Configuring two-factor authentication in the Astra Linux Directory domain
In this post, we decided to talk about domain authentication in Linux, using JaCarta PKI smart cards and USB tokens as the second authentication factor. While there is quite a lot of information about local authentication through the PAM module, the issue of domain infrastructure and Kerberos ticket authentication in Linux are poorly considered, especially in Russian. We take Astra Linux as the operating system and show it with the example of Astra Linux Directory (ALD).
The benefit of this solution is obvious - it allows you to abandon password authentication of the user, which will help to drastically reduce the impact of the "human factor" on the security of the system. Plus, this will give a number of advantages from the use of electronic keys inside the operating system, after authentication in the domain.
Domain Astra Linux Directory (ALD) is designed to organize a single user space (domain local area network) in automated systems.
ALD uses LDAP, Kerberos5, Samba / CIFS technologies and provides:
The PKI JaCarta - a line of PKI-tokens for strong user authentication for enterprise applications, secure storage of key containers CPS software and digital certificates Russian manufacturer - company "Aladdin RD" .
In the Astra Linux Directory (ALD) environment, JaCarta PKI electronic keys can be used for two-factor authentication of a user in the ALD domain and refusal of passwords. In addition, with the same electronic keys, you can execute various scripts inside the OS, after authentication, such as: electronic signature, storage of key containers, access to Web resources, key forwarding in a MS Windows session. Access to VDI services such as VmWare or Citrix.
It is assumed that ALD has already been deployed, there is at least one domain user that can authenticate with a password, the time of the client and server are the same.
To ensure working with the JaCarta PKI smart card on the client and server, install the following packages: libccid, pcscd, libpcsclite1 . After installing these required packages, install the IDProtectClient driver package , which can be downloaded from the Aladdin R.D. official site.
To ensure working with the Kerberos subsystem smart card, in addition to the pre-installed ald / kerberos packages, install the krb5-pkinit package on the client and server.
To enable the issuance of keys and certificates on JaCarta PKI on the server, also install the libengine-pkcs11-openssl and opensc packages .
OpenSSL will be used as a certification authority (CA) . OpenSSL is an open source cryptographic package for working with SSL / TLS. Allows you to create RSA, DH, DSA keys and X.509 certificates, sign them, generate CSR and CRT. All settings in the manual are performed for the test domain EXAMPLE.RU. Assume that the server and client belong to the EXAMPLE.RU domain, the server name is kdc, and the client is client. When setting up, use the name of your domain, server, and client. Follow these steps.
The contents of the pkinit_extensions file (it should be put in the directory where you execute the commands from):
Make sure the libengine-pkcs11-openssl and opensc packages are installed . Connect the device to be prepared.
Initialize the device, set the user PIN. Remember that initializing the device will delete all data on the JaCarta PKI without the possibility of recovery.
To initialize, you need to use the pkcs11-tool utility .
pkcs11-tool --slot 0 --init-token --so-pin 00000000 --label 'JaCarta PKI' --module /lib64/libASEP11.so,
where:
--slot 0 - indicates which virtual slot the device is connected to . Typically, this is slot 0, but there may be other values - 1.2, etc .;
--init-token - token initialization command;
--so-pin 00000000 - JaCarta PKI admin PIN. The default value is 00000000;
--label 'JaCarta PKI' - device label;
--module /lib64/libASEP11.so - indicates the path to the libASEP11.so library. It is installed as part of the idprotectclient package, see the “Installing drivers on the server and client” section.
To set the user PIN, use the command:
pkcs11-tool --slot 0 --init-pin --so-pin 00000000 --login --pin 11111111 --module /lib64/libASEP11.so,
where:
--slot 0 - indicates which virtual slot the device is connected to. Typically, this is slot 0, but there may be other values - 1.2, etc .;
--init-pin - command to set the user's PIN code;
--so-pin 00000000 - JaCarta PKI admin PIN. The default value is 00000000;
--login - login command;
--pin 11111111 - user PIN to be set;
--module /lib64/libASEP11.so - indicates the path to the libASEP11.so library. It is installed as part of the idprotectclient package, see the “Installing drivers on the server and client” section.
Generate keys on the device by entering the following command:
pkcs11-tool --slot 0 --login --pin 11111111 --keypairgen --key-type rsa: 2048 --id 42 --label “test1 key” --module /lib64/libASEP11.so,
where:
--slot 0- indicates which virtual slot the device is connected to. Typically, this is slot 0, but there may be other values - 1.2, etc .;
--login --pin 11111111 - indicates that a login should be made under the user with the PIN code "11111111". If your card has a different user PIN, enter it;
--keypairgen --key-type rsa: 2048 - indicates that keys with a length of 2048 bits should be generated;
--id 42 - sets the attribute CKA_ID of the key. CKA_ID can be any;
Remember this value! It is necessary for further steps in preparing the device for operation.
--label “test1 key” - sets the attribute CKA_LABEL of the key. The attribute can be any;
--module /lib64/libASEP11.so- indicates the path to the libASEP11.so library. It is installed as part of the idprotectclient package, see the “Installing drivers on the server and client” section.
Generate a certificate request using the openssl utility. To do this, enter the following commands:
Pay attention to -new -key 0:42 , where 0 is the number of the virtual slot with the device, 42 is the attribute CKA_ID of the keys generated earlier.
Information that must be specified in the request should be specified in the field "/ C = RU / ST = Moscow / L = Moscow / O = Aladdin / OU = dev / CN = test1 (! Your_User!) / EmailAddress=test1@mail.com "
It is necessary to set environment variables
$ export REALM = EXAMPLE.RU # your domain
$ export CLIENT = test1 # your user
and issue a certificate for the user.
$ openssl x509 -CAkey cakey.pem -CA cacert.pem -req -in client.req -extensions client_cert -extfile pkinit_extensions -out client.pem –days 365
Next, encode the received certificate from PEM to DER.
# openssl x509 -in client.pem -out client.cer -inform PEM -outform DER
Record the received token certificate.
pkcs11-tool --slot 0 --login --pin 11111111 --write-object client.cer --type 'cert' --label 'Certificate' --id 42 --module /lib/libASEP11.so,
where:
--slot 0 - indicates which virtual slot the device is connected to. Typically, this is slot 0, but there may be other values - 1.2, etc .;
--login --pin 11111111 - indicates that a login should be made under the user with the PIN code "11111111". If your card has a different user PIN, enter it;
--write-object ./client.cer - indicates that it is necessary to write the object and the path to it;
--type 'cert'- indicates that the type of object being recorded is a certificate;
'cert' --label 'Certificate' - sets the CKA_LABEL attribute of the certificate. The attribute can be any;
- id 42 - sets the attribute CKA_ID of the certificate. The same CKA_ID must be specified as for keys;
- module /lib64/libASEP11.so - indicates the path to the libASEP11.so library.
Create the directory / etc / krb5 / on the client . Copy the CA certificate (cacert.pem) from the server into / etc / krb5 / . Configure kerberos in /etc/krb5.conf. The [libdefaults] section is completed with the following lines.
Check:
kinit When the PIN-code request line for the card appears, enter it.
To verify that the kerberos ticket was successfully received for the user, enter the klist command. To delete a ticket - kdestroy.
To enter the domain using a smart card, on the OS login screen, instead of a password, enter the PIN code from the smart card.
This completes the setup. Yes, unfortunately, the system itself will not change or adjust the login window for a smart card, and it will be standard, but if you make a little secret effort, you can achieve a beautiful result.
The benefit of this solution is obvious - it allows you to abandon password authentication of the user, which will help to drastically reduce the impact of the "human factor" on the security of the system. Plus, this will give a number of advantages from the use of electronic keys inside the operating system, after authentication in the domain.
A bit of intro about Astra Linux Directory (ALD) and JaCarta PKI
Domain Astra Linux Directory (ALD) is designed to organize a single user space (domain local area network) in automated systems.
ALD uses LDAP, Kerberos5, Samba / CIFS technologies and provides:
- centralized storage and management of user and group accounts;
- end-to-end user authentication in the domain using the Kerberos5 protocol;
- functioning of a global repository of home directories accessible via Samba / CIFS;
- automatic configuration of UNIX, LDAP, Kerberos, Samba, PAM configuration files;
- support for LDAP and Kerberos database compliance;
- Creating backup copies of the LDAP and Kerberos databases with the possibility of recovery;
- integration into the domain of the DBMS included in the distribution package, e-mail servers, Web servers, print servers, and other features.
The PKI JaCarta - a line of PKI-tokens for strong user authentication for enterprise applications, secure storage of key containers CPS software and digital certificates Russian manufacturer - company "Aladdin RD" .
In the Astra Linux Directory (ALD) environment, JaCarta PKI electronic keys can be used for two-factor authentication of a user in the ALD domain and refusal of passwords. In addition, with the same electronic keys, you can execute various scripts inside the OS, after authentication, such as: electronic signature, storage of key containers, access to Web resources, key forwarding in a MS Windows session. Access to VDI services such as VmWare or Citrix.
Setup process
Demo Zone Example
- Server - Astra Linux Smolensk SE 1.5 4.2.0-23-generic, x86_64, with installed packages:
- JaCarta IDProtect 6.37 ;
- libccid
- pcscd;
- libpcsclite1;
- krb5-pkinit;
- libengine-pkcs11-openssl;
- opensc.
- JaCarta IDProtect 6.37 ;
- Client - Astra Linux Smolensk SE 1.5 4.2.0-23-generic, x86_64, with installed packages:
- JaCarta IDProtect 6.37 ;
- libccid
- pcscd;
- libpcsclite1;
- krb5-pkinit.
- JaCarta IDProtect 6.37 ;
It is assumed that ALD has already been deployed, there is at least one domain user that can authenticate with a password, the time of the client and server are the same.
Installing drivers on the server and client
To ensure working with the JaCarta PKI smart card on the client and server, install the following packages: libccid, pcscd, libpcsclite1 . After installing these required packages, install the IDProtectClient driver package , which can be downloaded from the Aladdin R.D. official site.
To ensure working with the Kerberos subsystem smart card, in addition to the pre-installed ald / kerberos packages, install the krb5-pkinit package on the client and server.
To enable the issuance of keys and certificates on JaCarta PKI on the server, also install the libengine-pkcs11-openssl and opensc packages .
Install and configure a certificate authority on a server
OpenSSL will be used as a certification authority (CA) . OpenSSL is an open source cryptographic package for working with SSL / TLS. Allows you to create RSA, DH, DSA keys and X.509 certificates, sign them, generate CSR and CRT. All settings in the manual are performed for the test domain EXAMPLE.RU. Assume that the server and client belong to the EXAMPLE.RU domain, the server name is kdc, and the client is client. When setting up, use the name of your domain, server, and client. Follow these steps.
- Create the CA directory with the command mkdir / etc / ssl / CA and navigate to it. Generated keys and certificates will be placed in this directory.
- Create a key and a CA certificate:
$ openssl genrsa -out cakey.pem 2048
$ openssl req -key cakey.pem -new -x509 –days 365 -out cacert.pem
In the dialog, fill out the necessary information about your certification authority. In the Common name, specify EXAMPLE.RU. - Create a key and a KDC certificate:
$ openssl genrsa -out kdckey.pem 2048
$ openssl req -new -out kdc.req -key kdckey.pem
In the dialog, fill out the necessary information about your server. In the Common name, specify kdc. - Set environment variables. Environment variables are set within the session and are not set for other sessions and are not saved after the session closes.
export REALM = EXAMPLE.RU - your domain
export CLIENT = kdc - your server - Download the pkinit_extensions file - http://dms.aladdin-rd.ru/970c5538-afbf-4a26-a7ef-d76550cbc435
The contents of the pkinit_extensions file (it should be put in the directory where you execute the commands from):
[ kdc_cert ]
basicConstraints=CA:FALSE
# Here are some examples of the usage of nsCertType. If it is omitted
keyUsage = nonRepudiation, digitalSignature, keyEncipherment, keyAgreement
#Pkinit EKU
extendedKeyUsage = 1.3.6.1.5.2.3.5
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer
# Copy subject details
issuerAltName=issuer:copy
# Add id-pkinit-san (pkinit subjectAlternativeName)
subjectAltName=otherName:1.3.6.1.5.2.2;SEQUENCE:kdc_princ_name
[kdc_princ_name]
realm = EXP:0, GeneralString:${ENV::REALM}
principal_name = EXP:1, SEQUENCE:kdc_principal_seq
[kdc_principal_seq]
name_type = EXP:0, INTEGER:1
name_string = EXP:1, SEQUENCE:kdc_principals
[kdc_principals]
princ1 = GeneralString:krbtgt
princ2 = GeneralString:${ENV::REALM}
[ client_cert ]
# These extensions are added when 'ca' signs a request.
basicConstraints=CA:FALSE
keyUsage = digitalSignature, keyEncipherment, keyAgreement
extendedKeyUsage = 1.3.6.1.5.2.3.4
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer
subjectAltName=otherName:1.3.6.1.5.2.2;SEQUENCE:princ_name
# Copy subject details
issuerAltName=issuer:copy
[princ_name]
realm = EXP:0, GeneralString:${ENV::REALM}
principal_name = EXP:1, SEQUENCE:principal_seq
[principal_seq]
name_type = EXP:0, INTEGER:1
name_string = EXP:1, SEQUENCE:principals
[principals]
princ1 = GeneralString:${ENV::CLIENT}
- Issue a KDC certificate:
$ openssl x509 -req -in kdc.req -CAkey cakey.pem -CA cacert.pem -out kdc.pem -extfile pkinit_extensions -extensions kdc_cert –CAcreateserial –days 365 - Files kdc.pem, kdckey.pem, cacert.pem transfer to / var / lib / krb5kdc /
- Back up the /etc/krb5kdc/kdc.conf file. Edit /etc/krb5kdc/kdc.conf to add the [kdcdefaults] section with the following entries:
pkinit_identity = FILE: /var/lib/krb5kdc/kdc.pem,/var/lib/krb5kdc/kdckey.pem
pkinit_ch var lib / krb5kdc / cacert.pem
The first entry specifies the keys and server certificate, and the second indicates the root certificate of the certification authority. - To accept the changes, run:
/etc/init.d/krb5-admin-server restart
/etc/init.d/krb5-kdc restart
Preparing a smart card. Issue keys and user certificate
Make sure the libengine-pkcs11-openssl and opensc packages are installed . Connect the device to be prepared.
Initialize the device, set the user PIN. Remember that initializing the device will delete all data on the JaCarta PKI without the possibility of recovery.
To initialize, you need to use the pkcs11-tool utility .
pkcs11-tool --slot 0 --init-token --so-pin 00000000 --label 'JaCarta PKI' --module /lib64/libASEP11.so,
where:
--slot 0 - indicates which virtual slot the device is connected to . Typically, this is slot 0, but there may be other values - 1.2, etc .;
--init-token - token initialization command;
--so-pin 00000000 - JaCarta PKI admin PIN. The default value is 00000000;
--label 'JaCarta PKI' - device label;
--module /lib64/libASEP11.so - indicates the path to the libASEP11.so library. It is installed as part of the idprotectclient package, see the “Installing drivers on the server and client” section.
To set the user PIN, use the command:
pkcs11-tool --slot 0 --init-pin --so-pin 00000000 --login --pin 11111111 --module /lib64/libASEP11.so,
where:
--slot 0 - indicates which virtual slot the device is connected to. Typically, this is slot 0, but there may be other values - 1.2, etc .;
--init-pin - command to set the user's PIN code;
--so-pin 00000000 - JaCarta PKI admin PIN. The default value is 00000000;
--login - login command;
--pin 11111111 - user PIN to be set;
--module /lib64/libASEP11.so - indicates the path to the libASEP11.so library. It is installed as part of the idprotectclient package, see the “Installing drivers on the server and client” section.
Generate keys on the device by entering the following command:
pkcs11-tool --slot 0 --login --pin 11111111 --keypairgen --key-type rsa: 2048 --id 42 --label “test1 key” --module /lib64/libASEP11.so,
where:
--slot 0- indicates which virtual slot the device is connected to. Typically, this is slot 0, but there may be other values - 1.2, etc .;
--login --pin 11111111 - indicates that a login should be made under the user with the PIN code "11111111". If your card has a different user PIN, enter it;
--keypairgen --key-type rsa: 2048 - indicates that keys with a length of 2048 bits should be generated;
--id 42 - sets the attribute CKA_ID of the key. CKA_ID can be any;
Remember this value! It is necessary for further steps in preparing the device for operation.
--label “test1 key” - sets the attribute CKA_LABEL of the key. The attribute can be any;
--module /lib64/libASEP11.so- indicates the path to the libASEP11.so library. It is installed as part of the idprotectclient package, see the “Installing drivers on the server and client” section.
Generate a certificate request using the openssl utility. To do this, enter the following commands:
#openssl
OpenSSL> engine dynamic -pre SO_PATH:/usr/lib/ssl/engines/engine_pkcs11.so -pre ID:pkcs11 -pre LIST_ADD:1 -pre LOAD -pre MODULE_PATH:/lib64/libASEP11.so
OpenSSL> req -engine pkcs11 -new -key 0:42 -keyform engine -out client.req -subj "/C=RU/ST=Moscow/L=Moscow/O=Aladdin/OU=dev/CN=test1 (!Ваш_Пользователь!)/emailAddress=test1@mail.com"
OpenSSL>quit.
Pay attention to -new -key 0:42 , where 0 is the number of the virtual slot with the device, 42 is the attribute CKA_ID of the keys generated earlier.
Information that must be specified in the request should be specified in the field "/ C = RU / ST = Moscow / L = Moscow / O = Aladdin / OU = dev / CN = test1 (! Your_User!) / EmailAddress=test1@mail.com "
It is necessary to set environment variables
$ export REALM = EXAMPLE.RU # your domain
$ export CLIENT = test1 # your user
and issue a certificate for the user.
$ openssl x509 -CAkey cakey.pem -CA cacert.pem -req -in client.req -extensions client_cert -extfile pkinit_extensions -out client.pem –days 365
Next, encode the received certificate from PEM to DER.
# openssl x509 -in client.pem -out client.cer -inform PEM -outform DER
Record the received token certificate.
pkcs11-tool --slot 0 --login --pin 11111111 --write-object client.cer --type 'cert' --label 'Certificate' --id 42 --module /lib/libASEP11.so,
where:
--slot 0 - indicates which virtual slot the device is connected to. Typically, this is slot 0, but there may be other values - 1.2, etc .;
--login --pin 11111111 - indicates that a login should be made under the user with the PIN code "11111111". If your card has a different user PIN, enter it;
--write-object ./client.cer - indicates that it is necessary to write the object and the path to it;
--type 'cert'- indicates that the type of object being recorded is a certificate;
'cert' --label 'Certificate' - sets the CKA_LABEL attribute of the certificate. The attribute can be any;
- id 42 - sets the attribute CKA_ID of the certificate. The same CKA_ID must be specified as for keys;
- module /lib64/libASEP11.so - indicates the path to the libASEP11.so library.
Client setup Health Check
Create the directory / etc / krb5 / on the client . Copy the CA certificate (cacert.pem) from the server into / etc / krb5 / . Configure kerberos in /etc/krb5.conf. The [libdefaults] section is completed with the following lines.
[libdefaults]
default_realm = EXAMPLE.RU
pkinit_anchors = FILE:/etc/krb5/cacert.pem
# для аутентификации по токену
pkinit_identities = PKCS11:/lib64/libASEP11.so
Check:
kinit When the PIN-code request line for the card appears, enter it.
To verify that the kerberos ticket was successfully received for the user, enter the klist command. To delete a ticket - kdestroy.
To enter the domain using a smart card, on the OS login screen, instead of a password, enter the PIN code from the smart card.
This completes the setup. Yes, unfortunately, the system itself will not change or adjust the login window for a smart card, and it will be standard, but if you make a little secret effort, you can achieve a beautiful result.