This document describes how to authenticate VPN logins with a username and password. Even though the client logs in with a username/password, the server side still needs a certificate, which makes this kind of VPN somewhat similar to HTTPS on the web (not identical): only the server needs a certificate, the client does not have to present one of its own, and the client only has to verify that the server is legitimate, so the client needs nothing more than ca.crt (the root certificate). Because the client is not authenticated with a certificate, security is necessarily somewhat weaker, but it avoids the tedious CA management, and logging in with a username and password makes it easy to integrate the VPN with a forum, a mail system or another unified authentication system and reuse an existing management interface.
The installation and configuration of the VPN follows:
Environment:
OS: CentOS (placed at the company's network egress, acting as the router or NAT device)
eth0: *.*.154.166 (public address, connected directly to the Internet)
eth1: *.*.1.166 (internal address)
Client hardware and network environment:
OS: Windows 7, with no fixed IP address
Server-side configuration
First check whether the pam-devel package is installed; it can be installed with yum.
[root@WEBGAME_CONTROL_SERVER ~]# rpm -qa | grep pam
pam-devel-1.1.1-10.el6_2.1.x86_64
pam_oath-2.0.2-3.el6.x86_64
pam_radius-1.3.17-2.el6.x86_64
pam_url-0.3.2-1.el6.x86_64
pam_mysql-0.7-0.12.rc1.el6.x86_64
pam_passwdqc-1.0.5-6.el6.x86_64
pamtester-0.1.2-1.el6.x86_64
pam_krb5-2.3.11-9.el6.x86_64
fprintd-pam-0.1-19.git04fd09cfa.el6.x86_64
pam_yubico-2.13-1.el6.x86_64
pam_ldap-debuginfo-185-11.el6.x86_64
pam-debuginfo-1.1.1-10.el6_2.1.x86_64
pam_ssh-1.98-1.el6.x86_64
pam_passwdqc-debuginfo-1.0.5-6.el6.x86_64
pam-1.1.1-10.el6_2.1.x86_64
pam_mapi-0.1.2-1.el6.x86_64
pam_pkcs11-0.6.2-11.1.el6.x86_64
pam_afs_session-2.5-3.el6.x86_64
pam_ssh_agent_auth-0.9-81.el6.x86_64
pam_krb5-debuginfo-2.3.11-9.el6.x86_64
pam_shield-0.9.5-8.el6.x86_64
pam_pkcs11-debuginfo-0.6.2-11.1.el6.x86_64
pam_ldap-185-11.el6.x86_64
[root@WEBGAME_CONTROL_SERVER ~]#
Check whether MySQL is installed and confirm that the mysql-devel package is present; install it yourself if it is missing (Xiaoyan helped with the installation).
[root@WEBGAME_CONTROL_SERVER ~]# rpm -qa | egrep "Percona|mysql"
Percona-Server-shared-compat-5.5.15-rel21.0.158.rhel5.x86_64
pam_mysql-0.7-0.12.rc1.el6.x86_64
Percona-Server-shared-55-5.5.15-rel21.0.158.rhel5.x86_64
Percona-Server-devel-55-5.5.15-rel21.0.158.rhel5.x86_64
Percona-Server-client-55-5.5.15-rel21.0.158.rhel5.x86_64
Percona-Server-server-55-5.5.15-rel21.0.158.rhel5.x86_64
[root@WEBGAME_CONTROL_SERVER ~]#
Install LZO (a data-compression library)
[root@WEBGAME_CONTROL_SERVER package]# tar zxvf lzo-2.04.tar.gz
[root@WEBGAME_CONTROL_SERVER package]# cd lzo-2.04
[root@WEBGAME_CONTROL_SERVER lzo-2.04]# ./configure --prefix=/usr/local/
[root@WEBGAME_CONTROL_SERVER lzo-2.04]# make
[root@WEBGAME_CONTROL_SERVER lzo-2.04]# make install
Install OpenVPN
[root@WEBGAME_CONTROL_SERVER package]# tar zxvf open***-2.2.2.tar.gz
[root@WEBGAME_CONTROL_SERVER open***]# ./configure --with-lzo-lib=/usr/local/lzo/lib/ --disable-ssl --prefix=/usr/local/open***/
[root@WEBGAME_CONTROL_SERVER open***]# make
[root@WEBGAME_CONTROL_SERVER open***]# make install
Copy the configuration templates OpenVPN needs (easy-rsa/2.0 from the source tree becomes /etc/open***/2.0, which the paths below expect)
[root@WEBGAME_CONTROL_SERVER open***]# cp -r easy-rsa/* /etc/open***/
Build open***-auth-pam.so, the plugin that connects PAM to OpenVPN
[root@WEBGAME_CONTROL_SERVER open***]# cd ~/package/open***/plugin/auth-pam/
[root@WEBGAME_CONTROL_SERVER auth-pam]# make
Copy it into the configuration directory for easier management
[root@WEBGAME_CONTROL_SERVER auth-pam]# cp open***-auth-pam.so /etc/open***/2.0/conf/
Copy the main configuration-file template
[root@WEBGAME_CONTROL_SERVER open***]# cd ~/package/open***/sample-config-files/
[root@WEBGAME_CONTROL_SERVER sample-config-files]# cp server.conf /etc/open***/2.0/conf/
Adjust the parameters in the main configuration file
[root@WEBGAME_CONTROL_SERVER 2.0]# cd /etc/open***/2.0/conf
[root@WEBGAME_CONTROL_SERVER conf]# vim server.conf
[root@WEBGAME_CONTROL_SERVER conf]# cat server.conf | egrep -v "^#|^$"
The parameters in detail:
[root@WEBGAME_CONTROL_SERVER conf]# cat server.conf | egrep -v "^#|^$|^;"
port 1194                                  # listen on port 1194
proto tcp                                  # use TCP as the transport
dev tun                                    # use a tun virtual interface (the other type is tap; search Baidu for details)
ca /etc/open***/2.0/keys/ca.crt            # path to the CA (root) certificate
cert /etc/open***/2.0/keys/server.crt      # path to the server certificate
key /etc/open***/2.0/keys/server.key       # This file should be kept secret
dh /etc/open***/2.0/keys/dh1024.pem
server 10.8.0.0 255.255.255.0              # network used by OpenVPN
push "route 10.8.0.0 255.255.255.0"        # push the OpenVPN route to clients
push "route 0.0.0.0 0.0.0.0"
ifconfig-pool-persist ipp.txt              # address pool handed to connecting clients
push "dhcp-option DNS 8.8.8.8"             # DNS servers handed to connecting clients
push "dhcp-option DNS 8.8.4.4"
keepalive 10 120                           # keep the VPN session alive
comp-lzo                                   # enable LZO compression
user nobody
group nobody
persist-key
persist-tun
status open***-status.log
verb 3
plugin /etc/open***/2.0/conf/open***-auth-pam.so open***   # load open***-auth-pam.so to authenticate through PAM
client-cert-not-required                   # do not ask the client for a certificate; authenticate by username/password
username-as-common-name                    # use the username supplied by the client as the Common Name
link-mtu 1500                              # set the link MTU
Edit the vars file
# The country you are in, 2 characters
export KEY_COUNTRY=CN
# Your province
export KEY_PROVINCE=Beijing
# Your city
export KEY_CITY=Beijing
# Your organisation
export KEY_ORG="cyou-inc"
# Your e-mail address
export KEY_EMAIL="chengwei@cyou-inc.com"
Load the modified environment variables
[root@WEBGAME_CONTROL_SERVER 2.0]# cd /etc/open***/2.0/
[root@WEBGAME_CONTROL_SERVER 2.0]# source vars
NOTE: when you run ./clean-all, I will be doing a rm -rf on /etc/open***/easy-rsa/keys
Initialise the keys directory
[root@WEBGAME_CONTROL_SERVER 2.0]# cd /etc/open***/2.0/
[root@WEBGAME_CONTROL_SERVER 2.0]# ./clean-all
Generate the root CA certificate, which will sign the server and client certificates; guard the keys/ca.key file carefully
[root@WEBGAME_CONTROL_SERVER 2.0]# cd /etc/open***/2.0/
[root@WEBGAME_CONTROL_SERVER 2.0]# ./build-ca
Generating a 1024 bit RSA private key
........................++++++
.............++++++
writing new private key to 'ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:   # just press Enter to accept the default
State or Province Name (full name) [Beijing]:
Locality Name (eg, city) [Beijing]:
Organization Name (eg, company) [cyou-inc]:
Organizational Unit Name (eg, section) []: Open××× Service
Common Name (eg, your name or your server's hostname) []:Open××× Root CA
Email Address [chengwei@cyou-inc.com]:
After the steps above, the following files have been produced
[root@WEBGAME_CONTROL_SERVER 2.0]# ls keys/
ca.crt  ca.key  index.txt  serial
Generate the Diffie-Hellman parameters for the server
[root@WEBGAME_CONTROL_SERVER 2.0]# cd /etc/open***/2.0/
[root@WEBGAME_CONTROL_SERVER 2.0]# ./build-dh
Generating DH parameters, 1024 bit long safe prime, generator 2
This is going to take a long time
..+..............................................................+.................
...................................................+....+........+.........+.......
.............................................+.+...................................
...................................................................................
............................................+......................................
.+.................................+.............+.................................
................................................+..................................
.....................+.............................++*++*++*
Create and sign the certificate used by the VPN server; `server' is the base name of the generated files, server.crt and server.key
[root@WEBGAME_CONTROL_SERVER 2.0]# ./build-key-server server
Generating a 1024 bit RSA private key
......................++++++
...............++++++
writing new private key to 'server.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [Beijing]:
Locality Name (eg, city) [Beijing]:
Organization Name (eg, company) [cyou-inc]:
Organizational Unit Name (eg, section) []:Open××× Service
Common Name (eg, your name or your server's hostname) []:open***
Email Address [chengwei@cyou-inc.com]:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName :PRINTABLE:'CN'
stateOrProvinceName :PRINTABLE:'Beijing'
localityName :PRINTABLE:'Beijing'
organizationName :PRINTABLE:'cyou-inc'
organizationalUnitName:PRINTABLE:'Open××× Service'
commonName :PRINTABLE:'open***'
emailAddress :IA5STRING:'chengwei@cyou-inc.com'
Certificate is to be certified until Feb 26 14:43:44 2015 GMT (3650 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
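The build-ca, build-dh and build-key-server scripts above are wrappers around the openssl command line. The script below is an added example, not part of the original post and not easy-rsa's own code: it builds a throwaway CA and server certificate with plain openssl in a temporary directory and then performs the two checks worth doing before deploying the files, namely that server.crt really chains to ca.crt and that it carries the nsCertType=server extension, which is what build-key-server adds (build-key does not) and what the client's ns-cert-type server directive later in this post relies on. It assumes the openssl CLI is installed; the subject names are constructed and the key size is 2048 bits rather than the 1024 bits used in the post.

```sh
#!/bin/sh
# Added example (not from the original post, not easy-rsa's scripts): build a
# throwaway CA and server certificate with plain openssl, then verify the
# server certificate the way a client with "ns-cert-type server" does.
# Assumes the openssl CLI is installed; subject names are constructed.
set -e

# make_demo_pki DIR: ca.key/ca.crt, server.key/server.crt (signed with
# nsCertType=server, as build-key-server does) and plain.crt (the same CSR
# signed without that extension, as build-key would).
make_demo_pki() {
    dir=$1
    mkdir -p "$dir"
    # Self-signed root CA. The post uses 1024-bit RSA; 2048 is used here.
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" \
        -subj "/C=CN/ST=Beijing/L=Beijing/O=example/OU=Demo/CN=Demo Root CA" \
        >/dev/null 2>&1
    # Server key and certificate request.
    openssl req -newkey rsa:2048 -nodes -sha256 \
        -keyout "$dir/server.key" -out "$dir/server.csr" \
        -subj "/C=CN/ST=Beijing/L=Beijing/O=example/OU=Demo/CN=server" \
        >/dev/null 2>&1
    # Extensions that mark the certificate as a server certificate.
    printf 'nsCertType=server\nextendedKeyUsage=serverAuth\nkeyUsage=digitalSignature,keyEncipherment\n' \
        > "$dir/server.ext"
    openssl x509 -req -in "$dir/server.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
        -CAcreateserial -days 3650 -sha256 -extfile "$dir/server.ext" \
        -out "$dir/server.crt" >/dev/null 2>&1
    openssl x509 -req -in "$dir/server.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
        -CAcreateserial -days 3650 -sha256 -out "$dir/plain.crt" >/dev/null 2>&1
    chmod 600 "$dir/ca.key" "$dir/server.key"
}

# verify_server_cert DIR CERT: print "ok" and succeed only if DIR/CERT chains
# to DIR/ca.crt and carries the nsCertType server flag; print the reason and
# fail otherwise.
verify_server_cert() {
    dir=$1; cert=$2
    # Older openssl releases exit 0 even when verification fails, so test the
    # printed verdict rather than the exit status.
    if ! openssl verify -CAfile "$dir/ca.crt" "$dir/$cert" 2>/dev/null | grep -q ': OK$'; then
        echo "$cert does not chain to ca.crt"
        return 1
    fi
    if ! openssl x509 -in "$dir/$cert" -noout -text | grep -q 'SSL Server'; then
        echo "$cert lacks nsCertType=server"
        return 1
    fi
    echo "ok"
}

demo=$(mktemp -d)
make_demo_pki "$demo"
verify_server_cert "$demo" server.crt          # ok
verify_server_cert "$demo" plain.crt || true   # plain.crt lacks nsCertType=server
rm -rf "$demo"
```

The same two commands, openssl verify -CAfile keys/ca.crt keys/server.crt and openssl x509 -in keys/server.crt -noout -text, can be run against the files easy-rsa produced in keys/ to confirm the result of the steps above before copying ca.crt to clients.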
Configure the database that holds the OpenVPN account names and passwords
Log in to the database as an administrator:
mysql> create database ***;
mysql> GRANT ALL ON ***.* TO ***@localhost IDENTIFIED BY '***123';
mysql> flush privileges;
mysql> use ***;
mysql> CREATE TABLE ***user (
    -> name char(20) NOT NULL,
    -> password char(128) default NULL,
    -> active int(10) NOT NULL DEFAULT 1,
    -> PRIMARY KEY (name)
    -> );
mysql> insert into ***user (name,password) values('ipad',password('ipad'));
mysql>
mysql> show tables;
+---------------+
| Tables_in_*** |
+---------------+
| ***user       |
+---------------+
1 row in set (0.00 sec)
mysql> select * from ***user;
+------+-------------------------------------------+--------+
| name | password                                  | active |
+------+-------------------------------------------+--------+
| ipad | *44249DDD1E67F607625C57A3B32D07FDC4663A14 |      1 |
+------+-------------------------------------------+--------+
1 row in set (0.00 sec)
mysql>
# Create the *** user with full privileges on the *** database and password ***123; this account is used in the PAM configuration
# A row whose active column is not 1 is not allowed to use the VPN
# Add a user: username ipad, password ipad
Configure the pam_mysql module
[root@WEBGAME_CONTROL_SERVER pam.d]# cd /etc/pam.d
[root@WEBGAME_CONTROL_SERVER pam.d]# vim open***
auth sufficient pam_mysql.so user=*** passwd=***123 host=127.0.0.1 db=*** \
    table=***user usercolumn=name passwdcolumn=password \
    where=active=1 sqllog=0 crypt=2
account required pam_mysql.so user=*** passwd=***123 host=127.0.0.1 db=*** \
    table=***user usercolumn=name passwdcolumn=password \
    where=active=1 sqllog=0 crypt=2
crypt (0) -- Used to decide to use MySQL's PASSWORD() function or crypt()
0 = No encryption. Passwords in database in plaintext. NOT recommended!
1 = Use crypt
2 = Use MySQL PASSWORD() function
# crypt=0: plaintext passwords
# crypt=1: use the crypt() function (corresponds to encrypt() in SQL; encrypt() generates a random salt)
# crypt=2: hash with MySQL's password() function
# Choose the value to match how the user was created in MySQL: the ipad user was stored with the password() function, so crypt=2 is used
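What crypt=2 means in practice, as an added example that is not from the original post: MySQL's PASSWORD() function, the scheme used when the ipad row was inserted above, produces '*' followed by the upper-case hex of SHA1(SHA1(plaintext)), so pam_mysql can recompute it from the submitted password and compare it with the stored column. The script below reproduces that computation with the openssl CLI (assumed to be installed) and checks it against the hash shown in the select output above. It also inspects a pam_mysql stanza like the one in /etc/pam.d/open***, which it writes to a temporary file rather than reading from /etc/pam.d: it confirms crypt=2 and where=active=1 are present in both the auth and account lines, and warns when the file is readable by group or others, since the file carries the database password in clear text (root-only access is enough, because the auth-pam plugin performs its PAM calls from a privileged helper forked before OpenVPN drops to user nobody). The *** identifiers are reproduced from the post.

```sh
#!/bin/sh
# Added example (not from the original post): reproduce the MySQL PASSWORD()
# hash that pam_mysql compares against under crypt=2, and sanity-check a
# pam_mysql stanza. Assumes the openssl CLI is installed.
set -e

# mysql_password PLAINTEXT: MySQL 4.1+ PASSWORD() = '*' followed by the
# upper-case hex of SHA1(SHA1(plaintext)); this is what ***user.password holds.
mysql_password() {
    printf '%s' "$1" \
        | openssl dgst -sha1 -binary \
        | openssl dgst -sha1 \
        | awk '{ printf "*%s", toupper($NF) }'
}

# write_sample_stanza FILE: the stanza from the post, written to FILE so the
# check below runs without touching /etc/pam.d.
write_sample_stanza() {
    cat > "$1" <<'EOF'
auth sufficient pam_mysql.so user=*** passwd=***123 host=127.0.0.1 db=*** \
    table=***user usercolumn=name passwdcolumn=password \
    where=active=1 sqllog=0 crypt=2
account required pam_mysql.so user=*** passwd=***123 host=127.0.0.1 db=*** \
    table=***user usercolumn=name passwdcolumn=password \
    where=active=1 sqllog=0 crypt=2
EOF
}

# pam_mysql_check FILE: print one finding per line and return 1 when the auth
# or account stanza is missing, lacks crypt=2, lacks where=active=1, or when
# the file (which carries the database password) is readable by group/others.
pam_mysql_check() {
    f=$1; rc=0
    # Join backslash-continued lines so each stanza is a single line.
    joined=$(awk '{ if (sub(/\\$/, "")) printf "%s", $0; else print }' "$f")
    for kind in auth account; do
        stanza=$(printf '%s\n' "$joined" | grep -E "^$kind[[:space:]]" || true)
        case $stanza in
            *pam_mysql.so*) ;;
            *) echo "$kind: no pam_mysql.so stanza"; rc=1; continue ;;
        esac
        case $stanza in
            *crypt=2*) ;;
            *) echo "$kind: crypt=2 missing, stored PASSWORD() hashes will not match"; rc=1 ;;
        esac
        case $stanza in
            *where=active=1*) ;;
            *) echo "$kind: where=active=1 missing, disabled accounts could still log in"; rc=1 ;;
        esac
    done
    perms=$(ls -ld "$f" | cut -c5-10)   # group+other bits of e.g. -rw-r--r--
    case $perms in
        ------) ;;
        *) echo "mode allows group/other access (chmod 600 the file)"; rc=1 ;;
    esac
    return $rc
}

printf 'PASSWORD("ipad") = %s\n' "$(mysql_password ipad)"
tmp=$(mktemp); write_sample_stanza "$tmp"; chmod 600 "$tmp"
pam_mysql_check "$tmp" && echo "pam_mysql stanza looks sane"
rm -f "$tmp"
```

To check the real file, call pam_mysql_check /etc/pam.d/open*** as root; the mysql_password function is also a quick way to produce a PASSWORD()-style hash for an insert without typing the plaintext into the mysql client history.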
Connectivity test for OpenVPN, MySQL and PAM
Enable IP forwarding in the kernel
[root@WEBGAME_CONTROL_SERVER ~]# vim /etc/sysctl.conf
# Controls IP packet forwarding
net.ipv4.ip_forward = 1                    # important
Adjust the iptables rules
-A POSTROUTING -s 10.127.1.0/24 -o eth1 -j SNAT --to-source *.*.154.166
-A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
-A INPUT -p tcp -m tcp --dport 1194 -j ACCEPT
Start OpenVPN
[root@WEBGAME_CONTROL_SERVER pam.d]# /usr/local/sbin/open*** --config /etc/open***/2.0/conf/server.conf
[root@WEBGAME_CONTROL_SERVER pam.d]# lsof -i:1194
COMMAND   PID    USER    FD   TYPE   DEVICE     SIZE/OFF   NODE   NAME
open***   20430  nobody  6u   IPv4   45621140   0t0        TCP    *:open*** (LISTEN)
Start MySQL
[root@WEBGAME_CONTROL_SERVER pam.d]# service mysql start
[root@WEBGAME_CONTROL_SERVER pam.d]# lsof -i:3306
COMMAND   PID    USER    FD   TYPE   DEVICE     SIZE/OFF   NODE   NAME
mysqld    6882   mysql   12u  IPv4   45648773   0t0        TCP    *:mysql (LISTEN)
Check whether saslauthd is installed; this test tool can be installed with yum
[root@WEBGAME_CONTROL_SERVER pam.d]# rpm -qa | grep cyrus-sasl
cyrus-sasl-gssapi-2.1.23-13.el6.x86_64
cyrus-sasl-lib-2.1.23-13.el6.x86_64
cyrus-sasl-2.1.23-13.el6.x86_64
cyrus-sasl-md5-2.1.23-13.el6.x86_64
cyrus-sasl-plain-2.1.23-13.el6.x86_64
[root@WEBGAME_CONTROL_SERVER pam.d]# saslauthd -a pam
[root@WEBGAME_CONTROL_SERVER pam.d]# testsaslauthd -u ipad -p ipad -s open***
0: OK "Success."                           # the test passes
Configure the OpenVPN client
Install the open***-2.1.1-install.exe application
Go to the conf directory under the installation directory
Copy the ca.crt and ta.key files generated on the server into the conf directory
Edit the client.o*** file
;dev tap
dev tun                                    # use the tun virtual network device; must match the server configuration
proto tcp                                  # use TCP transport; must match the server configuration
;proto udp
remote *.*.154.166 1194                    # public address and port of the OpenVPN service
;remote my-server-2 1194
remote-random
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
auth-user-pass                             # prompt for the username and password
ns-cert-type server
tls-auth ta.key 1
route 10.8.0.0 255.255.255.0               # network segment used by OpenVPN
comp-lzo                                   # enable LZO compression
verb 4
;mute 20
Save the file and test logging in to OpenVPN.
Reprinted from: https://blog.51cto.com/duanfei/1339177
This article describes how to configure an OpenVPN server on CentOS for username/password authentication, backed by a MySQL database for user verification, and also provides a client configuration guide.