1.3. Network Authentication

Published: 2019-06-19

1.3.1. Network Information Service (NIS)

1.3.1.1. Installing the NIS server

Procedure 1.1. Installing the NIS server

  1. ypserv

    # yum install ypserv -y
  2. /etc/hosts

    [root@nis ~]# hostname nis.example.com
    [root@nis ~]# echo "192.168.3.5 nis.example.com" >> /etc/hosts
    [root@nis ~]# cat /etc/hosts
    # Do not remove the following line, or various programs
    # that require network functionality will fail.
    127.0.0.1 datacenter.example.com datacenter localhost.localdomain localhost
    ::1 localhost6.localdomain6 localhost6
    127.0.0.1 kerberos.example.com
    192.168.3.5 nis.example.com
  3. Set the NIS domain name

    # nisdomainname example.com
    # nisdomainname
    example.com

    Make it persistent by adding it to the /etc/rc.local boot script and to /etc/sysconfig/network:

    # echo '/bin/nisdomainname example.com' >> /etc/rc.local
    # echo 'NISDOMAIN=example.com' >> /etc/sysconfig/network
  4. Edit the main configuration file /etc/ypserv.conf

    Each access rule is host : domain : map : security. Rules are tried in order, so the final line rejects every client that no earlier rule matched:

    # vim /etc/ypserv.conf
    127.0.0.0/255.255.255.0 : * : * : none
    192.168.3.0/255.255.255.0 : * : * : none
    * : * : * : deny
  5. Create /var/yp/securenets

    securenets is the access-control file: each line is a netmask followed by a network (or the word host followed by a single address), and ypserv answers only clients inside one of them. Both this file and ypserv.conf filter on source IP alone. NIS has no client authentication and no transport encryption, so every host on an allowed subnet can dump every map, the passwd map with its password hashes included; keep the allowed networks as small as possible.

    # vim /var/yp/securenets
    host 127.0.0.1
    255.255.255.0 192.168.3.0
  6. Start the NIS server

    The NIS server needs the portmap service, and both ypserv and yppasswdd have to be started:

    [root@nis ~]# service portmap status
    portmap (pid 2336) is running...
    [root@nis ~]# service ypserv start
    Starting YP server services: [ OK ]
    [root@nis ~]# service yppasswdd start
    Starting YP passwd service: [ OK ]
  7. Build the NIS database

    32-bit: /usr/lib/yp/ypinit -m

    64-bit: /usr/lib64/yp/ypinit -m

    [root@nis ~]# /usr/lib64/yp/ypinit -m
    At this point, we have to construct a list of the hosts which will run NIS
    servers.  nis.example.com is in the list of NIS server hosts.  Please continue to add
    the names for the other hosts, one per line.  When you are done with the
    list, type a <control D>.
            next host to add: nis.example.com
            next host to add:
    The current list of NIS servers looks like this:

    nis.example.com

    Is this correct? [y/n: y]
    We need a few minutes to build the databases...
    Building /var/yp/example.com/ypservers...
    Running /var/yp/Makefile...
    gmake[1]: Entering directory `/var/yp/example.com'
    Updating passwd.byname...
    Updating passwd.byuid...
    Updating group.byname...
    Updating group.bygid...
    Updating hosts.byname...
    Updating hosts.byaddr...
    Updating rpc.byname...
    Updating rpc.bynumber...
    Updating services.byname...
    Updating services.byservicename...
    Updating netid.byname...
    Updating protocols.bynumber...
    Updating protocols.byname...
    Updating mail.aliases...
    gmake[1]: Leaving directory `/var/yp/example.com'

    nis.example.com has been set up as a NIS master server.

    Now you can run ypinit -s nis.example.com on all slave server.

    Check

    # ls /var/yp/
    binding  example.com  Makefile  nicknames  securenets  ypservers
  8. Service

    [root@datacenter ~]# chkconfig --list | grep yp
    ypbind          0:off   1:off   2:off   3:off   4:off   5:off   6:off
    yppasswdd       0:off   1:off   2:off   3:off   4:off   5:off   6:off
    ypserv          0:off   1:off   2:off   3:off   4:off   5:off   6:off
    ypxfrd          0:off   1:off   2:off   3:off   4:off   5:off   6:off
    [root@nis ~]# chkconfig ypserv on
    [root@nis ~]# chkconfig yppasswdd on

1.3.1.2. Slave NIS Server

As the ypinit output says, run ypinit -s nis.example.com on every slave server:

# ypinit -s nis.example.com

1.3.1.3. Installing the client software

Procedure 1.2. Installing the NIS client software

  1. An NIS client needs the ypbind and yp-tools packages

    # yum install ypbind yp-tools -y
  2. NIS domain name

    # nisdomainname example.com

    Persist it the same way as on the server (NISDOMAIN=example.com in /etc/sysconfig/network), otherwise ypbind has no domain to bind to after a reboot.
  3. /etc/hosts

    192.168.3.5 nis.example.com
  4. /etc/yp.conf

    # vim /etc/yp.conf
    domain example.com server nis.example.com
  5. /etc/nsswitch.conf

    # vim /etc/nsswitch.conf
    passwd: files nis
    shadow: files nis
    group: files nis
    hosts: files nis dns
  6. Start the ypbind service

    [root@test ~]# service portmap status
    portmap is stopped
    [root@test ~]# service portmap start
    Starting portmap: [ OK ]
    [root@test ~]# service ypbind start
    Turning on allow_ypbind SELinux boolean
    Binding to the NIS domain: [ OK ]
    Listening for an NIS domain server..
  7. yp-tools test utilities

    yptest runs an automatic test against the NIS server

    # yptest

    ypwhich prints the hostname of the NIS server this client is bound to; with -x it lists the map nicknames

    # ypwhich
    # ypwhich -x

    ypcat -x lists the map nicknames, and ypcat followed by a map name dumps that map

    # ypcat -x
    # ypcat passwd
  8. NIS client service

    # chkconfig ypbind on

1.3.1.4. Authentication Configuration

authconfig-tui writes the same settings into /etc/yp.conf, /etc/nsswitch.conf and the PAM stack, so it is an alternative to editing those files by hand as in Procedure 1.2.

# authconfig-tui

Select "Use NIS"

┌────────────────┤ Authentication Configuration ├─────────────────┐
│                                                                 │
│  User Information        Authentication                         │
│  [ ] Cache Information   [*] Use MD5 Passwords                  │
│  [ ] Use Hesiod          [*] Use Shadow Passwords               │
│  [ ] Use LDAP            [ ] Use LDAP Authentication            │
│  [*] Use NIS             [ ] Use Kerberos                       │
│  [ ] Use Winbind         [ ] Use SMB Authentication             │
│                          [ ] Use Winbind Authentication         │
│                          [ ] Local authorization is sufficient  │
│                                                                 │
│            ┌────────┐                      ┌──────┐             │
│            │ Cancel │                      │ Next │             │
│            └────────┘                      └──────┘             │
│                                                                 │
│                                                                 │
└─────────────────────────────────────────────────────────────────┘

NIS Settings

┌─────────────────┤ NIS Settings ├─────────────────┐
│                                                  │
│ Domain: example.com_____________________________ │
│ Server: nis.example.com_________________________ │
│                                                  │
│         ┌──────┐                 ┌────┐          │
│         │ Back │                 │ Ok │          │
│         └──────┘                 └────┘          │
│                                                  │
│                                                  │
└──────────────────────────────────────────────────┘

1.3.1.5. Application example

NIS server:

Create a user named test on the NIS server, then rebuild the maps. The page re-runs ypinit -m for the rebuild; the usual way to push a changed /etc/passwd into the maps is to run make in /var/yp, which is the Makefile ypinit calls.

# adduser test
# passwd test
# /usr/lib64/yp/ypinit -m

NIS client

Log in to the client as the test user

ssh test@client.example.com

Test

[root@test ~]# yptest
Test 1: domainname
Configured domainname is "example.com"
Test 2: ypbind
Used NIS server: nis.example.com
Test 3: yp_match
WARNING: No such key in map (Map passwd.byname, key nobody)
Test 4: yp_first
neo neo:$1$e1nd3pts$s7NikMnKwpL4vUp2LM/N9.:500:500::/home/neo:/bin/bash
Test 5: yp_next
test test:$1$g4.VCB7i$I/N5W/imakprFdtP02i8/.:502:502::/home/test:/bin/bash
svnroot svnroot:!!:501:501::/home/svnroot:/bin/bash
Test 6: yp_master
nis.example.com
Test 7: yp_order
1271936660
Test 8: yp_maplist
rpc.byname
protocols.bynumber
ypservers
passwd.byname
hosts.byname
rpc.bynumber
group.bygid
services.byservicename
mail.aliases
passwd.byuid
services.byname
netid.byname
protocols.byname
group.byname
hosts.byaddr
Test 9: yp_all
neo neo:$1$e1nd3pts$s7NikMnKwpL4vUp2LM/N9.:500:500::/home/neo:/bin/bash
test test:$1$g4.VCB7i$I/N5W/imakprFdtP02i8/.:502:502::/home/test:/bin/bash
svnroot svnroot:!!:501:501::/home/svnroot:/bin/bash
1 tests failed

The one failure is Test 3: yptest looks up the key nobody, and the default /var/yp/Makefile only exports accounts whose UID is at least MINUID (500), so that system account is not in the map. It is harmless.

Change the password

$ yppasswd
Changing NIS account information for test on nis.example.com.
Please enter old password:
Changing NIS password for test on nis.example.com.
Please enter new password:
Please retype new password:

The NIS password has been changed on nis.example.com.

-bash-3.2$ ypcat hosts
127.0.0.1 localhost.localdomain localhost
127.0.0.1 kerberos.example.com
192.168.3.5 nis.example.com
-bash-3.2$ ypcat passwd
neo:$1$e1nd3pts$s7NikMnKwpL4vUp2LM/N9.:500:500::/home/neo:/bin/bash
test:$1$g4.VCB7i$I/N5W/imakprFdtP02i8/.:502:502::/home/test:/bin/bash
svnroot:!!:501:501::/home/svnroot:/bin/bash
-bash-3.2$ ypwhich
nis.example.com
-bash-3.2$ ypwhich -x
Use "ethers" for map "ethers.byname"
Use "aliases" for map "mail.aliases"
Use "services" for map "services.byname"
Use "protocols" for map "protocols.bynumber"
Use "hosts" for map "hosts.byname"
Use "networks" for map "networks.byaddr"
Use "group" for map "group.byname"
Use "passwd" for map "passwd.byname"

Note what ypcat passwd returns: the MD5-crypt hash of every user, readable by any unprivileged account on any host inside securenets, with nothing on the wire to stop a third host on the subnet from reading them too. This is the classic weakness of NIS; keep it confined to a trusted network or move to LDAP and Kerberos, which the rest of this chapter covers.
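The check a reviewer would run from a client after the test above: parse the ypcat passwd output and report what it leaks. This is an added example, not the page's own code and not part of yp-tools; the SAMPLE text is constructed from the ypcat output shown on this page, and the hash prefixes it recognises are the standard crypt(3) identifiers.

```python
"""Audit what `ypcat passwd` hands to every NIS client.

Added example for this page; it is not the page's own code and not part of
yp-tools. It parses passwd-map records in the format shown above and flags
what an auditor cares about: hashes that are exposed to any client, legacy
MD5-crypt ($1$) and DES-crypt hashes, empty password fields, UID 0 accounts
and duplicate UIDs. SAMPLE is constructed from the ypcat output on this page.
"""
import re
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class NisAccount:
    name: str
    pw: str
    uid: int
    gid: int
    gecos: str
    home: str
    shell: str


def parse_ypcat_passwd(text: str) -> List[NisAccount]:
    """Parse `ypcat passwd` output: one passwd(5) record per line."""
    accounts = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError(f"malformed passwd record: {line!r}")
        name, pw, uid, gid, gecos, home, shell = fields
        accounts.append(NisAccount(name, pw, int(uid), int(gid), gecos, home, shell))
    return accounts


# crypt(3) prefixes: $1$ MD5, $5$ SHA-256, $6$ SHA-512, $y$ yescrypt, $2*$ bcrypt
_HASH_PREFIXES = {"$1$": "md5-crypt", "$5$": "sha256-crypt",
                  "$6$": "sha512-crypt", "$y$": "yescrypt", "$2": "bcrypt"}


def classify_password_field(pw: str) -> str:
    """Describe what the second field of a passwd record reveals."""
    if pw == "":
        return "empty (no password required)"
    if pw in ("!!", "!", "*", "x"):
        return "locked or shadowed (no hash exposed)"
    for prefix, name in _HASH_PREFIXES.items():
        if pw.startswith(prefix):
            return f"{name} hash exposed"
    if re.fullmatch(r"[./0-9A-Za-z]{13}", pw):
        return "des-crypt hash exposed"
    return "unrecognised hash exposed"


def audit(accounts: List[NisAccount]) -> Dict[str, List[str]]:
    """Return the findings a client-side reviewer would report."""
    findings: Dict[str, List[str]] = {
        "exposed_hashes": [], "weak_hashes": [], "empty_passwords": [],
        "uid0": [], "duplicate_uids": [],
    }
    by_uid: Dict[int, List[str]] = {}
    for a in accounts:
        kind = classify_password_field(a.pw)
        if kind.endswith("hash exposed"):
            findings["exposed_hashes"].append(a.name)
        if kind.startswith(("md5-crypt", "des-crypt")):
            findings["weak_hashes"].append(a.name)
        if kind.startswith("empty"):
            findings["empty_passwords"].append(a.name)
        if a.uid == 0:
            findings["uid0"].append(a.name)
        by_uid.setdefault(a.uid, []).append(a.name)
    findings["duplicate_uids"] = [",".join(v) for v in by_uid.values() if len(v) > 1]
    return findings


# Constructed from the `ypcat passwd` output shown on this page.
SAMPLE = """\
neo:$1$e1nd3pts$s7NikMnKwpL4vUp2LM/N9.:500:500::/home/neo:/bin/bash
test:$1$g4.VCB7i$I/N5W/imakprFdtP02i8/.:502:502::/home/test:/bin/bash
svnroot:!!:501:501::/home/svnroot:/bin/bash
"""

if __name__ == "__main__":
    for key, names in audit(parse_ypcat_passwd(SAMPLE)).items():
        print(f"{key:16} {names}")
```

Run it on a client with the output of ypcat passwd piped in; every name under exposed_hashes is an account whose hash any host in securenets can feed to a password cracker, and weak_hashes marks the ones using MD5-crypt or DES-crypt, which crack fastest.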

1.3.1.6. Mount the /home volume from NFS

On the NIS server, export /home as an NFS share

# vi /etc/exports
/home 192.168.3.0/24(sync,rw,no_root_squash)

no_root_squash lets root on any client in 192.168.3.0/24 act as root on every exported home directory. Use it only when every client is trusted as much as the server; otherwise leave the default root_squash in place.

Restart the NFS service

# service nfs restart

On the NIS client, mount /home from the NIS server (nis.example.com, 192.168.3.5)

# vi /etc/fstab
192.168.3.5:/home /home nfs defaults 0 0

Mount the home volume

# mount /home

1.3.2. OpenLDAP

1.3.2.1. Server

  1. First, install the OpenLDAP server daemon slapd and ldap-utils, a package containing LDAP management utilities:

    sudo apt-get install slapd ldap-utils

    By default the directory suffix will match the domain name of the server. For example, if the machine's Fully Qualified Domain Name (FQDN) is ldap.example.com, the default suffix will be dc=example,dc=com. If you require a different suffix, the directory can be reconfigured using dpkg-reconfigure. Enter the following in a terminal prompt:

    sudo dpkg-reconfigure slapd
  2. example.com.ldif

    dn: ou=people,dc=example,dc=com
    objectClass: organizationalUnit
    ou: people

    dn: ou=groups,dc=example,dc=com
    objectClass: organizationalUnit
    ou: groups

    dn: uid=john,ou=people,dc=example,dc=com
    objectClass: inetOrgPerson
    objectClass: posixAccount
    objectClass: shadowAccount
    uid: john
    sn: Doe
    givenName: John
    cn: John Doe
    displayName: John Doe
    uidNumber: 1000
    gidNumber: 10000
    userPassword: password
    gecos: John Doe
    loginShell: /bin/bash
    homeDirectory: /home/john
    shadowExpire: -1
    shadowFlag: 0
    shadowWarning: 7
    shadowMin: 8
    shadowMax: 999999
    shadowLastChange: 10877
    mail: john.doe@example.com
    postalCode: 31000
    l: Toulouse
    o: Example
    mobile: +33 (0)6 xx xx xx xx
    homePhone: +33 (0)5 xx xx xx xx
    title: System Administrator
    postalAddress:
    initials: JD

    dn: cn=example,ou=groups,dc=example,dc=com
    objectClass: posixGroup
    cn: example
    gidNumber: 10000

    userPassword here is the literal string password, stored in clear in the directory and in this file; slapd also accepts hashed values, and slappasswd generates them.
  3. To add the entries to the LDAP directory use the ldapadd utility:

    ldapadd -x -D cn=admin,dc=example,dc=com -W -f example.com.ldif

    -x -W is a simple bind, so over plain ldap:// the admin password crosses the network in clear; outside a test lab use ldaps:// or StartTLS (-ZZ).

    We can check that the content has been correctly added with the tools from the ldap-utils package. To search the LDAP directory:

    ldapsearch -xLLL -b "dc=example,dc=com" uid=john sn givenName cn
    dn: uid=john,ou=people,dc=example,dc=com
    cn: John Doe
    sn: Doe
    givenName: John

Just a quick explanation:

-x: use simple authentication instead of SASL (SASL is the default).

-LLL: disable printing LDIF schema information.

1.3.2.2. Client

  1. libnss-ldap

    sudo apt-get install libnss-ldap
  2. reconfigure ldap-auth-config

    sudo dpkg-reconfigure ldap-auth-config
  3. auth-client-config

    sudo auth-client-config -t nss -p lac_ldap
  4. pam-auth-update.

    sudo pam-auth-update

1.3.2.3. User and Group Management

sudo apt-get install ldapscripts

/etc/ldapscripts/ldapscripts.conf

SERVER=localhost
BINDDN='cn=admin,dc=example,dc=com'
BINDPWDFILE="/etc/ldapscripts/ldapscripts.passwd"
SUFFIX='dc=example,dc=com'
GSUFFIX='ou=Groups'
USUFFIX='ou=People'
MSUFFIX='ou=Computers'
GIDSTART=10000
UIDSTART=10000
MIDSTART=10000

Now create the ldapscripts.passwd file, holding the admin bind password, to allow authenticated access to the directory. It must stay readable by root only:

sudo sh -c "echo -n 'secret' > /etc/ldapscripts/ldapscripts.passwd"
sudo chmod 400 /etc/ldapscripts/ldapscripts.passwd

1.3.3. Kerberos

(Kerberos: Network Authentication Protocol)

http://web.mit.edu/Kerberos/

Kerberos is a network authentication system developed at MIT. I had heard of it long ago but had never used it. It provides authentication for the servers on a network, so that passwords are no longer transmitted in clear text and the traffic between the parties is encrypted. Its principle differs from PKI: PKI uses public-key (asymmetric) cryptography, while Kerberos is built on secret-key (symmetric) cryptography.

1.3.3.1. Installing Kerberos

1.3.3.1.1. Installing on CentOS

Find the krb5 packages

yum search krb5

[root@centos ~]# yum search krb5
========================================== Matched: krb5 ===========================================
krb5-auth-dialog.x86_64 : Kerberos 5 authentication dialog
krb5-devel.i386 : Development files needed to compile Kerberos 5 programs.
krb5-devel.x86_64 : Development files needed to compile Kerberos 5 programs.
krb5-libs.i386 : The shared libraries used by Kerberos 5.
krb5-libs.x86_64 : The shared libraries used by Kerberos 5.
krb5-server.x86_64 : The KDC and related programs for Kerberos 5.
krb5-workstation.x86_64 : Kerberos 5 programs for use on workstations.
pam_krb5.i386 : A Pluggable Authentication Module for Kerberos 5.
pam_krb5.x86_64 : A Pluggable Authentication Module for Kerberos 5.

Install

yum install krb5-server

[root@centos ~]# yum install krb5-server
Setting up Install Process
Resolving Dependencies
--> Running transaction check
---> Package krb5-server.x86_64 0:1.6.1-36.el5_4.1 set to be updated
--> Finished Dependency Resolution

Dependencies Resolved

====================================================================================================
 Package                 Arch               Version                       Repository           Size
====================================================================================================
Installing:
 krb5-server             x86_64             1.6.1-36.el5_4.1              updates             914 k

Transaction Summary
====================================================================================================
Install      1 Package(s)
Update       0 Package(s)
Remove       0 Package(s)

Total download size: 914 k
Is this ok [y/N]: y
Downloading Packages:
krb5-server-1.6.1-36.el5_4.1.x86_64.rpm                                      | 914 kB     00:01
Running rpm_check_debug
Running Transaction Test
Finished Transaction Test
Transaction Test Succeeded
Running Transaction
  Installing     : krb5-server                                                                  1/1

Installed:
  krb5-server.x86_64 0:1.6.1-36.el5_4.1

Complete!

yum install krb5-workstation

[root@centos ~]# yum install krb5-workstation

yum install krb5-libs
 
1.3.3.1.2. Install by apt-get

Procedure 1.3. Installation

  1. $ sudo apt-get install krb5-admin-server
  2. Configuring

    ┌──────────────────────────────┤ Configuring krb5-admin-server ├───────────────────────────────┐
    │                                                                                              │
    │ Setting up a Kerberos Realm                                                                  │
    │                                                                                              │
    │ This package contains the administrative tools required to run the Kerberos master server.   │
    │                                                                                              │
    │ However, installing this package does not automatically set up a Kerberos realm.  This can   │
    │ be done later by running the "krb5_newrealm" command.                                        │
    │                                                                                              │
    │ Please also read the /usr/share/doc/krb5-kdc/README.KDC file and the administration guide    │
    │ found in the krb5-doc package.                                                               │
    │                                                                                              │
    │                                            <Ok>                                              │
    │                                                                                              │
    └──────────────────────────────────────────────────────────────────────────────────────────────┘

    OK

    ┌───────────────────────────────┤ Configuring krb5-admin-server ├───────────────────────────────┐
    │                                                                                               │
    │ Kadmind serves requests to add/modify/remove principals in the Kerberos database.             │
    │                                                                                               │
    │ It is required by the kpasswd program, used to change passwords. With standard setups, this   │
    │ daemon should run on the master KDC.                                                          │
    │                                                                                               │
    │ Run the Kerberos V5 administration daemon (kadmind)?                                          │
    │                                                                                               │
    │                           <Yes>                                  <No>                         │
    │                                                                                               │
    └───────────────────────────────────────────────────────────────────────────────────────────────┘

    Yes

1.3.3.2. Kerberos Server

Procedure 1.4. Kerberos server configuration steps

  1. Create the database

    Create the local Kerberos database

    kdb5_util create -r EXAMPLE.COM -s

    [root@datacenter ~]# kdb5_util create -r EXAMPLE.COM -s
    Loading random data
    Initializing database '/var/kerberos/krb5kdc/principal' for realm 'EXAMPLE.COM',
    master key name 'K/M@EXAMPLE.COM'
    You will be prompted for the database Master Password.
    It is important that you NOT FORGET this password.
    Enter KDC database master key:
    Re-enter KDC database master key to verify:

    -s writes the master key to a stash file so the KDC can start unattended. The stash file and the database are the realm's most sensitive secrets: whoever has them can forge any ticket, so they must never leave the KDC.
  2. /etc/krb5.conf

    # cp /etc/krb5.conf /etc/krb5.conf.old
    # vim /etc/krb5.conf
    [logging]
     default = FILE:/var/log/krb5libs.log
     kdc = FILE:/var/log/krb5kdc.log
     admin_server = FILE:/var/log/kadmind.log

    [libdefaults]
     default_realm = EXAMPLE.COM
     dns_lookup_realm = false
     dns_lookup_kdc = false
     ticket_lifetime = 24h
     forwardable = yes

    [realms]
     EXAMPLE.COM = {
      kdc = kerberos.example.com:88
      admin_server = kerberos.example.com:749
      default_domain = example.com
     }

    [domain_realm]
     .example.com = EXAMPLE.COM
     example.com = EXAMPLE.COM

    [appdefaults]
     pam = {
       debug = false
       ticket_lifetime = 36000
       renew_lifetime = 36000
       forwardable = true
       krb4_convert = false
     }

    Check the ACL file /var/kerberos/krb5kdc/kadm5.acl

    [root@datacenter ~]# cat /var/kerberos/krb5kdc/kadm5.acl
    */admin@EXAMPLE.COM     *

    This single line gives every principal whose instance is admin (admin/admin, alice/admin, and so on) every privilege over the database, so the /admin instance must only be handed to real administrators.

    Format

    The format of the file is:
        Kerberos_principal      permissions     [target_principal]  [restrictions]
  3. Add administrators to the Kerberos database

    Create the accounts

    [root@datacenter ~]# kadmin.local
    Authenticating as principal root/admin@EXAMPLE.COM with password.
    kadmin.local:  addprinc admin/admin@EXAMPLE.COM
    WARNING: no policy specified for admin/admin@EXAMPLE.COM; defaulting to no policy
    Enter password for principal "admin/admin@EXAMPLE.COM":
    Re-enter password for principal "admin/admin@EXAMPLE.COM":
    Principal "admin/admin@EXAMPLE.COM" created.
    kadmin.local:

    The same can be done with a single command

    kadmin.local -q "addprinc username/admin"

    [root@datacenter ~]# kadmin.local -q "addprinc krbuser"
    Authenticating as principal admin/admin@EXAMPLE.COM with password.
    WARNING: no policy specified for krbuser@EXAMPLE.COM; defaulting to no policy
    Enter password for principal "krbuser@EXAMPLE.COM":
    Re-enter password for principal "krbuser@EXAMPLE.COM":
    Principal "krbuser@EXAMPLE.COM" created.

    Note that this second transcript creates an ordinary user principal, krbuser@EXAMPLE.COM. It has no /admin instance, so kadm5.acl grants it nothing.
  4. Create a kadmind keytab

    [root@datacenter ~]# kadmin.local -q "ktadd -k /var/kerberos/krb5kdc/kadm5.keytab kadmin/admin kadmin/changepw"
    Authenticating as principal admin/admin@EXAMPLE.COM with password.
    Entry for principal kadmin/admin with kvno 3, encryption type Triple DES cbc mode with HMAC/sha1 added to keytab WRFILE:/var/kerberos/krb5kdc/kadm5.keytab.
    Entry for principal kadmin/admin with kvno 3, encryption type DES cbc mode with CRC-32 added to keytab WRFILE:/var/kerberos/krb5kdc/kadm5.keytab.
    Entry for principal kadmin/changepw with kvno 3, encryption type Triple DES cbc mode with HMAC/sha1 added to keytab WRFILE:/var/kerberos/krb5kdc/kadm5.keytab.
    Entry for principal kadmin/changepw with kvno 3, encryption type DES cbc mode with CRC-32 added to keytab WRFILE:/var/kerberos/krb5kdc/kadm5.keytab.

    The DES and 3DES keys are what the krb5 1.6 release shown here issued by default. Both enctypes have since been deprecated (RFC 6649 for DES, RFC 8429 for 3DES and RC4); on a current KDC restrict supported_enctypes in kdc.conf to the AES types.
  5. Start the Kerberos daemons on the master KDC

    Start the Kerberos processes

    [root@datacenter ~]# sudo /etc/init.d/krb524 start
    Starting Kerberos 5-to-4 Server:                           [  OK  ]
    [root@datacenter ~]# sudo /etc/init.d/krb5kdc restart
    Stopping Kerberos 5 KDC:                                   [  OK  ]
    Starting Kerberos 5 KDC:                                   [  OK  ]
    [root@datacenter ~]# sudo /etc/init.d/kadmin start
    Starting Kerberos 5 Admin Server:                          [  OK  ]

    krb524 is the Kerberos 4 compatibility server and is only needed if Kerberos 4 clients still exist; krb5kdc and kadmin are the two daemons that matter.
  6. Log files

    [root@datacenter ~]# cat /var/log/krb5kdc.log
    [root@datacenter ~]# cat /var/log/krb5libs.log
    [root@datacenter ~]# cat /var/log/kadmind.log

1.3.3.3. Kerberos Client

Procedure 1.5. Kerberos client configuration steps

  1. Ticket management

    1. Obtaining tickets with kinit

      [root@datacenter ~]# kinit admin/admin
      Password for admin/admin@EXAMPLE.COM:
    2. Viewing your tickets with klist

      [root@datacenter ~]# klist
      Ticket cache: FILE:/tmp/krb5cc_0
      Default principal: admin/admin@EXAMPLE.COM

      Valid starting     Expires            Service principal
      03/25/10 16:15:18  03/26/10 16:15:18  krbtgt/EXAMPLE.COM@EXAMPLE.COM


      Kerberos 4 ticket cache: /tmp/tkt0
      klist: You have no tickets cached
    3. Destroying your tickets with kdestroy

      [root@datacenter ~]# kdestroy
      [root@datacenter ~]# klist
      klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_0)


      Kerberos 4 ticket cache: /tmp/tkt0
      klist: You have no tickets cached
  2. Password management

    Changing your password

    [root@datacenter ~]# kpasswd
    Password for admin/admin@EXAMPLE.COM:
    Enter new password:
    Enter it again:
    Password changed.

1.3.3.4. Kerberos Management

1.3.3.4.1. ktutil - Kerberos keytab file maintenance utility

[root@datacenter ~]# ktutil
ktutil:  rkt /var/kerberos/krb5kdc/kadm5.keytab
ktutil:  l
slot KVNO Principal
---- ---- ---------------------------------------------------------------------
   1    3                  kadmin/admin@EXAMPLE.COM
   2    3                  kadmin/admin@EXAMPLE.COM
   3    3               kadmin/changepw@EXAMPLE.COM
   4    3               kadmin/changepw@EXAMPLE.COM
ktutil: q

Each principal appears twice because ktadd stored one key per encryption type; l -e lists the enctype of each slot.

1.3.3.4.2. klist - list cached Kerberos tickets

[root@datacenter ~]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: admin/admin@EXAMPLE.COM

Valid starting     Expires            Service principal
03/25/10 16:53:02  03/26/10 16:53:02  krbtgt/EXAMPLE.COM@EXAMPLE.COM
03/25/10 17:02:10  03/26/10 16:53:02  host/172.16.0.8@EXAMPLE.COM


Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached

1.3.3.5. OpenSSH Authentications

1.3.3.5.1. Configuring the application server system

[root@datacenter ~]# kinit admin/admin
Password for admin/admin@EXAMPLE.COM:
[root@datacenter ~]# kadmin.local -q "addprinc -randkey host/172.16.0.8"
Authenticating as principal admin/admin@EXAMPLE.COM with password.
WARNING: no policy specified for host/172.16.0.8@EXAMPLE.COM; defaulting to no policy
Principal "host/172.16.0.8@EXAMPLE.COM" created.
[root@datacenter ~]# kadmin.local -q "ktadd -k /var/kerberos/krb5kdc/kadm5.keytab host/172.16.0.8"
Authenticating as principal admin/admin@EXAMPLE.COM with password.
Entry for principal host/172.16.0.8 with kvno 3, encryption type Triple DES cbc mode with HMAC/sha1 added to keytab WRFILE:/var/kerberos/krb5kdc/kadm5.keytab.
Entry for principal host/172.16.0.8 with kvno 3, encryption type DES cbc mode with CRC-32 added to keytab WRFILE:/var/kerberos/krb5kdc/kadm5.keytab.
[root@datacenter ~]# ktutil
ktutil:  rkt /var/kerberos/krb5kdc/kadm5.keytab
ktutil:  l
slot KVNO Principal
---- ---- ---------------------------------------------------------------------
   1    3                  kadmin/admin@EXAMPLE.COM
   2    3                  kadmin/admin@EXAMPLE.COM
   3    3               kadmin/changepw@EXAMPLE.COM
   4    3               kadmin/changepw@EXAMPLE.COM
   5    3               host/172.16.0.8@EXAMPLE.COM
   6    3               host/172.16.0.8@EXAMPLE.COM
ktutil:  q
[root@datacenter ~]#

Two things to change before using this outside a lab. Name the service principal after the host's fully qualified name (host/app.example.com) rather than its IP address, because clients build the service name from the hostname they connect to. And extract the key into /etc/krb5.keytab on the application server itself: the ktadd above writes it into the KDC's own kadm5.keytab, which sshd on 172.16.0.8 cannot read. If the keytab has to be copied, do it over an encrypted channel and keep it root-only; it is the equivalent of the host's password.
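Both ktadd transcripts on this page (the kadmind keytab in Procedure 1.4 and the host key just above) show DES and 3DES keys, and the second writes a service key into the admin keytab. An added example, not the page's code and not part of MIT Kerberos, that parses those kadmin lines and flags both problems; SAMPLE is constructed from the output shown on this page plus one modern AES line for contrast.

```python
"""Flag deprecated encryption types and misplaced keys in kadmin ktadd output.

Added example; not the page's code and not part of MIT Kerberos. It parses the
"Entry for principal ... added to keytab ..." lines that kadmin prints (several
appear above) and reports two things a reviewer would raise: keys using DES
(deprecated by RFC 6649) or 3DES and RC4 (deprecated by RFC 8429), which a
current KDC should not issue at all, and non-kadmin principals written into
kadm5.keytab, the admin daemon's own keytab on the KDC. A service key such as
host/... belongs in /etc/krb5.keytab on the host that runs the service. SAMPLE
is constructed from the output shown on this page plus one modern AES line.
"""
import re
from typing import Dict, List, Optional

_ENTRY_RE = re.compile(
    r"Entry for principal (?P<principal>\S+) with kvno (?P<kvno>\d+), "
    r"encryption type (?P<enctype>.+?) added to keytab "
    r"(?:WRFILE:|FILE:)?(?P<keytab>\S+?)\.?$"
)

# Long names printed by krb5 1.6 (as on this page) and the short names used today.
_WEAK_ENCTYPES = {
    "des cbc mode with crc-32": "des-cbc-crc (RFC 6649)",
    "des cbc mode with rsa-md5": "des-cbc-md5 (RFC 6649)",
    "triple des cbc mode with hmac/sha1": "des3-cbc-sha1 (RFC 8429)",
    "arcfour with hmac/md5": "arcfour-hmac (RFC 8429)",
    "des-cbc-crc": "des-cbc-crc (RFC 6649)",
    "des-cbc-md5": "des-cbc-md5 (RFC 6649)",
    "des3-cbc-sha1": "des3-cbc-sha1 (RFC 8429)",
    "arcfour-hmac": "arcfour-hmac (RFC 8429)",
}


def parse_ktadd_output(text: str) -> List[Dict[str, str]]:
    """Return one dict (principal, kvno, enctype, keytab) per matching line."""
    entries = []
    for line in text.splitlines():
        match = _ENTRY_RE.search(line.strip())
        if match:
            entries.append(match.groupdict())
    return entries


def weak_enctype(enctype: str) -> Optional[str]:
    """Name of the deprecated enctype, or None if the enctype is acceptable."""
    lowered = enctype.lower()
    for marker, label in _WEAK_ENCTYPES.items():
        if marker in lowered:
            return label
    return None


def audit_keytab_entries(entries: List[Dict[str, str]]) -> List[str]:
    """Findings in the order the entries were seen."""
    findings = []
    for entry in entries:
        label = weak_enctype(entry["enctype"])
        if label:
            findings.append(f"{entry['principal']}: weak enctype {label}")
        if entry["keytab"].endswith("kadm5.keytab") and not entry["principal"].startswith("kadmin/"):
            findings.append(f"{entry['principal']}: service key written to admin keytab {entry['keytab']}")
    return findings


# Constructed from the kadmin output on this page, plus one current-style AES line.
SAMPLE = """\
Entry for principal kadmin/admin with kvno 3, encryption type Triple DES cbc mode with HMAC/sha1 added to keytab WRFILE:/var/kerberos/krb5kdc/kadm5.keytab.
Entry for principal kadmin/admin with kvno 3, encryption type DES cbc mode with CRC-32 added to keytab WRFILE:/var/kerberos/krb5kdc/kadm5.keytab.
Entry for principal host/172.16.0.8 with kvno 3, encryption type Triple DES cbc mode with HMAC/sha1 added to keytab WRFILE:/var/kerberos/krb5kdc/kadm5.keytab.
Entry for principal host/app.example.com@EXAMPLE.COM with kvno 2, encryption type aes256-cts-hmac-sha1-96 added to keytab FILE:/etc/krb5.keytab.
"""

if __name__ == "__main__":
    for finding in audit_keytab_entries(parse_ktadd_output(SAMPLE)):
        print(finding)
```

Feed it the output of a kadmin session or of klist -kte on an existing keytab (after adapting the regex to klist's column layout) and an empty result means every key is AES and every keytab holds only the principals it should.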
1.3.3.5.2. Configuring the application client system

/etc/ssh/sshd_config on the application server

KerberosAuthentication yes

With this option sshd takes the password the user types and validates it against the KDC, which needs the host's key in /etc/krb5.keytab so that the ticket it obtains can be verified. Ticket-based single sign-on, where no password is typed at all, is a different option, GSSAPIAuthentication yes, set in sshd_config and in the client's ssh_config.

1.3.4. FreeRADIUS (Remote Authentication Dial In User Service)

radiusd - Authentication, Authorization and Accounting server

I want to authorize Wi-Fi Protected Access with FreeRADIUS for a Wi-Fi router.

http://freeradius.org/

  • debian/ubuntu

  • FreeRADIUS

  • D-Link DI-624+A

1.3.4.1. Installing FreeRADIUS

1.3.4.1.1. Ubuntu

Some of the FreeRADIUS packages:

netkiller@shenzhen:~$ apt-cache search freeradius
freeradius - a high-performance and highly configurable RADIUS server
freeradius-dialupadmin - set of PHP scripts for administering a FreeRADIUS server
freeradius-iodbc - iODBC module for FreeRADIUS server
freeradius-krb5 - kerberos module for FreeRADIUS server
freeradius-ldap - LDAP module for FreeRADIUS server
freeradius-mysql - MySQL module for FreeRADIUS server

install

netkiller@shenzhen:~$ sudo apt-get install freeradius

OK, it is installed; let's test it quickly. The '******' is your password, and testing123 is the shared secret that the stock clients.conf defines for localhost.

netkiller@shenzhen:~$ radtest netkiller ****** localhost 0 testing123
Sending Access-Request of id 237 to 127.0.0.1 port 1812
        User-Name = "netkiller"
        User-Password = "******"
        NAS-IP-Address = 255.255.255.255
        NAS-Port = 0
rad_recv: Access-Accept packet from host 127.0.0.1:1812, id=237, length=20

If you see 'Access-Accept', it worked.

Let me enter an incorrect password.

netkiller@shenzhen:~$ radtest netkiller ****** localhost 0 testing123
Sending Access-Request of id 241 to 127.0.0.1 port 1812
        User-Name = "netkiller"
        User-Password = "******"
        NAS-IP-Address = 255.255.255.255
        NAS-Port = 0
Re-sending Access-Request of id 241 to 127.0.0.1 port 1812
        User-Name = "netkiller"
        User-Password = "******"
        NAS-IP-Address = 255.255.255.255
        NAS-Port = 0
rad_recv: Access-Reject packet from host 127.0.0.1:1812, id=241, length=20

You will see 'Access-Reject'.

By default radiusd only accepts requests from localhost. To let other networks reach it, add a client block like the one below to /etc/freeradius/clients.conf. The secret is shared between the RADIUS server and the NAS (the access point or router): it is what authenticates the client and what hides User-Password on the wire, so give every client its own long random value and never keep the documented testing123 in production.

# vim /etc/freeradius/clients.conf
client 172.16.0.0/24 {
       secret          = testing123
       shortname       = freeradius.example.com
}
1.3.4.1.2. Installing radiusd

The CentOS packages differ from Ubuntu's, and the configuration lives under /etc/raddb

Procedure 1.6. Installation steps

  1. Install with yum (freeradius-utils provides radtest)

    # yum install freeradius freeradius-utils
  2. Enable and start the service

    chkconfig radiusd on
    service radiusd start
  3. Configure radiusd

    cp /etc/raddb/clients.conf{,.original}
    cp /etc/raddb/users{,.original}
    cp /etc/raddb/sites-enabled/default{,.original}
    cat >> /etc/raddb/clients.conf <

    /etc/raddb/users

    guest Cleartext-Password := "test"

    Cleartext-Password keeps the user's password in clear in the users file, which is fine for a test account but not for real users.

    /etc/raddb/sites-enabled/default

  4. Test radiusd

    $ radtest guest test 192.168.2.1 1812 testing123
    Sending Access-Request of id 223 to 192.168.2.1 port 1812
	User-Name = "guest"
	User-Password = "test"
	NAS-IP-Address = 127.0.1.1
	NAS-Port = 1812
	Message-Authenticator = 0x00000000000000000000000000000000
    rad_recv: Access-Accept packet from host 192.168.2.1 port 1812, id=223, length=20

1.3.4.2. ldap

1.3.4.3. mysql

1.3.4.4. WPA2 Enterprise

WRT54G

1.3.5. SASL (Simple Authentication and Security Layer)

1.3.6. GSSAPI (Generic Security Services Application Program Interface)

Original source: the Netkiller series of handbooks

Author: 陈景峯
Please contact the author before reposting, and always credit the original source, the author and this notice.
