IT/Security

Building a FreeRADIUS OTP Authentication Server

알콩달콩아빠 2024. 5. 30. 19:30

FreeRADIUS

1. Connection request from the user to the service server (ssh)
2. Account authentication at the RADIUS server (OTP / AD)
3. Connection to the service server

Configuration

Name            OS                 IP
Radius Server   CentOS 7.4         172.17.110.100
Client Server   CentOS 7.4         172.17.110.102
AD Server       Windows 2012 R2    172.17.110.101

Port information

Source    Destination    Port
Client    Radius         1812/UDP
Radius    AD             53/UDP
                         389/TCP

(Additional AD ports still need to be identified)

 

 

Prerequisites

!! FreeRADIUS vulnerability found (TLS session resumption authentication bypass, see the references below) !!

Fix: install version 3.0.14 or later

References:

http://blog.alyac.co.kr/1130

http://securityaffairs.co/wordpress/59553/hacking/freeradius-tls-resumption-authentication-bypass.html

http://seclists.org/oss-sec/2017/q2/342

This manual was tested with version 3.0.17.

 

CentOS Yum repository (installs the latest version)

[networkradius]
name=NetworkRADIUS-$releasever
baseurl=http://packages.networkradius.com/centos/$releasever/repo/
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/packages.networkradius.com.gpg

>> If this fails, comment out gpgkey, set gpgcheck=0 and run again (this turns off package signature verification, so importing the repository key into /etc/pki/rpm-gpg is the better fix)

 

Reference

http://networkradius.com/freeradius-packages/index.html

Disable firewalld / disable SELinux or set it to permissive

RADIUS Server

# yum install freeradius freeradius-utils

# vi /etc/raddb/radiusd.conf

#user = radiusd
#group = radiusd
user = root
group = root

>> Run as root (the PAM modules used below need to read /etc/shadow and the users' ~/.google_authenticator files)

 

# vi /etc/raddb/sites-enabled/default

#  Pluggable Authentication Modules.
pam

>> Select pam as the authentication module (uncomment it in the authenticate section)

 

# ln -s /etc/raddb/mods-available/pam /etc/raddb/mods-enabled/pam

>> Enable the pam module by linking it into mods-enabled

# vi /etc/raddb/clients.conf

client 172.17.110.100 {
ipaddr = 172.17.110.100
secret = secret123
require_message_authenticator = no
nas_type = other
}
client 172.17.110.0/24 {
secret = secret123
require_message_authenticator = no
nas_type = other
}


# vi /etc/raddb/users

DEFAULT Group == "disabled", Auth-Type := Reject
        Reply-Message = "Your account has been disabled."
DEFAULT Auth-Type := PAM

>> Uncomment the first entry and add the DEFAULT Auth-Type := PAM line

 

# radiusd -X

>> Run in debugging mode (foreground, full request logging)

 

# useradd raduser

# passwd raduser

>> Create a test user

 

# radtest raduser test localhost 0 testing123

Received Access-Accept Id 194 from 127.0.0.1:1812 to 127.0.0.1:39289 length 20

>> Access-Accept confirmed. testing123 is the default secret of the localhost client shipped in clients.conf
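As an added example that is not part of the original post, the following Python shows what radtest puts on the wire for the command above: the PAP User-Password obfuscation keyed by the shared secret and the Request Authenticator, the Message-Authenticator that the `require_message_authenticator = no` setting in clients.conf stops the server from insisting on, and the Response Authenticator check that lets a client reject an Access-Accept forged by a host without the secret. Packet ids and the authenticator bytes are constructed.

```python
import hashlib
import hmac
import struct

# Added example: the RADIUS/PAP exchange behind
#   radtest raduser test localhost 0 testing123
# Attribute numbers come from RFC 2865/2869; ids and authenticators are constructed.
ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, NAS_PORT, MESSAGE_AUTHENTICATOR = 1, 2, 4, 5, 80


def pap_crypt(data, secret, authenticator, decrypt=False):
    """RFC 2865 5.2: XOR each 16-byte block with MD5(secret + previous block), where
    'previous' is the Request Authenticator first and the prior ciphertext afterwards."""
    if not decrypt:
        data += b"\x00" * (-len(data) % 16)  # pad the password to a multiple of 16
    out, prev = b"", authenticator
    for i in range(0, len(data), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(data[i:i + 16], key))
        out += block
        prev = data[i:i + 16] if decrypt else block
    return out.rstrip(b"\x00") if decrypt else out


def attr(kind, value):
    """One Type-Length-Value attribute."""
    return struct.pack("!BB", kind, 2 + len(value)) + value


def build_access_request(ident, user, password, secret, authenticator, nas_port=0):
    """Access-Request as radtest sends it, signed with Message-Authenticator (RFC 2869)."""
    attrs = attr(USER_NAME, user.encode())
    attrs += attr(USER_PASSWORD, pap_crypt(password.encode(), secret, authenticator))
    attrs += attr(NAS_IP_ADDRESS, bytes([127, 0, 0, 1]))
    attrs += attr(NAS_PORT, struct.pack("!I", nas_port))
    attrs += attr(MESSAGE_AUTHENTICATOR, b"\x00" * 16)  # zeroed while the HMAC is computed
    pkt = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs
    return pkt[:-16] + hmac.new(secret, pkt, hashlib.md5).digest()


def build_access_accept(ident, request_authenticator, secret):
    """Attribute-less Access-Accept, i.e. the 'length 20' reply radtest printed above."""
    head = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20)
    return head + hashlib.md5(head + request_authenticator + secret).digest()


def response_authenticator_ok(response, request_authenticator, secret):
    """RFC 2865 3: MD5(Code+ID+Length+RequestAuth+Attributes+Secret) must match,
    so a reply from a host that does not know the shared secret is rejected."""
    expected = hashlib.md5(response[:4] + request_authenticator + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])
```

Because the password obfuscation is only MD5 of the secret, a short secret such as secret123 is the weak point of this setup; pick a long random secret per client.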

 

 

 

Client Server

download: https://freeradius.org/sub_projects/

Installing pam_radius

# tar xvzf pam_radius-x.x.x.tar.gz

# cd pam_radius-x.x.x

# ./configure

# make

>> Ignore the make errors (the pam_radius_auth.so module is built before they occur)

# cp pam_radius_auth.so /lib64/security/

 

# vi /etc/ssh/sshd_config

ChallengeResponseAuthentication yes
#ChallengeResponseAuthentication no

#UsePAM no
UsePAM yes

# mkdir -p /etc/raddb

# vi /etc/raddb/server

#Server            Secret      Timeout
172.17.110.100     secret123    60

>> This file holds the shared secret for the RADIUS server; keep it readable by root only

 

 

# vi /etc/pam.d/sshd

#%PAM-1.0
auth       sufficient   pam_radius_auth.so
auth       required     pam_sepermit.so
auth       substack     password-auth
auth       include      postlogin
# Used with polkit to reauthorize users in remote sessions
-auth      optional     pam_reauthorize.so prepare
account    required     pam_nologin.so
account    include      password-auth
password   include      password-auth
# pam_selinux.so close should be the first session rule
session    required     pam_selinux.so close
session    required     pam_loginuid.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session    required     pam_selinux.so open env_params
session    required     pam_namespace.so
session    optional     pam_keyinit.so force revoke
session    include      password-auth
session    include      postlogin
# Used with polkit to reauthorize users in remote sessions
-session   optional     pam_reauthorize.so prepare

>> Add the pam_radius_auth.so line at the top of the auth stack

 

# useradd raduser

>> No local password needs to be set; the account is authenticated by the RADIUS server

# ssh raduser@localhost

>> Enter the password that was set on the RADIUS server

Login succeeded

 

 

Google OTP

RADIUS Server

download: https://github.com/google/google-authenticator-libpam

 

# mkdir down

# unzip google-authenticator-libpam-master.zip

 

# cd google-authenticator-libpam-master

# yum -y install epel-release

# yum -y install dh-autoreconf.noarch pam-devel

 

# ./bootstrap.sh

# ./configure

# vi Makefile

VERSION=1.x
LDFLAGS="-lpam"   # add

# make

# make install

 

# cd ./.libs

# cp pam_google_authenticator.so /lib64/security/.

 

# cp /etc/pam.d/radiusd /etc/pam.d/radiusd.org

 

 

# vi /etc/pam.d/radiusd

#%PAM-1.0
auth       required    pam_google_authenticator.so forward_pass
account    required     pam_nologin.so
account    include      password-auth
session    include      password-auth

 

# useradd raduser1

# passwd raduser1

 

# su - raduser1

# google-authenticator

Do you want authentication tokens to be time-based (y/n) y
 
Enter code from app (-1 to skip): -1
 
Do you want me to update your "/home/raduser1/.google_authenticator" file? (y/n) y
 
Do you want to disallow multiple uses of the same authentication
token? This restricts you to one login about every 30s, but it increases
your chances to notice or even prevent man-in-the-middle attacks (y/n) y
 
By default, a new token is generated every 30 seconds by the mobile app.
In order to compensate for possible time-skew between the client and the server,
we allow an extra token before and after the current time. This allows for a
time skew of up to 30 seconds between authentication server and client. If you
experience problems with poor time synchronization, you can increase the window
from its default size of 3 permitted codes (one previous code, the current
code, the next code) to 17 permitted codes (the 8 previous codes, the current
code, and the 8 next codes). This will permit for a time skew of up to 4 minutes
between client and server.
Do you want to do so? (y/n) y
 
If the computer that you are logging into isn't hardened against brute-force
login attempts, you can enable rate-limiting for the authentication module.
By default, this limits attackers to no more than 3 login attempts every 30s.
Do you want to enable rate-limiting? (y/n) y

 

# radiusd -X

 

# radtest raduser1 test644920 localhost 0 testing123

Received Access-Accept Id 188 from 127.0.0.1:1812 to 127.0.0.1:46369 length 20

>> radtest <ID> <OS password + OTP> localhost 0 testing123
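As an added example that is not part of the original post, the following Python models what pam_google_authenticator with forward_pass does with an entry such as test644920 from the radtest line above, together with the choices made in the google-authenticator dialog: the trailing six digits are verified as a TOTP code within the configured skew window, reuse of an accepted code is refused, and the remaining prefix is handed on as the OS password. The base32 secret used in the test is the RFC 4226 test key, not a real user's.

```python
import base64
import hashlib
import hmac
import struct

# Added example: what pam_google_authenticator (forward_pass) does with an entry such
# as "test644920": the last 6 digits are the TOTP code, the prefix goes to the next
# PAM module as the OS password. Secret and timestamps used here are constructed.


def totp(secret_b32, counter, digits=6):
    """RFC 6238 over RFC 4226: HMAC-SHA1 of the 30-second step counter, then
    dynamic truncation to `digits` decimal digits."""
    key = base64.b32decode(secret_b32.upper() + "=" * (-len(secret_b32) % 8))
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def split_forward_pass(entered, digits=6):
    """forward_pass: the trailing `digits` characters are the OTP, the rest is forwarded."""
    if len(entered) <= digits or not entered[-digits:].isdigit():
        return None, None
    return entered[:-digits], entered[-digits:]


def verify_totp(secret_b32, code, now, window=1, used_counters=None, step=30):
    """Accept `code` if it matches any step in [now - window, now + window].
    window=1 is the default 3-code window, window=8 the 17-code (about 4 minutes)
    option from the google-authenticator dialog. `used_counters` models the
    'disallow multiple uses of the same token' answer."""
    counter = int(now) // step
    for c in range(counter - window, counter + window + 1):
        if c < 0:
            continue
        if hmac.compare_digest(totp(secret_b32, c), code):
            if used_counters is not None:
                if c in used_counters:
                    return False  # replay of a token that was already accepted
                used_counters.add(c)
            return True
    return False


def check_login(entered, secret_b32, os_password, now, window=1, used_counters=None):
    """Whole stack: OTP first (pam_google_authenticator), then the forwarded prefix
    checked as the OS password by the auth module that follows it."""
    prefix, otp = split_forward_pass(entered)
    if otp is None or not verify_totp(secret_b32, otp, now, window, used_counters):
        return False
    return hmac.compare_digest(prefix.encode(), os_password.encode())
```

The forwarded prefix is only checked if a later auth module in /etc/pam.d/radiusd (for example `auth include password-auth`) consumes it; check_login models that complete stack.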

 

 

Client Server

# useradd raduser1

# ssh raduser1@localhost

>> Enter <OS password + Google OTP> as set up on the RADIUS server

 

Log

# vi /etc/raddb/sites-enabled/default

        #
        #  If you want to have a log of authentication requests,
        #  un-comment the following line, and the 'detail auth_log'
        #  section, above.
        auth_log
…..
        #
        #  If you want to have a log of authentication replies,
        #  un-comment the following line, and the 'detail reply_log'
        #  section, above.
        reply_log
…..

>> Uncomment auth_log and reply_log

# cd /var/log/radius

drwx------. 4 radiusd radiusd   45 Dec  5 09:54 radacct
-rw-r-----. 1 root    root    3517 Dec  5 09:55 radius.log

radius.log - log of the server daemon, including failed logins

radacct - who connected and when (one subdirectory per client IP)

Wed Dec  5 09:55:34 2018
        Packet-Type = Access-Request
        User-Name = "raduser1"
        NAS-IP-Address = 172.17.110.100
        NAS-Identifier = "sshd"
        NAS-Port = 30351
        NAS-Port-Type = Virtual
        Service-Type = Authenticate-Only
        Calling-Station-Id = "10.5.5.16"
        Event-Timestamp = "Dec  5 2018 09:55:34 KST"
        Timestamp = 1543971334
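Added example (not from the original post): a small Python parser for the detail-file record format shown above, plus a count of Access-Requests per Calling-Station-Id, which is a quick way to spot a single ssh client hammering the RADIUS server. The sample text is constructed from the page's record with a second entry appended.

```python
import re
from collections import Counter

# Added example: parser for the FreeRADIUS detail-file format shown above, plus a
# per-source count of Access-Requests. SAMPLE is constructed from the page's record
# with a second entry appended; real files live under the radacct directory.
SAMPLE = """\
Wed Dec  5 09:55:34 2018
\tPacket-Type = Access-Request
\tUser-Name = "raduser1"
\tNAS-IP-Address = 172.17.110.100
\tNAS-Identifier = "sshd"
\tCalling-Station-Id = "10.5.5.16"
\tEvent-Timestamp = "Dec  5 2018 09:55:34 KST"
\tTimestamp = 1543971334

Wed Dec  5 09:57:02 2018
\tPacket-Type = Access-Request
\tUser-Name = "raduser1"
\tCalling-Station-Id = "10.5.5.16"
\tTimestamp = 1543971422

"""

ATTR_RE = re.compile(r"^\s+([\w-]+)\s*=\s*(.*)$")


def parse_detail(text):
    """Records start with an unindented timestamp line, carry indented
    'Attribute = value' lines, and end at a blank line."""
    records, current = [], None
    for line in text.splitlines():
        m = ATTR_RE.match(line)
        if m and current is not None:
            value = m.group(2).strip()
            if len(value) >= 2 and value[0] == value[-1] == '"':
                value = value[1:-1]  # strings are quoted, integers and IPs are bare
            current[m.group(1)] = value
        elif line.strip():
            current = {"_time": line.strip()}
            records.append(current)
        else:
            current = None  # blank line closes the record
    return records


def requests_per_source(records):
    """How many Access-Requests each Calling-Station-Id (the ssh client) sent."""
    return Counter(r.get("Calling-Station-Id", "?")
                   for r in records if r.get("Packet-Type") == "Access-Request")
```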

 

References

RADIUS repository

http://networkradius.com/freeradius-packages/

Server configuration

https://github.com/rharmonson/richtech/wiki/CentOS-7-Minimal-&-Two-factor-Authentication-using-FreeRADIUS-3,-SSSD-1.12,-&-Google-Authenticator

http://iprize.tistory.com/669

http://webs.co.kr/index.php?mid=linux_1&document_srl=19898&sort_index=readed_count&order_type=desc (Ubuntu)

Client configuration

https://docs.secureauth.com/display/82docs/PAM+RADIUS+Installation+and+Configuration+Guide

SSH-OTP

http://blog.seabow.pe.kr/?p=7056

RADIUS SSH PAM configuration

https://99linux.wordpress.com/2013/05/03/ssh-authentication-using-pam-and-radius-in-linux/

Google OTP module

https://github.com/google/google-authenticator-libpam/tree/master

pam_radius installation

https://freeradius.org/sub_projects/

SSSD / Realmd

https://outsideit.net/realmd-sssd-ad-authentication/

Adding syslog

http://www.npartnertech.com/download/tech/N-Partner_FreeRadius_audit_to_syslog-en.pdf

Source: WE STUDY LOG :: Building a FreeRADIUS OTP Authentication Server (tistory.com)
