  Teach you the Ubuntu Server enabled SSH multifactor authentication
     
Add Date: 2018-11-21
Authentication is an essential part of server management: it is the step that proves who you are and what you are allowed to do. Normally we log in to SSH with an account name and password; a careful Linux administrator uses SSH keys instead.

Either way, the default SSH setup relies on a single factor, even when keys replace passwords. With only one factor, a leaked key or password is all an attacker needs to compromise the server.

To address this, this article shows how to enable multi-factor authentication (MFA) for SSH on Ubuntu Server. Once it is on, logging in over SSH also requires a factor tied to a separate device such as a computer or mobile phone. Authentication factors can include:

Something you know: a password or security question
Something you have: an authenticator app or security token
Something you are: a fingerprint or voice
and so on

The most common choice is an OATH-TOTP application such as Google Authenticator (Microsoft account two-step verification uses the same scheme). OATH-TOTP (Open Authentication Time-based One-Time Password) is an open protocol for generating single-use codes; in the usual configuration a new six-digit code is produced every 30 seconds.

Below we show how to use an OATH-TOTP app as a second factor alongside the existing SSH key or password authentication, making server management safer.

Installing libpam-google-authenticator

In this step we install and configure the Google Authenticator PAM module.

Anyone familiar with Linux authentication knows PAM (Pluggable Authentication Modules), the framework Linux uses to authenticate users. Google's OATH-TOTP module plugs into PAM, so we can use Google Authenticator as an additional SSH authentication step.

1. Update the Ubuntu package cache:

sudo apt-get update
2. Install the PAM module:

sudo apt-get install libpam-google-authenticator

Once libpam-google-authenticator is installed, a TOTP secret has to be generated for every user who will authenticate this way. The secret is per user, not system-wide: each user who logs in over SSH with TOTP must generate and keep their own. Run, as that user:

google-authenticator
The program then asks a series of questions. The first is whether the tokens should be time-based. The module supports both time-based (TOTP) and counter-based (HOTP) tokens. With counter-based tokens the code advances each time one is used; with time-based tokens the code changes on a fixed schedule, which is how Google Authenticator is normally used, so answer yes.

Do you want authentication tokens to be time-based (y/n) y

After the first answer the program prints a block of information: a QR code, the new secret key, a verification code, and five emergency scratch codes. Keep all of it safe; the scratch codes are the only way in if you lose the device with the app.

Scan the QR code with the Google Authenticator app (or any other OATH-TOTP app). Once it is added, a new entry appears showing a 6-digit token that refreshes every 30 seconds.

The remaining questions configure how the PAM module behaves; we go through them one by one.

Do you want me to update your "~/.google_authenticator" file (y/n) y

This writes the secret and the options chosen below to ~/.google_authenticator in the user's home directory; choose yes.

Do you want to disallow multiple uses of the same authentication
token? This restricts you to one login about every 30s, but it increases
your chances to notice or even prevent man-in-the-middle attacks (y/n) y

Answering yes makes each code single-use: a code that has already been accepted is rejected if presented again within its validity window, so a code captured over the shoulder or on the wire cannot be replayed. Being limited to one login roughly every 30 seconds is usually acceptable.

By default, tokens are good for 30 seconds and in order to compensate for
possible time-skew between the client and the server, we allow an extra
token before and after the current time. If you experience problems with poor
time synchronization, you can increase the window from its default
size of 1:30min to about 4min. Do you want to do so (y/n) n

Tokens are valid for 30 seconds, and by default the module also accepts the token immediately before and after the current one (a window of about 1.5 minutes) to compensate for clock skew between client and server. Widening that window to about 4 minutes gives an attacker more valid codes at any moment, so unless you have real time-synchronization problems, answer no.

If the computer that you are logging into is not hardened against brute-force
login attempts, you can enable rate-limiting for the authentication module.
By default, this limits attackers to no more than 3 login attempts every 30s.
Do you want to enable rate-limiting (y/n) y

Rate limiting caps login attempts at three per 30 seconds, which blunts brute-forcing of the 6-digit code; answer yes.

With that, the Google PAM module is configured for this user.
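To make clear what the answers above actually control, here is an added example, not part of the original tutorial or of the google-authenticator project: a small Python model of how the PAM module checks a code against ~/.google_authenticator. It implements RFC 4226/6238 HOTP/TOTP, the time-skew window of WINDOW_SIZE steps, the DISALLOW_REUSE single-use rule, the RATE_LIMIT counter and one-time scratch codes. The file contents, the secret (the RFC test key) and the simplified rate-limit bookkeeping are constructed for the demo and are assumptions; consult the module's source for its exact behaviour.

```python
import base64
import hashlib
import hmac
import struct

# Constructed ~/.google_authenticator contents for this demo (assumption: the layout
# mirrors what google-authenticator writes: base32 secret on the first line, option
# lines beginning with a double quote, then one 8-digit scratch code per line).
# The secret is the RFC 4226/6238 test key "12345678901234567890" in base32, so the
# codes below match the RFC test vectors; never reuse it on a real system.
GA_FILE = """GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ
" TOTP_AUTH
" DISALLOW_REUSE
" WINDOW_SIZE 3
" RATE_LIMIT 3 30
12345678
87654321
"""

TIME_STEP = 30  # seconds per TOTP time step, the tool's default


def hotp(secret, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp(secret, now, step=TIME_STEP, digits=6):
    """RFC 6238 TOTP: HOTP with the counter set to the current time step."""
    return hotp(secret, now // step, digits)


def parse_ga_file(text):
    """Parse the secret, options and scratch codes from a .google_authenticator file."""
    cfg = {"disallow_reuse": False, "used": set(), "window_size": 3,
           "rate_limit": None, "scratch": set()}
    lines = [l.strip() for l in text.splitlines() if l.strip()]
    cfg["secret"] = base64.b32decode(lines[0])
    for line in lines[1:]:
        if line.startswith('"'):
            parts = line[1:].split()
            if parts[0] == "DISALLOW_REUSE":
                cfg["disallow_reuse"] = True
                cfg["used"] = {int(p) for p in parts[1:]}  # time steps already consumed
            elif parts[0] == "WINDOW_SIZE":
                cfg["window_size"] = int(parts[1])
            elif parts[0] == "RATE_LIMIT":
                cfg["rate_limit"] = (int(parts[1]), int(parts[2]))  # attempts, seconds
        else:
            cfg["scratch"].add(line)  # emergency scratch codes, each valid once
    return cfg


class Verifier:
    """Simplified model of the checks the PAM module performs for one user."""

    def __init__(self, cfg):
        self.cfg = cfg
        self.attempts = []  # timestamps of recent attempts, for rate limiting

    def verify(self, code, now):
        """Return (accepted, reason) for a code presented at Unix time `now`."""
        if self.cfg["rate_limit"]:
            max_attempts, interval = self.cfg["rate_limit"]
            self.attempts = [t for t in self.attempts if now - t < interval]
            if len(self.attempts) >= max_attempts:
                return False, "rate limited"
            self.attempts.append(now)
        if code in self.cfg["scratch"]:
            self.cfg["scratch"].discard(code)  # burn it: scratch codes are single use
            return True, "scratch code accepted"
        step = now // TIME_STEP
        half = self.cfg["window_size"] // 2  # WINDOW_SIZE 3 -> previous, current, next
        for t in range(step - half, step + half + 1):
            if hmac.compare_digest(hotp(self.cfg["secret"], t), code):
                if self.cfg["disallow_reuse"]:
                    if t in self.cfg["used"]:
                        return False, "code already used"
                    self.cfg["used"].add(t)
                return True, "accepted (time step offset %+d)" % (t - step)
        return False, "invalid code"


if __name__ == "__main__":
    cfg = parse_ga_file(GA_FILE)
    v = Verifier(cfg)
    print("code at T=59:", totp(cfg["secret"], 59))  # 287082, the RFC vector
    print(v.verify("287082", 59))                      # accepted
    print(v.verify("287082", 60))                      # rejected: already used
```

Run it as is to see the replay rejection; feed `parse_ga_file` the contents of a real (test) ~/.google_authenticator and `totp(cfg["secret"], int(time.time()))` to compare against what the app on the phone shows.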

Configuring OpenSSH to support MFA

Next we configure SSH to use the TOTP secret, which means telling sshd to run the Google PAM module during authentication.

1. Add the following line to /etc/pam.d/sshd:

auth required pam_google_authenticator.so nullok

The trailing nullok tells PAM that this step is optional: users who have not yet run google-authenticator (and so have no ~/.google_authenticator file) can still log in with their password or SSH key alone. Once you have confirmed that logging in with an OATH-TOTP code works, remove nullok to make MFA mandatory.

2. Next, configure sshd to allow this kind of authentication. Edit /etc/ssh/sshd_config, set ChallengeResponseAuthentication to yes (on OpenSSH 8.7 and later the keyword is KbdInteractiveAuthentication, though the old name is still accepted), and restart the SSH service:

sudo service ssh restart
At this point SSH already accepts a Google Authenticator code as a factor. To really secure the server, though, we recommend requiring SSH key + MFA and giving up SSH password authentication altogether.

Edit /etc/ssh/sshd_config again and make sure it contains:

PasswordAuthentication no

UsePAM yes
AuthenticationMethods publickey,keyboard-interactive
UsePAM yes is already set on Ubuntu; the AuthenticationMethods line is the one to add, and it makes sshd require a valid key first and a valid TOTP code (through PAM's keyboard-interactive method) second. Restart sshd afterwards. One more thing to know: /etc/pam.d/sshd on Ubuntu also contains @include common-auth, which makes the keyboard-interactive step ask for the user's Unix password as well as the code. If you want key + TOTP only, comment that line out.

Important: keep your current SSH session open the whole time, and test from a second terminal that you can still log in with Google Authenticator (and with your SSH key or password, while those are still enabled) before you disconnect. If something is wrong, the open session is the only way to fix it; otherwise you will simply be unable to connect.
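Before closing that working session it is worth checking the resulting configuration rather than eyeballing it. The following added example is my own Python, not code from the tutorial or from OpenSSH: it parses the global section of an sshd_config and the /etc/pam.d/sshd stack and reports anything that would leave SSH logins short of key + TOTP: passwords still accepted, keyboard-interactive or PAM disabled, no AuthenticationMethods requirement, nullok still present, and the common-auth include that adds a Unix password prompt. The config fragments are constructed here for illustration; pass the functions the contents of the real files to audit a host.

```python
import re

# Constructed configuration fragments for this demo (assumption: written here for
# illustration, not copied from any real host). The "weak" pair is the intermediate
# state with nullok still set and passwords allowed; the "hardened" pair is the end state.
WEAK_SSHD_CONFIG = """
PasswordAuthentication yes
ChallengeResponseAuthentication no
UsePAM yes
"""

WEAK_PAM_SSHD = """
@include common-auth
auth required pam_google_authenticator.so nullok
"""

HARDENED_SSHD_CONFIG = """
PasswordAuthentication no
ChallengeResponseAuthentication yes
UsePAM yes
AuthenticationMethods publickey,keyboard-interactive
"""

HARDENED_PAM_SSHD = """
# @include common-auth   (disabled so the Unix password is not asked as well)
auth required pam_google_authenticator.so
"""


def parse_sshd_config(text):
    """Return {keyword: value} for the global section of an sshd_config.

    sshd honours the first occurrence of each keyword, so later duplicates are
    ignored, and everything from the first Match block on is skipped because
    those settings are conditional."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = parts[0].lower()
        if key == "match":
            break
        settings.setdefault(key, parts[1].strip() if len(parts) > 1 else "")
    return settings


def audit(sshd_config, pam_sshd):
    """Return a list of findings; an empty list means key + TOTP is enforced."""
    findings = []
    s = parse_sshd_config(sshd_config)

    if s.get("passwordauthentication", "yes") != "no":
        findings.append("PasswordAuthentication is not 'no': SSH passwords are still accepted")
    # OpenSSH 8.7+ renamed this keyword to KbdInteractiveAuthentication; accept either.
    kbd = s.get("kbdinteractiveauthentication", s.get("challengeresponseauthentication", "yes"))
    if kbd != "yes":
        findings.append("keyboard-interactive is disabled: the PAM TOTP prompt can never run")
    if s.get("usepam", "no") != "yes":  # upstream default is no; Ubuntu ships yes
        findings.append("UsePAM is not 'yes': pam_google_authenticator is never consulted")
    methods = s.get("authenticationmethods", "any")
    if methods == "any":
        findings.append("AuthenticationMethods unset: any single method (e.g. key alone) logs in")
    else:
        for alt in methods.split():  # each space-separated list is one acceptable combination
            names = {m.split(":")[0] for m in alt.split(",")}
            if not {"publickey", "keyboard-interactive"} <= names:
                findings.append("AuthenticationMethods list '%s' does not require key AND TOTP" % alt)

    active = [l.strip() for l in pam_sshd.splitlines()
              if l.strip() and not l.strip().startswith("#")]
    ga = [l for l in active if "pam_google_authenticator.so" in l]
    if not ga:
        findings.append("pam_google_authenticator.so is not in /etc/pam.d/sshd")
    elif any("nullok" in l for l in ga):
        findings.append("nullok still set: users without ~/.google_authenticator skip TOTP")
    if any(l.startswith("@include common-auth") for l in active):
        findings.append("@include common-auth is active: the Unix password is also prompted "
                        "during keyboard-interactive")
    return findings


if __name__ == "__main__":
    for name, cfg, pam in (("weak", WEAK_SSHD_CONFIG, WEAK_PAM_SSHD),
                           ("hardened", HARDENED_SSHD_CONFIG, HARDENED_PAM_SSHD)):
        print(name + ":", audit(cfg, pam) or ["ok: key + TOTP enforced"])
```

The parser deliberately stops at the first Match block: a Match stanza can re-enable PasswordAuthentication for particular users or addresses, so review those by hand (or extend the parser) before trusting a clean result.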
     
         
         
         
  More:      
 
- The Java development environment to build under Ubuntu 14.04 (Linux)
- 10 Codes of good practice PHP (Programming)
- CentOS / RHEL 6 was repeated prohibited under the SNMP connection log (Server)
- CentOS7 management of systemd (Linux)
- Swift notes - let you two hours to learn Swift (Programming)
- CKEditor + SWFUpload achieve a more powerful editor (Linux)
- Related to optimize the use of Btrfs file system on SSD (Linux)
- OpenSUSE installation on CentOS6 (GUI) (Linux)
- CentOS 6.5 three ways to configure the IP address (Linux)
- CentOS7 install MySQL5.6.22 (Linux)
- C # assembly calls across constants, variables and functions (Programming)
- Linux script commands - terminal recorder (Linux)
- MySQL root password reset under CentOS (Database)
- Repair CentOS 6.4 Grub boot (Linux)
- Linux nice program origin of the name (Linux)
- Go powerful development server simple example (Server)
- How Mutt mail client to use cipher text password (Linux)
- Ubuntu Apache2 setting, problem solving css, pictures, etc. can not be displayed (Server)
- Linux environment variable settings and save places (Linux)
- About phpwind 5.01-5.3 0day analysis of the article (Linux)
     
           
     
  CopyRight 2002-2020 newfreesoft.com, All Rights Reserved.