Centos 6.8安装open***.三种认证方式
Centos X64 6.8下安装Open***,三种认证方式
环境说明:
主机名称:open***01
安装版本为open***-2.3.11-1.el6.x86_64
相关资源下载连接如下:
链接:http://pan.baidu.com/s/1c2zDX5Y 密码:mooz
链接:http://pan.baidu.com/s/1bAXh6m 密码:vgq8
链接:http://pan.baidu.com/s/1qYkwty8 密码:1n32
前提条件,关闭selinux安全
# vi /etc/selinux/config
把SELINUX=enforcing 改为SELINUX=disabled后存盘退出,重启机器.
1. 安装"EPEL"源
# rpm -ivh rpmforge-release-0.5.3-1.el6.rf.x86_64.rpm
# wget http://dl.fedoraproject.org/pub/epel/6/i386/epel-release-6-8.noarch.rpm
# rpm -Uvh epel-release-6-8.noarch.rpm
2. 安装open***
# yum install lzo lzo-devel
# rpm -qa | grep lzo
lzo-devel-2.03-3.1.el6_5.1.x86_64
lzo-minilzo-2.03-3.1.el6_5.1.x86_64
lzo-2.03-3.1.el6_5.1.x86_64
# yum -y install openssl openssl-devel
# rpm -qa | grep openssl
openssl-devel-1.0.1e-48.el6_8.1.x86_64
openssl-1.0.1e-48.el6_8.1.x86_64
openssl098e-0.9.8e-20.el6.centos.1.x86_64
# yum install open*** easy-rsa
# rpm -qa | grep open***
open***-2.3.11-1.el6.x86_64
或者 wget http://dl.fedoraproject.org/pub/epel/6/x86_64/open***-2.3.11-1.el6.x86_64.rpm
3. easy-rsa配置
# mkdir -p /etc/open***/easy-rsa/keys
# cp -rf /usr/share/easy-rsa/2.0/* /etc/open***/easy-rsa/
4. 创建CA证书和密钥
# vi /etc/open***/easy-rsa/vars
# PKCS11 fixes
# export PKCS11_MODULE_PATH="dummy"
# export PKCS11_PIN="dummy"
export KEY_COUNTRY="CN"
export KEY_PROVINCE="CA"
export KEY_CITY="Dongguan"
export KEY_ORG="Fort-Funston"
export KEY_EMAIL="me@33jack.com"
export KEY_OU="33jack"
更改你自己的国家,省份,城市,邮箱等等
[root@open***01 ]# cd /etc/open***/easy-rsa
[root@open***01 easy-rsa]# cp openssl-1.0.0.cnf openssl.cnf
[root@open***01 easy-rsa]# source ./vars
NOTE: If you run ./clean-all, I will be doing a rm -rf on /usr/share/easy-rsa/2.0/keys
[root@open***01 easy-rsa]# ./clean-all
创建CA证书和密钥
[root@open***01 easy-rsa]# ./build-ca
5. 创建服务端的证书和密钥
# ./build-key-server server
6. 创建客户端的证书和密钥
# ./build-key client
7. 创建 迪菲 霍尔曼密钥交换参数
创建DH参数.此过程时间比较久,等个10分钟就好了
# ./build-dh
8、生成ta.key文件
# open*** --genkey --secret /etc/open***/easy-rsa/keys/ta.key
客户端证书秘钥:ca.crt、client.crt、client.key、ta.key(编辑open***客户端配置文件会用到)
9、更改主机名称,不然启动会报错。
# vi /etc/hosts
127.0.0.1 localhost open***01 localhost4.localdomain4
10.直接使用证书认证方式
# vi /etc/open***/server.conf
port 443
proto udp
dev tun
ca /etc/open***/easy-rsa/keys/ca.crt
cert /etc/open***/easy-rsa/keys/server.crt
key /etc/open***/easy-rsa/keys/server.key
dh /etc/open***/easy-rsa/keys/dh2048.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "dhcp-option DNS 210.0.255.250"
push "dhcp-option DNS 218.102.23.228"
push "route 10.8.0.0 255.255.255.0"
push "redirect-gateway"
duplicate-cn
keepalive 10 120
tls-auth /etc/open***/easy-rsa/keys/ta.key 0 # This file is secret
comp-lzo
persist-key
persist-tun
status open***-status.log
log /var/log/open***.log
verb 3
11、启动服务
# mkdir /var/log/open***
# service open*** start
tarting open***: /etc/init.d/open***: line 162: 328 Segmentation fault
这里可能报错,因为open***的启动脚本和发行版稍有差别,如果报错,编辑文件/etc/init.d/open***里面注释如下几行:
# Source networking configuration.
#. /etc/sysconfig/network
# Check that networking is up.
#if [ ${NETWORKING} = "no" ]
#then
# echo "Networking isdown"
# exit 0
#fi
客户端配置请参见文章http://864522.blog.51cto.com/854522/1845253
====================================================================================
一、使用Mysql pam数据库认证(认证方法一)
1、安装并建立数据库
先删除以前版本数据库
# rpm -qa | grep mysql
mysql-5.0.77-4.el5_6.6
mod_auth_mysql-3.0.0-3.2.el5_3
mysql-libs-5.1.73-3.el6_5.x86_64
# rpm -e mod_auth_mysql-3.0.0-3.2.el5_3
# rpm -e mysql-5.0.77-4.el5_6.6
# yum -y remove mysql-libs-5.1*
请按顺序删除旧版本的数据库。
rpm安装Mysql 5.7.4-m14版本,
# rpm -ivh MySQL-server-5.7.4_m14-1.el6.x86_64.rpm
# rpm -ivh MySQL-client-5.7.4_m14-1.el6.x86_64.rpm
# rpm -ivh MySQL-devel-5.7.4_m14-1.el6.x86_64.rpm
# rpm -ivh MySQL-shared-5.7.4_m14-1.el6.x86_64.rpm
# rpm -ivh MySQL-shared-compat-5.7.4_m14-1.el6.x86_64.rpm
# chown -R mysql:mysql /var/lib/mysql
注意,默认密码请到下面文件中查看
You will find that password in '/root/.mysql_secret'.
# service mysql start
# mysql -uroot -p
登录后,用下面命令设定密码为pk168007
mysql> set password=password('pk168007');
mysql> flush privileges;
mysql> quit
[root@open***01 open***]# service mysql restart
[root@open***01 open***]# chkconfig mysql on
[root@open***01 open***]# mysql -u root -p
运行以下SQL命令:
– 创建数据库
mysql> CREATE DATABASE open***;
– 切换数据库
mysql> USE open***;
创建用户,用户名open***,密码evanmis(可自行设定)
mysql>GRANT ALL ON open***.* TO 'open***'@'localhost' IDENTIFIED BY 'evanmis';
– 创建用户数据表
CREATE TABLE IF NOT EXISTS `user` (
`username` char(32) COLLATE utf8_unicode_ci NOT NULL,
`password` char(128) COLLATE utf8_unicode_ci DEFAULT NULL,
`active` int(10) NOT NULL DEFAULT '1',
`creation` timestamp NOT NULL DEFAULT CURRENT_TIMESTAMP,
`name` varchar(32) COLLATE utf8_unicode_ci NOT NULL,
`email` char(128) COLLATE utf8_unicode_ci DEFAULT NULL,
`note` text COLLATE utf8_unicode_ci,
`quota_cycle` int(10) NOT NULL DEFAULT '30',
`quota_bytes` bigint(20) NOT NULL DEFAULT '10737418240',
`enabled` int(10) NOT NULL DEFAULT '1',
PRIMARY KEY (`username`),
KEY `idx_active` (`active`),
KEY `idx_enabled` (`enabled`)
) DEFAULT CHARSET=utf8 COLLATE=utf8_unicode_ci;
-- 创建日志数据表
CREATE TABLE IF NOT EXISTS `log` (
`username` varchar(32) COLLATE utf8_unicode_ci NOT NULL,
`start_time` timestamp NOT NULL DEFAULT CURRENT_TIMESTAMP,
`end_time` timestamp NOT NULL DEFAULT '0000-00-00 00:00:00',
`trusted_ip` varchar(64) COLLATE utf8_unicode_ci DEFAULT NULL,
`trusted_port` int(10) DEFAULT NULL,
`protocol` varchar(16) COLLATE utf8_unicode_ci DEFAULT NULL,
`remote_ip` varchar(64) COLLATE utf8_unicode_ci DEFAULT NULL,
`remote_netmask` varchar(64) COLLATE utf8_unicode_ci DEFAULT NULL,
`bytes_received` bigint(20) DEFAULT '0',
`bytes_sent` bigint(20) DEFAULT '0',
`status` int(10) NOT NULL DEFAULT '1',
KEY `idx_username` (`username`),
KEY `idx_start_time` (`start_time`),
KEY `idx_end_time` (`end_time`)
) DEFAULT CHARSET=utf8 COLLATE=utf8_unicode_ci;
2、建立客户端的×××拨入帐号
登入MySQL数据库:
[root@open***01 open***]# mysql -uopen*** -p
执行以下命令:
mysql> USE open***;
mysql> INSERT INTO user(username, password) VALUES('test', ENCRYPT('123456'));
mysql> INSERT INTO user(username, password) VALUES('evan', ENCRYPT('evanmis'));
mysql> INSERT INTO user(username, password) VALUES('jack', ENCRYPT('345345'));
这样就建立好了一个用户test,密码为123456的帐号。
再查看当然数据库中的用户数量。如下
mysql> select * from user;
+----------+---------------+--------+---------------------+------+-------+------+-------------+-------------+---------+
| username | password | active | creation | name | email | note | quota_cycle | quota_bytes | enabled |
+----------+---------------+--------+---------------------+------+-------+------+-------------+-------------+---------+
| test | st3rCn.zSAbZU | 1 | 2012-05-08 08:56:24 | | NULL | NULL | 30 | 10737418240 | 1 |
| evan | bT.y7RjLv90mc | 1 | 2012-05-08 14:57:43 | | NULL | NULL | 30 | 10737418240 | 1 |
+----------+---------------+--------+---------------------+------+-------+------+-------------+-------------+---------+
2 rows in set (0.00 sec)
3、配置Open×××的PAM Mysql认证
安装pam_mysql验证安装包
[root@open***01 open***]# yum install pam_krb5 pam pam-devel
[root@open***01 open***]# rpm -ivh pam_mysql-0.7-0.12.rc1.el6.x86_64.rpm
[root@open***01 open***]# rpm -qa | grep pam_mysql
pam_mysql-0.7-0.12.rc1.el6.x86_64
并确认这个文件已经存在 /lib64/security/pam_mysql.so
[root@open***01 ~]# rpm -qa | grep pam
pam-devel-1.1.1-22.el6.x86_64
pam_mysql-0.7-0.12.rc1.el6.x86_64
fprintd-pam-0.1-22.git04fd09cfa.el6.x86_64
pam_passwdqc-1.0.5-8.el6.x86_64
pam-1.1.1-22.el6.x86_64
pam_krb5-2.3.11-9.el6.x86_64
[root@open***01 ~]# touch /etc/pam.d/open***_mysql
[root@open***01 ~]# vi /etc/pam.d/open***_mysql
auth sufficient pam_mysql.so \
user=open*** passwd=evanmis host=localhost db=open*** \
table=user usercolumn=username passwdcolumn=password \
where=active=1 sqllog=0 crypt=1
account required pam_mysql.so \
user=open*** passwd=evanmis host=localhost db=open*** \
table=user usercolumn=username passwdcolumn=password \
where=active=1 sqllog=0 crypt=1
4、测试pam验证是否成功
[root@open***01 open***]# /etc/init.d/saslauthd restart
[root@open***01 open***]# chkconfig saslauthd on
[root@open***01 open***]# testsaslauthd -u test -p 123456 -s open***_mysql
如果显示
0: OK "Success."
则说明mysql认证配置成功。否则,请根据/var/log/auth.log日志查找原因。
5、复制Open××× PAM认证模块。
注意,2.2.2版本的认证模块文件有问题,会造成帐号密码无法得到认证,所以只能用2.0.9版的生成。
[root@open***01 open***]# wget http://open***.net/release/open***-2.0.9.tar.gz
[root@open***01 open***]# tar zxvf open***-2.0.9.tar.gz
[root@open***01 open***]# cd /open***/open***-2.0.9/plugin/auth-pam/
[root@open***01 auth-pam]# make
编译生成认证模块文件open***-auth-pam.so
[root@mailserver auth-pam]# cp open***-auth-pam.so /lib64/security/
[root@open***01 open***]# vi /etc/open***/server.conf
将下面一行启用。注意:Mysql 与Radius两种认证只能启用其中一种,不能2个同时使用.
plugin /lib64/security/open***-auth-pam.so open***_mysql
==========================================================================================
二、配置Open××× PAM Radius认证模块(认证方法二)
使用Radius认证,必须事先架设一台Radius server. 相关教程,请自行找文章。
[root@open***01 open***]# mkdir /etc/raddb/
[root@open***01 open***]# wget ftp://ftp.freeradius.org/pub/radius/pam_radius-1.4.0.tar.gz
[root@open***01 open***]# tar zxvf pam_radius-1.4.0.tar.gz
[root@open***01 open***]# cd pam_radius-1.4.0
[root@open***01 pam_radius-1.4.0]# vi pam_radius_auth.conf
修改部分:
# server[:port] shared_secret timeout (s)
114.112.260.90 pk888 1
#other-server other-secret 3
备注:114.112.260.90 是radius服务器,pk888是shred共享密码,只需改一行即可。
[root@open***01 pam_radius-1.4.0]# ./configure
[root@open***01 pam_radius-1.4.0]# make
[root@open***01 pam_radius-1.4.0]# cp pam_radius_auth.so /etc/open***
[root@open***01 pam_radius-1.4.0]# cp pam_radius_auth.so /lib64/security
[root@open***01 pam_radius-1.4.0]# cp pam_radius_auth.conf /etc/raddb/server
配置PAM认证
[root@mailserver pam.d]# vi /etc/pam.d/open***_radius
account required /lib64/security/pam_radius_auth.so
auth required /lib64/security/pam_radius_auth.so
[root@mailserver software]# /etc/init.d/saslauthd restart
[root@mailserver software]# testsaslauthd -u bbb -p 456456 -s open***_radius
备注:帐号bbb,密码456456 是radius服务器114.112.260.90中建立的。
配置Open×××服务器的配置文件,注意与以前的Mysql认证相比,只是更改了一行。即下面红色的那一行
# vi /etc/server.conf
dev tun
proto udp
port 443
management 127.0.0.1 7505
sndbuf 409600
rcvbuf 409600
mssfix
cipher BF-CBC
ca /etc/open***/easy-rsa/keys/ca.crt
cert /etc/open***/easy-rsa/keys/server.crt
key /etc/open***/easy-rsa/keys/server.key
dh /etc/open***/easy-rsa/keys/dh2048.pem
#tls -auth /etc/open***/easy-rsa/ta.key 0
push "dhcp-option DNS 210.0.255.250"
push "dhcp-option DNS 218.102.23.228"
push "route 10.8.0.0 255.255.255.0"
push "redirect-gateway"
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
keepalive 10 60
persist-key
persist-tun
comp-lzo
duplicate-cn
log /var/log/open***.log
status /var/log/open***-status.log
verb 3
#mute 5
# user/pass auth from Mysql
#plugin /lib64/security/open***-auth-pam.so open***_mysql
# user/pass auth from Radius
plugin /etc/open***/open***-auth-pam.so open***_radius
client-cert-not-required
username-as-common-name
auth-nocache
备注:push "redirect-gateway" 表示所有用户端流量都走×××出去。
6) 设置IP包转发:
a) 关闭服务器、防火墙上所有对SSH(22)、open***(443)的拦截。
b) [root@open***01 open***]#vi /etc/sysctl.conf
将 net.ipv4.ip_forward = 1 值改为1.
[root@open***01 open***]# sysctl -p
7) 导入防火墙配置文件iptables(附件中),再重起服务。
[root@open***01 open***]# service iptables restart
[root@open***01 open***]# chkconfig saslauthd on
==========================================================
交流QQ:1564778559
转载于:https://blog.51cto.com/liwenhn/1845530