LinOTP + FreeRadius

[Introduction garbled in extraction; only these fragments survive.] Two-factor (one-time password) authentication for ssh and other services, built on LinOTP + FreeRadius. The second factor is sent as PIN+OTPToken (the page shows login + password + (PIN+OTPToken)); LinOTP exposes an API, has an SMS provider (LinOTP Config->Provider Config->SMS Provider) and works with Google Authenticator. Any client that can authenticate against a RADIUS server (Cisco ASA, OpenVPN, Apache2, and SSH, which is what this guide configures) can use it.
1) Debian 8 (jessie) (installation on Debian 9 is described at the end)
Install Debian 8.
Add the LinOTP repository:
# echo 'deb http://www.linotp.org/apt/debian jessie linotp' > /etc/apt/sources.list.d/linotp.list
Fetch the repository signing key:
# gpg --search-keys 913DFF12F86258E5
On a fresh Debian 8 install the key search may first fail with an "error" like this:
gpg: создан каталог `/root/.gnupg'
gpg: создан новый файл настроек `/root/.gnupg/gpg.conf'
gpg: ВНИМАНИЕ: параметры в `/root/.gnupg/gpg.conf' еще не активны при этом запуске
gpg: создана таблица ключей `/root/.gnupg/secring.gpg'
gpg: создана таблица ключей `/root/.gnupg/pubring.gpg'
gpg: не заданы серверы ключей (используйте --keyserver)
gpg: сбой при поиске на сервере ключей: плохой URI
This happens because gnupg on a fresh Debian 8 has no keyserver configured (the message says to use --keyserver). With a keyserver given, the search succeeds:
gpg: поиск "913DFF12F86258E5" на hkp сервере keys.gnupg.net
(1) LSE LinOTP2 Packaging <[email protected]>
2048 bit RSA key F86258E5, создан: 2010-05-10
Keys 1-1 of 1 for "913DFF12F86258E5". Введите числа, N) Следующий или Q) Выход>
Enter 1.
Then:
# gpg --export 913DFF12F86258E5 | apt-key add -
# apt-get update
Install mysql. If you already have an SQL server you can skip this step, but the LinOTP package needs a database, so in my setup it had to be installed:
# apt-get install mysql-server
# apt-get update
Install LinOTP:
# apt-get install linotp
The installer asks a few questions; my answers were:
Use Apache2: yes
Admin password for Linotp: "YourPassword"
[question garbled in extraction]: yes
Use MySQL?: yes
Database host: localhost
Database for LinOTP (default name): LinOTP2
Database user: LinOTP2
Password for this user: "YourPassword"
Configure the database now? (a question of the form "Do you want to ... now ..."): yes
MySQL root password: "YourPassword"
Done.
(optional)
# apt-get install linotp-adminclient-cli
(optional)
# apt-get install libpam-linotp
After installation the LinOTP admin interface is available at https://IP_сервера/manage (use the IP of your server). We will come back to it later; first FreeRadius has to be installed and connected to Linotp.
Install FreeRadius and the LinOTP perl module for it:
# apt-get install freeradius linotp-freeradius-perl
Move the stock clients and users files aside:
# mv /etc/freeradius/clients.conf /etc/freeradius/clients.old
# mv /etc/freeradius/users /etc/freeradius/users.old
Create a new clients file:
# touch /etc/freeradius/clients.conf
Put into it the network from which RADIUS clients may connect and the shared secret they must present (example values; use your own network and secret):
# nano /etc/freeradius/clients.conf
client 192.168.188.0/24 {
secret = passwd # shared secret the RADIUS clients use to connect
}
Then create the users file:
# touch /etc/freeradius/users
And tell it that all authentication goes through the perl module:
# nano /etc/freeradius/users
DEFAULT Auth-Type := perl
Then edit the file /etc/freeradius/modules/perl
# nano /etc/freeradius/modules/perl
and point the module setting at the linotp perl script:
perl {
.......
module = /usr/lib/linotp/radius_linotp.pm
... ..
Then create the configuration file for the perl module (it tells the module which LinOTP server, realm and user resolver to use):
# touch /etc/linotp2/rlm_perl.ini
# nano /etc/linotp2/rlm_perl.ini
URL=https://IP_вашего_LinOTP_сервера(192.168.X.X)/validate/simplecheck
REALM=webusers1c
RESCONF=LocalUser
Debug=True
SSL_CHECK=False
For comparison, here is my working file with comments:
# IP address of the LinOTP server (replace it with the IP of your LinOTP server)
URL=https://172.17.14.103/validate/simplecheck
# realm created on the LinOTP server
REALM=rearm1
# user resolver created on the LinOTP server
RESCONF=flat_file
# debug output, useful when something does not work
Debug=True
# SSL certificate check (disabled here because the LinOTP server uses a self-signed certificate)
SSL_CHECK=False
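To see what the perl module does with these settings, here is an added Python example (not from the original article or the LinOTP project) that sends the same /validate/simplecheck request and interprets LinOTP's smiley reply. The server address, user, PIN and OTP values are constructed, and the `fetch` hook is an assumption added so the functions can be exercised without a server.

```python
import ssl
import urllib.parse
import urllib.request
from typing import Callable, Optional

SUCCESS, FAILURE, CHALLENGE, UNKNOWN = "success", "failure", "challenge", "unknown"


def build_simplecheck_url(base_url: str, user: str, pin: str, otp: str, realm: str) -> str:
    """LinOTP expects PIN and OTP concatenated in the 'pass' parameter (PIN+OTPToken)."""
    query = urllib.parse.urlencode({"user": user, "pass": pin + otp, "realm": realm})
    return base_url.rstrip("/") + "/validate/simplecheck?" + query


def parse_simplecheck(body: str) -> str:
    """simplecheck answers with a smiley on the first line instead of JSON:
    ':-)' token accepted, ':-(' rejected, ':-/' challenge-response pending.
    Anything else (proxy error page, empty body) is treated as unknown, never as success."""
    lines = body.strip().splitlines()
    first = lines[0].strip() if lines else ""
    return {":-)": SUCCESS, ":-(": FAILURE, ":-/": CHALLENGE}.get(first, UNKNOWN)


def check_otp(base_url: str, user: str, pin: str, otp: str, realm: str,
              ca_file: Optional[str] = None, ssl_check: bool = True,
              fetch: Optional[Callable[[str], str]] = None) -> str:
    """Validate user + PIN+OTP against a realm, like the URL/REALM settings in rlm_perl.ini.
    ssl_check=False mirrors SSL_CHECK=False (self-signed certificate): it turns off certificate
    and hostname verification, so pointing ca_file at the server's CA is the safer option.
    fetch is an assumed hook: a callable returning the response body, used here for testing."""
    url = build_simplecheck_url(base_url, user, pin, otp, realm)
    if fetch is None:
        ctx = ssl.create_default_context(cafile=ca_file)
        if not ssl_check:
            ctx.check_hostname = False
            ctx.verify_mode = ssl.CERT_NONE

        def fetch_body(u: str) -> str:
            with urllib.request.urlopen(u, context=ctx, timeout=10) as resp:
                return resp.read().decode("utf-8", "replace")
        fetch = fetch_body
    return parse_simplecheck(fetch(url))


if __name__ == "__main__":
    # constructed sample: the IP is the one from rlm_perl.ini above, the reply is faked
    print(check_otp("https://172.17.14.103", "alice", "1234", "567890", "rearm1",
                    fetch=lambda u: ":-)"))
```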
Then create the file /etc/freeradius/sites-available/linotp
# touch /etc/freeradius/sites-available/linotp
# nano /etc/freeradius/sites-available/linotp
and paste the following into it (nothing needs to be changed):
authorize {
#normalizes malformed client requests before they are handed on to other modules (see '/etc/freeradius/modules/preprocess')
preprocess
# If you are using multiple kinds of realms, you probably
# want to set "ignore_null = yes" for all of them.
# Otherwise, when the first style of realm doesn't match,
# the other styles won't be checked.
#allows a list of realm (see '/etc/freeradius/modules/realm')
IPASS
#understands something like USER@REALM and can tell the components apart (see '/etc/freeradius/modules/realm')
suffix
#understands REALM\USER and can tell the components apart (see '/etc/freeradius/modules/realm')
ntdomain
# Read the 'users' file to learn about special configuration which should be applied for
# certain users (see '/etc/freeradius/modules/files')
files
# allows authentication to expire (see '/etc/freeradius/modules/expiration')
expiration
# allows to define valid service-times (see '/etc/freeradius/modules/logintime')
logintime
# We got no radius_shortname_map!
pap
}
#here the linotp perl module is called for further processing
authenticate {
perl
}
Then enable the site:
# ln -s ../sites-available/linotp /etc/freeradius/sites-enabled
In my case the Radius server does nothing but authentication through LinOTP, so the other sites are removed (you can also leave them):
# rm /etc/freeradius/sites-enabled/default
# rm /etc/freeradius/sites-enabled/inner-tunnel
# service freeradius reload
Now open the LinOTP web interface and create a user resolver:
LinOTP Config -> UserIdResolvers -> New
Choose where the users come from: LDAP (Windows AD, Samba LDAP), SQL, or local users from a Flatfile, and fill in the fields for that source.
Then create a REALM:
LinOTP Config -> Realms -> New
and add the UserIdResolver created in the previous step to the new REALM.
FreeRadius must be told the same names in /etc/linotp2/rlm_perl.ini: the REALM and RESCONF values there have to match the realm and resolver you just created in LinOTP. After that the server is ready.
Installing LinOTP on Debian 9:
Installation:
# echo 'deb http://linotp.org/apt/debian stretch linotp' > /etc/apt/sources.list.d/linotp.list
# apt-get install dirmngr
# apt-key adv --recv-keys 913DFF12F86258E5
# apt-get update
# apt-get install mysql-server
(Note: on Debian 9 mysql (mariaDB) does not ask for a root password during installation, so set one manually first, otherwise the LinOTP installer reports an "error":)
# mysql -u root -p
use mysql;
-- on Debian 9 mariaDB's root account authenticates via the unix_socket plugin; switch it to password authentication
UPDATE user SET Password = PASSWORD('<your_password>'), plugin = 'mysql_native_password' WHERE User = 'root';
FLUSH PRIVILEGES;
exit
# apt-get install linotp
# apt-get install linotp-adminclient-cli
# apt-get install python-ldap
# apt install freeradius
# nano /etc/freeradius/3.0/sites-enabled/linotp
and paste this into it (thanks to JuriM for the hint!):
server linotp {
listen {
ipaddr = *
port = 1812
type = auth
}
listen {
ipaddr = *
port = 1813
type = acct
}
authorize {
preprocess
update control {
&control:Auth-Type := Perl
}
}
authenticate {
Auth-Type Perl {
perl
}
}
accounting {
detail
}
}
Edit /etc/freeradius/3.0/mods-enabled/perl
perl {
filename = /usr/share/linotp/radius_linotp.pm
func_authenticate = authenticate
func_authorize = authorize
}
Unfortunately, on Debian 9 radius_linotp.pm is not installed by the packages, so take it from github:
# apt install git
# git clone https://github.com/LinOTP/linotp-auth-freeradius-perl
# cd linotp-auth-freeradius-perl/
# cp radius_linotp.pm /usr/share/linotp/radius_linotp.pm
Now also edit /etc/freeradius/3.0/clients.conf
client linotp_clients {  # the block name is a placeholder, any name works
ipaddr = 192.168.188.0/24
secret = YourPassword
}
Now edit /etc/linotp2/rlm_perl.ini with nano exactly as for debian 8 (described above), and everything works.
[Paragraph garbled in extraction; it concerns adding two-factor authentication to popular CMSs, for example WordPress, with LinOTP.]
Important! [Note garbled in extraction; it concerns Google Authenticator ("Google autenteficator" in the original) and scanning the QR code.]
Source: www.habr.com