I am trying to deploy a VPN with two-factor authentication. While reading the ocserv documentation I found the oidc option (https://gitlab.com/openconnect/ocserv/-/blob/master/doc/README-oidc.md), and I am now trying to link my VPN to my Keycloak SSO.
My configuration:
/etc/ocserv/ocserv.conf:
auth = "oidc[config=/etc/ocserv/oidc.json]"
/etc/ocserv/oidc.json:
{
    "openid_configuration_url": "http://10.1.1.1:8080/auth/realms/master/.well-known/openid-configuration",
    "user_name_claim": "preferred_username",
    "required_claims": {
        "aud": "http://10.1.1.1:8080/auth/realms/master",
        "iss": "http://10.1.1.1:8080/auth/realms/master"
    }
}
When ocserv (version 1.1.6) starts, I can see the Keycloak SSO configuration log lines showing the OpenID configuration being loaded:
ocserv[590033]: main: initialized ocserv 1.1.6
ocserv[590034]: sec-mod: reading supplemental config from files
ocserv[590034]: ocserv-oidc: fetched new JWK XXX
ocserv[590034]: ocserv-oidc: fetched new JWK XXX
ocserv[590034]: sec-mod: loaded 1 keys
ocserv[590034]: sec-mod: sec-mod initialized (socket: /run/ocserv.socket.1891ca24.0)
When I try to connect with openconnect from the CLI (on Debian or Fedora), my client cannot connect and fails.
# openconnect --protocol=anyconnect https://10.1.1.1 --servercert pin-sha256:XXX -v
POST https://10.1.1.1/
Attempting to connect to server 10.1.1.1:443
Connected to 10.1.1.1:443
SSL negotiation with 10.1.1.1
Server certificate verify failed: signer not found
Connected to HTTPS on 10.1.1.1
Got HTTP response: HTTP/1.1 401 Unauthorized
WWW-Authenticate: Bearer
Content-Length: 0
HTTP body length: (0)
Server '10.1.1.1' requested Basic authentication which is disabled by default
GET https://10.1.1.1/
Attempting to connect to server 10.1.1.1:443
Connected to 10.1.1.1:443
SSL negotiation with 10.1.1.1
Server certificate verify failed: signer not found
Connected to HTTPS on 10.1.1.1
Got HTTP response: HTTP/1.1 200 OK
Set-Cookie: webvpncontext=; expires=Thu, 01 Jan 1970 22:00:00 GMT; path=/; Secure; HttpOnly
Content-Type: text/xml
Content-Length: 250
X-Transcend-Version: 1
HTTP body length: (250)
Please enter your username.
Failed to obtain WebVPN cookie
Server side:
ocserv[590033]: main: added 1 points (total 1) for IP '10.2.2.2' to ban list
ocserv[590123]: main: map worker serving remote address 10.2.2.2:20264 to secmod instance 0
note: vhost:default: setting 'oidc' as primary authentication method
ocserv[590034]: sec-mod: received request from pid 590123 and uid 0
ocserv[590034]: sec-mod: cmd [size=57] sm: sign
note: setting 'file' as supplemental config option
ocserv[590123]: worker: 10.2.2.2 accepted connection
ocserv[590034]: sec-mod: received request from pid 590123 and uid 65534
ocserv[590034]: sec-mod: cmd [size=38] sm: sign hash
ocserv[590123]: worker: 10.2.2.2 TLS handshake completed
ocserv[590123]: worker: 10.2.2.2 sending message 'session info' to main
ocserv[590033]: main:10.2.2.2:20264 main received worker's message 'session info' of 66 bytes
ocserv[590123]: worker: 10.2.2.2 User-agent: 'Open AnyConnect VPN Agent v8.05-1'
ocserv[590123]: worker: 10.2.2.2 Detected OpenConnect v4 or newer
ocserv[590033]: main:10.2.2.2:20264 worker terminated
ocserv[590033]: main:10.2.2.2:20264 user disconnected (reason: unspecified, rx: 0, tx: 0)
ocserv[590033]: main: added 1 points (total 2) for IP '10.2.2.2' to ban list
ocserv[590124]: main: map worker serving remote address 10.2.2.2:16254 to secmod instance 0
note: vhost:default: setting 'oidc' as primary authentication method
ocserv[590034]: sec-mod: received request from pid 590124 and uid 0
ocserv[590034]: sec-mod: cmd [size=57] sm: sign
note: setting 'file' as supplemental config option
ocserv[590124]: worker: 10.2.2.2 accepted connection
ocserv[590034]: sec-mod: received request from pid 590124 and uid 65534
ocserv[590034]: sec-mod: cmd [size=38] sm: sign hash
ocserv[590124]: worker: 10.2.2.2 TLS handshake completed
ocserv[590124]: worker: 10.2.2.2 sending message 'session info' to main
ocserv[590124]: worker: 10.2.2.2 User-agent: 'Open AnyConnect VPN Agent v8.05-1'
ocserv[590033]: main:10.2.2.2:16254 main received worker's message 'session info' of 66 bytes
ocserv[590124]: worker: 10.2.2.2 Detected OpenConnect v4 or newer
ocserv[590033]: main:10.2.2.2:16254 worker terminated
ocserv[590033]: main:10.2.2.2:16254 user disconnected (reason: unspecified, rx: 0, tx: 0)
The problem seems to come from the openconnect client, which cannot handle the oidc part. Has anyone ever managed to log in to ocserv successfully with this authentication method?
Thanks for your help!
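Added example, not part of the original post and not ocserv's code: a small Python model of the server-side policy that the oidc.json above expresses, i.e. what a bearer token must carry to satisfy required_claims and which claim becomes the VPN user name. It assumes the JWT has already passed signature verification against the JWKs ocserv fetched from openid_configuration_url (this code deliberately does not verify signatures), and the token payloads are constructed fixtures. It generalizes the post's case slightly by accepting aud as either a string or a list, as RFC 7519 allows.

```python
import base64
import json
import time

# The oidc.json from the post, embedded as a constructed fixture
# (values as shown in the post; nothing is fetched over the network).
OIDC_CONFIG = {
    "openid_configuration_url": "http://10.1.1.1:8080/auth/realms/master/.well-known/openid-configuration",
    "user_name_claim": "preferred_username",
    "required_claims": {
        "aud": "http://10.1.1.1:8080/auth/realms/master",
        "iss": "http://10.1.1.1:8080/auth/realms/master",
    },
}


def _b64url_decode(segment: str) -> bytes:
    # JWT segments omit base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def decode_jwt_unverified(token: str) -> tuple:
    """Split a compact JWS into (header, payload). The signature is NOT checked here;
    ocserv checks it against the JWKs it fetched ('fetched new JWK' in the log)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS: expected header.payload.signature")
    return json.loads(_b64url_decode(parts[0])), json.loads(_b64url_decode(parts[1]))


def check_required_claims(payload: dict, config: dict, now: float = None) -> tuple:
    """Apply required_claims to a decoded payload; returns (ok, reasons).

    Every configured claim must be present and equal the configured value.
    'aud' is special-cased: RFC 7519 allows a string or a list of audiences,
    and a match on any element counts. An exp check is added as well, because
    an expired token must never authenticate regardless of its other claims.
    """
    now = time.time() if now is None else now
    reasons = []
    for claim, expected in config["required_claims"].items():
        actual = payload.get(claim)
        if actual is None:
            reasons.append(f"missing claim '{claim}'")
        elif claim == "aud":
            audiences = actual if isinstance(actual, list) else [actual]
            if expected not in audiences:
                reasons.append(f"aud {audiences!r} does not contain {expected!r}")
        elif actual != expected:
            reasons.append(f"claim '{claim}' is {actual!r}, expected {expected!r}")
    exp = payload.get("exp")
    if exp is None:
        reasons.append("missing claim 'exp'")
    elif now >= exp:
        reasons.append("token expired")
    return (not reasons), reasons


def username_from_token(payload: dict, config: dict) -> str:
    """Pick the VPN user name from the claim named by user_name_claim."""
    name = payload.get(config["user_name_claim"])
    if not name:
        raise ValueError(f"token has no '{config['user_name_claim']}' claim")
    return name


def make_fixture_token(payload: dict) -> str:
    """Constructed test fixture: RS256 header plus a placeholder signature segment,
    so the claim checks can run offline. A real verifier rejects it at the signature step."""
    header = {"alg": "RS256", "typ": "JWT", "kid": "placeholder-kid"}
    return ".".join([_b64url_encode(json.dumps(header).encode()),
                     _b64url_encode(json.dumps(payload).encode()),
                     _b64url_encode(b"placeholder-signature")])


NOW = 1_700_000_000  # fixed clock for the worked run

# Constructed payloads: one satisfying oidc.json, one whose aud does not contain the realm URL.
GOOD_PAYLOAD = {
    "iss": "http://10.1.1.1:8080/auth/realms/master",
    "aud": ["http://10.1.1.1:8080/auth/realms/master", "account"],
    "exp": NOW + 300,
    "preferred_username": "alice",
}
BAD_AUD_PAYLOAD = {
    "iss": "http://10.1.1.1:8080/auth/realms/master",
    "aud": "account",
    "exp": NOW + 300,
    "preferred_username": "bob",
}


def evaluate(token: str, now: float = NOW) -> dict:
    """Decode a token and report what the oidc.json policy would decide for it."""
    _header, payload = decode_jwt_unverified(token)
    ok, reasons = check_required_claims(payload, OIDC_CONFIG, now)
    return {"ok": ok, "reasons": reasons,
            "user": username_from_token(payload, OIDC_CONFIG) if ok else None}


if __name__ == "__main__":
    for label, p in (("good", GOOD_PAYLOAD), ("bad-aud", BAD_AUD_PAYLOAD)):
        print(label, evaluate(make_fixture_token(p)))
```

Running it accepts the token whose aud list contains the realm URL and maps it to user alice, and refuses the one whose only audience is "account", giving the exact mismatch as the reason. Decoding a token actually issued by the realm and comparing its aud and iss against oidc.json this way is a quick offline check of the server-side policy, independent of whatever the client does with the 401 Bearer challenge.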