How to Set Up Two-Factor Authentication (Google Authenticator) for SSH Logins


By default, SSH already provides secure data communication between remote machines, but if you want to add an extra layer of security to your SSH connections, you can add Google Authenticator (two-factor authentication), which requires you to enter a time-based one-time password (TOTP) verification code when connecting to an SSH server. You will have to enter the verification code from your smartphone or PC each time you connect.

Google Authenticator is an open-source project that includes an implementation of time-based one-time password (TOTP) tokens developed by Google. It supports several mobile platforms as well as PAM (Pluggable Authentication Module). These one-time codes are generated using open standards developed by the Initiative for Open Authentication (OATH).

In this article I will show you how to set up and configure SSH for two-factor authentication on Red Hat, CentOS and Fedora as well as Ubuntu, Linux Mint and Debian.

Installing the Google Authenticator Module

Log in to the machine on which you want to set up two-factor authentication and install the following PAM libraries, along with the development libraries that the PAM module needs in order to build and work properly with the Google Authenticator module.

On Red Hat, CentOS and Fedora systems, install the 'pam-devel' package.

# yum install pam-devel make automake libtool gcc-c++ wget

On Ubuntu, Linux Mint and Debian systems, install the 'libpam0g-dev' package.

# apt-get install libpam0g-dev make automake libtool g++ wget

Now clone and install the Google Authenticator module under your home directory (this assumes you are already in root's home directory) using the following git command.

# git clone https://github.com/google/google-authenticator-libpam.git
# cd google-authenticator-libpam/
# ./bootstrap.sh
# ./configure
# make
# make install
# google-authenticator

Once you run the 'google-authenticator' command, it will ask you a series of questions. Simply type y (yes) as the answer in most cases. If something goes wrong, you can run the 'google-authenticator' command again to reset the settings.

  1. Do you want authentication tokens to be time-based (y/n) y

After this question, you will get your 'secret key' and 'emergency scratch codes'. Write this information down somewhere safe; we will need the 'secret key' later to configure the Google Authenticator application.

 google-authenticator

Do you want authentication tokens to be time-based (y/n) y
https://www.google.com/chart?chs=200x200&chld=M|0&cht=qr&chl=otpauth://totp/[email %3Fsecret%3DXEKITDTYCBA2TLPL
Your new secret key is: XEKITDTYCBA2TLPL
Your verification code is 461618
Your emergency scratch codes are:
  65083399
  10733609
  47588351
  71111643
  92017550

Next, follow the setup wizard and in most cases answer y (yes), as shown below.

Do you want me to update your "/root/.google_authenticator" file (y/n) y

Do you want to disallow multiple uses of the same authentication
token? This restricts you to one login about every 30s, but it increases
your chances to notice or even prevent man-in-the-middle attacks (y/n) y

By default, tokens are good for 30 seconds and in order to compensate for
possible time-skew between the client and the server, we allow an extra
token before and after the current time. If you experience problems with poor
time synchronization, you can increase the window from its default
size of 1:30min to about 4min. Do you want to do so (y/n) y

If the computer that you are logging into isn't hardened against brute-force
login attempts, you can enable rate-limiting for the authentication module.
By default, this limits attackers to no more than 3 login attempts every 30s.
Do you want to enable rate-limiting (y/n) y
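To make the wizard's questions concrete, the following added example (not code from the article or from the google-authenticator project) implements RFC 6238 TOTP in Python: it derives the 6-digit code from the base32 secret the wizard prints, accepts one token before and after the current 30-second step (the default 1:30 min window), and refuses to accept a time step that has already been used, which is what "disallow multiple uses of the same authentication token" means. The secret XEKITDTYCBA2TLPL is the one shown in the article's output; the RFC test key in the usage line is the standard one from RFC 4226/6238.

```python
import base64
import hashlib
import hmac
import struct
import time

PERIOD = 30   # seconds per time step, as used by google-authenticator
DIGITS = 6    # length of the verification code


def hotp(secret: bytes, counter: int) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter,
    then dynamic truncation to DIGITS decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** DIGITS)).zfill(DIGITS)


def totp(secret: bytes, unix_time: int) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to the current 30 s step."""
    return hotp(secret, unix_time // PERIOD)


def decode_secret(b32: str) -> bytes:
    """The wizard prints the key in unpadded base32 (e.g. XEKITDTYCBA2TLPL)."""
    padded = b32.upper() + "=" * (-len(b32) % 8)
    return base64.b32decode(padded)


def verify(secret: bytes, code: str, unix_time: int,
           skew_steps: int = 1, last_used_step=None):
    """Return the time step that matched, or None.
    skew_steps=1 is the wizard's default: one token before and after the
    current one, i.e. a 1:30 min window. Rejecting every step <= the step
    of the last successful login is the 'disallow multiple uses' option."""
    now_step = unix_time // PERIOD
    for step in range(now_step - skew_steps, now_step + skew_steps + 1):
        if last_used_step is not None and step <= last_used_step:
            continue
        if hmac.compare_digest(hotp(secret, step), code):
            return step
    return None


if __name__ == "__main__":
    key = decode_secret("XEKITDTYCBA2TLPL")   # secret from the article's output
    print("current code for the article's secret:", totp(key, int(time.time())))
    print("RFC 6238 vector, T=59:", totp(b"12345678901234567890", 59))  # 287082
```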

Configuring SSH to Use the Google Authenticator Module

Open the PAM configuration file '/etc/pam.d/sshd' and add the following line at the top of the file.

auth       required     pam_google_authenticator.so

Next, open the SSH configuration file '/etc/ssh/sshd_config' and scroll down to find the line that says:

ChallengeResponseAuthentication no

Change it to yes, so that it becomes:

ChallengeResponseAuthentication yes

Finally, restart the SSH service to pick up the new changes.

# /etc/init.d/sshd restart

Configuring the Google Authenticator Application

Open the Google Authenticator application on your smartphone. Press Menu and select Set up account. If you don't have the app, you can download and install the Google Authenticator application on your Android/iPhone/Blackberry device.

Tap 'Enter provided key'.

Add your account 'Name' and enter the 'secret key' generated earlier.

The app will generate a one-time password (verification code) that changes every 30 seconds on your phone.

Now try logging in via SSH: you will be prompted for the Google Authenticator code (verification code) and your password whenever you attempt to log in. You have only 30 seconds to enter the verification code; if you miss that window, a new verification code is generated and you must enter that one instead.

login as: tecmint
Access denied
Using keyboard-interactive authentication.
Verification code:
Using keyboard-interactive authentication.
Password:
Last login: Tue Apr 23 13:58:29 2013 from 172.16.25.125

If you don't have a smartphone, you can also use a Firefox add-on called GAuth Authenticator to perform two-factor authentication.

Important: Two-factor authentication as configured here only applies to password-based SSH logins. If you log in with an SSH private/public key pair, the two-factor prompt is bypassed and you are logged in directly.