Two-factor authentication on a website using a USB token. Now also on Linux

In one of our previous articles we talked about the importance of two-factor authentication on corporate portals. Last time we showed how to set up secure authentication on an IIS server.

In the comments we were asked to write instructions for the most popular Linux web servers - nginx and Apache.

You asked - we wrote.

What do you need to get started?

  • Any modern Linux distribution. I did the testing on MX Linux 18.2_x64. This is of course not a server distribution, but it is unlikely to differ in any way from Debian. On other distributions the paths to the libraries and configuration files may differ slightly.
  • A token. We continue to use the Rutoken EDS PKI model, whose speed characteristics make it well suited to corporate use.
  • To work with the token on Linux you need to install the following packages:
    libccid libpcsclite1 pcscd pcsc-tools opensc


Issuing certificates

In the previous article we relied on the server and client certificates being issued by a Microsoft CA. But since we are setting everything up on Linux, we will also show you an alternative way to issue these certificates - without leaving Linux.
We will use XCA (https://hohnstaedt.de/xca/) as the CA; it is available in any modern Linux distribution. Everything we do in XCA can also be done from the command line with OpenSSL and the pkcs11-tool utilities, but for simplicity and clarity we will not show that in this article.

Getting started

  1. Install it:
    $ apt-get install xca
  2. And run it:
    $ xca
  3. Create our CA database - /root/CA.xdb
    We recommend storing the Certificate Authority database in a directory that only the administrator can access. This matters because it protects the private keys of the root certificates, which are used to sign all other certificates.

Creating the CA keys and root certificate

Public key infrastructure (PKI) is built as a hierarchy. At the top of this hierarchy is the root certification authority, or root CA. Its certificate must be created first.

  1. Create an RSA-2048 private key for the CA. To do this, on the Private Keys tab click New Key and select the appropriate type.
  2. Set a name for the new key pair. I called it CA Key.
  3. Issue the CA certificate itself, using the key pair we just created. To do this, go to the Certificates tab and click New Certificate.
  4. Be sure to select SHA-256, because using SHA-1 can no longer be considered secure.
  5. Be sure to select the [default] CA template. Don't forget to click Apply all, otherwise the template will not be applied.
  6. On the Subject tab select our key pair. There you can also fill in all the main fields of the certificate.


Creating the HTTPS server key and certificate

  1. In the same way, create an RSA-2048 private key for the server; I called it Server Key.
  2. When creating the certificate, specify that the server certificate must be signed by the CA certificate.
  3. Don't forget to select SHA-256.
  4. Select the [default] HTTPS_server template. Click Apply all.
  5. Then on the Subject tab select our key and fill in the required fields.


Creating the user key and certificate

  1. The user's private key will be stored on our token. To work with it you need to install the PKCS#11 library from our website. For popular distributions we provide ready-made packages, which can be found here - https://www.rutoken.ru/support/download/pkcs/. We also have builds for arm64, armv7el, armv7hf, e2k and mipso32el, which can be downloaded from our SDK - https://www.rutoken.ru/developers/sdk/. Besides the Linux builds there are also builds for macOS, FreeBSD and Android.
  2. Add a new PKCS#11 provider in XCA. To do this, go to the Options menu, PKCS#11 Provider tab.
  3. Click Add and select the path to the PKCS#11 library. In my case it is /usr/lib/librtpkcs11ecp.so.
  4. We will need a formatted Rutoken EDS PKI token. Download the rtAdmin utility - https://dev.rutoken.ru/pages/viewpage.action?pageId=7995615
  5. Run:
    $ rtAdmin -f -q -z /usr/lib/librtpkcs11ecp.so -u <user PIN>
  6. Select RSA-2048 on Rutoken EDS PKI as the key type. I called it Client Key.


  7. Enter the PIN and wait for the hardware generation of the key pair on the token to finish.


  8. Create the user certificate in the same way as the server certificate. This time select the [default] HTTPS_client template and don't forget to click Apply all.
  9. On the Subject tab enter the information about the user. Answer yes when asked whether to store the certificate on the token.

As a result, on the Certificates tab in XCA you should see something like this.

This minimal set of keys and certificates is enough to start configuring the servers themselves.

For the configuration we need to export the CA certificate, the server certificate and the server's private key.

To do this, select the desired entry on the corresponding tab in XCA and click Export.
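The command-line equivalent of the XCA steps above (CA, server and client certificates), as an added example that is not part of the original article: it produces the same CA.crt, Server.crt and ServerKey.pem files the server sections use, keeps the client key in a software file instead of on the token, and the names Example Root CA, portal.example.test and alice are assumptions. It also verifies the resulting chains the way nginx and Apache do against the trusted CA certificate.

```shell
#!/bin/sh
# Added example, not the article's own code: OpenSSL equivalent of the XCA
# steps (RSA-2048 keys, self-signed SHA-256 root CA, a server certificate in
# the spirit of the HTTPS_server template and a client certificate in the
# spirit of HTTPS_client). Names below are assumptions for the example.
set -eu

# issue_cert DIR NAME SUBJECT EXT_SECTION: key pair plus certificate signed by the CA in DIR
issue_cert() (
  cd "$1" && umask 077
  openssl genrsa -out "$2Key.pem" 2048 2>/dev/null
  openssl req -new -key "$2Key.pem" -sha256 -subj "$3" -config pki.cnf -out "$2.csr"
  openssl x509 -req -in "$2.csr" -CA CA.crt -CAkey CAKey.pem -CAcreateserial \
    -sha256 -days 825 -extfile pki.cnf -extensions "$4" -out "$2.crt" 2>/dev/null
)

# make_pki DIR: writes CA.crt/CAKey.pem, Server.crt/ServerKey.pem, Client.crt/ClientKey.pem
make_pki() (
  mkdir -p "$1" && cd "$1" && umask 077
  # Extension profiles standing in for the XCA templates [default] CA, HTTPS_server, HTTPS_client
  cat > pki.cnf <<'EOF'
[req]
distinguished_name = dn
[dn]
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[server_ext]
basicConstraints = CA:FALSE
extendedKeyUsage = serverAuth
subjectAltName = DNS:portal.example.test
[client_ext]
basicConstraints = CA:FALSE
extendedKeyUsage = clientAuth
EOF
  openssl genrsa -out CAKey.pem 2048 2>/dev/null
  openssl req -x509 -new -key CAKey.pem -sha256 -days 3650 -subj "/CN=Example Root CA" \
    -config pki.cnf -extensions ca_ext -out CA.crt
  issue_cert . Server "/CN=portal.example.test" server_ext
  issue_cert . Client "/CN=alice" client_ext
)

# verify_client CA_FILE CERT: succeeds only if CERT chains to CA_FILE and may be
# used for TLS client authentication, which is what ssl_verify_client on enforces
verify_client() {
  openssl verify -CAfile "$1" -purpose sslclient "$2" >/dev/null 2>&1
}
```

Run `make_pki /root/pki` once and copy CA.crt, Server.crt and ServerKey.pem into the paths used by the nginx or Apache configuration below; a client certificate issued by any other CA fails verify_client, just as the servers would reject it.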

Nginx

I won't write about how to install and run an nginx server - there are enough articles on the subject on the Internet, not to mention the official documentation. Let's get straight to configuring HTTPS and two-factor authentication with the token.

Add the following lines to the server section of nginx.conf:

server {
	listen 443 ssl;
	ssl_verify_depth 1;
	ssl_certificate /etc/nginx/Server.crt;
	ssl_certificate_key /etc/nginx/ServerKey.pem;
	ssl_client_certificate /etc/nginx/CA.crt;
	ssl_verify_client on;
}

A detailed description of all the parameters related to the ssl configuration in nginx can be found here - https://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_client_certificate

I will briefly describe the ones I set myself:

  • ssl_verify_client - specifies that the certificate's chain of trust must be verified.
  • ssl_verify_depth - specifies how deep in the chain to search for a trusted root certificate. Since our client certificate is signed directly by the root certificate, the depth is set to 1. If the user's certificate is signed by an intermediate CA, this parameter must be set to 2, and so on.
  • ssl_client_certificate - specifies the path to the trusted root certificate, which is used when checking whether the user's certificate is trusted.
  • ssl_certificate/ssl_certificate_key - specify the path to the server certificate/private key.

Don't forget to run nginx -t to check that there are no typos in the configuration, that all the files are in the right place, and so on.

And that's it! As you can see, the setup is very simple.

Checking that it works in Firefox

Since we are doing everything on Linux, we assume that our users also work on Linux (if they have Windows, see the browser setup instructions in the previous article).

  1. Launch Firefox.
  2. First, try to log in without the token. We get this picture:


  3. Go to about:preferences#privacy and open Security Devices.
  4. Click Load to add a new PKCS#11 device driver and specify the path to librtpkcs11ecp.so.
  5. To check that the certificate is visible, open the Certificate Manager. You will be asked to enter your PIN. After entering it correctly, look at the Your Certificates tab: our certificate from the token has appeared.
  6. Now open the link with the token inserted. Firefox prompts you to choose a certificate to present to the server. Select our certificate.


  7. PROFIT!


The setup is done once, and as you can see in the certificate request window, we can save our choice. After that, every time we log in to the portal we only need to insert the token and enter the user PIN that was set during configuration. After such authentication the server already knows which user has logged in and does not need to show any additional verification windows; it lets the user straight into their personal account.

Apache

As with nginx, nobody should have any trouble installing Apache. If you don't know how to install this server, just use the official documentation.

Now let's set up our HTTPS and two-factor authentication:

  1. First you need to enable mod_ssl:
    $ a2enmod ssl
  2. Then enable the HTTPS site configuration:
    $ a2ensite default-ssl
  3. Now edit the configuration file /etc/apache2/sites-enabled/default-ssl.conf:
        SSLEngine on
        SSLProtocol all -SSLv2

        SSLCertificateFile /etc/apache2/sites-enabled/Server.crt
        SSLCertificateKeyFile /etc/apache2/sites-enabled/ServerKey.pem

        SSLCACertificateFile /etc/apache2/sites-enabled/CA.crt

        SSLVerifyClient require
        SSLVerifyDepth 10

    As you can see, the parameter names are almost identical to the nginx parameter names, so I won't explain them. Again, anyone interested in the details is welcome to consult the documentation.
    Now restart our server:

    $ service apache2 reload
    $ service apache2 restart

As you can see, setting up two-factor authentication on any server, whether Windows or Linux, takes an hour at most. Setting up the browsers takes about 5 minutes. Many people think that setting up and working with two-factor authentication is difficult and unclear. I hope our article dispels this myth, at least in part.


Do you need instructions on setting up TLS with certificates compliant with GOST 34.10-2012?

  • Yes, TLS-GOST is really needed

  • No, setting up GOST algorithms is not interesting


Source: www.habr.com
