What do you do when you both want two-factor authentication and dread it, there is no money for hardware tokens, and in general you are told to hang in there and keep your spirits up?
This solution is nothing particularly original; it is rather a mix of various solutions found on the Internet.
So, given:
An Active Directory domain.
Domain users who, like most people these days, work over VPN.
A Fortigate acting as the VPN gateway.
Saving the password in the VPN client is forbidden by the security policy.
Fortinet's policy on its own tokens cannot be called anything but stingy: up to 10 tokens are free, the rest come at a far from kosher price. I did not consider RSA SecurID, Duo and the like, because I want open source.
Prerequisites: a *nix host with FreeRADIUS installed and SSSD joined to the domain, so that domain users can authenticate on it without trouble.
Additional packages: shellinabox, figlet, freeradius-ldap, the rebel.tlf font from the repository.
In my example it is CentOS 7.8.
The logic should be as follows: when connecting to the VPN, the user enters the domain login and an OTP instead of the password.
Configuring the services
In /etc/raddb/radiusd.conf only the user and group that freeradius starts as are changed, because the radiusd service must be able to read the files in every subdirectory of /home/.
user = root
group = root
To be able to use groups in the Fortigate settings, a Vendor Specific Attribute has to be passed. For this I create a file in the raddb/policy.d directory with the following content:
group_authorization {
    if (&LDAP-Group[*] == "CN=vpn_admins,OU=vpn-groups,DC=domain,DC=local") {
        update reply {
            &Fortinet-Group-Name = "vpn_admins"
        }
        update control {
            &Auth-Type := PAM
            &Reply-Message := "Welcome Admin"
        }
    }
    else {
        update reply {
            &Reply-Message := "Not authorized for vpn"
        }
        reject
    }
}
After installing freeradius-ldap, an ldap file is created in the raddb/mods-available directory.
A symbolic link to it must be created in the raddb/mods-enabled directory.
ln -s /etc/raddb/mods-available/ldap /etc/raddb/mods-enabled/ldap
I bring its contents to this form:
ldap {
    server = 'domain.local'
    identity = 'CN=freerad_user,OU=users,DC=domain,DC=local'
    password = "SupeSecretP@ssword"
    base_dn = 'dc=domain,dc=local'
    sasl {
    }
    user {
        base_dn = "${..base_dn}"
        filter = "(sAMAccountname=%{%{Stripped-User-Name}:-%{User-Name}})"
        sasl {
        }
        scope = 'sub'
    }
    group {
        base_dn = "${..base_dn}"
        filter = '(objectClass=Group)'
        scope = 'sub'
        name_attribute = cn
        membership_filter = "(|(member=%{control:Ldap-UserDn})(memberUid=%{%{Stripped-User-Name}:-%{User-Name}}))"
        membership_attribute = 'memberOf'
    }
}
In the files raddb/sites-enabled/default and raddb/sites-enabled/inner-tunnel, in the authorize section, I add the name of the policy being used: group_authorization. An important point: the policy name is determined not by the file name in the policy.d directory, but by the directive inside the file before the curly braces.
In the authenticate section of the same files, the pam line has to be uncommented.
In the clients.conf file, specify the parameters with which the Fortigate will connect:
client fortigate {
    ipaddr = 192.168.1.200
    secret = testing123
    require_message_authenticator = no
    nas_type = other
}
Module configuration in pam.d/radiusd:
#%PAM-1.0
auth sufficient pam_google_authenticator.so
auth include password-auth
account required pam_nologin.so
account include password-auth
password include password-auth
session include password-auth
The stock ways of combining freeradius with Google Authenticator require the user to enter the credentials in the format username/password+OTP.
Having imagined the number of curses that the stock freeradius + Google Authenticator bundle would bring down on my head, it was decided to use the PAM module configuration so that only the Google Authenticator token is checked.
When a user connects, the following happens:
- Freeradius checks that the user is in the domain and in a specific group, and if that succeeds, checks the OTP token.
Everything looked fine until I thought: "How do I enroll OTP for more than 300 users?"
The user has to log in to the freeradius server and run the Google Authenticator application under their own account, which generates the QR code for the app for that user. This is where shellinabox together with .bash_profile comes to the rescue.
[root@freeradius ~]# yum install -y shellinabox
The daemon's configuration file is located at /etc/sysconfig/shellinabox.
I specify port 443 there; you can also specify your own certificate.
[root@freeradius ~]# systemctl enable --now shellinaboxd
The user only has to follow the link, enter their domain credentials and get the QR code for the application.
The algorithm is as follows:
- The user logs in to the machine through the browser.
- It is checked whether this is a domain user. If not, nothing is done.
- If the user is a domain user, membership in the Administrators group is checked.
- If not an administrator, it is checked whether Google Authenticator is already configured. If not, a QR code is generated and the user is logged out.
- If not an administrator and Google Authenticator is already configured, the user is simply logged out.
- If an administrator, Google Authenticator is checked again. If it is not configured, a QR code is generated.
All the logic is implemented in /etc/skel/.bash_profile.
cat /etc/skel/.bash_profile
# .bash_profile
# Get the aliases and functions
if [ -f ~/.bashrc ]; then
    . ~/.bashrc
fi
# User specific environment and startup programs
# Make several commands available from user shell
if [[ -z $(id $USER | grep "admins") || -z $(cat /etc/passwd | grep $USER) ]]
then
    [[ ! -d $HOME/bin ]] && mkdir $HOME/bin
    [[ ! -f $HOME/bin/id ]] && ln -s /usr/bin/id $HOME/bin/id
    [[ ! -f $HOME/bin/google-auth ]] && ln -s /usr/bin/google-authenticator $HOME/bin/google-auth
    [[ ! -f $HOME/bin/grep ]] && ln -s /usr/bin/grep $HOME/bin/grep
    [[ ! -f $HOME/bin/figlet ]] && ln -s /usr/bin/figlet $HOME/bin/figlet
    [[ ! -f $HOME/bin/rebel.tlf ]] && ln -s /usr/share/figlet/rebel.tlf $HOME/bin/rebel.tlf
    [[ ! -f $HOME/bin/sleep ]] && ln -s /usr/bin/sleep $HOME/bin/sleep
    # Set PATH env to <home user directory>/bin so that only the linked commands are available
    PATH=$HOME/bin
    export PATH
else
    PATH=$PATH:$HOME/.local/bin:$HOME/bin
    export PATH
fi
if [[ -n $(id $USER | grep "domain users") ]]
then
    if [[ ! -e $HOME/.google_authenticator ]]
    then
        if [[ -n $(id $USER | grep "admins") ]]
        then
            figlet -t -f $HOME/bin/rebel.tlf "Welcome to Company GAuth setup portal"
            sleep 1.5
            echo "Please, run any of these software on your device, where you would like to setup OTP:
Google Authenticator:
AppStore - https://apps.apple.com/us/app/google-authenticator/id388497605
Play Market - https://play.google.com/store/apps/details?id=com.google.android.apps.authenticator2&hl=en
FreeOTP:
AppStore - https://apps.apple.com/us/app/freeotp-authenticator/id872559395
Play Market - https://play.google.com/store/apps/details?id=org.fedorahosted.freeotp&hl=en
And prepare to scan QR code.
"
            sleep 5
            # time-based, window of 3 codes, 3 attempts per 30 s, no code reuse, 1 emergency code
            google-auth -f -t -w 3 -r 3 -R 30 -d -e 1
            echo "Congratulations, now you can use an OTP token from application as a password connecting to VPN."
        else
            figlet -t -f $HOME/bin/rebel.tlf "Welcome to Company GAuth setup portal"
            sleep 1.5
            echo "Please, run any of these software on your device, where you would like to setup OTP:
Google Authenticator:
AppStore - https://apps.apple.com/us/app/google-authenticator/id388497605
Play Market - https://play.google.com/store/apps/details?id=com.google.android.apps.authenticator2&hl=en
FreeOTP:
AppStore - https://apps.apple.com/us/app/freeotp-authenticator/id872559395
Play Market - https://play.google.com/store/apps/details?id=org.fedorahosted.freeotp&hl=en
And prepare to scan QR code.
"
            sleep 5
            google-auth -f -t -w 3 -r 3 -R 30 -d -e 1
            echo "Congratulations, now you can use an OTP token from application as a password to VPN."
            # non-admins get their QR code and are logged out of the restricted shell
            logout
        fi
    else
        echo "You have already setup a Google Authenticator"
        if [[ -z $(id $USER | grep "admins") ]]
        then
            logout
        fi
    fi
else
    echo "You don't need to set up a Google Authenticator"
fi
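What pam_google_authenticator has to check at VPN login, given the enrollment flags used above (-t time-based codes, -w 3 window, -r 3 -R 30 rate limit, -d no reuse), as an added Python model written for this page rather than code from the article or from the PAM module; the key material and the window, rate-limit and reuse semantics are modelled here from RFC 4226/6238 and the google-authenticator option descriptions, not read from a real ~/.google_authenticator file.

```python
import base64
import hashlib
import hmac
import struct
import time

STEP = 30  # TOTP time step in seconds (RFC 6238 default, what google-authenticator -t uses)


def hotp(secret_b32, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    key = base64.b32decode(secret_b32.upper() + "=" * (-len(secret_b32) % 8))
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret_b32, at):
    """RFC 6238 TOTP: HOTP with the counter taken from Unix time (what the phone app shows)."""
    return hotp(secret_b32, at // STEP)


class OtpVerifier:
    """Model of the checks selected by 'google-auth -t -w 3 -r 3 -R 30 -d'
    (an illustration written for this page, not pam_google_authenticator's own code)."""

    def __init__(self, secret_b32, window=3, rate_limit=3, rate_period=30):
        self.secret = secret_b32
        self.half = window // 2        # -w 3: the current step plus one step either side
        self.rate_limit = rate_limit   # -r 3 -R 30: at most 3 attempts per 30 seconds
        self.rate_period = rate_period
        self.used_steps = set()        # -d: a code that was accepted once is never accepted again
        self.attempts = []             # Unix times of recent attempts, for the rate limit

    def verify(self, code, now=None):
        now = int(time.time()) if now is None else now
        self.attempts = [t for t in self.attempts if now - t < self.rate_period]
        if len(self.attempts) >= self.rate_limit:
            return False               # rate limited: refused before any code is compared
        self.attempts.append(now)
        step = now // STEP
        for candidate in range(step - self.half, step + self.half + 1):
            if candidate in self.used_steps:
                continue
            if hmac.compare_digest(hotp(self.secret, candidate), code):
                self.used_steps.add(candidate)
                return True
        return False
```

With the default window a code from the previous or next 30-second step still passes, which is what absorbs small clock drift between the phone and the freeradius host.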
Fortigate settings:
- Create a radius-server.
- Create the required groups, if access is to be controlled by group. The group name on the Fortigate must match the group passed in the Vendor Specific Attribute Fortinet-Group-Name.
- Edit the required SSL portals.
- Add the groups to the policies.
Advantages of this solution:
- OTP authentication on Fortigate with an open-source solution.
- When connecting over VPN the user does not enter the domain password, which somewhat simplifies the connection process. Entering a 6-digit code is easier than the password the security policy requires. As a result, the number of tickets on the subject "I can't connect to the VPN" goes down.
PS We plan to upgrade this solution to full two-factor authentication with challenge-response.
Update:
As promised, I converted it to the challenge-response variant.
So:
In the file /etc/raddb/sites-enabled/default the authorize section looks like this:
authorize {
    filter_username
    preprocess
    auth_log
    chap
    mschap
    suffix
    eap {
        ok = return
    }
    files
    -sql
    #-ldap
    expiration
    logintime
    if (!State) {
        if (&User-Password) {
            # If !State and User-Password (PAP), then force LDAP:
            update control {
                Ldap-UserDN := "%{User-Name}"
                Auth-Type := LDAP
            }
        }
        else {
            reject
        }
    }
    else {
        # If State, then proxy request:
        group_authorization
    }
    pap
}
The authenticate section now looks like this:
authenticate {
    Auth-Type PAP {
        pap
    }
    Auth-Type CHAP {
        chap
    }
    Auth-Type MS-CHAP {
        mschap
    }
    mschap
    digest
    # Attempt authentication with a direct LDAP bind:
    Auth-Type LDAP {
        ldap
        if (ok) {
            update reply {
                # Create a random State attribute:
                State := "%{randstr:aaaaaaaaaaaaaaaa}"
                Reply-Message := "Please enter OTP"
            }
            # Return Access-Challenge:
            challenge
        }
    }
    pam
    eap
}
User verification is now carried out according to the following algorithm:
- The user enters the domain credentials in the VPN client.
- Freeradius checks that the account and password are valid.
- If the password is correct, a request for the token is sent.
- The token is checked.
- Profit)
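The two-step exchange just described, as an added Python model written for this page (not the article's configuration or FreeRADIUS code): RFC 2865 PAP User-Password hiding with the shared secret from clients.conf, a server that mirrors the authorize/authenticate logic with plain dicts standing in for the LDAP bind and group lookup and a callback standing in for pam, and the two Access-Requests the gateway sends. The State is consumed when used, so a replayed second request is refused.

```python
import hashlib
import secrets

def pap_transform(data, shared_secret, authenticator, hide):
    """RFC 2865 5.2 User-Password hiding; each 16-byte block is XORed with
    MD5(secret + previous ciphertext block), the first with the Request Authenticator."""
    data = data + b"\x00" * (-len(data) % 16)  # plaintext is NUL-padded to 16-byte blocks
    out, prev = b"", authenticator
    for i in range(0, len(data), 16):
        digest = hashlib.md5(shared_secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(data[i:i + 16], digest))
        out, prev = out + block, (block if hide else data[i:i + 16])  # chain on ciphertext
    return out if hide else out.rstrip(b"\x00")

class RadiusServer:
    """Model of the authorize/authenticate sections above; dicts stand in for LDAP, a callback for pam."""
    def __init__(self, shared_secret, ldap_passwords, vpn_admins, verify_otp):
        self.secret, self.ldap_passwords = shared_secret, ldap_passwords
        self.vpn_admins, self.verify_otp = vpn_admins, verify_otp
        self.pending = {}  # outstanding State values -> user who passed the LDAP bind

    def handle(self, req):
        user = req["User-Name"]
        pw = pap_transform(req.get("User-Password", b""), self.secret, req["Authenticator"], False)
        if "State" not in req:
            # !State: Auth-Type := LDAP; a successful bind is answered with Access-Challenge
            if "User-Password" not in req or self.ldap_passwords.get(user) != pw.decode("utf-8", "replace"):
                return {"code": "Access-Reject"}
            state = secrets.token_hex(8)  # plays the role of %{randstr:aaaaaaaaaaaaaaaa}
            self.pending[state] = user
            return {"code": "Access-Challenge", "State": state, "Reply-Message": "Please enter OTP"}
        # State present: group_authorization, then Auth-Type PAM with the OTP as User-Password
        if self.pending.pop(req["State"], None) != user:
            return {"code": "Access-Reject"}  # unknown, foreign or already consumed State
        if user not in self.vpn_admins:
            return {"code": "Access-Reject", "Reply-Message": "Not authorized for vpn"}
        if not self.verify_otp(user, pw.decode("utf-8", "replace")):
            return {"code": "Access-Reject"}
        return {"code": "Access-Accept", "Fortinet-Group-Name": "vpn_admins"}

def vpn_login(server, shared_secret, user, password, otp):
    """The two Access-Requests the gateway sends: domain credentials, then the OTP with State echoed."""
    auth = secrets.token_bytes(16)
    reply = server.handle({"User-Name": user, "Authenticator": auth,
                           "User-Password": pap_transform(password.encode(), shared_secret, auth, True)})
    if reply["code"] != "Access-Challenge":
        return reply
    auth = secrets.token_bytes(16)
    return server.handle({"User-Name": user, "Authenticator": auth, "State": reply["State"],
                          "User-Password": pap_transform(otp.encode(), shared_secret, auth, True)})
```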
Source: www.habr.com