LinOTP two-factor authentication server

Today I want to tell you how to set up a two-factor authentication server to protect the corporate network, sites, services and ssh. The server will run the following combination: LinOTP + FreeRadius.

Why do we need it?
It is a free, simple solution, hosted inside your own network and independent of third-party providers.

This service is very simple and visually clear, unlike other open-source products, and it also supports a huge number of functions and policies (e.g. login + password + (PIN + OTPToken)). Through its API it integrates with SMS sending services (LinOTP Config -> Provider Config -> SMS Provider), generates codes for mobile applications such as Google Authenticator, and more. I find it more convenient than the service discussed in the linked Article.

This server works great with Cisco ASA, OpenVPN server, Apache2, and in general with almost everything that supports authentication against a RADIUS server (e.g. for SSH in a data center).

Required:

1) Debian 8 (jessie) - a must! (an experimental setup on Debian 9 is described at the end of the article)

Let's begin:

Install Debian 8.

Add the LinOTP repository:

# echo 'deb http://www.linotp.org/apt/debian jessie linotp' > /etc/apt/sources.list.d/linotp.list

Add the key:

# gpg --search-keys 913DFF12F86258E5

Sometimes during a "clean" installation, after running this command, Debian reports:

gpg: создан каталог `/root/.gnupg'
gpg: создан новый файл настроек `/root/.gnupg/gpg.conf'
gpg: ВНИМАНИЕ: параметры в `/root/.gnupg/gpg.conf' еще не активны при этом запуске
gpg: создана таблица ключей `/root/.gnupg/secring.gpg'
gpg: создана таблица ключей `/root/.gnupg/pubring.gpg'
gpg: не заданы серверы ключей (используйте --keyserver)
gpg: сбой при поиске на сервере ключей: плохой URI

This is the initial gnupg setup. OK. Just run the command again.
Debian then asks:

gpg: поиск "913DFF12F86258E5" на hkp сервере keys.gnupg.net
(1)	LSE LinOTP2 Packaging <[email protected]>
	  2048 bit RSA key F86258E5, создан: 2010-05-10
Keys 1-1 of 1 for "913DFF12F86258E5".  Введите числа, N) Следующий или Q) Выход>

We answer: 1

Next:

# gpg --export 913DFF12F86258E5 | apt-key add -

# apt-get update

Install mysql. In principle you could use another SQL server, but for simplicity I will use the one recommended for LinOTP.

(More information, including on setting up the LinOTP database, can be found in the official documentation at the link. There you can also find the command dpkg-reconfigure linotp, which changes the settings if you already had mysql installed).

# apt-get install mysql-server

# apt-get update

(It doesn't hurt to check for updates once more)
Install LinOTP and additional modules:

# apt-get install linotp

We answer the installer's questions:
Use Apache2: yes
Create a password for the Linotp admin: "YourPassword"
Generate a self-signed certificate?: yes
Use MySQL?: yes
Where is the database located: localhost
Create the LinOTP database (schema name) on the server: LinOTP2
Create a separate user for the database: LinOTP2
Set the password for that user: "YourPassword"
Should I create the database now? (something like "Are you sure you want to..."): yes
Enter the MySQL root password that you created when installing it: "YourPassword"
Done.

(optional, you don't have to install it)

# apt-get install linotp-adminclient-cli

(optional, you don't have to install it)

# apt-get install libpam-linotp

And so our Linotp web interface is now available at:

https://<LinOTP server IP>/manage

I will talk about the settings in the web interface a bit later.

Now the most important part! We set up FreeRadius and connect it to Linotp.

Install FreeRadius and the module for working with LinOTP

# apt-get install freeradius linotp-freeradius-perl

Back up the clients and users configs.

# mv /etc/freeradius/clients.conf  /etc/freeradius/clients.old

# mv /etc/freeradius/users  /etc/freeradius/users.old

Create an empty clients file:

# touch /etc/freeradius/clients.conf

Edit our new config file (the backed-up config can be used as an example)

# nano /etc/freeradius/clients.conf

client 192.168.188.0/24 {
secret  = passwd # shared secret the RADIUS clients connect with
}

Next, create the users file:

# touch /etc/freeradius/users

Edit the file, specifying the module we will use for authentication: perl.

# nano /etc/freeradius/users

DEFAULT Auth-type := perl

Next, edit the file /etc/freeradius/modules/perl

# nano /etc/freeradius/modules/perl

We need to specify the path to the linotp perl script in the module parameter:

perl {
    ...
    module = /usr/lib/linotp/radius_linotp.pm
    ...
}

Next, we create the file in which we tell it where (domain, database or file) to take the users from.

# touch /etc/linotp2/rlm_perl.ini

# nano /etc/linotp2/rlm_perl.ini

URL=https://IP_вашего_LinOTP_сервера(192.168.X.X)/validate/simplecheck
REALM=webusers1c
RESCONF=LocalUser
Debug=True
SSL_CHECK=False

I will dwell on this in a bit more detail, since it is important:

Full description of the file, with comments:
# IP of the linOTP server (IP address of our LinOTP server)
URL=https://172.17.14.103/validate/simplecheck
# Our realm, which we will create in the LinOTP web interface.
REALM=1
# Name of the user group (UserIdResolver) created in the LinOTP web interface.
RESCONF=flat_file
# optional: comment out once everything seems to work fine
Debug=True
# optional: use this if you have a self-signed certificate, otherwise comment it out (SSL check, for when we generated our own certificate and want to test it)
SSL_CHECK=False
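As an added example (not part of the original article), here is a small POSIX shell lint for rlm_perl.ini that catches the mistakes that are easiest to make in this file: a URL that is missing, uses plain http, or does not end in /validate/simplecheck, and an empty REALM or RESCONF. It also warns when Debug=True or SSL_CHECK=False are still set. The key names are the ones from the article; the file path, the function names and the sample file in the usage note are assumptions.

```shell
#!/bin/sh
# Added example, not from the original article: lint /etc/linotp2/rlm_perl.ini
# before reloading FreeRADIUS. Key names and values follow the article; the
# file path is passed as the first argument.

# Print the value of key $2 from file $1, tolerating "KEY = value" spacing
# (the article writes both "REALM=..." and "REALM = ...").
ini_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" \
        | head -n 1 | sed 's/[[:space:]]*$//'
}

# Return 0 if the file can work with the LinOTP perl module, 1 otherwise.
# Debug/SSL_CHECK only produce warnings on stderr; they do not fail the check.
check_rlm_perl_ini() {
    f="$1"
    rc=0
    url=$(ini_get "$f" URL)
    realm=$(ini_get "$f" REALM)
    resconf=$(ini_get "$f" RESCONF)

    case "$url" in
        https://*/validate/simplecheck) ;;
        http://*)
            echo "ERROR: URL uses plain http; PIN+OTP would cross the network unencrypted" >&2
            rc=1 ;;
        *)
            echo "ERROR: URL missing or not a /validate/simplecheck endpoint: '$url'" >&2
            rc=1 ;;
    esac
    [ -n "$realm" ] || { echo "ERROR: REALM is empty (must match a realm created in the LinOTP web UI)" >&2; rc=1; }
    [ -n "$resconf" ] || { echo "ERROR: RESCONF is empty (must match a UserIdResolver name)" >&2; rc=1; }
    [ "$(ini_get "$f" SSL_CHECK)" = "False" ] \
        && echo "WARN: SSL_CHECK=False skips certificate verification; keep it only for a self-signed test setup" >&2
    [ "$(ini_get "$f" Debug)" = "True" ] \
        && echo "WARN: Debug=True; switch it off once things work so request details do not pile up in the logs" >&2
    return $rc
}

# Stand-alone use: sh lint_rlm_perl.sh /etc/linotp2/rlm_perl.ini
if [ -n "$1" ]; then
    check_rlm_perl_ini "$1"
fi
```

Run it as `sh lint_rlm_perl.sh /etc/linotp2/rlm_perl.ini` before `service freeradius reload`: a non-zero exit means the perl module cannot validate anything, because it either cannot reach LinOTP or asks for a realm/resolver that does not exist.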

Next, create the file /etc/freeradius/sites-available/linotp

# touch /etc/freeradius/sites-available/linotp

# nano /etc/freeradius/sites-available/linotp

And copy the config into it (nothing needs to be changed):

authorize {
#normalizes malformed client requests before they are handed on to other modules (see '/etc/freeradius/modules/preprocess')
preprocess
#  If you are using multiple kinds of realms, you probably
#  want to set "ignore_null = yes" for all of them.
#  Otherwise, when the first style of realm doesn't match,
#  the other styles won't be checked.
#allows a list of realms (see '/etc/freeradius/modules/realm')
IPASS
#understands something like USER@REALM and can tell the components apart (see '/etc/freeradius/modules/realm')
suffix
#understands DOMAIN\USER and can tell the components apart (see '/etc/freeradius/modules/realm')
ntdomain
#  Read the 'users' file to learn about special configuration which should be applied for
#  certain users (see '/etc/freeradius/modules/files')
files
# allows authentication to expire (see '/etc/freeradius/modules/expiration')
expiration
# allows to define valid service-times (see '/etc/freeradius/modules/logintime')
logintime
# We got no radius_shortname_map!
pap
}
#here the linotp perl module is called for further processing
authenticate {
perl
}

Next, we create a symbolic link:

# ln -s ../sites-available/linotp /etc/freeradius/sites-enabled

Personally, I delete the default Radius sites, but if you need them, you can either edit their configs or disable them.

# rm /etc/freeradius/sites-enabled/default

# rm /etc/freeradius/sites-enabled/inner-tunnel

# service freeradius reload

Now let's go back to the web interface and look at it in a bit more detail:
In the upper right corner click LinOTP Config -> UserIdResolvers -> New
We choose what we need: LDAP (AD win, LDAP samba), or SQL, or local system users from a Flatfile.

Fill in the required fields.

Next we create REALMS:
In the upper right corner, click LinOTP Config -> Realms -> New.
and give our REALMS a name, and also click on the previously created UserIdResolvers.

FreeRadius needs all of this data in the /etc/linotp2/rlm_perl.ini file, as I wrote above, so if you have not edited it yet, do it now.

The server is fully configured.
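As an added example, not code from the article or from the LinOTP project, the script below does two checks a practitioner would want once the server is configured: it extracts every shared secret from clients.conf and rejects short or placeholder values (the article's sample `secret = passwd` would be rejected), and it wraps radtest from freeradius-utils so an end-to-end Access-Accept can be confirmed with PIN+OTP as the password. The function names, the 16-character threshold and the user/PIN/OTP values are assumptions.

```shell
#!/bin/sh
# Added example, not from the original article or the LinOTP project: two checks
# to run after "service freeradius reload". Paths, the secret length threshold
# and the sample user/PIN/OTP values are assumptions.

# Print every "secret = ..." value from a clients.conf, with trailing comments
# and whitespace stripped (works for the FreeRADIUS 2 and 3 layouts).
client_secrets() {
    sed -n 's/^[[:space:]]*secret[[:space:]]*=[[:space:]]*//p' "$1" \
        | sed 's/[[:space:]]*#.*$//; s/[[:space:]]*$//'
}

# Return 0 when every shared secret is at least $2 characters (default 16) and
# is not a well-known placeholder. The secret is all that protects the RADIUS
# exchange carrying PIN+OTP, so "passwd" from the article must not survive.
check_client_secrets() {
    f="$1"
    min="${2:-16}"
    weak=$(client_secrets "$f" | awk -v min="$min" '
        length($0) < min ||
        tolower($0) ~ /^(passwd|password|secret|testing123|changeme|your[ _]?password)$/ { print }')
    if [ -n "$weak" ]; then
        printf 'ERROR: weak RADIUS shared secret(s) in %s:\n%s\n' "$f" "$weak" >&2
        return 1
    fi
    return 0
}

# End-to-end probe: one PAP request through the local FreeRADIUS to LinOTP.
# The password is the PIN followed by the current OTP, exactly as users type it.
# Usage: radius_probe USER PIN OTP SECRET   (returns 0 on Access-Accept)
# Note: 127.0.0.1 must itself be listed as a client in clients.conf.
radius_probe() {
    command -v radtest >/dev/null 2>&1 \
        || { echo "radtest not found: apt-get install freeradius-utils" >&2; return 2; }
    radtest "$1" "$2$3" 127.0.0.1 0 "$4" | grep -q 'Access-Accept'
}

# Stand-alone use: sh check_radius.sh /etc/freeradius/clients.conf
if [ -n "$1" ]; then
    check_client_secrets "$1"
fi
```

The article's clients.conf only lists 192.168.188.0/24, so for the probe to work from the server itself a `client localhost { ipaddr = 127.0.0.1 ... }` entry with its own secret has to be added first; `radtest testuser 1234 567890 <secret>` is then the quickest way to see whether the whole chain (FreeRADIUS -> rlm_perl -> LinOTP /validate/simplecheck) answers Access-Accept for a real token.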

Addition:

Setting up LinOTP on Debian 9:

Installation:

# echo 'deb http://linotp.org/apt/debian stretch linotp' > /etc/apt/sources.list.d/linotp.list 
# apt-get install dirmngr

# apt-key adv --recv-keys 913DFF12F86258E5
# apt-get update

# apt-get install mysql-server

(by default, mysql (mariaDB) in Debian 9 does not prompt to set a root password; of course you can leave it empty, but if you follow the news, this regularly leads to an "epic fail", so we will set it anyway)

# mysql -u root -p
use mysql;
UPDATE user SET Password = PASSWORD('тут_пароль') WHERE User = 'root';
exit
# apt-get install linotp
# apt-get install linotp-adminclient-cli
# apt-get install python-ldap
# apt install freeradius
# nano /etc/freeradius/3.0/sites-enabled/linotp

Paste in the code (sent by JuriM, thanks to him!):

server linotp {
    listen {
        ipaddr = *
        port = 1812
        type = auth
    }
    listen {
        ipaddr = *
        port = 1813
        type = acct
    }
    authorize {
        preprocess
        update {
            &control:Auth-Type := Perl
        }
    }
    authenticate {
        Auth-Type Perl {
            perl
        }
    }
    accounting {
        unix
    }
}

Correct /etc/freeradius/3.0/mods-enabled/perl

perl {
    filename = /usr/share/linotp/radius_linotp.pm
    func_authenticate = authenticate
    func_authorize = authorize
}

Unfortunately, in Debian 9 the radius_linotp.pm library is not installed from the repositories, so we take it from github.

# apt install git
# git clone https://github.com/LinOTP/linotp-auth-freeradius-perl
# cd linotp-auth-freeradius-perl/
# cp radius_linotp.pm /usr/share/linotp/radius_linotp.pm

now let's edit /etc/freeradius/3.0/clients.conf

# "localnet" is just the label for this client block; FreeRADIUS 3 requires one
client localnet {
    ipaddr = 192.168.188.0/24
    secret = your_password
}

Now let's edit /etc/linotp2/rlm_perl.ini with nano

We paste in the same contents as when installing on debian 8 (see the example above)

that's all, in theory. (not tested)

Below I leave a few links on setting up the systems that most often need to be protected with two-factor authentication:
Setting up two-factor authentication in Apache2

Setting up with Cisco ASA (a different token generation server is used there, but the settings on the ASA itself are the same).

VPN with two-factor authentication

Setting up two-factor authentication in ssh (LinOTP is also used there) - thanks to the author. There you can also find interesting material on setting up LinOTP policies.

Also, the CMS of many sites supports two-factor authentication (for WordPress, LinOTP even has its own special module on github), for example if you want to make a protected section of your corporate site for company employees.
IMPORTANT! Do not tick the "Google authenticator" box when using Google Authenticator! The QR code then cannot be read... (the specifics differ)

To write this article, material from the following articles was used:
itnan.ru/post.php?c=1&p=270571
www.digitalbears.net/?p=469

Thanks to the authors.

Source: www.hab.com