What do you do when two-factor authentication is both desirable and tempting, but there is no money for hardware tokens and in general you are told to hang in there and keep your spirits up?
This solution is nothing particularly original, just a mix of various approaches found on the Internet.
So, given:
An Active Directory domain.
Domain users work through a VPN, as many do these days.
A Fortigate acts as the VPN gateway.
Saving the password in the VPN client is forbidden by the security policy.
Fortinet's policy on its own tokens can only be called stingy: 10 tokens are free, the rest come at a thoroughly non-kosher price. I did not consider RSA SecurID, Duo and the like, because I want open source.
Prerequisites: a *nix host with freeradius installed and sssd joined to the domain, so that domain users can authenticate on it without trouble.
Additional packages: shellinabox, figlet, freeradius-ldap and the rebel.tlf font from the repository.
In my example this is CentOS 7.8.
The intended logic is as follows: when connecting to the VPN, the user enters the domain login and an OTP instead of the password.
Setting up the services
In /etc/raddb/radiusd.conf only the user and group that freeradius runs as are changed, since the radiusd service must be able to read the ~/.google_authenticator files in every subdirectory of /home/. (pam_google_authenticator also has a secret= option that lets the files live outside home directories, which would avoid running radiusd as root, but that is outside this setup.)
    user = root
    group = root
For groups to be usable in the Fortigate configuration, a Vendor Specific Attribute has to be passed. To do that, in the raddb/policy.d directory I create a file with the following contents:
    group_authorization {
        if (&LDAP-Group[*] == "CN=vpn_admins,OU=vpn-groups,DC=domain,DC=local") {
            update reply {
                &Fortinet-Group-Name = "vpn_admins"
            }
            update control {
                &Auth-Type := PAM
                &Reply-Message := "Welcome Admin"
            }
        }
        else {
            update reply {
                &Reply-Message := "Not authorized for vpn"
            }
            reject
        }
    }
After installing freeradius-ldap, an ldap file appears in the raddb/mods-available directory.
A symbolic link to it needs to be created in raddb/mods-enabled:
    ln -s /etc/raddb/mods-available/ldap /etc/raddb/mods-enabled/ldap
I bring its contents to the following form:
    ldap {
        server = 'domain.local'
        identity = 'CN=freerad_user,OU=users,DC=domain,DC=local'
        password = "SupeSecretP@ssword"
        base_dn = 'dc=domain,dc=local'
        sasl {
        }
        user {
            base_dn = "${..base_dn}"
            filter = "(sAMAccountname=%{%{Stripped-User-Name}:-%{User-Name}})"
            sasl {
            }
            scope = 'sub'
        }
        group {
            base_dn = "${..base_dn}"
            filter = '(objectClass=Group)'
            scope = 'sub'
            name_attribute = cn
            membership_filter = "(|(member=%{control:Ldap-UserDn})(memberUid=%{%{Stripped-User-Name}:-%{User-Name}}))"
            membership_attribute = 'memberOf'
        }
    }
In raddb/sites-enabled/default and raddb/sites-enabled/inner-tunnel, in the authorize section, I add the name of the policy to be used: group_authorization. An important point: the policy name is defined not by the file name in policy.d but by the identifier inside the file, before the opening curly brace.
In the authenticate section of the same files the pam line needs to be uncommented.
In clients.conf, write the parameters with which the Fortigate will connect:
    client fortigate {
        ipaddr = 192.168.1.200
        secret = testing123
        require_message_authenticator = no
        nas_type = other
    }
The pam.d/radiusd module configuration:
    #%PAM-1.0
    # A valid OTP alone is sufficient; the password-auth stack is only reached if the OTP check fails
    auth sufficient pam_google_authenticator.so
    auth include password-auth
    account required pam_nologin.so
    account include password-auth
    password include password-auth
    session include password-auth
The basic freeradius + google authenticator integration requires the user to enter credentials in the form username / password+OTP.
Picturing the amount of cursing that would rain down on my head with the standard freeradius + Google Authenticator bundle, I decided to use the pam module configuration so that only the Google Authenticator token is checked.
When a user connects, the following happens:
- Freeradius checks that the user exists in the domain and belongs to the required group and, if so, checks the OTP token.
Everything was wonderful until the moment I thought: "How do I enrol OTP for 300+ users?"
The user has to log in to the freeradius server under their own account and run the google-authenticator program, which generates a QR code for the authenticator app. This is where shellinabox, combined with .bash_profile, comes to the rescue.
    [root@freeradius ~]# yum install -y shellinabox
The daemon's configuration file is /etc/sysconfig/shellinabox.
I set port 443 there; you can also specify your own certificate.
    [root@freeradius ~]# systemctl enable --now shellinaboxd
The user only has to open the link, enter domain credentials and get a QR code for the app.
The algorithm is as follows:
- The user logs in to the machine through the browser.
- It is checked whether the user is a domain user. If not, nothing needs to be done.
- If the user is a domain user, membership in the Admins group is checked.
- If not an admin, it is checked whether Google Authenticator is already set up. If not, a QR code and a token are generated for the user.
- If not an admin and Google Authenticator is already set up, just log out.
- If an admin, Google Authenticator is checked again. If not set up, a QR code is generated.
All of the logic lives in /etc/skel/.bash_profile.
    cat /etc/skel/.bash_profile
    # .bash_profile
    # Get the aliases and functions
    if [ -f ~/.bashrc ]; then
        . ~/.bashrc
    fi
    # User specific environment and startup programs

    # Anyone who is not a local admin account gets a restricted PATH with only
    # the commands this portal needs, symlinked into ~/bin.
    if ! id "$USER" | grep -q "admins" || ! grep -q "^${USER}:" /etc/passwd; then
        [[ ! -d "$HOME/bin" ]] && mkdir "$HOME/bin"
        [[ ! -f "$HOME/bin/id" ]] && ln -s /usr/bin/id "$HOME/bin/id"
        [[ ! -f "$HOME/bin/google-auth" ]] && ln -s /usr/bin/google-authenticator "$HOME/bin/google-auth"
        [[ ! -f "$HOME/bin/grep" ]] && ln -s /usr/bin/grep "$HOME/bin/grep"
        [[ ! -f "$HOME/bin/figlet" ]] && ln -s /usr/bin/figlet "$HOME/bin/figlet"
        [[ ! -f "$HOME/bin/rebel.tlf" ]] && ln -s /usr/share/figlet/rebel.tlf "$HOME/bin/rebel.tlf"
        [[ ! -f "$HOME/bin/sleep" ]] && ln -s /usr/bin/sleep "$HOME/bin/sleep"
        # Set PATH env to <home user directory>/bin only
        PATH=$HOME/bin
        export PATH
    else
        # (the original read "PATH=PATH=$PATH:...", which put a literal "PATH=" into the path)
        PATH=$PATH:$HOME/.local/bin:$HOME/bin
        export PATH
    fi

    # Show the banner and the QR code, and write ~/.google_authenticator
    setup_gauth() {
        figlet -t -f "$HOME/bin/rebel.tlf" "Welcome to Company GAuth setup portal"
        sleep 1.5
        echo "Please, run any of these software on your device, where you would like to setup OTP:
    Google Authenticator:
    AppStore - https://apps.apple.com/us/app/google-authenticator/id388497605
    Play Market - https://play.google.com/store/apps/details?id=com.google.android.apps.authenticator2&hl=en
    FreeOTP:
    AppStore - https://apps.apple.com/us/app/freeotp-authenticator/id872559395
    Play Market - https://play.google.com/store/apps/details?id=org.fedorahosted.freeotp&hl=en
    And prepare to scan QR code.
    "
        sleep 5
        # -f write without asking, -t time-based, -w 3 accept 3 adjacent codes,
        # -r 3 -R 30 at most 3 logins per 30 s, -d disallow code reuse, -e 1 one scratch code
        google-auth -f -t -w 3 -r 3 -R 30 -d -e 1
        echo "Congratulations, now you can use an OTP token from application as a password connecting to VPN."
    }

    if id "$USER" | grep -q "domain users"; then
        if [[ ! -e "$HOME/.google_authenticator" ]]; then
            setup_gauth
            # Non-admins are logged out as soon as enrolment is done
            if ! id "$USER" | grep -q "admins"; then
                logout
            fi
        else
            echo "You have already setup a Google Authenticator"
            if ! id "$USER" | grep -q "admins"; then
                logout
            fi
        fi
    else
        echo "You don't need to set up a Google Authenticator"
    fi
Fortigate setup:
- Create the RADIUS server.
- Create the required groups, if access control by groups is needed. The group name on the Fortigate must match the group passed in the Fortinet-Group-Name Vendor Specific Attribute.
- Edit the required SSL portals.
- Add the groups to the policies.
Advantages of this solution:
- OTP authentication on a Fortigate with an open source solution.
- The user does not enter the domain password when connecting via VPN, which somewhat simplifies the connection process. A 6-digit code is easier to type than the password the security policy requires. As a result, the number of tickets titled "I can't connect to the VPN" goes down.
PS We plan to upgrade this solution to full two-factor authentication with challenge-response.
Update:
As promised, I converted it to the challenge-response variant.
So:
In /etc/raddb/sites-enabled/default the authorize section looks like this:
    authorize {
        filter_username
        preprocess
        auth_log
        chap
        mschap
        suffix
        eap {
            ok = return
        }
        files
        -sql
        #-ldap
        expiration
        logintime
        if (!State) {
            if (&User-Password) {
                # If !State and User-Password (PAP), then force LDAP:
                update control {
                    Ldap-UserDN := "%{User-Name}"
                    Auth-Type := LDAP
                }
            }
            else {
                reject
            }
        }
        else {
            # If State, then proxy request:
            group_authorization
        }
        pap
    }
The authenticate section now looks like this:
    authenticate {
        Auth-Type PAP {
            pap
        }
        Auth-Type CHAP {
            chap
        }
        Auth-Type MS-CHAP {
            mschap
        }
        mschap
        digest
        # Attempt authentication with a direct LDAP bind:
        Auth-Type LDAP {
            ldap
            if (ok) {
                update reply {
                    # Create a random State attribute:
                    State := "%{randstr:aaaaaaaaaaaaaaaa}"
                    Reply-Message := "Please enter OTP"
                }
                # Return Access-Challenge instead of Access-Accept. The original
                # had a bare "challenge" keyword here, which is not one of the
                # documented unlang return codes; overriding the response type
                # from the control list is the documented way to do the same.
                update control {
                    Response-Packet-Type := Access-Challenge
                }
            }
        }
        pam
        eap
    }
User authentication now follows this algorithm:
- The user enters the domain credentials in the VPN client.
- Freeradius checks that the account and password are valid.
- If the password is correct, a request for the token is sent.
- The token is verified.
- Profit.
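The OTP check described in the first part (group check, then the token) and the two-leg challenge-response flow above, as an added Python model that is not the article's or FreeRADIUS's code: the OTP half reproduces the RFC 6238 TOTP check behind pam_google_authenticator with the -w 3 window and -d no-reuse options, and the server half models the authorize/authenticate logic. The bind callback, the groups dict and the fact that a State is tied to the user it was issued to are assumptions of the model (the config only tests that a State is present).

```python
import base64, hashlib, hmac, secrets, struct

STEP, DIGITS = 30, 6   # 30-second time step and 6-digit codes (google-auth -t)

def totp(secret_b32, counter):
    """RFC 6238 TOTP (HMAC-SHA1) for one time-step counter."""
    key = base64.b32decode(secret_b32, casefold=True)
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF) % 10 ** DIGITS
    return "%0*d" % (DIGITS, code)

class OtpStore:
    """Per-user TOTP secrets; models the -w 3 window and -d (no reuse) options."""
    def __init__(self, window=3):
        self.secrets, self.last_used, self.half = {}, {}, window // 2
    def enroll(self, user, secret_b32=None):   # what google-authenticator does per user
        self.secrets[user] = secret_b32 or base64.b32encode(secrets.token_bytes(10)).decode()
    def verify(self, user, code, now):
        if user not in self.secrets:
            return False
        cur = int(now // STEP)
        for c in range(cur - self.half, cur + self.half + 1):   # previous, current, next
            if hmac.compare_digest(totp(self.secrets[user], c), code):
                if c <= self.last_used.get(user, -1):
                    return False            # code already accepted once: reject the replay
                self.last_used[user] = c
                return True
        return False

class ChallengeServer:
    """Model of the two-leg flow; bind() stands in for the LDAP bind, groups for LDAP-Group."""
    def __init__(self, otp, bind, groups):
        self.otp, self.bind, self.groups, self.pending = otp, bind, groups, {}
    def handle(self, req, now):
        user = req.get("User-Name", "")
        if "State" not in req:                                # leg 1: domain password
            if "User-Password" not in req or not self.bind(user, req["User-Password"]):
                return {"code": "Access-Reject"}
            state = secrets.token_hex(8)                      # the randstr State in the config
            self.pending[state] = user                        # assumption: tie State to the user
            return {"code": "Access-Challenge", "State": state, "Reply-Message": "Please enter OTP"}
        if self.pending.pop(req["State"], None) != user:      # unknown, reused or foreign State
            return {"code": "Access-Reject"}
        if "vpn_admins" not in self.groups.get(user, ()):     # the group_authorization policy
            return {"code": "Access-Reject", "Reply-Message": "Not authorized for vpn"}
        if not self.otp.verify(user, req.get("User-Password", ""), now):   # the pam leg
            return {"code": "Access-Reject"}
        return {"code": "Access-Accept", "Fortinet-Group-Name": "vpn_admins"}
```

The TOTP values can be checked against the RFC 6238 test vectors (seed "12345678901234567890", SHA-1), whose last six digits the function must reproduce.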
source: www.habr.com