How to use PAM modules for local authentication in Linux with GOST-2012 keys on Rutoken

Simple passwords are insecure, and complex ones are impossible to remember. That is why they so often end up on a sticky note under the keyboard or on the monitor. So that passwords stay in the heads of "forgetful" users and the strength of the protection is not lost, there is two-factor authentication (2FA).

Because it combines possession of a device with knowledge of its PIN, the PIN itself can be simpler and easier to remember. Weaknesses in the PIN's length or randomness are compensated by the requirement of physical possession and by the limits on PIN brute force.

In addition, government organizations sometimes require that everything work according to GOST. This article discusses that 2FA option for logging into Linux. I will start from a bit further back.

PAM modules

Pluggable Authentication Modules (PAM) are modules with a standard API and implementations of various authentication mechanisms in applications.
All utilities and applications that can work with PAM pick them up and can use them to authenticate the user.
In practice it works like this: the login command calls PAM, which performs all the necessary checks using the modules listed in the configuration file and returns the result to the login command.

librtpam

The module developed by Aktiv adds two-factor authentication of users with smart cards or USB tokens, using asymmetric keys according to the latest domestic (Russian) cryptography standards.

Let us look at the principle of its operation:

  • the token stores the user's certificate and its private key;
  • the certificate is stored in the user's home directory as trusted.

The authentication process goes as follows:

  1. Rutoken looks up the user's certificate.
  2. The token PIN is requested.
  3. Random data is signed with the private key directly in the Rutoken chip.
  4. The resulting signature is verified using the public key from the user's certificate.
  5. The module returns the result of the signature verification to the calling application.

You can authenticate using GOST R 34.10-2012 keys (256 or 512 bits long) or the older GOST R 34.10-2001.

You do not have to worry about the security of the keys: they are generated directly in the Rutoken and never leave its memory during cryptographic operations.


Rutoken EDS 2.0 is certified by the FSB and FSTEC according to NDV 4, so it can be used in information systems that process confidential information.

Practical application

Almost any modern Linux will do; as an example we will use xUbuntu 18.10.

1) Install the required packages

sudo apt-get install libccid pcscd opensc
If you also want to lock the desktop with the screensaver, install the libpam-pkcs11 package as well.

2) Add the PAM module with GOST support

Download the library from https://download.rutoken.ru/Rutoken/PAM/
Copy the contents of the PAM folder, librtpam.so.1.0.0, to the system folder
/usr/lib/, /usr/lib/x86_64-linux-gnu/ or /usr/lib64

3) Install the package with librtpkcs11ecp.so

Download and install the DEB or RPM package from this link: https://www.rutoken.ru/support/download/pkcs/

4) Check that Rutoken EDS 2.0 works in the system

In a terminal, run
$ pkcs11-tool --module /usr/lib/librtpkcs11ecp.so -T
If you see the line Rutoken ECP <no label>, everything is fine.

5) Read the certificate

Check that the device contains a certificate
$ pkcs11-tool --module /usr/lib/librtpkcs11ecp.so -O
If after the line:
Using slot 0 with a present token (0x0)

  • information about keys and certificates is shown, you need to read the certificate and save it to disk. To do this, run the following command, substituting for {id} the certificate ID you saw in the output of the previous command:
    $ pkcs11-tool --module /usr/lib/librtpkcs11ecp.so -r -y cert --id {id} --output-file cert.crt
    Once the cert.crt file has been created, go to step 6.
  • nothing is shown, the device is empty. Contact your administrator, or generate keys and a certificate yourself by following the next step.

5.1) Create a test certificate

Attention! The methods of generating keys and certificates described below are suitable for testing and are not intended for use in production. For production you must use keys and certificates issued by your organization's trusted certification authority or by an accredited certification authority.
The PAM module is designed to protect local computers and is intended for small organizations. Since there are few users, an administrator can keep track of certificate revocations and validity periods and block accounts manually. The PAM module does not yet know how to validate certificates using CRLs or build chains of trust.

The easy way (via a browser)

To obtain a test certificate, use the "Rutoken Registration Center" web service. The procedure takes no more than 5 minutes.

The geek's way (via the console and, possibly, the compiler)

Check the OpenSC version
$ opensc-tool --version
If the version is below 0.20, update it, or build pkcs11-tool from the branch with GOST-2012 support on our GitHub (at the time of writing, release 0.20 had not yet been published) or from the master branch of the OpenSC project no earlier than commit 8cf1e6f.

Generate a key pair with the following parameters:
--key-type: GOSTR3410-2012-512:A (GOST-2012, 512 bits, parameter set A), GOSTR3410-2012-256:A (GOST-2012, 256 bits, parameter set A)

--id: the object identifier (CKA_ID) as two-digit hex character codes from the ASCII table. Use only the ASCII codes of printable characters, because the id will later have to be passed to OpenSSL as a string. For example, the ASCII codes "3132" correspond to the string "12". For convenience, you can use an online service to convert a string to ASCII codes.

$ ./pkcs11-tool --module /usr/lib/librtpkcs11ecp.so --keypairgen --key-type GOSTR3410-2012-512:A -l --id 3132

Next we will create a certificate. Two ways are described below: the first goes through a CA (we will use test CAs), the second is self-signed. For either of them, you must first install and configure OpenSSL version 1.1 or later to work with Rutoken through the special rtengine module, following the manual "Installing and configuring OpenSSL".
For example: for '--id 3132', in OpenSSL you must specify "pkcs11:id=12".
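The relationship between the --id value given to pkcs11-tool and the pkcs11:id= reference used in the OpenSSL commands is easy to get wrong by hand. The script below is an added example, not code from the article or from Rutoken: it converts a printable-ASCII label into the hex CKA_ID that pkcs11-tool takes, rejects labels with non-printable bytes (the constraint the text states), and decodes a hex CKA_ID back into the pkcs11:id= string. The function names cka_id_hex, hex_to_label and pkcs11_uri_from_hex are chosen here.

```shell
#!/bin/sh
# Added example: convert between a printable-ASCII label, the hex CKA_ID that
# pkcs11-tool takes via --id, and the pkcs11:id= string passed to OpenSSL.
# Function names (cka_id_hex, hex_to_label, pkcs11_uri_from_hex) are chosen here.

# Succeeds only if the label is non-empty and made of printable ASCII (0x20-0x7E).
# The CKA_ID is later passed to OpenSSL as a string, so other bytes are rejected.
label_is_printable_ascii() {
    [ -n "$1" ] || return 1
    [ -z "$(printf '%s' "$1" | LC_ALL=C tr -d '\040-\176')" ]
}

# Label -> hex CKA_ID, e.g. "12" -> "3132" (the value pkcs11-tool --id expects).
cka_id_hex() {
    label_is_printable_ascii "$1" || { echo "label must be printable ASCII" >&2; return 1; }
    printf '%s' "$1" | od -An -tx1 | tr -d ' \n'
}

# Hex CKA_ID -> label, e.g. "3132" -> "12". Octal escapes are used so that the
# decoding works in plain POSIX sh (printf has no \x escape there). Meant for
# CKA_IDs that encode printable ASCII, as the article requires.
hex_to_label() {
    hex=$1
    case "$hex" in
        ""|*[!0-9A-Fa-f]*) echo "CKA_ID must consist of hex digits" >&2; return 1 ;;
    esac
    [ $(( ${#hex} % 2 )) -eq 0 ] || { echo "CKA_ID needs an even number of hex digits" >&2; return 1; }
    out=""
    while [ -n "$hex" ]; do
        pair=${hex%"${hex#??}"}          # first two hex digits
        hex=${hex#??}
        out="$out$(printf "\\$(printf '%03o' "$((0x$pair))")")"
    done
    printf '%s' "$out"
}

# Hex CKA_ID -> the key reference used with "-key" in the openssl commands.
pkcs11_uri_from_hex() {
    printf 'pkcs11:id=%s' "$(hex_to_label "$1")"
}

# Usage: cka_id_hex 12              -> 3132
#        pkcs11_uri_from_hex 3132   -> pkcs11:id=12
```

The article passes the decoded label directly as pkcs11:id=12 and that is what the script reproduces; note that RFC 7512 defines the id attribute of a pkcs11: URI as percent-encoded bytes (%31%32), so other PKCS#11 engines and tools may expect that form instead.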

You can use test CA services; there are many of them. For this we first create a certificate request:
$ openssl req -utf8 -new -keyform engine -key "pkcs11:id=12" -engine rtengine -out req.csr

Another option is to be lazy and create a self-signed certificate:
$ openssl req -utf8 -x509 -keyform engine -key "pkcs11:id=12" -engine rtengine -out cert.cer

Then load the certificate onto the device.

6) Register the certificate in the system

Make sure your certificate is a base64 (PEM) file, that is, a text file that begins with the line -----BEGIN CERTIFICATE-----.

If instead your certificate is binary (DER) data, you need to convert it from DER format to PEM format (base64):

$ openssl x509 -in cert.crt -out cert.pem -inform DER -outform PEM
Then check again that everything is in order.

Add the certificate to the list of trusted certificates
$ mkdir ~/.eid
$ chmod 0755 ~/.eid
$ cat cert.pem >> ~/.eid/authorized_certificates
$ chmod 0644 ~/.eid/authorized_certificates

The last line protects the list of trusted certificates from accidental or deliberate modification by other users. This prevents someone from adding their own certificate to it and being able to log in as you.
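The format check of step 6 and the trusted-list setup just shown can be scripted together. The following is an added example, not code from the article or from librtpam: it tells PEM from DER by the file header (PEM starts with -----BEGIN CERTIFICATE-----, DER with the ASN.1 SEQUENCE tag 0x30), converts DER with the same openssl command as above, appends the result to ~/.eid/authorized_certificates with the 0755/0644 permissions from the article, and then verifies that neither the directory nor the list is writable by other users, which is the property the last line is there to guarantee. The function names (cert_format, install_authorized_cert, not_writable_by_others, authorized_list_is_protected) are chosen here.

```shell
#!/bin/sh
# Added example: detect PEM vs DER, convert DER to PEM when needed, append the
# certificate to ~/.eid/authorized_certificates with the article's permissions,
# and check that the list cannot be modified by other users.
# Function names are chosen here; they are not part of librtpam.

# Prints PEM, DER or UNKNOWN. PEM starts with the "-----BEGIN CERTIFICATE-----"
# header (27 bytes); DER starts with the ASN.1 SEQUENCE tag 0x30.
cert_format() {
    case "$(head -c 27 "$1" 2>/dev/null)" in
        "-----BEGIN CERTIFICATE-----") echo PEM ;;
        *)  if [ "$(od -An -tx1 -N1 "$1" 2>/dev/null | tr -d ' \n')" = "30" ]; then
                echo DER
            else
                echo UNKNOWN
            fi ;;
    esac
}

# Append a certificate to the trusted list (DER input is converted with openssl
# first) and apply the 0755/0644 permissions from the article.
# $1 = certificate file, $2 = list directory (default: ~/.eid)
install_authorized_cert() {
    cert=$1
    dir=${2:-"$HOME/.eid"}
    list="$dir/authorized_certificates"
    case "$(cert_format "$cert")" in
        PEM) pem=$cert ;;
        DER) pem=$(mktemp) || return 1
             openssl x509 -in "$cert" -inform DER -out "$pem" -outform PEM || return 1 ;;
        *)   echo "$cert: not a PEM or DER certificate" >&2; return 1 ;;
    esac
    mkdir -p "$dir" || return 1
    chmod 0755 "$dir" || return 1
    cat "$pem" >> "$list" || return 1
    chmod 0644 "$list"
}

# Succeeds only if the file or directory is owned by the calling user and is
# writable neither by the group nor by others. Mode string and numeric owner
# come from "ls -ldn", whose first and third fields are standard.
not_writable_by_others() {
    info=$(ls -ldn "$1") || return 1
    set -- $info
    mode=$1
    owner=$3
    [ "$owner" = "$(id -u)" ] || return 1
    case "$mode" in
        ?????w????|????????w?) return 1 ;;   # group-writable or world-writable
    esac
    return 0
}

# Check both the directory and the list: a user who can write to the directory
# could replace the list file even if the file itself is read-only.
authorized_list_is_protected() {
    dir=${1:-"$HOME/.eid"}
    not_writable_by_others "$dir" && not_writable_by_others "$dir/authorized_certificates"
}

# Usage: install_authorized_cert cert.crt && authorized_list_is_protected
```

The directory check matters because chmod 0644 on the file alone does not help if ~/.eid (or the home directory above it) is writable by others: the file can then simply be replaced.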

7) Configure authentication

Configuring our PAM module is standard and is done in the same way as for other modules. Create the file /usr/share/pam-configs/rutoken-gost-pam containing the full module name, whether it is enabled by default, the module priority, and the authentication parameters.
The authentication parameters state the requirements for the operation to succeed:

  • required: such modules must return a positive response. If the module call returns a negative result, this leads to an authentication failure. The request will be rejected, but the remaining modules will still be called.
  • requisite: the same as required, but authentication fails immediately and the remaining modules are ignored.
  • sufficient: if none of the required or sufficient modules before this module produced a negative result, the module returns a positive response. The remaining modules will not be checked.
  • optional: if there are no required modules in the stack and none of the sufficient modules returned a positive result, then at least one of the optional modules must return a positive result.

Full content of the file /usr/share/pam-configs/rutoken-gost-pam:
Name: Rutoken PAM GOST
Default: yes
Priority: 800
Auth-Type: Primary
Auth: sufficient /usr/lib/librtpam.so.1.0.0 /usr/lib/librtpkcs11ecp.so
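To see what the four control flags mean for the stack this file produces, here is an added example that is not part of the article or of librtpam: a POSIX sh function (pam_stack, a name chosen here) that applies the required/requisite/sufficient/optional rules exactly as the list above describes them to a sequence of module results. The scenarios in the comments assume that the distribution's password module (pam_unix) follows librtpam as required, which is what a stock Ubuntu configuration does but is not stated by the article.

```shell
#!/bin/sh
# Added example: a simplified evaluator of a PAM auth stack, following the
# required/requisite/sufficient/optional rules as the article describes them.
# Each argument is CONTROL:RESULT in stack order, e.g. "sufficient:ok required:fail".
# Prints "ok" or "fail" and returns 0 or 1. pam_stack is a name chosen here.

pam_stack() {
    fatal=0        # a required module failed: the stack fails whatever follows
    seen_req=0     # at least one required/requisite module was evaluated
    optional_ok=0  # an optional module succeeded
    for entry in "$@"; do
        control=${entry%%:*}
        result=${entry#*:}
        case "$control" in
            required)
                seen_req=1
                # Failure is remembered, but the remaining modules still run
                # (so the user cannot tell which module rejected them).
                if [ "$result" != ok ]; then fatal=1; fi ;;
            requisite)
                seen_req=1
                # Failure ends the stack at once; later modules are ignored.
                if [ "$result" != ok ]; then echo fail; return 1; fi ;;
            sufficient)
                # Success ends the stack with "ok" only if no required module
                # failed earlier; otherwise the success is ignored. Failure of a
                # sufficient module is not fatal: the stack simply continues.
                if [ "$result" = ok ] && [ "$fatal" -eq 0 ]; then echo ok; return 0; fi ;;
            optional)
                if [ "$result" = ok ]; then optional_ok=1; fi ;;
            *)
                echo "unknown control flag: $control" >&2; return 2 ;;
        esac
    done
    if [ "$fatal" -eq 1 ]; then echo fail; return 1; fi
    # No required failure: the stack passes if required modules were evaluated
    # (and therefore all passed), or, with no required modules and no sufficient
    # success, if an optional module passed.
    if [ "$seen_req" -eq 1 ] || [ "$optional_ok" -eq 1 ]; then echo ok; return 0; fi
    echo fail
    return 1
}

# The article's stack after pam-auth-update, assuming pam_unix follows as "required":
#   pam_stack sufficient:ok   required:fail  -> ok   (token accepted, password never consulted)
#   pam_stack sufficient:fail required:ok    -> ok   (token failed or absent, password still admits)
#   pam_stack sufficient:fail required:fail  -> fail
#   pam_stack required:fail   sufficient:ok  -> fail (a prior required failure is not rescued)
```

The second scenario is the point to notice: with librtpam as sufficient, a missing or failing token falls back to the password, so the configuration adds a convenient factor but does not make the token mandatory. Making it required changes that, at the cost of locking out anyone whose token is lost or broken, so keep an independent way into the machine before switching.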


Save the file, then run
$ sudo pam-auth-update
In the window that appears, put an asterisk next to Rutoken PAM GOST and press OK


8) Check the configuration

To make sure everything is configured correctly, but without losing the ability to log into the system in the meantime, run
$ sudo login
Enter your username. Everything is configured correctly if the system asks for the device PIN.


9) Configure the computer to lock when the token is removed

The libpam-pkcs11 package includes the pkcs11_eventmgr utility, which lets you perform various actions when PKCS#11 events occur.
pkcs11_eventmgr is configured through the configuration file /etc/pam_pkcs11/pkcs11_eventmgr.conf
For different Linux distributions, the command that locks the account when the smart card or token is removed will differ. See event card_remove.
An example configuration file is shown below:

pkcs11_eventmgr
{
    # Run in the background
    daemon = true;

    # Debug message setting
    debug = false;

    # Polling interval in seconds
    polling_time = 1;

    # Timeout for card removal
    # Default is 0
    expire_time = 0;

    # Select the PKCS#11 library for working with Rutoken (absolute path)
    pkcs11_module = /usr/lib/librtpkcs11ecp.so;

    # Card actions
    # Card inserted:
    event card_insert {
        # Leave the default values (nothing happens)
        on_error = ignore;

        action = "/bin/false";
    }

    # Card removed
    event card_remove {
        on_error = ignore;

        # Call the screen lock function

        # For GNOME
        action = "dbus-send --type=method_call --dest=org.gnome.ScreenSaver /org/gnome/ScreenSaver org.gnome.ScreenSaver.Lock";

        # For XFCE
        # action = "xflock4";

        # For Astra Linux (FLY)
        # action = "fly-wmfunc FLYWM_LOCK";
    }

    # Card has been removed for a long time
    event expire_time {
        # Leave the default values (nothing happens)
        on_error = ignore;

        action = "/bin/false";
    }
}

After that, add the pkcs11_eventmgr application to autostart. To do this, edit the .bash_profile file:
$ nano /home/<username>/.bash_profile
Add the line pkcs11_eventmgr to the end of the file and reboot.

The steps described for configuring the operating system can be used as instructions for any modern Linux distribution, including domestic (Russian) ones.


Conclusion

Linux PCs are becoming increasingly popular in Russian government agencies, and setting up reliable two-factor authentication in this OS is not always easy. We will be glad to help you solve the "password problem" with this guide and reliably protect access to your PC without spending a lot of time on it.

Source: www.habr.com
