OpenVPN: configuring username/password authentication against a text file
1. The base environment has already been set up; see the following link for the deployment steps:
http://11012498.blog.51cto.com/11002498/1868352
2. Edit the server-side configuration file server.conf
[root@web1 openvpn]# cat server.conf
local 192.168.1.9
port 52115
proto tcp
dev tun
ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/server.crt
key /etc/openvpn/keys/server.key
dh /etc/openvpn/keys/dh1024.pem
server 10.8.0.0 255.255.255.0
push "route 192.168.1.0 255.255.255.0"
ifconfig-pool-persist ipp.txt
keepalive 10 120
comp-lzo
persist-key
persist-tun
status openvpn-status.log
verb 3
client-to-client
duplicate-cn
log /var/log/openvpn.log
#push "dhcp-option DNS 10.8.0.81" # this block is the optional full-tunnel/DNS push configuration, left commented out
#push "redirect-gateway def1 bypass-dhcp bypass-dns"
#push "dhcp-option DNS 8.8.8.8"
#push "dhcp-option DNS 8.8.4.4"
script-security 3 # allow user-defined scripts to run inside OpenVPN; level 3 (not 2) is required so that via-env may hand the password to the script
auth-user-pass-verify /etc/openvpn/checkpsw.sh via-env
client-cert-not-required
username-as-common-name
Notes on this configuration: client-cert-not-required disables client certificate checks entirely, so the password file becomes the only thing standing between the Internet and the VPN (the server still presents its own certificate, which the client verifies). via-env exposes the password to the script through an environment variable; via-file writes it to a temporary file instead, and either way the script must be kept from logging it. duplicate-cn together with username-as-common-name lets any number of clients log in at once with the same username. These directives work on OpenVPN 2.2.2, but client-cert-not-required and the client-side ns-cert-type were removed in OpenVPN 2.5 (their replacements are verify-client-cert none and remote-cert-tls server), and dh1024.pem should be replaced by a group of at least 2048 bits.
Now set up the script that auth-user-pass-verify calls, /etc/openvpn/checkpsw.sh,
and make it executable: chmod +x /etc/openvpn/checkpsw.sh
[root@web1 openvpn]# cat /etc/openvpn/checkpsw.sh
#!/bin/sh
###########################################################
# checkpsw.sh (C) 2004 Mathias Sundman <mathias@openvpn.se>
#
# This script will authenticate OpenVPN users against
# a plain text file. The passfile should simply contain
# one row per user with the username first followed by
# one or more space(s) or tab(s) and then the password.
#
# With "auth-user-pass-verify ... via-env" OpenVPN exports
# $username and $password into the environment and accepts
# the login when this script exits 0.
PASSFILE="/etc/openvpn/psw-file"
LOG_FILE="/var/log/openvpn-password.log"
TIME_STAMP=`date "+%Y-%m-%d %T"`
###########################################################
if [ ! -r "${PASSFILE}" ]; then
echo "${TIME_STAMP}: Could not open password file \"${PASSFILE}\" for reading." >> ${LOG_FILE}
exit 1
fi
# Hand the username to awk with -v rather than splicing it into the
# program text, so a quote or operator in the supplied username cannot
# change the awk program. Lines starting with ; or # are comments.
CORRECT_PASSWORD=`awk -v user="${username}" '!/^;/ && !/^#/ && $1==user {print $2; exit}' ${PASSFILE}`
if [ "${CORRECT_PASSWORD}" = "" ]; then
echo "${TIME_STAMP}: User does not exist: username=\"${username}\"." >> ${LOG_FILE}
exit 1
fi
if [ "${password}" = "${CORRECT_PASSWORD}" ]; then
echo "${TIME_STAMP}: Successful authentication: username=\"${username}\"." >> ${LOG_FILE}
exit 0
fi
# Record the failure but never the submitted password: the log would
# otherwise collect near-miss passwords in cleartext.
echo "${TIME_STAMP}: Incorrect password: username=\"${username}\"." >> ${LOG_FILE}
exit 1
Next comes the password file /etc/openvpn/psw-file; from now on user accounts and passwords go in here.
Restrict it to the owner only: chmod 400 /etc/openvpn/psw-file
cat /etc/openvpn/psw-file
oldboy 111111
test 111111
Two caveats: the passwords are stored in cleartext, so the file is only as safe as root access to the box, and the 111111 values above are demo passwords, not something to keep in production. The file is readable here because this server.conf has no user/group directives, so OpenVPN (and the script) still run as root; if you later drop privileges with user nobody, the script runs as that user and will fail to read a 0400 root-owned file.
Next is the client configuration.
The client file is abu.ovpn:
client
dev tun
proto tcp
remote 58.67.159.47 52115
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
#cert abu.crt # the old certificate-based client authentication, switched off
#key abu.key
ns-cert-type server # makes the client verify that the server's certificate is a server certificate (remote-cert-tls server on OpenVPN 2.4 and later)
comp-lzo
verb 3
auth-user-pass ← log in with username/password verification
OK, then simply test the connection.
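As an added example, not code from the original post or from OpenVPN's own sample scripts, here is a drop-in replacement for checkpsw.sh that keeps the same call convention (auth-user-pass-verify /etc/openvpn/checkpsw.py via-env with script-security 3, so that username and password arrive in the environment and exit status 0 accepts the login) but stores salted PBKDF2-HMAC-SHA256 hashes instead of cleartext passwords, compares digests in constant time, runs the hash even for unknown users so response time does not reveal which accounts exist, and never writes a submitted password to the log. The path /etc/openvpn/psw-file, the record format "user iterations$salt$hash" and the hash subcommand are assumptions of this example, not part of OpenVPN.

```python
#!/usr/bin/env python3
"""OpenVPN auth-user-pass-verify script backed by salted PBKDF2 hashes.

Assumed deployment (example, not part of OpenVPN):
    auth-user-pass-verify /etc/openvpn/checkpsw.py via-env
    script-security 3
OpenVPN exports $username and $password; exit 0 accepts, 1 rejects.

Password file format (assumed), one record per line, # or ; comments:
    <username> <iterations>$<salt_hex>$<hash_hex>
"""
import getpass
import hashlib
import hmac
import os
import sys

PASSFILE = "/etc/openvpn/psw-file"  # assumed path, same as the post
ITERATIONS = 200_000
SALT_BYTES = 16
DIGEST_BYTES = 32  # SHA-256 output length


def make_entry(username, password, iterations=ITERATIONS, salt=None):
    """Return one password-file line. A fixed salt is only for tests."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{username} {iterations}${salt.hex()}${digest.hex()}"


def parse_passfile(text):
    """Map username -> (iterations, salt, digest).

    Comment, blank and malformed lines are skipped rather than crashing
    the script, because a crash rejects every login."""
    users = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#;":
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        name, spec = parts
        try:
            iters, salt_hex, hash_hex = spec.split("$")
            users[name] = (int(iters), bytes.fromhex(salt_hex), bytes.fromhex(hash_hex))
        except ValueError:
            continue
    return users


def verify(users, username, password):
    """True only if the user exists and the password matches.

    Unknown users get a dummy record so the PBKDF2 work is done either
    way; the final comparison is constant time via hmac.compare_digest."""
    record = users.get(username)
    known = record is not None
    if not known:
        record = (ITERATIONS, b"\x00" * SALT_BYTES, b"\x00" * DIGEST_BYTES)
    iters, salt, expected = record
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iters)
    return known and hmac.compare_digest(digest, expected)


def main():
    # "checkpsw.py hash <user>" prints a record; the password is prompted
    # for so it never appears on the command line or in shell history.
    if len(sys.argv) == 3 and sys.argv[1] == "hash":
        print(make_entry(sys.argv[2], getpass.getpass("password: ")))
        return
    username = os.environ.get("username", "")
    password = os.environ.get("password", "")
    try:
        with open(PASSFILE, encoding="utf-8") as f:
            users = parse_passfile(f.read())
    except OSError as exc:
        print(f"cannot read {PASSFILE}: {exc}", file=sys.stderr)
        sys.exit(1)
    if verify(users, username, password):
        print(f"auth ok: username={username!r}", file=sys.stderr)  # never log the password
        sys.exit(0)
    print(f"auth failed: username={username!r}", file=sys.stderr)
    sys.exit(1)


if __name__ == "__main__":
    main()
```

Create a record with "python3 checkpsw.py hash oldboy >> /etc/openvpn/psw-file" (the password is prompted for), point auth-user-pass-verify at the script, keep script-security 3, and the file permissions advice above still applies: the hashes are salted and slow to brute-force, but the file should still be 0400 and owned by the user OpenVPN runs the script as.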
A serious error hit during deployment (important)
OpenVPN 2.2.2: local password verification failing, and the fix
The solution turned up by Google:
http://bbs.chinaunix.net/thread-1680296-1-1.html
When a client dials in, the server log shows the following:
cat /var/log/openvpn.log
Wed Nov 2 10:06:39 2016 183.238.56.227:49601 WARNING: Failed running command (--auth-user-pass-verify): external program fork failed
Wed Nov 2 10:06:39 2016 183.238.56.227:49601 TLS Auth Error: Auth Username/Password verification failed for peer
Wed Nov 2 10:06:40 2016 183.238.56.227:49601 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA
What the error means: OpenVPN refused to execute the external program given to
(--auth-user-pass-verify)
Since OpenVPN 2.1 the default script-security level is 1, which permits only built-in executables, so the user-supplied script is never forked, verification cannot succeed, and every login is rejected.
Fix:
Add the following line to the server configuration file so that the script you defined is allowed to execute.
Add this parameter to server.conf:
script-security 3 ← allow user-defined scripts to run inside OpenVPN (level 2 would allow the script itself, but level 3 is needed so that via-env may pass the password to it)
Reposted from: https://blog.51cto.com/11012498/1868388