Today I want to share a way of setting up a two-factor authentication server to protect a company network, websites, services and SSH. The server runs the following combination: LinOTP + FreeRadius.
Why do we need it?
It is a completely free, open solution, hosted inside your own network and independent of third-party providers.
The service is very convenient and visual compared to other open-source products, and it supports a huge number of functions and policies (for example, login + password + (PIN + OTP token)). Through its API it integrates with SMS sending services (LinOTP Config -> Provider Config -> SMS Provider) and generates codes for mobile applications such as Google Authenticator and many others. I think it is simpler than the service discussed in
The server works fine with Cisco ASA, OpenVPN server, Apache2, and in general with everything that supports authentication through a RADIUS server (for example, for SSH in a data center).
Requirements:
1) Debian 8 (jessie) - required! (a trial installation on Debian 9 is described at the end of the article)
Getting started:
Install Debian 8.
Add the LinOTP repository:
# echo 'deb http://www.linotp.org/apt/debian jessie linotp' > /etc/apt/sources.list.d/linotp.list
Add the key:
# gpg --search-keys 913DFF12F86258E5
Sometimes, on a "clean" installation, Debian shows the following after running this command:
gpg: создан каталог `/root/.gnupg'
gpg: создан новый файл настроек `/root/.gnupg/gpg.conf'
gpg: ВНИМАНИЕ: параметры в `/root/.gnupg/gpg.conf' еще не активны при этом запуске
gpg: создана таблица ключей `/root/.gnupg/secring.gpg'
gpg: создана таблица ключей `/root/.gnupg/pubring.gpg'
gpg: не заданы серверы ключей (используйте --keyserver)
gpg: сбой при поиске на сервере ключей: плохой URI
This is just the initial gnupg setup. That's fine. Simply run the command again.
To Debian's prompt:
gpg: поиск "913DFF12F86258E5" на hkp сервере keys.gnupg.net
(1) LSE LinOTP2 Packaging <[email protected]>
2048 bit RSA key F86258E5, создан: 2010-05-10
Keys 1-1 of 1 for "913DFF12F86258E5". Введите числа, N) Следующий или Q) Выход>
We answer: 1
Then:
# gpg --export 913DFF12F86258E5 | apt-key add -
# apt-get update
Install MySQL. In principle you can use another SQL server, but for simplicity I will use the one LinOTP recommends.
(additional information, including reconfiguring the LinOTP database, can be found in the official documentation of
# apt-get install mysql-server
# apt-get update
(it does no harm to refresh the package lists again)
Install LinOTP and the additional modules:
# apt-get install linotp
We answer the installer's questions:
Use Apache2: yes
Create a password for the LinOTP admin: "YourPassword"
Generate a self-signed certificate?: yes
Use MySQL?: yes
Where is the database: localhost
Create a database for LinOTP (the default name) on the server: LinOTP2
Create a separate database user: LinOTP2
Set the user's password: "YourPassword"
Should the database be created now? (something like "Are you sure you want to..."): yes
Enter the MySQL root password you created when installing it: "YourPassword"
Done.
(optional, you may not need to install it)
# apt-get install linotp-adminclient-cli
(optional, you may not need to install it)
# apt-get install libpam-linotp
And so our LinOTP web interface is now available at:
https://SERVER_IP/manage
I will talk about the settings in the web interface a little later.
Now the most important part! We bring up FreeRadius and connect it to LinOTP.
Install FreeRadius and the module for working with LinOTP:
# apt-get install freeradius linotp-freeradius-perl
Back up the RADIUS clients and users configs:
# mv /etc/freeradius/clients.conf /etc/freeradius/clients.old
# mv /etc/freeradius/users /etc/freeradius/users.old
Create an empty clients file:
# touch /etc/freeradius/clients.conf
Edit our new config file (the backed-up config can be used as an example):
# nano /etc/freeradius/clients.conf
client 192.168.188.0/24 {
secret = passwd # shared secret the RADIUS clients connect with
}
Next, create the users file:
# touch /etc/freeradius/users
Edit the file, telling RADIUS that we will use perl for authentication.
# nano /etc/freeradius/users
DEFAULT Auth-type := perl
Next, edit the file /etc/freeradius/modules/perl
# nano /etc/freeradius/modules/perl
We need to specify the path to the LinOTP perl script in the module parameter:
perl {
.......
module = /usr/lib/linotp/radius_linotp.pm
.......
}
Then we create the file that tells the module where to take the data from (domain, database or file).
# touch /etc/linotp2/rlm_perl.ini
# nano /etc/linotp2/rlm_perl.ini
URL=https://IP_of_your_LinOTP_server(192.168.X.X)/validate/simplecheck
REALM=webusers1c
RESCONF=LocalUser
Debug=True
SSL_CHECK=False
I will go into a little more detail here, because it matters:
Full description of the file, with comments:
# IP of the LinOTP server (the IP address of our LinOTP server)
URL=https://172.17.14.103/validate/simplecheck
# The realm we will create in the LinOTP web interface.
REALM=realm1
# Name of the user group (resolver) created in the LinOTP web interface.
RESCONF=flat_file
# optional: comment out once everything appears to work fine
Debug=True
# optional: use this if you have a self-signed certificate, otherwise comment it out (the SSL check, for when we created our own certificate and want it verified)
SSL_CHECK=False
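The rlm_perl.ini settings above drive the request that FreeRadius's perl module makes to LinOTP. As an added illustration (not part of the article and not LinOTP's own code), the following Python client performs the same /validate/simplecheck call and interprets its reply. It assumes the endpoint takes form-encoded user, pass and realm parameters and answers with one of the smileys ":-)", ":-(" or ":-/"; it also shows that SSL_CHECK=False means handing PIN+OTP to a peer whose certificate is never verified, whereas trusting the server's own self-signed certificate as a CA file keeps verification on. The host, the user and the CA path are placeholders.

```python
import ssl
import urllib.parse
import urllib.request

# LinOTP's simplecheck answers with one of three smileys (assumption, see lead-in)
ACCEPT, REJECT, CHALLENGE = ":-)", ":-(", ":-/"

def build_simplecheck_request(url, user, password, realm=None):
    """Return (url, form body) for one check. 'password' is what the RADIUS
    client sent: the PIN followed by the OTP. 'realm' mirrors REALM in rlm_perl.ini."""
    params = {"user": user, "pass": password}
    if realm:
        params["realm"] = realm
    return url, urllib.parse.urlencode(params).encode()

def interpret_simplecheck(body):
    """Map the one-line reply to a decision; anything else must never count as success."""
    verdict = body.strip()
    if verdict == ACCEPT:
        return "accept"
    if verdict == REJECT:
        return "reject"
    if verdict == CHALLENGE:
        return "challenge"  # e.g. an SMS OTP was sent; the client must ask again with it
    raise ValueError("unexpected simplecheck reply: %r" % verdict)

def tls_context(ca_file=None, verify=True):
    """verify=False is what SSL_CHECK=False does: no certificate check at all, so the
    PIN+OTP can be handed to anyone answering on the LinOTP address. With the server's
    self-signed certificate exported to ca_file, verification can stay on."""
    if not verify:
        ctx = ssl.create_default_context()
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
        return ctx
    return ssl.create_default_context(cafile=ca_file)

def simplecheck(url, user, password, realm=None, ca_file=None, verify=True, timeout=5):
    """One live check against LinOTP (network call)."""
    target, data = build_simplecheck_request(url, user, password, realm)
    req = urllib.request.Request(target, data=data, method="POST")
    with urllib.request.urlopen(req, context=tls_context(ca_file, verify), timeout=timeout) as resp:
        return interpret_simplecheck(resp.read().decode("utf-8", "replace"))

if __name__ == "__main__":
    # Placeholders: the article's LinOTP IP, a hypothetical user and a hypothetical CA file path
    print(simplecheck("https://172.17.14.103/validate/simplecheck", "alice",
                      "1234" + "000000", realm="realm1", ca_file="/etc/ssl/certs/linotp-selfsigned.pem"))
```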
Next, create the file /etc/freeradius/sites-available/linotp
# touch /etc/freeradius/sites-available/linotp
# nano /etc/freeradius/sites-available/linotp
And copy this config into it (there is no need to edit anything):
authorize {
#normalizes maleformed client request before handed on to other modules (see '/etc/freeradius/modules/preprocess')
preprocess
# If you are using multiple kinds of realms, you probably
# want to set "ignore_null = yes" for all of them.
# Otherwise, when the first style of realm doesn't match,
# the other styles won't be checked.
#allows a list of realm (see '/etc/freeradius/modules/realm')
IPASS
#understands something like USER@REALM and can tell the components apart (see '/etc/freeradius/modules/realm')
suffix
#understands USERREALM and can tell the components apart (see '/etc/freeradius/modules/realm')
ntdomain
# Read the 'users' file to learn about special configuration which should be applied for
# certain users (see '/etc/freeradius/modules/files')
files
# allows to let authentification to expire (see '/etc/freeradius/modules/expiration')
expiration
# allows to define valid service-times (see '/etc/freeradius/modules/logintime')
logintime
# We got no radius_shortname_map!
pap
}
#here the linotp perl module is called for further processing
authenticate {
perl
}
Then we create a symlink:
# ln -s ../sites-available/linotp /etc/freeradius/sites-enabled
Personally, I delete the default RADIUS sites, but if you need them you can either edit their config or disable them.
# rm /etc/freeradius/sites-enabled/default
# rm /etc/freeradius/sites-enabled/inner-tunnel
# service freeradius reload
Now let's go back to the web interface and look at it in a little more detail:
In the upper right corner, click LinOTP Config -> UserIdResolvers -> New
We choose what we need: LDAP (AD win, LDAP samba), or SQL, or local Flatfile system users.
Fill in the required fields.
Next we create REALMS:
In the upper right corner, click LinOTP Config -> Realms -> New.
and give our REALM a name, and also tick the previously created UserIdResolvers.
FreeRadius needs all of this data in the /etc/linotp2/rlm_perl.ini file, as I wrote above, so if you did not edit it then, do it now.
The server is fully configured.
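Once FreeRadius is reloaded, the whole chain (RADIUS client -> FreeRadius -> LinOTP) can be exercised from a machine inside the client 192.168.188.0/24 range. The following Python client is an added example, not code from the article, FreeRADIUS or LinOTP: it implements the RFC 2865 PAP Access-Request, hiding the PIN+OTP with the shared secret from clients.conf, and treats a reply as valid only if its Response Authenticator verifies under that same secret. The host, the user, the secret passwd and all function names are placeholders or assumptions.

```python
import hashlib, os, socket, struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11
USER_NAME, USER_PASSWORD = 1, 2  # attribute types (RFC 2865)

def _xor_chain(data, secret, authenticator, decrypt):
    """RFC 2865 5.2: block_i = data_i XOR MD5(secret + previous cipher block), starting from the Request Authenticator."""
    out, prev = b"", authenticator
    for i in range(0, len(data), 16):
        block = bytes(a ^ b for a, b in zip(data[i:i + 16], hashlib.md5(secret + prev).digest()))
        prev = data[i:i + 16] if decrypt else block
        out += block
    return out

def hide_password(password, secret, authenticator):
    """Client side: pad the clear PIN+OTP to a multiple of 16 bytes and hide it."""
    return _xor_chain(password.ljust(max(16, -(-len(password) // 16) * 16), b"\x00"), secret, authenticator, False)

def unhide_password(hidden, secret, authenticator):
    """Server side: recover the clear password and drop the zero padding."""
    return _xor_chain(hidden, secret, authenticator, True).rstrip(b"\x00")

def build_access_request(ident, secret, user, password, authenticator=None):
    """Access-Request with User-Name and the hidden User-Password attributes."""
    authenticator = authenticator or os.urandom(16)  # fresh random Request Authenticator
    name, hidden = user.encode(), hide_password(password.encode(), secret, authenticator)
    attrs = (struct.pack("!BB", USER_NAME, len(name) + 2) + name
             + struct.pack("!BB", USER_PASSWORD, len(hidden) + 2) + hidden)
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs

def build_response(code, ident, secret, request_authenticator, attrs=b""):
    """What the server sends back: Response Authenticator = MD5(header + ReqAuth + attrs + secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return header + hashlib.md5(header + request_authenticator + attrs + secret).digest() + attrs

def parse_response(packet, secret, request_authenticator):
    """A reply not made with our secret (spoofed Access-Accept, server with another secret) is 'invalid', never 'accept'."""
    length = struct.unpack("!H", packet[2:4])[0]
    expected = hashlib.md5(packet[:4] + request_authenticator + packet[20:length] + secret).digest()
    if packet[4:20] != expected:
        return "invalid"
    return {ACCESS_ACCEPT: "accept", ACCESS_REJECT: "reject", ACCESS_CHALLENGE: "challenge"}.get(packet[0], "unknown")

def radius_auth(host, secret, user, password, port=1812, timeout=5):
    """Send one Access-Request to FreeRadius (network call) and return its verdict."""
    authenticator = os.urandom(16)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_access_request(1, secret, user, password, authenticator), (host, port))
        reply, _ = sock.recvfrom(4096)
    return parse_response(reply, secret, authenticator)
```

FreeRadius silently drops packets from addresses outside the client blocks in clients.conf, so a timeout rather than a reject usually means the source IP or the secret is wrong; freeradius -X on the server shows which.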
Addendum:
Setting up LinOTP on Debian 9:
Installation:
# echo 'deb http://linotp.org/apt/debian stretch linotp' > /etc/apt/sources.list.d/linotp.list
# apt-get install dirmngr
# apt-key adv --recv-keys 913DFF12F86258E5
# apt-get update
# apt-get install mysql-server
(by default, mysql (MariaDB) on Debian 9 does not offer to set a root password; yes, you can leave it empty, but if you read the news this usually leads to an "epic fail", so we will set it anyway)
# mysql -u root -p
use mysql;
UPDATE user SET Password = PASSWORD('your_password') WHERE User = 'root';
exit
# apt-get install linotp
# apt-get install linotp-adminclient-cli
# apt-get install python-ldap
# apt install freeradius
# nano /etc/freeradius/3.0/sites-enabled/linotp
Paste in the following (sent by JuriM, thanks to him for it!):
server linotp {
    listen {
        ipaddr = *
        port = 1812
        type = auth
    }
    listen {
        ipaddr = *
        port = 1813
        type = acct
    }
    authorize {
        preprocess
        update {
            &control:Auth-Type := Perl
        }
    }
    authenticate {
        Auth-Type Perl {
            perl
        }
    }
    accounting {
        unix
    }
}
Edit /etc/freeradius/3.0/mods-enabled/perl
perl {
    filename = /usr/share/linotp/radius_linotp.pm
    func_authenticate = authenticate
    func_authorize = authorize
}
Unfortunately, on Debian 9 the radius_linotp.pm library is not installed from the repositories, so we take it from GitHub.
# apt install git
# git clone https://github.com/LinOTP/linotp-auth-freeradius-perl
# cd linotp-auth-freeradius-perl/
# cp radius_linotp.pm /usr/share/linotp/radius_linotp.pm
Now let's edit /etc/freeradius/3.0/clients.conf
client servers {
    ipaddr = 192.168.188.0/24
    secret = your_password
}
Now let's edit /etc/linotp2/rlm_perl.ini:
# nano /etc/linotp2/rlm_perl.ini
We put the same contents there as in the Debian 8 installation (described above).
That is all, in theory. (not tested yet)
Below I leave a few links for setting up the systems that most often need to be protected with two-factor authentication:
Setting up two-factor authentication in
change
Also, the CMSes of many sites support two-factor authentication (for WordPress, LinOTP even has its own dedicated module for
IMPORTANT! Do NOT tick the "Google authenticator" checkbox in order to use Google Authenticator! The QR code is not readable then... (a strange fact)
When writing this article, information from the following sources was used:
Thanks to the authors.
Source: www.habr.com