LinOTP two-factor authentication server

Today I want to describe how to set up a two-factor authentication server to protect a corporate network, sites, services and SSH. The server will run the following bundle: LinOTP + FreeRadius.

Why do we need it?
It is a completely free, convenient solution that lives inside our own network and does not depend on third-party providers.

The service is very convenient and quite visual, unlike some other open-source products, and it supports a large number of functions and policies (for example, login+password+(PIN+OTPToken)). Through its API it integrates with SMS sending services (LinOTP Config->Provider Config->SMS Provider), generates codes for mobile applications such as Google Authenticator, and much more. In my opinion it is more convenient than the service discussed in the article.

This server works well with Cisco ASA, OpenVPN server, Apache2 and, in fact, almost anything that supports authentication via a RADIUS server (for example, for SSH in the data center).

Required:

1) Debian 8 (jessie) - required! (A test installation on Debian 9 is described at the end of the article.)

Let's start:

Install Debian 8.

Add the LinOTP repository:

# echo 'deb http://www.linotp.org/apt/debian jessie linotp' > /etc/apt/sources.list.d/linotp.list

Add the key:

# gpg --search-keys 913DFF12F86258E5

Sometimes, on a "clean" install, Debian prints the following after this command:

gpg: создан каталог `/root/.gnupg'
gpg: создан новый файл настроек `/root/.gnupg/gpg.conf'
gpg: ВНИМАНИЕ: параметры в `/root/.gnupg/gpg.conf' еще не активны при этом запуске
gpg: создана таблица ключей `/root/.gnupg/secring.gpg'
gpg: создана таблица ключей `/root/.gnupg/pubring.gpg'
gpg: не заданы серверы ключей (используйте --keyserver)
gpg: сбой при поиске на сервере ключей: плохой URI

This is just the initial gnupg setup; it is fine. Run the command again.
If Debian asks:

gpg: поиск "913DFF12F86258E5" на hkp сервере keys.gnupg.net
(1)	LSE LinOTP2 Packaging <[email protected]>
	  2048 bit RSA key F86258E5, создан: 2010-05-10
Keys 1-1 of 1 for "913DFF12F86258E5".  Введите числа, N) Следующий или Q) Выход>

We answer: 1

Next:

# gpg --export 913DFF12F86258E5 | apt-key add -

# apt-get update

Install mysql. In theory you can use another SQL server, but for simplicity I use the one recommended for LinOTP.

(More information, including reconfiguring the LinOTP database, can be found in the official documentation at the link. You can also use the command dpkg-reconfigure linotp to change the parameters if you installed mysql.)

# apt-get install mysql-server

# apt-get update

(it does not hurt to check for updates again)
Install LinOTP and the additional modules:

# apt-get install linotp

Answer the installer's questions:
Use Apache2: yes
Create a password for the LinOTP administrator: "YourPassword"
Generate a self-signed certificate?: yes
Use MySQL?: yes
Where is the database located: localhost
Create a LinOTP database (database name) on the server: LinOTP2
Create a separate user for the database: LinOTP2
Set a password for that user: "YourPassword"
Should the database be created now? (something like "Are you sure..."): yes
Enter the MySQL root password you created when installing it: "YourPassword"
Done.

(optional, you may skip it)

# apt-get install linotp-adminclient-cli 

(optional, you may skip it)

# apt-get install libpam-linotp  

Now our LinOTP web interface is available at:

https://server_IP/manage

I will talk about the settings in the web interface a little later.

Now the most important part! We bring up FreeRadius and link it to LinOTP.

Install FreeRadius and the module for working with LinOTP:

# apt-get install freeradius linotp-freeradius-perl

Back up the radius clients and users configs:

# mv /etc/freeradius/clients.conf  /etc/freeradius/clients.old

# mv /etc/freeradius/users  /etc/freeradius/users.old

Create an empty clients file:

# touch /etc/freeradius/clients.conf

Edit our new config file (the backed-up config can be used as an example):

# nano /etc/freeradius/clients.conf

client 192.168.188.0/24 {
    secret = passwd # shared secret the RADIUS clients use to connect
}

Next, create the users file:

# touch /etc/freeradius/users

Edit the file, telling radius that we will use perl for authentication:

# nano /etc/freeradius/users

DEFAULT Auth-type := perl

Next, edit the file /etc/freeradius/modules/perl

# nano /etc/freeradius/modules/perl

We need to point the module parameter at the linotp perl script:

perl {
    ...
    module = /usr/lib/linotp/radius_linotp.pm
    ...
}

Next, we create a file that tells the module where (which realm, database or file) to take the user data from.

# touch /etc/linotp2/rlm_perl.ini

# nano /etc/linotp2/rlm_perl.ini

URL=https://IP_вашего_LinOTP_сервера(192.168.X.X)/validate/simplecheck
REALM=webusers1c
RESCONF=LocalUser
Debug=True
SSL_CHECK=False

I will say more about this file here, because it is important.

Full description of the file, with comments:
# IP of the LinOTP server (the IP address of our LinOTP server)
URL=https://172.17.14.103/validate/simplecheck
# The realm we create in the LinOTP web interface
REALM=rearm1
# Name of the user group (UserIdResolver) created in the LinOTP web interface
RESCONF=flat_file
# optional: report whether everything is OK
Debug=True
# optional: set this to True if you have your own signed certificates, otherwise not (SSL verification, for when we created our own certificate and want it to be checked)
SSL_CHECK=False
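As an added illustration (not code from the article or from LinOTP), here is a small Python client that reads the same rlm_perl.ini keys and calls /validate/simplecheck the way the radius_linotp.pm module does, mapping the reply to a RADIUS decision; the parameter names (user, pass, realm, resConf) and the ":-)" / ":-(" / ":/" reply tokens are my assumptions about the LinOTP validate API, so check them against the LinOTP docs for your version. It also makes visible what SSL_CHECK=False does: certificate verification is switched off, which is only acceptable on an isolated management network.

```python
# Added example: minimal LinOTP simplecheck client driven by rlm_perl.ini.
import configparser
import ssl
import urllib.parse
import urllib.request


def load_rlm_perl_ini(text):
    """Parse the key=value lines of rlm_perl.ini (the file has no section header)."""
    cp = configparser.ConfigParser()
    cp.optionxform = str  # keep URL / REALM / SSL_CHECK in their original case
    cp.read_string("[linotp]\n" + text)
    return dict(cp["linotp"])


def build_request(cfg, user, password):
    """Return (url, urlencoded POST body) for one simplecheck call.
    Parameter names are an assumption about the LinOTP validate API."""
    params = {"user": user, "pass": password}
    if cfg.get("REALM"):
        params["realm"] = cfg["REALM"]
    if cfg.get("RESCONF"):
        params["resConf"] = cfg["RESCONF"]
    return cfg["URL"], urllib.parse.urlencode(params).encode()


def interpret(body):
    """Map a simplecheck reply body to the RADIUS packet type to send back.
    Anything unexpected (HTML error page, empty body) is a reject, never an accept."""
    body = body.strip()
    if body == ":-)":
        return "Access-Accept"
    if body == ":-(":
        return "Access-Reject"
    if body.startswith(":/"):          # challenge-response pending (e.g. SMS token)
        return "Access-Challenge"
    return "Access-Reject"


def validate(cfg, user, password, opener=urllib.request.urlopen):
    """Perform the call. SSL_CHECK=False disables certificate verification,
    exactly the weakening the ini option implies; keep it True in production."""
    url, body = build_request(cfg, user, password)
    ctx = ssl.create_default_context()
    if cfg.get("SSL_CHECK", "True").lower() == "false":
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    with opener(url, data=body, context=ctx, timeout=5) as resp:
        return interpret(resp.read().decode())
```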

Next, create the file /etc/freeradius/sites-available/linotp

# touch /etc/freeradius/sites-available/linotp

# nano /etc/freeradius/sites-available/linotp

Paste the following config into it (nothing needs to be edited):

authorize {
    # normalizes malformed client requests before they are handed on to other modules (see '/etc/freeradius/modules/preprocess')
    preprocess
    #  If you are using multiple kinds of realms, you probably
    #  want to set "ignore_null = yes" for all of them.
    #  Otherwise, when the first style of realm doesn't match,
    #  the other styles won't be checked.
    # allows a list of realms (see '/etc/freeradius/modules/realm')
    IPASS
    # understands something like USER@REALM and can tell the components apart (see '/etc/freeradius/modules/realm')
    suffix
    # understands USER\REALM and can tell the components apart (see '/etc/freeradius/modules/realm')
    ntdomain
    #  Read the 'users' file to learn about special configuration which should be applied for
    #  certain users (see '/etc/freeradius/modules/files')
    files
    # allows authentication to expire (see '/etc/freeradius/modules/expiration')
    expiration
    # allows to define valid service-times (see '/etc/freeradius/modules/logintime')
    logintime
    # We got no radius_shortname_map!
    pap
}
# here the linotp perl module is called for further processing
authenticate {
    perl
}

Then create a symlink:

# ln -s ../sites-available/linotp /etc/freeradius/sites-enabled

Personally, I delete the default Radius sites, but if you want you can edit their configs or just disable them.

# rm /etc/freeradius/sites-enabled/default

# rm /etc/freeradius/sites-enabled/inner-tunnel

# service freeradius reload

Now we go back to the web interface and look at it in a little more detail:
In the top right corner click LinOTP Config -> UserIdResolvers -> New
Choose what we need: LDAP (Windows AD, Samba LDAP), SQL, or local system users from a Flatfile.

Fill in the required fields.

Next we create the REALMS:
In the top right corner, click LinOTP Config -> Realms -> New.
Give our REALM a name and tick the UserIdResolvers created earlier.

FreeRadius needs all this data in the file /etc/linotp2/rlm_perl.ini, as I wrote above, so if you did not edit it then, do it now.

The server is fully configured.

Addendum:

Installing LinOTP on Debian 9:

Setup:

# echo 'deb http://linotp.org/apt/debian stretch linotp' > /etc/apt/sources.list.d/linotp.list 
# apt-get install dirmngr

# apt-key adv --recv-keys 913DFF12F86258E5
# apt-get update

# apt-get install mysql-server

(by default, in Debian 9 mysql (MariaDB) does not offer to set a root password; you can of course leave it empty, but if you read the reports this often leads to an "epic fail", so we set it anyway)

# mysql -u root -p
use mysql;
UPDATE user SET Password = PASSWORD('тут_пароль') WHERE User = 'root';
exit
# apt-get install linotp
# apt-get install linotp-adminclient-cli
# apt-get install python-ldap
# apt install freeradius
# nano /etc/freeradius/3.0/sites-enabled/linotp

Paste in the following config (sent by JuriM, thanks to him for that!):

server linotp {
    listen {
        ipaddr = *
        port = 1812
        type = auth
    }
    listen {
        ipaddr = *
        port = 1813
        type = acct
    }
    authorize {
        preprocess
        update {
            &control:Auth-Type := Perl
        }
    }
    authenticate {
        Auth-Type Perl {
            perl
        }
    }
    accounting {
        unix
    }
}

Edit /etc/freeradius/3.0/mods-enabled/perl

perl {
    filename = /usr/share/linotp/radius_linotp.pm
    func_authenticate = authenticate
    func_authorize = authorize
}

However, on Debian 9 the radius_linotp.pm library is not installed from the repositories, so we take it from GitHub.

# apt install git
# git clone https://github.com/LinOTP/linotp-auth-freeradius-perl
# cd linotp-auth-freeradius-perl/
# cp radius_linotp.pm /usr/share/linotp/radius_linotp.pm

Now edit /etc/freeradius/3.0/clients.conf

client servers {
    ipaddr = 192.168.188.0/24
    secret = your_password
}

Now edit /etc/linotp2/rlm_perl.ini with nano

We paste in the same content as for the Debian 8 install (described above)

in theory. (not tested yet)

Below I leave some links on configuring systems that need to be protected with two-factor authentication:
Setting up two-factor authentication in Apache2

Setup with Cisco ASA (a different token generation server is used there, but the settings of the ASA itself are identical).

VPN with two-factor authentication

Setting up two-factor authentication in ssh (LinOTP is used there as well) - thanks to the author. There you will also find interesting material on setting up LinOTP policies.

Also, the CMS of many sites support two-factor authentication (for WordPress, LinOTP even has its own separate module on GitHub), for example if you want to create a protected section on your corporate site for company employees.
IMPORTANT! Do NOT tick the "Google Authenticator" box in order to use Google Authenticator! The QR code then cannot be read... (strange fact)

Material from the following articles was used to write this article:
itnan.ru/post.php?c=1&p=270571
www.digitalbears.net/?p=469

Thanks to the authors.

Source: will.com
