VyOS OpenVpn Plugin OTP SOP
About OTP
http://zh.wikipedia.org/wiki/%E4%B8%80%E6%AC%A1%E6%80%A7%E5%AF%86%E7%A2%BC
One-time password
A one-time password (OTP), also called a dynamic password, is a password that can be used only once. Ordinary static passwords are easily stolen by trojans, keyloggers and similar programs, and given enough time they can also be brute-forced. One-time passwords were developed as a solution to how easily ordinary passwords are compromised.
Principle
One-time passwords are generated mainly using time as the synchronisation condition between the server and the password generator. When a login is required, the generator produces a one-time password. OTPs generally come in two kinds, counter-based and time-based. A counter-based OTP, once produced, can be used without any time limit; a time-based OTP has a configurable validity period, ranging from 30 seconds to two minutes [1]. Once an OTP has been used for authentication it is discarded, and the next authentication must use a new password, which makes unauthorised access to restricted resources harder.
Advantages
One-time password solutions have the following advantages:
They remove the difficulty users have in memorising and safeguarding passwords.
Because each password can be used only once and is generated dynamically, it is unpredictable and valid for a single use, which greatly raises the level of security.
Because of these advantages, more and more banks, financial institutions and even game companies use OTP solutions to better protect their users.
Adding a Debian APT repository on VyOS
Reference
http://vyos.net/wiki/FAQ (adding a repository)
Usage
How do I install debian packages?
First configure repositories. The Hydrogen release will be based on Debian Squeeze so:
set system package repository squeeze components 'main contrib non-free'
set system package repository squeeze distribution 'squeeze'
set system package repository squeeze url 'http://mirrors.kernel.org/debian'
Squeeze is not supported anymore, however Helium has some packages from Squeeze Long Term Support so:
set system package repository squeeze-lts components 'main contrib non-free'
set system package repository squeeze-lts distribution 'squeeze-lts'
set system package repository squeeze-lts url 'http://mirrors.kernel.org/debian'
In case you need more modern software, or software that isn't available in squeeze by default, add
set system package repository squeeze-backports components main
set system package repository squeeze-backports distribution squeeze-backports
set system package repository squeeze-backports url 'http://backports.debian.org/debian-backports'
Then do "sudo apt-get update" and you can install packages with "sudo apt-get install xxxxxxx" as usual
Installing the Google Authenticator module
Reference https://www.linux.com/community/blogs/133-general-linux/783135-securing-ssh-with-two-factor-authentication-using-google-authenticator
#apt-get install libpam0g-dev
#apt-get install make gcc wget
Installing libpam-google-authenticator-1.0-source.tar.bz2
First install bzip2, which is used to extract the .tar.bz2 file
root@vyos:/home/vyos# apt-get install bzip2
Reading package lists... Done
Building dependency tree
Reading state information... Done
Suggested packages:
bzip2-doc
The following NEW packages will be installed:
bzip2
0 upgraded, 1 newly installed, 0 to remove and 40 not upgraded.
Need to get 47.4 kB of archives.
After this operation, 160 kB of additional disk space will be used.
Get:1 http://mirrors.kernel.org/debian/ squeeze/main bzip2 i386 1.0.5-6+squeeze1 [47.4 kB]
Fetched 47.4 kB in 0s (48.7 kB/s)
Selecting previously deselected package bzip2.
(Reading database ... 40785 files and directories currently installed.)
Unpacking bzip2 (from .../bzip2_1.0.5-6+squeeze1_i386.deb) ...
Processing triggers for man-db ...
Setting up bzip2 (1.0.5-6+squeeze1) ...
root@vyos:/home/vyos#
Download and install libpam-google-authenticator-1.0-source.tar.bz2
root@vyos:/home/vyos# wget http://google-authenticator.googlecode.com/files/libpam-google-authenticator-1.0-source.tar.bz2
--2015-03-30 17:34:56-- http://google-authenticator.googlecode.com/files/libpam-google-authenticator-1.0-source.tar.bz2
Resolving google-authenticator.googlecode.com... 173.194.72.82, 2404:6800:4008:c05::52
Connecting to google-authenticator.googlecode.com|173.194.72.82|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 32708 (32K) [application/x-bzip2]
Saving to: `libpam-google-authenticator-1.0-source.tar.bz2'
100%[======================================================================================================================================>] 32,708 128K/s in 0.2s
2015-03-30 17:34:56 (128 KB/s) - `libpam-google-authenticator-1.0-source.tar.bz2' saved [32708/32708]
Extract
root@vyos:/home/vyos# tar -xjvf libpam-google-authenticator-1.0-source.tar.bz2
libpam-google-authenticator-1.0/base32.c
libpam-google-authenticator-1.0/demo.c
libpam-google-authenticator-1.0/google-authenticator.c
libpam-google-authenticator-1.0/hmac.c
libpam-google-authenticator-1.0/pam_google_authenticator.c
libpam-google-authenticator-1.0/pam_google_authenticator_unittest.c
libpam-google-authenticator-1.0/sha1.c
libpam-google-authenticator-1.0/base32.h
libpam-google-authenticator-1.0/hmac.h
libpam-google-authenticator-1.0/sha1.h
libpam-google-authenticator-1.0/totp.html
libpam-google-authenticator-1.0/Makefile
libpam-google-authenticator-1.0/FILEFORMAT
libpam-google-authenticator-1.0/README
libpam-google-authenticator-1.0/utc-time/
libpam-google-authenticator-1.0/utc-time/app.yaml
libpam-google-authenticator-1.0/utc-time/utc-time.py
root@vyos:/home/vyos# cd libpam-google-authenticator-1.0/
root@vyos:/home/vyos/libpam-google-authenticator-1.0#
root@vyos:/home/vyos/libpam-google-authenticator-1.0# ls -la
total 180
drwxr-xr-x 3 root root 4096 Mar 30 17:35 .
drwxr-xr-x 4 vyos users 4096 Mar 30 17:35 ..
-rw-rw-r-- 1 root root 2632 May 15 2012 FILEFORMAT
-rw-rw-r-- 1 root root 4915 May 15 2012 Makefile
-rw-rw-r-- 1 root root 4519 May 15 2012 README
-rw-rw-r-- 1 root root 2471 May 15 2012 base32.c
-rw-rw-r-- 1 root root 1387 May 15 2012 base32.h
-rw-rw-r-- 1 root root 4737 May 15 2012 demo.c
-rw-rw-r-- 1 root root 24608 May 15 2012 google-authenticator.c
-rw-rw-r-- 1 root root 2495 May 15 2012 hmac.c
-rw-rw-r-- 1 root root 919 May 15 2012 hmac.h
-rw-rw-r-- 1 root root 48300 May 15 2012 pam_google_authenticator.c
-rw-rw-r-- 1 root root 19257 May 15 2012 pam_google_authenticator_unittest.c
-rw-rw-r-- 1 root root 11201 May 15 2012 sha1.c
-rw-rw-r-- 1 root root 1189 May 15 2012 sha1.h
-rw-rw-r-- 1 root root 9422 May 15 2012 totp.html
drwxrwxr-x 2 root root 4096 May 15 2012 utc-time
root@vyos:/home/vyos/libpam-google-authenticator-1.0#
Next, as root, run: make && make install
If it succeeds, you will see output like this
cp pam_google_authenticator.so /lib/security
cp google-authenticator /usr/local/bin
which means google-authenticator is now ready to use
Next, declare it so that OpenVPN can use it: the file created under /etc/pam.d (here named openvpn) is the PAM service name that the openvpn-auth-pam plugin is given as its argument in the OpenVPN configuration below
Reference http://joepaetzel.com/2014/05/20/enable-multi-factor-authentication-for-openvpn/
root@vyos:/etc/pam.d# pwd
/etc/pam.d
root@vyos:/etc/pam.d# vi openvpn
auth required /lib/security/pam_google_authenticator.so
root@vyos:/etc/pam.d#
Next, enable OTP for each individual account (run google-authenticator as that user, since it writes the secret into the user's home directory)
root@vyos:/home/vyos/libpam-google-authenticator-1.0# sudo su - xxtony
ebtony@vyos:~$ pwd
/home/xxtony
xxtony@vyos:~$ google-authenticator
OpenVPN configuration on VyOS
Xshell:\> ssh 192.168.xxx.xxx
Connecting to 192.168.xxx.xxx:22...
Connection established.
To escape to local shell, press 'Ctrl+Alt+]'.
Welcome to VyOS
Linux vyos 3.13.11-1-586-vyos #1 SMP Fri Feb 27 21:24:23 UTC 2015 i686
Welcome to VyOS.
This system is open-source software. The exact distribution terms for
each module comprising the full system are described in the individual
files in /usr/share/doc/*/copyright.
Last login: Mon Mar 30 16:52:23 2015 from 192.168.xxx.xxx
vyos@vyos:~$ show configuration commands
set interfaces ethernet eth0 address '192.168.xxx.xxx/24'
set interfaces ethernet eth0 duplex 'auto'
set interfaces ethernet eth0 hw-id '00:0c:29:69:2c:9b'
set interfaces ethernet eth0 smp_affinity 'auto'
set interfaces ethernet eth0 speed 'auto'
set interfaces loopback 'lo'
set interfaces openvpn vtun0 encryption 'aes128'
set interfaces openvpn vtun0 hash 'sha1'
set interfaces openvpn vtun0 local-port '1194'
set interfaces openvpn vtun0 mode 'server'
set interfaces openvpn vtun0 openvpn-option '--reneg-sec 0 --duplicate-cn --comp-lzo --inactive 120 --plugin /usr/lib/openvpn/openvpn-auth-pam.so openvpn --username-as-common-name'
set interfaces openvpn vtun0 protocol 'tcp-passive'
set interfaces openvpn vtun0 server push-route '192.168.1xx.0/24'
set interfaces openvpn vtun0 server push-route '192.168.1.0/24'
set interfaces openvpn vtun0 server subnet '192.168.200.0/28'
set interfaces openvpn vtun0 tls ca-cert-file '/config/auth/keys/ca.crt'
set interfaces openvpn vtun0 tls cert-file '/config/auth/keys/vpn01.crt'
set interfaces openvpn vtun0 tls dh-file '/config/auth/keys/dh1024.pem'
set interfaces openvpn vtun0 tls key-file '/config/auth/keys/vpn01.key'
set nat source rule 10 destination address '0.0.0.0/0'
set nat source rule 10 outbound-interface 'eth0'
set nat source rule 10 protocol 'all'
set nat source rule 10 source address '192.168.200.0/24'
set nat source rule 10 translation address 'masquerade'
set protocols static route 0.0.0.0/0 next-hop '192.168.xxx.254'
set service ssh 'allow-root'
set service ssh port '22'
set system config-management commit-revisions '20'
set system console device ttyS0 speed '9600'
set system host-name 'vyos'
set system login user xxtony authentication encrypted-password '$6$fQ3aoaQ.AwIwMx$g53v4npApNW9ueefVoZ8QvEwcGZZQwvuu7xG6S9mYhyKBoGIA0HVHasbUbDQz9TxW726RagOZlVL.Th/8FhUc.'
set system login user xxtony authentication plaintext-password ''
set system login user xxtony level 'admin'
set system login user vyos authentication encrypted-password '$1$WEiLV3hz$rVSlk.8f2iRTs99rhWI1t.'
set system login user vyos level 'admin'
set system name-server '168.95.1.1'
set system ntp server 168.95.195.12 'prefer'
set system package auto-sync '1'
set system package repository community components 'main'
set system package repository community distribution 'helium'
set system package repository community password ''
set system package repository community url 'http://packages.vyos.net/vyos'
set system package repository community username ''
set system package repository squeeze components 'main contrib non-free'
set system package repository squeeze distribution 'squeeze'
set system package repository squeeze password ''
set system package repository squeeze url 'http://mirrors.kernel.org/debian'
set system package repository squeeze username ''
set system package repository squeeze-backports components 'main'
set system package repository squeeze-backports distribution 'squeeze-backports'
set system package repository squeeze-backports password ''
set system package repository squeeze-backports url 'http://backports.debian.org/debian-backports'
set system package repository squeeze-backports username ''
set system package repository squeeze-lts components 'main contrib non-free'
set system package repository squeeze-lts distribution 'squeeze-lts'
set system package repository squeeze-lts password ''
set system package repository squeeze-lts url 'http://mirrors.kernel.org/debian'
set system package repository squeeze-lts username ''
set system syslog global facility all level 'notice'
set system syslog global facility protocols level 'debug'
set system time-zone 'Asia/Taipei'
Install the Google Authenticator app on the phone
https://support.google.com/accounts/answer/1066447?hl=zh-Hant
https://play.google.com/store/apps/details?id=com.google.android.apps.authenticator2&hl=zh_TW
Use the Google Authenticator app on the phone to scan the QR code that google-authenticator produced on the OS.
The code the app then shows is the OpenVPN OTP.
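As an added example (not part of this SOP or of the google-authenticator project), the TOTP computation behind both the OTP principle described at the top and the code the phone app shows after scanning the QR code: the QR encodes an otpauth:// URI with a base32 secret, both sides compute HMAC-SHA1(secret, floor(time/30)) and truncate to six digits, and the server accepts the previous, current and next code (the PAM module's default WINDOW_SIZE of 3). The secret is the RFC 6238 test vector and the label xxtony@vyos is a constructed sample.

```python
import base64
import hashlib
import hmac
import struct
from urllib.parse import parse_qs, unquote, urlparse

STEP = 30    # seconds per time step (google-authenticator default)
DIGITS = 6   # code length shown by the phone app


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def decode_secret(secret_b32: str) -> bytes:
    """google-authenticator writes the base32 secret without '=' padding."""
    s = secret_b32.strip().upper()
    return base64.b32decode(s + "=" * (-len(s) % 8))


def totp(secret_b32: str, at: int, step: int = STEP) -> str:
    """RFC 6238: HOTP with the counter set to floor(unix_time / step)."""
    return hotp(decode_secret(secret_b32), at // step)


def verify(secret_b32: str, code: str, at: int, window: int = 1) -> bool:
    """Server side: accept the code of any step within +/- window of now
    (window=1 matches the PAM module's default WINDOW_SIZE 3), compared in
    constant time. Replay rejection of an already-used code is not shown."""
    return any(
        hmac.compare_digest(totp(secret_b32, at + k * STEP), code)
        for k in range(-window, window + 1)
    )


def parse_otpauth(uri: str) -> dict:
    """What the QR code encodes: otpauth://totp/<label>?secret=<base32>."""
    u = urlparse(uri)
    if u.scheme != "otpauth" or u.netloc != "totp":
        raise ValueError("not a TOTP otpauth URI")
    return {"label": unquote(u.path.lstrip("/")),
            "secret": parse_qs(u.query)["secret"][0]}


# Constructed sample URI (hypothetical label, RFC 6238 test secret).
SAMPLE_URI = "otpauth://totp/xxtony@vyos?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
```

Feeding parse_otpauth(SAMPLE_URI)["secret"] and the current unix time to totp() yields the same six digits the phone app would display for that secret.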
End