Home PC Games Linux Windows Database Network Programming Server Mobile  
  Home \ Server \ Teach you the Ubuntu Server enabled SSH multifactor authentication     - How to ensure the Linux SSH login security with one-time password (Linux)

- APR for Tomcat installation under Linux (Server)

- init level settings for Linux / etc / inittab file into six (restart) or does not support the level of solution (Linux)

- Linux package management operations Basic entry (Linux)

- Mount and unloading disks under Linux (Linux)

- Ubuntu 14.04 Docker installation (Linux)

- How to find an IP address through the command line (Linux)

- Oracle user password problem (Database)

- Linux fast set ip bond (Linux)

- Linux user management (Linux)

- WebLogic administrator account and reset the password (Database)

- C ++ sequence containers basics summary (Programming)

- Java multi-threaded shared communications variables (Programming)

- CentOS6 installed Tomcat (Server)

- MongoDB upgrade to 2.6 (Database)

- Use ldap implement Windows Remote Desktop Ubuntu Linux (Linux)

- How to install PlayOnLinux 4.2.5 under Ubuntu 14.04 / 12.04 (Linux)

- Ubuntu 14.04 Solution login interface infinite loop (Linux)

- Oracle table of nested loop connection (Database)

- Two kinds of agents of Spring AOP (Programming)

  Teach you the Ubuntu Server enabled SSH multifactor authentication
  Add Date : 2018-11-21      
  Authentication for server management is a very important step, through the verification process can prove your power and authority, such as: Who are you? what can you do? Under normal circumstances, we have by way of account and password to log in SSH, cautious of Linux administrators using the key to a way to verify the SSH user.

As we all know, it is to use the default SSH password approach to authentication, even if you use SSH keys instead of passwords. Since a single factor or authentication method, once the key is leaked, the same server or to compromise security.

To solve this problem, in this article we will describe how to enable the SSH Ubuntu Server multifactor authentication (MFA, Multi-factor authentication). When enabled, when you log onto the SSH authentication is required to bind computer or mobile phone and other different factors to verify a successful login. Of course, multiple authentication factors may include:

Password or security question
Verification procedures or security token
Fingerprint or voice
Common authentication method is the use of OATH-TOTP applications, such as Google Authenticator (Microsoft Account-step verification feature is the use of it). OATH-TOTP (based on a one-time password open time) is an open protocol that is used to generate a different single-use password, generate a new six verification code every 30 seconds, as is usually the case.

Here we will describe how to use the OATH-TOTP application SSH login authentication system to replace lost original SSH key authentication or password, make server management more secure.

Installation libpam-google-authenticator

In this step we will install and configure Google PAM.

Authentication system known as Linux friends all know, PAM is a Linux system to authenticate the user and infrastructure authentication module. Google developed OATH-TOTP security applications are compatible PAM, so we can use Google Authenticator to complete multiple SSH authentication.

1. Use the following command to update the Ubuntu software repository cache:

sudo apt-get update
2. Install Google PAM:

sudo apt-get install libpam-google-authenticator
Teach you the Ubuntu Server enabled SSH multifactor authentication

After libpam-google-authenticator installed, we need to generate TOTP key for each to be re-authenticated users. The Key is generated based on the user, rather than system-wide. That is, to use the program to log TOTP SSH user authentication required to obtain and maintain their own individual key.

After executing the above command, the program will ask questions, the first question is to ask whether to generate time-based authentication token. Google PAM supports access to time-based token or sequence is based. The token sequence based on the use, you need to visit each token code increments; access token will be within a certain period of time based on random variation, use more like Google Authenticator, so we are here to choose yes.

Do you want authentication tokens to be time-based (y / n) y

Teach you the Ubuntu Server enabled SSH multifactor authentication

After answering the first question, it will output a lot of information immediately. Including: QR codes, new security password, authentication code and five eight emergency code. Be sure to keep this information, is very important.

Teach you the Ubuntu Server enabled SSH multifactor authentication

In this case please use the Google Authenticator scan output of two-dimensional code to add it to Google's OATH-TOTP application which, once added successfully, there will be a new entry and a 6-digit token refresh every 30 seconds.

Teach you the Ubuntu Server enabled SSH multifactor authentication

The rest is tell Google PAM works, step by step we see.

Do you want me to update your "~ / .google_authenticator" file (y / n) y

It represents the key configuration options and write .google_authenticator files, we select yes.

Do you want to disallow multiple uses of the same authentication
token? This restricts you to one login about every 30s, but it increases
your chances to notice or even prevent man-in-the-middle attacks (y / n) y

If the used password is configured to expire immediately, where usually choose yes, to prevent people from interception.

By default, tokens are good for 30 seconds and in order to compensate for
possible time-skew between the client and the server, we allow an extra
token before and after the current time. If you experience problems with poor
time synchronization, you can increase the window from its default
size of 1: 30min to about 4min Do you want to do so (y / n) n.

The default token is valid for 30 seconds and automatically compensates for time servers and clients difference between the option indicates whether or not the time allowance to four minutes, we select No.

If the computer that you are logging into is not hardened against brute-force
login attempts, you can enable rate-limiting for the authentication module.
By default, this limits attackers to no more than 3 login attempts every 30s.
Do you want to enable rate-limiting (y / n) y

Only three attempts to log within 30 seconds whether the limit, we have chosen yes to prevent people brute force.

Teach you the Ubuntu Server enabled SSH multifactor authentication

After completing the above steps, all of Google PAM configuration work has been completed.

Configuring OpenSSH support MFA

Next, we want to configure SSH to use TOTP key, which need to tell SSH to use Google PAM for authentication.

1. /etc/pam.d/sshd file add the following:

auth required pam_google_authenticator.so nullok
Teach you the Ubuntu Server enabled SSH multifactor authentication

Last nullok this is to tell PAM authentication method is optional, then the user can still use the password and SSH key way to log on. When we tested the use of OATH-TOTP key can correctly log on, it will be deleted to indicate mandatory use nullo MFA.

2. Next we need to configure SSH support this mode of authentication. Edit / etc / ssh / sshd_config configuration file, which ChallengeResponseAuthentication configured to yes, and then restart the SSH service:

sudo service ssh restart
At this point, we can use the Google Authenticator SSH already verified, it is not very good. Finally, in order to ensure server security, we recommend that you turn on two-factor authentication SSH key + MFA way to renounce the use of SSH password authentication method.

Edit / etc / ssh / sshd_config configuration file:

PasswordAuthentication no

UsePAM yes # add the following
AuthenticationMethods publickey, keyboard-interactive
Important: Be sure everyone in the configuration process will test the use of Google Authenticator can log off again after the SSH password or SSH key authentication. Otherwise, the result can not connect on Over.
- OpenvSwitch 2.1.2 shell script to start and stop (Linux)
- Oracle table space rename and delete table space (Database)
- Linux GCC 5.1.0 compiler installation (Linux)
- Linux and SELinux Exploration Program Manager (Linux)
- The Gitlab migrated to Docker container (Server)
- Achieve camera preview by ffplay (Linux)
- Java learning problems encountered (Programming)
- Install and use automated tools Ansible in CentOS 7 (Linux)
- Two alert log ORA Errors (Database)
- configuration ssh without password under Linux (Linux)
- Python extension module Ganglia 3.1.x (Linux)
- Btrfs file system creation and their characteristics in Linux (Linux)
- Linux System Getting Started Learning: Linux common log file (Linux)
- Acting on JavaScript events (Programming)
- Getting CentOS Learning Notes (Linux)
- To assign multiple IP addresses NIC on the CentOS 7 (Linux)
- Install KVM on Ubuntu and build a virtual environment (Linux)
- Linux Basics Tutorial: Combining awk delete data before the specified date hdfs (Linux)
- Enterprise Hadoop cluster architecture - NFS installation (Server)
- The formatted Linux hard drive and mount (Linux)
  CopyRight 2002-2022 newfreesoft.com, All Rights Reserved.