LinOTP two-factor authentication server

Today I want to share how to set up a two-factor authentication server to protect a corporate network, websites, services and ssh. The server will run the following combination: LinOTP + FreeRadius.

Why do we need it?
It is a completely free, convenient solution, hosted inside your own network and independent of third-party providers.

The service is very simple and very visual, unlike other open-source products, and it also supports a large number of functions and policies (for example, login + password + (PIN + OTP token)). Through its API it integrates with SMS sending services (LinOTP Config -> Provider Config -> SMS Provider), generates codes for mobile apps such as Google Authenticator, and much more. I think it is simpler than the service discussed in the article.

This server works perfectly with Cisco ASA, an OpenVPN server, Apache2, and in general with anything that supports authentication through a RADIUS server (for example, for SSH in a data center).

You need:

1) Debian 8 (jessie) - required! (a test install on Debian 9 is described at the end of the article)

Getting started:

Install Debian 8.

Add the LinOTP repository:

# echo 'deb http://www.linotp.org/apt/debian jessie linotp' > /etc/apt/sources.list.d/linotp.list

Install the keys:

# gpg --search-keys 913DFF12F86258E5

Sometimes, during a "clean" install, Debian prints the following after this command:

gpg: создан каталог `/root/.gnupg'
gpg: создан новый файл настроек `/root/.gnupg/gpg.conf'
gpg: ВНИМАНИЕ: параметры в `/root/.gnupg/gpg.conf' еще не активны при этом запуске
gpg: создана таблица ключей `/root/.gnupg/secring.gpg'
gpg: создана таблица ключей `/root/.gnupg/pubring.gpg'
gpg: не заданы серверы ключей (используйте --keyserver)
gpg: сбой при поиске на сервере ключей: плохой URI

This is just the first-time initialization of gnupg. It is fine. Simply run the command again.
Debian then asks:

gpg: поиск "913DFF12F86258E5" на hkp сервере keys.gnupg.net
(1)	LSE LinOTP2 Packaging <[email protected]>
	  2048 bit RSA key F86258E5, создан: 2010-05-10
Keys 1-1 of 1 for "913DFF12F86258E5".  Введите числа, N) Следующий или Q) Выход>

We answer: 1

Next:

# gpg --export 913DFF12F86258E5 | apt-key add -

# apt-get update

Install mysql. In principle you can use another SQL server, but for simplicity I will use the one recommended for LinOTP.

(Additional information, including LinOTP database configuration, can be found in the official documentation at the link. There you can also find the command dpkg-reconfigure linotp to change the parameters if mysql is already installed.)

# apt-get install mysql-server

# apt-get update

(it does not hurt to check for updates again)
Install LinOTP and the additional modules:

# apt-get install linotp

We answer the installer's questions:
Use Apache2: yes
Create a password for LinOTP administration: "your password"
Generate a self-signed certificate?: yes
Use MySQL?: yes
Where is the database located: localhost
Create the LinOTP database (schema name) on the server: LinOTP2
Create a separate user for the database: LinOTP2
Set a password for the user: "your password"
Should I create the database now? (something like "Are you sure you want to..."): yes
Enter the MySQL root password that you created during installation: "your password"
Done.

(optional, you do not have to install it)

# apt-get install linotp-adminclient-cli 

(optional, you do not have to install it)

# apt-get install libpam-linotp  

The LinOTP web interface is now available at:

https://<server_IP>/manage

I will talk about the settings in the web interface a bit later.

Now the most important part! We bring up FreeRadius and connect it to LinOTP.

Install FreeRadius and the module for working with LinOTP

# apt-get install freeradius linotp-freeradius-perl

Back up the clients and users radius configs.

# mv /etc/freeradius/clients.conf  /etc/freeradius/clients.old

# mv /etc/freeradius/users  /etc/freeradius/users.old

Create an empty clients file:

# touch /etc/freeradius/clients.conf

Edit our new config file (the backed-up config can be used as an example)

# nano /etc/freeradius/clients.conf

client 192.168.188.0/24 {
secret  = passwd # shared secret the RADIUS clients use to connect
}

Next, create a users file:

# touch /etc/freeradius/users

Edit the file, telling radius that we will use perl for authentication.

# nano /etc/freeradius/users

DEFAULT Auth-type := perl

Next, edit the file /etc/freeradius/modules/perl

# nano /etc/freeradius/modules/perl

We need to specify the path to the linotp perl script in the module parameter:

perl {
.......
.........
module = /usr/lib/linotp/radius_linotp.pm
... ..
}

Next, we create a file in which we specify where (domain, database or file) the user data is taken from.

# touch /etc/linotp2/rlm_perl.ini

# nano /etc/linotp2/rlm_perl.ini

URL=https://IP_вашего_LinOTP_сервера(192.168.X.X)/validate/simplecheck
REALM=webusers1c
RESCONF=LocalUser
Debug=True
SSL_CHECK=False

I will go into more detail here because it matters:

Full description of the file with comments:
# IP of the LinOTP server (the IP address of our LinOTP server)
URL=https://172.17.14.103/validate/simplecheck
# Our realm, which we will create in the LinOTP web interface (put its name here)
REALM=<realm_name>
# Name of the user group (UserIdResolver) created in the LinOTP web interface
RESCONF=flat_file
# optional: comment out if everything seems to work fine
Debug=True
# optional: use this if you have self-signed certificates, otherwise comment it out (SSL: whether to verify the certificate; ours is self-signed)
SSL_CHECK=False
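To make the hop from FreeRADIUS to LinOTP concrete, here is an added Python model (not code from the article and not LinOTP's own radius_linotp.pm) of what the perl module does with this file: it parses an rlm_perl.ini in the format shown above, builds the /validate/simplecheck request, and maps LinOTP's reply to the RADIUS result. The realm and resConf query parameter names and the ":-)" / ":-(" / ":-/" reply convention are assumed from LinOTP's validate API.

```python
from urllib.parse import urlencode

# Constructed sample of /etc/linotp2/rlm_perl.ini in the article's format.
SAMPLE_INI = """\
#IP of the LinOTP server
URL=https://172.17.14.103/validate/simplecheck
REALM=webusers1c
RESCONF=LocalUser
Debug=True
SSL_CHECK=False
"""


def load_rlm_perl_ini(text):
    """Parse the section-less KEY=VALUE file; lines starting with '#' are comments."""
    cfg = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            cfg[key.strip()] = value.strip()
    return cfg


def build_simplecheck_url(cfg, user, pin_plus_otp):
    """Return (url, verify_tls) for the GET that the perl module performs.
    'pass' carries PIN+OTP exactly as typed into the RADIUS client."""
    params = {"user": user, "pass": pin_plus_otp}
    if cfg.get("REALM"):
        params["realm"] = cfg["REALM"]       # assumed LinOTP parameter name
    if cfg.get("RESCONF"):
        params["resConf"] = cfg["RESCONF"]   # assumed LinOTP parameter name
    # SSL_CHECK=False disables certificate verification: tolerable only for a
    # self-signed lab certificate, never on a production path (MITM can read OTPs).
    verify_tls = cfg.get("SSL_CHECK", "True").strip().lower() != "false"
    return cfg["URL"] + "?" + urlencode(params), verify_tls


def radius_outcome(simplecheck_body):
    """Map LinOTP's simplecheck reply to the RADIUS answer FreeRADIUS sends back.
    ':-)' = success, ':-/' = challenge triggered (e.g. SMS OTP), ':-(' = failure.
    Anything unexpected (HTML error page, empty body) is treated as a reject."""
    body = simplecheck_body.strip()
    if body.startswith(":-)"):
        return "Access-Accept"
    if body.startswith(":-/"):
        return "Access-Challenge"
    return "Access-Reject"
```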

Next, create the file /etc/freeradius/sites-available/linotp

# touch /etc/freeradius/sites-available/linotp

# nano /etc/freeradius/sites-available/linotp

And copy the following config into it (nothing needs to be edited):

authorize {
#normalizes a malformed client request before it is handed on to other modules (see '/etc/freeradius/modules/preprocess')
preprocess
#  If you are using multiple kinds of realms, you probably
#  want to set "ignore_null = yes" for all of them.
#  Otherwise, when the first style of realm doesn't match,
#  the other styles won't be checked.
#allows a list of realm (see '/etc/freeradius/modules/realm')
IPASS
#understands something like USER@REALM and can tell the components apart (see '/etc/freeradius/modules/realm')
suffix
#understands USERREALM and can tell the components apart (see '/etc/freeradius/modules/realm')
ntdomain
#  Read the 'users' file to learn about special configuration which should be applied for
# certain users (see '/etc/freeradius/modules/files')
files
# allows authentication to expire (see '/etc/freeradius/modules/expiration')
expiration
# allows to define valid service-times (see '/etc/freeradius/modules/logintime')
logintime
# We got no radius_shortname_map!
pap
}
#here the linotp perl module is called for further processing
authenticate {
perl
}

Next we create a symlink:

# ln -s ../sites-available/linotp /etc/freeradius/sites-enabled

Personally, I delete the default radius sites, but if you need them, you can either edit their config or simply disable them.

# rm /etc/freeradius/sites-enabled/default

# rm /etc/freeradius/sites-enabled/inner-tunnel

# service freeradius reload

Now let's go back to the web interface and look at it in more detail:
In the upper right corner click LinOTP Config -> UserIdResolvers -> New
We choose what we want: LDAP (AD win, LDAP samba), or SQL, or the local users of the Flatfile system.

Fill in the required fields.

Next we create the REALMS:
In the upper right corner, click LinOTP Config -> Realms -> New.
Give our REALM a name, and also tick the UserIdResolvers created earlier.

FreeRadius needs all this data in the file /etc/linotp2/rlm_perl.ini, as I wrote above, so if you did not edit it then, do it now.

The servers are now fully configured.

Addendum:

Setting up LinOTP on Debian 9:

Installation:

# echo 'deb http://linotp.org/apt/debian stretch linotp' > /etc/apt/sources.list.d/linotp.list 
# apt-get install dirmngr

# apt-key adv --recv-keys 913DFF12F86258E5
# apt-get update

# apt-get install mysql-server

(by default, on Debian 9 mysql (mariaDB) does not offer to set a root password, so you could leave it empty, but if you read the reports this often leads to an "epic fail", so we will set it anyway)

# mysql -u root -p
use mysql;
UPDATE user SET Password = PASSWORD('тут_пароль') WHERE User = 'root';
FLUSH PRIVILEGES;
exit
# apt-get install linotp
# apt-get install linotp-adminclient-cli
# apt-get install python-ldap
# apt install freeradius
# nano /etc/freeradius/3.0/sites-enabled/linotp

Paste in the following config (submitted by JuriM, thanks for that!):

server linotp {
listen {
ipaddr = *
port = 1812
type = auth
}
listen {
ipaddr = *
port = 1813
type = acct
}
authorize {
preprocess
update {
&control:Auth-Type := Perl
}
}
authenticate {
Auth-Type Perl {
perl
}
}
accounting {
unix
}
}

Edit /etc/freeradius/3.0/mods-enabled/perl

perl {
filename = /usr/share/linotp/radius_linotp.pm
func_authenticate = authenticate
func_authorize = authorize
}

Unfortunately, on Debian 9 the radius_linotp.pm library is not installed from the repositories, so we will get it from github.

# apt install git
# git clone https://github.com/LinOTP/linotp-auth-freeradius-perl
# cd linotp-auth-freeradius-perl/
# cp radius_linotp.pm /usr/share/linotp/radius_linotp.pm

Now let's edit /etc/freeradius/3.0/clients.conf

client servers {
ipaddr = 192.168.188.0/24
secret = your_password
}

Now let's edit /etc/linotp2/rlm_perl.ini (nano /etc/linotp2/rlm_perl.ini)

We paste the same content there as during the Debian 8 installation (described above)

That should be everything, in theory. (not tested yet)

Below I leave a few links on setting up the systems that most often need to be protected with two-factor authentication:
Setting up two-factor authentication in Apache2

Setup with Cisco ASA (a different token generation server is used there, but the configuration of the ASA itself is the same).

VPN with two-factor authentication

Configuring two-factor authentication in ssh (LinOTP is also used there) - thanks to the author. There you can also find interesting material on configuring LinOTP policies.

Also, the CMSs of many sites support two-factor authentication (for WordPress, LinOTP even has its own special module on github), for example, if you want to make a protected section on your corporate site for company employees.
IMPORTANT FACT! DO NOT tick the "Google authenticator" box to use Google Authenticator! The QR code cannot be read afterwards... (strange fact)

The following articles were used to write this piece:
itnan.ru/post.php?c=1&p=270571
www.digitalbears.net/?p=469

Thanks to the authors.

source: www.habr.com
