Today I want to show how to set up a two-factor authentication server to protect a corporate network, websites, services and SSH. The server will run the following combination: LinOTP + FreeRadius.
Why do we need it?
It is a free and convenient solution that runs on your own network and does not depend on third-party providers.
The service is very convenient and fairly visual, unlike other open-source products, and it supports many functions and policies (for example login + password + (PIN + OTP token)). Via its API it integrates with SMS-sending services (LinOTP Config -> Provider Config -> SMS Provider) and it generates codes for mobile apps such as Google Authenticator and others. I think it is more convenient than the service discussed in
This server works perfectly with Cisco ASA, OpenVPN server, Apache2, and in general with almost anything that supports authentication through a RADIUS server (for example, for SSH in a data center).
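The "PIN + OTP token" check mentioned above, as an added example that is not code from the article or from LinOTP: how a server validates the string a user types into the password field when the policy is login + password + (PIN + OTP). HOTP and TOTP follow RFC 4226 and RFC 6238, which is what Google Authenticator implements; the PIN-in-front format, the one-step drift window, the replay guard based on the last used counter and the demo seed are assumptions made for this illustration.

```python
"""Added example (not from the article or LinOTP): validating a LinOTP-style
"PIN + OTP" value. HOTP/TOTP per RFC 4226 / RFC 6238; PIN format, drift
window, replay guard and the demo seed are assumptions for illustration."""
import base64
import hashlib
import hmac
import struct
import time


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, dynamic truncation, mod 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP with counter = floor(unix_time / step); Google Authenticator uses 30 s / 6 digits."""
    return hotp(secret, unix_time // step, digits)


def seed_from_base32(seed: str) -> bytes:
    """The enrolment QR code carries the seed base32-encoded; normalise spacing/case and pad it."""
    seed = seed.replace(" ", "").upper()
    return base64.b32decode(seed + "=" * (-len(seed) % 8))


def verify_pin_otp(submitted: str, pin: str, secret: bytes, unix_time: int,
                   last_counter: int = -1, window: int = 1, step: int = 30, digits: int = 6):
    """Check "PIN + OTP" as sent in the RADIUS password field.

    - the OTP is the last `digits` characters, everything before it is the PIN
    - the PIN is compared in constant time
    - the OTP may match the current step or up to `window` steps either side (clock drift)
    - any step at or before `last_counter` is refused, so a sniffed code cannot be replayed
    Returns (ok, counter_used); persist counter_used as the new last_counter on success.
    """
    if len(submitted) <= digits:
        return False, last_counter
    pin_part, otp_part = submitted[:-digits], submitted[-digits:]
    pin_ok = hmac.compare_digest(pin_part.encode(), pin.encode())
    now = unix_time // step
    matched = None
    for counter in range(now - window, now + window + 1):
        # no early return: timing should not reveal which step matched
        if counter > last_counter and hmac.compare_digest(hotp(secret, counter, digits), otp_part):
            matched = counter
    if pin_ok and matched is not None:
        return True, matched
    return False, last_counter


if __name__ == "__main__":
    # Constructed demo seed (the RFC 4226 test secret); a real one is generated when the token is enrolled.
    demo_secret = seed_from_base32("GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ")
    now = int(time.time())
    print("current code:", totp(demo_secret, now))
    print(verify_pin_otp("1234" + totp(demo_secret, now), "1234", demo_secret, now))
```

The replay guard is the part most home-grown verifiers forget: with a window of one step either side, a code stays valid for up to 90 seconds, so without remembering the last accepted counter an attacker who sees the PIN+OTP on the wire can reuse it immediately.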
Required:
1) Debian 8 (jessie) - definitely! (a trial installation on Debian 9 is described at the end of the article)
Getting started:
Install Debian 8.
Add the LinOTP repository:
# echo 'deb http://www.linotp.org/apt/debian jessie linotp' > /etc/apt/sources.list.d/linotp.list
Add the signing key:
# gpg --search-keys 913DFF12F86258E5
Sometimes on a "clean" install, after this command Debian prints:
gpg: directory `/root/.gnupg' created
gpg: new configuration file `/root/.gnupg/gpg.conf' created
gpg: WARNING: options in `/root/.gnupg/gpg.conf' are not yet active during this run
gpg: keyring `/root/.gnupg/secring.gpg' created
gpg: keyring `/root/.gnupg/pubring.gpg' created
gpg: no keyserver known (use option --keyserver)
gpg: keyserver search failed: bad URI
This is just the initial gnupg setup. It is harmless; simply run the command again.
Debian then asks:
gpg: searching for "913DFF12F86258E5" from hkp server keys.gnupg.net
(1) LSE LinOTP2 Packaging <[email protected]>
2048 bit RSA key F86258E5, created: 2010-05-10
Keys 1-1 of 1 for "913DFF12F86258E5". Enter number(s), N)ext, or Q)uit >
We answer: 1
Next, export the key into apt's trusted keys and refresh the package lists (before doing so, compare the key's full fingerprint with the one published by LinOTP; a short key ID alone is not proof of authenticity):
# gpg --export 913DFF12F86258E5 | apt-key add -
# apt-get update
Install MySQL. In theory you can use another SQL server, but for clarity I'll use the one recommended for LinOTP.
(additional information, including reconfiguring the LinOTP database, can be found in the official documentation for
# apt-get install mysql-server
# apt-get update
(it doesn't hurt to check for updates again)
Install LinOTP and the additional modules:
# apt-get install linotp
Answer the installer's questions:
Use Apache2: yes
Create a password for the LinOTP admin: "your password"
Generate a self-signed certificate?: yes
Use MySQL?: yes
Where is the database located: localhost
Create the LinOTP database (database name) on the server: LinOTP2
Create a separate user for the database: LinOTP2
Set a password for that user: "your password"
Should I create the database now? (something like "Are you sure you want to..."): yes
Enter the MySQL root password set during installation: "your password"
Done.
(optional, you do not have to install this)
# apt-get install linotp-adminclient-cli
(optional, you do not have to install this)
# apt-get install libpam-linotp
The LinOTP web interface is now available at:
https://server_IP/manage
I'll cover the settings in the web interface later.
Now the most important part! We bring up FreeRadius and connect it to LinOTP.
Install FreeRadius and the module for talking to LinOTP:
# apt-get install freeradius linotp-freeradius-perl
Back up the radius client and user configuration:
# mv /etc/freeradius/clients.conf /etc/freeradius/clients.old
# mv /etc/freeradius/users /etc/freeradius/users.old
Create an empty clients file:
# touch /etc/freeradius/clients.conf
Edit our new config file (the backed-up config can serve as an example):
# nano /etc/freeradius/clients.conf
client 192.168.188.0/24 {
secret = passwd # shared secret for the RADIUS clients ("passwd" is a placeholder; use a long random value, since every host in this /24 may send requests with it)
}
Next, create the users file:
# touch /etc/freeradius/users
Edit it, telling radius that we will use perl for authentication:
# nano /etc/freeradius/users
DEFAULT Auth-type := perl
Next, edit the file /etc/freeradius/modules/perl
# nano /etc/freeradius/modules/perl
We need to set the path to the linotp perl script in the module parameter:
perl {
    ...
    module = /usr/lib/linotp/radius_linotp.pm
    ...
}
Next, create the file in which we tell it where (domain, database or file) to take the user data from:
# touch /etc/linotp2/rlm_perl.ini
# nano /etc/linotp2/rlm_perl.ini
URL=https://your_LinOTP_server_IP(192.168.X.X)/validate/simplecheck
REALM=webusers1c
RESCONF=LocalUser
Debug=True
SSL_CHECK=False
I'll go into more detail here because it matters.
Full description of the file, with comments:
# LinOTP server IP (the address of our LinOTP server)
URL=https://172.17.14.103/validate/simplecheck
# The realm we will create in the LinOTP web interface
REALM=rearm1
# Name of the user group (UserIdResolver) created in the LinOTP web interface
RESCONF=flat_file
# optional: comment out once everything works
Debug=True
# optional: set to False only if LinOTP uses a self-signed certificate, otherwise comment it out so the certificate is verified. Note that False turns certificate checking off entirely, so anyone who can intercept traffic between FreeRADIUS and LinOTP can read the PIN+OTP values; the cleaner fix for a self-signed certificate is to trust that certificate on the FreeRADIUS host and keep verification on.
SSL_CHECK=False
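What radius_linotp.pm does with this ini file, as an added Python example (not the perl module's code and not part of the article): it parses the file, posts user, pass and realm to the /validate/simplecheck URL and maps LinOTP's smiley reply (":-)" accept, ":-(" reject, ":-/" challenge) to a decision. It also shows what SSL_CHECK=False really does to the TLS connection and the safer alternative. The sample ini text, the cafile argument and the resConf parameter name are assumptions.

```python
"""Added example (not code from the article or from radius_linotp.pm): what the
perl module does with /etc/linotp2/rlm_perl.ini, in Python. The sample ini,
the cafile argument and the resConf parameter name are assumptions."""
import configparser
import ssl
import urllib.parse
import urllib.request
from typing import Optional

# Constructed sample with the keys the article uses.
SAMPLE_INI = """
URL=https://172.17.14.103/validate/simplecheck
REALM=realm1
RESCONF=flat_file
Debug=True
SSL_CHECK=False
"""


def parse_rlm_perl_ini(text: str) -> dict:
    """The file has no [section] header, so one is prepended; configparser lower-cases keys,
    which makes Debug/DEBUG interchangeable. A missing SSL_CHECK defaults to verifying."""
    cp = configparser.ConfigParser()
    cp.read_string("[linotp]\n" + text)
    sec = cp["linotp"]
    return {
        "url": sec.get("url"),
        "realm": sec.get("realm"),
        "resconf": sec.get("resconf"),
        "debug": sec.getboolean("debug", fallback=False),
        "ssl_check": sec.getboolean("ssl_check", fallback=True),
    }


def tls_context(ssl_check: bool, cafile: Optional[str] = None) -> ssl.SSLContext:
    """SSL_CHECK=False switches off certificate AND hostname verification: anyone between
    FreeRADIUS and LinOTP can then impersonate LinOTP and collect PIN+OTP values. For a
    self-signed LinOTP certificate, keep SSL_CHECK=True and pass that certificate as cafile."""
    ctx = ssl.create_default_context(cafile=cafile)
    if not ssl_check:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    return ctx


def interpret_simplecheck(body: str) -> str:
    """/validate/simplecheck replies with a smiley: ':-)' accept, ':-(' reject,
    ':-/' challenge (e.g. an SMS OTP was just sent); anything else is an error."""
    body = body.strip()
    if body.startswith(":-)"):
        return "accept"
    if body.startswith(":-("):
        return "reject"
    if body.startswith(":-/"):
        return "challenge"
    return "error"


def linotp_simplecheck(cfg: dict, user: str, password: str,
                       cafile: Optional[str] = None, timeout: float = 10.0) -> str:
    """POST user/pass/realm (password = PIN+OTP as received over RADIUS) and classify the reply."""
    params = {"user": user, "pass": password, "realm": cfg["realm"]}
    if cfg.get("resconf"):
        params["resConf"] = cfg["resconf"]  # assumption: parameter name the perl module uses
    req = urllib.request.Request(cfg["url"], data=urllib.parse.urlencode(params).encode(), method="POST")
    ctx = tls_context(cfg["ssl_check"], cafile)
    with urllib.request.urlopen(req, timeout=timeout, context=ctx) as resp:
        return interpret_simplecheck(resp.read().decode("utf-8", "replace"))


if __name__ == "__main__":
    cfg = parse_rlm_perl_ini(SAMPLE_INI)
    print(cfg)
    print(linotp_simplecheck(cfg, "alice", "1234567890"))
```

A value like Debug=Bener or SSL_CHECK=Palsu (as they appear when the file is copied from a translated page) is rejected by getboolean, which is the behaviour you want: a typo in SSL_CHECK must not silently disable verification.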
Next, create the file /etc/freeradius/sites-available/linotp
# touch /etc/freeradius/sites-available/linotp
# nano /etc/freeradius/sites-available/linotp
and paste in this configuration (nothing needs to be changed):
authorize {
    # normalizes malformed client requests before they are handed to other modules (see '/etc/freeradius/modules/preprocess')
    preprocess
    # If you are using multiple kinds of realms, you probably
    # want to set "ignore_null = yes" for all of them.
    # Otherwise, when the first style of realm doesn't match,
    # the other styles won't be checked.
    # allows a list of realms (see '/etc/freeradius/modules/realm')
    IPASS
    # understands something like USER@REALM and can tell the components apart (see '/etc/freeradius/modules/realm')
    suffix
    # understands DOMAIN\USER and can tell the components apart (see '/etc/freeradius/modules/realm')
    ntdomain
    # read the 'users' file to learn about special configuration which should be applied for
    # certain users (see '/etc/freeradius/modules/files')
    files
    # allows authentication to expire (see '/etc/freeradius/modules/expiration')
    expiration
    # allows defining valid service times (see '/etc/freeradius/modules/logintime')
    logintime
    # We got no radius_shortname_map!
    pap
}
# here the linotp perl module is called for further processing
authenticate {
    perl
}
Next, create a symlink:
# ln -s ../sites-available/linotp /etc/freeradius/sites-enabled
Personally, I disable the default Radius sites, but if you need them you can edit their configuration instead of removing them:
# rm /etc/freeradius/sites-enabled/default
# rm /etc/freeradius/sites-enabled/inner-tunnel
# service freeradius reload
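To test the result from a client machine, and to see what the secret in clients.conf actually protects, here is an added Python example (not code from the article, FreeRADIUS or LinOTP) that does what radtest does for PAP: it builds an Access-Request with User-Name and a User-Password hidden by the RFC 2865 MD5/XOR scheme keyed by the shared secret and the 16-byte Request Authenticator, then verifies the Response Authenticator of the reply so a forged Access-Accept from a host that does not know the secret is ignored. The server address 192.168.188.1, the secret "passwd", the user and the PIN+OTP value are assumptions; the client must run from a host inside the 192.168.188.0/24 range in clients.conf or FreeRADIUS will drop the request without answering.

```python
"""Added example (not from the article, FreeRADIUS or LinOTP): a minimal RADIUS PAP
client, like radtest, showing what the clients.conf secret does on the wire. Host,
port, secret and credentials are assumptions."""
import hashlib
import hmac
import os
import socket
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2


def encode_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2: pad to 16-octet blocks; each block is XORed with MD5(secret + previous
    ciphertext block), the first with MD5(secret + Request Authenticator). This hides the
    PIN+OTP from a passive sniffer only as well as the secret is unguessable."""
    if len(password) > 128:
        raise ValueError("User-Password is limited to 128 octets")
    padded = password + b"\x00" * ((-len(password)) % 16) if password else b"\x00" * 16
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out, prev = out + block, block
    return out

def decode_password(encoded: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of encode_password (the server side, before the value goes to LinOTP)."""
    out, prev = b"", authenticator
    for i in range(0, len(encoded), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(encoded[i:i + 16], key))
        prev = encoded[i:i + 16]
    return out.rstrip(b"\x00")

def attribute(attr_type: int, value: bytes) -> bytes:
    """Type-Length-Value; Length includes the two header octets."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def build_access_request(ident: int, username: str, password: str, secret: bytes, authenticator: bytes) -> bytes:
    attrs = attribute(ATTR_USER_NAME, username.encode()) + attribute(
        ATTR_USER_PASSWORD, encode_password(password.encode(), secret, authenticator))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs

def parse_packet(data: bytes):
    """Return (code, identifier, authenticator, [(type, value), ...]), rejecting bad lengths."""
    code, ident, length = struct.unpack("!BBH", data[:4])
    if length < 20 or length > len(data):
        raise ValueError("bad RADIUS length")
    attrs, pos = [], 20
    while pos + 2 <= length:
        attr_type, attr_len = data[pos], data[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("bad attribute length")
        attrs.append((attr_type, data[pos + 2:pos + attr_len]))
        pos += attr_len
    return code, ident, data[4:20], attrs

def response_authenticator(code, ident, length, request_auth, attrs_bytes, secret) -> bytes:
    """RFC 2865 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    return hashlib.md5(struct.pack("!BBH", code, ident, length) + request_auth + attrs_bytes + secret).digest()

def check_response(response: bytes, request_auth: bytes, secret: bytes) -> bool:
    """True only if the reply was built by a party holding the shared secret (no spoofed Access-Accept)."""
    code, ident, auth, _ = parse_packet(response)
    length = struct.unpack("!H", response[2:4])[0]
    expected = response_authenticator(code, ident, length, request_auth, response[20:length], secret)
    return hmac.compare_digest(expected, auth)

def build_response(code: int, ident: int, request_auth: bytes, secret: bytes, attrs: bytes = b"") -> bytes:
    """What the server sends back; included so check_response can be exercised offline."""
    length = 20 + len(attrs)
    auth = response_authenticator(code, ident, length, request_auth, attrs, secret)
    return struct.pack("!BBH", code, ident, length) + auth + attrs

def radius_auth(host: str, port: int, secret: bytes, username: str, password: str, timeout: float = 5.0):
    """Send one Access-Request with PIN+OTP as the password. Returns 2 (accept), 3 (reject),
    11 (challenge) or None when nothing valid came back (timeout: FreeRADIUS silently drops
    requests from IPs not in clients.conf; or a reply whose authenticator does not verify)."""
    ident, request_auth = os.urandom(1)[0], os.urandom(16)
    packet = build_access_request(ident, username, password, secret, request_auth)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(packet, (host, port))
        try:
            reply, _ = sock.recvfrom(4096)
        except socket.timeout:
            return None
    if reply[1] != ident or not check_response(reply, request_auth, secret):
        return None
    return reply[0]

if __name__ == "__main__":
    names = {ACCESS_ACCEPT: "Access-Accept", ACCESS_REJECT: "Access-Reject", ACCESS_CHALLENGE: "Access-Challenge"}
    # assumed RADIUS server address and secret; run from a host inside the clients.conf range
    result = radius_auth("192.168.188.1", 1812, b"passwd", "alice", "1234567890")
    print(names.get(result, "no valid reply (timeout, unknown client, or wrong secret)"))
```

Two things this makes visible: the User-Password hiding is only MD5-keyed XOR, so the secret and the network between NAS and FreeRADIUS are what keep PIN+OTP values private, and a reply is only trustworthy after its Response Authenticator has been checked against the secret and the original Request Authenticator.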
Now let's go back to the web interface and look at it in more detail:
In the top right corner click LinOTP Config -> UserIdResolvers -> New
Choose what you need: LDAP (Windows AD, Samba LDAP), SQL, or local system users from a Flatfile.
Fill in the required fields.
Next, create the REALMS:
In the top right corner click LinOTP Config -> Realms -> New
and give our realm a name, then tick the UserIdResolvers created earlier.
FreeRadius needs exactly these values in the file /etc/linotp2/rlm_perl.ini, as I said above, so if you haven't edited it yet, do it now.
The server is fully configured.
Addendum:
Setting up LinOTP on Debian 9:
Installation:
# echo 'deb http://linotp.org/apt/debian stretch linotp' > /etc/apt/sources.list.d/linotp.list
# apt-get install dirmngr
# apt-key adv --recv-keys 913DFF12F86258E5
# apt-get update
# apt-get install mysql-server
(by default on Debian 9 mysql (MariaDB) does not offer to set a ROOT password; you can of course leave it empty, but if you follow the news, that very often ends in an "epic fail", so we set one. Note that an UPDATE on the user table only takes effect after FLUSH PRIVILEGES, and that on Debian 9 MariaDB's root account logs in through the unix_socket plugin, so the password alone does not change how root authenticates.)
# mysql -u root -p
use mysql;
UPDATE user SET Password = PASSWORD('password_here') WHERE User = 'root';
exit
# apt-get install linotp
# apt-get install linotp-adminclient-cli
# apt-get install python-ldap
# apt install freeradius
# nano /etc/freeradius/3.0/sites-enabled/linotp
Paste in this code (sent in by JuriM, thanks to him!):
server linotp {
    listen {
        ipaddr = *
        port = 1812
        type = auth
    }
    listen {
        ipaddr = *
        port = 1813
        type = acct
    }
    authorize {
        preprocess
        update {
            &control:Auth-Type := Perl
        }
    }
    authenticate {
        Auth-Type Perl {
            perl
        }
    }
    accounting {
        unix
    }
}
Edit /etc/freeradius/3.0/mods-enabled/perl
perl {
    filename = /usr/share/linotp/radius_linotp.pm
    func_authenticate = authenticate
    func_authorize = authorize
}
Unfortunately, on Debian 9 the radius_linotp.pm library is not installed from the repository, so we take it from github:
# apt install git
# git clone https://github.com/LinOTP/linotp-auth-freeradius-perl
# cd linotp-auth-freeradius-perl/
# cp radius_linotp.pm /usr/share/linotp/radius_linotp.pm
Now edit /etc/freeradius/3.0/clients.conf
client server {
    ipaddr = 192.168.188.0/24
    secret = passwd
}
Now edit /etc/linotp2/rlm_perl.ini
and paste in the same contents as for the Debian 8 install (described above).
That's all, in theory (not tested).
Below I'll leave a few links for setting up the systems that most often need to be protected with two-factor authentication:
Setting up two-factor authentication in
Supplement
Also, the CMS of many sites supports two-factor authentication (for WordPress, LinOTP even has its own dedicated module for
IMPORTANT! Do NOT tick the "Google authenticator" checkbox in order to use Google Authenticator! The QR code cannot be read then... (strange, but true)
Information from the following articles was used to write this article:
Thanks to the authors.
Source: www.habr.com