我有一个运行在 Ubuntu Precise 12.04 上的 OpenSSH 5.9p1 服务器,它接受来自内部网络和互联网的连接。我想要求对来自 Internet 的连接进行公钥身份验证,但对来自内部网络的连接接受公钥或密码身份验证。我可以配置 OpenSSH 来实现这个吗?
我想删除在 CentOS 6 中启动内核时默认使用的rhgb和quiet内核参数,但我希望这适用于所有当前安装的内核以及将来安装的任何内核。我需要从脚本执行此操作,因此手动编辑文件不是一种选择,任何文件更改都应尽可能干净地完成。
在 Debian/Ubuntu 中,我会更改GRUB_CMDLINE_LINUX_DEFAULTin/etc/default/grub然后运行update-grub. /etc/sysconfig/grub我在or中找不到这样的设置/etc/sysconfig/kernel,也没有update-grub脚本。
我在 Ubuntu 10.04.4 上使用 FreeRADIUS 2.1.8 与 OpenLDAP 进行了 WPA2 802.11x EAP 身份验证设置,并且可以使用 PEAP/MSCHAPv2、TTLS/MSCHAPv2 和 TTLS/PAP(均通过 AP 和使用eapol_test)成功进行身份验证。我现在正在尝试根据用户所属的 LDAP 组限制对特定 SSID 的访问。
我已经/etc/freeradius/modules/ldap像这样配置了组成员身份检查:
groupname_attribute = cn
groupmembership_filter = "(|(&(objectClass=posixGroup)(memberUid=%{User-Name}))(&(objectClass=posixGroup)(uniquemember=%{User-Name})))"
并且我已经根据Mac Auth wiki 页面配置了将 SSID 从 Called-Station-Id 提取到 Called-Station-SSID 中。我启用了将属性从外部隧道复制到内部隧道,并在/etc/freeradius/eap.conf外部隧道中使用内部隧道响应(对于 PEAP 和 TTLS)。但是,在更改这些选项之前,我有相同的行为。
copy_request_to_tunnel = yes
use_tunneled_reply = yes
我eapol_test像这样运行来测试设置:
eapol_test -c peap-mschapv2.conf -a 172.16.0.16 -s testing123 -N 30:s:01-23-45-67-89-01:Example-EAP
使用以下peap-mschapv2.conf文件:
network={
ssid="Example-EAP"
key_mgmt=WPA-EAP
eap=PEAP
identity="mgorven"
anonymous_identity="anonymous"
password="foobar"
phase2="autheap=MSCHAPV2"
}
在以下内容中/etc/freeradius/users:
DEFAULT Ldap-Group == "employees"
并运行freeradius-Xx,我可以看到 LDAP 组检索有效,并且提取了 SSID。
Debug: [ldap] performing search in dc=example,dc=com, with filter (&(cn=employees)(|(&(objectClass=posixGroup)(memberUid=mgorven))(&(objectClass=posixGroup)(uniquemember=mgorven))))
Debug: rlm_ldap::ldap_groupcmp: User found in group employees
...
Info: expand: %{7} -> Example-EAP
接下来我尝试只允许employees组中的用户访问(不管 SSID 是什么),所以我将以下内容放入/etc/freeradius/users:
DEFAULT Ldap-Group == "employees"
DEFAULT Auth-Type := Reject
但这会立即拒绝外部隧道中的访问请求,因为anonymous用户不在employees组中。所以我将其修改为仅匹配内部隧道请求,如下所示:
DEFAULT Ldap-Group == "employees"
DEFAULT FreeRADIUS-Proxied-To == "127.0.0.1"
Auth-Type := Reject, Reply-Message = "User does not belong to any groups which may access this SSID."
现在组中的用户已employees通过身份验证,但不在employees组中的用户也已通过身份验证。我看到拒绝条目被匹配,并且设置了回复消息,但客户端收到了一个访问接受。
Debug: rlm_ldap::ldap_groupcmp: Group employees not found or user is not a member.
Info: [files] users: Matched entry DEFAULT at line 209
Info: ++[files] returns ok
...
Auth: Login OK: [mgorven] (from client test port 0 cli 02-00-00-00-00-01 via TLS tunnel)
Info: WARNING: Empty section. Using default return values.
...
Info: [peap] Got tunneled reply code 2
Auth-Type := Reject
Reply-Message = "User does not belong to any groups which may access this SSID."
...
Info: [peap] Got tunneled reply RADIUS code 2
Auth-Type := Reject
Reply-Message = "User does not belong to any groups which may access this SSID."
...
Info: [peap] Tunneled authentication was successful.
Info: [peap] SUCCESS
Info: [peap] Saving tunneled attributes for later
...
Sending Access-Accept of id 11 to 172.16.2.44 port 60746
Reply-Message = "User does not belong to any groups which may access this SSID."
User-Name = "mgorven"
和eapol_test报告:
RADIUS message: code=2 (Access-Accept) identifier=11 length=233
Attribute 18 (Reply-Message) length=64
Value: 'User does not belong to any groups which may access this SSID.'
Attribute 1 (User-Name) length=9
Value: 'mgorven'
...
SUCCESS
为什么请求没有被拒绝,这是实现它的正确方法吗?
我在 LVM LV 之上的 LUKS 之上有一个 500GiB 的 ext4 文件系统。我想将 LV 的大小调整为 100GiB。我知道如何在 LVM LV 之上调整 ext4 的大小,但我该如何处理 LUKS 卷?
mgorven@moab:~% sudo lvdisplay /dev/moab/backup
--- Logical volume ---
LV Name /dev/moab/backup
VG Name moab
LV UUID nQ3z1J-Pemd-uTEB-fazN-yEux-nOxP-QQair5
LV Write Access read/write
LV Status available
# open 1
LV Size 500.00 GiB
Current LE 128000
Segments 1
Allocation inherit
Read ahead sectors auto
- currently set to 2048
Block device 252:3
mgorven@moab:~% sudo cryptsetup status backup
/dev/mapper/backup is active and is in use.
type: LUKS1
cipher: aes-cbc-essiv:sha256
keysize: 256 bits
device: /dev/mapper/moab-backup
offset: 3072 sectors
size: 1048572928 sectors
mode: read/write
mgorven@moab:~% sudo tune2fs -l /dev/mapper/backup
tune2fs 1.42 (29-Nov-2011)
Filesystem volume name: backup
Last mounted on: /srv/backup
Filesystem UUID: 63877e0e-0549-4c73-8535-b7a81eb363ed
Filesystem magic number: 0xEF53
Filesystem revision #: 1 (dynamic)
Filesystem features: has_journal ext_attr resize_inode dir_index filetype extent flex_bg sparse_super large_file huge_file uninit_bg dir_nlink extra_isize
Filesystem flags: signed_directory_hash
Default mount options: (none)
Filesystem state: clean with errors
Errors behavior: Continue
Filesystem OS type: Linux
Inode count: 32768000
Block count: 131071616
Reserved block count: 0
Free blocks: 112894078
Free inodes: 32044830
First block: 0
Block size: 4096
Fragment size: 4096
Reserved GDT blocks: 992
Blocks per group: 32768
Fragments per group: 32768
Inodes per group: 8192
Inode blocks per group: 512
RAID stride: 128
RAID stripe width: 128
Flex block group size: 16
Filesystem created: Sun Mar 11 19:24:53 2012
Last mount time: Sat May 19 13:29:27 2012
Last write time: Fri Jun 1 11:07:22 2012
Mount count: 0
Maximum mount count: 100
Last checked: Fri Jun 1 11:03:50 2012
Check interval: 31104000 (12 months)
Next check after: Mon May 27 11:03:50 2013
Lifetime writes: 118 GB
Reserved blocks uid: 0 (user root)
Reserved blocks gid: 0 (group root)
First inode: 11
Inode size: 256
Required extra isize: 28
Desired extra isize: 28
Journal inode: 8
Default directory hash: half_md4
Directory Hash Seed: 383bcbc5-fde9-4720-b98e-2d6224713ecf
Journal backup: inode blocks