For companies, giving staff VPN remote access to the company's IT resources from home and while travelling has become the norm. However, staff password hygiene is usually weak, and attackers who exploit leaked credential databases (credential stuffing) and similar weaknesses often find a convenient way in. A two-factor authentication system is a very effective way to strengthen password-based authentication. Among the stronger authentication systems available today, the best known is the one provided by RSA Security.
RSA offers a complete authentication solution; in particular, RSA SecurID two-factor authentication has become the de facto standard in this area: easy to deploy, mature and reliable, and broadly trusted in the information security field. RSA's product range is very wide: besides the traditional hardware token, there are soft tokens for smart devices, which are very convenient.
For small and medium-sized companies, however, the commercial RSA solution is expensive, and a limited IT budget often constrains the choice of two-factor scheme.
The Google Authenticator project provides one-time-password generators for several mobile platforms and includes a Pluggable Authentication Module (PAM) implementation. The one-time passwords follow the open standards of the Initiative for Open Authentication (OATH, not to be confused with OAuth): RFC 4226 defines the HMAC-based One-Time Password (HOTP) algorithm, and RFC 6238 defines the Time-based One-Time Password (TOTP) algorithm.
Now that google-authenticator is mature, combining it with OpenVPN into a two-factor authentication system makes it possible to build a secure remote-access system entirely from open-source software.
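As an added illustration (not code from this page, from Google Authenticator or from privacyIDEA), here is a minimal Python implementation of the two algorithms just named, together with the check a verifying server such as privacyIDEA has to make on the OTP: tolerate a little clock skew, but never accept the same counter twice. The 20-byte seed 12345678901234567890 is the test key from the RFC appendices, so the RFC test vectors can be reproduced; the one-step skew window and the last_counter bookkeeping are this example's own design choices, not privacyIDEA's settings.

```python
import base64
import hashlib
import hmac
import struct


def hotp(key: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 4226 HOTP: dynamic truncation of HMAC(key, 8-byte big-endian counter)."""
    mac = hmac.new(key, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F                      # low nibble of the last byte selects the window
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(key: bytes, now: int, step: int = 30, t0: int = 0, digits: int = 6,
         algo=hashlib.sha1) -> str:
    """RFC 6238 TOTP: HOTP whose counter is the number of `step`-second intervals since t0."""
    return hotp(key, (now - t0) // step, digits, algo)


def google_authenticator_code(secret_b32: str, now: int) -> str:
    """Google Authenticator carries the seed in the QR code as (often unpadded) base32."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    return totp(base64.b32decode(padded), now)


def verify_totp(key: bytes, submitted: str, now: int, step: int = 30, digits: int = 6,
                window: int = 1, last_counter: int = -1):
    """Server-side check (this example's own policy). Returns the accepted counter or None.

    Accepts `window` time steps of skew either side of the server clock, and refuses any
    counter at or below `last_counter`, so a code captured on the wire cannot be replayed
    while it is still within its validity window. Persist the returned counter per token.
    """
    centre = now // step
    for counter in range(centre - window, centre + window + 1):
        if counter <= last_counter:
            continue
        if hmac.compare_digest(hotp(key, counter, digits), submitted):
            return counter
    return None
```

The skew window is why section 1.1 below insists on NTP: with a 30-second step and a one-step window, a phone or server clock that drifts by more than about a minute produces only rejections, and widening the window to paper over it also widens the replay window.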
OpenVPN is free, open-source software for creating encrypted Virtual Private Network tunnels. With OpenVPN you can easily build a private network channel with LAN-like access between home, the office, hotels and other locations.
The Google Authenticator PAM module already provides two-factor authentication on its own, but managing and maintaining it is troublesome and far from intuitive. Every user must have a system account, and to change a PIN or enrol a new token the user has to log in to the system and run the command, which is difficult for non-technical users and hands out shell logins that are themselves a potential security risk. For administrators, it cannot use the company's existing account directory, so a second set of accounts has to be maintained on the authentication system.
privacyIDEA is a modular authentication system, an authentication server. With privacyIDEA you can add two-factor authentication to local logins, VPN and other remote access, SSH connections, and web sites or portals, and so improve the security of existing applications. It was originally an OTP (One Time Password) server that authenticated OTP devices, but other "devices" such as challenge-response tokens, SSH keys and X.509 certificates are available as well. It runs on Linux and is completely open source.
privacyIDEA has a friendly management interface: both system administration and user administration can be done easily in the web UI. privacyIDEA can read users from a local file-based user database and also from LDAP, so it can be linked to the company's existing account system, which is very convenient.
privacyIDEA's HOTP and TOTP tokens are compatible with Google Authenticator, so using the Google Authenticator app on a smartphone as the token is very convenient.
privacyIDEA offers three ways to integrate with OpenVPN. First, the privacyidea_pam.py PAM module: OpenVPN authenticates through PAM, and the PAM module calls privacyidea_pam.py, which asks privacyIDEA to verify the credentials. Second, integrating OpenVPN with FreeRADIUS directly: OpenVPN authenticates via RADIUS, and FreeRADIUS forwards the verification to privacyIDEA. Third, using the PAM RADIUS module on the OpenVPN side.
Part One: how the scheme works
We use the second method: OpenVPN + FreeRADIUS + privacyIDEA. It is easy to debug and much more general, since anything else that speaks RADIUS can use the same authentication server.
Schematic:
[OpenVPN client] -> [OpenVPN server + radiusplugin] -> [FreeRADIUS + privacyidea_radius.pm] -> [privacyIDEA]
The flow is as follows. First, the remote user initiates the VPN connection and supplies the authentication information. OpenVPN then hands the user's credentials to FreeRADIUS for authentication. FreeRADIUS uses the Perl script to ask privacyIDEA whether the credentials are correct. privacyIDEA returns the verification result to FreeRADIUS, and FreeRADIUS sends the authentication result back to OpenVPN. Finally OpenVPN inspects the result: if authentication succeeded the connection is established; if it failed, the connection is dropped and a failure message is returned.
Part Two: software installation and configuration
This walkthrough uses Ubuntu Server 14.04.
1. Installing and managing privacyIDEA
1.1 System Time
TOTP one-time passwords are derived from the current time, so the success or failure of authentication depends directly on the clocks of the token and the server agreeing: a phone or server that has drifted by more than a time step or two produces nothing but rejections. The terminal (the mobile phone) and the privacyIDEA system must therefore be kept in clock synchronisation.
Set the local time zone and enable the ntp service.
1.2 Add PrivacyIDEA source
Add the repository with add-apt-repository, or write it directly into /etc/apt/sources.list.
# add-apt-repository ppa:privacyidea/privacyidea
Or: vi /etc/apt/sources.list and add the repository lines:
deb http://ppa.launchpad.net/privacyidea/privacyidea/ubuntu trusty main
deb-src http://ppa.launchpad.net/privacyidea/privacyidea/ubuntu trusty main
Refresh the package lists: apt-get update.
1.3 Installing privacyIDEA
# apt-get install privacyidea-apache2
During installation the package pulls in its dependencies and generates the self-signed certificates used by the web front end.
Create a privacyIDEA system administrator (the command prompts for the administrator's password):
# pi-manage admin add ideauser -e ideauser@gmail.com
The management interface is served over HTTPS at the server's address (https://<server address>/); log in there to the web administration system.
Once installation is complete you can log in to the management interface and start managing privacyIDEA.
2. Installing and configuring FreeRADIUS
privacyIDEA provides its own packaging of FreeRADIUS. In practice it is FreeRADIUS with some ready-made configuration; you could equally install FreeRADIUS directly and do the configuration yourself. We install the privacyIDEA version of FreeRADIUS.
2.1 Installing privacyidea-radius
# apt-get install privacyidea-radius
FreeRADIUS is configured with the Perl authentication type: the Perl module talks to privacyIDEA over HTTPS, POSTing the user name and password to privacyIDEA's /validate/check endpoint.
The Perl program is installed by default at /usr/share/privacyidea/freeradius/privacyidea_radius.pm.
It is referenced from the FreeRADIUS configuration (the perl module definition); the privacyIDEA URL and the TLS-verification setting the module uses live in /etc/privacyidea/rlm_perl.ini.
2.2 Configuring FreeRADIUS
Configure the RADIUS clients file.
# vim /etc/freeradius/clients.conf
By default the local host, 127.0.0.1, is defined as a RADIUS client; if other devices need to authenticate through this server, add a client entry for each of them, each with its own shared secret.
After installation, test that the RADIUS service works.
3. Installing and configuring OpenVPN
3.1 Install easy-rsa, which makes generating certificates easy, and OpenVPN.
# apt-get install easy-rsa
# apt-get install openvpn
3.2 Generating the certificates
# Edit the vars file (on Ubuntu the easy-rsa scripts live directly under /usr/share/easy-rsa/; the 2.0 subdirectory below is the layout of other distributions' packages)
cd /usr/share/easy-rsa/2.0/
vim vars
# Change the certificate details. There must be no spaces around "=", or the shell will not set the variables.
export KEY_COUNTRY="CN"
export KEY_PROVINCE="BeiJing"
export KEY_CITY="BeiJing"
export KEY_ORG="NetOps"
export KEY_EMAIL="netops@netops.com"
export KEY_OU="netops"
# Load the environment variables
source vars
# Generate the CA certificate and key, the server certificate and key, the Diffie-Hellman parameters and the ta.key file.
# clean-all empties the keys/ directory, so run it only on a fresh setup. build-key-server names its output after its argument
# (here keys/server.crt and keys/server.key, matching the server.conf below); build-dh names its file after KEY_SIZE in vars
# (dh2048.pem when KEY_SIZE=2048).
./clean-all
./build-ca
./build-key-server server
./build-dh
openvpn --genkey --secret keys/ta.key
The certificates and keys are written to the keys/ subdirectory. ca.key is the CA's private key: it is not needed on the VPN server at run time and is best kept offline.
3.3 Configure OpenVPN
# Copy the sample server configuration file to /etc/openvpn.
cp /usr/share/doc/openvpn-2.3.2/sample/sample-config-files/server.conf /etc/openvpn/
(On Ubuntu the samples are under /usr/share/doc/openvpn/examples/sample-config-files/, gzipped.)
# Edit the configuration file
Adjust the protocol, the address range, the certificate and key paths, the pushed routes, DNS and so on as needed, for example:
port 1194
proto tcp
dev tun
ca /usr/share/easy-rsa/2.0/keys/ca.crt
cert /usr/share/easy-rsa/2.0/keys/server.crt
key /usr/share/easy-rsa/2.0/keys/server.key
dh /usr/share/easy-rsa/2.0/keys/dh2048.pem
server 192.168.10.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "route 10.0.0.0 255.0.0.0"
push "dhcp-option DNS 10.10.10.10"
keepalive 10 120
tls-auth /usr/share/easy-rsa/2.0/keys/ta.key 0
comp-lzo
persist-key
persist-tun
status openvpn-status.log
log openvpn.log
log-append openvpn.log
verb 5
Start OpenVPN and check that it comes up cleanly; resolve any problems at this stage, before RADIUS is added. Note that comp-lzo turns on compression inside the tunnel; compressing data before encrypting it has since been shown to leak plaintext (the VORACLE attack), so current OpenVPN releases advise leaving compression off.
3.4 Configuring packet forwarding and the firewall
3.4.1 Enable packet forwarding
# echo 1 > /proc/sys/net/ipv4/ip_forward
# vim /etc/sysctl.conf
net.ipv4.ip_forward = 1
3.4.2 Configure the firewall
# iptables -I INPUT -p tcp --dport 1194 -m comment --comment "openvpn" -j ACCEPT
# iptables -t nat -A POSTROUTING -s 192.168.10.0/24 -j MASQUERADE
Remember to save the iptables rules and restore them at boot (for example with the iptables-persistent package).
4. Installing radiusplugin
radiusplugin is the OpenVPN plug-in that adds RADIUS authentication support.
Download the radiusplugin package from the project page on http://www.nongnu.org.
4.1 Install gcc, g++ and libgcrypt
# apt-get install gcc g++ make libgcrypt11-dev
(The -dev package is required: the libgcrypt11 runtime library alone does not include the headers the build needs.)
4.2 Compile radiusplugin
Unpack the package, change into its directory and run make.
4.3 Configure radiusplugin
Copy radiusplugin.cnf and radiusplugin.so into /etc/openvpn/.
Edit radiusplugin.cnf:
# vim /etc/openvpn/radiusplugin.cnf
server
{
acctport = 1813
authport = 1812
name = 127.0.0.1
retry = 1
wait = 1
sharedsecret = testing123
}
sharedsecret must match the secret configured for this client in FreeRADIUS's clients.conf. testing123 is the secret FreeRADIUS ships for localhost; anyone who knows it can forge an Access-Accept, so replace it on both sides with a long random value before going live.
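For reference, this is the FreeRADIUS 2.x client stanza (the syntax Ubuntu 14.04's package uses) that the radiusplugin.cnf above pairs with; it is an added illustration in the shape of the default /etc/freeradius/clients.conf, not copied from the page. The secret value must be identical in both files, and ipaddr restricts which host may use it.

```conf
# /etc/freeradius/clients.conf (FreeRADIUS 2.x syntax)
client localhost {
    ipaddr  = 127.0.0.1          # only the OpenVPN process on this host may use this secret
    secret  = testing123         # must equal sharedsecret in /etc/openvpn/radiusplugin.cnf;
                                 # replace on both sides, e.g. with the output of: openssl rand -base64 32
    require_message_authenticator = no
    nastype = other
}
```

If OpenVPN and FreeRADIUS run on different hosts, add a separate client stanza with that host's address and its own secret, and keep the RADIUS traffic on an isolated management network: apart from the User-Password attribute, RADIUS is unencrypted UDP.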
5. Modifying the OpenVPN configuration again
Modify the OpenVPN configuration so that clients authenticate with a username and password, which OpenVPN then passes to RADIUS. Note that client-cert-not-required switches client certificate checking off entirely: from here on the password plus OTP, the tls-auth key and the server certificate are all that protect the VPN, so guard ta.key accordingly. (OpenVPN 2.4 deprecated this directive in favour of verify-client-cert none, and 2.5 removed it.)
5.1 Edit server.conf
# vim /etc/openvpn/server.conf
client-cert-not-required
username-as-common-name
plugin /etc/openvpn/radiusplugin.so /etc/openvpn/radiusplugin.cnf
6. Restarting the services and testing
6.1 Restart the services
/etc/init.d/freeradius restart
/etc/init.d/openvpn restart
(On Ubuntu the FreeRADIUS service is called freeradius; on CentOS it is radiusd.)
6.2 Configuring the OpenVPN client
Install the OpenVPN client. Copy the CA certificate ca.crt and ta.key into the config directory of the client installation, then write the client configuration file xx.ovpn.
Its contents:
client
dev tun
proto tcp
remote <vpn-server-address> 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
ns-cert-type server
tls-auth ta.key 1
comp-lzo
verb 3
auth-user-pass
Note: on Windows the client must be run with administrator privileges, otherwise it cannot add the routes the server pushes. If there are several VPN servers, the ca.crt, ta.key and xx.ovpn files for each of them can all go into the same config directory. The ns-cert-type server line makes the client accept only a certificate that easy-rsa's build-key-server marked as a server certificate, so no other certificate signed by the same CA can pose as the server; OpenVPN 2.4 and later deprecate it in favour of remote-cert-tls server.
6.3 Testing
For the specifics of using privacyIDEA, see the official documentation, or the notes I have compiled.
Testing in three stages is recommended: 1. Test that the privacyIDEA service works and that token authentication succeeds. 2. Test that the RADIUS service works and that FreeRADIUS verifies against privacyIDEA successfully. 3. Test that OpenVPN authentication succeeds. Following the prompts at each stage pinpoints where the problem lies, and it can then be solved.
Enrol a token for the user in privacyIDEA, which displays a QR code. Install Google Authenticator on the smartphone, open it and use Add Account to scan the code; a token code that changes every 30 seconds then appears. Then, in privacyIDEA's [Tokens] view, test whether the token's PIN and OTP are accepted.
Use radtest to check that FreeRADIUS and privacyIDEA work together. You can also run FreeRADIUS in debug mode (-X), which makes troubleshooting much easier.
Then test with the OpenVPN client whether authentication succeeds. If there are problems, check the OpenVPN log.
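To make the RADIUS leg of the flow concrete (the exchange radtest drives in stage 2 of the test, and the one radiusplugin performs against the clients.conf entry from section 2.2), here is an added Python example that is not part of this page or of any of the projects named. It builds an Access-Request with the User-Password hidden as RFC 2865 section 5.2 prescribes, and checks a reply's Response Authenticator before trusting an Access-Accept, which is the check that makes a forged reply from anyone without the shared secret worthless. The user name alice, the PIN 1234 and the OTP 287082 are constructed sample values (with privacyIDEA the password field carries PIN and OTP concatenated); the shared secret testing123 is the page's own.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS = 1, 2, 4


def pap_encrypt(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2 User-Password hiding: pad to a 16-byte multiple, then XOR each block
    with MD5(secret + previous ciphertext block), the first block seeded by the Request
    Authenticator. This is obfuscation keyed on the shared secret, not real encryption."""
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = bytearray(), authenticator
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        out += block
        prev = block
    return bytes(out)


def pap_decrypt(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of pap_encrypt: what the RADIUS server does before checking the password."""
    out, prev = bytearray(), authenticator
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        out += bytes(c ^ m for c, m in zip(block, mask))
        prev = block
    return bytes(out).rstrip(b"\x00")


def attribute(attr_type: int, value: bytes) -> bytes:
    """One RADIUS attribute: Type, Length (including these two bytes), Value."""
    return struct.pack("BB", attr_type, len(value) + 2) + value


def build_access_request(username: str, password: str, secret: bytes, identifier: int,
                         authenticator: bytes = None) -> tuple:
    """The Access-Request a NAS such as radiusplugin sends for one VPN login.
    Returns (packet, request_authenticator); the authenticator is needed to check the reply."""
    authenticator = authenticator or os.urandom(16)      # fresh random 16 bytes per request
    attrs = (attribute(USER_NAME, username.encode())
             + attribute(USER_PASSWORD, pap_encrypt(password.encode(), secret, authenticator))
             + attribute(NAS_IP_ADDRESS, bytes([127, 0, 0, 1])))   # sample NAS address
    header = struct.pack(">BBH", ACCESS_REQUEST, identifier, 20 + len(attrs))
    return header + authenticator + attrs, authenticator


def build_response(code: int, identifier: int, request_authenticator: bytes, secret: bytes,
                   attrs: bytes = b"") -> bytes:
    """Server side: Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack(">BBH", code, identifier, 20 + len(attrs))
    resp_auth = hashlib.md5(header + request_authenticator + attrs + secret).digest()
    return header + resp_auth + attrs


def verify_response(packet: bytes, secret: bytes, request_authenticator: bytes, identifier: int):
    """Client side: return the reply's Code only if its Identifier matches our request and its
    Response Authenticator proves a holder of the shared secret produced it; otherwise None."""
    if len(packet) < 20:
        return None
    code, ident, length = struct.unpack(">BBH", packet[:4])
    if length != len(packet) or ident != identifier:
        return None
    expected = hashlib.md5(packet[:4] + request_authenticator + packet[20:] + secret).digest()
    if not hmac.compare_digest(expected, packet[4:20]):
        return None
    return code
```

Sending the request over UDP to port 1812 on the FreeRADIUS host and passing the reply to verify_response is what radtest does in one line: radtest <user> <PIN+OTP> 127.0.0.1 0 testing123 (the arguments are user, password, server, NAS port number and shared secret). Because an Access-Accept is only as trustworthy as the secret, and because everything other than User-Password travels in clear, the RADIUS exchange belongs on localhost or an isolated management network.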
Note: radiusplugin sometimes fails to compile on CentOS because of version problems; in that case try compiling a different version.
Because of version problems you may also need to install FreeRADIUS directly; then you have to change the FreeRADIUS authentication type to the privacyidea_radius.pm Perl program and download that file. It is best to change the FreeRADIUS configuration; I remember that versions 2.x and 3.x are not the same.