Last updated: 2015-06-10
Table of contents
- pam_userdb.so
- db-util
- db_load
- Setup PAM authentication with OpenVPN's auth-pam module
- OpenVPN settings
- PAM required vs. requisite
- Debug
Introduction
The pam_userdb.so module uses a Berkeley DB to look up login information.
Berkeley DB database:
indexed by the username, and the data fields corresponding to the username keys are the passwords.
Test environment: Ubuntu 12
pam_userdb.so
Ubuntu 12
apt-get install libpam-modules
CentOS 6
* Present by default (/lib/security/pam_userdb.so)
Usage
pam_userdb.so db=/path/database
db-util
Berkeley Database Utilities
Ubuntu install (22.04)
apt-get install db-util # equivalent to installing db5.3-util
CLI
- db_load - is used to create database files from flat files created with db_dump.
- db_verify - is used to run consistency checks on database files.
- db_stat - displays database environment statistics.
- db_dump - converts database files to a flat file format readable by db_load.
- db_recover - is used to restore a database to a consistent state after a failure.
Usage Example
users.txt (db_load -T reads paired lines: the key line followed by its data line)
user1
pass1
user2
pass2
db_load
db_load -T -t hash -f /etc/openvpn/users.txt /etc/openvpn/users.db
# -T
# allows non-Berkeley DB applications to easily load text files into databases.
# If the -T option is specified, the underlying access method type must be specified using the -t option.
# -t hash
# Specify the underlying access method.
file users.db
users.db: Berkeley DB (Hash, version 9, native byte-order)
db_verify
db_verify users.db
Verification of users.db succeeded.
db_stat
db_stat -d users.db
-d Display database statistics for the specified file, as described in DB->stat.
Thu Apr 30 17:10:00 2015  Local time
61561  Hash magic number
9  Hash version number
Little-endian  Byte order
  Flags
3  Number of pages in the database
4096  Underlying database page size
0  Specified fill factor
1  Number of keys in the database
1  Number of data items in the database
2  Number of hash buckets
8123  Number of bytes free on bucket pages (0% ff)
0  Number of overflow pages
0  Number of bytes free in overflow pages (0% ff)
0  Number of bucket overflow pages
0  Number of bytes free in bucket overflow pages (0% ff)
0  Number of duplicate pages
0  Number of bytes free in duplicate pages (0% ff)
0  Number of pages on the free list
Setup PAM authentication with OpenVPN’s auth-pam module
(Using Shared Object)
# tell the OpenVPN server to validate the username/password entered by clients
# using the "openvpn" PAM module.
# ( pass the username/password to a plugin via virtual memory )
# Centos6
plugin /usr/lib/openvpn/plugin/lib/openvpn-auth-pam.so openvpn
# U12.04
plugin /usr/lib/openvpn/openvpn-auth-pam.so openvpn
# linux system account
/etc/pam.d/openvpn
auth required pam_unix.so shadow nodelay
auth requisite pam_succeed_if.so uid >= 500 quiet
auth requisite pam_succeed_if.so user ingroup wheel quiet
# lock out the account after 4 consecutive unsuccessful authentication attempts.
# After 1200 seconds, the counter will reset back to 0.
auth required pam_tally2.so deny=4 even_deny_root unlock_time=1200
account required pam_unix.so
* /lib/x86_64-linux-gnu/security/pam_userdb.so
# Berkeley DB
/etc/pam.d/openvpn
auth required pam_userdb.so db=/etc/openvpn/users crypt=none
# db= takes the path without the .db suffix; pam_userdb appends it itself (the file is /etc/openvpn/users.db)
** default: crypt=none
[ crypt=[crypt|none] ]
* username/password authentication only
# remove the cert and key directives, but not the ca directive
client-cert-not-required
--client-cert-not-required requires --mode server
# For debug
# Allow any user
auth sufficient pam_permit.so
** no restart needed
OpenVPN settings
--username-as-common-name
For --auth-user-pass-verify authentication, use the authenticated username as the common name
--max-routes-per-client n
Allow a maximum of n internal routes per client (default=256). This is designed to help contain DoS attacks where an authenticated client floods the server with packets appearing to come from many unique MAC addresses, forcing the server to deplete virtual memory as its internal routing table expands. This directive can be used in a --client-config-dir file or auto-generated by a --client-connect script to override the global value for a particular client.
Note that this directive affects OpenVPN's internal routing table, not the kernel routing table.
PAM required vs. requisite
required
The module result must be successful for authentication to continue.
If the test fails at this point, the user is not notified until the results of all module tests that reference that interface are complete.
requisite
The module result must be successful for authentication to continue.
However, if a test fails at this point, the user is notified immediately with a message reflecting the first failed required or requisite module test.
Debug
DB location
Location
/etc/openvpn/users.db
Configuration
auth sufficient pam_userdb.so db=/etc/openvpn/users
Log on success
Apr 30 18:52:29 localhost openvpn[23126]: pam_userdb(openvpn:auth): user 'tim' granted access
dump
Configuration
auth sufficient pam_userdb.so db=/etc/openvpn/users dump
log
Apr 30 18:53:41 localhost openvpn[23126]: pam_userdb(openvpn:auth): Database dump:
Apr 30 18:53:41 localhost openvpn[23126]: pam_userdb(openvpn:auth): key[len=3] = `xxx??#177', data[len=8] = `xxxxxxxx????#177'
Apr 30 18:53:41 localhost openvpn[23126]: pam_userdb(openvpn:auth): user 'tim' granted access
Note that dump writes every key and data item in the database to the log, which with crypt=none means the plaintext passwords; use it only while debugging and remove it afterwards.