Stunnel is designed to provide SSL encryption wrapping between remote clients and local (inetd-startable) or remote servers. It can be used to add SSL functionality to inetd daemons such as POP2 (translator's note: er, does anyone still use POP2?), POP3 and IMAP servers without changing the program code. Stunnel uses the OpenSSL library for encryption, so it supports whatever ciphers were compiled into that library. In short, stunnel can turn any insecure port into a securely encrypted one.
In this article I will describe how to wrap SSH in an SSL tunnel. The steps are very simple. You need sshd installed and running on both your client PC and the remote PC.
I am using the two systems described below.
Remote system:
OS: Debian 7
IP address: 192.168.1.200/24
Client (local) system:
OS: Ubuntu 13.04 desktop
IP address: 192.168.1.100/24
Configure the remote system
Let's install the stunnel package on the remote Debian 7 server.
# apt-get install stunnel4
Now let's create an SSL certificate as shown below.
# openssl genrsa 1024 > stunnel.key
Sample output:
Generating RSA private key, 1024 bit long modulus
............................................++++++
...................++++++
e is 65537 (0x10001)
# openssl req -new -key stunnel.key -x509 -days 1000 -out stunnel.crt
You will be asked several questions such as country, state, company details and so on.
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:IN
State or Province Name (full name) [Some-State]:Tamilnadu
Locality Name (eg, city) []:Erode
Organization Name (eg, company) [Internet Widgits Pty Ltd]:unixmen
Organizational Unit Name (eg, section) []:Technical
Common Name (e.g. server FQDN or YOUR name) []:server.unixmen.com
Email Address []:sk@unixmen.com
# cat stunnel.crt stunnel.key > stunnel.pem
# mv stunnel.pem /etc/stunnel/
Now we need to configure stunnel to tunnel port 443 (https) to port 22 (ssh). This is done by creating the file stunnel.conf in the /etc/stunnel/ directory:
# vi /etc/stunnel/stunnel.conf
and add the following lines:
pid = /var/run/stunnel.pid
cert = /etc/stunnel/stunnel.pem
[ssh]
accept = 192.168.1.200:443
connect = 127.0.0.1:22
The lines above tell stunnel where to find the certificate file and where to accept and forward SSH connections. In this example, stunnel accepts traffic on port 443 and forwards it to port 22.
Save and close the file.
Now let's enable the stunnel service. To do so, edit the file /etc/default/stunnel4:
# vi /etc/default/stunnel4
Change the ENABLED = 0 line to ENABLED = 1.
# /etc/default/stunnel
# Julien LEMOINE <speedblue@debian.org>
# September 2003
# Change to one to enable stunnel automatic startup
ENABLED=1
FILES="/etc/stunnel/*.conf"
OPTIONS=""
# Change to one to enable ppp restart scripts
PPP_RESTART=0
Then start the stunnel service with the command:
# service stunnel4 start
Configure the local system
Install stunnel with this command:
$ sudo apt-get install stunnel4
We need the same certificate file (stunnel.pem) as on the remote system. Copy the stunnel.pem file from the remote system to our local system and save it in the same location (that is, /etc/stunnel).
Create a new file stunnel.conf in the /etc/stunnel/ directory:
$ sudo vi /etc/stunnel/stunnel.conf
Add the following lines:
pid = /var/run/stunnel.pid
cert = /etc/stunnel/stunnel.pem
client=yes
[ssh]
accept=443
connect=192.168.1.200:443
Save and close the file. Here 192.168.1.200 is the IP of our remote system.
Now let's enable the stunnel service. To do so, edit the file /etc/default/stunnel4:
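As an added check that is not part of the original article, the script below parses the server and client stunnel.conf files shown above (reconstructed inline) and reports that the client config, with only client=yes, never verifies the server's certificate; it assumes stunnel's verify and CAfile options and writes a hardened client config alongside for comparison.

```shell
#!/bin/sh
# Added audit helper, not from the article: summarise the service mappings in an
# stunnel.conf and report whether a client-mode config verifies the server
# certificate. Relies on stunnel's "client", "verify" and "CAfile" options.

# Print "section: accept -> connect" for every [service] section in the file.
stunnel_conf_summary() {
  awk '
    /^[ \t]*\[/ { s = $0; sub(/^[ \t]*\[/, "", s); sub(/\].*$/, "", s); order[++n] = s; next }
    /^[ \t]*accept[ \t]*=/  { sub(/^[^=]*=[ \t]*/, ""); acc[s] = $0 }
    /^[ \t]*connect[ \t]*=/ { sub(/^[^=]*=[ \t]*/, ""); con[s] = $0 }
    END { for (i = 1; i <= n; i++) printf "%s: %s -> %s\n", order[i], acc[order[i]], con[order[i]] }
  ' "$1"
}

# Echo one of: server, client-unverified, client-verified.
# "client = yes" on its own makes stunnel accept ANY server certificate, so a
# machine on the path to 192.168.1.200:443 could impersonate the server
# unnoticed. Verification needs "verify = 2" or higher plus a CAfile.
stunnel_client_mode() {
  if ! grep -Eq '^[[:space:]]*client[[:space:]]*=[[:space:]]*yes' "$1"; then
    echo server; return
  fi
  if grep -Eq '^[[:space:]]*verify[[:space:]]*=[[:space:]]*[2-4]' "$1" &&
     grep -Eq '^[[:space:]]*CAfile[[:space:]]*=' "$1"; then
    echo client-verified
  else
    echo client-unverified
  fi
}

# Constructed copies of the article's two configs, plus a hardened client config.
TMP=${TMPDIR:-/tmp}/stunnel-audit.$$
mkdir -p "$TMP"
printf '%s\n' 'pid = /var/run/stunnel.pid' 'cert = /etc/stunnel/stunnel.pem' \
  '[ssh]' 'accept = 192.168.1.200:443' 'connect = 127.0.0.1:22' > "$TMP/server.conf"
printf '%s\n' 'pid = /var/run/stunnel.pid' 'cert = /etc/stunnel/stunnel.pem' \
  'client=yes' '[ssh]' 'accept=443' 'connect=192.168.1.200:443' > "$TMP/client.conf"
# Hardened client: verify = 3 makes stunnel require the exact certificate held
# locally; only the public stunnel.crt is needed here, not the .pem holding the key.
printf '%s\n' 'pid = /var/run/stunnel.pid' 'client = yes' 'verify = 3' \
  'CAfile = /etc/stunnel/stunnel.crt' '[ssh]' 'accept = 443' \
  'connect = 192.168.1.200:443' > "$TMP/client-hardened.conf"

for f in server client client-hardened; do
  printf '%s: ' "$f"; stunnel_conf_summary "$TMP/$f.conf"
  echo "  mode: $(stunnel_client_mode "$TMP/$f.conf")"
done
```

The script needs only sh, awk and grep; point stunnel_conf_summary and stunnel_client_mode at a real /etc/stunnel/stunnel.conf to audit a live host.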
$ sudo vi /etc/default/stunnel4
Change the ENABLED = 0 line to ENABLED = 1.
# /etc/default/stunnel
# Julien LEMOINE <speedblue@debian.org>
# September 2003
# Change to one to enable stunnel automatic startup
ENABLED=1
FILES="/etc/stunnel/*.conf"
OPTIONS=""
# Change to one to enable ppp restart scripts
PPP_RESTART=0
Then start the stunnel service with the command:
$ sudo service stunnel4 start
Test the SSH connection
Now that everything is in place, you can connect to your remote machine with the command:
$ ssh sk@localhost -v -p 443
Sample output:
OpenSSH_6.1p1 Debian-4, OpenSSL 1.0.1c 10 May 2012
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: Applying options for *
debug1: Connecting to localhost [127.0.0.1] port 443.
debug1: Connection established.
debug1: identity file /home/sk/.ssh/id_rsa type -1
debug1: identity file /home/sk/.ssh/id_rsa-cert type -1
debug1: identity file /home/sk/.ssh/id_dsa type -1
debug1: identity file /home/sk/.ssh/id_dsa-cert type -1
debug1: identity file /home/sk/.ssh/id_ecdsa type -1
debug1: identity file /home/sk/.ssh/id_ecdsa-cert type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_6.0p1 Debian-4
debug1: match: OpenSSH_6.0p1 Debian-4 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_6.1p1 Debian-4
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-ctr hmac-md5 none
debug1: kex: client->server aes128-ctr hmac-md5 none
debug1: sending SSH2_MSG_KEX_ECDH_INIT
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: ECDSA 78:05:ba:1b:73:02:75:86:10:33:8c:0f:21:61:d4:de
debug1: Host '[localhost]:443' is known and matches the ECDSA host key.
debug1: Found key in /home/sk/.ssh/known_hosts:12
debug1: ssh_ecdsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: Roaming not allowed by server
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,password
debug1: Next authentication method: publickey
debug1: Trying private key: /home/sk/.ssh/id_rsa
debug1: Trying private key: /home/sk/.ssh/id_dsa
debug1: Trying private key: /home/sk/.ssh/id_ecdsa
debug1: Next authentication method: password
sk@localhost's password: # ## Enter your remote system user password
debug1: Authentication succeeded (password).
Authenticated to localhost ([127.0.0.1]:443).
debug1: channel 0: new [client-session]
debug1: Requesting no-more-sessions@openssh.com
debug1: Entering interactive session.
debug1: Sending environment.
debug1: Sending env LC_PAPER = en_IN.UTF-8
debug1: Sending env LC_ADDRESS = en_IN.UTF-8
debug1: Sending env LC_MONETARY = en_IN.UTF-8
debug1: Sending env LC_NUMERIC = en_IN.UTF-8
debug1: Sending env LC_TELEPHONE = en_IN.UTF-8
debug1: Sending env LC_IDENTIFICATION = en_IN.UTF-8
debug1: Sending env LANG = en_US.UTF-8
debug1: Sending env LC_MEASUREMENT = en_IN.UTF-8
debug1: Sending env LC_TIME = en_IN.UTF-8
debug1: Sending env LC_NAME = en_IN.UTF-8
Linux server 3.2.0-4-486 #1 Debian 3.2.51-1 i686
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
You have new mail.
Last login: Mon Dec 30 15:12:22 2013 from localhost
sk@server:~$
Or you can simply use the following command:
$ ssh -p 443 sk@localhost
Sample output:
sk@localhost's password:
Linux server 3.2.0-4-486 #1 Debian 3.2.51-1 i686
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
You have new mail.
Last login: Mon Dec 30 15:22:08 2013 from localhost
sk@server:~$
You can now connect to your remote machine with ssh, but all the traffic passes through the SSL tunnel.
You are done! Even if the default ssh port is blocked by a firewall, you can still SSH to your remote system.
Reference link:
stunnel homepage: https://www.stunnel.org/index.html
Source: linux.cn