Today I want to share a way to set up a two-factor authentication server to protect a corporate network, web sites, services and SSH. The server will use the following combination: LinOTP + FreeRADIUS.
Why do we need it?
It is a free, decent solution that lives inside our own network and does not depend on third-party providers.
The service is quite simple and looks good, unlike some other open-source products, and it supports a large number of functions and policies (for example login + password + (PIN + OTP token)). Through its API it integrates with SMS sending services (LinOTP Config -> Provider Config -> SMS Provider), it issues codes for mobile apps such as Google Authenticator, and much more. I think it is much simpler than the service discussed in
This server works perfectly with Cisco ASA, an OpenVPN server, Apache2, and in general with anything that supports authentication against a RADIUS server (for example SSH in a data center).
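To make concrete what the "PIN + OTP token" policy above actually checks, here is an added example in Python. It is my own code, not LinOTP's and not code from the original article: it implements HOTP (RFC 4226) and TOTP (RFC 6238) the way a Google Authenticator-compatible token does, and verifies a submitted "PIN+OTP" value on the server side with a small look-ahead window and a counter that only moves forward, so a replayed or already-used code is rejected. The secret, PIN and window size are constructed for the example; the OTP values it reproduces are the RFC test vectors.

```python
import hashlib
import hmac
import struct
import time


def hotp(secret: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 4226 HOTP: HMAC over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the current time step."""
    return hotp(secret, unix_time // step, digits, algo)


class HotpToken:
    """Server-side state for one event-based token: secret, PIN and last accepted counter."""

    def __init__(self, secret: bytes, pin: str, window: int = 10):
        self.secret = secret
        self.pin = pin
        self.counter = 0        # next counter value we expect from the token
        self.window = window    # how far ahead the token may be (button presses without a login)

    def verify(self, submitted: str) -> bool:
        """Check a 'PIN+OTP' string as it arrives in the RADIUS password field.

        The OTP must correspond to a counter at or beyond the last accepted one;
        on success the counter advances past it, so the same code cannot be replayed.
        """
        if len(submitted) <= len(self.pin):
            return False
        pin_ok = hmac.compare_digest(submitted[:len(self.pin)], self.pin)
        otp = submitted[len(self.pin):]
        for c in range(self.counter, self.counter + self.window):
            if hmac.compare_digest(hotp(self.secret, c), otp) and pin_ok:
                self.counter = c + 1
                return True
        return False


# Constructed demo values: the 20-byte secret is the one from the RFC test vectors, the PIN is made up.
DEMO_SECRET = b"12345678901234567890"
DEMO_PIN = "1234"


if __name__ == "__main__":
    token = HotpToken(DEMO_SECRET, DEMO_PIN, window=4)
    first = DEMO_PIN + hotp(DEMO_SECRET, 0)
    print("first use:", token.verify(first))     # accepted
    print("replay:   ", token.verify(first))     # rejected, counter already advanced
    print("totp now: ", totp(DEMO_SECRET, int(time.time())))
```

The window bounds how many codes a lost token is worth guessing against; the forward-only counter is what makes an intercepted PIN+OTP useless after its first use.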
Requirements:
1) Debian 8 (jessie), definitely! (a trial installation on Debian 9 is described at the end of the article)
Let's begin:
Install Debian 8.
Add the LinOTP repository:
# echo 'deb http://www.linotp.org/apt/debian jessie linotp' > /etc/apt/sources.list.d/linotp.list
Add the repository signing key:
# gpg --search-keys 913DFF12F86258E5
Sometimes on a "clean" install, after running this command, Debian prints:
gpg: directory `/root/.gnupg' created
gpg: new configuration file `/root/.gnupg/gpg.conf' created
gpg: WARNING: options in `/root/.gnupg/gpg.conf' are not yet active during this run
gpg: keyring `/root/.gnupg/secring.gpg' created
gpg: keyring `/root/.gnupg/pubring.gpg' created
gpg: no keyserver known (use option --keyserver)
gpg: keyserver search failed: bad URI
This is just gnupg's first-run initialisation. It is fine; simply run the command again.
To Debian's prompt:
gpg: searching for "913DFF12F86258E5" from hkp server keys.gnupg.net
(1) LSE LinOTP2 Packaging <[email protected]>
2048 bit RSA key F86258E5, created: 2010-05-10
Keys 1-1 of 1 for "913DFF12F86258E5". Enter number(s), N)ext, or Q)uit >
we answer: 1
Before importing, compare the full fingerprint of the key you received with the one published on linotp.org; a key ID alone does not prove a keyserver result is the right key.
Next:
# gpg --export 913DFF12F86258E5 | apt-key add -
# apt-get update
Install MySQL. In principle another SQL server could be used, but for simplicity I will use the one LinOTP recommends.
(more information, including changing LinOTP's database configuration, can be found in the official documentation of
# apt-get install mysql-server
# apt-get update
(it does not hurt to check for updates once more)
Install LinOTP and the additional modules:
# apt-get install linotp
Answer the installer's questions:
Run with Apache2: yes
Set the LinOTP admin password: "YourPassword"
Generate a self-signed certificate?: yes
Use MySQL?: yes
Where is the database located: localhost
Create the LinOTP database (database name) on the server: LinOTP2
Create a separate database user: LinOTP2
Set the database user's password: "YourPassword"
Should the database be created now? (something like "Are you sure you want to..."): yes
Enter the MySQL root password you set during its installation: "YourPassword"
Done.
(optional, you do not have to install it)
# apt-get install linotp-adminclient-cli
(optional, you do not have to install it)
# apt-get install libpam-linotp
Now the LinOTP web interface is available at:
https://server_IP/manage
I will come back to the settings in the web interface a bit later.
Now the most important part! Let's bring up FreeRADIUS and link it to LinOTP.
Install FreeRADIUS and the module for working with LinOTP:
# apt-get install freeradius linotp-freeradius-perl
Back up the RADIUS clients and users configs:
# mv /etc/freeradius/clients.conf /etc/freeradius/clients.old
# mv /etc/freeradius/users /etc/freeradius/users.old
Create an empty clients file:
# touch /etc/freeradius/clients.conf
Edit our new config file (the backed-up config can be used as a reference):
# nano /etc/freeradius/clients.conf
client 192.168.188.0/24 {
    secret = passwd   # shared secret the RADIUS clients (your ASA, OpenVPN, SSH hosts) present; use a long random value, not a dictionary word
}
Only requests from addresses covered by a client block are answered at all; everything else is silently dropped.
Next, create the users file:
# touch /etc/freeradius/users
Edit the file, telling RADIUS that we will use perl for authentication:
# nano /etc/freeradius/users
DEFAULT Auth-Type := Perl
Next, edit the file /etc/freeradius/modules/perl
# nano /etc/freeradius/modules/perl
In the module's parameters we need to specify the path to the LinOTP perl script:
perl {
    ...
    module = /usr/lib/linotp/radius_linotp.pm
    ...
}
Next, create the file in which we tell the module where to take its data from (realm and resolver: database or file):
# touch /etc/linotp2/rlm_perl.ini
# nano /etc/linotp2/rlm_perl.ini
URL=https://your_LinOTP_server_IP(192.168.X.X)/validate/simplecheck
REALM=webusers1c
RESCONF=LocalUser
Debug=True
SSL_CHECK=False
I will go into more detail here because it matters:
Full description of the file, with comments:
#IP of the LinOTP server (the IP address of our LinOTP server)
URL=https://172.17.14.103/validate/simplecheck
#the realm we will create in the LinOTP web interface
REALM=realm1
#name of the user group (UserIdResolver) created in the LinOTP web interface
RESCONF=flat_file
#optional: comment out once everything seems to work fine
Debug=True
#optional: use this if you have self-signed certificates, otherwise comment it out (it disables SSL verification, which our own self-signed certificate would fail)
SSL_CHECK=False
Two caveats: with SSL_CHECK=False the perl module accepts any certificate, so anyone who can answer for the LinOTP IP on the path between the RADIUS and LinOTP servers receives the username and the PIN+OTP; importing your self-signed certificate into the RADIUS host's trust store and keeping verification on is the safer way to handle it. And Debug=True writes request details to the RADIUS log, so turn it off once the chain works.
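To show what that .ini actually drives, here is an added example in Python. It is my own code, not the radius_linotp.pm from the page and not LinOTP's code: it does the same three things the perl module does with these keys, namely parse the ini, build the /validate/simplecheck request from the username, the PIN+OTP taken from the RADIUS password field and the configured realm, and turn LinOTP's answer into a RADIUS decision. LinOTP's simplecheck endpoint answers with the literal strings `:-)` (accept), `:-(` (reject) and `:-/` (challenge pending). Sending the parameters as a POST body and the `resConf` parameter name for RESCONF are my assumptions; the ini text is constructed for the example. SSL_CHECK=False is mapped to an unverified TLS context, which is exactly the weakness noted above.

```python
import ssl
import urllib.parse
import urllib.request
from typing import Dict, Tuple

# Constructed sample of /etc/linotp2/rlm_perl.ini, mirroring the keys described above.
SAMPLE_INI = """\
#IP of the linotp server
URL=https://172.17.14.103/validate/simplecheck
#realm created in the LinOTP web interface
REALM=realm1
#UserIdResolver created in the LinOTP web interface
RESCONF=flat_file
Debug=True
SSL_CHECK=False
"""


def parse_rlm_perl_ini(text: str) -> Dict[str, str]:
    """Parse the flat KEY=VALUE file; '#' lines are comments, keys are case-insensitive."""
    cfg: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        cfg[key.strip().upper()] = value.strip()
    return cfg


def build_simplecheck_request(cfg: Dict[str, str], user: str, password: str) -> Tuple[str, str]:
    """Return (url, form body). 'password' is the RADIUS User-Password, i.e. PIN+OTP.

    user, pass and realm are LinOTP validate parameters; 'resConf' for RESCONF is an assumption.
    """
    params = {"user": user, "pass": password}
    if cfg.get("REALM"):
        params["realm"] = cfg["REALM"]
    if cfg.get("RESCONF"):
        params["resConf"] = cfg["RESCONF"]
    return cfg["URL"], urllib.parse.urlencode(params)


def decode_form(body: str) -> Dict[str, str]:
    """Inverse of the body encoding, used for inspection and tests."""
    return dict(urllib.parse.parse_qsl(body))


def verifies_certificate(cfg: Dict[str, str]) -> bool:
    """SSL_CHECK=False (the self-signed case on this page) disables certificate verification entirely."""
    return cfg.get("SSL_CHECK", "True").strip().lower() != "false"


def tls_context(cfg: Dict[str, str]) -> ssl.SSLContext:
    ctx = ssl.create_default_context()
    if not verifies_certificate(cfg):
        # Any certificate is accepted: whoever can impersonate the LinOTP IP sees user and PIN+OTP.
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    return ctx


def radius_decision(body: str) -> str:
    """Map LinOTP's simplecheck body to the RADIUS reply the perl module returns."""
    text = body.strip()
    if text.startswith(":-)"):
        return "Access-Accept"
    if text.startswith(":-/"):
        return "Access-Challenge"
    return "Access-Reject"   # ':-(' and anything unexpected (HTML error page, empty body) fail closed


def simplecheck(cfg: Dict[str, str], user: str, password: str, timeout: float = 5.0) -> str:
    """Perform the real HTTPS call against the configured URL (network; not exercised offline)."""
    url, body = build_simplecheck_request(cfg, user, password)
    req = urllib.request.Request(url, data=body.encode(), method="POST")
    with urllib.request.urlopen(req, context=tls_context(cfg), timeout=timeout) as resp:
        return radius_decision(resp.read().decode("utf-8", "replace"))


if __name__ == "__main__":
    cfg = parse_rlm_perl_ini(SAMPLE_INI)
    url, body = build_simplecheck_request(cfg, "alice", "1234755224")
    print(url, decode_form(body), "verify TLS:", verifies_certificate(cfg))
    for answer in (":-)", ":-(", ":-/", "<html>500</html>"):
        print(repr(answer), "->", radius_decision(answer))
```

Note that anything other than the two recognised smileys, including an error page from Apache when LinOTP is down, is treated as a reject; a module that defaulted to accept on an unexpected body would turn a LinOTP outage into an authentication bypass.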
Next, create the file /etc/freeradius/sites-available/linotp
# touch /etc/freeradius/sites-available/linotp
# nano /etc/freeradius/sites-available/linotp
and paste this configuration into it (nothing needs editing):
authorize {
    #normalizes malformed client requests before they are handed on to other modules (see '/etc/freeradius/modules/preprocess')
    preprocess
    # If you are using multiple kinds of realms, you probably
    # want to set "ignore_null = yes" for all of them.
    # Otherwise, when the first style of realm doesn't match,
    # the other styles won't be checked.
    #allows a list of realms (see '/etc/freeradius/modules/realm')
    IPASS
    #understands something like USER@REALM and can tell the components apart (see '/etc/freeradius/modules/realm')
    suffix
    #understands DOMAIN\USER and can tell the components apart (see '/etc/freeradius/modules/realm')
    ntdomain
    # Read the 'users' file to learn about special configuration which should be applied for
    # certain users (see '/etc/freeradius/modules/files')
    files
    # allows authentication to expire (see '/etc/freeradius/modules/expiration')
    expiration
    # allows to define valid service times (see '/etc/freeradius/modules/logintime')
    logintime
    # We got no radius_shortname_map!
    pap
}
#here the linotp perl module is called for further processing
authenticate {
    perl
}
Next, create the symlink:
# ln -s ../sites-available/linotp /etc/freeradius/sites-enabled
Personally I delete the default RADIUS sites, but if you need them you can edit their configuration or just disable them.
# rm /etc/freeradius/sites-enabled/default
# rm /etc/freeradius/sites-enabled/inner-tunnel
# service freeradius reload
To check the chain end to end, stop the service, run freeradius -X in the foreground so you see every request and the perl module's output, and from another shell send a test request with radtest (package freeradius-utils), for example radtest <user> <PIN+OTP> 127.0.0.1 0 passwd. Remember that 127.0.0.1 must itself be covered by a client block in clients.conf, otherwise FreeRADIUS drops the request without answering.
Now let's go back to the web interface and look at it in more detail:
In the top right corner click LinOTP Config -> UserIdResolvers -> New
Choose what we need: LDAP (Windows AD, Samba LDAP), SQL, or the local system users (Flatfile).
Fill in the required fields.
Next we create the REALM:
In the top right corner click LinOTP Config -> Realms -> New,
give our realm a name and tick the UserIdResolver created earlier.
FreeRADIUS needs exactly these values (realm name and resolver name) in /etc/linotp2/rlm_perl.ini, as I wrote above, so if you did not edit that file at the time, do it now.
The server is fully configured.
Addendum:
Setting up LinOTP on Debian 9:
Installation:
# echo 'deb http://linotp.org/apt/debian stretch linotp' > /etc/apt/sources.list.d/linotp.list
# apt-get install dirmngr
# apt-key adv --recv-keys 913DFF12F86258E5
# apt-get update
# apt-get install mysql-server
(by default MySQL (MariaDB) on Debian 9 does not offer to set a root password; yes, you could leave it empty, but judging by the stories on the net this regularly ends in an "epic fail", so we will set one anyway)
# mysql -u root -p
use mysql;
UPDATE user SET Password = PASSWORD('password_here') WHERE User = 'root';
FLUSH PRIVILEGES;
exit
(FLUSH PRIVILEGES is needed because the row was changed directly rather than through SET PASSWORD. On Debian 9's MariaDB 10.1 root@localhost also authenticates through the unix_socket plugin, so for the password to actually be used, clear that plugin as well: UPDATE user SET plugin = '' WHERE User = 'root'; before the FLUSH PRIVILEGES.)
# apt-get install linotp
# apt-get install linotp-adminclient-cli
# apt-get install python-ldap
# apt install freeradius
# nano /etc/freeradius/3.0/sites-enabled/linotp
Paste the following (sent in by JuriM, thanks for that!):
server linotp {
    listen {
        ipaddr = *
        port = 1812
        type = auth
    }
    listen {
        ipaddr = *
        port = 1813
        type = acct
    }
    authorize {
        preprocess
        update {
            &control:Auth-Type := Perl
        }
    }
    authenticate {
        Auth-Type Perl {
            perl
        }
    }
    accounting {
        unix
    }
}
Edit /etc/freeradius/3.0/mods-enabled/perl
perl {
    filename = /usr/share/linotp/radius_linotp.pm
    func_authenticate = authenticate
    func_authorize = authorize
}
Unfortunately, on Debian 9 the radius_linotp.pm library is not shipped in the repositories, so we take it from GitHub.
# apt install git
# git clone https://github.com/LinOTP/linotp-auth-freeradius-perl
# cd linotp-auth-freeradius-perl/
# cp radius_linotp.pm /usr/share/linotp/radius_linotp.pm
Now edit /etc/freeradius/3.0/clients.conf
client servers {
    ipaddr = 192.168.188.0/24
    secret = your_password
}
Now edit /etc/linotp2/rlm_perl.ini
Paste the same contents as for the Debian 8 installation (described above)
That is all, in theory. (Not yet tested.)
Below I leave a few links for setting up the systems that most need two-factor authentication:
Setting up two-factor authentication in
Customizing
Also, many site CMSes support two-factor authentication (for WordPress, LinOTP has its own dedicated module
IMPORTANT! Do NOT tick the "Google Authenticator" checkbox in order to use Google Authenticator! The QR code is unreadable then... (a surprising fact)
The following articles were used in writing this one:
Thanks to the authors.
Source: www.habr.com