Linux: two-factor user authentication with Google Authenticator

1. Introduction: What is two-factor authentication

Two-factor authentication combines something you know with something you have. The scheme described here relies on time synchronisation: a one-time password derived from three variables (time, an event counter and a key) replaces the traditional static password. Each dynamic-password token holds a unique key, and the same key is stored on the server. Token and server each compute the dynamic password from the same key, the same changing parameters (time or event counter) and the same algorithm, so the two values agree and the user can be authenticated.

To put it bluntly, it is just like the password token banks issued a few years ago when you applied for a card, or the NetEase game token: when you use online banking or log in to the game, you are asked to enter the dynamic password as an extra step.

2. Product Classification

There are hardware-based and software-based products on the market; you can search for the details yourself. I like open-source stuff, and I found Google's open-source two-step verification system, Google Authenticator (open source), which produces 30-second dynamic passwords on a smartphone. When logging in to the Linux system, the authenticator app supplies a six-digit one-time password. Clients are currently available for both iOS and Android.

3. Purpose

1. When logging in to the Linux server, the dynamic password is entered first. Only after it is verified successfully is the user's password requested in the next step; if the dynamic password fails, the local password authentication that follows is not performed.

2. Once deployed, the whole two-step verification system keeps working even if the server, or the mobile client, has no Internet access.

4. Basic environment and deployment steps

4.1 Basic environment:

OS: Centos 7 (minimal installation)

IP :192.168.1.125

4.2 Required software:

chrony
pam-devel
libpam-google-authenticator-1.0-source.tar.bz2
qrencode-3.4.4
libpng, libpng-devel

4.3 Deployment

4.3.1 Install the development tools: the later steps need compiling, so a compiler such as gcc and the libraries it relies on are required

[root@test ~]# yum groupinstall "Development Tools" -y

4.3.2 Install pam development kit

[root@test ~]# yum install pam-devel -y

4.3.3 Install chrony. Dynamic-password verification depends on time, so the server clock must be kept consistent. In short, chrony is another implementation of the Network Time Protocol (NTP); unlike the NTP daemon (ntpd), it synchronises the system faster and more accurately. If you want to use ntp instead, install it separately.

Next, install chrony and edit its configuration file to add (around the 6th line) the NTP server pool that is most useful in China: https://www.pool.ntp.org/zone/cn

[root@test ~]# yum install chrony -y
[root@test ~]# vim /etc/chrony.conf 
…
server 2.cn.pool.ntp.org iburst

Restart the service and use the command below to view synchronisation (note: 202.118.1.130 is the NTP server we added in the previous step)

[root@test ~]# systemctl restart chronyd
[root@test ~]# chronyc sources
210 Number of sources = 3
MS Name/IP address         Stratum Poll Reach LastRx Last sample
===============================================================================
^* 202.118.1.130                 2   6    17    54    -58us[ +132us] +/-   85ms
^+ news.neu.edu.cn               2   6    17    54   +542us[ +732us] +/-   89ms
^- dns1.synet.edu.cn             2   6   251    46    +25ms[  +25ms] +/-   60ms

If the time zone is wrong, copy the zone file for your current location over the system's time zone, as follows:

cp /usr/share/zoneinfo/Asia/Shanghai /etc/localtime

4.3.4 Now go to Google's GitHub and download the source

[root@test ~]# git clone https://github.com/google/google-authenticator-libpam.git

Enter the directory that git just downloaded, then compile and install

[root@test ~]# cd google-authenticator-libpam/
[root@test google-authenticator-libpam]# ./bootstrap.sh
[root@test google-authenticator-libpam]# ./configure
[root@test google-authenticator-libpam]# make && make install

After the installation is complete, configure the system PAM module so that sshd supports Google Authenticator, which requires every user to pass Google Authenticator verification when authenticating over SSH. Add the following as the first line of the sshd PAM file:

[root@test ~]# vim /etc/pam.d/sshd 
auth       required pam_google_authenticator.so no_increment_hotp

Configure the sshd service, /etc/ssh/sshd_config, mainly modify the following 3 values:

[root@test ~]# vim /etc/ssh/sshd_config 
...
PasswordAuthentication yes
ChallengeResponseAuthentication yes
UsePAM yes

**Note:** here is an error record that appeared during testing.

[root@test ~]# tail -40f /var/log/secure
....
May 21 13:43:01 test sshd[3344]: PAM unable to dlopen(/usr/lib64/security/pam_google_authenticator.so): /usr/lib64/security/pam_google_authenticator.so: cannot open shared object file: No such file or directory
May 21 13:43:01 test sshd[3344]: PAM adding faulty module: /usr/lib64/security/pam_google_authenticator.so
May 21 13:43:03 test sshd[3346]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"

**Fix:** create a symbolic link (the module must exist at that path), or simply copy the file there.

[root@test ~]# ln -s /usr/local/lib/security/pam_google_authenticator.so /usr/lib64/security/pam_google_authenticator.so

Then restart the sshd service

[root@test ~]# systemctl restart sshd

4.3.5 Install the QR-code generation tool. This step can be omitted: without it, the QR code generated in the next step is shown as a link instead; copy the link into a browser and the QR code appears there, then open Google Authenticator on the phone and scan it.

[root@test ~]# wget -c http://fukuchi.org/works/qrencode/qrencode-3.4.4.tar.gz
[root@test ~]# tar zxvf qrencode-3.4.4.tar.gz 
[root@test ~]# cd qrencode-3.4.4
[root@test qrencode-3.4.4]# yum install libpng libpng-devel
[root@test qrencode-3.4.4]# ./configure 
[root@test qrencode-3.4.4]# make && make install

4.3.6 Set up a user as follows:

Run the google-authenticator command; it generates a new key in the home directory of the currently logged-in user

[root@test qrencode-3.4.4]# cd ~
[root@test ~]# google-authenticator

Do you want authentication tokens to be time-based (y/n) y
https://www.google.com/chart?chs=200x200&chld=M|0&cht=qr&chl=otpauth://totp/root@test%3Fsecret%3DSLZTXLFJ5KT5TWMP%26issuer%3Dtest
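An added worked example (not code from the original post or from the google-authenticator project) of what the phone and the server each compute from the otpauth URI above: RFC 6238 TOTP over the base32 secret, plus a server-side verifier with a one-step clock-skew allowance and rejection of reused codes. The skew window and the replay set are this example's own choices, not the pam module's configuration; the sample URI is the decoded form of the page's link.

```python
import base64
import hmac
import struct
import time
from hashlib import sha1
from urllib.parse import parse_qs, unquote, urlparse

# Decoded form of the otpauth URI printed by google-authenticator above (page value);
# the secret is the key both the phone app and the server share.
OTPAUTH_URI = "otpauth://totp/root@test?secret=SLZTXLFJ5KT5TWMP&issuer=test"

def parse_otpauth(uri):
    """Return (label, base32 secret, issuer) from an otpauth://totp/ URI."""
    u = urlparse(uri)
    if u.scheme != "otpauth" or u.netloc != "totp":
        raise ValueError("not a TOTP otpauth URI")
    q = parse_qs(u.query)
    return unquote(u.path.lstrip("/")), q["secret"][0], q.get("issuer", [""])[0]

def totp(secret_b32, unix_time, step=30, digits=6):
    """RFC 6238 TOTP: HMAC-SHA1 over the 30-second step counter, then dynamic truncation."""
    key = base64.b32decode(secret_b32.upper() + "=" * (-len(secret_b32) % 8))
    counter = int(unix_time) // step
    mac = hmac.new(key, struct.pack(">Q", counter), sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

class TotpVerifier:
    """Server side: shared secret, allowed clock skew (in steps) and replay protection."""
    def __init__(self, secret_b32, skew_steps=1, step=30):
        self.secret, self.skew, self.step = secret_b32, skew_steps, step
        self.used = set()   # step counters already consumed by a successful login

    def verify(self, code, unix_time):
        now = int(unix_time) // self.step
        for counter in range(now - self.skew, now + self.skew + 1):
            if counter in self.used:
                continue        # this step's code was already accepted: reject replay
            expected = totp(self.secret, counter * self.step, self.step)
            if hmac.compare_digest(expected, code):
                self.used.add(counter)
                return True
        return False

if __name__ == "__main__":
    label, secret, issuer = parse_otpauth(OTPAUTH_URI)
    print(f"{issuer}:{label} -> current code {totp(secret, time.time())}")
```

Running the block prints the code the phone would show for the page's secret at this moment; the RFC 6238 test vectors can be used to confirm the arithmetic.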

Reference link:

https://mp.weixin.qq.com/s/sTh3xJRemRdIJecTEPqlmg


Source: blog.csdn.net/qq_40907977/article/details/114694066