How to use PAM modules for local authentication in Linux with GOST-2012 keys on Rutoken

Simple passwords are insecure, and complex ones are hard to remember. That is why they so often end up on a sticky note under the keyboard or on the monitor. To keep passwords in the heads of "forgetful" users without giving up the reliability of the protection, there is two-factor authentication (2FA).

Because authentication combines possession of a device with knowledge of its PIN, the PIN itself can be simpler and easier to remember. Weaknesses in PIN length or randomness are compensated by the physical possession requirement and by the limit on PIN brute-force attempts.

In addition, government agencies often want everything to work according to GOST. This article covers that variant of 2FA for logging into Linux. I will start from a distance.

What is PAM

Pluggable Authentication Modules (PAM) are modules with a standardized API that implement various authentication mechanisms for applications.
Every utility and application that can work with PAM picks the modules up and can use them for user authentication.
In practice it works roughly like this: the login command calls PAM, which performs all the necessary checks using the modules listed in the configuration file and returns the result to the login command.

librtpam

The module developed by the company Aktiv adds two-factor user authentication with smart cards or USB tokens, using asymmetric keys according to the latest domestic cryptographic standards.

Let us look at how it works:

  • The token stores the user's certificate and its private key;
  • The same certificate is stored in the user's home directory as a trusted one.

The authentication process goes as follows:

  1. The user's certificate is looked up on the Rutoken.
  2. The token PIN is requested.
  3. Random data is signed with the private key directly inside the Rutoken chip.
  4. The signature is verified with the public key from the user's certificate.
  5. The module returns the signature verification result to the calling application.

You can authenticate with GOST R 34.10-2012 keys (256 or 512 bits long) or with the outdated GOST R 34.10-2001.

You do not have to worry about the security of the keys: they are generated directly on the Rutoken and never leave its memory during cryptographic operations.


Rutoken EDS 2.0 is certified by the FSB and by FSTEC at NDV 4, so it can be used in information systems that process confidential information.

Practical use

Almost any modern Linux will do; as an example we will use xUbuntu 18.10.

1) Install the required packages

$ sudo apt-get install libccid pcscd opensc
If you also want the desktop to lock with a screensaver, install the additional package libpam-pkcs11.

2) Add the PAM module with GOST support

Download the library from https://download.rutoken.ru/Rutoken/PAM/
Copy the file librtpam.so.1.0.0 from the PAM folder into the system library folder:
/usr/lib/, /usr/lib/x86_64-linux-gnu/ or /usr/lib64

3) Install the package containing librtpkcs11ecp.so

Download and install the DEB or RPM package from the link: https://www.rutoken.ru/support/download/pkcs/

4) Check that Rutoken EDS 2.0 works in the system

In a terminal, run
$ pkcs11-tool --module /usr/lib/librtpkcs11ecp.so -T
If you see the line Rutoken ECP <no label>, everything is fine.

5) Read the certificate

Check that the device contains a certificate
$ pkcs11-tool --module /usr/lib/librtpkcs11ecp.so -O
If, after the line:
Using slot 0 with a present token (0x0)

  • information about keys and certificates is printed, you need to read the certificate and save it to disk. To do this, run the following command, substituting for {id} the certificate ID you saw in the output of the previous command:
    $ pkcs11-tool --module /usr/lib/librtpkcs11ecp.so -r -y cert --id {id} --output-file cert.crt
    If the file cert.crt has been created, go on to step 6).
  • nothing is printed, the device is empty. Contact your administrator, or create the keys and certificate yourself by following the next step.

5.1) Create a test certificate

Attention! The methods of creating keys and certificates described here are suitable for testing and are not intended for production use. For that you need keys and certificates issued by your organization's trusted certification authority or by another trusted CA.
The PAM module is intended to protect home computers and is designed for use in small organizations. Since there are few users, the administrator can track certificate revocation, account blocking and certificate validity periods by hand. The PAM module does not yet know how to verify certificates against CRLs or build chains of trust.

The simple way (through a browser)

To obtain a test certificate, use the "Rutoken Registration Center" web service. The process takes no more than 5 minutes.

The geek way (through a console and, possibly, a compiler)

Check the OpenSC version
$ opensc-tool --version
If the version is lower than 0.20, update, or build the pkcs11-tool branch with GOST-2012 support from our GitHub (at the time of publication, release 0.20 had not yet come out), or build the main OpenSC project's master branch at commit 8cf1e6f or later.

Generate a key pair with the following parameters:
--key-type: GOSTR3410-2012-512:A (GOST-2012, 512 bits, paramset A) or GOSTR3410-2012-256:A (GOST-2012, 256 bits, paramset A)

--id: the object identifier (CKA_ID) as two-digit hex ASCII codes. Use only the ASCII codes of printable characters, because the id will have to be passed to OpenSSL as a string. For example, the ASCII code sequence "3132" corresponds to the string "12". For convenience you can use an online service to convert a string into ASCII codes.

$ ./pkcs11-tool --module /usr/lib/librtpkcs11ecp.so --keypairgen --key-type GOSTR3410-2012-512:A -l --id 3132

Next we create a certificate. Two methods are described below: the first goes through a CA (we will use test CAs), the second is self-signed. For either one you first need to install and configure OpenSSL 1.1 or later to work with Rutoken through the dedicated rtengine module, following the manual "Installing and configuring OpenSSL".
Example: for '--id 3132' you pass "pkcs11:id=12" to OpenSSL.

You can use the services of a test CA, of which there are many. For that, create a certificate request:
$ openssl req -utf8 -new -keyform engine -key "pkcs11:id=12" -engine rtengine -out req.csr

Another option is to give in to laziness and create a self-signed certificate:
$ openssl req -utf8 -x509 -keyform engine -key "pkcs11:id=12" -engine rtengine -out cert.cer

Then load the certificate onto the device.
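The CKA_ID rule above (two hex ASCII digits per character, printable characters only, and the string form for OpenSSL's pkcs11: URI) is easy to get wrong by hand. The following script is an added example written for this article, not code from the article or from Rutoken's own tools: it implements both directions of the mapping, rejects non-printable ids, and chains the key-pair, self-signed certificate and upload steps in the order they must run. The module path /usr/lib/librtpkcs11ecp.so and the use of pkcs11-tool's -w/--write-object flag for uploading the certificate are assumptions; the hardware steps only run when the tools are installed.

```shell
#!/bin/sh
# Added example (not from the original article or from Rutoken's own tools).
# Implements the CKA_ID <-> string mapping and runs the key-pair, self-signed
# certificate and certificate-upload steps in the right order.
# Assumptions: the module path below and pkcs11-tool's -w/--write-object flag.

MODULE=/usr/lib/librtpkcs11ecp.so

# String -> CKA_ID as two-digit hex ASCII codes: "12" -> "3132".
str_to_cka_id() {
    printf '%s' "$1" | od -An -tx1 | tr -d ' \n'
}

# CKA_ID hex -> the string OpenSSL's pkcs11: URI needs: "3132" -> "12".
# Rejects empty, odd-length or non-hex input.
cka_id_to_str() {
    _hex=$1
    [ -n "$_hex" ] && [ $(( ${#_hex} % 2 )) -eq 0 ] || return 1
    case $_hex in *[!0-9a-fA-F]*) return 1 ;; esac
    while [ -n "$_hex" ]; do
        _byte=${_hex%"${_hex#??}"}     # first two hex digits
        _hex=${_hex#??}
        # printf only promises octal escapes, so go hex -> decimal -> octal
        printf "\\$(printf '%03o' "$((0x$_byte))")"
    done
}

# Key reference for "openssl -key" built from a CKA_ID.
pkcs11_uri() {
    printf 'pkcs11:id=%s' "$(cka_id_to_str "$1")"
}

# True if every byte of the id is printable ASCII; anything else cannot be
# passed to OpenSSL as a string, which is the restriction the text gives.
cka_id_is_printable() {
    _s=$(cka_id_to_str "$1") || return 1
    [ "$(printf '%s' "$_s" | tr -d '[:print:]' | wc -c | tr -d ' ')" -eq 0 ]
}

# Test-certificate flow: key pair generated on the token, self-signed
# certificate made through rtengine, certificate written back under the same
# id so librtpam can find it. Only runs when the tools are installed.
make_test_cert() {
    _id=$1
    cka_id_is_printable "$_id" || { echo "id $_id is not printable ASCII" >&2; return 1; }
    command -v pkcs11-tool >/dev/null 2>&1 && command -v openssl >/dev/null 2>&1 \
        || { echo "pkcs11-tool/openssl not installed; nothing done" >&2; return 2; }
    pkcs11-tool --module "$MODULE" --keypairgen --key-type GOSTR3410-2012-512:A -l --id "$_id" || return 1
    # -subj avoids the interactive prompt; the subject is arbitrary for a test
    openssl req -utf8 -x509 -keyform engine -key "$(pkcs11_uri "$_id")" -engine rtengine \
        -subj "/CN=rutoken-test" -out cert.cer || return 1
    # Assumed flags: -w writes the object, -y cert sets its type
    pkcs11-tool --module "$MODULE" -l -y cert -w cert.cer --id "$_id"
}
```

Calling `make_test_cert "$(str_to_cka_id 12)"` reproduces the article's id 3132; the same function with an id such as 0102 stops before touching the token, because the string form would not survive the trip through OpenSSL.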

6) Register the certificate in the system

Make sure your certificate is a base64 (PEM) file: it should begin with the line -----BEGIN CERTIFICATE----- followed by base64 text.

If instead the file is binary (DER), you need to convert the certificate from DER to PEM (base64) format:

$ openssl x509 -in cert.crt -out cert.pem -inform DER -outform PEM
Check again that everything is in order now.

Add the certificate to the list of trusted certificates
$ mkdir ~/.eid
$ chmod 0755 ~/.eid
$ cat cert.pem >> ~/.eid/authorized_certificates
$ chmod 0644 ~/.eid/authorized_certificates

The last line protects the list of trusted certificates from accidental or deliberate modification by other users. This prevents someone from adding their own certificate here and logging in on your behalf.
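Step 6 as a script, added here as an example (it is not the article's or Rutoken's own code): it detects whether the certificate file is PEM or DER, converts DER with openssl only when needed, appends the result to the authorized_certificates list with the modes given above, and then checks the property the last paragraph cares about, that the list is owned by the user and carries no write bit for group or others. The EID_DIR variable is an assumption so the functions can be pointed at a scratch directory.

```shell
#!/bin/sh
# Added example, not part of the original article. Installs a certificate into
# the trusted list the way step 6 describes and verifies the list's ownership
# and permissions afterwards. EID_DIR is an assumption (defaults to ~/.eid).

EID_DIR=${EID_DIR:-$HOME/.eid}

# "pem" if the file starts with the PEM header, "der" if its first byte is the
# ASN.1 SEQUENCE tag 0x30 every DER certificate begins with, else "unknown".
cert_format() {
    if head -n 1 "$1" | grep -q '^-----BEGIN CERTIFICATE-----'; then
        echo pem
    elif [ "$(od -An -tx1 -N1 "$1" | tr -d ' \n')" = "30" ]; then
        echo der
    else
        echo unknown
    fi
}

# Write a PEM copy of $1 to $2; openssl runs only for DER input.
to_pem() {
    case "$(cert_format "$1")" in
        pem) cp "$1" "$2" ;;
        der) openssl x509 -in "$1" -inform DER -out "$2" -outform PEM ;;
        *)   echo "$1: neither PEM nor DER" >&2; return 1 ;;
    esac
}

# Octal permission string of a file (GNU stat, BSD stat as fallback).
perm_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# The list decides who may log in, so it must be owned by the user and must
# not carry a write bit for group or others. Returns 0 when that holds.
store_is_safe() {
    _f=$1
    [ -f "$_f" ] || return 1
    [ -n "$(find "$_f" -prune -user "$(id -u)" -print 2>/dev/null)" ] || return 1
    _p=$(perm_of "$_f")
    _other=${_p#"${_p%?}"}               # last octal digit
    _rest=${_p%?}
    _group=${_rest#"${_rest%?}"}         # second-to-last digit
    case "$_group$_other" in *[2367]*) return 1 ;; esac   # a write bit is set
    return 0
}

# Step 6 end to end: normalise to PEM, append, set modes, verify.
install_cert() {
    _tmp=$(mktemp) || return 1
    to_pem "$1" "$_tmp" || { rm -f "$_tmp"; return 1; }
    mkdir -p "$EID_DIR" && chmod 0755 "$EID_DIR" || { rm -f "$_tmp"; return 1; }
    cat "$_tmp" >> "$EID_DIR/authorized_certificates"
    rm -f "$_tmp"
    chmod 0644 "$EID_DIR/authorized_certificates"
    store_is_safe "$EID_DIR/authorized_certificates"
}
```

`install_cert cert.crt` accepts either format the article shows and fails loudly if the resulting list ends up writable by others, which is exactly the condition that would let another account enrol its own certificate.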

7) Set up authentication

Configuring our PAM module is entirely standard and is done exactly the same way as for other modules. Create the file /usr/share/pam-configs/rutoken-gost-pam containing the full module name, whether it is enabled by default, the module priority and the authentication parameters.
The authentication parameters state what the module's result means for the overall outcome:

  • required: such a module must return a positive result. If the module call returns a negative result, authentication fails; the request will be rejected, but the remaining modules are still called.
  • requisite: like required, but authentication fails immediately and the remaining modules are skipped.
  • sufficient: if no required or sufficient module earlier in the stack has returned a negative result, a positive result from this module ends the stack with success; the remaining modules are skipped.
  • optional: if there are no required modules in the stack and none of the sufficient modules returned a positive result, then at least one of the optional modules must return a positive result.

The full content of the file /usr/share/pam-configs/rutoken-gost-pam:
Name: Rutoken PAM GOST
Default: yes
Priority: 800
Auth-Type: Primary
Auth: sufficient /usr/lib/librtpam.so.1.0.0 /usr/lib/librtpkcs11ecp.so

Save the file, then run
$ sudo pam-auth-update
In the window that appears, tick Rutoken PAM GOST and press OK.

8) Check the settings

To confirm that everything is configured without losing the ability to log in to the system, enter the command
$ sudo login
Enter your username. Everything is configured correctly if the system asks for the device PIN.

9) Configure the computer to lock when the token is removed

The libpam-pkcs11 package includes the pkcs11_eventmgr utility, which lets you perform various actions when PKCS#11 events occur.
pkcs11_eventmgr is configured through the file /etc/pam_pkcs11/pkcs11_eventmgr.conf
The command that locks the session when the smart card or token is removed differs between Linux distributions; see event card_remove.
An example configuration file is shown below:

pkcs11_eventmgr
{
    # Run in the background
    daemon = true;

    # Debug message setting
    debug = false;

    # Polling interval in seconds
    polling_time = 1;

    # Timeout for card removal
    # Default 0
    expire_time = 0;

    # PKCS#11 library used to work with Rutoken
    pkcs11_module = /usr/lib/librtpkcs11ecp.so;

    # Card actions
    # Card inserted:
    event card_insert {
        # Leave the defaults (nothing happens)
        on_error = ignore ;

        action = "/bin/false";
    }

    # Card removed
    event card_remove {
        on_error = ignore;

        # Call the screen-lock function

        # For GNOME
        action = "dbus-send --type=method_call --dest=org.gnome.ScreenSaver /org/gnome/ScreenSaver org.gnome.ScreenSaver.Lock";

        # For XFCE
        # action = "xflock4";

        # For Astra Linux (FLY)
        # action = "fly-wmfunc FLYWM_LOCK";
    }

    # Card removed for a long time
    event expire_time {
        # Leave the defaults (nothing happens)
        on_error = ignore;

        action = "/bin/false";
    }
}

After that, add the pkcs11_eventmgr application to autostart. To do this, edit the .bash_profile file:
$ nano /home/<username>/.bash_profile
Add the line pkcs11_eventmgr to the end of the file and log in again.
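Because the lock command in card_remove differs per desktop, the same configuration cannot be copied between machines without editing. The script below is an added example written for this article, not code from the article or from libpam-pkcs11: it tries the lockers the configuration lists (the GNOME dbus call, XFCE's xflock4, Astra Linux's fly-wmfunc) in order, falls back to systemd-logind's lock-sessions, and reports when none is present instead of letting on_error = ignore hide the failure. Installing it as /usr/local/bin/rutoken-lock and using that path as the card_remove action is an assumption.

```shell
#!/bin/sh
# Added example, not from the article or from libpam-pkcs11. One lock script
# for the card_remove action so the same pkcs11_eventmgr.conf works on every
# desktop the configuration mentions. Install path is an assumption.

# Candidates in order of preference, one per line: name|command
LOCKERS='gnome|dbus-send --type=method_call --dest=org.gnome.ScreenSaver /org/gnome/ScreenSaver org.gnome.ScreenSaver.Lock
xfce|xflock4
fly|fly-wmfunc FLYWM_LOCK
logind|loginctl lock-sessions'

# Sets LOCKER_NAME and LOCKER_CMD to the first candidate whose program is on
# PATH; returns 1 if none is. The GNOME dbus call only makes sense inside a
# GNOME session, so it is additionally gated on XDG_CURRENT_DESKTOP.
find_locker() {
    LOCKER_NAME='' LOCKER_CMD=''
    while IFS='|' read -r _name _cmd; do
        [ -n "$_name" ] || continue
        command -v "${_cmd%% *}" >/dev/null 2>&1 || continue
        if [ "$_name" = gnome ]; then
            case "${XDG_CURRENT_DESKTOP:-}" in *GNOME*) ;; *) continue ;; esac
        fi
        LOCKER_NAME=$_name
        LOCKER_CMD=$_cmd
        return 0
    done <<EOF
$LOCKERS
EOF
    return 1
}

# Lock the session; a missing locker is reported on stderr and returns 1,
# which is what "on_error = ignore" in the config would otherwise swallow.
lock_session() {
    find_locker || { echo "rutoken-lock: no screen locker found" >&2; return 1; }
    $LOCKER_CMD
}

# When installed and executed as rutoken-lock, lock immediately; when the file
# is sourced (for example by tests) nothing runs.
case "${0##*/}" in rutoken-lock) lock_session ;; esac
```

With the script in place, the card_remove event reduces to action = "/usr/local/bin/rutoken-lock" on every machine, and the logind fallback locks all sessions rather than none when no desktop-specific locker is found.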

The steps described for setting up the module can serve as a guide for any modern Linux distribution, including domestic ones.

Conclusion

Linux computers are becoming increasingly common in Russian government agencies, and setting up reliable two-factor authentication on this OS is not always easy. We will be glad if this guide helps you solve the "password problem" and reliably protect access to your PC without spending much time on it.

source: www.habr.com