Today I want to share how to set up a two-factor authentication server to protect corporate networks, websites, services and ssh. The server will run the following combination: LinOTP + FreeRadius.
Why do we need it?
It is a free, simple solution that lives inside your own network and does not depend on third-party providers.
The service is very convenient, has a clear web interface, unlike other open-source alternatives, and supports many functions and policies (for example, login + password + (PIN + OTPToken)). Through its API it integrates with SMS sending services (LinOTP Config->Provider Config->SMS Provider), generates codes for mobile applications such as Google Authenticator, and much more. I think it is simpler than the one discussed in
This server works well with Cisco ASA, an OpenVPN server, Apache2, and practically anything that supports authentication through a RADIUS server (for example, SSH in a data centre).
Required:
1) Debian 8 (jessie) - preferably! (a test installation on Debian 9 is described at the end of the article)
Let's begin:
Install Debian 8.
Add the LinOTP repository:
# echo 'deb http://www.linotp.org/apt/debian jessie linotp' > /etc/apt/sources.list.d/linotp.list
Add the keys:
# gpg --search-keys 913DFF12F86258E5
Sometimes on a "clean" installation, after running this command Debian prints:
gpg: создан каталог `/root/.gnupg'
gpg: создан новый файл настроек `/root/.gnupg/gpg.conf'
gpg: ВНИМАНИЕ: параметры в `/root/.gnupg/gpg.conf' еще не активны при этом запуске
gpg: создана таблица ключей `/root/.gnupg/secring.gpg'
gpg: создана таблица ключей `/root/.gnupg/pubring.gpg'
gpg: не заданы серверы ключей (используйте --keyserver)
gpg: сбой при поиске на сервере ключей: плохой URI
This is just the first-time initialisation of gnupg. Nothing to worry about. Simply run the command again.
To Debian's question:
gpg: поиск "913DFF12F86258E5" на hkp сервере keys.gnupg.net
(1) LSE LinOTP2 Packaging <[email protected]>
2048 bit RSA key F86258E5, создан: 2010-05-10
Keys 1-1 of 1 for "913DFF12F86258E5". Введите числа, N) Следующий или Q) Выход>
We answer: 1
Next:
# gpg --export 913DFF12F86258E5 | apt-key add -
# apt-get update
Install mysql. In principle you could use another SQL server, but for simplicity I use the one LinOTP recommends.
(additional information, including restoring the LinOTP database, can be found in the official documentation of
# apt-get install mysql-server
# apt-get update
(it doesn't hurt to check for updates once more)
Install LinOTP and the additional modules:
# apt-get install linotp
We answer the installer's questions:
Use Apache2: yes
Create a LinOTP admin password: "YourPassword"
Generate a self-signed certificate?: yes
Use MySQL?: yes
Where is the database located: localhost
Create the LinOTP database (base name) on the server: LinOTP2
Create a separate database user: LinOTP2
Set a password for that user: "YourPassword"
Create the database now? (something like "Are you sure you want to..."): yes
Enter the MySQL password you created during its installation: "YourPassword"
Done.
(optional, you don't have to install it)
# apt-get install linotp-adminclient-cli
(optional, you don't have to install it)
# apt-get install libpam-linotp
And our LinOTP web interface is now available at:
https://<LinOTP server IP>/manage
I'll come back to the web interface settings a bit later.
Now the most important part! We install FreeRadius and connect it to LinOTP.
Install FreeRadius and the module that works with LinOTP
# apt-get install freeradius linotp-freeradius-perl
Back up the radius client and users configs.
# mv /etc/freeradius/clients.conf /etc/freeradius/clients.old
# mv /etc/freeradius/users /etc/freeradius/users.old
Create an empty clients file:
# touch /etc/freeradius/clients.conf
Edit our new config file (the backup copies can be used as examples)
# nano /etc/freeradius/clients.conf
client 192.168.188.0/24 {
secret = passwd # shared secret the clients use to connect
}
Next, create the users file:
# touch /etc/freeradius/users
Edit the file and tell radius that we will use perl for authentication.
# nano /etc/freeradius/users
DEFAULT Auth-type := perl
Then edit the file /etc/freeradius/modules/perl
# nano /etc/freeradius/modules/perl
In the module section we have to specify the path to the linotp perl script:
perl {
    ...
    module = /usr/lib/linotp/radius_linotp.pm
    ...
}
Next, create the file that tells the module where (domain, database or flat file) to look up the users.
# touch /etc/linotp2/rlm_perl.ini
# nano /etc/linotp2/rlm_perl.ini
URL=https://IP_вашего_LinOTP_сервера(192.168.X.X)/validate/simplecheck
REALM=webusers1c
RESCONF=LocalUser
Debug=True
SSL_CHECK=False
I'll go into detail here because it matters:
Full description of the file, with comments:
#IP of the linOTP server (the IP address of our LinOTP server)
URL=https://172.17.14.103/validate/simplecheck
#Our realm, which we will create in the LinOTP web interface
REALM=mkono1
#Name of the user group (UserIdResolver) created in the LinOTP web interface
RESCONF=flat_file
#optional: comment out once everything works
Debug=True
#optional: use this if you have self-signed certificates, otherwise comment it out (SSL check, for the case where we generated our own certificate and want it validated)
SSL_CHECK=False
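To make these settings concrete, here is an added Python example (not code from the article, from FreeRADIUS or from LinOTP) that parses an rlm_perl.ini like the one above, builds the /validate/simplecheck request that the perl module sends to LinOTP, interprets LinOTP's reply, and flags the two settings (SSL_CHECK=False, Debug=True) that should be revisited before production. The request parameter names user, pass, realm and resConf follow LinOTP's validate API as I know it; the user names, OTP values and the offline stand-in for the HTTP call are constructed for the example.

```python
"""Added example: from rlm_perl.ini to a LinOTP simplecheck request and back.
Runs offline; fake_linotp() stands in for the real HTTPS call."""

# Constructed copy of the rlm_perl.ini discussed above.
RLM_PERL_INI = """
#IP of the linOTP server
URL=https://172.17.14.103/validate/simplecheck
REALM=mkono1
RESCONF=flat_file
Debug=True
SSL_CHECK=False
"""


def load_ini(text):
    """Parse the key=value lines of rlm_perl.ini; '#' starts a comment."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        cfg[key.strip()] = value.strip()
    return cfg


def build_simplecheck_request(cfg, user, password):
    """Return (url, params) for the simplecheck call. 'pass' carries the
    static password and the OTP concatenated; realm/resConf limit the
    UserIdResolver that LinOTP searches (assumed parameter names)."""
    params = {"user": user, "pass": password}
    if cfg.get("REALM"):
        params["realm"] = cfg["REALM"]
    if cfg.get("RESCONF"):
        params["resConf"] = cfg["RESCONF"]
    return cfg["URL"], params


def parse_simplecheck_reply(body):
    """simplecheck answers ':-)' (accept), ':-(' (reject) or
    ':/ <transactionid> <message>' (challenge, e.g. an SMS token)."""
    body = body.strip()
    if body == ":-)":
        return ("accept", None)
    if body == ":-(":
        return ("reject", None)
    if body.startswith(":/"):
        txid, _, message = body[2:].strip().partition(" ")
        return ("challenge", {"transactionid": txid, "message": message})
    return ("error", body)


def lint_ini(cfg):
    """Settings a reviewer should flag before the server goes live."""
    findings = []
    if cfg.get("SSL_CHECK", "True").lower() == "false":
        findings.append("SSL_CHECK=False: the LinOTP certificate is not verified; "
                        "acceptable for a self-signed lab setup, not for production")
    if cfg.get("Debug", "False").lower() == "true":
        findings.append("Debug=True: verbose logging of every request; "
                        "disable once the setup works")
    if not cfg.get("URL", "").startswith("https://"):
        findings.append("URL is not https: passwords and OTPs would travel in clear text")
    return findings


def fake_linotp(url, params):
    """Constructed stand-in for the HTTPS call, answering as LinOTP would
    for two made-up users (alice: HOTP token, bob: SMS challenge)."""
    assert url.endswith("/validate/simplecheck")
    if params["user"] == "alice" and params["pass"] == "Secret1" + "123456":
        return ":-)"
    if params["user"] == "bob":
        return ":/ 01234567 Enter the OTP sent by SMS"
    return ":-("


def check_login(ini_text, user, password, transport=fake_linotp):
    """What the perl module does per Access-Request: config -> request -> verdict."""
    cfg = load_ini(ini_text)
    url, params = build_simplecheck_request(cfg, user, password)
    return parse_simplecheck_reply(transport(url, params))


if __name__ == "__main__":
    print(check_login(RLM_PERL_INI, "alice", "Secret1123456"))
    print(check_login(RLM_PERL_INI, "bob", "whatever"))
    for finding in lint_ini(load_ini(RLM_PERL_INI)):
        print("WARNING:", finding)
```

The challenge branch is why SMS tokens need a RADIUS client that supports Access-Challenge; a NAS that only understands accept/reject will treat ":/" as a failure.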
Next, create the file /etc/freeradius/sites-available/linotp
# touch /etc/freeradius/sites-available/linotp
# nano /etc/freeradius/sites-available/linotp
And paste the config into it (nothing needs to be changed):
authorize {
#normalizes maleformed client request before handed on to other modules (see '/etc/freeradius/modules/preprocess')
preprocess
# If you are using multiple kinds of realms, you probably
# want to set "ignore_null = yes" for all of them.
# Otherwise, when the first style of realm doesn't match,
# the other styles won't be checked.
#allows a list of realm (see '/etc/freeradius/modules/realm')
IPASS
#understands something like USER@REALM and can tell the components apart (see '/etc/freeradius/modules/realm')
suffix
#understands USERREALM and can tell the components apart (see '/etc/freeradius/modules/realm')
ntdomain
# Read the 'users' file to learn about special configuration which should be applied for
# certain users (see '/etc/freeradius/modules/files')
files
# allows to let authentification to expire (see '/etc/freeradius/modules/expiration')
expiration
# allows to define valid service-times (see '/etc/freeradius/modules/logintime')
logintime
# We got no radius_shortname_map!
pap
}
#here the linotp perl module is called for further processing
authenticate {
perl
}
Then create a symlink:
# ln -s ../sites-available/linotp /etc/freeradius/sites-enabled
Personally, I delete the default Radius sites, but if you need them you can edit their config or disable them.
# rm /etc/freeradius/sites-enabled/default
# rm /etc/freeradius/sites-enabled/inner-tunnel
# service freeradius reload
Now let's go back to the web interface and look at it in more detail:
In the top right corner click LinOTP Config -> UserIdResolvers -> New
Choose what you need: LDAP (Windows AD, Samba LDAP), or SQL, or the system's Flatfile users.
Fill in the required fields.
Then create REALMS:
In the top right corner click LinOTP Config -> Realms -> New.
give our REALM a name and tick the UserIdResolvers created earlier.
FreeRadius needs all of this data in the file /etc/linotp2/rlm_perl.ini, as I wrote above, so if you haven't edited it yet, do it now.
All servers are configured.
Addendum:
Installing LinOTP on Debian 9:
Installation:
# echo 'deb http://linotp.org/apt/debian stretch linotp' > /etc/apt/sources.list.d/linotp.list
# apt-get install dirmngr
# apt-key adv --recv-keys 913DFF12F86258E5
# apt-get update
# apt-get install mysql-server
(by default, mysql (mariaDB) in Debian 9 does not offer to set a password; you can of course leave it empty, but if you follow the news this regularly ends in an "epic fail", so we will set one. Anyway)
# mysql -u root -p
use mysql;
UPDATE user SET Password = PASSWORD('тут_пароль') WHERE User = 'root';
exit
# apt-get install linotp
# apt-get install linotp-adminclient-cli
# apt-get install python-ldap
# apt install freeradius
# nano /etc/freeradius/3.0/sites-enabled/linotp
Paste the code (sent in by JuriM, thanks to him for it!):
server linotp {
    listen {
        ipaddr = *
        port = 1812
        type = auth
    }
    listen {
        ipaddr = *
        port = 1813
        type = acct
    }
    authorize {
        preprocess
        update {
            &control:Auth-Type := Perl
        }
    }
    authenticate {
        Auth-Type Perl {
            perl
        }
    }
    accounting {
        unix
    }
}
Edit /etc/freeradius/3.0/mods-enabled/perl
perl {
    filename = /usr/share/linotp/radius_linotp.pm
    func_authenticate = authenticate
    func_authorize = authorize
}
Unfortunately, in Debian 9 the radius_linotp.pm library is not installed from the repository, so we fetch it from github.
# apt install git
# git clone https://github.com/LinOTP/linotp-auth-freeradius-perl
# cd linotp-auth-freeradius-perl/
# cp radius_linotp.pm /usr/share/linotp/radius_linotp.pm
now let's edit /etc/freeradius/3.0/clients.conf
client servers {
ipaddr = 192.168.188.0/24
secret = your_password
}
Now let's configure /etc/linotp2/rlm_perl.ini
We put in the same contents as for Debian 8 (described above)
That's all, in theory. (not tested yet)
Below I'll leave a few links on setting up the systems that most often need to be protected with two-factor authentication:
Setting up two-factor authentication in
Also, many website CMSs support two-factor authentication (for WordPress, LinOTP even has its own dedicated module
IMPORTANT! Do NOT tick the "Google authenticator" box in order to use Google Authenticator! The QR code then cannot be read... (strange)
When writing this article, material from the following articles was used:
Thanks to the authors.
Source: www.habr.com