ss5 mysql radius_SS5+MYSQL

1. Install SS5:

# tar -zxvf ss5-3.6.4-3.tar.gz

# cd ss5-3.6.4-3

# ./configure

# make

# make install

# cp conf/ss5.conf conf/ss5.passwd /etc/opt/ss5/

# vi /etc/init.d/ss5

The stock startup script contains an error: change the "if" on line 34 to "elif".

2. Configure SS5:

# vi /etc/opt/ss5/ss5.conf

============+============+============

# Enable user authentication and limit bandwidth:

set SS5_DNSORDER

set SS5_PAM_AUTH

auth 0.0.0.0/0 - u

permit - 0.0.0.0/0 - 0.0.0.0/0    -     -       -       10240   -

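# To authenticate different users and give each set its own bandwidth limit, create two files named user and file in the /etc/opt/ss5 directory; each file contains the usernames to be authenticated: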

permit  - 0.0.0.0/0  -  0.0.0.0/0   -       -       user    10240   -

permit  - 0.0.0.0/0  -  0.0.0.0/0   -       -       file    102400   -

============+============+============

3. Configure PAM authentication:

# vi /etc/pam.d/ss5

============+============+============

auth       optional     /usr/lib/security/pam_mysql.so user=ss5 \
           passwd=121212 host=localhost db=ss5 table=user \
           usercolumn=username passwdcolumn=passwd crypt=2

account    required     /usr/lib/security/pam_mysql.so user=ss5 \
           passwd=121212 host=localhost db=ss5 table=user \
           usercolumn=username passwdcolumn=passwd crypt=2

============+============+============

4. Install PAM_MYSQL:

# tar -zxvf pam_mysql-0.7RC1.tar.gz

# cd pam_mysql-0.7RC1

# ./configure --with-openssl --with-mysql=/usr/local/mysql

# make

# make install

# echo "/usr/lib/security" >> /etc/ld.so.conf

# ldconfig

5. Create the database:

# mysqladmin -u root -pmysqldbserver create ss5

# mysql -u root -pmysqldbserver

mysql> use ss5;

mysql> GRANT ALL PRIVILEGES ON ss5.* TO 'ss5'@'localhost' IDENTIFIED BY '121212';

mysql> CREATE TABLE user (ID int not null auto_increment,USERNAME varchar(64), PASSWD varchar(255), primary key(ID) );

6. Add a test user:

mysql> insert into user (username,passwd) values ('test',password('1234'));
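
An added example, not part of the original post: with crypt=2, pam_mysql checks logins against MySQL PASSWORD() values, which on MySQL 4.1 and later are "*" followed by the hex of SHA1(SHA1(password)), with no salt. The Python sketch below reproduces that format and audits rows shaped like the user table above; the function names and sample rows are constructed for illustration, and the 4.1+ hash format is an assumption about the server in use.

```python
import hashlib
import re
from collections import defaultdict

def mysql41_password(plaintext: str) -> str:
    """MySQL 4.1+ PASSWORD(): '*' + upper-case hex of SHA1(SHA1(plaintext))."""
    inner = hashlib.sha1(plaintext.encode("utf-8")).digest()
    return "*" + hashlib.sha1(inner).hexdigest().upper()

# Shapes of passwd-column values and the pam_mysql crypt= mode each implies.
FORMATS = [
    (re.compile(r"\*[0-9A-Fa-f]{40}"), "crypt=2 (MySQL 4.1+ PASSWORD(), unsalted)"),
    (re.compile(r"[0-9A-Fa-f]{16}"), "crypt=2 (pre-4.1 PASSWORD(), obsolete)"),
    (re.compile(r"[0-9A-Fa-f]{32}"), "crypt=3 (plain MD5, unsalted)"),
    (re.compile(r"[0-9A-Fa-f]{40}"), "crypt=4 (plain SHA1, unsalted)"),
    (re.compile(r"\$\w+\$.+"), "crypt=1 (salted crypt(3))"),
]

def classify(stored: str) -> str:
    """Name the storage format a passwd value matches."""
    for pattern, label in FORMATS:
        if pattern.fullmatch(stored):
            return label
    return "crypt=0 (plaintext) or unknown"

def audit(rows):
    """rows: iterable of (username, passwd). Returns (formats, shared).
    shared maps a stored value to every user holding it; identical
    unsalted hashes mean identical passwords."""
    formats, by_value = {}, defaultdict(list)
    for username, passwd in rows:
        formats[username] = classify(passwd)
        by_value[passwd].append(username)
    shared = {v: users for v, users in by_value.items() if len(users) > 1}
    return formats, shared

# Constructed sample rows, shaped like the page's `user` table.
SAMPLE_ROWS = [
    ("test", mysql41_password("1234")),
    ("alice", mysql41_password("1234")),        # same password as test
    ("bob", mysql41_password("correct horse")),
    ("legacy", "123456"),                        # plaintext left in the column
]

if __name__ == "__main__":
    formats, shared = audit(SAMPLE_ROWS)
    for user, fmt in formats.items():
        print(f"{user:8} {fmt}")
    for value, users in shared.items():
        print("same password:", ", ".join(users), value)
```

Because the hash is unsalted, anyone who can read the table sees at a glance which accounts share a password; the salted crypt(3) mode (crypt=1) avoids that.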

7. Appendix:

Example 3, a case study

In the following case, ss5 works with:

1. PAM authentication using pam_winbind.so

2. Directory authorization with multiple userstore (Active Directory)

3. Authentication cache enable

4. Authorization cache enable

5. Netbios domain support

6. Proxy upstream through other socks server

7. Traffic dump to file

auth 0.0.0.0/0 - u

# Enable PAM authentication

set SS5_PAM_AUTH

# Set session timeout

set SS5_STIMEOUT 3600

# Enable Cache for authentication for 600 seconds

# set SS5_AUTHCACHEAGE 600

# Enable Cache for authorization for 600 seconds

# set SS5_AUTHOCACHEAGE 600

# Enable directory authorization with filter mode

set SS5_LDAP_FILTER

# Enable netbios domain mapping with directory

# ( socks username in the form: domainA\user1 )

set SS5_NETBIOS_DOMAIN

# Dump traffic data to file for connections through an Oracle db server

dump 182.10.10.20/32 1521 1

# Upstream proxy for 162.10.10.0 network

proxy 162.10.10.0/24 - 10.10.10.20 1080 -

# Permit http access to user who belong to WEB group into Active Directory

#Auth SHost SPort DHost DPort Fixup Group Band

permit u 0.0.0.0/0 - 182.10.0.0/16 80 - CN=WEB,CN=Users,DC=subDomainA,DC=DomainA,DC=it -

permit u 0.0.0.0/0 - 182.10.0.0/16 80 - CN=WEB,CN=Users,DC=subDomainB,DC=DomainB,DC=it -

# Netbios domain (in case of MSdomainA\userA)

ldap_profile_ip 162.10.20.1

ldap_profile_port 389

ldap_profile_base DC=subDomainA,DC=DomainA,DC=it

ldap_profile_filter cn

ldap_profile_attribute MemberOf

ldap_profile_dn CN=userReader,cn=Users,DC=subDomainA,DC=DomainA,DC=it

ldap_profile_pass password

ldap_netbios_domain MSDomainA

# Netbios domain (in case of MSdomainB\userB)

ldap_profile_ip 162.10.30.1

ldap_profile_port 389

ldap_profile_base DC=subDomainB,DC=DomainB,DC=it

ldap_profile_filter cn

ldap_profile_attribute MemberOf

ldap_profile_dn CN=userReader,cn=Users,DC=subDomainB,DC=DomainB,DC=it

ldap_profile_pass password

ldap_netbios_domain MSdomainB

Authenticating with a password file:

# vi /etc/opt/ss5/ss5.passwd

test  123456

llzqq  123456
