OpenVPN使用User/Pass验证登录
在之前的OpenVPN+CA中已经介绍了使用CA验证登录的方式,详见:
http://bbs.chinaunix.net/forum/viewtopic.php?t=503434&show_type=new
本文主要介绍使用Username/Password方式验证登录VPN的方法,虽然使用的是User/Pass
方式登录,但是在Server端仍然需要证书,这样的VPN和web的HTTPs方式有点类似(不能等同),
只需Server端有证书,Client可以不提供自己的证书,Client只需验证Server的合法性即可,
所以Client端只需ca.crt(根证书)即可。当然,由于Client不是使用证书验证的,所以安全
性方面必然有所下降,但是省去了烦琐的CA管理,我们可以通过用户名和密码来登录VPN,
这样使得VPN可以很容易和论坛、邮件系统或者其他统一验证系统结合,使用现成的管理界面。
关于VPN的一些初步认识,可以从下面这个URL获得:(E文的)
http://blog.chinaunix.net/resserver.php?blogId=2389&resource=OpenVPN%20and%20the%20SSL%20VPN%20Revolution.pdf
原文出自:
http://www.giac.org/certified_professionals/practicals/gsec/3985.php
文中觉得很有意义的语句是: A VPN is a site-to-site tunnel. Let me say that one more time, a VPN is a site-to-site tunnel.
这篇文章介绍了OpenVPN1.x,也简单介绍了OpenVPN 2.x的一些新特性,同时也简单的介绍了
其他VPN以及不同方式实现的VPN产品、软件,有时间看看是很有必要的。
关于VPN比较通俗的理解,在OpenVPN的FAQ中找到的:
Imagine you had a direct physical wire (i.e. a long cable) connecting two computers (A and B) at different locations. On each computer there would be a /dev/longcable which would be a network device. You could route IP traffic over it, and do everything you could normally do with a network device.
下面开始介绍VPN的安装和配置:
环境:
OS: FC2 (在公司网络出口处,作路由或者是NAT设备使用)
eth0: 61.1.1.2 (外网地址,直接与Internet相连)
eth1: 192.168.0.1 (内网地址,连接公司内部,假设公司内部使用192.168.0.0/22这4个C地址)
Client端硬件及网络环境配置:
OS: Windown 2000 XP 为主,部分Linux (配置文件通用)
单网卡,IP地址不固定
需要达到的目的:
VPN Client可以随处通过User/Pass登录VPN,访问内网资源。
Server端配置
首先检查pam-devel包是否安装,否则从系统盘安装改软件包
[root@vpn ~]# rpm -qa | grep pam
pam_smb-1.1.7-3.1
pam-0.77-40
pam_krb5-2.0.10-1
pam-devel-0.77-40
[root@vpn ~]#
检查Mysql是否安装,确认mysql-devel包已经安装,否则从系统盘安装改软件包
[root@vpn ~]# rpm -qa | grep mysql
mysql-3.23.58-9
mysql-server-3.23.58-9
mysql-devel-3.23.58-9
[root@vpn ~]#
检查lzo包是否有安装,如果没有,可以到http://rpmfind.net去找
[root@vpn ~]# rpm -qa | grep lzo
[root@vpn ~]# wget ftp://rpmfind.net/linux/dag/fedora/2/en/i386/dag/RPMS/lzo-1.08-3.1.fc2.dag.i386.rpm
[root@vpn ~]# rpm -ivh lzo-1.08-3.1.fc2.dag.i386.rpm
[root@vpn ~]# wget ftp://rpmfind.net/linux/dag/fedora/2/en/i386/dag/RPMS/lzo-devel-1.08-3.1.fc2.dag.i386.rpm
[root@vpn ~]# rpm -ivh lzo-devel-1.08-3.1.fc2.dag.i386.rpm
[root@vpn ~]# rpm -qa | grep lzo
lzo-devel-1.08-3.1.fc2.dag
lzo-1.08-3.1.fc2.dag
[root@vpn ~]#
下面开始编译安装OpenVPN
[root@vpn ~]# wget http://mesh.dl.sourceforge.net/sourceforge/openvpn/openvpn-2.0_rc16.tar.gz
[root@vpn ~]# rpmbuild -tb openvpn-2.0_rc16.tar.gz
[root@vpn ~]# cd /usr/src/redhat/RPMS/i386/
[root@vpn /usr/src/redhat/RPMS/i386]# rpm -ivh openvpn-2.0_rc6-1.i386.rpm
为了能使用OpenVPN的PAM验证插件,我们安装pam_mysql使用MySQL数据库存储用户数据,其它数据库可以找相应的PAM验证模块
[root@vpn ~]# wget http://internap.dl.sourceforge.net/sourceforge/pam-mysql/pam_mysql-0.5.tar.gz
[root@vpn ~]# tar -zxvf pam_mysql-0.5.tar.gz
[root@vpn ~]# cd pam_mysql
[root@vpn ~]# make
[root@vpn ~]# cp pam_mysql.so /lib/security/
配置数据库
以管理员身份登录数据库:
mysql>; create database vpn;
mysql>; GRANT ALL ON vpn.* TO vpn@localhost IDENTIFIED BY 'vpn123';
mysql>; flush privileges;
mysql>; use vpn;
mysql>; CREATE TABLE vpnuser (
->; name char(20) NOT NULL,
->; password char(128) default NULL,
->; active int(10) NOT NULL DEFAULT 1,
->; PRIMARY KEY (name)
->; );
mysql>; insert into vpnuser (name,password) values('elm',password('elm'));
#创建vpn用户,对vpn这个database有所有操作权限,密码为vpn123
#active不为1,无权使用VPN
#增加用户 用户名:elm 密码:elm
配置pam_mysql模块
创建/etc/pam.d/openvpn文件,文件内容如下:
===================CUT Here================
auth sufficient pam_mysql.so user=vpn passwd=vpn123 host=localhost db=vpn \
table=vpnuser usercolumn=name passwdcolumn=password \
where=active=1 sqllog=0 crypt=2
account required pam_mysql.so user=vpn passwd=vpn123 host=localhost db=vpn \
table=vpnuser usercolumn=name passwdcolumn=password \
where=active=1 sqllog=0 crypt=2
==================Cut Here=================
crypt(0) -- Used to decide to use MySQL's PASSWORD() function or crypt()
0 = No encryption. Passwords in database in plaintext. NOT recommended!
1 = Use crypt
2 = Use MySQL PASSWORD() function
下面可以测试pam_mysql是否工作正常,先检查saslauthd是否安装:
[root@vpn ~]# rpm -qa | grep sasl
cyrus-sasl-plain-2.1.18-2
cyrus-sasl-md5-2.1.18-2
cyrus-sasl-devel-2.1.18-2
cyrus-sasl-2.1.18-2
[root@vpn ~]#
有cyrus-sasl-2.1.18-2应该就可以了,如果没有请安装相应的软件包,不安装也行,可以通过其它方法测试
[root@vpn ~]# saslauthd -a pam
[root@vpn ~]# testsaslauthd -u elm -p elm -s openvpn
0: OK "Success."
[root@vpn ~]#
恭喜,pam_mysql工作正常了,下面可以开始配置OpenVPN服务器了。
配置VPN Server:
[root@vpn /usr/src/redhat/RPMS/i386]# cd
[root@vpn ~]# cp -r /usr/share/openvpn/easy-rsa/ /etc/openvpn/
[root@vpn ~]# cd /etc/openvpn/easy-rsa/
[root@vpn /etc/openvpn/easy-rsa]# vi vars
修改vars 文件
-----------------------------------------
# 定义你所在的国家,2个字符
export KEY_COUNTRY=CN
# 你所在的省份
export KEY_PROVINCE=Liaoning
# 你所在的城市
export KEY_CITY=Shenyang
# 你所在的组织
export KEY_ORG="ELM OpenVPN ORG"
# 你的邮件地址
export KEY_EMAIL="[email]elm@elm.freetcp.com[/email]"
-----------------------------------------
#使修改的环境变量生效
[root@vpn /etc/openvpn/easy-rsa]# . vars
NOTE: when you run ./clean-all, I will be doing a rm -rf on /etc/openvpn/easy-rsa/keys
#初始化keys目录
[root@vpn /etc/openvpn/easy-rsa]# ./clean-all
#生成Root CA证书,用于签发Server和Client证书,请保护好keys/ca.key文件。
[root@vpn /etc/openvpn/easy-rsa]# ./build-ca
Generating a 1024 bit RSA private key
........................++++++
.............++++++
writing new private key to 'ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]: #如果无需修改,直接回车
State or Province Name (full name) [Liaoning]:
Locality Name (eg, city) [Shenyang]:
Organization Name (eg, company) [ELM OpenVPN ORG]:
Organizational Unit Name (eg, section) []: OpenVPN Service
Common Name (eg, your name or your server's hostname) []:OpenVPN Root CA
Email Address [[email]elm@elm.freetcp.com[/email]]:
#查看生成的keys
[root@vpn /etc/openvpn/easy-rsa]# ls keys
ca.crt ca.key index.txt serial
#我们可以看到ca.crt ca.key文件已经生成了。
#面我们为服务器生成 Diffie-Hellman 文件
#TLS server 需要使用的一个文件
[root@vpn /etc/openvpn/easy-rsa]# ./build-dh
Generating DH parameters, 1024 bit long safe prime, generator 2
This is going to take a long time
..+..............................................................+.................
...................................................+....+........+.........+.......
.............................................+.+...................................
...................................................................................
............................................+......................................
.+.................................+.............+.................................
................................................+..................................
.....................+.............................++*++*++*
#创建并签发VPN Server使用的CA
# `server' 为创建后的文件名,分别为server.crt server.key
[root@vpn /etc/openvpn/easy-rsa]# ./build-key-server server
Generating a 1024 bit RSA private key
......................++++++
...............++++++
writing new private key to 'server.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [Liaoning]:
Locality Name (eg, city) [Shenyang]:
Organization Name (eg, company) [ELM OpenVPN ORG]:
Organizational Unit Name (eg, section) []:OpenVPN Service
Common Name (eg, your name or your server's hostname) []:Server No.1
Email Address [[email]elm@elm.freetcp.com[/email]]:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /etc/openvpn/easy-rsa/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName :PRINTABLE:'CN'
stateOrProvinceName :PRINTABLE:'Liaoning'
localityName :PRINTABLE:'Shenyang'
organizationName :PRINTABLE:'ELM OpenVPN ORG'
organizationalUnitName:PRINTABLE:'OpenVPN Service'
commonName :PRINTABLE:'Server No.1'
emailAddress :IA5STRING:'[email]elm@elm.freetcp.com[/email]'
Certificate is to be certified until Feb 26 14:43:44 2015 GMT (3650 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
#为防止恶意攻击(如DOS、UDP port flooding),我们生成一个"HMAC firewall"
[root@vpn /etc/openvpn/easy-rsa]# openvpn --genkey --secret keys/ta.key
#Server使用的配置文件server.conf
----------------CUT Here-------------
port 1194
;proto tcp
proto udp
;dev tap
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh1024.pem
server 10.8.0.0 255.255.0.0
ifconfig-pool-persist ipp.txt
;client-to-client
;duplicate-cn
keepalive 10 120
tls-auth ta.key 0
plugin ./openvpn-auth-pam.so openvpn
client-cert-not-required
username-as-common-name
comp-lzo
;max-clients 100
user nobody
group nobody
persist-key
persist-tun
status openvpn-status.log
;log /var/log/openvpn.log
;log-append openvpn.log
verb 4
;mute 20
--------------Cut Here-----------------
;client-to-client #如果让Client之间可以相互看见,去掉本行的注释掉,否则Client之间无法相互访问
;duplicate-cn #是否允许一个User同时登录多次,去掉本行注释后可以使用同一个用户名登录多次
plugin ./openvpn-auth-pam.so openvpn #说明使用的插件,openvpn为插件的参数,使用pam的servicesname
client-cert-not-required #不请求客户的CA证书,使用User/Pass验证
username-as-common-name #使用客户提供的UserName作为Common Name
把server.conf文件保存到/etc/opennvpn目录中,并把使用easy-rsa下的脚本什成的key都复制到/etc/openvpn目录下,命令如下:
[root@vpn /etc/openvpn/easy-rsa]# cp keys/ca.crt ../
[root@vpn /etc/openvpn/easy-rsa]# cp keys/server.crt ../
[root@vpn /etc/openvpn/easy-rsa]# cp keys/server.key ../
[root@vpn /etc/openvpn/easy-rsa]# cp keys/dh1024.pem ../
[root@vpn /etc/openvpn/easy-rsa]# cp keys/ta.key ../
[root@vpn /etc/openvpn/easy-rsa]# cp /usr/share/openvpn/plugin/lib/openvpn-auth-pam.so ../
#立即启动openenvpn
[root@vpn /etc/openvpn/easy-rsa]# /etc/init.d/openvpn start
#接下来配置客户端的配置文件client.conf:
#Linux或Unix下使用扩展名为.conf Windows下使用的是.ovpn,并把需要使用的文件复制到配置文件所在目录ca.crt ta.key
-------------Cut Here---------------------
client
;dev tap
dev tun
;proto tcp
proto udp
remote 61.1.1.2 1194
;remote my-server-2 1194
remote-random
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
auth-user-pass
ns-cert-type server
tls-auth ta.key 1
route 192.168.0.0 255.255.252.0
comp-lzo
verb 4
;mute 20
------------Cut Here-----------------------
auth-user-pass #询问用户名和密码
Linux下Client的OpenVPN的安装方法一样,只是配置文件和keys上的不同,只要把client.conf ca.crt ta.key复制到/etc/openvpn目录即可启动VPN。
Win下OpenVPN的安装,WIN下有图形界面的OpenVPN-GUI程序,下载地址http://openvpn.se
这里使用的是TUN设备,主要考虑到Client客户多,VPN的效率和广播的问题,选用TUN设备,因为客户端可能是
Windows系统,Win系统TUN设备获得的IP地址将会是/30的地址,所以有3*Client个地址浪费,所以地址池设置得比较大。
这样你每次使用VPN登录的时候,程序会自动询问你得用户名和密码,输入正确后就可以连接上VPN了,
连接VPN后所有访问内网(192.168.0.0/22)的数据都从VPN经过。
如果Win的Client比较多,可以试着把ca.crt ta.key client.ovpn打包到安装包程序里,具体操作方法参见:
http://openvpn.se/files/howto/openvpn-howto_roll_your_own_installation_package-Rev1.1.html
然后发布改软件包即可,最好小心保管ta.key文件(防止Dos攻击)。
#首先要把系统的Forward打开
[root@vpn /etc]# vi sysctl.conf
修改
# Controls IP packet forwarding
net.ipv4.ip_forward = 1
#IPTABLES的配置文件
[root@vpn /etc/sysconfig]# cat iptables
# Generated by iptables-save v1.2.1a on Tue Nov 6 19:50:51 2001
*nat
:PREROUTING ACCEPT [0]
:POSTROUTING ACCEPT [0]
:OUTPUT ACCEPT [0]
-A POSTROUTING -s 192.168.0.0/255.255.252.0 -o eth0 -j SNAT --to-source 61.1.1.2
COMMIT
*filter
:INPUT DROP [0]
:FORWARD ACCEPT [0]
:OUTPUT ACCEPT [0]
:BLOCK - [0]
:ANTIVIRUS - [0]
# block internal ip address
-A INPUT -i lo -j ACCEPT
-A INPUT -j BLOCK
-A INPUT -j ANTIVIRUS
-A BLOCK -s 192.168.0.0/16 -d 0/0 -j RETURN
-A BLOCK -s 172.16.0.0/12 -d 0/0 -j REJECT
-A BLOCK -s 10.0.0.0/8 -d 0/0 -j RETURN
-A BLOCK -s 127.0.0.0/8 -d 0/0 -j REJECT
-A BLOCK -s 0.0.0.0/8 -d 0/0 -j REJECT
-A BLOCK -s 169.254.0.0/16 -d 0/0 -j REJECT
-A BLOCK -s 192.0.2.0/24 -d 0/0 -j REJECT
-A BLOCK -s 204.152.64.0/23 -d 0/0 -j REJECT
-A BLOCK -s 224.0.0.0/3 -d 0/0 -j REJECT
-A INPUT -p icmp -j ACCEPT
# OSPFD
-A INPUT -d 224.0.0.0/24 -j ACCEPT
# sync time
-A INPUT -p udp -m udp --sport 123 -j ACCEPT
# accept dns
-A INPUT -p udp -m udp --sport 53 -j ACCEPT
# accept ssh from any
-A INPUT -p tcp -m tcp --dport 22 --syn -j ACCEPT
# accept dhcp request
-A INPUT -p udp -m udp --dport 67 -j ACCEPT
# OpenVPN 1194_UDP
-A INPUT -p udp -m udp --dport 1194 -j ACCEPT
# www
-A INPUT -p tcp -m tcp --dport 80 --syn -j ACCEPT
# keep stats
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
# Reject all packet to me
-A INPUT -p tcp -m tcp --syn -j REJECT --reject-with tcp-reset
-A INPUT -p udp -m udp -j REJECT
-A FORWARD -j ANTIVIRUS
-A ANTIVIRUS -p tcp -m tcp --dport 135:139 -j DROP
-A ANTIVIRUS -p tcp -m tcp --dport 445 -j DROP
-A ANTIVIRUS -p udp -m udp --dport 69 -j DROP
-A ANTIVIRUS -p udp -m udp --dport 135:139 -j DROP
-A ANTIVIRUS -p udp -m udp --dport 1434 -j DROP
COMMIT
[root@vpn /etc/sysconfig]#
本文是本人在实验+一字一句的敲上去,如果转载,麻烦注明出处,谢谢
Blog: http://elm.blog.edu.cn
http://blog.chinaunix.net/index.php?blogId=2389
--ELM
于沈阳 05'消费者权益日
[ 本帖最后由 wenzk 于 2006-9-27 19:33 编辑 ]
gouya 回复于:2005-03-16 10:53:04
哥们在呀,先支持一下~~~~~~~~~~~`
wenzk 回复于:2005-03-16 11:07:59
呵呵,我在呀
昨天赶出来的,不知道有没有疏漏
gouya 回复于:2005-03-16 13:28:16
谢谢。
gouya 回复于:2005-03-16 13:31:41
Wed Mar 16 13:30:28 2005 us=105890 VERIFY ERROR: depth=1, error=certificate is not yet valid: /C=CN/ST=JL/L=CC/O=GOUYA_PLAY_GAME/CN=ROOT_CA/emailAddress=gouya08@163.com
Wed Mar 16 13:30:28 2005 us=106028 TLS_ERROR: BIO read tls_read_plaintext error: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
Wed Mar 16 13:30:28 2005 us=106046 TLS Error: TLS object ->; incoming plaintext read error
Wed Mar 16 13:30:28 2005 us=106057 TLS Error: TLS handshake failed
Wed Mar 16 13:30:28 2005 us=106209 TCP/UDP: Closing socket
Wed Mar 16 13:30:28 2005 us=106311 SIGUSR1[soft,tls-error] received, process restarting
Wed Mar 16 13:30:28 2005 us=106328 Restart pause, 2 second(s)
gouya 回复于:2005-03-16 14:15:01
[root@Linux bin]# rpm -qa | grep pam
pam-0.75-48
pam_krb5-1.60-1
pam-devel-0.75-48
pam_smb-1.1.6-7
[root@Linux bin]# rpm -qa | grep mysql
mysql-3.23.54a-11
mysql-server-3.23.54a-11
php-mysql-4.2.2-17
mysql-devel-3.23.54a-11
[root@Linux bin]# rpm -qa | grep sasl
cyrus-sasl-md5-2.1.10-4
cyrus-sasl-devel-2.1.10-4
cyrus-sasl-2.1.10-4
cyrus-sasl-plain-2.1.10-4
[root@Linux pam.]#cat openvpn
auth sufficient pam_mysql.so user=vpn passwd=vpn123 host=localhost db=v
pn table=vpnuser usercolumn=name passwdcolumn=password where=active=1 sqllog=0 crypt=2
account required pam_mysql.so user=vpn passwd=vpn123 host=localhost db=v
pn table=vpnuser usercolumn=name passwdcolumn=password where=active=1 sqllog=0 crypt=2
数据库:
# phpMyAdmin MySQL-Dump
# version 2.3.2
# http://www.phpmyadmin.net/ (download page)
#
# 主机: localhost
# 建立日期: Mar 16, 2005 at 06:36 AM
# 伺服机版本: 3.23.54
# PHP 版本: 4.2.2
# 数据库 : `vpn`
# --------------------------------------------------------
#
# 数据表的结构 `vpnuser`
#
CREATE TABLE vpnuser (
name char(20) NOT NULL default '',
password char(128) default NULL,
active int(10) NOT NULL default '1',
PRIMARY KEY (name)
) TYPE=MyISAM;
#
# 导出下面的数据库内容 `vpnuser`
#
INSERT INTO vpnuser VALUES ('elm', 'elm', 1);
呵呵。。。。。谢谢。
gouya 回复于:2005-03-16 14:35:35
好象是pam_mysql没好用。。。。
REDHAT9。0下用什么命令测试。。。。pam_mysql。
wenzk 回复于:2005-03-16 15:07:50
Wed Mar 16 13:30:28 2005 us=105890 VERIFY ERROR: depth=1, error=certificate is not yet valid: /C=CN/ST=JL/L=CC/O=GOUYA_PLAY_GAME/CN=ROOT_CA/emailAddress=gouya08@163.com
这应该是client端的错误吧,确定client的ca.crt和server的一致,server所用的证书是由ca.crt签发的
wenzk 回复于:2005-03-16 15:08:54
引用:原帖由 "gouya" 发表:
好象是pam_mysql没好用。。。。
REDHAT9。0下用什么命令测试。。。。pam_mysql。
也可以安装saslauthd来检测pam是否工作正常
wenzk 回复于:2005-03-16 15:22:32
引用:原帖由 "gouya" 发表:
好象是pam_mysql没好用。。。。
REDHAT9。0下用什么命令测试。。。。pam_mysql。
Mar 16 14:24:55 vpn openvpn: pam_sm_authenticate called.
Mar 16 14:24:55 vpn openvpn: dbuser changed.
Mar 16 14:24:55 vpn openvpn: dbpasswd changed.
Mar 16 14:24:55 vpn openvpn: host changed.
Mar 16 14:24:55 vpn openvpn: database changed.
Mar 16 14:24:55 vpn openvpn: table changed.
Mar 16 14:24:55 vpn openvpn: usercolumn changed.
Mar 16 14:24:55 vpn openvpn: passwdcolumn changed.
Mar 16 14:24:55 vpn openvpn: where changed.
Mar 16 14:24:55 vpn openvpn: sqllog changed.
Mar 16 14:24:55 vpn openvpn: crypt changed.
Mar 16 14:24:55 vpn openvpn: db_connect called.
Mar 16 14:24:55 vpn openvpn: returning 0 .
Mar 16 14:24:55 vpn openvpn: db_checkpasswd called.
Mar 16 14:24:55 vpn openvpn: pam_mysql: where clause = active=1
Mar 16 14:24:55 vpn openvpn: SELECT password FROM vpnuser WHERE name='elm' AND (active=1)
Mar 16 14:24:55 vpn openvpn: sqlLog called.
Mar 16 14:24:55 vpn openvpn: returning 0 .
Mar 16 14:24:55 vpn openvpn: returning 0.
Mar 16 14:24:55 vpn openvpn: pam_mysql: acct_mgmt called but not implemented. Dont panic though :)
这是pam_mysql验证成功/var/log/message中的日志。如果失败(口令错了)
日志:
Mar 16 15:01:00 vpn ntpdate[17646]: adjust time server 202.118.1.81 offset 0.333700 sec
Mar 16 15:21:00 vpn openvpn: pam_sm_authenticate called.
Mar 16 15:21:00 vpn openvpn: dbuser changed.
Mar 16 15:21:00 vpn openvpn: dbpasswd changed.
Mar 16 15:21:00 vpn openvpn: host changed.
Mar 16 15:21:00 vpn openvpn: database changed.
Mar 16 15:21:00 vpn openvpn: table changed.
Mar 16 15:21:00 vpn openvpn: usercolumn changed.
Mar 16 15:21:00 vpn openvpn: passwdcolumn changed.
Mar 16 15:21:00 vpn openvpn: where changed.
Mar 16 15:21:00 vpn openvpn: sqllog changed.
Mar 16 15:21:00 vpn openvpn: crypt changed.
Mar 16 15:21:00 vpn openvpn: db_connect called.
Mar 16 15:21:00 vpn openvpn: returning 0 .
Mar 16 15:21:00 vpn openvpn: db_checkpasswd called.
Mar 16 15:21:00 vpn openvpn: pam_mysql: where clause = active=1
Mar 16 15:21:00 vpn openvpn: SELECT password FROM vpnuser WHERE name='elm' AND (active=1)
Mar 16 15:21:00 vpn openvpn: returning 7 .
Mar 16 15:21:00 vpn openvpn: returning 7 after db_checkpasswd.
gouya 回复于:2005-03-16 15:25:02
root@Linux bin]# rpm -qa | grep sasl
cyrus-sasl-md5-2.1.10-4
cyrus-sasl-devel-2.1.10-4
cyrus-sasl-2.1.10-4
cyrus-sasl-plain-2.1.10-4
有这个但没有testsaslauthd
gouya 回复于:2005-03-16 15:26:48
mysql>; insert into vpnuer (name,password) values('elm',password('elm'));
我是用phpmyadmin添加的“ELM”帐号。
wenzk 回复于:2005-03-16 15:29:14
引用:原帖由 "gouya"]root@Linux bin 发表:
# rpm -qa | grep sasl
cyrus-sasl-md5-2.1.10-4
cyrus-sasl-devel-2.1.10-4
cyrus-sasl-2.1.10-4
cyrus-sasl-plain-2.1.10-4
有这个但没有testsaslauthd
看看路径是否有问题
[root@vpn ~]# rpm -qa | grep sasl
cyrus-sasl-plain-2.1.18-2
cyrus-sasl-md5-2.1.18-2
cyrus-sasl-devel-2.1.18-2
cyrus-sasl-2.1.18-2
[root@vpn ~]# rpm -ql cyrus-sasl-2.1.18-2 | grep test
/usr/sbin/testsaslauthd
[root@vpn ~]#
gouya 回复于:2005-03-16 15:33:35
Last login: Wed Mar 16 07:36:52 2005
[root@Linux root]# rpm -ql cyrus-sasl-2.1.18-2 | grep test
[root@Linux root]#
gouya 回复于:2005-03-16 15:37:09
呵呵~~~~~~~~~~~``
wenzk 回复于:2005-03-16 15:38:31
引用:原帖由 "gouya"]ux root]#
发表:
root@Linux bin]# rpm -qa | grep sasl
cyrus-sasl-md5-2.1.10-4
cyrus-sasl-devel-2.1.10-4
cyrus-sasl-2.1.10-4
cyrus-sasl-plain-2.1.10-4
你的应该是
rpm -ql cyrus-sasl-2.1.10-4 | grep test
wenzk 回复于:2005-03-16 15:39:35
引用:原帖由 "gouya"]呵呵~~~~~~~~~~~``
发表:
没有必要,检查日志,看看问题出现在什么地方
这样才能找到根本的原因
gouya 回复于:2005-03-16 16:47:45
Mar 16 15:21:00 vpn openvpn: pam_mysql: where clause = active=1
Mar 16 15:21:00 vpn openvpn: SELECT password FROM vpnuser WHERE name='elm' AND (active=1)
Mar 16 15:21:00 vpn openvpn: returning 7 .
Mar 16 15:21:00 vpn openvpn: returning 7 after db_checkpasswd.
呵呵~~~~~~~~~~~
这个肯定是密码错误吗?
可密码没错呀。
wenzk 回复于:2005-03-16 16:50:38
引用:原帖由 "gouya" 发表:
Mar 16 15:21:00 vpn openvpn: pam_mysql: where clause = active=1
Mar 16 15:21:00 vpn openvpn: SELECT password FROM vpnuser WHERE name='elm' AND (active=1)
Mar 16 15:21:00 vpn openvpn: returning 7 ...........
想办法测试一下pam验证是否 有问题,一步一步排除
实在不行去下载sasl的源代码自己编译,那样肯定 有testsaslauthd了
gouya 回复于:2005-03-16 16:59:07
谢谢。。。。。。。。。。
wenzk 回复于:2005-03-16 17:01:13
兄弟,刚看到:
INSERT INTO vpnuser VALUES ('elm', 'elm', 1);
不能这么写,应该是
INSERT INTO vpnuser VALUES ('elm', password('elm'), 1);
密码我是用mysql的password函数加密过的
insert into vpnuer (name,password) values('elm',password('elm'));
最好手动输入,我没有用过mysqlphpadmin,不知道是否可以正确使用password函数加密字符串
[root@vpn ~]# mysql -u vpn -p -D vpn;
Enter password:
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 1543 to server version: 3.23.58
Type 'help;' or '\h' for help. Type '\c' to clear the buffer.
mysql>; select * from vpnuser;
+------+------------------+--------+
| name | password | active |
+------+------------------+--------+
| elm | 7bb6299c215b282b | 1 |
| wzk | 687c6752296a7c8b | 1 |
+------+------------------+--------+
2 rows in set (0.00 sec)
mysql>; \q
Bye
[root@vpn ~]#
看看你的password字串是否经过加密
gouya 回复于:2005-03-16 17:44:23
感谢你陪我度过无聊的下午。。。。。。
在XP上已经可以了,但在2000上不行。。。。。。。呵呵~~~~~~~~~~`
在问几个问题:
1、在2000下和在XP下有什么区别吗?
2、能不能不使用加密的密码?
3、怎么做成系统服务让机器启动后,自动启动VPN服务。
哥们的精神是我们永远学不完,在次表示谢。哥们的外语一定非常好,能否介绍点学外语的方法。。。。。。
我已经准备报个英语班,开学英语。。。。。。。呵呵~~~~~~~~~ :P
wenzk 回复于:2005-03-16 21:13:57
1 没有区别的,可能是其它的什么问题,我都是在2000下试验的
2 可以,把/etc/pam.d/openvpn 文件中的crypt=1 改成 crypt=0就可以了
3 在服务下可以找到OpenVPN服务的,直接设置成自动启动就OK了,默认是手动启动的
兄弟,多谢夸奖,兄弟我就英语最差,对于计算机的英语,我觉得多看几边就可以理解了
gouya 回复于:2005-03-16 23:47:12
太谦虚了。......
将服务改成自动启动,那密码到哪去读取呀?我试了,根本就不提示输入密码....
wenzk 回复于:2005-03-17 00:46:02
--auth-user-pass [up]
Authenticate with server using username/password. up is a file containing username/password on 2 lines.
If up is omitted, username/password will be prompted from the console.
呵呵;)
gouya 回复于:2005-03-17 00:57:56
Wed Mar 16 13:30:28 2005 us=105890 VERIFY ERROR: depth=1, error=certificate is not yet valid: /C=CN/ST=JL/L=CC/O=GOUYA_PLAY_GAME/CN=ROOT_CA/emailAddress=gouya08@163.com
Wed Mar 16 13:30:28 2005 us=106028 TLS_ERROR: BIO read tls_read_plaintext error: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
Wed Mar 16 13:30:28 2005 us=106046 TLS Error: TLS object ->; incoming plaintext read error
Wed Mar 16 13:30:28 2005 us=106057 TLS Error: TLS handshake failed
Wed Mar 16 13:30:28 2005 us=106209 TCP/UDP: Closing socket
Wed Mar 16 13:30:28 2005 us=106311 SIGUSR1[soft,tls-error] received, process restarting
Wed Mar 16 13:30:28 2005 us=106328 Restart pause, 2 second
同样文件COPY到有一台XP系统下一切正常工作......
可是在我自己用的这台机器上什么系统也不好用,做CA的时候也有类似的问题,后来知道怎么就好了。能不能和硬件或者系统的版本有关系呀...我用的2000是professional+SP3的.
命苦呀。~~~~~~~~~`
呵呵~~~~~~~~~~`
能不能跟版本有关系呀,...........
gouya 回复于:2005-03-17 01:15:07
引用:原帖由 "wenzk" 发表:
Authenticate with server using username/password. up is a file containing username/password on 2 lines.
If up is omitted, username/password will be prompted from the console.
呵呵;)
auth-user-pass user.txt
user.txt
elm
elm
在两行.
也不好用......
wenzk 回复于:2005-03-17 09:10:16
呵呵,看到了:)
2004.12.05 -- Version 2.0-beta20
* The ability to read --askpass and --auth-user-pass
passwords from a file has been disabled by default.
To re-enable, use ./configure --enable-password-save.
兄弟,要自己编译OpenVPN了,win下没有自己编译过:(
gouya 回复于:2005-03-17 10:22:04
呵呵。。。。。。。
1、真的要在WIN下编译才能实现,自动启动吗?
2、关于2000的问题,我测试的结果是,server下没问题,但在professional下怎么也上不去。补丁从SP2一直打到SP4,wenzk 有时间帮忙查资料是不上有这个问题。。。。有没有解决的方案。
gouya 回复于:2005-03-17 10:29:57
引用:原帖由 "gouya" 发表:
呵呵。。。。。。。
1、真的要在WIN下编译才能实现,自动启动吗?
2、关于2000的问题,我测试的结果是,server下没问题,但在professional下怎么也上不去。补丁从SP2一直打到SP4,wenzk 有时间帮忙查资料是不上有?.........
在采用CA认证中不存在2000 professional上不去的问题。
wenzk 回复于:2005-03-17 11:51:24
你换太机器试试
我测试的另一台机器就是2000 pro
没有问题的
gouya 回复于:2005-03-17 11:59:18
光盘我也换了两个,机器也换了两台,真他妈。。。。。闹挺。。。。一会我让别人在外网试试。。。。。
对了。。。用户名和密码除了编译有没有别的办法。我用的是。。。openvpn-2.0_rc16
wenzk 回复于:2005-03-17 14:29:03
那就只能手动输入了,呵呵
gouya 回复于:2005-03-17 19:52:32
辛苦了。。。。
有机会谢谢你。。。。。。。。。。。
gouya 回复于:2005-03-17 20:03:07
也不知道为什么放了。。。。24小时就好了。。。。
奇怪。。。。没有原因。
1、openvpn这东西每个客户端不知道能占用多少CPU和内存。
2、客户端这个服务器通信的是时候,能不能在服务器捕捉到客户端的信息,我才用的UDP协议。
wenzk 回复于:2005-03-17 21:00:58
引用:原帖由 "gouya" 发表:
也不知道为什么放了。。。。24小时就好了。。。。
奇怪。。。。没有原因。
1、openvpn这东西每个客户端不知道能占用多少CPU和内存。
2、客户端这个服务器通信的是时候,能不能在服务器捕捉到客户端的信息,我..........
呵呵:)
1 相对我pptpd来说,CPU使用率好像低很多。
2 tcpdump -i tun0 -n就可以看到了
gouya 回复于:2005-03-17 21:45:43
我的PPTPD在LAN内只能有一个连接,怎么解决呀。。。。。
wenzk 回复于:2005-03-17 21:56:56
听说可以打补丁,后来OpenVPN可以支持用户名密码验证我就放弃pptpd了
gouya 回复于:2005-03-19 08:05:56
我没什么事来看看,,,你呵呵~~~~~~~~~~~
gouya 回复于:2005-03-19 22:57:43
不知道TUN模式的VPN能不能防止“冲击波”一类的病毒攻击服务器
wenzk 回复于:2005-03-20 12:54:28
TUN不是万能的,Tun是IP层的一个虚拟设备
gouya 回复于:2005-03-20 12:59:52
谢谢。。。。
wenzk 回复于:2005-03-20 22:26:35
引用:原帖由 "gouya"]谢谢。。。。
发表:
不用客气
http://blog.chinaunix.net/resserver.php?blogId=2389&resource=openvpn.exe
支持从文件中读取User/Pass的OpenVPN 2.0_rc17,覆盖原来的文件即可
由于是自己编译的,不知道为什么自己编译后的程序比官方的大了不少
gouya 回复于:2005-03-20 22:44:47
tun模式的openvpn不知道,类似“冲击波”的病毒能不能攻击到VPN服务器。。。
wenzk 回复于:2005-03-20 23:12:15
那些病毒是攻击win主机的吧,这个与机器上是否安装OpenVPN没有关系
gouya 回复于:2005-03-21 09:43:45
引用:原帖由 "wenzk"]那些病毒是攻击win主机的吧,这个与机器上是否安装OpenVPN没有关系
发表:
客户端当然是WIN,客户和服务器接通后,类似于“冲击波”这些蠕虫,病毒疯狂的向服务器发包。我用SOCKS5的时候是有这种显现的。
在一个问题是能不能让OPENVPN快速更新状态文件“openvpn-status.log”默认好象要5分钟左右。例如:一个用户断线要5分钟才能,更新这个文件。。。
wenzk 回复于:2005-03-21 23:31:21
引用:原帖由 "gouya" 发表:
客户端当然是WIN,客户和服务器接通后,类似于“冲击波”这些蠕虫,病毒疯狂的向服务器发包。我用SOCKS5的时候是有这种显现的。
在一个问题是能不能让OPENVPN快速更新状态文件“openvpn-status.log”默认好象..........
这个是没有办法用VPN来防止的
--status file [n]
Write operational status to file every n seconds.
Status can also be written to the syslog by sending a SIGUSR2
signal.
--status-version [n]
Choose the status file format version number. Currently n can
be 1 or 2 and defaults to 1.
victorchang 回复于:2005-06-14 16:33:16
我在FC3 /MYSQL 3。58 /上已经测试成功了,CA方式和USNAME/PASS方式,只是有一个问题。
如果客户端每台都要安装OPENVPN的客户端程序也太麻烦了,能不能通过HTTPS的方式,再登录后,客户端只需输入用户名和口令即可以登录VPN网络,可以访问局域网内的资源呢?
谢谢 :( [size=18][/size]
wenzk 回复于:2005-06-14 20:16:18
这个是不行的,可以参考他们的ssl explorer
victorchang 回复于:2005-06-16 08:58:17
wenzk 发表于: 2005-06-14 20:16 发表主题:
--------------------------------------------------------------------------------
这个是不行的,可以参考他们的ssl explorer
————————————————————————————————
SSL EXPLORER我没有找到相关的资料,不知道能否帮助查找一下,谢谢。
wenzk 回复于:2005-06-16 20:31:30
我对这个不了解:(
ucdos2003 回复于:2006-01-27 10:35:24
insert into vpnuer (name,password) values('elm',password('elm'));
这里的vpnuer应该为vpnuser,请楼主改一下哦
huangyong191 回复于:2006-04-15 22:14:46
请问,我按照您的方法操作到验证pam_mysql是否正常的时候,提示size read failed ,我到日志里看到
Apr 15 20:09:28 adsl saslauthd[6245]: PAM unable to dlopen(/lib/security/pam_mysql.so)
Apr 15 20:09:28 adsl saslauthd[6245]: PAM [dlerror: /lib/security/pam_mysql.so: cannot open shared object file: No such file or directory]
Apr 15 20:09:28 adsl saslauthd[6245]: PAM adding faulty module: /lib/security/pam_mysql.so
Apr 15 20:09:28 adsl saslauthd[6245]: PAM (openvpn) illegal module type: crypt(0)
Apr 15 20:09:28 adsl saslauthd[6245]: PAM pam_parse: expecting return value; [...--]
Apr 15 20:09:28 adsl saslauthd[6245]: PAM unable to dlopen(/lib/security/Used)
Apr 15 20:09:28 adsl saslauthd[6245]: PAM [dlerror: /lib/security/Used: cannot open shared object file: No such file or directory]
Apr 15 20:09:28 adsl saslauthd[6245]: PAM adding faulty module: /lib/security/Used
Apr 15 20:09:28 adsl saslauthd[6245]: PAM (openvpn) illegal module type: 0
Apr 15 20:09:28 adsl saslauthd[6245]: PAM pam_parse: expecting return value; [...=]
Apr 15 20:09:28 adsl saslauthd[6245]: PAM unable to dlopen(/lib/security/No)
Apr 15 20:09:28 adsl saslauthd[6245]: PAM [dlerror: /lib/security/No: cannot open shared object file: No such file or directory]
Apr 15 20:09:28 adsl saslauthd[6245]: PAM adding faulty module: /lib/security/No
Apr 15 20:09:28 adsl saslauthd[6245]: PAM (openvpn) illegal module type: 1
Apr 15 20:09:28 adsl saslauthd[6245]: PAM pam_parse: expecting return value; [...=]
Apr 15 20:09:28 adsl saslauthd[6245]: PAM unable to dlopen(/lib/security/Use)
Apr 15 20:09:28 adsl saslauthd[6245]: PAM [dlerror: /lib/security/Use: cannot open shared object file: No such file or directory]
Apr 15 20:09:28 adsl saslauthd[6245]: PAM adding faulty module: /lib/security/Use
它是什么文件找不到呢,麻烦帮我看看!谢谢!
wenzk 回复于:2006-04-17 01:54:54
没有这个文件 /lib/security/pam_mysql.so
首先检查是否已经安装pam_mysql,如果安装了
看看是否在/usr/lib下或者其他什么地方,cp过去就OK了
huangyong191 回复于:2006-04-17 14:09:31
谢谢您的回答,我看了,/lib/security/目录里有pam_mysql.so这个文件,编译这个文件的时候有些警告,没有错误提示,编译出来后我就cp到/lib/security/里了,但就是验证不成功,我用的是redhat AS4 U1 ,不知道哪个文件找不到!谢谢你!
wenzk 回复于:2006-04-17 22:36:46
看看message文件,看什么错误
huangyong191 回复于:2006-04-18 09:49:21
Apr 15 20:09:28 adsl saslauthd[6245]: PAM unable to dlopen(/lib/security/pam_mysql.so)
Apr 15 20:09:28 adsl saslauthd[6245]: PAM [dlerror: /lib/security/pam_mysql.so: cannot open shared object file: No such file or directory]
Apr 15 20:09:28 adsl saslauthd[6245]: PAM adding faulty module: /lib/security/pam_mysql.so
Apr 15 20:09:28 adsl saslauthd[6245]: PAM (openvpn) illegal module type: crypt(0)
Apr 15 20:09:28 adsl saslauthd[6245]: PAM pam_parse: expecting return value; [...--]
Apr 15 20:09:28 adsl saslauthd[6245]: PAM unable to dlopen(/lib/security/Used)
Apr 15 20:09:28 adsl saslauthd[6245]: PAM [dlerror: /lib/security/Used: cannot open shared object file: No such file or directory]
Apr 15 20:09:28 adsl saslauthd[6245]: PAM adding faulty module: /lib/security/Used
Apr 15 20:09:28 adsl saslauthd[6245]: PAM (openvpn) illegal module type: 0
Apr 15 20:09:28 adsl saslauthd[6245]: PAM pam_parse: expecting return value; [...=]
Apr 15 20:09:28 adsl saslauthd[6245]: PAM unable to dlopen(/lib/security/No)
Apr 15 20:09:28 adsl saslauthd[6245]: PAM [dlerror: /lib/security/No: cannot open shared object file: No such file or directory]
Apr 15 20:09:28 adsl saslauthd[6245]: PAM adding faulty module: /lib/security/No
Apr 15 20:09:28 adsl saslauthd[6245]: PAM (openvpn) illegal module type: 1
Apr 15 20:09:28 adsl saslauthd[6245]: PAM pam_parse: expecting return value; [...=]
Apr 15 20:09:28 adsl saslauthd[6245]: PAM unable to dlopen(/lib/security/Use)
Apr 15 20:09:28 adsl saslauthd[6245]: PAM [dlerror: /lib/security/Use: cannot open shared object file: No such file or directory]
Apr 15 20:09:28 adsl saslauthd[6245]: PAM adding faulty module: /lib/security/Use
这就是messages日志里的记录,麻烦帮我看看,谢谢!
wenzk 回复于:2006-04-19 15:21:10
$ ldd /lib/security/pam_mysql.so
libz.so.1 => /usr/lib/libz.so.1 (0x00792000)
libmysqlclient.so.10 => /usr/lib/mysql/libmysqlclient.so.10 (0x00b1c000)
libcrypt.so.1 => /lib/libcrypt.so.1 (0x00b54000)
libc.so.6 => /lib/tls/libc.so.6 (0x007b4000)
libnsl.so.1 => /lib/libnsl.so.1 (0x009c9000)
libm.so.6 => /lib/tls/libm.so.6 (0x00997000)
/lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x003d4000)
$
把这个结果帖出来
huangyong191 回复于:2006-04-19 15:31:23
[root@adsl security]# ldd pam_mysql.so
libz.so.1 => /usr/lib/libz.so.1 (0x00b06000)
libmysqlclient.so.14 => /usr/lib/mysql/libmysqlclient.so.14 (0x00824000)
libcrypt.so.1 => /lib/libcrypt.so.1 (0x00111000)
libc.so.6 => /lib/tls/libc.so.6 (0x00508000)
libnsl.so.1 => /lib/libnsl.so.1 (0x00675000)
libm.so.6 => /lib/tls/libm.so.6 (0x0015c000)
libssl.so.4 => /lib/libssl.so.4 (0x00e1c000)
libcrypto.so.4 => /lib/libcrypto.so.4 (0x00b8e000)
/lib/ld-linux.so.2 (0x001aa000)
libgssapi_krb5.so.2 => /usr/lib/libgssapi_krb5.so.2 (0x0031f000)
libkrb5.so.3 => /usr/lib/libkrb5.so.3 (0x001c1000)
libcom_err.so.2 => /lib/libcom_err.so.2 (0x00dfe000)
libk5crypto.so.3 => /usr/lib/libk5crypto.so.3 (0x00638000)
libresolv.so.2 => /lib/libresolv.so.2 (0x0013f000)
libdl.so.2 => /lib/libdl.so.2 (0x00ff4000)
有少文件吗?谢谢!
tqbhit 回复于:2006-04-30 09:33:17
使用crypt=0好用 而用其他的crypt=1,crypt=2都不好用
crypt=0 时的帐户是未加密的,crypt=2时的帐户是加密的
crypt=2的log为
Apr 30 09:23:49 debian openvpn[3567]: pam_mysql - SELECT password FROM vpnuser WHERE name = 'elmk' AND (active=1)
pam_mysql - pam_mysql_sql_log() called.
pam_mysql - pam_mysql_sql_log() returning 0.
pam_mysql - pam_mysql_check_passwd() returning 6.
pam_mysql - pam_sm_authenticate() returning 7.
pam_mysql - pam_mysql_release_ctx() called.
pam_mysql - pam_mysql_destroy_ctx() called.
pam_mysql - pam_mysql_close_db() called.
pam_mysql - option verbose is set to "1"
pam_mysql - pam_mysql_close_db() called.
pam_mysql - pam_sm_authenticate() called.
pam_mysql - pam_mysql_converse() called.
pam_mysql - pam_mysql_open_db() called.
pam_mysql - pam_mysql_open_db() returning 0.
pam_mysql - pam_mysql_check_passwd() called.
pam_mysql - pam_mysql_format_string() called
pam_mysql - pam_mysql_quick_escape() called.
[ 本帖最后由 tqbhit 于 2006-4-30 09:38 编辑 ]
wenzk 回复于:2006-05-02 13:45:37
crypt (plain)
The method to encrypt the user's password:
0 (or "plain") = No encryption. Passwords stored in plaintext.
HIGHLY DISCOURAGED.
1 (or "Y") = Use crypt(3) function.
2 (or "mysql") = Use MySQL PASSWORD() function. It is possible
that the encryption function used by PAM-MySQL
is different from that of the MySQL server, as
PAM-MySQL uses the function defined in MySQL's
C-client API instead of using PASSWORD() SQL function
in the query.
3 (or "md5") = Use plain hex MD5.
4 (or "sha1") = Use plain hex SHA1.
函数不一样
Jedliu 回复于:2006-09-16 11:27:12
在我按照wenzk 做法在做的时候,开始的时候我使用testsaslauthd测试,没有成功,我因为pam_mysql模块的问题,因为在编译的时候报如下的错误:
mkdir -p ./dynamic
gcc -O2 -Dlinux -DLINUX_PAM -ansi -D_POSIX_SOURCE -Wall -Wwrite-strings -Wpointer-arith -Wcast-qual -Wcast-align -Wtraditional -Wstrict-prototypes -Wmissing-prototypes -Wnested-externs -Winline -Wshadow -pedantic -fPIC -DPAM_DYNAMIC -c pam_mysql.c -o dynamic/pam_mysql.o
pam_mysql.c: In function `breakArgs':
pam_mysql.c:157: warning: traditional C rejects ISO C style function definitions
pam_mysql.c: In function `parseArgs':
pam_mysql.c:233: warning: traditional C rejects ISO C style function definitions
pam_mysql.c: In function `db_connect':
pam_mysql.c:391: warning: traditional C rejects ISO C style function definitions
pam_mysql.c: In function `db_close':
pam_mysql.c:420: warning: traditional C rejects ISO C style function definitions
pam_mysql.c: In function `db_checkpasswd':
pam_mysql.c:429: warning: traditional C rejects ISO C style function definitions
pam_mysql.c: In function `converse':
pam_mysql.c:613: warning: traditional C rejects ISO C style function definitions
pam_mysql.c:617: warning: dereferencing type-punned pointer will break strict-aliasing rules
pam_mysql.c: In function `saltify':
pam_mysql.c:636: warning: traditional C rejects ISO C style function definitions
pam_mysql.c: In function `updatePasswd':
pam_mysql.c:675: warning: traditional C rejects ISO C style function definitions
pam_mysql.c: In function `askForPassword':
pam_mysql.c:800: warning: traditional C rejects ISO C style function definitions
pam_mysql.c: In function `sqlLog':
pam_mysql.c:839: warning: traditional C rejects ISO C style function definitions
pam_mysql.c: In function `pam_sm_authenticate':
pam_mysql.c:982: warning: traditional C rejects ISO C style function definitions
pam_mysql.c:1009: warning: dereferencing type-punned pointer will break strict-aliasing rules
pam_mysql.c:1014: warning: dereferencing type-punned pointer will break strict-aliasing rules
pam_mysql.c: In function `pam_sm_acct_mgmt':
pam_mysql.c:1047: warning: traditional C rejects ISO C style function definitions
pam_mysql.c: In function `pam_sm_setcred':
pam_mysql.c:1057: warning: traditional C rejects ISO C style function definitions
pam_mysql.c: In function `pam_sm_chauthtok':
pam_mysql.c:1069: warning: traditional C rejects ISO C style function definitions
pam_mysql.c:1113: warning: dereferencing type-punned pointer will break strict-aliasing rules
pam_mysql.c:1120: warning: dereferencing type-punned pointer will break strict-aliasing rules
pam_mysql.c:1147: warning: dereferencing type-punned pointer will break strict-aliasing rules
pam_mysql.c:1158: warning: dereferencing type-punned pointer will break strict-aliasing rules
pam_mysql.c:1173: warning: dereferencing type-punned pointer will break strict-aliasing rules
pam_mysql.c:1180: warning: dereferencing type-punned pointer will break strict-aliasing rules
pam_mysql.c: In function `pam_sm_open_session':
pam_mysql.c:1201: warning: traditional C rejects ISO C style function definitions
pam_mysql.c: In function `pam_sm_close_session':
pam_mysql.c:1211: warning: traditional C rejects ISO C style function definitions
gcc -shared -Xlinker -x -L/usr/lib/mysql -lz -o pam_mysql.so dynamic/pam_mysql.o -lmysqlclient -lcrypt
我的网络上找相关的资料,但是没有找到解决的办法,却在http://bbs.chinaunix.net/viewthread.php?tid=818254的帖子中发现password加密的长度的问题,在wenzk建表中,password设置的是char(12),于是我重新设置password字段的长度,问题解决0: OK "Success."
在那个帖子中提到password的长度是41位,但是我用select LENGTH(PASSWOR('test'))得出的却是16,而wenzk设置的是12,不知道这其中的缘由....
[ 本帖最后由 Jedliu 于 2006-9-16 11:38 编辑 ]
wenzk 回复于:2006-09-25 11:59:58
引用:原帖由 Jedliu 于 2006-9-16 11:27 发表
在我按照wenzk 做法在做的时候,开始的时候我使用testsaslauthd测试,没有成功,我因为pam_mysql模块的问题,因为在编译的时候报如下的错误:
mkdir -p ./dynamic
gcc -O2 -Dlinux -DLINUX_PAM -ansi - ...
呵呵,刚才查了一下,由于发表文章的时候没有把表情符号禁用,原先设置是128的,后来只能看到12,目前已经将原帖的表情符号禁用了
多谢提醒
[ 本帖最后由 wenzk 于 2006-9-27 19:35 编辑 ]
zhangshoug 回复于:2006-12-14 23:20:25
我想要同时使用CA认证和USER\pass认证,应该怎么配置?就像l2tp\ipsec的配置先ipsec用CA认证,成功后l2tp用USER\pass认证。也就是要经过两次认证均成功才能连通vpn.
wenzk 回复于:2006-12-15 10:29:26
引用:原帖由 zhangshoug 于 2006-12-14 23:20 发表
我想要同时使用CA认证和USER\pass认证,应该怎么配置?就像l2tp\ipsec的配置先ipsec用CA认证,成功后l2tp用USER\pass认证。也就是要经过两次认证均成功才能连通vpn.
可以实现的
ioiioi 回复于:2006-12-18 09:39:19
openvpn可以结合ldap验证用户吗?
如果能和win AD就更好了,可以吗?
zhangshoug 回复于:2007-01-06 22:13:09
plugin ./openvpn-auth-pam.so openvpn
openvpn-auth-pam.so这个文件在什么地方,我的机器上怎么没有这个文件?
wenzk 回复于:2007-01-08 00:29:26
rpm -ql `rpm -qa | grep openvpn` | grep auth
zhangshoug 回复于:2007-01-09 11:37:21
我是自己从源码编译安装的openvpn,使用的是openvpn-2.0.9.tar.gz
wenzk 回复于:2007-01-10 08:48:28
引用:原帖由 zhangshoug 于 2007-1-9 11:37 发表
我是自己从源码编译安装的openvpn,使用的是openvpn-2.0.9.tar.gz
到源代码目录找
zhangshoug 回复于:2007-01-10 18:22:39
# cd /usr/local/src/openvpn-2.0.9
# find . -print|grep openvpn-auth-pam.so
没有返回任何结果.
wenzk 回复于:2007-01-10 20:45:12
引用:原帖由 zhangshoug 于 2007-1-10 18:22 发表
# cd /usr/local/src/openvpn-2.0.9
# find . -print|grep openvpn-auth-pam.so
没有返回任何结果.
bash-2.05b# pwd
/root/openvpn-2.0.5
bash-2.05b# find . -name "*pam*"
./plugin/auth-pam
./plugin/auth-pam/auth-pam.c
./plugin/auth-pam/pamdl.c
./plugin/auth-pam/pamdl.h
./plugin/auth-pam/auth-pam.o
./plugin/auth-pam/pamdl.o
./plugin/auth-pam/openvpn-auth-pam.so
./sample-scripts/auth-pam.pl
bash-2.05b#
如果没有就
cd plugin/auth-pam
make
[ 本帖最后由 wenzk 于 2007-1-10 20:46 编辑 ]
zhy0414 回复于:2007-05-23 17:38:34
请问我在testsaslauthd -u elm -p elm -s openvpn
时候也是显示:
size read failed
为啥?
我的password长的写的是128啊
zhy0414 回复于:2007-05-23 17:53:02
现在显示connect() : Connection refused
在 testsaslauthd -u elm -p elm -s openvpn时候
为什吗?
所有设置都是按照文档进行的
mysql不是很熟悉,请指点一下,谢谢
wenzk 回复于:2007-05-24 00:18:47
saslauthd没有启动吧
zhy0414 回复于:2007-05-24 09:07:42
多谢指点,确实是没有启动,万分感激
zhy0414 回复于:2007-05-24 09:19:24
现在提示0: NO "authentication failed"
是哪里的问题?
谢谢
wenzk 回复于:2007-05-25 09:22:37
把password字段的加密取消试试
jessewan 回复于:2007-05-28 00:16:27
好帖子
感谢
cjc108 回复于:2007-06-04 01:16:10
wenzk 版主:
您好,我按照您的文章试着在Slackware 11 Linux 下实践了一下,我从网上弄了个openvpn-2.0.9-i486.tgz的包,直接installpkg openvpn-2.0.9-i486.tgz后,chmod +x /etc/rc.d/rc.openvpn 再在rc.M中增加启动rc.openvpn的语句,然后reboot,奇怪的是居然提示openvpn启动成功了,而我还没有做任何配置的 ?!
由于从源码编译pam_mysql,./configure时总提示什么 cpp 错误的,所以我就抓个pam_mysql-0.6.2.i386.rpm回来, 装了后/lib/security/下也发现有了pam_mysql.so ,还有我无法测试pam_mysql是否成功,因为我的saslauthd启动不了!然后生成证书等,都很正常,但到后来#find / -name "openvpv-auth-pam.so"根本就没有,[难道是openvpn的版本问题 ?] 无奈下,我直接从一个openvpn-2.1-0.19.rc4.fc7.i386.rpm中提取了一个openvpv-auth-pam.so出来
放到了/etc/openvpn/下,也把server.conf ,证书等放到了/etc/openvpn/下
这时候reboot,不幸的是openvpn好象启动了,但提示something is wrong !
#!/bin/sh
#
# openvpn This shell script takes care of starting and stopping
# openvpn on RedHat or other chkconfig-based system.
#
# chkconfig: 345 24 76
#
# description: OpenVPN is a robust and highly flexible tunneling application that
# uses all of the encryption, authentication, and certification features
# of the OpenSSL library to securely tunnel IP networks over a single
# UDP port.
#
# Contributed to the OpenVPN project by
# Douglas Keller <doug@voidstar.dyndns.org>
# 2002.05.15
# Location of openvpn binary
openvpn=""
openvpn_locations="/usr/sbin/openvpn /usr/local/sbin/openvpn"
for location in $openvpn_locations
do
if [ -f "$location" ]
then
openvpn=$location
fi
done
# Lockfile
lock="/var/lock/subsys/openvpn"
# PID directory
piddir="/var/run/openvpn"
# Our working directory
work=/etc/openvpn
# Check that binary exists
if ! [ -f $openvpn ]
then
echo "openvpn binary not found"
exit 0
fi
# See how we were called.
case "$1" in
start)
echo -n $"Starting openvpn: "
# /sbin/modprobe tun >/dev/null 2>&1
# From a security perspective, I think it makes
# sense to remove this, and have users who need
# it explictly enable in their --up scripts or
# firewall setups.
#echo 1 > /proc/sys/net/ipv4/ip_forward
# Run startup script, if defined
if [ -f $work/openvpn-startup ]; then
$work/openvpn-startup
fi
if [ ! -d $piddir ]; then
mkdir $piddir
fi
if [ -f $lock ]; then
# we were not shut down correctly
for pidf in `/bin/ls $piddir/*.pid 2>/dev/null`; do
if [ -s $pidf ]; then
kill `cat $pidf` >/dev/null 2>&1
fi
rm -f $pidf
done
rm -f $lock
sleep 2
fi
rm -f $piddir/*.pid
cd $work
# Start every .conf in $work and run .sh if exists
errors=0
successes=0
for c in `/bin/ls *.conf 2>/dev/null`; do
bn=${c%%.conf}
if [ -f "$bn.sh" ]; then
. $bn.sh
fi
rm -f $piddir/$bn.pid
$openvpn --daemon --writepid $piddir/$bn.pid --config $c --cd $work
if [ $? = 0 ]; then
successes=1
else
errors=1
fi
done
if [ $errors = 1 ]; then
echo "Something is wrong"
else
echo "All done"
fi
if [ $successes = 1 ]; then
touch $lock
fi
;;
stop)
echo -n $"Shutting down openvpn: "
for pidf in `/bin/ls $piddir/*.pid 2>/dev/null`; do
if [ -s $pidf ]; then
kill `cat $pidf` >/dev/null 2>&1
fi
rm -f $pidf
done
# Run shutdown script, if defined
if [ -f $work/openvpn-shutdown ]; then
$work/openvpn-shutdown
fi
rm -f $lock
;;
restart)
$0 stop
sleep 2
$0 start
;;
reload)
if [ -f $lock ]; then
for pidf in `/bin/ls $piddir/*.pid 2>/dev/null`; do
if [ -s $pidf ]; then
kill -HUP `cat $pidf` >/dev/null 2>&1
fi
done
else
echo "openvpn: service not started"
exit 1
fi
;;
reopen)
if [ -f $lock ]; then
for pidf in `/bin/ls $piddir/*.pid 2>/dev/null`; do
if [ -s $pidf ]; then
kill -USR1 `cat $pidf` >/dev/null 2>&1
fi
done
else
echo "openvpn: service not started"
exit 1
fi
;;
condrestart)
if [ -f $lock ]; then
$0 stop
# avoid race
sleep 2
$0 start
fi
;;
status)
if [ -f $lock ]; then
for pidf in `/bin/ls $piddir/*.pid 2>/dev/null`; do
if [ -s $pidf ]; then
kill -USR2 `cat $pidf` >/dev/null 2>&1
fi
done
echo "Status written to /var/log/messages"
else
echo "openvpn: service not started"
exit 1
fi
;;
*)
echo "Usage: openvpn {start|stop|restart|condrestart|reload|reopen|status}"
exit 1
;;
esac
exit 0
怎么办 ?我还用不了openvpn :em16: !!
[ 本帖最后由 cjc108 于 2007-6-4 01:18 编辑 ]
wenzk 回复于:2007-06-05 11:04:00
不太清楚那些系统,所以他们的包里面有什么东西也不好说
嘿嘿,我现在没有办法解决哦
cjc108 回复于:2007-06-06 00:52:50
大哥,可以帮分析下什么问题么 ?
[ 本帖最后由 cjc108 于 2007-6-8 19:10 编辑 ]
wenzk 回复于:2007-06-07 11:43:44
日志太少
改成verb 4然后贴全日志
cjc108 回复于:2007-06-07 18:24:48
唉,通过在linuxpackages.net下一个Linux-PAM ,install后,重新编译那2个.so,有趣的是,OpenVPN竟然可以启动起来了!
/var/log/openvpn.log
Fri Jun 8 17:50:51 2007 us=322166 Current Parameter Settings:
Fri Jun 8 17:50:51 2007 us=323164 config = 'server.conf'
Fri Jun 8 17:50:51 2007 us=323208 mode = 1
Fri Jun 8 17:50:51 2007 us=323363 persist_config = DISABLED
Fri Jun 8 17:50:51 2007 us=323408 persist_mode = 1
Fri Jun 8 17:50:51 2007 us=323436 show_ciphers = DISABLED
Fri Jun 8 17:50:51 2007 us=323464 show_digests = DISABLED
Fri Jun 8 17:50:51 2007 us=323491 show_engines = DISABLED
Fri Jun 8 17:50:51 2007 us=323519 genkey = DISABLED
Fri Jun 8 17:50:51 2007 us=323547 key_pass_file = '[UNDEF]'
Fri Jun 8 17:50:51 2007 us=323574 show_tls_ciphers = DISABLED
Fri Jun 8 17:50:51 2007 us=323602 proto = 0
Fri Jun 8 17:50:51 2007 us=323630 local = '199.199.199.68'
Fri Jun 8 17:50:51 2007 us=323660 remote_list = NULL
Fri Jun 8 17:50:51 2007 us=323728 remote_random = DISABLED
Fri Jun 8 17:50:51 2007 us=323760 local_port = 1194
Fri Jun 8 17:50:51 2007 us=323787 remote_port = 1194
Fri Jun 8 17:50:51 2007 us=323815 remote_float = DISABLED
Fri Jun 8 17:50:51 2007 us=323842 ipchange = '[UNDEF]'
Fri Jun 8 17:50:51 2007 us=323870 bind_local = ENABLED
Fri Jun 8 17:50:51 2007 us=323898 dev = 'tap'
Fri Jun 8 17:50:51 2007 us=323925 dev_type = '[UNDEF]'
Fri Jun 8 17:50:51 2007 us=323953 dev_node = '[UNDEF]'
Fri Jun 8 17:50:51 2007 us=323981 tun_ipv6 = DISABLED
Fri Jun 8 17:50:51 2007 us=324008 ifconfig_local = '10.5.0.1'
Fri Jun 8 17:50:51 2007 us=324052 ifconfig_remote_netmask = '255.255.255.0'
Fri Jun 8 17:50:51 2007 us=324083 ifconfig_noexec = DISABLED
Fri Jun 8 17:50:51 2007 us=324111 ifconfig_nowarn = DISABLED
Fri Jun 8 17:50:51 2007 us=324138 shaper = 0
Fri Jun 8 17:50:51 2007 us=324166 tun_mtu = 1500
Fri Jun 8 17:50:51 2007 us=324193 tun_mtu_defined = ENABLED
Fri Jun 8 17:50:51 2007 us=324221 link_mtu = 1500
Fri Jun 8 17:50:51 2007 us=324249 link_mtu_defined = DISABLED
Fri Jun 8 17:50:51 2007 us=324276 tun_mtu_extra = 32
Fri Jun 8 17:50:51 2007 us=324304 tun_mtu_extra_defined = ENABLED
Fri Jun 8 17:50:51 2007 us=324332 fragment = 0
Fri Jun 8 17:50:51 2007 us=324490 mtu_discover_type = -1
Fri Jun 8 17:50:51 2007 us=324521 mtu_test = 0
Fri Jun 8 17:50:51 2007 us=324549 mlock = DISABLED
Fri Jun 8 17:50:51 2007 us=324638 keepalive_ping = 10
Fri Jun 8 17:50:51 2007 us=324666 keepalive_timeout = 120
Fri Jun 8 17:50:51 2007 us=324694 inactivity_timeout = 0
Fri Jun 8 17:50:51 2007 us=324722 ping_send_timeout = 10
Fri Jun 8 17:50:51 2007 us=324749 ping_rec_timeout = 240
Fri Jun 8 17:50:51 2007 us=324777 ping_rec_timeout_action = 2
Fri Jun 8 17:50:51 2007 us=324805 ping_timer_remote = DISABLED
Fri Jun 8 17:50:51 2007 us=324833 remap_sigusr1 = 0
Fri Jun 8 17:50:51 2007 us=324875 explicit_exit_notification = 0
Fri Jun 8 17:50:51 2007 us=324903 persist_tun = ENABLED
Fri Jun 8 17:50:51 2007 us=324931 persist_local_ip = DISABLED
Fri Jun 8 17:50:51 2007 us=324959 persist_remote_ip = DISABLED
Fri Jun 8 17:50:51 2007 us=324986 persist_key = ENABLED
Fri Jun 8 17:50:51 2007 us=325014 mssfix = 1450
Fri Jun 8 17:50:51 2007 us=325041 passtos = DISABLED
Fri Jun 8 17:50:51 2007 us=325069 resolve_retry_seconds = 1000000000
Fri Jun 8 17:50:51 2007 us=325097 connect_retry_seconds = 5
Fri Jun 8 17:50:51 2007 us=325125 username = 'nobody'
Fri Jun 8 17:50:51 2007 us=325153 groupname = 'nobody'
Fri Jun 8 17:50:51 2007 us=325180 chroot_dir = '[UNDEF]'
Fri Jun 8 17:50:51 2007 us=325208 cd_dir = '/etc/openvpn'
Fri Jun 8 17:50:51 2007 us=325236 writepid = '/var/run/openvpn/server.pid'
Fri Jun 8 17:50:51 2007 us=325264 up_script = '[UNDEF]'
Fri Jun 8 17:50:51 2007 us=325291 down_script = '[UNDEF]'
Fri Jun 8 17:50:51 2007 us=325318 down_pre = DISABLED
Fri Jun 8 17:50:51 2007 us=325346 up_restart = DISABLED
Fri Jun 8 17:50:51 2007 us=325373 up_delay = DISABLED
Fri Jun 8 17:50:51 2007 us=325401 daemon = ENABLED
Fri Jun 8 17:50:51 2007 us=325429 inetd = 0
Fri Jun 8 17:50:51 2007 us=328809 log = ENABLED
Fri Jun 8 17:50:51 2007 us=328907 suppress_timestamps = DISABLED
Fri Jun 8 17:50:51 2007 us=329122 nice = 0
Fri Jun 8 17:50:51 2007 us=329155 verbosity = 4
Fri Jun 8 17:50:51 2007 us=329183 mute = 0
Fri Jun 8 17:50:51 2007 us=329211 gremlin = 0
Fri Jun 8 17:50:51 2007 us=329239 status_file = 'openvpn-status.log'
Fri Jun 8 17:50:51 2007 us=329267 status_file_version = 1
Fri Jun 8 17:50:51 2007 us=329295 status_file_update_freq = 60
Fri Jun 8 17:50:51 2007 us=329323 occ = ENABLED
Fri Jun 8 17:50:51 2007 us=329351 rcvbuf = 65536
Fri Jun 8 17:50:51 2007 us=329379 sndbuf = 65536
Fri Jun 8 17:50:51 2007 us=329408 socks_proxy_server = '[UNDEF]'
Fri Jun 8 17:50:51 2007 us=329436 socks_proxy_port = 0
Fri Jun 8 17:50:51 2007 us=329464 socks_proxy_retry = DISABLED
Fri Jun 8 17:50:51 2007 us=329548 fast_io = DISABLED
Fri Jun 8 17:50:51 2007 us=329576 comp_lzo = ENABLED
Fri Jun 8 17:50:51 2007 us=329604 comp_lzo_adaptive = ENABLED
Fri Jun 8 17:50:51 2007 us=329632 route_script = '[UNDEF]'
Fri Jun 8 17:50:51 2007 us=329660 route_default_gateway = '[UNDEF]'
Fri Jun 8 17:50:51 2007 us=329688 route_noexec = DISABLED
Fri Jun 8 17:50:51 2007 us=329716 route_delay = 0
Fri Jun 8 17:50:51 2007 us=329744 route_delay_window = 30
Fri Jun 8 17:50:51 2007 us=329772 route_delay_defined = DISABLED
Fri Jun 8 17:50:51 2007 us=329800 management_addr = '[UNDEF]'
Fri Jun 8 17:50:51 2007 us=329828 management_port = 0
Fri Jun 8 17:50:51 2007 us=329856 management_user_pass = '[UNDEF]'
Fri Jun 8 17:50:51 2007 us=329884 management_log_history_cache = 250
Fri Jun 8 17:50:51 2007 us=329913 management_echo_buffer_size = 100
Fri Jun 8 17:50:51 2007 us=329941 management_query_passwords = DISABLED
Fri Jun 8 17:50:51 2007 us=329969 management_hold = DISABLED
Fri Jun 8 17:50:51 2007 us=330001 plugin[0] ./openvpn-auth-pam.so 'openvpn'
Fri Jun 8 17:50:51 2007 us=330031 shared_secret_file = '[UNDEF]'
Fri Jun 8 17:50:51 2007 us=330059 key_direction = 1
Fri Jun 8 17:50:51 2007 us=330088 ciphername_defined = ENABLED
Fri Jun 8 17:50:51 2007 us=330116 ciphername = 'BF-CBC'
Fri Jun 8 17:50:51 2007 us=330144 authname_defined = ENABLED
Fri Jun 8 17:50:51 2007 us=330172 authname = 'SHA1'
Fri Jun 8 17:50:51 2007 us=330199 keysize = 0
Fri Jun 8 17:50:51 2007 us=330227 engine = DISABLED
Fri Jun 8 17:50:51 2007 us=330255 replay = ENABLED
Fri Jun 8 17:50:51 2007 us=330299 mute_replay_warnings = DISABLED
Fri Jun 8 17:50:51 2007 us=330328 replay_window = 64
Fri Jun 8 17:50:51 2007 us=330355 replay_time = 15
Fri Jun 8 17:50:51 2007 us=330383 packet_id_file = '[UNDEF]'
Fri Jun 8 17:50:51 2007 us=330411 use_iv = ENABLED
Fri Jun 8 17:50:51 2007 us=330438 test_crypto = DISABLED
Fri Jun 8 17:50:51 2007 us=330542 tls_server = ENABLED
Fri Jun 8 17:50:51 2007 us=330574 tls_client = DISABLED
Fri Jun 8 17:50:51 2007 us=330602 key_method = 2
Fri Jun 8 17:50:51 2007 us=330629 ca_file = 'ca.crt'
Fri Jun 8 17:50:51 2007 us=330657 dh_file = 'dh1024.pem'
Fri Jun 8 17:50:51 2007 us=330685 cert_file = 'server.crt'
Fri Jun 8 17:50:51 2007 us=330713 priv_key_file = 'server.key'
Fri Jun 8 17:50:51 2007 us=330741 pkcs12_file = '[UNDEF]'
Fri Jun 8 17:50:51 2007 us=330768 cipher_list = '[UNDEF]'
Fri Jun 8 17:50:51 2007 us=330796 tls_verify = '[UNDEF]'
Fri Jun 8 17:50:51 2007 us=330824 tls_remote = '[UNDEF]'
Fri Jun 8 17:50:51 2007 us=330851 crl_file = '[UNDEF]'
Fri Jun 8 17:50:51 2007 us=330879 ns_cert_type = 0
Fri Jun 8 17:50:51 2007 us=330907 tls_timeout = 2
Fri Jun 8 17:50:51 2007 us=330935 renegotiate_bytes = 0
Fri Jun 8 17:50:51 2007 us=330963 renegotiate_packets = 0
Fri Jun 8 17:50:51 2007 us=330991 renegotiate_seconds = 3600
Fri Jun 8 17:50:51 2007 us=331020 handshake_window = 60
Fri Jun 8 17:50:51 2007 us=331047 transition_window = 3600
Fri Jun 8 17:50:51 2007 us=331095 single_session = DISABLED
Fri Jun 8 17:50:51 2007 us=331124 tls_exit = DISABLED
Fri Jun 8 17:50:51 2007 us=331152 tls_auth_file = 'ta.key'
Fri Jun 8 17:50:51 2007 us=331188 server_network = 10.5.0.0
Fri Jun 8 17:50:51 2007 us=331506 server_netmask = 255.255.255.0
Fri Jun 8 17:50:51 2007 us=331547 server_bridge_ip = 0.0.0.0
Fri Jun 8 17:50:51 2007 us=331577 server_bridge_netmask = 0.0.0.0
Fri Jun 8 17:50:51 2007 us=331606 server_bridge_pool_start = 0.0.0.0
Fri Jun 8 17:50:51 2007 us=331636 server_bridge_pool_end = 0.0.0.0
Fri Jun 8 17:50:51 2007 us=331664 push_list = 'route-gateway 10.5.0.1,ping 10,ping-restart 120'
Fri Jun 8 17:50:51 2007 us=331693 ifconfig_pool_defined = ENABLED
Fri Jun 8 17:50:51 2007 us=331722 ifconfig_pool_start = 10.5.0.2
Fri Jun 8 17:50:51 2007 us=331751 ifconfig_pool_end = 10.5.0.254
Fri Jun 8 17:50:51 2007 us=331780 ifconfig_pool_netmask = 255.255.255.0
Fri Jun 8 17:50:51 2007 us=331809 ifconfig_pool_persist_filename = 'ipp.txt'
Fri Jun 8 17:50:51 2007 us=331837 ifconfig_pool_persist_refresh_freq = 600
Fri Jun 8 17:50:51 2007 us=331865 ifconfig_pool_linear = DISABLED
Fri Jun 8 17:50:51 2007 us=331945 n_bcast_buf = 256
Fri Jun 8 17:50:51 2007 us=331973 tcp_queue_limit = 64
Fri Jun 8 17:50:51 2007 us=332001 real_hash_size = 256
Fri Jun 8 17:50:51 2007 us=332029 virtual_hash_size = 256
Fri Jun 8 17:50:51 2007 us=332057 client_connect_script = '[UNDEF]'
Fri Jun 8 17:50:51 2007 us=332085 learn_address_script = '[UNDEF]'
Fri Jun 8 17:50:51 2007 us=332114 client_disconnect_script = '[UNDEF]'
Fri Jun 8 17:50:51 2007 us=332142 client_config_dir = '[UNDEF]'
Fri Jun 8 17:50:51 2007 us=332170 ccd_exclusive = DISABLED
Fri Jun 8 17:50:51 2007 us=332197 tmp_dir = '[UNDEF]'
Fri Jun 8 17:50:51 2007 us=332225 push_ifconfig_defined = DISABLED
Fri Jun 8 17:50:51 2007 us=332359 push_ifconfig_local = 0.0.0.0
Fri Jun 8 17:50:51 2007 us=332398 push_ifconfig_remote_netmask = 0.0.0.0
Fri Jun 8 17:50:51 2007 us=332427 enable_c2c = ENABLED
Fri Jun 8 17:50:51 2007 us=332455 duplicate_cn = DISABLED
Fri Jun 8 17:50:51 2007 us=332482 cf_max = 0
Fri Jun 8 17:50:51 2007 us=332511 cf_per = 0
Fri Jun 8 17:50:51 2007 us=332539 max_clients = 1024
Fri Jun 8 17:50:51 2007 us=332568 max_routes_per_client = 256
Fri Jun 8 17:50:51 2007 us=332596 client_cert_not_required = ENABLED
Fri Jun 8 17:50:51 2007 us=332624 username_as_common_name = ENABLED
Fri Jun 8 17:50:51 2007 us=332749 auth_user_pass_verify_script = '[UNDEF]'
Fri Jun 8 17:50:51 2007 us=332780 auth_user_pass_verify_script_via_file = DISABLED
Fri Jun 8 17:50:51 2007 us=332808 client = DISABLED
Fri Jun 8 17:50:51 2007 us=332835 pull = DISABLED
Fri Jun 8 17:50:51 2007 us=332863 auth_user_pass_file = '[UNDEF]'
Fri Jun 8 17:50:51 2007 us=332930 OpenVPN 2.0.9 i686-pc-linux [SSL] [LZO] built on Jun 6 2007
Fri Jun 8 17:50:51 2007 us=440021 PLUGIN_INIT: POST ./openvpn-auth-pam.so 'openvpn' intercepted=PLUGIN_AUTH_USER_PASS_VERIFY
Fri Jun 8 17:50:51 2007 us=589419 Diffie-Hellman initialized with 1024 bit key
Fri Jun 8 17:50:51 2007 us=771246 WARNING: file 'server.key' is group or others accessible
Fri Jun 8 17:50:51 2007 us=859250 WARNING: This configuration may accept clients which do not present a certificate
Fri Jun 8 17:50:51 2007 us=863360 WARNING: file 'ta.key' is group or others accessible
Fri Jun 8 17:50:51 2007 us=863502 Control Channel Authentication: using 'ta.key' as a OpenVPN static key file
Fri Jun 8 17:50:51 2007 us=874085 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Fri Jun 8 17:50:51 2007 us=874264 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Fri Jun 8 17:50:51 2007 us=875250 TLS-Auth MTU parms [ L:1574 D:166 EF:66 EB:0 ET:0 EL:0 ]
Fri Jun 8 17:50:52 2007 us=439336 TUN/TAP device tap0 opened
Fri Jun 8 17:50:52 2007 us=463410 TUN/TAP TX queue length set to 100
Fri Jun 8 17:50:52 2007 us=469671 /sbin/ifconfig tap0 10.5.0.1 netmask 255.255.255.0 mtu 1500 broadcast 10.5.0.255
Fri Jun 8 17:50:52 2007 us=649895 Data Channel MTU parms [ L:1574 D:1450 EF:42 EB:135 ET:32 EL:0 AF:3/1 ]
Fri Jun 8 17:50:52 2007 us=681399 GID set to nobody
Fri Jun 8 17:50:52 2007 us=682098 UID set to nobody
Fri Jun 8 17:50:52 2007 us=682683 Socket Buffers: R=[107520->131072] S=[107520->131072]
Fri Jun 8 17:50:52 2007 us=683364 UDPv4 link local (bound): 199.199.199.68:1194
Fri Jun 8 17:50:52 2007 us=683582 UDPv4 link remote: [undef]
Fri Jun 8 17:50:52 2007 us=706233 MULTI: multi_init called, r=256 v=256
Fri Jun 8 17:50:52 2007 us=741811 IFCONFIG POOL: base=10.5.0.2 size=253
Fri Jun 8 17:50:52 2007 us=742355 IFCONFIG POOL LIST
Fri Jun 8 17:50:52 2007 us=742424 dcmserp,10.5.0.2
Fri Jun 8 17:50:52 2007 us=742451 test,10.5.0.3
Fri Jun 8 17:50:52 2007 us=743034 Initialization Sequence Completed
Fri Jun 8 17:52:06 2007 us=979737 MULTI: multi_create_instance called
Fri Jun 8 17:52:07 2007 us=420 199.199.199.69:1074 Re-using SSL/TLS context
Fri Jun 8 17:52:07 2007 us=925 199.199.199.69:1074 LZO compression initialized
Fri Jun 8 17:52:07 2007 us=42159 199.199.199.69:1074 Control Channel MTU parms [ L:1574 D:166 EF:66 EB:0 ET:0 EL:0 ]
Fri Jun 8 17:52:07 2007 us=42322 199.199.199.69:1074 Data Channel MTU parms [ L:1574 D:1450 EF:42 EB:135 ET:32 EL:0 AF:3/1 ]
Fri Jun 8 17:52:07 2007 us=42607 199.199.199.69:1074 Local Options String: 'V4,dev-type tap,link-mtu 1574,tun-mtu 1532,proto UDPv4,comp-lzo,keydir 0,cipher BF-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-server'
Fri Jun 8 17:52:07 2007 us=42637 199.199.199.69:1074 Expected Remote Options String: 'V4,dev-type tap,link-mtu 1574,tun-mtu 1532,proto UDPv4,comp-lzo,keydir 1,cipher BF-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-client'
Fri Jun 8 17:52:07 2007 us=42826 199.199.199.69:1074 Local Options hash (VER=V4): '360696c5'
Fri Jun 8 17:52:07 2007 us=42867 199.199.199.69:1074 Expected Remote Options hash (VER=V4): '13a273ba'
Fri Jun 8 17:52:07 2007 us=51583 199.199.199.69:1074 TLS: Initial packet from 199.199.199.69:1074, sid=5e99d9e4 38e34a9e
AUTH-PAM: BACKGROUND: user 'test' failed to authenticate: Permission denied
Fri Jun 8 17:52:07 2007 us=319935 199.199.199.69:1074 PLUGIN_CALL: POST ./openvpn-auth-pam.so/PLUGIN_AUTH_USER_PASS_VERIFY status=1
Fri Jun 8 17:52:07 2007 us=320160 199.199.199.69:1074 PLUGIN_CALL: plugin function PLUGIN_AUTH_USER_PASS_VERIFY failed with status 1: ./openvpn-auth-pam.so
Fri Jun 8 17:52:07 2007 us=320225 199.199.199.69:1074 TLS Auth Error: Auth Username/Password verification failed for peer
Fri Jun 8 17:52:07 2007 us=349989 199.199.199.69:1074 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA
Fri Jun 8 17:52:07 2007 us=350137 199.199.199.69:1074 [] Peer Connection Initiated with 199.199.199.69:1074
Fri Jun 8 17:52:07 2007 us=729243 199.199.199.69:1074 PUSH: Received control message: 'PUSH_REQUEST'
Fri Jun 8 17:52:07 2007 us=729444 199.199.199.69:1074 SENT CONTROL [UNDEF]: 'AUTH_FAILED' (status=1)
Fri Jun 8 17:52:07 2007 us=729481 199.199.199.69:1074 Delayed exit in 5 seconds
Fri Jun 8 17:52:12 2007 us=59767 199.199.199.69:1074 SIGTERM[soft,delayed-exit] received, client-instance exiting
Fri Jun 8 17:55:29 2007 us=722226 MULTI: multi_create_instance called
Fri Jun 8 17:55:29 2007 us=728957 199.199.199.69:1076 Re-using SSL/TLS context
Fri Jun 8 17:55:29 2007 us=729151 199.199.199.69:1076 LZO compression initialized
Fri Jun 8 17:55:29 2007 us=729375 199.199.199.69:1076 Control Channel MTU parms [ L:1574 D:166 EF:66 EB:0 ET:0 EL:0 ]
Fri Jun 8 17:55:29 2007 us=729413 199.199.199.69:1076 Data Channel MTU parms [ L:1574 D:1450 EF:42 EB:135 ET:32 EL:0 AF:3/1 ]
Fri Jun 8 17:55:29 2007 us=729526 199.199.199.69:1076 Local Options String: 'V4,dev-type tap,link-mtu 1574,tun-mtu 1532,proto UDPv4,comp-lzo,keydir 0,cipher BF-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-server'
Fri Jun 8 17:55:29 2007 us=729554 199.199.199.69:1076 Expected Remote Options String: 'V4,dev-type tap,link-mtu 1574,tun-mtu 1532,proto UDPv4,comp-lzo,keydir 1,cipher BF-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-client'
Fri Jun 8 17:55:29 2007 us=729595 199.199.199.69:1076 Local Options hash (VER=V4): '360696c5'
Fri Jun 8 17:55:29 2007 us=729628 199.199.199.69:1076 Expected Remote Options hash (VER=V4): '13a273ba'
Fri Jun 8 17:55:29 2007 us=729917 199.199.199.69:1076 TLS: Initial packet from 199.199.199.69:1076, sid=27aa5a3f 0e60ea37
AUTH-PAM: BACKGROUND: user 'elm' failed to authenticate: Permission denied
Fri Jun 8 17:55:29 2007 us=909524 199.199.199.69:1076 PLUGIN_CALL: POST ./openvpn-auth-pam.so/PLUGIN_AUTH_USER_PASS_VERIFY status=1
Fri Jun 8 17:55:29 2007 us=909646 199.199.199.69:1076 PLUGIN_CALL: plugin function PLUGIN_AUTH_USER_PASS_VERIFY failed with status 1: ./openvpn-auth-pam.so
Fri Jun 8 17:55:29 2007 us=909695 199.199.199.69:1076 TLS Auth Error: Auth Username/Password verification failed for peer
Fri Jun 8 17:55:29 2007 us=929730 199.199.199.69:1076 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA
Fri Jun 8 17:55:29 2007 us=929869 199.199.199.69:1076 [] Peer Connection Initiated with 199.199.199.69:1076
Fri Jun 8 17:55:30 2007 us=409389 199.199.199.69:1076 PUSH: Received control message: 'PUSH_REQUEST'
Fri Jun 8 17:55:30 2007 us=409602 199.199.199.69:1076 SENT CONTROL [UNDEF]: 'AUTH_FAILED' (status=1)
Fri Jun 8 17:55:30 2007 us=409636 199.199.199.69:1076 Delayed exit in 5 seconds
Fri Jun 8 17:55:35 2007 us=658938 199.199.199.69:1076 SIGTERM[soft,delayed-exit] received,
[ 本帖最后由 cjc108 于 2007-6-10 09:46 编辑 ]
cjc108 回复于:2007-06-08 18:53:45
接上边的 . . .
client-instance exiting
Fri Jun 8 17:55:43 2007 us=479334 MULTI: multi_create_instance called
Fri Jun 8 17:55:43 2007 us=479546 199.199.199.69:1077 Re-using SSL/TLS context
Fri Jun 8 17:55:43 2007 us=479663 199.199.199.69:1077 LZO compression initialized
Fri Jun 8 17:55:43 2007 us=479879 199.199.199.69:1077 Control Channel MTU parms [ L:1574 D:166 EF:66 EB:0 ET:0 EL:0 ]
Fri Jun 8 17:55:43 2007 us=479918 199.199.199.69:1077 Data Channel MTU parms [ L:1574 D:1450 EF:42 EB:135 ET:32 EL:0 AF:3/1 ]
Fri Jun 8 17:55:43 2007 us=480030 199.199.199.69:1077 Local Options String: 'V4,dev-type tap,link-mtu 1574,tun-mtu 1532,proto UDPv4,comp-lzo,keydir 0,cipher BF-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-server'
Fri Jun 8 17:55:43 2007 us=480058 199.199.199.69:1077 Expected Remote Options String: 'V4,dev-type tap,link-mtu 1574,tun-mtu 1532,proto UDPv4,comp-lzo,keydir 1,cipher BF-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-client'
Fri Jun 8 17:55:43 2007 us=480100 199.199.199.69:1077 Local Options hash (VER=V4): '360696c5'
Fri Jun 8 17:55:43 2007 us=480133 199.199.199.69:1077 Expected Remote Options hash (VER=V4): '13a273ba'
Fri Jun 8 17:55:43 2007 us=480211 199.199.199.69:1077 TLS: Initial packet from 199.199.199.69:1077, sid=3e3e8f19 b380fd26
AUTH-PAM: BACKGROUND: user 'vpn' failed to authenticate: Permission denied
Fri Jun 8 17:55:43 2007 us=635556 199.199.199.69:1077 PLUGIN_CALL: POST ./openvpn-auth-pam.so/PLUGIN_AUTH_USER_PASS_VERIFY status=1
Fri Jun 8 17:55:43 2007 us=635753 199.199.199.69:1077 PLUGIN_CALL: plugin function PLUGIN_AUTH_USER_PASS_VERIFY failed with status 1: ./openvpn-auth-pam.so
Fri Jun 8 17:55:43 2007 us=635803 199.199.199.69:1077 TLS Auth Error: Auth Username/Password verification failed for peer
Fri Jun 8 17:55:43 2007 us=649129 199.199.199.69:1077 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA
Fri Jun 8 17:55:43 2007 us=649269 199.199.199.69:1077 [] Peer Connection Initiated with 199.199.199.69:1077
Fri Jun 8 17:55:44 2007 us=9208 199.199.199.69:1077 PUSH: Received control message: 'PUSH_REQUEST'
Fri Jun 8 17:55:44 2007 us=9353 199.199.199.69:1077 SENT CONTROL [UNDEF]: 'AUTH_FAILED' (status=1)
Fri Jun 8 17:55:44 2007 us=9384 199.199.199.69:1077 Delayed exit in 5 seconds
Fri Jun 8 17:55:49 2007 us=168986 199.199.199.69:1077 SIGTERM[soft,delayed-exit] received, client-instance exiting
但在 客户端怎么也连接不成功,老弹出用户/密码 登陆 !图标为黄色 !!
client.log为 :
Fri Jun 08 18:02:46 2007 us=601905 Current Parameter Settings:
Fri Jun 08 18:02:46 2007 us=601984 config = 'client.ovpn'
Fri Jun 08 18:02:46 2007 us=601997 mode = 0
Fri Jun 08 18:02:46 2007 us=602010 show_ciphers = DISABLED
Fri Jun 08 18:02:46 2007 us=602021 show_digests = DISABLED
Fri Jun 08 18:02:46 2007 us=602033 show_engines = DISABLED
Fri Jun 08 18:02:46 2007 us=602044 genkey = DISABLED
Fri Jun 08 18:02:46 2007 us=602056 key_pass_file = '[UNDEF]'
Fri Jun 08 18:02:46 2007 us=602067 show_tls_ciphers = DISABLED
Fri Jun 08 18:02:46 2007 us=602079 proto = 0
Fri Jun 08 18:02:46 2007 us=602090 local = '[UNDEF]'
Fri Jun 08 18:02:46 2007 us=602103 remote_list[0] = {'199.199.199.68', 1194}
Fri Jun 08 18:02:46 2007 us=602114 remote_random = DISABLED
Fri Jun 08 18:02:46 2007 us=602126 local_port = 1194
Fri Jun 08 18:02:46 2007 us=602155 remote_port = 1194
Fri Jun 08 18:02:46 2007 us=602167 remote_float = DISABLED
Fri Jun 08 18:02:46 2007 us=602178 ipchange = '[UNDEF]'
Fri Jun 08 18:02:46 2007 us=602189 bind_local = DISABLED
Fri Jun 08 18:02:46 2007 us=602200 dev = 'tap'
Fri Jun 08 18:02:46 2007 us=602211 dev_type = '[UNDEF]'
Fri Jun 08 18:02:46 2007 us=602223 dev_node = '[UNDEF]'
Fri Jun 08 18: |
