
Authentication Gateway HOWTO

Nathan Zorn


Abstract

Wireless networks and public-access connections, for example in a library or a dormitory, have raised many security concerns. The security measures implemented so far do not address those concerns. Using an authentication gateway has been proposed as a solution. An authentication gateway addresses the security concerns by forcing users to authenticate before they can use the network.

Revision History
Revision 0.01-kr  2001-02-08  Revised by: kenji
    Translated from version 0.03.
Revision 0.03     2001-12-06  Revised by: nhz
Revision 0.02     2001-09-28  Revised by: KET
Revision 0.01     2001-09-06  Revised by: nhz

1. Introduction

On wireless networks and public-access connections, an unauthorized user can join the network very easily, and can watch the signal and capture connection information from it. Unauthorized users can also plug their own machines into a public terminal and obtain network access. Security has been applied in the form of WEP, but tools such as AirSnort can break it. One way to solve this problem is not to rely on wireless security devices at all, but to place an authentication gateway at the edge of the wireless network or public-access area, so that users are forced to authenticate before they can use the network. This HOWTO describes how to set up such an authentication gateway using Linux.


1.1. Copyright Information

This document is copyrighted by Nathan Zorn. Permission is granted to copy, distribute and/or modify it under the terms of the GNU Free Documentation License, Version 1.1 or any later version published by the Free Software Foundation. The license is available at http://www.gnu.org/copyleft/fdl.html.

If you have any questions, please contact .


1.2. Disclaimer

The author accepts no liability for the contents of this document. Use of the concepts, examples and other content of this document is entirely at your own risk. Even if this is the latest version of the document, it may contain errors and inaccuracies that could damage your system. Keep this warning in mind and proceed with caution; although damage is unlikely, the author takes no responsibility for the consequences.

Unless otherwise stated, all copyrights are held by their respective owners. Use of a term in this document should not be regarded as affecting the validity of any trademark or service mark.

Naming of particular products or brands should not be seen as an endorsement.

You are strongly recommended to back up your system before any major installation, and to back up at regular intervals.


1.3. New Versions

This is the initial version of this document.

The latest version is available at http://www.itlab.musc.edu/~nathan/authentication_gateway/. Related HOWTOs can also be found on the Linux Documentation Project home page.


1.4. Credits

Jamin W. Collins

Kristin E Thomas


1.5. Feedback

Feedback is the most welcome contribution to this document. Without your help it would not exist. Please send your additions, comments and criticisms to the following email address: .


2. Requirements

This section describes what is needed for the authentication gateway.


2.1. Netfilter

The authentication gateway uses Netfilter and iptables to manage the firewall. Please refer to the Netfilter HOWTO.


2.2. PAM for Netfilter rules

The pluggable authentication module (PAM) written by Nathan Zorn is available at http://www.itlab.musc.edu/~nathan/pam_iptables.


2.3. DHCP Server

The authentication gateway acts as a DHCP (dynamic host configuration protocol) server for the public network. I use the ISC DHCP server.


2.4. Authentication Mechanism

The gateway can use any PAM authentication method. The authentication mechanism at the Medical University of South Carolina is LDAP. Because LDAP is used for authentication, the PAM module on the gateway box was configured to use LDAP; see http://www.padl.com/pam_ldap.html for more information. PAM allows many different authentication methods to be used. Refer to the documentation of the PAM module you wish to use, and see the list of pam modules for information on other methods.


2.5. DNS Server

The gateway box also acts as a DNS server for the public network. I installed Bind and configured it as a caching nameserver, using the caching-nameserver RPM package that ships with Red Hat.


3. Setting Up the Gateway Services

This section describes, step by step, how the authentication gateway is configured. The examples use private IP addresses in the 10.0.1.0 subnet; eth0 is the NIC connected to the internal network, and eth1 is the device connected to the public network. The IP address used for eth1 is 10.0.1.1, but adjust these values to suit your own environment. Red Hat 7.1 was used on the gateway box, so much of the example is Red Hat-specific.


3.1. Installing Netfilter

To install netfilter you must recompile the kernel with netfilter support. See the Kernel-HOWTO for how to configure and recompile a kernel.

The following is part of my kernel configuration.

   #
   # Networking options
   #
   CONFIG_PACKET=y
   # CONFIG_PACKET_MMAP is not set
   # CONFIG_NETLINK is not set
   CONFIG_NETFILTER=y
   CONFIG_NETFILTER_DEBUG=y
   CONFIG_FILTER=y
   CONFIG_UNIX=y
   CONFIG_INET=y
   CONFIG_IP_MULTICAST=y
   # CONFIG_IP_ADVANCED_ROUTER is not set
   # CONFIG_IP_PNP is not set
   # CONFIG_NET_IPIP is not set
   # CONFIG_NET_IPGRE is not set
   # CONFIG_IP_MROUTE is not set
   # CONFIG_INET_ECN is not set
   # CONFIG_SYN_COOKIES is not set


   #   IP: Netfilter Configuration
   #   
   CONFIG_IP_NF_CONNTRACK=y
   CONFIG_IP_NF_FTP=y
   CONFIG_IP_NF_IPTABLES=y
   CONFIG_IP_NF_MATCH_LIMIT=y
   CONFIG_IP_NF_MATCH_MAC=y
   CONFIG_IP_NF_MATCH_MARK=y
   CONFIG_IP_NF_MATCH_MULTIPORT=y
   CONFIG_IP_NF_MATCH_TOS=y
   CONFIG_IP_NF_MATCH_TCPMSS=y
   CONFIG_IP_NF_MATCH_STATE=y
   CONFIG_IP_NF_MATCH_UNCLEAN=y
   CONFIG_IP_NF_MATCH_OWNER=y
   CONFIG_IP_NF_FILTER=y
   CONFIG_IP_NF_TARGET_REJECT=y
   CONFIG_IP_NF_TARGET_MIRROR=y
   CONFIG_IP_NF_NAT=y
   CONFIG_IP_NF_NAT_NEEDED=y
   CONFIG_IP_NF_TARGET_MASQUERADE=y
   CONFIG_IP_NF_TARGET_REDIRECT=y
   CONFIG_IP_NF_NAT_FTP=y
   CONFIG_IP_NF_MANGLE=y
   CONFIG_IP_NF_TARGET_TOS=y
   CONFIG_IP_NF_TARGET_MARK=y
   CONFIG_IP_NF_TARGET_LOG=y
   CONFIG_IP_NF_TARGET_TCPMSS=y
   

iptables must be installed, either from your distribution's package or from source. After compiling a new kernel with the options above and installing iptables, I set the following as the base firewall rules.

   iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
   iptables -A INPUT -i eth0 -m state --state NEW,INVALID -j DROP
   iptables -A FORWARD -i eth0 -m state --state NEW,INVALID -j DROP
   iptables -I FORWARD -o eth0 -j DROP
   iptables -I FORWARD -s 10.0.1.0/24 -d 10.0.1.1 -j ACCEPT
   

To have these rules applied when the server boots, you can put the above commands in an init script. To check that the rules have been added, run the following commands:

   iptables -v -t nat -L
   iptables -v -t filter -L
   

To save these rules, I used Red Hat's init script.

   /etc/init.d/iptables save
   /etc/init.d/iptables restart
   

Once the rules are in place, enable IP forwarding with the following command.

   echo 1 > /proc/sys/net/ipv4/ip_forward
   

To have IP forwarding enabled when the machine reboots, add the following line to /etc/sysctl.conf.

   net.ipv4.ip_forward = 1
   

The gateway box can now do NAT, but it will DROP every forwarded packet except those destined for the inside of the public network and for the gateway itself.


3.2. PAM iptables Module

This is a PAM session module that adds firewall rules; it is needed to allow forwarding for authenticated clients. To set it up, simply get the source and compile it with the following commands.

   gcc -fPIC -c pam_iptables.c
   ld -x --shared -o pam_iptables.so pam_iptables.o
   

You should now have the binaries pam_iptables.so and pam_iptables.o. Copy pam_iptables.so to /lib/security/pam_iptables.so.

   cp pam_iptables.so /lib/security/pam_iptables.so
   

ssh was chosen as the authentication client for the gateway, so I added the following line to /etc/pam.d/sshd.

   session    required     /lib/security/pam_iptables.so 
   

Now, when a user logs in with ssh, the firewall rule is added.

The default interface for pam_iptables is eth0, but you can change the default by adding the interface parameter.

   session required /lib/security/pam_iptables.so interface=eth1
   

This is only needed if the interface connected to the external network is not named eth0.

To check that the pam_iptables module is working, perform the following steps.

  1. Log in to the gateway box using ssh.

  2. Check with `iptables -L' that the rule has been added.

  3. Log out of the gateway box so that the rule is removed.
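As an added illustration (not the pam_iptables source, and not code from the original HOWTO), the following script shows the two operations a session hook on the gateway has to perform: inserting an ACCEPT rule for exactly the authenticated client's address in front of the FORWARD DROP rule from section 3.1 when the session opens, and deleting the same rule again when the session closes. The interface names and the 10.0.1.0/24 subnet come from this HOWTO; the address check, the DRY_RUN variable and the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example: what a login-session hook on the gateway must do.
# Assumptions (not from the HOWTO): clients are only ever addresses that
# dhcpd hands out from 10.0.1.3-10.0.1.254, and DRY_RUN=1 prints the
# iptables command instead of executing it (so it can be tried without root).

PUBLIC_NET_PREFIX="10.0.1."
INTERNAL_IF="${INTERNAL_IF:-eth0}"   # eth0 = interface to the internal network

# Return 0 only for a dotted quad inside the DHCP range on the public side.
# Anything else (the gateway's own 10.0.1.1, other subnets, junk) is refused,
# so a rule can never open forwarding for an address we did not authenticate.
valid_client_ip() {
    case "$1" in
        "$PUBLIC_NET_PREFIX"[0-9]|"$PUBLIC_NET_PREFIX"[0-9][0-9]|"$PUBLIC_NET_PREFIX"[0-9][0-9][0-9]) ;;
        *) return 1 ;;
    esac
    last=${1#"$PUBLIC_NET_PREFIX"}
    [ "$last" -ge 3 ] && [ "$last" -le 254 ]
}

run_iptables() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

# open:  -I puts the ACCEPT in front of the "-o eth0 -j DROP" base rule.
# close: -D removes that exact rule, so access ends with the ssh session.
session_rule() {
    action=$1; ip=$2
    valid_client_ip "$ip" || { echo "refusing non-client address: $ip" >&2; return 1; }
    case "$action" in
        open)  run_iptables -I FORWARD -s "$ip" -o "$INTERNAL_IF" -j ACCEPT ;;
        close) run_iptables -D FORWARD -s "$ip" -o "$INTERNAL_IF" -j ACCEPT ;;
        *) echo "usage: session_rule open|close <client-ip>" >&2; return 1 ;;
    esac
}

# Command-line use: ./session_rule.sh open 10.0.1.23
[ $# -eq 0 ] || session_rule "$@"
```

Run it with DRY_RUN=1 to see the rule that would be inserted, then compare against `iptables -v -t filter -L` on the gateway after a real ssh login.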


3.3. Configuring the DHCP Server

I configured DHCP with the following dhcpd.conf file.

   subnet 10.0.1.0 netmask 255.255.255.0 {
   # --- default gateway
        option routers                  10.0.1.1;
        option subnet-mask              255.255.255.0;
        option broadcast-address        10.0.1.255;

        option domain-name-servers       10.0.1.1;      
        range   10.0.1.3 10.0.1.254;
        option time-offset              -5;     # Eastern Standard Time

        default-lease-time 21600;
        max-lease-time 43200;

    } 
    

The server was started on eth1, the interface connected to the public network.

    /usr/sbin/dhcpd eth1
    

3.4. Configuring the Authentication Method

As explained in the previous section, I set up the gateway to use LDAP for authentication, but you may use any authentication method that PAM supports. See section 2.4 for more information.

To implement authentication with PAM LDAP, I installed OpenLDAP and configured /etc/ldap.conf as follows.

   # Your LDAP server. Must be resolvable without using LDAP.
   host itc.musc.edu

   # The distinguished name of the search base.
   base dc=musc,dc=edu
   ssl no
   

The following files were used to configure PAM for LDAP authentication; they were generated by Red Hat's configuration utility (authconfig).

/etc/pam.d/system-auth is generated as follows.

   #%PAM-1.0
   # This file is auto-generated.
   # User changes will be destroyed the next time authconfig is run.
   auth        required      /lib/security/pam_env.so
   auth        sufficient    /lib/security/pam_unix.so likeauth nullok
   auth        sufficient    /lib/security/pam_ldap.so use_first_pass
   auth        required      /lib/security/pam_deny.so

   account     required      /lib/security/pam_unix.so
   account     [default=ok user_unknown=ignore service_err=ignore system_err=ignore] /lib/security/pam_ldap.so

   password    required      /lib/security/pam_cracklib.so retry=3
   password    sufficient    /lib/security/pam_unix.so nullok use_authtok
   password    sufficient    /lib/security/pam_ldap.so use_authtok
   password    required      /lib/security/pam_deny.so

   session     required      /lib/security/pam_limits.so
   session     required      /lib/security/pam_unix.so
   session     optional      /lib/security/pam_ldap.so
       

The following /etc/pam.d/sshd file is generated.

   #%PAM-1.0
   auth       required     /lib/security/pam_stack.so service=system-auth
   auth       required     /lib/security/pam_nologin.so
   account    required     /lib/security/pam_stack.so service=system-auth
   password   required     /lib/security/pam_stack.so service=system-auth
   session    required     /lib/security/pam_stack.so service=system-auth
   #this line is added for firewall rule insertion upon login
   session    required     /lib/security/pam_iptables.so debug
   session    optional     /lib/security/pam_console.so
      


3.5. Configuring DNS

I installed the BIND that ships with Red Hat 7.1, together with the caching-nameserver RPM. The DHCP server tells the machines on the public network to use the gateway box as their nameserver.


4. Using the Authentication Gateway

To use the authentication gateway, your client machines must be configured to use DHCP. Install an ssh client on each machine and ssh to the gateway. Once logged in, you have access to the internal network. The following example shows a session from a Unix-based client.

 bash>ssh zornnh@10.0.1.1
 zornnh's Password:
 
 gateway>
 

Access is kept for as long as you stay logged in. Once you log out, access is lost.


5. Conclusion

  • The security approach presented in this HOWTO does not rely on the security measures provided by the wireless networking community. It assumes that the whole public network is insecure and lies outside your own network.

  • The gateway does not encrypt the traffic; it only allows users behind the gateway to reach the network. If both encryption and authentication are required, a VPN should be used.


6. Additional Resources

  • A document describing the authentication gateway implemented at NASA.

  • A white paper describing how the University of Alberta developed its authentication gateway.


7. Questions and Answers

This is only a collection of what I thought would be the most common questions people might have. Give me more feedback and I will turn this section into a proper FAQ.

