Home PC Games Linux Windows Database Network Programming Server Mobile  
  Home \ Server \ Teach you the Ubuntu Server enabled SSH multifactor authentication     - When Vim create Python scripts, vim autocomplete interpreter and encoding method (Programming)

- Ubuntu server 8.04 Firewall Guide (Linux)

- Distributed Firewall Design on Linux platform (Linux)

- Go constructed using an interpreted language (Programming)

- Use LKM change the default linux security level (Linux)

- Use the top command (Linux)

- How to use static, class, abstract method in Python (Programming)

- MySQL master-slave database configuration and error handling Raiders (Database)

- Spring AOP for logging (Programming)

- Redis data types Introduction (Database)

- After Ubuntu Password Forgot your way back (Linux)

- Let OS X support NTFS write file (Linux)

- DIY security of Linux platform (Linux)

- Linux settings Java_home (Linux)

- SYN attack hacker attack and defense of the basic principles and prevention technology (Linux)

- CentOS 6.5 minimal installation and configuration VMware tools (Linux)

- Analyzing Linux server architecture is 32-bit / 64-bit (Server)

- Oracle database physical file backup / restore (Database)

- MySQL 5.7 perfectly distributed transaction support (Database)

- SSH security note (Linux)

  Teach you the Ubuntu Server enabled SSH multifactor authentication
  Add Date : 2018-11-21      
  Authentication for server management is a very important step, through the verification process can prove your power and authority, such as: Who are you? what can you do? Under normal circumstances, we have by way of account and password to log in SSH, cautious of Linux administrators using the key to a way to verify the SSH user.

As we all know, it is to use the default SSH password approach to authentication, even if you use SSH keys instead of passwords. Since a single factor or authentication method, once the key is leaked, the same server or to compromise security.

To solve this problem, in this article we will describe how to enable the SSH Ubuntu Server multifactor authentication (MFA, Multi-factor authentication). When enabled, when you log onto the SSH authentication is required to bind computer or mobile phone and other different factors to verify a successful login. Of course, multiple authentication factors may include:

Password or security question
Verification procedures or security token
Fingerprint or voice
Common authentication method is the use of OATH-TOTP applications, such as Google Authenticator (Microsoft Account-step verification feature is the use of it). OATH-TOTP (based on a one-time password open time) is an open protocol that is used to generate a different single-use password, generate a new six verification code every 30 seconds, as is usually the case.

Here we will describe how to use the OATH-TOTP application SSH login authentication system to replace lost original SSH key authentication or password, make server management more secure.

Installation libpam-google-authenticator

In this step we will install and configure Google PAM.

Authentication system known as Linux friends all know, PAM is a Linux system to authenticate the user and infrastructure authentication module. Google developed OATH-TOTP security applications are compatible PAM, so we can use Google Authenticator to complete multiple SSH authentication.

1. Use the following command to update the Ubuntu software repository cache:

sudo apt-get update
2. Install Google PAM:

sudo apt-get install libpam-google-authenticator
Teach you the Ubuntu Server enabled SSH multifactor authentication

After libpam-google-authenticator installed, we need to generate TOTP key for each to be re-authenticated users. The Key is generated based on the user, rather than system-wide. That is, to use the program to log TOTP SSH user authentication required to obtain and maintain their own individual key.

After executing the above command, the program will ask questions, the first question is to ask whether to generate time-based authentication token. Google PAM supports access to time-based token or sequence is based. The token sequence based on the use, you need to visit each token code increments; access token will be within a certain period of time based on random variation, use more like Google Authenticator, so we are here to choose yes.

Do you want authentication tokens to be time-based (y / n) y

Teach you the Ubuntu Server enabled SSH multifactor authentication

After answering the first question, it will output a lot of information immediately. Including: QR codes, new security password, authentication code and five eight emergency code. Be sure to keep this information, is very important.

Teach you the Ubuntu Server enabled SSH multifactor authentication

In this case please use the Google Authenticator scan output of two-dimensional code to add it to Google's OATH-TOTP application which, once added successfully, there will be a new entry and a 6-digit token refresh every 30 seconds.

Teach you the Ubuntu Server enabled SSH multifactor authentication

The rest is tell Google PAM works, step by step we see.

Do you want me to update your "~ / .google_authenticator" file (y / n) y

It represents the key configuration options and write .google_authenticator files, we select yes.

Do you want to disallow multiple uses of the same authentication
token? This restricts you to one login about every 30s, but it increases
your chances to notice or even prevent man-in-the-middle attacks (y / n) y

If the used password is configured to expire immediately, where usually choose yes, to prevent people from interception.

By default, tokens are good for 30 seconds and in order to compensate for
possible time-skew between the client and the server, we allow an extra
token before and after the current time. If you experience problems with poor
time synchronization, you can increase the window from its default
size of 1: 30min to about 4min Do you want to do so (y / n) n.

The default token is valid for 30 seconds and automatically compensates for time servers and clients difference between the option indicates whether or not the time allowance to four minutes, we select No.

If the computer that you are logging into is not hardened against brute-force
login attempts, you can enable rate-limiting for the authentication module.
By default, this limits attackers to no more than 3 login attempts every 30s.
Do you want to enable rate-limiting (y / n) y

Only three attempts to log within 30 seconds whether the limit, we have chosen yes to prevent people brute force.

Teach you the Ubuntu Server enabled SSH multifactor authentication

After completing the above steps, all of Google PAM configuration work has been completed.

Configuring OpenSSH support MFA

Next, we want to configure SSH to use TOTP key, which need to tell SSH to use Google PAM for authentication.

1. /etc/pam.d/sshd file add the following:

auth required pam_google_authenticator.so nullok
Teach you the Ubuntu Server enabled SSH multifactor authentication

Last nullok this is to tell PAM authentication method is optional, then the user can still use the password and SSH key way to log on. When we tested the use of OATH-TOTP key can correctly log on, it will be deleted to indicate mandatory use nullo MFA.

2. Next we need to configure SSH support this mode of authentication. Edit / etc / ssh / sshd_config configuration file, which ChallengeResponseAuthentication configured to yes, and then restart the SSH service:

sudo service ssh restart
At this point, we can use the Google Authenticator SSH already verified, it is not very good. Finally, in order to ensure server security, we recommend that you turn on two-factor authentication SSH key + MFA way to renounce the use of SSH password authentication method.

Edit / etc / ssh / sshd_config configuration file:

PasswordAuthentication no

UsePAM yes # add the following
AuthenticationMethods publickey, keyboard-interactive
Important: Be sure everyone in the configuration process will test the use of Google Authenticator can log off again after the SSH password or SSH key authentication. Otherwise, the result can not connect on Over.
- Linux the best download manager uGet (Linux)
- The basic principle of pointers in C ++ (Programming)
- Oracle Execute to Parse perform analytical Ratio Analysis (Database)
- Python maketrans () method (Programming)
- I like Linux Security (Linux)
- Why is the ibdata1 file growing in MySQL? (Database)
- C # mobile side and PC-side data exchange (Database)
- C language function pointer and a callback function (Programming)
- expdp reported ORA-39181 Export Processing Method (Database)
- Replace font under Linux (Linux)
- Ubuntu install Geary (Linux)
- Getting Started with Linux system to learn: how to install autossh (Linux)
- Linux uses a screen recording under RecordMyDesktop (Linux)
- How to clean up your Ubuntu 14.10 / 14.04 / 13.10 system (Linux)
- Linux system performance and usage activity monitoring tools -Sysstat (Linux)
- Linux account management add relevant directives (Linux)
- MD5 and simple to use (Linux)
- Build Eclipse + Maven + Scala-IDEA the Scala Web development environment (Server)
- Nginx + Tomcat static and dynamic load balancing and separation configuration essentials under Linux (Server)
- Installation and configuration under Linux SVN server - Backup - Recovery - Scheduled Tasks (Server)
  CopyRight 2002-2022 newfreesoft.com, All Rights Reserved.