Simple passwords are not secure, and complex ones are hard to remember. That is why they so often end up on a sticky note under the keyboard or on the monitor. To keep passwords in the heads of "forgetful" users without giving up the reliability of the protection, there is two-factor authentication (2FA).
Because possession of a device is combined with knowledge of its PIN, the PIN itself can be short and easy to remember. Weaknesses in PIN length or randomness are compensated by the possession requirement and by the limit on PIN brute-force attempts enforced by the device.
On top of that, government organisations sometimes require everything to work according to GOST. This article walks through such a 2FA option for logging in to Linux. I will start from afar.
PAM modules
Pluggable Authentication Modules (PAM) are modules with a standardised API that implement various authentication mechanisms for applications.
Every utility and application that can work with PAM picks up these modules and uses them to authenticate users.
In practice it works like this: the login command calls PAM, which performs all the required checks using the modules listed in its configuration file and returns the result to the login command.
librtpam
The module developed by Aktiv adds two-factor authentication of users with smart cards or USB tokens, using asymmetric keys according to the current domestic (Russian) cryptography standards.
Let us look at how it works:
- The token stores the user's certificate and its private key;
- The same certificate is stored in the user's home directory as trusted.
The authentication process goes as follows:
- The user's certificate is looked up on the Rutoken.
- The token PIN is requested.
- Random data (a challenge) is signed with the private key directly inside the Rutoken device.
- The resulting signature is verified with the public key from the user's certificate.
- The module returns the signature verification result to the calling application.
You can authenticate with GOST R 34.10-2012 keys (256 or 512 bits long) or with the legacy GOST R 34.10-2001.
You need not worry about the security of the keys: they are generated directly on the Rutoken and never leave its memory during cryptographic operations.
Rutoken EDS 2.0 is certified by the FSB and FSTEC under NDV 4, so it can be used in information systems that process confidential information.
Practical use
Almost any modern Linux will do; as an example we will use xUbuntu 18.10.
1) Install the required packages
$ sudo apt-get install libccid pcscd opensc
If you also want the computer to lock its screen when the token is removed, install the libpam-pkcs11 package as well.
2) Add the PAM module with GOST support
Unpack the library archive and copy librtpam.so.1.0.0 from its PAM folder into one of the system library directories:
/usr/lib/
or /usr/lib/x86_64-linux-gnu/
or /usr/lib64
3) Install the package containing librtpkcs11ecp.so
Download and install the DEB or RPM package from the vendor (Aktiv).
4) Make sure Rutoken EDS 2.0 works in the system
In a terminal, run
$ pkcs11-tool --module /usr/lib/librtpkcs11ecp.so -T
If you see the line Rutoken ECP <no label>, everything is fine.
5) Read the certificate
Check whether the device holds a certificate:
$ pkcs11-tool --module /usr/lib/librtpkcs11ecp.so -O
If, after the line
Using slot 0 with a present token (0x0)
information about keys and a certificate is displayed, read the certificate and save it to disk. To do so, run the following command, substituting for {id} the ID of the certificate object as shown in the previous command's output:
$ pkcs11-tool --module /usr/lib/librtpkcs11ecp.so -r -y cert --id {id} --output-file cert.crt
If the file cert.crt was created, go to step 6). If nothing was listed, the device is empty: contact your administrator, or generate the keys and certificate yourself as described in the next step.
5.1) Create a test certificate
Warning! The key and certificate generation methods described here are suitable for testing and are not intended for production use. For production you must use keys and certificates issued by your organisation's trusted certification authority or by an accredited certification authority.
The PAM module is designed to protect local computers and to work in small organisations. Since there are few users, the administrator can track certificate revocation and block accounts by hand, and also keep an eye on certificate validity periods. The PAM module does not yet know how to validate certificates against CRLs or build trust chains. In practice this means that the list of trusted certificates in the user's home directory is the only trust anchor: revoking a token amounts to removing its certificate from that list (and disabling the account), and validity periods have to be watched by the administrator as well.
The easy way (via a browser)
To obtain a test certificate, use a test certification authority's web service.
The geek way (via the console and, possibly, the compiler)
Check the OpenSC version:
$ opensc-tool --version
If the version is lower than 0.20, update it or build it from source.
Generate a key pair with the following parameters:
--key-type: GOSTR3410-2012-512:A (GOST-2012, 512 bits, parameter set A) or GOSTR3410-2012-256:A (GOST-2012, 256 bits, parameter set A)
--id: the object identifier (CKA_ID) written as two-digit hex codes of characters from the ASCII table. Use only the ASCII codes of printable characters, because the id has to be passed to OpenSSL as a string. For example, the ASCII codes "3132" correspond to the string "12". For convenience you can use any ASCII table or converter.
$ pkcs11-tool --module /usr/lib/librtpkcs11ecp.so --keypairgen --key-type GOSTR3410-2012-512:A -l --id 3132
Next we create a certificate. Two ways are described below: the first goes through a CA (we will use a test CA), the second is a self-signed certificate. For either, you first need to install and configure OpenSSL 1.1 or later to work with Rutoken through the dedicated rtengine engine, following the manual.
For example, '--id 3132' in pkcs11-tool corresponds to "pkcs11:id=12" in OpenSSL.
There are many test CA services you can use. Create a certificate request for the CA:
$ openssl req -utf8 -new -keyform engine -key "pkcs11:id=12" -engine rtengine -out req.csr
Loading the received certificate onto the device
Another option is to be lazy and create a self-signed certificate:
$ openssl req -utf8 -x509 -keyform engine -key "pkcs11:id=12" -engine rtengine -out cert.cer
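The CKA_ID convention above trips people up: pkcs11-tool wants the id as hex bytes ("3132"), OpenSSL's rtengine wants the same bytes as an RFC 7512 URI ("pkcs11:id=12"), and only printable ASCII survives the round trip. The script below is an added example, not code from the original article or from Aktiv. It converts between the two forms, rejects ids that would not round-trip, and (going slightly beyond the article's single example) percent-encodes id bytes that RFC 7512 does not allow bare, so "a b" becomes "pkcs11:id=a%20b". The generate_gost_identity function then strings together the article's keypairgen and self-signed certificate commands and writes the certificate back to the token under the same CKA_ID; the module path, the "run" entry point and the file names are assumptions of this script.

```shell
#!/bin/sh
# Added example (not from the article or Aktiv): CKA_ID helpers plus the
# article's token steps. RUTOKEN_MODULE and the "run" entry point are
# assumptions of this script.
MODULE="${RUTOKEN_MODULE:-/usr/lib/librtpkcs11ecp.so}"

# cka_id_check HEX: 0 if HEX is a non-empty, even-length hex string whose
# bytes are all printable ASCII (0x20..0x7e); 1 otherwise.
cka_id_check() {
    h=$1
    case "$h" in
        "" | *[!0-9a-fA-F]*) return 1 ;;
    esac
    [ $(( ${#h} % 2 )) -eq 0 ] || return 1
    while [ -n "$h" ]; do
        pair=$(printf '%.2s' "$h")
        byte=$(( 0x$pair ))
        { [ "$byte" -ge 32 ] && [ "$byte" -le 126 ]; } || return 1
        h=${h#??}
    done
    return 0
}

# ascii_to_cka_id "12" -> "3132" (the --id argument for pkcs11-tool)
ascii_to_cka_id() {
    hex=$(LC_ALL=C printf '%s' "$1" | od -An -v -tx1 | tr -d ' \n')
    cka_id_check "$hex" || { echo "id must be non-empty printable ASCII: '$1'" >&2; return 1; }
    printf '%s' "$hex"
}

# cka_id_to_ascii "3132" -> "12" (the string OpenSSL sees)
cka_id_to_ascii() {
    cka_id_check "$1" || { echo "bad CKA_ID: '$1'" >&2; return 1; }
    hex=$1; out=""
    while [ -n "$hex" ]; do
        pair=$(printf '%.2s' "$hex")
        out="$out$(printf "\\$(printf '%03o' "$(( 0x$pair ))")")"
        hex=${hex#??}
    done
    printf '%s' "$out"
}

# pkcs11_uri_for_id "12" -> "pkcs11:id=12". RFC 7512 percent-encodes every
# id byte that is not unreserved (A-Z a-z 0-9 - . _ ~).
pkcs11_uri_for_id() {
    hex=$(ascii_to_cka_id "$1") || return 1
    enc=""
    while [ -n "$hex" ]; do
        pair=$(printf '%.2s' "$hex")
        ch=$(printf "\\$(printf '%03o' "$(( 0x$pair ))")")
        case "$ch" in
            [A-Za-z0-9._~-]) enc="$enc$ch" ;;
            *)               enc="$enc%$pair" ;;
        esac
        hex=${hex#??}
    done
    printf 'pkcs11:id=%s' "$enc"
}

# The article's key generation and self-signed certificate (test use only),
# plus writing the certificate back to the token under the same CKA_ID so
# that step 5 finds it. pkcs11-tool's --write-object takes a DER file.
generate_gost_identity() {
    hex=$(ascii_to_cka_id "$1") || return 1
    uri=$(pkcs11_uri_for_id "$1") || return 1
    pkcs11-tool --module "$MODULE" --keypairgen \
        --key-type GOSTR3410-2012-512:A -l --id "$hex" || return 1
    openssl req -utf8 -x509 -keyform engine -key "$uri" -engine rtengine \
        -out cert.cer || return 1
    openssl x509 -in cert.cer -outform DER -out cert.der || return 1
    pkcs11-tool --module "$MODULE" -l -y cert -w cert.der --id "$hex" || return 1
    echo "key pair and certificate stored under CKA_ID $hex ($uri)"
}

# usage: sh rutoken-id.sh run 12   (only then does the script touch the token)
if [ "${1:-}" = "run" ] && [ -n "${2:-}" ]; then
    generate_gost_identity "$2"
fi
```

The printable-ASCII check matters because the module later has to find the certificate by the same CKA_ID that the key pair was created with; an id containing non-printable bytes cannot be expressed reliably on the OpenSSL side.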
6) Register the certificate in the system
Make sure your certificate is a base64 (PEM) file, i.e. a text file beginning with -----BEGIN CERTIFICATE-----.
If it is a binary file instead, convert it from DER to PEM (base64):
$ openssl x509 -in cert.crt -out cert.pem -inform DER -outform PEM
Check again that the file now looks right.
Add the certificate to the list of trusted certificates
$ mkdir ~/.eid
$ chmod 0755 ~/.eid
$ cat cert.pem >> ~/.eid/authorized_certificates
$ chmod 0644 ~/.eid/authorized_certificates
The last line protects the list of trusted certificates from accidental or deliberate modification by other users; without it, someone could add their own certificate here and log in as you. Since this file is the module's only trust anchor, both the directory and the file must be owned by you and writable by nobody else.
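Step 6 is where a mistake stays invisible until the first login attempt fails. The script below is an added example, not code from the original article: it detects whether a certificate file is PEM or DER, converts DER with the same openssl command as above, and appends the result to ~/.eid/authorized_certificates with the directory and file permissions the article uses, refusing to continue if either is writable by group or others. The optional second argument (an alternative .eid directory) exists only so the script can be exercised on a scratch directory and is an assumption of this script.

```shell
#!/bin/sh
# Added example (not from the article): format check and safe install for the
# trusted-certificate list. The EID_DIR override is an assumption for testing.

# cert_format FILE: prints PEM, DER or unknown (exit status 1 for unknown)
cert_format() {
    if grep -q -e '-----BEGIN CERTIFICATE-----' "$1" 2>/dev/null; then
        printf 'PEM'
        return 0
    fi
    # DER X.509 starts with an ASN.1 SEQUENCE tag (0x30) followed, for any
    # certificate longer than 127 bytes, by a long-form length byte 0x81..0x84
    head2=$(od -An -v -N 2 -tx1 "$1" 2>/dev/null | tr -d ' \n')
    case "$head2" in
        308[1-4]) printf 'DER' ;;
        *)        printf 'unknown'; return 1 ;;
    esac
}

# ensure_pem IN OUT: write a PEM copy of IN to OUT, converting DER with openssl
ensure_pem() {
    case "$(cert_format "$1")" in
        PEM) cp "$1" "$2" ;;
        DER) openssl x509 -in "$1" -inform DER -out "$2" -outform PEM ;;
        *)   echo "$1: not an X.509 certificate" >&2; return 1 ;;
    esac
}

# not_writable_by_others PATH: 0 unless group or others have write permission
# (parses the ls -l mode string, so it does not need GNU stat)
not_writable_by_others() {
    mode=$(ls -ld "$1" | cut -c1-10)
    case "$mode" in
        ?????w????|????????w?) return 1 ;;
    esac
    return 0
}

# install_authorized_cert CERT [EID_DIR]: the article's four commands, checked
install_authorized_cert() {
    cert=$1
    dir=${2:-$HOME/.eid}
    list="$dir/authorized_certificates"
    tmp=$(mktemp) || return 1
    if ! ensure_pem "$cert" "$tmp"; then rm -f "$tmp"; return 1; fi
    mkdir -p "$dir" && chmod 0755 "$dir" || { rm -f "$tmp"; return 1; }
    [ -e "$list" ] || : > "$list"
    chmod 0644 "$list"
    if ! not_writable_by_others "$dir" || ! not_writable_by_others "$list"; then
        echo "$dir and $list must not be writable by group/others" >&2
        rm -f "$tmp"; return 1
    fi
    # keep entries separated even if the previous one lacked a final newline
    if [ -s "$list" ] && [ -n "$(tail -c 1 "$list")" ]; then echo >> "$list"; fi
    cat "$tmp" >> "$list"
    rm -f "$tmp"
}

# count_authorized_certs [EID_DIR]: how many certificates the list holds
count_authorized_certs() {
    grep -c -e '-----BEGIN CERTIFICATE-----' "${1:-$HOME/.eid}/authorized_certificates"
}
```

Run it as install_authorized_cert cert.crt; it accepts either the cert.crt read from the token in step 5 or the cert.pem you converted by hand, and leaves the list exactly as the article's commands would.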
7) Set up authentication
Installing our PAM module is nothing special and is done the same way as for other modules. Create the file /usr/share/pam-configs/rutoken-gost-pam containing the module's full name, whether it is enabled by default, the module's priority, and the authentication parameters.
The authentication parameters state what it takes for the operation to succeed (the PAM control flags):
- required: such a module must return a positive result. If it returns a negative one, authentication ultimately fails, but the remaining modules in the stack are still called, so the user cannot tell which module rejected them.
- requisite: like required, but a failure ends authentication immediately and the remaining modules are skipped.
- sufficient: if no required module earlier in the stack has failed, a positive result from such a module ends authentication successfully and the remaining modules are not called. A negative result from a sufficient module is ignored and the stack continues.
- optional: the result of such a module matters only when it is the only module in the stack for this service and type.
The complete file /usr/share/pam-configs/rutoken-gost-pam:
Name: Rutoken PAM GOST
Default: yes
Priority: 800
Auth-Type: Primary
Auth: sufficient /usr/lib/librtpam.so.1.0.0 /usr/lib/librtpkcs11ecp.so
The argument after the module path is the PKCS#11 library it should load. Because the module is listed as sufficient, a user without a token, or whose signature does not verify, falls through to the ordinary password prompt; that keeps a way in while you test, and you should only consider tightening the flag to required after step 8 confirms that the token path works.
Save the file and then run
$ sudo pam-auth-update
In the window that appears, put an asterisk next to Rutoken PAM GOST and click OK.
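It is easy to misjudge what a stack does from the flag descriptions alone. The script below is an added example, not code from the original article or from Linux-PAM: a small evaluator of the four control flags as described above, fed a stack as "control:result" arguments, so that the behaviour of the profile above (Rutoken module as sufficient ahead of the password module as required) can be checked before touching /etc/pam.d. It models only the plain keyword flags; the [success=N default=ignore] jump syntax that pam-auth-update actually writes is not modelled, which is an assumption of this script.

```shell
#!/bin/sh
# Added example (not from the article or Linux-PAM): evaluate an auth stack
# given as "control:result" arguments, e.g. sufficient:fail required:ok.
# Prints ok or fail and returns 0 or 1 accordingly.
evaluate_auth_stack() {
    required_failed=0   # a required module failed; the stack keeps running
    successes=0         # positive results from non-optional modules
    nonoptional=0       # number of non-optional modules seen
    optional_result=""  # result of the last optional module
    for entry in "$@"; do
        control=${entry%%:*}
        result=${entry#*:}
        case "$control:$result" in
            required:ok)    successes=$((successes + 1)); nonoptional=$((nonoptional + 1)) ;;
            required:fail)  required_failed=1; nonoptional=$((nonoptional + 1)) ;;
            requisite:ok)   successes=$((successes + 1)); nonoptional=$((nonoptional + 1)) ;;
            requisite:fail) echo fail; return 1 ;;          # ends the stack at once
            sufficient:ok)
                nonoptional=$((nonoptional + 1))
                # short-circuit unless an earlier required module already failed
                if [ "$required_failed" -eq 0 ]; then echo ok; return 0; fi ;;
            sufficient:fail) nonoptional=$((nonoptional + 1)) ;;   # ignored
            optional:ok|optional:fail) optional_result=$result ;;
            *) echo "bad entry: $entry" >&2; return 2 ;;
        esac
    done
    if [ "$required_failed" -eq 1 ]; then echo fail; return 1; fi
    if [ "$nonoptional" -eq 0 ]; then
        # optional modules only decide when nothing else is in the stack
        [ "$optional_result" = ok ] && { echo ok; return 0; }
        echo fail; return 1
    fi
    if [ "$successes" -gt 0 ]; then echo ok; return 0; fi
    echo fail; return 1
}

# The article's profile: Rutoken module (sufficient) ahead of the password
# module (required), and what happens if the token were made required instead.
demo_rutoken_profile() {
    printf 'token ok, password never asked:    %s\n' "$(evaluate_auth_stack sufficient:ok required:fail)"
    printf 'no token, correct password:        %s\n' "$(evaluate_auth_stack sufficient:fail required:ok)"
    printf 'no token, wrong password:          %s\n' "$(evaluate_auth_stack sufficient:fail required:fail)"
    printf 'token required, no token, password ok: %s\n' "$(evaluate_auth_stack required:fail required:ok)"
}
demo_rutoken_profile
```

The second and fourth lines of the demo are the point: with sufficient, the password remains a fallback for anyone without a token; with required, a missing or non-verifying token rejects the login even when the password is right, and the password module is still asked, so the user is not told which factor failed.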
8) Check the settings
To make sure everything is set up, without losing the ability to log in to the system, run the following command from a session you keep open:
$ sudo login
Enter your username. Everything is configured correctly if the system asks for a PIN code.
9) Make the computer lock when the token is removed
The libpam-pkcs11 package includes the pkcs11_eventmgr utility, which lets you perform various actions when PKCS#11 events occur.
pkcs11_eventmgr is configured through the file /etc/pam_pkcs11/pkcs11_eventmgr.conf.
The command that locks the session when the smart card or token is removed differs between Linux distributions; see the card_remove event.
An example configuration file is shown below:
pkcs11_eventmgr
{
    # Run in the background
    daemon = true;
    # Debug message output
    debug = false;
    # Polling interval in seconds
    polling_time = 1;
    # Timeout for card removal
    # Default 0
    expire_time = 0;
    # PKCS#11 library used to talk to the Rutoken
    pkcs11_module = /usr/lib/librtpkcs11ecp.so;
    # Card actions
    # Card inserted:
    event card_insert {
        # Leave the defaults (nothing happens)
        on_error = ignore;
        action = "/bin/false";
    }
    # Card removed
    event card_remove {
        on_error = ignore;
        # Call the screen lock function
        # For GNOME
        action = "dbus-send --type=method_call --dest=org.gnome.ScreenSaver /org/gnome/ScreenSaver org.gnome.ScreenSaver.Lock";
        # For XFCE
        # action = "xflock4";
        # For Astra Linux (FLY)
        # action = "fly-wmfunc FLYWM_LOCK";
    }
    # Card removed for a long time
    event expire_time {
        # Leave the defaults (nothing happens)
        on_error = ignore;
        action = "/bin/false";
    }
}
After that, add pkcs11_eventmgr to autostart. To do so, edit the .bash_profile file:
$ nano /home/<username>/.bash_profile
Add the line pkcs11_eventmgr to the end of the file and reboot. Note that the lock actions above (dbus-send, xflock4) talk to the screen-saver service of the graphical session, so pkcs11_eventmgr must be started inside that session for them to work.
The steps described for configuring the operating system can be used as a guide for modern Linux distributions, including domestic (Russian) ones.
In conclusion
Linux PCs are becoming increasingly popular in Russian government organisations, and setting up two-factor authentication on this OS is not always easy. We will be glad if this guide helps you solve the "password problem" and reliably protect access to your PC without spending much time on it.
Source: www.habr.com