Two-factor authentication: everybody needs it and it is a prickly subject, but there are no free tokens, and in general what you are offered boils down to staying in a good mood.
This solution is nothing groundbreaking, but a combination of various solutions found on the Internet.
So, given:
An Active Directory domain.
Domain users work over VPN, as most do these days.
Fortigate serves as the VPN gateway.
Saving the VPN client password is prohibited by the security policy.
Fortinet's policy regarding its own tokens can only be described as stingy: there are as many as ten free tokens, the rest come at a non-kosher price. I did not consider RSA SecurID, Duo and the like, because I want open source.
Prerequisites: a *nix host with freeradius installed and sssd joined to the domain, so that domain users can authenticate on it without trouble.
Additional packages: shellinabox, figlet, freeradius-ldap and the rebel.tlf font from the repository.
In my case: CentOS 7.8.
The logic should be as follows: when connecting to the VPN, the user enters their domain login and an OTP instead of the password.
Services setup
In /etc/raddb/radiusd.conf only the user and group under which freeradius starts are changed, because the radiusd service has to read files in every directory under /home/.
user = root
group = root
To be able to use groups in Fortigate policies, a Vendor Specific Attribute has to be passed. To do this, in the raddb/policy.d directory I create a file with the following contents:
group_authorization {
    if (&LDAP-Group[*] == "CN=vpn_admins,OU=vpn-groups,DC=domain,DC=local") {
        update reply {
            &Fortinet-Group-Name = "vpn_admins"
        }
        update control {
            &Auth-Type := PAM
            # Note: attributes in the control list are not sent to the NAS;
            # move Reply-Message to "update reply" if the client should see it.
            &Reply-Message := "Welcome Admin"
        }
    }
    else {
        update reply {
            &Reply-Message := "Not authorized for vpn"
        }
        reject
    }
}
After installing freeradius-ldap, an ldap file is created in the raddb/mods-available directory.
You need to create a symbolic link to it in the raddb/mods-enabled directory.
ln -s /etc/raddb/mods-available/ldap /etc/raddb/mods-enabled/ldap
I bring its contents to the following form:
ldap {
    server = 'domain.local'
    identity = 'CN=freerad_user,OU=users,DC=domain,DC=local'
    password = "SupeSecretP@ssword"
    base_dn = 'dc=domain,dc=local'
    sasl {
    }
    user {
        base_dn = "${..base_dn}"
        filter = "(sAMAccountname=%{%{Stripped-User-Name}:-%{User-Name}})"
        sasl {
        }
        scope = 'sub'
    }
    group {
        base_dn = "${..base_dn}"
        filter = '(objectClass=Group)'
        scope = 'sub'
        name_attribute = cn
        membership_filter = "(|(member=%{control:Ldap-UserDn})(memberUid=%{%{Stripped-User-Name}:-%{User-Name}}))"
        membership_attribute = 'memberOf'
    }
}
In the files raddb/sites-enabled/default and raddb/sites-enabled/inner-tunnel, in the authorize section, I add the name of the policy to be used: group_authorization. Important point: the policy name is determined not by the file name in the policy.d directory, but by the directive inside the file in front of the curly braces.
In the authenticate section of the same files you need to uncomment the pam line.
In the clients.conf file, write the parameters with which Fortigate will connect:
client fortigate {
    ipaddr = 192.168.1.200
    secret = testing123
    require_message_authenticator = no
    nas_type = other
}
Configuration of the pam.d/radiusd module:
#%PAM-1.0
auth sufficient pam_google_authenticator.so
auth include password-auth
account required pam_nologin.so
account include password-auth
password include password-auth
session include password-auth
The default freeradius + google authenticator bundle requires the user to enter credentials in the format username/password+OTP.
Imagining the number of curses that would land on my head if I used the default freeradius + Google Authenticator bundle, I decided to use the pam module configuration so that only the Google Authenticator token is checked.
When a user connects, the following happens:
- Freeradius checks that the user exists in the domain and in the required group and, if so, the OTP token is checked.
Everything looked fine until the moment I thought: "How do I enroll OTP for 300+ users?"
The user has to log in to the freeradius server under their own account and run the Google Authenticator application, which generates a QR code for that user. This is where shellinabox paired with .bash_profile comes to the rescue.
[root@freeradius ~]# yum install -y shellinabox
The daemon's configuration file is /etc/sysconfig/shellinabox.
I set port 443 there; you can also specify your own certificate.
[root@freeradius ~]# systemctl enable --now shellinaboxd
The user only has to follow the link, enter their domain credentials and receive a QR code.
The algorithm is as follows:
- The user logs in to the machine through the browser.
- Whether the user is a domain user is checked. If not, nothing is done.
- If the user is a domain user, membership in the admins group is checked.
- If not an admin, it checks whether Google Authenticator is already set up. If not, a QR code is generated and the user is logged out.
- If not an admin and Google Authenticator is already set up, just log out.
- If an admin, Google Authenticator is checked in the same way. If it is not set up, a QR code is generated.
All the logic is implemented in /etc/skel/.bash_profile.
cat /etc/skel/.bash_profile
# .bash_profile
# Get the aliases and functions
if [ -f ~/.bashrc ]; then
    . ~/.bashrc
fi

# User specific environment and startup programs

# Non-admin or non-local (domain) users get a private bin directory holding
# only the handful of commands this portal needs, and PATH is restricted to it.
if [[ -z $(id "$USER" | grep "admins") || -z $(grep "$USER" /etc/passwd) ]]
then
    [[ ! -d $HOME/bin ]] && mkdir "$HOME/bin"
    [[ ! -f $HOME/bin/id ]] && ln -s /usr/bin/id "$HOME/bin/id"
    [[ ! -f $HOME/bin/google-auth ]] && ln -s /usr/bin/google-authenticator "$HOME/bin/google-auth"
    [[ ! -f $HOME/bin/grep ]] && ln -s /usr/bin/grep "$HOME/bin/grep"
    [[ ! -f $HOME/bin/figlet ]] && ln -s /usr/bin/figlet "$HOME/bin/figlet"
    [[ ! -f $HOME/bin/rebel.tlf ]] && ln -s /usr/share/figlet/rebel.tlf "$HOME/bin/rebel.tlf"
    [[ ! -f $HOME/bin/sleep ]] && ln -s /usr/bin/sleep "$HOME/bin/sleep"
    # Set PATH env to <home user directory>/bin
    PATH=$HOME/bin
    export PATH
else
    PATH=$PATH:$HOME/.local/bin:$HOME/bin
    export PATH
fi

# Banner and instructions shown before google-authenticator prints the QR code
show_enrollment_intro() {
    figlet -t -f "$HOME/bin/rebel.tlf" "Welcome to Company GAuth setup portal"
    sleep 1.5
    echo "Please, run any of these software on your device, where you would like to setup OTP:
Google Authenticator:
AppStore - https://apps.apple.com/us/app/google-authenticator/id388497605
Play Market - https://play.google.com/store/apps/details?id=com.google.android.apps.authenticator2&hl=en
FreeOTP:
AppStore - https://apps.apple.com/us/app/freeotp-authenticator/id872559395
Play Market - https://play.google.com/store/apps/details?id=org.fedorahosted.freeotp&hl=en
And prepare to scan QR code.
"
    sleep 5
}

if [[ -n $(id "$USER" | grep "domain users") ]]
then
    if [[ ! -e $HOME/.google_authenticator ]]
    then
        show_enrollment_intro
        # -f overwrite without asking, -t time-based codes, -w 3 accept a window of 3 codes,
        # -r 3 -R 30 at most 3 attempts per 30 seconds, -d disallow reuse of a code, -e 1 one emergency code
        google-auth -f -t -w 3 -r 3 -R 30 -d -e 1
        echo "Congratulations, now you can use an OTP token from application as a password connecting to VPN."
        # Non-admins are logged out as soon as enrollment is done; admins keep their shell
        if [[ -z $(id "$USER" | grep "admins") ]]
        then
            logout
        fi
    else
        echo "You have already setup a Google Authenticator"
        if [[ -z $(id "$USER" | grep "admins") ]]
        then
            logout
        fi
    fi
else
    echo "You don't need to set up a Google Authenticator"
fi
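The token check that pam_google_authenticator performs in the PAM step above, and the -w 3 and -d options google-auth is run with in the enrollment script, both come down to RFC 6238 TOTP. The following Python is an added example, not code from the article or from the google-authenticator project: it derives codes from the base32 secret the phone app scans, builds the otpauth URI that the QR code carries, and verifies a submitted code within a window of 3 time steps while refusing reuse of an already accepted step. The function and class names (totp, provisioning_uri, OtpVerifier) are mine; the secret is the RFC 6238 test value and the issuer and account names are constructed.

```python
import base64
import hashlib
import hmac
import struct
from urllib.parse import quote


def totp(secret_b32: str, timestamp: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP with HMAC-SHA1, the profile the Google Authenticator app uses."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    key = base64.b32decode(padded)
    counter = timestamp // step
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                       # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def provisioning_uri(issuer: str, account: str, secret_b32: str) -> str:
    """The otpauth:// URI that google-authenticator encodes into the QR code."""
    label = quote(f"{issuer}:{account}")
    return f"otpauth://totp/{label}?secret={secret_b32}&issuer={quote(issuer)}"


class OtpVerifier:
    """Server-side check modelled on pam_google_authenticator with -w <window> and -d."""

    def __init__(self, secret_b32: str, window: int = 3, step: int = 30):
        self.secret = secret_b32
        self.step = step
        self.half = window // 2          # -w 3 means the current step plus one on each side
        self.used_counters = set()       # -d: a time step that already produced a login is burnt

    def verify(self, code: str, timestamp: int) -> bool:
        if len(code) != 6 or not code.isdigit():
            return False
        current = timestamp // self.step
        for counter in range(current - self.half, current + self.half + 1):
            if counter in self.used_counters:
                continue
            expected = totp(self.secret, counter * self.step, self.step)
            if hmac.compare_digest(expected, code):
                self.used_counters.add(counter)
                return True
        return False


if __name__ == "__main__":
    # Constructed demo: RFC 6238 test secret ("12345678901234567890" in base32)
    SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
    print(provisioning_uri("Company", "jdoe", SECRET))
    verifier = OtpVerifier(SECRET, window=3)
    print(totp(SECRET, 1111111109), verifier.verify(totp(SECRET, 1111111109), 1111111109 + 30))
```

A code from the previous 30-second step is still accepted one step later (clock skew between phone and server), two steps later it is not, and a code that already logged someone in is refused even while it is still inside the window.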
Fortigate setup:
- Create the RADIUS server.
- Create the required groups and, if needed, access control by groups. The group name on Fortigate must match the group passed in the Vendor Specific Attribute Fortinet-Group-Name.
- Configure the required SSL portals.
- Add the groups to the policies.
Advantages of this solution:
- OTP authentication on Fortigate is possible with an open source solution.
- The user does not enter the domain password when connecting to the VPN, which simplifies the connection process. A 6-digit code is easier to type than a password that satisfies the security policy. As a result, the number of tickets saying "I can't connect to the VPN" goes down.
PS We plan to upgrade this solution to full two-factor authentication with challenge-response.
Update:
As promised, I converted it to the challenge-response option.
So:
In the file /etc/raddb/sites-enabled/default the authorize section looks like this:
authorize {
    filter_username
    preprocess
    auth_log
    chap
    mschap
    suffix
    eap {
        ok = return
    }
    files
    -sql
    #-ldap
    expiration
    logintime
    if (!State) {
        if (&User-Password) {
            # If !State and User-Password (PAP), then force LDAP:
            update control {
                Ldap-UserDN := "%{User-Name}"
                Auth-Type := LDAP
            }
        }
        else {
            reject
        }
    }
    else {
        # If State, then proxy request:
        group_authorization
    }
    pap
}
The authenticate section now looks like this:
authenticate {
    Auth-Type PAP {
        pap
    }
    Auth-Type CHAP {
        chap
    }
    Auth-Type MS-CHAP {
        mschap
    }
    mschap
    digest
    # Attempt authentication with a direct LDAP bind:
    Auth-Type LDAP {
        ldap
        if (ok) {
            update reply {
                # Create a random State attribute:
                State := "%{randstr:aaaaaaaaaaaaaaaa}"
                Reply-Message := "Please enter OTP"
            }
            # Return Access-Challenge:
            challenge
        }
    }
    pam
    eap
}
Now user authentication follows this algorithm:
- The user enters domain credentials in the VPN client.
- Freeradius checks the account and password.
- If the password is correct, a request for the token is sent.
- The token is verified.
- Profit :)
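The two-round exchange described above, as an added Python model that is not part of the article: the server side mirrors the authorize/authenticate logic (no State plus a password means an LDAP bind followed by an Access-Challenge carrying a random 16-character State; a request that carries State goes through the group check and then the OTP check), and the client side plays the part of the Fortigate. The LDAP bind, the vpn_admins group and the pam OTP check are replaced by a constructed in-memory password table, a constructed admin set and an injected otp_check callable, all hypothetical, and STATE_TTL is an assumed value. The page's unlang branches only on whether a State attribute is present; the model additionally keeps issued State values server-side and honours a second-round request only for a State it issued to that user that has not expired or been used.

```python
import hmac
import secrets
import time


class ChallengeResponseRadius:
    """Server side of the two-round flow. Constructed stand-ins (hypothetical):
    passwords - dict user -> password, replacing the LDAP bind
    admins    - set of users, replacing the vpn_admins LDAP group
    otp_check - callable(user, otp) -> bool, replacing pam_google_authenticator
    """

    STATE_TTL = 60  # seconds a pending challenge stays valid (assumed value)

    def __init__(self, passwords, admins, otp_check, clock=time.time):
        self.passwords = passwords
        self.admins = set(admins)
        self.otp_check = otp_check
        self.clock = clock
        self.pending = {}  # State -> (user, expiry)

    def handle(self, request):
        user = request.get("User-Name")
        password = request.get("User-Password")
        state = request.get("State")
        if user is None or password is None:
            return {"code": "Access-Reject"}
        if state is None:
            return self._first_round(user, password)
        return self._second_round(user, password, state)

    def _first_round(self, user, password):
        # authorize: !State and User-Password present -> Auth-Type LDAP (bind as the user)
        expected = self.passwords.get(user)
        if expected is None or not hmac.compare_digest(expected.encode(), password.encode()):
            return {"code": "Access-Reject"}
        # authenticate: bind ok -> random State, Reply-Message, Access-Challenge
        state = secrets.token_hex(8)  # 16 characters, like %{randstr:aaaaaaaaaaaaaaaa}
        self.pending[state] = (user, self.clock() + self.STATE_TTL)
        return {"code": "Access-Challenge", "State": state, "Reply-Message": "Please enter OTP"}

    def _second_round(self, user, otp, state):
        # Only a State this server issued, to this user, unexpired and not yet used, is honoured
        entry = self.pending.pop(state, None)
        if entry is None or entry[0] != user or self.clock() > entry[1]:
            return {"code": "Access-Reject"}
        # group_authorization: group membership decides between Auth-Type PAM and reject
        if user not in self.admins:
            return {"code": "Access-Reject", "Reply-Message": "Not authorized for vpn"}
        # Auth-Type PAM: User-Password now carries the OTP, not the domain password
        if not self.otp_check(user, otp):
            return {"code": "Access-Reject"}
        return {"code": "Access-Accept", "Fortinet-Group-Name": "vpn_admins",
                "Reply-Message": "Welcome Admin"}


def vpn_client_login(server, user, password, otp):
    """What the Fortigate does: send the password; if challenged, resend with State and the OTP."""
    reply = server.handle({"User-Name": user, "User-Password": password})
    if reply["code"] != "Access-Challenge":
        return reply
    return server.handle({"User-Name": user, "User-Password": otp, "State": reply["State"]})


if __name__ == "__main__":
    # Constructed sample directory; "482910" stands in for whatever code the app currently shows
    srv = ChallengeResponseRadius({"jdoe": "CorrectHorse"}, {"jdoe"}, lambda u, o: o == "482910")
    print(vpn_client_login(srv, "jdoe", "CorrectHorse", "482910")["code"])  # Access-Accept
    print(vpn_client_login(srv, "jdoe", "CorrectHorse", "000000")["code"])  # Access-Reject
```

Binding the State to the user and expiring it means that a second-round request can only follow a successful first round by the same user, which is what makes the result two factors rather than two independent one-factor checks.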
Source: www.habr.com