Wednesday, 20 October 2010

OpenVPN + MS IAS

The goal is to make OpenVPN clients authenticate with their accounts in AD.

I. Install the standard packages

apt-get install openvpn libpam-radius-auth libradiusclient-ng2 radiusclient1

II. Download the OpenVPN sources and build the additional PAM plugin from them; you should end up with the binary

/openvpn-2.1_rc15/plugin/auth-pam/openvpn-auth-pam.so

III. Bring the OpenVPN server config to the following form. Generate the certificates.



/etc/openvpn/server.conf

port 1194
proto udp
dev tun
# CERT
ca ssl/ca.crt
cert ssl/server.crt
key ssl/server.key # This file should be kept secret
dh ssl/dh1024.pem
#
server 192.168.3.224 255.255.255.224
push "route 192.168.0.0 255.255.0.0"
push "route 172.16.0.0 255.255.0.0"
push "dhcp-option DNS 192.168.2.4"
client-to-client
duplicate-cn
keepalive 10 60
tls-server
tls-auth ssl/ta.key 0
tls-timeout 120
auth MD5
cipher BF-CBC
comp-lzo
user nobody
group nogroup
persist-key
persist-tun
status openvpn-status.log
log openvpn.log
log-append openvpn.log
verb 3
username-as-common-name
;auth-user-pass-verify scripts/auth-pam.pl via-file
plugin /etc/openvpn/scripts/openvpn-auth-pam.so radius
client-cert-not-required



IV. Create your own PAM service file and put the path to the pam_radius library in it

/etc/pam.d/radius

#%PAM-1.0
account required /lib/security/pam_radius_auth.so
auth required /lib/security/pam_radius_auth.so conf=/etc/pam_radius_auth.conf debug no_warn try_first_pass





The PAM RADIUS module also needs a config of its own, in which we list the domain controller addresses and the client secret, the one you enter on the IAS server when creating the RADIUS client.

/etc/pam_radius_auth.conf

pdc.domain.local 123
bdc.domain.local 123





V. On the server running IAS, create a RADIUS client with the IP address of the OpenVPN host and give it a secret (123 in the example). Open the connection security policy and tick the option to use PAP; otherwise the log will show

openvpn[16125]: pam_radius_auth: Sending RADIUS request code 1
openvpn[16125]: pam_radius_auth: DEBUG: getservbyname(radius, udp) returned 438027072.
openvpn[16125]: pam_radius_auth: Got RADIUS response code 3
openvpn[16125]: pam_radius_auth: authentication failed
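To show what those "request code 1" and "response code 3" lines carry on the wire, here is an added example (not from the original post) that builds the Access-Request pam_radius_auth sends, hides the PAP User-Password the way RFC 2865 requires, and checks the Response Authenticator on the Access-Reject that comes back. The shared secret 123 from the post is assumed; the user name and the fixed Request Authenticator in the test are constructed values. It also shows why the shared secret must be guarded: PAP only masks the password with an MD5 stream keyed by that secret.

```python
import hashlib
import os
import struct

CODES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject"}
USER_NAME, USER_PASSWORD = 1, 2  # attribute types from RFC 2865

def pap_hide(secret, req_auth, password):
    """RFC 2865 5.2: pad to 16-byte blocks and XOR each with MD5(secret + previous
    block); the first 'previous block' is the 16-byte Request Authenticator."""
    padded = password.ljust(max(16, -(-len(password) // 16) * 16), b"\x00")
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return out

def pap_reveal(secret, req_auth, hidden):
    """What IAS does with the same shared secret; anyone holding the secret can too."""
    out, prev = b"", req_auth
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def attr(atype, value):
    return struct.pack("!BB", atype, len(value) + 2) + value

def build_access_request(secret, username, password, ident=0, req_auth=b""):
    req_auth = req_auth or os.urandom(16)  # must be fresh and unpredictable
    attrs = attr(USER_NAME, username) + attr(
        USER_PASSWORD, pap_hide(secret, req_auth, password))
    return struct.pack("!BBH", 1, ident, 20 + len(attrs)) + req_auth + attrs

def parse(packet):
    code, ident, length = struct.unpack("!BBH", packet[:4])
    attrs, pos = {}, 20
    while pos < length:
        atype, alen = packet[pos], packet[pos + 1]
        attrs[atype] = packet[pos + 2:pos + alen]
        pos += alen
    return code, ident, packet[4:20], attrs

def build_response(secret, request, code):
    """Server side: ResponseAuth = MD5(header + RequestAuth + attrs + secret)."""
    header = struct.pack("!BBH", code, request[1], 20)
    return header + hashlib.md5(header + request[4:20] + secret).digest()

def response_is_authentic(secret, req_auth, response):
    """Client side: a reply not keyed with the shared secret is dropped."""
    expected = hashlib.md5(response[:4] + req_auth + response[20:] + secret).digest()
    return expected == response[4:20]
```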



Bring the client config to the following form, and put the root certificate ca.crt and the tls-auth key ta.key in the same folder as the config

client
dev tun
proto udp
remote _ADRESS_OPENVPN_SERVER_ 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
tls-client
tls-auth ta.key 1
auth MD5
comp-lzo
verb 3
auth-user-pass

That should be all.






Configure Radius Authentication for SSH login Centos 5.2 Linux

Monday, October 4, 2010, 10:57 - Unix/Linux

Posted by Guest

Using the plug-in modular nature of PAM we can get a Linux server to use RADIUS to authenticate users connecting via SSH. This guide tells you how to set up a CentOS 5.2 server as your RADIUS "client" and Juniper Steel-Belted Radius as your RADIUS authentication "server". We are going to use the pam_radius module from FreeRADIUS to provide the mechanism for authenticating SSH logins against a RADIUS box.

For this example my environment consists of

A CentOS 5.2 RADIUS client called "cyclone"
A Steel-Belted Radius server called "turbo"
A username of dave

Of course you will change these silly names to the hostnames or IP addresses that suit your own setup.



Preparation

We have to build a RADIUS client module for our CentOS Linux server, so some preparation is required on this box to let us do that. It isn't as complex as it sounds.

1. Install the correct development tools

Since the pam_radius_auth security module is not available in the mighty yum repository we have to build it ourselves from the source files. To do this we need the correct C compiler; this can be installed via yum using the following command

yum install gcc-c++

After a little while the C compiler will be installed and ready for use. The next requirement is the PAM development package. This is also installed via yum with this command:

yum install pam-devel

2. Download the pam Radius source files.

You need to download the RADIUS PAM module from here: ftp://ftp.freeradius.org/pub/radius/

Choose the file pam_radius-1.3.17.tar.gz



This is done easily via the wget command. So from the CentOS machine run

wget ftp://ftp.freeradius.org/pub/radius/pam_radius-1.3.17.tar.gz

Download this to a temporary folder where you can build the software. I chose a directory called pam under the root user's home directory:

/root/pam

Once the file is downloaded, unzip it with gunzip using the command

gunzip /root/pam/pam_radius-1.3.17.tar.gz

Untar the file using the command

tar -xvf /root/pam/pam_radius-1.3.17.tar

This should then unpack the contents into a directory structure like this

/root/pam/pam_radius-1.3.17

Change to this directory and type

make

The system should then compile with something like the following output:











cc -Wall -fPIC -c pam_radius_auth.c -o pam_radius_auth.o
pam_radius_auth.c: In function ‘talk_radius’:
pam_radius_auth.c:886: warning: pointer targets in passing argument 6 of ‘recvfrom’ differ in signedness
pam_radius_auth.c: In function ‘pam_sm_authenticate’:
pam_radius_auth.c:1102: warning: assignment from incompatible pointer type
cc -Wall -fPIC -c -o md5.o md5.c
ld -Bshareable pam_radius_auth.o md5.o -lpam -o pam_radius_auth.so







This should create a file called

pam_radius_auth.so

Copy this to the /lib/security/ folder.



Configure the Centos Server to use radius Authentication

1. Create a user you wish to log in as on the CentOS system. I am creating one called "dave" for this example.

useradd -d /home/dave/ dave

NOTE: There is no reason to set a password for this unix user, as you will be using your RADIUS account to provide the password.

2. Create the radius client configuration file folder structure.

Create a directory under the /etc folder called raddb, so you have a directory path which looks like /etc/raddb. This is done like so

mkdir /etc/raddb

3. Copy the sample client configuration file pam_radius_auth.conf to /etc/raddb/server

This sample file is found in the unarchived folder you downloaded earlier; in my example I would run:

cp /root/pam/pam_radius-1.3.17/pam_radius_auth.conf /etc/raddb/server







4. Edit /etc/raddb/server to match the radius server "turbo".

Open /etc/raddb/server in an editor such as vi. Under the section that looks like

# server[:port] shared_secret timeout (s)
127.0.0.1 secret 1
other-server other-secret 3

add a line that represents your RADIUS server. You will need to enter your server's hostname or IP address and a shared secret, which you set both in this file and on your RADIUS server. So make a note of this password.

I am going to add my radius server "turbo" and specify a shared secret of "s3cret". So after editing my file looks like this

# server[:port] shared_secret timeout (s)
127.0.0.1 secret 1
turbo s3cret 3







Now edit the /etc/pam.d/sshd file. This file controls the authentication method for the sshd service, which handles SSH logins. We need to tell it to use the /lib/security/pam_radius_auth.so file we compiled earlier.

Before the top line

auth include system-auth

add this line

auth sufficient pam_radius_auth.so

so the first two lines will look like this

auth sufficient pam_radius_auth.so
auth include system-auth

This will tell the SSH service / daemon to use the RADIUS protocol and server for authentication.

With this configuration sshd will also check local system account passwords as a fallback. This means you can log in as root or other local unix accounts should your RADIUS server be offline.
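The fallback described above depends entirely on the control flag: "sufficient" lets a RADIUS accept end the stack early and lets the local password be tried when RADIUS fails, while "required" would make both checks mandatory. As an added example (not from the post), here is a small model of how Linux-PAM walks an auth stack, with the sshd lines taken from the post and system-auth reduced to a single pam_unix line (an assumption; the real file is longer):

```python
# Simplified stand-in for /etc/pam.d/system-auth (assumption: only pam_unix)
SYSTEM_AUTH = [("required", "pam_unix.so")]

# Constructed sample of /etc/pam.d/sshd as the post leaves it
SSHD_PAM = """\
auth       sufficient   pam_radius_auth.so
auth       include      system-auth
account    required     pam_nologin.so
"""

def parse_auth_stack(text, includes):
    """Collect the (control, module) pairs of type 'auth', expanding 'include' lines."""
    stack = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] != "auth":
            continue
        control, module = parts[1], parts[2]
        if control == "include":
            stack.extend(includes[module])
        else:
            stack.append((control, module))
    return stack

def run_auth(stack, results):
    """results: module -> True (PAM_SUCCESS) or False (any failure, including an
    unreachable RADIUS server). Returns whether the login is allowed."""
    failed = False
    for control, module in stack:
        ok = results.get(module, False)
        if control == "sufficient":
            if ok and not failed:
                return True  # RADIUS accepted: stop here, pam_unix never runs
        elif control == "required":
            failed = failed or not ok  # keep going, but the result is decided
        elif control == "requisite":
            if not ok:
                return False
        # optional: does not change the outcome while other modules exist
    return not failed

def login_allowed(pam_text, radius_ok, local_password_ok):
    stack = parse_auth_stack(pam_text, {"system-auth": SYSTEM_AUTH})
    return run_auth(stack, {"pam_radius_auth.so": radius_ok,
                            "pam_unix.so": local_password_ok})
```

Running it with dave (RADIUS accept, no local password) and with the RADIUS server unreachable (root's local password only) shows that "required" in place of "sufficient" would lock dave out entirely and remove the fallback.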







NOTE! You are changing the authentication method for logging in to your CentOS box via SSH. Make sure you can get into it via the console (monitor, mouse and keyboard) in case this goes wrong and you get locked out of SSH.

Configure your Steel Belted Radius Server

1. Set up cyclone as a RADIUS client

Right-click "Radius Clients"
Click Add
In the Add RADIUS client window add the IP address or hostname of the CentOS box cyclone and add the shared secret we decided on earlier, in this example "s3cret"

2. Add a username on the radius box "turbo"

Right-click "Users"
Click Add
Add a native user and set a password.

Test a Logon to the Centos SSH service

Fire up your SSH client. Connect to the box and log in as the user and password you set on the RADIUS server earlier, in my case "dave".

If it lets you in, voila - job done. You have used the RADIUS server to provide SSH authentication. If it doesn't, then you might start by looking in the /var/log/secure file for clues. Also the CentOS forum is pretty good; I often find some helpful people on there. If you are really desperate you can leave a comment here! :)






Easy openVPN Server in CentOS 5.3

Monday, October 4, 2010, 10:57 - Redhat

Posted by Guest

1. Install the necessary libraries

yum install lzo lzo-devel zlib zlib-devel

2. At this moment openssl should already be installed. (A required package for a server)

3. Install the openvpn package

yum install openvpn

4. Copy the necessary sample scripts and configuration file

cp -r /usr/share/doc/openvpn-2.0.9/easy-rsa/ /etc/openvpn/
cp /usr/share/doc/openvpn-2.0.9/sample-config-files/server.conf /etc/openvpn
cp /usr/share/doc/openvpn-2.0.9/easy-rsa/openssl.cnf /etc/openvpn

5. Before running the scripts, make sure that they have the executable permission. If not, perform the following:

cd /etc/openvpn/easy-rsa
chmod +x clean-all
chmod +x build*

6. Modify your CA configuration

vi /etc/openvpn/easy-rsa/vars

export KEY_COUNTRY=AU
export KEY_PROVINCE=VIC
export KEY_CITY=MELBOURNE
export KEY_ORG="THROXVPN"
export KEY_EMAIL="name@email.com"

7. Save your modified settings and run:

. ./vars
mkdir /etc/openvpn/keys
./clean-all

8. Now your configuration is ready; create your server CA authentication files

cd /etc/openvpn/easy-rsa
./build-ca

9. Build your server keys

./build-key-server vpnserver

10. Build the Diffie-Hellman file

./build-dh

11. Modify the sample /etc/openvpn/server.conf

mode server
client-to-client
port 1194
proto tcp
dev tun
ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/server.crt
key /etc/openvpn/keys/server.key
dh /etc/openvpn/keys/dh1024.pem
server 10.10.10.0 255.255.255.0
ifconfig-pool-persist ipp.txt
keepalive 10 120
comp-lzo
user nobody
group nobody
persist-key
persist-tun
status /var/log/openvpn-status.log
log /var/log/openvpn.log
verb 3
mute 20

12. Please take note of ipp.txt, which contains something like this

client1,10.10.10.4
client2,10.10.10.5

13. Configure the service to autostart and then start the service

service openvpn restart
/etc/init.d/openvpn start

14. The server is up at this moment. You can now create keys for each of your clients.

15. Done.






Install OpenVPN Server on CentOS 5.4

Monday, October 4, 2010, 10:55 - Redhat

Posted by Guest

Sat, 04/03/2010 - 19:21 | admin

There are many guys asking me how to install OpenVPN on CentOS 5.2/5.4. I have a server with exactly that system (minimal installation) and I could not find a fully correct guide for this setup, so I decided to write this post.

You cannot count on this post to explain what OpenVPN is. But if you just want a simple installation guide, you've got it.

Preparation:

1. A server running CentOS 5.2/5.4. I don't know which services you've installed, so I have to install all the necessary components by bash command. You can skip a command if you know the package is already installed.
2. A KVM, an SSH client or another way to connect to your server.
3. You must know how to use vi to edit files.

Setup guide:

Each command below should be typed at the bash command line, followed by Enter. Whatever follows a # on a line is just a comment; read it as you wish.

Install some tools.

yum install -y wget       # Install a tool for downloading packages.
yum install -y iptables   # Install the controller for inputting firewall rules.

Configure yum to install OpenVPN

yum install -y yum-priorities   # Let your yum install more packages.
cd /tmp
wget http://packages.sw.be/rpmforge-release/ ... f.i386.rpm   # for x86 (32bit) only
wget http://packages.sw.be/rpmforge-release/ ... x86_64.rpm   # for x64 (64bit) only
rpm -i rpmforge-release-0.5.1-1.el5.rf.*.rpm
yum check-update

Install OpenVPN

yum install -y openvpn

Configure OpenVPN Server

cd /etc/openvpn/
cp -R /usr/share/doc/openvpn-2.0.9/easy-rsa/ /etc/openvpn/
cd /etc/openvpn/easy-rsa/2.0/
. ../vars      # There is a space between the 1st and 2nd dot.
chmod +rwx *
source ./vars
vi ../vars     # Modify the last several lines of this file to match your location and org name.
vi vars        # Modify the last several lines of this file to match your location and org name.
./build-ca     # Input your location and org name.
source ./vars
./clean-all
./build-ca     # Always press Enter directly. You can verify your information in this step.
./build-key-server server   # Answer y twice for the 2 questions at the end, press Enter directly for the others.







Configure the OpenVPN settings. Following this post, you will get a server running on port 1194 with the UDP protocol, and the subnet for VPN clients is 10.0.0.0/24. You can modify this document with the remaining commands accordingly.

vi /etc/openvpn/openvpn.conf   # Create the settings file.

Type everything below into vi; the text after # on a line is an explanation, and OpenVPN treats it as a comment if you keep it.

port 1194   # Use port 1194.
proto udp   # Use the udp protocol. You can change this to tcp as you wish. udp seems to be faster; tcp can be used when you are on a network where udp is blocked.
dev tun     # Mode. You can choose tun or tap. I don't want to explain this.
ca ca.crt
cert server.crt
key server.key
dh dh1024.pem
server 10.0.0.0 255.255.255.0   # Subnet for VPN clients
push "dhcp-option DNS 208.67.222.222"   # Use the DNS of OpenDNS.
push "dhcp-option DNS 208.67.220.220"   # Use the DNS of OpenDNS.
push "redirect-gateway"   # Route all traffic from the client through this VPN server. Remove this line if you don't want it.
ifconfig-pool-persist ipp.txt   # Let the OpenVPN server record the last used IP for each client, so a client gets the same IP when it reconnects.
keepalive 10 120
comp-lzo   # Enable compression to save bandwidth.
user nobody
group users
persist-key
persist-tun
status openvpn-status.log
verb 3
client-to-client   # Allow clients to communicate with each other. Remove this line if you don't want it.

Save this file.

cp keys/{ca.crt,ca.key,server.crt,server.key} /etc/openvpn/
./build-dh   # This may take a while.
cp keys/dh1024.pem /etc/openvpn/
/etc/init.d/openvpn start   # The service starts!
chkconfig --list | grep vpn







Create a key for each client.

The working folder is /etc/openvpn/easy-rsa/2.0; you can verify it by typing pwd if you like. If it isn't, type cd /etc/openvpn/easy-rsa/2.0 to change to it. Run source ./vars if needed.

Run this command for each client.

./build-key   # Answer y twice for the 2 questions at the end, press Enter directly for the others. Change to the client name.

Final steps and adding some firewall rules

service iptables start   # Start the iptables service.
iptables -A INPUT -i eth0 -p udp --dport 1194 -j ACCEPT   # Allow udp datagrams to be received on port 1194 of your nic eth0. Notice that there are 2 hyphens before dport.
iptables -A OUTPUT -o eth0 -p udp --dport 1194 -j ACCEPT   # Allow udp datagrams to be sent from port 1194 of your nic eth0. Notice that there are 2 hyphens before dport.
iptables -A INPUT -i tun0 -j ACCEPT   # Allow traffic from the OpenVPN nic tun0. Change it to tap0 if you use tap mode in the server configuration.
iptables -A OUTPUT -o tun0 -j ACCEPT   # Allow traffic out of the OpenVPN nic tun0. Change it to tap0 if you use tap mode in the server configuration.
iptables -A FORWARD -o tun0 -j ACCEPT   # Allow forwarded traffic out of the OpenVPN nic tun0. Change it to tap0 if you use tap mode in the server configuration.
iptables -t nat -A POSTROUTING -s 10.0.0.0/24 -o eth0 -j MASQUERADE   # Enable NAT.
/etc/init.d/iptables save   # Save the iptables rules.
/etc/init.d/iptables restart   # Restart the iptables service.
chkconfig iptables on   # Start iptables automatically.
chkconfig openvpn on   # Likewise openvpn.

vi /etc/sysctl.conf

Find the line with the text net.ipv4.ip_forward = 0, change it to net.ipv4.ip_forward = 1, and save the file.

You've finished the configuration of the server. Please restart it.

shutdown -r now

All certificates and key files can be found in /etc/openvpn/easy-rsa/2.0/keys. You should download ca.crt, .key and .crt to each client computer.

I'll go on to create an OpenVPN client on Windows as an example.

Download and install the OpenVPN Windows version.

Copy ca.crt, .key and .crt to its config folder (c:\Program Files (x86)\OpenVPN\config\ or c:\Program Files\OpenVPN\config\ by default). You can create a sub folder for each server to make it possible to connect to many servers, though not at the same time :) .

Create a text file with the extension "ovpn" in the folder which contains these 3 files, with the following contents.

client
dev tun
proto udp
remote 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert .crt
key .key
ns-cert-type server
comp-lzo
verb 3

Save this file.

Start the OpenVPN client, right-click the icon in the system tray and connect to the server. If you are running Windows Vista / 7 or Windows Server 2008 / 2008 R2, you have to run this program as administrator, because route.exe, which OpenVPN runs, needs this.

I hope you get it, though.
