RHEL6.3如何實現(xiàn)基于加密的用戶認(rèn)證驗證訪問

本篇文章給大家分享的是有關(guān)RHEL6.3如何實現(xiàn)基于加密的用戶認(rèn)證驗證訪問，小編覺得挺實用的，因此分享給大家學(xué)習(xí)，希望大家閱讀完這篇文章后可以有所收獲，話不多說，跟著小編一起來看看吧。

成都創(chuàng)新互聯(lián)公司秉承實現(xiàn)全網(wǎng)價值營銷的理念，以專業(yè)定制企業(yè)官網(wǎng)，成都網(wǎng)站建設(shè)、成都網(wǎng)站制作，成都小程序開發(fā)，網(wǎng)頁設(shè)計制作，手機(jī)網(wǎng)站制作設(shè)計，全網(wǎng)營銷推廣幫助傳統(tǒng)企業(yè)實現(xiàn)“互聯(lián)網(wǎng)+”轉(zhuǎn)型升級專業(yè)定制企業(yè)官網(wǎng),公司注重人才、技術(shù)和管理，匯聚了一批優(yōu)秀的互聯(lián)網(wǎng)技術(shù)人才,對客戶都以感恩的心態(tài)奉獻(xiàn)自己的專業(yè)和所長。

一、業(yè)務(wù)需求

Apache需要實現(xiàn)加密的基于用戶身份認(rèn)證的驗證訪問，來保證特定站點頁面的安全。這里是需求的實現(xiàn)過程，請看如下分解。

二、具體實現(xiàn)步驟：

1、建立主目錄及網(wǎng)頁

[root@test1 www]# mkdir virt1

[root@test1 www]# ls

cgi-bin error html icons manual virt1

[root@test1 www]# cd virt1

[root@test1 virt1]# echo "welcomt to apache website">index.html

[root@test1 virt1]# ls

index.html

[root@test1 virt1]# cat index.html

welcomt to apache website

2、使用apache自帶的htpasswd工具生成密碼文件來作為用戶訪問認(rèn)證的來源

格式：htpasswd options FilePath user

-c ：第一次創(chuàng)建時使用該選項

-m ：將密碼使用MD5加密存放

-D ：從密碼文件中刪除用戶

[root@test1 conf]# htpasswd -cm .htpasswd aaa

New password:

Re-type new password:

Adding password for user aaa

[root@test1 conf]# cat .htpasswd

aaa:$apr1$hhFTA/vU$GwUfNDRNGFGIyHWftqc2M1

[root@test1 conf]# htpasswd -m .htpasswd bbb

New password:

Re-type new password:

Adding password for user bbb

[root@test1 conf]# cat .htpasswd

aaa:$apr1$hhFTA/vU$GwUfNDRNGFGIyHWftqc2M1

bbb:$apr1$QHr2Dpff$wMtQI74PcbNOMrY0mPgpa0

[root@test1 conf]#

如果是要刪除用戶

#htpasswd -D .htpasswd aaa

3、對指定的網(wǎng)頁目錄使用基本身份認(rèn)證驗證

比如對test1.demo.com網(wǎng)站的訪問需要基于用戶認(rèn)證驗證

配置apache的主配置文件：/etc/httpd/conf/httpd.conf

NameVirtualHost 192.168.1.123:80

DocumentRoot /var/www/virt1

ServerName test1.demo.com

ErrorLog logs/test1.demo.com-error.log

authName "realm"

AuthType basic

AuthUserFile /etc/httpd/conf/.htpasswd

Require User aaa bbb

[root@test1 virt1]# service httpd restart

Stopping httpd: [ OK ]

Starting httpd: [ OK ]

4、加密配置

[root@test1 conf]# (umask 077;openssl genrsa -des3 -out server.key)

Generating RSA private key, 512 bit long modulus

....++++++++++++

e is 65537 (0x10001)

Enter pass phrase for server.key:

Verifying - Enter pass phrase for server.key:

[root@test1 conf]# openssl req -new -key server.key -out server.csr

Enter pass phrase for server.key:

You are about to be asked to enter information that will be incorporated

into your certificate request.

What you are about to enter is what is called a Distinguished Name or a DN.

There are quite a few fields but you can leave some blank

For some fields there will be a default value,

If you enter '.', the field will be left blank.

-----

Country Name (2 letter code) [CN]:CN

State or Province Name (full name) []:

Locality Name (eg, city) [Beijing]:Beijing

Organization Name (eg, company) [Default Company Ltd]:Tianli

Organizational Unit Name (eg, section) []:

Common Name (eg, your name or your server's hostname) []:test1.demo.com

Email Address []:

Please enter the following 'extra' attributes

to be sent with your certificate request

A challenge password []:

An optional company name []:

[root@test1 conf]# openssl ca -in server.csr -out server.crt

Using configuration from /etc/pki/tls/openssl.cnf

Enter pass phrase for /etc/pki/CA/private/my-ca.key:

Check that the request matches the signature

Signature ok

Certificate Details:

Serial Number: 3 (0x3)

Validity

Not Before: Jan 31 05:37:44 2013 GMT

Not After : Jan 31 05:37:44 2014 GMT

Subject:

countryName = CN

stateOrProvinceName = Hebei

organizationName = Default Company Ltd

commonName = test1.demo.com

X509v3 extensions:

X509v3 Basic Constraints:

CA:FALSE

Netscape Comment:

OpenSSL Generated Certificate

X509v3 Subject Key Identifier:

CB:3D:6E:BD:48:ED:BD:FE:39:BD:27:C5:B5:57:19:96:79:11:23:14

X509v3 Authority Key Identifier:

keyid:4C:45:25:5F:60:7F:F8:6E:6F:B4:53:C4:FB:BD:A3:C6:82:AE:2A:62

Certificate is to be certified until Jan 31 05:37:44 2014 GMT (365 days)

Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y

Write out database with 1 new entries

Data Base Updated

將httpd.conf中的這一段復(fù)制放到ssl.conf中并修改和添加SSL認(rèn)證語句

NameVirtualHost 192.168.1.123:443

DocumentRoot /var/www/virt1

SSLEngine on

SSLCertificateFile /etc/httpd/conf/server.crt

SSLCertificateKeyFile /etc/httpd/conf/server.key

ServerName test1.demo.com

ErrorLog logs/test1.demo.com-error.log

authName "realm"

AuthType basic

AuthUserFile /etc/httpd/conf/.htpasswd

Require User aaa bbb

注：需要將原h(huán)ttpd.conf文件中的這一段進(jìn)行注釋或屏蔽。

[root@test1 conf]# service httpd restart

Stopping httpd: [ OK ]

Starting httpd: [Thu Jan 31 01:29:41 2013] [warn] NameVirtualHost 192.168.1.123:80 has no VirtualHosts

Apache/2.2.15 mod_ssl/2.2.15 (Pass Phrase Dialog)

Some of your private key files are encrypted for security reasons.

In order to read them you have to provide the pass phrases.

Server test1.demo.com:443 (RSA)

Enter pass phrase:

OK: Pass Phrase Dialog successful.

[ OK ]

[root@test1 conf]#

三、測試

在FIREFOX中輸入https://test1.demo.com進(jìn)行瀏覽