Thursday, September 1, 2016

VyOS+OpenVPN+MFA



From two-factor authentication (2FA) to multi-factor authentication (MFA)

https://en.wikipedia.org/wiki/Multi-factor_authentication

Multi-factor authentication


Multi-factor authentication (MFA) is a method of computer access control in which a user is
only granted access after successfully presenting several separate pieces of evidence to an authentication mechanism - typically at least two of the following categories: knowledge (something they know); possession (something they have), and inherence (something they are).[1][2]

Two-factor authentication (also known as 2FA) is a method of confirming a user's claimed identity
by utilizing a combination of two different components. Two-factor authentication is a type of
multi-factor authentication.



Two-Factor Authentication (2FA) / Multi-Factor Authentication (MFA)



http://www.darkreading.com/endpoint/pci-dss-32-3-things-you-need-to-know-/d/d-id/1325292


Additional multi-factor authentication.

Verizon's 2016 Data Breach Investigations Report found that 63 percent of confirmed breaches involved weak, default or stolen passwords. The report goes on to recommend that companies avoid single-factor authentication. PCI's Leach says the trend outlined in the Verizon report is why PCI DSS 3.2 requires that system administrators working internally who access a Cardholder Data Environment (CDE) must utilize multi-factor authentication. He says with the threat landscape as dangerous as it is today, single-factor authentication for local access to a CDE is no longer acceptable. Leach adds that multi-factor authentication for remote access to a CDE has been a part of the PCI DSS standard from the outset. Organizations have until February 1, 2018 to comply with this new requirement.


To strengthen the VPN authentication mechanism, the OpenVPN service on VyOS needs to move from the original 2FA to MFA.


The plan is three-factor authentication: username/password + certificate + OTP token, to meet the security-control requirements.
Many people online already discuss and use google-authenticator.
It can be used for Linux ssh login, sudo, OpenVPN, freeradius, and so on.

A quick Google search will turn up the various ways it is used.

The GitHub URL is:

https://github.com/google/google-authenticator


However, the latest VyOS release is 1.1.7,
and the Linux kernel that 1.1.7 ships with by default is the Debian 6.0 (squeeze) one.

http://wiki.vyos.net/wiki/Main_Page

Get the Software
Current stable release: VyOS 1.1.7 (Helium)

Read about the versioning scheme.

Downloads: http://mirror.vyos.net/iso/release/1.1.7.


So, to make it easier to add Debian software and related packages,
I followed https://github.com/vyos/vyos-build/
and built VyOS on a Debian 8 (jessie) kernel.


https://www.debian.org/releases/

Release index

The next major Debian release is codenamed stretch; its release date has not yet been determined
Debian 8 (jessie) — current stable release
Debian 7 (wheezy) — obsolete stable release
Debian 6.0 (squeeze) — obsolete stable release

.......


The VyOS build procedure is described at

https://github.com/vyos/vyos-build/

So I installed a Debian 8.5 Linux box from debian-8.5.0-amd64-netinst.iso
and used it to build the VyOS ISO.


#cd /usr/local/src
#git clone https://github.com/vyos/vyos-build.git
#cd vyos-build/
#apt-get install python-pystache
#./configure
#make iso
#cd build

root@debian:/usr/local/src/vyos-build/build# ls -la
total 276060
drwxr-sr-x  9 root staff      4096 Sep  1 22:01 .
drwxr-sr-x  8 root staff      4096 Sep  1 21:35 ..
drwxr-sr-x  2 root staff      4096 Sep  1 21:36 auto
drwxr-sr-x  5 root staff      4096 Sep  1 22:01 binary
drwxr-sr-x  2 root staff      4096 Sep  1 22:01 .build
-rw-r--r--  1 root staff       326 Sep  1 21:36 build-config.json
-rw-r--r--  1 root staff    351053 Sep  1 22:01 build.log
drwxr-sr-x  7 root staff      4096 Sep  1 21:44 cache
drwxr-xr-x 22 root root       4096 Sep  1 22:01 chroot
-rw-r--r--  1 root staff   3797140 Sep  1 21:55 chroot.files
-rw-r--r--  1 root staff     16634 Sep  1 21:55 chroot.packages.install
-rw-r--r--  1 root staff     16679 Sep  1 21:55 chroot.packages.live
drwxr-sr-x 18 root staff      4096 Sep  1 21:36 config
-rw-r--r--  1 root staff       483 Sep  1 22:01 live-image-amd64.contents
-rw-r--r--  1 root staff   3797140 Sep  1 21:59 live-image-amd64.files
-rw-r--r--  1 root root  273678336 Sep  1 22:01 live-image-amd64.hybrid.iso
-rw-r--r--  1 root root     935650 Sep  1 22:01 live-image-amd64.hybrid.iso.zsync
-rw-r--r--  1 root staff     16679 Sep  1 21:59 live-image-amd64.packages
drwxr-sr-x  3 root staff      4096 Sep  1 21:36 local
-rw-r--r--  1 root staff        17 Sep  1 21:36 version
lrwxrwxrwx  1 root staff        27 Sep  1 22:01 vyos-999.201609012136-amd64.iso -> live-image-amd64.hybrid.iso
root@debian:/usr/local/src/vyos-build/build# 



Once the ISO file is built, use it to install VyOS...





Then you can add a sources.list entry and install whatever else you need...


root@vyos:~# cat /etc/debian_version
8.5
root@vyos:~# uname -r -a
Linux vyos 4.4.5-amd64-vyos #1 SMP Fri Mar 11 06:56:45 EST 2016 x86_64 GNU/Linux
root@vyos:~#



root@vyos:/etc/apt# pwd
/etc/apt
root@vyos:/etc/apt# cat sources.list
#deb http://dl.google.com/linux/deb/ stable non-free
deb http://ftp.tw.debian.org/debian stable main contrib non-free
root@vyos:/etc/apt#

root@vyos:/etc/apt# apt-get update


root@vyos:/etc/apt# apt-get install libpam-google-authenticator
Reading package lists... Done
Building dependency tree    
Reading state information... Done
The following extra packages will be installed:
  libqrencode3
The following NEW packages will be installed:
  libpam-google-authenticator libqrencode3
0 upgraded, 2 newly installed, 0 to remove and 0 not upgraded.
Need to get 65.8 kB of archives.
After this operation, 216 kB of additional disk space will be used.
Do you want to continue? [Y/n] y
Get:1 http://ftp.tw.debian.org/debian/ stable/main libqrencode3 amd64 3.4.3-1 [33.8 kB]
Get:2 http://ftp.tw.debian.org/debian/ stable/main libpam-google-authenticator amd64 20130529-2 [32.1 kB]
Fetched 65.8 kB in 0s (292 kB/s)                    
debconf: delaying package configuration, since apt-utils is not installed
Selecting previously unselected package libqrencode3:amd64.
(Reading database ... 48920 files and directories currently installed.)
Preparing to unpack .../libqrencode3_3.4.3-1_amd64.deb ...
Unpacking libqrencode3:amd64 (3.4.3-1) ...
Selecting previously unselected package libpam-google-authenticator.
Preparing to unpack .../libpam-google-authenticator_20130529-2_amd64.deb ...
Unpacking libpam-google-authenticator (20130529-2) ...
Setting up libqrencode3:amd64 (3.4.3-1) ...
Setting up libpam-google-authenticator (20130529-2) ...
Processing triggers for libc-bin (2.19-18+deb8u4) ...
root@vyos:/etc/apt#


With that in place, VyOS + OpenVPN + MFA is ready to use.

MFA (username/password + certificate + OTP token)

================


The matching app must first be installed on the user's phone:

The app is called Google Authenticator and can be found by searching the Google Play store.

URL https://play.google.com/store/apps/details?id=com.google.android.apps.authenticator2&hl=zh_TW

Once the VyOS side is finished, a QR code will be provided for the user to scan; reading the QR code with the Google Authenticator app on the phone will then produce the token.
That number is the VPN OTP token!

From now on the VPN password takes an A+B form:
A is the system password,
B is the token,
and joined together they form the complete VPN password, as shown in the figure below!
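As an added illustration (not code from the original post) of how the server side consumes the A+B password: the receiving end peels off the trailing 6 digits as the OTP, checks them as an RFC 6238 TOTP against the user's base32 secret (allowing one time step of clock drift), and checks the remainder as the system password. This is the same split the google-authenticator PAM module performs with its forward_pass option; the secret and password below are constructed demo values.

```python
import base64
import hashlib
import hmac
import struct
import time

# Constructed demo values (assumptions, not from the post): a base32 secret of the
# kind google-authenticator stores in ~/.google_authenticator, plus a system password.
DEMO_SECRET_B32 = "JBSWY3DPEHPK3PXP"
DEMO_SYSTEM_PASSWORD = "s3cret-pass"
TIME_STEP = 30   # seconds per TOTP step (Google Authenticator default)
DIGITS = 6       # token length (Google Authenticator default)


def hotp(secret_b32: str, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    key = base64.b32decode(secret_b32.upper() + "=" * (-len(secret_b32) % 8))
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, unix_time: int, step: int = TIME_STEP) -> str:
    """RFC 6238 TOTP: HOTP with the counter taken from the current time step."""
    return hotp(secret_b32, unix_time // step)


def split_vpn_password(combined: str, digits: int = DIGITS):
    """Split 'A+B' into (A = system password, B = trailing OTP token); None if malformed."""
    if len(combined) <= digits or not combined[-digits:].isdigit():
        return None
    return combined[:-digits], combined[-digits:]


def verify_vpn_password(combined: str, system_password: str, secret_b32: str,
                        unix_time: int, window: int = 1) -> bool:
    """Accept only if part A matches the system password AND part B is the TOTP for
    the current step or one of the +/- `window` neighbouring steps (phone clock drift)."""
    parts = split_vpn_password(combined)
    if parts is None:
        return False
    password, token = parts
    if not hmac.compare_digest(password, system_password):
        return False
    counter = unix_time // TIME_STEP
    return any(hmac.compare_digest(token, hotp(secret_b32, counter + d))
               for d in range(-window, window + 1))


if __name__ == "__main__":
    now = int(time.time())
    combined = DEMO_SYSTEM_PASSWORD + totp(DEMO_SECRET_B32, now)   # what the user types
    print(combined, "->", verify_vpn_password(combined, DEMO_SYSTEM_PASSWORD, DEMO_SECRET_B32, now))
```

The test vectors used below are the RFC 6238 SHA-1 ones (ASCII secret "12345678901234567890" in base32), so the TOTP half can be checked independently of any wall clock.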





===================

Certificate creation

root@vyos:/usr/share/easy-rsa# pwd
/usr/share/easy-rsa
root@vyos:/usr/share/easy-rsa# ls -la
total 55
drwxr-xr-x 2 root root   406 Sep  2 09:54 .
drwxr-xr-x 1 root root  4096 Sep  2 10:45 ..
-rwxr-xr-x 1 root root   119 Jan  7  2014 build-ca
-rwxr-xr-x 1 root root   352 Jan  7  2014 build-dh
-rwxr-xr-x 1 root root   188 Jan  7  2014 build-inter
-rwxr-xr-x 1 root root   163 Jan  7  2014 build-key
-rwxr-xr-x 1 root root   157 Jan  7  2014 build-key-pass
-rwxr-xr-x 1 root root   249 Jan  7  2014 build-key-pkcs12
-rwxr-xr-x 1 root root   268 Jan  7  2014 build-key-server
-rwxr-xr-x 1 root root   213 Jan  7  2014 build-req
-rwxr-xr-x 1 root root   158 Jan  7  2014 build-req-pass
-rwxr-xr-x 1 root root   449 Jan  7  2014 clean-all
-rwxr-xr-x 1 root root  1471 Jan  7  2014 inherit-inter
-rwxr-xr-x 1 root root   302 Jan  7  2014 list-crl
-rw-r--r-- 1 root root  7859 Jan  7  2014 openssl-0.9.6.cnf
-rw-r--r-- 1 root root  8416 Jan  7  2014 openssl-0.9.8.cnf
-rw-r--r-- 1 root root  8313 Jan  7  2014 openssl-1.0.0.cnf
-rwxr-xr-x 1 root root 13246 Jan  7  2014 pkitool
-rwxr-xr-x 1 root root  1035 Jan  7  2014 revoke-full
-rwxr-xr-x 1 root root   178 Jan  7  2014 sign-req
-rw-r--r-- 1 root root  2077 Jan  7  2014 vars
-rwxr-xr-x 1 root root   740 Jan  7  2014 whichopensslcnf
root@vyos:/usr/share/easy-rsa#


Other references


http://xrcd2.blogspot.tw/2016/01/cisco-radius-otp.html

http://xrcd2.blogspot.tw/2015/03/vyos-openvpn-plugin-otp-sop.html

VyOS (fork of Vyatta Core)

https://en.wikipedia.org/wiki/Vyatta

https://en.wikipedia.org/wiki/VyOS

http://wiki.vyos.net/wiki/Main_Page

https://vyos.io




