Freeradius + Google Authenticator + LDAP + Fortigate

What do you do when two-factor authentication is both wanted and painful, there is no money for hardware tokens, and the general advice is to hang in there and keep your spirits up?

This solution is nothing particularly original; rather, it is a mix of various solutions found on the Internet.

So, given:

An Active Directory domain.

Domain users working over VPN, as many do these days.

A Fortigate acting as the VPN gateway.

A security policy that forbids saving the password in the VPN client.

Fortinet's policy on its own tokens can only be called stingy: 10 of them are free, the rest come at a very unkosher price. I did not consider RSA SecurID, Duo and the like, because I want open source.

Prerequisites: a *nix host with freeradius installed, sssd joined to the domain, and domain users able to authenticate on it without trouble.

Additional packages: shellinabox, figlet, freeradius-ldap, and the rebel.tlf font from the repository https://github.com/xero/figlet-fonts.

In my example, CentOS 7.8.

The intended logic: when connecting to the VPN, the user enters the domain login and an OTP instead of the password.

Service configuration

In /etc/raddb/radiusd.conf only the user and group that freeradius runs as are changed, because the radiusd service has to read each user's ~/.google_authenticator in every home directory under /home/.

user = root
group = root

Running the daemon as root is the price of reading secrets out of home directories. If that is not acceptable, pam_google_authenticator also takes secret= and user= options that point it at a central secret directory owned by an unprivileged account, so radiusd can keep its own user.

To use groups in the Fortigate settings, a Vendor Specific Attribute has to be passed back. For that, in the raddb/policy.d directory I create a file with the following content:

group_authorization {
    # Membership in the LDAP group decides both the Fortinet VSA that is
    # returned and the Auth-Type; everyone else is rejected.
    # Reply-Message belongs in the reply list (not control), otherwise
    # the text never reaches the client.
    if (&LDAP-Group[*] == "CN=vpn_admins,OU=vpn-groups,DC=domain,DC=local") {
        update reply {
            &Fortinet-Group-Name = "vpn_admins"
            &Reply-Message := "Welcome Admin"
        }
        update control {
            &Auth-Type := PAM
        }
    }
    else {
        update reply {
            &Reply-Message := "Not authorized for vpn"
        }
        reject
    }
}

Installing freeradius-ldap creates the file ldap in raddb/mods-available.

A symlink to it has to be created in raddb/mods-enabled:

ln -s /etc/raddb/mods-available/ldap /etc/raddb/mods-enabled/ldap

I bring its contents to the following form:

ldap {
        # Plain LDAP to the domain controllers. A simple bind sends the
        # service account password in clear, so on a real deployment use
        # server = 'ldaps://domain.local' or a tls {} section.
        server = 'domain.local'
        # Read-only service account used to look up users and groups
        identity = 'CN=freerad_user,OU=users,DC=domain,DC=local'
        password = "SupeSecretP@ssword"
        base_dn = 'dc=domain,dc=local'
        sasl {
        }
        user {
                base_dn = "${..base_dn}"
                # Find the user by sAMAccountName, realm-stripped name first
                filter = "(sAMAccountname=%{%{Stripped-User-Name}:-%{User-Name}})"
                sasl {
                }
                scope = 'sub'
        }
        group {
                base_dn = "${..base_dn}"
                filter = '(objectClass=Group)'
                scope = 'sub'
                name_attribute = cn
                # Membership via the group's member attribute or the user's
                # memberOf; this is what the LDAP-Group comparison uses
                membership_filter = "(|(member=%{control:Ldap-UserDn})(memberUid=%{%{Stripped-User-Name}:-%{User-Name}}))"
                membership_attribute = 'memberOf'
        }
}

In the authorize section of raddb/sites-enabled/default and raddb/sites-enabled/inner-tunnel I add the name of the policy to be used, group_authorization. One important point: the policy name is not taken from the file name in policy.d, but from the word before the opening brace inside the file.
In the authenticate section of the same files, uncomment the pam line.

In clients.conf I describe the parameters the Fortigate will connect with:

client fortigate {
    ipaddr = 192.168.1.200
    # Shared secret; testing123 is the FreeRADIUS sample value. Use a long
    # random one in production and enter the same one on the Fortigate.
    secret = testing123
    require_message_authenticator = no
    nas_type = other
}

Configuration of the pam.d/radiusd module:

#%PAM-1.0
# Only the OTP is checked: pam_google_authenticator reads the RADIUS user's
# ~/.google_authenticator and, being "sufficient", ends the auth stack on a
# valid code. On a bad code the stack falls through to password-auth, which a
# six-digit string will not pass, so the net effect is OTP-only.
auth       sufficient   pam_google_authenticator.so
auth       include      password-auth
account    required     pam_nologin.so
account    include      password-auth
password   include      password-auth
session    include      password-auth

The default freeradius + google authenticator setup requires the user to enter credentials in the form: username / password+OTP.

Having pictured the amount of abuse that would land on my head with the default freeradius + Google Authenticator setup, I decided to configure the PAM module so that only the Google Authenticator token is checked.

When a user connects, the following happens:

  • Freeradius checks that the user is in the domain and in the required group and, if so, checks the OTP token.

Everything was fine until I thought: "How do I enroll OTP for 300+ users?"

The user has to log in to the freeradius server and run the Google Authenticator utility under their own account, which generates the QR code for the app. This is where shellinabox together with .bash_profile comes to the rescue.

[root@freeradius ~]# yum install -y shellinabox

The daemon's configuration file is /etc/sysconfig/shellinabox.
I set port 443 there; you can also point it at your own certificate.

[root@freeradius ~]#systemctl enable --now shellinaboxd

The user only has to follow the link, enter their domain credentials and get the QR code for the app.

The algorithm is as follows:

  • The user logs in to the machine through the browser.
  • It is checked whether this is a domain user. If not, nothing is done.
  • If it is a domain user, membership in the admins group is checked.
  • If not an admin, check whether Google Authenticator is already set up. If not, generate the QR code and log the user out.
  • If not an admin and Google Authenticator is already set up, just log out.
  • If an admin, also check Google Authenticator. If it is not set up, generate the QR code.

All of this logic lives in /etc/skel/.bash_profile. Note that trimming PATH in .bash_profile is a convenience, not a security boundary: anyone who reaches an interactive shell can still run binaries by absolute path, so nothing on the server should rely on it.

cat /etc/skel/.bash_profile

# .bash_profile

# Get the aliases and functions
if [ -f ~/.bashrc ]; then
        . ~/.bashrc
fi

# User specific environment and startup programs
# Make only a handful of commands available from the user shell.
# "id $USER | grep admins" is a substring match, so it also fires for any
# group whose name contains "admins". Domain (sssd) accounts have no
# /etc/passwd entry, which is how local users are told apart from domain
# users here; the anchored grep avoids matching another user's line.

if [[ -z $(id $USER | grep "admins") || -z $(grep "^$USER:" /etc/passwd) ]]
  then
    [[ ! -d $HOME/bin ]] && mkdir $HOME/bin
    [[ ! -f $HOME/bin/id ]] && ln -s /usr/bin/id $HOME/bin/id
    [[ ! -f $HOME/bin/google-auth ]] && ln -s /usr/bin/google-authenticator $HOME/bin/google-auth
    [[ ! -f $HOME/bin/grep ]] && ln -s /usr/bin/grep $HOME/bin/grep
    [[ ! -f $HOME/bin/figlet ]] && ln -s /usr/bin/figlet $HOME/bin/figlet
    [[ ! -f $HOME/bin/rebel.tlf ]] && ln -s /usr/share/figlet/rebel.tlf $HOME/bin/rebel.tlf
    [[ ! -f $HOME/bin/sleep ]] && ln -s /usr/bin/sleep $HOME/bin/sleep
  # Set PATH env to <home user directory>/bin
    PATH=$HOME/bin
    export PATH
  else
    PATH=$PATH:$HOME/.local/bin:$HOME/bin
    export PATH
fi


if [[ -n $(id $USER | grep "domain users") ]]
  then
    if [[ ! -e $HOME/.google_authenticator ]]
      then
        figlet -t -f $HOME/bin/rebel.tlf "Welcome to Company GAuth setup portal"
        sleep 1.5
        echo "Please, run any of these software on your device, where you would like to setup OTP:
Google Authenticator:
AppStore - https://apps.apple.com/us/app/google-authenticator/id388497605
Play Market - https://play.google.com/store/apps/details?id=com.google.android.apps.authenticator2&hl=en
FreeOTP:
AppStore - https://apps.apple.com/us/app/freeotp-authenticator/id872559395
Play Market - https://play.google.com/store/apps/details?id=org.fedorahosted.freeotp&hl=en

And prepare to scan QR code.

"
        sleep 5
        # -f write the secret without asking, -t TOTP, -w 3 accept the current
        # code plus one step either side, -r 3 -R 30 at most 3 attempts per
        # 30 s, -d no code reuse, -e 1 one emergency scratch code
        google-auth -f -t -w 3 -r 3 -R 30 -d -e 1
        echo "Congratulations, now you can use an OTP token from application as a password connecting to VPN."
        # Admins keep their shell; everybody else is logged out after enrollment
        if [[ -z $(id $USER | grep "admins") ]]
          then
          logout
        fi
      else
        echo "You have already setup a Google Authenticator"
        if [[ -z $(id $USER | grep "admins") ]]
          then
          logout
        fi
    fi
  else
    echo "You don't need to set up a Google Authenticator"
fi
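Two things on this page are easier to reason about with the arithmetic in front of you: what pam_google_authenticator verifies against the first line of ~/.google_authenticator (the base32 secret that google-auth -t writes), and what the -w 3 window above actually tolerates. The script below recomputes RFC 6238 TOTP codes in bash with nothing but openssl. It is an added example, not code from the article; the function names and the secret-file argument are mine, and the only external dependency is a working openssl binary.

```bash
#!/usr/bin/env bash
# Added example, not from the article: recompute RFC 6238 TOTP codes the way
# pam_google_authenticator checks them (SHA-1, 6 digits, 30 s step), using
# only bash and openssl. The secret is the base32 string on the first line of
# the ~/.google_authenticator file that "google-auth -t" writes.

# Decode an RFC 4648 base32 string (padding optional) to lowercase hex.
base32_to_hex() {
    local alphabet='ABCDEFGHIJKLMNOPQRSTUVWXYZ234567'
    local str c idx i k group bits='' hex=''
    str=$(printf '%s' "$1" | tr 'a-z' 'A-Z' | tr -d '= ')
    for (( i = 0; i < ${#str}; i++ )); do
        c=${str:i:1}
        idx=${alphabet%%"$c"*}; idx=${#idx}
        (( idx < 32 )) || return 1                # not a base32 character
        group=''
        for (( k = 4; k >= 0; k-- )); do group+=$(( (idx >> k) & 1 )); done
        bits+=$group                              # 5 bits per character
    done
    while (( ${#bits} >= 8 )); do                 # leftover bits are padding
        printf -v hex '%s%02x' "$hex" "$(( 2#${bits:0:8} ))"
        bits=${bits:8}
    done
    printf '%s' "$hex"
}

# HOTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter,
# dynamic truncation, then the low <digits> decimal digits.
hotp() {                          # hotp <hex key> <counter> [digits]
    local hexkey=$1 counter=$2 digits=${3:-6}
    local i msg='' mac off bin
    for (( i = 7; i >= 0; i-- )); do
        msg+=$(printf '\\x%02x' "$(( (counter >> (8 * i)) & 0xff ))")
    done
    mac=$(printf '%b' "$msg" | openssl dgst -sha1 -mac HMAC -macopt "hexkey:$hexkey" | awk '{print $NF}')
    off=$(( 16#${mac:39:1} ))                     # low nibble of the last byte
    bin=$(( 16#${mac:off*2:8} & 0x7fffffff ))     # 31-bit value at that offset
    printf "%0${digits}d" "$(( bin % (10 ** digits) ))"
}

# TOTP (RFC 6238): HOTP with counter = floor(unix_time / step).
totp() {                          # totp <base32 secret> [unix time] [step]
    local secret=$1 now=${2:-$(date +%s)} step=${3:-30} hexkey
    hexkey=$(base32_to_hex "$secret") || return 1
    hotp "$hexkey" "$(( now / step ))"
}

# Accept a code if it matches any step within +/-window of now. A window of 1
# (three codes) is what google-authenticator's default "-w 3" amounts to.
totp_verify() {                   # totp_verify <base32 secret> <code> [unix time] [window]
    local secret=$1 code=$2 now=${3:-$(date +%s)} window=${4:-1} i
    for (( i = -window; i <= window; i++ )); do
        [ "$(totp "$secret" "$(( now + i * 30 ))")" = "$code" ] && return 0
    done
    return 1
}

# Usage: totp_check.sh /home/jdoe/.google_authenticator
# Prints the code the user's app should be showing right now.
if [ -n "${1:-}" ]; then
    totp "$(head -n 1 -- "$1")" && echo
fi
```

Run it with the path to a user's .google_authenticator file and compare with the phone: a matching code confirms the secret on the server and in the app agree, while a code that is consistently one step off points at clock skew, which is exactly what the window in -w 3 absorbs. The functions are checked against the RFC 4226/6238 test vectors (secret 12345678901234567890, base32 GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ).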

Fortigate configuration:

  • Create the RADIUS server.
  • Create the required groups, if access control by group is needed. The group name on the Fortigate must match the group passed in the Fortinet-Group-Name Vendor Specific Attribute.
  • Edit the required SSL portals.
  • Add the group to the policies.

Advantages of this solution:

  • OTP authentication on the Fortigate with an open-source solution.
  • The user does not type the domain password when connecting over VPN, which makes connecting somewhat easier. A six-digit code is easier to type than a password that satisfies the security policy, so the number of tickets titled "I can't connect to the VPN" goes down.

PS We plan to develop this solution into full two-factor authentication with challenge-response.

update:

As promised, I have added the challenge-response option.
So:
In /etc/raddb/sites-enabled/default the authorize section now looks like this:

authorize {
    filter_username
    preprocess
    auth_log
    chap
    mschap
    suffix
    eap {
        ok = return
    }
    files
    -sql
    #-ldap
    expiration
    logintime
    if (!State) {
        if (&User-Password) {
            # First round trip, PAP: no State yet, so verify the domain
            # password with a direct LDAP bind as the user. The lookup module
            # is disabled above, so the bind name is the bare User-Name, which
            # AD accepts as an account name.
            update control {
                Ldap-UserDN := "%{User-Name}"
                Auth-Type := LDAP
            }
        }
        else {
            # No User-Password (CHAP/MS-CHAP) means nothing to bind with;
            # the Fortigate must therefore talk PAP to this server.
            reject
        }
    }
    else {
        # Second round trip: the client echoed our State, so User-Password
        # now carries the OTP. Group check and Auth-Type := PAM happen here.
        group_authorization
    }
    pap
}

The authenticate section now looks like this:

authenticate {
        Auth-Type PAP {
                pap
        }
        Auth-Type CHAP {
                chap
        }
        Auth-Type MS-CHAP {
                mschap
        }
        mschap
        digest
        # First round trip: verify the domain password with a direct LDAP bind
        Auth-Type LDAP {
                ldap
                if (ok) {
                        update reply {
                                # Random State the client must echo back,
                                # plus the prompt shown in the VPN client
                                State := "%{randstr:aaaaaaaaaaaaaaaa}"
                                Reply-Message := "Please enter OTP"
                        }
                        # Return Access-Challenge instead of Access-Accept
                        challenge
                }
        }
        # Second round trip (Auth-Type := PAM from group_authorization):
        # pam_google_authenticator checks the OTP carried in User-Password
        pam
        eap
}

User authentication now follows this algorithm:

  • The user enters the domain credentials in the VPN client.
  • Freeradius checks that the account and password are valid.
  • If the password is correct, a request for the token is sent back.
  • The token is checked.
  • Profit :)
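Before pointing the Fortigate at the server, it is worth driving both round trips by hand with radclient from freeradius-utils, since radtest only ever sends a single Access-Request and cannot answer the Access-Challenge. The script below does that; it is an added example, not part of the original article. The host, shared secret and the account jdoe are assumptions to adjust to your setup, and the two radclient transcripts embedded in it are constructed samples that only exercise the parsing, not output captured from a real server.

```bash
#!/usr/bin/env bash
# Added example (not from the article): exercise the challenge-response flow
# against FreeRADIUS with radclient, sending the same two Access-Requests the
# Fortigate will. Host, secret and account names below are assumptions.

RADIUS_HOST=${RADIUS_HOST:-127.0.0.1}
RADIUS_SECRET=${RADIUS_SECRET:-testing123}

# Type of the packet that came back, from radclient's
# "Received Access-Challenge Id 12 from ..." line.
packet_type() {                    # packet_type <radclient output>
    printf '%s\n' "$1" | awk '$1 == "Received" { print $2; exit }'
}

# Value of one attribute in radclient -x output (first match), quotes removed.
attr_value() {                     # attr_value <Attribute-Name> <radclient output>
    printf '%s\n' "$2" | awk -v a="$1" '
        $1 == a && $2 == "=" { sub(/^[^=]*= */, ""); gsub(/"/, ""); print; exit }'
}

# Send one Access-Request built from "Attribute = value" lines on stdin.
send_request() {
    radclient -x "$RADIUS_HOST" auth "$RADIUS_SECRET" 2>&1
}

# Full login: domain password first, then the OTP together with the echoed
# State. Prints the Fortinet-Group-Name from the Access-Accept on success.
radius_login() {                   # radius_login <user> <domain-password> <otp>
    local user=$1 pass=$2 otp=$3 out state
    out=$(printf 'User-Name = "%s"\nUser-Password = "%s"\n' "$user" "$pass" | send_request)
    if [ "$(packet_type "$out")" != "Access-Challenge" ]; then
        echo "expected Access-Challenge, got:" "$out" >&2
        return 1
    fi
    state=$(attr_value State "$out")
    out=$(printf 'User-Name = "%s"\nUser-Password = "%s"\nState = %s\n' "$user" "$otp" "$state" | send_request)
    if [ "$(packet_type "$out")" != "Access-Accept" ]; then
        echo "expected Access-Accept, got:" "$out" >&2
        return 1
    fi
    attr_value Fortinet-Group-Name "$out"
}

# Constructed samples of what radclient -x prints for the two round trips
# (attribute lines indented as radclient does), used to check the parsing
# above without a live server. Not real captures.
SAMPLE_CHALLENGE='Sent Access-Request Id 12 from 0.0.0.0:40001 to 127.0.0.1:1812 length 44
    User-Name = "jdoe"
    User-Password = "Correct-Domain-Pass"
Received Access-Challenge Id 12 from 127.0.0.1:1812 to 127.0.0.1:40001 length 56
    State = 0x61616161616161616161616161616161
    Reply-Message = "Please enter OTP"'

SAMPLE_ACCEPT='Sent Access-Request Id 13 from 0.0.0.0:40002 to 127.0.0.1:1812 length 62
    User-Name = "jdoe"
    User-Password = "123456"
    State = 0x61616161616161616161616161616161
Received Access-Accept Id 13 from 127.0.0.1:1812 to 127.0.0.1:40002 length 45
    Fortinet-Group-Name = "vpn_admins"
    Reply-Message = "Welcome Admin"'

# Live usage:  radius_login jdoe 'Correct-Domain-Pass' 123456   -> vpn_admins
```

The second request must carry the State verbatim and the OTP in User-Password, which is what the authorize section above keys on; an Access-Reject on the first step means the LDAP bind failed, one on the second step means the group check or pam_google_authenticator did.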

source: www.habr.com
