LinOTP two-factor authentication

Today I want to share how to set up a two-factor authentication server to protect a corporate network, web sites, services and ssh. The server will run the following combination: LinOTP + FreeRadius.

Why do we need it?
It is a free and convenient solution, hosted inside your own network, independent of third-party providers.

The service is very convenient, has a graphical interface (unlike other open source products), and supports a large number of functions and policies (for example, login + password + (PIN + OTPToken)). Through its API it integrates with sms sending services (LinOTP Config->Provider Config->SMS Provider) and generates codes for mobile apps such as Google Authenticator and others. I find it more convenient than the service discussed in that article.

This server works well with Cisco ASA, OpenVPN server, Apache2, and in general with everything that supports authentication via a RADIUS server (for example, for SSH in the data center).

Requirements:

1) Debian 8 (jessie) - required! (a test setup on Debian 9 is described at the end of the article)

Let's begin:

Install Debian 8.

Add the LinOTP repository:

# echo 'deb http://www.linotp.org/apt/debian jessie linotp' > /etc/apt/sources.list.d/linotp.list

Add the keys:

# gpg --search-keys 913DFF12F86258E5

Sometimes on a "clean" install, after running this command, Debian prints:

gpg: создан каталог `/root/.gnupg'
gpg: создан новый файл настроек `/root/.gnupg/gpg.conf'
gpg: ВНИМАНИЕ: параметры в `/root/.gnupg/gpg.conf' еще не активны при этом запуске
gpg: создана таблица ключей `/root/.gnupg/secring.gpg'
gpg: создана таблица ключей `/root/.gnupg/pubring.gpg'
gpg: не заданы серверы ключей (используйте --keyserver)
gpg: сбой при поиске на сервере ключей: плохой URI

This is just the initial gnupg setup. Not a problem. Run the command again.
Debian then asks:

gpg: поиск "913DFF12F86258E5" на hkp сервере keys.gnupg.net
(1)	LSE LinOTP2 Packaging <[email protected]>
	  2048 bit RSA key F86258E5, создан: 2010-05-10
Keys 1-1 of 1 for "913DFF12F86258E5".  Введите числа, N) Следующий или Q) Выход>

We answer: 1

Next:

# gpg --export 913DFF12F86258E5 | apt-key add -

# apt-get update

Install mysql. In principle you can use a different sql server, but for simplicity I will use the one recommended for LinOTP.

(More information, including how to reconfigure the LinOTP database, can be found in the official documentation at the link. There you will also find the command dpkg-reconfigure linotp, which changes the parameters if you already had mysql installed.)

# apt-get install mysql-server

# apt-get update

(it does not hurt to check for updates again)
Install LinOTP and the additional modules:

# apt-get install linotp

We answer the installer's questions:
Use Apache2: yes
Create a password for the Linotp admin: "YourPassword"
Generate a self-signed certificate?: yes
Use MySQL?: yes
Where is the database located: localhost
Create a LinOTP database (base name) on the server: LinOTP2
Create a separate user for the database: LinOTP2
Set a password for the user: "YourPassword"
Should the database be created now? (something like "Are you sure you want..."): yes
Enter the MySQL root password you created during installation: "YourPassword"
Done.

(optional, you do not have to install it)

# apt-get install linotp-adminclient-cli 

(optional, you do not have to install it)

# apt-get install libpam-linotp  

And so, our Linotp web interface is available at:

https://<server_IP>/manage

I will talk about the settings in the web interface a bit later.

Now, the most important part! We bring up FreeRadius and link it with Linotp.

Install FreeRadius and the module for working with LinOTP:

# apt-get install freeradius linotp-freeradius-perl

Back up the radius client and user configs:

# mv /etc/freeradius/clients.conf  /etc/freeradius/clients.old

# mv /etc/freeradius/users  /etc/freeradius/users.old

Create an empty clients file:

# touch /etc/freeradius/clients.conf

Edit our new config file (the backed-up config can be used as an example):

# nano /etc/freeradius/clients.conf

client 192.168.188.0/24 {
    secret = passwd # shared secret the clients use to connect
}

Then create a users file:

# touch /etc/freeradius/users

Edit the file, telling radius that we use perl for authentication:

# nano /etc/freeradius/users

DEFAULT Auth-type := perl

Then edit the file /etc/freeradius/modules/perl

# nano /etc/freeradius/modules/perl

We need to point the module section at the linotp perl script:

perl {
    ...
    module = /usr/lib/linotp/radius_linotp.pm
    ...
}

Then we create the file in which we tell it where (domain, database or file) to take the user data from.

# touch /etc/linotp2/rlm_perl.ini

# nano /etc/linotp2/rlm_perl.ini

URL=https://<IP_of_your_LinOTP_server>(192.168.X.X)/validate/simplecheck
REALM=webusers1c
RESCONF=LocalUser
Debug=True
SSL_CHECK=False

I will go into a bit more detail here because this is important.

Full description of the file with comments:
# IP of the linOTP server (the IP address of our LinOTP server)
URL=https://172.17.14.103/validate/simplecheck
# Our realm, which we create in the LinOTP web interface
REALM=rearm1
# The name of the user group (resolver) created in the LinOTP web interface
RESCONF=<resolver_name>
# optional: report whether everything is fine
Debug=True
# optional: use True if you have proper certificates, otherwise say False (SSL check for when we generate our own certificate and want to verify it)
SSL_CHECK=False
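Because the radius module simply forwards what it reads from this file, a typo in REALM or RESCONF, an http URL, or SSL_CHECK=False left over from testing silently weakens the whole chain. The following added example (not part of the original article or of LinOTP) parses the key=value layout shown above and reports such findings; the sample file embedded in it is constructed, and the `production` flag is an assumption of this example:

```python
"""Added example: sanity-check an rlm_perl.ini before FreeRADIUS uses it.
Assumes the file keeps the key=value layout used in the article."""
from urllib.parse import urlparse

# Constructed sample: self-signed certificate and debugging left on, which is
# acceptable for a first test but not for production.
SAMPLE_INI = """\
# IP of the linOTP server
URL=https://172.17.14.103/validate/simplecheck
REALM=realm1
RESCONF=LocalUser
Debug=True
SSL_CHECK=False
"""


def parse_rlm_perl_ini(text):
    """Return a dict of the key=value lines, ignoring comments and blanks."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if "=" not in line:
            raise ValueError(f"not a key=value line: {raw!r}")
        key, _, value = line.partition("=")
        settings[key.strip()] = value.strip()
    return settings


def check_rlm_perl_ini(settings, production=False):
    """Return a list of findings; an empty list means the file looks sane.

    With production=True the SSL_CHECK finding becomes an error and Debug=True
    is reported as well, because it writes request details to the radius log.
    """
    findings = []
    for key in ("URL", "REALM", "RESCONF"):
        if not settings.get(key):
            findings.append(f"{key} is missing or empty")
    parsed = urlparse(settings.get("URL", ""))
    if parsed.scheme != "https":
        findings.append("URL must use https: PIN and OTP are otherwise sent in the clear")
    if not parsed.path.endswith("/validate/simplecheck"):
        findings.append("URL should end in /validate/simplecheck")
    if settings.get("SSL_CHECK", "").lower() == "false":
        level = "error" if production else "warning"
        findings.append(f"{level}: SSL_CHECK=False disables certificate validation")
    if production and settings.get("Debug", "").lower() == "true":
        findings.append("warning: Debug=True logs request details to the radius log")
    return findings


if __name__ == "__main__":
    for finding in check_rlm_perl_ini(parse_rlm_perl_ini(SAMPLE_INI), production=True):
        print(finding)
```

Run it against the real file with `parse_rlm_perl_ini(open("/etc/linotp2/rlm_perl.ini").read())` once the server has a proper certificate; the point of the `production` flag is that SSL_CHECK=False is tolerable while you test with the self-signed certificate the installer generated, but it lets anyone on the path between FreeRADIUS and LinOTP impersonate the LinOTP server afterwards.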

Then create the file /etc/freeradius/sites-available/linotp

# touch /etc/freeradius/sites-available/linotp

# nano /etc/freeradius/sites-available/linotp

And paste the following config into it (nothing needs to be edited):

authorize {
    # normalizes malformed client requests before handing them on to other modules (see '/etc/freeradius/modules/preprocess')
    preprocess
    #  If you are using multiple kinds of realms, you probably
    #  want to set "ignore_null = yes" for all of them.
    #  Otherwise, when the first style of realm doesn't match,
    #  the other styles won't be checked.
    # allows a list of realms (see '/etc/freeradius/modules/realm')
    IPASS
    # understands something like USER@REALM and can tell the components apart (see '/etc/freeradius/modules/realm')
    suffix
    # understands USER\REALM and can tell the components apart (see '/etc/freeradius/modules/realm')
    ntdomain
    #  Read the 'users' file to learn about special configuration which should be applied for
    #  certain users (see '/etc/freeradius/modules/files')
    files
    # allows authentication to expire (see '/etc/freeradius/modules/expiration')
    expiration
    # allows to define valid service times (see '/etc/freeradius/modules/logintime')
    logintime
    # We got no radius_shortname_map!
    pap
}
# here the linotp perl module is called for further processing
authenticate {
    perl
}

Then we create a symlink:

# ln -s ../sites-available/linotp /etc/freeradius/sites-enabled

Personally, I remove the default Radius sites, but if you need them you can edit their config or disable them.

# rm /etc/freeradius/sites-enabled/default

# rm /etc/freeradius/sites-enabled/inner-tunnel

# service freeradius reload

Now let's go back to the web interface and look at it in more detail:
In the top right corner click LinOTP Config -> UserIdResolvers -> New
We choose what we want: LDAP (AD win, LDAP samba), or SQL, or the local system users (Flatfile).

Fill in the required fields.

Then we create a REALM:
In the top right corner, click LinOTP Config -> Realms -> New.
Give our REALM a name, and also tick the UserIdResolvers created earlier.

FreeRadius needs all of this data in the file /etc/linotp2/rlm_perl.ini, as I wrote above, so if you did not edit it then, do it now.

The server is now fully configured.

Addition:

Setting up LinOTP on Debian 9:

Installation:

# echo 'deb http://linotp.org/apt/debian stretch linotp' > /etc/apt/sources.list.d/linotp.list 
# apt-get install dirmngr

# apt-key adv --recv-keys 913DFF12F86258E5
# apt-get update

# apt-get install mysql-server

(by default, mysql (mariaDB) on Debian 9 does not offer to set a password; of course you can leave it that way, but if you read the news, this regularly leads to "epic fails", so we set one anyway)

# mysql -u root -p
use mysql;
UPDATE user SET Password = PASSWORD('password_here') WHERE User = 'root';
exit
# apt-get install linotp
# apt-get install linotp-adminclient-cli
# apt-get install python-ldap
# apt install freeradius
# nano /etc/freeradius/3.0/sites-enabled/linotp

Paste in the following config (sent by JuriM, thanks to him for that!):

server linotp {
    listen {
        ipaddr = *
        port = 1812
        type = auth
    }
    listen {
        ipaddr = *
        port = 1813
        type = acct
    }
    authorize {
        preprocess
        update {
            &control:Auth-Type := Perl
        }
    }
    authenticate {
        Auth-Type Perl {
            perl
        }
    }
    accounting {
        unix
    }
}

Edit /etc/freeradius/3.0/mods-enabled/perl

perl {
    filename = /usr/share/linotp/radius_linotp.pm
    func_authenticate = authenticate
    func_authorize = authorize
}

Unfortunately, on Debian 9 the radius_linotp.pm library is not installed from the repositories, so we take it from github.

# apt install git
# git clone https://github.com/LinOTP/linotp-auth-freeradius-perl
# cd linotp-auth-freeradius-perl/
# cp radius_linotp.pm /usr/share/linotp/radius_linotp.pm

Now edit /etc/freeradius/3.0/clients.conf

client localnet { # the section name is arbitrary
    ipaddr = 192.168.188.0/24
    secret = your_password
}

Now edit /etc/linotp2/rlm_perl.ini with nano

We paste the same contents there as for the Debian 8 setup (described above).

That is all, in theory. (not tested)

Below I leave some links on setting up systems that need to be protected with two-factor authentication:
Setting up two-factor authentication in Apache2

Setup with Cisco ASA (a different token server is used there, but the settings on the ASA itself are the same).

VPN with two-factor authentication

Setting up two-factor authentication on ssh (LinOTP is used there) - thanks to the author. There you will also find interesting things about setting up LinOTP policies.

Also, the cms of many sites support two-factor authentication (for WordPress, LinOTP even has its own special module on github), for example if you want to make a secure section on your corporate site for company employees.
IMPORTANT! DO NOT tick the "Google authentificator" box in order to use Google Authenticator! The QR code then becomes unreadable ... (a strange thing)

Information from the following articles was used in writing this article:
itnan.ru/post.php?c=1&p=270571
www.digitalbears.net/?p=469

Thanks to the authors.

Source: www.habr.com
