Openconnect双因素认证 - 蜷缩的蜗牛

kbsonlong

2022-09-11 约 400 字预计阅读 1 分钟

目录

修改认证方式

1
2
# vim /etc/ocserv/ocserv.conf
auth = "plain[passwd=/etc/ocserv/ocpasswd,otp=/etc/ocserv/ocserv.otp]"

配置 pam

1
echo "auth requisite pam_oath.so debug usersfile=/etc/ocserv/ocserv.otp window=20" >> /etc/pam.d/ocserv

创建用户 OTP

1
2
3
4
5
6
7
8
9
username="zengshenglong"
company="Company"
site_name="Site"
key=$(head -c 16 /dev/urandom |xxd -c 256 -ps)
echo "HOTP/T30 ${username} - ${key}" >>/etc/ocserv/ocserv.otp 
oathtool --totp -w 5 $key
secret=$(echo 0x${key}|xxd -r -c 256|base32)
echo "otpauth://hotp/${username}@${site_name}?secret=${secret}&issuer=${company}" | qrencode -o - -t UTF8
echo "https://www.google.com/chart?chs=200x200&chld=M|0&cht=qr&chl=otpauth://hotp/${username}@${site_name}?secret=$(echo ${secret}|cut -d = -f 1)&issuer=${company}"

完整配置

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
auth = "plain[passwd=/etc/ocserv/ocpasswd,otp=/etc/ocserv/ocserv.otp]"
tcp-port = 443
udp-port = 443
run-as-user = nobody
run-as-group = daemon
socket-file = /var/run/ocserv-socket
server-cert = /etc/letsencrypt/live/myvpn.alongparty.cn/fullchain.pem
server-key = /etc/letsencrypt/live/myvpn.alongparty.cn/privkey.pem
isolate-workers = false
banner = "Welcome PCI DSS environment, please proceed with caution ! !"
pre-login-banner = "You will enter the PCI DSS environment, please proceed with caution ! !"
max-clients = 16
max-same-clients = 2
rate-limit-ms = 100
server-stats-reset-time = 604800
keepalive = 32400
dpd = 90
mobile-dpd = 1800
switch-to-tcp-timeout = 25
try-mtu-discovery = true
cert-user-oid = 0.9.2342.19200300.100.1.1
tls-priorities = "NORMAL:%SERVER_PRECEDENCE:%COMPAT:-VERS-SSL3.0:-VERS-TLS1.0:-VERS-TLS1.1"
auth-timeout = 240
min-reauth-time = 300
max-ban-score = 80
ban-reset-time = 1200
cookie-timeout = 300
deny-roaming = false
rekey-time = 172800
rekey-method = ssl
use-occtl = true
pid-file = /var/run/ocserv.pid
device = vpns
predictable-ips = true
default-domain = example.com
ipv4-network = 10.255.255.0
ipv4-netmask = 255.255.255.0
tunnel-all-dns = true
dns = 8.8.8.8
dns = 4.2.2.4
dns = 2001:4860:4860::8888
dns = 2001:4860:4860::8844
ping-leases = false
config-per-group = /etc/ocserv/group
default-group-config = /etc/ocserv/group/default
default-select-group = default
auto-select-group = false
cisco-client-compat = true
dtls-legacy = true

FixIt 主题

FixIt 主题

FixIt 主题

FixIt 主题

FixIt 主题

FixIt 主题

FixIt 主题

FixIt 主题

FixIt 主题

FixIt 主题

FixIt 主题

FixIt 主题

FixIt 主题

FixIt 主题

FixIt 主题

FixIt 主题

FixIt 主题

FixIt 主题

FixIt 主题

FixIt 主题

FixIt 主题

FixIt 主题

FixIt 主题

FixIt 主题

FixIt 主题

FixIt 主题

FixIt 主题

FixIt 主题

FixIt 主题

FixIt 主题

FixIt 主题

FixIt 主题

FixIt 主题

FixIt 主题

FixIt 主题

FixIt 主题

FixIt 主题

FixIt 主题

FixIt 主题

FixIt 主题

FixIt 主题

FixIt 主题

FixIt 主题

FixIt 主题

FixIt 主题

FixIt 主题

FixIt 主题

FixIt 主题

FixIt 主题

FixIt 主题

FixIt 主题

FixIt 主题

FixIt 主题

FixIt 主题

FixIt 主题

FixIt 主题

FixIt 主题

FixIt 主题

FixIt 主题

FixIt 主题