc -out line.txt

enter aes-256-cbc decryption password:

*** WARNING : deprecated key derivation used.

Using -iter or -pbkdf2 would be better.

[vagrant@localhost tmp]$ ls

line.txt

systemd-private-4e3b169927094230ab8aa988ed6da655-chronyd.service-FnDdQ5

test.enc

test.txt

[vagrant@localhost tmp]$ cat line.txt 

test测试

3 搭建CA和申请证书

[root@localhost tmp]# mkdir -pv /etc/pki/CA/{certs,crl,newcerts,private}

mkdir: created directory '/etc/pki/CA'

mkdir: created directory '/etc/pki/CA/certs'

mkdir: created directory '/etc/pki/CA/crl'

mkdir: created directory '/etc/pki/CA/newcerts'

mkdir: created directory '/etc/pki/CA/private'

[root@localhost tmp]# tree /etc/pki/CA/

/etc/pki/CA/

|-- certs

|-- crl

|-- newcerts

`-- private

 

4 directories, 0 files

[root@localhost tmp]# touch /etc/pki/CA/index.txt

[root@localhost tmp]# echo 0F > /etc/pki/CA/serial

[root@localhost tmp]# cd /etc/pki/CA/

[root@localhost CA]# (umask 066; openssl genrsa -out private/cakey.pem 2048)

Generating RSA private key, 2048 bit long modulus (2 primes)

........................................+++++

.............................+++++

e is 65537 (0x010001)

[root@localhost CA]# tree

.

|-- certs

|-- crl

|-- index.txt

|-- newcerts

|-- private

|   `-- cakey.pem

`-- serial

 

4 directories, 3 files

[root@localhost CA]# ll private/

total 4

-rw-------. 1 root root 1679 Aug  3 14:49 cakey.pem

[root@localhost CA]# cat private/cakey.pem

-----BEGIN RSA PRIVATE KEY-----

MIIEpAIBAAKCAQEAyOokroS1FGEVllCc+blA9V/RYDT3LFRH2whQtlMm7aeiNM/N

S8ZbBjcuAR4a+b2w4Y2mY7LNXKytyxoIp+fKHhNaIgLFZegb5qr8YDJT5q9GEnp0

b6F91kw5smLGygtZ/8XhVqef7GPSKczHKqfa3vRaySEZxX1s2+ypGJKNVAZFuRAK

vfF+JkjDqLyB0V0CIpaDZvpC5sAO86f1W/lBhHPF46E6D1V6zWJ6x4jOq6HrHGvt

CY867XBI7Ai1Dzm15wXKNs0VsVmwTbSNBKgcq6R/g2n82hnhd792rT8ELq6HSQpW

TumetKKH2Opoh5FKecfR1a2dGUNF2m9xKTKAWwIDAQABAoIBACuXOWwv2MXaJn/d

b6Fywxg5uMih1Trl8k0gabqVIe4QH85Lg6Q8HgWkNTQC3yFuOZFGVWJuKcZApNhb

BqO/U4fg9P5KEaABkwQh9u28HZ4ASzi5HsgVhqLXGPGOIsk1W0p2GWTeq4DzS2bM

Si4ECyWyaHwY1WmWw+aXWzy8lzMyYsbnDCc+p5zR2XYLnRuBrKvR5OSJ3tcsMht1

m75XfMTfB6xm5AGmSDI/VdrmajfIqxGNPCtQEQwefydHT3xmS5FUE0WO0T1oaOLr

ftFNSIUUezzjL/Ei9EirBZYQkQhRE1I+BEjDb4/9YhWK2YTTq+y4neai3LX9X95f

KRC/REkCgYEA4zOYRvS4M66XrCJQuYWAScEQeqJXnSEtCJ4Ti/cRWtkB0XGIRrGp

CQS3D5RqFNlgBn0QEWVx3gY905XJESkBrZccsqcKuYKbknifppK/Ee15SGvBO00U

r06oSjGS0ttRRSEzHIsKmpEgiJps7M1xoYbRAYPwtTmVMcbCj3QXezUCgYEA4mGS

I8dNAgdR6tKmIYEfRzLK9YOSpzF9eASsrXNSrmaHdb5DN4UGfFMhIKiXfr8RLTqe

2y5dIHpjfx3+2QjYO70TX3DBLOr2rhfVef32VQoFHOPMv9EPQK24mAB8aHlnq9oT

NKyGYE/aUt/YCu/z0xJRReY9ZQXUP+dCPFLZ708CgYAwJJus1Wg+000iVXcjiK1h

c36JbeMA0anYPJ7JtsW/qWIgPl1xFW5LEeu0am98EX+ugEuqVAOn10y8i+26LCVF

4lJbbNfx7UIH7HVv94JzSw27EdI1PaUXbKRubEi/U2fKLTnGX5QUopHxQD+6geIF

JysclheoXxZFIOfTO/dJzQKBgQDKVSi337bdXEuEFPg1M+IP0b8DBrD5zEr3DT6E

3HEGvU7PFtme8r9kOSx/sw+MUht5EE7RWbQUhi8Ne3K+6p/RbOG2yOFvUyZdXaII

ocscIJOHSbdDrgfy6BH3kV+gRPo65/OIfbawuE5LChRfWi3T9ig70FgJRdd5silK

H0b4EwKBgQCEcddqAYvJC72bUwLJkodQ+WxOrX3m1gLdyyjRVBRT4/Wui9ls2Afw

0DsjZr0EOq6+Dq+pTtQZsErI/btMRt5oOufgwk2EElexMwCgZjgunzgQ0rMTmIsD

UilZN75Va1vTNFRAIqyxzHImwl88Y6i4wrIyD++ykbydQDXReAwsuQ==

-----END RSA PRIVATE KEY-----

[root@localhost CA]# openssl req -new -x509 -key /etc/p

pam.d/          pki/            prelink.conf.d/ protocols

passwd          pm/             printcap        

passwd-         polkit-1/       profile         

pkcs11/         popt.d/         profile.d/      

[root@localhost CA]# openssl req -new -x509 -key /etc/p

pam.d/          pki/            prelink.conf.d/ protocols

passwd          pm/             printcap        

passwd-         polkit-1/       profile         

pkcs11/         popt.d/         profile.d/      

[root@localhost CA]# openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -days 3650 -out    /etc/pki/CA/cacert.pem

You are about to be asked to enter information that will be incorporated

into your certificate request.

What you are about to enter is what is called a Distinguished Name or a DN.

There are quite a few fields but you can leave some blank

For some fields there will be a default value,

If you enter '.', the field will be left blank.

-----

Country Name (2 letter code) [XX]:CN

State or Province Name (full name) []:beijing

Locality Name (eg, city) [Default City]:biejing

Organization Name (eg, company) [Default Company Ltd]:magedu111

Organizational Unit Name (eg, section) []:devops

Common Name (eg, your name or your server's hostname) []:ca.magedu111.org

Email Address []:tree /etc/pki/CA

[root@localhost CA]# tree /etc/pki/CA

/etc/pki/CA

|-- cacert.pem

|-- certs

|-- crl

|-- index.txt

|-- newcerts

|-- private

|   `-- cakey.pem

`-- serial

 

4 directories, 4 files

[root@localhost CA]# cat /etc/pki/CA/cacert.pem

-----BEGIN CERTIFICATE-----

MIIEBzCCAu+gAwIBAgIUXyzdfc8XVLavhQrHUTwWrBbOJEswDQYJKoZIhvcNAQEL

BQAwgZIxCzAJBgNVBAYTAkNOMRAwDgYDVQQIDAdiZWlqaW5nMRAwDgYDVQQHDAdi

aWVqaW5nMRIwEAYDVQQKDAltYWdlZHUxMTExDzANBgNVBAsMBmRldm9wczEZMBcG

A1UEAwwQY2EubWFnZWR1MTExLm9yZzEfMB0GCSqGSIb3DQEJARYQdHJlZSAvZXRj

L3BraS9DQTAeFw0yMDA4MDMxNDUyMjlaFw0zMDA4MDExNDUyMjlaMIGSMQswCQYD

VQQGEwJDTjEQMA4GA1UECAwHYmVpamluZzEQMA4GA1UEBwwHYmllamluZzESMBAG

A1UECgwJbWFnZWR1MTExMQ8wDQYDVQQLDAZkZXZvcHMxGTAXBgNVBAMMEGNhLm1h

Z2VkdTExMS5vcmcxHzAdBgkqhkiG9w0BCQEWEHRyZWUgL2V0Yy9wa2kvQ0EwggEi

MA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDI6iSuhLUUYRWWUJz5uUD1X9Fg

NPcsVEfbCFC2Uybtp6I0z81LxlsGNy4BHhr5vbDhjaZjss1crK3LGgin58oeE1oi

AsVl6BvmqvxgMlPmr0YSenRvoX3WTDmyYsbKC1n/xeFWp5/sY9IpzMcqp9re9FrJ

IRnFfWzb7KkYko1UBkW5EAq98X4mSMOovIHRXQIiloNm+kLmwA7zp/Vb+UGEc8Xj

oToPVXrNYnrHiM6roesca+0JjzrtcEjsCLUPObXnBco2zRWxWbBNtI0EqByrpH+D

afzaGeF3v3atPwQurodJClZO6Z60oofY6miHkUp5x9HVrZ0ZQ0Xab3EpMoBbAgMB

AAGjUzBRMB0GA1UdDgQWBBQrcX437F/PGahgtMnokkAb0HG2STAfBgNVHSMEGDAW

gBQrcX437F/PGahgtMnokkAb0HG2STAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3

DQEBCwUAA4IBAQACHC9xBv/Dr4VvoyA8itXW9GzUXDjphB+RiF7tkK6vHK8ed6yt

danbGVozsD/rhhG7cj3iPxhhm2mQwbX7AXITdI2uv6NDm9+n23XVuVRCMc+BeRYb

sCrQo91f+MT76gpj13XTzvz3/GxRYbdqJ6P50oSYb9sW4EfDNDpMpbKiK+YElNb2

DqYvVb3bSttlyWTtN2ZSEc8Y94zIDF4hPZ47nyDYsu7/szOX0upy3NpwgRpYOft3

ubyTKLoHsS2HrwydjG5dSpdCPlcKeUh4EChbvRuTFMwgPQbnloJd2CLy1UI4eswR

RvuasZQnphv0MaOCuwdCoGV98LcLjog1iqav

-----END CERTIFICATE-----

[root@localhost CA]# openssl x509 -in /etc/pki/CA/cacert.pem -noout -text

Certificate:

    Data:

        Version: 3 (0x2)

        Serial Number:

            5f:2c:dd:7d:cf:17:54:b6:af:85:0a:c7:51:3c:16:ac:16:ce:24:4b

        Signature Algorithm: sha256WithRSAEncryption

        Issuer: C = CN, ST = beijing, L = biejing, O = magedu111, OU = devops, CN = ca.magedu111.org, emailAddress = tree /etc/pki/CA

        Validity

            Not Before: Aug  3 14:52:29 2020 GMT

            Not After : Aug  1 14:52:29 2030 GMT

        Subject: C = CN, ST = beijing, L = biejing, O = magedu111, OU = devops, CN = ca.magedu111.org, emailAddress = tree /etc/pki/CA

        Subject Public Key Info:

            Public Key Algorithm: rsaEncryption

                RSA Public-Key: (2048 bit)

                Modulus:

                    00:c8:ea:24:ae:84:b5:14:61:15:96:50:9c:f9:b9:

                    40:f5:5f:d1:60:34:f7:2c:54:47:db:08:50:b6:53:

                    26:ed:a7:a2:34:cf:cd:4b:c6:5b:06:37:2e:01:1e:

                    1a:f9:bd:b0:e1:8d:a6:63:b2:cd:5c:ac:ad:cb:1a:

                    08:a7:e7:ca:1e:13:5a:22:02:c5:65:e8:1b:e6:aa:

                    fc:60:32:53:e6:af:46:12:7a:74:6f:a1:7d:d6:4c:

                    39:b2:62:c6:ca:0b:59:ff:c5:e1:56:a7:9f:ec:63:

                    d2:29:cc:c7:2a:a7:da:de:f4:5a:c9:21:19:c5:7d:

                    6c:db:ec:a9:18:92:8d:54:06:45:b9:10:0a:bd:f1:

                    7e:26:48:c3:a8:bc:81:d1:5d:02:22:96:83:66:fa:

                    42:e6:c0:0e:f3:a7:f5:5b:f9:41:84:73:c5:e3:a1:

                    3a:0f:55:7a:cd:62:7a:c7:88:ce:ab:a1:eb:1c:6b:

                    ed:09:8f:3a:ed:70:48:ec:08:b5:0f:39:b5:e7:05:

                    ca:36:cd:15:b1:59:b0:4d:b4:8d:04:a8:1c:ab:a4:

                    7f:83:69:fc:da:19:e1:77:bf:76:ad:3f:04:2e:ae:

                    87:49:0a:56:4e:e9:9e:b4:a2:87:d8:ea:68:87:91:

                    4a:79:c7:d1:d5:ad:9d:19:43:45:da:6f:71:29:32:

                    80:5b

                Exponent: 65537 (0x10001)

        X509v3 extensions:

            X509v3 Subject Key Identifier: 

                2B:71:7E:37:EC:5F:CF:19:A8:60:B4:C9:E8:92:40:1B:D0:71:B6:49

            X509v3 Authority Key Identifier: 

                keyid:2B:71:7E:37:EC:5F:CF:19:A8:60:B4:C9:E8:92:40:1B:D0:71:B6:49

 

            X509v3 Basic Constraints: critical

                CA:TRUE

    Signature Algorithm: sha256WithRSAEncryption

         02:1c:2f:71:06:ff:c3:af:85:6f:a3:20:3c:8a:d5:d6:f4:6c:

         d4:5c:38:e9:84:1f:91:88:5e:ed:90:ae:af:1c:af:1e:77:ac:

         ad:75:a9:db:19:5a:33:b0:3f:eb:86:11:bb:72:3d:e2:3f:18:

         61:9b:69:90:c1:b5:fb:01:72:13:74:8d:ae:bf:a3:43:9b:df:

         a7:db:75:d5:b9:54:42:31:cf:81:79:16:1b:b0:2a:d0:a3:dd:

         5f:f8:c4:fb:ea:0a:63:d7:75:d3:ce:fc:f7:fc:6c:51:61:b7:

         6a:27:a3:f9:d2:84:98:6f:db:16:e0:47:c3:34:3a:4c:a5:b2:

         a2:2b:e6:04:94:d6:f6:0e:a6:2f:55:bd:db:4a:db:65:c9:64:

         ed:37:66:52:11:cf:18:f7:8c:c8:0c:5e:21:3d:9e:3b:9f:20:

         d8:b2:ee:ff:b3:33:97:d2:ea:72:dc:da:70:81:1a:58:39:fb:

         77:b9:bc:93:28:ba:07:b1:2d:87:af:0c:9d:8c:6e:5d:4a:97:

         42:3e:57:0a:79:48:78:10:28:5b:bd:1b:93:14:cc:20:3d:06:

         e7:96:82:5d:d8:22:f2:d5:42:38:7a:cc:11:46:fb:9a:b1:94:

         27:a6:1b:f4:31:a3:82:bb:07:42:a0:65:7d:f0:b7:0b:8e:88:

         35:8a:a6:af

[root@localhost CA]# sz /etc/pki/CA/cacert.pem

4 使用脚本实现多个用户key验证免密登录

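#!/bin/bash
# Distribute this host's SSH public key to every address in one /24 network
# so that later logins use key authentication instead of the shared password.
#
# Environment (optional; defaults reproduce the original hard-coded values):
#   NET  - first three octets of the target network          (default: 192.168.1)
#   PASS - initial password that ssh-copy-id logs in with    (default: 123456)
#   KEY  - private key file to create and/or distribute      (default: /root/.ssh/id_rsa)
#
# Output: addresses that did not accept the key are listed on stderr.
# Exit status: 0 when every address accepted the key, 1 otherwise
#              (also 1 when sshpass or the key pair cannot be set up).

set -u   # a mistyped variable name aborts instead of expanding to ""

net=${NET:-192.168.1}
pass=${PASS:-123456}
key=${KEY:-/root/.ssh/id_rsa}

# Package installation stays best effort, as in the original: on a host that
# already has sshpass the repository steps may legitimately fail. What must
# not be silent is sshpass being absent afterwards -- every copy would fail.
yum install -y epel-release &> /dev/null
yum install -y sshpass &> /dev/null
command -v sshpass > /dev/null 2>&1 || {
  printf 'sshpass is not installed and could not be installed\n' >&2
  exit 1
}

# ssh-keygen fails when the directory is missing, and with stdin/stdout
# discarded it would silently decline its own overwrite prompt when the key
# already exists -- so create the directory and reuse an existing key.
mkdir -p -m 700 -- "${key%/*}"
if [[ ! -f "$key" ]]; then
  ssh-keygen -P "" -f "$key" &> /dev/null || {
    printf 'ssh-keygen failed for %s\n' "$key" >&2
    exit 1
  }
fi

# Background jobs append failed addresses here; mktemp avoids a predictable
# name in /tmp and the trap removes the file on every exit path.
failed=$(mktemp) || exit 1
trap 'rm -f -- "$failed"' EXIT

# sshpass -e reads the password from $SSHPASS, so it is not visible to other
# users in `ps` output the way `sshpass -p <password>` is.
export SSHPASS=$pass

# StrictHostKeyChecking=no accepts whatever host key each target presents,
# which is what makes an unattended first contact possible; it also means a
# changed or unexpected host key on this network is not detected here.
# ConnectTimeout keeps unreachable addresses from holding `wait` open.
for i in {1..254}; do
  {
    sshpass -e ssh-copy-id -o StrictHostKeyChecking=no -o ConnectTimeout=10 \
      -i "${key}.pub" "${net}.${i}" &> /dev/null \
      || printf '%s\n' "${net}.${i}" >> "$failed"
  } &
done
wait

if [[ -s "$failed" ]]; then
  printf 'key not installed on:\n' >&2
  cat -- "$failed" >&2
  exit 1
fi
exit 0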

原文地址:https://www.cnblogs.com/lyt2020/p/13430572.html