LinOTP Two-Factor Authorization Server


Today I want to share how to configure a two-factor authentication server to protect the corporate network, sites, services and SSH. The server will run the pair LinOTP + FreeRadius.



Why do we need it?

This is a completely free, convenient solution within your network, independent of third-party providers.



This service is very convenient and quite visual compared to other open source products, and it supports a huge number of functions and policies (for example, login + password + (PIN + OTP token)). Through its API it integrates with SMS sending services (LinOTP Config -> Provider Config -> SMS Provider), generates codes for mobile applications such as Google Authenticator, and much more. I think it is more convenient than the service considered in the linked article.



This server works fine with Cisco ASA, OpenVPN server, Apache2, and indeed with almost everything that supports authentication via a RADIUS server (for example, for SSH in the data center).



Requirements:



1) Debian 8 (jessie) - required! (A trial installation on Debian 9 is described at the end of the article.)



Start:



Install Debian 8.



Add LinOTP repository:



# echo 'deb http://www.linotp.org/apt/debian jessie linotp' > /etc/apt/sources.list.d/linotp.list
      
      





Add keys:



 # gpg --search-keys 913DFF12F86258E5
      
      





Sometimes with a “clean” installation, after executing this command, Debian issues:



 gpg: directory `/root/.gnupg' created
 gpg: new configuration file `/root/.gnupg/gpg.conf' created
 gpg: WARNING: options in `/root/.gnupg/gpg.conf' are not yet active during this run
 gpg: keyring `/root/.gnupg/secring.gpg' created
 gpg: keyring `/root/.gnupg/pubring.gpg' created
 gpg: no keyserver known (use option --keyserver)
 gpg: keyserver search failed: bad URI





This is just the first-run initialization of gnupg; nothing is wrong. Simply run the command again.

Debian then asks:



 gpg: searching for "913DFF12F86258E5" from hkp server keys.gnupg.net
 (1)     LSE LinOTP2 Packaging <linotp2@lsexperts.de>
           2048 bit RSA key F86258E5, created: 2010-05-10
 Keys 1-1 of 1 for "913DFF12F86258E5".  Enter number(s), N)ext, or Q)uit >





Answer: 1



Next:



 # gpg --export 913DFF12F86258E5 | apt-key add -
      
      





 # apt-get update
      
      





Install MySQL. In principle a different SQL server can be used, but for simplicity I will use MySQL, as recommended for LinOTP.



(Additional information, including on reconfiguring the LinOTP database, can be found in the official documentation. There you will also find the command dpkg-reconfigure linotp, which changes the settings if MySQL was already installed.)



 # apt-get install mysql-server
      
      





 # apt-get update
      
      



(Refreshing the package lists again does no harm.)

Install LinOTP and add-on modules:



 # apt-get install linotp
      
      





Answer the installer's questions:

Use Apache2: yes

Password for the LinOTP admin: "YourPassword"

Generate a self-signed certificate?: yes

Use MySQL?: yes

Database host: localhost

Name of the LinOTP database to create on the server: LinOTP2

Separate database user to create: LinOTP2

Password for that user: "YourPassword"

Create the database now? (something like "Are you sure you want..."): yes

MySQL root password that was set during its installation: "YourPassword"

Done.



(optional, can be skipped)



 # apt-get install linotp-adminclient-cli
      
      





(optional, can be skipped)



 # apt-get install libpam-linotp
      
      





Our LinOTP web interface is now available at:



 https://<LinOTP-server-IP>/manage





I’ll talk about the settings in the web interface a bit later.



Now the most important part: bring up FreeRadius and link it to LinOTP.



Install FreeRadius and the LinOTP module



 # apt-get install freeradius linotp-freeradius-perl
      
      





Back up the RADIUS clients and users configs:



 # mv /etc/freeradius/clients.conf /etc/freeradius/clients.old
      
      





 # mv /etc/freeradius/users /etc/freeradius/users.old
      
      





Create an empty client file:



 # touch /etc/freeradius/clients.conf
      
      





Edit our new config file (the backup can be used as an example):



 # nano /etc/freeradius/clients.conf
      
      





 client 192.168.188.0/24 {
         secret = passwd
 }





Next, create the users file:



 # touch /etc/freeradius/users
      
      





Edit the file, telling RADIUS that we will authenticate via perl:



 # nano /etc/freeradius/users
      
      





 DEFAULT Auth-Type := perl





Next, edit the file /etc/freeradius/modules/perl:



 # nano /etc/freeradius/modules/perl
      
      





In the module parameter we need to write the path to the LinOTP perl script:



 perl {
         .......
         module = /usr/lib/linotp/radius_linotp.pm
         .......
 }

Next, create the file that tells the module where to take user data from (a domain, a database or a flat file).



 # touch /etc/linotp2/rlm_perl.ini
      
      





 # nano /etc/linotp2/rlm_perl.ini
      
      





 URL=https://IP_of_LinOTP_server_(192.168.XX)/validate/simplecheck
 REALM=webusers1c
 RESCONF=LocalUser
 Debug=True
 SSL_CHECK=False





Let me dwell on this in more detail, since it is important.

Full description of the file, with comments:

 # IP of the LinOTP server (the address of our LinOTP server)
 URL = https://172.17.14.103/validate/simplecheck
 # The realm that we will create in the LinOTP web interface
 REALM = rearm1
 # The name of the UserIdResolver (user group) created in the LinOTP web interface
 RESCONF = flat_file
 # optional: comment out if everything seems to work fine
 Debug = True
 # optional: use this if you have self-signed certificates, otherwise comment out
 # (SSL certificate verification; with a self-signed certificate of our own it is turned off)
 SSL_CHECK = False
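To make the meaning of these five keys concrete, here is an added example (my own code, not the article's and not LinOTP's radius_linotp.pm) that parses an rlm_perl.ini in this format, turns it into the request the RADIUS side sends to /validate/simplecheck, and maps LinOTP's reply to an accept or reject. The parameter names user, pass, realm and resConf and the ":-)" / ":-(" / ":-/" reply bodies are assumptions about the LinOTP API that the article does not state; the sample ini contents are constructed from the article's values.

```python
"""Parse the FreeRADIUS-side /etc/linotp2/rlm_perl.ini and exercise the
/validate/simplecheck contract that the radius_linotp.pm module relies on.

Added example, not code from the article or from the LinOTP project.
Assumptions not stated on the page: simplecheck accepts the parameters
user, pass (PIN+OTP), realm and resConf, and replies with the plain-text
body ":-)" (accepted), ":-(" (rejected) or ":-/" (error).
"""
import ssl
import urllib.error
import urllib.parse
import urllib.request

# Constructed sample, using the values from the article's rlm_perl.ini.
SAMPLE_INI = """\
#IP of the linotp server
URL = https://172.17.14.103/validate/simplecheck
# realm created in the LinOTP web interface
REALM = webusers1c
# UserIdResolver name from the LinOTP web interface
RESCONF = LocalUser
Debug = True
# self-signed certificate on the LinOTP host, so no verification
SSL_CHECK = False
"""


def parse_rlm_perl_ini(text):
    """Return {KEY: value}. Blank lines and '#' comments are skipped and keys
    are upper-cased, so 'Debug' and 'DEBUG' are the same setting."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if "=" not in line:
            raise ValueError("malformed rlm_perl.ini line: %r" % raw)
        key, value = line.split("=", 1)
        conf[key.strip().upper()] = value.strip()
    for required in ("URL", "REALM"):
        if required not in conf:
            raise ValueError("rlm_perl.ini is missing %s" % required)
    if not conf["URL"].lower().startswith("https://"):
        raise ValueError("URL must be https: the PIN+OTP travels in this request")
    return conf


def truthy(value):
    return value.strip().lower() in ("1", "true", "yes", "on")


def verification_enabled(conf):
    """SSL_CHECK=False (the article's self-signed case) turns certificate
    verification off; anything else, including a missing key, keeps it on."""
    return truthy(conf.get("SSL_CHECK", "True"))


def ssl_context(conf):
    ctx = ssl.create_default_context()
    if not verification_enabled(conf):
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    return ctx


def build_simplecheck_request(conf, user, otp_pass):
    """URL and POST body for one check; POST keeps the PIN+OTP out of URL logs."""
    data = {"user": user, "pass": otp_pass, "realm": conf["REALM"]}
    if conf.get("RESCONF"):
        data["resConf"] = conf["RESCONF"]  # assumed parameter name
    return conf["URL"], data


def interpret_simplecheck(body):
    """Map LinOTP's reply to an outcome; anything unexpected is 'error', which
    the caller must treat like a rejection (fail closed)."""
    body = body.strip()
    if body == ":-)":
        return "accept"
    if body == ":-(":
        return "reject"
    return "error"


def check_otp(conf, user, otp_pass, timeout=5):
    """Round trip to LinOTP (needs a live server, so it is not run in the test)."""
    url, data = build_simplecheck_request(conf, user, otp_pass)
    req = urllib.request.Request(url, data=urllib.parse.urlencode(data).encode(), method="POST")
    try:
        with urllib.request.urlopen(req, timeout=timeout, context=ssl_context(conf)) as resp:
            return interpret_simplecheck(resp.read().decode("utf-8", "replace"))
    except (urllib.error.URLError, OSError):
        return "error"


if __name__ == "__main__":
    conf = parse_rlm_perl_ini(SAMPLE_INI)
    print(build_simplecheck_request(conf, "alice", "1234567890"))
```

The two design points worth carrying over to the real setup: with SSL_CHECK = False the RADIUS host will talk to anything that answers on the LinOTP address, so once a proper certificate is in place that line should be commented out as the article suggests; and a LinOTP error (timeout, HTTP 500) must end as a reject, never as an accept.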



Next, create the file /etc/freeradius/sites-available/linotp:



 # touch /etc/freeradius/sites-available/linotp
      
      





 # nano /etc/freeradius/sites-available/linotp
      
      





And copy this config into it (nothing in it needs changing):



authorize {
        # normalizes malformed client requests before they are handed on to other modules (see '/etc/freeradius/modules/preprocess')
        preprocess

        # If you are using multiple kinds of realms, you probably
        # want to set "ignore_null = yes" for all of them.
        # Otherwise, when the first style of realm doesn't match,
        # the other styles won't be checked.

        # allows a list of realms (see '/etc/freeradius/modules/realm')
        IPASS

        # understands something like USER@REALM and can tell the components apart (see '/etc/freeradius/modules/realm')
        suffix

        # understands USER\REALM and can tell the components apart (see '/etc/freeradius/modules/realm')
        ntdomain

        # Read the 'users' file to learn about special configuration which should be applied for
        # certain users (see '/etc/freeradius/modules/files')
        files

        # allows authentication to expire (see '/etc/freeradius/modules/expiration')
        expiration

        # allows to define valid service-times (see '/etc/freeradius/modules/logintime')
        logintime

        # We got no radius_shortname_map!
        pap
}

# here the linotp perl module is called for further processing
authenticate {
        perl
}





Next, make a symlink:



 # ln -s ../sites-available/linotp /etc/freeradius/sites-enabled
      
      





Personally, I delete the default RADIUS sites, but if you need them, you can either edit their config or just disable them.



 # rm /etc/freeradius/sites-enabled/default
      
      





 # rm /etc/freeradius/sites-enabled/inner-tunnel
      
      





 # service freeradius reload
      
      





Now back to the web interface, to look at it in more detail:

In the upper right corner, click LinOTP Config -> UserIdResolvers -> New

Choose what we want: LDAP (AD win, LDAP samba), or SQL, or local Flatfile users.



Fill in the required fields.



Next, create REALMS:

In the upper right corner, click LinOTP Config -> Realms -> New.

give our realm a name, and tick the UserIdResolver created earlier.



FreeRadius needs exactly this data in the /etc/linotp2/rlm_perl.ini file described above, so if you have not edited it yet, do it now.



That's it, the server is configured.



Addition:



Setting up LinOTP on Debian 9:



Installation:



 # echo 'deb http://linotp.org/apt/debian stretch linotp' > /etc/apt/sources.list.d/linotp.list
      
      







 # apt-get install dirmngr
      
      





 # apt-key adv --recv-keys 913DFF12F86258E5
      
      







 # apt-get update
      
      





 # apt-get install mysql-server
      
      



(By default, MySQL (MariaDB) on Debian 9 does not offer to set a root password. You can of course leave it blank, but if you follow the news, this very often leads to "epic fails", so we set one anyway.)



 # mysql -u root -p
      
      







 use mysql;
      
      







 UPDATE user SET Password = PASSWORD('_') WHERE User = 'root';
      
      







 exit
      
      







 # apt-get install linotp
      
      







 # apt-get install linotp-adminclient-cli
      
      







 # apt-get install python-ldap
      
      







 # apt install freeradius
      
      







 # nano /etc/freeradius/3.0/sites-enabled/linotp
      
      







We paste the code (sent by JuriM, for which thanks to him!):



server linotp {
        listen {
                ipaddr = *
                port = 1812
                type = auth
        }
        listen {
                ipaddr = *
                port = 1813
                type = acct
        }
        authorize {
                preprocess
                update {
                        &control:Auth-Type := Perl
                }
        }
        authenticate {
                Auth-Type Perl {
                        perl
                }
        }
        accounting {
                unix
        }
}




Edit /etc/freeradius/3.0/mods-enabled/perl:



perl {
        filename = /usr/share/linotp/radius_linotp.pm
        func_authenticate = authenticate
        func_authorize = authorize
}




Unfortunately, on Debian 9 the radius_linotp.pm library is not installed from the repositories, so we take it from GitHub.



 # apt install git
      
      







 # git clone https://github.com/LinOTP/linotp-auth-freeradius-perl
      
      







 # cd linotp-auth-freeradius-perl/
      
      







 # cp radius_linotp.pm /usr/share/linotp/radius_linotp.pm
      
      







Now tweak /etc/freeradius/3.0/clients.conf:



client servers {
        ipaddr = 192.168.188.0/24
        secret = your password
}
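The secret in clients.conf (in both the Debian 8 and the Debian 9 variant above) is the only thing that ties a RADIUS client to this server, so it is worth seeing what it actually protects. The following is an added example, my own code rather than the article's or FreeRADIUS's: it builds an Access-Request the way a NAS (VPN gateway, Cisco ASA, the PAM module) would, hides the PAP User-Password with the shared secret as RFC 2865 section 5.2 prescribes, and decodes it on the server side. The user name, the OTP string and the ident value are constructed; the secret 'passwd' is the article's own. Nothing is sent on the network.

```python
"""Show what the shared secret in clients.conf does on the wire.

Added example, not code from the article or from FreeRADIUS. It builds a RADIUS
Access-Request (RFC 2865) with User-Name and a PAP User-Password, hides the
password with the shared secret as RFC 2865 section 5.2 prescribes, and decodes
it server-side the way FreeRADIUS does. Constructed values: the article's
secret 'passwd', the user 'alice' and the OTP string.
"""
import hashlib
import os
import struct

ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_USER_PASSWORD = 2


def hide_password(password, secret, authenticator):
    """RFC 2865 5.2: pad to 16-byte blocks and XOR each block with
    MD5(secret + previous ciphertext block); the first 'previous block' is the
    16-byte Request Authenticator. This is obfuscation keyed by the secret,
    not real encryption, which is why the secret must be long and random."""
    pw = password.encode()
    if not pw or len(pw) > 128:
        raise ValueError("User-Password must be 1..128 bytes")
    pw += b"\x00" * (-len(pw) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(pw), 16):
        key = hashlib.md5(secret.encode() + prev).digest()
        block = bytes(a ^ b for a, b in zip(pw[i:i + 16], key))
        out += block
        prev = block
    return out


def reveal_password(hidden, secret, authenticator):
    """Inverse of hide_password; with the wrong secret the result is garbage,
    which is how a mismatched clients.conf secret shows up as a reject."""
    if not hidden or len(hidden) % 16:
        raise ValueError("User-Password attribute must be a multiple of 16 bytes")
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret.encode() + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00").decode("utf-8", "replace")


def attribute(attr_type, value):
    """One TLV attribute: type, total length (incl. the 2-byte header), value."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(user, password, secret, ident=0, authenticator=None):
    """Packet as sent by a NAS to FreeRADIUS; the authenticator is random per request."""
    authenticator = authenticator or os.urandom(16)
    attrs = attribute(ATTR_USER_NAME, user.encode())
    attrs += attribute(ATTR_USER_PASSWORD, hide_password(password, secret, authenticator))
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + authenticator + attrs


def parse_access_request(packet, secret):
    """Server side: walk the attributes and recover the PAP password with the
    secret configured for this client. Returns {'user': ..., 'password': ...}."""
    if len(packet) < 20:
        raise ValueError("packet too short")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_REQUEST or length != len(packet):
        raise ValueError("not a well-formed Access-Request")
    authenticator = packet[4:20]
    attrs, pos = {}, 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("malformed attribute length")
        attrs[attr_type] = packet[pos + 2:pos + attr_len]
        pos += attr_len
    return {
        "user": attrs[ATTR_USER_NAME].decode("utf-8", "replace"),
        "password": reveal_password(attrs[ATTR_USER_PASSWORD], secret, authenticator),
    }


if __name__ == "__main__":
    pkt = build_access_request("alice", "1234567890", "passwd")
    print(parse_access_request(pkt, "passwd"))
    print(parse_access_request(pkt, "wrong-secret")["password"])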




Now edit /etc/linotp2/rlm_perl.ini:



Paste the same contents there as for the Debian 8 installation (described above).



That should be everything. (Not tested yet.)



I will leave below a few links on setting up systems, which most often need to be protected by two-factor authentication:

Configuring two-factor authentication in Apache2



Setup with Cisco ASA (another token generation server is used there, but the settings of the ASA itself are the same).



VPN with two-factor authentication



Setting up two-factor authentication for SSH (LinOTP is also used there) - thanks to the author. You can also find interesting things there about configuring LinOTP policies.



Many website CMSs also support two-factor authentication (for WordPress, LinOTP even has its own module on GitHub), for example if you want to create a secure section for company employees on your corporate website.

IMPORTANT FACT! Do NOT tick the "Google Authenticator" checkbox in order to use Google Authenticator! The QR code cannot be read otherwise... (strange fact)



To write the article, information was used from the following articles:

itnan.ru/post.php?c=1&p=270571

www.digitalbears.net/?p=469



Thanks to the authors.


