Yesterday, while setting up OpenVPN with MySQL authentication, I ran into the pam-mysql authentication bug. At the time I used
export LD_PRELOAD=/lib/libpam.so.0
as a workaround. After more Googling today, I found that a working patch already exists online. The steps are as follows:
cd /usr/src
wget http://prdownloads.sourceforge.net/pam-mysql/pam_mysql-0.7RC1.tar.gz
tar zxvf pam_mysql-0.7RC1.tar.gz
cd pam_mysql-0.7RC1
vi patch.in
with the following content:
--- Makefile.in.chold 2008-07-14 10:25:53.000000000 +0200
+++ Makefile.in 2008-07-14 10:26:06.000000000 +0200
@@ -110,7 +110,7 @@
CPPFLAGS = @CPPFLAGS@
LDFLAGS = @LDFLAGS@
LIBS = @LIBS@
-pam_mysql_la_LIBADD =
+pam_mysql_la_LIBADD = -lpam
pam_mysql_la_OBJECTS = pam_mysql.lo
CFLAGS = @CFLAGS@
COMPILE = $(CC) $(DEFS) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
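Review bot: the six context lines of this hunk (CPPFLAGS, LDFLAGS, LIBS, pam_mysql_la_OBJECTS, CFLAGS, COMPILE) have lost the single leading space a unified diff requires, so patch cannot match them against Makefile.in and rejects the hunk exactly as the comments below report ("Hunk #1 FAILED at 110"); restoring the space on those lines, or using the attached file, makes it apply, and the header `@@ -110,7 +110,7 @@` is consistent with the 3 + 1 + 3 lines shown. The one-line change itself, `+pam_mysql_la_LIBADD = -lpam`, is the right fix: it records libpam as a link-time dependency of the module so its PAM symbols resolve when the module is dlopen'ed, instead of relying on an LD_PRELOAD of libpam that every process loading the module would have to carry.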
Some readers reported that copying the patch above and applying it fails; I tried it and it really does. If you hit that, download the attachment below and rename it to patch.in:
Apply the patch, then build and install:
patch -p0 < patch.in
./configure
make
make install
/etc/init.d/openvpn restart
Reconnect to OpenVPN to test: it works!
PS: If you run Debian, the squeeze (testing) repository already has a new libpam-mysql with this patch applied, version 0.7~RC1-4.
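The copy-paste failure mentioned above is almost always a lost leading space: web rendering strips the space that marks a context line in a unified diff, and patch then reports the hunk as failed. The following is an added example, not code from the original post: a small checker for unified-diff hunks that reports lines without a valid prefix and header/body count mismatches, plus a helper that re-adds the missing space. The sample diff is a constructed copy of the page's hunk as a browser shows it, with the file names taken from the page.

```python
import re

# Hunk header: "@@ -old_start[,old_len] +new_start[,new_len] @@"
HUNK_RE = re.compile(r"^@@ -(\d+)(?:,(\d+))? \+(\d+)(?:,(\d+))? @@")


def check_unified_diff(text: str) -> list:
    """Return a list of problems found in a unified diff.

    An empty list means every hunk body uses a valid prefix (' ', '-', '+'
    or '\\') and its line counts match the hunk header, which is what GNU
    patch needs before it can even try to match the context."""
    problems = []
    lines = text.splitlines()
    i, hunks = 0, 0
    while i < len(lines):
        m = HUNK_RE.match(lines[i])
        if not m:
            i += 1                      # ---/+++ headers and text between hunks
            continue
        hunks += 1
        old_len = int(m.group(2)) if m.group(2) is not None else 1
        new_len = int(m.group(4)) if m.group(4) is not None else 1
        old_seen = new_seen = 0
        i += 1
        while i < len(lines) and (old_seen < old_len or new_seen < new_len):
            line = lines[i]
            if HUNK_RE.match(line) or line.startswith(("--- ", "+++ ")):
                break                   # next hunk started before this one was complete
            prefix = line[:1]
            if prefix == " ":
                old_seen += 1
                new_seen += 1
            elif prefix == "-":
                old_seen += 1
            elif prefix == "+":
                new_seen += 1
            elif prefix == "\\":
                pass                    # "\ No newline at end of file"
            else:
                # This is what a web page does to a pasted diff: the leading
                # space of a context line is gone.
                problems.append(
                    f"line {i + 1}: no diff prefix; a context line must start "
                    f"with a space: {line!r}")
                old_seen += 1           # count it as the context it was meant to be
                new_seen += 1
            i += 1
        if (old_seen, new_seen) != (old_len, new_len):
            problems.append(
                f"hunk {hunks}: header says -{old_len}/+{new_len} lines "
                f"but found -{old_seen}/+{new_seen}")
    if hunks == 0:
        problems.append("no @@ hunk header found")
    return problems


def restore_context_prefix(text: str) -> str:
    """Re-add the space that web rendering strips from context lines.

    Heuristic (an assumption of this example): any line that does not already
    carry a diff prefix is treated as a context line; headers and +/- lines
    are kept as they are."""
    out = []
    for line in text.splitlines():
        if HUNK_RE.match(line) or line.startswith(("--- ", "+++ ", " ", "-", "+", "\\")):
            out.append(line)
        else:
            out.append(" " + line)
    return "\n".join(out) + "\n"


# Constructed sample: the pam_mysql Makefile.in hunk the way a browser shows
# it, with the leading space stripped from all six context lines.
STRIPPED = """\
--- Makefile.in.chold 2008-07-14 10:25:53.000000000 +0200
+++ Makefile.in 2008-07-14 10:26:06.000000000 +0200
@@ -110,7 +110,7 @@
CPPFLAGS = @CPPFLAGS@
LDFLAGS = @LDFLAGS@
LIBS = @LIBS@
-pam_mysql_la_LIBADD =
+pam_mysql_la_LIBADD = -lpam
pam_mysql_la_OBJECTS = pam_mysql.lo
CFLAGS = @CFLAGS@
COMPILE = $(CC) $(DEFS) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
"""

if __name__ == "__main__":
    for problem in check_unified_diff(STRIPPED):
        print(problem)
    print("after repair:", check_unified_diff(restore_context_prefix(STRIPPED)))
```

Running the checker on a pasted patch before `patch -p0 < patch.in` tells you whether a failure comes from the file itself or from the target not matching; the repaired text is what the attached patch.txt contains in intact form.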
Hi, I got the following error:
luckypoem:/usr/src/pam_mysql-0.7RC1# nano patch.in
luckypoem:/usr/src/pam_mysql-0.7RC1# patch p0 < patch.in
-bash: patch: command not found
The patch package is missing; run aptitude install patch first.
I installed patch, and patch.in is clearly there in /usr/src/pam_mysql-0.7RC1, so why does it say No such file or directory?
luckypoem:/usr/src/pam_mysql-0.7RC1# ls
COPYING NEWS config.log missing pkg.m4
CREDITS README config.sub mkinstalldirs stamp-h.in
ChangeLog acinclude.m4 configure pam_mysql.c
INSTALL aclocal.m4 configure.in pam_mysql.spec
Makefile.am config.guess install-sh pam_mysql.spec.in
Makefile.in config.h.in ltmain.sh patch.in
luckypoem:/usr/src/pam_mysql-0.7RC1# patch p0 < patch.in
patch: **** Can't find file p0 : No such file or directory
Oops, it's patch -p0 < patch.in; the "-" in the original article seems to have been auto-escaped by WP. The file the error says it can't find is p0. Try again with the correct command line? I've fixed the article as well.
Another error:
luckypoem:/usr/src/pam_mysql-0.7RC1# patch -p0 < patch.in
patching file Makefile.in
Hunk #1 FAILED at 110.
1 out of 1 hunk FAILED -- saving rejects to file Makefile.in.rej
luckypoem:/usr/src/pam_mysql-0.7RC1#
I tried it and it really doesn't work; it seems to be WordPress again, it comes out wrong no matter how it's copied. I've saved it as a txt attachment and uploaded it, just download that directly. This WP escaping problem is a real headache.
I don't see the address of the txt attachment.
Oh, I see patch.txt now. But running ./configure gives a problem:
luckypoem:/usr/src/pam_mysql-0.7RC1# nano patch.in
luckypoem:/usr/src/pam_mysql-0.7RC1# patch -p0 < patch.in
patching file Makefile.in
luckypoem:/usr/src/pam_mysql-0.7RC1# ./configure
checking for a BSD-compatible install... /usr/bin/install -c
checking whether build environment is sane... yes
checking whether make sets $(MAKE)... no
checking for working aclocal-1.4... missing
checking for working autoconf... missing
checking for working automake-1.4... missing
checking for working autoheader... missing
checking for working makeinfo... missing
checking whether to enable maintainer-specific portions of Makefiles... no
checking for bison... no
checking for byacc... no
checking for g++... no
checking for c++... no
checking for gpp... no
checking for aCC... no
checking for CC... no
checking for cxx... no
checking for cc++... no
checking for cl... no
checking for FCC... no
checking for KCC... no
checking for RCC... no
checking for xlC_r... no
checking for xlC... no
checking for C++ compiler default output file name... configure: error: C++ compiler cannot create executables
See `config.log' for more details.
It seems my VPS is missing a lot of packages? Please tell me what else I need to install, thanks.
That's covered in my original article... read it carefully.
Hi, I've done the following:
patch -p0 8192] S=[8192->8192]
Mon Aug 23 12:47:45 2010 UDPv4 link local: [undef]
Mon Aug 23 12:47:45 2010 UDPv4 link remote: 67.202.105.135:443
Mon Aug 23 12:47:45 2010 TLS: Initial packet from 67.202.105.135:443, sid=5608f5f6 f47007a3
Mon Aug 23 12:47:45 2010 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Mon Aug 23 12:47:46 2010 VERIFY OK: depth=1, /C=cn/ST=gd/L=sz/O=luckypoem/OU=sales/CN=ym/emailAddress=luckypoem@gmail.com
Mon Aug 23 12:47:46 2010 VERIFY OK: nsCertType=SERVER
Mon Aug 23 12:47:46 2010 VERIFY OK: depth=0, /C=cn/ST=gd/L=sz/O=luckypoem/OU=sales/CN=ym/emailAddress=luckypoem@gmail.com
Mon Aug 23 12:48:45 2010 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Mon Aug 23 12:48:45 2010 TLS Error: TLS handshake failed
Mon Aug 23 12:48:45 2010 TCP/UDP: Closing socket
Mon Aug 23 12:48:45 2010 SIGUSR1[soft,tls-error] received, process restarting
It says TLS key negotiation failed. Connecting with a certificate works fine. Thanks for replying.
The config file wasn't changed accordingly... I suggest you read the article properly from start to finish first...
Part of the server.conf from this article, http://www.chinaunix.net/jh/50/513004.html :
What is tls-auth ta.key 0 for? When I set up certificate-based OpenVPN connections before, I didn't need tls-auth ta.key 0 at all. Is tls-auth ta.key 0 required now? And how do I generate ta.key?
http://www.openvpn.net/index.php/open-source/documentation/howto.html
tls-auth
The tls-auth directive adds an additional HMAC signature to all SSL/TLS handshake packets for integrity verification. Any UDP packet not bearing the correct HMAC signature can be dropped without further processing. The tls-auth HMAC signature provides an additional level of security above and beyond that provided by SSL/TLS.
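The directive the HOWTO describes is a pre-shared-key HMAC gate in front of the TLS handshake: packets that fail the check are discarded before the handshake code (and its memory and CPU cost) is ever reached, which is what limits the damage an unauthenticated sender can do to the port. The following is an added example, my own code and not OpenVPN's implementation or wire format, showing the mechanism in simplified form: each control packet carries a packet id and an HMAC-SHA256 tag over both id and payload, and the receiver verifies the tag in constant time and drops anything that fails or repeats an id. The key bytes, the tag layout and the strictly increasing packet-id rule are assumptions made for illustration.

```python
import hashlib
import hmac
import struct
from typing import Optional


class ControlChannelGate:
    """Pre-shared-key HMAC check on control-channel packets, in the spirit of
    OpenVPN's tls-auth: a packet whose tag does not verify is dropped before
    any TLS handshake code runs. Simplified, assumed layout (not OpenVPN's
    real wire format):  tag(32) || packet_id(4, big-endian) || payload."""

    TAG_LEN = 32

    def __init__(self, key: bytes):
        self.key = key
        self.highest_id_seen = 0     # packet ids must strictly increase (replay guard)
        self.dropped = 0             # packets rejected before TLS ever saw them

    def _tag(self, packet_id: int, payload: bytes) -> bytes:
        # The id is covered by the tag, so it cannot be rewritten to dodge the replay check.
        return hmac.new(self.key, struct.pack(">I", packet_id) + payload,
                        hashlib.sha256).digest()

    def seal(self, packet_id: int, payload: bytes) -> bytes:
        """Build an outgoing packet: tag, then id, then payload."""
        return self._tag(packet_id, payload) + struct.pack(">I", packet_id) + payload

    def open(self, packet: bytes) -> Optional[bytes]:
        """Return the payload if the tag verifies and the id is fresh, else None."""
        if len(packet) < self.TAG_LEN + 4:
            self.dropped += 1        # too short to carry a tag and an id
            return None
        tag, rest = packet[:self.TAG_LEN], packet[self.TAG_LEN:]
        packet_id = struct.unpack(">I", rest[:4])[0]
        payload = rest[4:]
        # Constant-time comparison, so verification time leaks nothing about the tag.
        if not hmac.compare_digest(tag, self._tag(packet_id, payload)):
            self.dropped += 1
            return None
        if packet_id <= self.highest_id_seen:
            self.dropped += 1        # replayed (or reordered) packet
            return None
        self.highest_id_seen = packet_id
        return payload


def demo() -> dict:
    """Exercise the gate with constructed packets and report what happened."""
    key = bytes(range(32))                      # constructed shared key (real: ta.key)
    client, server = ControlChannelGate(key), ControlChannelGate(key)
    good = client.seal(1, b"P_CONTROL_HARD_RESET_CLIENT_V2")
    # Same payload sealed under a different key: the tag will not verify.
    forged = ControlChannelGate(b"\x00" * 32).seal(2, b"P_CONTROL_HARD_RESET_CLIENT_V2")
    # One flipped payload bit: the tag no longer covers what was received.
    tampered = good[:-1] + bytes([good[-1] ^ 0x01])
    return {
        "valid_accepted": server.open(good) is not None,
        "replay_dropped": server.open(good) is None,
        "wrong_key_dropped": server.open(forged) is None,
        "tampered_dropped": server.open(tampered) is None,
        "dropped_total": server.dropped,
    }


if __name__ == "__main__":
    print(demo())
```

In OpenVPN the shared key file referenced by `tls-auth ta.key 0` is generated with `openvpn --genkey --secret ta.key`, as the HOWTO linked above describes; the same file goes to every peer, with direction 0 on the server and 1 on the clients, and a client that lacks the key, or has the wrong one, shows exactly the "TLS key negotiation failed to occur within 60 seconds" symptom from the log above, because the server silently drops its handshake packets.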