четверг, 5 июня 2014 г.

Сервер vsftpd с аутентификацией через radius

Настройка сервера VSFTPD с аутентификацией через Radius в Debian:
# aptitude install vsftpd libpam-radius-auth
# cat /etc/pam.d/vsftpd
# Standard behaviour for ftpd(8).

# RADIUS is tried first. "sufficient" returns success to the application as
# soon as this module succeeds, so nothing below it (common-auth, pam_shells)
# runs for a RADIUS-authenticated user. client_id is sent as the
# NAS-Identifier attribute; it is the same value the OpenVPN server sends, so
# the RADIUS server cannot tell FTP logins from VPN logins (a separate value
# would allow a per-service policy).
auth    sufficient      pam_radius_auth.so client_id=openvpn
# NOTE(review): the module's account hook appears to always succeed, which
# would make the local account checks in common-account unreachable — confirm.
account sufficient      pam_radius_auth.so client_id=openvpn
# Only reached when the RADIUS module did not succeed: this is a fallback to
# local Unix passwords, so any local account with a password can still log in.
@include common-account
@include common-session
@include common-auth
# Gates only the local fallback above; RADIUS users never reach this line, and
# a RADIUS-only name with no passwd entry would be rejected here anyway.
# NOTE(review): Debian's stock file also denies the accounts listed in
# /etc/ftpusers (pam_listfile) before authentication — consider restoring it.
auth    required        pam_shells.so
Параметр client_id задаёт значение атрибута NAS-Identifier в RADIUS-запросе. Здесь оно совпадает со значением, которое отправляет OpenVPN-сервер, поэтому RADIUS-сервер не сможет отличить FTP-логины от VPN-логинов и применить к ним разные политики; для раздельных политик укажите своё значение, известное RADIUS-серверу.
# cat /etc/pam_radius_auth.conf
# server[:port]  shared_secret      timeout (s)
# The shared secret is stored in clear text and is the only thing that protects
# the RADIUS exchange (passwords are merely MD5-masked with it): keep this file
# root-owned with mode 0600 and use a long random value. The same secret is
# duplicated in /etc/openvpn/radiusplugin.cnf on the VPN host. Without an
# explicit port the module uses the default authentication port. After 3 s
# with no reply the module returns an error and the PAM stack falls through
# to the next rule (fail-closed).
10.100.4.100    mymegasecretkey       3
# cat /etc/vsftpd.conf
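# vsftpd: no anonymous access, local (PAM/RADIUS) users only, read-only, chrooted.
listen=YES
anonymous_enable=NO
local_enable=YES
write_enable=NO
dirmessage_enable=YES
use_localtime=YES
xferlog_enable=YES
connect_from_port_20=YES
nopriv_user=ftp
# All RADIUS users are mapped to the "ftp" account (guest_enable) and locked
# into its home directory. user_sub_token only has an effect when that home
# (or a local_root) contains the literal $USER, e.g. local_root=/srv/ftp/$USER;
# as configured here every user sees the same tree. Read-only, so a writable
# chroot is not a concern.
chroot_local_user=YES
secure_chroot_dir=/var/run/vsftpd/empty
pam_service_name=vsftpd
user_sub_token=$USER
guest_username=ftp
guest_enable=YES
# TLS: a certificate was configured but ssl_enable was missing, so the logins
# (the same passwords that open the VPN) crossed the network in clear text.
# Require TLS for both the control and the data connection and disable SSLv2/3.
# The .pem must contain the certificate and the private key.
ssl_enable=YES
force_local_logins_ssl=YES
force_local_data_ssl=YES
ssl_sslv2=NO
ssl_sslv3=NO
ssl_tlsv1=YES
rsa_cert_file=/etc/ssl/private/vsftpd.pem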

среда, 4 июня 2014 г.

Сервер OpenVPN с аутентификацией через Radius

Настройка сервера OpenVPN с аутентификацией через Radius в Debian:
# aptitude install openvpn openvpn-auth-radius
# cat /etc/openvpn/radiusplugin.cnf
# Sent with every request. The FTP server's pam_radius_auth uses the same
# client_id=openvpn, so the RADIUS server sees both services as one NAS and
# cannot apply separate policies to them.
NAS-Identifier=openvpn
Service-Type=2
Framed-Protocol=1
NAS-Port-Type=5
# Must be the address this host is registered under on the RADIUS server.
NAS-IP-Address=10.100.10.85
OpenVPNConfig=/etc/openvpn/server.conf
subnet=255.255.255.0
# Lets the plugin replace existing per-client config files it generates
# (e.g. from Framed-IP-Address), as documented for the plugin.
overwriteccfiles=true
server
{
        # The UDP port for radius accounting.
        # NOTE(review): the registered accounting port is 1813 (legacy 1646);
        # 1815 is non-standard — confirm the server really listens there,
        # otherwise accounting requests are never answered.
        acctport=1815
        # The UDP port for radius authentication.
        authport=1812
        # The name or ip address of the radius server.
        name=10.100.4.100
        # How many times should the plugin resend the request if there is no response?
        retry=1
        # How long (seconds) should the plugin wait for a response?
        # With retry=1 a lost packet means a failed login, never a granted one.
        wait=1
        # The shared secret, stored in clear text (also present in
        # /etc/pam_radius_auth.conf on the FTP host): keep this file root:root
        # 0600 and use a long random value.
        sharedsecret=mymegasecretkey
}
# cat /etc/openvpn/server.conf
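# OpenVPN server on tcp/443; users are authenticated by RADIUS (password only).
local my_public_ip
port 443
proto tcp
dev tun
tun-mtu 1500
ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/server.crt
key /etc/openvpn/keys/server.key
# 1024-bit DH parameters are too weak for the TLS handshake; generate 2048-bit:
#   openssl dhparam -out /etc/openvpn/keys/dh2048.pem 2048
dh /etc/openvpn/keys/dh2048.pem
server 10.8.0.0 255.255.255.0
# No client certificate is required: the RADIUS password is the only
# credential, so a leaked password alone is enough to join the VPN. Keep
# client certificates (drop this line) if the clients can manage them.
client-cert-not-required
username-as-common-name
ifconfig-pool-persist ipp.txt
push "route 10.100.0.0 255.255.0.0"
push "route 10.102.0.0 255.255.0.0"
keepalive 10 120
# Compressing traffic before encryption is a known oracle risk; remove it when
# the clients can be updated (both sides must agree on this option).
comp-lzo
# Explicit data-channel algorithms instead of the defaults of OpenVPN of this
# era (BF-CBC/SHA1); the same two lines must appear in every client config.
cipher AES-256-CBC
auth SHA256
# Recommended in addition: an HMAC key on the control channel, which drops
# unauthenticated packets before the TLS handshake. Needs a shared key and a
# matching "tls-auth ta.key 1" on the clients:
#   openvpn --genkey --secret /etc/openvpn/keys/ta.key
# tls-auth /etc/openvpn/keys/ta.key 0
# Drop root once the tunnel is up; persist-key/persist-tun exist precisely so
# that restarts still work after privileges are dropped.
user nobody
group nogroup
persist-key
persist-tun
status /var/log/openvpn/status.log 1
# The plugin takes its configuration file as its first argument; pass it
# explicitly rather than relying on a built-in default path.
plugin /usr/lib/openvpn/radiusplugin.so /etc/openvpn/radiusplugin.cnf
log-append  /var/log/openvpn/openvpn.log
verb 3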