LinOTP two-factor authentication server

Today I want to share how to build a two-factor authentication server to protect your corporate network, websites, services and SSH. The server will run the following combination: LinOTP + FreeRADIUS.

Why do we need it?
This is a completely free, fully featured solution that lives inside your own network and does not depend on third-party providers.

The service is very convenient and very visual, unlike other open products, and it also supports a large number of functions and policies (for example login+password+(PIN+OTPToken)). Through its API it integrates with SMS sending services (LinOTP Config -> Provider Config -> SMS Provider), generates codes for mobile apps such as Google Authenticator, and much more. In my opinion it is far more convenient than the service discussed in the article.

The service works well with Cisco ASA, OpenVPN server, Apache2, and in general with anything that supports authentication via a RADIUS server (for example, SSH in a data center).

Required:

1) Debian 8 (jessie) - mandatory! (a trial installation on Debian 9 is described at the end of the article)

Let's begin:

Install Debian 8.

Add the LinOTP repository:

# echo 'deb http://www.linotp.org/apt/debian jessie linotp' > /etc/apt/sources.list.d/linotp.list

Add the keys:

# gpg --search-keys 913DFF12F86258E5

Sometimes during a "clean" install, after running this command Debian prints:

gpg: создан каталог `/root/.gnupg'
gpg: создан новый файл настроек `/root/.gnupg/gpg.conf'
gpg: ВНИМАНИЕ: параметры в `/root/.gnupg/gpg.conf' еще не активны при этом запуске
gpg: создана таблица ключей `/root/.gnupg/secring.gpg'
gpg: создана таблица ключей `/root/.gnupg/pubring.gpg'
gpg: не заданы серверы ключей (используйте --keyserver)
gpg: сбой при поиске на сервере ключей: плохой URI

This is the initial gnupg setup and is normal. Just run the command again.
Debian then asks:

gpg: поиск "913DFF12F86258E5" на hkp сервере keys.gnupg.net
(1)	LSE LinOTP2 Packaging <[email protected]>
	  2048 bit RSA key F86258E5, создан: 2010-05-10
Keys 1-1 of 1 for "913DFF12F86258E5".  Введите числа, N) Следующий или Q) Выход>

I answered: 1

Next:

# gpg --export 913DFF12F86258E5 | apt-key add -

# apt-get update

Install MySQL. In theory you could use a different SQL server, but for simplicity I'll use the one LinOTP recommends.

(More information, including reconfiguring the LinOTP database, can be found in the official documentation at the link. There you will also find the command dpkg-reconfigure linotp to change the parameters if you already have MySQL installed.)

# apt-get install mysql-server

# apt-get update

(it never hurts to check for updates again)
Install LinOTP and the additional modules:

# apt-get install linotp

Answer the installer's questions:
Use Apache2: yes
Create a password for the LinOTP administrator: "YourPassword"
Generate a self-signed certificate?: yes
Use MySQL?: yes
Where is the database located: localhost
Create the LinOTP database (database name) on the server: LinOTP2
Create a separate user for the database: LinOTP2
Set a password for that user: "YourPassword"
Create the database now? (something like "Are you sure you want to..."): yes
Enter the MySQL password you created during installation: "YourPassword"
Done.

(optional, not required)

# apt-get install linotp-adminclient-cli

(optional, not required)

# apt-get install libpam-linotp

Our LinOTP web interface is now available at:

https://<server-IP>/manage

I'll talk about the web interface settings a bit later.

Now the most important part! We bring up FreeRADIUS and connect it to LinOTP.

Install FreeRADIUS and the module for working with LinOTP:

# apt-get install freeradius linotp-freeradius-perl

Back up the RADIUS client and users configs:

# mv /etc/freeradius/clients.conf  /etc/freeradius/clients.old

# mv /etc/freeradius/users  /etc/freeradius/users.old

Create an empty clients file:

# touch /etc/freeradius/clients.conf

Edit our new configuration file (the backed-up config can be used as an example):

# nano /etc/freeradius/clients.conf

client 192.168.188.0/24 {
    secret = passwd  # shared secret the RADIUS clients use to connect
}

Next, create the users file:

# touch /etc/freeradius/users

Edit the file, telling RADIUS that we will use perl for authentication:

# nano /etc/freeradius/users

DEFAULT Auth-type := perl

Next, edit the file /etc/freeradius/modules/perl

# nano /etc/freeradius/modules/perl

We need to set the path to the LinOTP perl script in the module parameter:

perl {
    .......
    .........
    module = /usr/lib/linotp/radius_linotp.pm
    ... ..
}
Next, we create the file in which we tell it where (domain, database or file) to take the user data from.

# touch /etc/linotp2/rlm_perl.ini

# nano /etc/linotp2/rlm_perl.ini

URL=https://IP_вашего_LinOTP_сервера(192.168.X.X)/validate/simplecheck
REALM=webusers1c
RESCONF=LocalUser
Debug=True
SSL_CHECK=False

I'll go into a bit more detail here, because it matters:

Full description of the file, with comments:
# IP of the LinOTP server (the IP address of our LinOTP server)
URL=https://172.17.14.103/validate/simplecheck
# Our realm, which we will create in the LinOTP web interface.
REALM=gacan1
# The name of the user group (resolver) created in the LinOTP web interface.
RESCONF=flat_file
# optional: comment out once everything seems to work fine
Debug=True
# optional: use this if you have self-signed certificates, otherwise comment it out (SSL_CHECK is for when we make our own certificate and want it verified)
SSL_CHECK=False
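As an added example (not from the article or the LinOTP project), a small Python audit of the rlm_perl.ini settings described above: it parses the flat KEY=VALUE layout and flags the two settings the article leaves enabled for self-signed certificates and troubleshooting, which should not stay that way once the server is in production. The sample file content is constructed and the hostname is assumed.

```python
from typing import Dict, List

# Constructed sample: the rlm_perl.ini layout from the article, with the
# "self-signed certificate" and "Debug" settings still enabled.
SAMPLE_INI = """\
# IP of the LinOTP server
URL=https://172.17.14.103/validate/simplecheck
REALM=gacan1
RESCONF=flat_file
Debug=True
SSL_CHECK=False
"""


def parse_rlm_perl_ini(text: str) -> Dict[str, str]:
    """Parse the flat KEY=VALUE file read by radius_linotp.pm (no sections)."""
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if not sep:
            continue  # skip malformed lines instead of guessing
        settings[key.strip()] = value.strip()
    return settings


def audit_rlm_perl_ini(settings: Dict[str, str]) -> List[str]:
    """Return findings a reviewer would raise before the RADIUS box goes live."""
    findings: List[str] = []
    if not settings.get("URL", "").startswith("https://"):
        findings.append("URL is not https: PIN/OTP would cross the network in clear text")
    if settings.get("SSL_CHECK", "").lower() != "true":
        # Without certificate verification, anything answering on that URL
        # could impersonate LinOTP and accept every login attempt.
        findings.append("SSL_CHECK is not True: the LinOTP certificate is not verified")
    if settings.get("Debug", "").lower() == "true":
        findings.append("Debug is True: verbose request logging is for troubleshooting only")
    for key in ("REALM", "RESCONF"):
        if not settings.get(key):
            findings.append(f"{key} is missing: it must match the realm/resolver "
                            "created in the LinOTP web interface")
    return findings
```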

Next, create the file /etc/freeradius/sites-available/linotp

# touch /etc/freeradius/sites-available/linotp

# nano /etc/freeradius/sites-available/linotp

And paste the template (nothing needs to be changed):

authorize {
    # normalizes malformed client requests before handing them on to other modules (see '/etc/freeradius/modules/preprocess')
    preprocess
    #  If you are using multiple kinds of realms, you probably
    #  want to set "ignore_null = yes" for all of them.
    #  Otherwise, when the first style of realm doesn't match,
    #  the other styles won't be checked.
    # allows a list of realms (see '/etc/freeradius/modules/realm')
    IPASS
    # understands something like USER@REALM and can tell the components apart (see '/etc/freeradius/modules/realm')
    suffix
    # understands USER\REALM and can tell the components apart (see '/etc/freeradius/modules/realm')
    ntdomain
    #  Read the 'users' file to learn about special configuration which should be applied for
    #  certain users (see '/etc/freeradius/modules/files')
    files
    # allows authentication to expire (see '/etc/freeradius/modules/expiration')
    expiration
    # allows defining valid service times (see '/etc/freeradius/modules/logintime')
    logintime
    # We got no radius_shortname_map!
    pap
}
# here the linotp perl module is called for further processing
authenticate {
    perl
}

Next, we create the symlink:

# ln -s ../sites-available/linotp /etc/freeradius/sites-enabled

Personally, I delete the default RADIUS sites, but if you need them you can edit their configuration or disable them.

# rm /etc/freeradius/sites-enabled/default

# rm /etc/freeradius/sites-enabled/inner-tunnel

# service freeradius reload

Now let's return to the web interface and look at it in a bit more detail:
In the top right corner click LinOTP Config -> UserIdResolvers -> New
Choose what we want: LDAP (AD works, LDAP samba), or SQL, or the system's local users via Flatfile.

Fill in the required fields.

Next, we create the REALMS:
In the top right corner click LinOTP Config -> Realms -> New,
give our REALM a name, and also tick the previously created UserIdResolver.

FreeRADIUS needs all of this data in the file /etc/linotp2/rlm_perl.ini, as I wrote above, so if you haven't changed it yet, do it now.

The server is fully configured.

Addendum:

Setting up LinOTP on Debian 9:

Installation:

# echo 'deb http://linotp.org/apt/debian stretch linotp' > /etc/apt/sources.list.d/linotp.list 
# apt-get install dirmngr

# apt-key adv --recv-keys 913DFF12F86258E5
# apt-get update

# apt-get install mysql-server

(by default, on Debian 9 MySQL (MariaDB) does not offer to set a password; of course you can leave it empty, but if you read the news this often ends in an "epic fail", so we'll set one anyway)

# mysql -u root -p
use mysql;
UPDATE user SET Password = PASSWORD('тут_пароль') WHERE User = 'root';
exit
# apt-get install linotp
# apt-get install linotp-adminclient-cli
# apt-get install python-ldap
# apt install freeradius
# nano /etc/freeradius/3.0/sites-enabled/linotp

Paste the following (sent in by JuriM, thanks to him for that!):

server linotp {
    listen {
        ipaddr = *
        port = 1812
        type = auth
    }
    listen {
        ipaddr = *
        port = 1813
        type = acct
    }
    authorize {
        preprocess
        update {
            &control:Auth-Type := Perl
        }
    }
    authenticate {
        Auth-Type Perl {
            perl
        }
    }
    accounting {
        unix
    }
}

Edit /etc/freeradius/3.0/mods-enabled/perl

perl {
    filename = /usr/share/linotp/radius_linotp.pm
    func_authenticate = run
    func_authorize = authorize
}

Unfortunately, on Debian 9 the radius_linotp.pm library is not installed from the repositories, so we take it from GitHub.

# apt install git
# git clone https://github.com/LinOTP/linotp-auth-freeradius-perl
# cd linotp-auth-freeradius-perl/
# cp radius_linotp.pm /usr/share/linotp/radius_linotp.pm

Now edit /etc/freeradius/3.0/clients.conf

client servers {
    ipaddr = 192.168.188.0/24
    secret = your_password
}

Now edit /etc/linotp2/rlm_perl.ini

Paste the same content as for the Debian 8 installation (described above).

That's all, in theory. (not yet tested)

Below I leave a few links on configuring the systems that most often need to be protected with two-factor authentication:
Setting up two-factor authentication in Apache2

Setting up Cisco ASA (a different generation of server is used there, but the settings on the ASA itself are the same).

VPN with two-factor authentication

Setting up two-factor authentication for SSH (LinOTP is also used there) - thanks to the author. There you will also find interesting material on configuring LinOTP policies.

Also, the CMSs of many sites support two-factor authentication (for WordPress, LinOTP even has its own module on GitHub), for example if you want to make a protected section of your corporate site for company employees.
IMPORTANT FACT! Do not tick the "Google authenticator" checkbox in order to use Google Authenticator! The QR code cannot be read then... (a strange fact)

Information from the following articles was used in writing this article:
itnan.ru/post.php?c=1&p=270571
www.digitalbears.net/?p=469

Thanks to the authors.

Source: www.habr.com