A small problem I ran into recently on a Level 3 MLPS (等保三级) compliance project: two-factor login for the system. How to put it... if you want a system to be truly secure, don't mind a little hassle. In the example below I install Google Authenticator to set up Google Authenticator + SSH two-factor (2FA) login on CentOS 7, and I have also recorded a few notes from my own experience with it.
1. About the system
1. Check the system version
[root@localhost ~]# cat /etc/redhat-release
CentOS Linux release 7.4.1708 (Core)
2. Temporarily disable SELinux
[root@localhost ~]# getenforce
Enforcing
[root@localhost ~]# setenforce 0
[root@localhost ~]# getenforce
Permissive
2. Install the required packages and google-authenticator
1. Install the base packages with yum
yum install -y autoconf automake libtool pam-devel git qrencode
2. Build pam_google_authenticator.so from the git source
git clone https://github.com/google/google-authenticator-libpam.git
cd google-authenticator-libpam/
./bootstrap.sh && ./configure && make && make install
3. Create the symlink
ln -s /usr/local/lib/security/pam_google_authenticator.so /usr/lib64/security/pam_google_authenticator.so
3. Modify the sshd-related configuration
1. Insert auth required pam_google_authenticator.so as the second line of /etc/pam.d/sshd
2. In /etc/ssh/sshd_config, change ChallengeResponseAuthentication no to ChallengeResponseAuthentication yes
3. Restart the ssh service
systemctl restart sshd.service
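The two file edits in steps 1 and 2 are easy to get wrong by hand (a second copy of the PAM line, a commented-out directive left in place, or a duplicate directive that sshd ignores because it honours the first match). The script below, an added example that is not part of the original post, applies both edits idempotently to whatever paths it is given, keeps a .bak of each file it changes, and reports whether the result is in place before you restart sshd. The function names, the sample file contents and the .bak naming are assumptions; the sample contents are constructed to look like CentOS 7 defaults.

```python
"""
Idempotent version of the configuration edits in section 3, applied to
file paths passed in so they can be tried on copies first. Added example,
not part of the original post; function names, sample contents and the
.bak naming are assumptions.
"""
import os
import tempfile
from pathlib import Path

PAM_MODULE = "pam_google_authenticator.so"
PAM_LINE = f"auth       required     {PAM_MODULE}"
SSHD_KEY = "ChallengeResponseAuthentication"

# Constructed samples shaped like (abbreviated) CentOS 7 defaults.
SAMPLE_PAM = "#%PAM-1.0\nauth       required     pam_sepermit.so\nauth       substack     password-auth\n"
SAMPLE_SSHD = "# sshd_config sample\nChallengeResponseAuthentication no\nUsePAM yes\n"


def add_pam_line(pam_text: str) -> str:
    """Insert the module as line 2 of /etc/pam.d/sshd (line 1 is '#%PAM-1.0').

    Line 2 puts it ahead of the other auth entries. A second run is a no-op."""
    lines = pam_text.splitlines()
    if any(PAM_MODULE in line for line in lines):
        return pam_text
    lines.insert(1, PAM_LINE)
    return "\n".join(lines) + "\n"


def set_challenge_response(sshd_text: str, value: str = "yes") -> str:
    """Set 'ChallengeResponseAuthentication <value>' exactly once in sshd_config.

    Replaces the active directive or a commented-out default in place, drops
    later duplicates (sshd honours the first match) and appends if absent."""
    out, done = [], False
    for line in sshd_text.splitlines():
        words = line.lstrip("#").split()
        if words[:1] == [SSHD_KEY]:
            if not done:
                out.append(f"{SSHD_KEY} {value}")
                done = True
            continue
        out.append(line)
    if not done:
        out.append(f"{SSHD_KEY} {value}")
    return "\n".join(out) + "\n"


def check(pam_text: str, sshd_text: str) -> bool:
    """Pre-restart sanity check: both edits present and active (not commented out)."""
    pam_ok = any(line.split()[:2] == ["auth", "required"] and PAM_MODULE in line
                 for line in pam_text.splitlines())
    sshd_ok = any(line.split() == [SSHD_KEY, "yes"]
                  for line in sshd_text.splitlines() if not line.lstrip().startswith("#"))
    return pam_ok and sshd_ok


def apply_to_files(pam_path: str, sshd_path: str) -> bool:
    """Apply both edits in place, keeping a .bak of each file that actually changes."""
    for path, edit in ((pam_path, add_pam_line), (sshd_path, set_challenge_response)):
        p = Path(path)
        original = p.read_text()
        updated = edit(original)
        if updated != original:
            Path(str(p) + ".bak").write_text(original)
            p.write_text(updated)
    return check(Path(pam_path).read_text(), Path(sshd_path).read_text())


def demo_on_temp_copies() -> bool:
    """Run the edits twice against temp copies of the samples; True if the result checks out."""
    d = tempfile.mkdtemp()
    pam, sshd = os.path.join(d, "sshd"), os.path.join(d, "sshd_config")
    Path(pam).write_text(SAMPLE_PAM)
    Path(sshd).write_text(SAMPLE_SSHD)
    first = apply_to_files(pam, sshd)
    second = apply_to_files(pam, sshd)  # idempotent: second run changes nothing
    return first and second


if __name__ == "__main__":
    print(demo_on_temp_copies())
    # As root on the real host: apply_to_files("/etc/pam.d/sshd", "/etc/ssh/sshd_config")
    # and then systemctl restart sshd.service, as in step 3 above.
```

Two things worth knowing before the restart: sshd only consults this PAM stack when UsePAM yes is set (the CentOS 7 default, shown in the sample), and because the line is auth required without the module's nullok option, any account that has no ~/.google_authenticator file yet can no longer log in over SSH, so enrol users (section 4) before restarting, and keep a second session open until the new login has been tested.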
4. Create a regular user, kevin, to test the login
[root@localhost google-authenticator-libpam]# useradd kevin
[root@localhost google-authenticator-libpam]# echo "hello@kevin." | passwd kevin --stdin
Changing password for user kevin.
passwd: all authentication tokens updated successfully.
[root@localhost src]# su - kevin
[kevin@localhost ~]$ cd /usr/local/src/google-authenticator-libpam/
[kevin@localhost google-authenticator-libpam]$ google-authenticator
Do you want authentication tokens to be time-based (y/n) y
Warning: pasting the following URL into your browser exposes the OTP secret to Google:
https://www.google.com/chart?chs=200x200&chld=M|0&cht=qr&chl=otpauth://totp/kevin@localhost.localdomain%3Fsecret%3DPUBBTOPXYCKCWQ7YWEA772D6LQ%26issuer%3Dlocalhost.localdomain
Your new secret key is: PUBBTOPXYCKCWQ7YWEA772D6LQ
At this point you can scan the QR code with the app on your phone, or add the authenticator using the key shown above.
Enter code from app (-1 to skip): -1
Code confirmation skipped
Your emergency scratch codes are:
78689108
30050290
74404163
38329651
15638477
Do you want me to update your "/home/kevin/.google_authenticator" file? (y/n) y
Do you want to disallow multiple uses of the same authentication
token? This restricts you to one login about every 30s, but it increases
your chances to notice or even prevent man-in-the-middle attacks (y/n) y
By default, a new token is generated every 30 seconds by the mobile app.
In order to compensate for possible time-skew between the client and the server,
we allow an extra token before and after the current time. This allows for a
time skew of up to 30 seconds between authentication server and client. If you
experience problems with poor time synchronization, you can increase the window
from its default size of 3 permitted codes (one previous code, the current
code, the next code) to 17 permitted codes (the 8 previous codes, the current
code, and the 8 next codes). This will permit for a time skew of up to 4 minutes
between client and server.
Do you want to do so? (y/n) y
If the computer that you are logging into isn't hardened against brute-force
login attempts, you can enable rate-limiting for the authentication module.
By default, this limits attackers to no more than 3 login attempts every 30s.
Do you want to enable rate-limiting? (y/n) y
I answered y to every question above; if you can't read the English, you can translate it yourself with Youdao.
Now test the login from another machine
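The three questions answered y above are policy settings, not cosmetics: the skew window decides whether 3 or 17 consecutive 30-second codes are accepted, single use stops a captured code from being replayed inside its slot, and rate limiting caps guesses at 3 per 30 s. The following is an added illustration of those rules, not the pam module's own code: a small RFC 6238 TOTP verifier whose Verifier class, method names and the ok/replay/rate-limited/bad results are assumptions. It uses the RFC 6238 test secret so its codes can be checked against the RFC's published vectors; the base32 key printed by google-authenticator above would go in the same slot.

```python
"""
RFC 6238 TOTP verifier modelling the three policy questions google-authenticator
asks: time-skew window (3 codes by default, 17 with the wide window), single use
of each token, and rate limiting (3 attempts per 30 s). Added example, not the
pam module's code; Verifier, its method names and result strings are assumptions.
"""
import base64
import hashlib
import hmac
import struct

STEP = 30                                   # seconds per token, as the prompt says
RFC6238_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"   # base32 of "12345678901234567890"


def hotp(secret_b32: str, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, dynamic truncation, mod 10^digits."""
    pad = "=" * (-len(secret_b32) % 8)      # google-authenticator prints unpadded base32
    key = base64.b32decode(secret_b32.upper() + pad)
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret_b32: str, unix_time: int, digits: int = 6, step: int = STEP) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to floor(unix_time / step)."""
    return hotp(secret_b32, unix_time // step, digits)


class Verifier:
    """Per-user server-side state; window=1 accepts 3 codes, window=8 accepts 17."""

    def __init__(self, secret_b32, window=1, rate_limit=3, rate_interval=STEP):
        self.secret = secret_b32
        self.window = window
        self.rate_limit = rate_limit
        self.rate_interval = rate_interval
        self.used_steps = set()             # "disallow multiple uses of the same token"
        self.attempts = []                  # timestamps of recent attempts, for rate limiting

    def verify(self, code: str, now: int) -> str:
        """Return 'ok', 'replay', 'rate-limited' or 'bad' for one login attempt."""
        self.attempts = [t for t in self.attempts if now - t < self.rate_interval]
        self.attempts.append(now)
        if len(self.attempts) > self.rate_limit:
            return "rate-limited"           # more than rate_limit attempts inside the interval
        current = now // STEP
        for step in range(current - self.window, current + self.window + 1):
            expected = hotp(self.secret, step)
            if hmac.compare_digest(expected.encode(), code.encode()):
                if step in self.used_steps:
                    return "replay"         # right code, but that 30 s slot was already used
                self.used_steps.add(step)
                return "ok"
        return "bad"


if __name__ == "__main__":
    now = 1234567890
    v = Verifier(RFC6238_SECRET_B32)
    code = totp(RFC6238_SECRET_B32, now)
    print(totp(RFC6238_SECRET_B32, 59, digits=8))          # RFC 6238 vector: 94287082
    print(v.verify(code, now), v.verify(code, now + 5))    # ok, then replay
```

The replay check is why the prompt says "one login about every 30s": a correct code is tied to its 30-second slot, so presenting it a second time inside that slot is refused even though it is still arithmetically valid. The wide window (window=8) only relaxes the clock tolerance; it does not relax single use or the attempt cap.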
MacBookPro-v587:~$ssh kevin@172.16.12.66
Verification code:
Password:
Last failed login: Thu Aug 22 02:06:12 EDT 2019 from 172.16.13.251 on ssh:notty
There was 1 failed login attempt since the last successful login.
Last login: Thu Aug 22 01:59:31 2019
-bash: warning: setlocale: LC_CTYPE: cannot change locale (UTF-8): No such file or directory
[kevin@localhost ~]$
Summary
It is actually quite simple, but I think there are two issues everyone should watch out for!
1. Remember to disable SELinux on the Linux system! Otherwise you will run into strange permission problems.
2. In an important production environment, keep the authentication material such as the key and the QR code somewhere safe! Being locked out of the server otherwise would be embarrassing!
Finally, thanks for reading this short article, and remember to give it a like 😂