Различия

Показаны различия между двумя версиями страницы.

--- russianway:adds_join [2025/02/14 15:51] – создано root
+++ russianway:adds_join [2025/02/18 19:14] (текущий) – [Rutoken 2fa] root
@@ Строка 20: / Строка 20: @@
 sudo apt install astra-ad-sssd-client -y
 sudo astra-ad-sssd-client -y -d {{ server.domain }} -u {{ defaults.domainadmin }}
+</code>
+====== Rutoken 2fa ======
+<code bash>
+sudo apt install libccid pcscd libpcsclite1 pcsc-tools opensc libengine-pkcs11-openssl1.1 -y
+sudo apt install libnss3-tools krb5-pkinit libpam-krb5 -y
+</code>
+<code bash>
+sudo cp rutoken_pub.key /etc/digsig/keys/ -v
+sudo update-initramfs -u -k all
+</code>
+<code bash>
+sudo reboot
+</code>
+<code bash>
+sudo apt install -f ./librtpkcs11ecp_2.17.1.0-1_amd64.deb
+sudo apt install -f ./ifd-rutokens_1.0.4_amd64.deb
+</code>
+<code bash>
+sudo mkdir /etc/pki/nssdb -p
+sudo chmod 777 /etc/pki/nssdb
+sudo certutil -N -d /etc/pki/nssdb --empty-password
+sudo certutil -d /etc/pki/nssdb -A -n 'CA-ROOT-CERT' -t CT,CT,CT -a -i cacert.pem
+</code>
+<code bash>
+sudo modutil -dbdir /etc/pki/nssdb -add "Rutoken PKCS11" -libfile librtpkcs11ecp.so
+#проверка:
+sudo certutil -L -d /etc/pki/nssdb -h all
+</code>
+<code bash>
+sudo mkdir /etc/krb5/
+sudo cp cacert.pem /etc/krb5/ -v
+</code>
+<code bash | /etc/krb5.conf>
+[libdefaults]
+...
+ pkinit_anchors = FILE:/etc/krb5/cacert.pem
+ pkinit_kdc_hostname = ipa.virt.int
+ pkinit_eku_checking = kpServerAuth
+ pkinit_identities = PKCS11:librtpkcs11ecp.so
+</code>
+<code bash | /etc/sssd/sssd.conf>
+[pam]
+pam_cert_auth = True
+</code>
+<code bash | /etc/pam.d/common-auth>
+auth    [success=6 default=ignore]      pam_krb5.so minimum_uid=2500 try_pkinit
+</code>
+<code bash | /usr/share/pam-configs/krb5>
+Auth-Initial:
+        [success=end default=ignore]    pam_krb5.so minimum_uid=2500 try_pkinit
 </code>