LinOTP two-factor authentication server

Today I want to share how to set up a two-factor authentication server to protect a corporate network, websites, services and ssh. The server will use the following combination: LinOTP + FreeRadius.

Why do we need it?
It is a free, convenient solution that runs inside our own network and does not depend on third-party providers.

The service is very simple and looks decent, unlike other open-source products, and it also supports a large number of functions and policies (for example login+password+(PIN+OTPToken)). Via its API it integrates with SMS-sending services (LinOTP Config->Provider Config->SMS Provider), generates codes for mobile apps such as Google Authenticator, and much more. I think it is much more convenient than the service discussed in the linked article.

This server works fully with Cisco ASA, OpenVPN server, Apache2, and in general with anything that supports authentication against a RADIUS server (for example SSH in the data center).

Requirements:

1) Debian 8 (jessie) - definitely! (a trial installation on Debian 9 is described at the end of the article)

Let's start:

Install Debian 8.

Add the LinOTP repository:

# echo 'deb http://www.linotp.org/apt/debian jessie linotp' > /etc/apt/sources.list.d/linotp.list

Fetch the repository signing key:

# gpg --search-keys 913DFF12F86258E5

Sometimes, on a "clean" install, Debian prints the following after this command:

gpg: directory `/root/.gnupg' created
gpg: new configuration file `/root/.gnupg/gpg.conf' created
gpg: WARNING: options in `/root/.gnupg/gpg.conf' are not yet active during this run
gpg: keyring `/root/.gnupg/secring.gpg' created
gpg: keyring `/root/.gnupg/pubring.gpg' created
gpg: no keyserver known (use option --keyserver)
gpg: keyserver search failed: bad URI

This is just the initial gnupg setup. It is fine; simply run the command again.
Debian then asks:

gpg: searching for "913DFF12F86258E5" from hkp server keys.gnupg.net
(1)	LSE LinOTP2 Packaging <[email protected]>
	  2048 bit RSA key F86258E5, created: 2010-05-10
Keys 1-1 of 1 for "913DFF12F86258E5".  Enter number(s), N)ext, or Q)uit >

We answer: 1

Next, export the key into apt's keyring and refresh the package lists. A key ID alone is weak proof of identity (keys with a chosen ID can be generated), so before running apt-key add compare the key's full fingerprint (gpg --fingerprint 913DFF12F86258E5) with the one LinOTP publishes over a trusted channel:

# gpg --export 913DFF12F86258E5 | apt-key add -

# apt-get update

Install MySQL. In principle you can use another SQL server, but for simplicity I will use the one LinOTP recommends.

(Additional information, including how to reconfigure LinOTP's stored settings, can be found in the official documentation (link). There you will also find the command dpkg-reconfigure linotp for changing the parameters if MySQL was already installed.)

# apt-get install mysql-server

# apt-get update

(it does not hurt to check for updates again)
Install LinOTP and the additional modules:

# apt-get install linotp

We answer the installer's questions:
Use Apache2: yes
Create the LinOTP admin password: "YourPassword"
Generate a self-signed certificate?: yes
Use MySQL?: yes
Where is the database located: localhost
Create the LinOTP database (database name) on the server: LinOTP2
Create a separate database user: LinOTP2
Set the user's password: "YourPassword"
Should the database be created now? (something like "Are you sure you want to..."): yes
Enter the MySQL root password you created during installation: "YourPassword"
Done.

(optional, you do not have to install it)

# apt-get install linotp-adminclient-cli 

(optional, you do not have to install it)

# apt-get install libpam-linotp  

So our LinOTP web interface is now available at:

https://<server_IP>/manage

I will come back to the settings in the web interface a little later.

Now the most important part! We set up FreeRadius and connect it to LinOTP.

Install FreeRadius and the module for working with LinOTP:

# apt-get install freeradius linotp-freeradius-perl

Back up the client and user configuration of the RADIUS server:

# mv /etc/freeradius/clients.conf  /etc/freeradius/clients.old

# mv /etc/freeradius/users  /etc/freeradius/users.old

Create an empty clients file:

# touch /etc/freeradius/clients.conf

Edit our new configuration file (the backed-up configuration can serve as a reference). Use a long, random shared secret here: the shared secret is all that authenticates the NAS to the RADIUS server, and passwd below is only a placeholder.

# nano /etc/freeradius/clients.conf

client 192.168.188.0/24 {
    secret = passwd # shared secret the RADIUS clients (NAS devices) use to talk to this server
}
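As an added example that is not part of the original article, the following POSIX sh script generates a strong shared secret from the kernel CSPRNG and renders clients.conf entries for the subnet used above plus localhost (the localhost entry is what later allows testing with radtest on the server itself). The function names, the client shortnames and the install path are assumptions.

```shell
#!/bin/sh
# Added example (not from the original article): generate a strong RADIUS shared
# secret and render /etc/freeradius/clients.conf entries for the NAS subnet used
# in this article plus localhost for local testing. Names and paths are assumptions.
set -eu

# 32 alphanumerics drawn from the kernel CSPRNG (about 190 bits of entropy), no newline.
gen_radius_secret() {
    LC_ALL=C tr -dc 'A-Za-z0-9' </dev/urandom | head -c 32
}

# One FreeRADIUS 2.x client block; the header takes the address or CIDR directly.
render_client_block() {
    address=$1; shortname=$2; secret=$3
    printf 'client %s {\n\tsecret = %s\n\tshortname = %s\n}\n\n' \
        "$address" "$secret" "$shortname"
}

# Full clients.conf: the NAS subnet from the article and localhost for radtest.
render_clients_conf() {
    secret=$1
    render_client_block 192.168.188.0/24 office-nas "$secret"
    render_client_block 127.0.0.1 localhost "$secret"
}

# Usage: ./radius-clients.sh install
# Writes the file with restrictive permissions and prints the secret once so it
# can be entered on the NAS; nothing is written unless "install" is given.
if [ "${1:-}" = install ]; then
    secret=$(gen_radius_secret)
    umask 077
    render_clients_conf "$secret" >/etc/freeradius/clients.conf
    printf 'shared secret for the NAS: %s\n' "$secret"
fi
```

The secret is printed exactly once; store it in the NAS configuration and do not reuse it between sites, since a client that knows the secret can both forge requests and decrypt the User-Password attribute of others.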

Next, create the users file:

# touch /etc/freeradius/users

Edit the file and tell RADIUS that we will use perl for authentication:

# nano /etc/freeradius/users

DEFAULT Auth-type := perl

Next, edit the file /etc/freeradius/modules/perl

# nano /etc/freeradius/modules/perl

In the module parameter we need to specify the path to the LinOTP perl script:

perl {
    .......
    .........
    module = /usr/lib/linotp/radius_linotp.pm
    .......
}
Next, we create the file in which we tell the module where to get its data (the realm and the resolver: a directory, a database or a flat file).

# touch /etc/linotp2/rlm_perl.ini

# nano /etc/linotp2/rlm_perl.ini

URL=https://<your_LinOTP_server_IP>(192.168.X.X)/validate/simplecheck
REALM=webusers1c
RESCONF=LocalUser
Debug=True
SSL_CHECK=False

I will go into a little more detail here, because it matters:

Full description of the file, with comments:
#IP of the LinOTP server (the IP address of our LinOTP server)
URL=https://172.17.14.103/validate/simplecheck
#our realm, which we will create in the LinOTP web interface
REALM=realm1
#name of the user group (UserIdResolver) created in the LinOTP web interface
RESCONF=flat_file
#optional: comment out once everything appears to work
Debug=True
#optional: use this if you have a self-signed certificate, otherwise comment it out. Note that SSL_CHECK=False disables certificate verification for the FreeRADIUS-to-LinOTP connection, so anyone who can redirect that traffic could answer "accepted"; the safer choice is to add the self-signed certificate to the RADIUS host's CA store and leave verification on.
SSL_CHECK=False

Next, create the file /etc/freeradius/sites-available/linotp

# touch /etc/freeradius/sites-available/linotp

# nano /etc/freeradius/sites-available/linotp

and paste this configuration into it (nothing needs to be edited):

authorize {
    # normalizes malformed client requests before handing them on to other modules (see '/etc/freeradius/modules/preprocess')
    preprocess
    #  If you are using multiple kinds of realms, you probably
    #  want to set "ignore_null = yes" for all of them.
    #  Otherwise, when the first style of realm doesn't match,
    #  the other styles won't be checked.
    # allows a list of realms (see '/etc/freeradius/modules/realm')
    IPASS
    # understands something like USER@REALM and can tell the components apart (see '/etc/freeradius/modules/realm')
    suffix
    # understands DOMAIN\USER and can tell the components apart (see '/etc/freeradius/modules/realm')
    ntdomain
    # Read the 'users' file to learn about special configuration which should be applied for
    # certain users (see '/etc/freeradius/modules/files')
    files
    # allows authentication to expire (see '/etc/freeradius/modules/expiration')
    expiration
    # allows defining valid service times (see '/etc/freeradius/modules/logintime')
    logintime
    # We got no radius_shortname_map!
    pap
}
# here the linotp perl module is called for further processing
authenticate {
    perl
}

Next we create a symlink:

# ln -s ../sites-available/linotp /etc/freeradius/sites-enabled

Personally, I remove the default Radius sites, but if you need them you can edit their configuration or disable them.

# rm /etc/freeradius/sites-enabled/default

# rm /etc/freeradius/sites-enabled/inner-tunnel

# service freeradius reload
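Before pointing a real NAS at the server it is worth checking both halves of the chain separately: first that LinOTP answers at the /validate/simplecheck URL configured in rlm_perl.ini, then that FreeRADIUS turns the same credentials into an Access-Accept. The script below is an added example, not part of the original article or of LinOTP/FreeRADIUS; it assumes the placeholder host, realm and secret shown, that freeradius-utils (radtest) is installed, and that clients.conf contains an entry for 127.0.0.1 (the example above only allows 192.168.188.0/24, so either add localhost or run radtest from a host in that subnet).

```shell
#!/bin/sh
# Added example (not from the original article): smoke-test the chain built above.
# Step 1 queries LinOTP directly at the /validate/simplecheck URL from rlm_perl.ini;
# step 2 sends the same credentials through FreeRADIUS with radtest (package
# freeradius-utils). Host, realm and secret below are placeholder assumptions.
set -u

LINOTP_URL=${LINOTP_URL:-https://172.17.14.103/validate/simplecheck}
LINOTP_REALM=${LINOTP_REALM:-realm1}
RADIUS_HOST=${RADIUS_HOST:-127.0.0.1}
RADIUS_SECRET=${RADIUS_SECRET:-passwd}

# LinOTP's simplecheck answers with a smiley: ":-)" accepted, ":-(" rejected,
# anything else (for example ":-/") is a server-side error such as an unknown
# realm or resolver name. Return 0/1/2 so callers can branch on it.
classify_simplecheck() {
    case $1 in
        *':-)'*) echo accept; return 0 ;;
        *':-('*) echo reject; return 1 ;;
        *)       echo error;  return 2 ;;
    esac
}

# radtest prints the reply packet; only the packet code matters here.
# No Access-* line at all ("No reply from server") usually means a wrong shared
# secret or a client address missing from clients.conf: FreeRADIUS drops such
# requests instead of rejecting them.
classify_radius_reply() {
    case $1 in
        *Access-Accept*) echo accept; return 0 ;;
        *Access-Reject*) echo reject; return 1 ;;
        *)               echo error;  return 2 ;;
    esac
}

# Step 1: ask LinOTP directly. --data-urlencode keeps '+', '&' and spaces in the
# PIN+OTP intact; -k skips certificate checks and is acceptable only while the
# installer's self-signed certificate is in use.
linotp_check() {
    reply=$(curl -sk --get "$LINOTP_URL" \
        --data-urlencode "user=$1" \
        --data-urlencode "pass=$2" \
        --data-urlencode "realm=$LINOTP_REALM")
    classify_simplecheck "$reply"
}

# Step 2: through FreeRADIUS. radtest <user> <password> <server> <nas-port> <secret>
radius_check() {
    reply=$(radtest "$1" "$2" "$RADIUS_HOST" 0 "$RADIUS_SECRET" 2>&1)
    classify_radius_reply "$reply"
}

# Usage: ./otp-smoke.sh run   (prompts for the user and the PIN+OTP)
if [ "${1:-}" = run ]; then
    printf 'OTP user: '; read -r otp_user
    printf 'PIN+OTP: '; stty -echo; read -r otp_pass; stty echo; echo
    printf 'LinOTP simplecheck: %s\n' "$(linotp_check "$otp_user" "$otp_pass")"
    printf 'via FreeRADIUS:     %s\n' "$(radius_check "$otp_user" "$otp_pass")"
fi
```

If step 1 accepts but step 2 reports error, the problem is between FreeRADIUS and LinOTP (rlm_perl.ini URL/REALM/RESCONF, or the perl module path); if step 1 itself rejects, the token, PIN or realm is wrong and RADIUS is not at fault.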

Now let's return to the web interface and look at it in more detail:
In the top right corner click LinOTP Config -> UserIdResolvers -> New
Choose what you need: LDAP (Windows AD, Samba LDAP), or SQL, or local system users (Flatfile).

Fill in the required fields.

Next we create the REALMS:
In the top right corner click LinOTP Config -> Realms -> New,
give our REALM a name, and tick the UserIdResolver created earlier.

FreeRadius needs all of this data in the file /etc/linotp2/rlm_perl.ini, as I wrote above, so if you did not fill it in at that point, do it now.

The server is fully configured.

Addendum:

Setting up LinOTP on Debian 9:

Installation:

# echo 'deb http://linotp.org/apt/debian stretch linotp' > /etc/apt/sources.list.d/linotp.list 
# apt-get install dirmngr

# apt-key adv --recv-keys 913DFF12F86258E5
# apt-get update

# apt-get install mysql-server

(by default, on Debian 9 mysql (MariaDB) does not offer to set a root password; yes, you can leave it empty, but if you read the news that regularly ends in an "epic fail", so we will set one anyway)

# mysql -u root -p
use mysql;
-- Debian 9's MariaDB authenticates root through the unix_socket plugin, so the
-- password is only honoured once that plugin is cleared for the root account.
UPDATE user SET Password = PASSWORD('password_here'), plugin = '' WHERE User = 'root';
FLUSH PRIVILEGES;
exit
# apt-get install linotp
# apt-get install linotp-adminclient-cli
# apt-get install python-ldap
# apt install freeradius
# nano /etc/freeradius/3.0/sites-enabled/linotp

Paste in the following configuration (sent by JuriM, thanks for that!):

server linotp {
    listen {
        ipaddr = *
        port = 1812
        type = auth
    }
    listen {
        ipaddr = *
        port = 1813
        type = acct
    }
    authorize {
        preprocess
        update {
            &control:Auth-Type := Perl
        }
    }
    authenticate {
        Auth-Type Perl {
            perl
        }
    }
    accounting {
        unix
    }
}

Because this site was created directly in sites-enabled, also remove the stock default site there (rm /etc/freeradius/3.0/sites-enabled/default, as done for Debian 8 above); otherwise two sites try to bind ports 1812/1813 and FreeRADIUS refuses to start.

Edit /etc/freeradius/3.0/mods-enabled/perl

perl {
    filename = /usr/share/linotp/radius_linotp.pm
    func_authenticate = authenticate
    func_authorize = authorize
}

Unfortunately, on Debian 9 the radius_linotp.pm library is not shipped in the repositories, so we take it from github.

# apt install git
# git clone https://github.com/LinOTP/linotp-auth-freeradius-perl
# cd linotp-auth-freeradius-perl/
# cp radius_linotp.pm /usr/share/linotp/radius_linotp.pm

Now edit /etc/freeradius/3.0/clients.conf

client servers {
    ipaddr = 192.168.188.0/24
    secret = your_password
}

Now edit nano /etc/linotp2/rlm_perl.ini

and paste the same contents as for the Debian 8 installation (described above).

All of this is according to theory (not tested yet).

Below I leave a few links on configuring the systems that most need protection with two-factor authentication:
Setting up two-factor authentication for Apache2

Setting up with Cisco ASA (a different token server is used there, but the settings on the ASA itself are the same).

VPN with two-factor authentication

Setting up two-factor authentication for ssh (LinOTP is used there) - thanks to the author. You will also find interesting material there on configuring LinOTP policies.

Also, many website CMSs support two-factor authentication (for WordPress, LinOTP has its own module on github), for example if you want a protected section of your corporate website for company employees.
IMPORTANT! DO NOT tick the "Google authenticator" checkbox in order to use Google Authenticator! The QR code is not readable then... (a surprising fact)

Information from the following articles was used when writing this one:
itnan.ru/post.php?c=1&p=270571
www.digitalbears.net/?p=469

Thanks to the authors.

Source: www.habr.com
