课程第2次：2020-02-15星期六

botang · 发表于 2020-2-15 20:46:30

1. /etc/dhcp/dhcpd.conf：

ddns-update-style none;
subnet 192.168.0.0 netmask 255.255.255.0 {

复制代码

option routers 192.168.0.254;
option subnet-mask 255.255.255.0;
option domain-name "example.com";
option domain-name-servers 192.168.0.254;
default-lease-time 21600;
max-lease-time 43200;

复制代码

PXE特别需要：

filename "/var/ftp/pub/workstation.cfg";

复制代码

PXE特别需要：tftp

next-server classroom.example.com;

复制代码

PXE极其需要：

option space PXE;
class "PXE" {
match if substring(option vendor-class-identifier, 0, 9) = "PXEClient";
option vendor-encapsulated-options 01:04:00:00:00:00:ff;
option boot-size 0x1;
filename "pxelinux.0";
option tftp-server-name "classroom.example.com";
option vendor-class-identifier "PXEClient";
vendor-option-space PXE;
}

复制代码

可选的配置：要在subnet大范围之内

host desktop3 {
hardware ethernet 00:0C:29:E7:1C:6D;
fixed-address 192.168.0.3;
}

复制代码

2. 测试名字服务器：

[root@classroom ~]# dig desktop4.example.com
; <<>> DiG 9.11.4-P2-RedHat-9.11.4-16.P2.el8 <<>> desktop4.example.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 26722
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: e885426657c53e0cdfd9e9b95e47e7568f4b425f66b9f448 (good)
;; QUESTION SECTION:
;desktop4.example.com. IN A
;; ANSWER SECTION:
desktop4.example.com. 86400 IN A 192.168.0.4
;; AUTHORITY SECTION:
example.com. 86400 IN NS classroom.example.com.
;; ADDITIONAL SECTION:
classroom.example.com. 86400 IN A 192.168.0.254
;; Query time: 4 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Sat Feb 15 20:43:02 CST 2020
;; MSG SIZE rcvd: 133
[root@classroom ~]# dig server4.example.com
; <<>> DiG 9.11.4-P2-RedHat-9.11.4-16.P2.el8 <<>> server4.example.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 31197
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: 1d37347955f443018107858c5e47e75eac3190a29a03cfb3 (good)
;; QUESTION SECTION:
;server4.example.com. IN A
;; ANSWER SECTION:
server4.example.com. 86400 IN A 192.168.0.104
;; AUTHORITY SECTION:
example.com. 86400 IN NS classroom.example.com.
;; ADDITIONAL SECTION:
classroom.example.com. 86400 IN A 192.168.0.254
;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Sat Feb 15 20:43:10 CST 2020
;; MSG SIZE rcvd: 132
[root@classroom ~]# dig example.com
; <<>> DiG 9.11.4-P2-RedHat-9.11.4-16.P2.el8 <<>> example.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6299
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: c33afce287191a70de495cf05e47e765fdcc491c5133902f (good)
;; QUESTION SECTION:
;example.com. IN A
;; ANSWER SECTION:
example.com. 86400 IN A 192.168.0.254
;; AUTHORITY SECTION:
example.com. 86400 IN NS classroom.example.com.
;; ADDITIONAL SECTION:
classroom.example.com. 86400 IN A 192.168.0.254
;; Query time: 2 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Sat Feb 15 20:43:17 CST 2020
;; MSG SIZE rcvd: 124
[root@classroom ~]# dig -t mx example.com
; <<>> DiG 9.11.4-P2-RedHat-9.11.4-16.P2.el8 <<>> -t mx example.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 46251
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: 315b836166cbe9a74171ba255e47e76da0e04046dad5e097 (good)
;; QUESTION SECTION:
;example.com. IN MX
;; ANSWER SECTION:
example.com. 86400 IN MX 10 classroom.example.com.
;; AUTHORITY SECTION:
example.com. 86400 IN NS classroom.example.com.
;; ADDITIONAL SECTION:
classroom.example.com. 86400 IN A 192.168.0.254
;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Sat Feb 15 20:43:25 CST 2020
;; MSG SIZE rcvd: 124
[root@classroom ~]# dig cracker133.cracker.org
; <<>> DiG 9.11.4-P2-RedHat-9.11.4-16.P2.el8 <<>> cracker133.cracker.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 16721
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: ce1b38effdbb9d52f198b2415e47e7a697516f8a5156156e (good)
;; QUESTION SECTION:
;cracker133.cracker.org. IN A
;; ANSWER SECTION:
cracker133.cracker.org. 86400 IN A 192.168.1.133
;; AUTHORITY SECTION:
cracker.org. 86400 IN NS server1.cracker.org.
;; ADDITIONAL SECTION:
server1.cracker.org. 86400 IN A 192.168.1.254
;; Query time: 1 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Sat Feb 15 20:44:22 CST 2020
;; MSG SIZE rcvd: 133
[root@classroom ~]# ping cracker133.cracker.org
PING cracker133.cracker.org (192.168.1.133) 56(84) bytes of data.
64 bytes from cracker133.cracker.org (192.168.1.133): icmp_seq=1 ttl=64 time=0.496 ms
64 bytes from cracker133.cracker.org (192.168.1.133): icmp_seq=2 ttl=64 time=0.336 ms
64 bytes from cracker133.cracker.org (192.168.1.133): icmp_seq=3 ttl=64 time=0.387 ms
64 bytes from cracker133.cracker.org (192.168.1.133): icmp_seq=4 ttl=64 time=0.363 ms
64 bytes from cracker133.cracker.org (192.168.1.133): icmp_seq=5 ttl=64 time=0.410 ms
64 bytes from cracker133.cracker.org (192.168.1.133): icmp_seq=6 ttl=64 time=0.319 ms
64 bytes from cracker133.cracker.org (192.168.1.133): icmp_seq=7 ttl=64 time=0.352 ms
64 bytes from cracker133.cracker.org (192.168.1.133): icmp_seq=8 ttl=64 time=2.20 ms

复制代码

3. 解释一台CLASSROOM后半段:

从430行开始：
什么是CA ？任何浏览器（操作系统）都内嵌8个CA的公钥。 RHCE密码学-->数字签名-->CA拿它的私钥“处理”你的公钥。https (https的公钥被签名)。

时间必需要同步，line 443-481 时间服务器chronyd

4. 如何成为CA(x509格式只要一般了解):

openssl req -days 3650 -new -x509 -nodes -out example-ca.crt -keyout private/example-ca.key -subj '/C=US/ST=North Carolina/L=Raleigh/O=Example, Inc./CN=example.com Certificate Authority'

复制代码