FreeRadius
1. Connection request to the service server (ssh)
2. Account authentication against the RADIUS server (OTP / AD)
3. Connection to the service server
Configuration
Name          | OS              | IP
Radius Server | CentOS 7.4      | 172.17.110.100
Client Server | CentOS 7.4      | 172.17.110.102
AD Server     | Windows 2012 R2 | 172.17.110.101
Port information
Source | Destination | Port
Client | Radius      | 1812/UDP
Radius | AD          | 53/UDP, 389/TCP
(the full list of AD ports still needs to be confirmed)
Prerequisites
!! FreeRADIUS vulnerability found !!
Fix: install version 3.0.14 or later
Reference)
http://seclists.org/oss-sec/2017/q2/342
This manual was tested with version 3.0.17.
CentOS Yum repository (installs the latest version)
  [networkradius]
  name=NetworkRADIUS-$releasever
  baseurl=http://packages.networkradius.com/centos/$releasever/repo/
  gpgcheck=1
  gpgkey=file:///etc/pki/rpm-gpg/packages.networkradius.com.gpg
>> If this fails, comment out gpgkey, set gpgcheck=0 and run again
Reference
http://networkradius.com/freeradius-packages/index.html
Disable firewalld / disable SELinux or set it to permissive
Radius Server
# yum install freeradius freeradius-utils
# vi /etc/raddb/radiusd.conf
  #user = radiusd
  #group = radiusd
  user = root
  group = root
>> Run the daemon as root
# vi /etc/raddb/sites-enabled/default
  #  Pluggable Authentication Modules.
  pam
>> Select pam as the authentication module (uncomment `pam` in the authenticate section)
# ln -s /etc/raddb/mods-available/pam /etc/raddb/mods-enabled/pam
>> Create the symlink that enables the pam module
# vi /etc/raddb/clients.conf
  client 172.17.110.100 {
      ipaddr = 172.17.110.100
      secret = secret123
      require_message_authenticator = no
      nas_type = other
  }
  client 172.17.110.0/24 {
      secret = secret123
      require_message_authenticator = no
      nas_type = other
  }
# vi /etc/raddb/users
  DEFAULT Group == "disabled", Auth-Type := Reject
          Reply-Message = "Your account has been disabled."
  DEFAULT Auth-Type := PAM
>> Uncomment the first entry and add the `DEFAULT Auth-Type := PAM` line
# radiusd -X
>> Run in debugging mode
# useradd raduser
# passwd raduser
>> Create a test user
# radtest raduser test localhost 0 testing123
Received Access-Accept Id 194 from 127.0.0.1:1812 to 127.0.0.1:39289 length 20
>> Check for Access-Accept; localhost uses testing123 as its default secret
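What radtest puts on the wire, as an added example in pure Python (this is not code from the original post or from the FreeRADIUS project). It builds an RFC 2865 Access-Request the way `radtest raduser test localhost 0 testing123` does, and shows why the shared secret in clients.conf matters: the User-Password attribute is XORed with MD5(secret + Request Authenticator) rather than sent in clear, and the reply's Response Authenticator can only be verified by a client that knows the same secret. The same builder covers the OTP case later on the page, where the password field carries the OS password with the OTP appended. Function names, the fixed test authenticator and the sample values are this example's own.

```python
"""Added example: minimal RADIUS PAP Access-Request builder and reply verifier (RFC 2865)."""
import hashlib
import hmac
import os
import socket
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, NAS_PORT = 1, 2, 4, 5


def encode_pap_password(password, secret, authenticator):
    """RFC 2865 5.2: pad to a multiple of 16 bytes, XOR each block with
    MD5(secret + previous cipher block); block 0 uses the Request Authenticator."""
    if not 1 <= len(password) <= 128:
        raise ValueError("PAP password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        block = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], block))
        out += prev
    return out


def decode_pap_password(encoded, secret, authenticator):
    """Inverse of encode_pap_password (what the server does before calling PAM).
    Trailing NUL padding is stripped."""
    out, prev = b"", authenticator
    for i in range(0, len(encoded), 16):
        block = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(encoded[i:i + 16], block))
        prev = encoded[i:i + 16]
    return out.rstrip(b"\x00")


def attribute(attr_type, value):
    """Type-Length-Value encoding; Length includes the two header bytes."""
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def build_access_request(identifier, secret, username, password,
                         nas_ip="127.0.0.1", nas_port=0, authenticator=None):
    """Return (packet, request_authenticator). A fixed `authenticator` is only for
    tests; a real client must draw 16 fresh random bytes for every request."""
    authenticator = authenticator or os.urandom(16)
    attrs = (attribute(USER_NAME, username.encode())
             + attribute(USER_PASSWORD, encode_pap_password(password.encode(), secret, authenticator))
             + attribute(NAS_IP_ADDRESS, socket.inet_aton(nas_ip))
             + attribute(NAS_PORT, struct.pack("!I", nas_port)))
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs))
    return header + authenticator + attrs, authenticator


def build_response(code, identifier, request_authenticator, secret, attrs=b""):
    """Server side: Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, identifier, 20 + len(attrs))
    resp_auth = hashlib.md5(header + request_authenticator + attrs + secret).digest()
    return header + resp_auth + attrs


def verify_response(packet, request_authenticator, secret):
    """Client side: recompute the Response Authenticator so that a forged or
    mis-keyed Access-Accept is rejected instead of trusted."""
    if len(packet) < 20:
        return False
    length = struct.unpack("!H", packet[2:4])[0]
    if length < 20 or length > len(packet):
        return False
    attrs = packet[20:length]
    expected = hashlib.md5(packet[:4] + request_authenticator + attrs + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])


def send_access_request(host, secret, username, password, identifier=1, timeout=3.0):
    """Send one request to <host>:1812/UDP like radtest and return the reply Code,
    or None on timeout or when the reply's authenticator does not verify."""
    packet, request_auth = build_access_request(identifier, secret, username, password)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(packet, (host, 1812))
        try:
            reply, _ = sock.recvfrom(4096)
        except socket.timeout:
            return None
    if reply[1] != identifier or not verify_response(reply, request_auth, secret):
        return None
    return reply[0]


if __name__ == "__main__":
    # Mirrors the page's `radtest raduser test localhost 0 testing123`.
    code = send_access_request("127.0.0.1", b"testing123", "raduser", "test")
    print({ACCESS_ACCEPT: "Access-Accept", ACCESS_REJECT: "Access-Reject"}.get(code, "no valid reply"))
```

Run it on the RADIUS server while `radiusd -X` is up to get the same Access-Accept the page shows; the reply of `length 20` in the page's radtest output is exactly a header plus Response Authenticator with no attributes, which `verify_response` still checks against the secret.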
Client Server
download : https://freeradius.org/sub_projects/
Install pam_radius
# tar xvzf pam_radius-x.x.x.tar.gz
# cd pam_radius-x.x.x
# ./configure
# make
>> Ignore make errors
# cp pam_radius_auth.so /lib64/security/
# vi /etc/ssh/sshd_config
  ChallengeResponseAuthentication yes
  #ChallengeResponseAuthentication no
  #UsePAM no
  UsePAM yes
# mkdir -p /etc/raddb
# vi /etc/raddb/server
  # Server          Secret      Timeout
  172.17.110.100    secret123   60
# vi /etc/pam.d/sshd
  #%PAM-1.0
  auth       sufficient   pam_radius_auth.so
  auth       required     pam_sepermit.so
  auth       substack     password-auth
  auth       include      postlogin
  # Used with polkit to reauthorize users in remote sessions
  -auth      optional     pam_reauthorize.so prepare
  account    required     pam_nologin.so
  account    include      password-auth
  password   include      password-auth
  # pam_selinux.so close should be the first session rule
  session    required     pam_selinux.so close
  session    required     pam_loginuid.so
  # pam_selinux.so open should only be followed by sessions to be executed in the user context
  session    required     pam_selinux.so open env_params
  session    required     pam_namespace.so
  session    optional     pam_keyinit.so force revoke
  session    include      password-auth
  session    include      postlogin
  # Used with polkit to reauthorize users in remote sessions
  -session   optional     pam_reauthorize.so prepare
>> Add the `auth sufficient pam_radius_auth.so` line at the top of the auth stack
# useradd raduser
>> No local password needs to be set; the account is authenticated by the RADIUS server
# ssh raduser@localhost
>> Enter the password that was set on the RADIUS server
Login succeeds
Google OTP
Radius Server
download : https://github.com/google/google-authenticator-libpam
# mkdir down
# unzip google-authenticator-libpam-master.zip
# cd google-authenticator-libpam-master
# yum -y install epel-release
# yum -y install dh-autoreconf.noarch pam-devel
# ./bootstrap.sh
# ./configure
# vi Makefile
  VERSION=1.x
  LDFLAGS="-lpam"   # add this line
# make
# make install
# cd ./.libs
# cp pam_google_authenticator.so /lib64/security/.
# cp /etc/pam.d/radiusd /etc/pam.d/radiusd.org
# vi /etc/pam.d/radiusd
  #%PAM-1.0
  auth       required     pam_google_authenticator.so forward_pass
  account    required     pam_nologin.so
  account    include      password-auth
  session    include      password-auth
# useradd raduser1
# passwd raduser1
# su - raduser1
# google-authenticator
Do you want authentication tokens to be time-based (y/n) y
Enter code from app (-1 to skip): -1
Do you want me to update your "/home/raduser1/.google_authenticator" file? (y/n) y
Do you want to disallow multiple uses of the same authentication token? This restricts you to one login about every 30s, but it increases your chances to notice or even prevent man-in-the-middle attacks (y/n) y
By default, a new token is generated every 30 seconds by the mobile app. In order to compensate for possible time-skew between the client and the server, we allow an extra token before and after the current time. This allows for a time skew of up to 30 seconds between authentication server and client. If you experience problems with poor time synchronization, you can increase the window from its default size of 3 permitted codes (one previous code, the current code, the next code) to 17 permitted codes (the 8 previous codes, the current code, and the 8 next codes). This will permit for a time skew of up to 4 minutes between client and server. Do you want to do so? (y/n) y
If the computer that you are logging into isn't hardened against brute-force login attempts, you can enable rate-limiting for the authentication module. By default, this limits attackers to no more than 3 login attempts every 30s. Do you want to enable rate-limiting? (y/n) y
# radiusd -X
# radtest raduser1 test644920 localhost 0 testing123
Received Access-Accept Id 188 from 127.0.0.1:1812 to 127.0.0.1:46369 length 20
>> radtest <ID> <OS password + OTP> localhost 0 testing123
Client Server
# useradd raduser1
# ssh raduser1@localhost
>> Enter <OS password + Google OTP> as configured on the RADIUS server
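How the OTP half of that login is checked, as an added example in pure Python (not code from the original post, from FreeRADIUS or from google-authenticator-libpam). It implements RFC 6238 TOTP (HMAC-SHA1, 6 digits, 30-second step) and a small verifier that reproduces the three choices made in the google-authenticator dialogue above: the default skew window of 3 codes that can be widened to 17, rejection of a code that has already been used, and rate limiting of 3 attempts per 30 s. `split_forwarded_password` shows what `forward_pass` does with the page's "test644920": the trailing six digits are the OTP and "test" is handed on as the OS password (a simplification, since the real module also recognises 8-digit scratch codes). `load_base32_secret` reads the first line of a `.google_authenticator` file, which holds the base32 secret. The function and class names, the replay rule (anything at or before the last accepted step is refused) and the RFC test-vector secret are this example's own.

```python
"""Added example: TOTP verification with skew window, replay rejection and rate limiting."""
import base64
import hashlib
import hmac
import struct

STEP_SECONDS = 30
DIGITS = 6


def hotp(secret, counter, digits=DIGITS):
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret, unix_time, step=STEP_SECONDS):
    """RFC 6238: HOTP with the counter set to the current time step."""
    return hotp(secret, unix_time // step)


def load_base32_secret(text):
    """First line of ~/.google_authenticator is the base32 secret (unpadded)."""
    first = text.strip().splitlines()[0].strip().upper()
    return base64.b32decode(first + "=" * (-len(first) % 8))


def split_forwarded_password(combined, otp_digits=DIGITS):
    """forward_pass behaviour (simplified): last N digits are the OTP, the rest
    is forwarded to the next PAM module as the OS password."""
    if len(combined) <= otp_digits or not combined[-otp_digits:].isdigit():
        return None
    return combined[:-otp_digits], combined[-otp_digits:]


class TotpVerifier:
    """Stateful check with skew window, replay rejection and rate limiting."""

    def __init__(self, secret, window=1, max_attempts=3, rate_period=STEP_SECONDS):
        self.secret = secret
        self.window = window            # 1 -> 3 accepted codes, 8 -> 17 codes
        self.max_attempts = max_attempts
        self.rate_period = rate_period
        self.last_used_counter = -1     # replay protection (assumed rule: <= last used is refused)
        self.attempts = []              # timestamps of recent attempts

    def verify(self, code, now):
        # Rate limiting: forget attempts older than the period, then count the rest.
        self.attempts = [t for t in self.attempts if now - t < self.rate_period]
        if len(self.attempts) >= self.max_attempts:
            return False
        self.attempts.append(now)
        current = now // STEP_SECONDS
        for counter in range(current - self.window, current + self.window + 1):
            if counter <= self.last_used_counter:
                continue                # code already consumed: reject the replay
            if hmac.compare_digest(hotp(self.secret, counter), code):
                self.last_used_counter = counter
                return True
        return False


def check_login(secret_file_text, combined_password, now, window=1):
    """Glue for the page's flow: split 'OS password + OTP' and verify the OTP part.
    Returns (os_password, otp_ok); the OS password is left for the next module."""
    split = split_forwarded_password(combined_password)
    if split is None:
        return None, False
    os_password, otp = split
    verifier = TotpVerifier(load_base32_secret(secret_file_text), window=window)
    return os_password, verifier.verify(otp, now)
```

Wider windows trade skew tolerance for a larger set of codes that are valid at any moment, which is why the dialogue ties the 17-code option to poor time synchronisation; keeping NTP healthy on the RADIUS server is the cheaper fix.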
Log
# vi /etc/raddb/sites-enabled/default
  #  If you want to have a log of authentication requests,
  #  un-comment the following line, and the 'detail auth_log'
  #  section, above.
  auth_log
  .....
  #  If you want to have a log of authentication replies,
  #  un-comment the following line, and the 'detail reply_log'
  #  section, above.
  reply_log
>> Uncomment the auth_log and reply_log lines
# cd /var/log/radius
drwx------. 4 radiusd radiusd   45 Dec 5 09:54 radacct
-rw-r-----. 1 root    root    3517 Dec 5 09:55 radius.log
radius.log - log of the server daemon, including failed logins
radacct - who connected and when (one directory per client IP)
Wed Dec  5 09:55:34 2018
	Packet-Type = Access-Request
	User-Name = "raduser1"
	NAS-IP-Address = 172.17.110.100
	NAS-Identifier = "sshd"
	NAS-Port = 30351
	NAS-Port-Type = Virtual
	Service-Type = Authenticate-Only
	Calling-Station-Id = "10.5.5.16"
	Event-Timestamp = "Dec  5 2018 09:55:34 KST"
	Timestamp = 1543971334
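Reading those detail records back, as an added example (not code from the original post or from FreeRADIUS). The parser follows the record layout shown above: a date line, indented `Attribute = value` lines, a blank line between records. On top of it sit two small checks a defender wants from this log: Access-Requests per user, and any Calling-Station-Id that issues more than a threshold of requests inside a sliding time window, which is the shape a password-guessing run against the ssh gateway takes in this file. The sample records other than the page's own are constructed for the example, and the function names are this example's own.

```python
"""Added example: parse FreeRADIUS detail records and flag bursty sources."""
import re
from collections import defaultdict

ATTR_RE = re.compile(r'^\s+([\w-]+)\s*=\s*"?(.*?)"?\s*$')

# The record from the page, followed by constructed ones.
PAGE_RECORD = """\
Wed Dec  5 09:55:34 2018
\tPacket-Type = Access-Request
\tUser-Name = "raduser1"
\tNAS-IP-Address = 172.17.110.100
\tNAS-Identifier = "sshd"
\tNAS-Port = 30351
\tNAS-Port-Type = Virtual
\tService-Type = Authenticate-Only
\tCalling-Station-Id = "10.5.5.16"
\tEvent-Timestamp = "Dec  5 2018 09:55:34 KST"
\tTimestamp = 1543971334

"""


def make_record(ts, user, src, date="Wed Dec  5 09:55:34 2018"):
    """Constructed Access-Request record with only the attributes the checks need."""
    return (f"{date}\n\tPacket-Type = Access-Request\n\tUser-Name = \"{user}\"\n"
            f"\tNAS-Identifier = \"sshd\"\n\tCalling-Station-Id = \"{src}\"\n\tTimestamp = {ts}\n\n")


SAMPLE_DETAIL = (PAGE_RECORD
                 + make_record(1543971400, "raduser", "10.5.5.17")
                 + make_record(1543971405, "raduser", "10.5.5.17")
                 + make_record(1543971410, "raduser", "10.5.5.17")
                 + make_record(1543971415, "raduser", "10.5.5.17")
                 + make_record(1543971634, "raduser1", "10.5.5.16"))


def parse_detail(text):
    """Return one dict per record; quotes are stripped and Timestamp becomes an int."""
    records, current = [], None
    for line in text.splitlines():
        if not line.strip():                 # blank line closes a record
            if current:
                records.append(current)
            current = None
            continue
        if not line[0].isspace():            # unindented date line opens a record
            current = {"_date": line.strip()}
            continue
        m = ATTR_RE.match(line)
        if m and current is not None:
            key, value = m.groups()
            current[key] = int(value) if key == "Timestamp" else value
    if current:
        records.append(current)
    return records


def requests_per_user(records):
    counts = defaultdict(int)
    for r in records:
        if r.get("Packet-Type") == "Access-Request":
            counts[r.get("User-Name", "?")] += 1
    return dict(counts)


def burst_sources(records, threshold=3, window=60):
    """Return {Calling-Station-Id: max count} for sources with more than
    `threshold` Access-Requests inside any `window`-second sliding span."""
    by_src = defaultdict(list)
    for r in records:
        if r.get("Packet-Type") == "Access-Request" and "Timestamp" in r:
            by_src[r.get("Calling-Station-Id", "?")].append(r["Timestamp"])
    flagged = {}
    for src, times in by_src.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1
            span = end - start + 1
            if span > threshold:
                flagged[src] = max(flagged.get(src, 0), span)
    return flagged


if __name__ == "__main__":
    recs = parse_detail(SAMPLE_DETAIL)
    print("requests per user:", requests_per_user(recs))
    print("bursty sources   :", burst_sources(recs))
```

Point `parse_detail` at the files under /var/log/radius/radacct/<client IP>/ to run the same checks on real data; the threshold and window are deliberately parameters, since the right values depend on how many users sit behind one Calling-Station-Id.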
Reference
radius repository
http://networkradius.com/freeradius-packages/
Server configuration
http://webs.co.kr/index.php?mid=linux_1&document_srl=19898&sort_index=readed_count&order_type=desc (Ubuntu)
Client configuration
https://docs.secureauth.com/display/82docs/PAM+RADIUS+Installation+and+Configuration+Guide
SSH-OTP
http://blog.seabow.pe.kr/?p=7056
Radius SSH PAM configuration
https://99linux.wordpress.com/2013/05/03/ssh-authentication-using-pam-and-radius-in-linux/
Google OTP module
https://github.com/google/google-authenticator-libpam/tree/master
Installing pam_radius
https://freeradius.org/sub_projects/
SSSD / Realmd
https://outsideit.net/realmd-sssd-ad-authentication/
Adding syslog
http://www.npartnertech.com/download/tech/N-Partner_FreeRadius_audit_to_syslog-en.pdf