LinOTP two-factor authentication

Today I want to share how to set up two-factor authentication to protect a corporate network, a site, a service or ssh. The server will run the following combination: LinOTP + FreeRadius.

Why do we need it?
A completely free, simple solution that lives inside your own network and does not depend on third-party providers.

The service is very simple and clear, unlike many other open-source products, and it also supports a large number of functions and policies (for example, login + password + (PIN + OTPToken)). Through its API it integrates with SMS sending (LinOTP Config -> Provider Config -> SMS Provider), generates codes for mobile apps such as Google Authenticator, and more. I find it easier to use than the service discussed in the article.

The service works well with Cisco ASA, OpenVPN server, Apache2, and in general with almost anything that supports authentication through a RADIUS server (for example, for SSH in a data centre).

Required:

1) Debian 8 (jessie) - this is a must! (An approximate setup on Debian 9 is described at the end of the article.)

Let's begin:

Install Debian 8.

Add the LinOTP repository:

# echo 'deb http://www.linotp.org/apt/debian jessie linotp' > /etc/apt/sources.list.d/linotp.list

Add the key:

# gpg --search-keys 913DFF12F86258E5

Sometimes, on a "clean" install, Debian prints the following after this command:

gpg: создан каталог `/root/.gnupg'
gpg: создан новый файл настроек `/root/.gnupg/gpg.conf'
gpg: ВНИМАНИЕ: параметры в `/root/.gnupg/gpg.conf' еще не активны при этом запуске
gpg: создана таблица ключей `/root/.gnupg/secring.gpg'
gpg: создана таблица ключей `/root/.gnupg/pubring.gpg'
gpg: не заданы серверы ключей (используйте --keyserver)
gpg: сбой при поиске на сервере ключей: плохой URI

This is just gnupg's first-run setup. That's fine. Simply run the command again.
Debian then asks:

gpg: поиск "913DFF12F86258E5" на hkp сервере keys.gnupg.net
(1)	LSE LinOTP2 Packaging <[email protected]>
	  2048 bit RSA key F86258E5, создан: 2010-05-10
Keys 1-1 of 1 for "913DFF12F86258E5".  Введите числа, N) Следующий или Q) Выход>

We answer: 1

Next:

# gpg --export 913DFF12F86258E5 | apt-key add -

# apt-get update

Install mysql. In theory you can use a different SQL server, but for simplicity I will use what is recommended for LinOTP.

(Additional information, including reconfiguring the LinOTP database, can be found in the official documentation at the link. There you will also find the command dpkg-reconfigure linotp, which changes these settings if you already have mysql installed.)

# apt-get install mysql-server

# apt-get update

(It doesn't hurt to refresh the package lists once more.)
Install LinOTP and the additional modules:

# apt-get install linotp

We answer the installer's questions:
Use Apache2: yes
Create a password for the LinOTP admin: "YourPassword"
Generate a self-signed certificate?: yes
Use MySQL?: yes
Where is the database located: localhost
Create a LinOTP database (database name) on the server: LinOTP2
Create a separate user for the database: LinOTP2
Set a password for that user: "YourPassword"
Should the database be created now? (something like "Are you sure you want to..."): yes
Enter the MySQL root password you created during installation: "YourPassword"
Done.

(optional, you don't have to install it)

# apt-get install linotp-adminclient-cli 

(optional, you don't have to install it)

# apt-get install libpam-linotp  

And now our LinOTP web interface is available at:

https://SERVER_IP/manage

I will cover the settings in the web interface a little later.

Now the most important part! We bring up FreeRadius and connect it to LinOTP.

Install FreeRadius and the module for working with LinOTP:

# apt-get install freeradius linotp-freeradius-perl

Back up the default radius client and user configs:

# mv /etc/freeradius/clients.conf  /etc/freeradius/clients.old

# mv /etc/freeradius/users  /etc/freeradius/users.old

Create an empty file:

# touch /etc/freeradius/clients.conf

Edit our new clients file (you can use the backed-up one as a template):

# nano /etc/freeradius/clients.conf

client 192.168.188.0/24 {
secret  = passwd # shared secret the RADIUS clients use to connect
}

Next, create the users file:

# touch /etc/freeradius/users

Edit the file, telling radius that we will use perl for authentication:

# nano /etc/freeradius/users

DEFAULT Auth-type := perl

Next, edit the file /etc/freeradius/modules/perl

# nano /etc/freeradius/modules/perl

We need to specify the path to the linotp perl script in the module parameter:

perl {
    ...
    module = /usr/lib/linotp/radius_linotp.pm
    ...
}

Next, we create the file in which we tell it where (domain, database or file) to take the users from.

# touch /etc/linotp2/rlm_perl.ini

# nano /etc/linotp2/rlm_perl.ini

URL=https://YOUR_LINOTP_SERVER_IP(192.168.X.X)/validate/simplecheck
REALM=webusers1c
RESCONF=LocalUser
Debug=True
SSL_CHECK=False

I'll go into a little more detail here, because it matters:

Full description of the file, with comments:
# IP of the LinOTP server (the IP address of our LinOTP server)
URL=https://172.17.14.103/validate/simplecheck
# Our realm, which we will create in the LinOTP web interface
REALM=webusers1c
# Name of the user group (UserIdResolver) created in the LinOTP web interface
RESCONF=flat_file
# optional: shows whether everything looks OK
Debug=True
# optional: use this when you have a self-signed certificate, i.e. no certificate check (set SSL when we issue our own certificate and want it verified)
SSL_CHECK=False
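As an added example (not code from the original article or from the LinOTP project), here is a small Python script that reads the keys of rlm_perl.ini as shown above, builds the same /validate/simplecheck request the perl module sends to LinOTP, and interprets the smiley-style answer. The query parameters user, pass and realm follow LinOTP's validate API; that resConf carries the RESCONF value is an assumption, and the embedded ini content is a constructed sample.

```python
import configparser
import ssl
import urllib.parse
import urllib.request

# Constructed sample of the rlm_perl.ini described above (not a real server).
SAMPLE_INI = """\
URL=https://172.17.14.103/validate/simplecheck
REALM=webusers1c
RESCONF=flat_file
Debug=True
SSL_CHECK=False
"""

def load_rlm_perl_ini(text):
    """rlm_perl.ini has no [section] header, so add one for configparser."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep the upper-case keys (URL, REALM, ...)
    cp.read_string("[main]\n" + text)
    return dict(cp["main"])

def build_check_url(cfg, user, password):
    """user, pass and realm become GET parameters of the validate call;
    resConf (assumed) carries the RESCONF resolver name."""
    params = {"user": user, "pass": password, "realm": cfg["REALM"]}
    if cfg.get("RESCONF"):
        params["resConf"] = cfg["RESCONF"]
    return cfg["URL"] + "?" + urllib.parse.urlencode(params)

def interpret_simplecheck(body):
    """simplecheck answers with a smiley: ':-)' accepted, ':-(' rejected,
    anything else (':-/') is an error or a pending challenge."""
    body = body.strip()
    if body == ":-)":
        return "accept"
    if body == ":-(":
        return "reject"
    return "error"

def check_user(cfg, user, password):
    # Full round trip; needs network access to the configured LinOTP server.
    ctx = ssl.create_default_context()
    if cfg.get("SSL_CHECK", "True").lower() == "false":
        # same effect as SSL_CHECK=False: accept LinOTP's self-signed certificate
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    with urllib.request.urlopen(build_check_url(cfg, user, password),
                                context=ctx, timeout=10) as resp:
        return interpret_simplecheck(resp.read().decode("utf-8", "replace"))
```

The password passed as `pass` is the PIN followed by the OTP value, exactly what the RADIUS client forwards from the user.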

Next, create the file /etc/freeradius/sites-available/linotp

# touch /etc/freeradius/sites-available/linotp

# nano /etc/freeradius/sites-available/linotp

And copy the config into it (nothing needs to be edited):

authorize {
#normalizes maleformed client request before handed on to other modules (see '/etc/freeradius/modules/preprocess')
preprocess
#  If you are using multiple kinds of realms, you probably
#  want to set "ignore_null = yes" for all of them.
#  Otherwise, when the first style of realm doesn't match,
#  the other styles won't be checked.
#allows a list of realm (see '/etc/freeradius/modules/realm')
IPASS
#understands something like USER@REALM and can tell the components apart (see '/etc/freeradius/modules/realm')
suffix
#understands USERREALM and can tell the components apart (see '/etc/freeradius/modules/realm')
ntdomain
#  Read the 'users' file to learn about special configuration which should be applied for
# certain users (see '/etc/freeradius/modules/files')
files
# allows to let authentification to expire (see '/etc/freeradius/modules/expiration')
expiration
# allows to define valid service-times (see '/etc/freeradius/modules/logintime')
logintime
# We got no radius_shortname_map!
pap
}
#here the linotp perl module is called for further processing
authenticate {
perl
}

Next we create a symlink:

# ln -s ../sites-available/linotp /etc/freeradius/sites-enabled

Personally, I delete the default Radius sites, but if you need them you can edit their configs or disable them instead.

# rm /etc/freeradius/sites-enabled/default

# rm /etc/freeradius/sites-enabled/inner-tunnel

# service freeradius reload

Let's go back to the web interface and look at it in more detail:
In the top right corner click LinOTP Config -> UserIdResolvers -> New
We choose what we need: LDAP (AD win, LDAP samba), or SQL, or local users from a Flatfile of the system.

Fill in the required fields.

Then create the REALMS:
In the top right corner, click LinOTP Config -> Realms -> New,
give our REALM a name, and also tick the UserIdResolvers created earlier.

FreeRadius needs all of this data in the /etc/linotp2/rlm_perl.ini file, as I wrote above, so if you did not edit it then, do it now.

The server is fully configured.

Addendum:

Setting up LinOTP on Debian 9:

Setup:

# echo 'deb http://linotp.org/apt/debian stretch linotp' > /etc/apt/sources.list.d/linotp.list 
# apt-get install dirmngr

# apt-key adv --recv-keys 913DFF12F86258E5
# apt-get update

# apt-get install mysql-server

(By default, on Debian 9 mysql (mariaDB) does not offer to set a root password; yes, you can leave it empty, but if you follow the news that usually ends in "epic fails", so we will set one anyway.)

# mysql -u root -p
use mysql;
UPDATE user SET Password = PASSWORD('your_password_here') WHERE User = 'root';
exit
# apt-get install linotp
# apt-get install linotp-adminclient-cli
# apt-get install python-ldap
# apt install freeradius
# nano /etc/freeradius/3.0/sites-enabled/linotp

Paste in the following config (sent by JuriM, thanks to him for that!):

server linotp {
listen {
ipaddr = *
port = 1812
type = auth
}
listen {
ipaddr = *
port = 1813
type = acct
}
authorize {
preprocess
update {
&control:Auth-Type := Perl
}
}
authenticate {
Auth-Type Perl {
perl
}
}
accounting {
unix
}
}

Edit /etc/freeradius/3.0/mods-enabled/perl

perl {
filename = /usr/share/linotp/radius_linotp.pm
func_authenticate = authenticate
func_authorize = authorize
}

Unfortunately, on Debian 9 the radius_linotp.pm library is not installed from the repositories, so we take it from github.

# apt install git
# git clone https://github.com/LinOTP/linotp-auth-freeradius-perl
# cd linotp-auth-freeradius-perl/
# cp radius_linotp.pm /usr/share/linotp/radius_linotp.pm

Now edit /etc/freeradius/3.0/clients.conf

client localnet {   # the client name is arbitrary
ipaddr = 192.168.188.0/24
secret = your_shared_secret
}

Then edit /etc/linotp2/rlm_perl.ini

We put the same content in there as for the Debian 8 setup (described above).

In theory everything should work. (Not tested.)

Below are a few links on setting up the systems that most often need to be protected with two-factor authentication:
Setting up two-factor authentication in Apache2

Setup with Cisco ASA (a different token application is used there, but the ASA settings themselves are the same).

VPN with two-factor authentication

Setting up two-factor authentication in ssh (LinOTP is also used there) - thanks to the author. There you will also find interesting details about configuring LinOTP policies.

In addition, the CMS of many sites support two-factor authentication (for WordPress, LinOTP even has its own dedicated module on github), for example if you want to make a protected section of your corporate site for company employees.
IMPORTANT NOTE! Do NOT tick the "Google authentificator" box in order to use Google Authenticator! The QR code cannot be read because... (strange fact)

The following articles were used as sources for this article:
itnan.ru/post.php?c=1&p=270571
www.digitalbears.net/?p=469

Thanks to the authors.

source: www.habr.com
