审计啊审计,公司使用的华为防火墙需要配置双因子登录认证,这下麻烦了。
查了一下华为手册,支持 Radius 认证,那么没办法,最省钱的办法就是用 FreeIPA 和 FreeRadius 搭一套 OTP 双因子认证了。
系统是 CentOS 7 ,已关闭防火墙服务,方法如下:
一、搭建FreeIPA
首先设置 hostname
1hostnamectl set-hostname freeipa.rendoumi.local
2
3echo "192.168.1.5 freeipa.rendoumi.local" >> /etc/hosts
然后安装 FreeIPA,注意要回答的几个问题
- 不装bind,无论是 dnsmasq 或 coredns,都比 bind 轻,要装也装那两个。
- server hostname 是 freeipa.rendoumi.local
- domian name 是 rendoumi.local
- realm name 是大写的 RENDOUMI.LOCAL
- 有两个密码,第一个是 LDAP 的密码,第二个是 IPA 的密码
1yum -y install deltarpm
2yum update
3
4yum -y install freeipa-server
5
6sysctl net.ipv6.conf.all.disable_ipv6=0
7
8ipa-server-install
9
10This program will set up the IPA Server.
11
12This includes:
13 * Configure a stand-alone CA (dogtag) for certificate management
14 * Configure the Network Time Daemon (ntpd)
15 * Create and configure an instance of Directory Server
16 * Create and configure a Kerberos Key Distribution Center (KDC)
17 * Configure Apache (httpd)
18
19To accept the default shown in brackets, press the Enter key.
20
21WARNING: conflicting time&date synchronization service 'chronyd' will be disabled in favor of ntpd
22
23Do you want to configure integrated DNS (BIND)? [no]:no
24
25Server host name [freeipa.rendoumi.local]:
26
27Please confirm the domain name [rendoumi.local]:
28
29Please provide a realm name [RENDOUMI.LOCAL]:
30
31Directory Manager password:
32Password (confirm):
33...
34IPA admin password:
35Password (confirm):
36
37The IPA Master Server will be configured with:
38Hostname: freeipa.rendoumi.local
39IP address(es): 192.168.1.5
40Domain name: rendoumi.local
41Realm name: RENDOUMI.LOCAL
42
43Continue to configure the system with these values? [no]: yes
44
45The following operations may take some minutes to complete.
46Please wait until the prompt is returned.
47
48Configuring NTP daemon (ntpd)
49
50...
51
52Setup complete
53
54Next steps:
55 1. You must make sure these network ports are open:
56 TCP Ports:
57 * 80, 443: HTTP/HTTPS
58 * 389, 636: LDAP/LDAPS
59 * 88, 464: kerberos
60 UDP Ports:
61 * 88, 464: kerberos
62 * 123: ntp
63
64 2. You can now obtain a kerberos ticket using the command: 'kinit admin'
65 This ticket will allow you to use the IPA tools (e.g., ipa user-add)
66 and the web user interface.
67
68Be sure to back up the CA certificate stored in /root/cacert.p12
69This file is required to create replicas. The password for this file is the Directory Manager password
以上,就装好了 FreeIPA,配置文件在 /etc/ipa/default.conf
验证一下:
1# 输入ipa密码
2kinit admin
3klist
4
5ipactl status
6# sn 输入 01
7ipa cert-show
登录: http://freeipa.rendoumi.com ,(注意你访问的机器必须能解析到这个域名)用户名 admin ,密码是上面填入的 ipa 密码,建立一个新用户
然后给这个用户添加 OTP Token:
缺省什么都不用填,直接选 Add:
会蹦出来一个二维码,建议是用 FreeOTP 扫描:
我们在手机上装上 FreeOTP 软件,扫描添加:
这样就ok了。下次登录的时候密码就是预设密码+FreeOTP密码合在一起。中间没有加号哦
比如预设密码是 Fuck,otp密码是762405,合在一起就是 Fuck762405,一起输入即可。
那 FreeIPA 的部分就完成了。
二、搭建FreeRadius
上面的部分其实是 FreeIPA 充当了用户数据库,用 LDAP 存放数据,而 Radius 需要从 IPA 拿到用户信息。
安装:
1yum -y install freeradius freeradius-utils freeradius-ldap freeradius-krb5
Radius 的配置都在 /etc/raddb 目录下:
编辑 /etc/raddb/client.conf ,增加一个网段的认证,允许 172.0.0.0/8 访问
1client localnet {
2 ipaddr = 172.0.0.0/8
3 proto = *
4 secret = Fuck2021
5 nas_type = other
6 limit {
7 max_connections = 16
8 lifetime = 0
9 idle_timeout = 30
10 }
11}
同时修改下面的 clinet localhost 部分,修改 secret,之后我们要从本地登录做测试
1client localhost {
2 secret = ChinaBank2021
3
再修改 /etc/raddb/sites-enabled/default and /etc/raddb/sites-enabled/inner-tunnel ,支持 LDAP,有二处地方
把
1 #
2 # The ldap module reads passwords from the LDAP database.
3 -ldap
换成:
1 #
2 # The ldap module reads passwords from the LDAP database.
3 ldap
4 if ((ok || updated) && User-Password) {
5 update {
6 control:Auth-Type := ldap
7 }
8 }
把
1# Auth-Type LDAP {
2# ldap
3# }
换成:
1 Auth-Type LDAP {
2 ldap
3 }
然后 ldap 模块配置一下
1ln -s /etc/raddb/mods-available/ldap /etc/raddb/mods-enabled/
我们先用 ldapsearch 搜索一下,看看具体的 dn 信息,这里输入之前设置的 ldap 密码
1ldapsearch -x -v -W -D 'cn=Directory Manager' uid=test|grep test
2ldap_initialize( <DEFAULT> )
3Enter LDAP Password:
4filter: uid=test
5requesting: All userApplication attributes
6memberOf: cn=test,cn=groups,cn=accounts,dc=rendoumi,dc=local
得到 cn=accounts,dc=rendoumi,dc=local
再去修改 /etc/raddb/mods-enabled/ldap 文件,修改 server 和 base_dn 与之对应:
1 server = 'freeipa.rendoumi.local'
2 base_dn = 'cn=accounts,dc=rendoumi,dc=local'
注意,上面我们没装 bind,所以必须在 /etc/hosts 存在记录,否则本地就访问不到了
启动 radiusd 的调试模式:
1radiusd –X
2...
3Listening on auth address * port 1812 as server default
4Listening on acct address * port 1813 as server default
5Listening on auth address :: port 1812 as server default
6Listening on acct address :: port 1813 as server default
7Listening on auth address 127.0.0.1 port 18120 as server inner-tunnel
8Opening new proxy socket 'proxy address * port 0'
9Listening on proxy address * port 36752
10Ready to process requests
再开一个终端测试一下,注意,我们是从本地(127.0.0.1)发起测试的,所以对应要用到上面设置的 secret,用 admin 登录,就避免要用到 freeotp 的口令,这里 xxxxxxxx 是 admin 的密码:
1radtest admin xxxxxxxx freeipa.rendoumi.local 1812 ChinaBank2021
2Sent Access-Request Id 57 from 0.0.0.0:45247 to 172.18.31.41:1812 length 75
3 User-Name = "admin"
4 User-Password = "xxxxxxxx"
5 NAS-IP-Address = 172.18.31.41
6 NAS-Port = 1812
7 Message-Authenticator = 0x00
8 Cleartext-Password = "xxxxxxxx"
9Received Access-Accept Id 57 from 172.18.31.41:1812 to 0.0.0.0:0 length 20
看到上面 Access-Accept 就ok了,ctrl-c 终止 radiusd 的运行,开启 radiusd 服务。
1systemctl enable --now radiusd
然后在华为防火墙设置这个 radiusd 服务器就可以了。
参考资料:
