howto-text-zh-9.0-1mdk.noarch.rpm


                    How to set up a Virtual Private Network (VPN)

Author: Arpad Magosanyi <mag@bunuel.tii.matav.hu>
Translator: <dawei@sinica.edu.tw>

   v0.2, 7 August 1997; translation completed: 20 Feb 1999
     _________________________________________________________________
   
   How to build a Virtual Private Network.
     _________________________________________________________________
   
1. Changes

2. Advertisements

     * 2.1 Copyright
     * 2.2 Disclaimer
     * 2.3 Warning
     * 2.4 Credits
     * 2.5 Status of this document
     * 2.6 Related documents
       
3. Introduction

     * 3.1 Naming convention
       
4. Building the VPN

     * 4.1 Planning
     * 4.2 Collecting the tools
     * 4.3 Compiling and installing
     * 4.4 Setting up the other subsystems
     * 4.5 Setting up the VPN user accounts
     * 4.6 Generating an ssh key for the master account
     * 4.7 Setting up the automatic ssh login environment for the slave account
     * 4.8 Hardening ssh on the bastion hosts
     * 4.9 Allowing ppp execution and routing for the two accounts
     * 4.10 Writing the scripts
       
5. Let's look at what happens:

6. Doing it step by step.

     * 6.1 Login
     * 6.2 Starting ppp
     * 6.3 Doing both in one step
     * 6.4 Pty redirection
     * 6.5 What is on this device?
     * 6.6 Setting up routing
       
7. Tuning

     * 7.1 Tuning the setup
     * 7.2 Bandwidth versus security
       
8. Analysis of the weak points
     _________________________________________________________________
   
1. Changes

   'no controlling tty problem' -> -o 'BatchMode yes', fixed by Zot O'Connor
   <zot@crl.com>.
   
   The kernel 2.0.30 warning, fixed by mag.
   
2. Advertisements

   This document is the Linux VPN howto. It collects information about how to
   build a virtual protected network on Linux (and on UNIX in general).
   
2.1 Copyright

   This document is part of the Linux HOWTO project. Its copyright notice is as
   follows: unless otherwise stated, Linux HOWTO documents are copyrighted by
   their respective authors. Linux HOWTO documents may be reproduced and
   distributed, in whole or in part, in any physical or electronic medium, as
   long as this copyright notice is retained on every copy. Commercial
   redistribution is allowed and encouraged; however, the author would like to
   be notified of any such distribution. All translations, derivative works or
   aggregate works incorporating any Linux HOWTO document must be covered by
   this copyright notice. That is, you may not produce a derivative work from a
   HOWTO and then impose additional restrictions on the distribution of that
   derivative. Exceptions to these rules may be granted under certain
   conditions; please contact the Linux HOWTO coordinator at the address given
   below. In short, we wish to promote the dissemination of this information
   through as many channels as possible. However, we also wish to retain the
   copyright on the HOWTO documents, and would like to be notified of any plans
   to redistribute the HOWTOs. If you have any questions, please contact the
   Linux HOWTO coordinator, Tim Bynum, by e-mail at
   linux-howto@sunsite.unc.edu.
   
2.2 Disclaimer

   As usual: the author takes no responsibility whatsoever for any damage this
   document causes you. For the exact wording, see the relevant part of GNU GPL
   0.1.1.
   
2.3 Warning

   What we are dealing with here is a security problem: if you have not formed
   a good security policy and put the matching measures in place, you will not
   obtain real security.
   
2.4 Credits

   Thanks to everyone who provided the tools used in this document.
   
   Thanks to Zot O'Connor <zot@crl.com>, who not only pointed out the "no
   controlling tty" problem but also provided the solution.
   
2.5 Status of this document

   Before reading this document you should already have a complete knowledge of
   IP administration, or at least some understanding of firewalls, ppp and ssh.
   If you want to set up a VPN environment you have to know these things
   anyway. I have only written my experience down so that I do not forget it
   later, so I am sure there are security holes in here. For the sake of
   clarity, I try to explain everything with the hosts set up as routers rather
   than as firewalls, in the hope that everyone can follow this document
   easily.
   
2.6 Related documents

     * The Linux Firewall-HOWTO, in the file /usr/doc/HOWTO/Firewall-HOWTO
     * The Linux PPP-HOWTO, in the file /usr/doc/HOWTO/PPP-HOWTO.gz
     * The ssh documentation in the directory /usr/doc/ssh/*
     * The Linux "Network Admins' Guide"
     * The computer security publications of the National Institute of
       Standards and Technology (NIST), see
       http://csrc.ncsl.nist.gov/nistpubs/
     * The "Firewall list" mailing list (majordomo@greatcircle.com)
       
3. Introduction

   Since network security is receiving more and more attention, firewall
   technology is applied ever more widely on both the Internet and company
   "intranets", and the quality of the firewall has a decisive influence on the
   security of the VPN. This is only my personal view; everyone is welcome to
   put forward their own.
   
3.1 Naming convention

   I will use the two terms "master firewall" and "slave firewall". However,
   building the VPN has nothing to do with a master/slave architecture. I
   simply regard the two ends, when the connection is built, as the active
   participant and the passive participant. The host that initiates the
   connection is treated as the master firewall; the passive participant is
   treated as the slave firewall.
   
4. Building the VPN

4.1 Planning

   Before you start setting up the system you should understand the details of
   the network connection. I now assume that you have two firewalls, each
   protecting one company intranet. So each firewall should now have (at least)
   two network interfaces. Take a sheet of paper and write down their IP
   addresses and netmasks. Each VPN firewall will use several IP address
   ranges. These ranges should lie outside the range of your company's existing
   subnets. I recommend using the "private" IP address ranges, shown below:
   
     * 10.0.0.0 - 10.255.255.255
     * 172.16.0.0 - 172.31.255.255
     * 192.168.0.0 - 192.168.255.255
       
   To explain things, I use an example setup here: there are two bastion
   [translator's note] hosts, called fellini and polanski. Each has one
   interface connected to the Internet (-out), one connected to the company
   intranet (-in), and one connected to the VPN (-vpn). All the IP addresses
   and netmasks are as follows:
   
     * fellini-out: 193.6.34.12 255.255.255.0
     * fellini-in: 193.6.35.12 255.255.255.0
     * fellini-vpn: 192.168.0.1 pointopoint
     * polanski-out: 193.6.36.12 255.255.255.0
     * polanski-in: 193.6.37.12 255.255.255.0
     * polanski-vpn: 192.168.0.2 pointopoint
       
   Translator's note: a bastion host is a firewall gateway exposed outside the
   company network.
   
   So we have a plan.
   
4.2 Collecting the tools

   You will need
     * a Linux firewall
          + kernel
          + a very minimal setup
          + the ipfwadm program
          + the fwtk program
     * the tools used by the VPN
          + the ssh program
          + the pppd program
          + the sudo program
          + the pty-redir program
       
   Versions currently used:
     * kernel: 2.0.29. Use a stable kernel, and it must be newer than 2.0.20
       because of the ping'o'death bug. At the time of writing the last stable
       kernel is version 2.0.30, but it has some bugs. If you want the fast and
       cool network code the newest kernel provides, you can try it yourself;
       version 2.0.30 works well enough for me.
     * base operating system: I prefer the Debian distribution. You will
       definitely not need any large software packages, sendmail included. You
       must also definitely not allow telnet, ftp and the 'r' commands the way
       other UNIX hosts do.
     * ipfwadm: I use 2.3.0.
     * fwtk: I use 1.3.
     * ssh: >= 1.2.20. Older versions have a problem in the underlying
       protocol.
     * pppd: I tested 2.2.0f, but I cannot be sure that it is safe, which is
       why I strip its setuid bit and run it through sudo.
     * sudo: the newest version I know of is 1.5.2.
     * pty-redir: I wrote this. Get it from
       ftp://ftp.vein.hu/ssa/contrib/mag/pty-redir-0.1.tar.gz. The current
       version is 0.1. If you have any problem using it, please write to me.
       
4.3 Compiling and installing

   Your job now is to compile or install the tools you have collected. Consult
   their detailed documentation (and the firewall-howto). We now have the tools
   installed.
   
4.4 Setting up the other subsystems

   Set up the firewall and the other items. You must allow ssh traffic between
   the two firewall hosts. That is, the master firewall will open a network
   connection to port 22 of the slave firewall. Start sshd on the slave
   firewall and verify that it lets you "log in". This step has not been tested
   yet; please tell me your results.
   
4.5 Setting up the VPN user accounts

   Create a user account on the slave firewall with your everyday tools (for
   example vi, mkdir, chown, chmod). You can create a user account on the
   master firewall as well, but I think setting up the connection at boot time
   is enough, so the original root account suffices. Can anyone explain to us
   what the danger of using the root account on the master firewall is?
   
4.6 Generating an ssh key for the master account

   You can use the ssh-keygen program. If you want the VPN to be set up
   automatically, you can set up a "private key" without a passphrase.
   
4.7 Setting up the automatic ssh login environment for the slave account

   On the slave firewall, copy the "public key" you have just generated into
   the file .ssh/authorized_keys of the user account slave, and set the file
   permissions as follows:
   
drwx------ 2 slave slave 1024 Apr 7 23:49 ./
drwx------ 4 slave slave 1024 Apr 24 14:05 ../
-rwx------ 1 slave slave 328 Apr 7 03:04 authorized_keys
-rw------- 1 slave slave 660 Apr 14 15:23 known_hosts
-rw------- 1 slave slave 512 Apr 21 10:03 random_seed

   Here the first line is ~slave/.ssh and the second line is ~slave.
   
4.8 Hardening ssh on the bastion hosts

   Follow my settings in sshd_conf:
   
PermitRootLogin no
IgnoreRhosts yes
StrictModes yes
QuietMode no
FascistLogging yes
KeepAlive yes
RhostsAuthentication no
RhostsRSAAuthentication no
RSAAuthentication yes
PasswordAuthentication no
PermitEmptyPasswords no

   Password authentication (PasswordAuthentication) is turned off, so you can
   only complete a login with an authorized key. (Of course you have also
   turned off telnet and the 'r' commands.)
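   An added example, not part of the HOWTO: a small audit that checks a
   sshd_config against the directives listed in 4.8 and the permissions of the
   slave account's .ssh directory from 4.7. The file and directory paths are
   passed in by the caller; nothing here is assumed about the rest of the host.

```shell
#!/bin/sh
# Added example, not from the HOWTO: audit the sshd_config directives of section 4.8
# and the ~slave/.ssh permissions of section 4.7. Paths are passed in by the caller.

# check_sshd_config FILE -> lists every directive that deviates from the HOWTO's
# values, returns 1 if any does. The last uncommented occurrence of a keyword wins;
# values are compared case-insensitively.
check_sshd_config() {
    cfg=$1
    rc=0
    for want in "PermitRootLogin no" "IgnoreRhosts yes" "StrictModes yes" \
                "QuietMode no" "FascistLogging yes" "KeepAlive yes" \
                "RhostsAuthentication no" "RhostsRSAAuthentication no" \
                "RSAAuthentication yes" "PasswordAuthentication no" \
                "PermitEmptyPasswords no"; do
        key=${want%% *}
        val=${want#* }
        got=$(grep -i "^[[:space:]]*$key[[:space:]]" "$cfg" | tail -n 1 \
              | awk '{print tolower($2)}')
        if [ "$got" != "$val" ]; then
            echo "$key: want '$val', got '${got:-<unset>}'"
            rc=1
        fi
    done
    return $rc
}

# check_ssh_dir DIR -> returns 1 if DIR or DIR/authorized_keys is missing or
# accessible to group/others (the HOWTO's listing shows 700 for the directory).
check_ssh_dir() {
    dir=$1
    rc=0
    for f in "$dir" "$dir/authorized_keys"; do
        if [ ! -e "$f" ]; then
            echo "$f: missing"; rc=1; continue
        fi
        mode=$(stat -c %a "$f")          # GNU stat, as on the HOWTO's Linux hosts
        case $mode in
            *00) ;;                        # group and other bits all clear
            *) echo "$f: mode $mode is group/world accessible"; rc=1 ;;
        esac
    done
    return $rc
}
```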
   
4.9 Allowing ppp execution and routing for the two accounts

   When your master account is root (as in my example), you do not have to do
   anything. For the slave account, the following line appears in your
   /etc/sudoers file:
   
Cmnd_Alias VPN=/usr/sbin/pppd,/usr/local/vpn/route
slave ALL=NOPASSWD: VPN

   As you can see, on the slave firewall host I use some scripts to set up ppp
   and the routing table.
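   An added example, not from the HOWTO: an audit of what a sudoers Cmnd_Alias
   such as the VPN alias above actually grants. Section 8 concedes that running
   shell scripts through sudo is the weak spot of this setup, so each command
   is checked for being an interpreted script, for being an absolute path, and
   for being writable by anyone other than its owner. The sudoers file path and
   alias name are passed in by the caller.

```shell
#!/bin/sh
# Added example, not from the HOWTO: audit the commands granted through a sudoers
# Cmnd_Alias, as in the VPN alias of section 4.9. Section 8 admits that calling shell
# scripts through sudo is the weak spot, so each command is checked for that too.
# audit_cmnd_alias SUDOERS ALIAS -> one line per finding, returns 1 if there is any.
audit_cmnd_alias() {
    sudoers=$1
    alias=$2
    rc=0
    # extract "Cmnd_Alias ALIAS=cmd1,cmd2" and split the comma-separated list
    cmds=$(grep -E "^[[:space:]]*Cmnd_Alias[[:space:]]+$alias[[:space:]]*=" "$sudoers" \
           | sed -e 's/^[^=]*=//' -e 's/,/ /g')
    [ -n "$cmds" ] || { echo "$alias: no Cmnd_Alias found"; return 1; }
    for cmd in $cmds; do
        case $cmd in
            /*) ;;
            *) echo "$cmd: not an absolute path"; rc=1; continue ;;
        esac
        if [ ! -f "$cmd" ]; then
            echo "$cmd: missing"; rc=1; continue
        fi
        # the HOWTO's own route script starts with #!; section 8 calls that bad
        if [ "$(head -c 2 "$cmd")" = "#!" ]; then
            echo "$cmd: is an interpreted script, not a binary"; rc=1
        fi
        mode=$(stat -c %a "$cmd")      # GNU stat; keep only the rwx digits
        perm=${mode#${mode%???}}
        case $perm in
            ?[2367]?|??[2367]) echo "$cmd: mode $mode is group/world writable"; rc=1 ;;
        esac
    done
    return $rc
}
```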
   
4.10 Writing the scripts

   On the master firewall host I use a mature init script:
#! /bin/sh
# skeleton      This file is an example of a script built under /etc/init.d/.
#               It should be used to construct scripts in /etc/init.d.
#
#               Author: Miquel van Smoorenburg <miquels@cistron.nl>.
#               Modified for Debian GNU/Linux by
#               Ian Murdock <imurdock@gnu.ai.mit.edu>.
#
# Version:      @(#)skeleton  1.6  11-Nov-1996  miquels@cistron.nl
#

PATH=/usr/local/sbin:/sbin:/bin:/usr/sbin:/usr/bin:/usr/bin/X11/:
PPPAPP=/home/slave/ppp            # started on the slave through sudo
ROUTEAPP=/home/slave/route        # sets the slave's routing table
PPPD=/usr/sbin/pppd
NAME=VPN
REDIR=/usr/local/bin/pty-redir
SSH=/usr/bin/ssh
MYPPPIP=192.168.0.1               # fellini-vpn
TARGETIP=192.168.0.2              # polanski-vpn
TARGETNET=193.6.37.0              # polanski's intranet
MYNET=193.6.35.0                  # fellini's intranet
SLAVEWALL=polanski-out
SLAVEACC=slave

test -f $PPPD || exit 0

set -e

case "$1" in
  start)
        echo setting up vpn
        # pty-redir prints the local pty on which the remote pppd is reachable
        $REDIR $SSH -o 'Batchmode yes' -t -l $SLAVEACC $SLAVEWALL sudo $PPPAPP >/tmp/device
        TTYNAME=`cat /tmp/device`
        echo tty is $TTYNAME
        sleep 10s
        if [ ! -z "$TTYNAME" ]
        then
                $PPPD $TTYNAME ${MYPPPIP}:${TARGETIP}
        else
                echo FAILED!
                logger "vpn setup failed"
        fi
        sleep 5s
        route add -net $TARGETNET gw $TARGETIP
        $SSH -o 'Batchmode yes' -l $SLAVEACC $SLAVEWALL sudo $ROUTEAPP
    ;;
  stop)
        # the ssh started above carries "-o Batchmode yes" before "-t", so match loosely
        ps -ax | grep "ssh .*-t -l $SLAVEACC " | grep -v grep | awk '{print $1}' | xargs kill
    ;;
  *)
    # echo "Usage: /etc/init.d/$NAME {start|stop|reload}"
    echo "Usage: /etc/init.d/$NAME {start|stop}"
    exit 1
    ;;
esac

exit 0

   The slave account can use a script to set up routing (/usr/local/vpn/route):
#!/bin/bash
/sbin/route add -net 193.6.35.0 gw 192.168.0.1

   And the content of its .ppprc is as follows:
passive

5. Let's look at what happens:

   The master logs in to the slave account, starts pppd, and redirects all the
   data to a local pty (pseudo terminal). The whole flow of execution is:
   
     * allocate a new pty
     * log in to the slave account through ssh
     * run pppd in the slave account
     * the master runs pppd on the local pty
     * and sets up the routing table on the client side.
       
   There is a timing issue to consider here (the requirement is not very
   strict), which is why the 'sleep 10s' statement is used.
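   An added example, not the HOWTO's script: the fixed 'sleep 10s' above is a
   guess at how long pty-redir needs. The function below instead polls the
   output file for a bounded time and only hands back a name that looks like a
   tty path, so pppd is never started on an empty or unexpected device. The
   background job in demo_wait stands in for pty-redir and is constructed here.

```shell
#!/bin/sh
# Added example, not the HOWTO's script: replace the fixed 'sleep 10s' of section 5
# with a bounded poll that waits until pty-redir has written a device name, and
# refuses anything that does not look like a tty path before pppd is started on it.
# wait_for_device FILE TIMEOUT -> prints the device name and returns 0, or returns 1
# if FILE holds nothing usable within TIMEOUT seconds.
wait_for_device() {
    file=$1
    limit=${2:-10}
    waited=0
    while [ "$waited" -lt "$limit" ]; do
        if [ -s "$file" ]; then
            dev=$(head -n 1 "$file")
            case $dev in
                /dev/tty*|/dev/pts/*) echo "$dev"; return 0 ;;
                *) echo "unexpected device name '$dev'" >&2; return 1 ;;
            esac
        fi
        sleep 1
        waited=$((waited + 1))
    done
    echo "no device name after ${limit}s" >&2
    return 1
}

# Constructed demonstration: a background job stands in for pty-redir and reports
# /dev/ttyp0 (the name used in section 6.4) after two seconds. The output file lives
# in a private mktemp directory rather than the world-writable /tmp of the script.
demo_wait() {
    tmp=$(mktemp -d)
    : > "$tmp/device"
    ( sleep 2; echo /dev/ttyp0 > "$tmp/device" ) &
    wait_for_device "$tmp/device" 5
    rc=$?
    wait
    rm -rf "$tmp"
    return $rc
}
```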
   
6. Doing it step by step.

6.1 Login

   By now you should have tested whether ssh works properly. If slave refuses
   your login, read the log files. It may be a problem with file permissions or
   with the sshd configuration.
   
6.2 Starting ppp

   Log in to the slave account and run:
sudo /usr/sbin/pppd passive

   At this point, if it works, you should see some garbage. Suppose no garbage
   appears: then either sudo or pppd has a problem. Consult the log files,
   /etc/ppp/options and .ppprc to find out which command failed. Once the
   problem is resolved, write the word 'passive' into .ppprc and try again.
   Press enter, '~' and '^Z' to clear the garbage off the screen and carry on.
   Now you should see master's "prompt"; then run kill %1. If you want to know
   more about the "escape character", see the "tuning" section.
   
6.3 Doing both in one step

   Of course you can also do this
   
ssh -l slave polanski sudo /usr/sbin/pppd

   If it works, it sends some garbage-looking data right into your face.
   
6.4 Pty redirection

   This time we try to redirect the above:
/usr/local/bin/pty-redir /usr/bin/ssh -l slave polanski sudo /usr/sbin/pppd

   A long sentence, isn't it? You should use the full path name of the ssh
   executable; for security reasons the pty-redir program only allows it this
   way. Now you get a device name from this program. Suppose you get
   /dev/ttyp0. You can use the ps command to look at the current state; look
   for the entries related to the 'p0' device.
   
6.5 What is on this device?

   Try running
/usr/sbin/pppd /dev/ttyp0 local 192.168.0.1:192.168.0.2

   to build the connection. Then look at the output of ifconfig to see whether
   the device has been set up, and then use ping to check your virtual network.
   
6.6 Setting up routing

   Besides setting up routing on the master firewall host, the slave firewall
   host has to be set up too. Now you should be able to ping from a host on one
   of the company's intranets to a host on the other intranet. Next, set up the
   additional firewall rules. Now that you have a VPN environment, you can set
   up the connection rules between the company's two intranets.
   
7. Tuning

7.1 Tuning the setup

   As I said, this document is only my personal memo of setting up a VPN. Some
   parts of the setup I have not tested yet. When I have tested them I will put
   them in their proper place, or when someone tells me "this is how it works".
   There is one most important thing everyone must keep in mind: the ppp
   connection is not yet running 8-bit. I also feel that the ssh or pty setup
   must still have places that need hardening. In the ssh setup the "tilde" (~)
   character is used as the escape character. It can stop or slow down the
   communication between the two ends: whenever a "newline-tilde" escape
   sequence appears, ssh jumps into prompt mode. The ssh documentation says: <
   on most systems, setting no escape character makes the session transparent
   even if a tty is used. > The ssh option flag for this is '-e', and you can
   also set it in the configuration file.
   
7.2 Bandwidth versus security

   Building any virtual network wastes real resources. A VPN eats bandwidth and
   computing resources. Your goal should be to reach a win-win situation. You
   can tune it with the '-C' switch or the 'CompressionLevel' option. You can
   also try using another cipher, but I do not recommend doing so. Note also
   that the higher the compression level you use, the longer the round-trip
   time of the data you send. Any related test reports are welcome.
   
8. Analysis of the weak points

   I try to explain here which weak points this particular setup, and VPNs in
   general, have. Everyone is warmly invited to comment.
     * sudo: I confess that I use sudo too much. I am convinced that it is
       still safer than using setuid bits. It is an undeniable fact that Linux
       still has no good access control mechanism, at least until a
       POSIX.6-compliant kernel is officially released
       <http://www.xarius.demon.co.uk/software/posix6/>. Even worse, I
       actually invoke shell scripts through sudo. That is really awful. Do you
       have any suggestions?
     * pppd: it also runs suid root (translator's note). You can configure it
       through the user's .ppprc. Beware, it may suffer from a "buffer
       overrun". The bottom line: protect the security of your slave account
       as much as you possibly can.
     * ssh: beware, ssh versions before 1.2.20 have security holes. Worse, in
       our setup, when we make concessions on the security of the master
       account, we correspondingly give up the security baseline of the slave
       account as well, and we use two programs started through sudo, which
       also opens the door wide to attack. That is because, in order to set up
       the VPN automatically, we chose to let master use a "secret key" without
       a passphrase.
     * firewall: if the rules of the firewall on the bastion host are set up
       improperly, that amounts to opening the door to the company intranet
       wide. I recommend using IP "Masquerading" (then even if the routing is
       set up incorrectly, the impact is negligible), together with strict
       control on the VPN interface.
       
   Translator's note: suid root means that anyone who runs the program obtains
   root's privileges while it runs. suid (set user ID) refers to the 11th bit
   of the file attributes, which lets whoever executes the file become the
   file's owner.