Authentication Gateway HOWTO
Nathan Zorn
zornnh@musc.edu
yomoyomo - ú{êó
ymgrtq@ma.neweb.ne.jp
Revision History
Revision 0.03 2001-12-06 Revised by: nhz
Revision 0.02 2001-09-28 Revised by: KET
Revision 0.01 2001-09-06 Revised by: nhz
³ülbg[NâA}Ùâ¾ÈÇÌöJANZXGAɨ¯éZL
eBÉÍA½ÌOª èÜ·B»¤µ½OÍA»sÌZL
eBÀÅÍðūܹñB»ÌñðôƵÄAFØQ[gEFCðp·
éû@ª§³êīܵ½B±ÌQ[gEFCÍA[Uªlbg[Nð
p·éÛÉFØð§·é±ÆÅAZL
eBÉÖ·éOÉæèg
ÞàÌÅ·B
ªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªª
Table of Contents
1. ͶßÉ
1.1. ì îñ
1.2. ÆÓ
1.3. ÅVÅ
1.4. NWbg
1.5. tB[hobN
2. KvÈàÌ
2.1. Netfilter
2.2. Netfilter [p PAM
2.3. DHCP T[o
2.4. FØÌJjY
2.5. DNS T[o
3. Q[gEFCT[rXÌÝè
3.1. Netfilter ÌÝè
3.2. PAM iptables W
[
3.3. DHCP T[oÝè
3.4. FØè@ÌÝè
3.5. DNS ÌÝè
4. FØQ[gEFCÌp
5. IíèÉ
6. ÇÁÌîñ¹
7. ¿âƦ
8. ú{êóÉ¢Ä
1. ͶßÉ
³ülbg[NâöJANZXGAÉA³êÄÈ¢[UªANZX
·éÌÍÆÄàÈPÅ·B³êÄÈ¢[UÅàAÊMðTèA»ÌÊM
©çÚ±îñð¡æèÅ«Ü·B³êÄÈ¢[UªA}VðöJ^[
~iÉÂȬAlbg[NÉANZX·é±ÆªÂ\ÈÌÅ·BZL
eBª WEP ÈÇÅ®õ³êīĢܷªA±¤µ½àÌÉæéZL
eB
ÍAAirSnort ÈÇÌc[ÉæÁÄjçêéÂ\«ª èÜ·BÈãÌâèð
ð·éAv[`ÌêÂƵÄA³üÌZL
eB@\Éç¸Aãíè
ɳülbg[NâöJANZXGAÌOÊÉFØQ[gEFCðÝuµ
A[Uªlbg[Nðp·éOÉA»ÌQ[gEFCÉFØðó¯é±
Æð§·éÆ¢¤Ìª èÜ·B±Ì HOWTO ÍALinux űÌQ[gEFC
ð\z·éû@ðྷéàÌÅ·B
ªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªª
1.1. ì îñ
This document is copyrighted (c) 2001 Nathan Zorn. ±Ì¶Ì¡»Azz
AC³ÍAFree Software Foundation ÉæèöJ³êÄ¢éA GNU Free
Documentation License (Ⱥ GFDL) o[W 1.1AàµÍ»êÈ~Ìo
[W̳ųêÜ·B½¾µA±Ì¶ÉÍ GFDL ÅKè³êÄ¢é
uÏXsªvÍ èܹñµAܽ\eLXgâ \eLXgÈÇà
èܹñB±ÌCZXÌRs[ÍAhttp://www.gnu.org/copyleft/
fdl.html ÅüèÂ\Å·B
½©¿âª êÎA<zornnh@musc.edu> ÉAµÄ¾³¢B
ªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªª
1.2. ÆÓ
±Ì¶ÌàeÉÖµÄÍA½ÌÓCàÄܹñB²©gÌÓC̳ÅA±
̶ÌRZvgAáA»µÄ»Ì¼ÌàeðpµÄ¾³¢B±êÍ{
¶ÌVÅÅ·ÌÅAëèâs³mÈLqðÜñÅ¢é©àµêܹñµA»
êçÌëèâs³mÈLqÉæÁÄA ȽÌVXeÉíQð^¦éÂ\«
àܽRȪç èÜ·BTdÉÇÝiñž³¢BÀÛɽç©ÌíQ
ð¶¸éÆ¢Á½Â\«ÍÙÆñdz¢Í¸Å·ªA½Æ¦»¤µ½±ÆªN
«ÄµÜÁ½ÆµÄàAÒ(B)ÍA»êÉ¢ĽÌÓCà¢Ü¹ñB
ÁÉLqªÈ¢ÀèAì Í»ê¼êÌÛLÒÉA·éàÌƵܷBܽ
±Ì¶Ågp³êépêÍAe¤WÌÍÍÉïGµÈ¢àÌƵܷB
Áè̤i¼âuh¼ð°½êÅàA»êçð§·éàÌÅÍ è
ܹñB
åvÈCXg[ðs¤OɲpÌVXeÌobNAbvðæèA»µ
ÄobNAbvðèúIÉs¤±Æð¨©ßµÜ·B
ªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªª
1.3. ÅVÅ
±êÍúöJÅÅ·B
±Ì¶ÌÅVÅÍA http://www.itlab.musc.edu/ ~nathan/
authentication_gateway/ <http://www.itlab.musc.edu/~nathan/
authentication_gateway/> É èÜ·BÖA·é HOWTO ¶ÍA Linux
Documentation Project <http://www.linuxdoc.org/> z[y[Wũ¯ç
êÜ·B
ªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªª
1.4. NWbg
Jamin W. Collins
Kristin E Thomas
ªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªª
1.5. tB[hobN
±Ì¶ÉÖ·étB[hobNðAà¿ëñ½}µÜ·B Ƚª½ÌñÄ
âÓ©ªÈ¯êÎA±Ì¶Í¶ÝµÈ©Á½Åµå¤BÇÁAá]A»µÄ
á»ðȺÌdq[AhXÜŨ辳¢: <zornnh@musc.edu>
ªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªª
2. KvÈàÌ
±ÌZNVÅÍAFØQ[gEFCÉKvÈàÌÉ¢ÄLqµÜ·B
ªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªª
2.1. Netfilter
FØQ[gEFCÍAt@CEH[ðÇ·éÌÉANetfilter Æ
iptables ðpµÜ·B Netfi lter HOWTO <http://netfilter.samba.org/
unreliable-guides/packet-filtering-HOWTO/index.html> ðQƾ³¢B
ªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªª
2.2. Netfilter [p PAM
±êÍ Nathan Zorn ÉæÁÄ©ê½vOÂ\FØW
[(PAM)ÅA
http://www.itlab.musc.edu/~nathan/pa m_iptables <http://
www.itlab.musc.edu/~nathan/pam_iptables/> ©çüèÅ«Ü·B
ªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªª
2.3. DHCP T[o
FØQ[gEFCÍAöJlbg[NÉεÄA®IzXgÝèvgR
(DHCP)T[oÌððʽµÜ·B»êÍöJlbg[N©çÌ DHCP T[
rXvÉÌݵܷBÍ ISC DHCP Server <http://www.isc.org/
products/DHCP/> ðgpµÜµ½B
ªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªª
2.4. FØÌJjY
Q[gEFCÍAPAM ÌFØû@ÈçÇêÅàpÅ«Ü·BTEXJC
iãåªgpµÄ¢éFØ@\Í LDAP Å·B LDAP ðFØÚIÉgpµÜ·
ÌÅAQ[gEFCãÌ PAM W
[ÍALDAP ðgp·éæ¤ÉÝè³ê
ܵ½BàÁƽÌîñðA http://www.padl.com/pam_ldap.html ũ¯
é±ÆªÅ«Ü·BPAM ÉæèA½ÌFØèiðpÅ«éæ¤ÉÈèÜ·
B¼Ìè@É¢ÄÌîñðàÁÆmè½¢êÍA PAM W
[É¢Ä
Ì¶Í <http://www.kernel.org/pub/linux/libs/pam/modules.html> ðQƵ
ľ³¢B
ªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªª
2.5. DNS T[o
Q[gEFCÍAöJlbg[NÉηé DNS T[oÌ@\àʽµÜ·B
Í Bind <http://www.isc.org/products/BIND/> ðCXg[µA»êð
LbVOl[T[oƵÄgpµÄ¢Ü·BLbVOT[o\zÉ
Í Red Hat ɯ«³êÄ¢é caching-namserver Æ¢¤ RPM pbP[Wà
pÂ\Å·B
ªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªª
3. Q[gEFCT[rXÌÝè
±ÌZNVÅÍAFØQ[gEFCÌeªÌÝèû@ðྵܷB±
±Ågp³êéáÍATulbgª 10.0.1.0 ÌvCx[göJlbg[
NÅ·Beth0 Íàlbg[NÉÚ±³êéAQ[gEFCÌC^tF[
XÅ·Beth1 ªöJlbg[NÉÚ±³êéC^tF[XÅ·B±ÌC
^tF[X¤Ì IP AhXÍ 10.0.1.1 Å·B±êçÌÝèÍA Ƚª
pµÄ¢élbg[Nɤæ¤ÉÏXÂ\Å·BQ[gEFCÉÍ Red
Hat 7.1 ðpµ½ÌÅA½Ì᪠Red Hat ÉÀè³êÜ·B
ªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªª
3.1. Netfilter ÌÝè
netfilter ðÝè·é½ßÉÍAnetfilter T|[gðÁ¦ÄJ[lðÄR
pCµÈ¯êÎÈèܹñBJ[lÌÝèÆRpCÉ¢ÄàÁÆ
îñªKvÈçA Kernel-HOWTO <http://www.linuxdoc.org/HOWTO/
Kernel-HOWTO.html> ðQƵľ³¢B
ÌJ[lÝèÍAȺÌæ¤È´¶Å·B
¡¢
#
# Networking options
#
CONFIG_PACKET=y
# CONFIG_PACKET_MMAP is not set
# CONFIG_NETLINK is not set
CONFIG_NETFILTER=y
CONFIG_NETFILTER_DEBUG=y
CONFIG_FILTER=y
CONFIG_UNIX=y
CONFIG_INET=y
CONFIG_IP_MULTICAST=y
# CONFIG_IP_ADVANCED_ROUTER is not set
# CONFIG_IP_PNP is not set
# CONFIG_NET_IPIP is not set
# CONFIG_NET_IPGRE is not set
# CONFIG_IP_MROUTE is not set
# CONFIG_INET_ECN is not set
# CONFIG_SYN_COOKIES is not set
# IP: Netfilter Configuration
#
CONFIG_IP_NF_CONNTRACK=y
CONFIG_IP_NF_FTP=y
CONFIG_IP_NF_IPTABLES=y
CONFIG_IP_NF_MATCH_LIMIT=y
CONFIG_IP_NF_MATCH_MAC=y
CONFIG_IP_NF_MATCH_MARK=y
CONFIG_IP_NF_MATCH_MULTIPORT=y
CONFIG_IP_NF_MATCH_TOS=y
CONFIG_IP_NF_MATCH_TCPMSS=y
CONFIG_IP_NF_MATCH_STATE=y
CONFIG_IP_NF_MATCH_UNCLEAN=y
CONFIG_IP_NF_MATCH_OWNER=y
CONFIG_IP_NF_FILTER=y
CONFIG_IP_NF_TARGET_REJECT=y
CONFIG_IP_NF_TARGET_MIRROR=y
CONFIG_IP_NF_NAT=y
CONFIG_IP_NF_NAT_NEEDED=y
CONFIG_IP_NF_TARGET_MASQUERADE=y
CONFIG_IP_NF_TARGET_REDIRECT=y
CONFIG_IP_NF_NAT_FTP=y
CONFIG_IP_NF_MANGLE=y
CONFIG_IP_NF_TARGET_TOS=y
CONFIG_IP_NF_TARGET_MARK=y
CONFIG_IP_NF_TARGET_LOG=y
CONFIG_IP_NF_TARGET_TCPMSS=y
¤£
iptables ðCXg[·éKvª èÜ·Biptables ðCXg[·é
ÉÍA²pÌfBXgr
[Vɯ«³êÄ¢épbP[Wðp·
é©A\[X©çCXg[µÄ¾³¢BãLÌIvVðÝèµVµ
¢J[lðì¬µÄ iptables ðCXg[µ½ãÉAÍȺÌæ¤É
ftHgÌt@CEH[[ðÝèµÜµ½B
¡¢
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
iptables -A INPUT -i eth0 -m state --state NEW, INVALID -j DROP
iptables -A FORWARD -i eth0 -m state --state NEW, INVALID -j DROP
iptables -I FORWARD -o eth0 -j DROP
iptables -I FORWARD -s 10.0.1.0/24 -d 10.0.1.1 -j ACCEPT
¤£
ãLÌR}hÍAT[oªÄN®·éÛÉN®·éæ¤ÉAinitscript Ì
Éu±ÆàÅ«Ü·B[ªÇÁ³ê½±Æðm©ßé½ßÉAȺÌR
}hðÀsµÄ¾³¢B
¡¢
iptables -v -t nat -L
iptables -v -t filter -L
¤£
ÈãÌ[ðÛ¶·é½ßAÍ Red Hat Ì init XNvgðpµÜµ
½B
¡¢
/etc/init.d/iptables save
/etc/init.d/iptables restart
¤£
[ªKØÉÝè³ê½çAȺÌR}hðÀsµÄA IP tH[fB
OðLøɵľ³¢B
¡¢
echo 1 > /proc/sys/net/ipv4/ip_forward
¤£
}VÌÄN®É IP tH[fBOªmÀÉLøÉÈéæ¤ÉAȺÌ
sð /etc/sysctl.conf ÉÇÁµÄ¾³¢B
¡¢
net.ipv4.ip_forward = 1
¤£
±êÅQ[gEFCÍlbg[NAhXÏ·(NAT)ðs¦éæ¤ÉÈèÜ·
ªAöJlbg[NÌ©çM³ê½Q[gEFC¶ÄÌpPbgÈOÍ
AtH[fBOpPbgð·×ÄjüµÜ·B
ªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªª
3.2. PAM iptables W
[
±ÌW
[ÍAFسê½NCAgÌtH[fBOð·éÌ
ÉKvÈAt@CEH[[ð}ü·é PAM ZbVW
[Å·
B±êðÈPÉZbgAbv·éÉÍAPÉ\[X <ftp://
ftp.itlab.musc.edu/pub/pam_iptables.tar.gz> ðüèµAȺÌR}hð
쮳¹ÄARpCðsÁľ³¢B
¡¢
gcc -fPIC -c pam_iptables.c
ld -x --shared -o pam_iptables.so pam_iptables.o
¤£
±êÅ pam_iptables.so Æ pam_iptables.o Æ¢¤¼OÌñÂÌoCiªÅ
«é͸ŷBpam_iptables.so ð /lib/security/pam_iptables.so ÉRs[
µÄ¾³¢B
¡¢
cp pam_iptables.so /lib/security/pam_iptables.so
¤£
Q[gEFCÉIð³ê½FØNCAgÍ SSH ¾Á½ÌÅAȺÌsð /
etc/pam.d/sshd ÉÇÁµÜµ½B
¡¢
session required /lib/security/pam_iptables.so
¤£
±êÅ[UªSSHÅOC·êÎAt@CEH[[ªÇÁ³êéæ
¤ÉÈèÜ·B
pam_iptables ÌftHgC^tF[XÍ eth0 Å·B±ÌftHgÝè
ÍAC^tF[Xp[^ðÇÁ·é±ÆÅÏXÂ\Å·B
¡¢
session required /lib/security/pam_iptables.so interface=eth1
¤£
±ÌÝèÍAOlbg[NÉÚ±·éC^tF[X¼ª eth0 ÅÈ¢ê
ÌÝKvÉÈèÜ·B
pam_iptables W
[ª®ìµÄ¢é©eXg·éÉÍAȺÌèðÀs
µÄ¾³¢B
1. SSH ÅQ[gEFCÉOCB
2. [ªÇÁ³êÄ¢é©Aiptables -L ÅmFB
3. Q[gEFC©çOAEgµÄA»Ì[ªí³êÄ¢éÌðmF
B
ªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªª
3.3. DHCP T[oÝè
ÍAÈºÌ dhcpd.conf ðp¢A DHCP ð±üµÜµ½B
¡¢
subnet 10.0.1.0 netmask 255.255.255.0 {
# --- default gateway
option routers 10.0.1.1;
option subnet-mask 255.255.255.0;
option broadcast-address 10.0.1.255;
option domain-name-servers 10.0.1.1;
range 10.0.1.3 10.0.1.254;
option time-offset -5; # Eastern Standard Time
default-lease-time 21600;
max-lease-time 43200;
}
¤£
DHCPT[oͱÌêAöJlbgÌC^tF[XÅ éAeth1 ¤ÉεÄ
쮳¹Üµ½B
¡¢
/usr/sbin/dhcpd eth1
¤£
ªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªª
3.4. FØè@ÌÝè
OÌZNVÅq×½æ¤ÉAÍFØÉ LDAP ðgp·éæ¤Q[gEF
CÌÝèðs¢Üµ½Bµ©µA Ƚª½Í PAM ªFØðe·éÇÌû@
ÅàpÂ\Å·BàÁÆîñªKvÈçÎA Section 2.4 ðQƾ³¢B
PAM LDAP ÅFØðs¤½ßÉAÍ OpenLDAP <http://www.openldap.org> ð
CXg[µA/etc/ldap.conf ÉȺÌÝèðs¢Üµ½B
¡¢
# Your LDAP server. Must be resolvable without using LDAP.
host itc.musc.edu
# The distinguished name of the search base.
base dc=musc,dc=edu
ssl no
¤£
Ⱥɰét@CÍALDAP FØðs¤æ¤ PAM ðÝè·éÌÉgp³ê
ܵ½B±êçÌt@CÍARed Hat ÌÝè[eBeBÉæ趬³ê
ܵ½B
/etc/pam.d/system-auth ªì¬³êAȺÌæ¤ÈàeÉÈèܵ½B
¡¢
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required /lib/security/pam_env.so
auth sufficient /lib/security/pam_unix.so likeauth nullok
auth sufficient /lib/security/pam_ldap.so use_first_pass
auth required /lib/security/pam_deny.so
account required /lib/security/pam_unix.so
account [default=ok user_unknown=ignore service_err=ignore system_err=ignore]
/lib/security/pam_ldap.so
password required /lib/security/pam_cracklib.so retry=3
password sufficient /lib/security/pam_unix.so nullok use_authtok
password sufficient /lib/security/pam_ldap.so use_authtok
password required /lib/security/pam_deny.so
session required /lib/security/pam_limits.so
session required /lib/security/pam_unix.so
session optional /lib/security/pam_ldap.so
¤£
ܽAÈºÌ /etc/pam.d/sshd t@Cªì¬³êܵ½B
¡¢
#%PAM-1.0
auth required /lib/security/pam_stack.so service=system-auth
auth required /lib/security/pam_nologin.so
account required /lib/security/pam_stack.so service=system-auth
password required /lib/security/pam_stack.so service=system-auth
session required /lib/security/pam_stack.so service=system-auth
#this line is added for firewall rule insertion upon login
session required /lib/security/pam_iptables.so debug
session optional /lib/security/pam_console.so
¤£
ªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªª
3.5. DNS ÌÝè
ÍARed Hat 7.1 É¢ī½ftHgo[WÌ Bind ÆLbV
Ol[T[o RPM ðCXg[µÜµ½BDHCP T[oÍAöJlbg
[NãÌ}Vªl[T[oƵÄQ[gEFCðp·éæ¤ÝèµÄ¢
Ü·B
ªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªª
4. FØQ[gEFCÌp
FØQ[gEFCðp·é½ßÉÍANCAgÉ DHCP ðgp·éæ¤
ÉÝèµÄ¾³¢B»Ì}VÉ SSH NCAgðCXg[µÄAQ
[gEFCÉ SSH ÅOCµÄ¾³¢BêUOC·êÎAàlbg
[NÉANZXªs¦éæ¤ÉÈèÜ·BȺÍAunix x[XÌNCA
gɨ¯éZbVáÅ·B
¡¢
bash>ssh zornnh@10.0.1.1
zornnh's Password:
gateway>
¤£
OCµ½óÔÅ éÀèAANZXªÂ\Å·BOAEgµÄµÜ¤Æ
AANZXÅ«ÈÈèÜ·B
ªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªª
5. IíèÉ
E ±Ì¶Å¦³êéZL
eBè@ÍA³ülbg[NR~
jeB
Éæèñ³êéZL
eBÉ˶µÜ¹ñB³ülbg[NS̪
ÀSÅÈÄàAܽ»Ì³ülbg[Nª ȽÌǺÉÈÄà
«¿ñÆ@\µÜ·B
E Q[gEFCÍAgtBbNðûµÜ¹ñB»ÌwãÉ élbg
[NÖÌANZXð·龯ŷBàµÃ»àFØàKvÈçÎ
AVPN ðp·×«Å·B
ªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªª
6. ÇÁÌîñ¹
E NASA ɨ¯éFØQ[gEFCÌÀÉ¢Äྵ½¶ <http://
www.nas.nasa.gov/Groups/Networks/Projects/Wireless/index.html>B
E Ao[^åwɨ¢ÄFØQ[gEFCð쬵½û@ðLqµ½
<http://www.ualberta.ca/~beck/authgw.html>B
ªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªª
7. ¿âƦ
±±ÍA¸¢½¿â̤¿A½ÌlBª¯¶æ¤É^âðø¾ë¤Æví
êéàÌðWßÄ¢êÅ·B{ɽÌtB[hobN𸯽ÈçA
{ÌÓ¡ÌFAQɵĢ«Ü·B
ªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªª
8. ú{êóÉ¢Ä
ú{êóÍ Linux Japanese FAQ Project ªs¢Üµ½B|óÉÖ·é²Ó©
Í JF vWFNg <JF@linux.or.jp> ¶ÉAµÄ¾³¢B
0.03j
|ó:
yomoyomo <ymgrtq@ma.neweb.ne.jp>
Z³:
office ³ñ <office@ukky.net>
²ìr³ñ <kgh12351@nifty.ne.jp>
´S³ñ <arms405@jade.dti.ne.jp>
ìm³ñ <cz@hykw.tv>
distrib
>
Mandriva
>
2010.0
>
i586
>
media
>
contrib-release
>
by-pkgid
>
e74e806c1a2640e922856d7eb69d1420
>
files
>
5
