Simple passwords are not secure, and complex ones cannot be remembered. That is why they so often end up on a sticky note under the keyboard or on the monitor. To keep passwords in the heads of "forgetful" users without losing the reliability of the protection, there is two-factor authentication (2FA).
Thanks to the combination of possessing a device and knowing its PIN, the PIN itself can be simpler and easier to remember. Any weakness in the length or randomness of the PIN is compensated by the requirement of physical possession and by the limits on PIN brute-forcing.
In addition, government agencies often want everything to work in accordance with GOST. This article discusses such a 2FA option for logging into Linux. I'll start from afar.
PAM modules
Pluggable Authentication Modules (PAM) are modules with a standard API that implement various authentication mechanisms for applications.
Every utility and application that can work with PAM picks these modules up and can use them to authenticate the user.
In practice it works like this: the login command calls PAM, which performs all the necessary checks using the modules listed in the configuration file and returns the result to the login command.
librtpam
The module developed by the Aktiv company adds two-factor authentication of users with smart cards or Rutoken USB tokens, using asymmetric keys according to the latest standards of domestic (Russian) cryptography.
Let's look at how it works:
- The token stores the user's certificate and its private key;
- The certificate is saved in the user's home directory as a trusted one.
The authentication process goes as follows:
- The user's personal certificate is looked up on the Rutoken
- The token PIN is requested
- Random data is signed with the private key directly on the Rutoken chip
- The resulting signature is verified with the public key from the user's certificate
- The module returns the result of the signature verification to the calling application
You can authenticate with GOST R 34.10-2012 keys (256 or 512 bits long) or GOST R 34.10-2001 keys.
You do not need to worry about the security of the keys: they are generated directly on the Rutoken and never leave its memory during cryptographic operations.
Rutoken EDS 2.0 is certified by the FSB and FSTEC under NDV 4, so it can be used in information systems that process confidential information.
Practical use
Almost any modern Linux will do; as an example we will use xUbuntu 18.10.
1) Install the required packages
sudo apt-get install libccid pcscd opensc
If you also want desktop locking with a screensaver, additionally install the libpam-pkcs11 package.
2) Add the PAM module with GOST support
Download the library
Copy the file librtpam.so.1.0.0 from the PAM folder of the archive into the system directory /usr/lib/, /usr/lib/x86_64-linux-gnu/ or /usr/lib64
3) Install the librtpkcs11ecp.so package
Download and install the DEB or RPM package from the link:
4) Check that Rutoken EDS 2.0 works on the system
Run in a terminal
$ pkcs11-tool --module /usr/lib/librtpkcs11ecp.so -T
If you see the line Rutoken ECP <no label>, everything is OK.
5) Read the certificate
Check that the device holds a certificate
$ pkcs11-tool --module /usr/lib/librtpkcs11ecp.so -O
If, after the line
Using slot 0 with a present token (0x0)
information about keys and certificates is printed, you need to read the certificate and save it to disk. To do this, run the following command, replacing {id} with the certificate identifier you saw in the output of the previous command:
$ pkcs11-tool --module /usr/lib/librtpkcs11ecp.so -r -y cert --id {id} --output-file cert.crt
If the file cert.crt was created, go to step 6). If nothing was printed, the device is empty. Contact your administrator, or create the keys and a certificate yourself by following the next step.
5.1) Create a test certificate
Attention! The methods of creating keys and certificates described here are suitable for testing and are not intended for production use. For production you need keys and certificates issued by your organization's trusted certification authority or by an accredited certification authority.
The PAM module is intended for protecting local computers and is designed for small organizations. Since there are few users, the administrator can track certificate revocation and block accounts manually, and likewise track the validity period of certificates. The PAM module does not yet know how to check certificates against CRLs or how to build chains of trust.
The easy way (via a browser)
To obtain a test certificate, use
The geek way (via the console and possibly a compiler)
Check the OpenSC version
$ opensc-tool --version
If the version is lower than 0.20, update it or build it
Create a key pair with the following parameters:
--key-type: GOSTR3410-2012-512:A (GOST-2012, 512 bits, parameter set A), GOSTR3410-2012-256:A (GOST-2012, 256 bits, parameter set A)
--id:
The object identifier (CKA_ID) as two-digit hex codes of characters from the ASCII table. Use only printable ASCII characters, because the id will later have to be passed to OpenSSL as a string. For example, the ASCII codes "3132" correspond to the string "12". For convenience you can use
$ ./pkcs11-tool --module /usr/lib/librtpkcs11ecp.so --keypairgen --key-type GOSTR3410-2012-512:A -l --id 3132
Next we create a certificate. Two ways are described below: the first through a CA (we will use test CAs), the second self-signed. For this you first need to install and configure OpenSSL 1.1 or later to work with Rutoken through the special rtengine module, following the manual
For example: for "--id 3132" you need to specify "pkcs11:id=12" in OpenSSL.
You can use test CA services, of which there are many, for example,
$ openssl req -utf8 -new -keyform engine -key "pkcs11:id=12" -engine rtengine -out req.csr
Another option is not to bother and to create a self-signed certificate:
$ openssl req -utf8 -x509 -keyform engine -key "pkcs11:id=12" -engine rtengine -out cert.cer
Loading the certificate onto the device
6) Register the certificate in the system
Check that your certificate looks like a base64 file:
If your certificate looks like this instead:
then you need to convert the certificate from DER format to PEM (base64) format
$ openssl x509 -in cert.crt -out cert.pem -inform DER -outform PEM
Check once more that everything is fine now.
Add the certificate to the list of trusted certificates
$ mkdir ~/.eid
$ chmod 0755 ~/.eid
$ cat cert.pem >> ~/.eid/authorized_certificates
$ chmod 0644 ~/.eid/authorized_certificates
The last line protects the list of trusted certificates from accidental or deliberate modification by other users. This prevents someone from adding their own certificate here and gaining the ability to log in under your name.
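The following is an added example, not code from the article or from the librtpam project: it performs step 6 in Python, converting a DER certificate to PEM (base64 wrapping, the same thing the openssl x509 command above does), appending it to ~/.eid/authorized_certificates with the 0755/0644 permissions the guide requires, and checking that no other user can write to the file. The home directory argument and the check function are this example's own additions.

```python
import base64
import os
import stat

PEM_HEADER = b"-----BEGIN CERTIFICATE-----"
PEM_FOOTER = b"-----END CERTIFICATE-----"


def to_pem(cert: bytes) -> bytes:
    """Return the certificate in PEM form. PEM input is passed through;
    DER input (begins with the ASN.1 SEQUENCE tag 0x30) is base64-wrapped
    at 64 columns, exactly what openssl x509 -inform DER -outform PEM does."""
    if cert.lstrip().startswith(PEM_HEADER):
        return cert if cert.endswith(b"\n") else cert + b"\n"
    if not cert.startswith(b"\x30"):
        raise ValueError("not a DER or PEM X.509 certificate")
    b64 = base64.b64encode(cert)
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return b"\n".join([PEM_HEADER, *lines, PEM_FOOTER]) + b"\n"


def install_authorized_cert(cert: bytes, home: str) -> str:
    """Append the certificate to <home>/.eid/authorized_certificates using
    the permissions from the guide: directory 0755, file 0644, so that other
    users cannot add their own certificate and log in under this account."""
    eid_dir = os.path.join(home, ".eid")
    os.makedirs(eid_dir, mode=0o755, exist_ok=True)
    os.chmod(eid_dir, 0o755)
    path = os.path.join(eid_dir, "authorized_certificates")
    # O_APPEND mirrors "cat cert.pem >> authorized_certificates"
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_APPEND, 0o644)
    with os.fdopen(fd, "ab") as f:
        f.write(to_pem(cert))
    os.chmod(path, 0o644)
    return path


def writable_by_others(path: str) -> bool:
    """True if group or world could modify the trusted-certificate list,
    which would let another user append a certificate of their own."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return bool(mode & (stat.S_IWGRP | stat.S_IWOTH))
```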
7) Configure authentication
Configuring our PAM module is completely standard and is done the same way as for other modules. Create the file /usr/share/pam-configs/rutoken-gost-pam containing the full name of the module, whether it is enabled by default, the module priority, and the authentication parameters.
The authentication parameters contain the conditions for a successful operation:
- required: such modules must return a positive response. If the module call returns a negative response, this leads to an authentication error. The request is rejected, but the remaining modules are still called.
- requisite: similar to required, but authentication fails immediately and the remaining modules are ignored.
- sufficient: if none of the required or sufficient modules before such a module returned a negative result, the module returns a positive response. The remaining modules are ignored.
- optional: if there are no required modules on the stack and none of the sufficient modules returned a positive result, then at least one of the optional modules must return a positive result.
The full contents of the file /usr/share/pam-configs/rutoken-gost-pam:
Name: Rutoken PAM GOST
Default: yes
Priority: 800
Auth-Type: Primary
Auth: sufficient /usr/lib/librtpam.so.1.0.0 /usr/lib/librtpkcs11ecp.so
Save the file, then run
$ sudo pam-auth-update
In the window that appears, tick the Rutoken PAM GOST checkbox and press OK.
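To show why the configuration above uses sufficient, here is an added example (not code from the article or from Linux-PAM) that simulates the four classic control flags described in step 7 and runs the guide's stack through them: librtpam as sufficient, followed by a password module treated as required (an assumption; real distributions express pam_unix with the longer [value=action] syntax, which this simplified model does not cover).

```python
from typing import List, Tuple

# One stack entry: (control flag, module name, result the module would return)
Entry = Tuple[str, str, bool]


def evaluate_pam_stack(stack: List[Entry]) -> Tuple[bool, List[str]]:
    """Simplified model of the required/requisite/sufficient/optional rules.
    Returns (authenticated, names of the modules that were actually called)."""
    called: List[str] = []
    required_failed = False   # a required failure is remembered, not acted on at once
    has_required = False
    optional_success = False
    for control, name, ok in stack:
        called.append(name)
        if control == "required":
            has_required = True
            if not ok:
                required_failed = True      # keep calling the remaining modules
        elif control == "requisite":
            has_required = True
            if not ok:
                return False, called        # fail immediately, skip the rest
        elif control == "sufficient":
            if ok and not required_failed:
                return True, called         # success; remaining modules ignored
        elif control == "optional":
            optional_success = optional_success or ok
        else:
            raise ValueError(f"unknown control flag {control!r}")
    if required_failed:
        return False, called
    if has_required:
        return True, called
    # No required module and no successful sufficient one: an optional must succeed.
    return optional_success, called


def rutoken_scenarios():
    """The guide's stack: librtpam (sufficient) ahead of a password module."""
    def stack(token_ok: bool, password_ok: bool) -> List[Entry]:
        return [("sufficient", "librtpam", token_ok),
                ("required", "pam_unix", password_ok)]   # assumed password module
    return {
        "token_ok": evaluate_pam_stack(stack(True, False)),        # PIN accepted, no password asked
        "token_fail_pw_ok": evaluate_pam_stack(stack(False, True)),  # fallback to password
        "both_fail": evaluate_pam_stack(stack(False, False)),
    }
```

The "token_fail_pw_ok" case is what step 8 relies on: a missing or rejected token does not lock you out while you are still checking the setup.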
8) Check the settings
To verify that everything is configured, while not losing the ability to log in to the system, enter the command
$ sudo login
Enter the user name. Everything is configured correctly if the system asks for the device PIN.
9) Configure the computer to lock when the token is removed
The libpam-pkcs11 package includes the pkcs11_eventmgr utility, which lets you perform various actions when PKCS#11 events occur.
pkcs11_eventmgr is configured through the file /etc/pam_pkcs11/pkcs11_eventmgr.conf
In different Linux distributions the command that locks the session when the smart card or token is removed will differ. See event card_remove.
An example configuration file is shown below:
pkcs11_eventmgr
{
    # Run in the background
    daemon = true;
    # Debug message settings
    debug = false;
    # Polling interval in seconds
    polling_time = 1;
    # Timeout for card removal
    # Default 0
    expire_time = 0;
    # Select the pkcs11 library for working with Rutoken (absolute path)
    pkcs11_module = /usr/lib/librtpkcs11ecp.so;
    # Card actions
    # Card inserted:
    event card_insert {
        # Leave the default values (nothing happens)
        on_error = ignore;
        action = "/bin/false";
    }
    # Card removed
    event card_remove {
        on_error = ignore;
        # Call the screen lock function
        # For GNOME
        action = "dbus-send --type=method_call --dest=org.gnome.ScreenSaver /org/gnome/ScreenSaver org.gnome.ScreenSaver.Lock";
        # For XFCE
        # action = "xflock4";
        # For Astra Linux (FLY)
        # action = "fly-wmfunc FLYWM_LOCK";
    }
    # Card removed for a long time
    event expire_time {
        # Leave the default values (nothing happens)
        on_error = ignore;
        action = "/bin/false";
    }
}
After that, add the pkcs11_eventmgr application to autostart. To do this, edit the .bash_profile file:
$ nano /home/<username>/.bash_profile
Add the line pkcs11_eventmgr at the end of the file and reboot.
The described steps for setting up the operating system can be used as a guide for any modern Linux distribution, including domestic (Russian) ones.
Conclusion
Linux PCs are becoming increasingly popular in Russian government agencies, and setting up reliable two-factor authentication in this OS is not always easy. We will be glad to help you solve the "password problem" with this guide and to reliably protect access to your PC without spending a lot of time on it.
Source: www.habr.com