1. 安装SS5:
# tar -zxvf ss5-3.6.4-3.tar.gz
# cd ss5-3.6.4-3
# ./configure
# make
# make install
# cp conf/ss5.conf conf/ss5.passwd /etc/opt/ss5/
# vi /etc/init.d/ss5
原启动教本有误,请修改第34行的“if”为“elif”。
2. 配置SS5:
# vi /etc/opt/ss5/ss5.conf
============+============+============
#实现用户认证并限制带宽:
set SS5_DNSORDER
set SS5_PAM_AUTH
auth 0.0.0.0/0 - u
permit - 0.0.0.0/0 - 0.0.0.0/0 - - - 10240 -
#如果要实现不同用户认证并分别限制带宽,在/etc/opt/ss5目录创建user和file两个文件,该文件中含有要认证的用户名:
permit - 0.0.0.0/0 - 0.0.0.0/0 - - user 10240 -
permit - 0.0.0.0/0 - 0.0.0.0/0 - - file 102400 -
============+============+============
3. 配置PAM认证:
# vi /etc/pam.d/ss5
============+============+============
auth optional /usr/lib/security/pam_mysql.so user=ss5 \
passwd=121212 host=localhost db=ss5 table=user \
usercolumn=username passwdcolumn=passwd crypt=2
account required /usr/lib/security/pam_mysql.so user=ss5 \
passwd=121212 host=localhost db=ss5 table=user \
usercolumn=username passwdcolumn=passwd crypt=2
============+============+============
4. 安装PAM_MYSQL:
# tar -zxvf pam_mysql-0.7RC1.tar.gz
# cd pam_mysql-0.7RC1
# ./configure --with-openssl --with-mysql=/usr/local/mysql
# make
# make install
# echo "/usr/lib/security" >> /etc/ld.so.conf
# ldconfig
5. 创建数据库:
# mysqladmin -u root -pmysqldbserver create ss5
# mysql -u root -pmysqldbserver
mysql> use ss5;
mysql> GRANT ALL PRIVILEGES ON ss5.* TO IDENTIFIED BY '121212';
mysql> CREATE TABLE user (ID int not null auto_increment,USERNAME varchar(64), PASSWD varchar(255), primary key(ID) );
6. 添加测试用户:
mysql> insert into user (username,passwd) values ('test',password('1234'));
7. 附录:
Example 3, a case study
In the following case, ss5 works with:
1. PAM authentication using pam_winbind.so
2. Directory authorization with multiple userstore (Active Directory)
3. Authentication cache enable
4. Authorization cache enable
5. Netbios domain support
6. Proxy upstream through other socks server
7. Traffic dump to file
auth 0.0.0.0/0 - u
# Enable PAM authentication
set SS5_PAM_AUTH
# Set session timeout
set SS5_STIMEOUT 3600
# Enable Cache for authentication for 600 seconds
# set SS5_AUTHCACHEAGE 600
# Enable Cache for authorization for 600 seconds
# set SS5_AUTHOCACHEAGE 600
# Enable directory authorization with filter mode
set SS5_LDAP_FILTER
# Enable netbios domain mapping with directory
( socks username in the form: domainA\user1 )
set SS5_NETBIOS_DOMAIN
# Dump traffic data to file for connections through an Oracle db server
dump 182.10.10.20/32 1521 1
# Upstream proxy for 162.10.10.0 network
proxy 162.10.10.0/24 - 10.10.10.20 1080 -
# Permit http access to user who belong to WEB group into Active Directory
#Auth SHost SPort DHost DPort Fixup Group Band
permit u 0.0.0.0/0 - 182.10.0.0/16 80 - CN=WEB,CN=Users,DC=subDomainA,DC=DomainA,DC=it -
permit u 0.0.0.0/0 - 182.10.0.0/16 80 - CN=WEB,CN=Users,DC=subDomainB,DC=DomainB,DC=it -
# Netbios domain (in case of MSdomainA\userA)
ldap_profile_ip 162.10.20.1
ldap_profile_port 389
ldap_profile_base DC=subDomainA,DC=DomainA,DC=it
ldap_profile_filter cn
ldap_profile_attribute MemberOf
ldap_profile_dn CN=userReader,cn=Users,DC=subDomainA,DC=DomainA,DC=it
ldap_profile_pass password
ldap_netbios_domain MSDomainA
# Netbios domain (in case of MSdomainB\userB)
ldap_profile_ip 162.10.30.1
ldap_profile_port 389
ldap_profile_base DC=subDomainB,DC=DomainB,DC=it
ldap_profile_filter cn
ldap_profile_attribute MemberOf
ldap_profile_dn CN=userReader,cn=Users,DC=subDomainB,DC=DomainB,DC=it
ldap_profile_pass password
ldap_netbios_domain MSdomainB
使用密码文件认证:
# vi /etc/opt/ss5/ss5.passwd
test 123456
llzqq 123456
阅读(1719) | 评论(3) | 转发(0) |
