Open××× 使用"用户名/密码"登录验证

最新推荐文章于 2020-12-06 13:44:09 发布

D_SJ

最新推荐文章于 2020-12-06 13:44:09 发布

阅读量789

点赞数

文章标签： python 数据库开发工具

原文链接：http://blog.51cto.com/ljl2013/1359433

版权

Open××× 使用"用户名/密码"登录验证

一．环境简介：

服务器：CentOS 5.7 64位

外网IP地址： 183.60.xxx.xxx

内网IP地址： 10.20.10.209

客户端：win7

所需软件：

open***-2.0.9.tar.gz http://open***.net/release/open***-2.0.9.tar.gz

open***-2.0.9-gui-1.0.3-install.exe 客户端安装使用

lzo-2.03.tar.gz http://www.oberhumer.com/opensource/lzo/download/lzo-2.03.tar.gz

openssl 为CentOS 5.7 自带

pam_mysql-0.7RC1.tar.gz

http://ncu.dl.sourceforge.net/project/pam-mysql/pam-mysql/0.7RC1/pam_mysql-0.7RC1.tar.gz

mysql-5.1.60.tar.gz

http://soft.vpser.net/datebase/mysql/mysql-5.1.60.tar.gz<?xml:namespace prefix="o">?xml:namespace>

二．配置类型

Open××× Server 路由模式+口令认证+mysql

连接方式采用路由，认证方式采用mysql认证，虚拟设备使用tun

三．配置过程

1. 安装 Mysql

采用源码包的方式编译mysql，具体过程略

配置参数可以参考如下：

tar zxvf mysql-5.1.60.tar.gz

cd mysql-5.1.60

./configure --prefix=/usr/local/mysql --with-extra-charsets=complex \

--enable-thread-safe-client --enable-assembler \

--with-mysqld-ldflags=-all-static --with-charset=utf8 \

--enable-thread-safe-client --with-big-tables --with-readline \

--with-ssl --with-embedded-server --enable-local-infile

make && make install

groupadd mysql

useradd -s /sbin/nologin -M -g mysql mysql

cp /usr/local/mysql/share/mysql/my-medium.cnf /etc/my.cnf

sed -i 's/skip-locking/skip-external-locking/g' /etc/my.cnf

/usr/local/mysql/bin/mysql_install_db --user=mysql

chown -R mysql /usr/local/mysql/var

chgrp -R mysql /usr/local/mysql/.

cp /usr/local/mysql/share/mysql/mysql.server /etc/init.d/mysqld

chmod 755 /etc/init.d/mysqld

cat > /etc/ld.so.conf.d/mysql.conf<<EOF

/usr/local/mysql/lib/mysql

/usr/local/lib

EOF

ldconfig

ln -s /usr/local/mysql/lib/mysql /usr/lib/mysql

ln -s /usr/local/mysql/include/mysql /usr/include/mysql

/etc/init.d/mysqld start

ln -s /usr/local/mysql/bin/mysql /usr/bin/mysql

ln -s /usr/local/mysql/bin/mysqldump /usr/bin/mysqldump

ln -s /usr/local/mysql/bin/myisamchk /usr/bin/myisamchk

2. 配置mysql创建数据库

以管理员身份登录数据库：

mysql>create database ***;

mysql>grant all on ***.* to ***@'10.20.10.209' identified by '***123';

mysql>flush privileges;

mysql>use ***;

mysql>create table ***user(

->name char(20) NOT NULL,

->password char(128) default NULL,

->active int(10) NOT NULL DEFAULT 1,

->PRIMARY KEY(name)

->);

插入测试账户：

mysql>insert into ***user(name,password) values('test',md5('test'));

3. 配置Open××× 和pam_mysql模块

安装pam_mysql模块使用mysql数据库存储用户数据。

解压：tar zxvf pam_mysql-0.7RC1.tar.gz

cd pam_mysql-0.7RC1

./configure --with-openssl

make

cp .libs/pam_mysql.so /lib/security/

创建/etc/pam.d/open***文件，文件内容如下：

vim /etc/pam.d/open***

auth sufficient /lib/security/pam_mysql.so user=*** passwd=***123 host=10.20.10.209 db=*** table=***user usercolumn=name passwdcolumn=password where=active=1 sqllog=0 crypt=3 verbose=1
account required /lib/security/pam_mysql.so user=*** passwd=***123 host=10.20.10.209 db=*** table=***user usercolumn=name passwdcolumn=password where=active=1 sqllog=0 crypt=3 verbose=1

该文件可以根据后续需求变更

下面检查pam_mysql是否正常工作,先检查saslauthd是否安装：

#rpm -qa|grep sasl

[root@***server ~]# rpm -qa|grep sasl
cyrus-sasl-lib-2.1.22-5.el5_4.3
cyrus-sasl-plain-2.1.22-5.el5_4.3
cyrus-sasl-2.1.22-5.el5_4.3
cyrus-sasl-devel-2.1.22-5.el5_4.3
cyrus-sasl-devel-2.1.22-5.el5_4.3
cyrus-sasl-lib-2.1.22-5.el5_4.3
cyrus-sasl-plain-2.1.22-5.el5_4.3

有cyrus-sas1-2.1.22就可以了

然后启动

/etc/rc.d/init.d/saslauthd start

同时加入/etc/rc.local

执行下面语句若如下显示就正常。说明pam_mysql没有问题可以配置Open×××服务器了。

[root@***server ~]# /usr/sbin/testsaslauthd -u test -p test -s open***
0: OK "Success."

安装Open×××:

首先检查是否安装openssl，如果没装用yum安装吧。

解压：tar zxvf lzo-2.03.tar.gz

cd lzo-2.03

./configure

make

make install

解压：tar -zxvf open***-2.0.9.tar.gz

cd open***-2.0.9

./configure –prefix=/usr/local/open***

make

make install

创建必要目录

mkdir /usr/local/open***/{etc,html,log}

mkdir /usr/local/open***/html/ccd

使用TUN/TAP kernel module：

执行modprobe tun

并加入/etc/rc.local

启用IP转发和设置iptables SNAT：

echo 1 > /proc/sys/net/ipv4/ip_forward

iptables -t nat -A POSTROUTING -s 172.16.0.0/24 -d 10.20.10.0/24 -j SNAT --to-source 10.20.10.209

配置××× Server：

cd /root/open***-2.0.9/easy-rsa

vim vars

修改vars 文件
-----------------------------------------
# 定义你所在的国家，2个字符
export KEY_COUNTRY=CN
# 你所在的省份
export KEY_PROVINCE=SHANGHAI
# 你所在的城市
export KEY_CITY=SHANGHAI
# 你所在的组织
export KEY_ORG="Open××× ORG"
# 你的邮件地址
export KEY_EMAIL=" taylor_ge@staff.woyo.com"

#使修改的环境变量生效
[root@***server easy-rsa]# source ./vars
NOTE: when you run ./clean-all, I will be doing a rm -rf on /root/open***-2.0.9/easy-rsa/keys
[root@***server easy-rsa]# ./clean-all #初始化keys目录
[root@*** /etc/open***/easy-rsa]# ./clean-all

#生成Root CA证书，用于签发Server和Client证书，请保护好keys/ca.key文件。
[root@***server easy-rsa]# ./build-ca
Generating a 1024 bit RSA private key
.....++++++
.........++++++
writing new private key to 'ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [SHANGHAI]:
Locality Name (eg, city) [SHANGHAI]:
Organization Name (eg, company) [Open××× ORG]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:
Email Address [taylor_ge@staff.woyo.com]:

#查看生成的证书

[root@***server easy-rsa]# ll keys
total 12
-rw-r--r-- 1 root root 1180 Aug 22 17:22 ca.crt
-rw------- 1 root root 887 Aug 22 17:22 ca.key
-rw-r--r-- 1 root root 0 Aug 22 17:21 index.txt
-rw-r--r-- 1 root root 3 Aug 22 17:21 serial

#我们可以看到ca.crt ca.key文件已经生成了。
#下面我们为服务器生成 Diffie-Hellman 文件

[root@***server easy-rsa]# ./build-dh
Generating DH parameters, 1024 bit long safe prime, generator 2
This is going to take a long time
...........................+.................................................................................................+......................................................................+....................+.+..............+........+.......................................................................................+..............................................................................................+................................+...+...................................................+............+..................................................+............................................................+..............................................+..............................+...............................+............................................................+....................+............+......................................+..............+................................................................+....+........................+......................................................................................................+......+......................................+.............................................................................................................................+........................................................+................................................................................................+......................................+................................................................................+.........................+............................................+.................................+......................+.......+.......+..++*++*++*

#创建并签发××× Server使用的CA

[root@***server easy-rsa]# ./build-key-server server
Generating a 1024 bit RSA private key
........................++++++
...........................++++++
writing new private key to 'server.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [SHANGHAI]:
Locality Name (eg, city) [SHANGHAI]:
Organization Name (eg, company) [Open××× ORG]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:woyo
Email Address [taylor_ge@staff.woyo.com]:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /root/open***-2.0.9/easy-rsa/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName :PRINTABLE:'CN'
stateOrProvinceName :PRINTABLE:'SHANGHAI'
localityName :PRINTABLE:'SHANGHAI'
organizationName :PRINTABLE:'Open××× ORG'
commonName :PRINTABLE:'woyo'
emailAddress :IA5STRING:'taylor_ge@staff.woyo.com'
Certificate is to be certified until Aug 20 09:27:16 2022 GMT (3650 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

#一路回车，common name 需要输入一个名称，后面两个选择都选择y

为防止恶意***（如DOS、UDP port flooding），我们生成一个"HMAC firewall"

/usr/local/open***/sbin/open*** --genkey --secret keys/ta.key

#把生成的key拷贝到/usr/local/open***/etc/

cd /root/open***-2.0.9/easy-rsa/keys

cp ca.crt dh1024.pem server.crt server.key /usr/local/open***/etc/

#创建服务端配置文件

vim /usr/local/open***/etc/server.conf

port 1194
proto tcp
dev tun
ca /usr/local/open***/etc/ca.crt
cert /usr/local/open***/etc/server.crt
key /usr/local/open***/etc/server.key
dh /usr/local/open***/etc/dh1024.pem

server 172.16.0.0 255.255.0.0

push "route 172.16.0.0 255.255.0.0"
push "route 10.20.0.0 255.255.0.0"
;push "dhcp-option DNS 211.99.190.33"
;push "dhcp-option DNS 211.136.107.168"
;push "redirect-gateway"

client-config-dir /usr/local/open***/html/ccd
;route 10.0.0.0 255.255.255.0

duplicate-cn
keepalive 10 120
tls-auth /usr/local/open***/etc/ta.key 0
comp-lzo
max-clients 100
user nobody
group nobody
persist-key
persist-tun
status /usr/local/open***/log/open***-status.log
log /usr/local/open***/log/open***.log
log-append /usr/local/open***/log/open***-append.log
verb 4
plugin /usr/local/open***/etc/open***-auth-pam.so open***
client-cert-not-required

username-as-common-name

#立即启动openen***

/usr/local/open***/sbin/open*** --daemon --config /usr/local/open***/etc/server.conf

#检查是否启动成功：

[root@***server log]# lsof -i :1194
COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
open*** 20216 nobody 5u IPv4 97292 TCP *:open*** (LISTEN)

4.客户端安装

配置Open××× windows客户端

a)安装open***-2.0.9-gui-1.0.3-install.exe

然后将刚才生成的ca.crt ta.key这两个文件从服务器上下载下来放进Open×××的conf文件夹

创建open***客户端配置文件***.o***

client
dev tun
proto tcp
remote 183.60.xxx.xxx 1194
remote-random
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
auth-user-pass
ns-cert-type server
tls-auth ta.key 1
comp-lzo
verb 4
route-method exe
route-delay 2

（请根据实际情况修改）

注：有很多朋友不知道open***-auth-pam.so这个文件怎么来的，这个是在open***的安装包下面plugin/auth-pam目录下面make产生的，根据你的配置文件拷贝到相应目录即可。

运行open***客户端，进行测试…

本文出自 “网事” 博客，请务必保留此出处http://gxjluck.blog.51cto.com/1211751/763962

附件下载：
　　open***.init启动脚本

转载于:https://blog.51cto.com/ljl2013/1359433

D_SJ

关注

0
点赞
踩
0

收藏

觉得还不错? 一键收藏
0
评论
Open××× 使用"用户名/密码"登录验证

Open×××使用"用户名/密码"登录验证一．环境简介：服务器：CentOS5.764位外网IP地址：183.60.xxx.xxx内网IP地址：10.20.10.209客户端：win7所需软件：open***-2.0.9.tar.gzhttp://open***.net/release/open***-2.0.9.tar.gzopen***-2.0.9-gui-1...
复制链接

扫一扫