When running OpenVPN, certificate-based client authentication is the most secure option, but it is hard to manage at scale, so most deployments authenticate with a username and password instead.
For OpenVPN installation and configuration see http://fengwan.blog.51cto.com/508652/1404435
1. Authentication against a text file
Only the following lines need to be added to the OpenVPN server configuration file:

```
script-security 3
username-as-common-name
auth-user-pass-verify /usr/local/openvpn/conf/scripts/checkpsw.sh via-env
client-cert-not-required
```

script-security 3 is required because via-env hands the password to the script through the environment. Note that client-cert-not-required was deprecated in OpenVPN 2.4 and removed in 2.5, where verify-client-cert none takes its place.
The content of /usr/local/openvpn/conf/scripts/checkpsw.sh is as follows:

```bash
#!/bin/bash
# OpenVPN auth-user-pass-verify script (via-env): the server exports the
# client's credentials as the environment variables username and password;
# exit status 0 accepts the login, anything else rejects it.
PASSFILE="/usr/local/openvpn/conf/passwd"
LOG_FILE="/usr/local/openvpn/logs/openvpn-password.log"
TIME_STAMP=$(date "+%Y-%m-%d %T")

###########################################################

if [ ! -r "${PASSFILE}" ]; then
    echo "${TIME_STAMP}: Could not open password file \"${PASSFILE}\" for reading." >> "${LOG_FILE}"
    exit 1
fi

# First non-comment line whose first field is the username; the second
# field is the expected (plaintext) password. Passing the username with
# -v keeps quotes in it from being parsed as part of the awk program.
CORRECT_PASSWORD=$(awk -v u="${username}" '!/^;/ && !/^#/ && $1 == u {print $2; exit}' "${PASSFILE}")

if [ "${CORRECT_PASSWORD}" = "" ]; then
    # The submitted password is deliberately kept out of the log.
    echo "${TIME_STAMP}: User does not exist: username=\"${username}\"." >> "${LOG_FILE}"
    exit 1
fi

if [ "${password}" = "${CORRECT_PASSWORD}" ]; then
    echo "${TIME_STAMP}: Successful authentication: username=\"${username}\"." >> "${LOG_FILE}"
    exit 0
fi

echo "${TIME_STAMP}: Incorrect password: username=\"${username}\"." >> "${LOG_FILE}"
exit 1
```
From the script above we can see the contract: the script receives two variables, ${username} and ${password}, and authentication succeeds if it exits with 0 and fails otherwise. Following the same idea, we can authenticate against MySQL instead.
The content of the /usr/local/openvpn/conf/passwd file is:

```
user1 pass1
user2 pass2
```

This defines two users, user1 and user2.
2. Authentication against a MySQL database. The content of /usr/local/openvpn/conf/scripts/checkpsw.sh can be changed to the following:

```bash
#!/bin/bash
HOST="localhost"
DB="openvpn"
DBUSER="openvpn"
DBPASS="123456"
DBTABLE='openvpn_user'

# Escape backslashes and single quotes so a value can be embedded in a MySQL
# string literal. Both the username and the password must be escaped, since
# both end up inside the query text.
sql_escape() {
    printf '%s' "$1" | sed -e 's/\\/\\\\/g' -e "s/'/\\\\'/g"
}
user=$(sql_escape "${username}")
pass=$(sql_escape "${password}")

# -N suppresses the header row, -B selects batch (tab-separated) output.
# Passing -p on the command line exposes DBPASS in the process list; a
# --defaults-extra-file is preferable in production.
MYSQL="/usr/bin/mysql -h${HOST} -u${DBUSER} -p${DBPASS} -N -B"

# The table stores unsalted md5 hashes, matching the schema below.
result=$($MYSQL -e "SELECT COUNT(1) FROM ${DB}.${DBTABLE} WHERE is_enabled='1' AND is_vpn='1' AND password=md5('${pass}') AND username='${user}';")

if [ "${result}" = "1" ]; then
    exit 0
else
    exit 1
fi
```
The table structure is:

```sql
create database openvpn;
use openvpn;
create table openvpn_user (
    id int(11) not null primary key auto_increment,
    username varchar(64) not null,
    password char(64) not null,
    is_vpn tinyint(1) default 1,
    is_enabled tinyint(1) default 1
);
-- GRANT ... IDENTIFIED BY creates the account implicitly on MySQL 5.x;
-- MySQL 8 requires a separate CREATE USER statement first.
grant all on openvpn.* to 'openvpn'@'localhost' identified by '123456';
flush privileges;
```
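A hardened variant of the database lookup, added here as an example and not code from the original post: it keeps the via-env contract (credentials in the environment, exit 0 on success) but binds the credentials as query parameters instead of splicing them into the SQL text, stores salted PBKDF2 hashes rather than unsalted md5, and compares hashes in constant time. It assumes Python 3 and uses an in-memory sqlite3 table mirroring the openvpn_user schema as a stand-in for MySQL; the names hash_password, open_demo_db and verify are mine.

```python
#!/usr/bin/env python3
"""auth-user-pass-verify script (via-env): OpenVPN exports the client's
username and password in the environment and accepts the login on exit 0."""
import hashlib
import hmac
import os
import sqlite3
import sys

# Constructed in-memory stand-in for the MySQL table on the page; a real
# deployment would run the same parameterized query against MySQL.
SCHEMA = """CREATE TABLE openvpn_user (
    id INTEGER PRIMARY KEY AUTOINCREMENT,
    username VARCHAR(64) NOT NULL UNIQUE,
    salt TEXT NOT NULL,
    pw_hash TEXT NOT NULL,
    is_vpn INTEGER DEFAULT 1,
    is_enabled INTEGER DEFAULT 1)"""


def hash_password(password: str, salt: bytes) -> str:
    # Salted PBKDF2-HMAC-SHA256 instead of the unsalted md5() the page stores.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000).hex()


def open_demo_db() -> sqlite3.Connection:
    db = sqlite3.connect(":memory:")
    db.execute(SCHEMA)
    # Constructed sample accounts: user1 enabled, user2 disabled.
    for user, pw, enabled in (("user1", "pass1", 1), ("user2", "pass2", 0)):
        salt = os.urandom(16)
        db.execute("INSERT INTO openvpn_user (username, salt, pw_hash, is_enabled) VALUES (?, ?, ?, ?)",
                   (user, salt.hex(), hash_password(pw, salt), enabled))
    return db


def verify(db: sqlite3.Connection, username: str, password: str) -> bool:
    # Parameter binding: the credentials never become part of the SQL text,
    # so a quote or comment sequence in them cannot alter the query.
    row = db.execute(
        "SELECT salt, pw_hash FROM openvpn_user WHERE username = ? AND is_enabled = 1 AND is_vpn = 1",
        (username,)).fetchone()
    if row is None:
        return False
    expected = hash_password(password, bytes.fromhex(row[0]))
    return hmac.compare_digest(expected, row[1])


if __name__ == "__main__":
    ok = verify(open_demo_db(), os.environ.get("username", ""), os.environ.get("password", ""))
    sys.exit(0 if ok else 1)
```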