How to Set Up Two-Factor Authentication (Google Authenticator) for SSH Logins


By default, SSH already uses secure data communication between remote machines, but if you want to add an extra layer of security to your SSH connections, you can add the Google Authenticator module (two-factor authentication), which lets you enter a random one-time password (TOTP) verification code while connecting to SSH servers. You will have to enter the verification code from your smartphone or PC when you connect.

Google Authenticator is an open-source module that includes implementations of one-time passcode (TOTP) verification tokens developed by Google. It supports several mobile platforms, as well as PAM (Pluggable Authentication Module). These one-time passcodes are generated using open standards created by the OATH (Initiative for Open Authentication).

In this article I will show you how to set up and configure SSH for two-factor authentication under Red Hat, CentOS, Fedora and Ubuntu, Linux Mint and Debian.

Installing the Google Authentication Module

Open the machine on which you want to set up two-factor authentication and install the following PAM libraries along with the development libraries that the PAM module needs to work correctly with the Google authentication module.

On Red Hat, CentOS and Fedora systems, install the 'pam-devel' package.

# yum install pam-devel make automake libtool gcc-c++ wget

On Ubuntu, Linux Mint and Debian systems, install the 'libpam0g-dev' package.

# apt-get install libpam0g-dev make automake libtool gcc-c++ wget

Now clone and install the Google authenticator module under the home directory (assuming you are already logged in to root's home directory) using the following git command.

# git clone https://github.com/google/google-authenticator-libpam.git
# cd google-authenticator-libpam/
# ./bootstrap.sh
# ./configure
# make
# make install
# google-authenticator

Once you run the 'google-authenticator' command, it will prompt you with a series of questions. Simply type "y" (yes) as the answer in most cases. If something goes wrong, you can run the 'google-authenticator' command again to reset the settings.

  1. Do you want authentication tokens to be time-based (y/n) y

After this question, you will get a 'secret key' and 'emergency scratch codes'. Write these details down somewhere; we will need the 'secret key' later to set up the Google Authenticator app.

 google-authenticator

Do you want authentication tokens to be time-based (y/n) y
https://www.google.com/chart?chs=200x200&chld=M|0&cht=qr&chl=otpauth://totp/[email %3Fsecret%3DXEKITDTYCBA2TLPL
Your new secret key is: XEKITDTYCBA2TLPL
Your verification code is 461618
Your emergency scratch codes are:
  65083399
  10733609
  47588351
  71111643
  92017550

Next, follow the setup wizard and, in most cases, answer "y" (yes) as shown below.

Do you want me to update your "/root/.google_authenticator" file (y/n) y

Do you want to disallow multiple uses of the same authentication
token? This restricts you to one login about every 30s, but it increases
your chances to notice or even prevent man-in-the-middle attacks (y/n) y

By default, tokens are good for 30 seconds and in order to compensate for
possible time-skew between the client and the server, we allow an extra
token before and after the current time. If you experience problems with poor
time synchronization, you can increase the window from its default
size of 1:30min to about 4min. Do you want to do so (y/n) y

If the computer that you are logging into isn't hardened against brute-force
login attempts, you can enable rate-limiting for the authentication module.
By default, this limits attackers to no more than 3 login attempts every 30s.
Do you want to enable rate-limiting (y/n) y
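To show what the server is actually checking, here is an added example (not code from the page or from the google-authenticator-libpam project) that implements RFC 6238 TOTP over a base32 secret like the one printed above, plus the two wizard options just seen: the time-skew window and the "no reuse of the same token" rule. The verifier class and the monotonic last-counter simplification are assumptions of this example; the real PAM module stores its state in the .google_authenticator file.

```python
import base64
import hashlib
import hmac
import struct

STEP = 30    # token lifetime in seconds, matching the wizard text above
DIGITS = 6

def decode_secret(b32: str) -> bytes:
    """Decode the base32 secret that google-authenticator prints (e.g. XEKITDTYCBA2TLPL)."""
    s = b32.strip().replace(" ", "").upper()
    return base64.b32decode(s + "=" * (-len(s) % 8))   # restore any stripped padding

def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    dbc = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(dbc % 10 ** digits).zfill(digits)

def totp(secret_b32: str, at: int) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to floor(unix_time / STEP)."""
    return hotp(decode_secret(secret_b32), at // STEP)

class TotpVerifier:
    """Server-side check mirroring two wizard options: a skew window and no token reuse.
    (Example only; the real PAM module keeps its state in ~/.google_authenticator.)"""

    def __init__(self, secret_b32: str, window: int = 1):
        self.secret = decode_secret(secret_b32)
        self.window = window       # 1 = one extra token before and after (the 1:30 min default)
        self.last_counter = -1     # highest counter already consumed (replay protection)

    def verify(self, code: str, at: int) -> bool:
        counter = at // STEP
        for c in range(counter - self.window, counter + self.window + 1):
            if c <= self.last_counter:
                continue           # already used: simplified "disallow multiple uses" rule
            if hmac.compare_digest(hotp(self.secret, c), code):
                self.last_counter = c
                return True
        return False
```

The RFC 6238 test secret "12345678901234567890" (base32 GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ) can be used to confirm the implementation against the published vectors.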

Configuring SSH to Use the Google Authentication Module

Open the PAM configuration file '/etc/pam.d/sshd' and add the following line to the top of the file.

auth       required     pam_google_authenticator.so

Next, open the SSH configuration file '/etc/ssh/sshd_config' and scroll down to find the line that says:

ChallengeResponseAuthentication no

Change it to "yes", so that it becomes:

ChallengeResponseAuthentication yes

Finally, restart the SSH service to apply the new changes.

# /etc/init.d/sshd restart

Setting Up the Google Authenticator App

Launch the Google Authenticator app on your smartphone. Tap Menu and choose "Set up an account". If you don't have this app, you can download and install the Google Authenticator app on your Android/iPhone/Blackberry device.

Tap "Enter provided key".

Add your account 'Name' and enter the 'secret key' generated earlier.

It will generate a one-time password (verification code) that keeps changing every 30 seconds on your phone.

Now try logging in via SSH; you will be prompted for the Google Authenticator code (verification code) and your password whenever you try to log in via SSH. You only have 30 seconds to enter this verification code; if you miss it, a new verification code is generated.

login as: tecmint
Access denied
Using keyboard-interactive authentication.
Verification code:
Using keyboard-interactive authentication.
Password:
Last login: Tue Apr 23 13:58:29 2013 from 172.16.25.125

If you don't have a smartphone, you can also use a Firefox add-on called GAuth Authenticator to perform two-factor authentication.

Important: Two-factor authentication works with password-based SSH logins. If you are using any private/public key SSH session, it will ignore two-factor authentication and log you in directly.