- 论坛徽章:
- 15
|
因为用通常的方式设置swat, root的密码在网上是明码传送,不够安全。 所以要考虑用HTTPS方式访问, 我参考了一些资料,有些比较简单,有些有问题。所以我自己写了个详细的指导。里面的英文应该还算简单,搞unix 的应该都能读懂。 如果有任何疑问,请提出。
samba, openssl, tcp_wrappers, gcc, make 都是直接去sunfreeware下载安装的,唯独没有stunnel 4, 只能单独编译. 大家觉得好的,不要忘了顶一下。
Setting up SWAT using Stunnel (HTTPS) in Solaris
Configuring SWAT
The built in SWAT (Samba Web Administration Tool) utility can be used for basic configuration of the Samba installation, but because it may be inconvenient, undesirable or perhaps even impossible to gain access to the console, BLFS recommends setting up access to SWAT using Stunnel. Without Stunnel, the root password is transmitted in clear text over the wire, and is considered an unacceptable security risk.
Setting up SWAT using Stunnel
1. Install SAMBA 3.0.X
2. Install openssl-0.9.8b (do not install lower version), tcp_wrappers
3. Install gcc, make (if you haven\'t the compiler environment)
4. install patch 112438 (for solaris  , 112439 (for solaris 8 x86), needn\'t for solaris 9 and above.
After patch install, if you still can\'t see the file (/dev/random, and /dev/urandom), restart your machine. If after restart your machine, you still can\'t see the files, link them manully:
ln -s /devices/pseudo/random@0:random /dev/random
ln -s /devices/pseudo/random@0:urandom /dev/urandom
6. install stunnel-4.15 (configure, make, make install). My stunnel install path is /usr/local/stunnel
Just for notes: below step can be ignore, because after stunnel install, the file stunnel.pem have been generated. Only use it if the stunnel.pem is not generated.
***************************
Generate certificate and private key.
root# /usr/local/ssl/bin/openssl req -new -x509 -days 365 -nodes \\
-out /usr/local/stunnel/etc/stunnel/stunnel.pem -keyout /usr/local/stunnel/etc/stunnel/stunnel.pem
*****************************
7. Setting stunnel config file.
My stunnel config the file is at /usr/local/stunnel/etc/stunnel/stunnel.conf
cat >> /etc/stunnel/stunnel.conf << \"EOF\"
[swat]
accept = 901
connect = 902
TIMEOUTclose = 1
EOF
8. Remove SWAT entry from [x]inetd,/etc/inetd.conf, /etc/services , and restart the inetd daemon.
ps -ef |grep inetd
kill -HUP \"inetd_pid\"
9. Start Stunnel.
/usr/local/stunnel/sbin/stunnel3 -p /usr/local/stunnel/etc/stunnel/stunnel.pem -d 901 -l /usr/local/samba/sbin/swat swat
Notes: after stunnel installed, there are two stunnel under /usr/local/stunnel/sbin: stunnel and stunnel3. I can\'t set swat by stunnel, and only succesfully by stunnel3.
10. Afterwards simply contact swat by using the URL \"https://localhost:901\", accept the certificate and the SSL connection is up.
Reference:
1. http://www.linuxfromscratch.org/blfs/view/svn/server/samba3.html
I get most reference from the page, but in the part of \"Configuring SWAT\", it introduces another way to Set up SWAT using Stunnel, I test and think it is not security enough.
by its way, I can access swat by https://localhost:901 and http://localhost:902, by second URL, the root password is still transmitted in clear text over the network.
2. http://fi.samba.org/docs/swat_ssl.html |
|
免费注册
发表于 2006-07-12 07:34