LinOTP two-factor authentication server

Today I want to share how to set up a two-factor authentication server to protect a corporate network, web sites, services and ssh. The server will run the combination LinOTP + FreeRadius.

Why do we need it?
It is a completely free, convenient solution that lives inside your own network and does not depend on third-party providers.

The service is very convenient, has a proper GUI unlike many other open-source products, and supports a large number of functions and policies (for example, login + password + (PIN+OTP token)). Through its API it integrates with SMS sending services (LinOTP Config -> Provider Config -> SMS Provider Config), generates codes for mobile apps such as Google Authenticator, and much more. I think it is more convenient than the service discussed in the article.

This server works fine with Cisco ASA, OpenVPN server, Apache2, and in general with almost anything that supports authentication through a RADIUS server (for example, SSH in a data centre).

Required:

1) Debian 8 (jessie) - mandatory! (a test installation on Debian 9 is described at the end of the article)

Let's start:

Install Debian 8.

Add the LinOTP repository:

# echo 'deb http://www.linotp.org/apt/debian jessie linotp' > /etc/apt/sources.list.d/linotp.list

Add the keys:

# gpg --search-keys 913DFF12F86258E5

Sometimes on a "clean" installation Debian shows this after running that command:

gpg: directory `/root/.gnupg' created
gpg: new configuration file `/root/.gnupg/gpg.conf' created
gpg: WARNING: options in `/root/.gnupg/gpg.conf' are not yet active during this run
gpg: keyring `/root/.gnupg/secring.gpg' created
gpg: keyring `/root/.gnupg/pubring.gpg' created
gpg: no keyserver known (use option --keyserver)
gpg: keyserver search failed: bad URI

This is just the first-run setup of gnupg. Simply run the command again.
Debian then asks:

gpg: searching for "913DFF12F86258E5" from hkp server keys.gnupg.net
(1)	LSE LinOTP2 Packaging <[email protected]>
	  2048 bit RSA key F86258E5, created: 2010-05-10
Keys 1-1 of 1 for "913DFF12F86258E5".  Enter number(s), N)ext, or Q)uit >

We answer: 1

Next:

# gpg --export 913DFF12F86258E5 | apt-key add -

# apt-get update

Install mysql. In principle you can use another SQL server, but for simplicity I will use the one recommended for LinOTP.

(more details, including how to reset the LinOTP database, can be found in the official documentation. There you will also find the command dpkg-reconfigure linotp for changing the parameters if you have already installed mysql).

# apt-get install mysql-server

# apt-get update

(it does not hurt to refresh the package lists once more)
Install LinOTP and the additional modules:

# apt-get install linotp

Answer the installer's questions:
Use Apache2: yes
Create a password for the LinOTP admin: "your password"
Create a self-signed certificate?: yes
Use MySQL?: yes
Where is the database located: localhost
Create the LinOTP database (database name) on the server: LinOTP2
Create a separate user for the database: LinOTP2
Set a password for that user: "your password"
Create the database now? (something like "Are you sure you want to..."): yes
Enter the MySQL root password you created when installing it: "password"
Done.

(optional, you do not have to install it)

# apt-get install linotp-adminclient-cli 

(optional, you do not have to install it)

# apt-get install libpam-linotp  

So our LinOTP web interface is now available at:

https://server_IP/manage

I will talk about the settings in the web interface a little later.

Now the most important part! We set up FreeRadius and connect it to LinOTP.

Install FreeRadius and the module for working with LinOTP

# apt-get install freeradius linotp-freeradius-perl

Back up the radius clients and users configs.

# mv /etc/freeradius/clients.conf  /etc/freeradius/clients.old

# mv /etc/freeradius/users  /etc/freeradius/users.old

Create an empty clients file:

# touch /etc/freeradius/clients.conf

Edit our new config file (the backed-up config can be used as an example)

# nano /etc/freeradius/clients.conf

client 192.168.188.0/24 {
secret  = passwd # the shared secret clients use to connect (use a long random value in production, not "passwd")
}

Next, create the users file:

# touch /etc/freeradius/users

Edit the file, telling radius that we will use perl for authentication.

# nano /etc/freeradius/users

DEFAULT Auth-type := perl

Next, edit the file /etc/freeradius/modules/perl

# nano /etc/freeradius/modules/perl

We need to specify the path to the linotp perl script in the module's config:

perl {
	...
	module = /usr/lib/linotp/radius_linotp.pm
	...
}
After that, create the file in which we tell the module where (domain, database or file) to take the user data from.

# touch /etc/linotp2/rlm_perl.ini

# nano /etc/linotp2/rlm_perl.ini

URL=https://IP_of_your_LinOTP_server(192.168.X.X)/validate/simplecheck
REALM=webusers1c
RESCONF=LocalUser
Debug=True
SSL_CHECK=False

Let me explain a little more here, because it is important:

Full description of the file with comments:
#IP of the linOTP server (the IP address of our LinOTP server)
URL=https://172.17.14.103/validate/simplecheck
#Our realm, which we will create in the LinOTP web interface.
REALM=gama1
#Name of the user group (the UserIdResolver) created in the LinOTP web interface.
RESCONF=Flat_file
#optional: comment out once everything is working fine
Debug=True
#optional: set to True if the radius host trusts the LinOTP server certificate, otherwise leave False. With False the perl module does not verify the LinOTP certificate at all, so the FreeRadius -> LinOTP link is open to a spoofed LinOTP server that answers "ok" to every request; keep False only while testing and switch to True with a proper certificate in production.
SSL_CHECK=False
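To see what the perl module actually asks LinOTP with these settings, here is an added example of my own (not code from the original article or from the LinOTP project): a small Python client for the /validate/simplecheck endpoint that, unlike SSL_CHECK=False, verifies the server certificate against a CA bundle. LinOTP answers this endpoint with ":-)" on success, ":-(" on failure and ":/" followed by a transaction id and message when a challenge-response token needs a second step. The server address, realm, CA bundle path and user are assumptions; replace them with your own.

```python
"""Minimal LinOTP /validate/simplecheck client (added example, not the
article's or LinOTP's code). Uses the same URL/REALM values as
/etc/linotp2/rlm_perl.ini but verifies TLS instead of SSL_CHECK=False."""
import getpass
import ssl
import sys
import urllib.parse
import urllib.request

# Assumed values: replace with your own LinOTP server, realm and CA bundle.
LINOTP_URL = "https://172.17.14.103/validate/simplecheck"
REALM = "gama1"
CA_BUNDLE = "/etc/ssl/certs/linotp-ca.pem"   # hypothetical path to the CA that signed the LinOTP cert


def parse_simplecheck(body: str) -> dict:
    """Interpret the plain-text reply of /validate/simplecheck.

    ':-)'  -> PIN+OTP accepted
    ':-('  -> rejected
    ':/ <transactionid> <message>' -> challenge issued (challenge-response tokens)
    anything else -> error (proxy page, HTML error, wrong URL ...)"""
    text = body.strip()
    if text == ":-)":
        return {"status": "accept"}
    if text == ":-(":
        return {"status": "reject"}
    if text.startswith(":/"):
        parts = text[2:].strip().split(None, 1)
        return {
            "status": "challenge",
            "transaction_id": parts[0] if parts else "",
            "message": parts[1] if len(parts) > 1 else "",
        }
    return {"status": "error", "raw": text}


def build_query(user: str, otp_pass: str, realm: str = REALM) -> str:
    """Form-encode the parameters simplecheck expects (user, pass, realm)."""
    return urllib.parse.urlencode({"user": user, "pass": otp_pass, "realm": realm})


def check_otp(user: str, otp_pass: str, url: str = LINOTP_URL, realm: str = REALM,
              ca_bundle: str = CA_BUNDLE, timeout: float = 5.0) -> dict:
    """POST the credentials to LinOTP over a verified TLS connection and parse the answer.

    The body is sent as POST data rather than in the URL so that PIN+OTP does
    not end up in web-server access logs."""
    ctx = ssl.create_default_context(cafile=ca_bundle)   # verifies cert chain and hostname
    req = urllib.request.Request(url, data=build_query(user, otp_pass, realm).encode())
    with urllib.request.urlopen(req, context=ctx, timeout=timeout) as resp:
        return parse_simplecheck(resp.read().decode("utf-8", "replace"))


if __name__ == "__main__":
    # usage: python3 linotp_check.py <user>   (then enter PIN+OTP at the prompt)
    name = sys.argv[1] if len(sys.argv) > 1 else input("user: ")
    result = check_otp(name, getpass.getpass("PIN+OTP: "))
    print(result)
    sys.exit(0 if result["status"] == "accept" else 1)
```

If this script returns "accept" but a RADIUS login still fails, the problem is in the FreeRadius side (clients.conf secret, users file, module path); if it fails here too, check the realm, resolver and token in the LinOTP web interface first. A TLS error from this script means the certificate the server presents is not trusted by the CA bundle, which is exactly the condition SSL_CHECK=False hides.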

Next, create the file /etc/freeradius/sites-available/linotp

# touch /etc/freeradius/sites-available/linotp

# nano /etc/freeradius/sites-available/linotp

And copy the config into it (nothing needs to be edited):

authorize {
	# normalizes malformed client requests before handing them on to other modules (see '/etc/freeradius/modules/preprocess')
	preprocess
	#  If you are using multiple kinds of realms, you probably
	#  want to set "ignore_null = yes" for all of them.
	#  Otherwise, when the first style of realm doesn't match,
	#  the other styles won't be checked.
	# allows a list of realms (see '/etc/freeradius/modules/realm')
	IPASS
	# understands something like USER@REALM and can tell the components apart (see '/etc/freeradius/modules/realm')
	suffix
	# understands DOMAIN\USER and can tell the components apart (see '/etc/freeradius/modules/realm')
	ntdomain
	# Read the 'users' file to learn about special configuration which should be applied for
	# certain users (see '/etc/freeradius/modules/files')
	files
	# allows authentication to expire (see '/etc/freeradius/modules/expiration')
	expiration
	# allows defining valid service times (see '/etc/freeradius/modules/logintime')
	logintime
	# We got no radius_shortname_map!
	pap
}
# here the linotp perl module is called for further processing
authenticate {
	perl
}

Next, create a symlink:

# ln -s ../sites-available/linotp /etc/freeradius/sites-enabled

Personally I disable the default Radius sites, but if you need them you can either adjust their config or leave them enabled.

# rm /etc/freeradius/sites-enabled/default

# rm /etc/freeradius/sites-enabled/inner-tunnel

# service freeradius reload

Now let's go back to our web interface and look at it in more detail:
In the upper right corner click LinOTP Config -> UserIdResolvers -> New
Choose what we want: LDAP (AD win, LDAP samba), or SQL, or the system's local users, Flatfile.

Fill in the required fields.

Next, create the REALMS:
In the upper right corner click LinOTP Config -> Realms -> New.
Give our REALMS a name and tick the UserIdResolvers created earlier.

FreeRadius needs all of this data in the /etc/linotp2/rlm_perl.ini file, as I wrote above, so if you have not edited it yet, do it now.

The whole server is set up.
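As an added end-to-end check (my own example, not part of the original article, of FreeRadius or of LinOTP), here is a minimal RADIUS PAP client in Python in the spirit of radtest. It shows how the shared secret from clients.conf is actually used: it hides User-Password (RFC 2865 section 5.2), keys the Message-Authenticator attribute (RFC 2869) and authenticates the server's reply, so a wrong secret or a forged Access-Accept is detected rather than silently trusted. The server address 192.168.188.10, the secret passwd and the user name are assumptions; replace them with your own.

```python
"""Minimal RADIUS PAP client (added example, not the article's or FreeRADIUS's
code) for testing the FreeRadius -> perl -> LinOTP chain with PIN+OTP."""
import hashlib
import hmac
import os
import socket
import struct

# RADIUS packet codes and attribute types (RFC 2865 / RFC 2869)
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, NAS_PORT, MESSAGE_AUTHENTICATOR = 1, 2, 4, 5, 80


def _attr(typ: int, value: bytes) -> bytes:
    """Encode one attribute as Type(1) Length(1) Value."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", typ, len(value) + 2) + value


def encrypt_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 User-Password hiding: pad to 16-byte blocks, then
    c_i = p_i XOR MD5(secret + c_{i-1}) with c_0 = Request Authenticator."""
    if len(password) > 128:
        raise ValueError("password longer than 128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out, prev = out + block, block
    return out


def decrypt_password(ciphertext: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of encrypt_password (what the server does); strips NUL padding."""
    out, prev = b"", authenticator
    for i in range(0, len(ciphertext), 16):
        key = hashlib.md5(secret + prev).digest()
        block = ciphertext[i:i + 16]
        out, prev = out + bytes(a ^ b for a, b in zip(block, key)), block
    return out.rstrip(b"\x00")


def build_access_request(user: str, password: str, secret: bytes, ident: int,
                         authenticator: bytes, nas_ip: str = "127.0.0.1") -> bytes:
    """Build an Access-Request with User-Name, hidden User-Password, NAS-IP-Address,
    NAS-Port and a trailing Message-Authenticator (HMAC-MD5 keyed with the secret,
    computed over the packet with the attribute's own value zeroed)."""
    attrs = (_attr(USER_NAME, user.encode())
             + _attr(USER_PASSWORD, encrypt_password(password.encode(), secret, authenticator))
             + _attr(NAS_IP_ADDRESS, socket.inet_aton(nas_ip))
             + _attr(NAS_PORT, struct.pack("!I", 0)))
    length = 20 + len(attrs) + 18                      # header + attrs + Message-Authenticator
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, length) + authenticator
    mac = hmac.new(secret, header + attrs + _attr(MESSAGE_AUTHENTICATOR, b"\x00" * 16),
                   hashlib.md5).digest()
    return header + attrs + _attr(MESSAGE_AUTHENTICATOR, mac)


def verify_response(reply: bytes, request_authenticator: bytes, secret: bytes, ident: int) -> int:
    """Check identifier, length and the Response Authenticator
    MD5(Code + ID + Length + RequestAuth + Attributes + Secret); return the reply code."""
    if len(reply) < 20:
        raise ValueError("short packet")
    code, rid, length = struct.unpack("!BBH", reply[:4])
    if rid != ident or length != len(reply):
        raise ValueError("identifier or length mismatch")
    expected = hashlib.md5(reply[:4] + request_authenticator + reply[20:length] + secret).digest()
    if not hmac.compare_digest(expected, reply[4:20]):
        raise ValueError("bad Response Authenticator: wrong secret or forged reply")
    return code


def radius_auth(server: str, secret: bytes, user: str, password: str,
                port: int = 1812, timeout: float = 5.0) -> int:
    """Send one Access-Request over UDP and return the verified reply code."""
    ident, authenticator = os.urandom(1)[0], os.urandom(16)
    packet = build_access_request(user, password, secret, ident, authenticator)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(packet, (server, port))
        reply, _ = s.recvfrom(4096)
    return verify_response(reply, authenticator, secret, ident)


if __name__ == "__main__":
    import getpass, sys
    # Assumed: RADIUS server address, the secret from clients.conf, a user with a token in the realm
    code = radius_auth("192.168.188.10", b"passwd", sys.argv[1], getpass.getpass("PIN+OTP: "))
    names = {ACCESS_ACCEPT: "Access-Accept", ACCESS_REJECT: "Access-Reject", ACCESS_CHALLENGE: "Access-Challenge"}
    print(names.get(code, f"code {code}"))
```

Run it as `python3 radius_check.py alice` from a host inside the client range of clients.conf. An Access-Accept proves the whole FreeRadius -> perl -> LinOTP chain; on Access-Reject, run the server with `freeradius -X` to see which link failed. Note that the secret and MD5 are the only protection the PIN+OTP has on the wire, which is why the secret should be long and random and the client range in clients.conf as narrow as possible.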

Additionally:

Setting up LinOTP on Debian 9:

Installation:

# echo 'deb http://linotp.org/apt/debian stretch linotp' > /etc/apt/sources.list.d/linotp.list 
# apt-get install dirmngr

# apt-key adv --recv-keys 913DFF12F86258E5
# apt-get update

# apt-get install mysql-server

(by default, in Debian 9 mysql (MariaDB) does not offer to set a root password; of course you can leave it empty, but if you read the articles this often ends in an "epic fail", so we will set it anyway)

# mysql -u root -p
use mysql;
UPDATE user SET Password = PASSWORD('password_here') WHERE User = 'root';
FLUSH PRIVILEGES;
exit

(a direct UPDATE of the grant tables only takes effect after FLUSH PRIVILEGES. Also note that on Debian 9's MariaDB, root@localhost authenticates through the unix_socket plugin by default, so the password set here is only consulted once that plugin is cleared for the account.)

# apt-get install linotp
# apt-get install linotp-adminclient-cli
# apt-get install python-ldap
# apt install freeradius
# nano /etc/freeradius/3.0/sites-enabled/linotp

Paste the following config (sent in by JuriM, thanks to him for it!):

server linotp {
	listen {
		ipaddr = *
		port = 1812
		type = auth
	}
	listen {
		ipaddr = *
		port = 1813
		type = acct
	}
	authorize {
		preprocess
		update {
			&control:Auth-Type := Perl
		}
	}
	authenticate {
		Auth-Type Perl {
			perl
		}
	}
	accounting {
		unix
	}
}

Edit /etc/freeradius/3.0/mods-enabled/perl

perl {
	filename = /usr/share/linotp/radius_linotp.pm
	func_authenticate = authenticate
	func_authorize = authorize
}

Unfortunately, in Debian 9 the radius_linotp.pm library is not installed from the repository, so we take it from github.

# apt install git
# git clone https://github.com/LinOTP/linotp-auth-freeradius-perl
# cd linotp-auth-freeradius-perl/
# cp radius_linotp.pm /usr/share/linotp/radius_linotp.pm

Now edit /etc/freeradius/3.0/clients.conf

client servers {
	ipaddr = 192.168.188.0/24
	secret = passwd
}

Now edit /etc/linotp2/rlm_perl.ini with nano

Paste the same content there as for the Debian 8 installation (described above)

That is all, in theory. (not tested yet)

Below I leave a few links on setting up the systems that most often need to be protected with two-factor authentication:
Setting up two-factor authentication in Apache2

Setup with Cisco ASA (a different authentication server is used there, but the ASA settings themselves are the same).

VPN with two-factor authentication

Setting up two-factor authentication in ssh (LinOTP is also used there) - thanks to the author. There you can also find interesting things about setting up LinOTP policies.

Also, many web-site CMSs support two-factor authentication (for WordPress, LinOTP even has its own dedicated module on github), for example if you want a protected section on your company web site for company employees.
IMPORTANT! Do NOT tick the "Google Authenticator" box in order to use Google Authenticator! Otherwise the QR code cannot be scanned... (strange, but true)

The following articles were used in writing this one:
itnan.ru/post.php?c=1&p=270571
www.digitalbears.net/?p=469

Thanks to the authors.

source: www.habr.com
