LinOTP two-factor authentication server

Today I want to share how to set up a two-factor authentication server to protect a corporate network, websites, services and ssh. The server will run the following combination: LinOTP + FreeRadius.

Why do we need it?
It is a completely free, convenient solution that lives inside your own network and does not depend on third-party providers.

The service is very convenient and very visual, unlike other open source products, and it supports a large number of functions and policies (for example login+password+(PIN+OTPToken)). Through its API it integrates with SMS sending services (LinOTP Config -> Provider Config -> SMS Provider), it generates codes for mobile applications such as Google Authenticator, and much more. I think it is more convenient than the service discussed in that article.

This server works perfectly with Cisco ASA, an OpenVPN server, Apache2, and in general with almost anything that supports authentication through a RADIUS server (for example, for SSH in a data centre).

Required:

1) Debian 8 (jessie) - that's all! (a trial installation on Debian 9 is described at the end of the article)

Let's begin:

Install Debian 8.

Add the LinOTP repository:

# echo 'deb http://www.linotp.org/apt/debian jessie linotp' > /etc/apt/sources.list.d/linotp.list

Add the keys:

# gpg --search-keys 913DFF12F86258E5

Sometimes, during a "clean" install, Debian shows the following after this command:

gpg: создан каталог `/root/.gnupg'
gpg: создан новый файл настроек `/root/.gnupg/gpg.conf'
gpg: ВНИМАНИЕ: параметры в `/root/.gnupg/gpg.conf' еще не активны при этом запуске
gpg: создана таблица ключей `/root/.gnupg/secring.gpg'
gpg: создана таблица ключей `/root/.gnupg/pubring.gpg'
gpg: не заданы серверы ключей (используйте --keyserver)
gpg: сбой при поиске на сервере ключей: плохой URI

This is just gnupg initialising itself. It's fine. Run the command again.
Debian then asks:

gpg: поиск "913DFF12F86258E5" на hkp сервере keys.gnupg.net
(1)	LSE LinOTP2 Packaging <[email protected]>
	  2048 bit RSA key F86258E5, создан: 2010-05-10
Keys 1-1 of 1 for "913DFF12F86258E5".  Введите числа, N) Следующий или Q) Выход>

We answer: 1

Next:

# gpg --export 913DFF12F86258E5 | apt-key add -

# apt-get update

Install mysql. In principle you could use a different SQL server, but for simplicity I will use the one recommended for LinOTP.

(Further details, including how to reconfigure the LinOTP database, can be found in the official documentation at the link. There you will also find the command dpkg-reconfigure linotp for changing the parameters if mysql was already installed.)

# apt-get install mysql-server

# apt-get update

(it does no harm to check for updates again)
Install LinOTP and the additional modules:

# apt-get install linotp

Answer the installer's questions:
Use Apache2: yes
Set a password for the LinOTP admin: "YourPassword"
Generate a self-signed certificate?: yes
Use MySQL?: yes
Where is the database located: localhost
Create the LinOTP database (database name) on the server: LinOTP2
Create a separate user for the database: LinOTP2
Set a password for the user: "YourPassword"
Should the database be created now? (something like "Are you sure you want to..."): yes
Enter the MySQL root password you set during its installation: "YourPassword"
Done.

(optional, you don't have to install it)

# apt-get install linotp-adminclient-cli 

(optional, you don't have to install it)

# apt-get install libpam-linotp  

Our LinOTP web interface is now available at:

https://<server IP>/manage

I will come back to the web interface settings a little later.

Now, the most important part! We bring up FreeRadius and connect it to LinOTP.

Install FreeRadius and the module for working with LinOTP

# apt-get install freeradius linotp-freeradius-perl

Back up the radius clients and users configs.

# mv /etc/freeradius/clients.conf  /etc/freeradius/clients.old

# mv /etc/freeradius/users  /etc/freeradius/users.old

Create an empty clients file:

# touch /etc/freeradius/clients.conf

Edit our new config file (the backed-up one can be used as a reference)

# nano /etc/freeradius/clients.conf

client 192.168.188.0/24 {
    secret  = passwd # password the clients use to connect
}

Next, create the users file:

# touch /etc/freeradius/users

Edit the file, telling radius that we will use perl for authentication.

# nano /etc/freeradius/users

DEFAULT Auth-type := perl

Next, edit the file /etc/freeradius/modules/perl

# nano /etc/freeradius/modules/perl

We need to specify the path to the linotp perl script in the module parameter:

perl {
    ...
    module = /usr/lib/linotp/radius_linotp.pm
    ...
}
After that, create the file in which we specify where (domain, database or file) the user data is taken from.

# touch /etc/linotp2/rlm_perl.ini

# nano /etc/linotp2/rlm_perl.ini

URL=https://IP_вашего_LinOTP_сервера(192.168.X.X)/validate/simplecheck
REALM=webusers1c
RESCONF=LocalUser
Debug=True
SSL_CHECK=False

I will go into a little more detail here, because it matters:

Full description of the file, with comments:
# IP of the linOTP server (the IP address of our LinOTP server)
URL=https://172.17.14.103/validate/simplecheck
# our realm, which we will create in the LinOTP web interface
REALM=realm1
# name of the user group (UserIdResolver) created in the LinOTP web interface
RESCONF=flat_file
# optional: comment out if everything seems to work fine
Debug=True
# optional: use this if you have self-signed certificates, otherwise comment out (SSL_CHECK=False when we generate our own certificate and do not want it verified)
SSL_CHECK=False

Next, create the file /etc/freeradius/sites-available/linotp

# touch /etc/freeradius/sites-available/linotp

# nano /etc/freeradius/sites-available/linotp

and copy the config into it (nothing needs to be edited):

authorize {
    # normalizes a malformed client request before it is handed on to other modules (see '/etc/freeradius/modules/preprocess')
    preprocess
    #  If you are using multiple kinds of realms, you probably
    #  want to set "ignore_null = yes" for all of them.
    #  Otherwise, when the first style of realm doesn't match,
    #  the other styles won't be checked.
    # allows a list of realms (see '/etc/freeradius/modules/realm')
    IPASS
    # understands something like USER@REALM and can tell the components apart (see '/etc/freeradius/modules/realm')
    suffix
    # understands USER\REALM and can tell the components apart (see '/etc/freeradius/modules/realm')
    ntdomain
    #  Read the 'users' file to learn about special configuration which should be applied for
    #  certain users (see '/etc/freeradius/modules/files')
    files
    # allows authentication to expire (see '/etc/freeradius/modules/expiration')
    expiration
    # allows defining valid service times (see '/etc/freeradius/modules/logintime')
    logintime
    # We got no radius_shortname_map!
    pap
}
# here the linotp perl module is called for further processing
authenticate {
    perl
}

Next we create a symlink:

# ln -s ../sites-available/linotp /etc/freeradius/sites-enabled

Personally, I delete the default Radius sites, but if you need them you can edit or disable them.

# rm /etc/freeradius/sites-enabled/default

# rm /etc/freeradius/sites-enabled/inner-tunnel

# service freeradius reload
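To see what FreeRadius actually receives from a client before it hands the credentials to radius_linotp.pm, here is an added example (mine, not part of the original article or of LinOTP) that builds and parses a RADIUS Access-Request with the PAP User-Password hiding from RFC 2865. It assumes the shared secret `passwd` from clients.conf above and a constructed user `alice` whose LinOTP password is PIN+OTP.

```python
import hashlib
import os
import struct

# Constructed values for this example: the client secret from clients.conf
# and a user whose LinOTP password is the PIN followed by the OTP digits.
SHARED_SECRET = b"passwd"
USERNAME = b"alice"
PASSWORD = b"1234" + b"567890"  # PIN "1234" + OTP "567890" (assumed values)


def pap_hide(password, secret, authenticator):
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each block with
    MD5(secret + previous ciphertext block), seeded by the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out, prev = out + block, block
    return out


def pap_reveal(hidden, secret, authenticator):
    """Inverse of pap_hide: what the RADIUS server does before calling rlm_perl."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def access_request(username, password, secret, ident=1):
    """Build an Access-Request (code 1) carrying User-Name (1) and User-Password (2)."""
    authenticator = os.urandom(16)
    attrs = struct.pack("BB", 1, 2 + len(username)) + username
    hidden = pap_hide(password, secret, authenticator)
    attrs += struct.pack("BB", 2, 2 + len(hidden)) + hidden
    return struct.pack("!BBH", 1, ident, 20 + len(attrs)) + authenticator + attrs


def parse_access_request(packet, secret):
    """Server side: walk the TLV attributes and recover the cleartext password."""
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != 1 or length != len(packet):
        raise ValueError("not a well-formed Access-Request")
    authenticator, pos, attrs = packet[4:20], 20, {}
    while pos < length:
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2:
            raise ValueError("bad attribute length")
        attrs[atype] = packet[pos + 2:pos + alen]
        pos += alen
    return attrs[1], pap_reveal(attrs[2], secret, authenticator)
```

The recovered cleartext is what the perl module forwards to /validate/simplecheck; because the hiding is only an MD5 keystream derived from the shared secret, use a long random secret in clients.conf rather than `passwd`.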

Now let's go back to the web interface and look at it in more detail:
In the top right corner, click LinOTP Config -> UserIdResolvers -> New
Choose what we want: LDAP (AD win, LDAP samba), or SQL, or the local Flatfile system users.

Fill in the required fields.

Next we create REALMS:
In the top right corner, click LinOTP Config -> Realms -> New.
Give our REALMS a name, and tick the previously created UserIdResolvers.

FreeRadius needs all this data in the file /etc/linotp2/rlm_perl.ini, as I wrote above, so if you didn't edit it then, do it now.

The server is fully configured.

Addition:

Setting up LinOTP on Debian 9:

Installation:

# echo 'deb http://linotp.org/apt/debian stretch linotp' > /etc/apt/sources.list.d/linotp.list 
# apt-get install dirmngr

# apt-key adv --recv-keys 913DFF12F86258E5
# apt-get update

# apt-get install mysql-server

(by the way, on Debian 9 mysql (mariaDB) does not offer to set a root password; of course you can leave it empty, but judging by the news this often ends in an "epic fail", so we will set one anyway)

# mysql -u root -p
use mysql;
UPDATE user SET Password = PASSWORD('тут_пароль') WHERE User = 'root';
exit
# apt-get install linotp
# apt-get install linotp-adminclient-cli
# apt-get install python-ldap
# apt install freeradius
# nano /etc/freeradius/3.0/sites-enabled/linotp

Paste in the config (sent by JuriM, thanks for that!):

server linotp {
    listen {
        ipaddr = *
        port = 1812
        type = auth
    }
    listen {
        ipaddr = *
        port = 1813
        type = acct
    }
    authorize {
        preprocess
        update {
            &control:Auth-Type := Perl
        }
    }
    authenticate {
        Auth-Type Perl {
            perl
        }
    }
    accounting {
        detail
    }
}

Edit /etc/freeradius/3.0/mods-enabled/perl

perl {
    filename = /usr/share/linotp/radius_linotp.pm
    func_authenticate = authenticate
    func_authorize = authorize
}

Unfortunately, on Debian 9 the radius_linotp.pm library is not installed from the repositories, so we take it from github.

# apt install git
# git clone https://github.com/LinOTP/linotp-auth-freeradius-perl
# cd linotp-auth-freeradius-perl/
# cp radius_linotp.pm /usr/share/linotp/radius_linotp.pm

Now let's edit /etc/freeradius/3.0/clients.conf

client servers {
    ipaddr = 192.168.188.0/24
    secret = your_password
}

Now let's edit /etc/linotp2/rlm_perl.ini (nano /etc/linotp2/rlm_perl.ini)

Paste in the same contents as for the Debian 8 installation (described above).

That's all, in theory. (not yet tested)

Below I leave a few links on setting up systems that often need to be protected with two-factor authentication:
Setting up two-factor authentication on Apache2

Setting up Cisco ASA (a different token generation server is used there, but the ASA settings themselves are the same).

VPN with two-factor authentication

Switching ssh to two-factor authentication (LinOTP is used there too) - by the same author. There you will also find interesting things about setting up LinOTP policies.

Also, the CMSs of many sites support two-factor authentication (for WordPress, LinOTP even has its own dedicated module on github), for example if you want to make a protected section on your corporate website for company employees.
IMPORTANT! DO NOT tick the "Google authenticator" box in order to use Google Authenticator! The QR code will not be read then... (a strange fact)

Material from the following articles was used in writing this one:
itnan.ru/post.php?c=1&p=270571
www.digitalbears.net/?p=469

Thanks to the authors.

Source: www.habr.com
