Open××× login authentication with "username/password"

I. Environment overview:

Server: CentOS 5.7 64-bit
Public IP address: 183.60.xxx.xxx
Internal IP address: 10.20.10.209
Client: Win7
Required software:
open***-2.0.9-gui-1.0.3-install.exe  (client installer)
openssl (bundled with CentOS 5.7)
pam_mysql-0.7RC1.tar.gz
mysql-5.1.60.tar.gz
Open××× Server: routed mode + password authentication + MySQL
Routed connection, MySQL-backed authentication, tun virtual device
 
1. Install MySQL
MySQL is built from the source tarball; the detailed steps are omitted here.
The configure options can be based on the following:
tar zxvf mysql-5.1.60.tar.gz
cd mysql-5.1.60
 
./configure --prefix=/usr/local/mysql --with-extra-charsets=complex \
--enable-thread-safe-client --enable-assembler \
--with-mysqld-ldflags=-all-static --with-charset=utf8 \
--enable-thread-safe-client --with-big-tables --with-readline \
--with-ssl --with-embedded-server --enable-local-infile 
make && make install
groupadd mysql
useradd -s /sbin/nologin -M -g mysql mysql
cp /usr/local/mysql/share/mysql/my-medium.cnf /etc/my.cnf
sed -i 's/skip-locking/skip-external-locking/g' /etc/my.cnf
/usr/local/mysql/bin/mysql_install_db --user=mysql
chown -R mysql /usr/local/mysql/var
chgrp -R mysql /usr/local/mysql/.
cp /usr/local/mysql/share/mysql/mysql.server /etc/init.d/mysqld
chmod 755 /etc/init.d/mysqld
 
cat > /etc/ld.so.conf.d/mysql.conf<<EOF
/usr/local/mysql/lib/mysql
/usr/local/lib
EOF
ldconfig
ln -s /usr/local/mysql/lib/mysql /usr/lib/mysql
ln -s /usr/local/mysql/include/mysql /usr/include/mysql
/etc/init.d/mysqld start
 
ln -s /usr/local/mysql/bin/mysql /usr/bin/mysql
ln -s /usr/local/mysql/bin/mysqldump /usr/bin/mysqldump
ln -s /usr/local/mysql/bin/myisamchk /usr/bin/myisamchk
 
 
2. Configure MySQL and create the database
Log in to the database as an administrator:
 mysql>grant all on ***.* to ***@'10.20.10.209' identified by '***123';
mysql>flush privileges;
mysql>use ***;
                  
mysql>create table ***user(
         ->name char(20) NOT NULL,
         ->password char(128) default NULL,
         ->active int(10) NOT NULL DEFAULT 1,
         ->PRIMARY KEY(name)
         ->);
Insert a test account:
mysql>insert into ***user(name,password) values('test',md5('test'));
 
3. Configure Open××× and the pam_mysql module
Install the pam_mysql module so that user data is stored in the MySQL database.
Extract: tar zxvf pam_mysql-0.7RC1.tar.gz
    cd pam_mysql-0.7RC1
    ./configure --with-openssl
    make
    cp .libs/pam_mysql.so /lib/security/
 
 
Create the file /etc/pam.d/open*** with the following content:
vim /etc/pam.d/open***
auth sufficient /lib/security/pam_mysql.so user=*** passwd=***123 host=10.20.10.209 db=*** table=***user usercolumn=name passwdcolumn=password where=active=1 sqllog=0 crypt=3 verbose=1
account required /lib/security/pam_mysql.so user=*** passwd=***123 host=10.20.10.209 db=*** table=***user usercolumn=name passwdcolumn=password where=active=1 sqllog=0 crypt=3 verbose=1
 
This file can be adjusted later as requirements change.
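The two pam_mysql lines above tell the module which column to read and how the stored value is encoded: `crypt=3` means the column holds the lowercase hex MD5 digest that MySQL's `md5()` produced in step 2, and `where=active=1` excludes disabled accounts. The following is an added example (not code from the post or from pam_mysql) that mirrors that lookup against an in-memory copy of the table so the behaviour can be checked offline; the table name `login_user` is a placeholder for the post's `***user`, and sqlite3 stands in for MySQL.

```python
import hashlib
import hmac
import sqlite3

# Constructed stand-in for the post's table (name, password, active); sqlite3 instead of MySQL.
SCHEMA = """
CREATE TABLE login_user (
    name     TEXT PRIMARY KEY,
    password TEXT,
    active   INTEGER NOT NULL DEFAULT 1
)
"""


def md5_hex(password: str) -> str:
    """MySQL md5() stores the lowercase hex digest; pam_mysql crypt=3 compares against exactly this."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def make_db() -> sqlite3.Connection:
    """Build the table with the post's test account plus a disabled account (constructed data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    conn.execute("INSERT INTO login_user(name, password) VALUES (?, ?)",
                 ("test", md5_hex("test")))
    conn.execute("INSERT INTO login_user(name, password, active) VALUES (?, ?, 0)",
                 ("olduser", md5_hex("olduser")))
    conn.commit()
    return conn


def pam_mysql_auth(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Same decision pam_mysql makes with usercolumn=name, passwdcolumn=password,
    where=active=1 and crypt=3: look up the active row, hash the supplied
    password with MD5 and compare the hex strings (constant-time compare here)."""
    row = conn.execute(
        "SELECT password FROM login_user WHERE name = ? AND active = 1", (username,)
    ).fetchone()
    if row is None or row[0] is None:
        return False
    return hmac.compare_digest(row[0], md5_hex(password))


if __name__ == "__main__":
    db = make_db()
    print("test/test     ->", pam_mysql_auth(db, "test", "test"))
    print("test/wrong    ->", pam_mysql_auth(db, "test", "wrong"))
    print("olduser (inactive) ->", pam_mysql_auth(db, "olduser", "olduser"))
```

Because crypt=3 is an unsalted MD5 of the password, the stored value is the same for every account with the same password; a practitioner would keep that in mind when deciding who may read the table and the /etc/pam.d file that carries the database password.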
 
Next, check that pam_mysql works correctly. First check whether saslauthd is installed:
[root@***server ~]# rpm -qa|grep sasl
cyrus-sasl-lib-2.1.22-5.el5_4.3
cyrus-sasl-plain-2.1.22-5.el5_4.3
cyrus-sasl-2.1.22-5.el5_4.3
cyrus-sasl-devel-2.1.22-5.el5_4.3
cyrus-sasl-devel-2.1.22-5.el5_4.3
cyrus-sasl-lib-2.1.22-5.el5_4.3
cyrus-sasl-plain-2.1.22-5.el5_4.3
Having cyrus-sasl-2.1.22 is sufficient.
Then start it:
/etc/rc.d/init.d/saslauthd start
and also add it to /etc/rc.local.
Run the following command; if the output looks like this, everything is fine: pam_mysql works and the Open××× server can now be configured.
 [root@***server ~]# /usr/sbin/testsaslauthd -u test -p test -s open***
0: OK "Success."
 
Install Open×××:
First check whether openssl is installed; if not, install it with yum.
Extract: tar zxvf lzo-2.03.tar.gz
    cd lzo-2.03
    ./configure
    make
    make install
Extract: tar -zxvf open***-2.0.9.tar.gz
    cd open***-2.0.9
    ./configure --prefix=/usr/local/open***
    make
    make install
Create the required directories:
    mkdir /usr/local/open***/{etc,html,log}
    mkdir /usr/local/open***/html/ccd
 
Use the TUN/TAP kernel module:
Run modprobe tun
and add it to /etc/rc.local.
Enable IP forwarding and set up iptables SNAT:
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -t nat -A POSTROUTING -s 172.16.0.0/24 -d 10.20.10.0/24 -j SNAT --to-source 10.20.10.209
 
Configure the ××× server:
cd /root/open***-2.0.9/easy-rsa
vim vars
 
Edit the vars file
-----------------------------------------
# Your country, 2-letter code
export KEY_COUNTRY=CN
# Your province
export KEY_PROVINCE=SHANGHAI
# Your city
export KEY_CITY=SHANGHAI
# Your organization
export KEY_ORG="Open××× ORG"
# Your e-mail address
export KEY_EMAIL="taylor_ge@staff.woyo.com"
 
# Apply the modified environment variables
[root@***server easy-rsa]# source ./vars
NOTE: when you run ./clean-all, I will be doing a rm -rf on /root/open***-2.0.9/easy-rsa/keys
[root@***server easy-rsa]# ./clean-all    # initialize the keys directory
 
# Generate the root CA certificate, used to sign the server and client certificates; keep the keys/ca.key file well protected.
[root@***server easy-rsa]# ./build-ca
Generating a 1024 bit RSA private key
.....++++++
.........++++++
writing new private key to 'ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [SHANGHAI]:
Locality Name (eg, city) [SHANGHAI]:
Organization Name (eg, company) [Open××× ORG]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:
Email Address [taylor_ge@staff.woyo.com]:
 
# View the generated certificates
[root@***server easy-rsa]# ll keys
total 12
-rw-r--r-- 1 root root 1180 Aug 22 17:22 ca.crt
-rw------- 1 root root  887 Aug 22 17:22 ca.key
-rw-r--r-- 1 root root    0 Aug 22 17:21 index.txt
-rw-r--r-- 1 root root    3 Aug 22 17:21 serial
 
# We can see that ca.crt and ca.key have been generated.
# Next, generate the Diffie-Hellman parameters for the server
[root@***server easy-rsa]# ./build-dh
Generating DH parameters, 1024 bit long safe prime, generator 2
This is going to take a long time
...........................+.................................................................................................+......................................................................+....................+.+..............+........+.......................................................................................+..............................................................................................+................................+...+...................................................+............+..................................................+............................................................+..............................................+..............................+...............................+............................................................+....................+............+......................................+..............+................................................................+....+........................+......................................................................................................+......+......................................+.............................................................................................................................+........................................................+................................................................................................+......................................+................................................................................+.........................+............................................+.................................+......................+.......+.......+..++*++*++*
 
# Create and sign the certificate for the ××× server (issued by the CA above)
[root@***server easy-rsa]# ./build-key-server server
Generating a 1024 bit RSA private key
........................++++++
...........................++++++
writing new private key to 'server.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [SHANGHAI]:
Locality Name (eg, city) [SHANGHAI]:
Organization Name (eg, company) [Open××× ORG]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:woyo
Email Address [taylor_ge@staff.woyo.com]:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /root/open***-2.0.9/easy-rsa/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'CN'
stateOrProvinceName   :PRINTABLE:'SHANGHAI'
localityName          :PRINTABLE:'SHANGHAI'
organizationName      :PRINTABLE:'Open××× ORG'
commonName            :PRINTABLE:'woyo'
emailAddress          :IA5STRING:'taylor_ge@staff.woyo.com'
Certificate is to be certified until Aug 20 09:27:16 2022 GMT (3650 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
 
# Press Enter all the way through; Common Name requires a name, and answer y to the last two prompts.
To guard against malicious *** (such as DoS and UDP port flooding), we generate an "HMAC firewall" key:
/usr/local/open***/sbin/open*** --genkey --secret keys/ta.key
 
# Copy the generated keys to /usr/local/open***/etc/
cd /root/open***-2.0.9/easy-rsa/keys
cp ca.crt  dh1024.pem server.crt  server.key  /usr/local/open***/etc/
 
# Create the server configuration file
vim /usr/local/open***/etc/server.conf
 
port 1194
proto tcp
dev tun
ca /usr/local/open***/etc/ca.crt
cert /usr/local/open***/etc/server.crt
key /usr/local/open***/etc/server.key
dh /usr/local/open***/etc/dh1024.pem
server 172.16.0.0 255.255.0.0
push "route 172.16.0.0 255.255.0.0"
push "route 10.20.0.0 255.255.0.0"
;push "dhcp-option DNS 211.99.190.33"
;push "dhcp-option DNS 211.136.107.168"
;push "redirect-gateway"
client-config-dir /usr/local/open***/html/ccd
;route 10.0.0.0 255.255.255.0
duplicate-cn
keepalive 10 120
tls-auth /usr/local/open***/etc/ta.key 0
comp-lzo
max-clients 100
user nobody
group nobody
persist-key
persist-tun
status /usr/local/open***/log/open***-status.log
log /usr/local/open***/log/open***.log
log-append /usr/local/open***/log/open***-append.log
verb 4
plugin /usr/local/open***/etc/open***-auth-pam.so open***
client-cert-not-required
username-as-common-name
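The `server 172.16.0.0 255.255.0.0` directive hands clients addresses from a /16, while the SNAT rule added earlier (`iptables -t nat -A POSTROUTING -s 172.16.0.0/24 ...`) only translates a /24, so a client that lands outside 172.16.0.x would reach 10.20.10.0/24 untranslated. The following added example (not part of the original post) parses the two excerpts and reports which part of the pool the NAT rule misses; the excerpts are constructed copies of the post's values.

```python
import ipaddress
import shlex

# Constructed excerpts of the post's server.conf and SNAT rule (example input, not read from disk).
SERVER_CONF = """
port 1194
proto tcp
dev tun
server 172.16.0.0 255.255.0.0
push "route 10.20.0.0 255.255.0.0"
"""
SNAT_RULE = ("iptables -t nat -A POSTROUTING -s 172.16.0.0/24 -d 10.20.10.0/24 "
             "-j SNAT --to-source 10.20.10.209")


def vpn_pool(conf_text: str) -> ipaddress.IPv4Network:
    """Address pool from the 'server <network> <netmask>' directive."""
    for line in conf_text.splitlines():
        parts = line.split()
        if len(parts) == 3 and parts[0] == "server":
            return ipaddress.ip_network(f"{parts[1]}/{parts[2]}", strict=True)
    raise ValueError("no 'server' directive found")


def snat_source(rule: str) -> ipaddress.IPv4Network:
    """Source range matched by the rule's -s option."""
    argv = shlex.split(rule)
    return ipaddress.ip_network(argv[argv.index("-s") + 1], strict=True)


def uncovered_clients(conf_text: str, rule: str) -> list[str]:
    """Pool subnets whose traffic the SNAT rule would not translate (empty list = fully covered)."""
    pool, src = vpn_pool(conf_text), snat_source(rule)
    if pool.subnet_of(src):
        return []
    if src.subnet_of(pool):
        return [str(n) for n in pool.address_exclude(src)]
    return [str(pool)]


if __name__ == "__main__":
    missed = uncovered_clients(SERVER_CONF, SNAT_RULE)
    print("pool:", vpn_pool(SERVER_CONF), "SNAT source:", snat_source(SNAT_RULE))
    print("not translated:", missed or "nothing, rule covers the whole pool")
```

Widening the rule's source to match the pool (or narrowing the `server` directive) makes the list empty.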
 
# Start open*** right away
/usr/local/open***/sbin/open*** --daemon --config /usr/local/open***/etc/server.conf
 
 
# Check whether it started successfully:
 
[root@***server log]# lsof -i :1194
COMMAND   PID   USER   FD   TYPE DEVICE SIZE NODE NAME
open*** 20216 nobody    5u  IPv4  97292       TCP *:open*** (LISTEN)
 
4. Client installation
Configure the Open××× Windows client
a)  Install open***-2.0.9-gui-1.0.3-install.exe
Then download the ca.crt and ta.key files generated earlier from the server and place them in the Open××× conf folder.
Create the open*** client configuration file ***.o***
client
dev tun
proto tcp
remote 183.60.xxx.xxx 1194
remote-random
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
auth-user-pass
ns-cert-type server
tls-auth ta.key 1
comp-lzo
verb 4
route-method exe
route-delay 2
 
(Adjust according to your actual environment)
 
Note: many people do not know where the open***-auth-pam.so file comes from. It is produced by running make in the plugin/auth-pam directory of the open*** source package; copy it to the directory referenced by your configuration file.
 
Run the open*** client to test…