Linux SSO (Single Sign-On) + OTP [Open Source Solution]
Linux IPA Server (similar to Windows AD):
a user's personal domain account can SSO (Single Sign-On) onto any Linux host that has joined the IPA domain
(IPA client OSes also supported: Linux / AIX / HP-UX / Windows ..)
Windows: http://www.freeipa.org/page/Windows_authentication_against_FreeIPA
Configuring a Microsoft Windows System to Join the FreeIPA Realm
http://docs.fedoraproject.org/en-US/Fedora/17/html/FreeIPA_Guide/Configuring_Microsoft_Windows.html
The Linux SSO solution: IPA
About IPA (Identity, Policy, Audit)
http://www.freeipa.org/page/Main_Page
Also called IdM Server (Identity Management Server)
Architecture diagram
http://sexysexypenguins.com/wp-content/uploads/2014/10/ipa-components-590x444.png
About OTP (TOTP, https://tools.ietf.org/html/rfc6238)
The OTP solution
FreeOTP (https://fedorahosted.org/freeotp/) can be used,
with the mobile app acting as the token
IPA 4.0 can be combined with OTP (FreeOTP, https://fedorahosted.org/freeotp/)
to form an account and credential management environment with SSO + OTP
Fuller OTP support begins with IPA 4.0 (http://www.freeipa.org/page/V4/OTP)
Taking CentOS 7.x as an example, the packages that may be installed are as follows:
[root@centos7 /]# rpm -qa | grep ipa
device-mapper-multipath-0.4.9-77.el7.x86_64
libipa_hbac-python-1.12.2-58.el7_1.6.x86_64
python-iniparse-0.4-9.el7.noarch
device-mapper-multipath-libs-0.4.9-77.el7.x86_64
ipa-admintools-4.1.0-18.el7.centos.3.x86_64
ipa-client-4.1.0-18.el7.centos.3.x86_64
libipa_hbac-1.12.2-58.el7_1.6.x86_64
ipa-server-4.1.0-18.el7.centos.3.x86_64
ipa-python-4.1.0-18.el7.centos.3.x86_64
sssd-ipa-1.12.2-58.el7_1.6.x86_64
[root@centos7 /]#
After installation and configuration, you can check whether IPA is running normally in the following ways
IPA server status
[root@centos7 /]# ipactl status
Directory Service: RUNNING
krb5kdc Service: RUNNING
kadmin Service: RUNNING
named Service: RUNNING
ipa_memcached Service: RUNNING
httpd Service: RUNNING
pki-tomcatd Service: RUNNING
ipa-otpd Service: RUNNING
ipa: INFO: The ipactl command was successful
[root@centos7 /]#
IPA server listening ports
[root@centos7 /]# nmap 127.0.0.1
Starting Nmap 6.40 ( http://nmap.org ) at 2015-04-14 16:26 CST
Nmap scan report for localhost (127.0.0.1)
Host is up (0.0000010s latency).
Not shown: 987 closed ports
PORT STATE SERVICE
22/tcp open ssh
25/tcp open smtp
53/tcp open domain
80/tcp open http
88/tcp open kerberos-sec
389/tcp open ldap
443/tcp open https
464/tcp open kpasswd5
636/tcp open ldapssl
749/tcp open kerberos-adm
8009/tcp open ajp13
8080/tcp open http-proxy
8443/tcp open https-alt
Nmap done: 1 IP address (1 host up) scanned in 0.10 seconds
[root@centos7 /]#
Other related information:
For installing and configuring a CentOS IPA Server, see
Red Hat Enterprise Linux 6 Identity Management Guide
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/index.html
or
Red Hat Enterprise Linux 7 Linux Domain Identity, Authentication, and Policy Guide
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/index.html
or the FreeIPA documentation URL
https://www.freeipa.org/page/Documentation
For migrating RHEL/CentOS 6.x to 7.x [IPA 3.x --> IPA 4.x]
(MIGRATING THE IDM SERVER TO RED HAT ENTERPRISE LINUX 7),
see the URL below
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/migrating-ipa-proc.html
The OTP settings screens in the IPA Web UI
Log in to the IPA Server
Enable OTP for the user (the password entered at login is then the system password and the FreeOTP token joined together)
That is, the full SSO password is: the system password first, followed by the FreeOTP token [PWDToken]
Add an OTP token for that account
Select TOTP as the token Type
Use the FreeOTP mobile app to scan the token's QR code
Sync OTP Token
Enter the login information for that ID, the Token ID and the other fields, then click Sync OTP Token
FreeOTP screen and token code