Today I want to share how to set up two-factor authentication to protect a corporate network, a site, a service, or ssh. The server will run the following bundle: LinOTP + FreeRadius.
Why do we need it?
A completely free, simple solution inside your own network, independent of third-party providers.
This service is very convenient and visual, unlike other open-source products, and it also supports a large number of functions and policies (for example, login + password + (PIN + OTPToken)). Through its API it integrates with SMS delivery (LinOTP Config -> Provider Config -> SMS Provider), generates codes for mobile applications such as Google Authenticator, and more. I think it is more convenient than the service discussed in
This service works well with Cisco ASA, OpenVPN server, Apache2, and in general with almost everything that supports authentication via a RADIUS server (for example, for SSH in a data center).
Required:
1) Debian 8 (jessie) - mandatory! (a trial setup on Debian 9 is described at the end of the article)
Let's start:
Install Debian 8.
Add the LinOTP repository:
# echo 'deb http://www.linotp.org/apt/debian jessie linotp' > /etc/apt/sources.list.d/linotp.list
Add the key:
# gpg --search-keys 913DFF12F86258E5
Sometimes on a "clean" install, after running this command, Debian prints:
gpg: создан каталог `/root/.gnupg'
gpg: создан новый файл настроек `/root/.gnupg/gpg.conf'
gpg: ВНИМАНИЕ: параметры в `/root/.gnupg/gpg.conf' еще не активны при этом запуске
gpg: создана таблица ключей `/root/.gnupg/secring.gpg'
gpg: создана таблица ключей `/root/.gnupg/pubring.gpg'
gpg: не заданы серверы ключей (используйте --keyserver)
gpg: сбой при поиске на сервере ключей: плохой URI
This is gnupg's initial setup. That's fine. Just run the command again.
To Debian's prompt:
gpg: поиск "913DFF12F86258E5" на hkp сервере keys.gnupg.net
(1) LSE LinOTP2 Packaging <[email protected]>
2048 bit RSA key F86258E5, создан: 2010-05-10
Keys 1-1 of 1 for "913DFF12F86258E5". Введите числа, N) Следующий или Q) Выход>
We answer: 1
Next:
# gpg --export 913DFF12F86258E5 | apt-key add -
# apt-get update
Install mysql. In theory you can use another sql server, but for simplicity I will use the one recommended for LinOTP.
(additional information, including reconfiguring the LinOTP database, can be found in the official documentation at
# apt-get install mysql-server
# apt-get update
(an extra refresh of the package lists won't hurt)
Install LinOTP and additional modules:
# apt-get install linotp
We answer the installer's questions:
Use Apache2: yes
Create a password for the LinOTP admin: "YourPassword"
Generate a self-signed certificate?: yes
Use MySQL?: yes
Where is the database located: localhost
Create a LinOTP database (database name) on the server: LinOTP2
Create a separate user for the database: LinOTP2
Set a password for that user: "YourPassword"
Should the database be created now? (something like "Are you sure you want to..."): yes
Enter the MySQL root password you created during installation: "YourPassword"
Done.
(optional, you don't have to install it)
# apt-get install linotp-adminclient-cli
(optional, you don't have to install it)
# apt-get install libpam-linotp
And now our LinOTP web interface is available at:
https://server_IP/manage
I will talk about the settings in the web interface a little later.
Now the most important part! We bring up FreeRadius and connect it to LinOTP.
Install FreeRadius and the module for working with LinOTP:
# apt-get install freeradius linotp-freeradius-perl
Back up the radius clients and users configs:
# mv /etc/freeradius/clients.conf /etc/freeradius/clients.old
# mv /etc/freeradius/users /etc/freeradius/users.old
Create an empty clients file:
# touch /etc/freeradius/clients.conf
Edit our new clients file (the backed-up one can be used as a reference):
# nano /etc/freeradius/clients.conf
client 192.168.188.0/24 {
    secret = passwd # password that RADIUS clients use to connect
}
Next, create a users file:
# touch /etc/freeradius/users
Edit the file, telling radius that we will use perl for authentication:
# nano /etc/freeradius/users
DEFAULT Auth-type := perl
Next, edit the file /etc/freeradius/modules/perl
# nano /etc/freeradius/modules/perl
We need to specify the path to the LinOTP perl script in the module parameter:
perl {
    ...
    module = /usr/lib/linotp/radius_linotp.pm
    ...
}
Next, we create a file in which we tell the module where (domain, database or file) to take users from:
# touch /etc/linotp2/rlm_perl.ini
# nano /etc/linotp2/rlm_perl.ini
URL=https://IP_of_your_LinOTP_server(192.168.X.X)/validate/simplecheck
REALM=webusers1c
RESCONF=LocalUser
Debug=True
SSL_CHECK=False
I'll go into a bit more detail here, because it matters:
Full description of the file, with comments:
#IP of the LinOTP server (the IP address of our LinOTP server)
URL=https://172.17.14.103/validate/simplecheck
#Our realm, which we will create in the LinOTP web interface
REALM=realm1
#Name of the user group (UserIdResolver) created in the LinOTP web interface
RESCONF=flat_file
#optional: shows whether everything looks OK
Debug=True
#optional: use this when you have a self-signed certificate; otherwise leave it out (SSL check for when we issued our own certificate and want it verified)
SSL_CHECK=False
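As an added example (not code from the original article or from the LinOTP project), the following Python script parses an rlm_perl.ini as shown above, builds the /validate/simplecheck request that the FreeRADIUS perl module sends to LinOTP, and maps LinOTP's smiley reply to a RADIUS decision. The parameter names resConf and client are my assumption about what the module sends; the ini contents and the replies are constructed samples.

```python
import configparser
from urllib.parse import urlencode

# Constructed copy of the /etc/linotp2/rlm_perl.ini shown above (not a live server).
RLM_PERL_INI = """\
URL=https://172.17.14.103/validate/simplecheck
REALM=webusers1c
RESCONF=LocalUser
Debug=True
SSL_CHECK=False
"""

# /validate/simplecheck answers with a smiley: accept, reject, or challenge pending
# (for a challenge the transaction id and a message follow the ":-/").
SIMPLECHECK_REPLIES = {":-)": "accept", ":-(": "reject", ":-/": "challenge"}


def load_rlm_perl_ini(text):
    """Parse the section-less key=value file that radius_linotp.pm reads."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str  # keep keys exactly as written (URL, REALM, ...)
    cp.read_string("[rlm_perl]\n" + text)
    cfg = dict(cp["rlm_perl"])
    # SSL_CHECK=False is the weak setting the article accepts for self-signed
    # certificates: the module then trusts any certificate on the LinOTP URL.
    cfg["verify_tls"] = cfg.get("SSL_CHECK", "True").strip().lower() == "true"
    return cfg


def build_simplecheck_request(cfg, user, password, client_ip):
    """Return the GET URL sent to LinOTP and whether TLS will be verified.
    'resConf' and 'client' are assumed parameter names (assumption, not from the page)."""
    params = {"user": user, "pass": password, "realm": cfg["REALM"],
              "resConf": cfg["RESCONF"], "client": client_ip}
    return cfg["URL"] + "?" + urlencode(params), cfg["verify_tls"]


def interpret_simplecheck(body):
    """Map LinOTP's reply to a RADIUS decision; anything unexpected rejects."""
    words = body.split()
    return SIMPLECHECK_REPLIES.get(words[0] if words else "", "reject")


if __name__ == "__main__":
    conf = load_rlm_perl_ini(RLM_PERL_INI)
    url, verify = build_simplecheck_request(conf, "alice", "1234567890", "192.168.188.10")
    print(url, "verify_tls=%s" % verify)
    for reply in (":-)", ":-(", ":-/ 12345 Please enter the OTP"):  # constructed replies
        print(repr(reply), "->", interpret_simplecheck(reply))
```

Once FreeRADIUS is running, radtest from freeradius-utils against 127.0.0.1 with the client secret is the usual end-to-end check of the whole chain.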
Next, create the file /etc/freeradius/sites-available/linotp
# touch /etc/freeradius/sites-available/linotp
# nano /etc/freeradius/sites-available/linotp
And paste the config into it (nothing needs to be edited):
authorize {
    # normalizes malformed client requests before they are handed on to other modules (see '/etc/freeradius/modules/preprocess')
    preprocess
    # If you are using multiple kinds of realms, you probably
    # want to set "ignore_null = yes" for all of them.
    # Otherwise, when the first style of realm doesn't match,
    # the other styles won't be checked.
    # allows a list of realms (see '/etc/freeradius/modules/realm')
    IPASS
    # understands something like USER@REALM and can tell the components apart (see '/etc/freeradius/modules/realm')
    suffix
    # understands something like REALM\USER and can tell the components apart (see '/etc/freeradius/modules/realm')
    ntdomain
    # Read the 'users' file to learn about special configuration which should be applied for
    # certain users (see '/etc/freeradius/modules/files')
    files
    # allows authentication to expire (see '/etc/freeradius/modules/expiration')
    expiration
    # allows to define valid service times (see '/etc/freeradius/modules/logintime')
    logintime
    # We got no radius_shortname_map!
    pap
}
# here the linotp perl module is called for further processing
authenticate {
    perl
}
Next, create a symlink:
# ln -s ../sites-available/linotp /etc/freeradius/sites-enabled
Personally, I delete the default Radius sites, but if you need them, you can edit their config or disable them.
# rm /etc/freeradius/sites-enabled/default
# rm /etc/freeradius/sites-enabled/inner-tunnel
# service freeradius reload
Let's go back to the web interface and look at it in more detail:
In the upper right corner, click LinOTP Config -> UserIdResolvers -> New
Choose what we want: LDAP (Windows AD, Samba LDAP), or SQL, or local users of the system (Flatfile).
Fill in the required fields.
Then create REALMS:
In the upper right corner, click LinOTP Config -> Realms -> New,
give our REALM a name, and tick the UserIdResolvers created earlier.
FreeRadius needs all of this data in the /etc/linotp2/rlm_perl.ini file, as I wrote above, so if you didn't fill it in then, do it now.
The server is configured.
Addendum:
Setting up LinOTP on Debian 9:
Setup:
# echo 'deb http://linotp.org/apt/debian stretch linotp' > /etc/apt/sources.list.d/linotp.list
# apt-get install dirmngr
# apt-key adv --recv-keys 913DFF12F86258E5
# apt-get update
# apt-get install mysql-server
(by default, on Debian 9 mysql (MariaDB) does not offer to set a password; yes, you can leave it empty, but if you read the news this usually ends in "epic fails", so we will set one anyway)
# mysql -u root -p
use mysql;
UPDATE user SET Password = PASSWORD('password_here') WHERE User = 'root';
exit
# apt-get install linotp
# apt-get install linotp-adminclient-cli
# apt-get install python-ldap
# apt install freeradius
# nano /etc/freeradius/3.0/sites-enabled/linotp
Paste in the config (sent by JuriM, thanks to him for that!):
server linotp {
    listen {
        ipaddr = *
        port = 1812
        type = auth
    }
    listen {
        ipaddr = *
        port = 1813
        type = acct
    }
    authorize {
        preprocess
        update {
            &control:Auth-Type := Perl
        }
    }
    authenticate {
        Auth-Type Perl {
            perl
        }
    }
    accounting {
        unix
    }
}
Edit /etc/freeradius/3.0/mods-enabled/perl
perl {
    filename = /usr/share/linotp/radius_linotp.pm
    func_authenticate = authenticate
    func_authorize = authorize
}
Unfortunately, on Debian 9 the radius_linotp.pm library is not installed from the repositories, so we will take it from github.
# apt install git
# git clone https://github.com/LinOTP/linotp-auth-freeradius-perl
# cd linotp-auth-freeradius-perl/
# cp radius_linotp.pm /usr/share/linotp/radius_linotp.pm
Let's edit /etc/freeradius/3.0/clients.conf
client localnet { # "localnet" is just a label; FreeRADIUS 3 requires a client name here
    ipaddr = 192.168.188.0/24
    secret = your_password
}
Edit /etc/linotp2/rlm_perl.ini (nano /etc/linotp2/rlm_perl.ini)
Paste the same contents there as for the Debian 8 install (described above).
In theory everything should work. (not tested)
Below I'll leave a few links on setting up systems that often need to be protected with two-factor authentication:
Setting up two-factor authentication in
Also, the CMS of many sites support two-factor authentication (for WordPress, LinOTP also has its own dedicated plugin for
IMPORTANT NOTE! DO NOT tick the "Google authentificator" checkbox in order to use Google Authenticator! The QR code cannot be read because... (a strange fact)
The following articles were used while writing this article:
Thanks to their authors.
puna: www.habr.com