
Multi-factor authentication on CentOS 7 with Google-Authenticator

linux centos mfa multi-factor authentication

What is multi-factor authentication (MFA)?

MFA, as the name says, authenticates a user with several independent verification mechanisms and grants access only when all of them pass. Its purpose is a layered defence that makes it harder for an unauthorised person to reach a computer system or network. The mechanisms fall into three classes:

  • Something you know (knowledge-based: a password or PIN)

  • Something you have (a security token or smart card)

  • Something you are (biometrics)

Withdrawing cash at an ATM is the everyday example: you must insert the card (something you have) and enter the PIN (something you know) before any money comes out.

Multi-factor authentication for a Linux server

The usual practice is to log in with a public key plus a password. But the key pair, private key included, normally sits on the workstation itself, so anyone who knows the workstation password (something you know) and the remote server password (something you know) can reach the server: only one class of factor is actually in play. There are two ways to fix this:

  • A workstation unlocked by biometrics (something you are) + the remote server password (something you know)

  • A workstation unlocked by a password (something you know) + a security token for the remote server (something you have)

This article covers a free something-you-have method, google-authenticator. It needs no VPN or proxy to get past the Great Firewall: the codes are computed locally from a shared secret and the clock, and neither the phone nor the server ever contacts Google.

All that is required is the Google Authenticator app on a phone, so start by installing the app...


Configuring google-authenticator on CentOS 7

  • Install the build dependencies:

yum install -y  autoconf automake libtool pam-devel git qrencode
  • Build and install google-authenticator-libpam:

git clone https://github.com/google/google-authenticator-libpam.git
cd google-authenticator-libpam/
./bootstrap.sh
./configure
make
make install
# make install places the module under /usr/local/lib/security; PAM on CentOS 7
# loads modules from /usr/lib64/security, so link it into that directory
ln -s /usr/local/lib/security/pam_google_authenticator.so /usr/lib64/security/pam_google_authenticator.so
  • Configure the PAM stack that OpenSSH uses: vi /etc/pam.d/sshd

auth    required        pam_google_authenticator.so nullok
#auth       substack     password-auth

The first line makes a valid verification code mandatory. nullok lets an account that has no ~/.google_authenticator file yet log in without a code, so remove it once every user is enrolled. Commenting out the password-auth substack takes the Unix password out of this path: the SSH key and the code become the two factors.

Edit /etc/ssh/sshd_config so that it contains:

. . .
# Change to no to disable s/key passwords
ChallengeResponseAuthentication yes
#ChallengeResponseAuthentication no
. . .
AuthenticationMethods publickey,password publickey,keyboard-interactive

ChallengeResponseAuthentication yes enables the keyboard-interactive exchange through which PAM asks for the code; UsePAM yes, the CentOS default, must stay on or the module is never consulted. AuthenticationMethods lists the acceptable combinations separated by spaces, and a client must complete every method in one of them. publickey,keyboard-interactive is the MFA path. publickey,password is a second, non-MFA path that never prompts for a code; once every user has a token, remove it so that publickey,keyboard-interactive is the only way in.

Restart sshd:

systemctl restart sshd.service
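Before restarting it is worth checking that the two files above really enforce the second factor. The following Python is an added example, not code from the page or from google-authenticator-libpam: it parses an sshd_config and a /etc/pam.d/sshd stack and reports whether the TOTP prompt is mandatory, flagging the nullok escape hatch and any AuthenticationMethods alternative that never asks for a code. The function names and the two sample configurations (one copying the page's settings, one representing the stock files before the change) are constructed for this example; read the real /etc/ssh/sshd_config and /etc/pam.d/sshd into the same functions to audit a live host. The sshd_config parser stops at the first Match block, since directives below it are conditional.

```python
"""Audit sshd_config and /etc/pam.d/sshd text for the TOTP-over-SSH setup above.

Added example, not code from the page or from google-authenticator-libpam.
The sample configurations at the bottom are constructed for this example.
"""
import re


def parse_sshd_config(text):
    """Map lowercased keyword -> first value seen; sshd keeps the first occurrence.

    Stops at the first Match block (directives below it are conditional) and
    accepts both 'Key value' and 'Key=value' spellings.
    """
    opts = {}
    for raw in text.splitlines():
        m = re.match(r"^([A-Za-z]+)\s*=?\s*(.*)$", raw.split("#", 1)[0].strip())
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "match":
            break
        opts.setdefault(key, value)
    return opts


def parse_pam(text):
    """Return (type, control, module, args) tuples for a PAM service file."""
    entries = []
    for raw in text.splitlines():
        tokens = raw.split("#", 1)[0].split()
        if len(tokens) < 3:
            continue
        ptype = tokens[0].lstrip("-").lower()          # '-auth' marks an optional module
        if tokens[1].startswith("["):                  # bracketed control: [success=1 default=ignore]
            end = next(i for i, t in enumerate(tokens) if t.endswith("]"))
            control, rest = " ".join(tokens[1:end + 1]), tokens[end + 1:]
        else:
            control, rest = tokens[1].lower(), tokens[2:]
        if rest:
            entries.append((ptype, control, rest[0], rest[1:]))
    return entries


def audit(sshd_config_text, pam_sshd_text):
    """Return (level, message) findings; level is 'fail', 'warn' or 'info'."""
    findings = []
    opts = parse_sshd_config(sshd_config_text)
    if opts.get("usepam", "no").lower() != "yes":                       # upstream default is no
        findings.append(("fail", "UsePAM is not yes: pam_google_authenticator is never consulted"))
    if opts.get("challengeresponseauthentication", "yes").lower() != "yes":
        findings.append(("fail", "ChallengeResponseAuthentication is not yes: no keyboard-interactive prompt"))
    methods = opts.get("authenticationmethods")
    if not methods:
        findings.append(("fail", "AuthenticationMethods unset: any single method is enough to log in"))
    else:
        for alternative in methods.split():            # a client must satisfy one alternative in full
            names = {m.split(":", 1)[0] for m in alternative.split(",")}   # 'keyboard-interactive:pam' -> base name
            if "keyboard-interactive" not in names:
                findings.append(("warn", f"alternative '{alternative}' never prompts for a code; confirm it is intended"))
            elif len(names) < 2:
                findings.append(("warn", f"alternative '{alternative}' is a single factor"))

    pam = parse_pam(pam_sshd_text)
    ga = [e for e in pam if e[0] == "auth" and e[2].endswith("pam_google_authenticator.so")]
    if not ga:
        findings.append(("fail", "pam_google_authenticator.so is not in the auth stack of /etc/pam.d/sshd"))
    for _, control, _, args in ga:
        if control not in ("required", "requisite"):
            findings.append(("warn", f"pam_google_authenticator.so control is '{control}', expected required or requisite"))
        if "nullok" in args:
            findings.append(("warn", "nullok: users without ~/.google_authenticator skip the code; drop it once everyone is enrolled"))
    unix_pw = any(e[0] == "auth" and e[2] in ("password-auth", "system-auth") for e in pam)
    findings.append(("info", "Unix password is still checked on the keyboard-interactive path" if unix_pw
                     else "keyboard-interactive path checks only the code; the SSH key is the other factor"))
    return findings


def mfa_enforced(findings):
    """True when no finding is a hard failure."""
    return not any(level == "fail" for level, _ in findings)


# Constructed sample inputs mirroring the page's configuration (not real server files).
SSHD_CONFIG_PAGE = """\
UsePAM yes
# Change to no to disable s/key passwords
ChallengeResponseAuthentication yes
#ChallengeResponseAuthentication no
AuthenticationMethods publickey,password publickey,keyboard-interactive
"""
PAM_SSHD_PAGE = """\
#%PAM-1.0
auth       required     pam_sepermit.so
auth       required     pam_google_authenticator.so nullok
#auth       substack     password-auth
auth       include      postlogin
account    required     pam_nologin.so
"""
# The same two files before the change: challenge-response off, no method list, module absent.
SSHD_CONFIG_BEFORE = "UsePAM yes\nChallengeResponseAuthentication no\n"
PAM_SSHD_BEFORE = "#%PAM-1.0\nauth required pam_sepermit.so\nauth substack password-auth\nauth include postlogin\n"

if __name__ == "__main__":
    for name, cfg, pam_file in (("page", SSHD_CONFIG_PAGE, PAM_SSHD_PAGE), ("before", SSHD_CONFIG_BEFORE, PAM_SSHD_BEFORE)):
        result = audit(cfg, pam_file)
        print(f"{name}: MFA enforced = {mfa_enforced(result)}")
        for level, msg in result:
            print(f"  [{level}] {msg}")
```

Fix every fail line before the restart. On the page's own configuration the script reports no failures but two warnings, for nullok and for the publickey,password alternative; both are deliberate while users are still being enrolled and are the two items to revisit afterwards.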
  • Enrol a user in google-authenticator

Run the following as the user being enrolled, not as root, since it writes that user's ~/.google_authenticator:

google-authenticator

1) At the prompt Do you want authentication tokens to be time-based (y/n), answer y to use time-based (TOTP) tokens.

2) A QR code is printed. Open the Google Authenticator app on your phone, tap +, choose "Scan a barcode" and add the entry.

Note: save the secret key, verification code and emergency scratch (recovery) codes shown on screen somewhere safe. The scratch codes are the way back in if the phone is lost, and each one works only once.

3) Do you want me to update your "/home/sammy/.google_authenticator" file (y/n) y

4) Do you want to disallow multiple uses of the same authentication token? This restricts you to one login about every 30s, but it increases your chances to notice or even prevent man-in-the-middle attacks (y/n) y

5) By default, tokens are good for 30 seconds. In order to compensate for possible time-skew between the client and the server, we allow an extra token before and after the current time. If you experience problems with poor time synchronization, you can increase the window from its default size of +-1min (window size of 3) to about +-4min (window size of 17 acceptable tokens). Do you want to do so? (y/n) n

The window size is the number of codes accepted at any moment: 3 means the previous, current and next 30-second code. Keep the default and fix clock drift with NTP instead; widening the window to 17 also multiplies the number of codes a guess can match.

6) If the computer that you are logging into isn't hardened against brute-force login attempts, you can enable rate-limiting for the authentication module. By default, this limits attackers to no more than 3 login attempts every 30s. Do you want to enable rate-limiting (y/n) y

  • Open a new SSH connection to test the configuration (keep the current session open so you are not locked out if something went wrong).
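The answers in steps 4) to 6) become lines in ~/.google_authenticator (DISALLOW_REUSE, WINDOW_SIZE and RATE_LIMIT) that the PAM module reads on every login. The following Python is an added example, not code from the page or from google-authenticator-libpam: it implements the TOTP algorithm the phone app and the module share (RFC 6238, HMAC-SHA1 over a 30-second counter, six digits) and a small verifier, TotpVerifier, whose options model those three settings plus the single-use scratch codes. The class name, the scratch code and the secret (the RFC 6238 reference key "12345678901234567890" in base32) are this example's own; the real module's file format and state handling differ.

```python
"""TOTP as Google Authenticator and pam_google_authenticator compute it (RFC 6238),
with a verifier modelling the ~/.google_authenticator options set at enrolment.

Added example, not code from the page or from google-authenticator-libpam.
TotpVerifier and the sample secret are this example's own.
"""
import base64
import hashlib
import hmac
import struct
import time

STEP_SECONDS = 30   # token lifetime chosen in step 1)


def hotp(secret_b32, counter, digits=6):
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    key = base64.b32decode(secret_b32.upper() + "=" * (-len(secret_b32) % 8))
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


def totp(secret_b32, unix_time):
    """RFC 6238: HOTP with the counter set to the current 30-second step."""
    return hotp(secret_b32, int(unix_time) // STEP_SECONDS)


class TotpVerifier:
    """Server-side check with the knobs behind prompts 4) to 6).

    window_size    number of accepted steps centred on now (3 = +-1 step, 17 = +-8)
    disallow_reuse a step that already authenticated is refused (DISALLOW_REUSE)
    rate_limit     (attempts, seconds): at most N tries per window (RATE_LIMIT 3 30)
    scratch_codes  emergency codes, each valid exactly once
    """

    def __init__(self, secret_b32, window_size=3, disallow_reuse=True,
                 rate_limit=(3, 30), scratch_codes=()):
        self.secret = secret_b32
        self.half_window = window_size // 2
        self.disallow_reuse = disallow_reuse
        self.max_attempts, self.rate_seconds = rate_limit
        self.scratch = set(scratch_codes)
        self.used_steps = set()
        self.attempts = []                       # timestamps of recent attempts

    def verify(self, code, now=None):
        now = time.time() if now is None else now
        # Rate limit first, so that a flood of bad codes costs the attacker attempts.
        self.attempts = [t for t in self.attempts if now - t < self.rate_seconds]
        self.attempts.append(now)
        if len(self.attempts) > self.max_attempts:
            return "rate-limited"
        if code in self.scratch:                 # scratch codes ignore the time window
            self.scratch.discard(code)
            return "ok-scratch"
        step = int(now) // STEP_SECONDS
        for candidate in range(max(step - self.half_window, 0), step + self.half_window + 1):
            if hmac.compare_digest(hotp(self.secret, candidate), code):
                if self.disallow_reuse and candidate in self.used_steps:
                    return "reused"
                self.used_steps.add(candidate)
                return "ok"
        return "bad-code"


# Constructed secret: the RFC 6238 reference key "12345678901234567890" in base32,
# the same encoding the QR code in step 2) carries.
SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
T = 1111111109    # an RFC 6238 test instant; its 6-digit code is 081804


def demo_reuse_and_rate_limit():
    """Default settings: window 3, DISALLOW_REUSE, RATE_LIMIT 3 30."""
    v = TotpVerifier(SECRET)
    return [
        v.verify(totp(SECRET, T), now=T),        # current step: ok
        v.verify(totp(SECRET, T), now=T + 5),    # same code replayed: reused
        v.verify(totp(SECRET, T - 30), now=T),   # previous step, inside +-1: ok
        v.verify(totp(SECRET, T - 60), now=T),   # fourth try within 30 s: rate-limited
    ]


def demo_skew_window():
    """A code eight steps old fails at WINDOW_SIZE 3 and passes at 17."""
    stale = totp(SECRET, T - 8 * STEP_SECONDS)
    return (TotpVerifier(SECRET, window_size=3).verify(stale, now=T),
            TotpVerifier(SECRET, window_size=17).verify(stale, now=T))


def demo_scratch_code():
    """An emergency scratch code works once and is then gone."""
    v = TotpVerifier(SECRET, scratch_codes={"12345678"})   # constructed scratch code
    return v.verify("12345678", now=100), v.verify("12345678", now=101)


if __name__ == "__main__":
    print("code now:", totp(SECRET, time.time()))
    print(demo_reuse_and_rate_limit(), demo_skew_window(), demo_scratch_code())
```

With the secret above the code printed by the script matches what the Google Authenticator app shows for the same secret at the same moment, which is a convenient way to confirm that a server's clock is in sync before widening the window.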


