Continuing the PrivacyIDEA Radius plugin topic.
The preceding part is here:
https://xrcd2.blogspot.com/2026/05/privacyidea-radius-plugin-part-2.html
The common ways privacyIDEA obtains its accounts are:
(1) Create a new Passwd Resolver (/etc/passwd)
(2) Create a new LDAP Resolver (e.g. Windows AD (Active Directory))
(3) Create a new SQL Resolver
First create the Resolver, then create a Realm and link it to that resolver.
A privacyIDEA user can be created (or obtained) from (1) a local user on the privacyIDEA Linux host;
see https://xrcd2.blogspot.com/2025/04/privacyidea.html
or (2) an account in LDAP; see https://xrcd2.blogspot.com/2025/04/privacyidea-2fardp-test.html
With approach (1), the local /etc/passwd, the password can only be replaced by setting a PIN, because privacyIDEA has no permission to read or write /etc/shadow:
[root@2FA src]# ls -la /etc/shadow
---------- 1 root root 1327 May 23 19:45 /etc/shadow
[root@2FA src]# ls -la /etc/passwd
-rw-r--r-- 1 root root 2955 May 23 19:45 /etc/passwd
[root@2FA src]#
(2) For privacyIDEA, an LDAP Resolver is, simply put, only responsible for validation: the pairing of users with their Tokens/OTPs and the login verification part.
As noted above, if you want simpler management of the users in privacyIDEA, MySQL is a good choice.
Assumed usage scenario: privacyIDEA controls both VPN and Windows RDP logins. A user working remotely [connecting back to the office] then passes two completely independent two-factor authentication (2FA) stages: stage one, the VPN, can use a privacyIDEA SQL identity plus OTP; stage two, RDP, can use a privacyIDEA Windows AD identity plus OTP. That should be more secure.
The following are brief notes on creating privacyIDEA SQL user accounts.
[root@2FA src]# mysql
Welcome to the MariaDB monitor. Commands end with ; or \g.
Your MariaDB connection id is 184
Server version: 10.11.15-MariaDB MariaDB Server
Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
MariaDB [(none)]> CREATE DATABASE vpn_users;
Query OK, 1 row affected (0.005 sec)
MariaDB [(none)]> CREATE USER 'pi_resolver'@'localhost' IDENTIFIED BY 'Passw0rd';
Query OK, 0 rows affected (0.003 sec)
MariaDB [(none)]> GRANT ALL PRIVILEGES ON vpn_users.* TO 'pi_resolver'@'localhost';
Query OK, 0 rows affected (0.001 sec)
MariaDB [(none)]> FLUSH PRIVILEGES;
Query OK, 0 rows affected (0.001 sec)
MariaDB [(none)]> use vpn_users;
Database changed
MariaDB [vpn_users]> CREATE TABLE pi_users (
-> id INT AUTO_INCREMENT PRIMARY KEY,
-> username VARCHAR(64) NOT NULL UNIQUE,
-> password_hash VARCHAR(255),
-> email VARCHAR(100),
-> mobile VARCHAR(20),
-> description VARCHAR(255)
-> ) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4;
Query OK, 0 rows affected (0.005 sec)
MariaDB [vpn_users]> INSERT INTO pi_users (username, email, mobile) VALUES ('testuser', 'testuser@vlab.tw', '0912345678');
Query OK, 1 row affected (0.001 sec)
MariaDB [vpn_users]> SELECT * FROM pi_users\G;
*************************** 1. row ***************************
id: 1
username: testuser
password_hash: NULL
email: testuser@vlab.tw
mobile: 0912345678
description: NULL
1 row in set (0.000 sec)
ERROR: No query specified
MariaDB [vpn_users]> UPDATE pi_users SET description = 'TEST User' WHERE id = 1;
Query OK, 1 row affected (0.001 sec)
Rows matched: 1 Changed: 1 Warnings: 0
MariaDB [vpn_users]> SELECT * FROM pi_users\G;
*************************** 1. row ***************************
id: 1
username: testuser
password_hash: NULL
email: testuser@vlab.tw
mobile: 0912345678
description: TEST User
1 row in set (0.000 sec)
ERROR: No query specified
MariaDB [vpn_users]>
=======================
==> Attribute mapping (JSON) entered in the privacyIDEA SQL Resolver, mapping resolver fields to the pi_users columns:
{"userid":"id","username":"username","password":"password_hash","email":"email","mobile":"mobile","description":"description"}
======================
CREATE TABLE pi_users (
id INT AUTO_INCREMENT PRIMARY KEY,
username VARCHAR(64) NOT NULL UNIQUE,
password_hash VARCHAR(255),
email VARCHAR(100),
mobile VARCHAR(20),
description VARCHAR(255)
) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4;
==========================
[root@2FA ~]# vi /etc/privacyidea/rlm_perl.ini
[Default]
URL = https://localhost/validate/check
#REALM = defrealm
#RESCONF = deflocal
REALM = mysql
RESCONF = SQL
===================================
MariaDB [(none)]> use vpn_users;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A
Database changed
MariaDB [vpn_users]> SELECT * FROM pi_users\G;
*************************** 1. row ***************************
id: 1
username: testuser
password_hash: NULL
email: testuser@vlab.tw
mobile: 0912345678
description: TEST User
*************************** 2. row ***************************
id: 2
username: vpn.sqluser
password_hash: {SSHA256}p5yVX9/7OX0TrPdHlQhrm4rPZyi5F/8KbnPPPP/qFqsTAuA8
email: vpn.sqluser@vlab.tw
mobile: 0939000000
description: VPN User in SQL
2 rows in set (0.000 sec)
ERROR: No query specified
MariaDB [vpn_users]>
======================================
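The password_hash of the second row above is stored in the {SSHA256} scheme. The Python below is an added example (not code from the post or from privacyIDEA) that produces and verifies such a value before it is written to pi_users; it assumes the layout base64(sha256(password + salt) + salt) with a 32-byte digest, which is what the 36-byte decoded value on this page suggests, so check it against your privacyIDEA version.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Assumed layout: "{SSHA256}" + base64(sha256(password || salt) || salt).
# The value on this page decodes to 36 bytes: 32-byte digest + 4-byte salt.
PREFIX = "{SSHA256}"
DIGEST_LEN = 32

# Sample value copied from the SELECT output above (its password is not known here).
PAGE_HASH = "{SSHA256}p5yVX9/7OX0TrPdHlQhrm4rPZyi5F/8KbnPPPP/qFqsTAuA8"


def make_ssha256(password: str, salt: Optional[bytes] = None) -> str:
    """Return a {SSHA256} string for the password_hash column (random 4-byte salt by default)."""
    if salt is None:
        salt = os.urandom(4)
    digest = hashlib.sha256(password.encode("utf-8") + salt).digest()
    return PREFIX + base64.b64encode(digest + salt).decode("ascii")


def parse_ssha256(stored: str) -> Tuple[bytes, bytes]:
    """Split a stored value into (digest, salt); raises ValueError if the prefix is missing."""
    if not stored.startswith(PREFIX):
        raise ValueError("not an {SSHA256} value")
    raw = base64.b64decode(stored[len(PREFIX):])
    return raw[:DIGEST_LEN], raw[DIGEST_LEN:]


def verify_ssha256(stored: str, password: str) -> bool:
    """Constant-time check of a candidate password against a stored {SSHA256} value."""
    try:
        digest, salt = parse_ssha256(stored)
    except ValueError:
        return False  # plaintext or unknown scheme: never treat as a match
    candidate = hashlib.sha256(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(digest, candidate)


def update_statement(username: str, password: str) -> Tuple[str, Tuple[str, str]]:
    """Parameterised UPDATE for the pi_users table (hypothetical helper; pass the tuple to cursor.execute)."""
    sql = "UPDATE pi_users SET password_hash = %s WHERE username = %s"
    return sql, (make_ssha256(password), username)
```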