diff --git a/ocserv.conf b/ocserv.conf
index 20da17f..b0982e6 100644
--- a/ocserv.conf
+++ b/ocserv.conf
@@ -1,35 +1,102 @@ # User authentication method. Could be set multiple times and in # that case all should succeed. To enable multiple methods use -# multiple auth directives. Available options: certificate, -# plain, pam, radius[configfile,groupconfig]. +# multiple auth directives. Available options: certificate, +# plain, pam, radius, gssapi. +# +# Note that authentication methods cannot be changed with reload. # certificate: # This indicates that all connecting users must present a certificate. # # pam[gid-min=1000]: -# The gid-min option is used by auto-select-group option, in order to -# select the minimum valid group ID. +# This enabled PAM authentication of the user. The gid-min option is used +# by auto-select-group option, in order to select the minimum valid group ID. # -# plain[/etc/ocserv/ocpasswd] +# plain[passwd=/etc/ocserv/ocpasswd] # The plain option requires specifying a password file which contains # entries of the following format. # "username:groupname1,groupname2:encoded-password" # One entry must be listed per line, and 'ocpasswd' should be used # to generate password entries. # -# radius[/etc/radiusclient/radiusclient.conf,groupconfig]: +# radius[config=/etc/radiusclient/radiusclient.conf,groupconfig=true,nas-identifier=name]: # The radius option requires specifying freeradius-client configuration # file. If the groupconfig option is set, then config-per-user will be overriden, # and all configuration will be read from radius. The supported atributes for # radius configuration are: # Group-Name, Framed-IPv6-Address, Framed-IPv6-Prefix, DNS-Server-IPv6-Address, # Framed-IP-Address, Framed-IP-Netmask, MS-Primary-DNS-Server, MS-Secondary-DNS-Server +# +# gssapi[keytab=/etc/key.tab,require-local-user-map=false] +# The gssapi option allows to use authentication methods supported by GSSAPI, +# such as Kerberos tickets with ocserv. 
It should be best used as an alternative +# to PAM (i.e., have pam in auth and gssapi in enable-auth), to allow users with +# tickets and without tickets to login. The default value for require-local-user-map +# is true. -#auth = "certificate" auth = "pam" #auth = "pam[gid-min=1000]" -#auth = "plain[/etc/ocserv/ocpasswd]" -#auth = "radius[/etc/radiusclient/radiusclient.conf,groupconfig]" +#auth = "plain[passwd=./sample.passwd]" +#auth = "certificate" +#auth = "radius[config=/etc/radiusclient/radiusclient.conf,groupconfig=true]" + +# Specify alternative authentication methods that are sufficient +# for authentication. That is, if set, any of the methods enabled +# will be sufficient to login. +#enable-auth = certificate +#enable-auth = gssapi +#enable-auth = "gssapi[keytab=/etc/key.tab,require-local-user-map=true]" + +# Accounting methods available: +# pam: can only be combined with PAM authentication method, it provides +# a session opened using PAM. +# +# radius: can be combined with any authentication method, it provides +# radius accounting to available users (see also stats-report-time). +# +# Only one accounting method can be specified. +#acct = "pam" +#acct = "radius[config=/etc/radiusclient/radiusclient.conf]" + +# Use listen-host to limit to specific IPs or to the IPs of a provided +# hostname. +#listen-host = [IP|HOSTNAME] + +# When the server has a dynamic DNS address (that may change), +# should set that to true to ask the client to resolve again on +# reconnects. +#listen-host-is-dyndns = true + +# TCP and UDP port number +tcp-port = 443 +udp-port = 443 + +# Accept connections using a socket file. It accepts HTTP +# connections (i.e., without SSL/TLS unlike its TCP counterpart), +# and uses it as the primary channel. That option cannot be +# combined with certificate authentication. +#listen-clear-file = /var/run/ocserv-conn.socket + +# The user the worker processes will be run as. It should be +# unique (no other services run as this user). 
+run-as-user = ocserv +run-as-group = ocserv + +# socket file used for IPC with occtl. You only need to set that, +# if you use more than a single servers. +#occtl-socket-file = /var/run/occtl.socket + +# socket file used for server IPC (worker-main), will be appended with .PID +# It must be accessible within the chroot environment (if any), so it is best +# specified relatively to the chroot directory. +socket-file = ocserv.sock + +# The default server directory. Does not require any devices present. +chroot-dir = /var/lib/ocserv + + +### All configuration options below this line are reloaded on a SIGHUP. +### The options above, will remain unchanged. # Whether to enable seccomp/Linux namespaces worker isolation. That restricts the number of # system calls allowed to a worker process, in order to reduce damage from a 
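Review bot: The new enable-auth block says any enabled method is "sufficient to login" but does not spell out that this is an OR against the auth directive, so an operator who uncomments `enable-auth = certificate` next to the active `auth = "pam"` lets a client certificate alone bypass PAM entirely. I would add, above the `#enable-auth` lines, `# WARNING: a method listed here is accepted INSTEAD of the auth methods above; enabling certificate here makes possession of a client certificate sufficient, no PAM password needed.` The gssapi paragraph states the default for require-local-user-map is true while its syntax line shows `require-local-user-map=false`; say that the bracketed line is only the syntax, not a recommended value, since false means a ticket need not map to a local account. Also `This enabled PAM authentication` should read `This enables PAM authentication`.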
@@ -44,32 +111,18 @@ isolate-workers = true #max-clients = 1024 max-clients = 16 -# Limit the number of client connections to one every X milliseconds -# (X is the provided value). Set to zero for no limit. -#rate-limit-ms = 100 - # Limit the number of identical clients (i.e., users connecting # multiple times). Unset or set to zero for unlimited. max-same-clients = 2 -# Use listen-host to limit to specific IPs or to the IPs of a provided -# hostname. -#listen-host = [IP|HOSTNAME] - # When the server has a dynamic DNS address (that may change), # should set that to true to ask the client to resolve again on # reconnects. #listen-host-is-dyndns = true -# TCP and UDP port number -tcp-port = 443 -udp-port = 443 - -# Accept connections using a socket file. It accepts HTTP -# connections (i.e., without SSL/TLS unlike its TCP counterpart), -# and uses it as the primary channel. That option cannot be -# combined with certificate authentication. -#listen-clear-file = /var/run/ocserv-conn.socket +# Limit the number of client connections to one every X milliseconds +# (X is the provided value). Set to zero for no limit. +#rate-limit-ms = 100 # Stats report time. The number of seconds after which each # worker process will report its usage statistics (number of @@ -140,7 +193,7 @@ ca-cert = /etc/pki/ocserv/cacerts/ca.crt # certificate. The object identifier should be part of the certificate's DN # Useful OIDs are: # CN = 2.5.4.3, UID = 0.9.2342.19200300.100.1.1 -#cert-user-oid = 0.9.2342.19200300.100.1.1 +cert-user-oid = 0.9.2342.19200300.100.1.1 # The object identifier that will be used to read the user group in the # client certificate. The object identifier should be part of the certificate's 
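Review bot: The `listen-host-is-dyndns` comment block kept as context in this hunk now duplicates the copy the same commit adds above the `### All configuration options below this line are reloaded on a SIGHUP` marker, so the new file documents the option once as fixed at startup and once as reloadable. Only one copy should survive: if the option really is read only at startup, drop the three comment lines and `#listen-host-is-dyndns = true` from this hunk, otherwise drop the copy in the first hunk. The moved `rate-limit-ms` block reads fine.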
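Review bot: Uncommenting `cert-user-oid = 0.9.2342.19200300.100.1.1` makes the UID attribute of a client certificate the account name, yet the surrounding comment says nothing about who controls that attribute, and with `auth = "pam"` active and certificate auth only commented out it is not clear from this hunk whether the value takes effect at all. I would add above the line `# The CA in ca-cert must guarantee this attribute is unique per user: any certificate it issues carrying a given UID is accepted as that account.` so a CA that lets subscribers pick their own UID is recognised as an account-takeover path rather than a naming detail.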
@@ -165,7 +218,17 @@ ca-cert = /etc/pki/ocserv/cacerts/ca.crt # as there are no openconnect (and possibly anyconnect clients) using # that protocol. The string below does not enforce perfect forward # secrecy, in order to be compatible with legacy clients. -#tls-priorities = "NORMAL:%SERVER_PRECEDENCE:%COMPAT:-RSA:-VERS-SSL3.0" +# +# Note that the most performant ciphersuites are the moment are the ones +# involving AES-GCM. These are very fast in x86 and x86-64 hardware, and +# in addition require no padding, thus taking full advantage of the MTU. +# For that to be taken advantage of, the openconnect client must be +# used, and the server must be compiled against GnuTLS 3.2.7 or later. +# Use "gnutls-cli --benchmark-tls-ciphers", to see the performance +# difference with AES_128_CBC_SHA1 (the default for anyconnect clients) +# in your system. + +#tls-priorities = "NORMAL:%SERVER_PRECEDENCE:%COMPAT:-VERS-SSL3.0" tls-priorities = "@SYSTEM" # More combinations in priority strings are available, check 
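Review bot: The commented example priority string `NORMAL:%SERVER_PRECEDENCE:%COMPAT:-VERS-SSL3.0` drops the `-RSA` the previous example carried, so anyone who uncomments it now also accepts static-RSA key exchange, which is wider than the legacy-compatibility trade-off the comment above describes. The active setting is still `tls-priorities = "@SYSTEM"`, so only the example is affected, but either restore `:-RSA` or say in the comment why it was removed. The added paragraph also has `are the moment` for `at the moment` and `in x86 and x86-64 hardware` for `on x86 and x86-64 hardware`.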
@@ -188,7 +251,28 @@ auth-timeout = 40 # The time (in seconds) that a client is not allowed to reconnect after # a failed authentication attempt. -#min-reauth-time = 2 +min-reauth-time = 300 + +# Banning clients in ocserv works with a point system. IP addresses +# that get a score over that configured number are banned for +# min-reauth-time seconds. By default a wrong password attempt is 10 points, +# a KKDCP POST is 1 point, and a connection is 1 point. Note that +# due to difference processes being involved the count of points +# will not be real-time precise. +# +# Score banning cannot be reliably used when receiving proxied connections +# locally from an HTTP server (i.e., when listen-clear-file is used). +# +# Set to zero to disable. +max-ban-score = 50 + +# The time (in seconds) that all score kept for a client is reset. +ban-reset-time = 300 + +# In case you'd like to change the default points. +#ban-points-wrong-password = 10 +#ban-points-connection = 1 +#ban-points-kkdcp = 1 # Cookie timeout (in seconds) # Once a client is authenticated he's provided a cookie with 
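Review bot: The ban score is kept per source IP with `ban-points-connection = 1` and `max-ban-score = 50`, so by the numbers in the new comment fifty connections within `ban-reset-time = 300` from one address, for example a site's NAT gateway whose users all reconnect after a network blip, bans every user behind it for `min-reauth-time = 300` seconds. That trade-off belongs next to max-ban-score, e.g. `# Scores are per source IP: all users behind one NAT share a score, so size this for the largest expected NAT.` The comment on `min-reauth-time` still describes only the delay after a failed login although the value now also sets the ban duration; extend it to `# a failed authentication attempt, and for which an IP over max-ban-score stays banned.` Also `due to difference processes` should read `due to different processes`.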
@@ -237,30 +321,14 @@ rekey-method = ssl # UTMP # Register the connected clients to utmp. This will allow viewing # the connected clients using the command 'who'. -use-utmp = true +#use-utmp = true # Whether to enable support for the occtl tool (i.e., either through D-BUS, # or via a unix socket). use-occtl = true -# socket file used for IPC with occtl. You only need to set that, -# if you use more than a single servers. -#occtl-socket-file = /var/run/occtl.socket - # PID file. It can be overriden in the command line. -#pid-file = /var/run/ocserv.pid - -# The default server directory. Does not require any devices present. -chroot-dir = /var/lib/ocserv - -# socket file used for server IPC (worker-main), will be appended with .PID -# It must be accessible within the chroot environment (if any) -socket-file = ocserv.sock - -# The user the worker processes will be run as. It should be -# unique (no other services run as this user). -run-as-user = ocserv -run-as-group = ocserv +pid-file = /var/run/ocserv.pid # Set the protocol-defined priority (SO_PRIORITY) for packets to # be sent. That is a number from 0 to 6 with 0 being the lowest @@ -288,7 +356,7 @@ predictable-ips = true default-domain = example.com # The pool of addresses that leases will be given from. If the leases -# are given via Radius, or via explicit-ip? per-user config option then +# are given via Radius, or via the explicit-ip? per-user config option then # these network values should contain a network with at least a single # address that will remain under the full control of ocserv (that is # to be able to assign the local part of the tun device address). 
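Review bot: Commenting out `use-utmp = true` leaves the effective setting undocumented: the comment above it still promises that connected clients can be listed with `who`, which no longer holds if the built-in default is off, and that is one place an operator may look when triaging a session. State the outcome in the comment, e.g. `# Left disabled; connected clients are listed through occtl (use-occtl below) instead of utmp.`, or keep the option enabled. The uncommented `pid-file = /var/run/ocserv.pid` needs no change.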
@@ -341,10 +409,15 @@ ping-leases = false # comment out all routes from the server, or use the special keyword # 'default'. -#route = 192.168.1.0/255.255.255.0 -#route = 192.168.5.0/255.255.255.0 +#route = 10.10.10.0/255.255.255.0 +#route = 192.168.0.0/255.255.0.0 #route = fef4:db8:1000:1001::/64 +# Subsets of the routes above that will not be routed by +# the server. + +#no-route = 192.168.5.0/255.255.255.0 + # Groups that a client is allowed to select from. # A client may belong in multiple groups, and in certain use-cases # it is needed to switch between them. For these cases the client can @@ -366,7 +439,7 @@ ping-leases = false # or the groupname. # The options allowed in the configuration files are dns, nbns, # ipv?-network, ipv4-netmask, rx/tx-per-sec, iroute, route, -# net-priority, deny-roaming, no-udp, user-profile, require-cert, and cgroup. +# net-priority, deny-roaming, no-udp, user-profile, and cgroup. # # Note that the 'iroute' option allows to add routes on the server # based on a user or group. The syntax depends on the input accepted 
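Review bot: The list of per-user/per-group options in the `@@ -366,7` hunk drops `require-cert` without saying what happens to existing per-user files that still set it; if the daemon now ignores the directive instead of rejecting it, a user who previously had to present a certificate silently loses that requirement. The comment should state which it is, e.g. `# require-cert is no longer accepted; a config file still containing it will fail to load.` or the ignore-equivalent, and the change deserves a mention as a behaviour change for existing deployments. The `no-route` example in the first hunk on this line is a subset of the `192.168.0.0/255.255.0.0` route above it and reads fine.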
@@ -388,14 +461,28 @@ ping-leases = false # The following example is from linux systems. %R should be something # like 192.168.2.0/24 (the argument of iroute). -route-add-cmd = "ip route add %{R} dev %{D}" -route-del-cmd = "ip route delete %{R} dev %{D}" +#route-add-cmd = "ip route add %{R} dev %{D}" +#route-del-cmd = "ip route delete %{R} dev %{D}" # This option allows to forward a proxy. The special keywords '%{U}' # and '%{G}', if present will be replaced by the username and group name. #proxy-url = http://example.com/ #proxy-url = http://example.com/%{U}/ +# This option allows you to specify a URL location where a client can +# post using MS-KKDCP, and the message will be forwarded to the provided +# KDC server. That is a translation URL between HTTP and Kerberos. +# In MIT kerberos you'll need to add in realms: +# EXAMPLE.COM = { +# kdc = https://ocserv.example.com/kerberos +# http_anchors = FILE:/etc/ocserv-ca.pem +# } +# This option is available if ocserv is compiled with GSSAPI support. + +#kkdcp = SERVER-PATH KERBEROS-REALM PROTOCOL@SERVER:PORT +#kkdcp = /kerberos EXAMPLE.COM udp@127.0.0.1:88 +#kkdcp = /kerberos-tcp EXAMPLE.COM tcp@127.0.0.1:88 + # # The following options are for (experimental) AnyConnect client # compatibility. diff --git a/ocserv.spec b/ocserv.spec index ac9b730..8552839 100644 --- a/ocserv.spec +++ b/ocserv.spec @@ -30,6 +30,8 @@ BuildRequires: systemd-devel BuildRequires: autogen-libopts-devel BuildRequires: protobuf-c-devel BuildRequires: libnl3-devel +BuildRequires: krb5-devel +BuildRequires: libtasn1-devel BuildRequires: readline-devel BuildRequires: autogen BuildRequires: gperf
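Review bot: The new `kkdcp` comment calls the endpoint a translation URL but does not say that it is served to anyone who can reach `tcp-port`, before any VPN authentication, and that each POST is relayed to the KDC named in the directive; the ban system earlier in this file charges a KKDCP POST only one point, so it is also a cheap way to push traffic at that KDC. I would add `# This path is reachable by unauthenticated clients; only point it at a KDC that is meant to be exposed to the network the VPN port faces.` before the `#kkdcp =` examples. The spec hunk only adds build dependencies and needs no change.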