Calling FreeRADIUS from a Python client for authentication and authorization

Published: 2024/3/24, category: python, author: 豆豆

1. Installing FreeRADIUS on Ubuntu as the RADIUS server

apt install freeradius

2. RADIUS server configuration

(1) RADIUS clients that are allowed to connect

cat /etc/freeradius/3.0/clients.conf

# ipaddr is the client's IP address
# secret is the shared secret; it must be identical on the client and the server
client private {
    ipaddr = 127.0.0.1
    secret = testing123
}
client 172.18.4.210 {
    ipaddr = 172.18.4.210
    secret = testing123
    require_message_authenticator = no
    nastype = other
}
client 172.18.4.211 {
    ipaddr = 172.18.4.211
    secret = testing123
    require_message_authenticator = no
    nastype = other
}

(2) Format of the file that stores the user login information

cat /etc/freeradius/3.0/mods-config/files/authorize

# A custom Reply-Message attribute is returned in the response to the client's request
# user-admin1 is a user with the admin role
user-admin1 Cleartext-Password := "123456"
    Service-Type = "Login-User",
    Reply-Message = "WY-MimicMr-admin"
# user-viewer1 is a user with the viewer role
user-viewer1 Cleartext-Password := "123456"
    Service-Type = "Login-User",
    Reply-Message = "WY-MimicMr-viewer"

3. Client example

The pyrad module has to be installed to use its Python RADIUS client interface:

# pip install pyrad
from pyrad.client import Client
from pyrad.dictionary import Dictionary
import pyrad.packet

'''
dictionary is a file:
cat dictionary
# Following are the proper new names. Use these.
#
ATTRIBUTE   User-Name           1   string
ATTRIBUTE   User-Password       2   string
ATTRIBUTE   CHAP-Password       3   octets
ATTRIBUTE   NAS-IP-Address      4   ipaddr
ATTRIBUTE   NAS-Port            5   integer
ATTRIBUTE   Service-Type        6   integer
ATTRIBUTE   Framed-Protocol     7   integer
ATTRIBUTE   Framed-IP-Address   8   ipaddr
ATTRIBUTE   Framed-IP-Netmask   9   ipaddr
ATTRIBUTE   Framed-Routing      10  integer
ATTRIBUTE   Filter-Id           11  string
ATTRIBUTE   Framed-MTU          12  integer
ATTRIBUTE   Framed-Compression  13  integer
ATTRIBUTE   Login-IP-Host       14  ipaddr
ATTRIBUTE   Login-Service       15  integer
ATTRIBUTE   Login-TCP-Port      16  integer
ATTRIBUTE   Reply-Message       18  string
ATTRIBUTE   Callback-Number     19  string
ATTRIBUTE   Callback-Id         20  string
ATTRIBUTE   Framed-Route        22  string
ATTRIBUTE   Framed-IPX-Network  23  ipaddr
ATTRIBUTE   State               24  octets
ATTRIBUTE   Class               25  octets
ATTRIBUTE   Vendor-Specific     26  octets
ATTRIBUTE   Session-Timeout     27  integer
ATTRIBUTE   Idle-Timeout        28  integer
ATTRIBUTE   Termination-Action  29  integer
ATTRIBUTE   Called-Station-Id   30  string
ATTRIBUTE   Calling-Station-Id  31  string
ATTRIBUTE   NAS-Identifier      32  string
'''

def radius_auth(UserName, passwd):
    try:
        # secret must match the "secret" of this client in the server's clients.conf (testing123 above)
        srv = Client(server="172.18.4.211", authport=1812, secret=b"testing123",
                     dict=Dictionary("/opt/mr/sshmgr/dictionary"), timeout=7)
        req = srv.CreateAuthPacket(code=pyrad.packet.AccessRequest, User_Name=UserName)
        req["User-Password"] = req.PwCrypt(passwd)   # PAP: hides the password with the shared secret
        reply = srv.SendPacket(req)                  # raises on timeout or unverifiable reply
    except Exception as e:
        print('radius request failed:', e)
        return None
    if reply.code == pyrad.packet.AccessAccept:
        print("radius auth success.")
    else:
        return None
    # The role is carried in the custom Reply-Message "WY-MimicMr-<role>" set in the authorize file
    if 'Reply-Message' not in reply.keys():
        return None
    if 'WY-MimicMr' not in reply['Reply-Message'][0]:
        return None
    return reply['Reply-Message'][0].split('-')[-1]

print(radius_auth('radius_user1', '123456'))
print(radius_auth('radius_user2', '123456'))
print(radius_auth('user-admin1', '123456'))
print(radius_auth('user-viewer1', '123456'))

'''
root@MR-HEU:/opt/mr/sshmgr# python3 rad_test.py
None
None
radius auth success.
admin
radius auth success.
viewer
root@MR-HEU:/opt/mr/sshmgr#
'''

Reading the servers from a configuration file, so that several RADIUS servers can be tried in turn:

# radius auth by wsq 20220401
import logging
from pyrad.client import Client
from pyrad.dictionary import Dictionary
import pyrad.packet

'''
cat /etc/sysctl.d/pam_radius_auth.conf
# radius config file template by wsq 20220401
# server[:port] shared_secret timeout (s)
172.18.4.211:1812 testing123 7
172.18.4.212:1812 testing 7
'''

def radius_auth(UserName, passwd):
    conf_list = []
    try:
        with open('/etc/sysctl.d/pam_radius_auth.conf') as f:
            for config in f.readlines():
                conf = config.split()                 # split on any whitespace (spaces or tabs)
                if not conf or conf[0][0] == '#':     # skip blank lines and comments
                    continue
                host = conf[0].split(':')
                ip = host[0]
                port = int(host[1]) if len(host) > 1 else 1812   # port is optional, default 1812
                secret = bytes(conf[1], encoding="utf8")
                timeout = int(conf[2])
                conf_list.append([ip, port, secret, timeout])
    except Exception as e:
        logging.warning("open pam_radius_auth.conf fail. %s" % e)
        return None
    for conf in conf_list:
        try:
            srv = Client(server=conf[0], authport=conf[1], secret=conf[2],
                         dict=Dictionary("/opt/mr/sshmgr/dictionary"), timeout=conf[3])
            req = srv.CreateAuthPacket(code=pyrad.packet.AccessRequest, User_Name=UserName)
            req["User-Password"] = req.PwCrypt(passwd)
            reply = srv.SendPacket(req)
        except Exception as e:
            # timeout or network error: fall through to the next server in the list
            logging.warning("radius server %s auth user %s fail. %s" % (conf[0], UserName, e))
            continue
        else:
            if reply.code == pyrad.packet.AccessAccept:
                logging.info("radius auth user %s success." % UserName)
            else:
                return None   # an explicit Access-Reject is final; do not ask the other servers
            if 'Reply-Message' not in reply.keys():
                return None
            if 'WY-MimicMr' not in reply['Reply-Message'][0]:
                return None
            return reply['Reply-Message'][0].split('-')[-1]
    return None   # no server answered

print(radius_auth('user-admin1', '123456'))
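The two pyrad calls the client relies on, PwCrypt and SendPacket, hide the RFC 2865 steps that make the shared secret matter: the password is masked with MD5(secret + Request Authenticator), and a reply is only accepted if its Response Authenticator recomputes with the same secret, which is why section 4 insists the secret match the server's clients.conf exactly. The stdlib-only Python below is an added example, not code from the original post or from pyrad; it builds the same Access-Request (with the optional Message-Authenticator that the page's clients.conf does not require), verifies a reply the way pyrad does, and applies the page's Reply-Message role check. make_access_accept is a constructed stand-in for the FreeRADIUS reply so the whole thing runs offline.

```python
import hashlib, hmac, os, struct
# RFC 2865 codes and attribute types used on this page; 80 is the RFC 3579 Message-Authenticator
ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
USER_NAME, USER_PASSWORD, REPLY_MESSAGE, MSG_AUTHENTICATOR = 1, 2, 18, 80

def _attr(atype, value):
    return struct.pack("!BB", atype, len(value) + 2) + value

def pap_hide(password, secret, req_auth):
    """RFC 2865 5.2 (pyrad's PwCrypt): XOR 16-byte blocks with MD5(secret + previous block); block 0 uses req_auth."""
    pw = password.encode()
    pw += b"\x00" * (-len(pw) % 16)
    out, prev = b"", req_auth
    for i in range(0, len(pw), 16):
        prev = bytes(a ^ b for a, b in zip(pw[i:i + 16], hashlib.md5(secret + prev).digest()))
        out += prev
    return out

def build_access_request(username, password, secret, ident=1, req_auth=None):
    req_auth = req_auth or os.urandom(16)  # must be unpredictable: it keys the password hiding
    attrs = _attr(USER_NAME, username.encode()) + _attr(USER_PASSWORD, pap_hide(password, secret, req_auth))
    # Message-Authenticator = HMAC-MD5(secret, packet with this attribute zeroed); the clients.conf above
    # sets require_message_authenticator = no, so that server also accepts requests that omit it.
    hdr = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs) + 18) + req_auth
    mac = hmac.new(secret, hdr + attrs + _attr(MSG_AUTHENTICATOR, bytes(16)), hashlib.md5).digest()
    return hdr + attrs + _attr(MSG_AUTHENTICATOR, mac)

def verify_reply(reply, req_auth, secret):
    """RFC 2865 3 (the check inside pyrad's SendPacket): MD5(Code+ID+Length + req_auth + attrs + secret) must match."""
    expected = hashlib.md5(reply[:4] + req_auth + reply[20:] + secret).digest()
    return hmac.compare_digest(expected, reply[4:20])

def role_from_reply(reply, req_auth, secret):
    """The page's decision: only a verified Access-Accept whose Reply-Message is WY-MimicMr-<role> grants a role."""
    if not verify_reply(reply, req_auth, secret) or reply[0] != ACCESS_ACCEPT:
        return None  # a wrong secret, a forged reply or an Access-Reject all end here
    pos = 20
    while pos + 2 <= len(reply) and reply[pos + 1] >= 2:  # walk the TLV attribute list
        atype, alen = reply[pos], reply[pos + 1]
        if atype == REPLY_MESSAGE:
            msg = reply[pos + 2:pos + alen].decode(errors="replace")
            if msg.startswith("WY-MimicMr-"):
                return msg.split("-")[-1]
        pos += alen
    return None

def make_access_accept(ident, req_auth, secret, message):
    """Constructed server reply for offline testing, in the shape FreeRADIUS would send."""
    attrs = _attr(REPLY_MESSAGE, message.encode())
    hdr = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(attrs))
    return hdr + hashlib.md5(hdr + req_auth + attrs + secret).digest() + attrs
```

Feeding role_from_reply a reply built with testing123 but checking it with the mistyped testing12 returns None, which is exactly the silent timeout a pyrad client shows when the two sides disagree on the secret.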

4. Configuring pam_radius_auth on Ubuntu 14.04 so that SSH and telnet logins authenticate against RADIUS

First, install libpam-radius-auth:

apt-get install libpam-dev
apt-get install libpam-radius-auth
# Building from source instead:
# wget ftp://ftp.freeradius.org/pub/radius/pam_radius-1.4.0.tar.gz
# tar -xzvf pam_radius-1.4.0.tar.gz
# cd pam_radius-release_1_4_0/
# ./configure
# make

After installation, the built pam_radius_auth.so and pam_radius_auth.conf are located at
/lib/security/pam_radius_auth.so and /etc/pam_radius_auth.conf respectively.

On 64-bit Ubuntu 14.04 and later, copy pam_radius_auth.so into the PAM module directory /lib/x86_64-linux-gnu/security/:

cp pam_radius_auth.so /lib/x86_64-linux-gnu/security/

Copy pam_radius_auth.conf into the system configuration directory /etc/sysctl.d/:

cp pam_radius_auth.conf /etc/sysctl.d/

Set the permissions of pam_radius_auth.conf to 0600, since it holds the shared secret:

cd /etc/sysctl.d/ && chmod 0600 pam_radius_auth.conf

In pam_radius_auth.conf, configure the parameters the pam_radius client uses to talk to the RADIUS server:
① RADIUS server IP (required)
② RADIUS server port (optional; defaults to 1812 for authentication/authorization or 1813 for accounting)
③ shared_secret (required)
④ timeout (required)

Note: the shared_secret field must match exactly the secret field of the corresponding client entry in the server's client configuration file /etc/raddb/clients.conf.

vim pam_radius_auth.conf

(1) Make telnet remote logins authenticate via RADIUS
Note: Ubuntu 14.04 has no PAM configuration file for telnet at /etc/pam.d/remote, so the setting has to go into /etc/pam.d/login, as shown in the figure below.

vim /etc/pam.d/login

Add the part shown in the yellow box; keep it at that position and do not move it.

(2) Make SSH remote logins authenticate via RADIUS

vim /etc/pam.d/sshd

Add the two parts shown in the yellow boxes; keep them at those positions and do not move them.
