Today I want to share how to set up a two-factor authentication server to protect the corporate network, sites, services and SSH. The pair that will run on the server: LinOTP + FreeRADIUS.
Why do we need it?
It is a completely free, convenient solution that lives inside your own network and does not depend on third-party providers.
This service is very convenient and quite visual compared to other open source products, and it supports a huge number of functions and policies (for example, login + password + (PIN + OTP token)). Through its API it integrates with SMS sending services (LinOTP Config -> Provider Config -> SMS Provider), generates codes for mobile applications such as Google Authenticator, and much more. I think it is more convenient than the service considered in
This server works fine with Cisco ASA, OpenVPN server, Apache2, and in fact with almost anything that supports authentication via a RADIUS server (for example, SSH into the data center).
Required:
1) Debian 8 (jessie) - Required! (A trial installation on Debian 9 is described at the end of the article.)
Start:
Install Debian 8.
Add the LinOTP repository:
# echo 'deb http://www.linotp.org/apt/debian jessie linotp' > /etc/apt/sources.list.d/linotp.list
Add the repository key:
# gpg --search-keys 913DFF12F86258E5
Sometimes, on a clean install, this command prints:
gpg: создан каталог `/root/.gnupg'
gpg: создан новый файл настроек `/root/.gnupg/gpg.conf'
gpg: ВНИМАНИЕ: параметры в `/root/.gnupg/gpg.conf' еще не активны при этом запуске
gpg: создана таблица ключей `/root/.gnupg/secring.gpg'
gpg: создана таблица ключей `/root/.gnupg/pubring.gpg'
gpg: не заданы серверы ключей (используйте --keyserver)
gpg: сбой при поиске на сервере ключей: плохой URI
This is just gnupg creating its initial configuration. It's OK. Simply run the command again.
To the prompt:
gpg: поиск "913DFF12F86258E5" на hkp сервере keys.gnupg.net
(1) LSE LinOTP2 Packaging <[email protected]>
2048 bit RSA key F86258E5, создан: 2010-05-10
Keys 1-1 of 1 for "913DFF12F86258E5". Введите числа, N) Следующий или Q) Выход>
Answer: 1
Next:
# gpg --export 913DFF12F86258E5 | apt-key add -
# apt-get update
Install MySQL. In principle you can use another SQL server, but for simplicity I will use MySQL, as recommended for LinOTP.
(Additional information, including reconfiguring the LinOTP database, can be found in the official documentation for
# apt-get install mysql-server
# apt-get update
(It doesn't hurt to check for updates again.)
Install LinOTP and additional modules:
# apt-get install linotp
Answer the installer's questions:
Use Apache2: yes
Create a password for the LinOTP admin: "YourPassword"
Generate self-signed certificate?: yes
Use MySQL?: yes
Where is the database located: localhost
Name of the LinOTP database to create on the server: LinOTP2
Create a separate user for the database: LinOTP2
Set the password for that user: "YourPassword"
Should the database be created now? (something like “Are you sure you want…”): yes
Enter the MySQL root password that you created during installation: "YourPassword"
Done.
(optional, can be skipped)
# apt-get install linotp-adminclient-cli
(optional, can be skipped)
# apt-get install libpam-linotp
So now our LinOTP web interface is available at:
https://server_IP/manage
I will talk about the settings in the web interface a little later.
Now, the most important thing! Bring up FreeRADIUS and link it to LinOTP.
Install FreeRADIUS and the LinOTP module:
# apt-get install freeradius linotp-freeradius-perl
Back up the clients and users configs of the RADIUS server:
# mv /etc/freeradius/clients.conf /etc/freeradius/clients.old
# mv /etc/freeradius/users /etc/freeradius/users.old
Create an empty clients file:
# touch /etc/freeradius/clients.conf
Edit our new config file (the backed-up config can be used as an example):
# nano /etc/freeradius/clients.conf
client 192.168.188.0/24 {
secret = passwd # shared secret the RADIUS clients use to connect
}
Next, create the users file:
# touch /etc/freeradius/users
Edit the file, telling the RADIUS server that we will use perl for authentication:
# nano /etc/freeradius/users
DEFAULT Auth-type := perl
Next, edit the file /etc/freeradius/modules/perl:
# nano /etc/freeradius/modules/perl
We need to set the path to the LinOTP perl script in the module parameter:
perl {
.........
module = /usr/lib/linotp/radius_linotp.pm
.....
}
Next, create the file that tells the module where (domain, database or flat file) to take user data from.
# touch /etc/linotp2/rlm_perl.ini
# nano /etc/linotp2/rlm_perl.ini
URL=https://your_LinOTP_server_IP(192.168.X.X)/validate/simplecheck
REALM=webusers1c
RESCONF=LocalUser
Debug=True
SSL_CHECK=False
Here I will dwell a little longer, because it is important.
Full description of the file with comments:
#IP of the linotp server (IP address of our LinOTP server)
URL=https://172.17.14.103/validate/simplecheck
#Our realm, which we will create in the LinOTP web interface.
REALM=rearm1
#Name of the UserIdResolver (user group) that is created in the LinOTP web interface.
RESCONF=flat_file
#optional: comment out if everything seems to work fine
Debug=True
#optional: use this if you have self-signed certificates, otherwise comment out (certificate check: leave enabled if we create our own certificate and want it verified)
SSL_CHECK=False
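As an added example (not code from the article or from the LinOTP project), here is an offline Python model of what this file configures: it parses the keys above from a constructed copy of rlm_perl.ini, builds the query the perl module sends to /validate/simplecheck, maps LinOTP's reply to the RADIUS outcome, and flags the settings that should not stay enabled once everything works. The parameter names user/pass/realm/resConf and the ':-)' / ':-(' reply strings follow my reading of the LinOTP validate API and are assumptions here.

```python
from urllib.parse import urlencode, urlsplit

# Constructed copy of the /etc/linotp2/rlm_perl.ini shown in the article.
SAMPLE_INI = """\
#IP of the linotp server
URL=https://172.17.14.103/validate/simplecheck
REALM=rearm1
RESCONF=flat_file
Debug=True
SSL_CHECK=False
"""

def parse_rlm_perl_ini(text):
    """Return {KEY: value}; comment and blank lines are skipped."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        cfg[key.strip()] = value.strip()
    return cfg

def build_validate_query(cfg, user, pin_plus_otp):
    """URL the perl module calls for one Access-Request.
    Parameter names user/pass/realm/resConf are assumed from the LinOTP API."""
    params = {"user": user, "pass": pin_plus_otp}
    if cfg.get("REALM"):
        params["realm"] = cfg["REALM"]      # realm from LinOTP Config -> Realms
    if cfg.get("RESCONF"):
        params["resConf"] = cfg["RESCONF"]  # UserIdResolver name
    return cfg["URL"] + "?" + urlencode(params)

def radius_result(body):
    """Only an exact ':-)' is an accept; ':-(' and anything unexpected
    (for example ':-/' on error) fail closed as a reject."""
    return "Access-Accept" if body.strip() == ":-)" else "Access-Reject"

def production_findings(cfg):
    """Settings the article marks optional that weaken a live deployment."""
    findings = []
    if cfg.get("SSL_CHECK", "").lower() == "false":
        findings.append("SSL_CHECK=False: LinOTP certificate is not verified")
    if cfg.get("Debug", "").lower() == "true":
        findings.append("Debug=True: verbose request logging left on")
    if urlsplit(cfg.get("URL", "")).scheme != "https":
        findings.append("URL is not https: PIN+OTP crosses the network in clear")
    return findings
```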
Next, create the file /etc/freeradius/sites-available/linotp:
# touch /etc/freeradius/sites-available/linotp
# nano /etc/freeradius/sites-available/linotp
And copy the following config into it (nothing needs to be edited):
authorize {
#normalizes malformed client requests before handing them on to other modules (see '/etc/freeradius/modules/preprocess')
preprocess
# If you are using multiple kinds of realms, you probably
# want to set "ignore_null = yes" for all of them.
# Otherwise, when the first style of realm doesn't match,
# the other styles won't be checked.
#allows a list of realm (see '/etc/freeradius/modules/realm')
IPASS
#understands something like USER@REALM and can tell the components apart (see '/etc/freeradius/modules/realm')
suffix
#understands USERREALM and can tell the components apart (see '/etc/freeradius/modules/realm')
ntdomain
# Read the 'users' file to learn about special configuration which should be applied for
# certain users (see '/etc/freeradius/modules/files')
files
# allows authentication to expire (see '/etc/freeradius/modules/expiration')
expiration
# allows to define valid service-times (see '/etc/freeradius/modules/logintime')
logintime
# We got no radius_shortname_map!
pap
}
#here the linotp perl module is called for further processing
authenticate {
perl
}
Next, create a symlink:
# ln -s ../sites-available/linotp /etc/freeradius/sites-enabled
Personally, I remove the default RADIUS sites, but if you need them, you can either edit their config or disable them.
# rm /etc/freeradius/sites-enabled/default
# rm /etc/freeradius/sites-enabled/inner-tunnel
# service freeradius reload
Now let's get back to the web interface and look at it in a little more detail:
In the upper right corner, click LinOTP Config -> UserIdResolvers -> New.
Choose what we want: LDAP (Windows AD, Samba LDAP), SQL, or local users of the system (Flatfile).
Fill in the required fields.
Next, create Realms:
In the upper right corner, click LinOTP Config -> Realms -> New.
Give our realm a name, and tick the UserIdResolvers created earlier.
All of this data is needed by FreeRADIUS in /etc/linotp2/rlm_perl.ini, which I wrote about above, so if you didn't edit it then, do it now.
The server is now fully configured.
Supplement:
Setting up LinOTP on Debian 9:
Installation:
# echo 'deb http://linotp.org/apt/debian stretch linotp' > /etc/apt/sources.list.d/linotp.list
# apt-get install dirmngr
# apt-key adv --recv-keys 913DFF12F86258E5
# apt-get update
# apt-get install mysql-server
(By default, MySQL (MariaDB) in Debian 9 does not offer to set a root password. You can of course leave it blank, but if you read the news, that often leads to "epic fails", so we will set one anyway.)
# mysql -u root -p
use mysql;
UPDATE user SET Password = PASSWORD('your_password') WHERE User = 'root';
exit
# apt-get install linotp
# apt-get install linotp-adminclient-cli
# apt-get install python-ldap
# apt install freeradius
# nano /etc/freeradius/3.0/sites-enabled/linotp
Paste the code (sent by JuriM, thanks to him for that!):
server linotp {
listen {
ipaddr=*
port=1812
type=auth
}
listen {
ipaddr=*
port=1813
type = acct
}
authorize {
preprocess
update {
&control:Auth-Type := Perl
}
}
authenticate {
Auth-Type Perl {
perl
}
}
accounting {
unix
}
}
Edit /etc/freeradius/3.0/mods-enabled/perl:
perl {
filename = /usr/share/linotp/radius_linotp.pm
func_authenticate = authenticate
func_authorize = authorize
}
Unfortunately, in Debian 9 the radius_linotp.pm library is not installed from the repositories, so we will take it from GitHub.
# apt install git
# git clone https://github.com/LinOTP/linotp-auth-freeradius-perl
# cd linotp-auth-freeradius-perl/
# cp radius_linotp.pm /usr/share/linotp/radius_linotp.pm
Now let's fix /etc/freeradius/3.0/clients.conf:
client servers {
ipaddr = 192.168.188.0/24
secret = your_password
}
Now let's fix /etc/linotp2/rlm_perl.ini:
Paste the same contents there as for the Debian 8 install (described above).
That should be all. (Not tested yet.)
Below I will leave a few links for setting up the systems that most often need to be protected by two-factor authentication:
Setting up two-factor authentication in
Setting
Also, the CMS of many sites support two-factor authentication (for WordPress, LinOTP even has its own special module on
IMPORTANT FACT! DO NOT check the "Google authenticator" box to use Google Authenticator! The QR code is not readable then… (weird fact)
Information from the following articles was used to write the article:
Thanks to the authors.
Source: habr.com