Authentication Gateway HOWTO

Nathan Zorn

           zornnh@musc.edu
        

yomoyomo (Japanese translation)

ymgrtq@ma.neweb.ne.jp

Revision History                                                       
Revision 0.06            2002-11-05         Revised by: nhz            
Revision 0.05            2002-05-10         Revised by: nhz            
Revision 0.04            2002-02-28         Revised by: nhz            
Revision 0.03            2001-09-28         Revised by: nhz            
Revision 0.02            2001-09-28         Revised by: KET            
Revision 0.01            2001-09-06         Revised by: nhz            

  Security is a major concern on networks that have public access areas.
At present, wireless network security on its own is not sufficient. One
answer to this problem is an authentication gateway: users must
authenticate to the gateway before they are allowed to use the network,
which addresses that security concern.

 

Table of Contents
1. Introduction
   
    1.1. Copyright
    1.2. Disclaimer
    1.3. Newest Version
    1.4. Credits
    1.5. Feedback
   
2. Requirements
   
    2.1. Netfilter
    2.2. Software for dynamic Netfilter rules
    2.3. DHCP server
    2.4. Authentication mechanism
    2.5. DNS server
   
3. Configuring the gateway services
   
    3.1. Netfilter configuration
    3.2. Dynamic Netfilter rules
    3.3. DHCP server configuration
    3.4. Configuring the authentication mechanism
    3.5. DNS configuration
   
4. Using the authentication gateway
5. Conclusion
6. Additional information
7. Questions and answers
8. About the Japanese translation

1. Introduction

  It is very easy for unauthorized users to get at the public access
areas of a network. An unauthorized user can connect to a communications
hub, or simply plug a machine into a terminal jack, and is then on the
network. Even where wireless security mechanisms such as WEP are in
place, they can be broken with tools like AirSnort. One approach to these
problems is not to rely on those security features at all, but to put an
authentication gateway in front of the wireless network or public access
area, so that users must authenticate to the gateway before they can use
the network. This HOWTO describes how to build such a gateway with Linux.

 

1.1. Copyright

  This document is copyrighted (c) 2001 Nathan Zorn. Permission is
granted to copy, distribute and/or modify this document under the terms
of the GNU Free Documentation License, Version 1.1 or any later version
published by the Free Software Foundation; with no Invariant Sections,
with no Front-Cover Texts, and with no Back-Cover Texts. A copy of the
license is available at http://www.gnu.org/copyleft/fdl.html

  (Translation of the notice above) This document is copyrighted (c) 2001
Nathan Zorn. Permission is granted to copy, distribute and/or modify this
document under the terms of the GNU Free Documentation License (GFDL),
Version 1.1 or any later version published by the Free Software
Foundation; this document has no Invariant Sections, no Front-Cover Texts
and no Back-Cover Texts. A copy of the license is available at
http://www.gnu.org/copyleft/fdl.html

If you have questions, please contact <zornnh@musc.edu>.

 

1.2. Disclaimer

  No liability for the contents of this document can be accepted. Use the
concepts, examples and other content entirely at your own risk. As this is
a new edition of this document, there may be errors and inaccuracies that
could of course damage your system. Proceed with caution; although actual
damage is highly unlikely, the author (and the translator) take no
responsibility for it.

  All copyrights are held by their respective owners unless specifically
noted otherwise. Use of a term in this document should not be regarded as
affecting the validity of any trademark or service mark.

  Naming of particular products or brands should not be seen as
endorsements.

You are strongly recommended to take a backup of your system before any
major installation, and to take backups at regular intervals.

 

1.3. Newest Version

The newest version of this document is available at
http://www.itlab.musc.edu/~nathan/authentication_gateway/
<http://www.itlab.musc.edu/~nathan/authentication_gateway/>. Related
HOWTOs can be found at the Linux Documentation Project
<http://www.linuxdoc.org/> home page.

 

1.4. Credits

Jamin W. Collins

Kristin E Thomas

Logu (visolve.com)

 

1.5. Feedback

Feedback on this document is most welcome. Without your submissions and
input, this document would not exist. Please send additions, comments and
criticisms to the following e-mail address: <zornnh@musc.edu>

 

2. Requirements

This section describes what is needed for an authentication gateway.

 

2.1. Netfilter

The authentication gateway uses Netfilter's iptables to manage the
firewall. See the Netfilter HOWTO <http://netfilter.samba.org/
unreliable-guides/packet-filtering-HOWTO/index.html>.

 

2.2. Software for dynamic Netfilter rules

To insert and remove Netfilter rules dynamically, pam_iptables is used.
This is a Pluggable Authentication Module (PAM) written by Nathan Zorn,
available at http://www.itlab.musc.edu/~nathan/pam_iptables <http://
www.itlab.musc.edu/~nathan/pam_iptables/>. With this PAM module, users
authenticate to the gateway using ssh or telnet.

As another means of dynamically adding and removing Netfilter rules,
NocatAuth can be used. NocatAuth is available at http://nocat.net. With
NocatAuth, web clients can authenticate to the gateway.

 

2.3. DHCP server

  The authentication gateway acts as the Dynamic Host Configuration
Protocol (DHCP) server for the public network. It answers DHCP requests
from the public network only. The ISC DHCP Server <http://www.isc.org/
products/DHCP/> is used.

 

2.4. Authentication mechanism

The gateway can use any authentication method PAM supports. The
authentication mechanism used by the Medical University of South Carolina
is LDAP. LDAP is used only for authentication purposes, and the PAM
modules on the gateway machine are configured to use LDAP. More
information can be found at http://www.padl.com/pam_ldap.html <http://
www.padl.com/pam_ldap.html>. PAM makes it possible to use other
authentication mechanisms as well. If you want more information on those
methods, see the documentation on PAM modules <http://www.kernel.org/pub/
linux/libs/pam/modules.html>.

To use NocatAuth, an authentication service must be built. The NocatAuth
authentication service supports authentication against LDAP, RADIUS,
MySQL and password files. More information is available at
http://nocat.net/download/NoCatAuth/ <http://nocat.net/download/NoCatAuth/>.

 

2.5. DNS server

The gateway also provides DNS service for the public network. Bind
<http://www.isc.org/products/BIND/> is installed and used as a caching
name server. To build a caching server, the caching-nameserver RPM package
shipped with Red Hat can be used.

 

3. Configuring the gateway services

This section explains how to configure each component of the
authentication gateway. The example used here is a private public network
on subnet 10.0.1.0. eth0 is the gateway interface connected to the
internal network. eth1 is the interface connected to the public network;
its IP address is 10.0.1.1. These settings can be changed to fit the
network you are using. Red Hat 7.1 was used for the gateway machine, so
some of the examples are Red Hat specific.

 

3.1. Netfilter configuration

  To configure netfilter, the kernel must be compiled with netfilter
support. If you need more information on configuring and compiling the
kernel, see the Kernel-HOWTO <http://www.linuxdoc.org/HOWTO/
Kernel-HOWTO.html>.

The kernel configuration used here looks like the following:

   #                                                                
   # Networking options                                             
   #                                                                
   CONFIG_PACKET=y                                                  
   # CONFIG_PACKET_MMAP is not set                                  
   # CONFIG_NETLINK is not set                                      
   CONFIG_NETFILTER=y                                               
   CONFIG_NETFILTER_DEBUG=y                                         
   CONFIG_FILTER=y                                                  
   CONFIG_UNIX=y                                                    
   CONFIG_INET=y                                                    
   CONFIG_IP_MULTICAST=y                                            
   # CONFIG_IP_ADVANCED_ROUTER is not set                           
   # CONFIG_IP_PNP is not set                                       
   # CONFIG_NET_IPIP is not set                                     
   # CONFIG_NET_IPGRE is not set                                    
   # CONFIG_IP_MROUTE is not set                                    
   # CONFIG_INET_ECN is not set                                     
   # CONFIG_SYN_COOKIES is not set                                  
                                                                    
                                                                    
   #   IP: Netfilter Configuration                                  
   #                                                                
   CONFIG_IP_NF_CONNTRACK=y                                         
   CONFIG_IP_NF_FTP=y                                               
   CONFIG_IP_NF_IPTABLES=y                                          
   CONFIG_IP_NF_MATCH_LIMIT=y                                       
   CONFIG_IP_NF_MATCH_MAC=y                                         
   CONFIG_IP_NF_MATCH_MARK=y                                        
   CONFIG_IP_NF_MATCH_MULTIPORT=y                                   
   CONFIG_IP_NF_MATCH_TOS=y                                         
   CONFIG_IP_NF_MATCH_TCPMSS=y                                      
   CONFIG_IP_NF_MATCH_STATE=y                                       
   CONFIG_IP_NF_MATCH_UNCLEAN=y                                     
   CONFIG_IP_NF_MATCH_OWNER=y                                       
   CONFIG_IP_NF_FILTER=y                                            
   CONFIG_IP_NF_TARGET_REJECT=y                                     
   CONFIG_IP_NF_TARGET_MIRROR=y                                     
   CONFIG_IP_NF_NAT=y                                               
   CONFIG_IP_NF_NAT_NEEDED=y                                        
   CONFIG_IP_NF_TARGET_MASQUERADE=y                                 
   CONFIG_IP_NF_TARGET_REDIRECT=y                                   
   CONFIG_IP_NF_NAT_FTP=y                                           
   CONFIG_IP_NF_MANGLE=y                                            
   CONFIG_IP_NF_TARGET_TOS=y                                        
   CONFIG_IP_NF_TARGET_MARK=y                                       
   CONFIG_IP_NF_TARGET_LOG=y                                        
   CONFIG_IP_NF_TARGET_TCPMSS=y                                     
                                                                    


Once the rules are configured, run the following command to enable IP
forwarding:


   echo 1 > /proc/sys/net/ipv4/ip_forward                           
                                                                    


To make sure IP forwarding is enabled again after the machine reboots, add
the following line to /etc/sysctl.conf:


   net.ipv4.ip_forward = 1                                          
                                                                    


 If you are using NocatAuth, you can skip ahead to the NoCatAuth gateway
configuration section.

iptables must be installed. Either use the package supplied with your
distribution or install it from source. After building a new kernel with
the options above and installing iptables, the author set up the following
default firewall rules:


   iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
   iptables -A INPUT -i eth0 -m state --state NEW,INVALID -j DROP
   iptables -A FORWARD -i eth0 -m state --state NEW,INVALID -j DROP
   iptables -I FORWARD -o eth0 -j DROP
   iptables -I FORWARD -s 10.0.1.0/24 -d 10.0.1.1 -j ACCEPT



  The commands above can be placed in an initscript so that they run when
the server reboots. To confirm that the rules were added, issue the
following commands:


   iptables -v -t nat -L                                            
   iptables -v -t filter -L                                         
                                                                    


To save these rules, the Red Hat init script is used:


   /etc/init.d/iptables save                                        
   /etc/init.d/iptables restart                                     
                                                                    


The gateway now performs network address translation (NAT), and drops
every forwarded packet except those sent from inside the public network to
the gateway itself.

 

3.2. Dynamic Netfilter rules

This section explains how to configure the software needed to add and
remove Netfilter rules dynamically on the gateway.

 

3.2.1. PAM iptables module

A PAM session module that inserts firewall rules is needed so that
forwarding is enabled for authenticated clients. For a simple setup, just
obtain the source <ftp://ftp.itlab.musc.edu/pub/pam_iptables.tar.gz> and
compile it by running the following commands:


     gcc -fPIC -c pam_iptables.c                                    
     ld -x --shared -o pam_iptables.so pam_iptables.o               
                                                                    


 This produces two binaries, pam_iptables.so and pam_iptables.o. Copy
pam_iptables.so to /lib/security/pam_iptables.so:


     cp pam_iptables.so /lib/security/pam_iptables.so               
                                                                    


 Next, put the firewall script in /usr/local/auth-gw:


     mkdir /usr/local/auth-gw                                       
     cp insFwall /usr/local/auth-gw                                 
                                                                    


SSH was chosen as the authentication client for the gateway, so add the
following line to /etc/pam.d/sshd:


     session    required     /lib/security/pam_iptables.so          
                                                                    


Now, when a user logs in over SSH, firewall rules are added.

To test that the pam_iptables module is working, follow these steps:

 1. Log in to the gateway with SSH.
   
 2. Check with iptables -L -v that the rule has been added.
   
 3. Log out of the gateway and confirm that the rule has been removed.
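
The rule set from section 3.1 together with the per-login insert/remove step that pam_iptables and the gateway's firewall script perform, as an added example (this is not the HOWTO's insFwall or access.fw script). It assumes the HOWTO's example network (eth0 internal, 10.0.1.0/24 public behind eth1, gateway 10.0.1.1); the MAC match and the input validation are additions, and setting IPT=echo prints the commands instead of applying them.

```shell
#!/bin/sh
# Added example, not the HOWTO's own scripts. Default rule set from
# section 3.1 plus the permit/deny step run at login and logout.
# Assumptions: eth0 = internal side, public side is 10.0.1.0/24, the
# gateway is 10.0.1.1. IPT=echo turns every call into a dry run.

IPT="${IPT:-iptables}"
PUB_NET="10.0.1.0/24"
GW_IP="10.0.1.1"
EXT_IF="eth0"

# Base policy: masquerade outbound traffic, refuse new or invalid flows
# arriving on the internal side, let the public side reach the gateway
# itself, and drop every other forwarded packet until a login rule is
# inserted above the DROP.
init_firewall() {
    "$IPT" -t nat -A POSTROUTING -o "$EXT_IF" -j MASQUERADE
    # no space after the comma: "NEW, INVALID" is two shell words and fails
    "$IPT" -A INPUT   -i "$EXT_IF" -m state --state NEW,INVALID -j DROP
    "$IPT" -A FORWARD -i "$EXT_IF" -m state --state NEW,INVALID -j DROP
    "$IPT" -I FORWARD -o "$EXT_IF" -j DROP
    "$IPT" -I FORWARD -s "$PUB_NET" -d "$GW_IP" -j ACCEPT
}

# The address and MAC come from the client side (DHCP lease, PAM_RHOST),
# so refuse anything that is not a plain dotted quad or colon-separated MAC
# before it is handed to iptables.
valid_ip()  { printf '%s' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'; }
valid_mac() { printf '%s' "$1" | grep -Eq '^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$'; }

# Match on IP *and* MAC (CONFIG_IP_NF_MATCH_MAC=y in the HOWTO's kernel
# config) so a later DHCP lease of the same address to another machine
# does not inherit the session.
client_rule() {
    printf '%s' "-s $1 -m mac --mac-source $2 -o $EXT_IF -j ACCEPT"
}

# permit_client IP MAC: insert at the top of FORWARD, ahead of the DROP
permit_client() {
    valid_ip "$1" && valid_mac "$2" || return 2
    "$IPT" -I FORWARD $(client_rule "$1" "$2")
}

# deny_client IP MAC: delete exactly the rule permit_client inserted
deny_client() {
    valid_ip "$1" && valid_mac "$2" || return 2
    "$IPT" -D FORWARD $(client_rule "$1" "$2")
}
```

Source the file and call init_firewall at boot, permit_client from the session-open hook and deny_client from the session-close hook; with IPT=echo the rules are printed for review first.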
   
 

3.2.2. NoCatAuth gateway

This section describes the process of building a NoCatAuth gateway. To
build one, download the source <http://nocat.net/download/NoCatAuth/> and
install it with the following steps.

Make sure gpgv is installed. gpgv is a PGP signature verifier. It is part
of gnupg, available at http://www.gnupg.org/download.html
<http://www.gnupg.org/download.html>.

Extract the NocatAuth tar file:

     tar xvzf NocatAuth-x.xx.tar.gz                                 
                                                                    


 If you do not want NoCatAuth in the /usr/local/nocat directory, edit the
Makefile and change INST_PATH to the directory where NoCatAuth should
reside.

Next, build the gateway:

     cd NoCatAuth-x.xx                                              
     make gateway                                                   
                                                                    


Edit the /usr/local/nocat.conf file. For the settings the conf file needs,
see the INSTALL document for details. The conf file used as the example
looks like the following:


                                                                    
     ###### gateway.conf -- NoCatAuth Gateway Configuration.        
     #                                                              
     # Format of this file is: Directive Value, one per             
     # line. Trailing and leading whitespace is ignored. Any        
     # line beginning with a punctuation character is assumed to    
     # be a comment.                                                
                                                                    
     Verbosity       10                                             
     #we are behind a NAT so put the gateway in passive mode        
     GatewayMode     Passive                                        
     GatewayLog      /usr/local/nocat/nocat.log                     
     LoginTimeout    300                                            
                                                                    
     ######Open Portal settings.                                    
     HomePage        http://www.itlab.musc.edu/                     
     DocumentRoot    /usr/local/nocat/htdocs                        
     SplashForm      splash.html                                    
     ###### Active/Passive Portal settings.                         
     TrustedGroups Any                                              
     AuthServiceAddr egon.itlab.musc.edu                            
     AuthServiceURL  https://$AuthServiceAddr/cgi-bin/login         
     LogoutURL       https://$AuthServiceAddr/forms/logout.html     
     ###### Other Common Gateway Options.                           
     AllowedWebHosts egon.itlab.musc.edu                            
     ResetCmd        initialize.fw                                  
     PermitCmd       access.fw permit $MAC $IP $Class               
     DenyCmd         access.fw deny $MAC $IP $Class                 
                                                                    


The gateway should now be ready to start. If you have problems, check the
INSTALL document in the extracted NoCatAuth directory. Start the gateway
with the following command:

     /usr/local/nocat/bin/gateway                                   
                                                                    


 

3.3. DHCP server configuration

In this example, DHCP was set up with the following dhcpd.conf:


   subnet 10.0.1.0 netmask 255.255.255.0 {                              
   # --- default gateway                                                
        option routers                  10.0.1.1;                       
        option subnet-mask              255.255.255.0;                  
        option broadcast-address        10.0.1.255;                     
                                                                        
        option domain-name-servers       10.0.1.1;                      
        range   10.0.1.3 10.0.1.254;                                    
        option time-offset              -5;     # Eastern Standard Time 
                                                                        
        default-lease-time 21600;                                       
        max-lease-time 43200;                                           
                                                                        
    }                                                                   
                                                                        


  In this case the DHCP server is bound to eth1, the public network
interface, and started as follows:


    /usr/sbin/dhcpd eth1                                            
                                                                    

 

3.4. Configuring the authentication mechanism

Authentication is performed either by PAM or by the NoCatAuth
authentication service. This example uses LDAP. Authentication mechanisms
other than LDAP can be used as well: read the PAM and NoCatAuth
documentation to learn the steps for using another mechanism.

 

3.4.1. PAM LDAP

  As stated in the previous section, this example configures the gateway
to use LDAP for authentication. However, any authentication method that
PAM supports can be used. See Section 2.4 if you need more information.

To authenticate with PAM LDAP, install OpenLDAP <http://www.openldap.org>
and put the following settings in /etc/ldap.conf:


     # Your LDAP server. Must be resolvable without using LDAP.     
     host itc.musc.edu                                              
                                                                    
     # The distinguished name of the search base.                   
     base dc=musc,dc=edu                                            
     ssl no                                                         
                                                                    


The files shown below are used to configure PAM to authenticate against
LDAP. They were generated by the Red Hat configuration utility.

Create /etc/pam.d/system-auth with the following contents:
   
    
          #%PAM-1.0                                                                                                   
          # This file is auto-generated.                                                                              
          # User changes will be destroyed the next time authconfig is run.                                           
          auth        required      /lib/security/pam_env.so                                                          
          auth        sufficient    /lib/security/pam_unix.so likeauth nullok                                         
          auth        sufficient    /lib/security/pam_ldap.so use_first_pass                                          
          auth        required      /lib/security/pam_deny.so                                                         
                                                                                                                      
          account     required      /lib/security/pam_unix.so                                                         
          account     [default=ok user_unknown=ignore service_err=ignore system_err=ignore] /lib/security/pam_ldap.so 
                                                                                                                      
          password    required      /lib/security/pam_cracklib.so retry=3                                             
          password    sufficient    /lib/security/pam_unix.so nullok use_authtok                                      
          password    sufficient    /lib/security/pam_ldap.so use_authtok                                             
          password    required      /lib/security/pam_deny.so                                                         
                                                                                                                      
          session     required      /lib/security/pam_limits.so                                                       
          session     required      /lib/security/pam_unix.so                                                         
          session     optional      /lib/security/pam_ldap.so                                                         
                                                                                                                      
    
   
Also create the /etc/pam.d/sshd file as follows:
   
    
           #%PAM-1.0                                                              
           auth       required     /lib/security/pam_stack.so service=system-auth 
           auth       required     /lib/security/pam_nologin.so                   
           account    required     /lib/security/pam_stack.so service=system-auth 
           password   required     /lib/security/pam_stack.so service=system-auth 
           session    required     /lib/security/pam_stack.so service=system-auth 
           #this line is added for firewall rule insertion upon login             
           session    required     /lib/security/pam_iptables.so debug            
           session    optional     /lib/security/pam_console.so                   
                                                                                  
    
   
 

3.4.2. NoCatAuth service

It is recommended that the NoCatAuth service be installed on a server
other than the gateway. A separate server was used in the author's
example. Building the NoCatAuth service requires the following software:

 1. A web server with SSL enabled. A registered SSL certificate is
    preferable. The author used the combination of Apache and mod_ssl.
   
 2. Perl 5 (5.6 or later preferred)
   
 3. The Net::LDAP, Digest::MD5, DBI and DBD::MySQL perl modules (obtain
    them from CPAN). Which modules are needed depends on the
    authentication mechanism you intend to use. In the author's example,
    Net::LDAP is used as the authentication mechanism.
   
 4. Gnu Privacy Guard (gnupg 1.0.6 or later), available at
    http://www.gnupg.org/download.html.
   
To install, extract the tar file:

    $ tar zvxf NoCatAuth-x.xx.tar.gz                                
                                                                    


To change the path where NoCatAuth resides, edit the Makefile and change
INST_PATH to the desired directory.

Next, run the make authserv command. This installs everything in
/usr/local/nocat, or in the directory you set as INST_PATH.

Run make pgpkey. The defaults can be used as they are. IMPORTANT: do not
enter a passphrase! If you do, the authentication service will try to read
the passphrase from a nonexistent tty when it encrypts messages, and will
end up outputting invalid messages.

Edit /usr/local/nocat/nocat.conf to suit your environment. An example
follows:

    ###### authserv.conf -- NoCatAuth Authentication Service Configuration.                                                                                   
    #                                                                                                                                                         
    # Format of this file is: Directive Value, one per                                                                                                        
    #   line. Trailing and leading whitespace is ignored. Any                                                                                                 
    #   line beginning with a punctuation character is assumed to                                                                                             
    #   be a comment.                                                                                                                                         
                                                                                                                                                              
    Verbosity       10                                                                                                                                        
    HomePage        http://www.itlab.musc.edu/                                                                                                                
    DocumentRoot    /usr/local/nocat/htdocs                                                                                                                   
    # LDAP source                                                                                                                                             
    DataSource LDAP                                                                                                                                           
    LDAPHost authldap.musc.edu                                                                                                                                
    LDAPBase dc=musc,dc=edu                                                                                                                                   
                                                                                                                                                              
    UserTable       Member                                                                                                                                    
    UserIDField     User                                                                                                                                      
    UserPasswdField Pass                                                                                                                                      
    UserAuthField   Status                                                                                                                                    
    UserStampField  Created                                                                                                                                   
                                                                                                                                                              
    GroupTable      Network                                                                                                                                   
    GroupIDField    Network                                                                                                                                   
    GroupAdminField Admin                                                                                                                                     
    MinPasswdLength 8                                                                                                                                         
                                                                                                                                                              
    # LocalGateway -- If you run auth service on the same subnet                                                                                              
    #   (or host) as the gateway you need to specify the hostname                                                                                             
    #   of the gateway. Otherwise omit it.  (Requires Net::Netmask)                                                                                           
    #                                                                                                                                                         
    # LocalGateway    192.168.1.7                                                                                                                             
                                                                                                                                                              
    LoginForm       login.html                                                                                                                                
    LoginOKForm     login_ok.html                                                                                                                             
    FatalForm       fatal.html                                                                                                                                
    ExpiredForm     expired.html                                                                                                                              
    RenewForm       renew.html                                                                                                                                
    PassiveRenewForm renew_pasv.html                                                                                                                          
    RegisterForm    register.html                                                                                                                             
    RegisterOKForm  register_ok.html                                                                                                                          
    RegisterFields  Name URL Description                                                                                                                      
                                                                                                                                                              
    UpdateForm      update.html                                                                                                                               
    UpdateFields    URL Description                                                                                                                           
                                                                                                                                                              
    ###### Auth service user messages. Should be self-explanatory.                                                                                            
    #                                                                                                                                                         
    LoginGreeting   Greetings! Welcome to the Medical University of SC's Network.                                                                             
    LoginMissing    Please fill in all fields!                                                                                                                
    LoginBadUser    That e-mail address is unknown. Please try again.                                                                                         
    LoginBadPass    That e-mail and password do not match. Please try again.                                                                                  
    LoginBadStatus  Sorry, you are not a registered co-op member.                                                                                             
                                                                                                                                                              
    RegisterGreeting    Welcome! Please enter the following information to register.
    RegisterMissing     Name, E-mail, and password fields must be filled in.
    RegisterUserExists  Sorry, that e-mail address is already taken. Are you already registered?                                                              
    RegisterBadUser     The e-mail address provided appears to be invalid. Did you spell it correctly?                                                        
    RegisterInvalidPass All passwords must be at least six characters long.                                                                                   
    RegisterPassNoMatch The passwords you provided do not match. Please try again.                                                                            
    RegisterSuccess     Congratulations, you have successfully registered.                                                                                    
                                                                                                                                                              
    UpdateGreeting      Enter your E-mail and password to update your info.                                                                                   
    UpdateBadUser       That e-mail address is unknown. Please try again.                                                                                     
    UpdateBadPass       That e-mail and password do not match. Please try again.                                                                              
    UpdateInvalidPass   New passwords must be at least eight characters long.                                                                                 
    UpdatePassNoMatch   The new passwords you provided do not match. Please try again.                                                                        
    UpdateSuccess       Congratulations, you have successfully updated your account.                                                                          
                                                                                                                                                              
                                                                                                                                                              


Make sure /usr/local/nocat/pgp is owned by the web server's user (that
is, check whether it is nobody or www-data).

Add etc/authserv.conf to Apache's httpd.conf file:

 Include /usr/local/nocat/etc/authserv.conf                         


  Copy /usr/local/nocat/trustedkeys.pgp to the gateway. Restart Apache and
try it out. If you need more information, refer to the NoCatAuth
documentation, located under docs/ in the extracted NoCatAuth directory.

 

3.5. DNS configuration

  The author installed the default Bind version and the caching-nameserver
RPM shipped with Red Hat 7.1. The DHCP server is configured so that
machines on the public network use the gateway as their name server.

 

4. Using the authentication gateway

To use the authentication gateway, configure the client to use DHCP.
Install an SSH client on that machine and log in to the gateway with SSH.
Once logged in, you can access the network. Below is a session from a
unix-based client:


 bash>ssh zornnh@10.0.1.1                                           
 zornnh's Password:                                                 
                                                                    
 gateway>                                                           
                                                                    


  Access is possible while you are logged in. Once you log out, access is
no longer possible.

  To use an authentication gateway with NoCatAuth installed, configure the
client machine to use DHCP. Install a web browser such as Mozilla. Start
the web browser; it should be redirected to the authentication screen.

Figure 1. NoCat login

[nocat_auth]

After the user name and password are entered, a popup screen appears. Once
authenticated to the network, leave this window open to keep the
authenticated state. To end the session, click logout or close the window.

Figure 2. Authentication window

[nocat_auth]

 

5. Conclusion

 * The security approach shown in this document depends on the security
   provided by the network community. It works even when the network as a
   whole is not secure, and even when the wireless network is not under
   your administration.
   
 * The gateway does not encrypt traffic. It only restricts access to the
   network behind it. If encryption or authentication of the traffic is
   required, a VPN should be used.
   
 

6. Additional information

 * NASA describes its implementation of an authentication gateway <http://
   www.nas.nasa.gov/Groups/Networks/Projects/Wireless/index.html>.
   
 * A description of how to build an authentication gateway at the
   University of Alberta <http://www.ualberta.ca/~beck/authgw.html>.
   
 * Nocat.net <http://nocat.net> offers an authentication gateway for
   wireless networks. This software supports web-based clients.
   
 * Horatio: Authenticated Network Access <http://www.cs.utexas.edu/
   users/mcguire/software/horatio/> is a firewall authentication tool. Its
   premise: visiting users may bring laptops or other mobile devices onto
   the network, but for security reasons those visitors must be kept from
   reaching the secure network while still being allowed to use the
   Internet through it.
   
 

7. Questions and answers

This is a place for collecting questions people are likely to ask. If I
receive more feedback on this document, this will become a FAQ in the true
sense.

 1. Why are the iptables rules not flushed when the client's telnet window
    is closed? If the client does not log out of the telnet session, the
    iptables rules stay in effect. With SSH, the rules are flushed even
    when the SSH window is closed.
   
    I do not have a good answer to this problem. Logu has made changes to
    pam_iptables and other tools to address it. These tools are placed in
    the contrib <http://www.itlab.musc.edu/~nathan/pam_iptables/contrib>
    directory alongside pam_iptables.
   
 2. Does IE6 work with NoCat? Authentication appears to succeed, but the
    firewall rules are not applied.
   
    Make sure the HTML output by NoCat contains the following meta tag:
    <meta http-equiv="Refresh" content="$redirect" />
   
    The HTML files that must contain this meta tag are login_ok.html,
    renew.html and renew_pasv.html.
   
 

8. About the Japanese translation

The Japanese translation was produced by the Linux Japanese FAQ Project.
Please send comments on the translation to the JF project
<JF@linux.or.jp>.

Version 0.06

Translation:
   
    yomoyomo <ymgrtq@ma.neweb.ne.jp>
   
Proofreading:
   
      office <office@ukky.net>
       
      [name illegible in source] <kgh12351@nifty.ne.jp>
       
      [name illegible in source] <arms405@jade.dti.ne.jp>
       
      [name illegible in source] <cz@hykw.tv>
       
      [name illegible in source] <mizuhara@acm.org>
       
