How to secure Linux SSH logins with one-time passwords

Add Date: 2018-11-21
As the saying goes, security is not a product but a process. Although the SSH protocol itself is designed to be cryptographically secure, it offers little protection if it is managed poorly: a weak password, a compromised key or an outdated SSH client can each lead to a serious compromise of your SSH service.

As for SSH authentication, public key authentication is generally considered more secure than password authentication. However, if you log in from a public or shared computer, key authentication is not practical and may even be less secure: on such a machine there is always the risk of an invisible keylogger or memory-scraping malware. If you cannot trust the local computer, it is better to use a different kind of password. This is where one-time passwords come in handy. As the name suggests, a one-time password can be used only once, so it can be used safely in an untrusted environment: even if it is stolen, it cannot be used again.

One way to generate one-time passwords is Google Authenticator. In this tutorial I will demonstrate another method of creating one-time passwords for SSH login: OTPW (http://www.cl.cam.ac.uk/~mgk25/otpw.html), a one-time password package. Unlike Google Authenticator, it does not rely on any third party to generate and verify the one-time passwords.

OTPW overview

OTPW consists of two parts: a one-time password generator and a PAM module that performs the authentication. The one-time passwords are produced by the generator in advance, and the user carries them in a safe form (for example, printed on paper). Cryptographic hashes of the generated passwords are stored on the SSH server host. When a user logs in with a one-time password, the OTPW PAM module verifies it and then invalidates it, so that it cannot be reused.

Step 1: Install and configure OTPW on Linux

On Debian, Ubuntu or Linux Mint:

Install the OTPW packages with apt-get:

$ sudo apt-get install libpam-otpw otpw-bin
Using a text editor, open the SSH PAM configuration file (/etc/pam.d/sshd) and comment out the following line (to disable password authentication):

# @include common-auth
Then add the following two lines (to enable one-time password authentication):

auth required pam_otpw.so
session optional pam_otpw.so

On Fedora or CentOS/RHEL:

Red Hat-based systems do not ship a prebuilt OTPW package, so we build and install OTPW from source.

First, install the build dependencies:

$ sudo yum install git gcc pam-devel
$ git clone https://www.cl.cam.ac.uk/~mgk25/git/otpw
$ cd otpw
Open the Makefile in a text editor and edit the line beginning with "PAMLIB=" as shown below.

On 64-bit systems:

PAMLIB=/usr/lib64/security
On 32-bit systems:

PAMLIB=/usr/lib/security
Then compile and install. Note: the install step automatically restarts the SSH server, so if you are connected over SSH, be prepared for your connection to drop.

$ make
$ sudo make install
Now you need to update the SELinux policy, because /usr/sbin/sshd will try to write to the user's home directory (to update ~/.otpw when a password is used), which the default SELinux policy does not allow. The following commands build a policy module from the sshd denials already recorded in the audit log, so run them only after such a denial has actually been logged, and review the generated mypol.te before installing it, since it allows everything sshd was denied in that log. If you do not use SELinux, skip this step.

$ sudo grep sshd /var/log/audit/audit.log | audit2allow -M mypol
$ sudo semodule -i mypol.pp
Next, open the PAM configuration file for SSH (/etc/pam.d/sshd) in a text editor and comment out the following line (to disable password authentication):

#auth substack password-auth
Then add the following two lines (to enable one-time password authentication):

auth required pam_otpw.so
session optional pam_otpw.so
 

Step 2: Configure the SSH server for one-time passwords

The next step is to configure the SSH server to accept the one-time password.

Open /etc/ssh/sshd_config in a text editor and set the following three parameters. Make sure each of these lines appears only once, because a duplicate directive will cause the SSH server to fail.

UsePrivilegeSeparation yes
ChallengeResponseAuthentication yes
UsePAM yes
You also need to disable the default password authentication. Optionally, leave public key authentication enabled so that you can fall back to key-based login in case you do not have a one-time password at hand.

PubkeyAuthentication yes
PasswordAuthentication no
Now, restart the SSH server.

On Debian, Ubuntu or Linux Mint:

$ sudo service ssh restart
On Fedora or CentOS/RHEL 7:

$ sudo systemctl restart sshd
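The tutorial warns that a duplicated sshd_config directive stops the server. The POSIX shell function below is an added example (not part of OTPW or the original tutorial) that lints an sshd_config for the five directives set in this step, reporting any that is missing, has the wrong value, or appears more than once; the demo at the end runs it on a constructed config, not a real server's file.

```shell
# Added example, not part of the original tutorial: lint an sshd_config for the
# directives this tutorial sets. It reports a directive that is missing, has the
# wrong value, or appears more than once (duplicates stop sshd from starting).
# Returns 0 when the file is clean, otherwise the number of findings.
check_sshd_config() {
    cfg="$1"
    problems=0
    for pair in "UsePrivilegeSeparation yes" "ChallengeResponseAuthentication yes" \
                "UsePAM yes" "PubkeyAuthentication yes" "PasswordAuthentication no"; do
        key=${pair%% *}
        want=${pair#* }
        # Active (uncommented) occurrences; sshd matches directive names case-insensitively.
        count=$(grep -i -c -E "^[[:space:]]*${key}[[:space:]]" "$cfg" || true)
        if [ "$count" -gt 1 ]; then
            echo "DUPLICATE: $key appears $count times; sshd will refuse to start"
            problems=$((problems + 1))
        elif [ "$count" -eq 0 ]; then
            echo "MISSING: expected '$key $want'"
            problems=$((problems + 1))
        else
            # sshd honours the first occurrence, so compare that one (value lower-cased).
            have=$(grep -i -E "^[[:space:]]*${key}[[:space:]]" "$cfg" | awk '{print tolower($2)}')
            if [ "$have" != "$want" ]; then
                echo "WRONG: $key is '$have', expected '$want'"
                problems=$((problems + 1))
            fi
        fi
    done
    return "$problems"
}

# Demo on a constructed config (not a real server's file): ChallengeResponseAuthentication
# is duplicated and PasswordAuthentication was left enabled.
demo=$(mktemp)
cat > "$demo" <<'EOF'
# Port 22
UsePrivilegeSeparation yes
ChallengeResponseAuthentication yes
UsePAM yes
ChallengeResponseAuthentication yes
PubkeyAuthentication yes
PasswordAuthentication yes
EOF
check_sshd_config "$demo" || echo "findings: $?"
rm -f "$demo"
```

Run it against /etc/ssh/sshd_config before restarting sshd; a non-zero exit status means something to fix first.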
 

Step 3: Generate one-time passwords with OTPW

As mentioned earlier, you need to create the one-time passwords beforehand and store them on the remote SSH server host. To do this, run the otpw-gen tool as the user you will log in as.

$ cd ~
$ otpw-gen > temporary_password.txt

It will ask you to set a prefix password. When you log in later, you enter this prefix password followed by a one-time password. The prefix password is in effect another layer of protection: even if the password table falls into the wrong hands, the prefix forces the attacker to brute-force it.

Once the prefix password is set, the command generates 280 one-time passwords and stores them in the output text file (temporary_password.txt here). Each password (eight characters by default) is preceded by a three-digit index number. You can print the file on paper and carry it with you.

You will also see that a ~/.otpw file has been created; it stores the hashes of the passwords. The first three characters of each line are the index that will be shown at the SSH login prompt.

$ more ~/.otpw
OTPW1
280 3 12 8
191ai+:ENwmMqwn
218tYRZc%PIY27a
241ve8ns%NsHFmf
055W4/YCauQJkr:
102ZnJ4VWLFrk5N
2273Xww55hteJ8Y
1509d4b5=A64jBT
168FWBXY%ztm9j%
000rWUSdBYr%8UE
037NvyryzcI+YRX
122rEwA3GXvOk=z
Testing the one-time password for SSH login

Now log in to the SSH server as usual:

$ ssh user@remote_host
If OTPW is set up correctly, you will see a slightly different password prompt:

Password 191:
Now open the password table and find the entry with index "191".

023 kBvp tq/G  079 jKEw /HRM  135 oW/c /UeB  191 fOO+ PeiD  247 vAnZ EgUt
According to the table above, the one-time password with index "191" is "fOO+PeiD" (otpw-gen prints each password as two groups of four characters; type it without the space). You must type the prefix password in front of it. For example, if your prefix password is "000", the actual password to enter is "000fOO+PeiD".

Once you have logged in successfully, the password you used is automatically invalidated. If you look at ~/.otpw again, you will notice that the first entry line has been replaced by "---------------", which means that password "191" is no longer valid.

OTPW1
280 3 12 8
---------------
218tYRZc%PIY27a
241ve8ns%NsHFmf
055W4/YCauQJkr:
102ZnJ4VWLFrk5N
2273Xww55hteJ8Y
1509d4b5=A64jBT
168FWBXY%ztm9j%
000rWUSdBYr%8UE
037NvyryzcI+YRX
122rEwA3GXvOk=z
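Because every used entry in ~/.otpw becomes a line of dashes, the file doubles as a record of how many passwords are left before you are locked out of one-time logins. The POSIX shell function below is an added example (not part of OTPW) that reads the layout shown above (two header lines, then one entry per line) and warns when the remaining count drops below a threshold; the sample file it builds is constructed for the demo and mirrors the listing above.

```shell
# Added example, not OTPW's own code: report how many one-time passwords in an
# ~/.otpw file are still unused. pam_otpw overwrites each used entry with dashes,
# so the lines that still start with an index number are the remaining budget.
# Usage: otpw_remaining FILE [MIN]; returns 1 when fewer than MIN (default 20) remain.
otpw_remaining() {
    file="$1"
    min="${2:-20}"
    if [ "$(head -n 1 "$file")" != "OTPW1" ]; then
        echo "not an OTPW1 file: $file" >&2
        return 2
    fi
    # Lines 1-2 are the header; after that an entry is either "<index><hash>" or all dashes.
    counts=$(awk 'NR > 2 && /^[0-9]/ { r++ } NR > 2 && /^-+$/ { u++ }
                  END { printf "%d %d\n", r, u }' "$file")
    remaining=${counts%% *}
    used=${counts#* }
    echo "$remaining of $((remaining + used)) one-time passwords remain ($used used)"
    if [ "$remaining" -lt "$min" ]; then
        echo "WARNING: fewer than $min left; run otpw-gen and print a fresh table before you run out" >&2
        return 1
    fi
    return 0
}

# Demo on a constructed ~/.otpw (not a real file) that mirrors the tutorial's
# listing after one login: the entry for index 191 has been consumed.
sample=$(mktemp)
cat > "$sample" <<'EOF'
OTPW1
280 3 12 8
---------------
218tYRZc%PIY27a
241ve8ns%NsHFmf
055W4/YCauQJkr:
102ZnJ4VWLFrk5N
2273Xww55hteJ8Y
EOF
otpw_remaining "$sample" 3                       # 5 of 6 remain, threshold met
otpw_remaining "$sample" 20 || echo "exit status $?"   # below threshold: warns, exits 1
rm -f "$sample"
```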
Conclusion

In this tutorial I demonstrated how to set up one-time passwords for SSH login with the OTPW package. You may have noticed that the printed password table works a bit like a two-factor authentication security token, only in a more modest form. It is, however, easier to set up and does not depend on any third party. Whatever mechanism you use to create one-time passwords, they are a great help whenever you have to log in to an SSH server from a public computer you cannot trust. Comments are welcome.