# Install the FreeRADIUS server from the distro package; on this Debian/Ubuntu
# layout its configuration lives under /etc/freeradius/3.0/ (see the paths below).
apt install freeradius
1、允许访问的radius客户端信息
# Client (NAS) definitions: which hosts may send requests and with which shared
# secret. The file's contents are reproduced below.
cat /etc/freeradius/3.0/clients.conf
# ipaddr: the client's IP address (the host allowed to send requests to this server)
# secret: the shared secret; the client must be configured with the identical value
# NOTE(review): "testing123" is the stock FreeRADIUS example secret. Every non-localhost
# client should get a long, unique, per-client secret before the server is reachable
# from the network; the same value is repeated for all three clients below.
client private {
    ipaddr = 127.0.0.1
    secret = testing123
}
client 172.18.4.210 {
    ipaddr = 172.18.4.210
    secret = testing123
    # Lets this client send Access-Requests without a Message-Authenticator
    # attribute, i.e. without the per-request integrity check. Keep it at "yes"
    # unless this particular client genuinely cannot send the attribute.
    require_message_authenticator = no
    nastype = other
}
client 172.18.4.211 {
    ipaddr = 172.18.4.211
    secret = testing123
    # Same relaxation as for 172.18.4.210 above; see the note there.
    require_message_authenticator = no
    nastype = other
}
2、保存用户登录信息的配置文件格式
# Local user database of the "files" module; each entry is a check line followed
# by indented reply attributes. Contents are reproduced below.
cat /etc/freeradius/3.0/mods-config/files/authorize
# Reply-Message is used as an application-level role tag: the radius_auth()
# client code below accepts only replies whose Reply-Message contains
# "WY-MimicMr" and treats the text after the last '-' as the role.
# NOTE(review): Cleartext-Password keeps each password in plain text in this
# file, so its permissions matter; FreeRADIUS also accepts hashed forms
# (e.g. Crypt-Password, SSHA-Password) that still work with the PAP requests
# sent below. "123456" is an example value only.
# user-admin1: account mapped to the admin role
user-admin1 Cleartext-Password := "123456"
    Service-Type = "Login-User",
    Reply-Message = "WY-MimicMr-admin"
# user-viewer1: account mapped to the viewer role
user-viewer1 Cleartext-Password := "123456"
    Service-Type = "Login-User",
    Reply-Message = "WY-MimicMr-viewer"
需要安装pyrad模块调用radius客户端python接口
# pip install pyrad
import logging

import pyrad.packet
from pyrad.client import Client
from pyrad.dictionary import Dictionary
'''
dictionary is file
cat dictionary
# Following are the proper new names. Use these.
#
ATTRIBUTE User-Name 1 string
ATTRIBUTE User-Password 2 string
ATTRIBUTE CHAP-Password 3 octets
ATTRIBUTE NAS-IP-Address 4 ipaddr
ATTRIBUTE NAS-Port 5 integer
ATTRIBUTE Service-Type 6 integer
ATTRIBUTE Framed-Protocol 7 integer
ATTRIBUTE Framed-IP-Address 8 ipaddr
ATTRIBUTE Framed-IP-Netmask 9 ipaddr
ATTRIBUTE Framed-Routing 10 integer
ATTRIBUTE Filter-Id 11 string
ATTRIBUTE Framed-MTU 12 integer
ATTRIBUTE Framed-Compression 13 integer
ATTRIBUTE Login-IP-Host 14 ipaddr
ATTRIBUTE Login-Service 15 integer
ATTRIBUTE Login-TCP-Port 16 integer
ATTRIBUTE Reply-Message 18 string
ATTRIBUTE Callback-Number 19 string
ATTRIBUTE Callback-Id 20 string
ATTRIBUTE Framed-Route 22 string
ATTRIBUTE Framed-IPX-Network 23 ipaddr
ATTRIBUTE State 24 octets
ATTRIBUTE Class 25 octets
ATTRIBUTE Vendor-Specific 26 octets
ATTRIBUTE Session-Timeout 27 integer
ATTRIBUTE Idle-Timeout 28 integer
ATTRIBUTE Termination-Action 29 integer
ATTRIBUTE Called-Station-Id 30 string
ATTRIBUTE Calling-Station-Id 31 string
ATTRIBUTE NAS-Identifier 32 string
'''
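def radius_auth(UserName, passwd, server="172.18.4.211", authport=1812,
                secret=b"testing12", dict_path="/opt/mr/sshmgr/dictionary",
                timeout=7):
    """Authenticate a user against a single RADIUS server with PAP.

    The connection parameters were hard-coded in the original; they are now
    keyword arguments whose defaults are those same values, so the existing
    two-argument callers below behave exactly as before.

    Args:
        UserName: value sent as the User-Name attribute.
        passwd: plaintext password. ``PwCrypt`` applies the RFC 2865
            User-Password encoding (MD5 keyed with the shared secret), which
            only hides the password from casual capture; the path to the
            server should be a trusted network.
        server: RADIUS server address.
        authport: UDP port for Access-Request packets.
        secret: shared secret as bytes. It must equal the ``secret`` of this
            host's entry in the server's clients.conf. NOTE(review): the
            clients.conf shown above uses "testing123" while this default is
            "testing12" -- confirm which value is actually deployed.
        dict_path: pyrad attribute dictionary file.
        timeout: seconds to wait for a reply.

    Returns:
        The role carried in Reply-Message (text after the last '-', e.g.
        "admin" for "WY-MimicMr-admin"), or None when the request could not
        be sent, timed out, was rejected, or the reply carries no
        "WY-MimicMr" Reply-Message. Every failure maps to None so callers
        fail closed.
    """
    try:
        srv = Client(server=server, authport=authport, secret=secret,
                     dict=Dictionary(dict_path), timeout=timeout)
        req = srv.CreateAuthPacket(code=pyrad.packet.AccessRequest,
                                   User_Name=UserName)
        req["User-Password"] = req.PwCrypt(passwd)
        reply = srv.SendPacket(req)
    except Exception as e:
        # Socket errors and pyrad's Timeout both land here. Log them instead
        # of the leftover debug marker; the password is never included.
        logging.warning("radius server %s auth user %s fail: %s",
                        server, UserName, e)
        return None
    if reply.code != pyrad.packet.AccessAccept:
        return None
    print("radius auth success.")
    return _role_from_reply(reply)


def _role_from_reply(reply):
    """Return the role encoded in an Access-Accept's Reply-Message, or None.

    The server's authorize file (above) answers with "WY-MimicMr-<role>";
    only a reply carrying that tag is trusted to convey a role.
    """
    if 'Reply-Message' not in reply.keys():
        return None
    values = reply['Reply-Message']
    if not values:
        # Attribute present but empty: no role rather than an IndexError.
        return None
    message = values[0]
    if 'WY-MimicMr' not in message:
        return None
    return message.rsplit('-', 1)[-1]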
# Smoke test: two unknown accounts, then the two accounts defined in the
# authorize file. Each line prints the role or None.
for account in ('radius_user1', 'radius_user2', 'user-admin1', 'user-viewer1'):
    print(radius_auth(account, '123456'))
'''
root@MR-HEU:/opt/mr/sshmgr# python3 rad_test.py
None
None
radius auth success.
admin
radius auth success.
viewer
root@MR-HEU:/opt/mr/sshmgr#
'''
读配置文件的方式,支持多服务器认证
# radius auth by wsq 20220401
'''
cat /etc/sysctl.d/pam_radius_auth.conf
# radius config file template by wsq 20220401
# server[:port] shared_secret timeout (s)
172.18.4.211:1812 testing123 7
172.18.4.212:1812 testing 7
'''
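def _load_radius_servers(conf_path):
    """Parse a pam_radius_auth.conf style file into server tuples.

    Each non-comment line is ``server[:port] shared_secret timeout``; blank
    lines and lines starting with '#' are skipped and fields may be separated
    by any whitespace. The port defaults to 1812 when omitted, which the notes
    below describe as optional for pam_radius_auth itself (the original
    parser raised IndexError on such a line).

    Returns:
        list of (host, port, secret_bytes, timeout_seconds) in file order.

    Raises:
        OSError if the file cannot be read; ValueError or IndexError on a
        malformed line. The caller turns any of these into a failed auth.
    """
    servers = []
    with open(conf_path) as f:
        for line in f:
            fields = line.split()
            if not fields or fields[0].startswith('#'):
                continue
            host, _, port = fields[0].partition(':')
            secret = fields[1].encode('utf8')
            timeout = int(fields[2])
            servers.append((host, int(port) if port else 1812, secret, timeout))
    return servers


def radius_auth(UserName, passwd, conf_path='/etc/sysctl.d/pam_radius_auth.conf',
                dict_path="/opt/mr/sshmgr/dictionary"):
    """Authenticate a user against the RADIUS servers listed in a config file.

    Servers are tried in file order. A server that cannot be reached (socket
    error or timeout) is skipped; the first server that answers decides:
    an Access-Accept with a "WY-MimicMr-<role>" Reply-Message yields the
    role, anything else yields None.

    Args:
        UserName: value sent as the User-Name attribute.
        passwd: plaintext password, sent with the RFC 2865 User-Password
            encoding; never logged.
        conf_path: config file in pam_radius_auth.conf format
            (``server[:port] shared_secret timeout`` per line). It contains
            the shared secrets in clear text, hence the 0600 permissions the
            notes below apply to it.
        dict_path: pyrad attribute dictionary file.

    Returns:
        The role string, or None on an unreadable/malformed config, when no
        server answers, on a reject, or when the reply lacks the tagged
        Reply-Message. Every failure path returns None (fail closed).
    """
    try:
        servers = _load_radius_servers(conf_path)
    except Exception as e:
        logging.warning("open pam_radius_auth.conf fail. %s", e)
        return None
    for host, port, secret, timeout in servers:
        try:
            srv = Client(server=host, authport=port, secret=secret,
                         dict=Dictionary(dict_path), timeout=timeout)
            req = srv.CreateAuthPacket(code=pyrad.packet.AccessRequest,
                                       User_Name=UserName)
            req["User-Password"] = req.PwCrypt(passwd)
            reply = srv.SendPacket(req)
        except Exception as e:
            # Unreachable or timed-out server: record why and try the next one.
            logging.warning("radius server %s auth user %s fail. %s",
                            host, UserName, e)
            continue
        if reply.code != pyrad.packet.AccessAccept:
            # A reachable server's reject is final; remaining servers are not
            # consulted (same as the original).
            return None
        logging.info("radius auth user %s success.", UserName)
        if 'Reply-Message' not in reply.keys():
            return None
        values = reply['Reply-Message']
        # Guard the empty-attribute case before indexing.
        if not values or 'WY-MimicMr' not in values[0]:
            return None
        return values[0].rsplit('-', 1)[-1]
    # Every configured server failed, or the list was empty.
    return None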
# Single check against the multi-server configuration: prints the role or None.
role = radius_auth('user-admin1', '123456')
print(role)
首先 安装libpam-radius-auth
# Package install of the PAM headers and the PAM RADIUS client module.
apt-get install libpam-dev
apt-get install libpam-radius-auth
# Install from source instead (steps as given in the original notes).
# NOTE(review): the tarball is fetched over plain FTP, which gives no integrity
# or origin guarantee; compare it against a checksum or signature obtained out
# of band before building.
# wget ftp://ftp.freeradius.org/pub/radius/pam_radius-1.4.0.tar.gz
# tar -xzvf pam_radius-1.4.0.tar.gz
# cd pam_radius-release_1_4_0/
# ./configure
# make
# (no "make install" here: the steps below copy the built .so and .conf by hand)
安装完成后,编译生成的pam_radius_auth.so,pam_radius_auth.conf分别放在
/lib/security/pam_radius_auth.so 和 /etc/pam_radius_auth.conf
在64位Ubuntu14.04以上版本下,
拷贝pam_radius_auth.so 到PAM模块库路径 /lib/x86_64-linux-gnu/security/
# PAM loads modules from the architecture's security directory; on 64-bit
# Ubuntu 14.04+ that is /lib/x86_64-linux-gnu/security/, not the
# /lib/security/ location the source build documents.
cp pam_radius_auth.so /lib/x86_64-linux-gnu/security/
拷贝pam_radius_auth.conf 到系统配置文件路径/etc/sysctl.d/
# NOTE(review): the module's documented default path is /etc/pam_radius_auth.conf
# (see above). With the file kept under /etc/sysctl.d/ the pam.d entries must
# point pam_radius_auth.so at it (the module accepts a conf=<path> argument),
# and the Python fallback above reads it from this same path.
cp pam_radius_auth.conf /etc/sysctl.d/
设置pam_radius_auth.conf 权限为0600
# The file holds every server's shared secret in clear text (see the template
# above), so it must not be readable by other local users.
cd /etc/sysctl.d/;chmod 0600 pam_radius_auth.conf
在pam_radius_auth.conf中配置radius客户端pam_radius和radius服务器用于交互的初始化信息,包括:
①radius 服务器IP(必须配置)
②radius 服务器PORT(可以省略,默认是1812<认证、授权>或1813<计费>)
③shared_secret(必须配置)
④timeout(必须配置)
注意:其中共享密钥shared_secret 域与radius服务器上客户端配置文件/etc/raddb/clients.conf 中的secret域必须严格一致(本文前面在Debian/Ubuntu上安装的freeradius,该文件位于/etc/freeradius/3.0/clients.conf)
# One line per server: server[:port] shared_secret timeout (see the template above).
vim pam_radius_auth.conf
⑴ 配置telnet远程登录身份验证使用radius验证
注意:Ubuntu14.04没有关于telnet的PAM配置文件/etc/pam.d/remote,只能配置在/etc/pam.d/login内,如下图所示。
# Add the pam_radius_auth.so entry for telnet logins (Ubuntu 14.04 has no
# /etc/pam.d/remote). The screenshot the notes refer to is not on this page;
# keep the line at the position the notes prescribe, because PAM evaluates
# the stack in order and moving it changes which module decides the result.
vim /etc/pam.d/login
增加黄色框里的部分,位置保持固定,不要随意改变。
⑵ 配置ssh远程登录身份验证使用radius验证
# Same entry for ssh logins; the pam.d/sshd stack only takes effect when sshd
# runs with "UsePAM yes" in sshd_config.
vim /etc/pam.d/sshd