482 lines
9.3 KiB
HTML
482 lines
9.3 KiB
HTML
|
<HTML
|
|||
|
><HEAD
|
|||
|
><TITLE
|
|||
|
>Configure the Server</TITLE
|
|||
|
><META
|
|||
|
NAME="GENERATOR"
|
|||
|
CONTENT="Modular DocBook HTML Stylesheet Version 1.63
|
|||
|
"><LINK
|
|||
|
REL="HOME"
|
|||
|
TITLE="VPN PPP-SSH Mini-HOWTO"
|
|||
|
HREF="index.html"><LINK
|
|||
|
REL="PREVIOUS"
|
|||
|
TITLE="Software Installation"
|
|||
|
HREF="installation.html"><LINK
|
|||
|
REL="NEXT"
|
|||
|
TITLE="Configure the Client"
|
|||
|
HREF="configclient.html"></HEAD
|
|||
|
><BODY
|
|||
|
CLASS="SECT1"
|
|||
|
BGCOLOR="#FFFFFF"
|
|||
|
TEXT="#000000"
|
|||
|
LINK="#0000FF"
|
|||
|
VLINK="#840084"
|
|||
|
ALINK="#0000FF"
|
|||
|
><DIV
|
|||
|
CLASS="NAVHEADER"
|
|||
|
><TABLE
|
|||
|
WIDTH="100%"
|
|||
|
BORDER="0"
|
|||
|
CELLPADDING="0"
|
|||
|
CELLSPACING="0"
|
|||
|
><TR
|
|||
|
><TH
|
|||
|
COLSPAN="3"
|
|||
|
ALIGN="center"
|
|||
|
>VPN PPP-SSH Mini-HOWTO</TH
|
|||
|
></TR
|
|||
|
><TR
|
|||
|
><TD
|
|||
|
WIDTH="10%"
|
|||
|
ALIGN="left"
|
|||
|
VALIGN="bottom"
|
|||
|
><A
|
|||
|
HREF="installation.html"
|
|||
|
>Prev</A
|
|||
|
></TD
|
|||
|
><TD
|
|||
|
WIDTH="80%"
|
|||
|
ALIGN="center"
|
|||
|
VALIGN="bottom"
|
|||
|
></TD
|
|||
|
><TD
|
|||
|
WIDTH="10%"
|
|||
|
ALIGN="right"
|
|||
|
VALIGN="bottom"
|
|||
|
><A
|
|||
|
HREF="configclient.html"
|
|||
|
>Next</A
|
|||
|
></TD
|
|||
|
></TR
|
|||
|
></TABLE
|
|||
|
><HR
|
|||
|
ALIGN="LEFT"
|
|||
|
WIDTH="100%"></DIV
|
|||
|
><DIV
|
|||
|
CLASS="SECT1"
|
|||
|
><H1
|
|||
|
CLASS="SECT1"
|
|||
|
><A
|
|||
|
NAME="CONFIGSERVER"
|
|||
|
>4. Configure the Server</A
|
|||
|
></H1
|
|||
|
><P
|
|||
|
>We need to set up the server to respond to the client's request
|
|||
|
to bring up the tunnel.</P
|
|||
|
><DIV
|
|||
|
CLASS="SECT2"
|
|||
|
><H2
|
|||
|
CLASS="SECT2"
|
|||
|
><A
|
|||
|
NAME="AEN237"
|
|||
|
>4.1. Create a VPN User</A
|
|||
|
></H2
|
|||
|
><P
|
|||
|
>The incoming SSH VPN requests must be directed to a particular user
|
|||
|
on the server. For security and accountability, I recommend you
|
|||
|
use a dedicated user to field VPN requests. The following steps will
|
|||
|
set up a system user named "vpn" to do just that.</P
|
|||
|
><P
|
|||
|
></P
|
|||
|
><OL
|
|||
|
TYPE="1"
|
|||
|
><LI
|
|||
|
><P
|
|||
|
>First, we create the user's account. Accounts come in two ranges:
|
|||
|
the system range (typically 100-999) and the regular user range (1000+).
|
|||
|
"--system" tells adduser to add the user in the system range and
|
|||
|
to give him /bin/false for the login shell. "--group"
|
|||
|
tells adduser to also create a group of the same name as the user,
|
|||
|
and to add the user to the group.
|
|||
|
</P
|
|||
|
><TABLE
|
|||
|
BORDER="1"
|
|||
|
BGCOLOR="#E0E0E0"
|
|||
|
WIDTH="90%"
|
|||
|
><TR
|
|||
|
><TD
|
|||
|
><FONT
|
|||
|
COLOR="#000000"
|
|||
|
><PRE
|
|||
|
CLASS="SCREEN"
|
|||
|
>server# adduser --sytem --group vpn</PRE
|
|||
|
></FONT
|
|||
|
></TD
|
|||
|
></TR
|
|||
|
></TABLE
|
|||
|
></LI
|
|||
|
><LI
|
|||
|
><P
|
|||
|
>Since the vpn user needs to log in via ssh, change vpn's shell from
|
|||
|
/bin/false to /bin/bash in the /etc/passwd file. You can simply
|
|||
|
edit /etc/passwd using vi or any other decent text editor.</P
|
|||
|
></LI
|
|||
|
><LI
|
|||
|
><P
|
|||
|
>Create a password for the vpn user. It can (and should) be very
|
|||
|
complex, since you'll only type it a few times while setting up the
|
|||
|
VPN. After that, you'll never type it again.</P
|
|||
|
><TABLE
|
|||
|
BORDER="1"
|
|||
|
BGCOLOR="#E0E0E0"
|
|||
|
WIDTH="90%"
|
|||
|
><TR
|
|||
|
><TD
|
|||
|
><FONT
|
|||
|
COLOR="#000000"
|
|||
|
><PRE
|
|||
|
CLASS="SCREEN"
|
|||
|
>server# passwd vpn
|
|||
|
Enter new UNIX password:
|
|||
|
Retype new UNIX password:
|
|||
|
passwd: password updated successfully</PRE
|
|||
|
></FONT
|
|||
|
></TD
|
|||
|
></TR
|
|||
|
></TABLE
|
|||
|
></LI
|
|||
|
><LI
|
|||
|
><P
|
|||
|
>Now, try connecting to the server to ensure that you've created the account properly.</P
|
|||
|
><TABLE
|
|||
|
BORDER="1"
|
|||
|
BGCOLOR="#E0E0E0"
|
|||
|
WIDTH="90%"
|
|||
|
><TR
|
|||
|
><TD
|
|||
|
><FONT
|
|||
|
COLOR="#000000"
|
|||
|
><PRE
|
|||
|
CLASS="SCREEN"
|
|||
|
>client% ssh eldivino.domain.com -l vpn
|
|||
|
vpn@eldivino's password:
|
|||
|
Linux eldivino 2.2.19 #6 Mon Jun 4 10:32:19 PDT 2001 i686 unknown
|
|||
|
No mail.
|
|||
|
vpn@eldivino:~$</PRE
|
|||
|
></FONT
|
|||
|
></TD
|
|||
|
></TR
|
|||
|
></TABLE
|
|||
|
><P
|
|||
|
>It may take a while for ssh to connect if
|
|||
|
you don't have reverse DNS set up properly. You can fix that whenever
|
|||
|
you want. It will only delay bringing up the VPN -- it won't prevent it
|
|||
|
from working.</P
|
|||
|
><P
|
|||
|
>If it just stalls, then the ssh protocol is probably
|
|||
|
being dropped by a firewall between the two machines.
|
|||
|
Have a look at section <A
|
|||
|
HREF="installation.html#SSHFIREWALL"
|
|||
|
>Section 3.5</A
|
|||
|
> again.</P
|
|||
|
></LI
|
|||
|
></OL
|
|||
|
></DIV
|
|||
|
><DIV
|
|||
|
CLASS="SECT2"
|
|||
|
><H2
|
|||
|
CLASS="SECT2"
|
|||
|
><A
|
|||
|
NAME="AEN255"
|
|||
|
>4.2. Set up Authenticated Login</A
|
|||
|
></H2
|
|||
|
><P
|
|||
|
>It would be terrible to have to type in a password every time you
|
|||
|
wanted to bring the VPN link up, so we'll set up SSH's RSA
|
|||
|
authentication. Skip this section if you truly don't mind
|
|||
|
typing a password every time.</P
|
|||
|
><P
|
|||
|
></P
|
|||
|
><OL
|
|||
|
TYPE="1"
|
|||
|
><LI
|
|||
|
><P
|
|||
|
>Ensure that the root account on the client machine has a public
|
|||
|
key in root's home directory (~/root/.ssh/identity.pub). If this
|
|||
|
file doesn't exist, then you must create it. As root, run ssh-keygen:
|
|||
|
</P
|
|||
|
><TABLE
|
|||
|
BORDER="1"
|
|||
|
BGCOLOR="#E0E0E0"
|
|||
|
WIDTH="90%"
|
|||
|
><TR
|
|||
|
><TD
|
|||
|
><FONT
|
|||
|
COLOR="#000000"
|
|||
|
><PRE
|
|||
|
CLASS="SCREEN"
|
|||
|
># ssh-keygen
|
|||
|
Generating public/private rsa1 key pair.
|
|||
|
Enter file in which to save the key (/root/.ssh/identity):
|
|||
|
Enter passphrase (empty for no passphrase):
|
|||
|
Enter same passphrase again:
|
|||
|
Your identification has been saved in /root/.ssh/identity.
|
|||
|
Your public key has been saved in /root/.ssh/identity.pub.
|
|||
|
The key fingerprint is:
|
|||
|
15:61:57:7e:5c:26:91:09:5c:e6:10:b7:a1:74:bd:25 root@paradis</PRE
|
|||
|
></FONT
|
|||
|
></TD
|
|||
|
></TR
|
|||
|
></TABLE
|
|||
|
></LI
|
|||
|
><LI
|
|||
|
><P
|
|||
|
>Now, copy identity.pub to the vpn account's authorized_keys file
|
|||
|
on the server.
|
|||
|
You will almost certainly have to create this. As
|
|||
|
root, perform the following commands on the server:</P
|
|||
|
><TABLE
|
|||
|
BORDER="1"
|
|||
|
BGCOLOR="#E0E0E0"
|
|||
|
WIDTH="90%"
|
|||
|
><TR
|
|||
|
><TD
|
|||
|
><FONT
|
|||
|
COLOR="#000000"
|
|||
|
><PRE
|
|||
|
CLASS="SCREEN"
|
|||
|
>server# cd ~vpn
|
|||
|
server# mkdir .ssh
|
|||
|
server# chown root.vpn .ssh
|
|||
|
server# chmod 755 .ssh
|
|||
|
server# cd .ssh</PRE
|
|||
|
></FONT
|
|||
|
></TD
|
|||
|
></TR
|
|||
|
></TABLE
|
|||
|
><P
|
|||
|
>Now, copy th the client's /root/.ssh/identity.pub file
|
|||
|
(it's only one line) to
|
|||
|
the server's ~vpn/.ssh/authorized_keys file.
|
|||
|
You can add more lines to authorized_keys, one for each client,
|
|||
|
if you want to allow multiple clients to connect.</P
|
|||
|
><TABLE
|
|||
|
BORDER="1"
|
|||
|
BGCOLOR="#E0E0E0"
|
|||
|
WIDTH="90%"
|
|||
|
><TR
|
|||
|
><TD
|
|||
|
><FONT
|
|||
|
COLOR="#000000"
|
|||
|
><PRE
|
|||
|
CLASS="SCREEN"
|
|||
|
>server# chown root.vpn authorized_keys
|
|||
|
server# chmod 644 authorized_keys</PRE
|
|||
|
></FONT
|
|||
|
></TD
|
|||
|
></TR
|
|||
|
></TABLE
|
|||
|
></LI
|
|||
|
><LI
|
|||
|
><P
|
|||
|
>Now, become root on the client, and try SSHing to the server.
|
|||
|
You may or may not need to use the -P option, depending on how your
|
|||
|
client's firewall is set up. If port 22 is blocked on your client
|
|||
|
(not a bad idea if it's not running an SSH server),
|
|||
|
then -P tells ssh to use an unprivileged port even though it's
|
|||
|
running as a priveleged user.
|
|||
|
</P
|
|||
|
><TABLE
|
|||
|
BORDER="1"
|
|||
|
BGCOLOR="#E0E0E0"
|
|||
|
WIDTH="90%"
|
|||
|
><TR
|
|||
|
><TD
|
|||
|
><FONT
|
|||
|
COLOR="#000000"
|
|||
|
><PRE
|
|||
|
CLASS="SCREEN"
|
|||
|
>client# ssh -P eldivino.domain.com -l vpn
|
|||
|
Linux eldivino 2.2.19 #6 Mon Jun 4 11:03:22 PDT 2001 i686 unknown
|
|||
|
No mail.
|
|||
|
vpn@eldivino:~$</PRE
|
|||
|
></FONT
|
|||
|
></TD
|
|||
|
></TR
|
|||
|
></TABLE
|
|||
|
><P
|
|||
|
>There, we were just RSA-authenticated. Keep your private key
|
|||
|
(the client's ~root/.ssh/identity file) private! Anyone who
|
|||
|
has access to this file can log into the VPN account on the
|
|||
|
server.</P
|
|||
|
></LI
|
|||
|
></OL
|
|||
|
></DIV
|
|||
|
><DIV
|
|||
|
CLASS="SECT2"
|
|||
|
><H2
|
|||
|
CLASS="SECT2"
|
|||
|
><A
|
|||
|
NAME="AEN271"
|
|||
|
>4.3. Set Up sudo</A
|
|||
|
></H2
|
|||
|
><P
|
|||
|
>pppd needs to run as root. However, on the server, we're running
|
|||
|
everything as the "vpn" user. How can the vpn user run pppd?</P
|
|||
|
><P
|
|||
|
>There are a number of ways of solving this problem. One is to use
|
|||
|
the suid bit, and arrange permissions by groups. However, this can get
|
|||
|
confusing and difficult to administer pretty fast, leading to unintentional
|
|||
|
security holes. Personally,
|
|||
|
I find the sudo utility to be a much better solution.</P
|
|||
|
><P
|
|||
|
>sudo gives ordinary users superuser powers,
|
|||
|
but only for a very limited set of commands.
|
|||
|
The system administrator gets to decide what commands are allowed
|
|||
|
and how much logging to perform. In this case, we want to
|
|||
|
allow the user "vpn" to run pppd with superuser privilege, but
|
|||
|
not be allowed to do anything else.</P
|
|||
|
><P
|
|||
|
></P
|
|||
|
><OL
|
|||
|
TYPE="1"
|
|||
|
><LI
|
|||
|
><P
|
|||
|
>We need to edit sudo's configuration file, /etc/sudoers.
|
|||
|
To use proper locking, hopefully preventing accidents and race conditions,
|
|||
|
use the visudo command to edit /etc/sudoers.
|
|||
|
If you're not faimiliar with vi, see the <A
|
|||
|
HREF="http://www.linuxdoc.org/HOWTO/Vim-HOWTO.html"
|
|||
|
TARGET="_top"
|
|||
|
>VIM HOWTO</A
|
|||
|
>.</P
|
|||
|
><TABLE
|
|||
|
BORDER="1"
|
|||
|
BGCOLOR="#E0E0E0"
|
|||
|
WIDTH="90%"
|
|||
|
><TR
|
|||
|
><TD
|
|||
|
><FONT
|
|||
|
COLOR="#000000"
|
|||
|
><PRE
|
|||
|
CLASS="SCREEN"
|
|||
|
>server# visudo</PRE
|
|||
|
></FONT
|
|||
|
></TD
|
|||
|
></TR
|
|||
|
></TABLE
|
|||
|
><P
|
|||
|
>Add these two lines to the bottom of the file:</P
|
|||
|
><TABLE
|
|||
|
BORDER="1"
|
|||
|
BGCOLOR="#E0E0E0"
|
|||
|
WIDTH="90%"
|
|||
|
><TR
|
|||
|
><TD
|
|||
|
><FONT
|
|||
|
COLOR="#000000"
|
|||
|
><PRE
|
|||
|
CLASS="SCREEN"
|
|||
|
>Cmnd_Alias VPN=/usr/sbin/pppd
|
|||
|
vpn ALL=NOPASSWD: VPN</PRE
|
|||
|
></FONT
|
|||
|
></TD
|
|||
|
></TR
|
|||
|
></TABLE
|
|||
|
></LI
|
|||
|
><LI
|
|||
|
><P
|
|||
|
>Now, verify that sudo is set up correctly. As the "vpn" user on the
|
|||
|
server, try running pppd using sudo:</P
|
|||
|
><TABLE
|
|||
|
BORDER="1"
|
|||
|
BGCOLOR="#E0E0E0"
|
|||
|
WIDTH="90%"
|
|||
|
><TR
|
|||
|
><TD
|
|||
|
><FONT
|
|||
|
COLOR="#000000"
|
|||
|
><PRE
|
|||
|
CLASS="SCREEN"
|
|||
|
>server# su - vpn
|
|||
|
server$ sudo /usr/sbin/pppd noauth
|
|||
|
~9}#<23>Z}!}!} }9}"}k} }r} }'}%}zt2-<2D>}'}"}</PRE
|
|||
|
></FONT
|
|||
|
></TD
|
|||
|
></TR
|
|||
|
></TABLE
|
|||
|
><P
|
|||
|
>If you get a whole bunch of PPP garbage to the screen
|
|||
|
(like the last line above), this is
|
|||
|
good. It means that the vpn user is allowed to run pppd. You can
|
|||
|
now switch to another terminal to kill it off, or you can just
|
|||
|
let pppd finish on its own. It should give up trying to connect
|
|||
|
after 30 seconds or so.</P
|
|||
|
><P
|
|||
|
>However, if you get "bash: /usr/sbin/pppd: Permission denied"
|
|||
|
or some other sort of error,
|
|||
|
or it asks for a password, then sudo is probably not working.
|
|||
|
You'll need to try figure out what is going wrong. Verify
|
|||
|
that pppd is in /usr/sbin, and that you set up the sudoers
|
|||
|
file correctly.</P
|
|||
|
></LI
|
|||
|
></OL
|
|||
|
></DIV
|
|||
|
></DIV
|
|||
|
><DIV
|
|||
|
CLASS="NAVFOOTER"
|
|||
|
><HR
|
|||
|
ALIGN="LEFT"
|
|||
|
WIDTH="100%"><TABLE
|
|||
|
WIDTH="100%"
|
|||
|
BORDER="0"
|
|||
|
CELLPADDING="0"
|
|||
|
CELLSPACING="0"
|
|||
|
><TR
|
|||
|
><TD
|
|||
|
WIDTH="33%"
|
|||
|
ALIGN="left"
|
|||
|
VALIGN="top"
|
|||
|
><A
|
|||
|
HREF="installation.html"
|
|||
|
>Prev</A
|
|||
|
></TD
|
|||
|
><TD
|
|||
|
WIDTH="34%"
|
|||
|
ALIGN="center"
|
|||
|
VALIGN="top"
|
|||
|
><A
|
|||
|
HREF="index.html"
|
|||
|
>Home</A
|
|||
|
></TD
|
|||
|
><TD
|
|||
|
WIDTH="33%"
|
|||
|
ALIGN="right"
|
|||
|
VALIGN="top"
|
|||
|
><A
|
|||
|
HREF="configclient.html"
|
|||
|
>Next</A
|
|||
|
></TD
|
|||
|
></TR
|
|||
|
><TR
|
|||
|
><TD
|
|||
|
WIDTH="33%"
|
|||
|
ALIGN="left"
|
|||
|
VALIGN="top"
|
|||
|
>Software Installation</TD
|
|||
|
><TD
|
|||
|
WIDTH="34%"
|
|||
|
ALIGN="center"
|
|||
|
VALIGN="top"
|
|||
|
> </TD
|
|||
|
><TD
|
|||
|
WIDTH="33%"
|
|||
|
ALIGN="right"
|
|||
|
VALIGN="top"
|
|||
|
>Configure the Client</TD
|
|||
|
></TR
|
|||
|
></TABLE
|
|||
|
></DIV
|
|||
|
></BODY
|
|||
|
></HTML
|
|||
|
>
|