구글 OTP & LINE OTP

구글 OTP

dnf install epel-release -y  > 확장 
dnf install google-authenticator -y
dnf install qrencode

google-authenticator

y
-1
qr코드 스캔
다 스캔 후 다 y로 바꿔야 정상 사용 가능 

휴대폰에 google otp 설치 
로그인 없이 사용 

cd ~
cat .google_authenticator

ssh 설정
vi /etc/ssh/sshd_config
73번째 줄 주석 해제 >  ChallengeResponseAuthentication yes
74번째 줄 주석 처리 

pam 설정 
모든 사용자 
vi /etc/pam.d/sshd
두번째 줄에 (무조건 두번째 줄)
auth       required     pam_google_authenticator.so nullok secret=${HOME}/.google_authenticator

service sshd restart
putty로 새 화면 킨 후 root로 접속 
Verification code: qr 코드 찍고 나온 번호 입력

 

pam 설정 
otp 사용자만 
vi /etc/pam.d/sshd
두번째 줄에 (무조건 두번째 줄)
auth       required     pam_google_authenticator.so secret=${HOME}/.google_authenticator 
service sshd restart
putty로 새 화면 킨 후 root로 접속 
Verification code: qr 코드 찍고 나온 번호 입력
root로 접속

sevas로 접속 

 

required >> 트랜젝션 방식
1 2 3 4 5
   성공 
requsite >>  1 2 3 실패하면 4 5 x

sufficent  >>  1 2 3 성공하면 4 5 0

---

Line OTP

otp 서버 제작 
mini로 시작

Linotp 설치 

0.network 설정 
vi /etc/sysconfig/network-scripts/ifcfg-ens33
DEVICE=ens33
IPADDR=192.168.10.100
NETMASK=255.255.255.0
GATEWAY=192.168.10.2
ONBOOT=yes
DNS1=168.126.63.1

service network restart
ip addr 

vi /etc/selinux/config
#SELINUX=enforcing <<< 주석처리
SELINUX=disabled


1.GUI 환경구현
yum grouplist
yum groupinstall  "GNOME Desktop" "Development tools"


systemctl get-default
systemctl set-default graphical.target
init 6

---

vi CentOS-Base.repo
아래 설정 정상 작동되면 굳이 할 필요 없음

[base]
name=CentOS-7 - Base
baseurl=http://vault.centos.org/centos/7/os/$basearch/
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7
enabled=1

[updates]
name=CentOS-7 - Updates
baseurl=http://vault.centos.org/centos/7/updates/$basearch/
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7
enabled=1

[extras]
name=CentOS-7 - Extras
baseurl=http://vault.centos.org/centos/7/extras/$basearch/
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7
enabled=1

---

1.repo확장
yum install epel-release.noarch

yum localinstall http://dist.linotp.org/rpm/el7/linotp/x86_64/Packages/LinOTP_repos-1.3-1.el7.x86_64.rpm



yum install mariadb-server
yum install LinOTP
yum install LinOTP_mariadb
yum install LinOTP_apache

service httpd restart
service mariadb restart

 systemctl enable httpd
systemctl enable mariadb

db 한글 설정 
vi /etc/my.cnf 

service mariadb restart
 mysql -u root -p
\s
utf8 확인 

---

*** LINOTP 서버설정 ***
cd /etc/linotp2
cp -a linotp.ini.example  linotp.ini

linotp-create-mariadb
mysql_secure_installation"? [Y/n] y  [보안설정]
Enter current password for root (enter for none):[엔터]
Set root password? [Y/n] n  [ root 비번 ]
Remove anonymous users? [Y/n] Y  [익명사용자 삭제여부]
Disallow root login remotely?  y   [원격루트 제한]
Remove test database and access to it? [Y/n] y [testDB삭제여부]
Reload privilege tables now? [Y/n] y [적용하시겠습니까?]
Would you like to start MariaDB at server startup? [Y/n] y
[서버 재시작 ]

Please enter in the next line the MariaDB root password!
Enter password:  [root 비번 설정안했으면 엔터 ]

***DB인스톨****
 paster  setup-app /etc/linotp2/linotp.ini
(잘만들어지는거 확인할것 2번실행  주르륵 나옴 실패) 


**암호화키생성**
dd if=/dev/urandom of=/etc/linotp2/enckey bs=1 count=96
linotp-create-enckey -f /etc/linotp2/linotp.ini

**방화벽해제**
systemctl stop firewalld
systemctl disable firewalld


*** 구동 ***
paster serve /etc/linotp2/linotp.ini

*** 웹브라우저 ***
http://192.168.10.200:5001/manage  확인

---

LinOTP Config 
USERIDResolvers

new
sql 클릭

server2 이동 (192.168.10.20)
mysql -u root -p 
asd123
use sevas 
권한 주기 
grant all privileges on sevas.* to master@'192.168.10.30'identified by 'asd123' with grant option;
grant all privileges on sevas.* to master@'otp.sevas10.com'identified by 'asd123' with grant option;
flush privileges;
service mariadb restart
Test SQL connection 눌러서 

메세지가 길게 나오면 error 

위 사진처럼 한 이유가 token view에 매칭 시키기 위해서 
save

---

Realms 클릭 
new
sevas 적기
save
user view 이동 
좌측 +Enroll

pin
abcd 적기 
qr 찍기 
Token View에서 확인 

주의사항
user view에서 
생성하고 싶은 계정명 클릭 후 +Enroll 하기 계정명 틀리면 문제 발생 

url에 입력
http://otp.sevas10.com:5001/validate/check?pass=a=[PIN][OTP번호]&user=[계정명]
http://otp.sevas10.com:5001/validate/check?pass=abcd167288&user=sevas

확인
status
value가 true냐 false에 따라 otp가 정상 동작하는지 확인 가능