LinOTP two-factor authentication server

Today I want to share how to set up a two-factor authentication server to protect corporate networks, sites, services and ssh. The server will run the following combination: LinOTP + FreeRadius.

Why do we need it?
It is a free, convenient solution that lives inside your own network and does not depend on third-party providers.

The service is very convenient and quite visual compared with other open-source products, and it supports a huge number of functions and policies (for example, login + password + (PIN + OTP token)). Through its API it integrates with SMS sending services (LinOTP Config->Provider Config->SMS Provider), generates codes for mobile apps such as Google Authenticator, and much more. I think it is more convenient than the solution discussed in the article.

This server works fine with Cisco ASA, an OpenVPN server, Apache2, and practically anything that supports authentication via a RADIUS server (for example, for SSH in a data center).

Required:

1) Debian 8 (jessie) - preferably! (a trial installation on Debian 9 is described at the end of the article)

Let's begin:

Install Debian 8.

Add the LinOTP repository:

# echo 'deb http://www.linotp.org/apt/debian jessie linotp' > /etc/apt/sources.list.d/linotp.list

Add the key:

# gpg --search-keys 913DFF12F86258E5

Sometimes on a "clean" install, after running this command, Debian shows:

gpg: создан каталог `/root/.gnupg'
gpg: создан новый файл настроек `/root/.gnupg/gpg.conf'
gpg: ВНИМАНИЕ: параметры в `/root/.gnupg/gpg.conf' еще не активны при этом запуске
gpg: создана таблица ключей `/root/.gnupg/secring.gpg'
gpg: создана таблица ключей `/root/.gnupg/pubring.gpg'
gpg: не заданы серверы ключей (используйте --keyserver)
gpg: сбой при поиске на сервере ключей: плохой URI

This is just the initial gnupg setup. Nothing to worry about. Simply run the command again.
To Debian's question:

gpg: поиск "913DFF12F86258E5" на hkp сервере keys.gnupg.net
(1)	LSE LinOTP2 Packaging <[email protected]>
	  2048 bit RSA key F86258E5, создан: 2010-05-10
Keys 1-1 of 1 for "913DFF12F86258E5".  Введите числа, N) Следующий или Q) Выход>

We answer: 1

Next:

# gpg --export 913DFF12F86258E5 | apt-key add -

# apt-get update

Install mysql. In principle you can use another SQL server, but for simplicity I'll use the one LinOTP recommends.

(additional information, including reconfiguring the LinOTP database, can be found in the official project documentation. There you can also find the command dpkg-reconfigure linotp for changing the parameters if you have already installed mysql).

# apt-get install mysql-server

# apt-get update

(it doesn't hurt to check for updates again)
Install LinOTP and the additional modules:

# apt-get install linotp

We answer the installer's questions:
Use Apache2: yes
Create the LinOTP admin password: "YourPassword"
Generate a self-signed certificate?: yes
Use MySQL?: yes
Where is the database located: localhost
Create the LinOTP database (database name) on the server: LinOTP2
Create a separate database user: LinOTP2
Set a password for the user: "YourPassword"
Should I create the database now? (something like "Are you sure you want to..."): yes
Enter the MySQL root password you created during installation: "YourPassword"
Done.

(optional, you don't have to install it)

# apt-get install linotp-adminclient-cli 

(optional, you don't have to install it)

# apt-get install libpam-linotp  

And our LinOTP web interface is now available at:

https://server_IP/manage

I'll talk about the web interface settings a little later.

Now the most important part! We bring up FreeRadius and link it with LinOTP.

Install FreeRadius and the module for working with LinOTP:

# apt-get install freeradius linotp-freeradius-perl

back up the clients and users radius configs.

# mv /etc/freeradius/clients.conf  /etc/freeradius/clients.old

# mv /etc/freeradius/users  /etc/freeradius/users.old

Create an empty clients file:

# touch /etc/freeradius/clients.conf

Edit our new config file (the backed-up copies can be used as an example):

# nano /etc/freeradius/clients.conf

client 192.168.188.0/24 {
    secret = passwd # password for client connections
}

Next, create the users file:

# touch /etc/freeradius/users

Edit the file, telling radius that we will use perl for authentication.

# nano /etc/freeradius/users

DEFAULT Auth-Type := perl

Next, edit the file /etc/freeradius/modules/perl

# nano /etc/freeradius/modules/perl

We need to specify the path to the linotp perl script in the module section:

perl {
    ...
    module = /usr/lib/linotp/radius_linotp.pm
    ...
}

Next, create the file in which we specify where (domain, database or file) user data is taken from.

# touch /etc/linotp2/rlm_perl.ini

# nano /etc/linotp2/rlm_perl.ini

URL=https://IP_of_your_LinOTP_server(192.168.X.X)/validate/simplecheck
REALM=webusers1c
RESCONF=LocalUser
Debug=True
SSL_CHECK=False

I'll go into detail here because it is important:

Full description of the file, with comments:
# IP of the linOTP server (the IP address of our LinOTP server)
URL=https://172.17.14.103/validate/simplecheck
# Our realm, which we will create in the LinOTP web interface
REALM=mkono1
# Name of the user group (resolver) created in the LinOTP web interface
RESCONF=flat_file
# optional: comment out once everything works fine
Debug=True
# by default: use this if you have a self-signed certificate, otherwise comment it out (SSL_CHECK verifies the certificate if we issued our own and want to check it)
SSL_CHECK=False
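An added example, not code from the original article: a small POSIX shell lint for the rlm_perl.ini file above (plain-http URL, missing REALM/RESCONF, SSL_CHECK=False, Debug=True), plus a helper that maps the ":-)" / ":-(" / ":-/" answers of LinOTP's /validate/simplecheck endpoint to a RADIUS decision. The sample values are the article's own; the function names and temporary file names are assumptions.

```shell
#!/bin/sh
# Added example (not from the original article): a lint for the
# /etc/linotp2/rlm_perl.ini described above, plus a helper that maps the
# answer of LinOTP's /validate/simplecheck endpoint to a RADIUS decision.

# Read one key from the ini file (lines are "Key=Value", keys case-sensitive).
ini_get() {
    sed -n "s/^$2=//p" "$1" | head -n 1
}

# Print one line per weak or missing setting; return 1 if any was found.
lint_rlm_perl_ini() {
    f=$1; rc=0
    case "$(ini_get "$f" URL)" in
        https://*/validate/simplecheck) ;;
        http://*) echo "URL: plain http would send PIN+OTP in clear text"; rc=1 ;;
        *) echo "URL: missing or not the /validate/simplecheck endpoint"; rc=1 ;;
    esac
    [ -n "$(ini_get "$f" REALM)" ]   || { echo "REALM: missing"; rc=1; }
    [ -n "$(ini_get "$f" RESCONF)" ] || { echo "RESCONF: missing"; rc=1; }
    [ "$(ini_get "$f" SSL_CHECK)" = False ] && { echo "SSL_CHECK=False: LinOTP certificate is not verified"; rc=1; }
    [ "$(ini_get "$f" Debug)" = True ] && echo "Debug=True: verbose logging, turn off once it works"
    return $rc
}

# simplecheck answers ":-)" (accept), ":-(" (reject) or ":-/" (challenge).
interpret_simplecheck() {
    case "$1" in
        ':-)') echo accept ;;
        ':-(') echo reject ;;
        ':-/') echo challenge ;;
        *)     echo unknown ;;
    esac
}

# Constructed sample: the article's rlm_perl.ini as written, then a hardened
# copy (hypothetical file names in a temporary directory).
tmp=$(mktemp -d)
cat > "$tmp/weak.ini" <<'EOF'
URL=https://172.17.14.103/validate/simplecheck
REALM=mkono1
RESCONF=flat_file
Debug=True
SSL_CHECK=False
EOF
sed -e 's/^Debug=True/Debug=False/' -e 's/^SSL_CHECK=False/SSL_CHECK=True/' \
    "$tmp/weak.ini" > "$tmp/hardened.ini"
lint_rlm_perl_ini "$tmp/weak.ini" || echo "weak.ini: fix the warnings above"
lint_rlm_perl_ini "$tmp/hardened.ini" && echo "hardened.ini: ok"
```

SSL_CHECK=True only works once FreeRADIUS trusts the LinOTP certificate, so either use a certificate from your own CA or keep the self-signed one in the trust store of the RADIUS host.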

Next, create the file /etc/freeradius/sites-available/linotp

# touch /etc/freeradius/sites-available/linotp

# nano /etc/freeradius/sites-available/linotp

And copy the config into it (no need to change anything):

authorize {
    # normalizes malformed client requests before handing them on to other modules (see '/etc/freeradius/modules/preprocess')
    preprocess
    #  If you are using multiple kinds of realms, you probably
    #  want to set "ignore_null = yes" for all of them.
    #  Otherwise, when the first style of realm doesn't match,
    #  the other styles won't be checked.
    # allows a list of realms (see '/etc/freeradius/modules/realm')
    IPASS
    # understands something like USER@REALM and can tell the components apart (see '/etc/freeradius/modules/realm')
    suffix
    # understands REALM\USER and can tell the components apart (see '/etc/freeradius/modules/realm')
    ntdomain
    # Read the 'users' file to learn about special configuration which should be applied for
    # certain users (see '/etc/freeradius/modules/files')
    files
    # allows authentication to expire (see '/etc/freeradius/modules/expiration')
    expiration
    # allows defining valid service times (see '/etc/freeradius/modules/logintime')
    logintime
    # We got no radius_shortname_map!
    pap
}
# here the linotp perl module is called for further processing
authenticate {
    perl
}

Then we create a symlink:

# ln -s ../sites-available/linotp /etc/freeradius/sites-enabled

Personally, I delete Radius's default sites, but if you need them you can edit their configs or just disable them.

# rm /etc/freeradius/sites-enabled/default

# rm /etc/freeradius/sites-enabled/inner-tunnel

# service freeradius reload

Now let's go back to the web interface and look at it in more detail:
In the top right corner click LinOTP Config -> UserIdResolvers -> New
We choose what we need: LDAP (AD win, LDAP samba), or SQL, or flat file system users.

Fill in the required fields.

Then create the REALMS:
In the top right corner, click LinOTP Config -> Realms -> New.
Give our REALM a name, and also tick the UserIdResolvers created earlier.

FreeRadius needs all this data in the file /etc/linotp2/rlm_perl.ini, as I wrote above, so if you haven't edited it yet, do it now.

All the servers are configured.

Additions:

Installing LinOTP on Debian 9:

Installation:

# echo 'deb http://linotp.org/apt/debian stretch linotp' > /etc/apt/sources.list.d/linotp.list 
# apt-get install dirmngr

# apt-key adv --recv-keys 913DFF12F86258E5
# apt-get update

# apt-get install mysql-server

(by default, mysql (mariaDB) in Debian 9 does not offer to set a password; of course you can leave it empty, but if you read the news, this regularly leads to "epic fails", so we'll set one anyway)

# mysql -u root -p
use mysql;
UPDATE user SET Password = PASSWORD('password_here') WHERE User = 'root';
exit
# apt-get install linotp
# apt-get install linotp-adminclient-cli
# apt-get install python-ldap
# apt install freeradius
# nano /etc/freeradius/3.0/sites-enabled/linotp

Paste in the code (sent by JuriM, thanks to him for it!):

server linotp {
    listen {
        ipaddr = *
        port = 1812
        type = auth
    }
    listen {
        ipaddr = *
        port = 1813
        type = acct
    }
    authorize {
        preprocess
        update {
            &control:Auth-Type := Perl
        }
    }
    authenticate {
        Auth-Type Perl {
            perl
        }
    }
    accounting {
        unix
    }
}

Edit /etc/freeradius/3.0/mods-enabled/perl

perl {
    filename = /usr/share/linotp/radius_linotp.pm
    func_authenticate = authenticate
    func_authorize = authorize
}

Unfortunately, in Debian 9 the radius_linotp.pm library is not installed from the repository, so we'll take it from github.

# apt install git
# git clone https://github.com/LinOTP/linotp-auth-freeradius-perl
# cd linotp-auth-freeradius-perl/
# cp radius_linotp.pm /usr/share/linotp/radius_linotp.pm

Now let's edit /etc/freeradius/3.0/clients.conf

client servers {
    ipaddr = 192.168.188.0/24
    secret = your_password
}

Now let's edit /etc/linotp2/rlm_perl.ini with nano

We put in the same contents as on Debian 8 (described above).

That's all, in theory. (not tested yet)

Below I'll leave a few links on configuring the systems that most often need to be protected with two-factor authentication:
Configuring two-factor authentication in Apache2

Pairing with Cisco ASA (a different token server is used there, but the ASA settings themselves are the same).

VPN with two-factor authentication

Configuring two-factor authentication in ssh (LinOTP is also used there) - thanks to the author. There you can also find interesting details on configuring LinOTP policies.

Also, many web CMSs support two-factor authentication (for WordPress, LinOTP even has its own dedicated module on github), for example if you want to create a protected section on your corporate site for company employees.
IMPORTANT! Do NOT tick the "Google authenticator" checkbox in order to use Google Authenticator! The QR code is then not readable... (strange)

When writing this article, material from the following articles was used:
itnan.ru/post.php?c=1&p=270571
www.digitalbears.net/?p=469

Thanks to the authors.

Source: www.habr.com
