openvpn怎样使用密码+证书双重认证?

1、server文件增加

auth-user-pass-verify /usr/local/openvpn/etc/checkpsw.sh via-env
# client-cert-not-required
username-as-common-name
script-security 3
备注：如果加上 client-cert-not-required，则表示只用用户名/密码验证登录；不加则需要证书和用户名/密码双重验证登录。注意 client-cert-not-required 从 OpenVPN 2.4 起已弃用（2.5 起移除），新版本请改用 verify-client-cert none。via-env 方式是把用户名和密码通过环境变量传给脚本，因此必须配合 script-security 3；username-as-common-name 表示认证通过后用脚本验证的用户名（而不是客户端证书的 CN）作为该连接的标识。

2、创建checkpsw.sh脚本文件

[root@openvpnservice openvpn]# vim checkpsw.sh
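 #!/bin/sh
 #
 # checkpsw.sh (C) 2004 Mathias Sundman mathias@openvpn.se
 #
 # OpenVPN "auth-user-pass-verify ... via-env" hook: authenticates the
 # connecting user against a plain-text password file.  The passfile
 # holds one row per user: the username, one or more spaces/tabs, then
 # the password.  Rows starting with ';' or '#' are ignored.
 #
 # Inputs (placed in the environment by OpenVPN, hence "via-env" and
 # "script-security 3"): $username, $password.
 # Exit status: 0 = accept the login, 1 = reject it.
 #
 # NOTE(review): passwords are stored and compared in clear text, so the
 # passfile must be readable only by the user OpenVPN runs as.
 PASSFILE="/etc/openvpn/psw-file"
 LOG_FILE="/var/log/openvpn-password.log"
 TIME_STAMP=$(date "+%Y-%m-%d %T")

 # Append one audit line.  The client-supplied password is deliberately
 # never written here: a failed attempt is usually a near-miss or a
 # password reused elsewhere, and the log is normally readable by more
 # people than the passfile.
 log() {
   printf '%s: %s\n' "${TIME_STAMP}" "$*" >> "${LOG_FILE}"
 }

 if [ ! -r "${PASSFILE}" ]; then
   log "Could not open password file \"${PASSFILE}\" for reading."
   exit 1
 fi

 # An empty username can never be a valid account; reject it before the
 # lookup instead of reporting it as a "does not exist" probe.
 if [ -z "${username}" ]; then
   log "Empty username supplied."
   exit 1
 fi

 # Look the user up.  The username comes from the client, so it is read
 # through awk's ENVIRON[] (OpenVPN exports it) rather than spliced into
 # the awk program text, where a quote or brace in it would be
 # interpreted as awk code.
 CORRECT_PASSWORD=$(awk '!/^;/ && !/^#/ && $1 == ENVIRON["username"] { print $2; exit }' "${PASSFILE}")

 if [ -z "${CORRECT_PASSWORD}" ]; then
   log "User does not exist: username=\"${username}\"."
   exit 1
 fi

 if [ "${password}" = "${CORRECT_PASSWORD}" ]; then
   log "Successful authentication: username=\"${username}\"."
   exit 0
 fi

 log "Incorrect password: username=\"${username}\"."
 exit 1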

脚本下载地址:http://od.mrtom.club/SHELL/checkpsw.sh（注意：该链接是明文 HTTP，且这个脚本会以 OpenVPN 服务进程身份执行，下载后请与上面的内容逐行核对，确认无误再部署）

创建用户

vim psw-file
# 用户名和密码：每行一个用户，用户名在前，用一个或多个空格/制表符分隔，后面是密码；以 # 或 ; 开头的行会被忽略
wangxuejin   Aa123
（文件路径必须与脚本中 PASSFILE 一致，即 /etc/openvpn/psw-file，否则脚本会因读不到文件而拒绝所有登录。密码是明文保存、明文比较的，请使用足够强的密码，Aa123 仅为示例。）

权限设置

[root@openvpnservice openvpn]# chmod 400 psw-file
[root@openvpnservice openvpn]# chown openvpn.openvpn psw-file
[root@openvpnservice openvpn]# chown root.root checkpsw.sh
[root@openvpnservice openvpn]# chmod 755 checkpsw.sh
注意：不要对 checkpsw.sh 使用 chmod 777。该脚本由 OpenVPN 服务进程执行，若任何本地用户都可写，就能往里写入以服务进程身份运行的命令，或者改掉认证逻辑放行任意用户；脚本本身不含密码，root 所有、755 即可。psw-file 的属主应为 OpenVPN 实际运行（user 指令指定）的用户，且只给该用户读权限。另外 /var/log/openvpn-password.log 也需要对该用户可写，否则认证日志不会记录。

客户端中加入

auth-user-pass

重启服务

 [root@openvpnservice openvpn]# systemctl restart openvpn@server
