document/TranslateProject
2
0
Fork 0
mirror of https://github.com/LCTT/TranslateProject.git synced 2025-02-03 23:40:14 +08:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #32 from LCTT/master

Browse Source 
翻译提交前的更新。
This commit is contained in:
FSSlc 2020-01-23 17:46:23 +08:00 committed by GitHub
commit bdf0d17725
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
8 changed files with 1110 additions and 347 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

333
published/20190619 Getting started with OpenSSL- Cryptography basics.md Normal file
View File

@ -0,0 +1,333 @@
[#]: collector: (lujun9972)
[#]: translator: (wxy)
[#]: reviewer: (wxy)
[#]: publisher: (wxy)
[#]: url: (https://linux.cn/article-11810-1.html)
[#]: subject: (Getting started with OpenSSL: Cryptography basics)
[#]: via: (https://opensource.com/article/19/6/cryptography-basics-openssl-part-1)
[#]: author: (Marty Kalin https://opensource.com/users/mkalindepauledu/users/akritiko/users/clhermansen)
OpenSSL 入门:密码学基础知识
======
> 想要入门密码学的基础知识,尤其是有关 OpenSSL 的入门知识吗?继续阅读。
![](https://img.linux.net.cn/data/attachment/album/202001/23/142249fpnhyqz9y2cz1exe.jpg)
本文是使用 [OpenSSL][2] 的密码学基础知识的两篇文章中的第一篇OpenSSL 是在 Linux 和其他系统上流行的生产级库和工具包。(要安装 OpenSSL 的最新版本,请参阅[这里][3]。OpenSSL 实用程序可在命令行使用,程序也可以调用 OpenSSL 库中的函数。本文的示例程序使用的是 C 语言,即 OpenSSL 库的源语言。
本系列的两篇文章涵盖了加密哈希、数字签名、加密和解密以及数字证书。你可以从[我的网站][4]的 ZIP 文件中找到这些代码和命令行示例。
让我们首先回顾一下 OpenSSL 名称中的 SSL。
### OpenSSL 简史
<ruby>[安全套接字层][5]<rt>Secure Socket Layer</rt></ruby>SSL是 Netscape 在 1995 年发布的一种加密协议。该协议层可以位于 HTTP 之上,从而为 HTTPS 提供了 S<ruby>安全<rt>secure</rt></ruby>。SSL 协议提供了各种安全服务,其中包括两项在 HTTPS 中至关重要的服务:
* <ruby>对等身份验证<rt>Peer authentication</rt></ruby>(也称为相互质询):连接的每一边都对另一边的身份进行身份验证。如果 Alice 和 Bob 要通过 SSL 交换消息,则每个人首先验证彼此的身份。
* <ruby>机密性<rt>Confidentiality</rt></ruby>:发送者在通过通道发送消息之前先对其进行加密。然后,接收者解密每个接收到的消息。此过程可保护网络对话。即使窃听者 Eve 截获了从 Alice 到 Bob 的加密消息(即*中间人*攻击Eve 会发现他无法在计算上解密此消息。
反过来,这两个关键 SSL 服务与其他不太受关注的服务相关联。例如SSL 支持消息完整性,从而确保接收到的消息与发送的消息相同。此功能是通过哈希函数实现的,哈希函数也随 OpenSSL 工具箱一起提供。
SSL 有多个版本(例如 SSLv2 和 SSLv3并且在 1999 年出现了一个基于 SSLv3 的类似协议<ruby>传输层安全性<rt>Transport Layer Security</rt></ruby>TLS。TLSv1 和 SSLv3 相似,但不足以相互配合工作。不过,通常将 SSL/TLS 称为同一协议。例如,即使正在使用的是 TLS而非 SSLOpenSSL 函数也经常在名称中包含 SSL。此外调用 OpenSSL 命令行实用程序以 `openssl` 开始。
除了 man 页面之外OpenSSL 的文档是零零散散的,鉴于 OpenSSL 工具包很大,这些页面很难以查找使用。命令行和代码示例可以将主要主题集中起来。让我们从一个熟悉的示例开始(使用 HTTPS 访问网站),然后使用该示例来选出我们感兴趣的加密部分进行讲述。
### 一个 HTTPS 客户端
此处显示的 `client` 程序通过 HTTPS 连接到 Google
```
/* compilation: gcc -o client client.c -lssl -lcrypto */
#include <stdio.h>
#include <stdlib.h>
#include <openssl/bio.h> /* BasicInput/Output streams */
#include <openssl/err.h> /* errors */
#include <openssl/ssl.h> /* core library */
#define BuffSize 1024
void report_and_exit(const char* msg) {
perror(msg);
ERR_print_errors_fp(stderr);
exit(-1);
}
void init_ssl() {
SSL_load_error_strings();
SSL_library_init();
}
void cleanup(SSL_CTX* ctx, BIO* bio) {
SSL_CTX_free(ctx);
BIO_free_all(bio);
}
void secure_connect(const char* hostname) {
char name[BuffSize];
char request[BuffSize];
char response[BuffSize];
const SSL_METHOD* method = TLSv1_2_client_method();
if (NULL == method) report_and_exit("TLSv1_2_client_method...");
SSL_CTX* ctx = SSL_CTX_new(method);
if (NULL == ctx) report_and_exit("SSL_CTX_new...");
BIO* bio = BIO_new_ssl_connect(ctx);
if (NULL == bio) report_and_exit("BIO_new_ssl_connect...");
SSL* ssl = NULL;
/* 链路 bio 通道SSL 会话和服务器端点 */
sprintf(name, "%s:%s", hostname, "https");
BIO_get_ssl(bio, &ssl); /* 会话 */
SSL_set_mode(ssl, SSL_MODE_AUTO_RETRY); /* 鲁棒性 */
BIO_set_conn_hostname(bio, name); /* 准备连接 */
/* 尝试连接 */
if (BIO_do_connect(bio) <= 0) {
cleanup(ctx, bio);
report_and_exit("BIO_do_connect...");
}
/* 验证信任库,检查证书 */
if (!SSL_CTX_load_verify_locations(ctx,
"/etc/ssl/certs/ca-certificates.crt", /* 信任库 */
"/etc/ssl/certs/")) /* 其它信任库 */
report_and_exit("SSL_CTX_load_verify_locations...");
long verify_flag = SSL_get_verify_result(ssl);
if (verify_flag != X509_V_OK)
fprintf(stderr,
"##### Certificate verification error (%i) but continuing...\n",
(int) verify_flag);
/* 获取主页作为示例数据 */
sprintf(request,
"GET / HTTP/1.1\x0D\x0AHost: %s\x0D\x0A\x43onnection: Close\x0D\x0A\x0D\x0A",
hostname);
BIO_puts(bio, request);
/* 从服务器读取 HTTP 响应并打印到输出 */
while (1) {
memset(response, '\0', sizeof(response));
int n = BIO_read(bio, response, BuffSize);
if (n <= 0) break; /* 0 代表流结束,< 0 代表有错误 */
puts(response);
}
cleanup(ctx, bio);
}
int main() {
init_ssl();
const char* hostname = "www.google.com:443";
fprintf(stderr, "Trying an HTTPS connection to %s...\n", hostname);
secure_connect(hostname);
return 0;
}
```
可以从命令行编译和执行该程序(请注意 `-lssl``-lcrypto` 中的小写字母 `L`
```
gcc -o client client.c -lssl -lcrypto
```
该程序尝试打开与网站 [www.google.com][13] 的安全连接。在与 Google Web 服务器的 TLS 握手过程中,`client` 程序会收到一个或多个数字证书,该程序会尝试对其进行验证(但在我的系统上失败了)。尽管如此,`client` 程序仍继续通过安全通道获取 Google 主页。该程序取决于前面提到的安全工件,尽管在上述代码中只着重突出了数字证书。但其它工件仍在幕后发挥作用,稍后将对它们进行详细说明。
通常,打开 HTTP非安全通道的 C 或 C++ 的客户端程序将使用诸如*文件描述符*或*网络套接字*之类的结构,它们是两个进程(例如,这个 `client` 程序和 Google Web 服务器)之间连接的端点。另一方面,文件描述符是一个非负整数值,用于在程序中标识该程序打开的任何文件类的结构。这样的程序还将使用一种结构来指定有关 Web 服务器地址的详细信息。
这些相对较低级别的结构不会出现在客户端程序中,因为 OpenSSL 库会将套接字基础设施和地址规范等封装在更高层面的安全结构中。其结果是一个简单的 API。下面首先看一下 `client` 程序示例中的安全性详细信息。
* 该程序首先加载相关的 OpenSSL 库,我的函数 `init_ssl` 中对 OpenSSL 进行了两次调用:
```
SSL_load_error_strings();
SSL_library_init();
```
* 下一个初始化步骤尝试获取安全*上下文*,这是建立和维护通往 Web 服务器的安全通道所需的信息框架。如对 OpenSSL 库函数的调用所示,在示例中使用了 TLS 1.2
```
const SSL_METHOD* method = TLSv1_2_client_method(); /* TLS 1.2 */
```
如果调用成功,则将 `method` 指针被传递给库函数,该函数创建类型为 `SSL_CTX` 的上下文:
```
SSL_CTX* ctx = SSL_CTX_new(method);
```
`client` 程序会检查每个关键的库调用的错误,如果其中一个调用失败,则程序终止。
* 现在还有另外两个 OpenSSL 工件也在发挥作用SSL 类型的安全会话,从头到尾管理安全连接;以及类型为 BIO<ruby>基本输入/输出<rt>Basic Input/Output</rt></ruby>)的安全流,用于与 Web 服务器进行通信。BIO 流是通过以下调用生成的:
```
BIO* bio = BIO_new_ssl_connect(ctx);
```
请注意,这个最重要的上下文是其参数。`BIO` 类型是 C 语言中 `FILE` 类型的 OpenSSL 封装器。此封装器可保护 `client` 程序与 Google 的网络服务器之间的输入和输出流的安全。
* 有了 `SSL_CTX``BIO`,然后程序在 SSL 会话中将它们组合在一起。三个库调用可以完成工作:
```
BIO_get_ssl(bio, &ssl); /* 会话 */
SSL_set_mode(ssl, SSL_MODE_AUTO_RETRY); /* 鲁棒性 */
BIO_set_conn_hostname(bio, name); /* 准备连接 */
```
安全连接本身是通过以下调用建立的:
```
BIO_do_connect(bio);
```
如果最后一个调用不成功,则 `client` 程序终止;否则,该连接已准备就绪,可以支持 `client` 程序与 Google Web 服务器之间的机密对话。
在与 Web 服务器握手期间,`client` 程序会接收一个或多个数字证书,以认证服务器的身份。但是,`client` 程序不会发送自己的证书这意味着这个身份验证是单向的。Web 服务器通常配置为**不**需要客户端证书)尽管对 Web 服务器证书的验证失败,但 `client` 程序仍通过了连接到 Web 服务器的安全通道继续获取 Google 主页。
为什么验证 Google 证书的尝试会失败?典型的 OpenSSL 安装目录为 `/etc/ssl/certs`,其中包含 `ca-certificates.crt` 文件。该目录和文件包含着 OpenSSL 自带的数字证书,以此构成<ruby>信任库<rt>truststore</rt></ruby>。可以根据需要更新信任库,尤其是可以包括新信任的证书,并删除不再受信任的证书。
`client` 程序从 Google Web 服务器收到了三个证书,但是我的计算机上的 OpenSSL 信任库并不包含完全匹配的证书。如目前所写,`client` 程序不会通过例如验证 Google 证书上的数字签名(一个用来证明该证书的签名)来解决此问题。如果该签名是受信任的,则包含该签名的证书也应受信任。尽管如此,`client` 程序仍继续获取页面,然后打印出 Google 的主页。下一节将更详细地介绍这些。
### 客户端程序中隐藏的安全性
让我们从客户端示例中可见的安全工件(数字证书)开始,然后考虑其他安全工件如何与之相关。数字证书的主要格式标准是 X509生产级的证书由诸如 [Verisign][14] 的<ruby>证书颁发机构<rt>Certificate Authority</rt></ruby>CA颁发。
数字证书中包含各种信息(例如,激活日期和失效日期以及所有者的域名),也包括发行者的身份和*数字签名*(这是加密过的*加密哈希*值)。证书还具有未加密的哈希值,用作其标识*指纹*。
哈希值来自将任意数量的二进制位映射到固定长度的摘要。这些位代表什么(会计报告、小说或数字电影)无关紧要。例如,<ruby>消息摘要版本 5<rt>Message Digest version 5</rt></ruby>MD5哈希算法将任意长度的输入位映射到 128 位哈希值,而 SHA1<ruby>安全哈希算法版本 1<rt>Secure Hash Algorithm version 1</rt></ruby>)算法将输入位映射到 160 位哈希值。不同的输入位会导致不同的(实际上在统计学上是唯一的)哈希值。下一篇文章将会进行更详细的介绍,并着重介绍什么使哈希函数具有加密功能。
数字证书的类型有所不同(例如根证书、中间证书和最终实体证书),并形成了反映这些证书类型的层次结构。顾名思义,*根*证书位于层次结构的顶部其下的证书继承了根证书所具有的信任。OpenSSL 库和大多数现代编程语言都具有 X509 数据类型以及处理此类证书的函数。来自 Google 的证书具有 X509 格式,`client` 程序会检查该证书是否为 `X509_V_OK`
X509 证书基于<ruby>公共密钥基础结构<rt>public-key infrastructure</rt></ruby>PKI其中包括的算法RSA 是占主导地位的算法)用于生成*密钥对*:公共密钥及其配对的私有密钥。公钥是一种身份:[Amazon][15] 的公钥对其进行标识,而我的公钥对我进行标识。私钥应由其所有者负责保密。
成对出现的密钥具有标准用途。可以使用公钥对消息进行加密,然后可以使用同一个密钥对中的私钥对消息进行解密。私钥也可以用于对文档或其他电子工件(例如程序或电子邮件)进行签名,然后可以使用该对密钥中的公钥来验证签名。以下两个示例补充了一些细节。
在第一个示例中Alice 将她的公钥分发给全世界,包括 Bob。然后Bob 用 Alice 的公钥加密邮件,然后将加密的邮件发送给 Alice。用 Alice 的公钥加密的邮件将可以用她的私钥解密(假设是她自己的私钥),如下所示:
```
+------------------+ encrypted msg +-------------------+
Bob's msg--->|Alice's public key|--------------->|Alice's private key|---> Bob's msg
+------------------+ +-------------------+
```
理论上可以在没有 Alice 的私钥的情况下解密消息,但在实际情况中,如果使用像 RSA 这样的加密密钥对系统,则在计算上做不到。
现在,第二个示例,请对文档签名以证明其真实性。签名算法使用密钥对中的私钥来处理要签名的文档的加密哈希:
```
+-------------------+
Hash of document--->|Alice's private key|--->Alice's digital signature of the document
+-------------------+
```
假设 Alice 以数字方式签署了发送给 Bob 的合同。然后Bob 可以使用 Alice 密钥对中的公钥来验证签名:
```
+------------------+
Alice's digital signature of the document--->|Alice's public key|--->verified or not
+------------------+
```
假若没有 Alice 的私钥,就无法轻松伪造 Alice 的签名因此Alice 有必要保密她的私钥。
`client` 程序中,除了数字证书以外,这些安全性都没有明确展示。下一篇文章使用使用 OpenSSL 实用程序和库函数的示例填充更多详细的信息。
### 命令行的 OpenSSL
同时,让我们看一下 OpenSSL 命令行实用程序:特别是在 TLS 握手期间检查来自 Web 服务器的证书的实用程序。调用 OpenSSL 实用程序可以使用 `openssl` 命令,然后添加参数和标志的组合以指定所需的操作。
看看以下命令:
```
openssl list-cipher-algorithms
```
该输出是组成<ruby>加密算法套件<rt>cipher suite<rt></ruby>的相关算法的列表。下面是列表的开头,加了澄清首字母缩写词的注释:
```
AES-128-CBC ## Advanced Encryption Standard, Cipher Block Chaining
AES-128-CBC-HMAC-SHA1 ## Hash-based Message Authentication Code with SHA1 hashes
AES-128-CBC-HMAC-SHA256 ## ditto, but SHA256 rather than SHA1
...
```
下一条命令使用参数 `s_client` 将打开到 [www.google.com][13] 的安全连接,并在屏幕上显示有关此连接的所有信息:
```
openssl s_client -connect www.google.com:443 -showcerts
```
端口号 443 是 Web 服务器用于接收 HTTPS而不是 HTTP 连接)的标准端口号。(对于 HTTP标准端口为 80Web 地址 www.google.com:443 也出现在 `client` 程序的代码中。如果尝试连接成功,则将显示来自 Google 的三个数字证书以及有关安全会话、正在使用的加密算法套件以及相关项目的信息。例如,这是开头的部分输出,它声明*证书链*即将到来。证书的编码为 base64
```
Certificate chain
0 s:/C=US/ST=California/L=Mountain View/O=Google LLC/CN=www.google.com
i:/C=US/O=Google Trust Services/CN=Google Internet Authority G3
-----BEGIN CERTIFICATE-----
MIIEijCCA3KgAwIBAgIQdCea9tmy/T6rK/dDD1isujANBgkqhkiG9w0BAQsFADBU
MQswCQYDVQQGEwJVUzEeMBwGA1UEChMVR29vZ2xlIFRydXN0IFNlcnZpY2VzMSUw
...
```
诸如 Google 之类的主要网站通常会发送多个证书进行身份验证。
输出以有关 TLS 会话的摘要信息结尾,包括加密算法套件的详细信息:
```
SSL-Session:
    Protocol : TLSv1.2
    Cipher : ECDHE-RSA-AES128-GCM-SHA256
    Session-ID: A2BBF0E4991E6BBBC318774EEE37CFCB23095CC7640FFC752448D07C7F438573
...
```
`client` 程序中使用了协议 TLS 1.2`Session-ID` 唯一地标识了 `openssl` 实用程序和 Google Web 服务器之间的连接。`Cipher` 条目可以按以下方式进行解析:
* `ECDHE`<ruby>椭圆曲线 Diffie-Hellman临时<rt>Elliptic Curve Diffie Hellman Ephemeral</rt></ruby>)是一种用于管理 TLS 握手的高效的有效算法。尤其是ECDHE 通过确保连接双方(例如,`client` 程序和 Google Web 服务器)使用相同的加密/解密密钥(称为*会话密钥*)来解决“密钥分发问题”。后续文章会深入探讨该细节。
* `RSA`Rivest Shamir Adleman是主要的公共密钥密码系统并以 1970 年代末首次描述了该系统的三位学者的名字命名。这个正在使用的密钥对是使用 RSA 算法生成的。
* `AES128`<ruby>高级加密标准<rt>Advanced Encryption Standard</rt></ruby>)是一种<ruby>块式加密算法<rt>block cipher</rt></ruby>,用于加密和解密<ruby>位块<rt>blocks of bits</rt></ruby>。(另一种算法是<ruby>流式加密算法<rt>stream cipher</rt></ruby>它一次加密和解密一个位。这个加密算法是对称加密算法因为使用同一个密钥进行加密和解密这首先引起了密钥分发问题。AES 支持 128此处使用、192 和 256 位的密钥大小:密钥越大,安全性越好。
通常,像 AES 这样的对称加密系统的密钥大小要小于像 RSA 这样的非对称基于密钥对系统的密钥大小。例如1024 位 RSA 密钥相对较小,而 256 位密钥则当前是 AES 最大的密钥。
* `GCM`<ruby>伽罗瓦计数器模式<rt>Galois Counter Mode</rt></ruby>)处理在安全对话期间重复应用的加密算法(在这种情况下为 AES128。AES128 块的大小仅为 128 位,安全对话很可能包含从一侧到另一侧的多个 AES128 块。GCM 非常有效,通常与 AES128 搭配使用。
* `SHA256`<ruby>256 位安全哈希算法<rt>Secure Hash Algorithm 256 bits</rt></ruby>)是我们正在使用的加密哈希算法。生成的哈希值的大小为 256 位,尽管使用 SHA 甚至可以更大。
加密算法套件正在不断发展中。例如不久前Google 使用 RC4 流加密算法RSA 的 Ron Rivest 后来开发的 Ron's Cipher 版本 4。 RC4 现在有已知的漏洞,这大概部分导致了 Google 转换为 AES128。
### 总结
我们通过安全的 C Web 客户端和各种命令行示例对 OpenSSL 做了首次了解,使一些需要进一步阐明的主题脱颖而出。[下一篇文章会详细介绍][17],从加密散列开始,到对数字证书如何应对密钥分发挑战为结束的更全面讨论。
--------------------------------------------------------------------------------
via: https://opensource.com/article/19/6/cryptography-basics-openssl-part-1
作者:[Marty Kalin][a]
选题:[lujun9972][b]
译者:[wxy](https://github.com/wxy)
校对:[wxy](https://github.com/wxy)
本文由 [LCTT](https://github.com/LCTT/TranslateProject) 原创编译,[Linux中国](https://linux.cn/) 荣誉推出
[a]: https://opensource.com/users/mkalindepauledu/users/akritiko/users/clhermansen
[b]: https://github.com/lujun9972
[1]: https://opensource.com/sites/default/files/styles/image-full-size/public/lead-images/BUSINESS_3reasons.png?itok=k6F3-BqA (A lock on the side of a building)
[2]: https://www.openssl.org/
[3]: https://www.howtoforge.com/tutorial/how-to-install-openssl-from-source-on-linux/
[4]: http://condor.depaul.edu/mkalin
[5]: https://en.wikipedia.org/wiki/Transport_Layer_Security
[6]: https://en.wikipedia.org/wiki/Netscape
[7]: http://www.opengroup.org/onlinepubs/009695399/functions/perror.html
[8]: http://www.opengroup.org/onlinepubs/009695399/functions/exit.html
[9]: http://www.opengroup.org/onlinepubs/009695399/functions/sprintf.html
[10]: http://www.opengroup.org/onlinepubs/009695399/functions/fprintf.html
[11]: http://www.opengroup.org/onlinepubs/009695399/functions/memset.html
[12]: http://www.opengroup.org/onlinepubs/009695399/functions/puts.html
[13]: http://www.google.com
[14]: https://www.verisign.com
[15]: https://www.amazon.com
[16]: http://www.google.com:443
[17]: https://opensource.com/article/19/6/cryptography-basics-openssl-part-2

29
translated/tech/20200115 Organize and sync your calendar with khal and vdirsyncer.md → published/20200115 Organize and sync your calendar with khal and vdirsyncer.md
View File

@ -1,22 +1,24 @@
[#]: collector: (lujun9972)
[#]: translator: (geekpi)
[#]: reviewer: ( )
[#]: publisher: ( )
[#]: url: ( )
[#]: reviewer: (wxy)
[#]: publisher: (wxy)
[#]: url: (https://linux.cn/article-11812-1.html)
[#]: subject: (Organize and sync your calendar with khal and vdirsyncer)
[#]: via: (https://opensource.com/article/20/1/open-source-calendar)
[#]: author: (Kevin Sonney https://opensource.com/users/ksonney)
使用 khal 和 vdirsyncer 组织和同步你的日历
======
保存和共享日历可能会有点麻烦。在我们的 20 个使用开源提升生产力的系列的第五篇文章中了解如何让它更简单。
![Calendar close up snapshot][1]
> 保存和共享日历可能会有点麻烦。在我们的 20 个使用开源提升生产力的系列的第五篇文章中了解如何让它更简单。
![](https://img.linux.net.cn/data/attachment/album/202001/23/150009wsr3d5ovg4g1vzws.jpg)
去年,我在 19 天里给你介绍了 19 个新(对你而言)的生产力工具。今年,我换了一种方式:使用你在使用或者还没使用的工具,构建一个使你可以在新一年更加高效的环境。
### 使用 khal 和 vdirsyncer 跟踪你的日程
处理日历很_麻烦_要找到好的工具总是很困难的。但是自从我去年将日历列为[我的“失败“之一][2]以来,我已经取得了一些进步。
处理日历很*麻烦*,要找到好的工具总是很困难的。但是自从我去年将日历列为[我的“失败"之一][2]以来,我已经取得了一些进步。
目前使用日历最困难的是一直需要以某种方式在线共享。两种最受欢迎的在线日历是 Google Calendar 和 Microsoft Outlook/Exchange。两者都在公司环境中大量使用这意味着我的日历必须支持其中之一或者两个。
@ -28,10 +30,9 @@
![vdirsyncer][6]
Vdirsyncer 是个 Python 3 程序,可以通过软件包管理器或 pip 安装。它可以同步 CalDAV、VCalendar/iCalendar、Google Calendar 和目录中的本地文件。由于我使用 Google Calendar尽管这不是最简单的设置我也将以它为例。
在 vdirsyncer 中设置 Google Calendar 是[有文档参考的][7],所以这里我不再赘述。重要的是确保同步对设置将 Google Calendar 设置为冲突解决的”赢家“。也就是说,如果同一事件有两个更新,那么需要知道哪个更新优先。类似这样做:
Vdirsyncer 是个 Python 3 程序,可以通过软件包管理器或 `pip` 安装。它可以同步 CalDAV、VCalendar/iCalendar、Google Calendar 和目录中的本地文件。由于我使用 Google Calendar尽管这不是最简单的设置我也将以它为例。
在 vdirsyncer 中设置 Google Calendar 是[有文档参考的][7],所以这里我不再赘述。重要的是确保设置你的同步对,将 Google Calendar 设置为冲突解决的“赢家”。也就是说,如果同一事件有两个更新,那么需要知道哪个更新优先。类似这样做:
```
[general]
@ -56,12 +57,11 @@ path = "~/.calendars/Personal"
fileext = ".ics"
```
在第一次 vdirsyncer 同步之后,你将在存储路径中看到一系列目录。每个文件夹都将包含多个文件,日历中的每个事件都是一个文件。下一步是导入 khal。首先运行 **khal configure** 进行初始设置。
在第一次 vdirsyncer 同步之后,你将在存储路径中看到一系列目录。每个文件夹都将包含多个文件,日历中的每个事件都是一个文件。下一步是导入 khal。首先运行 `khal configure` 进行初始设置。
![Configuring khal][8]
现在,运行 **khal interactive** 将显示本文开头的界面。输入 **n** 将打开“新事件”对话框。这里要注意的一件事:日历的名称与 vdirsyncer 创建的目录匹配,但是你可以更改 khal 配置文件来指定更清晰的名称。根据条目所在的日历向条目添加颜色还可以帮助你确定日历内容:
现在,运行 `khal interactive` 将显示本文开头的界面。输入 `n` 将打开“新事件”对话框。这里要注意的一件事:日历的名称与 vdirsyncer 创建的目录匹配,但是你可以更改 khal 配置文件来指定更清晰的名称。根据条目所在的日历,向条目添加颜色还可以帮助你确定日历内容:
```
[calendars]
@ -76,7 +76,7 @@ path = ~/.calendars/Personal/c5i68sj5edpm4rrfdchm6rreehgm6t3j81jn4rrle0n7cbj3c5m
color = brown
```
现在,当你运行 **khal interactive** 时,每个日历将被着色以区别于其他日历,并且当你添加新条目时,它将有更具描述性的名称。
现在,当你运行 `khal interactive` 时,每个日历将被着色以区别于其他日历,并且当你添加新条目时,它将有更具描述性的名称。
![Adding a new calendar entry][9]
@ -89,7 +89,7 @@ via: https://opensource.com/article/20/1/open-source-calendar
作者:[Kevin Sonney][a]
选题:[lujun9972][b]
译者:[geekpi](https://github.com/geekpi)
校对:[校对者ID](https://github.com/校对者ID)
校对:[wxy](https://github.com/wxy)
本文由 [LCTT](https://github.com/LCTT/TranslateProject) 原创编译,[Linux中国](https://linux.cn/) 荣誉推出
@ -103,3 +103,4 @@ via: https://opensource.com/article/20/1/open-source-calendar
[6]: https://opensource.com/sites/default/files/uploads/productivity_5-2.png (vdirsyncer)
[7]: https://vdirsyncer.pimutils.org/en/stable/config.html#google
[8]: https://opensource.com/sites/default/files/uploads/productivity_5-3.png (Configuring khal)
[9]: https://opensource.com/sites/default/files/uploads/productivity_5-4.png

249
sources/tech/20200122 9 favorite open source tools for Node.js developers.md Normal file
View File

@ -0,0 +1,249 @@
[#]: collector: (lujun9972)
[#]: translator: ( )
[#]: reviewer: ( )
[#]: publisher: ( )
[#]: url: ( )
[#]: subject: (9 favorite open source tools for Node.js developers)
[#]: via: (https://opensource.com/article/20/1/open-source-tools-nodejs)
[#]: author: (Hiren Dhadhuk https://opensource.com/users/hirendhadhuk)
9 favorite open source tools for Node.js developers
======
Of the wide range of tools available to simplify Node.js development,
here are the 10 best.
![Tools illustration][1]
I recently read a survey on [StackOverflow][2] that said more than 49% of developers use Node.js for their projects. This came as no surprise to me.
As an avid user of technology, I think it's safe to say that the introduction of Node.js led to a new era of software development. It is now one of the most preferred technologies for software development, right next to JavaScript.
### What is Node.js, and why is it so popular?
Node.js is a cross-platform, open source runtime environment for executing JavaScript code outside of the browser. It is also a preferred runtime environment built on Chrome's JavaScript runtime and is mainly used for building fast, scalable, and efficient network applications.
I remember when we used to sit for hours and hours coordinating between front-end and back-end developers who were writing different scripts for each side. All of this changed as soon as Node.js came into the picture. I believe that the one thing that drives developers towards this technology is its two-way efficiency.
With Node.js, you can run your code simultaneously on both the client and the server side, speeding up the whole process of development. Node.js bridges the gap between front-end and back-end development and makes the development process much more efficient.
### A wave of Node.js tools
For 49% of all developers (including me), Node.js is at the top of the pyramid when it comes to front-end and back-end development. There are tons of [Node.js use cases][3] that have helped me and my team deliver complex projects within our deadlines. Fortunately, Node.js' rising popularity has also produced a wave of open source projects and tools to help developers working with the environment.
Recently, there has been a sudden increase in demand for projects built with Node.js. Sometimes, I find it quite challenging to manage these projects and keep up the pace while delivering high-quality results. So I decided to automate certain aspects of development using some of the most efficient of the many open source tools available for Node.js developers.
In my extensive experience with Node.js, I've worked with a wide range of tools that have helped me with the overall development process—from streamlining the coding process to monitoring to content management.
To help my fellow Node.js developers, I compiled this list of 9 of my favorite open source tools for simplifying Node.js development.
### Webpack
[Webpack][4] is a handy JavaScript module bundler used to simplify front-end development. It detects modules with dependencies and transforms them into static assets that represent the modules.
You can install the tool through either the npm or Yarn package manager.
With npm:
```
`npm install --save-dev webpack`
```
With Yarn:
```
`yarn add webpack --dev`
```
Webpack creates single bundles or multiple chains of assets that can be loaded asynchronously at runtime. Each asset does not have to be loaded individually. Bundling and serving assets becomes quick and efficient with the Webpack tool, making the overall user experience better and reducing the developer's hassle in managing load time.
### Strapi
[Strapi][5] is an open source headless content management system (CMS). A headless CMS is basically software that lets you manage your content devoid of a prebuilt frontend. It is a backend-only system that functions using RESTful APIs.
You can install Strapi through Yarn or npx packages.
With Yarn:
```
`yarn create strapi-app my-project --quickstart`
```
With npx:
```
`npx create-strapi-app my-project --quickstart`
```
Strapi's goal is to fetch and deliver your content in a structured manner across any device. The CMS makes it easy to manage your applications' content and make sure they are dynamic and accessible across any device.
It provides a lot of features, including file upload, a built-in email system, JSON Web Token (JWT) authentication, and auto-generated documentation. I find it very convenient, as it simplifies the overall CMS and gives me full autonomy in editing, creating, or deleting all types of contents.
In addition, the content structure built through Strapi is extremely flexible because you can create and reuse groups of content and customizable APIs.
### Broccoli
[Broccoli][6] is a powerful build tool that runs on an [ES6][7] module. Build tools are software that let you assemble all the different assets within your application or website, e.g., images, CSS, JavaScript, etc., into one distributable format. Broccoli brands itself as the "asset pipeline for ambitious applications."
You need a project directory to work with Broccoli. Once you have the project directory in place, you can install Broccoli with npm using:
```
npm install --save-dev broccoli
npm install --global broccoli-cli
```
You can also use Yarn for installation. 
The current version of Node.js would be the best version for the tool as it provides long-time support. This helps you avoid the hassle of updating and reinstalling as you go. Once the installation process is completed, you can include the build specification in your Brocfile.js.
In Broccoli, the unit of abstraction is a tree, which stores files and subdirectories within specific subdirectories. Therefore, before you build, you must have a specific idea of what you want your build to look like.
The best part about Broccoli is that it comes with a built-in server for development that lets you host your assets on a local HTTP server. Broccoli is great for streamlined rebuilds, as its concise architecture and flexible ecosystem boost rebuild and compilation speeds. Broccoli lets you get organized to save time and maximize productivity during development.
### Danger
[Danger][8] is a very handy open source tool for streamlining your pull request (PR) checks. As Danger's library description says, the tool helps you "formalize" your code review system by managing PR checks. Danger integrates with your CI and helps you speed up the review process.
Integrating Danger with your project is an easy step-by-step process—you just need to include the Danger module and create a Danger file for each project. However, it's more convenient to create a Danger account (easy to do through GitHub or Bitbucket), then set up access tokens for your open source software projects.
Danger can be installed via NPM or Yarn. To use Yarn, add danger -D to add it to your package.JSON.
After you add Danger to your CI, you can:
* Highlight build artifacts of importance
* Manage sprints by enforcing links to tools like Trello and Jira
* Enforce changelogs
* Utilize descriptive labels
* And much more
For example, you can design a system that defines the team culture and sets out specific rules for code review and PR checks. Common issues can be solved based on the metadata Danger provides along with its extensive plugin ecosystem.
### Snyk
Cybersecurity is a major concern for developers. [Snyk][9] is one of the most well-known tools to fix vulnerabilities in open source components. It started as a project to fix vulnerabilities in Node.js projects and has evolved to detect and fix vulnerabilities in Ruby, Java, Python, and Scala apps as well. Snyk mainly runs in four stages:
* Finding vulnerability dependencies
* Fixing specific vulnerabilities
* Preventing security risks by PR checks
* Monitoring apps continuously
Snyk can be integrated with your project at any stage, including coding, CI/CD, and reporting. I find it extremely helpful for testing Node.js projects to test out npm packages for security risks or at build-time. You can also run PR checks for your applications in GitHub to make your projects more secure. Synx also provides a range of integrations that you can use to monitor dependencies and fix specific problems.
To run Snyk on your machine locally, you can install it through NPM:
```
`npm install -g snyk`
```
### Migrat
[Migrat][10] is an extremely easy to use data-migration tool that uses plain text. It works across a diverse range of stacks and processes that make it even more convenient. You can install Migrat with a simple line of code:
```
`$ npm install -g migrat`
```
Migrat is not specific to a particular database engine. It supports multi-node environments, as migrations can run on one node globally or once per server. What makes Migrat convenient is the facilitation of passing context to each migration.
You can define what each migration is for (e.g.,. database sets, connections, logging interfaces, etc.). Moreover, to avoid haphazard migrations, where multiple servers are running migrations globally, Migrat facilitates global lockdown while the process is running so that it can run only once globally. It also comes with a range of plug-ins for SQL databases, Slack, HipChat, and the Datadog dashboard. You can send live migrations to any of these platforms.
### Clinic.js
[Clinic.js][11] is an open source monitoring tool for Node.js projects. It combines three different tools—Doctor, Bubbleprof, and Flame—that help you monitor, detect, and solve performance issues with Node.js.
You can install Clinic.js from npm by running this command:
```
`$ npm install clinic`
```
You can choose which of the three tools that comprise Clinic.js you want to use based on which aspect of your project you want to monitor and the report you want to generate:
* Doctor provides detailed metrics by injecting probes and provides recommendations on the overall health of your project.
* Bubbleprof is great for profiling and generates metrics using async_hooks.
* Flame is great for uncovering hot paths and bottlenecks in your code.
### PM2
Monitoring is one of the most important aspects of any backend development process. [PM2][12] is a process management tool for Node.js that helps developers monitor multiple aspects of their projects such as logs, delays, and speed. The tool is compatible with Linux, MacOS, and Windows and supports all Node.js versions starting from Node.js 8.X.
You can install PM2 with npm using:
```
`$ npm install pm2 --g`
```
If you do not already have Node.js installed, you can use:
```
`wget -qO- https://getpm2.com/install.sh | bash`
```
Once it's installed, start the application with:
```
`$ pm2 start app.js`
```
The best part about PM2 is that it lets you run your apps in cluster mode. You can spawn a process for multiple CPU cores at a time. This makes it easy to enhance application performance and maximize reliability. PM2 is also great for updates, as you can update your apps and reload them with zero downtime using the "hot reload" option. Overall, it's a great tool to simplify process management for Node.js applications.
### Electrode
[Electrode][13] is an open source application platform from Walmart Labs. The platform helps you build large-scale, universal React/Node.js applications in a structured manner.
The Electrode app generator lets you build a flexible core focused on the code, provides some great modules to add complex features to the app, and comes with a wide range of tools to optimize your app's Node.js bundle.
Electrode can be installed using npm. Once the installation is finished, you can start the app using Ignite and dive right in with the Electrode app generator.
You can install Electrode using NPM:
```
`npm install -g electrode-ignite xclap-cli`
```
### Which are your favorite?
These are just a few of the always-growing list of open source tools that can come in handy at different stages when working with Node.js. Which are your go-to open source Node.js tools? Please share your recommendations in the comments.
--------------------------------------------------------------------------------
via: https://opensource.com/article/20/1/open-source-tools-nodejs
作者:[Hiren Dhadhuk][a]
选题:[lujun9972][b]
译者:[译者ID](https://github.com/译者ID)
校对:[校对者ID](https://github.com/校对者ID)
本文由 [LCTT](https://github.com/LCTT/TranslateProject) 原创编译,[Linux中国](https://linux.cn/) 荣誉推出
[a]: https://opensource.com/users/hirendhadhuk
[b]: https://github.com/lujun9972
[1]: https://opensource.com/sites/default/files/styles/image-full-size/public/lead-images/tools_hardware_purple.png?itok=3NdVoYhl (Tools illustration)
[2]: https://insights.stackoverflow.com/survey/2019#technology-_-other-frameworks-libraries-and-tools
[3]: https://www.simform.com/nodejs-use-case/
[4]: https://webpack.js.org/
[5]: https://strapi.io/
[6]: https://broccoli.build/
[7]: https://en.wikipedia.org/wiki/ECMAScript#6th_Edition_-_ECMAScript_2015
[8]: https://danger.systems/
[9]: https://snyk.io/
[10]: https://github.com/naturalatlas/migrat
[11]: https://clinicjs.org/
[12]: https://pm2.keymetrics.io/
[13]: https://www.electrode.io/

72
sources/tech/20200122 Get your RSS feeds and podcasts in one place with this open source tool.md Normal file
View File

@ -0,0 +1,72 @@
[#]: collector: (lujun9972)
[#]: translator: ( )
[#]: reviewer: ( )
[#]: publisher: ( )
[#]: url: ( )
[#]: subject: (Get your RSS feeds and podcasts in one place with this open source tool)
[#]: via: (https://opensource.com/article/20/1/open-source-rss-feed-reader)
[#]: author: (Kevin Sonney https://opensource.com/users/ksonney)
Get your RSS feeds and podcasts in one place with this open source tool
======
Keep up with your news feed and podcasts with Newsboat in the twelfth in
our series on 20 ways to be more productive with open source in 2020.
![Ship captain sailing the Kubernetes seas][1]
Last year, I brought you 19 days of new (to you) productivity tools for 2019. This year, I'm taking a different approach: building an environment that will allow you to be more productive in the new year, using tools you may or may not already be using.
### Access your RSS feeds and podcasts with Newsboat
RSS news feeds are an exceptionally handy way to keep up to date on various websites. In addition to Opensource.com, I follow the annual [SysAdvent][2] sysadmin tools feed, some of my favorite authors, and several webcomics. RSS readers allow me to "batch up" my reading, so I'm not spending every day on a bunch of different websites.
![Newsboat][3]
[Newsboat][4] is a terminal-based RSS feed reader that looks and feels a lot like the email program [Mutt][5]. It makes news reading easy and has a lot of nice features.
Installing Newsboat is pretty easy since it is included with most distributions (and Homebrew on MacOS). Once it is installed, adding the first feed is as easy as adding the URL to the **~/.newsboat/urls** file. If you are migrating from another feed reader and have an OPML file export of your feeds, you can import that file with:
```
`newsboat -i </path/to/my/feeds.opml>`
```
After you've added your feeds, the Newsboat interface is _very_ familiar, especially if you've used Mutt. You can scroll up and down with the arrow keys, check for new items in a feed with **r**, check for new items in all feeds with **R**, press **Enter** to open a feed and select an article to read.
![Newsboat article list][6]
You are not limited to just the local URL list, though. Newsboat is also a client for news reading services like [Tiny Tiny RSS][7], ownCloud and Nextcloud News, and a few Google Reader successors. Details on that and a whole host of other configuration options are covered in [Newsboat's documentation][8].
![Reading an article in Newsboat][9]
#### Podcasts
Newsboat also provides [podcast support][10] through Podboat, an included application that facilitates downloading and queuing podcast episodes. While viewing a podcast feed in Newsboat, press **e** to add the episode to your download queue. All the information will be stored in a queue file in the **~/.newsboat** directory. Podboat reads this queue and downloads the episode(s) to your local drive. You can do this from the Podboat user interface (which looks and acts like Newsboat), or you can tell Podboat to download them all with **podboat -a**. As a podcaster and podcast listener, I think this is _really_ handy.
![Podboat][11]
Overall, Newsboat has some really great features and is a nice, lightweight alternative to web-based or desktop apps.
--------------------------------------------------------------------------------
via: https://opensource.com/article/20/1/open-source-rss-feed-reader
作者:[Kevin Sonney][a]
选题:[lujun9972][b]
译者:[译者ID](https://github.com/译者ID)
校对:[校对者ID](https://github.com/校对者ID)
本文由 [LCTT](https://github.com/LCTT/TranslateProject) 原创编译,[Linux中国](https://linux.cn/) 荣誉推出
[a]: https://opensource.com/users/ksonney
[b]: https://github.com/lujun9972
[1]: https://opensource.com/sites/default/files/styles/image-full-size/public/lead-images/ship_captain_devops_kubernetes_steer.png?itok=LAHfIpek (Ship captain sailing the Kubernetes seas)
[2]: https://sysadvent.blogspot.com/
[3]: https://opensource.com/sites/default/files/uploads/productivity_12-1.png (Newsboat)
[4]: https://newsboat.org
[5]: http://mutt.org/
[6]: https://opensource.com/sites/default/files/uploads/productivity_12-2.png (Newsboat article list)
[7]: https://tt-rss.org/
[8]: https://newsboat.org/releases/2.18/docs/newsboat.html
[9]: https://opensource.com/sites/default/files/uploads/productivity_12-3.png (Reading an article in Newsboat)
[10]: https://newsboat.org/releases/2.18/docs/newsboat.html#_podcast_support
[11]: https://opensource.com/sites/default/files/uploads/productivity_12-4.png (Podboat)

110
sources/tech/20200122 Screenshot your Linux system configuration with Bash tools.md Normal file
View File

@ -0,0 +1,110 @@
[#]: collector: (lujun9972)
[#]: translator: ( )
[#]: reviewer: ( )
[#]: publisher: ( )
[#]: url: ( )
[#]: subject: (Screenshot your Linux system configuration with Bash tools)
[#]: via: (https://opensource.com/article/20/1/screenfetch-neofetch)
[#]: author: (Don Watkins https://opensource.com/users/don-watkins)
Screenshot your Linux system configuration with Bash tools
======
ScreenFetch and Neofetch make it easy to share your Linux environment
with others.
![metrics and data shown on a computer screen][1]
There are many reasons you might want to share your Linux configuration with other people. You might be looking for help troubleshooting a problem on your system, or maybe you're so proud of the environment you've created that you want to showcase it to fellow open source enthusiasts.
You could get some of that information with a **cat /proc/cpuinfo** or **lscpu** command at the Bash prompt. But if you want to share more details, such as your operating system, kernel, uptime, shell environment, screen resolution, etc., you have two great tools to choose: screenFetch and Neofetch.
### ScreenFetch
[ScreenFetch][2] is a Bash command-line utility that can produce a very nice screenshot of your system configuration and uptime. It is an easy way to share your system's configuration with others in a colorful way.
It's simple to install screenFetch for many Linux distributions. 
On Fedora, enter:
```
`$ sudo dnf install screenfetch`
```
On Ubuntu, enter:
```
`$ sudo apt install screenfetch`
```
For other operating systems, including FreeBSD, MacOS, and more, consult the screenFetch wiki's [installation page][3]. Once screenFetch is installed, it can produce a detailed and colorful screenshot like this:
![screenFetch][4]
ScreenFetch also provides various command-line options to fine-tune your results. For example, **screenfetch -v** returns verbose output that presents each option line-by-line along with the display shown above.
And **screenfetch -n** eliminates the operating system icon when it displays your system information.
![screenfetch -n option][5]
Other options include **screenfetch -N**, which strips all color from the output; **screenfetch -t**, which truncates the output depending on the size of the terminal; and **screenFetch -E**, which suppresses errors.
Be sure to check the man page on your system for other options. ScreenFetch is open source under the GPLv3, and you can learn more about the project in its [GitHub repository][6].
### Neofetch
[Neofetch][7] is another tool to create a screenshot with your system information. It is written in Bash 3.2 and is open source under the [MIT License][8].
According to the project's website, "Neofetch supports almost 150 different operating systems. From Linux to Windows, all the way to more obscure operating systems like Minix, AIX, and Haiku."
![Neofetch][9]
The project maintains a wiki with excellent [installation documentation][10] for a variety of distributions and operating systems.
If you are on Fedora, RHEL, or CentOS, you can install Neofetch at the Bash prompt with:
```
`$ sudo dnf install neofetch`
```
On Ubuntu 17.10 and greater, you can use:
```
`$ sudo apt install neofetch`
```
On its first run, Neofetch writes a **~/.config/neofetch/config.conf** file to your home directory (**.config/config.conf**), which enables you to [customize and control][11] every aspect of Neofetch's output. For example, you can configure Neofetch to use the image, ASCII file, or wallpaper of your choice—or nothing at all. The config.conf file also makes it easy to share your customization with others.
If Neofetch doesn't support your operating system or provide all the options you are looking for, be sure to open up an issue in the project's [GitHub repo][12].
### Conclusion
No matter why you want to share your system configuration, screenFetch or Neofetch should enable you to do so. Do you know of another open source tool that provides this functionality on Linux? Please share your favorite in the comments.
--------------------------------------------------------------------------------
via: https://opensource.com/article/20/1/screenfetch-neofetch
作者:[Don Watkins][a]
选题:[lujun9972][b]
译者:[译者ID](https://github.com/译者ID)
校对:[校对者ID](https://github.com/校对者ID)
本文由 [LCTT](https://github.com/LCTT/TranslateProject) 原创编译,[Linux中国](https://linux.cn/) 荣誉推出
[a]: https://opensource.com/users/don-watkins
[b]: https://github.com/lujun9972
[1]: https://opensource.com/sites/default/files/styles/image-full-size/public/lead-images/metrics_data_dashboard_system_computer_analytics.png?itok=oxAeIEI- (metrics and data shown on a computer screen)
[2]: https://github.com/KittyKatt/screenFetch
[3]: https://github.com/KittyKatt/screenFetch/wiki/Installation
[4]: https://opensource.com/sites/default/files/uploads/screenfetch.png (screenFetch)
[5]: https://opensource.com/sites/default/files/uploads/screenfetch-n.png (screenfetch -n option)
[6]: http://github.com/KittyKatt/screenFetch
[7]: https://github.com/dylanaraps/neofetch
[8]: https://github.com/dylanaraps/neofetch/blob/master/LICENSE.md
[9]: https://opensource.com/sites/default/files/uploads/neofetch.png (Neofetch)
[10]: https://github.com/dylanaraps/neofetch/wiki/Installation
[11]: https://github.com/dylanaraps/neofetch/wiki/Customizing-Info
[12]: https://github.com/dylanaraps/neofetch/issues

212
sources/tech/20200122 Setting up passwordless Linux logins using public-private keys.md Normal file
View File

@ -0,0 +1,212 @@
[#]: collector: (lujun9972)
[#]: translator: ( )
[#]: reviewer: ( )
[#]: publisher: ( )
[#]: url: ( )
[#]: subject: (Setting up passwordless Linux logins using public/private keys)
[#]: via: (https://www.networkworld.com/article/3514607/setting-up-passwordless-linux-logins-using-publicprivate-keys.html)
[#]: author: (Sandra Henry-Stocker https://www.networkworld.com/author/Sandra-Henry_Stocker/)
Setting up passwordless Linux logins using public/private keys
======
Using a set of public/private keys to allow you to log into a remote Linux system or run commands using ssh without a password can be very convenient, but setup is just tad tricky. Here's how and a script to help.
Ivanastar / Getty Images
Setting up an account on a [Linux][1] system that allows you to log in or run commands remotely without a password isnt all that hard, but there are some tedious details that you need to get right if you want it to work. In this post, were going to run through the process and then show a script that can help manage the details.
Once set up, passwordless access is especially useful if you want to run ssh commands within a script, especially one that you might want to schedule to run automatically.
Its important to note that you do not have to be using the same user account on both systems. In fact, you can use your public key for a number of accounts on a system or for different accounts on multiple systems.
[][2]
BrandPost Sponsored by HPE
[Take the Intelligent Route with Consumption-Based Storage][2]
Combine the agility and economics of HPE storage with HPE GreenLake and run your IT department with efficiency.
Heres how to set this up.
### Which system to start on?
First, you need to start on the system from which you want to issue commands. That's the system that you will use to create the ssh keys.  You also need to have access to the account on the remote system on which those commands will be run.
To keep the roles clear, well call that first system in our scenario the “boss” since it will issue commands to be run on the other system.
Thus, the command prompt:
[RELATED: Linux hardening: a 15-step checklist for a secure Linux server][3]
```
boss$
```
If you do not already have a public/private key pair set up for your account on the boss system, create one using a command like that shown below. Note that you can choose between the various encryption algorithms. (Either RSA or DSA is generally used.) Note that to access the system without typing a password, you will need to enter no password for the two prompts shown in the dialog below.
If you already have a public/private key pair associated with this account, skip this step.
```
boss$ ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/home/myself/.ssh/id_rsa):
Enter passphrase (empty for no passphrase): <== just press the enter key
Enter same passphrase again: <== just press the enter key
Your identification has been saved in /home/myself/.ssh/id_rsa.
Your public key has been saved in /home/myself/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:1zz6pZcMjA1av8iyojqo6NVYgTl1+cc+N43kIwGKOUI myself@boss
The key's randomart image is:
+---[RSA 3072]----+
| . .. |
| E+ .. . |
| .+ .o + o |
| ..+.. .o* . |
| ... So+*B o |
| + ...==B . |
| . o . ....++. |
|o o . . o..o+ |
|=..o.. ..o o. |
+----[SHA256]-----+
```
The command shown above will create both a public and a private key. What one encrypts, the other will decrypt. So, the relationship between these keys is critical and the private key should **never** be shared. Instead, it should stay in your .ssh folder on the boss system.
Notice that your public and private keys, on creation, will be saved in your .ssh folder.
The next step is to copy the **public** key to the system you want to access from the boss system without using a password. You can use **scp** to do this though, at this point, youll still need to enter your password. In this example, that system is called “target”.
```
boss$ scp .ssh/id_rsa.pub myacct@target:/home/myaccount
myacct@target's password:
```
On the target system (the one on which the commands will be run), you will need to install your public key. If you dont have a .ssh directory (e.g., if youve never used ssh on that system), running a command like this will set one up for you:
```
target$ ssh localhost date
target$ ls -la .ssh
total 12
drwx------ 2 myacct myacct 4096 Jan 19 11:48 .
drwxr-xr-x 6 myacct myacct 4096 Jan 19 11:49 ..
-rw-r--r-- 1 myacct myacct 222 Jan 19 11:48 known_hosts
```
Still on the target system, you then need to add the public key you transferred from the “boss” system to your .ssh/authorized_keys file. The command below will add the key to the end of the file if it exists already or create the file and add the key if the file does not exist.
```
target$ cat id_rsa.pub >> .ssh/authorized_keys
```
Next, you need to make sure that the permissions on your authorized_keys file are set to 600. If not, run the **chmod 600 .ssh/authorized_keys** command.
```
target$ ls -l authorized_keys
-rw------- 1 myself myself 569 Jan 19 12:10 authorized_keys
```
Also check to be sure that permissions on your .ssh directory on the target system are set to 700. Fix the permissions with **chmod 700 .ssh** if needed.
```
target$ ls -ld .ssh
drwx------ 2 myacct myacct 4096 Jan 14 15:54 .ssh
```
At this point, you should be able to run a command remotely from your boss system to your target system without entering a password. This should work unless the target user account on the target system has an old public key for the same user and host as the one youre trying to connect from. If so, you should be able to remove the earlier (and conflicting) entry.
### Using a script
Using a script can make some work a lot easier. In the example script below, however, the one annoying problem that youll run into is that youll have to enter the target users password numerous times before the password-free access is configured. One option would be to break the script into two parts the commands that need to be run on the boss system and the commands that need to be run on the target system.
Heres the do-it-all version of the script:
```
#!/bin/bash
# NOTE: This script requires that you have the password for the remote acct
# in order to set up password-free access using your public key
LOC=`hostname` # the local system from which you want to run commands from
# wo a password
# get target system and account
echo -n "target system> "
read REM
echo -n "target user> "
read user
# create a key pair if no public key exists
if [ ! -f ~/.ssh/id_rsa.pub ]; then
ssh-keygen -t rsa
fi
# ensure a .ssh directory exists in the remote account
echo checking for .ssh directory on remote system
ssh $user@$REM "if [ ! -d /home/$user/.ssh ]; then mkdir /home/$user/.ssh; fi"
# share the public key (using local hostname)
echo copying the public key
scp ~/.ssh/id_rsa.pub $user@$REM:/home/$user/$user-$LOC.pub
# put the public key into the proper location
echo adding key to authorized_keys
ssh $user@$REM "cat /home/$user/$user-$LOC.pub >> /home/$user/.ssh/authorized_ke
ys"
# set permissions on authorized_keys and .ssh (might be OK already)
echo setting permissions
ssh $user@$REM "chmod 600 ~/.ssh/authorized_keys"
ssh $user@$REM "chmod 700 ~/.ssh"
# try it out -- should NOT ask for a password
echo testing -- if no password is requested, you are all set
ssh $user@$REM /bin/hostname
```
The script has been configured to tell you what it is doing each time you will have to enter a password. Interaction will look something like this:
```
$ ./rem_login_setup
target system> fruitfly
target user> lola
checking for .ssh directory on remote system
lola@fruitfly's password:
copying the public key
lola@fruitfly's password:
id_rsa.pub 100% 567 219.1KB/s 00:00
adding key to authorized_keys
lola@fruitfly's password:
setting permissions
lola@fruitfly's password:
testing -- if no password is requested, you are all set
fruitfly
```
After the scenario shown above, you'd be able to log into lola's account on fruitfly like this:
```
$ ssh lola@fruitfly
[lola@fruitfly ~]$
```
Once passwordless login is set up, youll both be able to log in from the boss system to the target system without a password and run arbitrary ssh commands. Running without a password in this way does not imply that your account is less secure. However, protecting your password on the boss system could become considerably more important depending on the nature of the target.
Join the Network World communities on [Facebook][4] and [LinkedIn][5] to comment on topics that are top of mind.
--------------------------------------------------------------------------------
via: https://www.networkworld.com/article/3514607/setting-up-passwordless-linux-logins-using-publicprivate-keys.html
作者:[Sandra Henry-Stocker][a]
选题:[lujun9972][b]
译者:[译者ID](https://github.com/译者ID)
校对:[校对者ID](https://github.com/校对者ID)
本文由 [LCTT](https://github.com/LCTT/TranslateProject) 原创编译,[Linux中国](https://linux.cn/) 荣誉推出
[a]: https://www.networkworld.com/author/Sandra-Henry_Stocker/
[b]: https://github.com/lujun9972
[1]: https://www.networkworld.com/article/3215226/what-is-linux-uses-featres-products-operating-systems.html
[2]: https://www.networkworld.com/article/3440100/take-the-intelligent-route-with-consumption-based-storage.html?utm_source=IDG&utm_medium=promotions&utm_campaign=HPE21620&utm_content=sidebar ( Take the Intelligent Route with Consumption-Based Storage)
[3]: https://www.networkworld.com/article/3143050/linux/linux-hardening-a-15-step-checklist-for-a-secure-linux-server.html#tk.nww-fsb
[4]: https://www.facebook.com/NetworkWorld/
[5]: https://www.linkedin.com/company/network-world

119
sources/tech/20200123 Wine 5.0 is Released- Here-s How to Install it.md Normal file
View File

@ -0,0 +1,119 @@
[#]: collector: (lujun9972)
[#]: translator: ( )
[#]: reviewer: ( )
[#]: publisher: ( )
[#]: url: ( )
[#]: subject: (Wine 5.0 is Released! Heres How to Install it)
[#]: via: (https://itsfoss.com/wine-5-release/)
[#]: author: (Ankush Das https://itsfoss.com/author/ankush/)
Wine 5.0 is Released! Heres How to Install it
======
_**Brief: A new major release of Wine is here. With Wine 5.0, running Windows applications and games on Linux is further improved.**_
With some efforts, you can [run Windows applications on Linux][1] using Wine. Wine is a tool that you may try when you must use a software that is available only on Windows. It supports a number of such software.
A new major release for Wine has landed i.e Wine 5.0, almost after a year of its 4.0 release.
Wine 5.0 release introduces a couple of major features and a lot of significant changes/improvements. In this article, Ill highlight whats new and also mention the installation instructions.
### Whats New In Wine 5.0?
![][2]
The key changes in 5.0 release as mentioned in their [official announcement][3]:
* Builtin modules in PE format.
* Multi-monitor support.
* XAudio2 reimplementation.
* Vulkan 1.1 support.
* Microsoft Installer (MSI) Patch Files are supported.
* Performance improvements.
So, with Vulkan 1.1 support and multi-monitor support Wine 5.0 release is a big deal.
In addition to the key highlights, you can also expect better controller support in the new version considering thousands of changes/improvements involved in the new release.
It is also worth noting that this release is being dedicated to the memory of **Józef Kucia** (_lead developer of the vkd3d project_)
Theyve also mentioned this in their [release notes][4]:
> This release is dedicated to the memory of Józef Kucia, who passed away in August 2019 at the young age of 30. Józef was a major contributor to Wines Direct3D implementation, and the lead developer of the vkd3d project. His skills and his kindness are sorely missed by all of us.
### How to install Wine 5.0 on Ubuntu and Linux Mint
Note
_If you have Wine installed before, you should remove it completely to avoid any conflict (as you wish). Also, the WineHQ key repository key was changed recently, you should refer to its_ [_download page_][5] _for additional instructions on that according to your Linux distribution._
The source for Wine 5.0 is available on its [official website][3]. You can read more about [building wine][6] in order to make it work. Arch-based users should be getting it soon.
Here Ill show you the steps to install Wine 5.0 on Ubuntu and other Ubuntu-based distributions.
First, remove existing Wine install with this command:
```
sudo apt remove winehq-stable wine-stable wine1.6
```
Download the official Wine repository key and add it:
```
wget -qO - https://dl.winehq.org/wine-builds/winehq.key | sudo apt-key add -
```
_**Now the next step involves adding the repository and for that, you need to [know your Ubuntu version][7] first.**_
For **Ubuntu 19.10**, add this repository:
```
sudo apt-add-repository 'deb https://dl.winehq.org/wine-builds/ubuntu/ eoan main'
```
If you are using **Ubuntu 18.04** or **Linux Mint 19.x**, use this command to add the repository:
```
sudo apt-add-repository 'deb https://dl.winehq.org/wine-builds/ubuntu/ bionic main'
```
For **Ubuntu 16.04 and Linux Mint 18.x series**, you can use this command:
```
sudo apt-add-repository 'deb https://dl.winehq.org/wine-builds/ubuntu/ xenial main'
```
Now that you have added the correct repository, you can install Wine 5.0 using this command:
```
sudo apt update && sudo apt install --install-recommends winehq-stable
```
**Wrapping Up**
Have you tried the latest Wine 5.0 release yet? If yes, what improvements do you see in action?
Let me know your thoughts on the new release in the comments below.
--------------------------------------------------------------------------------
via: https://itsfoss.com/wine-5-release/
作者:[Ankush Das][a]
选题:[lujun9972][b]
译者:[译者ID](https://github.com/译者ID)
校对:[校对者ID](https://github.com/校对者ID)
本文由 [LCTT](https://github.com/LCTT/TranslateProject) 原创编译,[Linux中国](https://linux.cn/) 荣誉推出
[a]: https://itsfoss.com/author/ankush/
[b]: https://github.com/lujun9972
[1]: https://itsfoss.com/use-windows-applications-linux/
[2]: https://i2.wp.com/itsfoss.com/wp-content/uploads/2020/01/wine_5.png?ssl=1
[3]: https://www.winehq.org/news/2020012101
[4]: https://www.winehq.org/announce/5.0
[5]: https://wiki.winehq.org/Download
[6]: https://wiki.winehq.org/Building_Wine
[7]: https://itsfoss.com/how-to-know-ubuntu-unity-version/

333
translated/tech/20190619 Getting started with OpenSSL- Cryptography basics.md
View File

@ -1,333 +0,0 @@
[#]: collector: (lujun9972)
[#]: translator: (wxy)
[#]: reviewer: ( )
[#]: publisher: ( )
[#]: url: ( )
[#]: subject: (Getting started with OpenSSL: Cryptography basics)
[#]: via: (https://opensource.com/article/19/6/cryptography-basics-openssl-part-1)
[#]: author: (Marty Kalin https://opensource.com/users/mkalindepauledu/users/akritiko/users/clhermansen)
OpenSSL 入门:密码学基础知识
======
> 需要有关基础的密码学入门知识,尤其是有关 OpenSSL 的入门知识吗?继续阅读。
![A lock on the side of a building][1]
本文是两篇使用 [OpenSSL][2] 的密码学基础知识的第一篇OpenSSL 是在 Linux 和其他系统上流行的生产级库和工具包。(要安装 OpenSSL 的最新版本,请参阅[这里][3]。OpenSSL 实用程序可在命令行使用,而程序可以从 OpenSSL 库中调用函数。本文的示例程序使用 C 语言,即 OpenSSL 库的源语言。
本系列的两篇文章共同介绍了加密哈希、数字签名、加密和解密以及数字证书。你可以从[我的网站][4]的 ZIP 文件中找到代码和命令行示例。
让我们首先回顾一下 OpenSSL 名称中的 SSL。
### OpenSSL 简史
[安全套接字层][5]SSL是 Netscape 在 1995 年发布的一种加密协议。该协议层可以位于 HTTP 之上,从而为 HTTPS 提供了 S安全。SSL 协议提供了各种安全服务,其中包括两项在 HTTPS 中至关重要的服务:
* <ruby>对等身份验证<rt>Peer authentication</rt></ruby>(也称为相互挑战):连接的每一边都对另一边的身份进行身份验证。如果 Alice 和 Bob 要通过 SSL 交换消息,则每个人首先验证彼此的身份。
* <ruby>机密性<rt>Confidentiality</rt></ruby>:发送者在通过通道发送消息之前先对其进行加密。接收者然后解密每个接收到的消息。此过程可保护网络对话。即使窃听者 Eve 截获了从 Alice 到 Bob 的加密消息(*中间人*攻击Eve 仍发现他在计算上无法解密此消息。
  
反过来,这两个关键 SSL 服务与其他获得较少关注的服务捆绑在一起。例如SSL 支持消息完整性,从而确保接收到的消息与发送的消息相同。此功能是通过散列函数实现的,散列函数也随 OpenSSL 工具箱一起提供。
SSL 已版本化(例如 SSLv2 和 SSLv3并且在 1999 年,<ruby>传输层安全性<rt>Transport Layer Security</rt></ruby>TLS成为基于 SSLv3 的类似协议。TLSv1 和 SSLv3 相似,但不足以相互配合。 但是,通常将 SSL/TLS 称为同一协议。例如,即使正在使用的是 TLS而非 SSLOpenSSL 函数也经常在名称中包含 SSL。此外调用 OpenSSL 命令行实用程序以术语 `openssl` 开始。
OpenSSL 在其 man 页面之外的文档是零散的,鉴于 OpenSSL 工具包有多大,这些页面变得难以查找使用。命令行和代码示例是将主要主题集中起来的一种方法。让我们从一个熟悉的示例开始(使用 HTTPS 访问网站),然后使用该示例来挑选我们感兴趣的加密部分。
### 一个 HTTPS 客户端
此处显示的 `client` 程序通过 HTTPS 连接到 Google
```
/* compilation: gcc -o client client.c -lssl -lcrypto */
#include <stdio.h>
#include <stdlib.h>
#include <openssl/bio.h> /* BasicInput/Output streams */
#include <openssl/err.h> /* errors */
#include <openssl/ssl.h> /* core library */
#define BuffSize 1024
void report_and_exit(const char* msg) {
perror(msg);
ERR_print_errors_fp(stderr);
exit(-1);
}
void init_ssl() {
SSL_load_error_strings();
SSL_library_init();
}
void cleanup(SSL_CTX* ctx, BIO* bio) {
SSL_CTX_free(ctx);
BIO_free_all(bio);
}
void secure_connect(const char* hostname) {
char name[BuffSize];
char request[BuffSize];
char response[BuffSize];
const SSL_METHOD* method = TLSv1_2_client_method();
if (NULL == method) report_and_exit("TLSv1_2_client_method...");
SSL_CTX* ctx = SSL_CTX_new(method);
if (NULL == ctx) report_and_exit("SSL_CTX_new...");
BIO* bio = BIO_new_ssl_connect(ctx);
if (NULL == bio) report_and_exit("BIO_new_ssl_connect...");
SSL* ssl = NULL;
/* link bio channel, SSL session, and server endpoint */
sprintf(name, "%s:%s", hostname, "https");
BIO_get_ssl(bio, &ssl); /* session */
SSL_set_mode(ssl, SSL_MODE_AUTO_RETRY); /* robustness */
BIO_set_conn_hostname(bio, name); /* prepare to connect */
/* try to connect */
if (BIO_do_connect(bio) <= 0) {
cleanup(ctx, bio);
report_and_exit("BIO_do_connect...");
}
/* verify truststore, check cert */
if (!SSL_CTX_load_verify_locations(ctx,
"/etc/ssl/certs/ca-certificates.crt", /* truststore */
"/etc/ssl/certs/")) /* more truststore */
report_and_exit("SSL_CTX_load_verify_locations...");
long verify_flag = SSL_get_verify_result(ssl);
if (verify_flag != X509_V_OK)
fprintf(stderr,
"##### Certificate verification error (%i) but continuing...\n",
(int) verify_flag);
/* now fetch the homepage as sample data */
sprintf(request,
"GET / HTTP/1.1\x0D\x0AHost: %s\x0D\x0A\x43onnection: Close\x0D\x0A\x0D\x0A",
hostname);
BIO_puts(bio, request);
/* read HTTP response from server and print to stdout */
while (1) {
memset(response, '\0', sizeof(response));
int n = BIO_read(bio, response, BuffSize);
if (n <= 0) break; /* 0 is end-of-stream, < 0 is an error */
puts(response);
}
cleanup(ctx, bio);
}
int main() {
init_ssl();
const char* hostname = "www.google.com:443";
fprintf(stderr, "Trying an HTTPS connection to %s...\n", hostname);
secure_connect(hostname);
return 0;
}
```
可以从命令行编译和执行该程序(请注意 `-lssl``-lcrypto` 中的小写字母 `L`
```
gcc -o client client.c -lssl -lcrypto
```
该程序尝试打开与网站 [www.google.com][13] 的安全连接。作为与 Google Web 服务器的 TLS 握手的一部分,`client` 程序会接收一个或多个数字证书,该程序会尝试对其进行验证(但在我的系统上失败了)。尽管如此,`client` 程序仍继续通过安全通道获取 Google 主页。该程序取决于前面提到的安全工件,尽管在代码中只突出了数字证书。其他工件仍在幕后,稍后将对其进行详细说明。
通常,打开 HTTP非安全通道的 C 或 C++ 客户端程序将使用诸如*文件描述符*或*网络套接字*之类的结构,这些是两个进程(例如,客户端程序和 Google Web 服务器)之间连接的端点。另一方面,文件描述符是一个非负整数值,它在程序中标识该程序打开的任何文件类的结构。这样的程序还将使用一种结构来指定有关 Web 服务器地址的详细信息。
这些相对较低级别的结构都不会出现在客户端程序中,因为 OpenSSL 库会将套接字基础设施和地址规范等封装在高级的安全结构中。其结果是一个简单的 API。下面首先看一下 `client` 程序示例中的安全性详细信息。
* 该程序首先加载相关的 OpenSSL 库,而我的函数 `init_ssl` 则对 OpenSSL 进行了两次调用:
```
SSL_library_init(); SSL_load_error_strings();
```
* 下一个初始化步骤尝试获取安全*上下文*,这是建立和维护通往 Web 服务器的安全通道所需的信息框架。 在示例中使用了 TLS 1.2,如对 OpenSSL 库函数的调用所示:
```
const SSL_METHOD* method = TLSv1_2_client_method(); /* TLS 1.2 */
```
如果调用成功,则将 `method ` 指针被传递给库函数,该函数创建类型为 `SSL_CTX` 的上下文:
```
SSL_CTX* ctx = SSL_CTX_new(method);
```
`client` 程序检查每个关键库调用中的错误,然后如果其中一个调用失败,则程序终止。
* 现在还有另外两个 OpenSSL 工件在起作用SSL 类型的安全会话从头到尾管理安全连接以及类型为BIO基本输入/输出)的安全流,用于与 Web 服务器进行通信。BIO 流是通过以下调用生成的:
```
BIO* bio = BIO_new_ssl_connect(ctx);
```
请注意,最重要的上下文是参数。`BIO` 类型是 C 语言中 `FILE` 类型的 OpenSSL 封装器。此封装器可保护 `client` 程序与 Google 的网络服务器之间的输入和输出流。
* 有了 `SSL_CTX``BIO`,然后程序在 SSL 会话中将它们组合在一起。三个库调用可以完成工作:
```
BIO_get_ssl(bio, &ssl); /* get a TLS session */
SSL_set_mode(ssl, SSL_MODE_AUTO_RETRY); /* for robustness */
BIO_set_conn_hostname(bio, name); /* prepare to connect to Google */
```
安全连接本身是通过以下调用建立的:
```
BIO_do_connect(bio);
```
如果最后一次调用不成功,则 `client` 程序终止;否则,该连接已准备就绪,可以支持 `client` 程序与Google Web 服务器之间的机密对话。
在与 Web 服务器握手期间,`client` 程序会接收一个或多个数字证书,以认证服务器的身份。 但是,`client` 程序不会发送自己的证书,这意味着身份验证是单向的。(通常将 Web 服务器配置为**不**需要客户端证书。)尽管对 Web 服务器证书的验证失败,但 `client` 程序仍通过到 Web 服务器的安全通道继续获取 Google 主页。
为什么验证 Google 证书的尝试失败?典型的 OpenSSL 安装目录为 `/etc/ssl/certs`,其中包含 `ca-certificates.crt` 文件。该目录和文件包含着 OpenSSL 自带的数字证书,以此构成信任库。可以根据需要更新信任库,尤其是可以包括新信任的证书,并删除不再受信任的证书。
`client` 程序从 Google Web 服务器接收了三个证书,但是我的计算机上的 OpenSSL 信任库不包含完全匹配项。如目前所写,`client` 程序不会通过例如验证 Google 证书上的数字签名(一个用来证明该证书的签名)来解决此问题。如果该签名是受信任的,则包含该签名的证书也应受信任。尽管如此,`client` 程序仍继续进行获取页面,然后打印 Google 的主页。下一节将更详细地介绍。
### 客户端程序中隐藏的安全性
让我们从客户端示例中的可见安全工件(数字证书)开始,然后考虑其他安全工件如何与之相关。数字证书的主要布局标准是 X509生产级证书由诸如 [Verisign][14] 的证书颁发机构CA颁发。
数字证书包含各种信息(例如,激活和有效日期以及所有者的域名),包括发行者的身份和*数字签名*(这是加密过的*加密哈希*值)。证书还具有未加密的哈希值,用作其标识*指纹*。
哈希值来自将任意数量的位映射到固定长度的摘要。这些位代表什么(会计报告、小说或数字电影)无关紧要。例如,<ruby>消息摘要版本 5<rt>Message Digest version 5</rt></ruby>MD5哈希算法将任意长度的输入位映射到 128 位哈希值,而 SHA1<ruby>安全哈希算法版本 1<rt>Secure Hash Algorithm version 1</rt></ruby>)算法将输入位映射到 160 位值。不同的输入位会导致不同的(实际上是统计学上唯一的)哈希值。下一篇文章将进行更详细的介绍,并着重介绍什么使哈希函数具有加密功能。
数字证书的类型有所不同(例如根证书、中间证书和最终实体证书),并形成了反映这些类型的层次结构。 顾名思义,*根*证书位于层次结构的顶部其下的证书继承了根证书所具有的信任。OpenSSL 库和大多数现代编程语言都具有 X509 类型以及处理此类证书的函数。来自 Google 的证书具有 X509 格式,`client` 程序会检查该证书是否为 `X509_V_OK`
X509 证书基于<ruby>公共密钥基础结构<rt>public-key infrastructure</rt></ruby>PKI其中包括的算法RSA 是占主导地位的算法)用于生成*密钥对*:公共密钥及其配对的私有密钥。公钥是一种身份:[Amazon][15] 的公钥对其进行标识,而我的公钥对我进行标识。私钥应由其所有者保密。
成对出现的密钥具有标准用途。可以使用公钥对消息进行加密,然后可以使用同一个密钥对中的私钥对消息进行解密。私钥也可以用于对文档或其他电子产品(例如程序或电子邮件)进行签名,然后可以使用该对密钥中的公钥来验证签名。以下两个示例填充了一些细节。
在第一个示例中Alice 将她的公钥分发给世界,包括 Bob。然后Bob 用 Alice 的公钥加密邮件,然后将加密的邮件发送给 Alice。用 Alice 的公钥加密的邮件将用她的私钥解密(假设是她自己的私钥),如下所示:
```
+------------------+ encrypted msg +-------------------+
Bob's msg--->|Alice's public key|--------------->|Alice's private key|---> Bob's msg
+------------------+ +-------------------+
```
原则上可以在没有 Alice 的私钥的情况下解密消息,但在实际情况下,如果使用像 RSA 这样的加密密钥对系统,则无法实现。
现在,对于第二个示例,请考虑对文档签名以证明其真实性。签名算法使用密钥对中的私钥来处理要签名的文档的加密哈希:
```
+-------------------+
Hash of document--->|Alice's private key|--->Alice's digital signature of the document
+-------------------+
```
假设 Alice 以数字方式签署了发送给 Bob 的合同。然后Bob 可以使用密钥对中的 Alice 的公钥来验证签名:
```
+------------------+
Alice's digital signature of the document--->|Alice's public key|--->verified or not
+------------------+
```
假若没有 Alice 的私钥,就无法伪造 Alice 的签名因此Alice 有必要保密她的私钥。
`client` 程序中,除了数字证书以外,这些安全性都没有明确规定。下一篇文章使用使用 OpenSSL 实用程序和库函数的示例填充详细信息。
### 命令行的 OpenSSL
同时,让我们看一下 OpenSSL 命令行实用程序:特别是在 TLS 握手期间检查来自 Web 服务器的证书的实用程序。调用 OpenSSL 实用程序从`openssl` 命令开始,然后添加参数和标志的组合以指定所需的操作。
看看以下命令:
```
openssl list-cipher-algorithms
```
该输出是组成<ruby>加密算法套件<rt>cipher suite<rt></ruby>的相关算法的列表。下面是列表的开头,注释以澄清首字母缩写词:
```
AES-128-CBC ## Advanced Encryption Standard, Cipher Block Chaining
AES-128-CBC-HMAC-SHA1 ## Hash-based Message Authentication Code with SHA1 hashes
AES-128-CBC-HMAC-SHA256 ## ditto, but SHA256 rather than SHA1
...
```
使用参数 `s_client` 的下一条命令将打开到 [www.google.com][13] 的安全连接,并在屏幕上显示有关此连接的所有信息:
```
openssl s_client -connect www.google.com:443 -showcerts
```
端口号 443 是 Web 服务器用于接收 HTTPS 而不是 HTTP 连接的标准端口号。(对于 HTTP标准端口为 80网络地址 [www.google.com:443 也出现在 `client` 程序的代码中。如果尝试的连接成功,则将显示来自 Google 的三个数字证书以及有关安全会话、正在使用的加密算法套件以及相关项目的信息。例如,这是从头开始的一部分输出,它声明*证书链*即将到来。证书的编码为 base64
```
Certificate chain
0 s:/C=US/ST=California/L=Mountain View/O=Google LLC/CN=www.google.com
i:/C=US/O=Google Trust Services/CN=Google Internet Authority G3
-----BEGIN CERTIFICATE-----
MIIEijCCA3KgAwIBAgIQdCea9tmy/T6rK/dDD1isujANBgkqhkiG9w0BAQsFADBU
MQswCQYDVQQGEwJVUzEeMBwGA1UEChMVR29vZ2xlIFRydXN0IFNlcnZpY2VzMSUw
...
```
诸如 Google 之类的主要网站通常会发送多个证书进行身份验证。
输出以有关 TLS 会话的摘要信息结尾,包括加密算法套件的详细信息:
```
SSL-Session:
    Protocol : TLSv1.2
    Cipher : ECDHE-RSA-AES128-GCM-SHA256
    Session-ID: A2BBF0E4991E6BBBC318774EEE37CFCB23095CC7640FFC752448D07C7F438573
...
```
`client` 程序中使用了协议 TLS 1.2`Session-ID` 唯一地标识了 `openssl` 实用程序和 Google Web 服务器之间的连接。 `Cipher` 条目可以按以下方式进行解析:
* `ECDHE`<ruby>Elliptic Curve Diffie Hellman Ephemeral<rt>椭圆曲线 Diffie-Hellman临时</rt></ruby>)是一种用于管理 TLS 握手的有效而高效的算法。尤其是ECDHE 通过确保连接双方(例如,`client` 程序和 Google Web 服务器)使用相同的加密/解密密钥(称为*会话密钥*)来解决“密钥分发问题”。后续文章会深入探讨该细节。
* `RSA`Rivest Shamir Adleman是主要的公共密钥密码系统并以 1970 年代后期首次描述该系统的三位学者的名字命名。这个正在使用的密钥对是使用 RSA 算法生成的。
* `AES128`<ruby>高级加密标准<rt>Advanced Encryption Standard</rt></ruby>)是一种<ruby>块式加密算法<rt>block cipher</rt></ruby>,用于加密和解密<ruby>位块<rt>blocks of bits</rt></ruby>。(另一种算法是<ruby>流式加密算法<rt>stream cipher</rt></ruby>它一次加密和解密一个位。该加密算法是对称加密算法因为使用同一个密钥进行加密和解密这首先引起了密钥分发问题。AES 支持 128此处使用、192 和 256 位的密钥大小:密钥越大,保护越好。
通常,像 AES 这样的对称加密系统的密钥大小要小于像 RSA 这样的非对称基于密钥对系统的密钥大小。例如1024 位 RSA 密钥相对较小,而 256 位密钥当前是 AES 最大的密钥。
* `GCM`<ruby>伽罗瓦计数器模式<rt>Galois Counter Mode</rt></rubny>)处理在安全对话期间重复应用加密算法(在这种情况下为 AES128。AES128 块的大小仅为 128 位,安全对话很可能包含从一侧到另一侧的多个 AES128 块。GCM 非常有效,通常与 AES128 搭配使用。
* `SHA256` <ruby>256 位安全哈希算法<rt>Secure Hash Algorithm 256 bits</rt></ruby>)是正在使用的加密哈希算法。生成的哈希值的大小为 256 位,尽管使用 SHA 甚至可以更大。
加密算法套件正在不断发展中。例如不久前Google 使用 RC4 流加密算法(是 RSA 的 Ron Rivest 后来开发的 Ron's Cipher 版本 4。 RC4 现在有已知的漏洞,这至少部分导致了 Google 转换为 AES128。
### 总结
通过安全的 C Web 客户端和各种命令行示例对 OpenSSL 的首次了解,使一些需要进一步阐明的主题脱颖而出。[下一篇文章会详细介绍][17],从加密散列开始,到结束时对数字证书如何应对密钥分发挑战的更全面讨论。
--------------------------------------------------------------------------------
via: https://opensource.com/article/19/6/cryptography-basics-openssl-part-1
作者:[Marty Kalin][a]
选题:[lujun9972][b]
译者:[wxy](https://github.com/wxy)
校对:[校对者ID](https://github.com/校对者ID)
本文由 [LCTT](https://github.com/LCTT/TranslateProject) 原创编译,[Linux中国](https://linux.cn/) 荣誉推出
[a]: https://opensource.com/users/mkalindepauledu/users/akritiko/users/clhermansen
[b]: https://github.com/lujun9972
[1]: https://opensource.com/sites/default/files/styles/image-full-size/public/lead-images/BUSINESS_3reasons.png?itok=k6F3-BqA (A lock on the side of a building)
[2]: https://www.openssl.org/
[3]: https://www.howtoforge.com/tutorial/how-to-install-openssl-from-source-on-linux/
[4]: http://condor.depaul.edu/mkalin
[5]: https://en.wikipedia.org/wiki/Transport_Layer_Security
[6]: https://en.wikipedia.org/wiki/Netscape
[7]: http://www.opengroup.org/onlinepubs/009695399/functions/perror.html
[8]: http://www.opengroup.org/onlinepubs/009695399/functions/exit.html
[9]: http://www.opengroup.org/onlinepubs/009695399/functions/sprintf.html
[10]: http://www.opengroup.org/onlinepubs/009695399/functions/fprintf.html
[11]: http://www.opengroup.org/onlinepubs/009695399/functions/memset.html
[12]: http://www.opengroup.org/onlinepubs/009695399/functions/puts.html
[13]: http://www.google.com
[14]: https://www.verisign.com
[15]: https://www.amazon.com
[16]: http://www.google.com:443
[17]: https://opensource.com/article/19/6/cryptography-basics-openssl-part-2