Implementing SSL-based FTPS with vsftpd
Contents
1. Check whether the current vsftpd is built with SSL support
2. Create a self-signed certificate
3. Inspect the certificate
4. Configure vsftpd to support SSL
5. Test: log in with FileZilla
6. Wireshark capture results
Plain vsftpd transfers are very insecure: the user name and password, for example, travel in cleartext and are easily captured by anyone on the network path. FTPS wraps the control and data connections in SSL/TLS to close that gap.
1. Check whether the current vsftpd is built with SSL support
[root@localhost ~]# ldd $(which vsftpd) |grep ssl
libssl.so.10 => /usr/lib64/libssl.so.10 (0x00007f55009bf000)
2. Create a self-signed certificate
[root@localhost ~]# cd /etc/pki/tls/certs/
[root@localhost certs]# make vsftpd.pem
umask 77 ; \
PEM1=`/bin/mktemp /tmp/openssl.XXXXXX` ; \
PEM2=`/bin/mktemp /tmp/openssl.XXXXXX` ; \
/usr/bin/openssl req -utf8 -newkey rsa:2048 -keyout $PEM1 -nodes -x509 -days 365 \
	-out $PEM2 -set_serial 0 ; \
cat $PEM1 >  vsftpd.pem ; \
echo ""    >> vsftpd.pem ; \
cat $PEM2 >> vsftpd.pem ; \
rm -f $PEM1 $PEM2
Generating a 2048 bit RSA private key
..................................................+++
............................+++
writing new private key to '/tmp/openssl.x3aynR'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:beijing
Locality Name (eg, city) [Default City]:beijing
Organization Name (eg, company) [Default Company Ltd]:mage
Organizational Unit Name (eg, section) []:ftp
Common Name (eg, your name or your server's hostname) []:172.16.250.90
Email Address []:ftp@mage.com
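The make target above is convenient, but the certificate it produces (see step 3) is signed with SHA-1, carries no subjectAltName, is marked CA:TRUE, and shares one PEM file with the private key. The following script is an added example, not part of the original post, showing how to issue the same server certificate with those points fixed and how to check the result from the same `openssl x509 -noout -text` dump. It assumes openssl (1.0.2 or newer) is on PATH; the DN values and the IP 172.16.250.90 come from the post, while the config section names, file names and helper functions are ours.

```shell
#!/bin/sh
# Added example (not from the original post): issue the FTPS server certificate
# with the properties a practitioner would want instead of the `make vsftpd.pem`
# defaults shown above:
#   - sha256WithRSAEncryption instead of sha1WithRSAEncryption
#   - a subjectAltName (IP:172.16.250.90), which is what clients actually match
#   - basicConstraints CA:FALSE (the make target produced a CA:TRUE certificate)
#   - key and certificate in separate files, key created with mode 0600
# Assumptions: openssl on PATH; DN values and IP from the post; section names,
# file names and helper names are ours.

# make_ftps_cert DIR IP -> writes DIR/vsftpd.key and DIR/vsftpd.crt, prints the cert path
make_ftps_cert() {
    dir=$1
    ip=$2
    cat > "$dir/vsftpd-req.cnf" <<EOF
[req]
prompt = no
distinguished_name = dn
x509_extensions = ftps_server
[dn]
C = CN
ST = beijing
L = beijing
O = mage
OU = ftp
CN = $ip
emailAddress = ftp@mage.com
[ftps_server]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = IP:$ip
EOF
    # umask 077 in a subshell so the private key is never group/world readable,
    # not even for an instant; -nodes leaves it unencrypted because vsftpd
    # cannot prompt for a passphrase at start-up.
    ( umask 077 && openssl req -x509 -newkey rsa:2048 -sha256 -nodes -days 365 \
          -config "$dir/vsftpd-req.cnf" \
          -keyout "$dir/vsftpd.key" -out "$dir/vsftpd.crt" 2>/dev/null )
    echo "$dir/vsftpd.crt"
}

# The checks below read the same `openssl x509 -noout -text` dump the post
# shows in step 3, so the result can be compared with that output line by line.

# cert_sig_alg CERT -> e.g. sha256WithRSAEncryption
cert_sig_alg() {
    openssl x509 -in "$1" -noout -text | grep 'Signature Algorithm' | head -n 1 | awk '{print $3}'
}

# cert_san CERT -> the subjectAltName entry with spaces removed, e.g. IPAddress:172.16.250.90
cert_san() {
    openssl x509 -in "$1" -noout -text | grep -A1 'Subject Alternative Name' | tail -n 1 | tr -d ' '
}

# cert_is_ca CERT -> exit 0 if the certificate carries basicConstraints CA:TRUE
cert_is_ca() {
    openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'
}

# key_mode KEY -> permission string as printed by ls, expected rw-------
key_mode() {
    ls -l "$1" | cut -c2-10
}

# Stand-alone run: issue into a scratch directory and show what was produced.
if command -v openssl >/dev/null 2>&1; then
    scratch=$(mktemp -d)
    crt=$(make_ftps_cert "$scratch" 172.16.250.90)
    echo "certificate: $crt"
    echo "signature:   $(cert_sig_alg "$crt")"
    echo "SAN:         $(cert_san "$crt")"
    cert_is_ca "$crt" && echo "WARNING: CA:TRUE" || echo "basicConstraints: CA:FALSE"
    echo "key mode:    $(key_mode "$scratch/vsftpd.key")"
else
    echo "openssl not found; nothing issued"
fi
```

With the key and certificate in separate files, step 4 would point `rsa_cert_file` at the .crt and `rsa_private_key_file` (a vsftpd directive) at the .key under /etc/pki/tls/private, instead of relying on the combined vsftpd.pem. Whichever layout is used, the file holding the key must stay mode 0600 and owned by root, which is also why the make target runs with umask 77.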
3. Inspect the certificate
[root@localhost certs]# openssl x509 -in vsftpd.pem -noout -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 0 (0x0)
    Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=CN, ST=beijing, L=beijing, O=mage, OU=ftp, CN=172.16.250.90/emailAddress=ftp@mage.com
        Validity
            Not Before: Dec 20 15:44:44 2016 GMT
            Not After : Dec 20 15:44:44 2017 GMT
        Subject: C=CN, ST=beijing, L=beijing, O=mage, OU=ftp, CN=172.16.250.90/emailAddress=ftp@mage.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:e4:7c:a3:98:d5:b6:a0:6c:3e:67:86:b0:98:79:
                    ec:3d:d2:6a:76:bf:43:2f:8f:f9:bd:29:c2:11:50:
                    7a:64:24:b6:bc:64:9b:53:62:e2:25:44:7f:f4:ef:
                    ea:81:01:92:ae:3a:02:f9:0a:75:92:00:62:97:64:
                    a9:1e:d8:c0:89:4b:e0:1c:84:ea:d1:49:9b:80:97:
                    a8:42:8d:00:ae:41:91:f7:3b:7e:19:58:32:57:2e:
                    6f:b3:e4:84:59:cc:4e:fe:04:6e:76:a2:6f:8b:ac:
                    5e:6c:98:28:1d:28:cb:d7:7f:df:e0:9c:85:eb:93:
                    bf:c3:d7:8e:35:80:03:bf:8e:19:92:dd:4b:39:c3:
                    68:27:d2:4a:5e:b4:18:5d:02:08:2a:ce:66:00:64:
                    25:83:5b:dc:aa:9c:da:b2:5f:2e:59:bb:b7:eb:f0:
                    2c:e2:63:a4:f8:e0:2e:38:d8:ad:ba:0e:05:96:e5:
                    91:26:87:a6:a0:64:c5:bd:b0:ad:00:4e:b0:be:e2:
                    91:35:f2:36:5b:b3:56:f7:0a:fa:3d:e9:f9:4f:6b:
                    ab:c0:2b:2a:a4:0b:d7:f7:5b:06:86:c1:85:59:b8:
                    6a:78:1b:55:05:e9:5c:51:dd:d3:0e:1a:75:0e:f1:
                    3a:b3:42:e6:62:02:d4:8b:30:fb:36:ec:75:5a:6d:
                    43:89
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                C6:F8:38:E5:9A:17:9B:0E:D8:31:BE:DE:4E:29:14:DD:7F:EF:FB:FE
            X509v3 Authority Key Identifier:
                keyid:C6:F8:38:E5:9A:17:9B:0E:D8:31:BE:DE:4E:29:14:DD:7F:EF:FB:FE

            X509v3 Basic Constraints:
                CA:TRUE
    Signature Algorithm: sha1WithRSAEncryption
         dd:5f:de:d3:ff:53:ba:3a:69:7c:46:78:38:b1:07:b6:cd:5a:
         5d:aa:fc:fb:4d:19:63:a9:06:1e:95:8c:56:2f:c5:1f:3c:7e:
         b2:6d:9c:7e:ec:c6:ba:60:6c:25:b5:35:6a:87:32:06:0c:37:
         89:f1:b1:c2:bd:4a:17:91:2a:a7:5f:f9:56:eb:64:a5:b1:1c:
         b1:db:f2:dc:eb:60:fc:37:4c:ca:c2:68:9b:f5:36:77:d4:36:
         43:e8:4b:54:48:72:f8:dc:fe:80:96:c0:6a:1d:2a:95:5a:f9:
         47:2e:14:1f:7a:ba:db:d2:5b:5c:6e:d6:4b:d1:f9:1b:4d:26:
         a2:47:69:14:23:52:f5:13:d7:2f:57:f2:d4:be:77:c8:b0:c5:
         4f:04:43:66:5e:fe:8e:2f:5b:e7:8b:f3:6b:b1:13:a1:cd:95:
         90:f5:94:2f:b6:75:0d:67:45:58:36:d8:82:7d:ac:fd:79:2c:
         28:24:d9:a2:98:02:30:31:8a:91:a5:c6:15:49:c6:91:19:ae:
         90:5a:fb:57:ff:c7:36:27:5b:29:e1:79:ea:7b:33:68:2b:1a:
         e7:89:0e:96:7d:ac:eb:d3:81:d6:5f:35:ca:bb:3d:cf:1e:f7:
         87:28:00:c8:c9:ff:9e:50:ca:aa:13:66:29:be:2c:f1:11:28:
         02:19:b3:ca
Three things in this dump are worth noticing before going further: the signature is sha1WithRSAEncryption, the certificate has no subjectAltName (only CN=172.16.250.90), and Basic Constraints say CA:TRUE, all of which come from the defaults of the make target. A self-signed certificate will in any case be flagged as untrusted by FileZilla on first connection; what the client can still verify is that the fingerprint it shows matches this certificate.
4. Configure vsftpd to support SSL
Add the following directives to vsftpd.conf (/etc/vsftpd/vsftpd.conf on CentOS/RHEL, which is the layout the /etc/pki/tls paths above belong to) and restart vsftpd. vsftpd does not accept a trailing comment on a directive line, so in the real file keep the comments on their own lines or drop them.
# disable anonymous logins
anonymous_enable=NO
# confine all local system users to their home directories
chroot_local_user=YES
# enable SSL/TLS
ssl_enable=YES
# no SSL for anonymous users
allow_anon_ssl=NO
# local user logins must be encrypted
force_local_logins_ssl=YES
# local user data transfers must be encrypted
force_local_data_ssl=YES
# certificate (the make target put the private key in the same file)
rsa_cert_file=/etc/pki/tls/certs/vsftpd.pem
Note that vsftpd 3.x refuses to start a session whose chroot directory is writable; with chroot_local_user=YES and a writable home directory that version also needs allow_writeable_chroot=YES (or a non-writable home). Then create a test user:
[root@localhost ~]# useradd -s /sbin/nologin wang
[root@localhost ~]# passwd wang
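The directives above are easy to get subtly wrong: ssl_enable=YES alone only offers TLS, and a client that never sends AUTH TLS still logs in in cleartext unless force_local_logins_ssl and force_local_data_ssl are set. The following script is an added example, not code from the original post, that audits a vsftpd.conf for the step 4 settings and shows a weak configuration beside the corrected one. It assumes vsftpd's "key=value" syntax with one directive per line and comments on their own lines; the directive names (ssl_enable, force_local_logins_ssl, force_local_data_ssl, allow_anon_ssl, anonymous_enable, ssl_sslv2, ssl_sslv3, rsa_cert_file) are vsftpd's own, while the fixture files, PEM stand-ins and helper names are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the original post): audit a vsftpd.conf against the
# FTPS settings from step 4 and flag weak variants.
# Assumptions: vsftpd "key=value" syntax, one directive per line, comments only
# on their own lines. Directive names are vsftpd's; file names and helper names
# are ours; the fixture configs and PEM stand-ins are constructed sample data.

# Directive=value pairs step 4 relies on; each must be present explicitly.
REQUIRED="ssl_enable=YES
force_local_logins_ssl=YES
force_local_data_ssl=YES
anonymous_enable=NO
allow_anon_ssl=NO"

# Legacy protocol switches that must never be turned on.
FORBIDDEN="ssl_sslv2
ssl_sslv3"

# value_of CONF KEY -> value of the last non-comment "KEY=" line, or empty
value_of() {
    grep -v '^[[:space:]]*#' "$1" | grep "^$2=" | tail -n 1 | cut -d= -f2- | tr -d '[:space:]'
}

# audit_ftps CONF -> prints one line per problem; exit status 0 only if none
audit_ftps() {
    conf=$1
    problems=0
    for kv in $REQUIRED; do
        key=${kv%%=*}
        want=${kv#*=}
        got=$(value_of "$conf" "$key")
        if [ "$got" != "$want" ]; then
            echo "$conf: $key should be $want, found '${got:-unset}'"
            problems=$((problems + 1))
        fi
    done
    for key in $FORBIDDEN; do
        if [ "$(value_of "$conf" "$key")" = "YES" ]; then
            echo "$conf: $key=YES enables a broken protocol"
            problems=$((problems + 1))
        fi
    done
    # make vsftpd.pem stored the private key next to the certificate, so the
    # file rsa_cert_file points at must not be readable by group or others.
    cert=$(value_of "$conf" rsa_cert_file)
    if [ ! -f "$cert" ]; then
        echo "$conf: rsa_cert_file '${cert:-unset}' does not exist"
        problems=$((problems + 1))
    else
        case $(ls -l "$cert" | cut -c5-10) in
            *r*) echo "$conf: $cert is readable by group or others"
                 problems=$((problems + 1)) ;;
        esac
    fi
    [ "$problems" -eq 0 ]
}

# count_problems CONF -> number of lines audit_ftps reports
count_problems() {
    audit_ftps "$1" | wc -l | tr -d ' '
}

# write_fixtures DIR -> constructed sample files: a weak config, the step 4
# config, and two PEM stand-ins with the permissions the audit looks at
write_fixtures() {
    dir=$1
    printf 'not a real key\n' > "$dir/vsftpd.pem";      chmod 600 "$dir/vsftpd.pem"
    printf 'not a real key\n' > "$dir/vsftpd-open.pem"; chmod 644 "$dir/vsftpd-open.pem"
    # Weak: TLS offered but not required, SSLv3 re-enabled, key world-readable.
    cat > "$dir/weak.conf" <<EOF
anonymous_enable=NO
allow_anon_ssl=NO
ssl_enable=YES
force_local_logins_ssl=NO
force_local_data_ssl=NO
ssl_sslv3=YES
rsa_cert_file=$dir/vsftpd-open.pem
EOF
    # Hardened: step 4 of the post, plus the legacy protocols switched off explicitly.
    cat > "$dir/hardened.conf" <<EOF
anonymous_enable=NO
chroot_local_user=YES
ssl_enable=YES
allow_anon_ssl=NO
force_local_logins_ssl=YES
force_local_data_ssl=YES
ssl_sslv2=NO
ssl_sslv3=NO
rsa_cert_file=$dir/vsftpd.pem
EOF
}

# Stand-alone run: audit both fixtures (weak reports 4 problems, hardened none).
scratch=$(mktemp -d)
write_fixtures "$scratch"
for f in weak hardened; do
    echo "== $f.conf"
    audit_ftps "$scratch/$f.conf" || true
done
```

Run `audit_ftps /etc/vsftpd/vsftpd.conf` against the live file after editing it. This configuration is explicit FTPS (the client upgrades the port 21 control connection with AUTH TLS), so in FileZilla choose "Require explicit FTP over TLS" for the test in step 5; from the command line, `openssl s_client -connect 172.16.250.90:21 -starttls ftp` performs the same upgrade and prints the negotiated protocol and the certificate, which is what a Wireshark capture of a correct setup should show instead of a cleartext USER/PASS exchange.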
5. Test: log in with FileZilla
6. Wireshark capture results