CentOS 6.5 OpenVPN 2.3.4 setup
Configuration based on http://mjjwu.blog.51cto.com/600072/1311008
Environment:
server: CentOS 6.5, OpenVPN 2.3.4
client: Windows 7 64-bit, OpenVPN GUI 2.3.4
Server-side configuration:
1. Install the base libraries
[root@demo openvpn]# for i in gcc gcc-c++ openssl openssl-devel lzo lzo-devel pam pam-devel; do yum -y install $i; done
Install the lzo compression library
Without it, configure fails with: configure: error: lzo enabled but missing
[root@demo openvpn]# wget http://www.oberhumer.com/opensource/lzo/download/lzo-2.06.tar.gz
[root@demo openvpn]# tar zxvf lzo-2.06.tar.gz
[root@demo openvpn]# cd lzo-2.06
[root@demo lzo-2.06]# ./configure
[root@demo lzo-2.06]# make && make install
2. Install OpenVPN 2.3.4
[root@demo openvpn]# wget -c http://swupdate.openvpn.org/community/releases/openvpn-2.3.4.tar.gz
[root@demo openvpn]# tar zxvf openvpn-2.3.4.tar.gz
[root@demo openvpn]# cd openvpn-2.3.4
[root@demo openvpn-2.3.4]# ./configure --prefix=/opt/openvpn
[root@demo openvpn-2.3.4]# make && make install
3. Configure OpenVPN
Pull easy-rsa 2.0 from GitHub: https://github.com/OpenVPN/easy-rsa
After downloading, extract it under /opt/openvpn
Then copy easy-rsa into that directory (with cp) and change into it:
[root@demo openvpn]# cp -arp easy-rsa /opt/openvpn/
Look at what is in the directory
[root@demo openvpn]# chmod u+x /opt/openvpn/easy-rsa/easy-rsa/2.0/*
[root@demo openvpn]# ll /opt/openvpn/easy-rsa/easy-rsa/2.0/
total 112
-rwxr-xr-x. 1 root root   119 Jul  5 10:49 build-ca
-rwxr-xr-x. 1 root root   352 Jul  5 10:49 build-dh
-rwxr-xr-x. 1 root root   188 Jul  5 10:49 build-inter
-rwxr-xr-x. 1 root root   163 Jul  5 10:49 build-key
-rwxr-xr-x. 1 root root   157 Jul  5 10:49 build-key-pass
-rwxr-xr-x. 1 root root   249 Jul  5 10:49 build-key-pkcs12
-rwxr-xr-x. 1 root root   268 Jul  5 10:49 build-key-server
-rwxr-xr-x. 1 root root   213 Jul  5 10:49 build-req
-rwxr-xr-x. 1 root root   158 Jul  5 10:49 build-req-pass
-rwxr-xr-x. 1 root root   449 Jul  5 10:49 clean-all
-rwxr-xr-x. 1 root root  1471 Jul  5 10:49 inherit-inter
-rwxr-xr-x. 1 root root   302 Jul  5 10:49 list-crl
-rwxr-xr-x. 1 root root  7791 Jul  5 10:49 openssl-0.9.6.cnf
-rwxr-xr-x. 1 root root  8348 Jul  5 10:49 openssl-0.9.8.cnf
-rwxr-xr-x. 1 root root  8245 Jul  5 10:49 openssl-1.0.0.cnf
-rwxr-xr-x. 1 root root 12984 Jul  5 10:49 pkitool
-rwxr-xr-x. 1 root root   928 Jul  5 10:49 revoke-full
-rwxr-xr-x. 1 root root   178 Jul  5 10:49 sign-req
-rwxr-xr-x. 1 root root  2077 Jul  5 10:49 vars
-rwxr-xr-x. 1 root root   740 Jul  5 10:49 whichopensslcnf
4. Generate the CA certificate
Edit the vars file
[root@demo openvpn]# cd /opt/openvpn/easy-rsa/easy-rsa/2.0/
[root@demo 2.0]# vim vars
................
export KEY_COUNTRY="CN"
export KEY_PROVINCE="BJ"
export KEY_CITY="BeiJing"
export KEY_ORG="xxxx"
export KEY_EMAIL="[email protected]"
export KEY_OU="MyOpenVPN"
.................
Fill in this part according to your own situation; save and exit when done.
Then:
[root@demo 2.0]# source ./vars
NOTE: If you run ./clean-all, I will be doing a rm -rf on /opt/openvpn/easy-rsa/easy-rsa/2.0/keys
Then run ./clean-all
[root@demo 2.0]# ./clean-all
This is for the case where keys/ already exists and you want to regenerate the certificates with the rewritten vars
On a first install it is fine to skip it
Of course, if you run ./clean-all and ./build-ca before this step, you get the following prompts:
[root@demo 2.0]# ./clean-all
Please source the vars script first (i.e. "source ./vars")
Make sure you have edited it to reflect your configuration.

[root@demo 2.0]# ./build-ca
Please edit the vars script to reflect your configuration,
then source it with "source ./vars".
Next, to start with a fresh PKI configuration and to delete any
previous certificates and keys, run "./clean-all".
Finally, you can run this tool (pkitool) to build certificates/keys.
Roughly: after editing vars you must run source ./vars before these commands will work.
5. Initialize keys
Then run ./build-ca to generate the CA certificate:
[root@demo 2.0]# ./build-ca
Generating a 2048 bit RSA private key
....+++
.............................................................+++
writing new private key to 'ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [LN]:
Locality Name (eg, city) [ChengDu]:
Organization Name (eg, company) [xxxx]:
Organizational Unit Name (eg, section) [MyOpenVPN]:
Common Name (eg, your name or your server's hostname) [xxxx CA]:
Name [EasyRSA]:
Email Address [[email protected]]:
Just keep pressing Enter (the defaults come from vars), or type in whatever you like; that completes the initialization of keys.
Look at which files are now in keys/:
[root@demo 2.0]# ll keys/
total 12
-rw-r--r--. 1 root root 1655 Oct 19 00:37 ca.crt
-rw-------. 1 root root 1704 Oct 19 00:37 ca.key
-rw-r--r--. 1 root root    0 Oct 19 00:36 index.txt
-rw-r--r--. 1 root root    3 Oct 19 00:36 serial
6. Generate the DH file
Next generate the DH parameters by running ./build-dh:
[root@demo 2.0]# ./build-dh
Generating DH parameters, 2048 bit long safe prime, generator 2
This is going to take a long time
...........+.............................................................................................................+..........................................................................................................++*++*
[root@demo 2.0]# ll keys/
total 16
-rw-r--r--. 1 root root 1655 Oct 19 00:37 ca.crt
-rw-------. 1 root root 1704 Oct 19 00:37 ca.key
-rw-r--r--. 1 root root  424 Oct 19 00:42 dh2048.pem
-rw-r--r--. 1 root root    0 Oct 19 00:36 index.txt
-rw-r--r--. 1 root root    3 Oct 19 00:36 serial
7. Generate the server certificate
Run ./build-key-server [certificate name] to generate the server certificate:
[root@demo 2.0]# ./build-key-server OpenVPN_Server
Generating a 2048 bit RSA private key
..+++
..+++
writing new private key to 'OpenVPN_Server.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [LN]:
Locality Name (eg, city) [ChengDu]:
Organization Name (eg, company) [xxxx]:
Organizational Unit Name (eg, section) [MyOpenVPN]:
Common Name (eg, your name or your server's hostname) [OpenVPN_Server]:
Name [EasyRSA]:
Email Address [[email protected]]:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /opt/openvpn/easy-rsa/easy-rsa/2.0/openssl-1.0.0.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'CN'
stateOrProvinceName   :PRINTABLE:'LN'
localityName          :PRINTABLE:'ChengDu'
organizationName      :PRINTABLE:'xxxx'
organizationalUnitName:PRINTABLE:'MyOpenVPN'
commonName            :T61STRING:'OpenVPN_Server'
name                  :PRINTABLE:'EasyRSA'
emailAddress          :IA5STRING:'[email protected]'
Certificate is to be certified until Oct 16 16:43:29 2023 GMT (3650 days)
Sign the certificate? [y/n]:y        (note: type y here)
1 out of 1 certificate requests certified, commit? [y/n]y        (note: type y here)
Write out database with 1 new entries
Data Base Updated
That is the server certificate done; you can see that keys/ now holds more files..
[root@demo 2.0]# ll keys/
total 52
-rw-r--r--. 1 root root 5373 Oct 19 00:43 01.pem
-rw-r--r--. 1 root root 1655 Oct 19 00:37 ca.crt
-rw-------. 1 root root 1704 Oct 19 00:37 ca.key
-rw-r--r--. 1 root root  424 Oct 19 00:42 dh2048.pem
-rw-r--r--. 1 root root  125 Oct 19 00:43 index.txt
-rw-r--r--. 1 root root   21 Oct 19 00:43 index.txt.attr
-rw-r--r--. 1 root root    0 Oct 19 00:36 index.txt.old
-rw-r--r--. 1 root root 5373 Oct 19 00:43 OpenVPN_Server.crt
-rw-r--r--. 1 root root 1066 Oct 19 00:43 OpenVPN_Server.csr
-rw-------. 1 root root 1704 Oct 19 00:43 OpenVPN_Server.key
-rw-r--r--. 1 root root    3 Oct 19 00:43 serial
-rw-r--r--. 1 root root    3 Oct 19 00:36 serial.old
8. Generate client certificates (not needed with MySQL authentication)
Next I requested a client certificate for myself (these files are copied to the client later so it can authenticate with the server):
[root@demo 2.0]# ./build-key client1
Generating a 2048 bit RSA private key
...+++
....................................................................+++
writing new private key to 'client1.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [LN]:
Locality Name (eg, city) [ChengDu]:
Organization Name (eg, company) [xxxx]:
Organizational Unit Name (eg, section) [MyOpenVPN]:
Common Name (eg, your name or your server's hostname) [client1]:    # important: every client's certificate must have a different name
Name [EasyRSA]:
Email Address [[email protected]]:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /opt/openvpn/easy-rsa/easy-rsa/2.0/openssl-1.0.0.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'CN'
stateOrProvinceName   :PRINTABLE:'LN'
localityName          :PRINTABLE:'ChengDu'
organizationName      :PRINTABLE:'xxxx'
organizationalUnitName:PRINTABLE:'MyOpenVPN'
commonName            :PRINTABLE:'client1'
name                  :PRINTABLE:'EasyRSA'
emailAddress          :IA5STRING:'[email protected]'
Certificate is to be certified until Oct 16 16:45:15 2023 GMT (3650 days)
Sign the certificate? [y/n]:y        (note: type y here)
1 out of 1 certificate requests certified, commit? [y/n]y        (note: type y here)
Write out database with 1 new entries
Data Base Updated
Generate further client certificates/keys the same way:
./build-key client2
./build-key client3
Then pack up the CA certificate and the client certificate for download, to be used on the client for authentication
[root@demo 2.0]# cd keys/
[root@demo keys]# tar -zcvf client1.tar.gz client1.* ca.crt    # only ca.crt goes to clients; ca.key stays on the CA machine
client1.crt
client1.csr
client1.key
ca.crt
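easy-rsa records every certificate it issues in keys/index.txt (the OpenSSL CA database seen growing in the listings above). The following is an added Python example, not part of the original post or of easy-rsa, that parses that file and reports same-CN duplicates (which duplicate-cn would otherwise paper over), revoked serials, and certificates expiring before a date; the index lines are constructed to mirror the certificates issued above, with placeholder e-mail addresses.

```python
import datetime as dt
from collections import Counter

# Constructed sample of easy-rsa 2.0's keys/index.txt. Tab-separated columns:
# status (V=valid, R=revoked, E=expired), notAfter, revocation date, serial,
# certificate file name ("unknown" in easy-rsa), subject DN.
# Serial 01 mirrors the server cert above, 02 is client1; 03 is a second cert
# with the same CN but a different emailAddress (OpenSSL's unique_subject check
# compares the whole DN, so this slips through); 04 is a revoked client2.
SAMPLE_INDEX = (
    "V\t231016164329Z\t\t01\tunknown\t/C=CN/ST=LN/L=ChengDu/O=xxxx/OU=MyOpenVPN/CN=OpenVPN_Server/name=EasyRSA/emailAddress=ca@example.invalid\n"
    "V\t231016164515Z\t\t02\tunknown\t/C=CN/ST=LN/L=ChengDu/O=xxxx/OU=MyOpenVPN/CN=client1/name=EasyRSA/emailAddress=ca@example.invalid\n"
    "V\t241016170000Z\t\t03\tunknown\t/C=CN/ST=LN/L=ChengDu/O=xxxx/OU=MyOpenVPN/CN=client1/name=EasyRSA/emailAddress=laptop@example.invalid\n"
    "R\t231016171000Z\t141101120000Z\t04\tunknown\t/C=CN/ST=LN/L=ChengDu/O=xxxx/OU=MyOpenVPN/CN=client2/name=EasyRSA/emailAddress=ca@example.invalid\n"
)


def parse_index(text):
    """Parse index.txt into a list of dicts (file order, one per certificate)."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split("\t")
        if len(fields) != 6:
            raise ValueError("malformed index.txt line: %r" % line)
        status, expiry, revoked, serial, _fname, dn = fields
        cn = next((p[3:] for p in dn.split("/") if p.startswith("CN=")), None)
        entries.append({"status": status, "expiry": expiry, "revoked": revoked,
                        "serial": serial, "cn": cn})
    return entries


def duplicate_cns(entries):
    """CNs held by more than one valid certificate. Without duplicate-cn in
    server.conf only one holder can be connected at a time; with it, the
    server can no longer tell the holders apart in logs or ccd files."""
    counts = Counter(e["cn"] for e in entries if e["status"] == "V")
    return sorted(cn for cn, n in counts.items() if n > 1)


def expiring_before(entries, date_str):
    """(serial, CN) of valid certs whose notAfter is before YYYY-MM-DD (UTC)."""
    cutoff = dt.datetime.strptime(date_str, "%Y-%m-%d")
    return [(e["serial"], e["cn"]) for e in entries
            if e["status"] == "V"
            and dt.datetime.strptime(e["expiry"], "%y%m%d%H%M%SZ") < cutoff]


def revoked_serials(entries):
    """Serials that revoke-full has marked R; they must appear in the CRL."""
    return [e["serial"] for e in entries if e["status"] == "R"]
```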
9. Edit the server-side configuration file
Copy server.conf into /opt/openvpn/conf
[root@demo openvpn]# cp -arp /soft/openvpn-2.3.4/sample/sample-config-files/server.conf /opt/openvpn/conf
[root@demo openvpn]# vim /opt/openvpn/conf/server.conf
....
# Which local IP address should OpenVPN
# listen on? (optional)
;local a.b.c.d

# Which TCP/UDP port should OpenVPN listen on?
# If you want to run multiple OpenVPN instances
# on the same machine, use a different port
# number for each one. You will need to
# open up this port on your firewall.
port 1194

# TCP or UDP server?
;proto tcp
proto tcp
....
ca /opt/openvpn/easy-rsa/easy-rsa/2.0/keys/ca.crt
cert /opt/openvpn/easy-rsa/easy-rsa/2.0/keys/OpenVPN_Server.crt
key /opt/openvpn/easy-rsa/easy-rsa/2.0/keys/OpenVPN_Server.key  # This file should be kept secret

# Diffie hellman parameters.
# Generate your own with:
#   openssl dhparam -out dh1024.pem 1024
# Substitute 2048 for 1024 if you are using
# 2048 bit keys.
dh /opt/openvpn/easy-rsa/easy-rsa/2.0/keys/dh2048.pem
....
....
server 10.8.0.0 255.255.255.0
# This is the subnet the VPN assigns client addresses from; a private range is fine, no need to change it
....
....
;push "route 192.168.20.0 255.255.255.0"
# This pushes a route to the clients
....
....
;push "redirect-gateway def1 bypass-dhcp"
# change it to this:
push "redirect-gateway def1"
....
....
;client-to-client
# Uncommenting this lets users reach each other through OpenVPN's forwarding
# (somewhat more efficient)
....
....
;duplicate-cn
# If several clients connect with certificates sharing the same CommonName, only one
# of them is allowed on the VPN unless this option is enabled
....
....
comp-lzo
# data compression; the server and client settings must match
....
....
user nobody
group nobody
# the user OpenVPN runs as
....
....
;log openvpn.log
;log-append openvpn.log
# These two set the log file location and append mode; I changed them to this 0.0:
log /opt/openvpn/log/openvpn.log
log-append log/openvpn.log
....
....
status log/openvpn-status.log
# Lines starting with # or ; are comments

# Listening IP; by default OpenVPN listens on all IPs
;local a.b.c.d
local 192.168.228.155

# Listening port; it must be opened in the firewall
port 1194

# TCP or UDP?
;proto tcp
proto udp

# Create a routed IP tunnel (tun) or an Ethernet tunnel (tap)
# Routed IP is easier to control, so it is recommended; but if you need
# traffic such as IPX that can only pass at layer 2, use tap, which is
# Ethernet bridging
;dev tap
dev tun

# Windows needs a name for the adapter, set here; Linux does not
;dev-node MyTap

# This is the key part: you must specify the SSL/TLS root certificate (ca),
# certificate (cert), and private key (key)
# The ca file is needed by both server and client, but ca.key is not
# Server and client each specify their own .crt and .key
# Mind the paths: they can be relative to the configuration file's
# directory or absolute
# Store the .key files carefully
ca ./easy-rsa/keys/ca.crt
cert ./easy-rsa/keys/server.crt
key ./easy-rsa/keys/server.key  # This file should be kept secret

# Diffie hellman parameters.
dh ./easy-rsa/keys/dh1024.pem

# Subnet used by the VPN; OpenVPN hands out addresses from it like DHCP,
# but it must not overlap with the LAN on either side, so keep it unique
server 10.8.0.0 255.255.255.0

# Keep a client-to-virtual-IP mapping so that a reconnecting client
# gets the same IP again
ifconfig-pool-persist ipp.txt

# Ethernet bridge mode; requires the system's bridging support
# Not needed here
;server-bridge 10.8.0.4 255.255.255.0 10.8.0.50 10.8.0.100

# Push routes to clients so they can reach servers inside the company network
# Remember that those servers also need a usable route back to the clients
;push "route 192.168.20.0 255.255.255.0"
push "route 192.168.56.0 255.255.255.0"

# Give a specific client a fixed IP or a route; the route is usually the LAN
# behind the client, not the network the server is on
# ccd is a directory under /etc/openvpn containing one file per client you
# want to pin, named after the client's Common Name, with the fixed IP set
# by the command below
# e.g. for Common Name client1, /opt/openvpn/ccd/client1 contains:
#   ifconfig-push 10.9.0.1 10.9.0.2
;client-config-dir ccd
;route 192.168.40.128 255.255.255.248

# Per-client firewall rules and the like can be applied by running a
# script automatically; see the man page
;learn-address ./script

# If clients should send all their traffic through the VPN, use this;
# it changes the client's default gateway to the VPN server. Recommended off.
# Once set, watch out for the server's DHCP settings
;push "redirect-gateway"

# Use OpenVPN's DHCP options to hand clients a DNS server, WINS server, etc.
;push "dhcp-option DNS 10.8.0.1"
;push "dhcp-option WINS 10.8.0.1"

# By default clients cannot talk to each other directly, unless the line below is enabled
client-to-client

# If you want clients with the same Common Name to all be able to log in,
# enable the line below; it is recommended that every client use a different
# Common Name. Mostly used for testing
;duplicate-cn

# Server-side keepalive interval and timeout
keepalive 10 120

# Below are some security hardening options, to be explained later
# For extra security beyond that provided
# by SSL/TLS, create an "HMAC firewall"
# to help block DoS attacks and UDP port flooding.
#
# Generate with:
#   openvpn --genkey --secret ta.key
#
# The server and each client must have
# a copy of this key.
# The second parameter should be '0'
# on the server and '1' on the clients.
;tls-auth ta.key 0 # This file is secret

# Select a cryptographic cipher.
# This config item must be copied to
# the client config file as well.
;cipher BF-CBC        # Blowfish (default)
;cipher AES-128-CBC   # AES
;cipher DES-EDE3-CBC  # Triple-DES

# lzo-compressed communication; must be configured on both server and client
comp-lzo

# Maximum number of clients
;max-clients 100

# Run OpenVPN as user and group nobody (security)
;user nobody
;group nobody

# The persist options will try to avoid
# accessing certain resources on restart
# that may no longer be accessible because
# of the privilege downgrade.
persist-key
persist-tun

# Short status log, refreshed every minute, showing the current clients
status /var/log/openvpn/openvpn-status.log

# By default logging goes to syslog, but it can be redirected elsewhere
# Recommended: leave this unset while debugging and define it once debugging is done
;log /var/log/openvpn/openvpn.log
;log-append /var/log/openvpn/openvpn.log

# Log verbosity
#
# 0 is silent, except for fatal errors
# 4 is reasonable for general usage
# 5 and 6 can help to debug connection problems
# 9 is extremely verbose
verb 3

# Silence repeating messages. At most 20
# sequential messages of the same message
# category will be output to the log.
;mute 20

# Enable the management interface; define the IP and port to monitor on
management localhost 7505
10. Firewall settings
Enable IP forwarding:
sysctl -w net.ipv4.ip_forward=1
net.ipv4.ip_forward=1
In the iptables rules add:
-A FORWARD -j ACCEPT
or delete (comment out) the line:
#-A FORWARD -j REJECT --reject-with icmp-host-prohibited
NAT for the VPN subnet:
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
Alternative form:
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j SNAT --to-source a.b.c.d
11. Make OpenVPN start automatically after the server reboots
Run:
vi /etc/rc.local
and add this line at the end:
/opt/openvpn/sbin/openvpn --daemon --config /opt/openvpn/conf/server.conf > /dev/null 2>&1 &
Since I installed openvpn under /usr/local/, I make a symlink into sbin so it is convenient to use later; note that even in sbin, ordinary users cannot start or stop it.
[root@demo openvpn]# ln -s /usr/local/openvpn/sbin/openvpn /sbin/openvpn
[root@demo openvpn]# openvpn --daemon --config /opt/openvpn/conf/server.conf
Without --daemon it runs in the foreground of the shell.
Client configuration
The client uses OpenVPN GUI; the version must match the server version.
It can be downloaded at http://openvpn.se/development.html, but there is no 2.3.0 version there.
No way around it; went through a proxy to the official site and downloaded it there: openvpn.net
Download, install, then configure as follows:
1. Extract the certificates downloaded from the server earlier into the config folder
2. Copy client.ovpn from sample-config into the config folder and make the following changes:
;proto tcp
proto udp
change to:
proto tcp
;proto udp

remote my-server-1 1194        (replace my-server-1 with your OpenVPN server's address)
ns-cert-type server            (enable this option)

ca ca.crt
cert client.crt
key client.key
The certificates were just dropped into the config folder, so they are already in the same place; only the names need changing:
ca ca.crt
cert client1.crt
key client1.key
That is all the changes; ready to start the VPN journey 0.0
Since I configured the client on Windows, some Linux-specific changes were skipped...
Now try connecting; it should work~~~
So far the VPN is set up, but for NAT out to the network there is more to do.
Have the server forward packets
OpenVPN internet access settings
Enable the following in server.conf:
push "dhcp-option DNS 10.8.0.1"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
That's it~
Now everything is done; start the OpenVPN server (if it is already running, stop it and start it again: killall openvpn):
[root@demo ~]# openvpn --daemon --config /opt/openvpn/conf/server.conf
OpenVPN + MySQL authentication
Goal: clients still connect into the company LAN, but for easier user management the authentication data is taken from a MySQL database.
OpenVPN server basic setup: routed connection, MySQL authentication, tun virtual device
1. First check whether the pam-devel package is installed
rpm -qa | grep pam
2. Check whether MySQL is installed
Confirm that the mysql-devel package is installed; otherwise install it from the system disc
rpm -qa | grep mysql    ## with 5.6 you also need mysql-share, otherwise pam_mysql will not compile
mysql-5.0.45-7.el5
mysql-devel-5.0.45-7.el5
mysql-server-5.0.45-7.el5
3. Install pam_mysql
[root@localhost ~]# wget http://prdownloads.sourceforge.net/pam-mysql/pam_mysql-0.7RC1.tar.gz
[root@localhost ~]# gzip -cd pam_mysql-0.7RC1.tar.gz | tar xvf -
[root@localhost ~]# cd pam_mysql-0.7RC1
[root@localhost pam_mysql-0.7RC1]# ./configure --with-openssl
[root@localhost pam_mysql-0.7RC1]# make
[root@localhost pam_mysql-0.7RC1]# cp .libs/pam_mysql.so /lib64/security/
4. Configure the MySQL database and PAM
4.1 Configure the database
Log in to the database as administrator:
mysql> create database vpn;
mysql> GRANT ALL ON vpn.* TO vpn@localhost IDENTIFIED BY 'vpn123';
mysql> flush privileges;
mysql> use vpn;
Create the table:
CREATE TABLE vpnuser (
  id int(11) unsigned NOT NULL AUTO_INCREMENT,
  name CHAR(20) NOT NULL,
  password CHAR(128) NOT NULL,
  active INT(10) NOT NULL DEFAULT 1 COMMENT 'a value of 1 allows VPN use',
  PRIMARY KEY (id)
);
Insert test data:
# add a user; username: elm, password: elm
a) MD5 hashed (matches crypt=3 below):
mysql> insert into vpnuser (name,password) values('elm',md5('elm'));
b) using MySQL's PASSWORD() scheme (matches crypt=2 below):
mysql> insert into vpnuser (name,password) values('elm',password('elm'));
4.2 Configure the pam_mysql module
Create the file /etc/pam.d/openvpn with the following content:
auth    sufficient pam_mysql.so user=vpn passwd=vpn123 host=localhost db=vpn \
        table=vpnuser usercolumn=name passwdcolumn=password \
        where=active=1 sqllog=0 crypt=3 verbose=1
account required   pam_mysql.so user=vpn passwd=vpn123 host=localhost db=vpn \
        table=vpnuser usercolumn=name passwdcolumn=password \
        where=active=1 sqllog=0 crypt=3 verbose=1
Note: (1) the crypt=3 setting means the passwords in the database are stored as MD5 hashes.
If you set crypt=2 here, MySQL's PASSWORD() function is used for hashing instead.
0 (or "plain") = No encryption. Passwords stored in plaintext. HIGHLY DISCOURAGED.
1 (or "Y") = Use crypt(3) function.
2 (or "mysql") = Use MySQL PASSWORD() function. It is possible that the encryption function used by PAM-MySQL is different from that of the MySQL server, as PAM-MySQL uses the function defined in MySQL's C-client API instead of using the PASSWORD() SQL function in the query.
3 (or "md5") = Use plain hex MD5.
4 (or "sha1") = Use plain hex SHA1.
(2) verbose=1 enables verbose logging
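A mismatch between the INSERT used to create a row and the crypt= value in /etc/pam.d/openvpn is the usual reason testsaslauthd fails at the next step. The following added Python example (not from the page or from pam_mysql) reproduces what each crypt mode expects in passwdcolumn, reads the options from the auth line above (PAM_AUTH_LINE is that line joined into one), and tells you which mode a stored value would verify under; crypt=1 (crypt(3)) is left out because it needs the stored salt.

```python
import hashlib

# The auth line from /etc/pam.d/openvpn above, joined onto one line (the
# password is the page's placeholder, not a real credential).
PAM_AUTH_LINE = ("auth sufficient pam_mysql.so user=vpn passwd=vpn123 host=localhost "
                 "db=vpn table=vpnuser usercolumn=name passwdcolumn=password "
                 "where=active=1 sqllog=0 crypt=3 verbose=1")

# crypt= accepts either the number or the name listed above.
CRYPT_NAMES = {"plain": 0, "Y": 1, "mysql": 2, "md5": 3, "sha1": 4}


def mysql_password(password):
    """MySQL 4.1+ PASSWORD(): '*' + upper(hex(SHA1(SHA1(pw)))). The C-client
    API that pam_mysql calls produces the same 41-char value on 4.1+ servers."""
    if password == "":
        return ""
    inner = hashlib.sha1(password.encode()).digest()
    return "*" + hashlib.sha1(inner).hexdigest().upper()


def pam_mysql_hash(password, crypt):
    """What passwdcolumn must contain for pam_mysql to accept `password`
    under the given crypt mode. Mode 1 (crypt(3)) needs the stored salt and
    is not modelled. Modes 0, 3 and 4 are unsalted, so a leaked table can be
    brute-forced offline; keep the vpn DB account and dumps locked down."""
    if crypt == 0:
        return password
    if crypt == 2:
        return mysql_password(password)
    if crypt == 3:
        return hashlib.md5(password.encode()).hexdigest()
    if crypt == 4:
        return hashlib.sha1(password.encode()).hexdigest()
    raise ValueError("unsupported crypt mode %r" % crypt)


def detect_crypt(stored, password):
    """Which crypt= value makes an existing row verify for `password`, or None
    (e.g. a crypt(3) row, or a mismatch between the INSERT and pam.d)."""
    for mode in (2, 3, 4, 0):
        if pam_mysql_hash(password, mode) == stored:
            return mode
    return None


def parse_pam_mysql_line(line):
    """Split a pam.d line into (type, control, module, options). Option values
    may contain '=' themselves (where=active=1), so split on the first '=' only."""
    parts = line.split()
    opts = {}
    for tok in parts[3:]:
        key, _, val = tok.partition("=")
        opts[key] = val
    return parts[0], parts[1], parts[2], opts


def would_authenticate(line, stored, password):
    """True if the crypt= mode in `line` turns `password` into `stored`."""
    _, _, _, opts = parse_pam_mysql_line(line)
    raw = opts.get("crypt", "0")
    mode = CRYPT_NAMES.get(raw)
    if mode is None:
        mode = int(raw)
    return pam_mysql_hash(password, mode) == stored
```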
4.3 Test whether pam_mysql works correctly
First check whether saslauthd is installed:
[root@localhost pam_mysql-0.7RC1]# rpm -qa | grep sasl
cyrus-sasl-plain-2.1.22-4
cyrus-sasl-devel-2.1.22-4
cyrus-sasl-2.1.22-4
cyrus-sasl-lib-2.1.22-4
Having cyrus-sasl-2.1.22-4 should be enough
[root@vpn ~]# saslauthd -a pam
[root@vpn ~]# testsaslauthd -u elm -p elm -s openvpn
0: OK "Success."
Congratulations, pam_mysql is working; now the OpenVPN server can be configured.
The related logs show it:
/var/log/syslog
/var/log/auth.log
4.4 Configure the authentication-related parts of the OpenVPN server and client:
1. Add the following at the bottom of server.conf
# Declare the plugin to use; "openvpn" is the plugin's argument, the PAM service name
plugin /opt/openvpn/lib/openvpn/plugins/openvpn-auth-pam.so openvpn
# Do not require a client CA certificate; authenticate with user/password instead
client-cert-not-required
# Use the username supplied by the client as its Common Name
username-as-common-name

Or: go into the OpenVPN source tree and build the authentication module under plugin/auth-pam:
# cd /usr/local/src/openvpn/openvpn-2.0.9/plugin/auth-pam
# make
32-bit systems:
# cp -f openvpn-auth-pam.so /lib/security/.
64-bit systems:
# cp -f openvpn-auth-pam.so /lib64/security/.
Add the authentication module to the OpenVPN server configuration file:
# vi /opt/openvpn/etc/openvpn.conf
and append as the last line:
plugin /lib64/security/openvpn-auth-pam.so openvpn    # adjust the path accordingly on 32-bit systems
Note: with OpenVPN 2.0 and above the authentication has problems, so build the module from an older version:
wget http://down1.chinaunix.net/distfiles/openvpn-2.0.7.tar.gz
tar -zxvf openvpn-2.0.7.tar.gz
cd openvpn-2.0.7/
./configure
cd plugin/auth-pam/
make
cp openvpn-auth-pam.so /opt/openvpn/lib/openvpn/plugins/
2. Configure the client configuration file
Comment out:
;cert client1.crt
;key client1.key
Add:
# prompt for username and password
auth-user-pass
OpenVPN + LDAP authentication (not actually verified; still to be tested)
2. Edit the configuration file auth-ldap.conf
<LDAP>
    # LDAP server URL
    URL ldap://192.168.1.208

    # Bind DN (If your LDAP server doesn't support anonymous binds)
    BindDN cn=admin,dc=gxw,dc=com

    # Bind Password
    Password secret

    # Network timeout (in seconds)
    Timeout 15

    # Enable Start TLS
    TLSEnable no

    # Follow LDAP Referrals (anonymously)
    FollowReferrals no

    # TLS CA Certificate File
    #TLSCACertFile /usr/local/etc/ssl/ca.pem

    # TLS CA Certificate Directory
    #TLSCACertDir /etc/ssl/certs

    # Client Certificate and key
    # If TLS client authentication is required
    #TLSCertFile /usr/local/etc/ssl/client-cert.pem
    #TLSKeyFile /usr/local/etc/ssl/client-key.pem

    # Cipher Suite
    # The defaults are usually fine here
    # TLSCipherSuite ALL:!ADH:@STRENGTH
</LDAP>

<Authorization>
    # Base DN
    BaseDN "dc=gxw,dc=com"

    # User Search Filter
    SearchFilter "(uid=%u)"

    # Require Group Membership
    RequireGroup false

    # Add non-group members to a PF table (disabled)
    #PFTable ips_vpn_users

    <Group>
        BaseDN "ou=tech,dc=gxw,dc=com"
        SearchFilter "(|(cn=developers)(cn=artists))"
        MemberAttribute uniqueMember
        # Add group members to a PF table (disabled)
        #PFTable ips_vpn_eng
    </Group>
</Authorization>
3. Edit the OpenVPN configuration file
The OpenVPN configuration is similar to the MySQL case
plugin /usr/local/lib/openvpn-auth-ldap.so /etc/openvpn/auth/ldap.conf
client-cert-not-required
username-as-common-name