在使用Open***的过程中，最安全的就是通过证书形式认证比较安全，但是不易于管理，因此大部分都是采用用户名密码的形式来做认证。

Open***的安装与配置详见http://fengwan.blog.51cto.com/508652/1404435

1.使用文本的形式来做认证

只需要在Open***的配置文件中添加

script-security 3

username-as-common-name

auth-user-pass-verify /usr/local/open***/conf/scripts/checkpsw.sh via-env

client-cert-not-required

/usr/local/open***/conf/scripts/checkpsw.sh的文件内容如下:

#!/bin/bash

PASSFILE="/usr/local/open***/conf/passwd"

LOG_FILE="/usr/local/open***/logs/open***-password.log"

TIME_STAMP=`date "+%Y-%m-%d %T"`

###########################################################

if [ ! -r "${PASSFILE}" ]; then

echo "${TIME_STAMP}: Could not open password file \"${PASSFILE}\" for reading." >> ${LOG_FILE}

exit 1

fi

CORRECT_PASSWORD=`awk '!/^;/&&!/^#/&&$1=="'${username}'"{print $2;exit}' ${PASSFILE}`

if [ "${CORRECT_PASSWORD}" = "" ]; then

echo "${TIME_STAMP}: User does not exist: username=\"${username}\", password=\"${password}\"." >> ${LOG_FILE}

exit 1

fi

if [ "${password}" = "${CORRECT_PASSWORD}" ]; then

echo "${TIME_STAMP}: Successful authentication: username=\"${username}\"." >> ${LOG_FILE}

exit 0

fi

echo "${TIME_STAMP}: Incorrect password: username=\"${username}\", password=\"${password}\"." >> ${LOG_FILE}

exit 1

其实按照上面我们可以看出，脚本输入${username},${password}两个变量，只要脚本返回0就是认证成功，否则认证失败，按照这个思路，我们就可以利用MySQL来进行认证

/usr/local/open***/conf/passwd文件的内容是

user1 pass1

user2 pass2

这样就是2个用户了user1和user2

2.使用MySQL数据库来进行认证,于是/usr/local/open***/conf/scripts/checkpsw.sh的内容可以改为如下:

#!/bin/bash

HOST="localhost"

DB="open***"

DBUSER="open***"

DBPASS="123456"

DBTABLE='open***_user'

user=`echo ${username}|sed "s#'\|;\|=\|%##g"`

MYSQL="/usr/bin/mysql -h${HOST} -u${DBUSER} -p${DBPASS} "

result=`$MYSQL << EOF |tail -n +2

select count(1) from ${DB}.${DBTABLE} WHERE is_enabled='1' AND is_***='1' AND password=md5('${password}') AND username='${user}';

EOF`

if [ $result -eq 1 ];then

exit 0;

else

exit 1;

fi

数据库的表结构就是

create database open***;

use open***;

create table open***_user (id int(11) not null primary key auto_increment,username varchar(64) not null,password char(64) not null,is_*** tinyint(1) default 1,is_enabled tinyint(1) default 1);

grant all on open***.* to 'open***'@'localhost' identified by '123456';

flush privileges;

©著作权归作者所有：来自51CTO博客作者rong341233的原创作品，如需转载，请注明出处，否则将追究法律责任