Authentication Gateway HOWTO

Nathan Zorn <zornnh@musc.edu>
Japanese translation: yomoyomo <ymgrtq@ma.neweb.ne.jp>

Revision History
Revision 0.03  2001-12-06  Revised by: nhz
Revision 0.02  2001-09-28  Revised by: KET
Revision 0.01  2001-09-06  Revised by: nhz

Wireless networks and public access areas have many security problems, and those problems cannot be solved with the security implementations available today. One proposed solution is to use an authentication gateway. Such a gateway addresses the security problems by forcing users to authenticate before they can use the network.

Table of Contents
1. Introduction
   1.1. Copyright Information
   1.2. Disclaimer
   1.3. Newest Version
   1.4. Credits
   1.5. Feedback
2. Requirements
   2.1. Netfilter
   2.2. PAM Module for Netfilter
   2.3. DHCP Server
   2.4. Authentication Mechanism
   2.5. DNS Server
3. Setting up the Gateway Services
   3.1. Netfilter Setup
   3.2. PAM iptables Module
   3.3. DHCP Server Setup
   3.4. Authentication Method Setup
   3.5. DNS Setup
4. Using the Authentication Gateway
5. Conclusion
6. Additional Information
7. Questions and Answers
8. About the Japanese Translation

1. Introduction

It is very easy for unauthorized users to gain access to wireless networks and public access areas. Even an unauthorized user can sniff traffic and extract connection information from it. An unauthorized user can plug a machine into a public terminal and gain access to the network. Security such as WEP has been implemented, but that kind of security can be broken with tools such as AirSnort. One approach to solving these problems is not to rely on the security features of the wireless link, but instead to place an authentication gateway in front of the wireless network or public access area and force users to authenticate to that gateway before they can use the network. This HOWTO explains how to build such a gateway on Linux.

1.1. Copyright Information

This document is copyrighted (c) 2001 Nathan Zorn. Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License (GFDL), Version 1.1 or any later version published by the Free Software Foundation; with no Invariant Sections, with no Front-Cover Texts, and with no Back-Cover Texts. A copy of the license is available at http://www.gnu.org/copyleft/fdl.html.

If you have any questions, please contact <zornnh@musc.edu>.

1.2. Disclaimer

No liability for the contents of this document can be accepted. Use the concepts, examples and other content at your own risk. As this is a new edition of this document, there may be errors and inaccuracies that may of course be damaging to your system. Proceed with caution, and although this is highly unlikely, the author(s) do not take any responsibility for that.

All copyrights are held by their respective owners, unless specifically noted otherwise. Use of a term in this document should not be regarded as affecting the validity of any trademark or service mark. Naming of particular products or brands should not be seen as endorsements.

You are strongly recommended to take a backup of your system before any major installation, and to make backups at regular intervals.
1.3. Newest Version

This is the initial release. The newest version of this document is available at http://www.itlab.musc.edu/~nathan/authentication_gateway/. Related HOWTO documents can be found at the Linux Documentation Project homepage <http://www.linuxdoc.org/>.

1.4. Credits

Jamin W. Collins
Kristin E Thomas

1.5. Feedback

Feedback on this document is most certainly welcome. Without your submissions and input, this document would not exist. Please send additions, comments and criticisms to the following e-mail address: <zornnh@musc.edu>

2. Requirements

This section describes what is needed for the authentication gateway.

2.1. Netfilter

The authentication gateway uses Netfilter and iptables to manage the firewall rules. See the Netfilter HOWTO <http://netfilter.samba.org/unreliable-guides/packet-filtering-HOWTO/index.html>.

2.2. PAM Module for Netfilter

This is a pluggable authentication module (PAM) written by Nathan Zorn. It is available from <http://www.itlab.musc.edu/~nathan/pam_iptables/>.

2.3. DHCP Server

The authentication gateway acts as a Dynamic Host Configuration Protocol (DHCP) server for the public network. It answers only DHCP requests that come from the public network. I used the ISC DHCP Server <http://www.isc.org/products/DHCP/>.

2.4. Authentication Mechanism

The gateway can use any of the authentication methods PAM provides. The authentication mechanism in use at the Medical University of South Carolina is LDAP. Because LDAP is used for authentication, the PAM module on the gateway was configured to use LDAP. More information can be found at http://www.padl.com/pam_ldap.html. PAM makes many authentication means available. If you want more information about other methods, see the documentation on PAM modules at <http://www.kernel.org/pub/linux/libs/pam/modules.html>.

2.5. DNS Server

The gateway also provides DNS server functionality for the public network. I installed Bind <http://www.isc.org/products/BIND/> and use it as a caching name server. The RPM package caching-nameserver that ships with Red Hat can also be used to build a caching server.
3. Setting up the Gateway Services

This section explains how to configure each part of the authentication gateway. The example used here is a public network on the private subnet 10.0.1.0. eth0 is the gateway interface connected to the internal network. eth1 is the interface connected to the public network; the IP address on this interface is 10.0.1.1. These settings can be changed to suit the network you are using. I used Red Hat 7.1 for the gateway, so many of the examples are specific to Red Hat.

3.1. Netfilter Setup

To set up netfilter, the kernel must be recompiled with netfilter support. If you need more information about configuring and compiling the kernel, see the Kernel-HOWTO <http://www.linuxdoc.org/HOWTO/Kernel-HOWTO.html>. My kernel configuration looked like this:

    #
    # Networking options
    #
    CONFIG_PACKET=y
    # CONFIG_PACKET_MMAP is not set
    # CONFIG_NETLINK is not set
    CONFIG_NETFILTER=y
    CONFIG_NETFILTER_DEBUG=y
    CONFIG_FILTER=y
    CONFIG_UNIX=y
    CONFIG_INET=y
    CONFIG_IP_MULTICAST=y
    # CONFIG_IP_ADVANCED_ROUTER is not set
    # CONFIG_IP_PNP is not set
    # CONFIG_NET_IPIP is not set
    # CONFIG_NET_IPGRE is not set
    # CONFIG_IP_MROUTE is not set
    # CONFIG_INET_ECN is not set
    # CONFIG_SYN_COOKIES is not set

    #
    # IP: Netfilter Configuration
    #
    CONFIG_IP_NF_CONNTRACK=y
    CONFIG_IP_NF_FTP=y
    CONFIG_IP_NF_IPTABLES=y
    CONFIG_IP_NF_MATCH_LIMIT=y
    CONFIG_IP_NF_MATCH_MAC=y
    CONFIG_IP_NF_MATCH_MARK=y
    CONFIG_IP_NF_MATCH_MULTIPORT=y
    CONFIG_IP_NF_MATCH_TOS=y
    CONFIG_IP_NF_MATCH_TCPMSS=y
    CONFIG_IP_NF_MATCH_STATE=y
    CONFIG_IP_NF_MATCH_UNCLEAN=y
    CONFIG_IP_NF_MATCH_OWNER=y
    CONFIG_IP_NF_FILTER=y
    CONFIG_IP_NF_TARGET_REJECT=y
    CONFIG_IP_NF_TARGET_MIRROR=y
    CONFIG_IP_NF_NAT=y
    CONFIG_IP_NF_NAT_NEEDED=y
    CONFIG_IP_NF_TARGET_MASQUERADE=y
    CONFIG_IP_NF_TARGET_REDIRECT=y
    CONFIG_IP_NF_NAT_FTP=y
    CONFIG_IP_NF_MANGLE=y
    CONFIG_IP_NF_TARGET_TOS=y
    CONFIG_IP_NF_TARGET_MARK=y
    CONFIG_IP_NF_TARGET_LOG=y
    CONFIG_IP_NF_TARGET_TCPMSS=y

iptables must be installed. To install iptables, either use the package that ships with your distribution or install it from source. After setting the options above, building the new kernel and installing iptables, I set the default firewall rules as follows (eth0 faces the internal network, eth1 the public network; the state list must be written without spaces):

    # masquerade everything leaving towards the internal network
    iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
    # no new or invalid connections from the internal side
    iptables -A INPUT -i eth0 -m state --state NEW,INVALID -j DROP
    iptables -A FORWARD -i eth0 -m state --state NEW,INVALID -j DROP
    # by default nothing is forwarded towards the internal network
    iptables -I FORWARD -o eth0 -j DROP
    # the public subnet may always reach the gateway itself
    iptables -I FORWARD -s 10.0.1.0/24 -d 10.0.1.1 -j ACCEPT

The above commands can also be placed in an initscript so that they run when the server restarts. To verify that the rules were added, run the following commands:

    iptables -v -t nat -L
    iptables -v -t filter -L

To save the rules above, I used the Red Hat init script:

    /etc/init.d/iptables save
    /etc/init.d/iptables restart

Once the rules are set up properly, run the following command to enable IP forwarding:

    echo 1 > /proc/sys/net/ipv4/ip_forward

To make sure IP forwarding is enabled again when the machine reboots, add the following line to /etc/sysctl.conf:

    net.ipv4.ip_forward = 1

The gateway can now perform network address translation (NAT), but it drops every forwarded packet except those sent from the public network to the gateway itself.

3.2. PAM iptables Module

This module is a PAM session module that inserts the firewall rules needed to allow forwarding for authenticated clients. To set it up simply, obtain the source <ftp://ftp.itlab.musc.edu/pub/pam_iptables.tar.gz> and compile it with the following commands:

    gcc -fPIC -c pam_iptables.c
    ld -x --shared -o pam_iptables.so pam_iptables.o

This should produce two binaries named pam_iptables.so and pam_iptables.o. Copy pam_iptables.so to /lib/security/pam_iptables.so:

    cp pam_iptables.so /lib/security/pam_iptables.so

The authentication client chosen for the gateway was SSH, so I added the following line to /etc/pam.d/sshd:

    session required /lib/security/pam_iptables.so

Now, when a user logs in with SSH, the firewall rule is added.

The default interface for pam_iptables is eth0. This default can be changed by adding the interface parameter:

    session required /lib/security/pam_iptables.so interface=eth1

This setting is needed only when the interface connected to the external network is not eth0.

To test that the pam_iptables module is working, perform the following steps:

1. Log in to the gateway with SSH.
2. Check with iptables -L that the rule was added.
3. Log out of the gateway and confirm that the rule was removed.
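As an added example (not code from the HOWTO or from pam_iptables), the following Python simulates first-match evaluation of the FORWARD chain built in section 3.1 and shows why the per-login rule must be inserted with -I rather than appended. The shape of that rule (ACCEPT on the client's source address towards the internal interface, removed again on logout) is an assumption, since the page does not show what pam_iptables actually inserts.

```python
# Added example (not HOWTO or pam_iptables code): first-match simulator of the 3.1 FORWARD chain.
from ipaddress import ip_address, ip_network

class Rule:
    """One iptables rule: target plus matches (in_if, out_if, src, dst, states)."""
    def __init__(self, target, **match):
        self.target, self.match = target, match

    def matches(self, pkt):
        for key, want in self.match.items():
            if key in ("src", "dst"):      # address or CIDR, as for -s / -d
                if ip_address(pkt[key]) not in ip_network(want, strict=False):
                    return False
            elif key == "states":          # -m state --state NEW,INVALID
                if pkt["state"] not in want:
                    return False
            elif pkt[key] != want:         # -i / -o interface names
                return False
        return True

class Chain:
    """First matching rule decides; otherwise the chain policy applies."""
    def __init__(self, policy="ACCEPT"):
        self.rules, self.policy = [], policy
    def append(self, r): self.rules.append(r)      # iptables -A
    def insert(self, r): self.rules.insert(0, r)   # iptables -I (position 1)
    def delete(self, r): self.rules.remove(r)      # iptables -D
    def verdict(self, pkt):
        return next((r.target for r in self.rules if r.matches(pkt)), self.policy)

def build_forward_chain():
    """The FORWARD rules of section 3.1, applied in the order the HOWTO runs them."""
    ch = Chain()
    ch.append(Rule("DROP", in_if="eth0", states={"NEW", "INVALID"}))
    ch.insert(Rule("DROP", out_if="eth0"))          # blocks every public client
    ch.insert(Rule("ACCEPT", src="10.0.1.0/24", dst="10.0.1.1"))
    return ch

def session_open(ch, client_ip, iface="eth0"):
    """Assumed per-login rule: ACCEPT the client's address towards the internal
    interface, inserted ABOVE the catch-all DROP (an appended rule would be shadowed)."""
    rule = Rule("ACCEPT", src=client_ip, out_if=iface)
    ch.insert(rule)
    return rule

def session_close(ch, rule):
    ch.delete(rule)          # logout: the same rule is deleted, closing the hole

def client_packet(src, state="NEW"):     # constructed: public client -> internal host
    return {"in_if": "eth1", "out_if": "eth0", "src": src, "dst": "192.0.2.10", "state": state}
```

Running the three test steps of section 3.2 against this model (open, check, close) reproduces the expected DROP / ACCEPT / DROP sequence for the client's address while other public hosts stay blocked.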
3.3. DHCP Server Setup

I set up DHCP using the following dhcpd.conf:

    subnet 10.0.1.0 netmask 255.255.255.0 {
    # --- default gateway
        option routers                  10.0.1.1;
        option subnet-mask              255.255.255.0;
        option broadcast-address        10.0.1.255;
        option domain-name-servers      10.0.1.1;
        range 10.0.1.3 10.0.1.254;
        # DHCP option 2 is expressed in seconds, so EST would be -18000
        option time-offset              -5;     # Eastern Standard Time
        default-lease-time 21600;
        max-lease-time 43200;
    }

In this case the DHCP server was run on eth1, the public network interface:

    /usr/sbin/dhcpd eth1

3.4. Authentication Method Setup

As described in the previous section, I configured the gateway to use LDAP for authentication. However, any method that PAM supports for authentication can be used. See Section 2.4 if you need more information.

To authenticate with PAM LDAP, I installed OpenLDAP <http://www.openldap.org> and put the following settings in /etc/ldap.conf:

    # Your LDAP server. Must be resolvable without using LDAP.
    host itc.musc.edu
    # The distinguished name of the search base.
    base dc=musc,dc=edu
    ssl no

The files listed below were used to configure PAM to authenticate against LDAP. These files were generated by the Red Hat configuration utility. /etc/pam.d/system-auth was created with the following content:

    #%PAM-1.0
    # This file is auto-generated.
    # User changes will be destroyed the next time authconfig is run.
    auth        required      /lib/security/pam_env.so
    auth        sufficient    /lib/security/pam_unix.so likeauth nullok
    auth        sufficient    /lib/security/pam_ldap.so use_first_pass
    auth        required      /lib/security/pam_deny.so
    account     required      /lib/security/pam_unix.so
    account     [default=ok user_unknown=ignore service_err=ignore system_err=ignore] /lib/security/pam_ldap.so
    password    required      /lib/security/pam_cracklib.so retry=3
    password    sufficient    /lib/security/pam_unix.so nullok use_authtok
    password    sufficient    /lib/security/pam_ldap.so use_authtok
    password    required      /lib/security/pam_deny.so
    session     required      /lib/security/pam_limits.so
    session     required      /lib/security/pam_unix.so
    session     optional      /lib/security/pam_ldap.so

The following /etc/pam.d/sshd file was also created:

    #%PAM-1.0
    auth       required     /lib/security/pam_stack.so service=system-auth
    auth       required     /lib/security/pam_nologin.so
    account    required     /lib/security/pam_stack.so service=system-auth
    password   required     /lib/security/pam_stack.so service=system-auth
    session    required     /lib/security/pam_stack.so service=system-auth
    #this line is added for firewall rule insertion upon login
    session    required     /lib/security/pam_iptables.so debug
    session    optional     /lib/security/pam_console.so

3.5. DNS Setup

I installed the default versions of Bind and the caching-nameserver RPM that came with Red Hat 7.1. The DHCP server is configured so that machines on the public network use the gateway as their name server.

4. Using the Authentication Gateway

To use the authentication gateway, configure the client to use DHCP. Install an SSH client on that machine and log in to the gateway with SSH. Once logged in, the internal network can be accessed. Below is an example session on a Unix-based client:

    bash>ssh zornnh@10.0.1.1
    zornnh's Password:
    gateway>

Access is possible only while you remain logged in. Once you log out, access is no longer possible.

5. Conclusion

* The security method shown in this document does not depend on the security provided by the wireless network community. It works properly even if the whole wireless network is insecure, and even if the wireless network is not under your control.

* The gateway does not encrypt traffic. It only permits access to the network behind it. If encryption is also needed, a VPN should be used.
6. Additional Information

* A document describing NASA's implementation of an authentication gateway <http://www.nas.nasa.gov/Groups/Networks/Projects/Wireless/index.html>.

* A description of how the University of Alberta built an authentication gateway <http://www.ualberta.ca/~beck/authgw.html>.

7. Questions and Answers

This is a collection of the questions I have received that I think many other people are likely to ask as well. If I receive enough feedback, I will turn it into a proper FAQ.

8. About the Japanese Translation

The Japanese translation was done by the Linux Japanese FAQ Project. Please send comments about the translation to the JF Project <JF@linux.or.jp>.

v0.03: Translation: yomoyomo <ymgrtq@ma.neweb.ne.jp>
Proofreading: office <office@ukky.net>, <kgh12351@nifty.ne.jp>, <arms405@jade.dti.ne.jp>, <cz@hykw.tv>