What do you do when two-factor authentication is both desirable and demanded, but there is no money for hardware tokens and the general advice is to keep your chin up?
This solution is nothing super original, but rather a mix of different solutions found on the Internet.
So, given:
An Active Directory domain.
Domain users who work over VPN, as many do these days.
A FortiGate acting as the VPN gateway.
Saving the password in the VPN client is prohibited by the security policy.
Fortinet's policy on its own tokens can only be called stingy: there are as many as 10 free tokens, and the rest come at a very unkind price. I did not consider RSA SecurID, Duo and the like, because I wanted open source.
Prerequisites: a *nix host with FreeRADIUS installed and SSSD joined to the domain, so that domain users can authenticate on it without difficulty.
Additional packages: shellinabox, figlet, freeradius-ldap, and the rebel.tlf figlet font from the repository.
In my example: CentOS 7.8.
The working logic should be as follows: when connecting to the VPN, the user must enter their domain login and an OTP instead of the password.
Service setup
In /etc/raddb/radiusd.conf only the user and group under which FreeRADIUS starts are changed, since the radiusd service must be able to read files in all subdirectories of /home/.
    user = root
    group = root
To be able to use groups in the FortiGate settings, a Vendor-Specific Attribute must be sent. To do this, I created a file in the raddb/policy.d directory with the following contents:
group_authorization {
    if (&LDAP-Group[*] == "CN=vpn_admins,OU=vpn-groups,DC=domain,DC=local") {
        update reply {
            &Fortinet-Group-Name = "vpn_admins"
        }
        update control {
            &Auth-Type := PAM
            &Reply-Message := "Welcome Admin"
        }
    }
    else {
        update reply {
            &Reply-Message := "Not authorized for vpn"
        }
        reject
    }
}
After installing freeradius-ldap, the file ldap is created in the raddb/mods-available directory.
You need to create a symbolic link to it in the raddb/mods-enabled directory:
    ln -s /etc/raddb/mods-available/ldap /etc/raddb/mods-enabled/ldap
I brought its contents to the following form:
ldap {
    server = 'domain.local'
    identity = 'CN=freerad_user,OU=users,DC=domain,DC=local'
    password = "SupeSecretP@ssword"
    base_dn = 'dc=domain,dc=local'
    sasl {
    }
    user {
        base_dn = "${..base_dn}"
        filter = "(sAMAccountname=%{%{Stripped-User-Name}:-%{User-Name}})"
        sasl {
        }
        scope = 'sub'
    }
    group {
        base_dn = "${..base_dn}"
        filter = '(objectClass=Group)'
        scope = 'sub'
        name_attribute = cn
        membership_filter = "(|(member=%{control:Ldap-UserDn})(memberUid=%{%{Stripped-User-Name}:-%{User-Name}}))"
        membership_attribute = 'memberOf'
    }
}
In the files raddb/sites-enabled/default and raddb/sites-enabled/inner-tunnel, in the authorize section, I added the name of the policy to use: group_authorization. An important point: the policy name is determined not by the file name in the policy.d directory but by the directive inside the file, before the curly brace.
In the authenticate section of the same files you need to uncomment the pam line.
In clients.conf, enter the parameters of the FortiGate that will connect:
client fortigate {
    ipaddr = 192.168.1.200
    secret = testing123
    require_message_authenticator = no
    nas_type = other
}
Configuration of the pam.d/radiusd module:
#%PAM-1.0
auth       sufficient   pam_google_authenticator.so
auth       include      password-auth
account    required     pam_nologin.so
account    include      password-auth
password   include      password-auth
session    include      password-auth
The standard FreeRADIUS + Google Authenticator bundle requires the user to enter credentials in the format: username, password+OTP.
Imagining the number of curses that would rain down on my head if the standard FreeRADIUS + Google Authenticator bundle were used, I decided to configure the PAM module so that only the Google Authenticator token is checked.
When a user connects, the following happens:
- FreeRADIUS checks that the user exists in the domain and belongs to the required group, and if so, checks the OTP token.
Everything looked good until the moment I thought: "How do I enroll OTP for 300+ users?"
To do that, the user has to log in to the FreeRADIUS server under their own account and run the google-authenticator application, which generates the QR code for the app. This is where shellinabox combined with .bash_profile comes to the rescue.
[root@freeradius ~]# yum install -y shellinabox
The daemon's configuration file is located in /etc/sysconfig/shellinabox.
I specified port 443 there; you can also point it at your own certificate.
[root@freeradius ~]# systemctl enable --now shellinaboxd
The user only needs to follow the link, enter their domain credentials and receive a QR code for the application.
The algorithm is as follows:
- The user logs in to the machine through the browser.
- It is checked whether the user is a domain user. If not, nothing is done.
- If the user is a domain user, membership in the Administrators group is checked.
- If not an admin, it is checked whether Google Authenticator is configured. If not, a QR code is generated and the user is logged out.
- If not an admin and Google Authenticator is already configured, the user is logged out.
- If an admin, Google Authenticator is checked again. If it is not configured, a QR code is generated.
All the logic lives in /etc/skel/.bash_profile.
cat /etc/skel/.bash_profile
# .bash_profile
# Get the aliases and functions
if [ -f ~/.bashrc ]; then
    . ~/.bashrc
fi
# User specific environment and startup programs
# Make only a few commands available from the user shell: anyone who is not an
# admin, or who is a domain user (absent from /etc/passwd), gets PATH=$HOME/bin
if [[ -z $(id $USER | grep "admins") || -z $(grep "^$USER:" /etc/passwd) ]]
then
    [[ ! -d $HOME/bin ]] && mkdir $HOME/bin
    [[ ! -f $HOME/bin/id ]] && ln -s /usr/bin/id $HOME/bin/id
    [[ ! -f $HOME/bin/google-auth ]] && ln -s /usr/bin/google-authenticator $HOME/bin/google-auth
    [[ ! -f $HOME/bin/grep ]] && ln -s /usr/bin/grep $HOME/bin/grep
    [[ ! -f $HOME/bin/figlet ]] && ln -s /usr/bin/figlet $HOME/bin/figlet
    [[ ! -f $HOME/bin/rebel.tlf ]] && ln -s /usr/share/figlet/rebel.tlf $HOME/bin/rebel.tlf
    [[ ! -f $HOME/bin/sleep ]] && ln -s /usr/bin/sleep $HOME/bin/sleep
    # Set PATH env to <home user directory>/bin
    PATH=$HOME/bin
    export PATH
else
    PATH=$PATH:$HOME/.local/bin:$HOME/bin
    export PATH
fi

# Banner and app links shown before the QR code is generated
show_instructions() {
    figlet -t -f $HOME/bin/rebel.tlf "Welcome to Company GAuth setup portal"
    sleep 1.5
    echo "Please, run any of these software on your device, where you would like to setup OTP:
Google Authenticator:
AppStore - https://apps.apple.com/us/app/google-authenticator/id388497605
Play Market - https://play.google.com/store/apps/details?id=com.google.android.apps.authenticator2&hl=en
FreeOTP:
AppStore - https://apps.apple.com/us/app/freeotp-authenticator/id872559395
Play Market - https://play.google.com/store/apps/details?id=org.fedorahosted.freeotp&hl=en
And prepare to scan QR code.
"
    sleep 5
}

# Enroll a TOTP secret: -f force, -t time-based, -w 3 window of 3 codes,
# -r 3 -R 30 at most 3 logins per 30 s, -d disallow code reuse, -e 1 one scratch code
enroll_otp() {
    google-auth -f -t -w 3 -r 3 -R 30 -d -e 1
}

if [[ -n $(id $USER | grep "domain users") ]]
then
    if [[ ! -e $HOME/.google_authenticator ]]
    then
        if [[ -n $(id $USER | grep "admins") ]]
        then
            show_instructions
            enroll_otp
            echo "Congratulations, now you can use an OTP token from application as a password connecting to VPN."
        else
            show_instructions
            enroll_otp
            echo "Congratulations, now you can use an OTP token from application as a password to VPN."
            logout
        fi
    else
        echo "You have already setup a Google Authenticator"
        if [[ -z $(id $USER | grep "admins") ]]
        then
            logout
        fi
    fi
else
    echo "You don't need to set up a Google Authenticator"
fi
FortiGate settings:
- Create the RADIUS server.
- Create the necessary groups, if access control by group is needed. The group name on the FortiGate must match the group passed in the Vendor-Specific Attribute Fortinet-Group-Name.
- Edit the required SSL portals.
- Add the groups to the policies.
Advantages of this solution:
- It became possible to authenticate by OTP on the FortiGate with an open-source solution.
- The user does not enter the domain password when connecting via VPN, which somewhat simplifies the connection process. A 6-digit code is easier to enter than what the security policy prescribes for passwords. As a result, the number of tickets with the subject "I can't connect to the VPN" has dropped.
PS: We plan to upgrade this solution to full-fledged two-factor authentication with challenge-response.
Update:
As promised, I reworked it into the challenge-response variant.
So:
In the file /etc/raddb/sites-enabled/default the authorize section now looks like this:
authorize {
    filter_username
    preprocess
    auth_log
    chap
    mschap
    suffix
    eap {
        ok = return
    }
    files
    -sql
    #-ldap
    expiration
    logintime
    if (!State) {
        if (&User-Password) {
            # If !State and User-Password (PAP), then force LDAP:
            update control {
                Ldap-UserDN := "%{User-Name}"
                Auth-Type := LDAP
            }
        }
        else {
            reject
        }
    }
    else {
        # If State, then proxy request:
        group_authorization
    }
    pap
}
The authenticate section now looks like this:
authenticate {
    Auth-Type PAP {
        pap
    }
    Auth-Type CHAP {
        chap
    }
    Auth-Type MS-CHAP {
        mschap
    }
    mschap
    digest
    # Attempt authentication with a direct LDAP bind:
    Auth-Type LDAP {
        ldap
        if (ok) {
            update reply {
                # Create a random State attribute:
                State := "%{randstr:aaaaaaaaaaaaaaaa}"
                Reply-Message := "Please enter OTP"
            }
            # Return Access-Challenge:
            challenge
        }
    }
    pam
    eap
}
Now user verification follows this algorithm:
- The user enters their domain credentials in the VPN client.
- FreeRADIUS checks the validity of the account and password.
- If the password is correct, a token request is sent.
- The token is verified.
- Profit)
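As an added illustration (a Python model, not FreeRADIUS code) of the two rounds this authorize/authenticate configuration produces: the first Access-Request without State gets a password check and an Access-Challenge with a fresh State, and the second one, carrying the State back, gets the group check and the OTP check. The user directory, the accepted OTP and the State bookkeeping are constructed stand-ins for the LDAP bind, the PAM module and FreeRADIUS's session tracking.

```python
import secrets

class VpnRadiusFlow:
    """Two-round RADIUS logic of the updated authorize/authenticate sections
    (added model, not FreeRADIUS code): round 1 has no State and checks the
    domain password; round 2 carries the State back and checks the OTP."""

    def __init__(self, check_password, check_otp, vpn_groups):
        self.check_password = check_password  # stands in for the ldap bind
        self.check_otp = check_otp            # stands in for pam_google_authenticator
        self.vpn_groups = vpn_groups          # user -> LDAP group, as group_authorization sees it
        self.pending = {}                     # State -> user awaiting an OTP

    def handle(self, request: dict) -> dict:
        user = request.get("User-Name")
        state = request.get("State")
        if state is None:
            # No State: PAP password against LDAP, then Access-Challenge with a fresh State
            pw = request.get("User-Password")
            if pw is None or not self.check_password(user, pw):
                return {"Code": "Access-Reject"}
            state = secrets.token_hex(8)  # like "%{randstr:aaaaaaaaaaaaaaaa}": 16 random characters
            self.pending[state] = user
            return {"Code": "Access-Challenge", "State": state, "Reply-Message": "Please enter OTP"}
        # State present: group_authorization, then the OTP (sent as User-Password) via pam
        if self.pending.pop(state, None) != user:
            return {"Code": "Access-Reject"}  # unknown or already-used State
        if self.vpn_groups.get(user) != "vpn_admins":
            return {"Code": "Access-Reject", "Reply-Message": "Not authorized for vpn"}
        if not self.check_otp(user, request.get("User-Password", "")):
            return {"Code": "Access-Reject"}
        return {"Code": "Access-Accept", "Fortinet-Group-Name": "vpn_admins",
                "Reply-Message": "Welcome Admin"}

# Constructed sample directory: domain passwords, group membership and one fixed "current" OTP
USERS = {"alice": "Passw0rd!", "bob": "hunter2"}
GROUPS = {"alice": "vpn_admins"}

def demo() -> list:
    flow = VpnRadiusFlow(lambda u, p: USERS.get(u) == p, lambda u, c: c == "287082", GROUPS)
    r1 = flow.handle({"User-Name": "alice", "User-Password": "Passw0rd!"})
    r2 = flow.handle({"User-Name": "alice", "User-Password": "287082", "State": r1.get("State")})
    r3 = flow.handle({"User-Name": "alice", "User-Password": "287082", "State": r1.get("State")})
    return [r1["Code"], r2["Code"], r3["Code"]]  # challenge, accept, then the replayed State is rejected
```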
Source: www.habr.com