OpenVPN: logging in with User/Pass authentication

Source: Baidu Wenku. Editor: 中财网. Time: 2024/04/27 14:56:59

The earlier post OpenVPN+CA already covered logging in with CA (certificate) authentication; see:
http://bbs.chinaunix.net/forum/viewtopic.php?t=503434&show_type=new

This post covers logging in to the VPN with Username/Password authentication. Although clients log in with User/Pass, the server still needs a certificate, so this kind of VPN resembles (but is not identical to) HTTPS on the web: only the server holds a certificate, the client need not present one of its own and only has to verify that the server is legitimate, so the client side needs nothing more than ca.crt (the root certificate). Since clients are no longer authenticated by certificate, security necessarily drops somewhat, but the tedious CA management goes away and users log in to the VPN with a username and password, which makes it easy to integrate the VPN with a forum, a mail system or any other unified authentication system and reuse its existing management interface.

For a first introduction to VPNs, see this URL (in English):
http://blog.chinaunix.net/resserver.php?blogId=2389&resource=OpenVPN%20and%20the%20SSL%20VPN%20Revolution.pdf
The original is at:
http://www.giac.org/certified_professionals/practicals/gsec/3985.php
The sentence in it that I found most meaningful: A VPN is a site-to-site tunnel. Let me say that one more time, a VPN is a site-to-site tunnel.
That paper describes OpenVPN 1.x and briefly covers some new features of OpenVPN 2.x; it also briefly surveys other VPNs and VPN products and software built in different ways. It is well worth reading when you have time.

A plain-language picture of a VPN, found in the OpenVPN FAQ:
Imagine you had a direct physical wire (i.e. a long cable) connecting two computers (A and B) at different locations. On each computer there would be a /dev/longcable which would be a network device. You could route IP traffic over it, and do everything you could normally do with a network device.

Now on to installing and configuring the VPN:

Environment:
OS: FC2 (sits at the company's Internet edge, acting as the router or NAT device)
eth0: 61.1.1.2 (public address, connected directly to the Internet)
eth1: 192.168.0.1 (internal address, connected to the company LAN; assume the company uses 192.168.0.0/22, i.e. four class C ranges)

Client hardware and network environment:
OS: mostly Windows 2000 and XP, some Linux (the configuration file is the same for both)
Single NIC, IP address not fixed

Goal:
VPN clients can log in to the VPN from anywhere with User/Pass and reach internal resources.

Server-side configuration

First check whether the pam-devel package is installed; if not, install it from the installation media
[root@vpn ~]# rpm -qa | grep pam
pam_smb-1.1.7-3.1
pam-0.77-40
pam_krb5-2.0.10-1
pam-devel-0.77-40
[root@vpn ~]#

Check whether MySQL is installed and make sure the mysql-devel package is present; if not, install it from the installation media
[root@vpn ~]# rpm -qa | grep mysql
mysql-3.23.58-9
mysql-server-3.23.58-9
mysql-devel-3.23.58-9
[root@vpn ~]#


Check whether the lzo package is installed; if not, you can find it at http://rpmfind.net
[root@vpn ~]# rpm -qa | grep lzo
[root@vpn ~]# wget ftp://rpmfind.net/linux/dag/fedora/2/en/i386/dag/RPMS/lzo-1.08-3.1.fc2.dag.i386.rpm
[root@vpn ~]# rpm -ivh lzo-1.08-3.1.fc2.dag.i386.rpm
[root@vpn ~]# wget ftp://rpmfind.net/linux/dag/fedora/2/en/i386/dag/RPMS/lzo-devel-1.08-3.1.fc2.dag.i386.rpm
[root@vpn ~]# rpm -ivh lzo-devel-1.08-3.1.fc2.dag.i386.rpm
[root@vpn ~]# rpm -qa | grep lzo
lzo-devel-1.08-3.1.fc2.dag
lzo-1.08-3.1.fc2.dag
[root@vpn ~]#

Now build and install OpenVPN
[root@vpn ~]# wget http://mesh.dl.sourceforge.net/sourceforge/openvpn/openvpn-2.0_rc16.tar.gz
[root@vpn ~]# rpmbuild -tb openvpn-2.0_rc16.tar.gz
[root@vpn ~]# cd /usr/src/redhat/RPMS/i386/
[root@vpn /usr/src/redhat/RPMS/i386]# rpm -ivh openvpn-2.0_rc16-1.i386.rpm

To use OpenVPN's PAM authentication plugin we install pam_mysql and keep the user data in a MySQL database; for other databases, look for the corresponding PAM module
[root@vpn ~]# wget http://internap.dl.sourceforge.net/sourceforge/pam-mysql/pam_mysql-0.5.tar.gz
[root@vpn ~]# tar -zxvf pam_mysql-0.5.tar.gz
[root@vpn ~]# cd pam_mysql
[root@vpn pam_mysql]# make
[root@vpn pam_mysql]# cp pam_mysql.so /lib/security/

Configure the database
Log in to the database as an administrator:
mysql> create database vpn;
mysql> GRANT ALL ON vpn.* TO vpn@localhost IDENTIFIED BY 'vpn123';
mysql> flush privileges;
mysql> use vpn;
mysql> CREATE TABLE vpnuser (
-> name char(20) NOT NULL,
-> password char(128) default NULL,
-> active int(10) NOT NULL DEFAULT 1,
-> PRIMARY KEY (name)
-> );
mysql> insert into vpnuser (name,password) values('elm',password('elm'));

# Create the vpn account with all privileges on the vpn database, password vpn123
# A row whose active column is not 1 is not allowed to use the VPN
# Add a user: username elm, password elm

Configure the pam_mysql module
Create the file /etc/pam.d/openvpn with the following contents:
===================CUT Here================
auth sufficient pam_mysql.so user=vpn passwd=vpn123 host=localhost db=vpn \
table=vpnuser usercolumn=name passwdcolumn=password \
where=active=1 sqllog=0 crypt=2
account required pam_mysql.so user=vpn passwd=vpn123 host=localhost db=vpn \
table=vpnuser usercolumn=name passwdcolumn=password \
where=active=1 sqllog=0 crypt=2
==================Cut Here=================
crypt(0) -- Used to decide to use MySQL's PASSWORD() function or crypt()
0 = No encryption. Passwords in database in plaintext. NOT recommended!
1 = Use crypt
2 = Use MySQL PASSWORD() function
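A small linter for this /etc/pam.d/openvpn file, added here as an example and not part of the original post: it joins the backslash continuations the way PAM does, checks that every remaining line is a well-formed `type control module args` entry, and flags crypt=0 (plaintext passwords) as well as stray text that PAM would otherwise try to load as a module (the cause of the "illegal module type: crypt(0)" errors reported later in this thread). The sample file, including the description line pasted into it by mistake, is constructed.

```python
PAM_TYPES = {"auth", "account", "password", "session"}
PAM_CONTROLS = {"required", "requisite", "sufficient", "optional", "include", "substack"}

# Constructed sample: the two entries from the post, followed by the first line of
# the crypt= description text, as if it had been pasted into the file by mistake.
SAMPLE_PAM_FILE = r"""
auth sufficient pam_mysql.so user=vpn passwd=vpn123 host=localhost db=vpn \
table=vpnuser usercolumn=name passwdcolumn=password \
where=active=1 sqllog=0 crypt=2
account required pam_mysql.so user=vpn passwd=vpn123 host=localhost db=vpn \
table=vpnuser usercolumn=name passwdcolumn=password \
where=active=1 sqllog=0 crypt=2
crypt(0) -- Used to decide to use MySQL's PASSWORD() function or crypt()
"""


def logical_lines(text):
    """Join backslash-continued lines as PAM does; drop blanks and # comments."""
    joined, buf = [], ""
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        buf += line
        stripped = buf.strip()
        if stripped and not stripped.startswith("#"):
            joined.append(stripped)
        buf = ""
    if buf.strip():                      # file ended inside a continuation
        joined.append(buf.strip())
    return joined


def parse_entry(line):
    """Split 'type control module [arg ...]'; None if the line is not a PAM entry.
    Bracketed controls that contain spaces ([success=1 ...]) are not handled."""
    parts = line.split()
    if len(parts) < 3 or parts[0] not in PAM_TYPES:
        return None
    if parts[1] not in PAM_CONTROLS and not parts[1].startswith("["):
        return None
    args = {}
    for arg in parts[3:]:
        key, _, value = arg.partition("=")   # 'where=active=1' -> where, 'active=1'
        args[key] = value
    return {"type": parts[0], "control": parts[1], "module": parts[2], "args": args}


def lint_pam_mysql(text):
    """Return a list of findings; an empty list means the service file looks sane."""
    findings, entries = [], []
    for line in logical_lines(text):
        entry = parse_entry(line)
        if entry is None:
            # PAM takes the first word as a module type and the third as a module
            # path, which produces the "illegal module type" / dlopen errors.
            findings.append("not a PAM entry, PAM will try to load it as a module: %r" % line[:40])
            continue
        entries.append(entry)
    mysql = [e for e in entries if e["module"] == "pam_mysql.so"]
    present = {e["type"] for e in mysql}
    for needed in ("auth", "account"):
        if needed not in present:
            findings.append("no pam_mysql.so entry for %s" % needed)
    for e in mysql:
        crypt = e["args"].get("crypt")
        if crypt in (None, "0", "plain"):
            findings.append("%s: crypt=%s means passwords are stored in plaintext" % (e["type"], crypt))
    # auth and account must query the same table with the same where= filter,
    # otherwise an account disabled in one is still accepted by the other.
    keys = ("db", "table", "usercolumn", "passwdcolumn", "where", "crypt")
    if len(mysql) > 1:
        first = {k: mysql[0]["args"].get(k) for k in keys}
        for e in mysql[1:]:
            diff = [k for k in keys if e["args"].get(k) != first[k]]
            if diff:
                findings.append("%s: options differ from the first pam_mysql entry: %s" % (e["type"], diff))
    return findings


if __name__ == "__main__":
    for finding in lint_pam_mysql(SAMPLE_PAM_FILE) or ["no findings"]:
        print(finding)
```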

Now we can test whether pam_mysql works. First check whether saslauthd is installed:
[root@vpn ~]# rpm -qa | grep sasl
cyrus-sasl-plain-2.1.18-2
cyrus-sasl-md5-2.1.18-2
cyrus-sasl-devel-2.1.18-2
cyrus-sasl-2.1.18-2
[root@vpn ~]#

cyrus-sasl-2.1.18-2 should be enough; if it is missing, install the corresponding package. It is optional, since pam_mysql can also be tested another way.

[root@vpn ~]# saslauthd -a pam
[root@vpn ~]# testsaslauthd -u elm -p elm -s openvpn
0: OK "Success."
[root@vpn ~]#

Congratulations, pam_mysql works. Now we can configure the OpenVPN server.

Configure the VPN server:
[root@vpn /usr/src/redhat/RPMS/i386]# cd
[root@vpn ~]# cp -r /usr/share/openvpn/easy-rsa/ /etc/openvpn/
[root@vpn ~]# cd /etc/openvpn/easy-rsa/
[root@vpn /etc/openvpn/easy-rsa]# vi vars
Edit the vars file
-----------------------------------------
# The country you are in, 2 characters
export KEY_COUNTRY=CN
# Your province
export KEY_PROVINCE=Liaoning
# Your city
export KEY_CITY=Shenyang
# Your organisation
export KEY_ORG="ELM OpenVPN ORG"
# Your e-mail address
export KEY_EMAIL="elm@elm.freetcp.com"
-----------------------------------------

# Make the modified environment variables take effect

[root@vpn /etc/openvpn/easy-rsa]# . vars
NOTE: when you run ./clean-all, I will be doing a rm -rf on /etc/openvpn/easy-rsa/keys

# Initialise the keys directory

[root@vpn /etc/openvpn/easy-rsa]# ./clean-all

# Generate the root CA certificate, which signs the server and client certificates. Protect the keys/ca.key file.

[root@vpn /etc/openvpn/easy-rsa]# ./build-ca
Generating a 1024 bit RSA private key
........................++++++
.............++++++
writing new private key to 'ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]: # just press Enter if nothing needs changing
State or Province Name (full name) [Liaoning]:
Locality Name (eg, city) [Shenyang]:
Organization Name (eg, company) [ELM OpenVPN ORG]:
Organizational Unit Name (eg, section) []: OpenVPN Service
Common Name (eg, your name or your server's hostname) []:OpenVPN Root CA
Email Address [elm@elm.freetcp.com]:

# Look at the generated keys

[root@vpn /etc/openvpn/easy-rsa]# ls keys
ca.crt ca.key index.txt serial

# We can see that ca.crt and ca.key have been generated.
# Next we generate the Diffie-Hellman parameter file for the server,
# a file the TLS server needs

[root@vpn /etc/openvpn/easy-rsa]# ./build-dh
Generating DH parameters, 1024 bit long safe prime, generator 2
This is going to take a long time
..+......+....+........+.........+.......+.+...........+......++*++*++*

# Create and sign the certificate used by the VPN server
# `server' is the base name of the generated files, server.crt and server.key

[root@vpn /etc/openvpn/easy-rsa]# ./build-key-server server
Generating a 1024 bit RSA private key
......................++++++
...............++++++
writing new private key to 'server.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [Liaoning]:
Locality Name (eg, city) [Shenyang]:
Organization Name (eg, company) [ELM OpenVPN ORG]:
Organizational Unit Name (eg, section) []:OpenVPN Service
Common Name (eg, your name or your server's hostname) []:Server No.1
Email Address [elm@elm.freetcp.com]:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /etc/openvpn/easy-rsa/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName :PRINTABLE:'CN'
stateOrProvinceName :PRINTABLE:'Liaoning'
localityName :PRINTABLE:'Shenyang'
organizationName :PRINTABLE:'ELM OpenVPN ORG'
organizationalUnitName:PRINTABLE:'OpenVPN Service'
commonName :PRINTABLE:'Server No.1'
emailAddress :IA5STRING:'elm@elm.freetcp.com'
Certificate is to be certified until Feb 26 14:43:44 2015 GMT (3650 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

# To resist malicious attacks (such as DoS and UDP port flooding) we generate an "HMAC firewall" key

[root@vpn /etc/openvpn/easy-rsa]# openvpn --genkey --secret keys/ta.key

# The configuration file used by the server, server.conf
----------------CUT Here-------------
port 1194
;proto tcp
proto udp
;dev tap
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh1024.pem
server 10.8.0.0 255.255.0.0
ifconfig-pool-persist ipp.txt
;client-to-client
;duplicate-cn
keepalive 10 120
tls-auth ta.key 0
plugin ./openvpn-auth-pam.so openvpn
client-cert-not-required
username-as-common-name
comp-lzo
;max-clients 100
user nobody
group nobody
persist-key
persist-tun
status openvpn-status.log
;log /var/log/openvpn.log
;log-append openvpn.log
verb 4
;mute 20
--------------Cut Here-----------------

;client-to-client #uncomment this line if clients should be able to see each other; otherwise clients cannot reach one another
;duplicate-cn #whether one user may be logged in several times at once; uncommenting it allows the same username to log in more than once
plugin ./openvpn-auth-pam.so openvpn #the plugin to use; "openvpn" is the plugin's argument, the PAM service name
client-cert-not-required #do not request a client certificate; authenticate with User/Pass
username-as-common-name #use the username supplied by the client as the Common Name

Save server.conf in the /etc/openvpn directory and copy the keys generated with the easy-rsa scripts into /etc/openvpn as well, with the following commands:
[root@vpn /etc/openvpn/easy-rsa]# cp keys/ca.crt ../
[root@vpn /etc/openvpn/easy-rsa]# cp keys/server.crt ../
[root@vpn /etc/openvpn/easy-rsa]# cp keys/server.key ../
[root@vpn /etc/openvpn/easy-rsa]# cp keys/dh1024.pem ../
[root@vpn /etc/openvpn/easy-rsa]# cp keys/ta.key ../
[root@vpn /etc/openvpn/easy-rsa]# cp /usr/share/openvpn/plugin/lib/openvpn-auth-pam.so ../

# Start openvpn now
[root@vpn /etc/openvpn/easy-rsa]# /etc/init.d/openvpn start

# Next, the client configuration file client.conf:
# On Linux or Unix the extension is .conf, on Windows it is .ovpn. Copy the files it needs, ca.crt and ta.key, into the directory holding the configuration file
-------------Cut Here---------------------
client
;dev tap
dev tun
;proto tcp
proto udp
remote 61.1.1.2 1194
;remote my-server-2 1194
remote-random
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
auth-user-pass
ns-cert-type server
tls-auth ta.key 1
route 192.168.0.0 255.255.252.0
comp-lzo
verb 4
;mute 20
------------Cut Here-----------------------

auth-user-pass #prompt for username and password

Installing OpenVPN on a Linux client is the same as on the server; only the configuration file and keys differ. Copy client.conf, ca.crt and ta.key into /etc/openvpn and the VPN can be started.
For Windows there is the graphical OpenVPN-GUI program, available from http://openvpn.se

A TUN device is used here, mainly because there are many clients and TUN is better for VPN efficiency and broadcast traffic. Since the clients may be Windows systems, and on Windows a TUN device gets a /30 address, 3 addresses per client are wasted, which is why the address pool is set quite large.

From now on, each time you log in to the VPN the program prompts for your username and password, and once they are entered correctly the VPN connects;
after that all traffic to the internal network (192.168.0.0/22) goes through the VPN.
If there are many Windows clients, you can try bundling ca.crt, ta.key and client.ovpn into the installer package; see:

http://openvpn.se/files/howto/openvpn-howto_roll_your_own_installation_package-Rev1.1.html

Then distribute that package. Keep the ta.key file safe (it protects against DoS).

# First enable forwarding in the kernel
[root@vpn /etc]# vi sysctl.conf
Change
# Controls IP packet forwarding
net.ipv4.ip_forward = 1

# The IPTABLES configuration file
[root@vpn /etc/sysconfig]# cat iptables
# Generated by iptables-save v1.2.1a on Tue Nov 6 19:50:51 2001
*nat
:PREROUTING ACCEPT [0]
:POSTROUTING ACCEPT [0]
:OUTPUT ACCEPT [0]
-A POSTROUTING -s 192.168.0.0/255.255.252.0 -o eth0 -j SNAT --to-source 61.1.1.2
COMMIT
*filter
:INPUT DROP [0]
:FORWARD ACCEPT [0]
:OUTPUT ACCEPT [0]
:BLOCK - [0]
:ANTIVIRUS - [0]
# block internal ip address
-A INPUT -i lo -j ACCEPT
-A INPUT -j BLOCK
-A INPUT -j ANTIVIRUS

-A BLOCK -s 192.168.0.0/16 -d 0/0 -j RETURN
-A BLOCK -s 172.16.0.0/12 -d 0/0 -j REJECT
-A BLOCK -s 10.0.0.0/8 -d 0/0 -j RETURN
-A BLOCK -s 127.0.0.0/8 -d 0/0 -j REJECT
-A BLOCK -s 0.0.0.0/8 -d 0/0 -j REJECT
-A BLOCK -s 169.254.0.0/16 -d 0/0 -j REJECT
-A BLOCK -s 192.0.2.0/24 -d 0/0 -j REJECT
-A BLOCK -s 204.152.64.0/23 -d 0/0 -j REJECT
-A BLOCK -s 224.0.0.0/3 -d 0/0 -j REJECT

-A INPUT -p icmp -j ACCEPT

# OSPFD
-A INPUT -d 224.0.0.0/24 -j ACCEPT

# sync time
-A INPUT -p udp -m udp --sport 123 -j ACCEPT

# accept dns
-A INPUT -p udp -m udp --sport 53 -j ACCEPT

# accept ssh from any
-A INPUT -p tcp -m tcp --dport 22 --syn -j ACCEPT

# accept dhcp request
-A INPUT -p udp -m udp --dport 67 -j ACCEPT

# OpenVPN 1194_UDP
-A INPUT -p udp -m udp --dport 1194 -j ACCEPT

# www
-A INPUT -p tcp -m tcp --dport 80 --syn -j ACCEPT

# keep stats
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m state --state INVALID -j DROP

# Reject all packet to me
-A INPUT -p tcp -m tcp --syn -j REJECT --reject-with tcp-reset
-A INPUT -p udp -m udp -j REJECT

-A FORWARD -j ANTIVIRUS

-A ANTIVIRUS -p tcp -m tcp --dport 135:139 -j DROP
-A ANTIVIRUS -p tcp -m tcp --dport 445 -j DROP
-A ANTIVIRUS -p udp -m udp --dport 69 -j DROP
-A ANTIVIRUS -p udp -m udp --dport 135:139 -j DROP
-A ANTIVIRUS -p udp -m udp --dport 1434 -j DROP

COMMIT
[root@vpn /etc/sysconfig]#


I typed this post up word by word from my own experiments; if you repost it, please credit the source. Thanks
Blog: http://elm.blog.edu.cn
http://blog.chinaunix.net/index.php?blogId=2389

--ELM
Shenyang, Consumer Rights Day '05

[ Last edited by wenzk on 2006-9-27 19:33 ]



gouya replied on 2005-03-16 10:53:04

Bro, you're around? Let me be the first to show support~~~~~~~~~~~`


wenzk replied on 2005-03-16 11:07:59

Heh, I'm here

I rushed it out yesterday, not sure whether I missed anything


gouya replied on 2005-03-16 13:28:16

Thanks.


gouya replied on 2005-03-16 13:31:41

Wed Mar 16 13:30:28 2005 us=105890 VERIFY ERROR: depth=1, error=certificate is not yet valid: /C=CN/ST=JL/L=CC/O=GOUYA_PLAY_GAME/CN=ROOT_CA/emailAddress=gouya08@163.com
Wed Mar 16 13:30:28 2005 us=106028 TLS_ERROR: BIO read tls_read_plaintext error: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
Wed Mar 16 13:30:28 2005 us=106046 TLS Error: TLS object -> incoming plaintext read error
Wed Mar 16 13:30:28 2005 us=106057 TLS Error: TLS handshake failed
Wed Mar 16 13:30:28 2005 us=106209 TCP/UDP: Closing socket
Wed Mar 16 13:30:28 2005 us=106311 SIGUSR1[soft,tls-error] received, process restarting
Wed Mar 16 13:30:28 2005 us=106328 Restart pause, 2 second(s)


gouya replied on 2005-03-16 14:15:01

[root@Linux bin]# rpm -qa | grep pam
pam-0.75-48
pam_krb5-1.60-1
pam-devel-0.75-48
pam_smb-1.1.6-7
[root@Linux bin]# rpm -qa | grep mysql
mysql-3.23.54a-11
mysql-server-3.23.54a-11
php-mysql-4.2.2-17
mysql-devel-3.23.54a-11
[root@Linux bin]# rpm -qa | grep sasl
cyrus-sasl-md5-2.1.10-4
cyrus-sasl-devel-2.1.10-4
cyrus-sasl-2.1.10-4
cyrus-sasl-plain-2.1.10-4
[root@Linux pam.d]# cat openvpn
auth sufficient pam_mysql.so user=vpn passwd=vpn123 host=localhost db=vpn table=vpnuser usercolumn=name passwdcolumn=password where=active=1 sqllog=0 crypt=2
account required pam_mysql.so user=vpn passwd=vpn123 host=localhost db=vpn table=vpnuser usercolumn=name passwdcolumn=password where=active=1 sqllog=0 crypt=2

Database:

# phpMyAdmin MySQL-Dump
# version 2.3.2
# http://www.phpmyadmin.net/ (download page)
#
# Host: localhost
# Generation time: Mar 16, 2005 at 06:36 AM
# Server version: 3.23.54
# PHP version: 4.2.2
# Database: `vpn`
# --------------------------------------------------------

#
# Table structure for table `vpnuser`
#

CREATE TABLE vpnuser (
name char(20) NOT NULL default '',
password char(128) default NULL,
active int(10) NOT NULL default '1',
PRIMARY KEY (name)
) TYPE=MyISAM;

#
# Dumping data for table `vpnuser`
#

INSERT INTO vpnuser VALUES ('elm', 'elm', 1);

Heh..... thanks.


gouya replied on 2005-03-16 14:35:35

Looks like pam_mysql isn't working....

What command tests pam_mysql on Red Hat 9.0....


wenzk replied on 2005-03-16 15:07:50

Wed Mar 16 13:30:28 2005 us=105890 VERIFY ERROR: depth=1, error=certificate is not yet valid: /C=CN/ST=JL/L=CC/O=GOUYA_PLAY_GAME/CN=ROOT_CA/emailAddress=gouya08@163.com

That should be an error on the client side; make sure the client's ca.crt is the same as the server's, and that the server's certificate was signed by that ca.crt


wenzk replied on 2005-03-16 15:08:54

Quote: originally posted by "gouya":
Looks like pam_mysql isn't working....

What command tests pam_mysql on Red Hat 9.0....



You can also install saslauthd to check whether PAM works properly


wenzk replied on 2005-03-16 15:22:32

Quote: originally posted by "gouya":
Looks like pam_mysql isn't working....

What command tests pam_mysql on Red Hat 9.0....



Mar 16 14:24:55 vpn openvpn: pam_sm_authenticate called.
Mar 16 14:24:55 vpn openvpn: dbuser changed.
Mar 16 14:24:55 vpn openvpn: dbpasswd changed.
Mar 16 14:24:55 vpn openvpn: host changed.
Mar 16 14:24:55 vpn openvpn: database changed.
Mar 16 14:24:55 vpn openvpn: table changed.
Mar 16 14:24:55 vpn openvpn: usercolumn changed.
Mar 16 14:24:55 vpn openvpn: passwdcolumn changed.
Mar 16 14:24:55 vpn openvpn: where changed.
Mar 16 14:24:55 vpn openvpn: sqllog changed.
Mar 16 14:24:55 vpn openvpn: crypt changed.
Mar 16 14:24:55 vpn openvpn: db_connect called.
Mar 16 14:24:55 vpn openvpn: returning 0 .
Mar 16 14:24:55 vpn openvpn: db_checkpasswd called.
Mar 16 14:24:55 vpn openvpn: pam_mysql: where clause = active=1
Mar 16 14:24:55 vpn openvpn: SELECT password FROM vpnuser WHERE name='elm' AND (active=1)
Mar 16 14:24:55 vpn openvpn: sqlLog called.
Mar 16 14:24:55 vpn openvpn: returning 0 .
Mar 16 14:24:55 vpn openvpn: returning 0.
Mar 16 14:24:55 vpn openvpn: pam_mysql: acct_mgmt called but not implemented. Dont panic though :)

This is the /var/log/messages log of a successful pam_mysql authentication. If it fails (wrong password):

Log:

Mar 16 15:01:00 vpn ntpdate[17646]: adjust time server 202.118.1.81 offset 0.333700 sec
Mar 16 15:21:00 vpn openvpn: pam_sm_authenticate called.
Mar 16 15:21:00 vpn openvpn: dbuser changed.
Mar 16 15:21:00 vpn openvpn: dbpasswd changed.
Mar 16 15:21:00 vpn openvpn: host changed.
Mar 16 15:21:00 vpn openvpn: database changed.
Mar 16 15:21:00 vpn openvpn: table changed.
Mar 16 15:21:00 vpn openvpn: usercolumn changed.
Mar 16 15:21:00 vpn openvpn: passwdcolumn changed.
Mar 16 15:21:00 vpn openvpn: where changed.
Mar 16 15:21:00 vpn openvpn: sqllog changed.
Mar 16 15:21:00 vpn openvpn: crypt changed.
Mar 16 15:21:00 vpn openvpn: db_connect called.
Mar 16 15:21:00 vpn openvpn: returning 0 .
Mar 16 15:21:00 vpn openvpn: db_checkpasswd called.
Mar 16 15:21:00 vpn openvpn: pam_mysql: where clause = active=1
Mar 16 15:21:00 vpn openvpn: SELECT password FROM vpnuser WHERE name='elm' AND (active=1)
Mar 16 15:21:00 vpn openvpn: returning 7 .
Mar 16 15:21:00 vpn openvpn: returning 7 after db_checkpasswd.


gouya replied on 2005-03-16 15:25:02

[root@Linux bin]# rpm -qa | grep sasl
cyrus-sasl-md5-2.1.10-4
cyrus-sasl-devel-2.1.10-4
cyrus-sasl-2.1.10-4
cyrus-sasl-plain-2.1.10-4
I have this, but there's no testsaslauthd


gouya replied on 2005-03-16 15:26:48

mysql> insert into vpnuer (name,password) values('elm',password('elm'));
I added the "ELM" account with phpmyadmin.


wenzk replied on 2005-03-16 15:29:14

Quote: originally posted by "gouya":
[root@Linux bin]# rpm -qa | grep sasl
cyrus-sasl-md5-2.1.10-4
cyrus-sasl-devel-2.1.10-4
cyrus-sasl-2.1.10-4
cyrus-sasl-plain-2.1.10-4
I have this, but there's no testsaslauthd



Check whether the path is right

[root@vpn ~]# rpm -qa | grep sasl
cyrus-sasl-plain-2.1.18-2
cyrus-sasl-md5-2.1.18-2
cyrus-sasl-devel-2.1.18-2
cyrus-sasl-2.1.18-2
[root@vpn ~]# rpm -ql cyrus-sasl-2.1.18-2 | grep test
/usr/sbin/testsaslauthd
[root@vpn ~]#


gouya replied on 2005-03-16 15:33:35

Last login: Wed Mar 16 07:36:52 2005
[root@Linux root]# rpm -ql cyrus-sasl-2.1.18-2 | grep test
[root@Linux root]#


gouya replied on 2005-03-16 15:37:09

Heh~~~~~~~~~~~``


wenzk replied on 2005-03-16 15:38:31

Quote: originally posted by "gouya":
[root@Linux bin]# rpm -qa | grep sasl
cyrus-sasl-md5-2.1.10-4
cyrus-sasl-devel-2.1.10-4
cyrus-sasl-2.1.10-4
cyrus-sasl-plain-2.1.10-4

Yours should be
rpm -ql cyrus-sasl-2.1.10-4 | grep test


wenzk replied on 2005-03-16 15:39:35

Quote: originally posted by "gouya":
Heh~~~~~~~~~~~``


No need; check the logs and see where the problem is

That is the only way to find the root cause


gouya replied on 2005-03-16 16:47:45

Mar 16 15:21:00 vpn openvpn: pam_mysql: where clause = active=1
Mar 16 15:21:00 vpn openvpn: SELECT password FROM vpnuser WHERE name='elm' AND (active=1)
Mar 16 15:21:00 vpn openvpn: returning 7 .
Mar 16 15:21:00 vpn openvpn: returning 7 after db_checkpasswd.

Heh~~~~~~~~~~~

Does this definitely mean the password is wrong?

But the password isn't wrong.


wenzk replied on 2005-03-16 16:50:38

Quote: originally posted by "gouya":
Mar 16 15:21:00 vpn openvpn: pam_mysql: where clause = active=1
Mar 16 15:21:00 vpn openvpn: SELECT password FROM vpnuser WHERE name='elm' AND (active=1)
Mar 16 15:21:00 vpn openvpn: returning 7 ...........



Find a way to test whether PAM authentication works, and rule things out step by step

If nothing else works, download the sasl source and build it yourself; that way you will certainly have testsaslauthd


gouya replied on 2005-03-16 16:59:07

Thanks..........


wenzk replied on 2005-03-16 17:01:13

Bro, just saw this:

INSERT INTO vpnuser VALUES ('elm', 'elm', 1);

You can't write it like that; it should be
INSERT INTO vpnuser VALUES ('elm', password('elm'), 1);

I encrypted the password with MySQL's password function

insert into vpnuer (name,password) values('elm',password('elm'));
Best to enter it by hand; I've never used phpMyAdmin and don't know whether it can apply the password function correctly

[root@vpn ~]# mysql -u vpn -p -D vpn;
Enter password:
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 1543 to server version: 3.23.58

Type 'help;' or '\h' for help. Type '\c' to clear the buffer.

mysql> select * from vpnuser;
+------+------------------+--------+
| name | password | active |
+------+------------------+--------+
| elm | 7bb6299c215b282b | 1 |
| wzk | 687c6752296a7c8b | 1 |
+------+------------------+--------+
2 rows in set (0.00 sec)

mysql> \q
Bye
[root@vpn ~]#

Check whether your password strings are encrypted
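The 16 hex digit values in that SELECT are the pre-4.1 MySQL PASSWORD() hash, which pam_mysql's crypt=2 reproduces through the client library. As an added example (not code from the post), here is that hash in Python together with a check over a constructed vpnuser dump: it reports which rows are hashed and which are plaintext, and reproduces this thread's failure, a plaintext row that can never match under crypt=2. The hash is unsalted and only 62 bits wide, which is why later MySQL versions replaced it.

```python
import re


def old_mysql_password(password):
    """MySQL 3.23/4.0 PASSWORD(): unsalted, un-iterated, 2 x 31 bits of output.
    The 32-bit masks mirror the ulong arithmetic of the original C on i386."""
    nr, add, nr2 = 1345345333, 7, 0x12345671
    for ch in password:
        if ch in " \t":                      # the original skips spaces and tabs
            continue
        tmp = ord(ch)
        nr = (nr ^ ((((nr & 63) + add) * tmp) + (nr << 8))) & 0xFFFFFFFF
        nr2 = (nr2 + ((nr2 << 8) ^ nr)) & 0xFFFFFFFF
        add += tmp
    return "%08x%08x" % (nr & 0x7FFFFFFF, nr2 & 0x7FFFFFFF)


OLD_HASH_RE = re.compile(r"^[0-9a-f]{16}$")

# Constructed sample rows: the two hashed rows from the SELECT above plus a
# plaintext row of the kind the phpMyAdmin INSERT earlier in the thread created.
SAMPLE_ROWS = [
    ("elm", "7bb6299c215b282b", 1),
    ("wzk", "687c6752296a7c8b", 1),
    ("gouya", "elm", 1),
]


def classify_rows(rows):
    """For crypt=2, report which rows hold a PASSWORD()-shaped value and which
    hold something else (almost always a plaintext password inserted by hand).
    A plaintext password that happens to be 16 hex digits would be misreported."""
    return {name: ("hashed" if OLD_HASH_RE.match(stored) else "plaintext")
            for name, stored, _active in rows}


def check_login(rows, name, password, crypt_mode=2):
    """Decide as pam_mysql would: take the row with name=... AND active=1, then
    compare the stored value with PASSWORD(password) for crypt=2 or with the
    literal password for crypt=0.  Other crypt modes are not covered here."""
    if crypt_mode not in (0, 2):
        raise ValueError("only crypt=0 and crypt=2 are handled")
    for row_name, stored, active in rows:
        if row_name == name and active == 1:
            expected = old_mysql_password(password) if crypt_mode == 2 else password
            return stored == expected
    return False                            # no active row: same as a bad password


if __name__ == "__main__":
    print(classify_rows(SAMPLE_ROWS))
    print("elm/elm ->", check_login(SAMPLE_ROWS, "elm", "elm"))
    print("gouya/elm under crypt=2 ->", check_login(SAMPLE_ROWS, "gouya", "elm"))
```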


gouya replied on 2005-03-16 17:44:23

Thanks for keeping me company through a boring afternoon......

It works on XP now, but not on 2000.......heh~~~~~~~~~~`
A few more questions:

1. Is there any difference between 2000 and XP?
2. Can unencrypted passwords be used?
3. How do I make it a system service so the VPN starts automatically when the machine boots?


We can never learn enough from your spirit; thanks again. Your English must be very good, could you share some tips on learning a foreign language......

I'm about to sign up for an English class and start on English...... heh~~~~~~~~~ :P


wenzk replied on 2005-03-16 21:13:57

1 No difference; it's probably something else. All my tests were on 2000
2 Yes, change crypt=1 to crypt=0 in the /etc/pam.d/openvpn file
3 You'll find the OpenVPN service under Services; just set it to start automatically. By default it is manual


Bro, thanks for the praise, but English is actually my weakest subject; with computer English I find a few readings are enough to understand it


gouya replied on 2005-03-16 23:47:12

Too modest......

If the service starts automatically, where does it read the password from? I tried, and it doesn't prompt for a password at all....


wenzk replied on 2005-03-17 00:46:02

--auth-user-pass [up]
Authenticate with server using username/password. up is a file containing username/password on 2 lines.

If up is omitted, username/password will be prompted from the console.

Heh ;)


gouya replied on 2005-03-17 00:57:56

Wed Mar 16 13:30:28 2005 us=105890 VERIFY ERROR: depth=1, error=certificate is not yet valid: /C=CN/ST=JL/L=CC/O=GOUYA_PLAY_GAME/CN=ROOT_CA/emailAddress=gouya08@163.com
Wed Mar 16 13:30:28 2005 us=106028 TLS_ERROR: BIO read tls_read_plaintext error: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
Wed Mar 16 13:30:28 2005 us=106046 TLS Error: TLS object -> incoming plaintext read error
Wed Mar 16 13:30:28 2005 us=106057 TLS Error: TLS handshake failed
Wed Mar 16 13:30:28 2005 us=106209 TCP/UDP: Closing socket
Wed Mar 16 13:30:28 2005 us=106311 SIGUSR1[soft,tls-error] received, process restarting
Wed Mar 16 13:30:28 2005 us=106328 Restart pause, 2 second

The same files copied to an XP machine work perfectly......

But on my own machine no OS works; I had a similar problem when setting up the CA, and later it somehow started working. Could it be related to the hardware or the OS version... My 2000 is Professional + SP3.

What a pain. ~~~~~~~~~`
heh~~~~~~~~~~`

Could it have something to do with the version...........


gouya replied on 2005-03-17 01:15:07

Quote: originally posted by "wenzk":
Authenticate with server using username/password. up is a file containing username/password on 2 lines.

If up is omitted, username/password will be prompted from the console.

Heh ;)


auth-user-pass user.txt


user.txt

elm
elm
on two lines.

Doesn't work either......


wenzk replied on 2005-03-17 09:10:16

Heh, found it :)

2004.12.05 -- Version 2.0-beta20

* The ability to read --askpass and --auth-user-pass
passwords from a file has been disabled by default.
To re-enable, use ./configure --enable-password-save.

Bro, you'll have to build OpenVPN yourself; I've never built it on Windows :(


gouya replied on 2005-03-17 10:22:04

Heh.......
1. Do I really have to build it on Windows to get auto-start?
2. About the 2000 problem: in my tests the Server edition is fine, but on Professional it never connects. I patched from SP2 all the way to SP4. wenzk, when you have time could you check whether this is a known issue.... is there a solution.


gouya replied on 2005-03-17 10:29:57

Quote: originally posted by "gouya":
Heh.......
1. Do I really have to build it on Windows to get auto-start?
2. About the 2000 problem: in my tests the Server edition is fine, but on Professional it never connects. I patched from SP2 all the way to SP4. wenzk, when you have time could you check whether?.........



With CA authentication there is no problem connecting from 2000 Professional.


wenzk replied on 2005-03-17 11:51:24

Try another machine
The other machine I tested on is 2000 Pro
No problem there


gouya replied on 2005-03-17 11:59:18

I've tried two different CDs and two machines, damn..... what a hassle.... I'll have someone try from outside in a while.....


By the way... apart from recompiling, is there any other way to handle the username and password? I'm using... openvpn-2.0_rc16


wenzk replied on 2005-03-17 14:29:03

Then you can only type it in by hand, heh


gouya replied on 2005-03-17 19:52:32

Thanks for your trouble....

I'll thank you properly when I get the chance...........


gouya replied on 2005-03-17 20:03:07

Don't know why, but after leaving it alone.... for 24 hours it started working....

Strange.... no reason.

1. How much CPU and memory does openvpn use per client?
2. When a client is talking to the server, can the client's traffic be captured on the server? I'm using the UDP protocol.


wenzk replied on 2005-03-17 21:00:58

Quote: originally posted by "gouya":
Don't know why, but after leaving it alone.... for 24 hours it started working....

Strange.... no reason.

1. How much CPU and memory does openvpn use per client?
2. When a client is talking to the server, can the client's traffic be captured on the server? I..........



Heh :)

1 Compared with my pptpd, CPU usage seems much lower.
2 tcpdump -i tun0 -n will show it


gouya replied on 2005-03-17 21:45:43

My PPTPD only allows one connection from inside a LAN; how do I solve that.....


wenzk replied on 2005-03-17 21:56:56

I hear there's a patch for it; once OpenVPN supported username/password authentication I gave up on pptpd


gouya replied on 2005-03-19 08:05:56

Nothing to do, just dropping by to see you,,, heh~~~~~~~~~~~


gouya replied on 2005-03-19 22:57:43

Can a TUN-mode VPN stop viruses like "Blaster" from attacking the server?


wenzk replied on 2005-03-20 12:54:28

TUN isn't a cure-all; tun is a virtual device at the IP layer


gouya replied on 2005-03-20 12:59:52

Thanks....


wenzk replied on 2005-03-20 22:26:35

Quote: originally posted by "gouya":
Thanks....


You're welcome

http://blog.chinaunix.net/resserver.php?blogId=2389&resource=openvpn.exe

OpenVPN 2.0_rc17 built with support for reading User/Pass from a file; just overwrite the original file with it

I built it myself, and I don't know why the binary I built is quite a bit bigger than the official one


gouya replied on 2005-03-20 22:44:47

With openvpn in tun mode, I'm not sure whether viruses like "Blaster" can attack the VPN server...


wenzk replied on 2005-03-20 23:12:15

Those viruses attack Windows hosts, don't they? That has nothing to do with whether OpenVPN is installed on the machine


gouya replied on 2005-03-21 09:43:45

Quote: originally posted by "wenzk":
Those viruses attack Windows hosts, don't they? That has nothing to do with whether OpenVPN is installed on the machine


The clients are of course Windows. Once a client is connected, worms and viruses like "Blaster" flood the server with packets. I saw this when I was using SOCKS5.

Another question: can OPENVPN be made to update the status file "openvpn-status.log" faster? By default it seems to take about 5 minutes; for example, when a user disconnects it takes 5 minutes before the file is updated...


wenzk replied on 2005-03-21 23:31:21

Quote: originally posted by "gouya":


The clients are of course Windows. Once a client is connected, worms and viruses like "Blaster" flood the server with packets. I saw this when I was using SOCKS5.

Another question: can OPENVPN be made to update the status file "openvpn-status.log" faster? By default it seems?..........



There's no way to prevent that with the VPN


--status file [n]
Write operational status to file every n seconds.

Status can also be written to the syslog by sending a SIGUSR2
signal.

--status-version [n]
Choose the status file format version number. Currently n can
be 1 or 2 and defaults to 1.


victorchang replied on 2005-06-14 16:33:16

I've tested this successfully on FC3 / MYSQL 3.58, both the CA method and the USERNAME/PASS method, but I have one question.
Having to install the OPENVPN client program on every client machine is too much trouble. Could it be done over HTTPS, so that after logging in the client only needs to enter a username and password to get onto the VPN and access resources on the LAN?
Thanks :(


wenzk replied on 2005-06-14 20:16:18

That's not possible; you could look at their ssl explorer


victorchang replied on 2005-06-16 08:58:17

Quote: wenzk posted on 2005-06-14 20:16:
That's not possible; you could look at their ssl explorer

I haven't found any material on SSL EXPLORER; could you help me look for some, thanks.


wenzk replied on 2005-06-16 20:31:30

I don't know much about it :(


ucdos2003 replied on 2006-01-27 10:35:24

insert into vpnuer (name,password) values('elm',password('elm'));
vpnuer here should be vpnuser; OP, please fix it


huangyong191 replied on 2006-04-15 22:14:46

I followed your steps, and when I got to checking whether pam_mysql works it reported "size read failed". In the log I saw
Apr 15 20:09:28 adsl saslauthd[6245]: PAM unable to dlopen(/lib/security/pam_mysql.so)
Apr 15 20:09:28 adsl saslauthd[6245]: PAM [dlerror: /lib/security/pam_mysql.so: cannot open shared object file: No such file or directory]
Apr 15 20:09:28 adsl saslauthd[6245]: PAM adding faulty module: /lib/security/pam_mysql.so
Apr 15 20:09:28 adsl saslauthd[6245]: PAM (openvpn) illegal module type: crypt(0)
Apr 15 20:09:28 adsl saslauthd[6245]: PAM pam_parse: expecting return value; [...--]
Apr 15 20:09:28 adsl saslauthd[6245]: PAM unable to dlopen(/lib/security/Used)
Apr 15 20:09:28 adsl saslauthd[6245]: PAM [dlerror: /lib/security/Used: cannot open shared object file: No such file or directory]
Apr 15 20:09:28 adsl saslauthd[6245]: PAM adding faulty module: /lib/security/Used
Apr 15 20:09:28 adsl saslauthd[6245]: PAM (openvpn) illegal module type: 0
Apr 15 20:09:28 adsl saslauthd[6245]: PAM pam_parse: expecting return value; [...=]
Apr 15 20:09:28 adsl saslauthd[6245]: PAM unable to dlopen(/lib/security/No)
Apr 15 20:09:28 adsl saslauthd[6245]: PAM [dlerror: /lib/security/No: cannot open shared object file: No such file or directory]
Apr 15 20:09:28 adsl saslauthd[6245]: PAM adding faulty module: /lib/security/No
Apr 15 20:09:28 adsl saslauthd[6245]: PAM (openvpn) illegal module type: 1
Apr 15 20:09:28 adsl saslauthd[6245]: PAM pam_parse: expecting return value; [...=]
Apr 15 20:09:28 adsl saslauthd[6245]: PAM unable to dlopen(/lib/security/Use)
Apr 15 20:09:28 adsl saslauthd[6245]: PAM [dlerror: /lib/security/Use: cannot open shared object file: No such file or directory]
Apr 15 20:09:28 adsl saslauthd[6245]: PAM adding faulty module: /lib/security/Use
Which file is it that can't be found? Please have a look! Thanks!


wenzk replied on 2006-04-17 01:54:54

The file /lib/security/pam_mysql.so is missing
First check whether pam_mysql is installed; if it is,
see whether it ended up under /usr/lib or somewhere else, and cp it over


huangyong191 replied on 2006-04-17 14:09:31

Thanks for your reply. I checked, and the pam_mysql.so file is in /lib/security/. There were some warnings when compiling it, but no errors; after the build I copied it into /lib/security/, yet authentication still fails. I'm on Red Hat AS4 U1 and don't know which file it can't find! Thank you!


wenzk replied on 2006-04-17 22:36:46

Look at the messages file and see what the error is


huangyong191 replied on 2006-04-18 09:49:21

Apr 15 20:09:28 adsl saslauthd[6245]: PAM unable to dlopen(/lib/security/pam_mysql.so)
Apr 15 20:09:28 adsl saslauthd[6245]: PAM [dlerror: /lib/security/pam_mysql.so: cannot open shared object file: No such file or directory]
Apr 15 20:09:28 adsl saslauthd[6245]: PAM adding faulty module: /lib/security/pam_mysql.so
Apr 15 20:09:28 adsl saslauthd[6245]: PAM (openvpn) illegal module type: crypt(0)
Apr 15 20:09:28 adsl saslauthd[6245]: PAM pam_parse: expecting return value; [...--]
Apr 15 20:09:28 adsl saslauthd[6245]: PAM unable to dlopen(/lib/security/Used)
Apr 15 20:09:28 adsl saslauthd[6245]: PAM [dlerror: /lib/security/Used: cannot open shared object file: No such file or directory]
Apr 15 20:09:28 adsl saslauthd[6245]: PAM adding faulty module: /lib/security/Used
Apr 15 20:09:28 adsl saslauthd[6245]: PAM (openvpn) illegal module type: 0
Apr 15 20:09:28 adsl saslauthd[6245]: PAM pam_parse: expecting return value; [...=]
Apr 15 20:09:28 adsl saslauthd[6245]: PAM unable to dlopen(/lib/security/No)
Apr 15 20:09:28 adsl saslauthd[6245]: PAM [dlerror: /lib/security/No: cannot open shared object file: No such file or directory]
Apr 15 20:09:28 adsl saslauthd[6245]: PAM adding faulty module: /lib/security/No
Apr 15 20:09:28 adsl saslauthd[6245]: PAM (openvpn) illegal module type: 1
Apr 15 20:09:28 adsl saslauthd[6245]: PAM pam_parse: expecting return value; [...=]
Apr 15 20:09:28 adsl saslauthd[6245]: PAM unable to dlopen(/lib/security/Use)
Apr 15 20:09:28 adsl saslauthd[6245]: PAM [dlerror: /lib/security/Use: cannot open shared object file: No such file or directory]
Apr 15 20:09:28 adsl saslauthd[6245]: PAM adding faulty module: /lib/security/Use


Those are the entries from the messages log; please take a look, thanks!


wenzk replied on 2006-04-19 15:21:10

$ ldd /lib/security/pam_mysql.so
libz.so.1 => /usr/lib/libz.so.1 (0x00792000)
libmysqlclient.so.10 => /usr/lib/mysql/libmysqlclient.so.10 (0x00b1c000)
libcrypt.so.1 => /lib/libcrypt.so.1 (0x00b54000)
libc.so.6 => /lib/tls/libc.so.6 (0x007b4000)
libnsl.so.1 => /lib/libnsl.so.1 (0x009c9000)
libm.so.6 => /lib/tls/libm.so.6 (0x00997000)
/lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x003d4000)
$


Post the output of this


huangyong191 replied on 2006-04-19 15:31:23

[root@adsl security]# ldd pam_mysql.so
libz.so.1 => /usr/lib/libz.so.1 (0x00b06000)
libmysqlclient.so.14 => /usr/lib/mysql/libmysqlclient.so.14 (0x00824000)
libcrypt.so.1 => /lib/libcrypt.so.1 (0x00111000)
libc.so.6 => /lib/tls/libc.so.6 (0x00508000)
libnsl.so.1 => /lib/libnsl.so.1 (0x00675000)
libm.so.6 => /lib/tls/libm.so.6 (0x0015c000)
libssl.so.4 => /lib/libssl.so.4 (0x00e1c000)
libcrypto.so.4 => /lib/libcrypto.so.4 (0x00b8e000)
/lib/ld-linux.so.2 (0x001aa000)
libgssapi_krb5.so.2 => /usr/lib/libgssapi_krb5.so.2 (0x0031f000)
libkrb5.so.3 => /usr/lib/libkrb5.so.3 (0x001c1000)
libcom_err.so.2 => /lib/libcom_err.so.2 (0x00dfe000)
libk5crypto.so.3 => /usr/lib/libk5crypto.so.3 (0x00638000)
libresolv.so.2 => /lib/libresolv.so.2 (0x0013f000)
libdl.so.2 => /lib/libdl.so.2 (0x00ff4000)
Is a file missing? Thanks!


tqbhit 回复于:2006-04-30 09:33:17

crypt=0 works, but the other settings, crypt=1 and crypt=2, do not.
With crypt=0 the account password is stored unencrypted; with crypt=2 it is encrypted.
The log with crypt=2 is:
Apr 30 09:23:49 debian openvpn[3567]: pam_mysql - SELECT password FROM vpnuser WHERE name = 'elmk' AND (active=1)
pam_mysql - pam_mysql_sql_log() called.
pam_mysql - pam_mysql_sql_log() returning 0.
pam_mysql - pam_mysql_check_passwd() returning 6.
pam_mysql - pam_sm_authenticate() returning 7.
pam_mysql - pam_mysql_release_ctx() called.
pam_mysql - pam_mysql_destroy_ctx() called.
pam_mysql - pam_mysql_close_db() called.
pam_mysql - option verbose is set to "1"
pam_mysql - pam_mysql_close_db() called.
pam_mysql - pam_sm_authenticate() called.
pam_mysql - pam_mysql_converse() called.
pam_mysql - pam_mysql_open_db() called.
pam_mysql - pam_mysql_open_db() returning 0.
pam_mysql - pam_mysql_check_passwd() called.
pam_mysql - pam_mysql_format_string() called
pam_mysql - pam_mysql_quick_escape() called.

[ This post was last edited by tqbhit on 2006-4-30 09:38 ]


wenzk replied on: 2006-05-02 13:45:37

crypt (plain)

The method to encrypt the user's password:

0 (or "plain") = No encryption. Passwords stored in plaintext.
HIGHLY DISCOURAGED.

1 (or "Y") = Use crypt(3) function.

2 (or "mysql") = Use MySQL PASSWORD() function. It is possible
that the encryption function used by PAM-MySQL
is different from that of the MySQL server, as
PAM-MySQL uses the function defined in MySQL's
C-client API instead of using PASSWORD() SQL function
in the query.

3 (or "md5") = Use plain hex MD5.

4 (or "sha1") = Use plain hex SHA1.


The functions are different.


Jedliu replied on: 2006-09-16 11:27:12

When I followed wenzk's procedure, I first tested with testsaslauthd and it did not succeed. I thought it was a problem with the pam_mysql module, because compiling it reported the following errors:

mkdir -p ./dynamic
gcc -O2 -Dlinux -DLINUX_PAM -ansi -D_POSIX_SOURCE -Wall -Wwrite-strings -Wpointer-arith -Wcast-qual -Wcast-align -Wtraditional -Wstrict-prototypes -Wmissing-prototypes -Wnested-externs -Winline -Wshadow -pedantic -fPIC -DPAM_DYNAMIC -c pam_mysql.c -o dynamic/pam_mysql.o
pam_mysql.c: In function `breakArgs':
pam_mysql.c:157: warning: traditional C rejects ISO C style function definitions
pam_mysql.c: In function `parseArgs':
pam_mysql.c:233: warning: traditional C rejects ISO C style function definitions
pam_mysql.c: In function `db_connect':
pam_mysql.c:391: warning: traditional C rejects ISO C style function definitions
pam_mysql.c: In function `db_close':
pam_mysql.c:420: warning: traditional C rejects ISO C style function definitions
pam_mysql.c: In function `db_checkpasswd':
pam_mysql.c:429: warning: traditional C rejects ISO C style function definitions
pam_mysql.c: In function `converse':
pam_mysql.c:613: warning: traditional C rejects ISO C style function definitions
pam_mysql.c:617: warning: dereferencing type-punned pointer will break strict-aliasing rules
pam_mysql.c: In function `saltify':
pam_mysql.c:636: warning: traditional C rejects ISO C style function definitions
pam_mysql.c: In function `updatePasswd':
pam_mysql.c:675: warning: traditional C rejects ISO C style function definitions
pam_mysql.c: In function `askForPassword':
pam_mysql.c:800: warning: traditional C rejects ISO C style function definitions
pam_mysql.c: In function `sqlLog':
pam_mysql.c:839: warning: traditional C rejects ISO C style function definitions
pam_mysql.c: In function `pam_sm_authenticate':
pam_mysql.c:982: warning: traditional C rejects ISO C style function definitions
pam_mysql.c:1009: warning: dereferencing type-punned pointer will break strict-aliasing rules
pam_mysql.c:1014: warning: dereferencing type-punned pointer will break strict-aliasing rules
pam_mysql.c: In function `pam_sm_acct_mgmt':
pam_mysql.c:1047: warning: traditional C rejects ISO C style function definitions
pam_mysql.c: In function `pam_sm_setcred':
pam_mysql.c:1057: warning: traditional C rejects ISO C style function definitions
pam_mysql.c: In function `pam_sm_chauthtok':
pam_mysql.c:1069: warning: traditional C rejects ISO C style function definitions
pam_mysql.c:1113: warning: dereferencing type-punned pointer will break strict-aliasing rules
pam_mysql.c:1120: warning: dereferencing type-punned pointer will break strict-aliasing rules
pam_mysql.c:1147: warning: dereferencing type-punned pointer will break strict-aliasing rules
pam_mysql.c:1158: warning: dereferencing type-punned pointer will break strict-aliasing rules
pam_mysql.c:1173: warning: dereferencing type-punned pointer will break strict-aliasing rules
pam_mysql.c:1180: warning: dereferencing type-punned pointer will break strict-aliasing rules
pam_mysql.c: In function `pam_sm_open_session':
pam_mysql.c:1201: warning: traditional C rejects ISO C style function definitions
pam_mysql.c: In function `pam_sm_close_session':
pam_mysql.c:1211: warning: traditional C rejects ISO C style function definitions
gcc -shared -Xlinker -x -L/usr/lib/mysql -lz -o pam_mysql.so dynamic/pam_mysql.o -lmysqlclient -lcrypt

I searched the net for related material but found no solution. However, in the thread at http://bbs.chinaunix.net/viewthread.php?tid=818254 I came across the issue of the length of the encrypted password: in wenzk's table definition, password is set to char(12). So I changed the length of the password field and the problem was solved: 0: OK "Success."

That thread says the password length is 41, but when I ran select LENGTH(PASSWORD('test')) I got 16, while wenzk set it to 12. I don't know the reason for this....

[ This post was last edited by Jedliu on 2006-9-16 11:38 ]


wenzk replied on: 2006-09-25 11:59:58

Quote: originally posted by Jedliu on 2006-9-16 11:27
When I followed wenzk's procedure, I first tested with testsaslauthd and it did not succeed. I thought it was a problem with the pam_mysql module, because compiling it reported the following errors:

mkdir -p ./dynamic
gcc -O2 -Dlinux -DLINUX_PAM -ansi - ...



Heh, I just checked: because smilies were not disabled when the article was posted, the original setting of 128 was displayed as only 12. I have now disabled smilies in the original post.

Thanks for pointing it out.

[ This post was last edited by wenzk on 2006-9-27 19:35 ]
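The pam_mysql crypt modes quoted above and the password column length problem Jedliu ran into (char(12) versus the 16- or 41-character hash), modelled as an added example; this is not code from the thread, from pam_mysql or from MySQL. It assumes MySQL 4.1+ PASSWORD() semantics for crypt=2 and leaves crypt=1 (crypt(3)) out because its output length depends on the libc hash scheme.

```python
"""Stored-password formats for the pam_mysql crypt= modes, and what a too-narrow
password column does to them.  Added example, not pam_mysql's or MySQL's code.
Assumption: MySQL >= 4.1 PASSWORD() (41 chars); pre-4.1 servers return a
16-hex-char hash instead, which is the 41-vs-16 discrepancy seen in the thread.
"""
import hashlib
import hmac

PLAIN, CRYPT3, MYSQL, MD5, SHA1 = 0, 1, 2, 3, 4   # the crypt= values from the docs


def mysql_password(password: str) -> str:
    """MySQL 4.1+ PASSWORD(): '*' + upper-case hex SHA1(SHA1(password)), 41 chars."""
    inner = hashlib.sha1(password.encode("utf-8")).digest()
    return "*" + hashlib.sha1(inner).hexdigest().upper()


def hash_for_mode(password: str, mode: int) -> str:
    """Return the string pam_mysql would compare against for a given crypt= mode."""
    if mode == PLAIN:
        return password                                              # crypt=0: cleartext, discouraged
    if mode == MYSQL:
        return mysql_password(password)                              # crypt=2: 41 chars
    if mode == MD5:
        return hashlib.md5(password.encode("utf-8")).hexdigest()     # crypt=3: 32 hex chars
    if mode == SHA1:
        return hashlib.sha1(password.encode("utf-8")).hexdigest()    # crypt=4: 40 hex chars
    raise ValueError(f"crypt mode {mode} is not modelled here (crypt(3) length varies)")


def store_in_column(value: str, width: int) -> str:
    """Model a CHAR(width) column on a server without strict mode (MySQL 3.23/4.x
    as in the thread): an over-long value is silently truncated at INSERT time."""
    return value[:width]


def verify(stored: str, candidate: str, mode: int) -> bool:
    """pam_mysql-style check: hash the candidate the same way and compare.
    A stored value that was truncated by the column can never match."""
    expected = hash_for_mode(candidate, mode)
    return hmac.compare_digest(stored.encode("utf-8"), expected.encode("utf-8"))


def minimum_width(mode: int) -> int:
    """Narrowest CHAR width that holds every hash the mode can produce."""
    return {MYSQL: 41, MD5: 32, SHA1: 40}[mode]


def column_is_safe(width: int, mode: int) -> bool:
    """True when a CHAR(width) password column cannot truncate the mode's hash."""
    return width >= minimum_width(mode)


if __name__ == "__main__":
    pw = "test"   # constructed sample, same input as the thread's LENGTH(PASSWORD('test'))
    for width in (12, 41, 128):
        stored = store_in_column(hash_for_mode(pw, MYSQL), width)
        print(f"char({width}): stores {len(stored)} chars, "
              f"login {'OK' if verify(stored, pw, MYSQL) else 'FAILS'}")
```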


zhangshoug replied on: 2006-12-14 23:20:25

I want to use CA authentication and USER\pass authentication at the same time; how should this be configured? Like the l2tp\ipsec setup, where ipsec first authenticates with the CA and, once that succeeds, l2tp authenticates with USER\pass. That is, both authentications must succeed before the vpn connects.


wenzk replied on: 2006-12-15 10:29:26

Quote: originally posted by zhangshoug on 2006-12-14 23:20
I want to use CA authentication and USER\pass authentication at the same time; how should this be configured? Like the l2tp\ipsec setup, where ipsec first authenticates with the CA and, once that succeeds, l2tp authenticates with USER\pass. That is, both authentications must succeed before the vpn connects.


It can be done.


ioiioi replied on: 2006-12-18 09:39:19

Can openvpn authenticate users against ldap?
It would be even better if it could work with win AD; is that possible?


zhangshoug replied on: 2007-01-06 22:13:09

plugin ./openvpn-auth-pam.so openvpn
Where is the file openvpn-auth-pam.so? Why isn't it on my machine?


wenzk replied on: 2007-01-08 00:29:26

rpm -ql `rpm -qa | grep openvpn` | grep auth


zhangshoug replied on: 2007-01-09 11:37:21

I compiled and installed openvpn from source myself, using openvpn-2.0.9.tar.gz


wenzk replied on: 2007-01-10 08:48:28

Quote: originally posted by zhangshoug on 2007-1-9 11:37
I compiled and installed openvpn from source myself, using openvpn-2.0.9.tar.gz



Look in the source directory.


zhangshoug replied on: 2007-01-10 18:22:39

# cd /usr/local/src/openvpn-2.0.9
# find . -print|grep openvpn-auth-pam.so
It returns nothing at all.


wenzk replied on: 2007-01-10 20:45:12

Quote: originally posted by zhangshoug on 2007-1-10 18:22
# cd /usr/local/src/openvpn-2.0.9
# find . -print|grep openvpn-auth-pam.so
It returns nothing at all.



bash-2.05b# pwd
/root/openvpn-2.0.5
bash-2.05b# find . -name "*pam*"
./plugin/auth-pam
./plugin/auth-pam/auth-pam.c
./plugin/auth-pam/pamdl.c
./plugin/auth-pam/pamdl.h
./plugin/auth-pam/auth-pam.o
./plugin/auth-pam/pamdl.o
./plugin/auth-pam/openvpn-auth-pam.so
./sample-scripts/auth-pam.pl
bash-2.05b#

If it is not there, then:
cd plugin/auth-pam
make

[ This post was last edited by wenzk on 2007-1-10 20:46 ]


zhy0414 replied on: 2007-05-23 17:38:34

When I run testsaslauthd -u elm -p elm -s openvpn
it also shows:
size read failed

Why?
My password length is set to 128.


zhy0414 replied on: 2007-05-23 17:53:02

Now it shows connect() : Connection refused

when running testsaslauthd -u elm -p elm -s openvpn
Why?
All settings were done according to the document.
I'm not very familiar with mysql; please give me some pointers, thanks.


wenzk replied on: 2007-05-24 00:18:47

saslauthd probably isn't running.


zhy0414 replied on: 2007-05-24 09:07:42

Thanks for the pointer; it was indeed not running. Much appreciated.


zhy0414 replied on: 2007-05-24 09:19:24

Now it gives 0: NO "authentication failed"
Where is the problem?
Thanks


wenzk replied on: 2007-05-25 09:22:37

Try turning off encryption of the password field.


jessewan replied on: 2007-05-28 00:16:27

Good post.
Thanks.


cjc108 replied on: 2007-06-04 01:16:10

Moderator wenzk:
Hello. Following your article I tried this out on Slackware 11 Linux. I got an openvpn-2.0.9-i486.tgz package from the net, ran installpkg openvpn-2.0.9-i486.tgz directly, then chmod +x /etc/rc.d/rc.openvpn, added a line to rc.M to start rc.openvpn, and rebooted. Strangely, it reported that openvpn started successfully, even though I had not done any configuration yet?!
Because compiling pam_mysql from source kept giving some cpp error at ./configure, I grabbed pam_mysql-0.6.2.i386.rpm instead; after installing it, pam_mysql.so also showed up under /lib/security/. Also, I could not test whether pam_mysql works, because my saslauthd won't start! Then generating the certificates and so on all went fine, but afterwards #find / -name "openvpv-auth-pam.so" found nothing at all. [Could it be an openvpn version issue?] With no other option, I extracted an openvpv-auth-pam.so directly from an openvpn-2.1-0.19.rc4.fc7.i386.rpm
and put it under /etc/openvpn/, and also put server.conf, the certificates and so on under /etc/openvpn/.
Then I rebooted; unfortunately openvpn seemed to start, but it said something is wrong !


#!/bin/sh
#
# openvpn       This shell script takes care of starting and stopping
#               openvpn on RedHat or other chkconfig-based system.
#
# chkconfig: 345 24 76
#
# description: OpenVPN is a robust and highly flexible tunneling application that
#              uses all of the encryption, authentication, and certification features
#              of the OpenSSL library to securely tunnel IP networks over a single
#              UDP port.
#

# Contributed to the OpenVPN project by
# Douglas Keller
# 2002.05.15

# Location of openvpn binary
openvpn=""
openvpn_locations="/usr/sbin/openvpn /usr/local/sbin/openvpn"
for location in $openvpn_locations
do
    if [ -f "$location" ]
    then
        openvpn=$location
    fi
done

# Lockfile
lock="/var/lock/subsys/openvpn"

# PID directory
piddir="/var/run/openvpn"

# Our working directory
work=/etc/openvpn

# Check that binary exists
if ! [ -f $openvpn ]
then
    echo "openvpn binary not found"
    exit 0
fi

# See how we were called.
case "$1" in
    start)
        echo -n $"Starting openvpn: "

        # /sbin/modprobe tun >/dev/null 2>&1

        # From a security perspective, I think it makes
        # sense to remove this, and have users who need
        # it explicitly enable in their --up scripts or
        # firewall setups.

        #echo 1 > /proc/sys/net/ipv4/ip_forward

        # Run startup script, if defined
        if [ -f $work/openvpn-startup ]; then
            $work/openvpn-startup
        fi

        if [ ! -d $piddir ]; then
            mkdir $piddir
        fi

        if [ -f $lock ]; then
            # we were not shut down correctly
            for pidf in `/bin/ls $piddir/*.pid 2>/dev/null`; do
                if [ -s $pidf ]; then
                    kill `cat $pidf` >/dev/null 2>&1
                fi
                rm -f $pidf
            done
            rm -f $lock
            sleep 2
        fi

        rm -f $piddir/*.pid
        cd $work

        # Start every .conf in $work and run .sh if exists
        errors=0
        successes=0
        for c in `/bin/ls *.conf 2>/dev/null`; do
            bn=${c%%.conf}
            if [ -f "$bn.sh" ]; then
                . $bn.sh
            fi
            rm -f $piddir/$bn.pid
            $openvpn --daemon --writepid $piddir/$bn.pid --config $c --cd $work
            if [ $? = 0 ]; then
                successes=1
            else
                errors=1
            fi
        done

        if [ $errors = 1 ]; then
            echo "Something is wrong"
        else
            echo "All done"
        fi

        if [ $successes = 1 ]; then
            touch $lock
        fi
        ;;
    stop)
        echo -n $"Shutting down openvpn: "
        for pidf in `/bin/ls $piddir/*.pid 2>/dev/null`; do
            if [ -s $pidf ]; then
                kill `cat $pidf` >/dev/null 2>&1
            fi
            rm -f $pidf
        done

        # Run shutdown script, if defined
        if [ -f $work/openvpn-shutdown ]; then
            $work/openvpn-shutdown
        fi

        rm -f $lock
        ;;
    restart)
        $0 stop
        sleep 2
        $0 start
        ;;
    reload)
        if [ -f $lock ]; then
            for pidf in `/bin/ls $piddir/*.pid 2>/dev/null`; do
                if [ -s $pidf ]; then
                    kill -HUP `cat $pidf` >/dev/null 2>&1
                fi
            done
        else
            echo "openvpn: service not started"
            exit 1
        fi
        ;;
    reopen)
        if [ -f $lock ]; then
            for pidf in `/bin/ls $piddir/*.pid 2>/dev/null`; do
                if [ -s $pidf ]; then
                    kill -USR1 `cat $pidf` >/dev/null 2>&1
                fi
            done
        else
            echo "openvpn: service not started"
            exit 1
        fi
        ;;
    condrestart)
        if [ -f $lock ]; then
            $0 stop
            # avoid race
            sleep 2
            $0 start
        fi
        ;;
    status)
        if [ -f $lock ]; then
            for pidf in `/bin/ls $piddir/*.pid 2>/dev/null`; do
                if [ -s $pidf ]; then
                    kill -USR2 `cat $pidf` >/dev/null 2>&1
                fi
            done
            echo "Status written to /var/log/messages"
        else
            echo "openvpn: service not started"
            exit 1
        fi
        ;;
    *)
        echo "Usage: openvpn {start|stop|restart|condrestart|reload|reopen|status}"
        exit 1
        ;;
esac
exit 0



What should I do? I still can't use openvpn!!

[ This post was last edited by cjc108 on 2007-6-4 01:18 ]


wenzk replied on: 2007-06-05 11:04:00

I'm not familiar with those systems, so I can't say what is in their packages.
Heh, I have no way to solve this right now.


cjc108 replied on: 2007-06-06 00:52:50

Bro, can you help analyse what the problem is?

[ This post was last edited by cjc108 on 2007-6-8 19:10 ]


wenzk replied on: 2007-06-07 11:43:44

Too little log.

Change it to verb 4 and post the full log.


cjc108 replied on: 2007-06-07 18:24:48

Well, after downloading a Linux-PAM from linuxpackages.net, installing it, and recompiling those 2 .so files, interestingly OpenVPN can actually start up now!
/var/log/openvpn.log

Fri Jun 8 17:50:51 2007 us=322166 Current Parameter Settings:
Fri Jun 8 17:50:51 2007 us=323164 config = 'server.conf'
Fri Jun 8 17:50:51 2007 us=323208 mode = 1
Fri Jun 8 17:50:51 2007 us=323363 persist_config = DISABLED
Fri Jun 8 17:50:51 2007 us=323408 persist_mode = 1
Fri Jun 8 17:50:51 2007 us=323436 show_ciphers = DISABLED
Fri Jun 8 17:50:51 2007 us=323464 show_digests = DISABLED
Fri Jun 8 17:50:51 2007 us=323491 show_engines = DISABLED
Fri Jun 8 17:50:51 2007 us=323519 genkey = DISABLED
Fri Jun 8 17:50:51 2007 us=323547 key_pass_file = '[UNDEF]'
Fri Jun 8 17:50:51 2007 us=323574 show_tls_ciphers = DISABLED
Fri Jun 8 17:50:51 2007 us=323602 proto = 0
Fri Jun 8 17:50:51 2007 us=323630 local = '199.199.199.68'
Fri Jun 8 17:50:51 2007 us=323660 remote_list = NULL
Fri Jun 8 17:50:51 2007 us=323728 remote_random = DISABLED
Fri Jun 8 17:50:51 2007 us=323760 local_port = 1194
Fri Jun 8 17:50:51 2007 us=323787 remote_port = 1194
Fri Jun 8 17:50:51 2007 us=323815 remote_float = DISABLED
Fri Jun 8 17:50:51 2007 us=323842 ipchange = '[UNDEF]'
Fri Jun 8 17:50:51 2007 us=323870 bind_local = ENABLED
Fri Jun 8 17:50:51 2007 us=323898 dev = 'tap'
Fri Jun 8 17:50:51 2007 us=323925 dev_type = '[UNDEF]'
Fri Jun 8 17:50:51 2007 us=323953 dev_node = '[UNDEF]'
Fri Jun 8 17:50:51 2007 us=323981 tun_ipv6 = DISABLED
Fri Jun 8 17:50:51 2007 us=324008 ifconfig_local = '10.5.0.1'
Fri Jun 8 17:50:51 2007 us=324052 ifconfig_remote_netmask = '255.255.255.0'
Fri Jun 8 17:50:51 2007 us=324083 ifconfig_noexec = DISABLED
Fri Jun 8 17:50:51 2007 us=324111 ifconfig_nowarn = DISABLED
Fri Jun 8 17:50:51 2007 us=324138 shaper = 0
Fri Jun 8 17:50:51 2007 us=324166 tun_mtu = 1500
Fri Jun 8 17:50:51 2007 us=324193 tun_mtu_defined = ENABLED
Fri Jun 8 17:50:51 2007 us=324221 link_mtu = 1500
Fri Jun 8 17:50:51 2007 us=324249 link_mtu_defined = DISABLED
Fri Jun 8 17:50:51 2007 us=324276 tun_mtu_extra = 32
Fri Jun 8 17:50:51 2007 us=324304 tun_mtu_extra_defined = ENABLED
Fri Jun 8 17:50:51 2007 us=324332 fragment = 0
Fri Jun 8 17:50:51 2007 us=324490 mtu_discover_type = -1
Fri Jun 8 17:50:51 2007 us=324521 mtu_test = 0
Fri Jun 8 17:50:51 2007 us=324549 mlock = DISABLED
Fri Jun 8 17:50:51 2007 us=324638 keepalive_ping = 10
Fri Jun 8 17:50:51 2007 us=324666 keepalive_timeout = 120
Fri Jun 8 17:50:51 2007 us=324694 inactivity_timeout = 0
Fri Jun 8 17:50:51 2007 us=324722 ping_send_timeout = 10
Fri Jun 8 17:50:51 2007 us=324749 ping_rec_timeout = 240
Fri Jun 8 17:50:51 2007 us=324777 ping_rec_timeout_action = 2
Fri Jun 8 17:50:51 2007 us=324805 ping_timer_remote = DISABLED
Fri Jun 8 17:50:51 2007 us=324833 remap_sigusr1 = 0
Fri Jun 8 17:50:51 2007 us=324875 explicit_exit_notification = 0
Fri Jun 8 17:50:51 2007 us=324903 persist_tun = ENABLED
Fri Jun 8 17:50:51 2007 us=324931 persist_local_ip = DISABLED
Fri Jun 8 17:50:51 2007 us=324959 persist_remote_ip = DISABLED
Fri Jun 8 17:50:51 2007 us=324986 persist_key = ENABLED
Fri Jun 8 17:50:51 2007 us=325014 mssfix = 1450
Fri Jun 8 17:50:51 2007 us=325041 passtos = DISABLED
Fri Jun 8 17:50:51 2007 us=325069 resolve_retry_seconds = 1000000000
Fri Jun 8 17:50:51 2007 us=325097 connect_retry_seconds = 5
Fri Jun 8 17:50:51 2007 us=325125 username = 'nobody'
Fri Jun 8 17:50:51 2007 us=325153 groupname = 'nobody'
Fri Jun 8 17:50:51 2007 us=325180 chroot_dir = '[UNDEF]'
Fri Jun 8 17:50:51 2007 us=325208 cd_dir = '/etc/openvpn'
Fri Jun 8 17:50:51 2007 us=325236 writepid = '/var/run/openvpn/server.pid'
Fri Jun 8 17:50:51 2007 us=325264 up_script = '[UNDEF]'
Fri Jun 8 17:50:51 2007 us=325291 down_script = '[UNDEF]'
Fri Jun 8 17:50:51 2007 us=325318 down_pre = DISABLED
Fri Jun 8 17:50:51 2007 us=325346 up_restart = DISABLED
Fri Jun 8 17:50:51 2007 us=325373 up_delay = DISABLED
Fri Jun 8 17:50:51 2007 us=325401 daemon = ENABLED
Fri Jun 8 17:50:51 2007 us=325429 inetd = 0
Fri Jun 8 17:50:51 2007 us=328809 log = ENABLED
Fri Jun 8 17:50:51 2007 us=328907 suppress_timestamps = DISABLED
Fri Jun 8 17:50:51 2007 us=329122 nice = 0
Fri Jun 8 17:50:51 2007 us=329155 verbosity = 4
Fri Jun 8 17:50:51 2007 us=329183 mute = 0
Fri Jun 8 17:50:51 2007 us=329211 gremlin = 0
Fri Jun 8 17:50:51 2007 us=329239 status_file = 'openvpn-status.log'
Fri Jun 8 17:50:51 2007 us=329267 status_file_version = 1
Fri Jun 8 17:50:51 2007 us=329295 status_file_update_freq = 60
Fri Jun 8 17:50:51 2007 us=329323 occ = ENABLED
Fri Jun 8 17:50:51 2007 us=329351 rcvbuf = 65536
Fri Jun 8 17:50:51 2007 us=329379 sndbuf = 65536
Fri Jun 8 17:50:51 2007 us=329408 socks_proxy_server = '[UNDEF]'
Fri Jun 8 17:50:51 2007 us=329436 socks_proxy_port = 0
Fri Jun 8 17:50:51 2007 us=329464 socks_proxy_retry = DISABLED
Fri Jun 8 17:50:51 2007 us=329548 fast_io = DISABLED
Fri Jun 8 17:50:51 2007 us=329576 comp_lzo = ENABLED
Fri Jun 8 17:50:51 2007 us=329604 comp_lzo_adaptive = ENABLED
Fri Jun 8 17:50:51 2007 us=329632 route_script = '[UNDEF]'
Fri Jun 8 17:50:51 2007 us=329660 route_default_gateway = '[UNDEF]'
Fri Jun 8 17:50:51 2007 us=329688 route_noexec = DISABLED
Fri Jun 8 17:50:51 2007 us=329716 route_delay = 0
Fri Jun 8 17:50:51 2007 us=329744 route_delay_window = 30
Fri Jun 8 17:50:51 2007 us=329772 route_delay_defined = DISABLED
Fri Jun 8 17:50:51 2007 us=329800 management_addr = '[UNDEF]'
Fri Jun 8 17:50:51 2007 us=329828 management_port = 0
Fri Jun 8 17:50:51 2007 us=329856 management_user_pass = '[UNDEF]'
Fri Jun 8 17:50:51 2007 us=329884 management_log_history_cache = 250
Fri Jun 8 17:50:51 2007 us=329913 management_echo_buffer_size = 100
Fri Jun 8 17:50:51 2007 us=329941 management_query_passwords = DISABLED
Fri Jun 8 17:50:51 2007 us=329969 management_hold = DISABLED
Fri Jun 8 17:50:51 2007 us=330001 plugin[0] ./openvpn-auth-pam.so 'openvpn'
Fri Jun 8 17:50:51 2007 us=330031 shared_secret_file = '[UNDEF]'
Fri Jun 8 17:50:51 2007 us=330059 key_direction = 1
Fri Jun 8 17:50:51 2007 us=330088 ciphername_defined = ENABLED
Fri Jun 8 17:50:51 2007 us=330116 ciphername = 'BF-CBC'
Fri Jun 8 17:50:51 2007 us=330144 authname_defined = ENABLED
Fri Jun 8 17:50:51 2007 us=330172 authname = 'SHA1'
Fri Jun 8 17:50:51 2007 us=330199 keysize = 0
Fri Jun 8 17:50:51 2007 us=330227 engine = DISABLED
Fri Jun 8 17:50:51 2007 us=330255 replay = ENABLED
Fri Jun 8 17:50:51 2007 us=330299 mute_replay_warnings = DISABLED
Fri Jun 8 17:50:51 2007 us=330328 replay_window = 64
Fri Jun 8 17:50:51 2007 us=330355 replay_time = 15
Fri Jun 8 17:50:51 2007 us=330383 packet_id_file = '[UNDEF]'
Fri Jun 8 17:50:51 2007 us=330411 use_iv = ENABLED
Fri Jun 8 17:50:51 2007 us=330438 test_crypto = DISABLED
Fri Jun 8 17:50:51 2007 us=330542 tls_server = ENABLED
Fri Jun 8 17:50:51 2007 us=330574 tls_client = DISABLED
Fri Jun 8 17:50:51 2007 us=330602 key_method = 2
Fri Jun 8 17:50:51 2007 us=330629 ca_file = 'ca.crt'
Fri Jun 8 17:50:51 2007 us=330657 dh_file = 'dh1024.pem'
Fri Jun 8 17:50:51 2007 us=330685 cert_file = 'server.crt'
Fri Jun 8 17:50:51 2007 us=330713 priv_key_file = 'server.key'
Fri Jun 8 17:50:51 2007 us=330741 pkcs12_file = '[UNDEF]'
Fri Jun 8 17:50:51 2007 us=330768 cipher_list = '[UNDEF]'
Fri Jun 8 17:50:51 2007 us=330796 tls_verify = '[UNDEF]'
Fri Jun 8 17:50:51 2007 us=330824 tls_remote = '[UNDEF]'
Fri Jun 8 17:50:51 2007 us=330851 crl_file = '[UNDEF]'
Fri Jun 8 17:50:51 2007 us=330879 ns_cert_type = 0
Fri Jun 8 17:50:51 2007 us=330907 tls_timeout = 2
Fri Jun 8 17:50:51 2007 us=330935 renegotiate_bytes = 0
Fri Jun 8 17:50:51 2007 us=330963 renegotiate_packets = 0
Fri Jun 8 17:50:51 2007 us=330991 renegotiate_seconds = 3600
Fri Jun 8 17:50:51 2007 us=331020 handshake_window = 60
Fri Jun 8 17:50:51 2007 us=331047 transition_window = 3600
Fri Jun 8 17:50:51 2007 us=331095 single_session = DISABLED
Fri Jun 8 17:50:51 2007 us=331124 tls_exit = DISABLED
Fri Jun 8 17:50:51 2007 us=331152 tls_auth_file = 'ta.key'
Fri Jun 8 17:50:51 2007 us=331188 server_network = 10.5.0.0
Fri Jun 8 17:50:51 2007 us=331506 server_netmask = 255.255.255.0
Fri Jun 8 17:50:51 2007 us=331547 server_bridge_ip = 0.0.0.0
Fri Jun 8 17:50:51 2007 us=331577 server_bridge_netmask = 0.0.0.0
Fri Jun 8 17:50:51 2007 us=331606 server_bridge_pool_start = 0.0.0.0
Fri Jun 8 17:50:51 2007 us=331636 server_bridge_pool_end = 0.0.0.0
Fri Jun 8 17:50:51 2007 us=331664 push_list = 'route-gateway 10.5.0.1,ping 10,ping-restart 120'
Fri Jun 8 17:50:51 2007 us=331693 ifconfig_pool_defined = ENABLED
Fri Jun 8 17:50:51 2007 us=331722 ifconfig_pool_start = 10.5.0.2
Fri Jun 8 17:50:51 2007 us=331751 ifconfig_pool_end = 10.5.0.254
Fri Jun 8 17:50:51 2007 us=331780 ifconfig_pool_netmask = 255.255.255.0
Fri Jun 8 17:50:51 2007 us=331809 ifconfig_pool_persist_filename = 'ipp.txt'
Fri Jun 8 17:50:51 2007 us=331837 ifconfig_pool_persist_refresh_freq = 600
Fri Jun 8 17:50:51 2007 us=331865 ifconfig_pool_linear = DISABLED
Fri Jun 8 17:50:51 2007 us=331945 n_bcast_buf = 256
Fri Jun 8 17:50:51 2007 us=331973 tcp_queue_limit = 64
Fri Jun 8 17:50:51 2007 us=332001 real_hash_size = 256
Fri Jun 8 17:50:51 2007 us=332029 virtual_hash_size = 256
Fri Jun 8 17:50:51 2007 us=332057 client_connect_script = '[UNDEF]'
Fri Jun 8 17:50:51 2007 us=332085 learn_address_script = '[UNDEF]'
Fri Jun 8 17:50:51 2007 us=332114 client_disconnect_script = '[UNDEF]'
Fri Jun 8 17:50:51 2007 us=332142 client_config_dir = '[UNDEF]'
Fri Jun 8 17:50:51 2007 us=332170 ccd_exclusive = DISABLED
Fri Jun 8 17:50:51 2007 us=332197 tmp_dir = '[UNDEF]'
Fri Jun 8 17:50:51 2007 us=332225 push_ifconfig_defined = DISABLED
Fri Jun 8 17:50:51 2007 us=332359 push_ifconfig_local = 0.0.0.0
Fri Jun 8 17:50:51 2007 us=332398 push_ifconfig_remote_netmask = 0.0.0.0
Fri Jun 8 17:50:51 2007 us=332427 enable_c2c = ENABLED
Fri Jun 8 17:50:51 2007 us=332455 duplicate_cn = DISABLED
Fri Jun 8 17:50:51 2007 us=332482 cf_max = 0
Fri Jun 8 17:50:51 2007 us=332511 cf_per = 0
Fri Jun 8 17:50:51 2007 us=332539 max_clients = 1024
Fri Jun 8 17:50:51 2007 us=332568 max_routes_per_client = 256
Fri Jun 8 17:50:51 2007 us=332596 client_cert_not_required = ENABLED
Fri Jun 8 17:50:51 2007 us=332624 username_as_common_name = ENABLED
Fri Jun 8 17:50:51 2007 us=332749 auth_user_pass_verify_script = '[UNDEF]'
Fri Jun 8 17:50:51 2007 us=332780 auth_user_pass_verify_script_via_file = DISABLED
Fri Jun 8 17:50:51 2007 us=332808 client = DISABLED
Fri Jun 8 17:50:51 2007 us=332835 pull = DISABLED
Fri Jun 8 17:50:51 2007 us=332863 auth_user_pass_file = '[UNDEF]'
Fri Jun 8 17:50:51 2007 us=332930 OpenVPN 2.0.9 i686-pc-linux [SSL] [LZO] built on Jun 6 2007
Fri Jun 8 17:50:51 2007 us=440021 PLUGIN_INIT: POST ./openvpn-auth-pam.so 'openvpn' intercepted=PLUGIN_AUTH_USER_PASS_VERIFY
Fri Jun 8 17:50:51 2007 us=589419 Diffie-Hellman initialized with 1024 bit key
Fri Jun 8 17:50:51 2007 us=771246 WARNING: file 'server.key' is group or others accessible
Fri Jun 8 17:50:51 2007 us=859250 WARNING: This configuration may accept clients which do not present a certificate
Fri Jun 8 17:50:51 2007 us=863360 WARNING: file 'ta.key' is group or others accessible
Fri Jun 8 17:50:51 2007 us=863502 Control Channel Authentication: using 'ta.key' as a OpenVPN static key file
Fri Jun 8 17:50:51 2007 us=874085 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Fri Jun 8 17:50:51 2007 us=874264 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Fri Jun 8 17:50:51 2007 us=875250 TLS-Auth MTU parms [ L:1574 D:166 EF:66 EB:0 ET:0 EL:0 ]
Fri Jun 8 17:50:52 2007 us=439336 TUN/TAP device tap0 opened
Fri Jun 8 17:50:52 2007 us=463410 TUN/TAP TX queue length set to 100
Fri Jun 8 17:50:52 2007 us=469671 /sbin/ifconfig tap0 10.5.0.1 netmask 255.255.255.0 mtu 1500 broadcast 10.5.0.255
Fri Jun 8 17:50:52 2007 us=649895 Data Channel MTU parms [ L:1574 D:1450 EF:42 EB:135 ET:32 EL:0 AF:3/1 ]
Fri Jun 8 17:50:52 2007 us=681399 GID set to nobody
Fri Jun 8 17:50:52 2007 us=682098 UID set to nobody
Fri Jun 8 17:50:52 2007 us=682683 Socket Buffers: R=[107520->131072] S=[107520->131072]
Fri Jun 8 17:50:52 2007 us=683364 UDPv4 link local (bound): 199.199.199.68:1194
Fri Jun 8 17:50:52 2007 us=683582 UDPv4 link remote: [undef]
Fri Jun 8 17:50:52 2007 us=706233 MULTI: multi_init called, r=256 v=256
Fri Jun 8 17:50:52 2007 us=741811 IFCONFIG POOL: base=10.5.0.2 size=253
Fri Jun 8 17:50:52 2007 us=742355 IFCONFIG POOL LIST
Fri Jun 8 17:50:52 2007 us=742424 dcmserp,10.5.0.2
Fri Jun 8 17:50:52 2007 us=742451 test,10.5.0.3
Fri Jun 8 17:50:52 2007 us=743034 Initialization Sequence Completed
Fri Jun 8 17:52:06 2007 us=979737 MULTI: multi_create_instance called
Fri Jun 8 17:52:07 2007 us=420 199.199.199.69:1074 Re-using SSL/TLS context
Fri Jun 8 17:52:07 2007 us=925 199.199.199.69:1074 LZO compression initialized
Fri Jun 8 17:52:07 2007 us=42159 199.199.199.69:1074 Control Channel MTU parms [ L:1574 D:166 EF:66 EB:0 ET:0 EL:0 ]
Fri Jun 8 17:52:07 2007 us=42322 199.199.199.69:1074 Data Channel MTU parms [ L:1574 D:1450 EF:42 EB:135 ET:32 EL:0 AF:3/1 ]
Fri Jun 8 17:52:07 2007 us=42607 199.199.199.69:1074 Local Options String: 'V4,dev-type tap,link-mtu 1574,tun-mtu 1532,proto UDPv4,comp-lzo,keydir 0,cipher BF-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-server'
Fri Jun 8 17:52:07 2007 us=42637 199.199.199.69:1074 Expected Remote Options String: 'V4,dev-type tap,link-mtu 1574,tun-mtu 1532,proto UDPv4,comp-lzo,keydir 1,cipher BF-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-client'
Fri Jun 8 17:52:07 2007 us=42826 199.199.199.69:1074 Local Options hash (VER=V4): '360696c5'
Fri Jun 8 17:52:07 2007 us=42867 199.199.199.69:1074 Expected Remote Options hash (VER=V4): '13a273ba'
Fri Jun 8 17:52:07 2007 us=51583 199.199.199.69:1074 TLS: Initial packet from 199.199.199.69:1074, sid=5e99d9e4 38e34a9e
AUTH-PAM: BACKGROUND: user 'test' failed to authenticate: Permission denied
Fri Jun 8 17:52:07 2007 us=319935 199.199.199.69:1074 PLUGIN_CALL: POST ./openvpn-auth-pam.so/PLUGIN_AUTH_USER_PASS_VERIFY status=1
Fri Jun 8 17:52:07 2007 us=320160 199.199.199.69:1074 PLUGIN_CALL: plugin function PLUGIN_AUTH_USER_PASS_VERIFY failed with status 1: ./openvpn-auth-pam.so
Fri Jun 8 17:52:07 2007 us=320225 199.199.199.69:1074 TLS Auth Error: Auth Username/Password verification failed for peer
Fri Jun 8 17:52:07 2007 us=349989 199.199.199.69:1074 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA
Fri Jun 8 17:52:07 2007 us=350137 199.199.199.69:1074 [] Peer Connection Initiated with 199.199.199.69:1074
Fri Jun 8 17:52:07 2007 us=729243 199.199.199.69:1074 PUSH: Received control message: 'PUSH_REQUEST'
Fri Jun 8 17:52:07 2007 us=729444 199.199.199.69:1074 SENT CONTROL [UNDEF]: 'AUTH_FAILED' (status=1)
Fri Jun 8 17:52:07 2007 us=729481 199.199.199.69:1074 Delayed exit in 5 seconds
Fri Jun 8 17:52:12 2007 us=59767 199.199.199.69:1074 SIGTERM[soft,delayed-exit] received, client-instance exiting
Fri Jun 8 17:55:29 2007 us=722226 MULTI: multi_create_instance called
Fri Jun 8 17:55:29 2007 us=728957 199.199.199.69:1076 Re-using SSL/TLS context
Fri Jun 8 17:55:29 2007 us=729151 199.199.199.69:1076 LZO compression initialized
Fri Jun 8 17:55:29 2007 us=729375 199.199.199.69:1076 Control Channel MTU parms [ L:1574 D:166 EF:66 EB:0 ET:0 EL:0 ]
Fri Jun 8 17:55:29 2007 us=729413 199.199.199.69:1076 Data Channel MTU parms [ L:1574 D:1450 EF:42 EB:135 ET:32 EL:0 AF:3/1 ]
Fri Jun 8 17:55:29 2007 us=729526 199.199.199.69:1076 Local Options String: 'V4,dev-type tap,link-mtu 1574,tun-mtu 1532,proto UDPv4,comp-lzo,keydir 0,cipher BF-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-server'
Fri Jun 8 17:55:29 2007 us=729554 199.199.199.69:1076 Expected Remote Options String: 'V4,dev-type tap,link-mtu 1574,tun-mtu 1532,proto UDPv4,comp-lzo,keydir 1,cipher BF-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-client'
Fri Jun 8 17:55:29 2007 us=729595 199.199.199.69:1076 Local Options hash (VER=V4): '360696c5'
Fri Jun 8 17:55:29 2007 us=729628 199.199.199.69:1076 Expected Remote Options hash (VER=V4): '13a273ba'
Fri Jun 8 17:55:29 2007 us=729917 199.199.199.69:1076 TLS: Initial packet from 199.199.199.69:1076, sid=27aa5a3f 0e60ea37
AUTH-PAM: BACKGROUND: user 'elm' failed to authenticate: Permission denied
Fri Jun 8 17:55:29 2007 us=909524 199.199.199.69:1076 PLUGIN_CALL: POST ./openvpn-auth-pam.so/PLUGIN_AUTH_USER_PASS_VERIFY status=1
Fri Jun 8 17:55:29 2007 us=909646 199.199.199.69:1076 PLUGIN_CALL: plugin function PLUGIN_AUTH_USER_PASS_VERIFY failed with status 1: ./openvpn-auth-pam.so
Fri Jun 8 17:55:29 2007 us=909695 199.199.199.69:1076 TLS Auth Error: Auth Username/Password verification failed for peer
Fri Jun 8 17:55:29 2007 us=929730 199.199.199.69:1076 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA
Fri Jun 8 17:55:29 2007 us=929869 199.199.199.69:1076 [] Peer Connection Initiated with 199.199.199.69:1076
Fri Jun 8 17:55:30 2007 us=409389 199.199.199.69:1076 PUSH: Received control message: 'PUSH_REQUEST'
Fri Jun 8 17:55:30 2007 us=409602 199.199.199.69:1076 SENT CONTROL [UNDEF]: 'AUTH_FAILED' (status=1)
Fri Jun 8 17:55:30 2007 us=409636 199.199.199.69:1076 Delayed exit in 5 seconds
Fri Jun 8 17:55:35 2007 us=658938 199.199.199.69:1076 SIGTERM[soft,delayed-exit] received,


[ This post was last edited by cjc108 on 2007-6-10 09:46 ]






cjc108 replied on: 2007-06-08 18:53:45

Continued from above . . .

client-instance exiting
Fri Jun 8 17:55:43 2007 us=479334 MULTI: multi_create_instance called
Fri Jun 8 17:55:43 2007 us=479546 199.199.199.69:1077 Re-using SSL/TLS context
Fri Jun 8 17:55:43 2007 us=479663 199.199.199.69:1077 LZO compression initialized
Fri Jun 8 17:55:43 2007 us=479879 199.199.199.69:1077 Control Channel MTU parms [ L:1574 D:166 EF:66 EB:0 ET:0 EL:0 ]
Fri Jun 8 17:55:43 2007 us=479918 199.199.199.69:1077 Data Channel MTU parms [ L:1574 D:1450 EF:42 EB:135 ET:32 EL:0 AF:3/1 ]
Fri Jun 8 17:55:43 2007 us=480030 199.199.199.69:1077 Local Options String: 'V4,dev-type tap,link-mtu 1574,tun-mtu 1532,proto UDPv4,comp-lzo,keydir 0,cipher BF-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-server'
Fri Jun 8 17:55:43 2007 us=480058 199.199.199.69:1077 Expected Remote Options String: 'V4,dev-type tap,link-mtu 1574,tun-mtu 1532,proto UDPv4,comp-lzo,keydir 1,cipher BF-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-client'
Fri Jun 8 17:55:43 2007 us=480100 199.199.199.69:1077 Local Options hash (VER=V4): '360696c5'
Fri Jun 8 17:55:43 2007 us=480133 199.199.199.69:1077 Expected Remote Options hash (VER=V4): '13a273ba'
Fri Jun 8 17:55:43 2007 us=480211 199.199.199.69:1077 TLS: Initial packet from 199.199.199.69:1077, sid=3e3e8f19 b380fd26
AUTH-PAM: BACKGROUND: user 'vpn' failed to authenticate: Permission denied
Fri Jun 8 17:55:43 2007 us=635556 199.199.199.69:1077 PLUGIN_CALL: POST ./openvpn-auth-pam.so/PLUGIN_AUTH_USER_PASS_VERIFY status=1
Fri Jun 8 17:55:43 2007 us=635753 199.199.199.69:1077 PLUGIN_CALL: plugin function PLUGIN_AUTH_USER_PASS_VERIFY failed with status 1: ./openvpn-auth-pam.so
Fri Jun 8 17:55:43 2007 us=635803 199.199.199.69:1077 TLS Auth Error: Auth Username/Password verification failed for peer
Fri Jun 8 17:55:43 2007 us=649129 199.199.199.69:1077 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA
Fri Jun 8 17:55:43 2007 us=649269 199.199.199.69:1077 [] Peer Connection Initiated with 199.199.199.69:1077
Fri Jun 8 17:55:44 2007 us=9208 199.199.199.69:1077 PUSH: Received control message: 'PUSH_REQUEST'
Fri Jun 8 17:55:44 2007 us=9353 199.199.199.69:1077 SENT CONTROL [UNDEF]: 'AUTH_FAILED' (status=1)
Fri Jun 8 17:55:44 2007 us=9384 199.199.199.69:1077 Delayed exit in 5 seconds
Fri Jun 8 17:55:49 2007 us=168986 199.199.199.69:1077 SIGTERM[soft,delayed-exit] received, client-instance exiting

But the client just won't connect; it keeps popping up the username/password login! The icon is yellow!!

client.log is:


Fri Jun 08 18:02:46 2007 us=601905 Current Parameter Settings:
Fri Jun 08 18:02:46 2007 us=601984 config = 'client.ovpn'
Fri Jun 08 18:02:46 2007 us=601997 mode = 0
Fri Jun 08 18:02:46 2007 us=602010 show_ciphers = DISABLED
Fri Jun 08 18:02:46 2007 us=602021 show_digests = DISABLED
Fri Jun 08 18:02:46 2007 us=602033 show_engines = DISABLED
Fri Jun 08 18:02:46 2007 us=602044 genkey = DISABLED
Fri Jun 08 18:02:46 2007 us=602056 key_pass_file = '[UNDEF]'
Fri Jun 08 18:02:46 2007 us=602067 show_tls_ciphers = DISABLED
Fri Jun 08 18:02:46 2007 us=602079 proto = 0
Fri Jun 08 18:02:46 2007 us=602090 local = '[UNDEF]'
Fri Jun 08 18:02:46 2007 us=602103 remote_list[0] = {'199.199.199.68', 1194}
Fri Jun 08 18:02:46 2007 us=602114 remote_random = DISABLED
Fri Jun 08 18:02:46 2007 us=602126 local_port = 1194
Fri Jun 08 18:02:46 2007 us=602155 remote_port = 1194
Fri Jun 08 18:02:46 2007 us=602167 remote_float = DISABLED
Fri Jun 08 18:02:46 2007 us=602178 ipchange = '[UNDEF]'
Fri Jun 08 18:02:46 2007 us=602189 bind_local = DISABLED
Fri Jun 08 18:02:46 2007 us=602200 dev = 'tap'
Fri Jun 08 18:02:46 2007 us=602211 dev_type = '[UNDEF]'
Fri Jun 08 18:02:46 2007 us=602223 dev_node = '[UNDEF]'
Fri Jun 08 18:02:46 2007 us=602235 tun_ipv6 = DISABLED
Fri Jun 08 18:02:46 2007 us=602247 ifconfig_local = '[UNDEF]'
Fri Jun 08 18:02:46 2007 us=602259 ifconfig_remote_netmask = '[UNDEF]'
Fri Jun 08 18:02:46 2007 us=602272 ifconfig_noexec = DISABLED
Fri Jun 08 18:02:46 2007 us=602284 ifconfig_nowarn = DISABLED
Fri Jun 08 18:02:46 2007 us=602296 shaper = 0
Fri Jun 08 18:02:46 2007 us=602308 tun_mtu = 1500
Fri Jun 08 18:02:46 2007 us=602320 tun_mtu_defined = ENABLED
Fri Jun 08 18:02:46 2007 us=602332 link_mtu = 1500
Fri Jun 08 18:02:46 2007 us=602344 link_mtu_defined = DISABLED
Fri Jun 08 18:02:46 2007 us=602357 tun_mtu_extra = 32
Fri Jun 08 18:02:46 2007 us=602369 tun_mtu_extra_defined = ENABLED
Fri Jun 08 18:02:46 2007 us=602381 fragment = 0
Fri Jun 08 18:02:46 2007 us=602392 mtu_discover_type = -1
Fri Jun 08 18:02:46 2007 us=602404 mtu_test = 0
Fri Jun 08 18:02:46 2007 us=602416 mlock = DISABLED
Fri Jun 08 18:02:46 2007 us=602428 keepalive_ping = 0
Fri Jun 08 18:02:46 2007 us=602441 keepalive_timeout = 0
Fri Jun 08 18:02:46 2007 us=602453 inactivity_timeout = 0
Fri Jun 08 18:02:46 2007 us=602465 ping_send_timeout = 0
Fri Jun 08 18:02:46 2007 us=602477 ping_rec_timeout = 120
Fri Jun 08 18:02:46 2007 us=602489 ping_rec_timeout_action = 2
Fri Jun 08 18:02:46 2007 us=602503 ping_timer_remote = DISABLED
Fri Jun 08 18:02:46 2007 us=602515 remap_sigusr1 = 0
Fri Jun 08 18:02:46 2007 us=602527 explicit_exit_notification = 0
Fri Jun 08 18:02:46 2007 us=602539 persist_tun = ENABLED
Fri Jun 08 18:02:46 2007 us=602552 persist_local_ip = DISABLED
Fri Jun 08 18:02:46 2007 us=602564 persist_remote_ip = DISABLED
Fri Jun 08 18:02:46 2007 us=602576 persist_key = ENABLED
Fri Jun 08 18:02:46 2007 us=602589 mssfix = 1450
Fri Jun 08 18:02:46 2007 us=602601 resolve_retry_seconds = 1000000000
Fri Jun 08 18:02:46 2007 us=602614 connect_retry_seconds = 5
Fri Jun 08 18:02:46 2007 us=602626 username = '[UNDEF]'
Fri Jun 08 18:02:46 2007 us=602639 groupname = '[UNDEF]'
Fri Jun 08 18:02:46 2007 us=602651 chroot_dir = '[UNDEF]'
Fri Jun 08 18:02:46 2007 us=602664 cd_dir = '[UNDEF]'
Fri Jun 08 18:02:46 2007 us=602678 writepid = '[UNDEF]'
Fri Jun 08 18:02:46 2007 us=602690 up_script = '[UNDEF]'
Fri Jun 08 18:02:46 2007 us=602703 down_script = '[UNDEF]'
Fri Jun 08 18:02:46 2007 us=602715 down_pre = DISABLED
Fri Jun 08 18:02:46 2007 us=602728 up_restart = DISABLED
Fri Jun 08 18:02:46 2007 us=602740 up_delay = DISABLED
Fri Jun 08 18:02:46 2007 us=602753 daemon = DISABLED
Fri Jun 08 18:02:46 2007 us=602765 inetd = 0
Fri Jun 08 18:02:46 2007 us=602777 log = DISABLED
Fri Jun 08 18:02:46 2007 us=602790 suppress_timestamps = DISABLED
Fri Jun 08 18:02:46 2007 us=602802 nice = 0
Fri Jun 08 18:02:46 2007 us=602814 verbosity = 4
Fri Jun 08 18:02:46 2007 us=742106 mute = 0
Fri Jun 08 18:02:46 2007 us=742131 gremlin = 0
Fri Jun 08 18:02:46 2007 us=742142 status_file = '[UNDEF]'
Fri Jun 08 18:02:46 2007 us=742154 status_file_version = 1
Fri Jun 08 18:02:46 2007 us=742166 status_file_update_freq = 60
Fri Jun 08 18:02:46 2007 us=742177 occ = ENABLED
Fri Jun 08 18:02:46 2007 us=742189 rcvbuf = 0
Fri Jun 08 18:02:46 2007 us=742201 sndbuf = 0
Fri Jun 08 18:02:46 2007 us=742213 socks_proxy_server = '[UNDEF]'
Fri Jun 08 18:02:46 2007 us=742234 socks_proxy_port = 0
Fri Jun 08 18:02:46 2007 us=742246 socks_proxy_retry = DISABLED
Fri Jun 08 18:02:46 2007 us=742257 fast_io = DISABLED
Fri Jun 08 18:02:46 2007 us=742268 comp_lzo = ENABLED
Fri Jun 08 18:02:46 2007 us=742279 comp_lzo_adaptive = ENABLED
Fri Jun 08 18:02:46 2007 us=742290 route_script = '[UNDEF]'
Fri Jun 08 18:02:46 2007 us=742302 route_default_gateway = '[UNDEF]'
Fri Jun 08 18:02:46 2007 us=742313 route_noexec = DISABLED
Fri Jun 08 18:02:46 2007 us=772224 route_delay = 0
Fri Jun 08 18:02:46 2007 us=772335 route_delay_window = 30
Fri Jun 08 18:02:46 2007 us=772350 route_delay_defined = ENABLED
Fri Jun 08 18:02:46 2007 us=772373 route 10.5.0.0/255.255.255.0/nil/nil
Fri Jun 08 18:02:46 2007 us=772385 management_addr = '[UNDEF]'
Fri Jun 08 18:02:46 2007 us=772397 management_port = 0
Fri Jun 08 18:02:46 2007 us=772407 management_user_pass = '[UNDEF]'
Fri Jun 08 18:02:46 2007 us=772420 management_log_history_cache = 250
Fri Jun 08 18:02:46 2007 us=772435 management_echo_buffer_size = 100
Fri Jun 08 18:02:46 2007 us=772447 management_query_passwords = DISABLED
Fri Jun 08 18:02:46 2007 us=772459 management_hold = DISABLED
Fri Jun 08 18:02:46 2007 us=772470 shared_secret_file = '[UNDEF]'
Fri Jun 08 18:02:46 2007 us=772483 key_direction = 2
Fri Jun 08 18:02:46 2007 us=772494 ciphername_defined = ENABLED
Fri Jun 08 18:02:46 2007 us=772506 ciphername = 'BF-CBC'
Fri Jun 08 18:02:46 2007 us=804173 authname_defined = ENABLED
Fri Jun 08 18:02:46 2007 us=804200 authname = 'SHA1'
Fri Jun 08 18:02:46 2007 us=804211 keysize = 0
Fri Jun 08 18:02:46 2007 us=804223 engine = DISABLED
Fri Jun 08 18:02:46 2007 us=804235 replay = ENABLED
Fri Jun 08 18:02:46 2007 us=804247 mute_replay_warnings = DISABLED
Fri Jun 08 18:02:46 2007 us=804358 replay_window = 64
Fri Jun 08 18:02:46 2007 us=804369 replay_time = 15
Fri Jun 08 18:02:46 2007 us=804380 packet_id_file = '[UNDEF]'
Fri Jun 08 18:02:46 2007 us=804391 use_iv = ENABLED
Fri Jun 08 18:02:46 2007 us=804401 test_crypto = DISABLED
Fri Jun 08 18:02:46 2007 us=804413 tls_server = DISABLED
Fri Jun 08 18:02:46 2007 us=804424 tls_client = ENABLED
Fri Jun 08 18:02:46 2007 us=804435 key_method = 2
Fri Jun 08 18:02:46 2007 us=804446 ca_file = 'ca.crt'
Fri Jun 08 18:02:46 2007 us=804457 dh_file = '[UNDEF]'
Fri Jun 08 18:02:46 2007 us=833878 cert_file = 'client.crt'
Fri Jun 08 18:02:46 2007 us=833905 priv_key_file = 'client.key'
Fri Jun 08 18:02:46 2007 us=833916 pkcs12_file = '[UNDEF]'
Fri Jun 08 18:02:46 2007 us=833928 cryptoapi_cert = '[UNDEF]'
Fri Jun 08 18:02:46 2007 us=833940 cipher_list = '[UNDEF]'
Fri Jun 08 18:02:46 2007 us=833951 tls_verify = '[UNDEF]'
Fri Jun 08 18:02:46 2007 us=833962 tls_remote = '[UNDEF]'
Fri Jun 08 18:02:46 2007 us=833973 crl_file = '[UNDEF]'
Fri Jun 08 18:02:46 2007 us=833983 ns_cert_type = 64
Fri Jun 08 18:02:46 2007 us=833994 tls_timeout = 2
Fri Jun 08 18:02:46 2007 us=834005 renegotiate_bytes = 0
Fri Jun 08 18:02:46 2007 us=834015 renegotiate_packets = 0
Fri Jun 08 18:02:46 2007 us=834026 renegotiate_seconds = 3600
Fri Jun 08 18:02:46 2007 us=834038 handshake_window = 60
Fri Jun 08 18:02:46 2007 us=834049 transition_window = 3600
Fri Jun 08 18:02:46 2007 us=834063 single_session = DISABLED
Fri Jun 08 18:02:46 2007 us=872043 tls_exit = DISABLED
Fri Jun 08 18:02:46 2007 us=872107 tls_auth_file = 'ta.key'
Fri Jun 08 18:02:46 2007 us=872138 server_network = 0.0.0.0
Fri Jun 08 18:02:46 2007 us=872152 server_netmask = 0.0.0.0
Fri Jun 08 18:02:46 2007 us=872165 server_bridge_ip = 0.0.0.0
Fri Jun 08 18:02:46 2007 us=872178 server_bridge_netmask = 0.0.0.0
Fri Jun 08 18:02:46 2007 us=872191 server_bridge_pool_start = 0.0.0.0
Fri Jun 08 18:02:46 2007 us=872204 server_bridge_pool_end = 0.0.0.0
Fri Jun 08 18:02:46 2007 us=872216 ifconfig_pool_defined = DISABLED
Fri Jun 08 18:02:46 2007 us=872239 ifconfig_pool_start = 0.0.0.0
Fri Jun 08 18:02:46 2007 us=872254 ifconfig_pool_end = 0.0.0.0
Fri Jun 08 18:02:46 2007 us=872269 ifconfig_pool_netmask = 0.0.0.0
Fri Jun 08 18:02:46 2007 us=872282 ifconfig_pool_persist_filename = '[UNDEF]'
Fri Jun 08 18:02:46 2007 us=872295 ifconfig_pool_persist_refresh_freq = 600
Fri Jun 08 18:02:46 2007 us=872306 ifconfig_pool_linear = DISABLED
Fri Jun 08 18:02:46 2007 us=904842 n_bcast_buf = 256
Fri Jun 08 18:02:46 2007 us=904869 tcp_queue_limit = 64
Fri Jun 08 18:02:46 2007 us=904887 real_hash_size = 256
Fri Jun 08 18:02:46 2007 us=904898 virtual_hash_size = 256
Fri Jun 08 18:02:46 2007 us=904910 client_connect_script = '[UNDEF]'
Fri Jun 08 18:02:46 2007 us=904922 learn_address_script = '[UNDEF]'
Fri Jun 08 18:02:46 2007 us=904934 client_disconnect_script = '[UNDEF]'
Fri Jun 08 18:02:46 2007 us=904945 client_config_dir = '[UNDEF]'
Fri Jun 08 18:02:46 2007 us=904956 ccd_exclusive = DISABLED
Fri Jun 08 18:02:46 2007 us=904967 tmp_dir = '[UNDEF]'
Fri Jun 08 18:02:46 2007 us=904978 push_ifconfig_defined = DISABLED
Fri Jun 08 18:02:46 2007 us=904994 push_ifconfig_local = 0.0.0.0
Fri Jun 08 18:02:46 2007 us=905007 push_ifconfig_remote_netmask = 0.0.0.0
Fri Jun 08 18:02:46 2007 us=905019 enable_c2c = DISABLED
Fri Jun 08 18:02:46 2007 us=933310 duplicate_cn = DISABLED
Fri Jun 08 18:02:46 2007 us=933337 cf_max = 0
Fri Jun 08 18:02:46 2007 us=933348 cf_per = 0
Fri Jun 08 18:02:46 2007 us=933359 max_clients = 1024
Fri Jun 08 18:02:46 2007 us=933371 max_routes_per_client = 256
Fri Jun 08 18:02:46 2007 us=933383 client_cert_not_required = DISABLED
Fri Jun 08 18:02:46 2007 us=933395 username_as_common_name = DISABLED
Fri Jun 08 18:02:46 2007 us=933406 auth_user_pass_verify_script = '[UNDEF]'
Fri Jun 08 18:02:46 2007 us=933418 auth_user_pass_verify_script_via_file = DISABLED
Fri Jun 08 18:02:46 2007 us=933430 client = ENABLED
Fri Jun 08 18:02:46 2007 us=933440 pull = ENABLED
Fri Jun 08 18:02:46 2007 us=933451 auth_user_pass_file = 'stdin'
Fri Jun 08 18:02:46 2007 us=933468 show_net_up = DISABLED
Fri Jun 08 18:02:46 2007 us=933479 route_method = 0
Fri Jun 08 18:02:46 2007 us=933491 ip_win32_defined = DISABLED
Fri Jun 08 18:02:46 2007 us=933501 ip_win32_type = 3
Fri Jun 08 18:02:46 2007 us=965830 dhcp_masq_offset = 0
Fri Jun 08 18:02:46 2007 us=965859 dhcp_lease_time = 31536000
Fri Jun 08 18:02:46 2007 us=965870 tap_sleep = 0
Fri Jun 08 18:02:46 2007 us=965883 dhcp_options = DISABLED
Fri Jun 08 18:02:46 2007 us=965894 dhcp_renew = DISABLED
Fri Jun 08 18:02:46 2007 us=965905 dhcp_pre_release = DISABLED
Fri Jun 08 18:02:46 2007 us=965916 dhcp_release = DISABLED
Fri Jun 08 18:02:46 2007 us=965926 domain = '[UNDEF]'
Fri Jun 08 18:02:46 2007 us=965937 netbios_scope = '[UNDEF]'
Fri Jun 08 18:02:46 2007 us=965949 netbios_node_type = 0
Fri Jun 08 18:02:46 2007 us=965960 disable_nbt = DISABLED
Fri Jun 08 18:02:46 2007 us=965985 OpenVPN 2.0.9 Win32-MinGW [SSL] [LZO] built on Oct 1 2006
Fri Jun 08 18:02:48 2007 us=796658 ERROR: could not read Auth username from stdin
Fri Jun 08 18:02:48 2007 us=796686 Exiting


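What the server log above actually records is worth reading mechanically: the TLS handshake with the peer completes ("Control Channel: TLSv1 ..." and "Peer Connection Initiated" both appear), and the rejection only happens at the PLUGIN_AUTH_USER_PASS_VERIFY step, where openvpn-auth-pam reports "user 'vpn' failed to authenticate: Permission denied" and the server answers the PUSH_REQUEST with AUTH_FAILED. A monitor that only watches for TLS errors would therefore miss every bad-password attempt. The following script is an added example (not code from this thread or from the OpenVPN project) that parses lines in the verb-4 format shown above, pairs each untimestamped AUTH-PAM line with the plugin result that follows it, and counts failed verifications per source IP. The regular expressions, function names and thresholds are my own choices; the sample log is constructed from the thread's lines plus a few made-up ones.

```python
"""Summarise user/pass authentication results from an OpenVPN 2.0.x server log.

Added example for this thread; it is not code from the original post or from
the OpenVPN project. It reads the verb-4 log format shown above
('<Day Mon D HH:MM:SS YYYY> us=<usec> <ip:port> <message>') plus the
untimestamped 'AUTH-PAM: BACKGROUND:' lines written by openvpn-auth-pam.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3} +\d{1,2} \d{2}:\d{2}:\d{2} \d{4}) us=\d+ "
    r"(?P<peer>\d{1,3}(?:\.\d{1,3}){3}:\d+) (?P<msg>.*)$"
)
PAM_FAIL_RE = re.compile(
    r"^AUTH-PAM: BACKGROUND: user '(?P<user>[^']*)' failed to authenticate: (?P<reason>.*)$"
)
PLUGIN_RE = re.compile(r"PLUGIN_CALL: POST \S+/PLUGIN_AUTH_USER_PASS_VERIFY status=(?P<status>\d+)")

# Constructed sample: the failure from the thread plus made-up lines for one
# success from another peer and two more failures from the same peer.
SAMPLE_LOG = """\
Fri Jun 8 17:55:43 2007 us=480211 199.199.199.69:1077 TLS: Initial packet from 199.199.199.69:1077, sid=3e3e8f19 b380fd26
AUTH-PAM: BACKGROUND: user 'vpn' failed to authenticate: Permission denied
Fri Jun 8 17:55:43 2007 us=635556 199.199.199.69:1077 PLUGIN_CALL: POST ./openvpn-auth-pam.so/PLUGIN_AUTH_USER_PASS_VERIFY status=1
Fri Jun 8 17:55:43 2007 us=635803 199.199.199.69:1077 TLS Auth Error: Auth Username/Password verification failed for peer
Fri Jun 8 17:55:44 2007 us=9353 199.199.199.69:1077 SENT CONTROL [UNDEF]: 'AUTH_FAILED' (status=1)
Fri Jun 8 17:56:02 2007 us=100000 199.199.199.70:1100 PLUGIN_CALL: POST ./openvpn-auth-pam.so/PLUGIN_AUTH_USER_PASS_VERIFY status=0
AUTH-PAM: BACKGROUND: user 'vpn' failed to authenticate: Permission denied
Fri Jun 8 17:56:30 2007 us=200000 199.199.199.69:1078 PLUGIN_CALL: POST ./openvpn-auth-pam.so/PLUGIN_AUTH_USER_PASS_VERIFY status=1
AUTH-PAM: BACKGROUND: user 'vpn' failed to authenticate: Permission denied
Fri Jun 8 17:57:01 2007 us=300000 199.199.199.69:1079 PLUGIN_CALL: POST ./openvpn-auth-pam.so/PLUGIN_AUTH_USER_PASS_VERIFY status=1
"""


def parse_auth_events(lines):
    """One dict per PLUGIN_AUTH_USER_PASS_VERIFY result (status=0 is success)."""
    events = []
    pending_pam = None  # PAM failure text waiting for its plugin result line
    for line in lines:
        pam = PAM_FAIL_RE.match(line)
        if pam:
            pending_pam = (pam["user"], pam["reason"])
            continue
        m = LINE_RE.match(line)
        if not m:
            continue
        plug = PLUGIN_RE.search(m["msg"])
        if not plug:
            continue
        ok = plug["status"] == "0"
        failed_pam = pending_pam if (pending_pam and not ok) else (None, None)
        events.append({
            "time": datetime.strptime(m["ts"], "%a %b %d %H:%M:%S %Y"),
            "peer": m["peer"],
            "ip": m["peer"].rsplit(":", 1)[0],
            "ok": ok,
            "user": failed_pam[0],
            "reason": failed_pam[1],
        })
        pending_pam = None
    return events


def failures_by_ip(events):
    """Count failed verifications per source IP (the port changes per connection)."""
    return dict(Counter(ev["ip"] for ev in events if not ev["ok"]))


def repeated_failures(events, threshold=3, window=timedelta(minutes=5)):
    """IPs with at least `threshold` failures inside any `window`; value is the total."""
    by_ip = defaultdict(list)
    for ev in events:
        if not ev["ok"]:
            by_ip[ev["ip"]].append(ev["time"])
    hits = {}
    for ip, times in by_ip.items():
        times.sort()
        for i in range(len(times) - threshold + 1):
            if times[i + threshold - 1] - times[i] <= window:
                hits[ip] = len(times)
                break
    return hits


if __name__ == "__main__":
    evs = parse_auth_events(SAMPLE_LOG.splitlines())
    for ev in evs:
        state = "OK" if ev["ok"] else f"FAIL user={ev['user']} ({ev['reason']})"
        print(ev["time"], ev["peer"], state)
    print("failures per IP:", failures_by_ip(evs))
    print("repeated failures:", repeated_failures(evs))
```

Run it against /var/log/openvpn.log (the path the server config below logs to) instead of SAMPLE_LOG to get the same summary for real traffic; the AUTH-PAM line carries the user name, which the timestamped plugin line does not, so the pairing is what tells you which account was tried from which address.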


cjc108 replied on: 2007-06-08 19:00:01

The VPN server's configuration file /etc/openvpn/server.conf is:

#################################################
# Sample OpenVPN 2.0 config file for #
# multi-client server. #
# #
# This file is for the server side #
# of a many-clients <-> one-server #
# OpenVPN configuration. #
# #
# OpenVPN also supports #
# single-machine <-> single-machine #
# configurations (See the Examples page #
# on the web site for more info). #
# #
# This config should work on Windows #
# or Linux/BSD systems. Remember on #
# Windows to quote pathnames and use #
# double backslashes, e.g.: #
# "C:\\Program Files\\OpenVPN\\config\\foo.key" #
# #
# Comments are preceded with '#' or ';' #
#################################################

# Which local IP address should OpenVPN
# listen on? (optional)
local 199.199.199.68

# Which TCP/UDP port should OpenVPN listen on?
# If you want to run multiple OpenVPN instances
# on the same machine, use a different port
# number for each one. You will need to
# open up this port on your firewall.
port 1194
;port 1575

# TCP or UDP server?
;proto tcp
proto udp

# "dev tun" will create a routed IP tunnel,
# "dev tap" will create an ethernet tunnel.
# Use "dev tap" if you are ethernet bridging.
# If you want to control access policies
# over the VPN, you must create firewall
# rules for the TUN/TAP interface.
# On non-Windows systems, you can give
# an explicit unit number, such as tun0.
# On Windows, use "dev-node" for this.
# On most systems, the VPN will not function
# unless you partially or fully disable
# the firewall for the TUN/TAP interface.
dev tap
;dev tun

# Windows needs the TAP-Win32 adapter name
# from the Network Connections panel if you
# have more than one. On XP SP2 or higher,
# you may need to selectively disable the
# Windows firewall for the TAP adapter.
# Non-Windows systems usually don't need this.
;dev-node MyTap

# SSL/TLS root certificate (ca), certificate
# (cert), and private key (key). Each client
# and the server must have their own cert and
# key file. The server and all clients will
# use the same ca file.
#
# See the "easy-rsa" directory for a series
# of scripts for generating RSA certificates
# and private keys. Remember to use
# a unique Common Name for the server
# and each of the client certificates.
#
# Any X509 key management system can be used.
# OpenVPN can also use a PKCS #12 formatted key file
# (see "pkcs12" directive in man page).
ca ca.crt
cert server.crt
key server.key # This file should be kept secret

# Diffie hellman parameters.
# Generate your own with:
# openssl dhparam -out dh1024.pem 1024
# Substitute 2048 for 1024 if you are using
# 2048 bit keys.
dh dh1024.pem

# Configure server mode and supply a VPN subnet
# for OpenVPN to draw client addresses from.
# The server will take 10.8.0.1 for itself,
# the rest will be made available to clients.
# Each client will be able to reach the server
# on 10.8.0.1. Comment this line out if you are
# ethernet bridging. See the man page for more info.
server 10.5.0.0 255.255.255.0

# Maintain a record of client <-> virtual IP address
# associations in this file. If OpenVPN goes down or
# is restarted, reconnecting clients can be assigned
# the same virtual IP address from the pool that was
# previously assigned.
ifconfig-pool-persist ipp.txt

# Configure server mode for ethernet bridging.
# You must first use your OS's bridging capability
# to bridge the TAP interface with the ethernet
# NIC interface. Then you must manually set the
# IP/netmask on the bridge interface, here we
# assume 10.8.0.4/255.255.255.0. Finally we
# must set aside an IP range in this subnet
# (start=10.8.0.50 end=10.8.0.100) to allocate
# to connecting clients. Leave this line commented
# out unless you are ethernet bridging.
;server-bridge 10.8.0.4 255.255.255.0 10.8.0.50 10.8.0.100

# Push routes to the client to allow it
# to reach other private subnets behind
# the server. Remember that these
# private subnets will also need
# to know to route the OpenVPN client
# address pool (10.8.0.0/255.255.255.0)
# back to the OpenVPN server.
;push "route 192.168.10.0 255.255.255.0"
;push "route 192.168.20.0 255.255.255.0"

# To assign specific IP addresses to specific
# clients or if a connecting client has a private
# subnet behind it that should also have VPN access,
# use the subdirectory "ccd" for client-specific
# configuration files (see man page for more info).

# EXAMPLE: Suppose the client
# having the certificate common name "Thelonious"
# also has a small subnet behind his connecting
# machine, such as 192.168.40.128/255.255.255.248.
# First, uncomment out these lines:
;client-config-dir ccd
;route 192.168.40.128 255.255.255.248
# Then create a file ccd/Thelonious with this line:
# iroute 192.168.40.128 255.255.255.248
# This will allow Thelonious' private subnet to
# access the VPN. This example will only work
# if you are routing, not bridging, i.e. you are
# using "dev tun" and "server" directives.

# EXAMPLE: Suppose you want to give
# Thelonious a fixed VPN IP address of 10.9.0.1.
# First uncomment out these lines:
;client-config-dir ccd
;route 10.9.0.0 255.255.255.252
# Then add this line to ccd/Thelonious:
# ifconfig-push 10.9.0.1 10.9.0.2

# Suppose that you want to enable different
# firewall access policies for different groups
# of clients. There are two methods:
# (1) Run multiple OpenVPN daemons, one for each
# group, and firewall the TUN/TAP interface
# for each group/daemon appropriately.
# (2) (Advanced) Create a script to dynamically
# modify the firewall in response to access
# from different clients. See man
# page for more info on learn-address script.
;learn-address ./script

# If enabled, this directive will configure
# all clients to redirect their default
# network gateway through the VPN, causing
# all IP traffic such as web browsing and
# DNS lookups to go through the VPN
# (The OpenVPN server machine may need to NAT
# the TUN/TAP interface to the internet in
# order for this to work properly).
# CAVEAT: May break client's network config if
# client's local DHCP server packets get routed
# through the tunnel. Solution: make sure
# client's local DHCP server is reachable via
# a more specific route than the default route
# of 0.0.0.0/0.0.0.0.
;push "redirect-gateway"

# Certain Windows-specific network settings
# can be pushed to clients, such as DNS
# or WINS server addresses. CAVEAT:
# http://openvpn.net/faq.html#dhcpcaveats
;push "dhcp-option DNS 10.8.0.1"
;push "dhcp-option WINS 10.8.0.1"

# Uncomment this directive to allow different
# clients to be able to "see" each other.
# By default, clients will only see the server.
# To force clients to only see the server, you
# will also need to appropriately firewall the
# server's TUN/TAP interface.
client-to-client

# Uncomment this directive if multiple clients
# might connect with the same certificate/key
# files or common names. This is recommended
# only for testing purposes. For production use,
# each client should have its own certificate/key
# pair.
#
# IF YOU HAVE NOT GENERATED INDIVIDUAL
# CERTIFICATE/KEY PAIRS FOR EACH CLIENT,
# EACH HAVING ITS OWN UNIQUE "COMMON NAME",
# UNCOMMENT THIS LINE OUT.
;duplicate-cn

# The keepalive directive causes ping-like
# messages to be sent back and forth over
# the link so that each side knows when
# the other side has gone down.
# Ping every 10 seconds, assume that remote
# peer is down if no ping received during
# a 120 second time period.
keepalive 10 120

# For extra security beyond that provided
# by SSL/TLS, create an "HMAC firewall"
# to help block DoS attacks and UDP port flooding.
#
# Generate with:
# openvpn --genkey --secret ta.key
#
# The server and each client must have
# a copy of this key.
# The second parameter should be '0'
# on the server and '1' on the clients.
tls-auth ta.key 0 # This file is secret
plugin ./openvpn-auth-pam.so openvpn
client-cert-not-required
username-as-common-name
# Select a cryptographic cipher.
# This config item must be copied to
# the client config file as well.
;cipher BF-CBC # Blowfish (default)
;cipher AES-128-CBC # AES
;cipher DES-EDE3-CBC # Triple-DES

# Enable compression on the VPN link.
# If you enable it here, you must also
# enable it in the client config file.
comp-lzo

# The maximum number of concurrently connected
# clients we want to allow.
;max-clients 100

# It's a good idea to reduce the OpenVPN
# daemon's privileges after initialization.
#
# You can uncomment this out on
# non-Windows systems.
user nobody
group nobody

# The persist options will try to avoid
# accessing certain resources on restart
# that may no longer be accessible because
# of the privilege downgrade.
persist-key
persist-tun

# Output a short status file showing
# current connections, truncated
# and rewritten every minute.
status openvpn-status.log

# By default, log messages will go to the syslog (or
# on Windows, if running as a service, they will go to
# the "\Program Files\OpenVPN\log" directory).
# Use log or log-append to override this default.
# "log" will truncate the log file on OpenVPN startup,
# while "log-append" will append to it. Use one
# or the other (but not both).
log /var/log/openvpn.log
;log-append openvpn.log

# Set the appropriate level of log
# file verbosity.
#
# 0 is silent, except for fatal errors
# 4 is reasonable for general usage
# 5 and 6 can help to debug connection problems
# 9 is extremely verbose
verb 4

# Silence repeating messages. At most 20
# sequential messages of the same message
# category will be output to the log.
;mute 20



[ This post was last edited by cjc108 on 2007-6-10 10:10 ]


cjc108 replied on: 2007-06-08 19:02:21

The WinXP client's client.ovpn file is:

##############################################
# Sample client-side OpenVPN 2.0 config file #
# for connecting to multi-client server. #
# #
# This configuration can be used by multiple #
# clients, however each client should have #
# its own cert and key files. #
# #
# On Windows, you might want to rename this #
# file so it has a .ovpn extension #
##############################################

# Specify that we are a client and that we
# will be pulling certain config file directives
# from the server.
client

# Use the same setting as you are using on
# the server.
# On most systems, the VPN will not function
# unless you partially or fully disable
# the firewall for the TUN/TAP interface.
dev tap
;dev tun

# Windows needs the TAP-Win32 adapter name
# from the Network Connections panel
# if you have more than one. On XP SP2,
# you may need to disable the firewall
# for the TAP adapter.
;dev-node MyTap

# Are we connecting to a TCP or
# UDP server? Use the same setting as
# on the server.
;proto tcp
proto udp

# The hostname/IP and port of the server.
# You can have multiple remote entries
# to load balance between the servers.
remote 199.199.199.68 1194
;remote 199.199.199.68 1575
;remote my-server-2 1194

# Choose a random host from the remote
# list for load-balancing. Otherwise
# try hosts in the order specified.
;remote-random

# Keep trying indefinitely to resolve the
# host name of the OpenVPN server. Very useful
# on machines which are not permanently connected
# to the internet such as laptops.
resolv-retry infinite

# Most clients don't need to bind to
# a specific local port number.
nobind

# Downgrade privileges after initialization (non-Windows only)
;user nobody
;group nobody

# Try to preserve some state across restarts.
persist-key
persist-tun

# If you are connecting through an
# HTTP proxy to reach the actual OpenVPN
# server, put the proxy server/IP and
# port number here. See the man page
# if your proxy server requires
# authentication.
;http-proxy-retry # retry on connection failures
;http-proxy [proxy server] [proxy port #]

# Wireless networks often produce a lot
# of duplicate packets. Set this flag
# to silence duplicate packet warnings.
;mute-replay-warnings

# SSL/TLS parms.
# See the server config file for more
# description. It's best to use
# a separate .crt/.key file pair
# for each client. A single ca
# file can be used for all clients.
ca ca.crt
cert client.crt
key client.key
auth-user-pass
# Verify server certificate by checking
# that the certificate has the nsCertType
# field set to "server". This is an
# important precaution to protect against
# a potential attack discussed here:
# http://openvpn.net/howto.html#mitm
#
# To use this feature, you will need to generate
# your server certificates with the nsCertType
# field set to "server". The build-key-server
# script in the easy-rsa folder will do this.
ns-cert-type server

# If a tls-auth key is used on the server
# then every client must also have the key.
tls-auth ta.key 1
route 10.5.0.0 255.255.255.0
# Select a cryptographic cipher.
# If the cipher option is used on the server
# then you must also specify it here.
;cipher x

# Enable compression on the VPN link.
# Don't enable this unless it is also
# enabled in the server config file.
comp-lzo

# Set log file verbosity.
verb 4
;redirect-gateway

# Silence repeating messages
;mute 20
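The two files above have to agree on several settings (proto, dev, comp-lzo, the tls-auth key direction 0 on the server and 1 on the client, the port) and the user/pass setup has to be complete on both ends (auth-user-pass on the client, a plugin or auth-user-pass-verify on the server). With client-cert-not-required the server no longer verifies a client certificate at all, so the PAM check is the only thing that authenticates a client, and ns-cert-type server on the client is what stops another client certificate from impersonating the server. The script below is an added example, not code from this thread or from OpenVPN: it parses a server.conf and a client.ovpn in OpenVPN's plain directive format and reports mismatches. The check names and messages are mine; the embedded configs are constructed, trimmed-down copies of the two posted above.

```python
"""Consistency check for an OpenVPN 2.0 server.conf / client.ovpn pair.

Added example for this thread, not code from the original post or from OpenVPN.
Comments start with '#' or ';' (a ';' line is a disabled directive).
"""

# Constructed, trimmed-down versions of the configs posted in this thread.
SERVER_CONF = """\
local 199.199.199.68
port 1194
proto udp
dev tap
ca ca.crt
cert server.crt
key server.key  # This file should be kept secret
dh dh1024.pem
server 10.5.0.0 255.255.255.0
tls-auth ta.key 0
plugin ./openvpn-auth-pam.so openvpn
client-cert-not-required
username-as-common-name
comp-lzo
user nobody
group nobody
"""

CLIENT_OVPN = """\
client
dev tap
proto udp
remote 199.199.199.68 1194
resolv-retry infinite
nobind
ca ca.crt
auth-user-pass
ns-cert-type server
tls-auth ta.key 1
comp-lzo
"""

# Constructed broken variant: wrong tls-auth direction and compression off.
BAD_CLIENT = CLIENT_OVPN.replace("tls-auth ta.key 1", "tls-auth ta.key 0").replace("comp-lzo\n", "")


def parse_ovpn(text):
    """Map each directive to its argument list (last occurrence wins)."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith(";"):
            continue
        parts = line.split()
        conf[parts[0]] = parts[1:]
    return conf


def check_pair(server_text, client_text):
    """Return a list of (severity, message) findings for the pair."""
    s, c = parse_ovpn(server_text), parse_ovpn(client_text)
    findings = []
    err = lambda m: findings.append(("ERROR", m))
    warn = lambda m: findings.append(("WARN", m))

    # Link-level settings that both sides must share.
    for key in ("proto", "dev", "cipher"):
        sv, cv = s.get(key), c.get(key)
        if key == "cipher" and sv is None and cv is None:
            continue  # both use the default cipher
        if sv != cv:
            err(f"{key}: server has {sv}, client has {cv}")
    if ("comp-lzo" in s) != ("comp-lzo" in c):
        err("comp-lzo must be enabled on both sides or on neither")
    sport = s.get("port", ["1194"])[0]
    cport = c["remote"][1] if len(c.get("remote", [])) > 1 else "1194"
    if sport != cport:
        err(f"port: server listens on {sport}, client connects to {cport}")

    # tls-auth: same key file on both sides, direction 0 on server, 1 on client.
    if "tls-auth" in s:
        if "tls-auth" not in c:
            err("server uses tls-auth but the client has no tls-auth line")
        else:
            sdir = s["tls-auth"][1] if len(s["tls-auth"]) > 1 else None
            cdir = c["tls-auth"][1] if len(c["tls-auth"]) > 1 else None
            if (sdir is None) != (cdir is None) or (sdir is not None and (sdir, cdir) != ("0", "1")):
                err(f"tls-auth direction must be 0 on the server and 1 on the client (got {sdir}/{cdir})")

    # Username/password path must exist on both ends.
    if "auth-user-pass" in c and not ("plugin" in s or "auth-user-pass-verify" in s):
        err("client sends a username/password but the server has no plugin or auth-user-pass-verify")
    if "client-cert-not-required" in s:
        warn("client-cert-not-required: client certificates are not verified, "
             "so the username/password check is the only client authentication")
        if "username-as-common-name" not in s:
            warn("username-as-common-name is not set, so the authenticated user name "
                 "is not used as the client's common name for ccd files and status entries")
    if "ns-cert-type" not in c and "remote-cert-tls" not in c:
        warn("client does not check the server certificate role (ns-cert-type server)")
    return findings


if __name__ == "__main__":
    for label, client in (("posted pair", CLIENT_OVPN), ("broken pair", BAD_CLIENT)):
        print(f"== {label}")
        for level, msg in check_pair(SERVER_CONF, client):
            print(f"  [{level}] {msg}")
```

For the posted pair the only finding is the warning about client-cert-not-required, which is exactly the trade-off the thread accepts: no client certificate, so the PAM account database is the whole client-side trust decision, and the log parser above is where you watch it.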