vasco/FSI
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

kill me

Browse Source
This commit is contained in:
Vasco
2026-04-28 11:20:26 +01:00
parent 0b337a2117
commit 288b10550c
10 changed files with 172 additions and 135 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
VM_CONFIG.sh
View File

@@ -28,9 +28,3 @@ mkdir -p /etc/openvpn/client
systemctl stop chronyd systemctl stop chronyd
ntpdate pool.ntp.org ntpdate pool.ntp.org
systemctl start chronyd systemctl start chronyd
# NOTE(vasco): o openvpn não consegui aceder ao home e ler os secrets
# do google authenticator, por isso fiz isto:
mkdir -p /etc/systemd/system/openvpn-server@.service.d
echo -e "[Service]\nProtectHome=false" > /etc/systemd/system/openvpn-server@.service.d/override.conf
systemctl daemon-reload

13
VM_OPENSSL_APACHE.sh
View File

@@ -11,11 +11,6 @@ sudo yum install -y mod_session
id -u john &>/dev/null || useradd john id -u john &>/dev/null || useradd john
echo "password" | passwd --stdin john echo "password" | passwd --stdin john
# dar acesso ao apache para ler o .google_authenticator
usermod -aG apache john
sudo chown apache:apache /home/john/.google_authenticator
sudo chmod 660 /home/john/.google_authenticator
if_dentro="enp0s8" if_dentro="enp0s8"
ip_dentro="10.60.0.1" ip_dentro="10.60.0.1"
ifconfig $if_dentro $ip_dentro netmask 255.255.255.0 ifconfig $if_dentro $ip_dentro netmask 255.255.255.0
@@ -36,7 +31,6 @@ cp ca/dh2048.pem $CA_DIR
killall openssl 2>/dev/null killall openssl 2>/dev/null
openssl ocsp -index $CA_DIR/index.txt -port 8888 -rsigner $CA_DIR/ca.crt -rkey $CA_DIR/ca.key -CA $CA_DIR/ca.crt -text & openssl ocsp -index $CA_DIR/index.txt -port 8888 -rsigner $CA_DIR/ca.crt -rkey $CA_DIR/ca.key -CA $CA_DIR/ca.crt -text &
# apache # apache
mkdir -p /etc/httpd/ssl mkdir -p /etc/httpd/ssl
cp ca/ca.crt /etc/httpd/ssl/ cp ca/ca.crt /etc/httpd/ssl/
@@ -46,11 +40,6 @@ cp conf/ssl.conf /etc/httpd/conf.d/ssl.conf
cp conf/httpd.conf /etc/httpd/conf/httpd.conf cp conf/httpd.conf /etc/httpd/conf/httpd.conf
cp conf/httpd-totp /etc/pam.d/httpd-totp cp conf/httpd-totp /etc/pam.d/httpd-totp
# NOTA(vasco) é preciso desativar home protection outra vez
mkdir -p /etc/systemd/system/httpd.service.d
echo -e "[Service]\nProtectHome=false" > /etc/systemd/system/httpd.service.d/override.conf
systemctl daemon-reload
# sim, é preciso fazer isto para carregar serviços # sim, é preciso fazer isto para carregar serviços
echo "LoadModule session_module modules/mod_session.so" > /etc/httpd/conf.modules.d/01-session.conf echo "LoadModule session_module modules/mod_session.so" > /etc/httpd/conf.modules.d/01-session.conf
echo "LoadModule session_cookie_module modules/mod_session_cookie.so" >> /etc/httpd/conf.modules.d/01-session.conf echo "LoadModule session_cookie_module modules/mod_session_cookie.so" >> /etc/httpd/conf.modules.d/01-session.conf
@@ -60,4 +49,4 @@ echo "LoadModule auth_form_module modules/mod_auth_form.so" > /etc/httpd/conf.mo
cp -r www/* /var/www/html/ cp -r www/* /var/www/html/
chown -R apache:apache /var/www/html/ chown -R apache:apache /var/www/html/
systemctl enable --now httpd httpd -X

1
VM_ROAD_WARRIOR.sh
View File

@@ -16,4 +16,5 @@ cp ca/ca.crt $vpn_dir
cp ca/user.key $vpn_dir cp ca/user.key $vpn_dir
cp ca/user.crt $vpn_dir cp ca/user.crt $vpn_dir
cp conf/client.conf $vpn_dir cp conf/client.conf $vpn_dir
openvpn --config "${vpn_dir}/client.conf" openvpn --config "${vpn_dir}/client.conf"

6
VM_VPN_GATEWAY.sh
View File

@@ -40,11 +40,9 @@ cp ca/dh2048.pem $vpn_dir
cp conf/vpn.conf $vpn_dir cp conf/vpn.conf $vpn_dir
cp conf/ocsp-verify.sh $vpn_dir cp conf/ocsp-verify.sh $vpn_dir
cp conf/totp /etc/pam.d/ cp conf/totp /etc/pam.d/
systemctl enable --now openvpn-server@vpn.service
# --- utilizador --- # # --- utilizador --- #
id -u john &>/dev/null || useradd john id -u john &>/dev/null || useradd john
echo "password" | passwd --stdin john echo "password" | passwd --stdin john
usermod -aG openvpn john
sudo chown john:openvpn /home/john/.google_authenticator openvpn --config /etc/openvpn/server/vpn.conf
sudo chmod 660 /home/john/.google_authenticator

2
conf/httpd-totp
View File

@@ -1,3 +1,3 @@
auth required pam_google_authenticator.so forward_pass secret=/home/${USER}/.google_authenticator user=apache auth required pam_google_authenticator.so forward_pass secret=/etc/httpd/totp/${USER} user=apache
auth required pam_unix.so use_first_pass auth required pam_unix.so use_first_pass
account required pam_unix.so account required pam_unix.so

18
relatorio/relatorio.aux
View File

@@ -14,17 +14,17 @@
\@writefile{toc}{\contentsline {subsection}{\numberline {3.1}Configuração da Máquina}{5}{subsection.3.1}\protected@file@percent } \@writefile{toc}{\contentsline {subsection}{\numberline {3.1}Configuração da Máquina}{5}{subsection.3.1}\protected@file@percent }
\@writefile{toc}{\contentsline {subsection}{\numberline {3.2}Configuração do Serviço OpenVPN}{6}{subsection.3.2}\protected@file@percent } \@writefile{toc}{\contentsline {subsection}{\numberline {3.2}Configuração do Serviço OpenVPN}{6}{subsection.3.2}\protected@file@percent }
\@writefile{toc}{\contentsline {subsection}{\numberline {3.3}Erros}{7}{subsection.3.3}\protected@file@percent } \@writefile{toc}{\contentsline {subsection}{\numberline {3.3}Erros}{7}{subsection.3.3}\protected@file@percent }
\@writefile{toc}{\contentsline {subsection}{\numberline {3.4}Configurar o utilizador com TOTP}{8}{subsection.3.4}\protected@file@percent } \@writefile{toc}{\contentsline {subsection}{\numberline {3.4}Configurar o utilizador com TOTP}{7}{subsection.3.4}\protected@file@percent }
\@writefile{toc}{\contentsline {section}{\numberline {4}VPN Client (Road Warrior)}{8}{section.4}\protected@file@percent } \@writefile{toc}{\contentsline {section}{\numberline {4}VPN Client (Road Warrior)}{8}{section.4}\protected@file@percent }
\@writefile{toc}{\contentsline {subsection}{\numberline {4.1}Configuração da Máquina}{8}{subsection.4.1}\protected@file@percent } \@writefile{toc}{\contentsline {subsection}{\numberline {4.1}Configuração da Máquina}{8}{subsection.4.1}\protected@file@percent }
\@writefile{toc}{\contentsline {subsection}{\numberline {4.2}Configuração do Cliente OpenVPN}{8}{subsection.4.2}\protected@file@percent } \@writefile{toc}{\contentsline {subsection}{\numberline {4.2}Configuração do Cliente OpenVPN}{8}{subsection.4.2}\protected@file@percent }
\@writefile{toc}{\contentsline {subsection}{\numberline {4.3}Testes}{9}{subsection.4.3}\protected@file@percent } \@writefile{toc}{\contentsline {subsection}{\numberline {4.3}Testes}{9}{subsection.4.3}\protected@file@percent }
\@writefile{toc}{\contentsline {section}{\numberline {5}Servidor Apache e OCSP}{9}{section.5}\protected@file@percent } \@writefile{toc}{\contentsline {section}{\numberline {5}Servidor Apache e OCSP}{9}{section.5}\protected@file@percent }
\@writefile{toc}{\contentsline {subsection}{\numberline {5.1}Configuração da Máquina}{9}{subsection.5.1}\protected@file@percent } \@writefile{toc}{\contentsline {subsection}{\numberline {5.1}Configuração da Máquina}{10}{subsection.5.1}\protected@file@percent }
\@writefile{toc}{\contentsline {subsection}{\numberline {5.2}Configuração do Serviço Apache}{9}{subsection.5.2}\protected@file@percent } \@writefile{toc}{\contentsline {subsection}{\numberline {5.2}Configuração do Serviço Apache}{10}{subsection.5.2}\protected@file@percent }
\@writefile{toc}{\contentsline {subsubsection}{\numberline {5.2.1}Testes}{9}{subsubsection.5.2.1}\protected@file@percent } \@writefile{toc}{\contentsline {subsubsection}{\numberline {5.2.1}Testes}{10}{subsubsection.5.2.1}\protected@file@percent }
\@writefile{toc}{\contentsline {subsection}{\numberline {5.3}Configuração do Serviço OpenSSL}{9}{subsection.5.3}\protected@file@percent } \@writefile{toc}{\contentsline {subsection}{\numberline {5.3}Configuração do Serviço OpenSSL}{11}{subsection.5.3}\protected@file@percent }
\@writefile{toc}{\contentsline {subsubsection}{\numberline {5.3.1}Testes}{10}{subsubsection.5.3.1}\protected@file@percent } \@writefile{toc}{\contentsline {subsubsection}{\numberline {5.3.1}Testes}{11}{subsubsection.5.3.1}\protected@file@percent }
\@writefile{toc}{\contentsline {section}{\numberline {6}Teste Integrado}{10}{section.6}\protected@file@percent } \@writefile{toc}{\contentsline {section}{\numberline {6}Teste Integrado}{11}{section.6}\protected@file@percent }
\@writefile{toc}{\contentsline {section}{\numberline {7}Conclusão}{10}{section.7}\protected@file@percent } \@writefile{toc}{\contentsline {section}{\numberline {7}Conclusão}{11}{section.7}\protected@file@percent }
\gdef \@abspage@last{10} \gdef \@abspage@last{11}

81
relatorio/relatorio.log
View File

@@ -1,4 +1,4 @@
This is pdfTeX, Version 3.141592653-2.6-1.40.29 (TeX Live 2026/Arch Linux) (preloaded format=pdflatex 2026.4.13) 27 APR 2026 22:37 This is pdfTeX, Version 3.141592653-2.6-1.40.29 (TeX Live 2026/Arch Linux) (preloaded format=pdflatex 2026.4.13) 28 APR 2026 11:20
entering extended mode entering extended mode
\write18 enabled. \write18 enabled.
%&-line parsing enabled. %&-line parsing enabled.
@@ -1160,16 +1160,16 @@ LaTeX Font Info: Font shape `T1/Raleway-OsF/b/n' will be
LaTeX Font Info: Font shape `T1/Raleway-OsF/m/it' will be LaTeX Font Info: Font shape `T1/Raleway-OsF/m/it' will be
(Font) scaled to size 10.95pt on input line 26. (Font) scaled to size 10.95pt on input line 26.
LaTeX Font Info: Font shape `T1/Raleway-OsF/bold/n' aliased to LaTeX Font Info: Font shape `T1/Raleway-OsF/bold/n' aliased to
(Font) `T1/Raleway-OsF/b/n' on input line 60. (Font) `T1/Raleway-OsF/b/n' on input line 59.
LaTeX Font Info: Font shape `T1/Raleway-OsF/b/n' will be LaTeX Font Info: Font shape `T1/Raleway-OsF/b/n' will be
(Font) scaled to size 12.0pt on input line 60. (Font) scaled to size 12.0pt on input line 59.
\g__tcobox_out_iow=\write6 \g__tcobox_out_iow=\write6
\openout6 = `relatorio.listing'. \openout6 = `relatorio.listing'.
LaTeX Font Info: Font shape `T1/cmtt/bx/n' in size <10.95> not available LaTeX Font Info: Font shape `T1/cmtt/bx/n' in size <10.95> not available
(Font) Font shape `T1/cmtt/m/n' tried instead on input line 92. (Font) Font shape `T1/cmtt/m/n' tried instead on input line 91.
LaTeX Font Info: Font shape `T1/cmtt/bx/n' in size <9> not available LaTeX Font Info: Font shape `T1/cmtt/bx/n' in size <9> not available
(Font) Font shape `T1/cmtt/m/n' tried instead on input line 92. (Font) Font shape `T1/cmtt/m/n' tried instead on input line 91.
(/usr/share/texmf-dist/tex/latex/listings/lstlang1.sty (/usr/share/texmf-dist/tex/latex/listings/lstlang1.sty
File: lstlang1.sty 2025/11/14 1.11b listings language file File: lstlang1.sty 2025/11/14 1.11b listings language file
@@ -1200,38 +1200,49 @@ LaTeX Font Info: Font shape `T1/Raleway-OsF/m/n' will be
\openout6 = `relatorio.listing'. \openout6 = `relatorio.listing'.
(/home/raw/uni/fsi/trabalho/relatorio/relatorio.listing)
\openout6 = `relatorio.listing'.
(/home/raw/uni/fsi/trabalho/relatorio/relatorio.listing) [6] (/home/raw/uni/fsi/trabalho/relatorio/relatorio.listing) [6]
\openout6 = `relatorio.listing'. \openout6 = `relatorio.listing'.
(/home/raw/uni/fsi/trabalho/relatorio/relatorio.listing) [7]
<google-authenticator.jpg, id=284, 225.84375pt x 447.6725pt>
File: google-authenticator.jpg Graphic file (type jpg)
<use google-authenticator.jpg>
Package pdftex.def Info: google-authenticator.jpg used on input line 314.
(pdftex.def) Requested size: 87.59998pt x 173.64207pt.
\openout6 = `relatorio.listing'.
(/home/raw/uni/fsi/trabalho/relatorio/relatorio.listing) (/home/raw/uni/fsi/trabalho/relatorio/relatorio.listing)
\openout6 = `relatorio.listing'. Overfull \hbox (30.82649pt too wide) in paragraph at lines 281--287
[]\T1/Raleway-OsF/m/n/10.95 Adicionalmente, de-vido às res-tri-ções de se-gu-ra
nça do \T1/Raleway-OsF/m/it/10.95 sys-temd\T1/Raleway-OsF/m/n/10.95 , ten-ta-mo
(/home/raw/uni/fsi/trabalho/relatorio/relatorio.listing) s de-sa-ti-var o \T1/cmtt/m/n/10.95 ProtectHome
Overfull \hbox (2.06862pt too wide) in paragraph at lines 352--356
\T1/Raleway-OsF/m/n/10.95 Para ve-ri-fi-car que o OCSP fun-ci-ona cor-rec-ta-me
nte, o cli-ente co-nec-tou ao ser-vi-dor OpenVPN:
[] []
[8 </home/raw/uni/fsi/trabalho/relatorio/google-authenticator.jpg>] <google-authenticator.jpg, id=244, 225.84375pt x 447.6725pt>
File: google-authenticator.jpg Graphic file (type jpg)
<use google-authenticator.jpg>
Package pdftex.def Info: google-authenticator.jpg used on input line 297.
(pdftex.def) Requested size: 87.59998pt x 173.64207pt.
LaTeX Warning: `h' float specifier changed to `ht'.
\openout6 = `relatorio.listing'.
(/home/raw/uni/fsi/trabalho/relatorio/relatorio.listing)
\openout6 = `relatorio.listing'. \openout6 = `relatorio.listing'.
(/home/raw/uni/fsi/trabalho/relatorio/relatorio.listing) [7]
\openout6 = `relatorio.listing'.
(/home/raw/uni/fsi/trabalho/relatorio/relatorio.listing) [8 </home/raw/uni/fsi/
trabalho/relatorio/google-authenticator.jpg>]
Overfull \hbox (2.06862pt too wide) in paragraph at lines 373--377
[]\T1/Raleway-OsF/m/n/10.95 Para ve-ri-fi-car que o OCSP fun-ci-ona cor-rec-ta-
mente, o cli-ente co-nec-tou ao ser-vi-dor OpenVPN:
[]
\openout6 = `relatorio.listing'.
(/home/raw/uni/fsi/trabalho/relatorio/relatorio.listing) [9] [10] (/home/raw/uni/fsi/trabalho/relatorio/relatorio.listing) [9] [10]
\openout6 = `relatorio.listing'.
(/home/raw/uni/fsi/trabalho/relatorio/relatorio.listing) [11]
(/home/raw/uni/fsi/trabalho/relatorio/relatorio.aux) (/home/raw/uni/fsi/trabalho/relatorio/relatorio.aux)
*********** ***********
LaTeX2e <2025-11-01> LaTeX2e <2025-11-01>
@@ -1248,10 +1259,10 @@ Package rerunfilecheck Info: Checksums for `relatorio.out':
(rerunfilecheck) After: FCCD2EDF8B7B6A2528F85719166C3546;3316. (rerunfilecheck) After: FCCD2EDF8B7B6A2528F85719166C3546;3316.
) )
Here is how much of TeX's memory you used: Here is how much of TeX's memory you used:
32007 strings out of 469495 32120 strings out of 469495
629242 string characters out of 5470098 630845 string characters out of 5470098
1506188 words of memory out of 5000000 1463188 words of memory out of 5000000
59884 multiletter control sequences out of 15000+600000 59935 multiletter control sequences out of 15000+600000
790677 words of font info for 87 fonts, out of 8000000 for 9000 790677 words of font info for 87 fonts, out of 8000000 for 9000
16 hyphenation exceptions out of 8191 16 hyphenation exceptions out of 8191
113i,8n,122p,500b,1792s stack positions out of 10000i,1000n,20000p,200000b,200000s 113i,8n,122p,500b,1792s stack positions out of 10000i,1000n,20000p,200000b,200000s
@@ -1260,11 +1271,11 @@ hare/texmf-dist/fonts/type1/impallari/raleway/Raleway-Italic.pfb></usr/share/te
xmf-dist/fonts/type1/impallari/raleway/Raleway-Regular.pfb></usr/share/texmf-di xmf-dist/fonts/type1/impallari/raleway/Raleway-Regular.pfb></usr/share/texmf-di
st/fonts/type1/public/cm-super/sftt0900.pfb></usr/share/texmf-dist/fonts/type1/ st/fonts/type1/public/cm-super/sftt0900.pfb></usr/share/texmf-dist/fonts/type1/
public/cm-super/sftt1095.pfb> public/cm-super/sftt1095.pfb>
Output written on /home/raw/uni/fsi/trabalho/relatorio/relatorio.pdf (10 pages, Output written on /home/raw/uni/fsi/trabalho/relatorio/relatorio.pdf (11 pages,
169461 bytes). 176542 bytes).
PDF statistics: PDF statistics:
387 PDF objects out of 1000 (max. 8388607) 465 PDF objects out of 1000 (max. 8388607)
336 compressed objects within 4 object streams 412 compressed objects within 5 object streams
214 named destinations out of 1000 (max. 500000) 274 named destinations out of 1000 (max. 500000)
162 words of extra memory for PDF output out of 10000 (max. 10000000) 162 words of extra memory for PDF output out of 10000 (max. 10000000)

BIN
relatorio/relatorio.pdf
View File

Binary file not shown.

144
relatorio/relatorio.tex
View File

@@ -48,7 +48,6 @@ pois esta contém o \textit{certificate authority} CA.
% e de uma password temporária (TOTP) de 6 dígitos. O servidor de Apache implementa a mesma autenticação. % e de uma password temporária (TOTP) de 6 dígitos. O servidor de Apache implementa a mesma autenticação.
\begin{tabular}{l l l} \begin{tabular}{l l l}
{\bf Nome} & {\bf Script} & {\bf Rede} \\\toprule {\bf Nome} & {\bf Script} & {\bf Rede} \\\toprule
Road Warrior & VM\_ROAD\_WARRIOR.sh & Rede Externa 193.168.0.0/24 \\ Road Warrior & VM\_ROAD\_WARRIOR.sh & Rede Externa 193.168.0.0/24 \\
VPN Gateway & VM\_OPENVPN\_GATEWAY.sh & Router \\ VPN Gateway & VM\_OPENVPN\_GATEWAY.sh & Router \\
@@ -165,6 +164,7 @@ de IP (NAT).
\begin{codeblock}[bash]{VM\_VPN\_GATEWAY.sh} \begin{codeblock}[bash]{VM\_VPN\_GATEWAY.sh}
#!/bin/bash #!/bin/bash
# --- configuracao --- # # --- configuracao --- #
source VM_CONFIG.sh source VM_CONFIG.sh
yum install -y google-authenticator qrencode ntpsec yum install -y google-authenticator qrencode ntpsec
@@ -201,7 +201,12 @@ cp ca/dh2048.pem $vpn_dir
cp conf/vpn.conf $vpn_dir cp conf/vpn.conf $vpn_dir
cp conf/ocsp-verify.sh $vpn_dir cp conf/ocsp-verify.sh $vpn_dir
cp conf/totp /etc/pam.d/ cp conf/totp /etc/pam.d/
systemctl enable --now openvpn-server@vpn.service
# --- utilizador --- #
id -u john &>/dev/null || useradd john
echo "password" | passwd --stdin john
openvpn --config /etc/openvpn/server/vpn.conf
\end{codeblock} \end{codeblock}
\subsection{Configuração do Serviço OpenVPN} \subsection{Configuração do Serviço OpenVPN}
@@ -252,38 +257,17 @@ e verifica o resultado.
\begin{codeblock}{ocsp\_verify.sh} \begin{codeblock}{ocsp\_verify.sh}
#!/bin/bash #!/bin/bash
# fonte: https://github.com/OpenVPN/openvpn/blob/master/contrib/OCSP_check/OCSP_check.sh depth=$1
if [ "$depth" -eq 0 ]; then
ocsp_url="http://10.60.0.1:8888" if [ -n "$tls_serial_0" ]; then
issuer="/etc/openvpn/server/ca.crt" # e preciso converter o serial para hexadecimal porque o openssl espera em hex
nonce="-no_nonce" hex_serial=$(printf '%x' "$tls_serial_0")
verify="/etc/openvpn/server/ca.crt" status=$(openssl ocsp -issuer /etc/openvpn/server/ca.crt -serial "0x$hex_serial" -url http://10.60.0.1:8888 -CAfile /etc/openvpn/server/ca.crt 2>/dev/null)
check_depth=0 if echo "$status" | grep -q "good"; then
exit 0 # sucesso
cur_depth=$1
common_name=$2
if [ -z "$issuer" ] || [ ! -e "$issuer" ] || [ -z "$verify" ] || [ ! -e "$verify" ] || [ -z "$ocsp_url" ]; then
exit 1
fi
if [ $check_depth -eq -1 ] || [ $cur_depth -eq $check_depth ]; then
eval serial="\$tls_serial_${cur_depth}"
if [ -n "$serial" ]; then
status=$(openssl ocsp -issuer "$issuer" "$nonce" -CAfile "$verify" -url "$ocsp_url" -serial "${serial}" 2>&1)
if [ $? -eq 0 ]; then
if echo "$status" | grep -Eq "(error|fail)"; then
exit 1
fi fi
exit 1 # revogado ou nao encontrado
if echo "$status" | grep -Eq "^${serial}: good" && echo "$status" | grep -Eq "^Response verify OK"; then
exit 0
fi fi
fi
fi
exit 1 exit 1
fi fi
\end{codeblock} \end{codeblock}
@@ -294,16 +278,12 @@ Um dos erros que encontramos pelo caminho foi que o OpenSSL OCSP espera que o
\textit{serial} esteja num formato diferente do que o esperado. Foi necessário \textit{serial} esteja num formato diferente do que o esperado. Foi necessário
converter para hexadecimal primeiro. converter para hexadecimal primeiro.
Adicionalmente, devido às restrições de segurança do \textit{systemd}, Adicionalmente, devido às restrições de segurança do \textit{systemd},
foi necessário desativar o \texttt{ProtectHome} no serviço do OpenVPN tentamos desativar o \texttt{ProtectHome} no serviço do OpenVPN
para que o plugin PAM consiga ler os ficheiros de segredo do Google Authenticator para que o plugin PAM consiga ler os ficheiros de segredo do Google Authenticator
localizados nas diretorias \textit{home} dos utilizadores. localizados nas diretorias \textit{home} dos utilizadores. Mas isto não
foi suficiente, por isso acabamos por correr os serviços pela linha
\begin{codeblock}{override.conf} de comandoos.
[Service]
ProtectHome=false
\end{codeblock}
\subsection{Configurar o utilizador com TOTP} \subsection{Configurar o utilizador com TOTP}
@@ -326,30 +306,39 @@ google-authenticator
\subsection{Configuração da Máquina} \subsection{Configuração da Máquina}
Para a configuração da Máquina, configuramos o edereço, o default gateway e adicionamos apache aos Hosts: Para a configuração da Máquina, configuramos o edereço, o default gateway e adicionamos apache aos Hosts:
\begin{codeblock}{VM_ROAD_WARRIOR.sh}
\begin{codeblock}{VM\_ROAD\_WARRIOR.sh}
#!/bin/bash
# --- configuracao --- #
source VM_CONFIG.sh
ifconfig enp0s8 193.136.212.10 netmask 255.255.255.0 ifconfig enp0s8 193.136.212.10 netmask 255.255.255.0
route add default gw 193.136.212.1 route add default gw 193.136.212.1
if ! grep -q "apache" /etc/hosts; then if ! grep -q "apache" /etc/hosts; then
echo "10.60.0.1 apache" >> /etc/hosts echo "10.60.0.1 apache" >> /etc/hosts
fi fi
\end{codeblock}
Esta configuração foi necessaria, porque sem edereço a VM não conseguia-se identificar na rede. Sem o default gateway # --- vpn client --- #
os edereços desconhecidos seriam enviados para a porta da internet, e adicionamos apache aos Hosts para que fosse igual
ao domain para não haver erros.
%(I dunno about this Apache part??) Also sinto que ainda precisa de mais um bocado.
Também foram movidos os certificados e chaves necessarias para as pastas do serviço openvpn, para que o Road Warrior
consiga comunicar e ser validado pela gateway.
\begin{codeblock}{VM_ROAD_WARRIOR.sh}
vpn_dir="/etc/openvpn/client/" vpn_dir="/etc/openvpn/client/"
cp ca/ta.key $vpn_dir cp ca/ta.key $vpn_dir
cp ca/ca.crt $vpn_dir cp ca/ca.crt $vpn_dir
cp ca/user.key $vpn_dir cp ca/user.key $vpn_dir
cp ca/user.crt $vpn_dir cp ca/user.crt $vpn_dir
cp conf/client.conf $vpn_dir cp conf/client.conf $vpn_dir
openvpn --config "${vpn_dir}/client.conf" openvpn --config "${vpn_dir}/client.conf"
\end{codeblock} \end{codeblock}
% Esta configuração foi necessaria, porque sem edereço a VM não conseguia-se identificar na rede. Sem o default gateway
% os edereços desconhecidos seriam enviados para a porta da internet, e adicionamos apache aos Hosts para que fosse igual
% ao domain para não haver erros.
%(I dunno about this Apache part??) Also sinto que ainda precisa de mais um bocado.
Também foram movidos os certificados e chaves necessarias para as pastas do serviço openvpn, para que o Road Warrior
consiga comunicar e ser validado pela gateway.
\subsection{Configuração do Cliente OpenVPN} \subsection{Configuração do Cliente OpenVPN}
O cliente encontra-se na rede externa (\texttt{193.136.212.10}) e liga-se à VPN O cliente encontra-se na rede externa (\texttt{193.136.212.10}) e liga-se à VPN
@@ -391,6 +380,61 @@ podemos autenticar; e com OCSP mas com certificado revogado, a autenticação fa
\section{Servidor Apache e OCSP} \section{Servidor Apache e OCSP}
\begin{codeblock}{VM\_OPENSSL\_APACHE.sh}
#!/bin/bash
# configuracao
source VM_CONFIG.sh
sudo yum install -y epel-release
sudo yum install -y openssl httpd mod_ssl mod_authnz_pam google-authenticator
sudo yum install -y mod_session
# utilizador
id -u john &>/dev/null || useradd john
echo "password" | passwd --stdin john
if_dentro="enp0s8"
ip_dentro="10.60.0.1"
ifconfig $if_dentro $ip_dentro netmask 255.255.255.0
# route de volta para comunicar com o warrior
route add -net 10.8.0.0 netmask 255.255.255.0 gw 10.60.0.3
cp conf/openssl.cnf /etc/pki/tls/
# copiar ca para esta VM
cp ca/index.txt $CA_DIR
cp ca/ca.crt $CA_DIR
cp ca/ca.key $CA_DIR
cp ca/serial $CA_DIR
cp ca/dh2048.pem $CA_DIR
# correr oscp
killall openssl 2>/dev/null
openssl ocsp -index $CA_DIR/index.txt -port 8888 -rsigner $CA_DIR/ca.crt -rkey $CA_DIR/ca.key -CA $CA_DIR/ca.crt -text &
# apache
mkdir -p /etc/httpd/ssl
cp ca/ca.crt /etc/httpd/ssl/
cp ca/apache.crt /etc/httpd/ssl/
cp ca/apache.key /etc/httpd/ssl/
cp conf/ssl.conf /etc/httpd/conf.d/ssl.conf
cp conf/httpd.conf /etc/httpd/conf/httpd.conf
cp conf/httpd-totp /etc/pam.d/httpd-totp
# sim, e preciso fazer isto para carregar servicos
echo "LoadModule session_module modules/mod_session.so" > /etc/httpd/conf.modules.d/01-session.conf
echo "LoadModule session_cookie_module modules/mod_session_cookie.so" >> /etc/httpd/conf.modules.d/01-session.conf
echo "LoadModule auth_form_module modules/mod_auth_form.so" > /etc/httpd/conf.modules.d/01-auth_form.conf
# mega paginas webs
cp -r www/* /var/www/html/
chown -R apache:apache /var/www/html/
httpd -X
\end{codeblock}
\subsection{Configuração da Máquina} \subsection{Configuração da Máquina}
asd asd
@@ -414,7 +458,7 @@ da autoridade de certificação.
\begin{enumerate} \begin{enumerate}
\item Estabelecer a ligação VPN e verificar a conectividade à rede interna. \item Estabelecer a ligação VPN e verificar a conectividade à rede interna.
\item No diretório da autoridade de certificação (máquina \textit{host}), revogar o certificado do utilizador: \item No diretório da autoridade de certificação (máquina \textit{host}), revogar o certificado do utilizador:
\begin{codeblock}[bash]{revoke.sh} \begin{codeblock}[bash]{revoke.sh}
openssl ca -revoke user.crt -config cheese.cfg -keyfile ca.key -cert ca.crt openssl ca -revoke user.crt -config cheese.cfg -keyfile ca.key -cert ca.crt
\end{codeblock} \end{codeblock}
\item Atualizar o ficheiro \texttt{index.txt} no servidor OCSP e reiniciar o serviço para carregar o novo estado de revogação. \item Atualizar o ficheiro \texttt{index.txt} no servidor OCSP e reiniciar o serviço para carregar o novo estado de revogação.

16
relatorio/relatorio.toc
View File

@@ -7,16 +7,16 @@
\contentsline {subsection}{\numberline {3.1}Configuração da Máquina}{5}{subsection.3.1}% \contentsline {subsection}{\numberline {3.1}Configuração da Máquina}{5}{subsection.3.1}%
\contentsline {subsection}{\numberline {3.2}Configuração do Serviço OpenVPN}{6}{subsection.3.2}% \contentsline {subsection}{\numberline {3.2}Configuração do Serviço OpenVPN}{6}{subsection.3.2}%
\contentsline {subsection}{\numberline {3.3}Erros}{7}{subsection.3.3}% \contentsline {subsection}{\numberline {3.3}Erros}{7}{subsection.3.3}%
\contentsline {subsection}{\numberline {3.4}Configurar o utilizador com TOTP}{8}{subsection.3.4}% \contentsline {subsection}{\numberline {3.4}Configurar o utilizador com TOTP}{7}{subsection.3.4}%
\contentsline {section}{\numberline {4}VPN Client (Road Warrior)}{8}{section.4}% \contentsline {section}{\numberline {4}VPN Client (Road Warrior)}{8}{section.4}%
\contentsline {subsection}{\numberline {4.1}Configuração da Máquina}{8}{subsection.4.1}% \contentsline {subsection}{\numberline {4.1}Configuração da Máquina}{8}{subsection.4.1}%
\contentsline {subsection}{\numberline {4.2}Configuração do Cliente OpenVPN}{8}{subsection.4.2}% \contentsline {subsection}{\numberline {4.2}Configuração do Cliente OpenVPN}{8}{subsection.4.2}%
\contentsline {subsection}{\numberline {4.3}Testes}{9}{subsection.4.3}% \contentsline {subsection}{\numberline {4.3}Testes}{9}{subsection.4.3}%
\contentsline {section}{\numberline {5}Servidor Apache e OCSP}{9}{section.5}% \contentsline {section}{\numberline {5}Servidor Apache e OCSP}{9}{section.5}%
\contentsline {subsection}{\numberline {5.1}Configuração da Máquina}{9}{subsection.5.1}% \contentsline {subsection}{\numberline {5.1}Configuração da Máquina}{10}{subsection.5.1}%
\contentsline {subsection}{\numberline {5.2}Configuração do Serviço Apache}{9}{subsection.5.2}% \contentsline {subsection}{\numberline {5.2}Configuração do Serviço Apache}{10}{subsection.5.2}%
\contentsline {subsubsection}{\numberline {5.2.1}Testes}{9}{subsubsection.5.2.1}% \contentsline {subsubsection}{\numberline {5.2.1}Testes}{10}{subsubsection.5.2.1}%
\contentsline {subsection}{\numberline {5.3}Configuração do Serviço OpenSSL}{9}{subsection.5.3}% \contentsline {subsection}{\numberline {5.3}Configuração do Serviço OpenSSL}{11}{subsection.5.3}%
\contentsline {subsubsection}{\numberline {5.3.1}Testes}{10}{subsubsection.5.3.1}% \contentsline {subsubsection}{\numberline {5.3.1}Testes}{11}{subsubsection.5.3.1}%
\contentsline {section}{\numberline {6}Teste Integrado}{10}{section.6}% \contentsline {section}{\numberline {6}Teste Integrado}{11}{section.6}%
\contentsline {section}{\numberline {7}Conclusão}{10}{section.7}% \contentsline {section}{\numberline {7}Conclusão}{11}{section.7}%