Simple passwords are insecure, and complex ones are impossible to remember. That is why they so often end up on a sticky note under the keyboard or on the monitor. To keep passwords in the heads of "forgetful" users without sacrificing the strength of the protection, there is two-factor authentication (2FA).
Because authentication combines possession of the device with knowledge of its PIN, the PIN itself can be simpler and easier to remember. Shortcomings in the PIN's length or randomness are compensated by the requirement to physically hold the token and by the limit on PIN guessing attempts.
On top of that, government agencies sometimes require everything to work in accordance with GOST. That is the 2FA option for Linux login discussed here. I'll start from a distance.
PAM modules
Pluggable Authentication Modules (PAM) are modules with a standard API and implementations of various authentication mechanisms for applications.
Every utility and application that can work with PAM picks them up and can use them for user authentication.
In practice it works like this: the login command calls PAM, which performs all the necessary checks using the modules listed in the configuration file and returns the result to the login command.
librtpam
The module developed by Aktiv adds two-factor authentication for users of smart cards or USB tokens with asymmetric keys, according to the latest Russian cryptographic standards.
Let's look at how it works:
- The token stores the user's certificate and its private key;
- The certificate is stored in the user's home directory as a trusted one.
The authentication process goes like this:
- The user's personal certificate is looked up on the Rutoken.
- The token PIN is requested.
- Random data is signed with the private key directly on the Rutoken chip.
- The resulting signature is verified with the public key from the user's certificate.
- The module returns the signature verification result to the calling application.
You can authenticate with GOST R 34.10-2012 keys (256 or 512 bits long) or with the obsolete GOST R 34.10-2001.
You need not worry about the security of the keys: they are generated directly on the Rutoken and never leave its memory during cryptographic operations.
Rutoken EDS 2.0 is certified by the FSB and by FSTEC under NDV 4, so it can be used in information systems that process confidential information.
Practical use
Almost any modern Linux will do; the example uses xUbuntu 18.10.
1) Install the required packages
sudo apt-get install libccid pcscd opensc
If you also want the desktop to lock with the screensaver, install the libpam-pkcs11 package as well.
2) Install the PAM module with GOST support
Download the library from
Copy the contents of the PAM folder, the file librtpam.so.1.0.0, into the system folder /usr/lib/, /usr/lib/x86_64-linux-gnu/ or /usr/lib64
3) Install the package with librtpkcs11ecp.so
Download and install the DEB or RPM package from the link:
4) Check that Rutoken EDS 2.0 works in the system
In a terminal, run
$ pkcs11-tool --module /usr/lib/librtpkcs11ecp.so -T
If you see the line Rutoken ECP <no label>, everything is fine.
5) Read the certificate
Check whether the device contains a certificate
$ pkcs11-tool --module /usr/lib/librtpkcs11ecp.so -O
If, after the line:
Using slot 0 with a present token (0x0)
information about keys and certificates is displayed, you need to read the certificate and save it to disk. To do this, use the following command, substituting for {id} the certificate ID you saw in the output of the previous command:
$ pkcs11-tool --module /usr/lib/librtpkcs11ecp.so -r -y cert --id {id} --output-file cert.crt
If the file cert.crt has been created, go on to step 6). If nothing is displayed after that line, the device is empty. Contact your administrator, or create the keys and certificate yourself by following the next step.
5.1) Create a test certificate
Attention! The methods of generating keys and certificates described here are meant for testing and are not intended for production use. For production you need keys and certificates issued by your organisation's trusted certificate authority or by an accredited certificate authority.
The PAM module is designed to protect local computers and is intended for small organisations. Since there are few users, the administrator can keep track of certificate revocation and block accounts manually, and likewise keep track of certificate validity periods. The PAM module cannot yet validate certificates against CRLs or build trust chains.
The easy way (via a browser)
To obtain a test certificate, use
The geek way (via the console and possibly a compiler)
Check the OpenSC version
$ opensc-tool --version
If the version is lower than 0.20, update or build it
Create a key pair with the following parameters:
--key-type: GOSTR3410-2012-512:A (GOST-2012, 512 bits, parameter set A) or GOSTR3410-2012-256:A (GOST-2012, 256 bits, parameter set A)
--id: the object identifier (CKA_ID) as two-digit hex character codes from the ASCII table. Use only the ASCII codes of printable characters, because the id will have to be passed to OpenSSL as a string. For example, the ASCII codes "3132" correspond to the string "12". For convenience, you can use
$ ./pkcs11-tool --module /usr/lib/librtpkcs11ecp.so --keypairgen --key-type GOSTR3410-2012-512:A -l --id 3132
Next we create the certificate. Two ways are described below: the first through a CA (we'll use test CAs), the second self-signed. For either, you first need to install and configure OpenSSL 1.1 or later to work with Rutoken through the special rtengine module, following the manual.
Example: for '--id 3132' you need to specify "pkcs11:id=12" in OpenSSL.
You can use test CA services, of which there are many, for example. In that case, generate a certificate request:
$ openssl req -utf8 -new -keyform engine -key "pkcs11:id=12" -engine rtengine -out req.csr
Another option is to be lazy and create a self-signed certificate:
$ openssl req -utf8 -x509 -keyform engine -key "pkcs11:id=12" -engine rtengine -out cert.cer
Upload the certificate to the device
6) Register the certificate in the system
Make sure your certificate looks like a base64 text file. If instead it is a binary (DER) file, you need to convert the certificate from DER format to PEM (base64) format:
$ openssl x509 -in cert.crt -out cert.pem -inform DER -outform PEM
Check again that everything is fine now.
Add the certificate to the list of trusted certificates
$ mkdir ~/.eid
$ chmod 0755 ~/.eid
$ cat cert.pem >> ~/.eid/authorized_certificates
$ chmod 0644 ~/.eid/authorized_certificates
The last line protects the list of trusted certificates from being modified, accidentally or deliberately, by other users. It prevents someone from adding their own certificate here and then being able to log in as you.
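Steps 5 and 6 as an added Python helper (example code written for this page, not code from the article or from Aktiv): it takes the certificate that pkcs11-tool read from the token in either encoding, converts DER to PEM the way openssl x509 -outform PEM would (base64 body wrapped at 64 columns), and appends it to ~/.eid/authorized_certificates with the 0755/0644 permissions from step 6. SAMPLE_DER is a constructed byte string, not a real certificate, and the home directory is a parameter so the helper can be exercised on a scratch directory.

```python
import base64
import os
import stat
import tempfile

PEM_HEADER = b"-----BEGIN CERTIFICATE-----"
PEM_FOOTER = b"-----END CERTIFICATE-----"

# Constructed sample: begins with the ASN.1 SEQUENCE tag like a DER certificate, but is not a real one.
SAMPLE_DER = b"\x30\x82\x01\x00" + bytes(range(256))


def der_to_pem(der: bytes) -> bytes:
    """Encode DER as PEM: base64 body split into 64-character lines, as openssl x509 writes it."""
    body = base64.b64encode(der)
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    return b"\n".join([PEM_HEADER, *lines, PEM_FOOTER]) + b"\n"


def to_pem(cert: bytes) -> bytes:
    """Return the certificate as PEM, whichever encoding pkcs11-tool -r produced."""
    if cert.lstrip().startswith(PEM_HEADER):   # already base64 text: keep as is
        return cert if cert.endswith(b"\n") else cert + b"\n"
    if cert[:1] == b"\x30":                    # DER: outer SEQUENCE tag
        return der_to_pem(cert)
    raise ValueError("neither a PEM nor a DER certificate")


def add_trusted_cert(cert: bytes, home: str) -> str:
    """Append cert to <home>/.eid/authorized_certificates with step 6's permissions; return the path."""
    eid = os.path.join(home, ".eid")
    os.makedirs(eid, exist_ok=True)
    os.chmod(eid, 0o755)       # set explicitly: the mode given to makedirs is reduced by umask
    target = os.path.join(eid, "authorized_certificates")
    with open(target, "ab") as f:
        f.write(to_pem(cert))
    os.chmod(target, 0o644)    # only the owner may change the trusted list
    return target


def file_mode(path: str) -> int:
    """Permission bits of a path, e.g. 0o644."""
    return stat.S_IMODE(os.stat(path).st_mode)


def scratch_home() -> str:
    """A throwaway directory standing in for the user's home, so the helper can be tried safely."""
    return tempfile.mkdtemp(prefix="eid-demo-")
```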
7) Set up authentication
Configuring our PAM module is completely standard and is done exactly the same way as for any other module. Create the file /usr/share/pam-configs/rutoken-gost-pam containing the full name of the module, whether it is enabled by default, the module's priority and the authentication parameters.
The authentication parameters state the requirements for the operation to succeed:
- required: such modules must return a positive response. If the result of the module call is negative, this leads to an authentication error. The request will be rejected, but the remaining modules will still be called.
- requisite: like required, but it fails authentication immediately and ignores the other modules.
- sufficient: if none of the required or sufficient modules before such a module returned a negative result, the module returns a positive response and the remaining modules are ignored.
- optional: if there are no required modules in the stack and none of the sufficient modules returned a positive result, then at least one optional module must return a positive result.
The full contents of the file /usr/share/pam-configs/rutoken-gost-pam:
Name: Rutoken PAM GOST
Default: yes
Priority: 800
Auth-Type: Primary
Auth: sufficient /usr/lib/librtpam.so.1.0.0 /usr/lib/librtpkcs11ecp.so
Save the file, then run
$ sudo pam-auth-update
In the window that appears, put an asterisk next to Rutoken PAM GOST and click OK.
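To make the four control flags of step 7 concrete, here is an added Python model of how a PAM auth stack walks its modules under those rules; it is example code written for this page, not part of librtpam or of PAM itself. The two-module stack in login_stack (librtpam as sufficient, then a password module as a required fallback) is an assumed illustration of what the profile above produces, not the exact lines pam-auth-update writes.

```python
from typing import Iterable, List, Tuple

# The four control flags described in step 7.
REQUIRED, REQUISITE, SUFFICIENT, OPTIONAL = "required", "requisite", "sufficient", "optional"

# One stack entry: (control flag, module name, did the module succeed?)
Entry = Tuple[str, str, bool]


def evaluate_stack(stack: Iterable[Entry]) -> Tuple[bool, List[str]]:
    """Walk an auth stack and return (authenticated, names of modules actually called).

    required   - a failure is remembered, but the remaining modules are still called.
    requisite  - a failure ends the stack at once; later modules are never called.
    sufficient - a success ends the stack with a positive result, unless a required
                 module has already failed; a failure is ignored.
    optional   - decides the outcome only when the stack has no required/requisite
                 module and no sufficient module succeeded.
    """
    called: List[str] = []
    saw_required = required_failed = False
    optional_ok = False
    for control, module, ok in stack:
        called.append(module)
        if control == REQUIRED:
            saw_required = True
            required_failed = required_failed or not ok
        elif control == REQUISITE:
            saw_required = True
            if not ok:
                return False, called
        elif control == SUFFICIENT:
            if ok and not required_failed:
                return True, called
        elif control == OPTIONAL:
            optional_ok = optional_ok or ok
        else:
            raise ValueError(f"unknown control flag: {control!r}")
    if saw_required:
        return not required_failed, called
    return optional_ok, called


def login_stack(token_ok: bool, password_ok: bool) -> List[Entry]:
    """Assumed two-module stack: librtpam as 'sufficient', a password module as 'required' fallback."""
    return [
        (SUFFICIENT, "librtpam.so.1.0.0", token_ok),  # GOST signature check on the Rutoken
        (REQUIRED, "pam_unix.so", password_ok),      # ordinary password check
    ]
```

With the token present and the signature valid, the password module is never reached; without the token, login falls back to the password, which is why the article tests with sudo login before relying on the token alone.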
8) Test the settings
To make sure everything is configured, without risking the ability to log in to the system, enter the command
$ sudo login
Enter your user name. Everything is set up correctly if the system asks for the device PIN.
9) Configure the computer to lock when the token is removed
The libpam-pkcs11 package includes the pkcs11_eventmgr utility, which lets you run various actions when PKCS#11 events occur.
pkcs11_eventmgr is configured through the configuration file /etc/pam_pkcs11/pkcs11_eventmgr.conf
The command that locks the account when a smart card or token is removed differs between Linux distributions. See event card_remove.
An example configuration file is shown below:
pkcs11_eventmgr
{
    # Run in the background
    daemon = true;
    # Debug message setting
    debug = false;
    # Polling interval in seconds
    polling_time = 1;
    # Timeout for card removal
    # Default is 0
    expire_time = 0;
    # Choice of pkcs11 library for working with Rutoken
    pkcs11_module = /usr/lib/librtpkcs11ecp.so;
    # Card actions
    # Card inserted:
    event card_insert {
        # Leave the default values (nothing happens)
        on_error = ignore;
        action = "/bin/false";
    }
    # Card removed
    event card_remove {
        on_error = ignore;
        # Call the screen lock function
        # For GNOME
        action = "dbus-send --type=method_call --dest=org.gnome.ScreenSaver /org/gnome/ScreenSaver org.gnome.ScreenSaver.Lock";
        # For XFCE
        # action = "xflock4";
        # For Astra Linux (FLY)
        # action = "fly-wmfunc FLYWM_LOCK";
    }
    # Card removed for a long time
    event expire_time {
        # Leave the default values (nothing happens)
        on_error = ignore;
        action = "/bin/false";
    }
}
After that, add pkcs11_eventmgr to startup. To do this, edit the .bash_profile file:
$ nano /home/<username>/.bash_profile
Add the line pkcs11_eventmgr at the end of the file and reboot.
The steps described for configuring the system can be used as instructions on any modern Linux distribution, including domestic (Russian) ones.
Conclusion
Linux PCs are becoming more and more popular in Russian government agencies, and setting up reliable two-factor authentication on this OS is not always easy. We'll be glad to help you solve the "password problem" with this guide and protect access to your PC reliably without spending much time on it.
Source: www.habr.com