Hi, I want to share how to set up a two-factor authentication server to protect a corporate network, websites, services and ssh. The server will run the following combination: LinOTP + FreeRadius.
Why do we need it?
It is a completely free, convenient solution that lives inside your own network and does not depend on third-party providers.
The service is really good and visual, unlike other open-source products, and it supports a huge number of functions and policies (for example login + password + (PIN + OTPtoken)). Via its API it integrates with SMS sending services (LinOTP Config -> Provider Config -> SMS Provider) and generates codes for mobile apps such as Google Authenticator and many others. I think it is more convenient than the service discussed in
This server works well with Cisco ASA, OpenVPN server, Apache2, and in general with anything that supports authentication through a RADIUS server (for example, for SSH in a data center).
Required:
1) Debian 8 (jessie) - not necessarily! (a test installation on Debian 9 is described at the end of the article)
Let's start:
Install Debian 8.
Add the LinOTP repository:
# echo 'deb http://www.linotp.org/apt/debian jessie linotp' > /etc/apt/sources.list.d/linotp.list
Add the key:
# gpg --search-keys 913DFF12F86258E5
Sometimes, on a "clean" install, after running this command Debian prints:
gpg: создан каталог `/root/.gnupg'
gpg: создан новый файл настроек `/root/.gnupg/gpg.conf'
gpg: ВНИМАНИЕ: параметры в `/root/.gnupg/gpg.conf' еще не активны при этом запуске
gpg: создана таблица ключей `/root/.gnupg/secring.gpg'
gpg: создана таблица ключей `/root/.gnupg/pubring.gpg'
gpg: не заданы серверы ключей (используйте --keyserver)
gpg: сбой при поиске на сервере ключей: плохой URI
This is just gnupg's first-run setup. That's fine; simply run the command again.
To Debian's question:
gpg: поиск "913DFF12F86258E5" на hkp сервере keys.gnupg.net
(1) LSE LinOTP2 Packaging <[email protected]>
2048 bit RSA key F86258E5, создан: 2010-05-10
Keys 1-1 of 1 for "913DFF12F86258E5". Введите числа, N) Следующий или Q) Выход>
We answer: 1
Next:
# gpg --export 913DFF12F86258E5 | apt-key add -
# apt-get update
Install mysql. In theory you can use another SQL server, but for simplicity I will use the one recommended for LinOTP.
(more information, including reconfiguring the LinOTP database, can be found in the documentation for
# apt-get install mysql-server
# apt-get update
(it doesn't hurt to check for updates once more)
Install LinOTP and the additional modules:
# apt-get install linotp
We answer the installer's questions:
Use Apache2: yes
Create a password for the Linotp admin: "Your password"
Generate a self-signed certificate?: yes
Use MySQL?: yes
Where is the database located: localhost
Create the LinOTP database (base name) on the server: LinOTP2
Create a separate user for the database: LinOTP2
Set a password for that user: "Your password"
Should I create the database now? (something like "Are you sure you want to..."): yes
Enter the MySQL root password you created when installing it: "Your password"
Done.
(optional, you don't have to install it)
# apt-get install linotp-adminclient-cli
(optional, you don't have to install it)
# apt-get install libpam-linotp
So now our Linotp web interface is available at:
https://IP_сервера/manage
I'll come back to the settings in the web interface a little later.
Now the most important part! We bring up FreeRadius and link it with Linotp.
Install FreeRadius and the module for working with LinOTP
# apt-get install freeradius linotp-freeradius-perl
Back up the radius client and users configs.
# mv /etc/freeradius/clients.conf /etc/freeradius/clients.old
# mv /etc/freeradius/users /etc/freeradius/users.old
Create an empty clients file:
# touch /etc/freeradius/clients.conf
Edit our new config file (the supplied config can be used as an example)
# nano /etc/freeradius/clients.conf
client 192.168.188.0/24 {
    secret = passwd # password the clients use to connect
}
Next, create the users file:
# touch /etc/freeradius/users
Edit the file, telling radius that we will use perl for authentication.
# nano /etc/freeradius/users
DEFAULT Auth-type := perl
Next, edit the file /etc/freeradius/modules/perl
# nano /etc/freeradius/modules/perl
We need to specify the path to the linotp perl script in the module parameter:
perl {
    ...
    module = /usr/lib/linotp/radius_linotp.pm
    ...
}
Next, we create the file in which we tell the module where (realm, database or file) to fetch the user data from.
# touch /etc/linotp2/rlm_perl.ini
# nano /etc/linotp2/rlm_perl.ini
URL=https://IP_вашего_LinOTP_сервера(192.168.X.X)/validate/simplecheck
REALM=webusers1c
RESCONF=LocalUser
Debug=True
SSL_CHECK=False
I'll go into a little more detail here, because it matters:
Full description of the file, with explanations:
# IP of the linOTP server (the IP address of our LinOTP server)
URL=https://172.17.14.103/validate/simplecheck
# Our realm, which we will create in the LinOTP web interface
REALM=webusers1c
# Name of the user group created in the LinOTP web interface
RESCONF=flat_file
# optional: comment this out once everything seems to work fine
Debug=True
# optional: use this if you have self-signed certificates, otherwise comment it out (SSL if we generated our own certificate and want it verified)
SSL_CHECK=False
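Before wiring up RADIUS it is useful to see what these rlm_perl.ini values turn into on the wire. The following added example (my own, not part of the article or of LinOTP) calls /validate/simplecheck directly with the same realm and resolver names and interprets the reply; the parameter names user/pass/realm/resConf are an assumption about what the perl module sends, and the smiley reply codes are LinOTP's documented simplecheck protocol.

```python
import ssl
import urllib.parse
import urllib.request

# URL taken from the rlm_perl.ini above; realm and resolver names are passed in by the caller.
VALIDATE_URL = "https://172.17.14.103/validate/simplecheck"

def build_validate_body(user: str, pin_otp: str, realm: str, resconf: str) -> bytes:
    """Form body for /validate/simplecheck. The parameter names user/pass/realm/resConf are an
    assumption about the perl module; sending them as POST keeps the OTP out of URL access logs."""
    return urllib.parse.urlencode(
        [("user", user), ("pass", pin_otp), ("realm", realm), ("resConf", resconf)]).encode()

def parse_simplecheck(body: str) -> str:
    """simplecheck answers with a smiley rather than JSON: ':-)' accepted, ':-(' rejected,
    ':/' the server could not decide (unknown realm/resolver, database down). Anything else
    (an HTML error page, a proxy banner) must count as a failure, never as success."""
    return {":-)": "accept", ":-(": "reject", ":/": "error"}.get(body.strip(), "unexpected")

def tls_context(ssl_check: bool, cafile=None) -> ssl.SSLContext:
    """SSL_CHECK=False in rlm_perl.ini switches certificate verification off entirely; with the
    self-signed certificate generated at install time, pinning it via cafile is the safer option."""
    ctx = ssl.create_default_context(cafile=cafile)
    if not ssl_check:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    return ctx

def check_otp(user: str, pin_otp: str, realm: str, resconf: str, ssl_check: bool = True,
              cafile=None, timeout: float = 5.0) -> str:
    """Ask LinOTP directly whether PIN+OTP is valid, bypassing FreeRadius, to isolate faults."""
    req = urllib.request.Request(VALIDATE_URL, data=build_validate_body(user, pin_otp, realm, resconf))
    with urllib.request.urlopen(req, timeout=timeout, context=tls_context(ssl_check, cafile)) as resp:
        return parse_simplecheck(resp.read().decode("utf-8", "replace"))
```

If check_otp returns "accept" but the RADIUS path still fails, the problem is in FreeRadius or rlm_perl.ini, not in LinOTP itself.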
Next, create the file /etc/freeradius/sites-available/linotp
# touch /etc/freeradius/sites-available/linotp
# nano /etc/freeradius/sites-available/linotp
And copy the config into it (nothing needs editing):
authorize {
    # normalizes malformed client requests before they are handed on to other modules (see '/etc/freeradius/modules/preprocess')
    preprocess
    # If you are using multiple kinds of realms, you probably
    # want to set "ignore_null = yes" for all of them.
    # Otherwise, when the first style of realm doesn't match,
    # the other styles won't be checked.
    # allows a list of realms (see '/etc/freeradius/modules/realm')
    IPASS
    # understands something like USER@REALM and can tell the components apart (see '/etc/freeradius/modules/realm')
    suffix
    # understands DOMAIN\USER and can tell the components apart (see '/etc/freeradius/modules/realm')
    ntdomain
    # Read the 'users' file to learn about special configuration which should be applied for
    # certain users (see '/etc/freeradius/modules/files')
    files
    # allows authentication to expire (see '/etc/freeradius/modules/expiration')
    expiration
    # allows to define valid service-times (see '/etc/freeradius/modules/logintime')
    logintime
    # We got no radius_shortname_map!
    pap
}
# here the linotp perl module is called for further processing
authenticate {
    perl
}
Next we create a symlink:
# ln -s ../sites-available/linotp /etc/freeradius/sites-enabled
Personally, I delete the default Radius sites, but if you need them you can edit their config or disable them.
# rm /etc/freeradius/sites-enabled/default
# rm /etc/freeradius/sites-enabled/inner-tunnel
# service freeradius reload
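To check the FreeRadius side end to end without radtest, here is a small RADIUS PAP client (an added example, not code from the article): it builds the Access-Request that a NAS such as Cisco ASA or OpenVPN sends, hides the PIN+OTP the way RFC 2865 prescribes, and verifies the Response Authenticator of the answer so that a forged Access-Accept is not mistaken for a real one. Host, user name and the client secret from clients.conf are assumed values.

```python
import hashlib
import os
import socket
import struct

def encode_pap_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2: XOR the zero-padded password with an MD5 chain keyed by the shared
    secret and the Request Authenticator. Obfuscation only, so keep the NAS<->RADIUS path trusted."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], keystream))
        out += prev
    return out

def decode_pap_password(encoded: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of encode_pap_password (what FreeRadius does before handing PIN+OTP to rlm_perl)."""
    out, prev = b"", authenticator
    for i in range(0, len(encoded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(encoded[i:i + 16], keystream))
        prev = encoded[i:i + 16]
    return out.rstrip(b"\x00")

def build_access_request(ident: int, user: bytes, pin_otp: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Access-Request (code 1) with User-Name (1) and User-Password (2) = PIN+OTP, e.g. b'1234567890'."""
    attrs = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in
                     ((1, user), (2, encode_pap_password(pin_otp, secret, authenticator))))
    return struct.pack("!BBH", 1, ident, 20 + len(attrs)) + authenticator + attrs

def sign_response(code: int, ident: int, attrs: bytes, request_auth: bytes, secret: bytes) -> bytes:
    """Reply as the server builds it: Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attrs+Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return header + hashlib.md5(header + request_auth + attrs + secret).digest() + attrs

def response_is_authentic(response: bytes, request_auth: bytes, secret: bytes) -> bool:
    """A reply forged without the shared secret, or replayed from another request, fails here."""
    return len(response) >= 20 and response == sign_response(
        response[0], response[1], response[20:], request_auth, secret)

def radius_pap_auth(host: str, user: bytes, pin_otp: bytes, secret: bytes, port: int = 1812) -> str:
    # Assumed values: host is the FreeRadius box, secret the one from clients.conf (b"passwd").
    ident, request_auth = os.urandom(1)[0], os.urandom(16)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(5.0)
        sock.sendto(build_access_request(ident, user, pin_otp, secret, request_auth), (host, port))
        reply, _ = sock.recvfrom(4096)
    if reply[1] != ident or not response_is_authentic(reply, request_auth, secret):
        return "unauthentic-reply"
    return {2: "Access-Accept", 3: "Access-Reject", 11: "Access-Challenge"}.get(reply[0], "other")
```

Run it from a host inside the 192.168.188.0/24 range allowed in clients.conf, e.g. radius_pap_auth("192.168.188.10", b"alice", b"1234567890", b"passwd"); a wrong secret shows up as "unauthentic-reply" rather than as a reject.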
Now let's go back to the web interface and look at it in more detail:
In the top right corner click LinOTP Config -> UserIdResolvers -> New
Choose what you need: LDAP (AD win, LDAP samba), or SQL, or local users of the system (Flatfile).
Fill in the required fields.
Next we create REALMS:
In the top right corner click LinOTP Config -> Realms -> New.
Give our REALMS a name and tick the UserIdResolvers created earlier.
FreeRadius needs all of this data in the file /etc/linotp2/rlm_perl.ini, as I wrote above, so if you didn't fill it in then, do it now.
The server is fully configured.
Addition:
Setting up LinOTP on Debian 9:
Installation:
# echo 'deb http://linotp.org/apt/debian stretch linotp' > /etc/apt/sources.list.d/linotp.list
# apt-get install dirmngr
# apt-key adv --recv-keys 913DFF12F86258E5
# apt-get update
# apt-get install mysql-server
(by default, on Debian 9 mysql (mariaDB) does not offer to set a root password; you can of course leave it empty, but if you read the article, this often leads to an "epic fail", so we will set it anyway)
# mysql -u root -p
use mysql;
UPDATE user SET Password = PASSWORD('тут_пароль') WHERE User = 'root';
FLUSH PRIVILEGES; -- reload the grant tables so the direct UPDATE takes effect
exit
# apt-get install linotp
# apt-get install linotp-adminclient-cli
# apt-get install python-ldap
# apt install freeradius
# nano /etc/freeradius/3.0/sites-enabled/linotp
Paste the code there (sent in by JuriM, thanks to him for that!):
server linotp {
    listen {
        ipaddr = *
        port = 1812
        type = auth
    }
    listen {
        ipaddr = *
        port = 1813
        type = acct
    }
    authorize {
        preprocess
        update {
            &control:Auth-Type := Perl
        }
    }
    authenticate {
        Auth-Type Perl {
            perl
        }
    }
    accounting {
        unix
    }
}
Edit /etc/freeradius/3.0/mods-enabled/perl
perl {
    filename = /usr/share/linotp/radius_linotp.pm
    func_authenticate = authenticate
    func_authorize = authorize
}
Unfortunately, on Debian 9 the radius_linotp.pm library is not installed from the repository, so we take it from github.
# apt install git
# git clone https://github.com/LinOTP/linotp-auth-freeradius-perl
# cd linotp-auth-freeradius-perl/
# cp radius_linotp.pm /usr/share/linotp/radius_linotp.pm
now let's edit /etc/freeradius/3.0/clients.conf
client servers {
    ipaddr = 192.168.188.0/24
    secret = your_password
}
Now let's edit /etc/linotp2/rlm_perl.ini
We paste the same content as for the Debian 8 install (described above)
that's all, in theory. (not tested yet)
Below I'll leave a few links for setting up the systems that most often need to be protected with two-factor authentication:
Setting up two-factor authentication in
ukpụhọde
Also, the CMS of many sites supports two-factor authentication (for WordPress, LinOTP even has its own dedicated module for
An important fact! Do not tick the "Google authenticator" box in order to use Google Authenticator! The QR code cannot be read then... (a surprising fact)
The following articles were used as sources for this one:
Thanks to the authors.
source: www.habr.com