diff --git a/VM_APACHE.sh b/VM_APACHE.sh deleted file mode 100644 index ccf0a58..0000000 --- a/VM_APACHE.sh +++ /dev/null @@ -1,9 +0,0 @@ -#!/bin/sh - -source VM_CONFIG.sh -if_dentro="enp0s8" -ip_dentro="10.60.0.2" -sudo yum install -y openssl apache -ifconfig $if_dentro $ip_dentro netmask 255.255.255.0 -cp conf/httpd.conf /etc/httpd/conf/ -cp conf/ssl.conf /etc/httpd/conf.d/ diff --git a/VM_CONFIG.sh b/VM_CONFIG.sh index b92ff4a..f84e2d8 100755 --- a/VM_CONFIG.sh +++ b/VM_CONFIG.sh @@ -7,7 +7,7 @@ if [[ "$USER" != "root" ]]; then fi yum install -y epel-release -yum install -y openvpn iptables-services +yum install -y openvpn iptables-services dhcp-client systemctl stop firewalld systemctl disable firewalld systemctl mask firewalld diff --git a/VM_OPENSSL.sh b/VM_OPENSSL.sh deleted file mode 100644 index d712c60..0000000 --- a/VM_OPENSSL.sh +++ /dev/null @@ -1,19 +0,0 @@ -#!/bin/bash - -# configuracao -source VM_CONFIG.sh -if_dentro="enp0s8" -ip_dentro="10.60.0.1" -ifconfig $if_dentro $ip_dentro netmask 255.255.255.0 -cp conf/openssl.cnf /etc/pki/tls/ - -# copiar ca para esta VM -cp ca/index.txt $CA_DIR -cp ca/ca.crt $CA_DIR -cp ca/ca.key $CA_DIR -cp ca/serial $CA_DIR -cp ca/dh2048.pem $CA_DIR - -# correr oscp -killall openssl 2>/dev/null -openssl ocsp -index $CA_DIR/index.txt -port 8888 -rsigner $CA_DIR/ca.crt -rkey $CA_DIR/ca.key -CA $CA_DIR/ca.crt -text & diff --git a/VM_OPENSSL_APACHE.sh b/VM_OPENSSL_APACHE.sh new file mode 100644 index 0000000..c1fc501 --- /dev/null +++ b/VM_OPENSSL_APACHE.sh 
@@ -0,0 +1,40 @@ +#!/bin/bash + +# configuracao +source VM_CONFIG.sh + +sudo yum install -y epel-release +sudo yum install -y openssl httpd mod_ssl mod_authnz_pam google-authenticator + +if_dentro="enp0s8" +ip_dentro="10.60.0.1" +ifconfig $if_dentro $ip_dentro netmask 255.255.255.0 + +cp conf/openssl.cnf /etc/pki/tls/ + +# copiar ca para esta VM +cp ca/index.txt $CA_DIR +cp ca/ca.crt $CA_DIR +cp ca/ca.key $CA_DIR +cp ca/serial $CA_DIR +cp ca/dh2048.pem $CA_DIR + +# correr oscp +openssl ocsp -index $CA_DIR/index.txt -port 8888 -rsigner $CA_DIR/ca.crt -rkey $CA_DIR/ca.key -CA $CA_DIR/ca.crt -text & + + +# apache +mkdir -p /etc/httpd/ssl +cp ca/ca.crt /etc/httpd/ssl/ +cp ca/apache.crt /etc/httpd/ssl/ +cp ca/apache.key /etc/httpd/ssl/ +cp conf/ssl.conf /etc/httpd/conf.d/ssl.conf +cp conf/httpd-pam /etc/pam.d/httpd-totp + +# NOTA(vasco) é preciso desativar home protection outra vez +mkdir -p /etc/systemd/system/httpd.service.d +echo -e "[Service]\nProtectHome=false" > /etc/systemd/system/httpd.service.d/override.conf +systemctl daemon-reload + +# serviço !!! +systemctl enable --now httpd diff --git a/ca/create_all_keys.sh b/ca/create_all_keys.sh index 86167e8..0ddf3f6 100755 --- a/ca/create_all_keys.sh +++ b/ca/create_all_keys.sh @@ -3,6 +3,7 @@ cert_ca="/C=PT/ST=Coimbra/L=Coimbra/O=UC/CN=CoimbraVPN" cert_vpn="/C=PT/ST=Coimbra/L=Coimbra/O=UC/CN=gateway" cert_user="/C=PT/ST=Coimbra/L=Coimbra/O=UC/CN=warrior" +cert_apache="/C=PT/ST=Coimbra/L=Coimbra/O=UC/CN=apache" [[ -e "serial" ]] || echo 1000 > serial [[ -e "index.txt" ]] || touch index.txt 
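Review bot: The CA private key is copied onto this host (`cp ca/ca.key $CA_DIR`) and then used directly as the OCSP responder's signing key (`-rkey $CA_DIR/ca.key`), so the key that can issue and revoke every certificate now lives on the same VM that exposes httpd on 443 and the responder on 8888. A responder only needs a dedicated OCSP-signing certificate issued by the CA, which would let `ca.key` stay off this machine; at minimum tighten the copied material right after the `cp` lines, e.g. `chmod 600 "$CA_DIR/ca.key" /etc/httpd/ssl/apache.key`, since `cp` keeps the source file's mode. The `killall openssl` that the deleted VM_OPENSSL.sh ran before starting the responder was not carried over, so re-running this script (which relatorio.tex describes as part of the revocation test) starts a second backgrounded `openssl ocsp` that presumably cannot bind port 8888 while the first one keeps running. The `ProtectHome=false` override is already flagged by the NOTA comment; it deliberately weakens the httpd unit's sandbox so the PAM stack can reach per-user TOTP secrets, and that reason belongs in the comment rather than only "desativar home protection outra vez".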
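Review bot: The new server certificate subject ends in `CN=apache`, but the server is reached by IP address (ssl.conf has `ServerName 10.60.0.2`, the OCSP URL uses 10.60.0.1) and neither this subject nor the apache `openssl req` line in the next hunk adds a `subjectAltName`, so a client that validates the server identity will reject the certificate regardless of the mutual-TLS setup. Put the address clients actually connect to into the request, e.g. `-addext "subjectAltName=IP:10.60.0.1"` on the apache `req` line (or a SAN section in cheese.cfg if the OpenSSL on the VM predates `-addext`), and make sure the `openssl ca` step in cheese.cfg copies request extensions, otherwise the SAN is silently dropped from apache.crt.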
@@ -16,3 +17,6 @@ cert_user="/C=PT/ST=Coimbra/L=Coimbra/O=UC/CN=warrior"
 [[ -e "user.key" ]] || openssl genrsa -out user.key
 [[ -e "user.csr" ]] || openssl req -new -key user.key -out user.csr -subj "$cert_user"
 [[ -e "user.crt" ]] || openssl ca -batch -in "user.csr" -cert "ca.crt" -keyfile "ca.key" -out "user.crt" -config cheese.cfg
+[[ -e "apache.key" ]] || openssl genrsa -out apache.key
+[[ -e "apache.csr" ]] || openssl req -new -key apache.key -out apache.csr -subj "$cert_apache"
+[[ -e "apache.crt" ]] || openssl ca -batch -in "apache.csr" -cert "ca.crt" -keyfile "ca.key" -out "apache.crt" -config cheese.cfg
diff --git a/conf/httpd-pam b/conf/httpd-pam
new file mode 100644
index 0000000..10fa5ab
--- /dev/null
+++ b/conf/httpd-pam
@@ -0,0 +1,3 @@
+auth required pam_google_authenticator.so forward_pass
+auth required pam_unix.so use_first_pass
+account required pam_unix.so
diff --git a/conf/ssl.conf b/conf/ssl.conf
index e69de29..8aec562 100644
--- a/conf/ssl.conf
+++ b/conf/ssl.conf
@@ -0,0 +1,28 @@
+Listen 443 https
+
+ ServerName 10.60.0.2
+ DocumentRoot /var/www/html
+
+ SSLEngine on
+ SSLCertificateFile /etc/httpd/ssl/apache.crt
+ SSLCertificateKeyFile /etc/httpd/ssl/apache.key
+ SSLCACertificateFile /etc/httpd/ssl/ca.crt
+
+ # Mutual Authentication (Client Cert)
+ SSLVerifyClient require
+ SSLVerifyDepth 1
+
+ # OCSP Validation against CA
+ SSLOCSPEnable on
+ SSLOCSPDefaultResponder "http://10.60.0.1:8888"
+ SSLOCSPOverrideResponder on
+
+ # PAM + TOTP Authentication
+
+ AuthType Basic
+ AuthName "Enter UNIX Password + Google Authenticator Code"
+ AuthBasicProvider PAM
+ AuthPAMService httpd-totp
+ Require valid-user
+
+
diff --git a/relatorio/relatorio.tex b/relatorio/relatorio.tex
index 12e741a..0c31300 100644
--- a/relatorio/relatorio.tex
+++ b/relatorio/relatorio.tex
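Review bot: `openssl genrsa -out apache.key` relies on the tool's default key size and on the caller's umask, so the strength of the server key depends on which OpenSSL is installed on the VM and the file is created with default (typically world-readable) permissions before VM_OPENSSL_APACHE.sh copies it into /etc/httpd/ssl. The existing user/vpn lines follow the same pattern, but for the new line pass the size explicitly and restrict the mode at creation: `[[ -e "apache.key" ]] || (umask 077 && openssl genrsa -out apache.key 2048)`. If a `subjectAltName` is added to the apache request, remember that `openssl ca -config cheese.cfg` only carries it into apache.crt when that config copies request extensions — verify that rather than assuming it.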
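Review bot: This stack is evaluated inside httpd, which runs unprivileged, so `pam_unix.so use_first_pass` presumably cannot read /etc/shadow for users other than the one httpd runs as, and `pam_google_authenticator.so` has to read each user's `~/.google_authenticator` as that same unprivileged user — which is what the `ProtectHome=false` override in VM_OPENSSL_APACHE.sh works around; confirm on the VM that a login for an ordinary user actually succeeds instead of failing silently. If the secret files must be readable by the web server, pam_google_authenticator's `secret=` and `user=` options allow keeping them in one root-owned directory rather than loosening home-directory protection. Leaving out `nullok` is the right default here, since a user with no enrolled TOTP secret cannot authenticate at all; a comment above the first line, `# user types <unix password><6-digit code>; forward_pass strips the code and hands the password to pam_unix`, would make the `forward_pass`/`use_first_pass` pairing clear to the next reader.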
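Review bot: Copying this file over /etc/httpd/conf.d/ssl.conf replaces the distribution's mod_ssl configuration wholesale, and the new file sets no `SSLProtocol` or `SSLCipherSuite`, so the listener falls back to whatever the installed httpd/OpenSSL build defaults to (presumably still permitting older TLS versions); pin them next to `SSLEngine on`, e.g. `SSLProtocol -all +TLSv1.2` plus an explicit `SSLCipherSuite`. `ServerName 10.60.0.2` looks stale: the script that installs this file assigns 10.60.0.1 to the inner interface and the OCSP responder is addressed at 10.60.0.1, so the vhost name no longer matches the host it is served from (10.60.0.2 was the address in the deleted VM_APACHE.sh). The `<VirtualHost>` and `<Location>` container lines appear as empty lines on this page, presumably stripped in rendering, so the indentation is the only hint of the block structure here.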
@@ -67,6 +67,18 @@ su john google-authenticator \end{lstlisting} +\section{Revocation e OCSP} + +\subsection{Testar OSCP via revoke} +1. Conectar ao VPN e ver que funciona +2. Na maquina host, nao nas vms, na repo mesmo. +3. revogar o certificado via openssl + -revoke user.crt -config cheese.cfg -keyfile ca.key -cert ca.crt +4.Fechae OSCP e correr VM_OPENSSL novamente (copiar index.txt e serial?) +5. Tentar outra vez e ver que de facto falha + + + \section{Conclusion} Conclusão!!!