User Tools
2fa_на_предприятии
Differences
This shows you the differences between two versions of the page.
| Both sides previous revision Previous revision Next revision | Previous revision | ||
|
2fa_на_предприятии [2025/09/15 07:44] val |
2fa_на_предприятии [2025/10/07 08:34] (current) val [Шаг 1. Настраиваем SSH доступ с 2FA] |
||
|---|---|---|---|
| Line 4: | Line 4: | ||
| * [[https://datatracker.ietf.org/doc/html/rfc6238]] | * [[https://datatracker.ietf.org/doc/html/rfc6238]] | ||
| - | * [[https://2fa.zone/|Get 2FA Verification Code]] | + | * [[https://play.google.com/store/apps/details?id=ru.yandex.key&hl=en|Yandex Key – Google Play]] |
| + | * [[https://2fa.zone/]] | ||
| * [[https://2fa.fb.rip/]] | * [[https://2fa.fb.rip/]] | ||
| * [[https://2fa.live/]] | * [[https://2fa.live/]] | ||
| Line 28: | Line 29: | ||
| ===== Запись вебинара ===== | ===== Запись вебинара ===== | ||
| - | * Тэги: | + | * https://youtu.be/VMIi5-XY7Gk |
| + | * https://rutube.ru/video/private/7fb7b99656ae3819fcabccc090412065/ | ||
| + | * https://ok.ru/specialistru/topic/158109049773425 | ||
| + | * https://vk.com/video-2190892_456239493 | ||
| + | |||
| + | * Тэги: 2FA, OTP, TOTP, SSH, PAM, OpenVPN | ||
| ===== История вопроса ===== | ===== История вопроса ===== | ||
| - | * [[https://youtu.be/-fcJ8MkoLts|Использование одноразовых паролей OPIE]] | + | * [[https://youtu.be/-fcJ8MkoLts|Использование одноразовых паролей OPIE]] (youtube) |
| - | * [[https://habr.com/ru/articles/713582/|Безопасное подключение с чужого компьютера]] | + | * [[https://habr.com/ru/articles/713582/|Безопасное подключение с чужого компьютера]] (habr) |
| ===== Шаг 1. Настраиваем SSH доступ с 2FA ===== | ===== Шаг 1. Настраиваем SSH доступ с 2FA ===== | ||
| Line 40: | Line 46: | ||
| <code> | <code> | ||
| - | # apt-get install libpam-google-authenticator | + | $ timedatectl status #!!! |
| + | |||
| + | $ sudo apt-get install libpam-google-authenticator | ||
| </code> | </code> | ||
| * Сделать окно терминала на 82x41 символ | * Сделать окно терминала на 82x41 символ | ||
| Line 56: | Line 64: | ||
| ... | ... | ||
| NNNNNNNN | NNNNNNNN | ||
| + | </code><code> | ||
| + | student@debian:~$ more .google_authenticator | ||
| + | ... | ||
| </code><code> | </code><code> | ||
| debian:~# cat /etc/pam.d/sshd | debian:~# cat /etc/pam.d/sshd | ||
| + | </code><code> | ||
| ... | ... | ||
| # Enable MFA using Google Authenticator PAM | # Enable MFA using Google Authenticator PAM | ||
| Line 63: | Line 75: | ||
| </code><code> | </code><code> | ||
| debian:~# cat /etc/ssh/sshd_config | debian:~# cat /etc/ssh/sshd_config | ||
| + | </code><code> | ||
| ... | ... | ||
| KbdInteractiveAuthentication yes | KbdInteractiveAuthentication yes | ||
| Line 76: | Line 89: | ||
| <code> | <code> | ||
| debian:~# nft flush ruleset | debian:~# nft flush ruleset | ||
| + | |||
| + | debian:~# ip r | ||
| </code> | </code> | ||
| ===== Шаг 3. Настраиваем OpenVPN доступ с 2FA ===== | ===== Шаг 3. Настраиваем OpenVPN доступ с 2FA ===== | ||
| + | * [[Пакет OpenSSL#Создание самоподписанного сертификата]] | ||
| * [[Пакет OpenVPN]] | * [[Пакет OpenVPN]] | ||
| * [[Пакет OpenVPN#Использование PAM аутентификации]] | * [[Пакет OpenVPN#Использование PAM аутентификации]] | ||
| - | <code> | ||
| - | debian:~# cp /etc/pam.d/login /etc/pam.d/openvpn | ||
| - | debian:~# cat /etc/pam.d/openvpn | + | ===== Шаг 4. Настраиваем 2FA доступ к GitLab ===== |
| - | </code><code> | + | |
| - | auth required pam_google_authenticator.so authtok_prompt=pin | + | |
| - | #auth required pam_google_authenticator.so authtok_prompt=pin user=root secret=/etc/openvpn/google-auth/${USER} | + | |
| - | ... | + | |
| - | </code><code> | + | |
| - | # apt install pamtester | + | |
| - | # pamtester openvpn student authenticate | + | * [[https://docs.gitlab.com/user/profile/account/two_factor_authentication/|GitLab Two-factor authentication]] |
| - | pin | + | |
| - | Password: | + | |
| - | pamtester: successfully authenticated | + | |
| - | </code><code> | + | |
| - | # cat /etc/openvpn/openvpn1.conf | + | |
| - | </code><code> | + | |
| - | ... | + | |
| - | plugin /usr/lib/x86_64-linux-gnu/openvpn/plugins/openvpn-plugin-auth-pam.so "openvpn login USERNAME password PASSWORD pin OTP" | + | |
| - | ... | + | |
| - | </code><code> | + | |
| - | debian:~# systemctl enable openvpn@openvpn1 --now | + | |
| - | debian:~# journalctl -f | + | ===== Проблемы ===== |
| - | ... | + | |
| - | Aug 29 09:45:09 debian openvpn(pam_google_authenticator)[2483]: Failed to read "/home/student/.google_authenticator" for "student" | + | |
| - | ... | + | |
| - | </code><code> | + | |
| - | # systemctl edit openvpn@openvpn1 | + | |
| - | </code><code> | + | |
| - | [Service] | + | |
| - | ProtectHome=no | + | |
| - | </code> | + | |
| - | ===== Шаг 4. Настраиваем 2FA доступ к GitLab ===== | + | |
| - | * [[https://docs.gitlab.com/user/profile/account/two_factor_authentication/|GitLab Two-factor authentication]] | + | * [[https://docs.user.com/imap-for-account-with-2-step-verification/|How to configure IMAP/SMTP for account with a 2-step verification]] |
| + | |||
| + | ===== Итоги/Вопросы ===== | ||
2fa_на_предприятии.1757911483.txt.gz · Last modified: 2025/09/15 07:44 by val
Page Tools
Except where otherwise noted, content on this wiki is licensed under the following license: CC Attribution-Share Alike 4.0 International
