
Implementing CA, SSH and DHCP services


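Table of contents

1. Certificate concepts
2. Setting up a private CA and requesting certificates
    2.1 Creating the CA private key
    2.2 Issuing a self-signed certificate for the CA
    2.3 Generating the user's private key and certificate request
    2.4 Issuing the certificate from the CA
    2.5 Viewing the certificate
3. Common SSH options and usage
4. Common SSH applications
    4.1 Key-based login
    4.2 Port forwarding with SSH
5. The DHCP service
Summary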

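1. Certificate concepts

    Public key infrastructure: PKI
    Certificate authority: CA
    Registration authority: RA
    Certificate revocation list: CRL
    X.509: defines the structure of certificates and the authentication protocol standard (fields include the version, serial number, signature algorithm, issuer, validity period, subject name and so on)

Certificate types:

    Certificates of certificate authorities
    Server certificates
    User certificates

Two ways to obtain a certificate:
1. Self-signed certificate: you sign your own public key yourself.
2. Through a certificate authority:

    Generate a certificate signing request (CSR)
    Send the CSR to the CA
    The CA signs and issues the certificate


2. Setting up a private CA and requesting certificates

A private CA can be built with the OpenCA software or directly with openssl.

2.1 Creating the CA private key

Generate the private key with the openssl command; the default key length is 2048 bits. Then change the file permissions to 600.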

[root@centos7 ~]# openssl genrsa -out /etc/pki/CA/private/cakey.pem
Generating RSA private key, 2048 bit long modulus
..................+++
.....+++
e is 65537 (0x10001)
[root@centos7 ~]# cd /etc/pki/CA
[root@centos7 CA]# ll private/cakey.pem
-rw-r--r--. 1 root root 1675 Feb 22 16:29 private/cakey.pem
[root@centos7 CA]# chmod 600 private/cakey.pem
[root@centos7 CA]# ll private/cakey.pem
-rw-------. 1 root root 1675 Feb 22 16:29 private/cakey.pem
[root@centos7 CA]# 

2.2 Issuing a self-signed certificate for the CA

Issue a self-signed certificate for the CA, valid for 10 years.

[root@centos7 CA]# openssl req -new -x509 -key private/cakey.pem -days 3650 -out cacert.pem
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:GD
Locality Name (eg, city) [Default City]:GZ
Organization Name (eg, company) [Default Company Ltd]:AI
Organizational Unit Name (eg, section) []:IT
Common Name (eg, your name or your server's hostname) []:jiangde.com
Email Address []:jiang111@139.com
[root@centos7 CA]#
[root@centos7 CA]# tree
.
├── cacert.pem
├── certs
├── crl
├── newcerts
└── private
    └── cakey.pem

4 directories, 2 files
[root@centos7 CA]#
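
2.3 Generating the user's private key and certificate request

Under the policy in the /etc/pki/tls/openssl.cnf configuration file, the countryName, stateOrProvinceName and organizationName in the certificate request must match the values entered for the CA certificate in 2.2 above. commonName is mandatory.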

[root@centos7 CA]# cd /data
[root@centos7 data]# (umask 066; openssl genrsa -out /data/app1.key 2048)
Generating RSA private key, 2048 bit long modulus
.....................+++
........+++
e is 65537 (0x10001)
[root@localhost CA]# vim /etc/pki/tls/openssl.cnf
...... (part of the output omitted)

policy          = policy_match

# For the CA policy
[ policy_match ]
countryName             = match
stateOrProvinceName     = match
organizationName        = match
organizationalUnitName  = optional
commonName              = supplied
emailAddress            = optional

...... (part of the output omitted)
[root@centos7 data]# 
[root@centos7 data]# openssl req -new -key /data/app1.key -out /data/app1.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:GD
Locality Name (eg, city) [Default City]:GZ
Organization Name (eg, company) [Default Company Ltd]:AI
Organizational Unit Name (eg, section) []:IT
Common Name (eg, your name or your server's hostname) []:app1.jiangde.com
Email Address []:app1@163.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
[root@centos7 data]#
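
2.4 Issuing the certificate from the CA

The index.txt and serial files are needed when a certificate is issued; if they do not exist, the errors shown below appear.
Also, on CentOS 8 the corresponding directories have to be created first: mkdir -pv /etc/pki/CA/{certs,crl,newcerts,private}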

[root@centos7 data]# openssl ca -in app1.csr -out /etc/pki/CA/certs/app1.crt -days 1000
Using configuration from /etc/pki/tls/openssl.cnf
/etc/pki/CA/index.txt: No such file or directory
unable to open '/etc/pki/CA/index.txt'
140309127034768:error:02001002:system library:fopen:No such file or directory:bss_file.c:402:fopen('/etc/pki/CA/index.txt','r')
140309127034768:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:404:
[root@centos7 data]#
[root@centos7 data]# touch /etc/pki/CA/index.txt
[root@centos7 data]# openssl ca -in app1.csr -out /etc/pki/CA/certs/app1.crt -days 1000
Using configuration from /etc/pki/tls/openssl.cnf
/etc/pki/CA/serial: No such file or directory
error while loading serial number
140599648216976:error:02001002:system library:fopen:No such file or directory:bss_file.c:402:fopen('/etc/pki/CA/serial','r')
140599648216976:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:404:
[root@centos7 data]#
[root@centos7 data]# echo 01 > /etc/pki/CA/serial
[root@centos7 data]# openssl ca -in app1.csr -out /etc/pki/CA/certs/app1.crt -days 1000
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: Feb 18 19:18:36 2022 GMT
            Not After : Nov 14 19:18:36 2024 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = GD
            organizationName          = AI
            organizationalUnitName    = IT
            commonName                = app1.jiangde.com
            emailAddress              = app1@163.com
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                FC:92:FC:30:E3:CB:33:76:0A:2E:07:2A:63:89:E0:55:4F:B6:21:F5
            X509v3 Authority Key Identifier:
                keyid:38:16:21:53:13:2B:90:FB:62:AC:26:8F:91:7B:A3:46:6F:B8:91:D6

Certificate is to be certified until Nov 14 19:18:36 2024 GMT (1000 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data base Updated
[root@centos7 data]# tree /etc/pki/Ca
/etc/pki/Ca [error opening dir]

0 directories, 0 files
[root@centos7 data]# tree /etc/pki/CA
/etc/pki/CA
├── cacert.pem
├── certs
│   └── app1.crt
├── crl
├── index.txt
├── index.txt.attr
├── index.txt.old
├── newcerts
│   └── 01.pem
├── private
│   └── cakey.pem
├── serial
└── serial.old

4 directories, 9 files
[root@centos7 data]#

2.5 Viewing the certificate

[root@centos7 CA]# cat certs/app1.crt
Certificate:
    data:
        Version: 3 (0x2)
        Serial Number: 1 (0x1)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=CN, ST=GD, L=GZ, O=AI, OU=IT, CN=jiangde.com/emailAddress=jiang_de@139.com
        Validity
            Not Before: Feb 18 19:18:36 2022 GMT
            Not After : Nov 14 19:18:36 2024 GMT
        Subject: C=CN, ST=GD, O=AI, OU=IT, CN=app1.jiangde.com/emailAddress=app1@163.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                FC:92:FC:30:E3:CB:33:76:0A:2E:07:2A:63:89:E0:55:4F:B6:21:F5
            X509v3 Authority Key Identifier:
                keyid:38:16:21:53:13:2B:90:FB:62:AC:26:8F:91:7B:A3:46:6F:B8:91:D6

    Signature Algorithm: sha256WithRSAEncryption
[root@centos7 CA]# 
[root@centos7 CA]# 
[root@centos7 CA]# cat index.txt
V       241114191836Z           01      unknown /C=CN/ST=GD/O=AI/OU=IT/CN=app1.jiangde.com/emailAddress=app1@163.com
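
The index.txt database shown above is where `openssl ca` records every issued certificate, so it is also the place to check for entries that have expired or been revoked. The following script is an added example, not part of the original article; it assumes the tab-separated layout that OpenSSL writes, and entries 02 and 03 of its sample are constructed.

```shell
# index.txt fields are TAB-separated:
#   status (V/R/E), expiry, revocation date, serial, file name, subject
# Dates are UTCTime strings of the form YYMMDDHHMMSSZ.

# ca_index_audit INDEX [NOW] -> one line per entry: "serial state expiry subject"
# NOW is a UTCTime string and defaults to the current time.
ca_index_audit() {
    awk -F'\t' -v now="${2:-$(date -u +%y%m%d%H%M%SZ)}" '
        # Expand the two-digit year so that plain string comparison orders
        # the dates (UTCTime rule: YY >= 50 is 19YY, otherwise 20YY).
        function full(t) { return ((substr(t, 1, 2) + 0 >= 50) ? "19" : "20") t }
        NF >= 6 {
            state = "valid"
            if ($1 == "R") state = "revoked"
            else if ($1 == "E" || full($2) <= full(now)) state = "expired"
            print $4, state, $2, $6
        }' "$1"
}

# Constructed sample: entry 01 is the line shown above, 02 and 03 are made up
# to exercise the revoked and expired cases.
sample_index() {
    printf 'V\t241114191836Z\t\t01\tunknown\t/C=CN/ST=GD/O=AI/OU=IT/CN=app1.jiangde.com/emailAddress=app1@163.com\n'
    printf 'R\t250101000000Z\t220301120000Z\t02\tunknown\t/C=CN/ST=GD/O=AI/OU=IT/CN=app2.example.test\n'
    printf 'V\t220301000000Z\t\t03\tunknown\t/C=CN/ST=GD/O=AI/OU=IT/CN=app3.example.test\n'
}

# Demo: evaluate the sample as of 1 January 2023 (UTC).
demo_index=$(mktemp)
sample_index > "$demo_index"
ca_index_audit "$demo_index" 230101000000Z
rm -f "$demo_index"
```

On the CA host the call would be `ca_index_audit /etc/pki/CA/index.txt`. An entry still marked V whose expiry date has passed is reported as expired, because OpenSSL only rewrites the status column when the database is updated.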

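3. Common SSH options and usage

The telnet protocol transmits data in plaintext, which is very insecure, whereas the ssh protocol transmits ciphertext and so provides encrypted communication. CentOS installs openssh (an open-source implementation of the ssh protocol) by default.
ssh performs fingerprint verification to make sure the user is connecting to the correct remote host. On the first connection to a server, ssh stores the fingerprint by default and checks it on every later connection.
The ssh command is the ssh client; it provides authenticated, encrypted access to remote systems.

Format:
ssh [user@]host [COMMAND]
ssh [-l user] host [COMMAND]

Common options:
-p port     # port the remote server listens on
-b          # source IP address to connect from
-v          # debug mode
-C          # compress the traffic
-X          # enable X11 forwarding
-t          # force pseudo-tty allocation, e.g.: ssh -t remoteserver1 ssh -t remoteserver2
-o option   # e.g.: -o StrictHostKeyChecking=no (accepts unknown host keys without asking, so the fingerprint check above is skipped)
-i          # path of the private key file, for key-based authentication; the default files are ~/.ssh/id_dsa, ~/.ssh/id_ecdsa, ~/.ssh/id_ed25519, ~/.ssh/id_rsa and so on
# Run a command on the remote host (single quotes, so that $(...) is expanded on the remote host rather than locally)
[root@centos7 ~]# ssh root@192.168.1.31 'echo user: $(whoami);echo OS: $(uname)'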
The authenticity of host '192.168.1.31 (192.168.1.31)' can't be established.
ECDSA key fingerprint is SHA256:910aHeL6lF7RojTWGrsyimfrEYtBLydn9eJpHbVSNC8.
ECDSA key fingerprint is MD5:f4:18:ae:98:8e:f8:65:2a:00:a9:7d:a1:c7:2d:4a:16.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.1.31' (ECDSA) to the list of known hosts.
root@192.168.1.31's password:
user: root
OS: Linux
[root@centos7 ~]#
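
4. Common SSH applications

4.1 Key-based login

To automate the login process, SSH keys can be used to log in automatically. SSH uses asymmetric cryptography; the authentication key consists of a public key and a private key. For automated authentication, the public key must be placed on the server.

Setting up automated SSH authentication takes two steps:

    1. Create an SSH key pair on the local host.
    2. Transfer the generated public key to the remote host.
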
[root@centos7 ~]# ll ~/.ssh
ls: cannot access /root/.ssh: No such file or directory
[root@centos7 ~]# 
[root@centos7 ~]# ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:IZoh0ZwghDDd4TgkuDaQz0rbhBoK8GyOi66co72zDCc root@centos7.jiangde.com
The key's randomart image is:
+---[RSA 2048]----+
|X++=.o           |
|*=.+=            |
|o*= o . .        |
|+=*+ + . .       |
|**= o   S        |
|=...             |
|E..              |
|+Bo              |
|*+*+             |
+----[SHA256]-----+
[root@centos7 ~]# ll ~/.ssh
total 12
-rw------- 1 root root 1679 Feb 23 22:19 id_rsa       # generated private key
-rw-r--r-- 1 root root  406 Feb 23 22:19 id_rsa.pub   # generated public key

# The remote host receives the public key above and stores it under ~/.ssh/
[root@localhost ~]# ll ~/.ssh       # before the transfer: no such directory or file
ls: cannot access /root/.ssh: No such file or directory
[root@localhost ~]# ll .ssh         # after the transfer
total 4
-rw-------. 1 root root 406 Feb 23 17:26 authorized_keys
[root@localhost ~]# cat .ssh/authorized_keys
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDAO17FNVU6aeq9z+NoYm6B5KrP4g1fxhYXN2XoA58RrVewQGa5nQ8tQT+m76Q3TT9JO0fQmKdfYI+a90HQ0/OdKEs/3i08NCcrRNduJMr1THwmXBhUYq5UnihN30GxkZYylYEztGO1X7V4H4nxH0Oujrhy7+mQlH31aJ69AxQVUahVt5AcvzRLAkwpDAA3EipH4C2RYbAHUSL3HOuF8jiBWRV7JTh75tMlYU2i9u1SPuGrfea797eLxdIG/smRcFDschSlxxq3B+JGwQSTIjecn0XkUsFnLEdHyytsjQ4lI5Ki2uUobdk7WkesygOTxH57FGRGSpcSdXMEIlLWtrcn root@centos7.jiangde.com
[root@localhost ~]#

# Test
[root@centos7 ~]# ssh 192.168.1.31         # logs in without asking for a password
Last login: Wed Feb 23 17:00:50 2022 from 192.168.1.12
[root@localhost ~]#
[root@localhost ~]# hostname -I
192.168.1.31 2409:8a55:475:3280:20c:29ff:fec3:468d
[root@localhost ~]#
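
Key-based login depends on the file modes visible in the listings above: sshd ignores authorized_keys when it or its directory is writable by group or other, and the ssh client refuses a private key that group or other can access. The following check is an added example, not part of the original article; the function names are hypothetical and the private-key test assumes the usual PEM header on the first line.

```shell
# group_other PATH -> the six group/other permission characters, e.g. "r--r--"
group_other() { ls -ld "$1" | cut -c5-10; }

finding() { echo "FINDING: $*"; AUDIT_FINDINGS=$((AUDIT_FINDINGS + 1)); }

# audit_ssh_dir DIR -> prints findings and the authorized keys,
# leaves the number of findings in AUDIT_FINDINGS
audit_ssh_dir() {
    AUDIT_FINDINGS=0

    # With StrictModes (the sshd default) authorized_keys is ignored when it,
    # or the directory holding it, is writable by group or other.
    for p in "$1" "$1/authorized_keys"; do
        [ -e "$p" ] || continue
        case $(group_other "$p") in
            ?w????|????w?) finding "$p is writable by group or other" ;;
        esac
    done

    # The ssh client refuses a private key that group or other can access.
    for p in "$1"/*; do
        [ -f "$p" ] || continue
        head -n 1 "$p" | grep -q 'PRIVATE KEY-----' || continue
        [ "$(group_other "$p")" = "------" ] ||
            finding "$p is a private key accessible to group or other"
    done

    # Every line in authorized_keys is a standing login: list type and comment.
    [ ! -f "$1/authorized_keys" ] || awk '!/^#/ && NF {
        for (i = 1; i <= NF; i++)
            if ($i ~ /^(ssh|ecdsa|sk)-/) { print "KEY:", $i, $(i + 2); break }
    }' "$1/authorized_keys"
}

# Audit the directory given as argument, or the current user's ~/.ssh.
audit_ssh_dir "${1:-$HOME/.ssh}"
```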
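
4.2 Port forwarding with SSH

Port forwarding redirects IP connections arriving at one host to another host. If you use a Linux system as a firewall, you can redirect connections on a port (for example 1234) to another internal address (for example 192.168.1.10:22), which gives the outside an SSH tunnel that reaches the internal host.

    The following command forwards traffic on port 8000 of the local host to port 80 of www.kernel.org:

    ssh -L 8000:www.kernel.org:80 user@localhost    # user is a user name on the local host


    The following command forwards traffic on port 8000 of the remote host to port 80 of www.kernel.org:

    ssh -R 8000:www.kernel.org:80 user@REMOTE_MACHINE  # REMOTE_MACHINE is the remote host name or IP address; user is the user name used for ssh access; -R opens the listening port on the remote side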
    
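
5. The DHCP service

DHCP runs over UDP. Its main purpose is to let clients automatically obtain an IP address, subnet mask and other settings assigned by the DHCP server. DHCP uses ports 67 and 68, which are the service ports of the DHCP server and the DHCP client respectively.

# DHCP server side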
[root@localhost ~]# yum install -y dhcp
[root@localhost ~]# cat /etc/dhcp/dhcpd.conf
#
# DHCP Server Configuration file.
#   see /usr/share/doc/dhcp*/dhcpd.conf.example
#   see dhcpd.conf(5) man page
#
subnet 192.168.1.0 netmask 255.255.255.0 {
    option routers 192.168.1.31;
    option domain-name-servers 114.114.114.114;
    option subnet-mask 255.255.255.0;
    range dynamic-bootp 192.168.1.67 192.168.1.69;
    default-lease-time 21600;
    max-lease-time 43200;
}
[root@localhost ~]# systemctl start dhcpd    # dhcpd.conf must be written correctly first, otherwise starting the service fails
[root@localhost ~]# cat /var/lib/dhcpd/dhcpd.leases
# The format of this file is documented in the dhcpd.leases(5) manual page.
# This lease file was written by isc-dhcp-4.2.5

server-duid "00010001)2563473150014)303F215";

lease 192.168.1.67 {
  starts 1 2022/02/28 01:54:25;
  ends 1 2022/02/28 07:54:25;
  cltt 1 2022/02/28 01:54:25;
  binding state active;
  next binding state free;
  rewind binding state free;
  hardware ethernet 00:0c:29:90:05:d8;
  client-hostname "centos7";
}
[root@localhost ~]#

# Client side
[root@centos7 ~]# cat /etc/sysconfig/network-scripts/ifcfg-ens33
TYPE="Ethernet"
BOOTPROTO="dhcp"
NAME="ens33"
DEVICE="ens33"
ONBOOT="yes"
[root@centos7 ~]# systemctl restart network
[root@centos7 ~]# ip a
1: lo:  mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: ens33:  mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 00:0c:29:90:05:d8 brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.67/24 brd 192.168.1.255 scope global noprefixroute dynamic ens33
       valid_lft 21448sec preferred_lft 21448sec
    inet6 fe80::20c:29ff:fe90:5d8/64 scope link
       valid_lft forever preferred_lft forever
[root@centos7 ~]# cat /etc/resolv.conf
# Generated by NetworkManager
search jiangde.com
nameserver 114.114.114.114
[root@centos7 ~]#
[root@centos7 ~]# ping 192.168.1.1
PING 192.168.1.1 (192.168.1.1) 56(84) bytes of data.
64 bytes from 192.168.1.1: icmp_seq=1 ttl=64 time=0.958 ms
64 bytes from 192.168.1.1: icmp_seq=2 ttl=64 time=1.42 ms
^C
--- 192.168.1.1 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1001ms
rtt min/avg/max/mdev = 0.958/1.191/1.424/0.233 ms
[root@centos7 ~]#
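
The dhcpd.leases file shown above is the server's record of which client holds which address, which makes it a convenient source for spotting clients that are not in the inventory. The following parser is an added example, not part of the original article; the allowlist file and the function names are hypothetical, and the .68 and .69 leases in the sample are constructed.

```shell
# active_leases FILE -> "ip mac hostname ends" for each active lease.
# dhcpd appends a record on every lease change; the last one per address counts.
active_leases() {
    awk '
        function clean(s) { gsub(/[;"]/, "", s); return s }
        $1 == "lease"                    { ip = $2; mac = host = "-"; ends = state = "" }
        $1 == "binding" && $2 == "state" { state = clean($3) }
        $1 == "hardware"                 { mac = clean($3) }
        $1 == "client-hostname"          { host = clean($2) }
        $1 == "ends"                     { ends = clean($3 ($4 == "" ? "" : "T" $4)) }
        $1 == "}" && ip != ""            { rec[ip] = state "\t" mac "\t" host "\t" ends; ip = "" }
        END { for (ip in rec) { split(rec[ip], f, "\t")
            if (f[1] == "active") print ip, f[2], f[3], f[4] } }
    ' "$1" | sort
}

# unknown_clients LEASES ALLOWLIST -> active leases whose MAC is not listed.
# ALLOWLIST is a hypothetical inventory file, one MAC address per line.
unknown_clients() {
    active_leases "$1" | awk -v allow="$2" '
        BEGIN { while ((getline m < allow) > 0) ok[tolower(m)] = 1 }
        !ok[tolower($2)]'
}

# Constructed sample: the .67 lease is the one shown above; .68 (active, then
# released) and .69 are made up.
sample_leases() {
    cat <<'EOF'
lease 192.168.1.67 {
  ends 1 2022/02/28 07:54:25;
  binding state active;
  hardware ethernet 00:0c:29:90:05:d8;
  client-hostname "centos7";
}
lease 192.168.1.68 {
  binding state active;
  hardware ethernet 02:00:00:00:00:68;
}
lease 192.168.1.68 {
  binding state free;
  hardware ethernet 02:00:00:00:00:68;
}
lease 192.168.1.69 {
  ends 1 2022/02/28 08:30:00;
  binding state active;
  hardware ethernet 02:00:00:00:00:69;
}
EOF
}
```

On the server the input would be /var/lib/dhcpd/dhcpd.leases, for example `unknown_clients /var/lib/dhcpd/dhcpd.leases known-macs.txt`.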
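
Summary

1. Certificates involve encryption algorithms, certificate revocation and related topics, which still need more study.
2. The more advanced uses of ssh remain to be tried out later.
3. The DHCP service has other configuration options that are not listed here and also need more study.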
