LinOTP two-factor authentication server

Today I want to share how to set up a two-factor authentication server to protect a corporate network, websites, services and SSH. The server will run the following combination: LinOTP + FreeRADIUS.

Why do we need it?
This solution is completely free, convenient, lives inside your own network and does not depend on third-party providers.

The service is very convenient and fairly visual, unlike other open-source products, and it also supports a huge number of functions and policies (for example, login+password+(PIN+OTPToken)). Through its API it integrates with SMS sending services (LinOTP Config->Provider Config->SMS Provider), generates codes for mobile applications such as Google Authenticator, and much more. I think it is more convenient than the service discussed in the article.

This server works perfectly with Cisco ASA, OpenVPN server, Apache2 and in general with almost everything that authenticates via a RADIUS server (for example, for SSH in a data center).

Requirements:

1) Debian 8 (jessie) - Mandatory! (a trial installation on Debian 9 is described at the end of the article)

Let's get started:

Install Debian 8.

Add the LinOTP repository:

# echo 'deb http://www.linotp.org/apt/debian jessie linotp' > /etc/apt/sources.list.d/linotp.list

Add the key:

# gpg --search-keys 913DFF12F86258E5

Sometimes on a "clean" installation, after running this command, Debian shows:

gpg: directory `/root/.gnupg' created
gpg: new configuration file `/root/.gnupg/gpg.conf' created
gpg: WARNING: options in `/root/.gnupg/gpg.conf' are not yet active during this run
gpg: keyring `/root/.gnupg/secring.gpg' created
gpg: keyring `/root/.gnupg/pubring.gpg' created
gpg: no keyserver known (use option --keyserver)
gpg: keyserver search failed: bad URI

This is just the initial gnupg setup. It is fine; simply run the command again.
To Debian's question:

gpg: searching for "913DFF12F86258E5" from hkp server keys.gnupg.net
(1)	LSE LinOTP2 Packaging <[email protected]>
	  2048 bit RSA key F86258E5, created: 2010-05-10
Keys 1-1 of 1 for "913DFF12F86258E5".  Enter number(s), N)ext, or Q)uit >

We answer: 1

Before exporting the key, compare its full fingerprint with the one LinOTP publishes: an HKP keyserver lookup is unauthenticated, and a key ID alone does not prove whose key it is. Then:

# gpg --export 913DFF12F86258E5 | apt-key add -

# apt-get update

Install MySQL. In theory you can use another SQL server, but for simplicity I will use the one LinOTP recommends.

(Additional information, including how to reconfigure the LinOTP database, can be found in the official documentation at Link. There you will also find the command dpkg-reconfigure linotp for changing the parameters if MySQL is already installed.)

# apt-get install mysql-server

# apt-get update

(It doesn't hurt to run the update again)
Install LinOTP and the additional modules:

# apt-get install linotp

Answer the installer's questions:
Use Apache2: yes
Create a password for the LinOTP admin: "YourPassword"
Generate a self-signed certificate?: yes
Use MySQL?: yes
Where is the database located: localhost
Create the LinOTP database (database name) on the server: LinOTP2
Create a separate user for the database: LinOTP2
Password for that user: "YourPassword"
Should the database be created now? (something like "are you sure you want to..."): yes
Enter the MySQL root password you created when installing it: "YourPassword"
Done.

(optional, you don't have to install it)

# apt-get install linotp-adminclient-cli 

(optional, you don't have to install it)

# apt-get install libpam-linotp  

So our LinOTP interface is now available at:

https://server_IP/manage

I will talk about the settings in the web interface a bit later.

Now, first things first! Let's bring up FreeRADIUS and connect it to LinOTP.

Install FreeRADIUS and the module for working with LinOTP:

# apt-get install freeradius linotp-freeradius-perl

Back up the RADIUS clients and users configs:

# mv /etc/freeradius/clients.conf  /etc/freeradius/clients.old

# mv /etc/freeradius/users  /etc/freeradius/users.old

Create an empty clients file:

# touch /etc/freeradius/clients.conf

Edit our new config file (the config below can be used as an example):

# nano /etc/freeradius/clients.conf

client 192.168.188.0/24 {
    secret = passwd # shared secret the RADIUS clients connect with; choose a long random value, it is all that protects the PIN+OTP on the way to FreeRADIUS
}
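To show what that shared secret actually does, here is an added example (not code from the original article, FreeRADIUS or LinOTP) of the RFC 2865 PAP encoding a RADIUS client such as Cisco ASA, OpenVPN or pam_radius applies to the PIN+OTP before sending it to FreeRADIUS. The secret is folded into an MD5 keystream and is the only thing hiding the password on the wire, so anyone who captures the UDP packet and knows or guesses a secret like `passwd` recovers the PIN and the OTP. The secret, NAS address and authenticator used in the demo are constructed values; sending to a live server with `send_access_request()` is optional.

```python
# Added example (not code from the original article or from FreeRADIUS/LinOTP):
# RFC 2865 PAP encoding of the User-Password attribute with the clients.conf
# shared secret. All sample values below are constructed for the demo.
import hashlib
import os
import socket
import struct

ACCESS_REQUEST = 1          # RADIUS packet code
ATTR_USER_NAME = 1
ATTR_USER_PASSWORD = 2
ATTR_NAS_IP_ADDRESS = 4


def _pad16(data: bytes) -> bytes:
    """Pad with NULs to a multiple of 16 bytes, as RFC 2865 section 5.2 requires."""
    return data + b"\x00" * (-len(data) % 16)


def encrypt_pap_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """c_i = p_i XOR MD5(secret + c_{i-1}); c_0 is the 16-byte Request Authenticator."""
    if len(password) > 128:
        raise ValueError("RFC 2865 limits User-Password to 128 bytes")
    out, prev = b"", authenticator
    padded = _pad16(password)
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        out += block
        prev = block
    return out


def decrypt_pap_password(ciphertext: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of encrypt_pap_password: what FreeRADIUS (or an eavesdropper) does."""
    out, prev = b"", authenticator
    for i in range(0, len(ciphertext), 16):
        block = ciphertext[i:i + 16]
        keystream = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(block, keystream))
        prev = block
    return out.rstrip(b"\x00")


def _attr(attr_type: int, value: bytes) -> bytes:
    """Type-Length-Value attribute; length covers the two header bytes too."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(identifier: int, username: str, password: str, secret: bytes,
                         nas_ip: str, authenticator: bytes = None) -> bytes:
    """Build an Access-Request as a NAS would send it to FreeRADIUS on UDP/1812."""
    authenticator = authenticator or os.urandom(16)
    attrs = _attr(ATTR_USER_NAME, username.encode())
    attrs += _attr(ATTR_USER_PASSWORD,
                   encrypt_pap_password(password.encode(), secret, authenticator))
    attrs += _attr(ATTR_NAS_IP_ADDRESS, socket.inet_aton(nas_ip))
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs))
    return header + authenticator + attrs


def parse_attributes(packet: bytes) -> list:
    """Return [(type, value), ...] from the attribute section of a RADIUS packet."""
    attrs, pos = [], 20
    while pos + 2 <= len(packet):
        attr_type, length = packet[pos], packet[pos + 1]
        if length < 2:
            raise ValueError("malformed attribute")
        attrs.append((attr_type, packet[pos + 2:pos + length]))
        pos += length
    return attrs


def recover_password_from_capture(packet: bytes, secret: bytes) -> bytes:
    """What an attacker with a packet capture and the shared secret can do."""
    authenticator = packet[4:20]
    for attr_type, value in parse_attributes(packet):
        if attr_type == ATTR_USER_PASSWORD:
            return decrypt_pap_password(value, secret, authenticator)
    raise ValueError("no User-Password attribute")


def send_access_request(packet: bytes, host: str, port: int = 1812, timeout: float = 5.0) -> int:
    """Optional live test against FreeRADIUS; returns the reply code
    (2 = Access-Accept, 3 = Access-Reject, 11 = Access-Challenge). Not used offline."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(packet, (host, port))
        reply, _ = sock.recvfrom(4096)
    return reply[0]


if __name__ == "__main__":
    # Constructed demo: PIN '1234' + OTP '567890', secret 'passwd' from the example clients.conf.
    pkt = build_access_request(7, "alice", "1234567890", b"passwd", "192.168.188.10")
    print(recover_password_from_capture(pkt, b"passwd"))   # the PIN+OTP falls out of the capture
```

The same recovery works for any client in the 192.168.188.0/24 block above, because they all share one secret; a per-client secret limits what a single captured or leaked value exposes.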

Next, create the users file:

# touch /etc/freeradius/users

Edit the file, telling RADIUS that we will use perl for authentication:

# nano /etc/freeradius/users

DEFAULT Auth-type := perl

Next, edit the file /etc/freeradius/modules/perl

# nano /etc/freeradius/modules/perl

We need to point the module option to the LinOTP perl script:

perl {
    ...
    module = /usr/lib/linotp/radius_linotp.pm
    ...
}

Next, create the file in which we tell it where (domain, database or file) to take the user data from.

# touch /etc/linotp2/rlm_perl.ini

# nano /etc/linotp2/rlm_perl.ini

URL=https://your_LinOTP_server_IP(192.168.X.X)/validate/simplecheck
REALM=webusers1c
RESCONF=LocalUser
Debug=True
SSL_CHECK=False

I will go into a bit more detail here, because it matters:

Full description of the file, with comments:
#IP of the LinOTP server (the address of our LinOTP server)
URL=https://172.17.14.103/validate/simplecheck
#Our realm, which we will create in the LinOTP interface
REALM=realm1
#Name of the user resolver (user group) created in the LinOTP interface
RESCONF=flat_file
#optional: comment out once everything appears to work
Debug=True
#optional: keep this if you use your own (self-signed) certificate that the FreeRADIUS host does not trust, otherwise comment it out
SSL_CHECK=False

Note that SSL_CHECK=False turns off verification of the LinOTP server's certificate. FreeRADIUS then accepts any certificate, so anyone able to interpose between the two hosts can read the PIN+OTP in the validate request and forge the reply. Keep it only while testing; for production, make the FreeRADIUS host trust the self-signed certificate and enable the check.
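To make the rlm_perl.ini fields concrete, here is an added example (not code from the original article or from LinOTP) of a minimal client for the /validate/simplecheck call that radius_linotp.pm makes on FreeRADIUS's behalf. It shows how URL, REALM, RESCONF and SSL_CHECK map onto the HTTPS request, parses the reply, and fails closed on anything that is not an explicit accept. Assumptions that are mine, not the page's: the `user`, `pass` and `realm` parameters follow the LinOTP validate API; `resConf` and `client` are how I understand radius_linotp.pm passes RESCONF and the NAS address; the `:-/ <state> <message>` form is how I understand simplecheck reports a challenge. The transport is injectable so the code runs offline; the demo uses a constructed LinOTP stand-in.

```python
# Added example (not code from the original article or from LinOTP): a client
# for /validate/simplecheck mirroring the rlm_perl.ini settings. Parameter names
# beyond user/pass/realm, and the ':-/' challenge format, are assumptions.
import ssl
import urllib.parse
import urllib.request
from dataclasses import dataclass
from typing import Optional


@dataclass
class SimplecheckConfig:
    url: str                        # URL=...
    realm: str                      # REALM=...
    resconf: str = ""               # RESCONF=...  (sent as 'resConf', assumption)
    ssl_check: bool = True          # SSL_CHECK=...
    ca_file: Optional[str] = None   # PEM with the (self-signed) LinOTP certificate


@dataclass
class AuthResult:
    status: str           # 'accept', 'reject' or 'challenge'
    state: str = ""       # transaction id for challenge-response tokens (SMS, e-mail)
    message: str = ""     # prompt to show the user


def build_request(cfg: SimplecheckConfig, user: str, otp_pass: str,
                  client_ip: Optional[str] = None):
    """Return (url, body) for the POST; the body carries PIN+OTP, hence HTTPS only."""
    params = {"user": user, "pass": otp_pass, "realm": cfg.realm}
    if cfg.resconf:
        params["resConf"] = cfg.resconf      # assumption: how RESCONF is passed
    if client_ip:
        params["client"] = client_ip         # assumption: NAS address passed through
    return cfg.url, urllib.parse.urlencode(params).encode()


def parse_reply(body: str) -> AuthResult:
    """':-)' accepts, ':-/ <state> <message>' asks for a second step, all else rejects."""
    text = body.strip()
    if text.startswith(":-)"):
        return AuthResult("accept")
    if text.startswith(":-/"):
        parts = text[3:].split(None, 1)
        return AuthResult("challenge",
                          parts[0] if parts else "",
                          parts[1] if len(parts) > 1 else "")
    return AuthResult("reject")   # ':-(' and anything unexpected: fail closed


def make_transport(cfg: SimplecheckConfig):
    """Real HTTPS transport. Verification is only disabled when SSL_CHECK=False."""
    ctx = ssl.create_default_context(cafile=cfg.ca_file)
    if not cfg.ssl_check:          # equivalent of SSL_CHECK=False: lab use only
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE

    def post(url: str, body: bytes) -> str:
        req = urllib.request.Request(url, data=body, method="POST")
        with urllib.request.urlopen(req, context=ctx, timeout=10) as resp:
            return resp.read().decode("utf-8", "replace")
    return post


def check_otp(cfg: SimplecheckConfig, user: str, otp_pass: str,
              transport=None, client_ip: Optional[str] = None) -> AuthResult:
    """One authentication round trip; refuses to leak PIN+OTP over plaintext HTTP."""
    if not cfg.url.lower().startswith("https://"):
        raise ValueError("refusing to send PIN+OTP to a non-HTTPS validate URL")
    url, body = build_request(cfg, user, otp_pass, client_ip)
    post = transport or make_transport(cfg)
    return parse_reply(post(url, body))


def demo():
    """Offline walk-through with a constructed LinOTP that accepts exactly one PIN+OTP."""
    cfg = SimplecheckConfig(url="https://172.17.14.103/validate/simplecheck",
                            realm="realm1", resconf="flat_file")

    def fake_linotp(url: str, body: bytes) -> str:
        params = dict(urllib.parse.parse_qsl(body.decode()))
        return ":-)" if params.get("pass") == "1234567890" else ":-("

    ok = check_otp(cfg, "alice", "1234567890", transport=fake_linotp, client_ip="192.168.188.10")
    bad = check_otp(cfg, "alice", "1234000000", transport=fake_linotp)
    return ok.status, bad.status


if __name__ == "__main__":
    print(demo())
```

Run it against a real server by dropping the `transport` argument and pointing `ca_file` at the self-signed certificate the LinOTP installer generated; that is the production equivalent of SSL_CHECK=True.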

Next, create the file /etc/freeradius/sites-available/linotp

# touch /etc/freeradius/sites-available/linotp

# nano /etc/freeradius/sites-available/linotp

and copy the config into it (nothing needs to be edited):

authorize {
    # normalizes malformed client requests before they are handed on to other modules (see '/etc/freeradius/modules/preprocess')
    preprocess
    #  If you are using multiple kinds of realms, you probably
    #  want to set "ignore_null = yes" for all of them.
    #  Otherwise, when the first style of realm doesn't match,
    #  the other styles won't be checked.
    # allows a list of realms (see '/etc/freeradius/modules/realm')
    IPASS
    # understands something like USER@REALM and can tell the components apart (see '/etc/freeradius/modules/realm')
    suffix
    # understands DOMAIN\USER and can tell the components apart (see '/etc/freeradius/modules/realm')
    ntdomain
    # Read the 'users' file to learn about special configuration which should be applied for
    # certain users (see '/etc/freeradius/modules/files')
    files
    # allows authentication to expire (see '/etc/freeradius/modules/expiration')
    expiration
    # allows defining valid service times (see '/etc/freeradius/modules/logintime')
    logintime
    # We got no radius_shortname_map!
    pap
}
# here the linotp perl module is called for further processing
authenticate {
    perl
}

Next, create a symlink:

# ln -s ../sites-available/linotp /etc/freeradius/sites-enabled

Personally, I remove the default RADIUS sites, but if you need them, you can either edit their config or disable them.

# rm /etc/freeradius/sites-enabled/default

# rm /etc/freeradius/sites-enabled/inner-tunnel

# service freeradius reload

Now let's return to the web interface and look at it a bit more closely:
In the upper right corner click LinOTP Config -> UserIdResolvers -> New.
Choose what we want: LDAP (AD win, LDAP samba), or SQL, or the local system users flatfile.

Fill in the fields.

Next, create the realms:
In the upper right corner click LinOTP Config -> Realms -> New.
Give our REALM a name and also tick the UserIdResolver created earlier.

FreeRADIUS needs all this data in the file /etc/linotp2/rlm_perl.ini, as I wrote above, so if you did not edit it then, do it now.

The server is configured.

Addendum:

LinOTP setup on Debian 9:

Install the following:

# echo 'deb http://linotp.org/apt/debian stretch linotp' > /etc/apt/sources.list.d/linotp.list 
# apt-get install dirmngr

# apt-key adv --recv-keys 913DFF12F86258E5
# apt-get update

# apt-get install mysql-server

(by default, in Debian 9 MySQL (MariaDB) does not offer to set a root password; you can of course leave it empty, but if you follow the news, that very often ends in an epic fail, so we will set one anyway. Note that a direct UPDATE of the mysql.user table only takes effect after FLUSH PRIVILEGES, and that MariaDB in Debian 9 lets the local root log in through the unix_socket plugin by default, so the password below is only used once that plugin is not set for root.)

# mysql -u root -p
use mysql;
UPDATE user SET Password = PASSWORD('password_here') WHERE User = 'root';
FLUSH PRIVILEGES;
exit
# apt-get install linotp
# apt-get install linotp-adminclient-cli
# apt-get install python-ldap
# apt install freeradius
# nano /etc/freeradius/3.0/sites-enabled/linotp

Paste the code (sent in by JuriM, thanks to him for it!):

server linotp {
    listen {
        ipaddr = *
        port = 1812
        type = auth
    }
    listen {
        ipaddr = *
        port = 1813
        type = acct
    }
    authorize {
        preprocess
        update {
            &control:Auth-Type := Perl
        }
    }
    authenticate {
        Auth-Type Perl {
            perl
        }
    }
    accounting {
        unix
    }
}

Edit /etc/freeradius/3.0/mods-enabled/perl

perl {
    filename = /usr/share/linotp/radius_linotp.pm
    func_authenticate = authenticate
    func_authorize = authorize
}

Unfortunately, on Debian 9 the radius_linotp.pm library is not installed from the repositories, so we will take it from GitHub.

# apt install git
# git clone https://github.com/LinOTP/linotp-auth-freeradius-perl
# cd linotp-auth-freeradius-perl/
# cp radius_linotp.pm /usr/share/linotp/radius_linotp.pm

now edit /etc/freeradius/3.0/clients.conf

client servers {
    ipaddr = 192.168.188.0/24
    secret = your_password
}

Now let's fix it: nano /etc/linotp2/rlm_perl.ini

Paste the same code there as when installing on Debian 8 (see above);

In theory it should all work. (Not tested, though)

Below are a few links on setting up the systems that most often need to be protected with two-factor authentication:
Setting up two-factor authentication in Apache2

Cisco ASA setup (a different token-generation server is used there, but the ASA settings themselves are the same).

VPN with two-factor authentication

Two-factor authentication in SSH (LinOTP is used there too) - thanks to the author. There you can also find interesting material on setting up LinOTP policies.

Also, many CMSs support two-factor authentication (for WordPress, LinOTP even has its own module on GitHub), for example if you want to make a secure section on your corporate website for company employees.
IMPORTANT! Do NOT tick the "Google authenticator" box when using Google Authenticator! The QR code is not readable then...

Information from the following articles was used in writing this article:
itnan.ru/post.php?c=1&p=270571
www.digitalbears.net/?p=469

Thanks to the authors.

Source: www.habr.com
