How to Install the Passbolt Self-Hosted Password Manager on CentOS 8

Passbolt is an open-source password manager that lets you store and share passwords securely. It is designed for small and medium-sized organizations that need to store login credentials and share them between team members. It is self-hosted and is available both as a Community Edition and as a subscription-based edition.

This tutorial shows how to install the Passbolt password manager on CentOS 8 with Nginx and a Let's Encrypt SSL certificate.

Prerequisites

  • A server running CentOS 8.
  • A valid domain name pointed at the server's IP address.
  • The root password of the server.

Install the LEMP Stack

First, install Nginx and the MariaDB database server with the following command:

dnf install nginx mariadb-server -y

Next, you need to install the latest version of PHP and the required PHP extensions. The latest PHP release is not available in the default CentOS repositories, so you need to add the EPEL and REMI repositories to your system.

You can add both repositories with the following commands:

dnf install epel-release -y
dnf install https://rpms.remirepo.net/enterprise/remi-release-8.rpm -y

Then disable the default PHP module stream and enable the REMI 7.4 stream with the following commands:

dnf module reset php
dnf module enable php:remi-7.4

Then run the following command to install PHP together with the other required dependencies:

dnf install php php-fpm php-intl php-gd php-mysqli php-json php-pear php-devel php-mbstring git make unzip -y

Once all the packages are installed, edit the PHP-FPM pool configuration file and change the user and group from the default apache to nginx:

nano /etc/php-fpm.d/www.conf

Change the following lines:

user = nginx
group = nginx

Save and close the file, then change the group ownership of the session directory so that PHP-FPM, now running as nginx, can write to it:

chgrp nginx /var/lib/php/session

Then start the Nginx, MariaDB and PHP-FPM services and enable them to start on system reboot with the following commands:

systemctl start mariadb nginx php-fpm
systemctl enable mariadb nginx php-fpm

Next, you need to install the GnuPG PHP extension, which Passbolt uses to talk to the server keyring. You can build and enable it with the following commands:

dnf config-manager --set-enabled powertools
dnf install gpgme-devel
pecl install gnupg
echo "extension=gnupg.so" > /etc/php.d/gnupg.ini

Then restart the PHP-FPM service to apply the changes:

systemctl restart php-fpm

Install Composer

Composer is a dependency manager for PHP and must be installed on the system.

First, download the Composer setup script with the following command:

php -r "copy('https://getcomposer.org/installer', 'composer-setup.php');"

Then install Composer with the following command. Note that this executes a script that was just downloaded over the network without checking it; getcomposer.org publishes a SHA-384 checksum of the installer for exactly that purpose.

php composer-setup.php --install-dir=/usr/local/bin --filename=composer

You should get the following output:

All settings correct for using Composer
Downloading...

Composer (version 2.0.11) successfully installed to: /usr/local/bin/composer
Use it: php /usr/local/bin/composer

Then check the Composer version with the following command:

composer -V

You should get the following output:

Composer version 2.0.11 2021-02-24 14:57:23
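The two commands above download the installer and run it without checking that it is the file getcomposer.org actually published. The script below is an added example, not part of the original tutorial and not Composer's own tooling: it fetches the installer and the SHA-384 checksum getcomposer.org publishes for it (the `installer.sig` URL is documented on getcomposer.org), refuses to run the installer when the digests differ, and only then installs Composer. The function names and the temporary-file layout are this example's own assumptions. `verify_sha384` is kept separate so it can be exercised on any local file without network access.

```shell
#!/bin/sh
# Added example (not from the original tutorial): install Composer only after
# verifying the installer against the SHA-384 checksum published by getcomposer.org.
set -eu

# sha384_of <file>: print the hex SHA-384 digest, using whichever tool is present.
sha384_of() {
    if command -v sha384sum >/dev/null 2>&1; then
        sha384sum "$1" | cut -d' ' -f1
    elif command -v shasum >/dev/null 2>&1; then
        shasum -a 384 "$1" | cut -d' ' -f1
    else
        openssl dgst -sha384 -r "$1" | cut -d' ' -f1
    fi
}

# verify_sha384 <file> <expected-hex>: returns 0 on match, 1 on mismatch,
# on an unreadable file or on an empty expected value (an empty "expected"
# must never be treated as "anything goes"). Hex case is ignored.
verify_sha384() {
    local file="$1" expected="$2" actual
    [ -n "$expected" ] && [ -r "$file" ] || return 1
    actual=$(sha384_of "$file")
    [ "$(printf '%s' "$actual" | tr 'ABCDEF' 'abcdef')" = \
      "$(printf '%s' "$expected" | tr 'ABCDEF' 'abcdef')" ]
}

# install_composer [install-dir]: download, verify, install. Needs network
# access and php, so it is not part of the offline check; run it by hand.
install_composer() {
    local dir="${1:-/usr/local/bin}" tmp expected
    tmp=$(mktemp -d)
    curl -fsSL https://getcomposer.org/installer     -o "$tmp/composer-setup.php"
    expected=$(curl -fsSL https://getcomposer.org/installer.sig)
    if ! verify_sha384 "$tmp/composer-setup.php" "$expected"; then
        rm -rf "$tmp"
        echo "composer installer checksum mismatch; refusing to run it" >&2
        return 1
    fi
    php "$tmp/composer-setup.php" --install-dir="$dir" --filename=composer
    rm -rf "$tmp"
}

# Usage on the server (as root):
#   install_composer /usr/local/bin
```

The same pattern applies to the remi-release RPM and to any other artifact this tutorial pulls from the network: obtain the expected digest or signature out of band, compare, and abort on mismatch rather than warn.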

Create the Database

Next, you need to create the Passbolt database and database user.

First, connect to MariaDB with the following command:

mysql

Once connected, create the database and user with the following commands. Replace password with a strong, randomly generated password; it will be stored in clear text in config/passbolt.php later on.

MariaDB [(none)]> CREATE DATABASE passbolt DEFAULT CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_ci;
MariaDB [(none)]> GRANT ALL ON passbolt.* TO 'passbolt'@'localhost' IDENTIFIED BY 'password';

Then flush the privileges and exit from MariaDB with the following commands:

MariaDB [(none)]> FLUSH PRIVILEGES;
MariaDB [(none)]> EXIT;

Once you are done, you can proceed to the next step.

Install and Configure Passbolt

First, change to the Nginx web root directory and download the latest version of Passbolt with the following commands. Cloning the default branch gives you whatever is at its HEAD; for a production system, check out a tagged release instead.

cd /var/www
git clone https://github.com/passbolt/passbolt_api.git passbolt

Once the download is finished, change to the passbolt directory and install all required dependencies with the following commands:

cd passbolt
composer install --no-dev

Next, you need to generate a GPG key pair that Passbolt will use as its server key. Key generation needs a good supply of randomness, so first install Haveged, an entropy-gathering daemon:

dnf install haveged

Then start the Haveged service with the following command:

systemctl start haveged

Then generate the GPG key with the following command:

gpg --full-generate-key

Answer all the questions carefully. When prompted for a passphrase, leave it empty: Passbolt cannot use a passphrase-protected server key, so the exported private key file will be protected only by file-system permissions.

gpg (GnuPG) 2.2.9; Copyright (C) 2018 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

gpg: directory '/root/.gnupg' created
gpg: keybox '/root/.gnupg/pubring.kbx' created
Please select what kind of key you want:
   (1) RSA and RSA (default)
   (2) DSA and Elgamal
   (3) DSA (sign only)
   (4) RSA (sign only)
Your selection? 
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048) 
Requested keysize is 2048 bits
Please specify how long the key should be valid.
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
Key is valid for? (0) 
Key does not expire at all
Is this correct? (y/N) y

GnuPG needs to construct a user ID to identify your key.

Real name: Hitesh
Email address: [email protected]
Comment: Welcome
You selected this USER-ID:
    "Hitesh (Welcome) <[email protected]>"

Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? O
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
gpg: /root/.gnupg/trustdb.gpg: trustdb created
gpg: key 1A0448FECA43E1F9 marked as ultimately trusted
gpg: directory '/root/.gnupg/openpgp-revocs.d' created
gpg: revocation certificate stored as '/root/.gnupg/openpgp-revocs.d/40733A5076D11E86EF2FE5B51A0448FECA43E1F9.rev'
public and secret key created and signed.

pub   rsa2048 2021-03-12 [SC]
      40733A5076D11E86EF2FE5B51A0448FECA43E1F9
uid                      Hitesh (Welcome) <[email protected]>
sub   rsa2048 2021-03-12 [E]

Note: make a note of the fingerprint of the key generated above (the 40-character hex string printed under pub); you will need it in the Passbolt configuration file.

Then export the private and public key to the files serverkey_private.asc and serverkey.asc with the following commands:

gpg --armor --export-secret-keys [email protected] > /var/www/passbolt/config/gpg/serverkey_private.asc
gpg --armor --export [email protected] > /var/www/passbolt/config/gpg/serverkey.asc
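The interactive session above is fine for a one-off install, but it is worth seeing the key generation and export steps as one script: the key is generated unattended (the batch-mode equivalent of leaving the passphrase empty is %no-protection), exported to the two files Passbolt expects, the private key file is restricted to its owner, and the fingerprint is printed in the form passbolt.php needs. This is an added example, not code from the tutorial or from Passbolt; the function names and argument layout are its own, and it assumes GnuPG 2.1 or later. `is_fingerprint` is a small sanity check for the value before it is pasted into the configuration.

```shell
#!/bin/sh
# Added example (not from the original tutorial): generate the Passbolt server
# key non-interactively, export it, lock down the private key file and print
# the fingerprint that goes into config/passbolt.php.
# Assumptions: GnuPG >= 2.1; the caller chooses the key directory, user ID and
# output directory via the arguments below.
set -eu

# generate_server_key <gnupghome> <name> <email> <outdir>
# Prints the 40-hex-digit fingerprint of the new primary key on stdout.
generate_server_key() {
    local home="$1" name="$2" email="$3" outdir="$4" fpr
    mkdir -p "$home" "$outdir"
    chmod 700 "$home"

    # Unattended key generation. %no-protection is what "leave the passphrase
    # empty" means in batch mode: Passbolt cannot use a passphrase-protected
    # server key, so file permissions are the only thing guarding it.
    GNUPGHOME="$home" gpg --batch --quiet --gen-key <<EOF
%no-protection
Key-Type: RSA
Key-Length: 2048
Subkey-Type: RSA
Subkey-Length: 2048
Name-Real: $name
Name-Email: $email
Expire-Date: 0
%commit
EOF

    # In --with-colons output the first "fpr" record belongs to the primary key.
    fpr=$(GNUPGHOME="$home" gpg --batch --with-colons --fingerprint --list-keys "$email" \
          | awk -F: '$1 == "fpr" { print $10; exit }')

    # Armored public and private key, named as Passbolt expects them in config/gpg/.
    GNUPGHOME="$home" gpg --batch --yes --armor --export "$fpr" \
        > "$outdir/serverkey.asc"
    GNUPGHOME="$home" gpg --batch --yes --armor --export-secret-keys "$fpr" \
        > "$outdir/serverkey_private.asc"
    # Owner-only: after the tutorial's chown -R nginx:nginx only php-fpm
    # (running as nginx) can read the unencrypted private key.
    chmod 600 "$outdir/serverkey_private.asc"

    GNUPGHOME="$home" gpgconf --kill gpg-agent 2>/dev/null || true
    printf '%s\n' "$fpr"
}

# is_fingerprint <value>: 0 if the value is a 40-digit upper-case hex string,
# the form passbolt.php expects; 1 otherwise. Digits are spelled out to avoid
# locale-dependent range matching in the shell.
is_fingerprint() {
    case "$1" in
        ""|*[!0123456789ABCDEF]*) return 1 ;;
    esac
    [ "${#1}" -eq 40 ]
}

# Usage on the server (as root), then chown the output to nginx as the tutorial does:
#   fpr=$(generate_server_key /root/.gnupg "Passbolt Server" passbolt@example.com /var/www/passbolt/config/gpg)
#   is_fingerprint "$fpr" && echo "fingerprint for passbolt.php: $fpr"
```

The name, e-mail and paths in the usage comment are placeholders; substitute the user ID you want on the server key and the real config/gpg directory.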

Then set the proper ownership on the passbolt directory:

chown -R nginx:nginx /var/www/passbolt

Then initialize the GnuPG keyring of the nginx user with the following command:

sudo su -s /bin/bash -c "gpg --list-keys" nginx

Output:

gpg: directory '/var/lib/nginx/.gnupg' created
gpg: keybox '/var/lib/nginx/.gnupg/pubring.kbx' created
gpg: /var/lib/nginx/.gnupg/trustdb.gpg: trustdb created

Then copy the default Passbolt configuration file into place:

cp config/passbolt.default.php config/passbolt.php

Then edit the passbolt.php file to define the base URL, the database settings and the server key:

nano config/passbolt.php

Change the following lines. Use your own domain, the database password you chose above and the fingerprint of the key you generated (the one shown here is the fingerprint from the example output above):

    'App' => [
        'fullBaseUrl' => 'https://passbolt.linuxbuz.com',
    ],
    // Database configuration.
    'Datasources' => [
        'default' => [
            'host' => 'localhost',
            //'port' => 'non_standard_port_number',
            'username' => 'passbolt',
            'password' => 'password',
            'database' => 'passbolt',
        ],
    ],
    ...
    'passbolt' => [
        'gpg' => [
            'serverKey' => [
                // Server private key fingerprint.
                'fingerprint' => '40733A5076D11E86EF2FE5B51A0448FECA43E1F9',
                'public' => CONFIG . 'gpg' . DS . 'serverkey.asc',
                'private' => CONFIG . 'gpg' . DS . 'serverkey_private.asc',
            ],
        ],
    ],

Save and close the file, then install Passbolt with the following commands (the installer runs as the nginx user so that the files it creates get the right owner):

cd /var/www/passbolt
sudo su -s /bin/bash -c "./bin/cake passbolt install --no-admin" nginx

You should get the following output:

All Done. Took 0.9595s

Import the server private key in the keyring
---------------------------------------------------------------
Importing /var/www/passbolt/config/gpg/serverkey_private.asc
Keyring init OK

Passbolt installation success! Enjoy!

Configure Nginx for Passbolt

Next, you will need to create an Nginx server block for Passbolt. The configuration keeps the document root at /var/www/passbolt, the application directory, as the tutorial does, so it also denies access to the directories that must never be served, in particular config/gpg/, which now holds the unencrypted server private key. You can create the file with the following command:

nano /etc/nginx/conf.d/passbolt.conf

Add the following lines:

server {
  listen 80;
  server_name passbolt.linuxbuz.com;
  root /var/www/passbolt;

  location / {
    try_files $uri $uri/ /index.php?$args;
    index index.php;
  }

  # Added to the tutorial's config: without it, the try_files above would
  # serve files such as config/gpg/serverkey_private.asc or .git/config as
  # static content. Regex locations are tried in order and the first match
  # wins, so this block has to come before the ones below.
  location ~ ^/(config|bin|tmp|logs|\.git)(/|$) {
    deny all;
  }

  location ~ \.php$ {
    fastcgi_index           index.php;
    fastcgi_pass            unix:/var/run/php-fpm/www.sock;
    fastcgi_split_path_info ^(.+\.php)(.+)$;
    include                 fastcgi_params;
    fastcgi_param           SCRIPT_FILENAME $document_root$fastcgi_script_name;
    fastcgi_param           SERVER_NAME $http_host;
  }

  location ~* \.(jpe?g|woff|woff2|ttf|gif|png|bmp|ico|css|js|json|pdf|zip|htm|html|docx?|xlsx?|pptx?|txt|wav|swf|svg|avi|mpd)$ {
    access_log off;
    log_not_found off;
    try_files $uri /webroot/$uri /index.php?$args;
  }
}

Save and close the file, then check the Nginx configuration for syntax errors:

nginx -t

Output:

nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful

Next, restart Nginx to apply the changes:

systemctl restart nginx

Secure Passbolt with Let’s Encrypt SSL

Next, you will need to install the Certbot client and its Nginx plugin to obtain and install the Let's Encrypt SSL certificate for Passbolt. You can install them from EPEL with the following command:

dnf install certbot python3-certbot-nginx

Next, obtain and install an SSL certificate for your domain with the following command:

certbot --nginx -d passbolt.linuxbuz.com

You will be asked to provide your email address and to accept the terms of service:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator nginx, Installer nginx
Enter email address (used for urgent renewal and security notices)
 (Enter 'c' to cancel): [email protected]

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must
agree in order to register with the ACME server. Do you agree?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(A)gree/(C)ancel: A

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing, once your first certificate is successfully issued, to
share your email address with the Electronic Frontier Foundation, a founding
partner of the Let's Encrypt project and the non-profit organization that
develops Certbot?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: Y
Account registered.
Performing the following challenges:
http-01 challenge for passbolt.linuxbuz.com
Waiting for verification...
Cleaning up challenges
Deploying Certificate to VirtualHost /etc/nginx/conf.d/passbolt.conf
Redirecting all traffic on port 80 to ssl in /etc/nginx/conf.d/passbolt.conf

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Congratulations! You have successfully enabled https://passbolt.linuxbuz.com
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Subscribe to the EFF mailing list (email: [email protected]).

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/passbolt.linuxbuz.com/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/passbolt.linuxbuz.com/privkey.pem
   Your certificate will expire on 2021-06-09. To obtain a new or
   tweaked version of this certificate in the future, simply run certbot
   again with the "certonly" option. To non-interactively renew *all* of
   your certificates, run "certbot renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

Register a User with Passbolt

Next, you need to register an administrator user with Passbolt. You can do that with the following commands:

cd /var/www/passbolt
sudo su -s /bin/bash -c "./bin/cake passbolt register_user -u [email protected] -f howtoforge -l Demo -r admin" nginx

You should get the following output:

     ____                  __          ____  
    / __ \____  _____ ____/ /_  ____  / / /_ 
   / /_/ / __ `/ ___/ ___/ __ \/ __ \/ / __/ 
  / ____/ /_/ (__  |__  ) /_/ / /_/ / / /    
 /_/    \__,_/____/____/_.___/\____/_/\__/   

 Open source password manager for teams
---------------------------------------------------------------
User saved successfully.
To start registration follow the link provided in your mailbox or here: 
https://passbolt.linuxbuz.com/setup/install/f81227bc-b0b6-44b5-99a7-6b490a4ba262/5a112de0-6ca4-4e1b-97c8-26453ef3828b

You can use the link above to complete the setup of the administrator account. Treat the link as a secret: whoever opens it first claims the account.

Configure the Firewall

Next, you need to allow ports 80 and 443 through the firewall. If firewalld was already active on the server, this step has to be done before the certbot run above, because the http-01 challenge needs port 80 to be reachable from the internet. You can open the ports with the following commands:

firewall-cmd --permanent --add-port=80/tcp
firewall-cmd --permanent --add-port=443/tcp

Then reload firewalld to apply the changes:

firewall-cmd --reload

Access the Passbolt Web UI

Now open your web browser and enter the URL https://passbolt.linuxbuz.com/setup/install/f81227bc-b0b6-44b5-99a7-6b490a4ba262/5a112de0-6ca4-4e1b-97c8-26453ef3828b. You will be redirected to the first setup page.

Here you need to download and install the Passbolt browser extension and refresh the page. The next page is shown.

(Screenshot: Set passphrase)

Specify a secure passphrase and click the Next button. The next page is shown.

(Screenshot: Choose a color)

Choose a color, enter your security token and click the Next button. You will be redirected to the Passbolt dashboard shown on the next page.

(Screenshot: Passbolt password manager dashboard)

Conclusion

Congratulations! You have successfully installed the Passbolt password manager on CentOS 8 with Nginx and a Let's Encrypt SSL certificate. You can now deploy Passbolt in your organization and start storing and sharing login credentials securely between team members.
