vasco/FSI
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

grupo totp

Browse Source
This commit is contained in:
Vasco
2026-04-27 23:24:27 +01:00
parent 53e24aa2ea
commit 10e2db0f38
7 changed files with 51 additions and 23 deletions
Download Patch File Download Diff File Expand all files Collapse all files

22
VM_OPENSSL_APACHE.sh
View File

@@ -7,6 +7,18 @@ sudo yum install -y epel-release
sudo yum install -y openssl httpd mod_ssl mod_authnz_pam google-authenticator sudo yum install -y openssl httpd mod_ssl mod_authnz_pam google-authenticator
sudo yum install -y mod_session sudo yum install -y mod_session
# utilizador
id -u john &>/dev/null || useradd john
echo "password" | passwd --stdin john
# dar acesso ao apache para ler o .google_authenticator
groupadd -f totp
usermod -aG totp apache
usermod -aG totp john
sudo chown apache:totp /home/john/.google_authenticator
sudo chmod 660 /home/john/.google_authenticator
if_dentro="enp0s8" if_dentro="enp0s8"
ip_dentro="10.60.0.1" ip_dentro="10.60.0.1"
ifconfig $if_dentro $ip_dentro netmask 255.255.255.0 ifconfig $if_dentro $ip_dentro netmask 255.255.255.0
@@ -34,6 +46,7 @@ cp ca/ca.crt /etc/httpd/ssl/
cp ca/apache.crt /etc/httpd/ssl/ cp ca/apache.crt /etc/httpd/ssl/
cp ca/apache.key /etc/httpd/ssl/ cp ca/apache.key /etc/httpd/ssl/
cp conf/ssl.conf /etc/httpd/conf.d/ssl.conf cp conf/ssl.conf /etc/httpd/conf.d/ssl.conf
cp conf/httpd.conf /etc/httpd/conf/httpd.conf
cp conf/httpd-totp /etc/pam.d/httpd-totp cp conf/httpd-totp /etc/pam.d/httpd-totp
# NOTA(vasco) é preciso desativar home protection outra vez # NOTA(vasco) é preciso desativar home protection outra vez
@@ -51,12 +64,3 @@ cp -r www/* /var/www/html/
chown -R apache:apache /var/www/html/ chown -R apache:apache /var/www/html/
systemctl enable --now httpd systemctl enable --now httpd
# acho ?????
sudo chgrp apache /etc/shadow
sudo chmod o+x /home/john
sudo chown apache /home/john/.google_authenticator
sudo chmod 400 /home/john/.google_authenticator
sudo chmod o+x /home/user
sudo chown apache /home/user/.google_authenticator
sudo chmod 400 /home/user/.google_authenticator

24
VM_VPN_GATEWAY.sh
View File

@@ -8,7 +8,6 @@
source VM_CONFIG.sh source VM_CONFIG.sh
yum install -y google-authenticator qrencode ntpsec yum install -y google-authenticator qrencode ntpsec
# --- forwarding --- # # --- forwarding --- #
if_fora="enp0s8" if_fora="enp0s8"
ip_fora="193.136.212.1" ip_fora="193.136.212.1"
@@ -23,13 +22,13 @@ ifconfig $if_dentro $ip_dentro netmask 255.255.255.0
echo "net.ipv4.ip_forward = 1" >> /etc/sysctl.conf echo "net.ipv4.ip_forward = 1" >> /etc/sysctl.conf
sysctl -p /etc/sysctl.conf sysctl -p /etc/sysctl.conf
iptables -I INPUT 1 -p udp --dport 1194 -j ACCEPT # :O iptables -I INPUT 1 -p udp --dport 1194 -j ACCEPT
iptables -I FORWARD 1 -i $mega_tunel -o $if_dentro -j ACCEPT # :P iptables -I FORWARD 1 -i $mega_tunel -o $if_dentro -j ACCEPT
iptables -I FORWARD 1 -i $if_dentro -o $mega_tunel -j ACCEPT # ;) iptables -I FORWARD 1 -i $if_dentro -o $mega_tunel -j ACCEPT
iptables -I FORWARD 1 -i $mega_tunel -o $if_fora -j ACCEPT # faltava isto ? iptables -I FORWARD 1 -i $mega_tunel -o $if_fora -j ACCEPT
iptables -I FORWARD 1 -i $if_fora -m state --state ESTABLISHED,RELATED -j ACCEPT # faltava isto ? iptables -I FORWARD 1 -i $if_fora -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -A POSTROUTING -s $ip_mega_tunel -o $if_fora -j MASQUERADE # :D iptables -t nat -A POSTROUTING -s $ip_mega_tunel -o $if_fora -j MASQUERADE
iptables-save > /etc/sysconfig/iptables # :3 iptables-save > /etc/sysconfig/iptables
# --- vpn server --- # # --- vpn server --- #
vpn_dir="/etc/openvpn/server" vpn_dir="/etc/openvpn/server"
@@ -42,3 +41,12 @@ cp conf/vpn.conf $vpn_dir
cp conf/ocsp-verify.sh $vpn_dir cp conf/ocsp-verify.sh $vpn_dir
cp conf/totp /etc/pam.d/ cp conf/totp /etc/pam.d/
systemctl enable --now openvpn-server@vpn.service systemctl enable --now openvpn-server@vpn.service
# --- utilizador --- #
id -u john &>/dev/null || useradd john
echo "password" | passwd --stdin john
groupadd -f totp
usermod -aG totp john
usermod -aG totp openvpn
sudo chown john:totp /home/john/.google_authenticator
sudo chmod 660 /home/john/.google_authenticator

2
relatorio/relatorio.aux
View File

@@ -24,7 +24,7 @@
\@writefile{toc}{\contentsline {subsection}{\numberline {5.2}Configuração do Serviço Apache}{9}{subsection.5.2}\protected@file@percent } \@writefile{toc}{\contentsline {subsection}{\numberline {5.2}Configuração do Serviço Apache}{9}{subsection.5.2}\protected@file@percent }
\@writefile{toc}{\contentsline {subsubsection}{\numberline {5.2.1}Testes}{9}{subsubsection.5.2.1}\protected@file@percent } \@writefile{toc}{\contentsline {subsubsection}{\numberline {5.2.1}Testes}{9}{subsubsection.5.2.1}\protected@file@percent }
\@writefile{toc}{\contentsline {subsection}{\numberline {5.3}Configuração do Serviço OpenSSL}{9}{subsection.5.3}\protected@file@percent } \@writefile{toc}{\contentsline {subsection}{\numberline {5.3}Configuração do Serviço OpenSSL}{9}{subsection.5.3}\protected@file@percent }
\@writefile{toc}{\contentsline {subsubsection}{\numberline {5.3.1}Testes}{9}{subsubsection.5.3.1}\protected@file@percent } \@writefile{toc}{\contentsline {subsubsection}{\numberline {5.3.1}Testes}{10}{subsubsection.5.3.1}\protected@file@percent }
\@writefile{toc}{\contentsline {section}{\numberline {6}Teste Integrado}{10}{section.6}\protected@file@percent } \@writefile{toc}{\contentsline {section}{\numberline {6}Teste Integrado}{10}{section.6}\protected@file@percent }
\@writefile{toc}{\contentsline {section}{\numberline {7}Conclusão}{10}{section.7}\protected@file@percent } \@writefile{toc}{\contentsline {section}{\numberline {7}Conclusão}{10}{section.7}\protected@file@percent }
\gdef \@abspage@last{10} \gdef \@abspage@last{10}

13
relatorio/relatorio.log
View File

@@ -1,4 +1,4 @@
This is pdfTeX, Version 3.141592653-2.6-1.40.29 (TeX Live 2026/Arch Linux) (preloaded format=pdflatex 2026.4.13) 27 APR 2026 20:43 This is pdfTeX, Version 3.141592653-2.6-1.40.29 (TeX Live 2026/Arch Linux) (preloaded format=pdflatex 2026.4.13) 27 APR 2026 22:37
entering extended mode entering extended mode
\write18 enabled. \write18 enabled.
%&-line parsing enabled. %&-line parsing enabled.
@@ -1221,8 +1221,13 @@ Package pdftex.def Info: google-authenticator.jpg used on input line 314.
\openout6 = `relatorio.listing'. \openout6 = `relatorio.listing'.
(/home/raw/uni/fsi/trabalho/relatorio/relatorio.listing) [8 </home/raw/uni/fsi/ (/home/raw/uni/fsi/trabalho/relatorio/relatorio.listing)
trabalho/relatorio/google-authenticator.jpg>] Overfull \hbox (2.06862pt too wide) in paragraph at lines 352--356
\T1/Raleway-OsF/m/n/10.95 Para ve-ri-fi-car que o OCSP fun-ci-ona cor-rec-ta-me
nte, o cli-ente co-nec-tou ao ser-vi-dor OpenVPN:
[]
[8 </home/raw/uni/fsi/trabalho/relatorio/google-authenticator.jpg>]
\openout6 = `relatorio.listing'. \openout6 = `relatorio.listing'.
@@ -1256,7 +1261,7 @@ xmf-dist/fonts/type1/impallari/raleway/Raleway-Regular.pfb></usr/share/texmf-di
st/fonts/type1/public/cm-super/sftt0900.pfb></usr/share/texmf-dist/fonts/type1/ st/fonts/type1/public/cm-super/sftt0900.pfb></usr/share/texmf-dist/fonts/type1/
public/cm-super/sftt1095.pfb> public/cm-super/sftt1095.pfb>
Output written on /home/raw/uni/fsi/trabalho/relatorio/relatorio.pdf (10 pages, Output written on /home/raw/uni/fsi/trabalho/relatorio/relatorio.pdf (10 pages,
168978 bytes). 169461 bytes).
PDF statistics: PDF statistics:
387 PDF objects out of 1000 (max. 8388607) 387 PDF objects out of 1000 (max. 8388607)
336 compressed objects within 4 object streams 336 compressed objects within 4 object streams

BIN
relatorio/relatorio.pdf
View File

Binary file not shown.

11
relatorio/relatorio.tex
View File

@@ -346,6 +346,17 @@ auth SHA256
\subsection{Testes} \subsection{Testes}
% TODO: screenshots? dizer que erros exatos nos obtemos a cada etapa
% TODO: erros ortograficos lol
Para verificar que o OCSP funciona correctamente, o cliente conectou ao servidor OpenVPN:
primeiro, sem o servidor OCSP a correr, uma segunda vez com ele a correr e com o certificado correcto
e uma terceira vez com um certificado revogado. Fizemos estes testes sabendo que o
cliente e o servidor já estavam correctamente configurados.
Verificamos que, como é suposto: sem OCSP não é possivel autenticar; com OCSP e com certificado válido,
podemos autenticar; e com OCSP mas com certificado revogado, a autenticação falha.
\section{Servidor Apache e OCSP} \section{Servidor Apache e OCSP}
\subsection{Configuração da Máquina} \subsection{Configuração da Máquina}

2
relatorio/relatorio.toc
View File

@@ -17,6 +17,6 @@
\contentsline {subsection}{\numberline {5.2}Configuração do Serviço Apache}{9}{subsection.5.2}% \contentsline {subsection}{\numberline {5.2}Configuração do Serviço Apache}{9}{subsection.5.2}%
\contentsline {subsubsection}{\numberline {5.2.1}Testes}{9}{subsubsection.5.2.1}% \contentsline {subsubsection}{\numberline {5.2.1}Testes}{9}{subsubsection.5.2.1}%
\contentsline {subsection}{\numberline {5.3}Configuração do Serviço OpenSSL}{9}{subsection.5.3}% \contentsline {subsection}{\numberline {5.3}Configuração do Serviço OpenSSL}{9}{subsection.5.3}%
\contentsline {subsubsection}{\numberline {5.3.1}Testes}{9}{subsubsection.5.3.1}% \contentsline {subsubsection}{\numberline {5.3.1}Testes}{10}{subsubsection.5.3.1}%
\contentsline {section}{\numberline {6}Teste Integrado}{10}{section.6}% \contentsline {section}{\numberline {6}Teste Integrado}{10}{section.6}%
\contentsline {section}{\numberline {7}Conclusão}{10}{section.7}% \contentsline {section}{\numberline {7}Conclusão}{10}{section.7}%