Authentication Gateway HOWTO

Nathan Zorn

    zornnh@musc.edu

yomoyomo (Japanese translation)

    ymgrtq@ma.neweb.ne.jp

Revision History                                                       
Revision 0.03            2001-12-06         Revised by: nhz            
Revision 0.02            2001-09-28         Revised by: KET            
Revision 0.01            2001-09-06         Revised by: nhz            

Securing a network against unauthorized use has become a real concern in
open-access network areas, and traditional security measures are often not
enough there. One answer is an authentication gateway: a host that requires
every user to authenticate before the network can be used. This document
describes how to build such a gateway, which addresses the main part of that
concern.



Table of Contents
1. Introduction
   
    1.1. Copyright
    1.2. Disclaimer
    1.3. New Versions
    1.4. Credits
    1.5. Feedback
   
2. Requirements
   
    2.1. Netfilter
    2.2. PAM for Netfilter
    2.3. DHCP Server
    2.4. Authentication Mechanism
    2.5. DNS Server
   
3. Setting Up the Gateway Services
   
    3.1. Netfilter Configuration
    3.2. PAM iptables Module
    3.3. DHCP Server Configuration
    3.4. Authentication Setup
    3.5. DNS Configuration
   
4. Using the Authentication Gateway
5. Conclusion
6. Additional Information
7. Questions and Answers
8. About the Japanese Translation

1. Introduction

In open-access network areas it is very easy for unauthorized users to get
onto the network. Anyone who is not authorized can still communicate over it
and connect to the resources behind it: a person simply sits down at a machine
or a network terminal and has network access. Wireless security is improving
with WEP and similar measures, but WEP-protected networks can be broken with
tools such as AirSnort. One approach to the problem is to stop relying on the
security features of the network itself, place an authentication gateway in
front of the open-access network, and require users to authenticate to that
gateway before they may use the network. This HOWTO describes how to build such
a gateway on Linux.



1.1. Copyright

This document is copyrighted (c) 2001 Nathan Zorn. Permission is granted to
copy, distribute and/or modify this document under the terms of the GNU Free
Documentation License (GFDL), version 1.1 or any later version published by the
Free Software Foundation, with no Invariant Sections, no Front-Cover Texts and
no Back-Cover Texts. A copy of the license is available at
http://www.gnu.org/copyleft/fdl.html.

If you have any questions, please contact <zornnh@musc.edu>.



1.2. Disclaimer

No liability for the contents of this document can be accepted. Use the
concepts, examples and other content at your own risk. As this is a new
edition, there may be errors and inaccuracies that could damage your system.
Proceed with caution. Although this is highly unlikely, the author(s) take no
responsibility for any damage that does occur.

All copyrights are held by their respective owners unless specifically noted
otherwise. Use of a term in this document should not be regarded as affecting
the validity of any trademark or service mark.

Naming of particular products or brands should not be seen as an endorsement.

You are strongly recommended to take a backup of your system before any major
installation and to make backups at regular intervals.



1.3. New Versions

This is the first public release.

The newest version of this document can be found at
http://www.itlab.musc.edu/~nathan/authentication_gateway/
<http://www.itlab.musc.edu/~nathan/authentication_gateway/>. Related HOWTOs are
available from the Linux Documentation Project <http://www.linuxdoc.org/> home
page.



1.4. Credits

Jamin W. Collins

Kristin E Thomas



1.5. Feedback

Feedback on this document is most welcome. Without your submissions and
comments this document would not exist. Please send additions, comments and
criticisms to the following e-mail address: <zornnh@musc.edu>



2. Requirements

This section describes what is needed to build an authentication gateway.



2.1. Netfilter

The authentication gateway uses Netfilter and iptables to manage its firewall
rules. See the Netfilter HOWTO <http://netfilter.samba.org/
unreliable-guides/packet-filtering-HOWTO/index.html>.



2.2. PAM for Netfilter

A pluggable authentication module (PAM) written by Nathan Zorn, available at
http://www.itlab.musc.edu/~nathan/pam_iptables <http://
www.itlab.musc.edu/~nathan/pam_iptables/>.



2.3. DHCP Server

The authentication gateway also acts as the Dynamic Host Configuration
Protocol (DHCP) server for the open network. This is only needed if the open
network requires DHCP service. The ISC DHCP Server <http://www.isc.org/
products/DHCP/> is used.



2.4. Authentication Mechanism

The gateway can use any authentication method that PAM supports. The
mechanism in use at our site is LDAP, so the gateway's PAM configuration is set
up to authenticate against LDAP. More information about pam_ldap is available
at http://www.padl.com/pam_ldap.html. PAM lets you substitute other
authentication schemes; for details see the list of PAM modules
<http://www.kernel.org/pub/linux/libs/pam/modules.html>.



2.5. DNS Server

The gateway also provides DNS to the open network. Bind
<http://www.isc.org/products/BIND/> is installed and run as a caching name
server. On Red Hat the caching-nameserver RPM package can be used to set up a
caching server.



3. Setting Up the Gateway Services

This section explains how to configure each component of the authentication
gateway. The example used here is a private open network on the subnet
10.0.1.0/24. eth0 is the gateway interface connected to the internal network;
eth1 is the interface connected to the open network and has the IP address
10.0.1.1. Adjust these settings to fit the network you are using. The gateway
ran Red Hat 7.1, so some of the examples are specific to Red Hat.



3.1. Netfilter Configuration

To use netfilter, the kernel must be configured with netfilter support and
recompiled. If you need information on configuring and compiling the kernel,
see the Kernel-HOWTO <http://www.linuxdoc.org/HOWTO/Kernel-HOWTO.html>.

The kernel configuration used here looked as follows:

   #                                                                
   # Networking options                                             
   #                                                                
   CONFIG_PACKET=y                                                  
   # CONFIG_PACKET_MMAP is not set                                  
   # CONFIG_NETLINK is not set                                      
   CONFIG_NETFILTER=y                                               
   CONFIG_NETFILTER_DEBUG=y                                         
   CONFIG_FILTER=y                                                  
   CONFIG_UNIX=y                                                    
   CONFIG_INET=y                                                    
   CONFIG_IP_MULTICAST=y                                            
   # CONFIG_IP_ADVANCED_ROUTER is not set                           
   # CONFIG_IP_PNP is not set                                       
   # CONFIG_NET_IPIP is not set                                     
   # CONFIG_NET_IPGRE is not set                                    
   # CONFIG_IP_MROUTE is not set                                    
   # CONFIG_INET_ECN is not set                                     
   # CONFIG_SYN_COOKIES is not set                                  
                                                                    
                                                                    
   #   IP: Netfilter Configuration                                  
   #                                                                
   CONFIG_IP_NF_CONNTRACK=y                                         
   CONFIG_IP_NF_FTP=y                                               
   CONFIG_IP_NF_IPTABLES=y                                          
   CONFIG_IP_NF_MATCH_LIMIT=y                                       
   CONFIG_IP_NF_MATCH_MAC=y                                         
   CONFIG_IP_NF_MATCH_MARK=y                                        
   CONFIG_IP_NF_MATCH_MULTIPORT=y                                   
   CONFIG_IP_NF_MATCH_TOS=y                                         
   CONFIG_IP_NF_MATCH_TCPMSS=y                                      
   CONFIG_IP_NF_MATCH_STATE=y                                       
   CONFIG_IP_NF_MATCH_UNCLEAN=y                                     
   CONFIG_IP_NF_MATCH_OWNER=y                                       
   CONFIG_IP_NF_FILTER=y                                            
   CONFIG_IP_NF_TARGET_REJECT=y                                     
   CONFIG_IP_NF_TARGET_MIRROR=y                                     
   CONFIG_IP_NF_NAT=y                                               
   CONFIG_IP_NF_NAT_NEEDED=y                                        
   CONFIG_IP_NF_TARGET_MASQUERADE=y                                 
   CONFIG_IP_NF_TARGET_REDIRECT=y                                   
   CONFIG_IP_NF_NAT_FTP=y                                           
   CONFIG_IP_NF_MANGLE=y                                            
   CONFIG_IP_NF_TARGET_TOS=y                                        
   CONFIG_IP_NF_TARGET_MARK=y                                       
   CONFIG_IP_NF_TARGET_LOG=y                                        
   CONFIG_IP_NF_TARGET_TCPMSS=y                                     
                                                                    


iptables must also be installed, either from the package supplied with your
distribution or from source. Once the kernel built with the options above is
running and iptables is installed, the following default firewall rules were
set. (Note that the state list must be written without a space after the
comma; `--state NEW, INVALID` is split into two arguments by the shell and
iptables rejects it.)


   iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
   iptables -A INPUT -i eth0 -m state --state NEW,INVALID -j DROP
   iptables -A FORWARD -i eth0 -m state --state NEW,INVALID -j DROP
   iptables -I FORWARD -o eth0 -j DROP
   iptables -I FORWARD -s 10.0.1.0/24 -d 10.0.1.1 -j ACCEPT
                                                                      


The commands above can be placed in an initscript so that they are applied
whenever the server is rebooted. To confirm that the rules have been added,
run the following commands:


   iptables -v -t nat -L                                            
   iptables -v -t filter -L                                         
                                                                    


To save these rules, the Red Hat init script is used:


   /etc/init.d/iptables save                                        
   /etc/init.d/iptables restart                                     
                                                                    


Once the rules are in place, enable IP forwarding with the following command:


   echo 1 > /proc/sys/net/ipv4/ip_forward                           
                                                                    


So that IP forwarding is also enabled after the machine reboots, add the
following line to /etc/sysctl.conf:


   net.ipv4.ip_forward = 1                                          
                                                                    


The gateway now performs network address translation (NAT) and drops every
packet forwarded towards the internal network (out of eth0), while allowing
only established traffic to be forwarded back towards the open network. Note
that the last rule above, which accepts traffic from 10.0.1.0/24 to 10.0.1.1,
never matches anything: packets addressed to the gateway's own address
traverse the INPUT chain, not FORWARD, so the gateway's SSH, DHCP and DNS
services stay reachable from the open network simply because INPUT only
restricts eth0 in this rule set. Access from clients to the internal network
is what the PAM module in the next section opens up, one client at a time, by
inserting an ACCEPT rule above the DROP.



3.2. PAM iptables Module

This module is a PAM session module that inserts the firewall rule needed to
forward an authenticated client's traffic when the session opens, and removes
it when the session closes. To set it up, fetch the source
<ftp://ftp.itlab.musc.edu/pub/pam_iptables.tar.gz> and compile it with the
following commands:


   gcc -fPIC -c pam_iptables.c                                      
   ld -x --shared -o pam_iptables.so pam_iptables.o                 
                                                                    


This produces two binaries, pam_iptables.so and pam_iptables.o. Copy
pam_iptables.so to /lib/security/pam_iptables.so:


   cp pam_iptables.so /lib/security/pam_iptables.so                 
                                                                    


The authentication client chosen for the gateway is SSH, so add the following
line to /etc/pam.d/sshd:


   session    required     /lib/security/pam_iptables.so            
                                                                    


Now, when a user logs in over SSH, the firewall rule for that user's client
address is added.

The default interface for pam_iptables is eth0: the rule it inserts accepts the
client's traffic forwarded out of eth0. This default can be changed by adding
the interface parameter:


   session required /lib/security/pam_iptables.so interface=eth1    
                                                                    


This is only necessary when the interface connected to the internal network is
not eth0.

To test that the pam_iptables module is working, do the following:

 1. Log in to the gateway over SSH.
   
 2. Check with iptables -L that a rule for your client address has been added
    to the FORWARD chain.
   
 3. Log out of the gateway and confirm that the rule has been removed again.
   
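The rule handling of Sections 3.1 and 3.2, as an added example that is not part of this HOWTO or of the pam_iptables module: shell functions that load the baseline policy, admit or drop one client the way the PAM session module does at login and logout, and list the admitted clients by parsing iptables -S output, which is the check step 2 of the test above performs by eye. The interface names and subnet follow Section 3 (eth0 internal, eth1 open, 10.0.1.0/24). The IPTABLES variable, the function names and the sample iptables -S output at the bottom are assumptions made for this example; the sample is constructed, and setting IPTABLES=echo lets the functions be exercised without root.

```shell
#!/bin/sh
# Added example for the Authentication Gateway HOWTO; not part of the HOWTO or
# of pam_iptables.  Assumptions: eth0 faces the internal network, eth1 the open
# network 10.0.1.0/24 (as in Section 3); IPTABLES may be overridden (e.g.
# IPTABLES=echo) so the functions can be exercised without root.
IPTABLES=${IPTABLES:-iptables}
INT_IF=${INT_IF:-eth0}           # interface towards the internal network
OPEN_IF=${OPEN_IF:-eth1}         # interface towards the open (untrusted) network
OPEN_NET=${OPEN_NET:-10.0.1.0/24}

# Baseline policy of Section 3.1: masquerade towards the internal network, let
# nothing new in from the internal side, and drop everything forwarded towards
# the internal network.  The DROP is appended last on purpose: per-client ACCEPT
# rules are inserted (-I) above it, so they win for as long as they exist.
gw_base_rules() {
    "$IPTABLES" -t nat -A POSTROUTING -o "$INT_IF" -j MASQUERADE
    "$IPTABLES" -A INPUT   -i "$INT_IF" -m state --state NEW,INVALID -j DROP
    "$IPTABLES" -A FORWARD -i "$INT_IF" -m state --state NEW,INVALID -j DROP
    "$IPTABLES" -A FORWARD -i "$OPEN_IF" -o "$INT_IF" -j DROP
}

# What the PAM session module does when a client logs in over SSH: admit that
# one source address, and only when it arrives on the open-network interface,
# so a host on the internal side cannot borrow the address.  Because the
# baseline DROP has no state match, closing the hole also cuts flows that are
# already established.
gw_open() {
    "$IPTABLES" -I FORWARD -s "$1" -i "$OPEN_IF" -o "$INT_IF" \
        -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
}

# On logout: -D needs exactly the same specification as the rule it removes.
gw_close() {
    "$IPTABLES" -D FORWARD -s "$1" -i "$OPEN_IF" -o "$INT_IF" \
        -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
}

# The check from the Section 3.2 test: which client addresses are admitted?
# Reads `iptables -S FORWARD` output on stdin and prints the source of every
# ACCEPT rule that forwards out of the internal interface, without the /32.
gw_admitted() {
    awk -v ifc="$INT_IF" '
        $1 == "-A" && $2 == "FORWARD" && /-j ACCEPT/ {
            src = ""; out = ""
            for (i = 3; i <= NF; i++) {
                if ($i == "-s") src = $(i + 1)
                if ($i == "-o") out = $(i + 1)
            }
            if (src != "" && out == ifc) { sub(/\/32$/, "", src); print src }
        }'
}

# Constructed sample of `iptables -S FORWARD` output on a gateway with one
# client (10.0.1.17) logged in; used to exercise gw_admitted offline.
SAMPLE_FORWARD='-P FORWARD ACCEPT
-A FORWARD -s 10.0.1.17/32 -i eth1 -o eth0 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth0 -m state --state INVALID,NEW -j DROP
-A FORWARD -i eth1 -o eth0 -j DROP'

# Usage: sh authgw-rules.sh demo   (prints the rules instead of loading them)
if [ "${1:-}" = "demo" ]; then
    IPTABLES=echo
    gw_base_rules
    gw_open 10.0.1.17
    printf '%s\n' "$SAMPLE_FORWARD" | gw_admitted
    gw_close 10.0.1.17
fi
```

Run as root without the demo argument and source it from an initscript to load the baseline; the per-client functions match the client on the open-network interface as well as on its source address, which the one-line rule described in Section 3.2 does not, and gw_admitted is what you would run on the gateway between steps 1 and 3 of the test instead of reading iptables -L by hand.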


3.3. DHCP Server Configuration

Here DHCP is provided with the following dhcpd.conf:


   subnet 10.0.1.0 netmask 255.255.255.0 {
   # --- default gateway
        option routers                  10.0.1.1;
        option subnet-mask              255.255.255.0;
        option broadcast-address        10.0.1.255;

        option domain-name-servers      10.0.1.1;
        range   10.0.1.3 10.0.1.254;
        # time-offset is given in seconds from UTC, not hours:
        # -18000 is Eastern Standard Time (UTC-5)
        option time-offset              -18000;

        default-lease-time 21600;
        max-lease-time 43200;
   }


In this case the DHCP server is started on eth1, the interface connected to the
open network:


    /usr/sbin/dhcpd eth1                                            
                                                                    



3.4. Authentication Setup

As described in the previous section, here the gateway is configured to use
LDAP for authentication, but any method that PAM supports can be used instead.
See Section 2.4 for more information.

To authenticate against LDAP through PAM, install OpenLDAP
<http://www.openldap.org> and configure /etc/ldap.conf as follows:


   # Your LDAP server. Must be resolvable without using LDAP.       
   host itc.musc.edu                                                
                                                                    
   # The distinguished name of the search base.                     
   base dc=musc,dc=edu                                              
   ssl no                                                           
                                                                    


Be aware of the `ssl no` setting: with it, pam_ldap sends each user's password
to the LDAP server in the clear across the internal network. Where the server
supports it, use `ssl start_tls` (or `ssl on` for ldaps) instead.

The following files configure PAM to authenticate against LDAP. They were
generated with Red Hat's authconfig utility.

Create /etc/pam.d/system-auth with the following content. (The `nullok` option
on pam_unix allows accounts with an empty password to log in; on a gateway it
is better removed.)
   
    
       #%PAM-1.0                                                                          
       # This file is auto-generated.                                                     
       # User changes will be destroyed the next time authconfig is run.                  
       auth        required      /lib/security/pam_env.so                                 
       auth        sufficient    /lib/security/pam_unix.so likeauth nullok                
       auth        sufficient    /lib/security/pam_ldap.so use_first_pass                 
       auth        required      /lib/security/pam_deny.so                                
                                                                                          
       account     required      /lib/security/pam_unix.so                                
       account     [default=ok user_unknown=ignore service_err=ignore system_err=ignore] /lib/security/pam_ldap.so
                                                                                          
       password    required      /lib/security/pam_cracklib.so retry=3                    
       password    sufficient    /lib/security/pam_unix.so nullok use_authtok             
       password    sufficient    /lib/security/pam_ldap.so use_authtok                    
       password    required      /lib/security/pam_deny.so                                
                                                                                          
       session     required      /lib/security/pam_limits.so                              
       session     required      /lib/security/pam_unix.so                                
       session     optional      /lib/security/pam_ldap.so                                
                                                                                          
    
   
Then create /etc/pam.d/sshd as follows:
   
    
       #%PAM-1.0                                                              
       auth       required     /lib/security/pam_stack.so service=system-auth 
       auth       required     /lib/security/pam_nologin.so                   
       account    required     /lib/security/pam_stack.so service=system-auth 
       password   required     /lib/security/pam_stack.so service=system-auth 
       session    required     /lib/security/pam_stack.so service=system-auth 
       #this line is added for firewall rule insertion upon login             
       session    required     /lib/security/pam_iptables.so debug            
       session    optional     /lib/security/pam_console.so                   
                                                                              
    
   


3.5. DNS Configuration

Here the default version of Bind shipped with Red Hat 7.1 and the
caching-nameserver RPM were installed. The DHCP server is configured to hand
out the gateway as the name server for the machines on the open network.



4. Using the Authentication Gateway

To use the authentication gateway, configure the client machine to use DHCP.
Install an SSH client on that machine and log in to the gateway over SSH. Once
logged in, the client can access the network. A session from a Unix client
looks like this:


 bash>ssh zornnh@10.0.1.1                                           
 zornnh's Password:                                                 
                                                                    
 gateway>                                                           
                                                                    


Access is available for as long as the user stays logged in; as soon as the
user logs out, it is removed.



5. Conclusion

 * The security method described in this document depends on the security
   provided by the network community around it. It still functions even where
   the network as a whole is not secure or is not under your own
   administration.
   
 * The gateway does not encrypt traffic; it only controls access to the
   network behind it. If you need encryption in addition to authentication,
   use a VPN.
   


6. Additional Information

 * A description of the authentication gateway implementation at NASA <http://
   www.nas.nasa.gov/Groups/Networks/Projects/Wireless/index.html>.
   
 * A description of how the University of Alberta built an authentication
   gateway <http://www.ualberta.ca/~beck/authgw.html>.
   


7. Questions and Answers

This section collects the questions people are likely to ask about this
document. As feedback on the document arrives, it will be turned into a FAQ.



8. About the Japanese Translation

The Japanese translation was produced by the Linux Japanese FAQ Project. Please
send comments on the translation to the JF project <JF@linux.or.jp>.

0.03j

Translation:
   
    yomoyomo <ymgrtq@ma.neweb.ne.jp>
   
Proofreading:
   
      office <office@ukky.net>
       
      <kgh12351@nifty.ne.jp>
       
      <arms405@jade.dti.ne.jp>
       
      <cz@hykw.tv>
       
