一.環境簡介:
服務器:CentOS 5.7 64位
外網IP地址: 183.60.xxx.xxx
內網IP地址: 10.20.10.209
客戶端:win7
所需軟件:
open***-2.0.9-gui-1.0.3-install.exe
客戶端安裝使用
openssl 爲 CentOS 5.7 自帶
pam_mysql-0.7RC1.tar.gz
mysql-5.1.60.tar.gz
Open××× Server 路由模式+口令認證+mysql
連接方式採用路由,認證方式採用mysql認證,虛擬設備使用tun
1. 安裝Mysql
採用源碼包的方式編譯mysql,具體過程略
配置參數可以參考如下:
# Build MySQL 5.1.60 from source and install it under /usr/local/mysql.
tar zxvf mysql-5.1.60.tar.gz
cd mysql-5.1.60
# Statically linked mysqld, utf8 as default charset, SSL, readline and the
# embedded server enabled. (--enable-thread-safe-client appears twice;
# redundant but harmless.)
./configure --prefix=/usr/local/mysql --with-extra-charsets=complex \
--enable-thread-safe-client --enable-assembler \
--with-mysqld-ldflags=-all-static --with-charset=utf8 \
--enable-thread-safe-client --with-big-tables --with-readline \
--with-ssl --with-embedded-server --enable-local-infile
make && make install
# Dedicated service account: no login shell (-s /sbin/nologin), no home (-M).
groupadd mysql
useradd -s /sbin/nologin -M -g mysql mysql
# Start from the bundled "medium" sample config and rewrite the old
# skip-locking option name to skip-external-locking in place.
cp /usr/local/mysql/share/mysql/my-medium.cnf /etc/my.cnf
sed -i 's/skip-locking/skip-external-locking/g' /etc/my.cnf
# Create the system tables, then hand the data directory to the mysql user.
# NOTE(review): nothing shown here sets a password for the MySQL root
# account; do that before creating the account pam_mysql will use.
/usr/local/mysql/bin/mysql_install_db --user=mysql
chown -R mysql /usr/local/mysql/var
chgrp -R mysql /usr/local/mysql/.
# Install the bundled SysV init script as /etc/init.d/mysqld.
cp /usr/local/mysql/share/mysql/mysql.server /etc/init.d/mysqld
chmod 755 /etc/init.d/mysqld
# Register the MySQL library directory with the dynamic loader.
cat > /etc/ld.so.conf.d/mysql.conf<<EOF
/usr/local/mysql/lib/mysql
/usr/local/lib
EOF
ldconfig
# Symlink libs and headers to the conventional locations (presumably so
# pam_mysql's configure finds MySQL without extra flags — confirm).
ln -s /usr/local/mysql/lib/mysql /usr/lib/mysql
ln -s /usr/local/mysql/include/mysql /usr/include/mysql
/etc/init.d/mysqld start
# Put the client binaries on the default PATH.
ln -s /usr/local/mysql/bin/mysql /usr/bin/mysql
ln -s /usr/local/mysql/bin/mysqldump /usr/bin/mysqldump
ln -s /usr/local/mysql/bin/myisamchk /usr/bin/myisamchk
2. 配置mysql建立數據庫
以管理員身份登錄數據庫:
mysql>flush privileges;
mysql>use ***;
mysql>create table ***user(
->name char(20) NOT NULL,
->password char(128) default NULL,
->active int(10) NOT NULL DEFAULT 1,
->PRIMARY KEY(name)
->);
插入測試帳戶:
mysql>insert into ***user(name,password) values('test',md5('test'));
3. 配置Open××× 和pam_mysql模塊
安裝pam_mysql模塊,使用mysql數據庫存儲用戶數據。
解壓:tar zxvf pam_mysql-0.7RC1.tar.gz
# Build the pam_mysql PAM module against the MySQL headers/libs symlinked
# into /usr/include/mysql and /usr/lib/mysql above.
cd pam_mysql-0.7RC1
# --with-openssl: presumably lets pam_mysql use OpenSSL for its hashed
# password comparison modes (crypt=...) — confirm against its README.
./configure --with-openssl
make
# NOTE(review): this host is 64-bit CentOS 5, where PAM modules normally
# live in /lib64/security; /lib/security works here only because the
# /etc/pam.d entry below names the module by full path — confirm.
cp .libs/pam_mysql.so /lib/security/
建立 /etc/pam.d/open*** 文件,文件內容如下:
vim /etc/pam.d/open***
# pam_mysql validates the username/password offered by Open*** against the
# MySQL table below (db/table/user values are redacted as *** on this page).
# NOTE(review): the MySQL account password (passwd=...) is stored here in
# clear text, so this file must not be world-readable — keep it 0600/root.
# crypt=3 selects pam_mysql's MD5 comparison, matching the md5() used when
# the test account was inserted; unsalted MD5 offers little resistance to
# offline guessing if the table is ever exposed.
auth sufficient /lib/security/pam_mysql.so user=*** passwd=***123 host=10.20.10.209 db=*** table=***user usercolumn=name passwdcolumn=password where=active=1 sqllog=0 crypt=3 verbose=1
# Account stage re-queries the same table; where=active=1 means a row can
# presumably be disabled by setting active=0 instead of deleting it.
account required /lib/security/pam_mysql.so user=*** passwd=***123 host=10.20.10.209 db=*** table=***user usercolumn=name passwdcolumn=password where=active=1 sqllog=0 crypt=3 verbose=1
該文件可以根據後續需求變動
下面檢查pam_mysql是否正常工作,先檢查saslauthd是否安裝:
#rpm -qa|grep sasl
[root@***server ~]# rpm -qa|grep sasl
cyrus-sasl-lib-2.1.22-5.el5_4.3
cyrus-sasl-plain-2.1.22-5.el5_4.3
cyrus-sasl-2.1.22-5.el5_4.3
cyrus-sasl-devel-2.1.22-5.el5_4.3
cyrus-sasl-devel-2.1.22-5.el5_4.3
cyrus-sasl-lib-2.1.22-5.el5_4.3
cyrus-sasl-plain-2.1.22-5.el5_4.3
有cyrus-sasl-2.1.22就可以了
然後啓動
# Start saslauthd for the current boot only; the testsaslauthd check below
# needs it running.
/etc/rc.d/init.d/saslauthd start
同時加入/etc/rc.local
執行下面語句,若如下顯示就正常,說明pam_mysql沒有問題,可以配置Open×××服務器了。
[root@***server ~]# /usr/sbin/testsaslauthd -u test -p test -s open***
0: OK "Success."
安裝Open×××:
首先檢查是否安裝openssl,如果沒裝,用yum安裝吧。
解壓:tar zxvf lzo-2.03.tar.gz
# Build and install the LZO library; comp-lzo in the server and client
# configs below depends on it.
cd lzo-2.03
./configure
make
make install
解壓:
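# Unpack, configure and install Open*** into its own prefix.
tar -zxvf open***-2.0.9.tar.gz
cd open***-2.0.9
# Fixed: the original used a typographic en dash (–prefix), which configure
# would not recognise as the --prefix option.
./configure --prefix=/usr/local/open***
make
make install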
建立必要目錄
# Directory layout under the Open*** prefix: etc (config and keys),
# html (per-client configs) and log.
mkdir /usr/local/open***/etc /usr/local/open***/html /usr/local/open***/log
# client-config-dir in server.conf points here.
mkdir /usr/local/open***/html/ccd
使用 TUN/TAP kernel module:
執行 modprobe tun 並加入 /etc/rc.local
啓用 IP 轉發和設置iptables SNAT:
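# Enable IPv4 forwarding for the current boot only; this /proc write does
# not survive a reboot (add it to /etc/rc.local like the modprobe above, or
# set it in /etc/sysctl.conf).
echo 1 > /proc/sys/net/ipv4/ip_forward
# Source-NAT ××× client traffic bound for the 10.20.10.0/24 LAN behind the
# server's inner address. Fixed: server.conf hands out addresses from
# 172.16.0.0/16 (server 172.16.0.0 255.255.0.0), so the match must cover the
# whole /16 — with only /24, clients beyond the first /24 would bypass the NAT.
# This rule is runtime-only as well (service iptables save, or rc.local).
iptables -t nat -A POSTROUTING -s 172.16.0.0/16 -d 10.20.10.0/24 -j SNAT --to-source 10.20.10.209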
配置××× Server:
cd /root/open***-2.0.9/easy-rsa
vim vars
修改vars 文件
-----------------------------------------
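# easy-rsa vars: default DN fields used for every certificate built below.
# Country, two-letter code
export KEY_COUNTRY=CN
# Province / state
export KEY_PROVINCE=SHANGHAI
# City
export KEY_CITY=SHANGHAI
# Organisation
export KEY_ORG="Open××× ORG"
# Contact e-mail. Fixed: the address was split across two lines inside the
# quotes, which would have embedded a newline in the value.
export KEY_EMAIL="taylor_ge@staff.woyo.com"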
#使修改的環境變量生效
[root@***server easy-rsa]# source ./vars
NOTE: when you run ./clean-all, I will be doing a rm -rf on /root/open***-2.0.9/easy-rsa/keys
[root@***server easy-rsa]# ./clean-all #初始化keys目錄
[root@*** /etc/open***/easy-rsa]# ./clean-all
#生成Root CA證書,用於簽發Server和Client證書,請保護好keys/ca.key文件。
[root@***server easy-rsa]# ./build-ca
Generating a 1024 bit RSA private key
.....++++++
.........++++++
writing new private key to 'ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [SHANGHAI]:
Locality Name (eg, city) [SHANGHAI]:
Organization Name (eg, company) [Open××× ORG]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:
Email Address [taylor_ge@staff.woyo.com]:
#查看生成的證書
[root@***server easy-rsa]# ll keys
total 12
-rw-r--r-- 1 root root 1180 Aug 22 17:22 ca.crt
-rw------- 1 root root 887 Aug 22 17:22 ca.key
-rw-r--r-- 1 root root 0 Aug 22 17:21 index.txt
-rw-r--r-- 1 root root 3 Aug 22 17:21 serial
#我們可以看到ca.crt ca.key文件已經生成了。
#下面我們爲服務器生成 Diffie-Hellman 文件
[root@***server easy-rsa]# ./build-dh
Generating DH parameters, 1024 bit long safe prime, generator 2
This is going to take a long time
...........................+.................................................................................................+......................................................................+....................+.+..............+........+.......................................................................................+..............................................................................................+................................+...+...................................................+............+..................................................+............................................................+..............................................+..............................+...............................+............................................................+....................+............+......................................+..............+................................................................+....+........................+......................................................................................................+......+......................................+.............................................................................................................................+........................................................+................................................................................................+......................................+................................................................................+.........................+............................................+.................................+......................+.......+.......+..++*++*++*
#建立並簽發××× Server使用的證書
[root@***server easy-rsa]# ./build-key-server server
Generating a 1024 bit RSA private key
........................++++++
...........................++++++
writing new private key to 'server.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [SHANGHAI]:
Locality Name (eg, city) [SHANGHAI]:
Organization Name (eg, company) [Open××× ORG]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:woyo
Email Address [taylor_ge@staff.woyo.com]:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /root/open***-2.0.9/easy-rsa/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName :PRINTABLE:'CN'
stateOrProvinceName :PRINTABLE:'SHANGHAI'
localityName :PRINTABLE:'SHANGHAI'
organizationName :PRINTABLE:'Open××× ORG'
commonName :PRINTABLE:'woyo'
emailAddress :IA5STRING:'taylor_ge@staff.woyo.com'
Certificate is to be certified until Aug 20 09:27:16 2022 GMT (3650 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
#一路回車,common name 需要輸入一個名稱,後面兩個選擇都選擇y
爲防止惡意***(如DOS、UDP port flooding),我們生成一個"HMAC firewall"
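# Generate the shared tls-auth ("HMAC firewall") key; packets without a
# valid HMAC are dropped before the TLS handshake even starts.
/usr/local/open***/sbin/open*** --genkey --secret keys/ta.key
# Copy the generated material into the Open*** config directory.
# Fixed: ta.key was missing from the copy although server.conf references
# /usr/local/open***/etc/ta.key, so the server would not have found it.
cd /root/open***-2.0.9/easy-rsa/keys
cp ca.crt dh1024.pem server.crt server.key ta.key /usr/local/open***/etc/
# Private material stays readable by root only.
chmod 600 /usr/local/open***/etc/server.key /usr/local/open***/etc/ta.key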
#建立服務端配置文件
vim /usr/local/open***/etc/server.conf
# Open*** server configuration: routed tun mode over TCP/1194.
port 1194
proto tcp
dev tun
# CA, server certificate/key and DH parameters produced by easy-rsa above.
ca /usr/local/open***/etc/ca.crt
cert /usr/local/open***/etc/server.crt
key /usr/local/open***/etc/server.key
# NOTE(review): build-dh generated a 1024-bit group; that is below current
# recommendations — regenerate with a larger size when the clients allow it.
dh /usr/local/open***/etc/dh1024.pem
# Client address pool is the whole 172.16.0.0/16; any NAT rule for client
# traffic must match this full range, not just 172.16.0.0/24.
server 172.16.0.0 255.255.0.0
push "route 172.16.0.0 255.255.0.0"
push "route 10.20.0.0 255.255.0.0"
;push "dhcp-option DNS 211.99.190.33"
;push "dhcp-option DNS 211.136.107.168"
;push "redirect-gateway"
# Per-client override directory (created earlier as html/ccd).
client-config-dir /usr/local/open***/html/ccd
;route 10.0.0.0 255.255.255.0
# Allows several simultaneous sessions under the same name; it also removes
# the one-session-per-account limit, so a leaked password can be used in
# parallel without displacing the legitimate user.
duplicate-cn
keepalive 10 120
# 0 = server direction of the shared HMAC key; the client profile uses 1.
# The file must actually be present at this path (see the copy step above).
tls-auth /usr/local/open***/etc/ta.key 0
comp-lzo
max-clients 100
# Drop root privileges after startup; persist-key/persist-tun keep the key
# and tun device usable across restarts once privileges are gone.
user nobody
group nobody
persist-key
persist-tun
status /usr/local/open***/log/open***-status.log
# NOTE(review): both log and log-append are given; typically only one of
# the two is used — confirm which one this build honours.
log /usr/local/open***/log/open***.log
log-append /usr/local/open***/log/open***-append.log
# verb 4 is fairly chatty; fine for bring-up, consider lowering later.
verb 4
# Authentication is delegated to the PAM service "open***" (the
# /etc/pam.d/open*** file above), i.e. the MySQL user table. The plugin is
# built from plugin/auth-pam in the source tree and copied here by hand.
plugin /usr/local/open***/etc/open***-auth-pam.so open***
# SECURITY: with these two directives clients are identified by
# username/password only — no client certificate is checked. tls-auth
# still limits who can start a handshake, and the CA cert must be kept
# private enough that it is not handed to arbitrary parties.
client-cert-not-required
username-as-common-name
# Start Open*** now as a daemon using the server config. This line alone
# does not start it at boot.
/usr/local/open***/sbin/open*** --daemon --config /usr/local/open***/etc/server.conf
#檢查是否啓動成功:
[root@***server log]# lsof -i :1194
COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
open*** 20216 nobody 5u IPv4 97292 TCP *:open*** (LISTEN)
4. 客戶端安裝配置 Open××× windows 客戶端
a) 安裝 open***-2.0.9-gui-1.0.3-install.exe,然後將剛才生成的ca.crt ta.key這兩個文件從服務器上下載下來放進 Open××× 的 conf 文件夾
建立open***客戶端配置文件***.o***
# Open*** client profile; place it next to ca.crt and ta.key in the
# client's conf folder.
client
dev tun
proto tcp
remote 183.60.xxx.xxx 1194
# remote-random only matters with several remote lines; with the single
# remote above it has no effect.
remote-random
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
# Prompts for the username/password that pam_mysql checks on the server.
auth-user-pass
# Checks the server certificate's nsCertType extension so that another
# certificate signed by the same CA cannot impersonate the server.
ns-cert-type server
# 1 = client direction of the shared HMAC key (server uses 0).
tls-auth ta.key 1
comp-lzo
verb 4
route-method exe
route-delay 2
(請根據實際狀況修改)
注: 有很多朋友不知道open***-auth-pam.so這個文件怎麼來的,這個是在open***的安裝包下面plugin/auth-pam目錄下面make產生的,根據你的配置文件拷貝到相應目錄即可。
運行open***客戶端,進行測試…