2016年1月28日 星期四

Cisco Radius + OTP

Cisco Radius + OTP  架構圖解如下


















Cisco Radius + OTP


關於 google-authenticator

https://github.com/google/google-authenticator


[root@otp shell]# yum info google-authenticator.x86_64
Loaded plugins: fastestmirror, refresh-packagekit, security
Loading mirror speeds from cached hostfile
 * atomic: www5.atomicorp.com
 * base: mirrors.nwsuaf.edu.cn
 * epel: ftp.jaist.ac.jp
 * extras: ftp.twaren.net
 * updates: mirrors.zju.edu.cn
Available Packages
Name        : google-authenticator
Arch        : x86_64
Version     : 0
Release     : 0.3.20110830.hgd525a9bab875.el6
Size        : 26 k
Repo        : epel
Summary     : One-time passcode support using open standards
URL         : http://code.google.com/p/google-authenticator/
License     : ASL 2.0
Description : The Google Authenticator package contains a pluggable authentication
            : module (PAM) which allows login using one-time passcodes conforming to
            : the open standards developed by the Initiative for Open Authentication
            : (OATH) (which is unrelated to OAuth).
            :
            : Passcode generators are available (separately) for several mobile
            : platforms.
            :
            : These implementations support the HMAC-Based One-time Password (HOTP)
            : algorithm specified in RFC 4226 and the Time-based One-time Password
            : (TOTP) algorithm currently in draft.

[root@otp shell]#

QR Code

[root@otp src]# yum info qrencode
Loaded plugins: fastestmirror, refresh-packagekit, security
Loading mirror speeds from cached hostfile
 * atomic: www5.atomicorp.com
 * base: mirrors.nwsuaf.edu.cn
 * epel: ftp.jaist.ac.jp
 * extras: ftp.twaren.net
 * updates: mirrors.zju.edu.cn
Available Packages
Name        : qrencode
Arch        : x86_64
Version     : 3.4.2
Release     : 1.el6
Size        : 17 k
Repo        : epel
Summary     : Generate QR 2D barcodes
URL         : http://fukuchi.org/works/qrencode/
License     : LGPLv2+
Description : Qrencode is a utility software using libqrencode to encode string data in
            : a QR Code and save as a PNG image.

[root@otp src]#


安裝 google-authenticator

#yum install make gcc pam-devel


# cd /tmp
# wget http://google-authenticator.googlecode.com/files/libpam-google-authenticator-1.0-source.tar.bz2
# bunzip2 libpam-google-authenticator-1.0-source.tar.bz2
# tar xf libpam-google-authenticator-1.0-source.tar
# cd libpam-google-authenticator-1.0
# make
gcc --std=gnu99 -Wall -O2 -g -fPIC -c  -fvisibility=hidden  -o google-authenticator.o google-authenticator.c
gcc --std=gnu99 -Wall -O2 -g -fPIC -c  -fvisibility=hidden  -o base32.o base32.c
gcc --std=gnu99 -Wall -O2 -g -fPIC -c  -fvisibility=hidden  -o hmac.o hmac.c
gcc --std=gnu99 -Wall -O2 -g -fPIC -c  -fvisibility=hidden  -o sha1.o sha1.c
gcc -g   -o google-authenticator google-authenticator.o base32.o hmac.o sha1.o  -ldl
gcc --std=gnu99 -Wall -O2 -g -fPIC -c  -fvisibility=hidden  -o pam_google_authenticator.o pam_google_authenticator.c
gcc -shared -g   -o pam_google_authenticator.so pam_google_authenticator.o base32.o hmac.o sha1.o -lpam
gcc --std=gnu99 -Wall -O2 -g -fPIC -c  -fvisibility=hidden  -o demo.o demo.c
gcc -DDEMO --std=gnu99 -Wall -O2 -g -fPIC -c  -fvisibility=hidden  -o pam_google_authenticator_demo.o pam_google_authenticator.c
gcc -g   -rdynamic -o demo demo.o pam_google_authenticator_demo.o base32.o hmac.o sha1.o  -ldl
gcc -DTESTING --std=gnu99 -Wall -O2 -g -fPIC -c  -fvisibility=hidden        \
              -o pam_google_authenticator_testing.o pam_google_authenticator.c
gcc -shared -g   -o pam_google_authenticator_testing.so pam_google_authenticator_testing.o base32.o hmac.o sha1.o -lpam
gcc --std=gnu99 -Wall -O2 -g -fPIC -c  -fvisibility=hidden  -o pam_google_authenticator_unittest.o pam_google_authenticator_unittest.c
gcc -g   -rdynamic -o pam_google_authenticator_unittest pam_google_authenticator_unittest.o base32.o hmac.o sha1.o -lc  -ldl

# make install
cp pam_google_authenticator.so /lib64/security
cp google-authenticator /usr/local/bin


#看到這樣的訊息即代表 google-authenticator 安裝完成

或使用 git 方式安裝也行,如下


======================


mkdir /usr/local/src/google
cd /usr/local/src/google
git clone https://code.google.com/p/google-authenticator/
cd google-authenticator/libpam/
make install

=====================

freeradius 安裝方式使用 yum install 即可


[root@otp #yum install freeradius  freeradius-utils  freeradius-mysql

[root@otp shell]# yum info freeradius
Loaded plugins: fastestmirror, refresh-packagekit, security
Loading mirror speeds from cached hostfile
 * atomic: www5.atomicorp.com
 * base: mirrors.nwsuaf.edu.cn
 * epel: ftp.jaist.ac.jp
 * extras: ftp.twaren.net
 * updates: mirrors.zju.edu.cn
Installed Packages
Name        : freeradius
Arch        : x86_64
Version     : 2.2.6
Release     : 6.el6_7
Size        : 6.3 M
Repo        : installed
From repo   : updates
Summary     : High-performance and highly configurable free RADIUS server
URL         : http://www.freeradius.org/
License     : GPLv2+ and LGPLv2+
Description : The FreeRADIUS Server Project is a high performance and highly configurable
            : GPL'd free RADIUS server. The server is similar in some respects to
            : Livingston's 2.0 server.  While FreeRADIUS started as a variant of the
            : Cistron RADIUS server, they don't share a lot in common any more. It now has
            : many more features than Cistron or Livingston, and is much more configurable.
            :
            : FreeRADIUS is an Internet authentication daemon, which implements the RADIUS
            : protocol, as defined in RFC 2865 (and others). It allows Network Access
            : Servers (NAS boxes) to perform authentication for dial-up users. There are
            : also RADIUS clients available for Web servers, firewalls, Unix logins, and
            : more.  Using RADIUS allows authentication and authorization for a network to
            : be centralized, and minimizes the amount of re-configuration which has to be
            : done when adding or deleting new users.

[root@otp #

[root@otp shell]# rpm -qa | grep radius
freeradius-client-devel-1.1.7-6.el6.x86_64
freeradius-postgresql-2.2.6-6.el6_7.x86_64
pam_radius-1.4.0-2.el6.x86_64
freeradius-unixODBC-2.2.6-6.el6_7.x86_64
freeradius-client-utils-1.1.7-6.el6.x86_64
freeradius-python-2.2.6-6.el6_7.x86_64
freeradius-2.2.6-6.el6_7.x86_64
freeradius-krb5-2.2.6-6.el6_7.x86_64
freeradius-perl-2.2.6-6.el6_7.x86_64
freeradius-mysql-2.2.6-6.el6_7.x86_64
freeradius-utils-2.2.6-6.el6_7.x86_64
freeradius-client-1.1.7-6.el6.x86_64
freeradius-ldap-2.2.6-6.el6_7.x86_64
[root@otp shell]#                                  


Radius 的設定說明及需要異動的檔案

主要設定目錄如下:

[root@otp raddb]# pwd
/etc/raddb
[root@otp raddb]# ll

......

clients.conf    ## Radiusd Client 端設定檔 (4)

radiusd.conf    ## radius 主要設定檔 (1)

sites-enabled   ## 目錄內的 default 檔為 authorize / Authentication 的設定檔 (2)

users               ## 帳號設定檔  (3)
..........


[root@otp raddb]#

(1) radiusd.conf

radiusd.conf

# 改由 root 的身份 去啟用 radius 的服務

#user = radiusd
#group = radiusd

user = root
group = root


#  啟用   authentication Log

log {

.....


#  Log authentication requests to the log file.
        #
        #  allowed values: {no, yes}
        #
        auth = yes

        #  Log passwords with the authentication requests.
        #  auth_badpass  - logs password if it's rejected
        #  auth_goodpass - logs password if it's correct
        #
        #  allowed values: {no, yes}
        #
        auth_badpass = yes
        auth_goodpass = yes


}


(2) default

default

# 宣告可使用 pam 認證方式

authenticate {

....


       pam


.....



}

(3) users

users

# 宣告使用者的認證方式與相關權限 (該帳號使用PAM)


DEFAULT Group == "disabled", Auth-Type := Reject
                Reply-Message = "Your account has been disabled."



vlab         Cleartext-Password := "mypasswd"
               Reply-Message = "Hello, %{User-Name}"




admin      Auth-Type := PAM
                Service-Type = "Shell-User",
                Cisco-AVPair += "shell:priv-lvl=15"


user          Auth-Type := PAM
                Service-Type = "NAS-Prompt-User",
                Cisco-AVPair += "shell:priv-lvl=1"


DEFAULT        Auth-Type := PAM


#宣告 Cisco 設備 Radiusd Client 端設定檔

(4) clients.conf

clients.conf

client 192.168.1.0/24 {
        secret = Cisco168
        shortname = lab-network
        nastype = cisco
        require_message_authenticator = no
}


#本機的 pam 設檔位置
#這裡的主要設定為 Radius 串接 google_authenticator 的方式


[root@otp pam.d]# pwd
/etc/pam.d
[root@otp pam.d]# ll

....

-rw-r--r--  1 root root 529 Dec  9 11:02 radiusd

...

#宣告 radius 使用 pam_google_authenticator.so


[root@otp pam.d]# vi radiusd
#%PAM-1.0
#auth       include     password-auth
#account    required    pam_nologin.so
#account    include     password-auth
#password   include     password-auth
#session    include     password-auth


# 這種方式為宣告使用 OTP (即登入時的密碼為 系統的密碼 + Google OTP 的 Token 連在一起)
# 即 Cisco login SSO 密碼的全部內容:
# 前段為系統端密碼後段為 Google 的 Token  [PWDToken]


auth    requisite       pam_google_authenticator.so     forward_pass
auth    required        pam_unix.so                     use_first_pass
account required        pam_unix.so
session required        pam_unix.so


# 這種方式為宣告使用 OTP (即登入時的密碼僅需要   Google OTP 的 Token)


#
#auth    requisite       pam_google_authenticator.so
#account required        pam_permit.so
#session required        pam_permit.so

=================

重啟 radiusd 服務

[root@otp raddb]# service radiusd start
Starting radiusd:                                          [  OK  ]
[root@otp raddb]#



==================

Cicso 設備的設定參考

aaa new-model
!
!
aaa authentication login default group radius local
!
!
!
!
!
aaa session-id common
....

!
!
radius server 1
 address ipv4 192.168.1.x auth-port 1812 acct-port 1813
 key Cisco168
!
!




#aaa new-model
#aaa authentication login default group radius local
#aaa authorization exec default group radius local
#radius-server host 192.168.1.x auth-port 1812 acct-port 1813 key testing123


===========


參考文件


PAM

http://linux.die.net/man/8/pam_unix

Two-Step Authentication for SSH on CentOS 6 Using Google Authenticator

http://blog.nowherelan.com/2014/01/04/two-step-authentication-for-ssh-on-centos-6-using-google-authenticator/

FreeRADIUS Google Dual Factor Authenticator

http://www.supertechguy.com/help/security/freeradius-google-auth


VyOS OpenVpn Plugin OTP ( SOP )

http://xrcd2.blogspot.tw/2015/03/vyos-openvpn-plugin-otp-sop.html

Linux SSO ( Single Sign-On ) + OTP

http://xrcd2.blogspot.tw/2015/04/linix-sso-single-sign-on-otp-opensource.html


Cisco

Configuring RADIUS

http://www.cisco.com/c/en/us/td/docs/ios/12_2/security/configuration/guide/fsecur_c/scfrad.html


其它的變型應用 如 VPN + Radius + OTP 




2016年1月21日 星期四

Cisco IOS 設備 configuration 自動版本管理的方式 ( cisco config auto to svn )


最近一個朋友在問我關於 rancid + viewvc 的事.
我就 Google 一下,看這個組合包有什麼功能,
後來我發現,以前我曾寫過類似這樣的東西.
只是程式不知道丟去哪了,只好重寫過.

簡單的說 rancid + viewvc ,
就是 Cisco IOS 設備的版控套件.

簡單的圖示說明如下,下圖抄改的來始原始 URL 為
( 在本 LAB 中的圖示皆修改自該 URL )

http://aimless.jp/blog/archives/1545/
http://aimless.jp/blog/images/diagram.png























但這種做法是利用系統的 排程作業 去完成版控管理.
有另一種做法是利用 log monitor 的機制 如上述的 URL 中提到的組合包.

rsyslog + logsurfer + rancid + viewvc

logsurfer
http://www.crypt.gen.nz/logsurfer/

http://aimless.jp/blog/archives/1545/
http://aimless.jp/blog/images/diagram.png






















我想到的另一種變型的做法是

rsyslog + swatch + perl + websvn




有興趣的人請自行參閱下面的 URL.

這個組合包做出來的樣子如下:















































































































待續.. SOP 缺 Source Code 補


============================

Swatch

http://sourceforge.net/projects/swatch/

http://www.vlab.com.tw/index.php/forum/network-management/12771-forward-cisco-syslog-to-msn-syslog2msn-ver-1


perl telnet cisco

http://search.cpan.org/~joshua/Net-Telnet-Cisco-1.10/Cisco.pm

http://www.vlab.com.tw/index.php/forum/network-management/13204-cisco-perl

or

http://xrcd2.blogspot.tw/2013/02/cisco-show-run-config-perl.html

web svn

http://www.websvn.info/



===========================

RANCID - Really Awesome New Cisco confIg Differ

http://www.shrubbery.net/rancid/

viewvc -- ViewVC is a browser interface for CVS and Subversion version control repositories

http://www.viewvc.org/


http://www.shrubbery.net/rancid/

http://evilttl.com/wiki/RANCID

http://ciscoskills.net/2015/01/03/install-rancid-and-viewvc-on-centos-7/