使用FreeIPA和FreeRadius搭建双因子认证服务器

审计啊审计,公司使用的华为防火墙需要配置双因子登录认证,这下麻烦了。

查了一下华为手册,支持 Radius 认证,那么没办法,最省钱的办法就是用 FreeIPA 和 FreeRadius 搭一套 OTP 双因子认证了。

系统是 CentOS 7 ,已关闭防火墙服务,方法如下:

一、搭建FreeIPA

首先设置 hostname

1hostnamectl set-hostname freeipa.rendoumi.local
2
3echo "192.168.1.5 freeipa.rendoumi.local" >> /etc/hosts

然后安装 FreeIPA,注意要回答的几个问题

  • 不装bind,无论是 dnsmasq 或 coredns,都比 bind 轻,要装也装那两个。
  • server hostname 是 freeipa.rendoumi.local
  • domian name 是 rendoumi.local
  • realm name 是大写的 RENDOUMI.LOCAL
  • 有两个密码,第一个是 LDAP 的密码,第二个是 IPA 的密码
 1yum -y install deltarpm
 2yum update
 3
 4yum -y install freeipa-server
 5ipa-server-install
 6
 7This program will set up the IPA Server.
 8
 9This includes:
10  * Configure a stand-alone CA (dogtag) for certificate management
11  * Configure the Network Time Daemon (ntpd)
12  * Create and configure an instance of Directory Server
13  * Create and configure a Kerberos Key Distribution Center (KDC)
14  * Configure Apache (httpd)
15
16To accept the default shown in brackets, press the Enter key.
17
18WARNING: conflicting time&date synchronization service 'chronyd' will be disabled in favor of ntpd
19
20Do you want to configure integrated DNS (BIND)? [no]:no
21
22Server host name [freeipa.rendoumi.local]:
23
24Please confirm the domain name [rendoumi.local]:
25
26Please provide a realm name [RENDOUMI.LOCAL]:
27
28Directory Manager password:
29Password (confirm):
30...
31IPA admin password:
32Password (confirm):
33
34The IPA Master Server will be configured with:
35Hostname:       freeipa.rendoumi.local
36IP address(es): 192.168.1.5
37Domain name:    rendoumi.local
38Realm name:     RENDOUMI.LOCAL
39
40Continue to configure the system with these values? [no]: yes
41
42The following operations may take some minutes to complete.
43Please wait until the prompt is returned.
44
45Configuring NTP daemon (ntpd)
46
47...
48
49Setup complete
50
51Next steps:
52        1. You must make sure these network ports are open:
53                TCP Ports:
54                  * 80, 443: HTTP/HTTPS
55                  * 389, 636: LDAP/LDAPS
56                  * 88, 464: kerberos
57                UDP Ports:
58                  * 88, 464: kerberos
59                  * 123: ntp
60
61        2. You can now obtain a kerberos ticket using the command: 'kinit admin'
62           This ticket will allow you to use the IPA tools (e.g., ipa user-add)
63           and the web user interface.
64
65Be sure to back up the CA certificate stored in /root/cacert.p12
66This file is required to create replicas. The password for this file is the Directory Manager password
67

以上,就装好了 FreeIPA,配置文件在 /etc/ipa/default.conf

验证一下:

1# 输入ipa密码
2kinit admin
3klist
4
5ipactl status
6# sn 输入 01
7ipa cert-show

登录: http://freeipa.rendoumi.com ,(注意你访问的机器必须能解析到这个域名)用户名 admin ,密码是上面填入的 ipa 密码,建立一个新用户

image-20211124084419289

然后给这个用户添加 OTP Token:

image-20211124085039193

缺省什么都不用填,直接选 Add:

image-20211124084933037

会蹦出来一个二维码,建议是用 FreeOTP 扫描:

image-20211124085010519

我们在手机上装上 FreeOTP 软件,扫描添加:

image-20211124085227951

这样就ok了。下次登录的时候密码就是预设密码+FreeOTP密码合在一起。中间没有加号哦

比如预设密码是 Fuck,otp密码是762405,合在一起就是 Fuck762405,一起输入即可。

那 FreeIPA 的部分就完成了。

二、搭建FreeRadius

上面的部分其实是 FreeIPA 充当了用户数据库,用 LDAP 存放数据,而 Radius 需要从 IPA 拿到用户信息。

安装:

1yum -y install freeradius freeradius-utils freeradius-ldap freeradius-krb5

Radius 的配置都在 /etc/raddb 目录下:

编辑 /etc/raddb/client.conf ,增加一个网段的认证,允许 172.0.0.0/8 访问

 1client localnet {
 2        ipaddr = 172.0.0.0/8
 3        proto = *
 4        secret = Fuck2021
 5        nas_type = other
 6        limit {
 7                max_connections = 16
 8                lifetime = 0
 9                idle_timeout = 30
10        }
11}

同时修改下面的 clinet localhost 部分,修改 secret,之后我们要从本地登录做测试

1client localhost {
2        secret = ChinaBank2021
3        

再修改 /etc/raddb/sites-enabled/default and /etc/raddb/sites-enabled/inner-tunnel ,支持 LDAP,有二处地方

1        #
2        #  The ldap module reads passwords from the LDAP database.
3        -ldap

换成:

1        #
2        #  The ldap module reads passwords from the LDAP database.
3        ldap
4        if ((ok || updated) && User-Password) {
5            update {
6                control:Auth-Type := ldap
7            }
8        }

1#       Auth-Type LDAP {
2#               ldap
3#       }

换成:

1        Auth-Type LDAP {
2                ldap
3        }

然后 ldap 模块配置一下

1ln -s /etc/raddb/mods-available/ldap /etc/raddb/mods-enabled/

我们先用 ldapsearch 搜索一下,看看具体的 dn 信息,这里输入之前设置的 ldap 密码

1ldapsearch -x -v -W -D 'cn=Directory Manager'  uid=test|grep test
2ldap_initialize( <DEFAULT> )
3Enter LDAP Password: 
4filter: uid=test
5requesting: All userApplication attributes
6memberOf: cn=test,cn=groups,cn=accounts,dc=rendoumi,dc=local

得到 cn=accounts,dc=rendoumi,dc=local

再去修改 /etc/raddb/mods-enabled/ldap 文件,修改 server 和 base_dn 与之对应:

1        server = 'freeipa.rendoumi.local'
2        base_dn = 'cn=accounts,dc=rendoumi,dc=local'

注意,上面我们没装 bind,所以必须在 /etc/hosts 存在记录,否则本地就访问不到了

启动 radiusd 的调试模式:

 1radiusd –X
 2...
 3Listening on auth address * port 1812 as server default
 4Listening on acct address * port 1813 as server default
 5Listening on auth address :: port 1812 as server default
 6Listening on acct address :: port 1813 as server default
 7Listening on auth address 127.0.0.1 port 18120 as server inner-tunnel
 8Opening new proxy socket 'proxy address * port 0'
 9Listening on proxy address * port 36752
10Ready to process requests

再开一个终端测试一下,注意,我们是从本地(127.0.0.1)发起测试的,所以对应要用到上面设置的 secret,用 admin 登录,就避免要用到 freeotp 的口令,这里 xxxxxxxx 是 admin 的密码:

1radtest admin xxxxxxxx freeipa.rendoumi.local 1812 ChinaBank2021
2Sent Access-Request Id 57 from 0.0.0.0:45247 to 172.18.31.41:1812 length 75
3        User-Name = "admin"
4        User-Password = "xxxxxxxx"
5        NAS-IP-Address = 172.18.31.41
6        NAS-Port = 1812
7        Message-Authenticator = 0x00
8        Cleartext-Password = "xxxxxxxx"
9Received Access-Accept Id 57 from 172.18.31.41:1812 to 0.0.0.0:0 length 20

看到上面 Access-Accept 就ok了,ctrl-c 终止 radiusd 的运行,开启 radiusd 服务。

1systemctl enable --now radiusd

然后在华为防火墙设置这个 radiusd 服务器就可以了。

参考资料:

https://www.freeipa.org/page/Using_FreeIPA_and_FreeRadius_as_a_RADIUS_based_software_token_OTP_system_with_CentOS/RedHat_7


KVM下附加硬盘的passthrough直通
Ansible Vault加密的使用
comments powered by Disqus