Simple passwords are insecure, and complex ones are impossible to remember. That is why they so often end up on a sticky note under the keyboard or on the monitor. To make sure that passwords stay in the heads of "forgetful" users while the reliability of the protection is not lost, there is two-factor authentication (2FA).
Because authentication combines possession of a device with knowledge of its PIN, the PIN itself can be simpler and easier to remember. Weaknesses in PIN length or randomness are compensated by the physical-possession requirement and by the limits on PIN brute force.
In addition, government organizations often require that everything works according to GOST. This article discusses such a 2FA option for logging into Linux. I'll start from afar.
PAM modules
Pluggable Authentication Modules (PAM) are modules with a standard API and implementations of various authentication mechanisms for applications.
Every utility and application that can work with PAM picks the modules up and can use them to authenticate the user.
In practice it works like this: the login command calls PAM, which performs all the necessary checks using the modules listed in the configuration file and returns the result to the login command.
librtpam
The module developed by the Aktiv company adds two-factor authentication of users with smart cards or USB tokens using asymmetric keys according to the latest domestic (Russian) cryptography standards.
Let's look at the principle of its operation:
- The token stores the user's certificate and its private key;
- The certificate is stored in the user's home directory as a trusted one.
The authentication process goes as follows:
- The user's certificate is looked up on the Rutoken.
- The token PIN is requested.
- Random data is signed with the private key directly in the Rutoken chip.
- The resulting signature is verified with the public key from the user's certificate.
- The module returns the signature verification result to the calling application.
You can authenticate with GOST R 34.10-2012 keys (256 or 512 bits long) or with the older GOST R 34.10-2001.
You don't have to worry about the security of the keys: they are generated directly in the Rutoken and never leave its memory during cryptographic operations.
Rutoken EDS 2.0 is certified by the FSB and FSTEC under NDV 4, so it can be used in information systems that process confidential information.
Practical use
Almost any modern Linux will do; as an example we'll use xUbuntu 18.10.
1) Install the required packages
sudo apt-get install libccid pcscd opensc
If you also want desktop locking with a screensaver, install the libpam-pkcs11 package as well.
2) Add the PAM module with GOST support
Install the library from
Copy librtpam.so.1.0.0 from the PAM folder to the system folder /usr/lib/, /usr/lib/x86_64-linux-gnu/ or /usr/lib64
3) Install the package with librtpkcs11ecp.so
Download and install the DEB or RPM package from this link:
4) Check that Rutoken EDS 2.0 works in the system
In the terminal, run
$ pkcs11-tool --module /usr/lib/librtpkcs11ecp.so -T
If you see the line Rutoken ECP <no label>, everything is fine.
5) Read the certificate
Check that the device contains a certificate
$ pkcs11-tool --module /usr/lib/librtpkcs11ecp.so -O
If, after the line
Using slot 0 with a present token (0x0)
information about keys and certificates is displayed, you need to read the certificate and save it to disk. To do this, run the following command, substituting for {id} the certificate ID you saw in the output of the previous command:
$ pkcs11-tool --module /usr/lib/librtpkcs11ecp.so -r -y cert --id {id} --output-file cert.crt
Once the cert.crt file has been created, go to step 6). If nothing is displayed, the device is empty. Contact your administrator, or create the keys and certificate yourself by following the next step.
5.1) Create a test certificate
Attention! The methods of creating keys and certificates described here are suitable for testing and are not intended for production use. For production you should use keys and certificates issued by your organization's trusted certification authority or by an accredited certification authority.
The PAM module is designed to protect local computers and is intended for small organizations. Since there are few users, the administrator can keep track of certificate revocation and block accounts manually, and likewise track certificate validity periods. The PAM module does not yet know how to validate certificates against CRLs or build trust chains.
The easy way (via a browser)
To obtain a test certificate, use
The geek's way (via the console and possibly a compiler)
Check the OpenSC version
$ opensc-tool --version
If the version is below 0.20, update or build
Generate a key pair with the following parameters:
--key-type: GOSTR3410-2012-512:A (GOST-2012, 512 bits, parameter set A), GOSTR3410-2012-256:A (GOST-2012, 256 bits, parameter set A)
--id:
the object identifier (CKA_ID) as a sequence of two-digit hex codes of characters from the ASCII table. Use only ASCII codes of printable characters, because the id will later have to be passed to OpenSSL as a string. For example, the ASCII codes "3132" correspond to the string "12". For convenience, you can use
$ ./pkcs11-tool --module /usr/lib/librtpkcs11ecp.so --keypairgen --key-type GOSTR3410-2012-512:A -l --id 3132
Next we'll create a certificate. Two ways are described below: the first goes through a CA (we'll use test CAs), the second is self-signed. For either, you must first install and configure OpenSSL version 1.1 or later to work with Rutoken through the special rtengine module, following the manual.
For example: for '--id 3132' you must specify "pkcs11:id=12" in OpenSSL.
You can use test CA services, there are many of them, for example,
Create a certificate request for the CA:
$ openssl req -utf8 -new -keyform engine -key "pkcs11:id=12" -engine rtengine -out req.csr
Upload the issued certificate to the device
Another option is to be lazy and create a self-signed certificate:
$ openssl req -utf8 -x509 -keyform engine -key "pkcs11:id=12" -engine rtengine -out cert.cer
6) Register the certificate in the system
Make sure your certificate looks like a base64 file:
If your certificate instead looks like this:
then you need to convert the certificate from DER format to PEM format (base64)
$ openssl x509 -in cert.crt -out cert.pem -inform DER -outform PEM
Check again that everything is in order.
Add the certificate to the list of trusted certificates
$ mkdir ~/.eid
$ chmod 0755 ~/.eid
$ cat cert.pem >> ~/.eid/authorized_certificates
$ chmod 0644 ~/.eid/authorized_certificates
The last line protects the list of trusted certificates from accidental or deliberate modification by other users. This prevents someone from adding their own certificate here and being able to log in under your account.
7) Configure authentication
Setting up our PAM module is standard and is done the same way as setting up any other module. Create the file /usr/share/pam-configs/rutoken-gost-pam containing the module's full name, whether it is enabled by default, the module's priority, and the authentication parameters.
The authentication parameters state the requirements for the operation to succeed:
- required: such modules must return a positive response. If the module call returns a negative response, authentication fails. The request will be rejected, but the remaining modules are still called.
- requisite: similar to required, but authentication fails immediately and the remaining modules are ignored.
- sufficient: if none of the required or sufficient modules before this one returned a negative result, the module returns a positive response. The remaining modules are not consulted.
- optional: if there are no required modules on the stack and none of the sufficient modules returned a positive result, then at least one of the optional modules must return a positive result.
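The DER-to-PEM conversion and the permission rules of step 6, as an added example that is not part of the original article: a small Python helper that detects whether cert.crt is already PEM, wraps DER as PEM the way openssl x509 -outform PEM does, appends it to ~/.eid/authorized_certificates with the 0755/0644 modes, and audits the list for the group/other write bits that would let another user add their own certificate. The file layout is the page's; the function names and the constructed sample certificate are my own.

```python
import base64
import stat
from pathlib import Path

PEM_HEADER = "-----BEGIN CERTIFICATE-----"
PEM_FOOTER = "-----END CERTIFICATE-----"

def is_pem(data: bytes) -> bool:
    """A PEM (base64) certificate starts with the textual BEGIN marker."""
    return data.lstrip().startswith(PEM_HEADER.encode())

def der_to_pem(der: bytes) -> str:
    """Wrap raw DER bytes as PEM: base64 body in 64-character lines,
    the same result as `openssl x509 -inform DER -outform PEM`."""
    if not der or der[0] != 0x30:          # an X.509 Certificate is an ASN.1 SEQUENCE
        raise ValueError("not a DER-encoded certificate (missing SEQUENCE tag)")
    body = base64.b64encode(der).decode()
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    return "\n".join([PEM_HEADER, *lines, PEM_FOOTER]) + "\n"

def install_trusted_cert(cert_path: Path, home: Path) -> Path:
    """Append the certificate (PEM or DER) to <home>/.eid/authorized_certificates
    with the permissions step 6 requires: directory 0755, file 0644."""
    data = cert_path.read_bytes()
    pem = data.decode() if is_pem(data) else der_to_pem(data)
    eid = home / ".eid"
    eid.mkdir(mode=0o755, exist_ok=True)
    eid.chmod(0o755)                        # explicit: mkdir's mode is subject to umask
    target = eid / "authorized_certificates"
    with target.open("a") as fh:
        fh.write(pem if pem.endswith("\n") else pem + "\n")
    target.chmod(0o644)
    return target

def check_trusted_list(home: Path) -> list:
    """Return the problems found with the trusted-certificate list (empty list = OK).
    Group/other write bits would let another user add their own certificate."""
    problems = []
    target = home / ".eid" / "authorized_certificates"
    if not target.exists():
        return ["authorized_certificates is missing"]
    for path in (target.parent, target):
        mode = stat.S_IMODE(path.stat().st_mode)
        if mode & (stat.S_IWGRP | stat.S_IWOTH):
            problems.append(f"{path} is writable by group/other (mode {mode:04o})")
    if PEM_HEADER not in target.read_text():
        problems.append("list contains no PEM certificate")
    return problems
```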
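The four control flags above, as an added example that is not part of the original article: a Python simulation of how a PAM auth stack evaluates them, run over the stack this guide produces (librtpam as sufficient, followed by the distribution's password module). The pam_unix entry and the function names are assumptions; real pam-auth-update output uses [success=N default=ignore] jump syntax rather than a bare required line.

```python
from typing import Dict, List, Tuple

# A stack entry is (control flag, module name). Module verdicts come from
# `outcomes`, a mapping module name -> bool standing in for the real module call.
Stack = List[Tuple[str, str]]

def run_auth_stack(stack: Stack, outcomes: Dict[str, bool]) -> Tuple[bool, List[str]]:
    """Evaluate an auth stack with the required/requisite/sufficient/optional
    semantics described above. Returns (authenticated, modules actually invoked)."""
    invoked: List[str] = []
    required_seen = False
    required_failed = False
    optional_ok = False
    for flag, module in stack:
        ok = outcomes[module]
        invoked.append(module)
        if flag == "required":
            required_seen = True
            required_failed |= not ok        # remember the failure, keep calling modules
        elif flag == "requisite":
            required_seen = True
            if not ok:
                return False, invoked        # fail at once, remaining modules skipped
        elif flag == "sufficient":
            if ok and not required_failed:
                return True, invoked         # done, remaining modules not consulted
        elif flag == "optional":
            optional_ok |= ok                # only decides when nothing else did
        else:
            raise ValueError(f"unknown control flag {flag!r}")
    if required_seen:
        return not required_failed, invoked
    return optional_ok, invoked

def rutoken_stack() -> Stack:
    """The stack the page's pam-config yields: librtpam (sufficient, priority 800)
    ahead of the password module. pam_unix here is an assumed stand-in."""
    return [("sufficient", "librtpam"), ("required", "pam_unix")]
```

With the token accepted, pam_unix is never asked for a password; with the token missing or the PIN wrong, login falls through to the password, which is why step 8 can verify the setup without locking anyone out.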
Full content of the file /usr/share/pam-configs/rutoken-gost-pam:
Name: Rutoken PAM GOST
Default: yes
Priority: 800
Auth-Type: Primary
Auth: sufficient /usr/lib/librtpam.so.1.0.0 /usr/lib/librtpkcs11ecp.so
Save the file, then run
$ sudo pam-auth-update
In the window that appears, put an asterisk next to Rutoken PAM GOST and press OK.
8) Check the settings
To make sure everything is configured, while not losing the ability to log in to the system, enter the command
$ sudo login
Enter your username. Everything is configured correctly if the system asks for the device PIN code.
9) Configure the computer to lock when the token is removed
The libpam-pkcs11 package includes the pkcs11_eventmgr utility, which lets you perform various actions when PKCS#11 events occur.
pkcs11_eventmgr is configured through the configuration file /etc/pam_pkcs11/pkcs11_eventmgr.conf
For different Linux distributions, the command that locks the session when the smart card or token is removed will differ. See the card_remove event.
An example configuration file is shown below:
pkcs11_eventmgr
{
# Run in the background
daemon = true;
# Debug message settings
debug = false;
# Polling interval in seconds
polling_time = 1;
# Timeout for card removal
# Default 0
expire_time = 0;
# Select the pkcs11 library for working with Rutoken
pkcs11_module = /usr/lib/librtpkcs11ecp.so;
# Card actions
# Card inserted:
event card_insert {
# Leave the default values (nothing happens)
on_error = ignore ;
action = "/bin/false";
}
# Card removed
event card_remove {
on_error = ignore;
# Call the screen lock function
# For GNOME
action = "dbus-send --type=method_call --dest=org.gnome.ScreenSaver /org/gnome/ScreenSaver org.gnome.ScreenSaver.Lock";
# For XFCE
# action = "xflock4";
# For Astra Linux (FLY)
# action = "fly-wmfunc FLYWM_LOCK";
}
# Card removed for a long time
event expire_time {
# Leave the default values (nothing happens)
on_error = ignore;
action = "/bin/false";
}
}
After that, add the pkcs11_eventmgr application to autostart. To do this, edit the .bash_profile file:
$ nano /home/<username>/.bash_profile
Add the line pkcs11_eventmgr to the end of the file and reboot.
The described steps for configuring the operating system can be used as instructions for any modern Linux distribution, including domestic ones.
Conclusion
Linux PCs are becoming increasingly popular in Russian government agencies, and setting up reliable two-factor authentication in this OS is not always easy. We will be glad to help you solve the "password problem" with this guide and reliably protect access to your PC without spending a lot of time on it.
Source: www.habr.com