Thursday, September 1, 2016
VyOS+OpenVPN+MFA
From two-factor authentication (2FA) to multi-factor authentication (MFA)
https://en.wikipedia.org/wiki/Multi-factor_authentication
Multi-factor authentication
Multi-factor authentication (MFA) is a method of computer access control in which a user is only granted access after successfully presenting several separate pieces of evidence to an authentication mechanism - typically at least two of the following categories: knowledge (something they know); possession (something they have), and inherence (something they are).[1][2]
Two-factor authentication (also known as 2FA) is a method of confirming a user's claimed identity by utilizing a combination of two different components. Two-factor authentication is a type of multi-factor authentication.
Two-Factor Authentication (2FA) / Multi-Factor Authentication (MFA)
http://www.darkreading.com/endpoint/pci-dss-32-3-things-you-need-to-know-/d/d-id/1325292
Additional multi-factor authentication.
Verizon's 2016 Data Breach Investigations Report found that 63 percent of confirmed breaches involved weak, default or stolen passwords. The report goes on to recommend that companies avoid single-factor authentication. PCI's Leach says the trend outlined in the Verizon report is why PCI DSS 3.2 requires that system administrators working internally who access a Cardholder Data Environment (CDE) must utilize multi-factor authentication. He says with the threat landscape as dangerous as it is today, single-factor authentication for local access to a CDE is no longer acceptable. Leach adds that multi-factor authentication for remote access to a CDE has been a part of the PCI DSS standard from the outset. Organizations have until February 1, 2018 to comply with this new requirement.
To strengthen the VPN authentication mechanism, the OpenVPN service on VyOS has to be moved from its original 2FA setup to MFA.
The plan is three-factor authentication, account password + certificate + OTP token, to meet the security control requirements.
Many people online are already discussing and using google-authenticator.
It can be used for Linux SSH login, sudo, OpenVPN, FreeRADIUS, and so on;
a quick Google search turns up the different uses.
The GitHub URL is:
https://github.com/google/google-authenticator
However, the latest VyOS release is 1.1.7,
and 1.1.7 is built on Debian 6.0 (squeeze):
http://wiki.vyos.net/wiki/Main_Page
Get the Software
Current stable release: VyOS 1.1.7 (Helium)
Read about the versioning scheme.
Downloads: http://mirror.vyos.net/iso/release/1.1.7.
So, to make it easier to install Debian software and related packages,
I followed https://github.com/vyos/vyos-build/
and built VyOS on a Debian 8 (jessie) base.
https://www.debian.org/releases/
Release index
The next Debian release is codenamed stretch; its release date has not yet been set
Debian 8 (jessie): current stable release
Debian 7 (wheezy): obsolete stable release
Debian 6.0 (squeeze): obsolete stable release
...
The VyOS build process is documented at
https://github.com/vyos/vyos-build/
So I installed a Debian 8.5 Linux machine from debian-8.5.0-amd64-netinst.iso
and used it to build the VyOS ISO:
#cd /usr/local/src
#git clone https://github.com/vyos/vyos-build.git
#cd vyos-build/
#apt-get install python-pystache
#./configure
#make iso
#cd build
root@debian:/usr/local/src/vyos-build/build# ls -la
total 276060
drwxr-sr-x 9 root staff 4096 Sep 1 22:01 .
drwxr-sr-x 8 root staff 4096 Sep 1 21:35 ..
drwxr-sr-x 2 root staff 4096 Sep 1 21:36 auto
drwxr-sr-x 5 root staff 4096 Sep 1 22:01 binary
drwxr-sr-x 2 root staff 4096 Sep 1 22:01 .build
-rw-r--r-- 1 root staff 326 Sep 1 21:36 build-config.json
-rw-r--r-- 1 root staff 351053 Sep 1 22:01 build.log
drwxr-sr-x 7 root staff 4096 Sep 1 21:44 cache
drwxr-xr-x 22 root root 4096 Sep 1 22:01 chroot
-rw-r--r-- 1 root staff 3797140 Sep 1 21:55 chroot.files
-rw-r--r-- 1 root staff 16634 Sep 1 21:55 chroot.packages.install
-rw-r--r-- 1 root staff 16679 Sep 1 21:55 chroot.packages.live
drwxr-sr-x 18 root staff 4096 Sep 1 21:36 config
-rw-r--r-- 1 root staff 483 Sep 1 22:01 live-image-amd64.contents
-rw-r--r-- 1 root staff 3797140 Sep 1 21:59 live-image-amd64.files
-rw-r--r-- 1 root root 273678336 Sep 1 22:01 live-image-amd64.hybrid.iso
-rw-r--r-- 1 root root 935650 Sep 1 22:01 live-image-amd64.hybrid.iso.zsync
-rw-r--r-- 1 root staff 16679 Sep 1 21:59 live-image-amd64.packages
drwxr-sr-x 3 root staff 4096 Sep 1 21:36 local
-rw-r--r-- 1 root staff 17 Sep 1 21:36 version
lrwxrwxrwx 1 root staff 27 Sep 1 22:01 vyos-999.201609012136-amd64.iso -> live-image-amd64.hybrid.iso
root@debian:/usr/local/src/vyos-build/build#
Once the ISO file is built, use it to install VyOS.
After that, add a sources.list and install whatever packages are needed.
root@vyos:~# cat /etc/debian_version
8.5
root@vyos:~# uname -r -a
Linux vyos 4.4.5-amd64-vyos #1 SMP Fri Mar 11 06:56:45 EST 2016 x86_64 GNU/Linux
root@vyos:~#
root@vyos:/etc/apt# pwd
/etc/apt
root@vyos:/etc/apt# cat sources.list
#deb http://dl.google.com/linux/deb/ stable non-free
deb http://ftp.tw.debian.org/debian stable main contrib non-free
root@vyos:/etc/apt#
root@vyos:/etc/apt# apt-get update
root@vyos:/etc/apt# apt-get install libpam-google-authenticator
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following extra packages will be installed:
libqrencode3
The following NEW packages will be installed:
libpam-google-authenticator libqrencode3
0 upgraded, 2 newly installed, 0 to remove and 0 not upgraded.
Need to get 65.8 kB of archives.
After this operation, 216 kB of additional disk space will be used.
Do you want to continue? [Y/n] y
Get:1 http://ftp.tw.debian.org/debian/ stable/main libqrencode3 amd64 3.4.3-1 [33.8 kB]
Get:2 http://ftp.tw.debian.org/debian/ stable/main libpam-google-authenticator amd64 20130529-2 [32.1 kB]
Fetched 65.8 kB in 0s (292 kB/s)
debconf: delaying package configuration, since apt-utils is not installed
Selecting previously unselected package libqrencode3:amd64.
(Reading database ... 48920 files and directories currently installed.)
Preparing to unpack .../libqrencode3_3.4.3-1_amd64.deb ...
Unpacking libqrencode3:amd64 (3.4.3-1) ...
Selecting previously unselected package libpam-google-authenticator.
Preparing to unpack .../libpam-google-authenticator_20130529-2_amd64.deb ...
Unpacking libpam-google-authenticator (20130529-2) ...
Setting up libqrencode3:amd64 (3.4.3-1) ...
Setting up libpam-google-authenticator (20130529-2) ...
Processing triggers for libc-bin (2.19-18+deb8u4) ...
root@vyos:/etc/apt#
With that, VyOS + OpenVPN + MFA is ready.
MFA (account password + certificate + OTP token)
================
The app must first be installed on the phone.
The app is Google Authenticator; search for it in the Google Play store.
URL https://play.google.com/store/apps/details?id=com.google.android.apps.authenticator2&hl=zh_TW
Once the VyOS side is done, a QR code will be provided for the user to scan; reading the QR code with the Google Authenticator app on the phone produces the token.
That number is the VPN OTP token!
From now on the VPN password takes an A + B form:
A is the system password,
B is the token,
and the two joined together form the complete VPN password, as shown in the figure below.
===================
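To make the "system password + token" scheme concrete from the server's side, here is an added example (not from the original post, and not code from the google-authenticator project). It computes RFC 4226 HOTP / RFC 6238 TOTP the way Google Authenticator does, splits the concatenated VPN password the way pam_google_authenticator's forward_pass option does (the trailing six digits are the token, the rest is passed on as the static password), checks both factors, tolerates one time step of clock skew, and refuses a token that was already accepted for its time step. The secret, passwords and timestamps are constructed test values; the secret is the RFC 6238 reference key in base32.

```python
"""Server-side view of "VPN password = system password + OTP token".

Added example, not part of the original post or the google-authenticator
project. Secret, passwords and timestamps below are constructed test values.
"""
import base64
import hashlib
import hmac
import struct
import time

DIGITS = 6   # token length Google Authenticator displays
STEP = 30    # seconds per TOTP time step


def hotp(key, counter, digits=DIGITS):
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def decode_secret(secret_b32):
    """Google Authenticator stores the shared secret as unpadded base32."""
    s = secret_b32.strip().upper()
    return base64.b32decode(s + "=" * (-len(s) % 8))


def totp(secret_b32, at, step=STEP):
    """RFC 6238: HOTP with counter = floor(unix_time / step)."""
    return hotp(decode_secret(secret_b32), int(at) // step)


def split_password(combined, digits=DIGITS):
    """Return (static_password, token), or (None, None) if no token is attached."""
    if len(combined) <= digits or not combined[-digits:].isdigit():
        return None, None
    return combined[:-digits], combined[-digits:]


def verify(combined, secret_b32, system_password, at=None, window=1, used=None):
    """Accept only if both factors check out.

    - the static part must equal the system password (constant-time compare)
    - the token must match TOTP for the current step or +/- `window` steps
    - when a `used` set is supplied, a time step whose token was already
      accepted is refused (replay guard, like the PAM module's
      disallow-reuse behaviour)
    """
    static, token = split_password(combined)
    if static is None:
        return False
    ok_static = hmac.compare_digest(static.encode(), system_password.encode())
    now = int(time.time()) if at is None else int(at)
    key = decode_secret(secret_b32)
    matched_step = None
    for delta in range(-window, window + 1):
        step = now // STEP + delta
        if hmac.compare_digest(token, hotp(key, step)):
            matched_step = step
            break
    if matched_step is None or not ok_static:
        return False
    if used is not None:
        if matched_step in used:
            return False
        used.add(matched_step)
    return True


# Constructed values: the RFC 6238 reference key "12345678901234567890" in base32.
SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
SYSTEM_PASSWORD = "Secret!"


def demo():
    """Run the scheme at a fixed instant (t=59, time step 1) and return the outcomes."""
    token = totp(SECRET_B32, 59)           # "287082" (RFC 6238 test vector)
    good = SYSTEM_PASSWORD + token
    used = set()
    first = verify(good, SECRET_B32, SYSTEM_PASSWORD, at=59, used=used)
    replay = verify(good, SECRET_B32, SYSTEM_PASSWORD, at=59, used=used)
    wrong_static = verify("Wrong!" + token, SECRET_B32, SYSTEM_PASSWORD, at=59)
    # "969429" is the code for step 3, outside the +/-1 window around step 1
    stale = verify(SYSTEM_PASSWORD + "969429", SECRET_B32, SYSTEM_PASSWORD, at=59)
    return {"token": token, "first": first, "replay": replay,
            "wrong_static": wrong_static, "stale": stale}


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Two design points matter in practice: both factors are evaluated before returning, so a failed static password does not short-circuit and leak which half was wrong through timing, and the replay guard is keyed on the time step rather than the token string, so the same code cannot be presented twice within its validity window.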
Certificate generation
root@vyos:/usr/share/easy-rsa# pwd
/usr/share/easy-rsa
root@vyos:/usr/share/easy-rsa# ls -la
total 55
drwxr-xr-x 2 root root 406 Sep 2 09:54 .
drwxr-xr-x 1 root root 4096 Sep 2 10:45 ..
-rwxr-xr-x 1 root root 119 Jan 7 2014 build-ca
-rwxr-xr-x 1 root root 352 Jan 7 2014 build-dh
-rwxr-xr-x 1 root root 188 Jan 7 2014 build-inter
-rwxr-xr-x 1 root root 163 Jan 7 2014 build-key
-rwxr-xr-x 1 root root 157 Jan 7 2014 build-key-pass
-rwxr-xr-x 1 root root 249 Jan 7 2014 build-key-pkcs12
-rwxr-xr-x 1 root root 268 Jan 7 2014 build-key-server
-rwxr-xr-x 1 root root 213 Jan 7 2014 build-req
-rwxr-xr-x 1 root root 158 Jan 7 2014 build-req-pass
-rwxr-xr-x 1 root root 449 Jan 7 2014 clean-all
-rwxr-xr-x 1 root root 1471 Jan 7 2014 inherit-inter
-rwxr-xr-x 1 root root 302 Jan 7 2014 list-crl
-rw-r--r-- 1 root root 7859 Jan 7 2014 openssl-0.9.6.cnf
-rw-r--r-- 1 root root 8416 Jan 7 2014 openssl-0.9.8.cnf
-rw-r--r-- 1 root root 8313 Jan 7 2014 openssl-1.0.0.cnf
-rwxr-xr-x 1 root root 13246 Jan 7 2014 pkitool
-rwxr-xr-x 1 root root 1035 Jan 7 2014 revoke-full
-rwxr-xr-x 1 root root 178 Jan 7 2014 sign-req
-rw-r--r-- 1 root root 2077 Jan 7 2014 vars
-rwxr-xr-x 1 root root 740 Jan 7 2014 whichopensslcnf
root@vyos:/usr/share/easy-rsa#
Other references
http://xrcd2.blogspot.tw/2016/01/cisco-radius-otp.html
http://xrcd2.blogspot.tw/2015/03/vyos-openvpn-plugin-otp-sop.html
VyOS ( fork of Vyatta Core )
https://en.wikipedia.org/wiki/Vyatta
https://en.wikipedia.org/wiki/VyOS
http://wiki.vyos.net/wiki/Main_Page
https:///vyos.io