  How to enable SSH multi-factor authentication on Ubuntu Server
     
  Add Date : 2018-11-21      
         
         
         
  Authentication is a very important step in server management: the verification process establishes your identity and your authority, that is, who you are and what you are allowed to do. Normally we log in to SSH with an account and password; more cautious Linux administrators verify SSH users with keys.

By default, SSH authenticates with a password. Even if you use SSH keys instead of passwords, it is still a single authentication factor: once the key is leaked, the security of the server is compromised just the same.

To solve this problem, this article describes how to enable multi-factor authentication (MFA) for SSH on Ubuntu Server. Once it is enabled, logging in over SSH requires verification through several different factors, such as the computer or mobile phone bound to the account, before the login succeeds. The authentication factors may include:

Password or security question
Authenticator application or security token
Fingerprint or voice
......

A common approach is to use an OATH-TOTP application such as Google Authenticator (the two-step verification feature of Microsoft accounts uses it as well). OATH-TOTP (Open Authentication Time-based One-Time Password) is an open protocol that generates single-use passwords; usually a new six-digit verification code is generated every 30 seconds.

Here we describe how to use an OATH-TOTP application for SSH login authentication alongside the original SSH key or password, to make server management more secure.

Installing libpam-google-authenticator

In this step we install and configure Google PAM.

Anyone familiar with authentication on Linux knows that PAM (Pluggable Authentication Modules) is the infrastructure Linux systems use to authenticate users. The OATH-TOTP application developed by Google is PAM-compatible, so we can use Google Authenticator to add a further authentication step to SSH.

1. Use the following command to update the Ubuntu software repository cache:

sudo apt-get update
2. Install Google PAM:

sudo apt-get install libpam-google-authenticator

After libpam-google-authenticator is installed, we need to generate a TOTP key for each user who is to use the additional factor. The key is generated per user, not system-wide. That is, every user who wants to log in over SSH with TOTP has to obtain and keep their own key.

google-authenticator
After executing the above command, the program asks a series of questions. The first one asks whether to generate time-based authentication tokens. Google PAM supports both time-based and sequence-based tokens. A sequence-based token code is incremented each time it is used; a time-based token changes at random after a fixed period of time, which is how Google Authenticator is normally used, so we choose yes here.

Do you want authentication tokens to be time-based (y/n) y


After you answer the first question, the program immediately prints a lot of information, including a QR code, the new secret key, a verification code and five 8-digit emergency codes. Be sure to keep this information safe; it is very important.


Now scan the QR code in the output with Google Authenticator to add it to Google's OATH-TOTP application. Once it has been added successfully, a new entry appears with a 6-digit token that refreshes every 30 seconds.





The remaining questions tell Google PAM how to work; we go through them step by step.

Do you want me to update your "~/.google_authenticator" file (y/n) y

This writes the key and the configuration options to the .google_authenticator file; we choose yes.

Do you want to disallow multiple uses of the same authentication
token? This restricts you to one login about every 30s, but it increases
your chances to notice or even prevent man-in-the-middle attacks (y/n) y

This makes a code expire immediately once it has been used. We usually choose yes here, to guard against interception.

By default, tokens are good for 30 seconds and in order to compensate for
possible time-skew between the client and the server, we allow an extra
token before and after the current time. If you experience problems with poor
time synchronization, you can increase the window from its default
size of 1:30min to about 4min. Do you want to do so (y/n) n

By default a token is valid for 30 seconds, and the time difference between server and client is compensated for automatically. This option asks whether to widen that allowance to four minutes; we choose no.

If the computer that you are logging into is not hardened against brute-force
login attempts, you can enable rate-limiting for the authentication module.
By default, this limits attackers to no more than 3 login attempts every 30s.
Do you want to enable rate-limiting (y/n) y

This asks whether to limit logins to three attempts within 30 seconds; we choose yes to prevent brute-force attacks.


After completing the above steps, all of the Google PAM configuration work is done.
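
An added example, not part of the original article and not Google PAM's own code: a Python model of how the 6-digit codes are derived (RFC 4226/6238) and of what the window and single-use prompts above mean when a code is checked. The secret is the RFC test key, and the Verifier class and demo function are hypothetical names used for illustration.

```python
import base64, hashlib, hmac, struct

# Constructed sample: the RFC 4226/6238 test key "12345678901234567890" in base32.
SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"

def hotp(secret_b32, counter, digits=6):
    """RFC 4226: HMAC-SHA1 over the 8-byte counter, then dynamic truncation."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    mac = hmac.new(base64.b32decode(padded), struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def totp(secret_b32, now, step=30):
    """RFC 6238: HOTP where the counter is the number of 30 s steps since the epoch."""
    return hotp(secret_b32, int(now) // step)

class Verifier:
    """Hypothetical model: accept codes within +/- window steps, each step only once."""
    def __init__(self, secret_b32, window=1, step=30):
        self.secret, self.window, self.step = secret_b32, window, step
        self.used = set()  # time steps whose code was already accepted

    def verify(self, code, now):
        current = int(now) // self.step
        for counter in range(current - self.window, current + self.window + 1):
            if counter in self.used:
                continue  # "disallow multiple uses": a replayed code is refused
            if hmac.compare_digest(hotp(self.secret, counter), code):
                self.used.add(counter)
                return True
        return False

def demo():
    v = Verifier(SECRET)
    code = totp(SECRET, 59)              # code for time step 1
    return [
        v.verify(code, 59),              # fresh code: accepted
        v.verify(code, 61),              # same code replayed: refused
        v.verify(totp(SECRET, 0), 59),   # previous step, inside the window: accepted
        v.verify(totp(SECRET, 0), 119),  # three steps old: refused
    ]

if __name__ == "__main__":
    print(totp(SECRET, 59), demo())
```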

Configuring OpenSSH to support MFA

Next, we configure SSH to use the TOTP key, which means telling SSH to use Google PAM for authentication.

1. Add the following to the /etc/pam.d/sshd file:

auth required pam_google_authenticator.so nullok

The trailing nullok tells PAM that this authentication method is optional, so users can still log in with a password and an SSH key. Once we have tested that logging in with the OATH-TOTP key works correctly, we delete nullok to make MFA mandatory.

2. Next, we need to configure SSH to support this mode of authentication. Edit the /etc/ssh/sshd_config configuration file, set ChallengeResponseAuthentication to yes, and then restart the SSH service:

sudo service ssh restart
At this point SSH logins can already be verified with Google Authenticator. Finally, to keep the server secure, we recommend enabling two-factor authentication in the form of SSH key + MFA and giving up SSH password authentication.

Edit the /etc/ssh/sshd_config configuration file:

PasswordAuthentication no

UsePAM yes
# add the following (comma with no space: both methods are required)
AuthenticationMethods publickey,keyboard-interactive
Important: during configuration, be sure to test that you can log in with Google Authenticator before you turn off SSH password or SSH key authentication. Otherwise you will no longer be able to connect, and it is game over.
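
An added example, not part of the original article: a Python check over the contents of the two files edited above that reports settings which leave SSH key + TOTP unenforced, such as a leftover nullok or an AuthenticationMethods value split by whitespace, which sshd does not read as "both required". The file contents and finding names are constructed for illustration, and Match blocks and Include files are not handled.

```python
REQUIRED = {"publickey", "keyboard-interactive"}

def parse_sshd(text):
    """Return {keyword: value}; sshd keeps the first value it reads for a keyword."""
    opts = {}
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split(None, 1)
        if len(parts) == 2:
            opts.setdefault(parts[0].lower(), parts[1].strip())
    return opts

def audit(sshd_config, pam_sshd):
    """Return finding names; an empty list means SSH key + TOTP is enforced."""
    opts, findings = parse_sshd(sshd_config), []
    # Unset options are reported too, because defaults differ between builds.
    if opts.get("passwordauthentication", "").lower() != "no":
        findings.append("password-auth-not-disabled")
    if opts.get("usepam", "").lower() != "yes":
        findings.append("usepam-not-yes")
    # Newer OpenSSH calls ChallengeResponseAuthentication KbdInteractiveAuthentication.
    kbd = opts.get("kbdinteractiveauthentication",
                   opts.get("challengeresponseauthentication", ""))
    if kbd.lower() != "yes":
        findings.append("keyboard-interactive-not-enabled")
    # Whitespace separates alternative lists; commas join methods that must all pass.
    lists = opts.get("authenticationmethods", "").split()
    if not lists or any(not REQUIRED <= {m.split(":")[0] for m in item.split(",")}
                        for item in lists):
        findings.append("authmethods-not-both-factors")
    pam = [line.split("#", 1)[0].split() for line in pam_sshd.splitlines()]
    totp = [args for args in pam if "pam_google_authenticator.so" in args]
    if not totp:
        findings.append("totp-module-missing")
    elif any("nullok" in args for args in totp):
        findings.append("nullok-still-set")
    return findings

# Constructed inputs: a testing-stage setup and an enforcing one.
TESTING_SSHD = """ChallengeResponseAuthentication yes
PasswordAuthentication no
UsePAM yes
AuthenticationMethods publickey, keyboard-interactive
"""
TESTING_PAM = "auth required pam_google_authenticator.so nullok\n"
ENFORCED_SSHD = TESTING_SSHD.replace("publickey, keyboard", "publickey,keyboard")
ENFORCED_PAM = "auth required pam_google_authenticator.so\n"

if __name__ == "__main__":
    print(audit(TESTING_SSHD, TESTING_PAM))
    print(audit(ENFORCED_SSHD, ENFORCED_PAM))
```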
     
         
         
         