How to use PAM modules for local authentication in Linux with GOST-2012 keys on a Rutoken


Simple passwords are insecure, and complex ones cannot be remembered. That is why they so often end up on a sticky note under the keyboard or on the monitor. To make sure passwords stay in the heads of "forgetful" users without losing the reliability of the protection, there is two-factor authentication (2FA).

Thanks to the combination of possessing a device and knowing its PIN, the PIN itself can be simpler and easier to remember. Shortcomings in PIN length or randomness are compensated for by the requirement of physical possession and by restrictions on PIN brute force.

In addition, it happens in government agencies that they want everything to work according to GOST. This 2FA option for logging in to Linux will be discussed. I will start from afar.

PAM modules

Pluggable Authentication Modules (PAM) are modules with a standard API that implement various authentication mechanisms for applications.
All utilities and applications that can work with PAM pick these modules up and can use them to authenticate users.
In practice it works something like this: the login command calls PAM, which performs all the necessary checks using the modules specified in the configuration file and returns the result to the login command.

librtpam

The module developed by the company Aktiv adds two-factor authentication of users with smart cards or USB tokens, using asymmetric keys according to the latest standards of domestic (Russian) cryptography.

Let us look at how it works:

  • The token stores the user's certificate and its private key;
  • The certificate is stored in the user's home directory as a trusted one.

The authentication process goes as follows:

  1. The user's personal certificate is looked up on the Rutoken.
  2. The token PIN is requested.
  3. Random data is signed with the private key directly on the Rutoken chip.
  4. The resulting signature is verified with the public key from the user's certificate.
  5. The module returns the signature verification result to the calling application.

You can authenticate with GOST R 34.10-2012 keys (256 or 512 bits long) or with the legacy GOST R 34.10-2001.

You need not worry about the security of the keys: they are generated directly on the Rutoken and never leave its memory during cryptographic operations.


Rutoken EDS 2.0 is certified by the FSB and by FSTEC under NDV 4, so it can be used in information systems that process confidential information.

Practical use

Almost any modern Linux will do; as an example we will use xUbuntu 18.10.

1) Install the necessary packages

sudo apt-get install libccid pcscd opensc
If you also want the desktop to lock with the screensaver, install the package libpam-pkcs11 as well.

2) Add the PAM module with GOST support

Download the library from https://download.rutoken.ru/Rutoken/PAM/
Copy the file librtpam.so.1.0.0 from the PAM folder into the system folder
/usr/lib/ or /usr/lib/x86_64-linux-gnu/ or /usr/lib64

3) Install the package with librtpkcs11ecp.so

Download and install the DEB or RPM package from the link: https://www.rutoken.ru/support/download/pkcs/

4) Check that Rutoken EDS 2.0 works in the system

In a terminal, run
$ pkcs11-tool --module /usr/lib/librtpkcs11ecp.so -T
If you see the line Rutoken ECP <no label>, everything is fine.

5) Read the certificate

To check whether the device holds a certificate
$ pkcs11-tool --module /usr/lib/librtpkcs11ecp.so -O
If after the line:
Using slot 0 with a present token (0x0)

  • information about keys and certificates is shown, you need to read the certificate and save it to disk. To do this, use the following command, substituting for {id} the certificate ID you saw in the output of the previous command:
    $ pkcs11-tool --module /usr/lib/librtpkcs11ecp.so -r -y cert --id {id} --output-file cert.crt
    If the file cert.crt was created, proceed to step 6).
  • nothing is shown, the device is empty. Contact your administrator or generate the keys and certificate yourself by following the next step.

5.1) Create a test certificate

Attention! The methods of creating keys and certificates described here are suitable for testing and are not intended for production use. For production, you must use keys and certificates issued by your organization's trusted certification authority or by an accredited certification authority.
The PAM module is intended for protecting local computers and is designed for small organizations. Since there are few users, the administrator can track certificate revocation and block accounts manually, as well as track certificate validity periods. The PAM module does not yet know how to validate certificates using CRLs or how to build a chain of trust.

The easy way (via a browser)

To obtain a test certificate, use the web service "Rutoken Registration Center". The procedure takes no more than 5 minutes.

The geek way (via the console, and possibly a compiler)

Check the OpenSC version
$ opensc-tool --version
If the version is below 0.20, update it, or build the pkcs11-tool branch with GOST-2012 support from our GitHub (at the time of writing, 0.20 had not been released yet), or build the main branch of the upstream OpenSC project at or after commit 8cf1e6f.

Generate a key pair with the following parameters:
--key-type: GOSTR3410-2012-512:A (GOST-2012, 512 bits, parameter set A) or GOSTR3410-2012-256:A (GOST-2012, 256 bits, parameter set A)

--id: the object identifier (CKA_ID) as two-digit hex numbers from the ASCII table. Use only the ASCII codes of printable characters, because the id will later have to be passed to OpenSSL as a string. For example, the ASCII codes "3132" correspond to the string "12". For convenience, you can use an online service that converts strings to ASCII codes.

$ ./pkcs11-tool --module /usr/lib/librtpkcs11ecp.so --keypairgen --key-type GOSTR3410-2012-512:A -l --id 3132

Next we will create a certificate. Two methods are described below: the first via a CA (we will use test CAs), the second self-signed. For both, you first need to install and configure OpenSSL version 1.1 or later to work with the Rutoken through the special rtengine module, following the guide "Installing and configuring OpenSSL".
For example: for '--id 3132' you must specify "pkcs11:id=12" in OpenSSL.

You can use test CA services, of which there are many (for example, here, here and here); for that we create a certificate request:
$ openssl req -utf8 -new -keyform engine -key "pkcs11:id=12" -engine rtengine -out req.csr

Another option is to be lazy and create a self-signed certificate:
$ openssl req -utf8 -x509 -keyform engine -key "pkcs11:id=12" -engine rtengine -out cert.cer

Then upload the certificate to the device.

6) Register the certificate in the system

Make sure your certificate looks like a base64 (PEM) file, i.e. a text file that starts with -----BEGIN CERTIFICATE-----:

[screenshot: PEM-encoded certificate]

If instead your certificate looks like this (binary data):

[screenshot: DER-encoded certificate]

then you need to convert the certificate from DER format to PEM (base64) format:

$ openssl x509 -in cert.crt -out cert.pem -inform DER -outform PEM
Check again that everything looks right now.

Add the certificate to the list of trusted certificates
$ mkdir ~/.eid
$ chmod 0755 ~/.eid
$ cat cert.pem >> ~/.eid/authorized_certificates
$ chmod 0644 ~/.eid/authorized_certificates

The last line protects the list of trusted certificates from accidental or deliberate modification by other users. This prevents someone from adding their own certificate here and then being able to log in as you.
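As an added example (not code from the original article or from Rutoken), the following POSIX shell helper automates the ASCII-to-hex id conversion from step 5.1 and the step 6 installation of the certificate into ~/.eid/authorized_certificates, converting DER to PEM when needed and checking that the resulting file is not writable by other users. The function names and the script name are assumptions; openssl is only required when the input is DER.

```shell
#!/bin/sh
# Added helper (not from the article): automates step 6 and checks the permissions
# that step 6 relies on. Assumes pkcs11-tool has already saved the certificate to
# disk (cert.crt) and that openssl is installed if that file is DER-encoded.

# Convert a printable ASCII string into the hex CKA_ID that pkcs11-tool --id
# expects (e.g. "12" -> "3132"); OpenSSL still takes the plain string "pkcs11:id=12".
ascii_id_to_hex() {
    printf '%s' "$1" | od -An -tx1 | tr -d ' \n'
}

# Returns 0 if the file is PEM (text with a BEGIN CERTIFICATE header), 1 if DER/other.
cert_is_pem() {
    head -n 1 "$1" | grep -q -- '-----BEGIN CERTIFICATE-----'
}

# Returns 0 only when neither group nor others can write the file, i.e. the mode
# the article sets with chmod 0644, so other users cannot append their own certificate.
trust_list_mode_ok() {
    mode=$(ls -ld "$1" | cut -c1-10)
    case "$mode" in
        ?????w*|????????w?) return 1 ;;
    esac
    return 0
}

# Append a certificate in PEM form to <eid_dir>/authorized_certificates, converting
# DER to PEM with openssl when needed, and apply the permissions from step 6.
install_trusted_cert() {
    cert=$1
    eid_dir=${2:-"$HOME/.eid"}
    list="$eid_dir/authorized_certificates"
    mkdir -p "$eid_dir" || return 1
    chmod 0755 "$eid_dir" || return 1
    if cert_is_pem "$cert"; then
        cat "$cert" >> "$list" || return 1
    else
        openssl x509 -in "$cert" -inform DER -outform PEM >> "$list" || return 1
    fi
    chmod 0644 "$list" && trust_list_mode_ok "$list"
}

# Usage: sh add_trusted_cert.sh cert.crt   (the script name is hypothetical)
if [ "$#" -eq 1 ]; then
    install_trusted_cert "$1" && echo "added $1 to ${HOME}/.eid/authorized_certificates"
fi
```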

7) Configure authentication

Setting up our PAM module is completely standard and is done the same way as setting up other modules. Create the file /usr/share/pam-configs/rutoken-gost-pam containing the full name of the module, whether it is enabled by default, the module's priority, and the authentication parameters.
The authentication parameters define the requirements for the operation to succeed:

  • required: Such modules must return a positive response. If the result of the module call is a negative response, this causes an authentication error. The request will be rejected, but the remaining modules are still called.
  • requisite: Similar to required, but immediately fails authentication and ignores the remaining modules.
  • sufficient: If none of the required or sufficient modules before this module returned a negative result, the module returns a positive response and the remaining modules are ignored.
  • optional: If there are no required modules in the stack and none of the sufficient modules returns a positive result, then at least one optional module must return a positive result.

Full contents of the file /usr/share/pam-configs/rutoken-gost-pam:
Name: Rutoken PAM GOST
Default: yes
Priority: 800
Auth-Type: Primary
Auth: sufficient /usr/lib/librtpam.so.1.0.0 /usr/lib/librtpkcs11ecp.so


Save the file, then run
$ sudo pam-auth-update
In the window that appears, put an asterisk next to Rutoken PAM GOST and click OK.


8) Check the settings

To make sure everything is configured, without losing the ability to log in to the system in the meantime, enter the command
$ sudo login
Enter your username. Everything is configured correctly if the system asks for the device PIN code.


9) Configure the computer to lock when the token is removed

The libpam-pkcs11 package includes the pkcs11_eventmgr utility, which lets you perform various actions when PKCS#11 events occur.
pkcs11_eventmgr is configured through a configuration file: /etc/pam_pkcs11/pkcs11_eventmgr.conf
On different Linux distributions, the command that locks the session when the smart card or token is removed will differ. See event card_remove.
An example configuration file is shown below:

pkcs11_eventmgr
{
    # Run in the background
    daemon = true;

    # Debug message settings
    debug = false;

    # Polling interval in seconds
    polling_time = 1;

    # Timeout for card removal
    # Default is 0
    expire_time = 0;

    # Select the PKCS#11 library for working with the Rutoken
    # (absolute path; the original listing was missing the leading slash)
    pkcs11_module = /usr/lib/librtpkcs11ecp.so;

    # Card actions
    # Card inserted:
    event card_insert {
        # Leave the default values (nothing happens)
        on_error = ignore;

        action = "/bin/false";
    }

    # Card removed
    event card_remove {
        on_error = ignore;

        # Call the screen lock function

        # For GNOME
        action = "dbus-send --type=method_call --dest=org.gnome.ScreenSaver /org/gnome/ScreenSaver org.gnome.ScreenSaver.Lock";

        # For XFCE
        # action = "xflock4";

        # For Astra Linux (FLY)
        # action = "fly-wmfunc FLYWM_LOCK";
    }

    # Card has been removed for a long time
    event expire_time {
        # Leave the default values (nothing happens)
        on_error = ignore;

        action = "/bin/false";
    }
}

Then add the pkcs11_eventmgr application to autostart. To do this, edit the .bash_profile file:
$ nano /home/<username>/.bash_profile
Add the line pkcs11_eventmgr at the end of the file and reboot.

The described steps for setting up the operating system can be used as instructions for any modern Linux distribution, including domestic (Russian) ones.


Conclusion

Linux PCs are becoming more and more popular in Russian government agencies, and setting up reliable two-factor authentication in this OS is not always easy. We will be glad to help you solve the "password problem" with this guide and reliably protect access to your PC without spending a lot of time on it.

Source: www.habr.com
