Google Authenticator + SSH two-factor (2FA) authentication

Author: StarDustMrsu | Published 2019-08-22 14:25

    I recently ran into a small requirement during a Level-3 MLPS (等保三级) assessment: two-factor login for the system. There is no way around the inconvenience; if you want the system to be genuinely secure you have to put up with it. Below I install Google Authenticator and set up Google Authenticator + SSH two-factor (2FA) login on CentOS 7, and record a few notes from using it.
    1. About the system

    1. Check the system version
    [root@localhost ~]# cat /etc/redhat-release 
    CentOS Linux release 7.4.1708 (Core) 
    2. Temporarily switch SELinux to permissive (setenforce 0 does not survive a reboot; see the notes at the end for why it matters here)
    [root@localhost ~]# getenforce 
    Enforcing
    [root@localhost ~]# setenforce 0
    [root@localhost ~]# getenforce 
    Permissive
    

    2. Install the prerequisites and google-authenticator

    1. Install the build dependencies with yum
    yum install -y  autoconf automake libtool pam-devel git qrencode
    2. Build and install pam_google_authenticator.so from git
    git clone https://github.com/google/google-authenticator-libpam.git
    cd google-authenticator-libpam/
    ./bootstrap.sh && ./configure && make && make install
    3. Create a symlink: make install puts the module under /usr/local/lib/security, but PAM on CentOS 7 loads modules from /usr/lib64/security
    ln -s /usr/local/lib/security/pam_google_authenticator.so /usr/lib64/security/pam_google_authenticator.so
    

    3. Change the sshd-related configuration

    1. Insert auth required pam_google_authenticator.so as line 2 of /etc/pam.d/sshd, i.e. directly below the #%PAM-1.0 header and ahead of the existing auth lines; that ordering is why the login test below asks for the verification code before the password.
    2. In /etc/ssh/sshd_config change ChallengeResponseAuthentication no to yes (UsePAM yes, the CentOS 7 default, must also stay set, otherwise sshd never runs the PAM auth stack).
    3. Restart the ssh service
    systemctl restart sshd.service
    Two caveats before restarting: a public-key login never enters the PAM auth stack, so it is not asked for a code at all unless sshd_config also sets AuthenticationMethods (for example publickey,keyboard-interactive); and without nullok on the PAM line, every account that has not yet run google-authenticator, root included, is locked out of SSH. Keep the current session open and test from a second one.
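
The three steps above as one auditable script, an added example for this article rather than the author's commands, written in Python so the logic can be checked against configuration text without touching /etc. It also covers two things the steps leave out: a public-key login never enters the PAM auth stack, so `AuthenticationMethods` must be set for the code to be mandatory, and the `nullok` module option keeps accounts that have not yet enrolled (root included) from being locked out during rollout. The file layout and the two sample configs are assumptions modelled on CentOS 7 defaults.

```python
"""Apply and audit the sshd + PAM changes from the steps above.

Added example for this article, not the author's commands: pure functions on
the file contents, so they can be tested without touching /etc. The sample
configs below are constructed, modelled on CentOS 7 defaults.
"""
import re

PAM_LINE = "auth       required     pam_google_authenticator.so"

# Constructed samples, trimmed to the lines that matter.
SAMPLE_PAM_SSHD = """#%PAM-1.0
auth       required     pam_sepermit.so
auth       substack     password-auth
account    required     pam_nologin.so
"""
SAMPLE_SSHD_CONFIG = """# sshd_config excerpt in CentOS 7 style (constructed)
#Port 22
PasswordAuthentication yes
ChallengeResponseAuthentication no
UsePAM yes
"""


def enable_pam_2fa(pam_text, nullok=False):
    """Insert the module right below the #%PAM-1.0 header (line 2, as in the article).

    Idempotent. nullok lets accounts that have no ~/.google_authenticator yet
    (root included) keep logging in with just a password during rollout;
    remove it once everyone is enrolled.
    """
    if re.search(r"^\s*auth\s.*pam_google_authenticator\.so", pam_text, re.M):
        return pam_text
    lines = pam_text.splitlines()
    at = 1 if lines and lines[0].startswith("#%PAM-1.0") else 0
    lines.insert(at, PAM_LINE + (" nullok" if nullok else ""))
    return "\n".join(lines) + "\n"


def set_sshd_option(cfg_text, key, value):
    """Set `key value`, reusing the first active or commented-out line for key.

    sshd takes the first occurrence of a keyword, so any later active
    occurrence is commented out. Assumes the file has no Match blocks.
    """
    pat = re.compile(r"^\s*#?\s*%s(\s|$)" % re.escape(key), re.I)
    out, done = [], False
    for line in cfg_text.splitlines():
        if not pat.match(line):
            out.append(line)
        elif not done:
            out.append("%s %s" % (key, value))
            done = True
        elif not line.lstrip().startswith("#"):
            out.append("#" + line)  # shadowed duplicate, keep it visible
        else:
            out.append(line)
    if not done:
        out.append("%s %s" % (key, value))
    return "\n".join(out) + "\n"


def parse_sshd_config(cfg_text):
    """Keyword -> value; first occurrence wins, keywords are case-insensitive."""
    opts = {}
    for line in cfg_text.splitlines():
        s = line.strip()
        if s and not s.startswith("#"):
            parts = s.split(None, 1)
            if len(parts) == 2:
                opts.setdefault(parts[0].lower(), parts[1].strip())
    return opts


def check_sshd_2fa(cfg_text):
    """Findings a reviewer would raise before restarting sshd (empty list = fine)."""
    o = parse_sshd_config(cfg_text)
    findings = []
    if o.get("usepam", "no").lower() != "yes":
        findings.append("UsePAM must be yes, otherwise the PAM auth stack is never run")
    if o.get("challengeresponseauthentication", "yes").lower() != "yes":
        findings.append("ChallengeResponseAuthentication must be yes for the code prompt")
    methods = o.get("authenticationmethods")
    if methods is None:
        findings.append("AuthenticationMethods unset: a public-key login skips PAM and the OTP")
    else:
        for alt in methods.split():  # each space-separated alternative must require PAM
            if "keyboard-interactive" not in [m.split(":")[0] for m in alt.split(",")]:
                findings.append("AuthenticationMethods alternative %r does not require keyboard-interactive" % alt)
    return findings


def harden(pam_text, cfg_text, require_key=False):
    """Return (new /etc/pam.d/sshd text, new sshd_config text): the article's changes plus AuthenticationMethods."""
    methods = "publickey,keyboard-interactive" if require_key else "keyboard-interactive"
    cfg = set_sshd_option(cfg_text, "ChallengeResponseAuthentication", "yes")
    cfg = set_sshd_option(cfg, "UsePAM", "yes")
    cfg = set_sshd_option(cfg, "AuthenticationMethods", methods)
    return enable_pam_2fa(pam_text), cfg


if __name__ == "__main__":
    print("before:", check_sshd_2fa(SAMPLE_SSHD_CONFIG))
    pam, cfg = harden(SAMPLE_PAM_SSHD, SAMPLE_SSHD_CONFIG)
    print("after: ", check_sshd_2fa(cfg))
    print(pam + cfg)
```

Write the returned texts back to /etc/pam.d/sshd and /etc/ssh/sshd_config only after backing both up and running `sshd -t`. `AuthenticationMethods keyboard-interactive` reproduces the article's password + code login while refusing key-only logins; `require_key=True` demands a key as well, and the PAM stack still asks for code and password because the `password-auth` substack stays in place.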
    

    4. Create an ordinary user kevin for testing

    [root@localhost google-authenticator-libpam]# useradd kevin
    [root@localhost google-authenticator-libpam]# echo "hello@kevin." | passwd kevin --stdin
    Changing password for user kevin.
    passwd: all authentication tokens updated successfully.
    [root@localhost src]# su - kevin
    [kevin@localhost ~]$ cd /usr/local/src/google-authenticator-libpam/
    [kevin@localhost google-authenticator-libpam]$ google-authenticator
    Do you want authentication tokens to be time-based (y/n) y
    Warning: pasting the following URL into your browser exposes the OTP secret to Google:
      https://www.google.com/chart?chs=200x200&chld=M|0&cht=qr&chl=otpauth://totp/kevin@localhost.localdomain%3Fsecret%3DPUBBTOPXYCKCWQ7YWEA772D6LQ%26issuer%3Dlocalhost.localdomain
    Your new secret key is: PUBBTOPXYCKCWQ7YWEA772D6LQ
    At this point add the account to the phone app, either by scanning the QR code or by typing in the key above.
    Enter code from app (-1 to skip): -1
    Code confirmation skipped
    (Answering with the code the app shows, rather than -1, proves the phone is enrolled correctly before you depend on it.)
    Your emergency scratch codes are:
      78689108
      30050290
      74404163
      38329651
      15638477
    
    Do you want me to update your "/home/kevin/.google_authenticator" file? (y/n) y
    
    Do you want to disallow multiple uses of the same authentication
    token? This restricts you to one login about every 30s, but it increases
    your chances to notice or even prevent man-in-the-middle attacks (y/n) y
    
    By default, a new token is generated every 30 seconds by the mobile app.
    In order to compensate for possible time-skew between the client and the server,
    we allow an extra token before and after the current time. This allows for a
    time skew of up to 30 seconds between authentication server and client. If you
    experience problems with poor time synchronization, you can increase the window
    from its default size of 3 permitted codes (one previous code, the current
    code, the next code) to 17 permitted codes (the 8 previous codes, the current
    code, and the 8 next codes). This will permit for a time skew of up to 4 minutes
    between client and server.
    Do you want to do so? (y/n) y
    
    If the computer that you are logging into isn't hardened against brute-force
    login attempts, you can enable rate-limiting for the authentication module.
    By default, this limits attackers to no more than 3 login attempts every 30s.
    Do you want to enable rate-limiting? (y/n) y
    I answered y to every question above; if you don't read English, paste them into Youdao to translate.
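What the last three questions actually configure, as an added example for this article in Python rather than code from google-authenticator-libpam: a TOTP verifier with the same knobs, the window of accepted codes (3 means the current step plus one either side, 17 means eight either side), refusal of a code that has already logged in, rate-limiting of attempts, and single-use scratch codes. The secret is the RFC 6238 test key; the clock values and the scratch code in the demo are constructed.

```python
"""Server-side TOTP check with the knobs the google-authenticator prompts ask about.

Added example for this article, not code from google-authenticator-libpam: it
re-implements the same logic so the prompts' wording becomes concrete. The
secret is the RFC 6238 test key; the clock values in the demo are constructed.
"""
import base64
import hashlib
import hmac
import struct
import time

STEP = 30  # seconds per code, as the prompt says


def totp(secret_b32, unix_time, digits=6, step=STEP):
    """RFC 6238 TOTP (HMAC-SHA1, 6 digits), the variant Google Authenticator uses."""
    secret_b32 = secret_b32.strip().upper()
    # The tool prints secrets without '=' padding; b32decode needs it.
    key = base64.b32decode(secret_b32 + "=" * (-len(secret_b32) % 8))
    counter = int(unix_time) // step
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation, RFC 4226 section 5.3
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return "%0*d" % (digits, value % 10 ** digits)


class TotpVerifier:
    """Per-user state of the kind the PAM module keeps in ~/.google_authenticator."""

    def __init__(self, secret_b32, window=3, disallow_reuse=True,
                 rate_limit=(3, 30), scratch_codes=()):
        if window % 2 != 1:
            raise ValueError("window is a count of codes centred on now: 1, 3, ..., 17")
        self.secret = secret_b32
        self.half = window // 2              # 3 -> +/-1 step (30 s), 17 -> +/-8 steps (4 min)
        self.disallow_reuse = disallow_reuse
        self.max_attempts, self.rate_window = rate_limit  # "3 login attempts every 30s"
        self.scratch = set(scratch_codes)    # emergency codes, each valid once
        self.used_steps = set()              # steps whose code has already logged in
        self.attempts = []                   # timestamps of recent attempts

    def verify(self, code, now=None):
        """Return 'ok', 'ok-scratch', 'replayed', 'rate-limited' or 'bad-code'."""
        now = int(time.time() if now is None else now)
        code = code.strip()
        # Rate limiting counts every attempt, good or bad, in the trailing window.
        self.attempts = [t for t in self.attempts if now - t < self.rate_window]
        if len(self.attempts) >= self.max_attempts:
            return "rate-limited"
        self.attempts.append(now)
        # Scratch codes are consumed on first use.
        if code in self.scratch:
            self.scratch.discard(code)
            return "ok-scratch"
        cur = now // STEP
        for step in range(cur - self.half, cur + self.half + 1):
            if hmac.compare_digest(totp(self.secret, step * STEP), code):
                if self.disallow_reuse and step in self.used_steps:
                    return "replayed"  # the same 30 s code presented twice
                self.used_steps.add(step)
                return "ok"
        return "bad-code"


if __name__ == "__main__":
    secret = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"  # RFC 6238 test key "12345678901234567890"
    v = TotpVerifier(secret, scratch_codes=["78689108"])  # scratch code is constructed
    t = 1111111109  # constructed clock
    for code, when in [(totp(secret, t + 2), t),      # next step's code, inside the window
                       (totp(secret, t), t + 3),      # current code, fine
                       (totp(secret, t), t + 4),      # same code again: replay
                       ("wrong0", t + 5),              # fourth attempt in 30 s: rate-limited
                       ("78689108", t + 60)]:          # scratch code
        print(when, code, v.verify(code, when))
```

The PAM module keeps exactly this state (used codes, attempt timestamps, remaining scratch codes) in ~/.google_authenticator and rewrites the file at every login, which is why it needs write access to it, and why the 26-character secret printed by the tool above has to be padded before it can be base32-decoded.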
    
    Now test the login from another machine
    MacBookPro-v587:~$ssh kevin@172.16.12.66
    Verification code:
    Password:
    Last failed login: Thu Aug 22 02:06:12 EDT 2019 from 172.16.13.251 on ssh:notty
    There was 1 failed login attempt since the last successful login.
    Last login: Thu Aug 22 01:59:31 2019
    -bash: warning: setlocale: LC_CTYPE: cannot change locale (UTF-8): No such file or directory
    [kevin@localhost ~]$
    (The setlocale warning comes from the macOS client forwarding LC_CTYPE=UTF-8 through SendEnv to a server that has no such locale; it is unrelated to the 2FA setup.)
    

    Summary

    It is really quite simple, but there are two things I think everyone should watch out for!

    1. SELinux: with it enforcing, sshd's confined domain cannot access ~/.google_authenticator the way the module needs (it rewrites the file to record used codes and login attempts), and logins fail with puzzling permission errors. setenforce 0 only lasts until reboot, so make the choice deliberate: either set SELINUX=permissive in /etc/selinux/config, or, preferably, keep SELinux enforcing and use the module's secret= and user= options to keep the state file in a directory sshd is allowed to write to.
    2. On an important production system, keep the authentication material safe: the secret key, the QR code and the emergency scratch codes (each usable once). ~/.google_authenticator on the server holds all of it and should stay mode 0400. Lose it all and you can't log in, which is awkward!
    

    Finally, thanks for reading this short piece, and remember to give it a like 😂


    Original article: https://www.haomeiwen.com/subject/irunsctx.html