Configuring open*** for text-file (username/password) authentication

1. The environment has already been set up.

For the environment deployment, see the following link:

http://11012498.blog.51cto.com/11002498/1868352

 

2. Edit the server-side configuration file server.conf

[root@web1 open***]# cat server.conf
local 192.168.1.9
port 52115
proto tcp
dev tun
ca /etc/open***/keys/ca.crt
cert /etc/open***/keys/server.crt
key /etc/open***/keys/server.key
dh /etc/open***/keys/dh1024.pem
server 10.8.0.0 255.255.255.0
push "route 192.168.1.0 255.255.255.0"
ifconfig-pool-persist ipp.txt
keepalive 10 120
comp-lzo
persist-key
persist-tun
status open***-status.log
verb 3
client-to-client
duplicate-cn
log /var/log/open***.log
#push "dhcp-option DNS 10.8.0.81"       # this section is the ××× configuration
#push "redirect-gateway def1 bypass-dhcp bypass-dns"
#push "dhcp-option DNS 8.8.8.8"
#push "dhcp-option DNS 8.8.4.4"
script-security 3                       # allow user-defined scripts to be used inside the ×××
auth-user-pass-verify /etc/open***/checkpsw.sh via-env
client-cert-not-required
username-as-common-name

 

Configure the script it calls, /etc/open***/checkpsw.sh

Give it execute permission: chmod +x /etc/open***/checkpsw.sh

[root@web1 open***]# cat /etc/open***/checkpsw.sh
#!/bin/sh
###########################################################
# checkpsw.sh (C) 2004 Mathias Sundman <mathias@open***.se>
#
# This script will authenticate Open××× users against
# a plain text file. The passfile should simply contain
# one row per user with the username first followed by
# one or more space(s) or tab(s) and then the password.

PASSFILE="/etc/open***/psw-file"
LOG_FILE="/var/log/open***-password.log"
TIME_STAMP=`date "+%Y-%m-%d %T"`

###########################################################

# With "auth-user-pass-verify ... via-env" the server passes the client's
# credentials to this script in the environment variables $username and $password.
if [ ! -r "${PASSFILE}" ]; then
  echo "${TIME_STAMP}: Could not open password file \"${PASSFILE}\" for reading." >> ${LOG_FILE}
  exit 1
fi

# Look up the user: skip ';' and '#' comment lines and take the second field
# of the first row whose first field equals the username.
CORRECT_PASSWORD=`awk '!/^;/&&!/^#/&&$1=="'${username}'"{print $2;exit}' ${PASSFILE}`

# Note: both failure branches below write the submitted password to the log in clear text.
if [ "${CORRECT_PASSWORD}" = "" ]; then
  echo "${TIME_STAMP}: User does not exist: username=\"${username}\", password=\"${password}\"." >> ${LOG_FILE}
  exit 1
fi

if [ "${password}" = "${CORRECT_PASSWORD}" ]; then
  echo "${TIME_STAMP}: Successful authentication: username=\"${username}\"." >> ${LOG_FILE}
  exit 0
fi

echo "${TIME_STAMP}: Incorrect password: username=\"${username}\", password=\"${password}\"." >> ${LOG_FILE}
exit 1

Next, configure the password file /etc/open***/psw-file; from now on, user passwords go in here.

Change its permissions to 400: chmod 400 /etc/open***/psw-file

 

cat /etc/open***/psw-file
oldboy 111111
test 111111
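As an added example (not the checkpsw.sh from the page or from the open*** distribution), the same via-env check rewritten so that the password file holds salted SHA-256 digests instead of clear-text passwords, the username reaches awk as data through -v rather than being spliced into the awk program text, and the submitted password is never written to the log. It assumes sha256sum (or shasum) is on PATH and a constructed passfile format of `user salt hexdigest`; the PASSFILE path is a placeholder.

```sh
#!/bin/sh
# Added example: hashed-password replacement for checkpsw.sh.
# Assumptions: sha256sum or shasum on PATH; passfile lines are "user salt hexdigest";
# lines starting with ';' or '#' are comments. The server's via-env mode supplies
# the client's credentials in $username and $password.
PASSFILE="${PASSFILE:-/etc/openvpn/psw-file}"   # placeholder path, adjust to your install
if command -v sha256sum >/dev/null 2>&1; then HASHER="sha256sum"; else HASHER="shasum -a 256"; fi

log() { printf '%s: %s\n' "$(date '+%Y-%m-%d %T')" "$*" >&2; }   # stderr here; use a log file in production

# hash_pw SALT PASSWORD -> hex SHA-256 digest of "salt:password"
hash_pw() { printf '%s:%s' "$1" "$2" | $HASHER | awk '{print $1}'; }

# make_entry USER PASSWORD -> one passfile line with a fresh 64-bit random salt
make_entry() {
  salt=$(od -An -N8 -tx1 /dev/urandom | tr -d ' \n')
  printf '%s %s %s\n' "$1" "$salt" "$(hash_pw "$salt" "$2")"
}

# check_password PASSFILE USER PASSWORD -> 0 if the digest matches, 1 otherwise
check_password() {
  passfile=$1; user=$2; pw=$3
  [ -r "$passfile" ] || { log "could not open password file $passfile"; return 1; }
  # -v keeps the username as data: awk never interprets it as program text
  entry=$(awk -v u="$user" '!/^[;#]/ && $1==u {print $2, $3; exit}' "$passfile")
  [ -n "$entry" ] || { log "user does not exist: username=$user"; return 1; }
  salt=${entry% *}; want=${entry#* }
  if [ "$(hash_pw "$salt" "$pw")" = "$want" ]; then
    log "successful authentication: username=$user"; return 0
  fi
  log "incorrect password: username=$user"; return 1   # the password itself is not logged
}

# When the server invokes this script (via-env), $username is set: verify and exit with the result.
if [ -n "${username:-}" ]; then
  check_password "$PASSFILE" "$username" "${password:-}"
  exit $?
fi
```

Add users with `make_entry oldboy 'secret' >> /etc/openvpn/psw-file` (placeholder path), so the clear-text password never lands on disk.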

 

Next comes the client configuration.

The client file here is abu.o***

client
dev tun
proto tcp
remote 58.67.159.47 52115
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
#cert abu.crt           # disable the previous (certificate) authentication method
#key abu.key
ns-cert-type server
comp-lzo
verb 3
auth-user-pass      ← log in via username/password verification

OK, then just test the connection.

 

A serious error encountered during deployment (important)

open*** 2.2.2 local authentication failure fix

Solution found via Google:

http://bbs.chinaunix.net/thread-1680296-1-1.html

When dialing in, the server side shows the following:

cat /var/log/open***.log
Wed Nov  2 10:06:39 2016 183.238.56.227:49601 WARNING: Failed running command (--auth-user-pass-verify): external program fork failed
Wed Nov  2 10:06:39 2016 183.238.56.227:49601 TLS Auth Error: Auth Username/Password verification failed for peer
Wed Nov  2 10:06:40 2016 183.238.56.227:49601 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA

 

Error description: it says this command (--auth-user-pass-verify) is not allowed to run.

 

Solution:

Add this line to the server configuration file to allow the script you defined to execute.

Add the following parameter to the server.conf configuration file:

script-security 3                       ← allow user-defined scripts to be used inside the ×××