How to Set Up Two-Factor Authentication (Google Authenticator) for SSH Logins
By default, SSH already provides encrypted communication between remote machines, but if you want an extra layer of security on your SSH connections you can add Google Authenticator (two-factor authentication), which requires a time-based one-time password (TOTP) verification code whenever you connect to your SSH servers. You will have to enter the verification code from your smartphone or PC each time you connect.
Google Authenticator is an open-source software project that includes implementations of time-based one-time password (TOTP) tokens developed by Google. It supports several mobile platforms as well as PAM (Pluggable Authentication Module). The one-time codes are generated using open standards created by the Initiative for Open Authentication (OATH).
In this article I will show you how to install and configure SSH for two-factor authentication under Red Hat, CentOS, Fedora, Ubuntu, Linux Mint and Debian.
Installing the Google Authenticator Module
Log in to the machine on which you want to set up two-factor authentication and install the PAM development library together with the build tools needed to compile the PAM module and the google-authenticator helper.
On Red Hat, CentOS and Fedora systems install the 'pam-devel' package (git and autoconf are added because the build steps below use them).
# yum install pam-devel make autoconf automake libtool gcc-c++ wget git
On Ubuntu, Linux Mint and Debian systems install the 'libpam0g-dev' package (note that the C++ compiler package is called 'g++' on these systems, not 'gcc-c++').
# apt-get install libpam0g-dev make autoconf automake libtool g++ wget git
Now clone, build and install the Google Authenticator PAM module from its git repository (the commands below assume you are already in root's home directory). The final command, 'google-authenticator', creates the per-user secret and writes it to that user's ~/.google_authenticator, so run it as the user who will actually be logging in over SSH, not necessarily as root. Most current distributions also ship a prebuilt package ('google-authenticator' on Fedora/EPEL, 'libpam-google-authenticator' on Debian/Ubuntu); if you install that instead, skip the build steps and run only 'google-authenticator'.
# git clone https://github.com/google/google-authenticator-libpam.git
# cd google-authenticator-libpam/
# ./bootstrap.sh
# ./configure
# make
# make install
# google-authenticator
Once you run the 'google-authenticator' command it will ask you a series of questions. Answering y (yes) is appropriate in most cases. If something goes wrong, you can run 'google-authenticator' again to regenerate the settings (this replaces the secret, so the phone app has to be set up again).
- Do you want authentication tokens to be time-based (y/n) y
After this question you will get your 'secret key' and 'emergency scratch codes'. Write them down somewhere safe: the secret key is needed later to set up the Google Authenticator app, and each scratch code is a one-time backup login for when the phone is unavailable. Treat both like a password, since anyone holding the secret can generate your codes.
# google-authenticator
Do you want authentication tokens to be time-based (y/n) y
https://www.google.com/chart?chs=200x200&chld=M|0&cht=qr&chl=otpauth://totp/[email %3Fsecret%3DXEKITDTYCBA2TLPL
Your new secret key is: XEKITDTYCBA2TLPL
Your verification code is 461618
Your emergency scratch codes are:
  65083399
  10733609
  47588351
  71111643
  92017550
Next, follow the setup wizard; answering y (yes) as shown below is fine for most servers. Think twice about the third question, though: enlarging the time-skew window makes each code acceptable for about 4 minutes instead of 1:30, which gives an attacker who captures a code that much longer to replay it. Answer n unless the clock on the server or the phone is genuinely unreliable, and prefer fixing the clock (NTP) over widening the window.
Do you want me to update your "/root/.google_authenticator" file (y/n) y

Do you want to disallow multiple uses of the same authentication
token? This restricts you to one login about every 30s, but it increases
your chances to notice or even prevent man-in-the-middle attacks (y/n) y

By default, tokens are good for 30 seconds and in order to compensate for
possible time-skew between the client and the server, we allow an extra
token before and after the current time. If you experience problems with poor
time synchronization, you can increase the window from its default
size of 1:30min to about 4min. Do you want to do so (y/n) y

If the computer that you are logging into isn't hardened against brute-force
login attempts, you can enable rate-limiting for the authentication module.
By default, this limits attackers to no more than 3 login attempts every 30s.
Do you want to enable rate-limiting (y/n) y
Configuring SSH to Use the Google Authenticator Module
Open the PAM configuration file '/etc/pam.d/sshd' and add the following line at the top of the file. PAM loads modules by name from its default module directory; if 'make install' put the module somewhere PAM does not search (the default prefix is /usr/local), use the module's full path on this line instead. Appending 'nullok' to the line lets users who have not yet run google-authenticator continue to log in with only their password, which is useful during a gradual rollout but should be removed once everyone is enrolled.
auth required pam_google_authenticator.so
Next, open the SSH daemon configuration file '/etc/ssh/sshd_config' and scroll down to find the line that reads:
ChallengeResponseAuthentication no
Change it to yes, so that it becomes the following. On OpenSSH 8.7 and later the directive is named KbdInteractiveAuthentication (ChallengeResponseAuthentication remains as a deprecated alias). Also confirm that UsePAM is set to yes, the default on most distributions, otherwise sshd never consults the PAM stack you just edited.
ChallengeResponseAuthentication yes
Finally, restart the SSH service so the changes take effect. Keep your current SSH session open and test the new login from a second terminal before closing it, so that a mistake in the PAM or sshd configuration cannot lock you out.
# /etc/init.d/sshd restart
On systemd-based systems use 'systemctl' instead (the unit is named 'sshd' on Red Hat, CentOS and Fedora, and 'ssh' on Debian, Ubuntu and Linux Mint):
# systemctl restart sshd
Configuring the Google Authenticator App
Open the Google Authenticator app on your smartphone. Tap Menu and choose Set up account. If you do not have the app, download and install Google Authenticator on your Android/iPhone/BlackBerry device.
Tap 'Enter provided key'.
Enter an account 'Name' and the 'secret key' generated earlier.
The app will now generate a one-time password (verification code) on your phone that changes every 30 seconds.
Now try to log in via SSH: every SSH login will prompt you for the Google Authenticator code (Verification code) and then for your password. The code on the phone changes every 30 seconds; with the default settings the server also accepts the code from the immediately preceding and following 30-second step, so you do not have to race the countdown, but a code older than that is rejected and you must enter the newly generated one.
login as: tecmint
Access denied
Using keyboard-interactive authentication.
Verification code:
Using keyboard-interactive authentication.
Password:
Last login: Tue Apr 23 13:58:29 2013 from 172.16.25.125
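The wizard questions above (time-based tokens, the skew window, disallowing reuse) and the 30-second code the phone app displays are all one algorithm, TOTP (RFC 6238) built on HOTP (RFC 4226). The following added example, which is not code from this article or from the google-authenticator project, shows both halves: the phone side computes the 6-digit code from the base32 secret and the current time step, and a small server-side verifier models the two options you answered during the wizard, the acceptance window and the reuse ban. The secret used is the RFC 4226/6238 reference key, a constructed test value rather than a real credential; the class and function names are this example's own.

```python
"""TOTP as used by google-authenticator: what the phone computes and what the
PAM module checks. Added example, not code from the article or from the
google-authenticator project. The secret below is the RFC 4226/6238 reference
key ("12345678901234567890"), base32-encoded the way google-authenticator
prints it; it is a constructed test value, not a real credential."""
import base64
import hashlib
import hmac
import struct
import time

DEMO_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def decode_secret(b32: str) -> bytes:
    """Decode the base32 secret shown by 'google-authenticator' (padding optional)."""
    s = b32.strip().replace(" ", "").upper()
    return base64.b32decode(s + "=" * (-len(s) % 8))


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP with the counter set to the current 30-second time step.
    This is the number the phone app displays."""
    return hotp(secret, unix_time // step, digits)


class TotpVerifier:
    """Server-side check modelling the two wizard options (assumed model, not the
    PAM module's own code):
    window_steps: how many 30 s steps either side of 'now' are accepted
      (1 = the default 1:30 min window; 8 = the 'about 4 min' option).
    disallow_reuse: a time step that already produced a successful login is
      never accepted again, so a code captured in transit cannot be replayed."""

    def __init__(self, secret_b32, window_steps=1, disallow_reuse=True, step=30):
        self.secret = decode_secret(secret_b32)
        self.window_steps = window_steps
        self.disallow_reuse = disallow_reuse
        self.step = step
        self.used_counters = set()

    def verify(self, code: str, unix_time=None) -> bool:
        if unix_time is None:
            unix_time = int(time.time())
        now = unix_time // self.step
        first = max(0, now - self.window_steps)  # counters cannot go negative
        for counter in range(first, now + self.window_steps + 1):
            if self.disallow_reuse and counter in self.used_counters:
                continue
            # constant-time compare so timing does not leak how many digits matched
            if hmac.compare_digest(hotp(self.secret, counter), code):
                self.used_counters.add(counter)
                return True
        return False


if __name__ == "__main__":
    secret = decode_secret(DEMO_SECRET_B32)
    t = 59  # RFC 6238 test time; the phone would show 287082 here
    print("code at t=59:", totp(secret, t))
    v = TotpVerifier(DEMO_SECRET_B32)
    print("first use accepted:", v.verify(totp(secret, t), t))
    print("replay rejected:", v.verify(totp(secret, t), t))
```

Run it as-is and the verifier accepts the code once and refuses the identical code a second time, which is exactly the man-in-the-middle argument the wizard makes for answering y to the reuse question. Widening `window_steps` to 8 makes a code that is several minutes stale pass, which is why the article's advice to enable the larger window is worth resisting unless clock drift is a real problem.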
If you do not have a smartphone, you can also use a Firefox add-on called GAuth Authenticator to perform the two-factor authentication.
Important: two-factor authentication as configured above only applies to password-based SSH logins. If you log in with an SSH public/private key pair, sshd authenticates you with the key alone and never reaches the PAM keyboard-interactive step, so the verification code is never requested and a stolen private key is still enough to get in. To require the code for key-based logins as well, set 'AuthenticationMethods publickey,keyboard-interactive' in sshd_config (OpenSSH 6.2 or later), which makes sshd demand a successful key authentication followed by the PAM challenge.
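The two sshd_config fragments below, added here as an example and not taken from the article, show the state the article's steps leave you in next to a hardened version that requires the key and the verification code together. The directive names are real OpenSSH options; the choice to disable password authentication is this example's recommendation.

```sshd_config
# --- as configured by the article: key-only logins skip the PAM stack ---
ChallengeResponseAuthentication yes
UsePAM yes
PubkeyAuthentication yes
PasswordAuthentication yes

# --- hardened: a valid key AND a valid verification code are both required ---
# (use KbdInteractiveAuthentication instead on OpenSSH 8.7 and later)
ChallengeResponseAuthentication yes
UsePAM yes
PubkeyAuthentication yes
# the code is collected through keyboard-interactive, so plain password auth is not needed
PasswordAuthentication no
AuthenticationMethods publickey,keyboard-interactive
```

With this in place the PAM stack in /etc/pam.d/sshd still runs in full, so users are asked for the code and then their Unix password on top of the key. If you want key plus code only, comment out the line that pulls in the password modules in /etc/pam.d/sshd ('@include common-auth' on Debian and Ubuntu, 'auth substack password-auth' on Red Hat, CentOS and Fedora) so that pam_google_authenticator.so is the only remaining auth module. Validate the file with 'sshd -t' and test from a second terminal before closing your current session.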