Building A QEMU Authentication Server
From FreeAuth Wiki
Getting Qemu
First you will need the QEMU tools; on a Debian-based system simply run the following:
apt-get install qemu qemuctl
If you want kernel acceleration you will also need the following:
m-a auto-install kqemu
modprobe kqemu
Making a Qemu image
Run the following command:
qemu-img create -f qcow hda.img 500M
- I tried to allocate only 300M for hda, but a base testing install needed more.
Getting a Debian ISO
If you already have a Debian or other ISO handy you can simply use that. Alternatively I suggest you download the smallest ISO possible to get a basic system up and running; you can then download the latest of everything else from the internet repositories. At the time of writing the following was the latest version available.
wget http://cdimage.debian.org/cdimage/daily-builds/daily/arch-latest/i386/iso-cd/debian-testing-i386-netinst.iso
Installing Debian
qemu -hda ./hda.img -hdb ./hdb.img -m 64 -cdrom debian-testing-i386-netinst.iso -boot d
Debian Install Notes
On the first screen, where you are shown the Debian logo, you will need to type in a few boot options to ensure the clock timing is correct. This is a widely known problem.
Instead of hitting enter, I typed in the following:
Press F1 for help, or ENTER to boot: linux clocksource=pit tsc=off acpi=off apm=off apic=off lapic=off smp=off
If you are using an older kernel you may have to specify clock=pit instead of clocksource. If you do have multiple CPUs you may not want to specify nosmp, but you will need twice as many CPUs as you allocate to your image.
Also, running with -m 64 the installer will complain about low memory. Under QEMU I haven't had a problem as a result; it just seems to show fewer options.
For the hostname I specified 'EMS' (short for Enterprise Management System). For the domain I specified 'freeauth.org'.
Partition Thoughts
I created 2 disk images. The reason for this was to exclude swap space from the main disk image: this way you only need to distribute the main disk image and not the swap space as well, since anyone can recreate it as needed; perhaps a start-up script could be made to take care of all this.
I also usually use reiserfs for my partitions; it handles small files extremely well and I've had no problems running systems on reiserfs since I started using it in the early 2.4 kernel days.
I selected manual partitioning and assigned 100% of the hda image to the system and 100% of the hdb image to swap space.
Also, when you manually create the main partition it doesn't automatically add the boot flag. I set it mostly out of habit; I'm not sure whether grub or any of the other setup scripts would fix this or whether it would be a problem, but it's better to be safe than sorry.
Usernames and Passwords
By default I set the root password to 'password'. I was also prompted for a non-root user; I set the username to 'freeauth' and the password to 'password'. This user is probably not needed and will most likely be removed. As for the root password, for demonstration purposes I plan to disable the unix PAM module and only allow PAM to authenticate against RADIUS. This way the only initial login people can do is via the MIDlet. This system is supposed to be a proof of concept and not actually used; the timing source, for starters, is very bad when running as a guest.
Running Qemu
After installing from the Debian ISO, you can run QEMU with the following:
qemu -hda ./hda.img -redir tcp:22::22 -redir tcp:443::443 -redir udp:1812::1812 -m 32
The redirects above allow you to run ssh, http, https and radius servers that can be accessed directly from your host's IP without setting up messy bridges or other techniques. You will need to run this as root, or change the redirects that use host ports below 1024, since those ports are reserved for the root user only.
I wasn't able to run Debian Testing with 16M (with or without swap), but 24M works ok without swap.
Minimising the base install
After getting root access to the new image I did some general housekeeping to keep the image to a minimum; this included installing deborphan and wiping out most of the files under /usr/share/doc.
It's also possible, and probably a good idea, to send all console output to the serial port; this way QEMU can be run on servers without GUIs, although people running this seriously should use a real server rather than a virtual one. QEMU has a -nographic option to disable the GUI part.
Putting the software together
We'll need to install RADIUS; XT Radius seems good enough, and doesn't depend on any of the SQL engines, which would seriously bloat the image beyond what is needed. Jump over to RADIUS One Time Password Authentication for details on installation and setup. You can skip the freeauth.php script for the time being; the one listed on that page depends on MySQL and we are going to need an alternative method instead.
Next, since we are not going to use MySQL, we need some method of storing the authentication information and other data so that both multiple users on a web interface and the back-end authentication can access and update the details without causing a race condition.
For this we can make use of a PHP script that runs as a daemon in the background. It alone will cache the authentication information in memory and write out changes as needed; because it will run as root we need to be mindful of security considerations. The side benefit is that it will also be able to reload radius when new clients (authentication clients, not users) are added to radius.
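One way to implement the single-writer daemon design described above, as an added example that is not part of the FreeAuth code (Python here rather than PHP, since the page shows no PHP; the JSON file layout, the AuthStore name and the demo() helper are assumptions). All readers and writers go through one lock, and every change is written to a 0600 temp file and renamed into place, so a crash mid-write never leaves a half-written config:

```python
import json
import os
import tempfile
import threading

class AuthStore:
    """Single in-process owner of the auth data; all readers and writers share one lock."""

    def __init__(self, path):
        self.path = path
        self.lock = threading.Lock()
        self.data = {}
        self.load()

    def load(self):
        """Read the file once (and again whenever the daemon is sent SIGHUP)."""
        with self.lock:
            if os.path.exists(self.path):
                with open(self.path) as fh:
                    self.data = json.load(fh)

    def lookup(self, user):
        with self.lock:
            return self.data.get(user)

    def update(self, user, record):
        """Change the cached copy under the lock, then persist it atomically."""
        with self.lock:
            self.data[user] = record
            self._flush_locked()

    def _flush_locked(self):
        # 0600 temp file in the same directory, fsync, then rename over the old
        # file: readers see the old or the new config, never a partial write.
        fd, tmp = tempfile.mkstemp(dir=os.path.dirname(self.path) or ".")
        try:
            os.fchmod(fd, 0o600)
            with os.fdopen(fd, "w") as fh:
                json.dump(self.data, fh)
                fh.flush()
                os.fsync(fh.fileno())
            os.replace(tmp, self.path)
        except BaseException:
            os.unlink(tmp)
            raise

def demo():
    """Constructed check: write one record, then verify file mode and reload."""
    path = os.path.join(tempfile.mkdtemp(), "users.json")
    AuthStore(path).update("freeauth", {"otp": "123456"})
    return os.stat(path).st_mode & 0o777, AuthStore(path).lookup("freeauth")
```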
You can try a beta version of the QEMU image by downloading and running it with the following command line:
qemu -hda hda.img -m 32 -redir tcp:22::22 -redir tcp:443::443 -redir udp:1812::1812 -nographic
- Time issues are problematic (a known issue with vmware etc.), although not as bad as they were. I have added an ntpdate job to cron that runs every 10 minutes against pool.ntp.org; if you have a local ntp daemon you should run it against that instead so you are a good net citizen.
- New QEMU image now online, fixes all issues etc
- New image dumped DHCP and uses static interface config
- New image when compressed is about 12M smaller (58M v 70M).
Todo:
- QEMU should probably be converted from qcow to vmware; this way people that already have vmware won't need to install yet another application, and it should run fine on both.
- Need additional radius code to enforce realms
- This would easily allow multiple secrets per IP (eg PAM + website)
- This would ensure example.com hosts can't authenticate for example.net users (realms could be enforced by IP ACLs)
Features
I managed to create the code needed for a simple RADIUS authentication server in PHP and have combined it with the freeauth daemon code. This way data files only need to be read once (or again when -HUP is received), after which config data can be cached in memory and shared between the two sockets. It also means no external app is called each time authentication is required, as it is now handled inside a single multi-threaded PHP daemon.
Also, since a separate radius daemon no longer needs to be restarted each time certain config changes are made, the daemon is now set to run as a non-root user. The ports opened are 1812 for RADIUS authentication and 10000 for the configuration daemon. Files are read and written in /etc/freeauth, /var/cache/freeauth/OTP, /var/log/freeauth.log and /var/log/radiusd.log.
The configuration directory is owned by user and group freeauth; permissions are 0700 for the directory and 0600 for config files, as these files contain very sensitive information that only root and the daemon process should be able to access.
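The core of what the RADIUS handler on port 1812 has to do, as an added example in Python that is not the FreeAuth daemon's own PHP code: look up the NAS shared secret, unhide the PAP User-Password and sign the reply with the Response Authenticator as RFC 2865 specifies, silently discarding packets from unknown clients. The CLIENTS and USERS tables, the build_request() client stub and all function names are constructed for this example.

```python
import hashlib
import hmac
import os
import struct

CLIENTS = {"127.0.0.1": b"sharedsecret"}  # constructed: NAS address -> shared secret
USERS = {"freeauth": b"123456"}             # constructed: user -> current OTP value
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD = 1, 2

def parse_attrs(data):
    """Attribute section as {type: value}; reject truncated or zero-length TLVs."""
    attrs, i = {}, 0
    while i + 2 <= len(data):
        t, l = data[i], data[i + 1]
        if l < 2 or i + l > len(data):
            raise ValueError("malformed attribute")
        attrs[t], i = data[i + 2:i + l], i + l
    return attrs

def pap_xor(data, secret, authenticator, hide):
    """RFC 2865 5.2 User-Password: XOR 16-byte blocks with MD5(secret + previous cipher block)."""
    out, prev = b"", authenticator
    for i in range(0, len(data), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(data[i:i + 16], mask))
        out, prev = out + block, (block if hide else data[i:i + 16])
    return out

def build_request(ident, username, password, secret):
    """Client side (constructed NAS): Access-Request carrying User-Name and a hidden User-Password."""
    auth = os.urandom(16)
    hidden = pap_xor(password + b"\x00" * (-len(password) % 16), secret, auth, True)
    attrs = bytes([USER_NAME, 2 + len(username)]) + username + bytes([USER_PASSWORD, 2 + len(hidden)]) + hidden
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + auth + attrs

def handle_request(packet, client_ip):
    """Server side: Accept/Reject signed with MD5(Code+ID+Length + RequestAuth + Attributes + Secret), or None."""
    secret = CLIENTS.get(client_ip)
    if secret is None or len(packet) < 20:
        return None  # unknown NAS or runt packet: silently discard, as RFC 2865 requires
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_REQUEST or length > len(packet):
        return None  # wrong code or truncated packet
    attrs = parse_attrs(packet[20:length])
    user = attrs.get(USER_NAME, b"").decode("utf-8", "replace")
    pw = pap_xor(attrs.get(USER_PASSWORD, b""), secret, packet[4:20], False).rstrip(b"\x00")
    ok = user in USERS and hmac.compare_digest(pw, USERS[user])
    head = struct.pack("!BBH", ACCESS_ACCEPT if ok else ACCESS_REJECT, ident, 20)
    return head + hashlib.md5(head + packet[4:20] + secret).digest()  # no reply attributes
```

A wrong shared secret on the client side decrypts to garbage and is rejected just like a wrong OTP, which is why per-client secrets (and the realm enforcement in the todo list above) matter.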