1. Enter the openssl-1.0.0b directory and build and install OpenSSL with the commands below (see http://www.cgicentral.net/400CS/Docs/openssl/INSTALL.openssl.html for the full install notes). This step takes a while.
$ ./config --prefix=/usr/local --openssldir=/usr/local/openssl
$ make
$ make test
$ make install
2. Enter the srp-2.1.2 directory and configure it against the OpenSSL tree just built:
./configure --with-openssl=../openssl-1.0.0b/ --with-pam
3. make ; make install
After this both SRP and OpenSSL are installed.
If OpenSSL was not built first in step 1, make and make install fail with the errors below. The cause is that t_client.h includes t_sha.h, which in turn includes the headers under openssl-1.0.0b/include/openssl, and those do not exist until OpenSSL has been built. Further on, the link step fails with cannot find -lcrypto for the same reason. The errors look like this:
ot@localhost srp-2.1.2]# make;
Making all in libsrp
make[1]: Entering directory `/home/bryan/srp-2.1.2/libsrp'
gcc -DHAVE_CONFIG_H -I. -I. -I. -I../openssl-1.0.0b//include -fPIC -O -c t_client.c
In file included from t_client.h:33,
from t_client.c:33:
t_sha.h:37:25: openssl/sha.h: No such file or directory
In file included from t_client.h:33,
from t_client.c:33:
t_sha.h:39: parse error before "SHA1_CTX"
t_sha.h:39: warning: data definition has no type or storage class
In file included from t_client.c:33:
t_client.h:52: parse error before "SHA1_CTX"
t_client.h:52: warning: no semicolon at end of struct or union
t_client.h:61: parse error before '}' token
t_client.c: In function `t_clientopen':
t_client.c:48: parse error before "ctxt"
t_client.c:91: sizeof applied to an incomplete type
For errors such as cannot find -lcrypto the fix, after some searching, is the same: build and install OpenSSL first.
ot@localhost srp-2.1.2]# make ; make install
Making all in libsrp
make[1]: Entering directory `/home/bryan/srp-2.1.2/libsrp'
gcc -fPIC -O -o tconf tconf.o libsrp.a -L../openssl-1.0.0b//lib -L../openssl-1.0.0b/ -lcrypto -ldl -lnsl
/usr/bin/ld: cannot find -lcrypto
collect2: ld returned 1 exit status
make[1]: *** [tconf] Error 1
make[1]: Leaving directory `/home/bryan/srp-2.1.2/libsrp'
make: *** [all-recursive] Error 1
Making install in libsrp
make[1]: Entering directory `/home/bryan/srp-2.1.2/libsrp'
gcc -fPIC -O -o tconf tconf.o libsrp.a -L../openssl-1.0.0b//lib -L../openssl-1.0.0b/ -lcrypto -ldl -lnsl
/usr/bin/ld: cannot find -lcrypto
collect2: ld returned 1 exit status
make[1]: *** [tconf] Error 1
make[1]: Leaving directory `/home/bryan/srp-2.1.2/libsrp'
make: *** [install-recursive] Error 1
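Both failures above come from pointing --with-openssl at an OpenSSL tree that has not been built yet, so this can be checked before running configure in step 2. The shell function below is an added example, not part of the original notes or of the srp distribution: it looks for exactly the two things the srp build needs from that tree, include/openssl/sha.h (missing: "openssl/sha.h: No such file or directory") and libcrypto (missing: "cannot find -lcrypto"). The function name check_openssl_tree and its exit-code convention are this example's own; the --with-openssl flag is the real one from the srp configure script.

```shell
#!/bin/sh
# Added example (not from the original post): confirm that the directory
# handed to  ./configure --with-openssl=<dir> --with-pam  is a *built*
# OpenSSL tree before starting the srp build.
#
# check_openssl_tree DIR
#   prints what is missing on stderr; returns 0 when the tree is usable,
#   1 otherwise (exit-code convention of this example).
check_openssl_tree() {
    dir=$1
    missing=0

    # t_sha.h does '#include <openssl/sha.h>'; the header directory is
    # populated only once OpenSSL has been configured and built.
    if [ ! -f "$dir/include/openssl/sha.h" ]; then
        echo "missing $dir/include/openssl/sha.h (t_sha.h includes <openssl/sha.h>)" >&2
        missing=1
    fi

    # 'make' in the OpenSSL tree leaves libcrypto at the top level; the
    # srp Makefile passes both -L$dir/lib and -L$dir to ld, so a lib/
    # subdirectory is accepted as well.
    if [ ! -f "$dir/libcrypto.a" ] && [ ! -f "$dir/libcrypto.so" ] \
       && [ ! -f "$dir/lib/libcrypto.a" ] && [ ! -f "$dir/lib/libcrypto.so" ]; then
        echo "missing libcrypto in $dir (ld would fail with 'cannot find -lcrypto')" >&2
        missing=1
    fi

    return $missing
}

# Usage from inside srp-2.1.2, stopping before configure if the tree is
# not ready:
#   check_openssl_tree ../openssl-1.0.0b && \
#       ./configure --with-openssl=../openssl-1.0.0b/ --with-pam
```

Run it from the srp-2.1.2 directory with the same relative path you give to --with-openssl; if it reports a missing header or library, go back to step 1 and finish the OpenSSL make before continuing.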
4. Once OpenSSL and SRP are installed, the SRP FTP server can be configured. First copy the PAM modules into /lib/security:
cd srp-2.1.2/base/pam_eps
install -m 644 pam_eps_auth.so pam_eps_passwd.so /lib/security
Then run /usr/local/bin/tconf to create /etc/tpasswd.conf (the SRP group parameters, i.e. the modulus and generator that the verifiers in /etc/tpasswd are computed against).
5. Go to /etc/pam.d, back up the system-auth file, and change its contents to the following:
auth required /lib/security/pam_unix.so likeauth nullok md5 shadow
auth sufficient /lib/security/pam_eps_auth.so
auth required /lib/security/pam_deny.so
account sufficient /lib/security/pam_unix.so
account required /lib/security/pam_deny.so
password required /lib/security/pam_cracklib.so retry=3
password required /lib/security/pam_eps_passwd.so
password sufficient /lib/security/pam_unix.so nullok use_authtok md5 shadow
password required /lib/security/pam_deny.so
session required /lib/security/pam_limits.so
session required /lib/security/pam_unix.so
Note that nullok on the pam_unix.so lines lets accounts with an empty password field authenticate; drop it unless you actually need that.
6. Change /etc/pam.d/passwd to the following:
auth required /lib/security/pam_stack.so service=system-auth
account required /lib/security/pam_stack.so service=system-auth
password required /lib/security/pam_stack.so service=system-auth
7. Build the FTP client and server:
cd srp-2.1.2/ftp
make;make install
Create the xinetd service file /etc/xinetd.d/srp-ftp:
service ftp
{
	socket_type = stream
	wait = no
	user = root
	server = /usr/local/sbin/ftpd
	log_on_success = DURATION USERID
	log_on_failure = USERID
	nice = 10
	disable = no
}
Restart the xinetd service:
killall -kill xinetd
service xinetd start
8. Create /etc/pam.d/telnet with the following contents. Despite the file name, this stack is the one for the FTP service: it refuses users listed in /etc/ftpusers, requires a valid login shell (pam_shells.so) and defers the rest to the srp-ftp stack:
#%PAM-1.0
auth required /lib/security/pam_listfile.so item=user \
sense=deny file=/etc/ftpusers onerr=succeed
auth required /lib/security/pam_stack.so service=srp-ftp
auth required /lib/security/pam_shells.so
account required /lib/security/pam_stack.so service=srp-ftp
session required /lib/security/pam_stack.so service=srp-ftp
Be aware that onerr=succeed makes pam_listfile fail open: if /etc/ftpusers is missing or unreadable the deny list is silently skipped. Use onerr=fail if the login should be refused in that case.
9. Once /etc/pam.d/system-auth has been changed, the old user names and passwords can no longer be used to log in to the system. Reset each password with passwd <username>; this writes the new SRP verifier to /etc/tpasswd and the new hash to /etc/shadow. When running it, make sure no line in system-auth ends with trailing whitespace, otherwise passwd fails with passwd: error in service module. Also, because Linux and Windows use different line endings, if the error module is unknown appears, the line endings of system-auth have to be converted. Run:
vi system-auth
and in command mode enter
:set fileformat=unix
:w
After that, passwd updates the password and verifier without problems. While installing and running these commands, tail -f /var/log/messages shows the relevant error messages so the right fix can be made.
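Both passwd failures in step 9 are caused by stray bytes at the end of a line in the PAM file, so they can be caught before passwd is run. The shell functions below are an added example, not part of the original notes or of the srp distribution: check_pam_file flags CRLF line endings, trailing whitespace, and referenced modules that are not installed (a module PAM cannot find is the other cause of module is unknown), and fix_pam_line_endings does with sed what :set fileformat=unix does in vi, plus stripping trailing blanks. The function names and the optional module-directory argument (defaulting to /lib/security, where step 4 installs the modules) are assumptions of the example; only the simple "type control module args" line form used in this post is parsed, not the bracketed [...] control syntax.

```shell
#!/bin/sh
# Added example (not from the original post): sanity-check a PAM stack file
# such as /etc/pam.d/system-auth for the problems that make passwd fail.
#   trailing space/tab after the last argument -> "error in service module"
#   CR before the newline (DOS line endings)   -> "module is unknown",
#       because PAM tries to load "pam_unix.so<CR>"
#   module file not present in the module dir  -> "module is unknown"
#
# check_pam_file FILE [MODDIR]
#   reports problems on stderr; returns 0 if the file is clean, 1 otherwise.
check_pam_file() {
    file=$1
    moddir=${2:-/lib/security}   # where step 4 installed pam_eps_*.so
    bad=0

    # a literal CR anywhere means DOS line endings
    if grep -q "$(printf '\r')" "$file"; then
        echo "$file: CRLF line endings (run fix_pam_line_endings)" >&2
        bad=1
    fi

    # spaces or tabs after the last argument
    if grep -q "[[:space:]]$" "$file"; then
        echo "$file: trailing whitespace on some lines" >&2
        bad=1
    fi

    # third field is the module; relative names live in MODDIR
    # (simple "type control module args" lines only)
    while read -r type control module rest; do
        case $type in ''|'#'*) continue ;; esac
        # if the module was the last field, read left the CR on it
        module=$(printf '%s' "$module" | tr -d '\r')
        case $module in
            /*) path=$module ;;
            *)  path=$moddir/$module ;;
        esac
        if [ ! -f "$path" ]; then
            echo "$file: module $path not found" >&2
            bad=1
        fi
    done < "$file"

    return $bad
}

# fix_pam_line_endings FILE
#   rewrites FILE in place (keeping FILE.bak), removing CRs and trailing
#   blanks; the sed equivalent of ':set fileformat=unix' in step 9.
fix_pam_line_endings() {
    file=$1
    cp -p "$file" "$file.bak"
    sed 's/[[:space:]]*$//' "$file.bak" > "$file"
}

# Usage before running passwd:
#   check_pam_file /etc/pam.d/system-auth || fix_pam_line_endings /etc/pam.d/system-auth
```

Run check_pam_file on /etc/pam.d/system-auth (and the other files edited in steps 6 and 8) after every edit; a reported missing module means the install step in 4 was skipped or the path in the file is wrong, which the sed fix cannot repair.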
Now SRP FTP can be used with ftp host. I set this up following configuration notes found online but ran into many problems, so I am recording the process here for later reference.
ftp 192.168.0.101
Connected to 192.168.0.101.
220 localhost FTP server (SRPftp 1.3) ready.
User (192.168.0.101:(none)): btong
331 Password required for btong.
Password:
230 User btong logged in.
ftp>
Note that the User (192.168.0.101:(none)): prompt is the Windows command-line ftp client's, which has no SRP support, so this transcript shows an ordinary USER/PASS login against the SRP-capable server, with the password still sent in clear. To actually authenticate with SRP, connect with the SRP-enabled ftp client built in step 7.
References
http://www.ithov.com/Linux/Network/Ftp/83349_3.shtml
http://www.tekbar.net/network-construction/with---srp-to-establish-a-secure-linux-telnet-server.html