Two-Factor Authentication with OTP using privacyIDEA and FreeRADIUS on CentOS
In this article we show how to set up the two-factor authentication and management system privacyIDEA on CentOS 6.5. privacyIDEA is a system that manages authentication devices, in particular any kind of OTP token.
We will run the system via Apache2, store the token information in a MySQL database, and provide authentication through a FreeRADIUS server, so that every service that can talk RADIUS (SSL VPNs, pam_radius and the like) can use it.
Prerequisites
We need some special Perl modules for the link between FreeRADIUS and privacyIDEA; they can be found in EPEL. So we need to install the EPEL repository:
wget http://dl.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-8.noarch.rpm
rpm -Uvh epel-release-6*.rpm
Installing dependencies
Install the required packages:
yum install -y mysql-server httpd mod_wsgi mod_ssl python-devel gcc mysql-devel libjpeg-devel freeradius freeradius-utils freeradius-perl openldap-devel perl-libwww-perl perl-Config-IniFiles perl-Try-Tiny perl-Data-Dump python-virtualenv
Configure the services to start at boot:
/sbin/chkconfig radiusd on
/sbin/chkconfig mysqld on
/sbin/chkconfig httpd on
Create the database
Now we create the database privacyidea, which will hold the token data. We choose the database password unknown:
/etc/init.d/mysqld restart
echo 'create database privacyidea;' | mysql
echo 'grant all privileges on privacyidea.* to "privacyidea"@"localhost" identified by "unknown";' | mysql
Create a virtual Python environment and install privacyIDEA
privacyIDEA will be installed into a virtualenv at /opt/privacyIDEA. This way we can use all the Python modules we need and can simply back up the complete folder.
virtualenv /opt/privacyIDEA
Now we enter the virtual environment and install privacyIDEA:
cd /opt/privacyIDEA
source bin/activate
pip install privacyIDEA
pip install MySQL-python
Create the configuration files
Still in the Python virtualenv, we create a service account and some configuration files:
mkdir -p /var/log/privacyidea
useradd -r privacyidea -d /opt/privacyIDEA
Create the ini file
The ini file contains the configuration of the database and some other basic settings. We copy the following file to /opt/privacyIDEA/etc/privacyidea/privacyidea.ini:
# privacyIDEA - Pylons development environment configuration
#
# The %(here)s variable will be replaced with the parent directory of this file
#
[DEFAULT]
debug = false
profile = false
# Uncomment and replace with the address which should receive any error reports
#email_to = you@yourdomain.com
smtp_server = localhost
error_email_from = paste@localhost

# default audit trail set to SQL Audit
privacyideaAudit.type = privacyidea.lib.auditmodules.sqlaudit
privacyideaAudit.key.private = %(here)s/private.pem
privacyideaAudit.key.public = %(here)s/public.pem
#privacyideaAudit.sql.url = mysql://privacyidea:privacyidea@localhost/privacyidea
#privacyideaAudit.sql.url = sqlite:///%(here)s/token.sqlite
# One entry for SQL audit might take about 1K
privacyideaAudit.sql.highwatermark = 10000
#privacyideaAudit.sql.lowwatermark = 5000

# If true, OTP values can be retrieved via the getotp controller
privacyideaGetotp.active = True

privacyideaSecretFile = %(here)s/encKey

# This file contains the token administrators.
# It can be created like this:
# % tools/privacyidea-create-pwidresolver-user -u admin -p test -i 1000 >> config/admin-users
privacyideaSuperuserFile = %(here)s/admin-users
# list of realms, that are admins
privacyideaSuperuserRealms = superuser, 2ndsuperusers

privacyIDEASessionTimout = 1200

# This is the server, where this system is running.
# This is needed to issue a request during login to the
# management with an OTP token.
privacyideaURL = https://localhost
#
# This determines if the SSL certificate is checked during the login to
# privacyIDEA. Set to True, if you have a self signed certificate.
privacyideaURL.disable_ssl = False

#privacyidea.useridresolver = privacyidea.lib.resolvers.PasswdIdResolver.IdResolver

# This is only used for testing purposes for running the selftests.
#privacyidea.selfTest = True

# These are the settings for the RADIUS Token
# The location of the RADIUS dictionary file
radius.dictfile= %(here)s/dictionary
# The NAS Identifier of your privacyIDEA server,
# that is sent to the RADIUS server
radius.nas_identifier = privacyIDEA

[server:main]
use = egg:Paste#http
#host = 172.16.200.100
host = 0.0.0.0
#host = localhost
port = 5001
#ssl_pem = *

[app:main]
use = egg:privacyIDEA
sqlalchemy.url = mysql://privacyidea:unknown@localhost/privacyidea
#sqlalchemy.url = sqlite:///%(here)s/token.sqlite
sqlalchemy.pool_recycle = 3600
full_stack = true
static_files = true
# We do not need a who.config, since we do the config in the
# code at config/middleware.py
#who.config_file = %(here)s/who.ini
who.log_level = debug
who.log_file = /var/log/privacyidea/privacyidea.log

cache_dir = %(here)s/data
custom_templates = %(here)s/custom-templates/

#beaker.session.key = privacyidea
#beaker.session.secret = somesecret

# If you'd like to fine-tune the individual locations of the cache data dirs
# for the Cache data, or the Session saves, un-comment the desired settings
# here:
#beaker.cache.data_dir = %(here)s/data/cache
#beaker.session.data_dir = %(here)s/data/sessions
#
# Note: You should change the Logging Level from DEBUG to WARN
#
# Logging configuration
[loggers]
keys = root, privacyidea, sqlalchemy
#keys = root, privacyidea, sqlalchemy, controllers

[logger_root]
level = WARNING
handlers = file

[logger_privacyidea]
level = INFO
handlers = file
qualname = privacyidea

#[logger_controllers]
#level = DEBUG
#handlers = file
#qualname = privacyidea.controllers.account

[logger_sqlalchemy]
level = ERROR
handlers = file
qualname = sqlalchemy.engine
# "level = INFO" logs SQL queries.
# "level = DEBUG" logs SQL queries and results.
# "level = WARN" logs neither. (Recommended for production systems.)

[handlers]
keys = file

[handler_file]
class = handlers.RotatingFileHandler
# Make the logfiles 10 MB
# and rotate 4 files
#args = ('%(here)s/privacyidea.log','a', 10000000, 4)
#
# Please note, that the %(here)s parameter will not work, when
# running in wsgi.
args = ('/var/log/privacyidea/privacyidea.log','a', 10000000, 4)
level = INFO
formatter = generic

[formatters]
keys = generic

[formatter_generic]
class = privacyidea.lib.log.SecureFormatter
format = %(asctime)s %(levelname)-5.5s {%(thread)d} [%(name)s][%(funcName)s #%(lineno)d] %(message)s
datefmt = %Y/%m/%d - %H:%M:%S
Create the encryption key and the signing keys
privacyidea-create-enckey -f /opt/privacyIDEA/etc/privacyidea/privacyidea.ini
privacyidea-create-auditkeys -f /opt/privacyIDEA/etc/privacyidea/privacyidea.ini
Create the database tables
mkdir -p /var/log/privacyidea
paster setup-app /opt/privacyIDEA/etc/privacyidea/privacyidea.ini
Create the administrator user
Now we create the first administrator user, who can log in to the privacyIDEA management interface:
privacyidea-create-pwidresolver-user -u admin -i 1000 >> /opt/privacyIDEA/etc/privacyidea/admin-users
Enter a password and remember it.
Install Apache
privacyIDEA is a Python application that runs through the WSGI module. This module needs an additional run directory. We create it:
mkdir -p /var/run/wsgi
WSGI does not work with SELinux in enforcing mode. So, for a start, we need to disable enforcing. In the file /etc/selinux/config we need to change:
SELINUX=permissive
...and reboot the system for this to take effect.
After the reboot we enter the virtualenv again.
cd /opt/privacyIDEA
source bin/activate
Apache configuration
In the Apache directory /etc/httpd/conf.d we need to edit two files:
ssl.conf, which activates SSL:
LoadModule ssl_module modules/mod_ssl.so
Listen 443
SSLPassPhraseDialog builtin
SSLSessionCache shmcb:/var/cache/mod_ssl/scache(512000)
SSLSessionCacheTimeout 300
SSLMutex default
SSLRandomSeed startup file:/dev/urandom 256
SSLRandomSeed connect builtin
SSLCryptoDevice builtin
and privacyidea.conf, which is the configuration of the virtual host.
A script will help you to create the server certificate:
privacyidea-create-certificate -f /etc/httpd/conf.d/privacyidea.conf
Fix access rights
During the installation the files were generated as the root user. But we will run privacyIDEA within Apache using the service account privacyidea. So we need to change the permissions of these files. A script helps us with this task:
privacyidea-fix-access-rights -f /opt/privacyIDEA/etc/privacyidea/privacyidea.ini -u privacyidea
Then we need to restart the Apache service:
service httpd restart
Firewall
The https port 443 may be closed. We can open it like this:
iptables -I INPUT 4 -p tcp --dport 443 -j ACCEPT
service iptables save
Now we can access the management interface via https on the server and create user roles, a realm, and enroll the first token. Another tutorial explains how to do this.
Install FreeRADIUS
The privacyIDEA GitHub repo contains a FreeRADIUS plugin which is not yet contained in the privacyIDEA 1.1 release. So we need to copy it manually:
curl -o /opt/privacyIDEA/privacyidea_radius.pm https://raw.githubusercontent.com/privacyidea/privacyidea/master/authmodules/FreeRADIUS/privacyidea_radius.pm
Configuration
In the file /etc/raddb/users we need the following entry:
DEFAULT Auth-Type := perl
This sets the Auth-Type to perl for every request. So the requests will be handled by the Perl module.
Consequently, the file /etc/raddb/modules/perl needs to look like this:
perl {
    module = /opt/privacyIDEA/privacyidea_radius.pm
}
Remember to configure the file /etc/raddb/clients.conf according to your needs. At the least you can add localhost for testing:
client 127.0.0.1/32 {
shortname = local
secret = topsecret
}
Finally we need to create a file /etc/raddb/sites-available/privacyidea which, in the sections authorize and authenticate, looks like this:
authorize {
    preprocess
    chap
    mschap
    digest
    suffix
    eap {
        ok = return
    }
    files
    expiration
    logintime
    pap
}

authenticate {
    perl
    Auth-Type PAP {
        pap
    }
    Auth-Type CHAP {
        chap
    }
    Auth-Type MS-CHAP {
        mschap
    }
    digest
    unix
    eap
}
(Basically we only added "perl" to the authenticate section ;-)
You can also download the file here.
We enable the site privacyidea by linking it from sites-available to sites-enabled:
ln -s /etc/raddb/sites-available/privacyidea /etc/raddb/sites-enabled
We should remove the other sites from sites-enabled.
Testing RADIUS
To test the RADIUS configuration we stop FreeRADIUS and start it in debug output mode:
service radiusd stop
radiusd -X
Then we test with the radclient command:
echo "User-Name=user, Password=pin123456" | radclient -sx localhost auth topsecret
The output will show whether the authentication was accepted or rejected.
In the FreeRADIUS output we can see a line like this for a successful authentication:
rlm_perl: privacyIDEA access granted
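The password in the radclient test above is the token PIN followed by the OTP value. The following example is added here and is neither part of the original tutorial nor privacyIDEA's own code: it models how a server validates such a PIN+OTP password for an HOTP token (RFC 4226), looking ahead over a small counter window to resync a drifted token and advancing the counter on success so that a used OTP value is rejected on replay. The token secret is the RFC 4226 test-vector key and the PIN, window size and class name are assumptions for the example.

```python
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class HotpToken:
    """Minimal model of an enrolled HOTP token: a PIN, a shared secret and a server-side counter."""

    def __init__(self, pin: str, secret: bytes, counter: int = 0, digits: int = 6, window: int = 10):
        self.pin = pin
        self.secret = secret
        self.counter = counter  # next counter value the server expects
        self.digits = digits
        self.window = window    # how far ahead the server looks to resync a drifted token

    def check(self, password: str) -> bool:
        """Validate a 'PIN + OTP' password such as 'pin123456' from the radclient test."""
        if len(password) < self.digits:
            return False
        pin, otp = password[:-self.digits], password[-self.digits:]
        # Constant-time PIN comparison; the caller learns only pass/fail, not which part failed.
        if not hmac.compare_digest(pin.encode(), self.pin.encode()):
            return False
        for c in range(self.counter, self.counter + self.window):
            if hmac.compare_digest(hotp(self.secret, c, self.digits), otp):
                # Move past the matched value so the same OTP cannot be replayed.
                self.counter = c + 1
                return True
        return False


# Constructed sample: the RFC 4226 test-vector secret with the PIN "pin" (assumed).
SAMPLE_SECRET = b"12345678901234567890"

if __name__ == "__main__":
    token = HotpToken("pin", SAMPLE_SECRET)
    print("first use:", token.check("pin755224"))   # counter 0 -> accepted
    print("replay:   ", token.check("pin755224"))   # same value again -> rejected
```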
Problems? Answers!
If you run into any problems, leave me a comment, or you can also ask in the Google group.