EAP-TLS authentication support for PPP
======================================

1. Intro

The Extensible Authentication Protocol (EAP; RFC 3748) is a
security protocol that can be used with PPP. It provides a means
to plug in multiple optional authentication methods.

Transport Level Security (TLS; RFC 2246) provides for mutual
authentication, integrity-protected ciphersuite negotiation and
key exchange between two endpoints. It also provides for optional
MPPE encryption.

EAP-TLS (RFC 2716) encapsulates the TLS messages in EAP packets,
allowing TLS mutual authentication to be used as a generic EAP
mechanism. It also provides optional encryption using the MPPE
protocol.

This patch provides EAP-TLS support to pppd.
This authentication method can be used in either client or server
mode.

2. Building

To build pppd with EAP-TLS support, OpenSSL (http://www.openssl.org)
is required. Any version from 0.9.7 should work.

Configure, compile, and install as usual.

3. Configuration

On the client side there are two ways to configure EAP-TLS:

1. Supply the appropriate 'ca', 'cert' and 'key' command-line parameters.
2. Edit the /etc/ppp/eaptls-client file.
   Insert a line for each system with which you use EAP-TLS.
   Each line is composed of these fields, separated by tabs:

    - Client name
        The name used by the client for authentication, can be *
    - Server name
        The name of the server, can be *
    - Client certificate file
        The file containing the certificate chain for the
        client in PEM format.
    - Server certificate file
        If you want to specify the certificate that the
        server is allowed to use, put the certificate file name.
        Else put a dash '-'.
    - CA certificate file
        The file containing the trusted CA certificates in PEM
        format.
    - Client private key file
        The file containing the client private key in PEM format.

On the server side, edit the /etc/ppp/eaptls-server file.
Insert a line for each system with which you use EAP-TLS.
Each line is composed of these fields, separated by tabs:

    - Client name
        The name used by the client for authentication, can be *
    - Server name
        The name of the server, can be *
    - Client certificate file
        If you want to specify the certificate that the
        client is allowed to use, put the certificate file name.
        Else put a dash '-'.
    - Server certificate file
        The file containing the certificate chain for the
        server in PEM format.
    - CA certificate file
        The file containing the trusted CA certificates in PEM
        format.
    - Server private key file
        The file containing the server private key in PEM format.
    - Addresses
        A list of IP addresses the client is allowed to use.
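
The eaptls-server layout described above, as an added example (not part of the EAP-TLS patch or of pppd): a small Python linter that splits each line on tabs, checks the field count, and flags entries that accept any client name without pinning a client certificate. It assumes '#' comment lines, ignored blank lines and whitespace-separated addresses, none of which the README states; the sample entries, names and paths are constructed.

```python
# Added example, not pppd code: lint eaptls-server entries as the README lays
# them out. Assumed here (the README does not say): '#' starts a comment line,
# blank lines are ignored, and the addresses field is whitespace-separated.

FIELDS = ("client", "server", "client_cert", "server_cert",
          "ca", "key", "addresses")

# Constructed sample content; all names and paths are placeholders.
SAMPLE = (
    "# client\tserver\tclient cert\tserver cert\tCA\tkey\taddresses\n"
    "alice\tvpn1\t/etc/ppp/certs/alice.pem\t/etc/ppp/certs/vpn1.pem\t"
    "/etc/ppp/certs/ca.pem\t/etc/ppp/keys/vpn1.key\t10.0.0.2\n"
    "*\tvpn1\t-\t/etc/ppp/certs/vpn1.pem\t/etc/ppp/certs/ca.pem\t"
    "/etc/ppp/keys/vpn1.key\t10.0.0.3 10.0.0.4\n"
    "bob\tvpn1\t-\t/etc/ppp/certs/vpn1.pem\t/etc/ppp/certs/ca.pem\n"
)


def lint_eaptls_server(text):
    """Return (entries, findings); findings are (line_no, message) tuples."""
    entries, findings = [], []
    for no, raw in enumerate(text.splitlines(), start=1):
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        parts = [p.strip() for p in raw.split("\t")]
        if len(parts) != len(FIELDS):
            findings.append((no, "expected %d tab-separated fields, got %d"
                             % (len(FIELDS), len(parts))))
            continue
        e = dict(zip(FIELDS, parts))
        e["addresses"] = e["addresses"].split()
        for name in ("server_cert", "ca", "key"):
            if e[name] in ("", "-"):
                findings.append((no, "%s must name a file" % name))
        if e["client"] == "*" and e["client_cert"] == "-":
            findings.append((no, "entry matches any client name and pins "
                                 "no client certificate"))
        if not e["addresses"]:
            findings.append((no, "no addresses listed for this client"))
        entries.append(e)
    return entries, findings


if __name__ == "__main__":
    for no, msg in lint_eaptls_server(SAMPLE)[1]:
        print("line %d: %s" % (no, msg))
```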

OpenSSL engine support is included starting with v0.95 of this patch.
Currently the only engine tested is the 'pkcs11' engine (hardware token
support). To use the 'pkcs11' engine:

- Use a special private key filename in the /etc/ppp/eaptls-client file:
      <engine>:<identifier>
  e.g.
      pkcs11:123456

- The certificate can also be loaded from the 'pkcs11' engine using
  a special client certificate filename in the /etc/ppp/eaptls-client file:
      <engine>:<identifier>
  e.g.
      pkcs11:123456

- Create an /etc/ppp/openssl.cnf file to load the right OpenSSL engine prior
  to starting 'pppd'. A sample openssl.cnf file is:

      openssl_conf = openssl_def

      [ openssl_def ]
      engines = engine_section

      [ engine_section ]
      pkcs11 = pkcs11_section

      [ pkcs11_section ]
      engine_id = pkcs11
      dynamic_path = /usr/lib64/openssl/engines/engine_pkcs11.so
      MODULE_PATH = /usr/lib64/libeTPkcs11.so
      init = 0

- There are two ways to specify a password/PIN for the PKCS11 engine:
    - Inside the openssl.cnf file, using
          PIN = your-secret-pin
      Note: the keyword 'PIN' is case sensitive!
    - Using the 'password' in the ppp options file.
  From v0.97 of the eap-tls patch the password can also be supplied
  using the appropriate 'eaptls_passwd_hook' (see plugins/passprompt.c
  for an example).
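
When the PIN is kept in openssl.cnf as described above, the file holds a token secret in clear text. The following added example (not part of the patch or of pppd) reports a config that contains a 'PIN' line and is readable by group or other users; the demo file contents are constructed and the PIN value is a placeholder.

```python
# Added example, not pppd code: flag an openssl.cnf that stores the PKCS#11
# PIN and is readable by users other than its owner.
import os
import re
import stat
import tempfile

# 'PIN' is matched case-sensitively, as the README says the keyword is.
PIN_RE = re.compile(r"^\s*PIN\s*=\s*\S")


def audit_openssl_cnf(path):
    """Return a list of findings for the config file at `path`."""
    findings = []
    with open(path, encoding="utf-8", errors="replace") as fh:
        pin_lines = [no for no, line in enumerate(fh, start=1)
                     if PIN_RE.match(line)]
    if not pin_lines:
        return findings
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IRGRP | stat.S_IROTH):
        findings.append("PIN on line %s, file mode %04o is group/world readable"
                        % (",".join(map(str, pin_lines)), mode))
    return findings


def demo():
    """Write a constructed config twice, with loose and tight modes."""
    body = ("[ pkcs11_section ]\nengine_id = pkcs11\n"
            "PIN = placeholder-pin\ninit = 0\n")  # constructed sample
    results = {}
    with tempfile.TemporaryDirectory() as d:
        for name, mode in (("loose.cnf", 0o644), ("tight.cnf", 0o600)):
            p = os.path.join(d, name)
            with open(p, "w") as fh:
                fh.write(body)
            os.chmod(p, mode)
            results[name] = audit_openssl_cnf(p)
    return results


if __name__ == "__main__":
    for name, found in demo().items():
        print(name, found or "ok")
```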

4. Options

These pppd options are available:

    ca <ca-file>
        Use the CA public certificate found in <ca-file> in PEM format.
    cert <cert-file>
        Use the client public certificate found in <cert-file> in PEM format
        or in engine:engine_id format.
    key <key-file>
        Use the client private key found in <key-file> in PEM format
        or in engine:engine_id format.
    crl-dir <dir>
        Use CRL files from dir. It contains CRL files in PEM
        format and each file contains a CRL. The files are looked up
        by the issuer name hash value. Use the c_rehash utility
        to create the necessary links.
    need-peer-eap
        If the peer doesn't ask us to authenticate or doesn't use EAP
        to authenticate us, disconnect.

Note:
    Password-encrypted certificates can be used as of v0.94 of this
    patch. The password for the eap-tls.key file is specified using
    the regular
        password ....
    statement in the ppp options file, or by using the appropriate
    plugin which supplies an 'eaptls_passwd_hook' routine.

5. Connecting

If you're setting up a pppd server, edit the EAP-TLS configuration file
as written above and then run pppd with the 'auth' option to authenticate
the client. The EAP-TLS method will be used if the other EAP methods can't
be used (no secrets).

If you're setting up a client, edit the configuration file and then run
pppd with the 'remotename' option to specify the server name. Add the
'need-peer-eap' option if you want to be sure the peer asks you to
authenticate (and to use EAP) and to disconnect if it doesn't.

6. Notes
This is experimental code.
Send suggestions and comments to Jan Just Keijser <janjust@nikhef.nl>