Cisco Radius + OTP
About google-authenticator
https://github.com/google/google-authenticator
[root@otp shell]# yum info google-authenticator.x86_64
Loaded plugins: fastestmirror, refresh-packagekit, security
Loading mirror speeds from cached hostfile
* atomic: www5.atomicorp.com
* base: mirrors.nwsuaf.edu.cn
* epel: ftp.jaist.ac.jp
* extras: ftp.twaren.net
* updates: mirrors.zju.edu.cn
Available Packages
Name : google-authenticator
Arch : x86_64
Version : 0
Release : 0.3.20110830.hgd525a9bab875.el6
Size : 26 k
Repo : epel
Summary : One-time passcode support using open standards
URL : http://code.google.com/p/google-authenticator/
License : ASL 2.0
Description : The Google Authenticator package contains a pluggable authentication
: module (PAM) which allows login using one-time passcodes conforming to
: the open standards developed by the Initiative for Open Authentication
: (OATH) (which is unrelated to OAuth).
:
: Passcode generators are available (separately) for several mobile
: platforms.
:
: These implementations support the HMAC-Based One-time Password (HOTP)
: algorithm specified in RFC 4226 and the Time-based One-time Password
: (TOTP) algorithm currently in draft.
[root@otp shell]#
QR code (qrencode: the google-authenticator setup tool dlopen()s libqrencode to print the enrolment QR code in the terminal, which is why the build below links -ldl)
[root@otp src]# yum info qrencode
Loaded plugins: fastestmirror, refresh-packagekit, security
Loading mirror speeds from cached hostfile
* atomic: www5.atomicorp.com
* base: mirrors.nwsuaf.edu.cn
* epel: ftp.jaist.ac.jp
* extras: ftp.twaren.net
* updates: mirrors.zju.edu.cn
Available Packages
Name : qrencode
Arch : x86_64
Version : 3.4.2
Release : 1.el6
Size : 17 k
Repo : epel
Summary : Generate QR 2D barcodes
URL : http://fukuchi.org/works/qrencode/
License : LGPLv2+
Description : Qrencode is a utility software using libqrencode to encode string data in
: a QR Code and save as a PNG image.
[root@otp src]#
Installing google-authenticator (from the 1.0 source tarball; needs make, gcc and pam-devel)
# yum install make gcc pam-devel
# cd /tmp
# wget http://google-authenticator.googlecode.com/files/libpam-google-authenticator-1.0-source.tar.bz2
# bunzip2 libpam-google-authenticator-1.0-source.tar.bz2
# tar xf libpam-google-authenticator-1.0-source.tar
# cd libpam-google-authenticator-1.0
# make
gcc --std=gnu99 -Wall -O2 -g -fPIC -c -fvisibility=hidden -o google-authenticator.o google-authenticator.c
gcc --std=gnu99 -Wall -O2 -g -fPIC -c -fvisibility=hidden -o base32.o base32.c
gcc --std=gnu99 -Wall -O2 -g -fPIC -c -fvisibility=hidden -o hmac.o hmac.c
gcc --std=gnu99 -Wall -O2 -g -fPIC -c -fvisibility=hidden -o sha1.o sha1.c
gcc -g -o google-authenticator google-authenticator.o base32.o hmac.o sha1.o -ldl
gcc --std=gnu99 -Wall -O2 -g -fPIC -c -fvisibility=hidden -o pam_google_authenticator.o pam_google_authenticator.c
gcc -shared -g -o pam_google_authenticator.so pam_google_authenticator.o base32.o hmac.o sha1.o -lpam
gcc --std=gnu99 -Wall -O2 -g -fPIC -c -fvisibility=hidden -o demo.o demo.c
gcc -DDEMO --std=gnu99 -Wall -O2 -g -fPIC -c -fvisibility=hidden -o pam_google_authenticator_demo.o pam_google_authenticator.c
gcc -g -rdynamic -o demo demo.o pam_google_authenticator_demo.o base32.o hmac.o sha1.o -ldl
gcc -DTESTING --std=gnu99 -Wall -O2 -g -fPIC -c -fvisibility=hidden \
-o pam_google_authenticator_testing.o pam_google_authenticator.c
gcc -shared -g -o pam_google_authenticator_testing.so pam_google_authenticator_testing.o base32.o hmac.o sha1.o -lpam
gcc --std=gnu99 -Wall -O2 -g -fPIC -c -fvisibility=hidden -o pam_google_authenticator_unittest.o pam_google_authenticator_unittest.c
gcc -g -rdynamic -o pam_google_authenticator_unittest pam_google_authenticator_unittest.o base32.o hmac.o sha1.o -lc -ldl
# make install
cp pam_google_authenticator.so /lib64/security
cp google-authenticator /usr/local/bin
# This output means google-authenticator is installed: the PAM module went to /lib64/security and the per-user setup tool to /usr/local/bin.
Alternatively, install from git:
======================
mkdir /usr/local/src/google
cd /usr/local/src/google
git clone https://code.google.com/p/google-authenticator/
cd google-authenticator/libpam/
make install
=====================
FreeRADIUS is installed with yum (freeradius-utils provides radtest, which is handy for testing the whole chain later):
# yum install freeradius freeradius-utils freeradius-mysql
[root@otp shell]# yum info freeradius
Loaded plugins: fastestmirror, refresh-packagekit, security
Loading mirror speeds from cached hostfile
* atomic: www5.atomicorp.com
* base: mirrors.nwsuaf.edu.cn
* epel: ftp.jaist.ac.jp
* extras: ftp.twaren.net
* updates: mirrors.zju.edu.cn
Installed Packages
Name : freeradius
Arch : x86_64
Version : 2.2.6
Release : 6.el6_7
Size : 6.3 M
Repo : installed
From repo : updates
Summary : High-performance and highly configurable free RADIUS server
URL : http://www.freeradius.org/
License : GPLv2+ and LGPLv2+
Description : The FreeRADIUS Server Project is a high performance and highly configurable
: GPL'd free RADIUS server. The server is similar in some respects to
: Livingston's 2.0 server. While FreeRADIUS started as a variant of the
: Cistron RADIUS server, they don't share a lot in common any more. It now has
: many more features than Cistron or Livingston, and is much more configurable.
:
: FreeRADIUS is an Internet authentication daemon, which implements the RADIUS
: protocol, as defined in RFC 2865 (and others). It allows Network Access
: Servers (NAS boxes) to perform authentication for dial-up users. There are
: also RADIUS clients available for Web servers, firewalls, Unix logins, and
: more. Using RADIUS allows authentication and authorization for a network to
: be centralized, and minimizes the amount of re-configuration which has to be
: done when adding or deleting new users.
[root@otp #
[root@otp shell]# rpm -qa | grep radius
freeradius-client-devel-1.1.7-6.el6.x86_64
freeradius-postgresql-2.2.6-6.el6_7.x86_64
pam_radius-1.4.0-2.el6.x86_64
freeradius-unixODBC-2.2.6-6.el6_7.x86_64
freeradius-client-utils-1.1.7-6.el6.x86_64
freeradius-python-2.2.6-6.el6_7.x86_64
freeradius-2.2.6-6.el6_7.x86_64
freeradius-krb5-2.2.6-6.el6_7.x86_64
freeradius-perl-2.2.6-6.el6_7.x86_64
freeradius-mysql-2.2.6-6.el6_7.x86_64
freeradius-utils-2.2.6-6.el6_7.x86_64
freeradius-client-1.1.7-6.el6.x86_64
freeradius-ldap-2.2.6-6.el6_7.x86_64
[root@otp shell]#
RADIUS configuration: what the files do and which ones need changing
The main configuration directory:
[root@otp raddb]# pwd
/etc/raddb
[root@otp raddb]# ll
......
clients.conf ## RADIUS client (NAS) definitions (4)
radiusd.conf ## main radiusd configuration (1)
sites-enabled ## the default file in this directory holds the authorize / authenticate sections (2)
users ## account definitions (3)
..........
[root@otp raddb]#
(1) radiusd.conf
# Run radiusd as root instead of the radiusd user, so that rlm_pam can read
# /etc/shadow and every user's ~/.google_authenticator. This gives the whole
# daemon root privileges; if the secret files are kept where the radiusd user
# can read them, the module's user= and secret= options are the least-privilege alternative.
#user = radiusd
#group = radiusd
user = root
group = root
# Enable authentication logging
log {
.....
# Log authentication requests to the log file.
#
# allowed values: {no, yes}
#
auth = yes
# Log passwords with the authentication requests.
# auth_badpass - logs password if it's rejected
# auth_goodpass - logs password if it's correct
#
# allowed values: {no, yes}
#
# Caveat: with auth_goodpass = yes every accepted User-Password, i.e. the
# system password plus the OTP, is written to the log in clear text.
# Use these only while troubleshooting and set both back to no afterwards.
auth_badpass = yes
auth_goodpass = yes
}
(2) sites-enabled/default
# Enable PAM as an authentication method: uncomment `pam` in the authenticate
# section. The users file selects it per account with Auth-Type := PAM, and
# rlm_pam calls the PAM service named "radiusd" (pam_auth = radiusd in
# modules/pam), i.e. the /etc/pam.d/radiusd file configured further down.
authenticate {
....
pam
.....
}
(3) users
# Per-account authentication method and the attributes returned to the NAS.
# Entries are matched top to bottom: members of the "disabled" group are
# rejected, `vlab` has a static password and never touches the OTP stack,
# `admin` and `user` go through PAM and get a Cisco privilege level, and the
# final DEFAULT sends every other account through PAM as well.
DEFAULT	Group == "disabled", Auth-Type := Reject
	Reply-Message = "Your account has been disabled."

vlab	Cleartext-Password := "mypasswd"
	Reply-Message = "Hello, %{User-Name}"

admin	Auth-Type := PAM
	Service-Type = "Shell-User",
	Cisco-AVPair += "shell:priv-lvl=15"

user	Auth-Type := PAM
	Service-Type = "NAS-Prompt-User",
	Cisco-AVPair += "shell:priv-lvl=1"

DEFAULT	Auth-Type := PAM
(4) clients.conf
# RADIUS client (NAS) definition for the Cisco devices. `secret` must equal
# the `key` configured on the device: it is what hides User-Password and, via
# Message-Authenticator, authenticates requests. Any host in 192.168.1.0/24
# that knows it can send requests. require_message_authenticator = no turns
# off the HMAC check on requests from this client; relax it only for NAS
# devices that cannot send the attribute.
client 192.168.1.0/24 {
	secret = Cisco168
	shortname = lab-network
	nastype = cisco
	require_message_authenticator = no
}
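As an added example, not code from the original post or from FreeRADIUS, the following Python builds and checks the PAP Access-Request the switch sends for a login such as `admin` above. It shows what the clients.conf `secret` (the Cisco `key`) protects: User-Password is hidden by XOR with MD5(secret + Request Authenticator), chained per 16-byte block (RFC 2865 section 5.2), and Message-Authenticator is an HMAC-MD5 over the whole packet keyed with the secret (RFC 2869 section 5.14), which is the check `require_message_authenticator = yes` would enforce. The NAS address, packet identifier and helper names are constructed for this example; nothing is sent on the wire.

```python
"""Added example, not from the original post or FreeRADIUS: build and check
an RFC 2865 PAP Access-Request to show what the clients.conf `secret`
(= the Cisco `key`) protects and what require_message_authenticator
verifies. All values are constructed; nothing is sent on the wire.
"""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_USER_PASSWORD = 2
ATTR_NAS_IP_ADDRESS = 4
ATTR_MESSAGE_AUTHENTICATOR = 80


def attr(attr_type, value):
    """Encode one attribute: Type(1) Length(1, includes the header) Value."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("BB", attr_type, len(value) + 2) + value


def get_attr(pkt, wanted):
    """Return the value of the first attribute of type `wanted`, or None."""
    pos = 20                                   # attributes start after the header
    while pos + 2 <= len(pkt):
        attr_type, length = pkt[pos], pkt[pos + 1]
        if length < 2 or pos + length > len(pkt):
            return None                        # malformed attribute list
        if attr_type == wanted:
            return pkt[pos + 2:pos + length]
        pos += length
    return None


def pap_encrypt(password, secret, req_auth):
    """RFC 2865 5.2: NUL-pad to 16-byte blocks; each block is XORed with
    MD5(secret + previous ciphertext block), the first with MD5(secret + RA)."""
    pw = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", req_auth
    for i in range(0, len(pw), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(pw[i:i + 16], keystream))
        out += block
        prev = block
    return out


def pap_decrypt(cipher, secret, req_auth):
    """Inverse of pap_encrypt (what the server does before calling PAM);
    returns the password bytes with the NUL padding stripped."""
    out, prev = b"", req_auth
    for i in range(0, len(cipher), 16):
        keystream = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(cipher[i:i + 16], keystream))
        prev = cipher[i:i + 16]
    return out.rstrip(b"\x00")


def build_access_request(ident, user, password, secret, nas_ip, req_auth=None):
    """Return (packet, request_authenticator) for a PAP login from nas_ip."""
    if req_auth is None:
        req_auth = os.urandom(16)              # fresh random Request Authenticator
    attrs = (attr(ATTR_USER_NAME, user)
             + attr(ATTR_USER_PASSWORD, pap_encrypt(password, secret, req_auth))
             + attr(ATTR_NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split(".")))
             + attr(ATTR_MESSAGE_AUTHENTICATOR, b"\x00" * 16))   # placeholder, last attribute
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    pkt = header + req_auth + attrs
    # RFC 2869 5.14: HMAC-MD5(secret, whole packet with the attribute zeroed)
    mac = hmac.new(secret, pkt, hashlib.md5).digest()
    return pkt[:-16] + mac, req_auth


def verify_message_authenticator(pkt, secret):
    """The check require_message_authenticator = yes enforces: False when the
    attribute is missing or its HMAC does not match the shared secret."""
    pos = 20
    while pos + 2 <= len(pkt):
        attr_type, length = pkt[pos], pkt[pos + 1]
        if length < 2 or pos + length > len(pkt):
            return False
        if attr_type == ATTR_MESSAGE_AUTHENTICATOR and length == 18:
            received = pkt[pos + 2:pos + 18]
            zeroed = pkt[:pos + 2] + b"\x00" * 16 + pkt[pos + 18:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(received, expected)
        pos += length
    return False


if __name__ == "__main__":
    secret = b"Cisco168"                       # clients.conf secret / Cisco key
    pkt, ra = build_access_request(7, b"admin", b"mypasswd081804", secret, "192.168.1.10")
    print(verify_message_authenticator(pkt, secret))             # True
    print(verify_message_authenticator(pkt, b"testing123"))      # False: wrong secret
    print(pap_decrypt(get_attr(pkt, ATTR_USER_PASSWORD), secret, ra))  # b'mypasswd081804'
```

With the wrong secret the HMAC check fails and User-Password decrypts to garbage, which is all the protection the shared secret provides; with `require_message_authenticator = no` the server still parses a request from any host in the client subnet that does not know the secret, and only the undecryptable password makes it fail. The MD5 obfuscation is not modern encryption, so the RADIUS traffic itself belongs on a management network.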
The local PAM configuration: this is where RADIUS is chained to google_authenticator.
[root@otp pam.d]# pwd
/etc/pam.d
[root@otp pam.d]# ll
....
-rw-r--r-- 1 root root 529 Dec 9 11:02 radiusd
...
# Make the radiusd PAM service use pam_google_authenticator.so. Each account
# must first run the google-authenticator setup tool (as that user) to create
# its ~/.google_authenticator secret file; without the file the module rejects the login.
[root@otp pam.d]# vi radiusd
#%PAM-1.0
#auth include password-auth
#account required pam_nologin.so
#account include password-auth
#password include password-auth
#session include password-auth
# Variant 1: the password typed at the Cisco login prompt is the system
# password immediately followed by the Google OTP token (password+token).
# forward_pass makes pam_google_authenticator strip the trailing code, verify
# it, and hand the remaining prefix to pam_unix.so (use_first_pass) for the
# normal /etc/shadow check. requisite stops the stack as soon as the code is bad.
auth requisite pam_google_authenticator.so forward_pass
auth required pam_unix.so use_first_pass
account required pam_unix.so
session required pam_unix.so
# Variant 2: the password typed at the prompt is the Google OTP token only
# (no system password is checked).
#
#auth requisite pam_google_authenticator.so
#account required pam_permit.so
#session required pam_permit.so
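As an added example, not code from the original post or from the google-authenticator project, the following Python emulates what the two active `auth` lines above do with a combined password: it parses a constructed ~/.google_authenticator, computes RFC 6238 TOTP codes (HMAC-SHA1, 30-second step, 6 digits, the defaults the setup tool writes) from the base32 secret, peels the trailing code off the password the way `forward_pass` does, and returns the prefix that pam_unix.so would receive. The `SECRET_FILE` contents, the `pam_stack` helper and the other function names are assumptions made for illustration; the secret is the RFC 6238 test key, so the codes can be checked against the RFC's own test vectors.

```python
"""Added example (not from the original post or the google-authenticator
project): emulate the `forward_pass` PAM stack on a <system password><TOTP>
User-Password. TOTP per RFC 6238 / HOTP per RFC 4226 (HMAC-SHA1, 30 s step,
6 digits). SECRET_FILE is a constructed sample, not a real user's file.
"""
import base64
import hashlib
import hmac
import struct
import time

# Constructed sample of ~/.google_authenticator: the RFC 6238 test secret
# "12345678901234567890" in base32, the option lines the setup tool writes,
# and one 8-digit emergency scratch code.
SECRET_FILE = """GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ
" RATE_LIMIT 3 30
" WINDOW_SIZE 3
" TOTP_AUTH
12345678
"""


def parse_secret_file(text):
    """Return (base32 secret, window_size, set of scratch codes)."""
    lines = [l.rstrip() for l in text.splitlines() if l.strip()]
    secret, window, scratch = lines[0], 3, set()
    for line in lines[1:]:
        if line.startswith('" WINDOW_SIZE'):
            window = int(line.split()[2])
        elif line.startswith('"'):
            continue                        # other option lines (RATE_LIMIT, TOTP_AUTH, ...)
        elif line.isdigit() and len(line) == 8:
            scratch.add(line)               # one-time scratch codes
    return secret, window, scratch


def hotp(secret_b32, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, dynamic truncation."""
    key = base64.b32decode(secret_b32.upper())
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return "%0*d" % (digits, code % (10 ** digits))


def totp(secret_b32, unix_time, step=30, digits=6):
    """RFC 6238 TOTP: HOTP over the time-step counter."""
    return hotp(secret_b32, int(unix_time) // step, digits)


def verify_totp(secret_b32, code, unix_time, window_size=3, step=30):
    """Accept the current step and (window_size - 1) / 2 steps on each side,
    mirroring the module's WINDOW_SIZE option (3 = current step +/- 1)."""
    skew = (window_size - 1) // 2
    counter = int(unix_time) // step
    return any(hmac.compare_digest(hotp(secret_b32, counter + d, len(code)), code)
               for d in range(-skew, skew + 1))


def split_forward_pass(user_password, scratch):
    """Emulate forward_pass: peel the OTP off the end of the combined password.
    Scratch codes are 8 digits, so that split is tried before the 6-digit one.
    Returns (system password to forward, code) or None if no code is present."""
    tail8 = user_password[-8:]
    if len(user_password) >= 8 and tail8.isdigit() and tail8 in scratch:
        return user_password[:-8], tail8
    tail6 = user_password[-6:]
    if len(user_password) >= 6 and tail6.isdigit():
        return user_password[:-6], tail6
    return None


def pam_stack(user_password, file_text, unix_time=None):
    """Emulate 'auth requisite pam_google_authenticator.so forward_pass' followed
    by 'auth required pam_unix.so use_first_pass': returns the password that
    pam_unix would receive, or None when the OTP step rejects (requisite => stop).
    Unlike the real module this does not burn a scratch code after use."""
    unix_time = time.time() if unix_time is None else unix_time
    secret, window, scratch = parse_secret_file(file_text)
    parts = split_forward_pass(user_password, scratch)
    if parts is None:
        return None
    system_pw, code = parts
    if code in scratch or verify_totp(secret, code, unix_time, window):
        return system_pw                    # pam_unix.so checks this against /etc/shadow
    return None


if __name__ == "__main__":
    t = 1111111109                          # RFC 6238 test time; 6-digit code 081804
    print(totp("GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ", t))
    print(pam_stack("mypasswd" + totp("GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ", t), SECRET_FILE, t))
```

Running it prints the code for the RFC test time (081804) and the forwarded system password. The same combined string is what radtest must be given as the password when testing against the server, and what the user types at the Cisco prompt in variant 1.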
=================
Start the radiusd service (and restart it after every later configuration change). Running radiusd -X in the foreground first shows each step of the PAM chain in the debug output, and radtest from freeradius-utils exercises the whole chain without involving the switch.
[root@otp raddb]# service radiusd start
Starting radiusd: [ OK ]
[root@otp raddb]#
==================
Cisco device configuration reference
aaa new-model
!
!
aaa authentication login default group radius local
!
!
!
!
!
aaa session-id common
....
!
!
radius server 1
address ipv4 192.168.1.x auth-port 1812 acct-port 1813
key Cisco168
!
!
Or, with the older radius-server syntax (the key must match `secret` in clients.conf, Cisco168 above; testing123 is only the stock FreeRADIUS localhost secret):
aaa new-model
aaa authentication login default group radius local
aaa authorization exec default group radius local
radius-server host 192.168.1.x auth-port 1812 acct-port 1813 key Cisco168
Two points to keep in mind: `aaa authorization exec default group radius local` is what makes the device apply the shell:priv-lvl value returned in Cisco-AVPair, so it belongs in the first variant as well; and the trailing `local` is a fallback used only when no RADIUS server answers, not when RADIUS rejects the login, so a wrong OTP still locks the user out while an unreachable OTP server falls back to the local accounts.
===========
References
PAM
http://linux.die.net/man/8/pam_unix
Two-Step Authentication for SSH on CentOS 6 Using Google Authenticator
http://blog.nowherelan.com/2014/01/04/two-step-authentication-for-ssh-on-centos-6-using-google-authenticator/
FreeRADIUS Google Dual Factor Authenticator
http://www.supertechguy.com/help/security/freeradius-google-auth
VyOS OpenVpn Plugin OTP ( SOP )
http://xrcd2.blogspot.tw/2015/03/vyos-openvpn-plugin-otp-sop.html
Linux SSO ( Single Sign-On ) + OTP
http://xrcd2.blogspot.tw/2015/04/linix-sso-single-sign-on-otp-opensource.html
Cisco
Configuring RADIUS
http://www.cisco.com/c/en/us/td/docs/ios/12_2/security/configuration/guide/fsecur_c/scfrad.html
Other variations on the same design, such as VPN + RADIUS + OTP