Authentication is a very important part of server management: the verification process proves who you are and what you are allowed to do. Normally we log in to SSH with an account name and password; more cautious Linux administrators use SSH keys to authenticate users.
As we all know, SSH uses password authentication by default, and even if you use SSH keys instead of passwords, that is still a single factor. Once the key is leaked, the security of the server is compromised all the same.
To solve this problem, this article describes how to enable multi-factor authentication (MFA) for SSH on Ubuntu Server. Once enabled, an SSH login must additionally be verified with a different factor bound to a computer, mobile phone or other device. Multiple authentication factors may include:
Password or security question
Verification procedures or security token
Fingerprint or voice
...
A common method is an OATH-TOTP application such as Google Authenticator (Microsoft account two-step verification uses it as well). OATH-TOTP (Open Authentication Time-based One-Time Password) is an open protocol for generating single-use passwords; as a rule, a new six-digit verification code is generated every 30 seconds.
Below we describe how to use an OATH-TOTP application as an additional factor for SSH login, alongside the original SSH key or password authentication, to make server management more secure.
Installing libpam-google-authenticator
In this step we install and configure the Google PAM module.
Anyone familiar with Linux authentication knows PAM (Pluggable Authentication Modules), the infrastructure Linux systems use to authenticate users. The OATH-TOTP application developed by Google is PAM-compatible, so we can use Google Authenticator to complete multi-factor SSH authentication.
1. Update the Ubuntu package repository cache:
sudo apt-get update
2. Install the Google PAM module:
sudo apt-get install libpam-google-authenticator
[Screenshot: Teach you how to enable SSH multifactor authentication on Ubuntu Server]
After libpam-google-authenticator is installed, we need to generate a TOTP key for every user who will authenticate with it. The key is generated per user, not system-wide: every user who wants to log in to SSH with TOTP must obtain and keep their own key. Run the following as that user:
google-authenticator
After the command above is executed, the program asks a series of questions. The first asks whether to generate time-based authentication tokens. Google PAM supports both time-based and counter-based (sequence-based) tokens. With counter-based tokens, the code increments on every use; time-based tokens change over time and are what Google Authenticator normally uses, so we choose yes here.
Do you want authentication tokens to be time-based (y/n) y
After the first question is answered, a lot of information is printed immediately, including a QR code, the new secret key, a verification code and five eight-digit emergency scratch codes. Be sure to keep this information; it is very important.
Now scan the QR code with Google Authenticator to add it to Google's OATH-TOTP application. Once added successfully, a new entry appears with a 6-digit token that refreshes every 30 seconds.
The remaining questions tell Google PAM how to work; let us go through them step by step.
Do you want me to update your "~/.google_authenticator" file (y/n) y
This writes the key and configuration options to the .google_authenticator file; we select yes.
Do you want to disallow multiple uses of the same authentication
token? This restricts you to one login about every 30s, but it increases
your chances to notice or even prevent man-in-the-middle attacks (y/n) y
This makes a used code expire immediately, so a code that someone intercepts cannot be replayed; we normally choose yes here.
By default, tokens are good for 30 seconds and in order to compensate for
possible time-skew between the client and the server, we allow an extra
token before and after the current time. If you experience problems with poor
time synchronization, you can increase the window from its default
size of 1:30min to about 4min. Do you want to do so (y/n) n
By default a token is valid for 30 seconds, and the module compensates for time differences between server and client by accepting one extra token before and after the current one. This option asks whether to widen the allowance to about four minutes; we select no.
If the computer that you are logging into is not hardened against brute-force
login attempts, you can enable rate-limiting for the authentication module.
By default, this limits attackers to no more than 3 login attempts every 30s.
Do you want to enable rate-limiting (y/n) y
This limits an attacker to three login attempts every 30 seconds; we choose yes to prevent brute-force attacks.
After completing the steps above, all of the Google PAM configuration is done.
Configuring OpenSSH to support MFA
Next we configure SSH to use the TOTP key, which means telling SSH to use Google PAM for authentication.
1. Add the following line to the /etc/pam.d/sshd file:
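As an added illustration (not code from this article or from the libpam-google-authenticator project) of the TOTP scheme described at the start of the article and of the single-use and time-skew choices just made, the following Python verifies codes the way the server side does; the secret and the timestamp are constructed values.

```python
import base64
import hashlib
import hmac
import struct

STEP = 30    # seconds per TOTP step, the 30 s default named in the prompts above
DIGITS = 6   # the 6-digit token Google Authenticator displays

# Constructed demo secret in the base32 form google-authenticator prints; not a real key.
DEMO_SECRET = "JBSWY3DPEHPK3PXP"

def totp_code(secret_b32: str, unix_time: int) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the time-step counter, then dynamic truncation."""
    key = base64.b32decode(secret_b32.upper() + "=" * (-len(secret_b32) % 8))
    counter = struct.pack(">Q", unix_time // STEP)
    digest = hmac.new(key, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** DIGITS)).zfill(DIGITS)

class TotpVerifier:
    """Server-side check mirroring two choices made in the prompts above:
    a skew window of one step before and after the current time, and
    rejection of a time step whose code was already accepted (no replay)."""

    def __init__(self, secret_b32: str, window: int = 1):
        self.secret = secret_b32
        self.window = window
        # Steps already consumed; pam_google_authenticator keeps the
        # equivalent state in ~/.google_authenticator.
        self.used_steps = set()

    def verify(self, code: str, unix_time: int) -> bool:
        current = unix_time // STEP
        for step in range(current - self.window, current + self.window + 1):
            if step in self.used_steps:
                continue
            if hmac.compare_digest(totp_code(self.secret, step * STEP), code):
                self.used_steps.add(step)
                return True
        return False

if __name__ == "__main__":
    now = 1700000000  # constructed fixed timestamp so the run is reproducible
    verifier, first = TotpVerifier(DEMO_SECRET), totp_code(DEMO_SECRET, now)
    print("code", first, "accepted:", verifier.verify(first, now))
    print("same code replayed, accepted:", verifier.verify(first, now))
```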
auth required pam_google_authenticator.so nullok
The trailing nullok tells PAM that this authentication method is optional, so users who have not yet set up a key can still log in with a password or SSH key. Once we have tested that logging in with the OATH-TOTP code works correctly, we delete nullok to make MFA mandatory.
2. Next we configure SSH to support this authentication mode. Edit the /etc/ssh/sshd_config file, set ChallengeResponseAuthentication to yes, and then restart the SSH service:
sudo service ssh restart
At this point we can already log in to SSH with Google Authenticator verification, which is very nice. Finally, to keep the server secure, we recommend turning on two-factor authentication in the form SSH key + MFA and giving up SSH password authentication altogether.
Edit the /etc/ssh/sshd_config configuration file:
PasswordAuthentication no
UsePAM yes
# add the following line
AuthenticationMethods publickey,keyboard-interactive
Important: during configuration, be sure to test that you can log in with Google Authenticator before you disable SSH password or SSH key authentication and before you close your existing session. Otherwise the result is that you can no longer connect at all.
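An added check, not part of the article, that reads sshd_config and /etc/pam.d/sshd text and reports what still differs from the final configuration above; the sample files are constructed, and the parser only models global keywords (first occurrence wins, as in sshd), not Match blocks.

```python
import re

# Constructed sample files, not copied from a real server.
WEAK_SSHD_CONFIG = """\
# sshd_config as shipped, before this article's changes
ChallengeResponseAuthentication no
UsePAM yes
"""
HARDENED_SSHD_CONFIG = """\
PasswordAuthentication no
ChallengeResponseAuthentication yes
UsePAM yes
AuthenticationMethods publickey,keyboard-interactive
"""
PAM_SSHD_TESTING = "auth required pam_google_authenticator.so nullok\n"
PAM_SSHD_FINAL = "auth required pam_google_authenticator.so\n"

REQUIRED = {  # the article's target state; sshd treats keywords and yes/no case-insensitively
    "passwordauthentication": "no",
    "challengeresponseauthentication": "yes",
    "usepam": "yes",
    "authenticationmethods": "publickey,keyboard-interactive",
}

def effective_settings(sshd_config: str) -> dict:
    """Global sshd_config keywords: comments dropped, keywords case-insensitive,
    first occurrence wins as in sshd. Match blocks are deliberately not modelled."""
    settings = {}
    for line in sshd_config.splitlines():
        line = line.split("#", 1)[0].strip()
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        if len(parts) == 2:
            settings.setdefault(parts[0].lower(), parts[1].strip().lower())
    return settings

def audit(sshd_config: str, pam_sshd: str) -> list:
    """List every gap between the given files and the article's final configuration."""
    findings = []
    got = effective_settings(sshd_config)
    for key, want in REQUIRED.items():
        if got.get(key) != want:   # a stray "publickey, keyboard-interactive" is flagged too
            findings.append(f"sshd_config: {key} is {got.get(key, 'unset')!r}, want {want!r}")
    pam_lines = [l for l in pam_sshd.splitlines()
                 if "pam_google_authenticator.so" in l and not l.lstrip().startswith("#")]
    if not pam_lines:
        findings.append("pam.d/sshd: pam_google_authenticator.so is not enabled")
    elif any("nullok" in l.split() for l in pam_lines):
        findings.append("pam.d/sshd: nullok still present, so MFA is optional for users without a key")
    return findings
```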