Using Google Authenticator to strengthen SSH login security

Abstract: Using Google Authenticator to strengthen SSH login security


Foreword

Google Authenticator is a one-time password generator that supports HOTP (HMAC-based One-Time Password, defined by RFC 4226) and TOTP (Time-based One-Time Password).

Google Authenticator has native clients for Android, iOS and BlackBerry, and there is also a community-developed J2ME client, so it can be used on essentially every smartphone and handheld device on the market.

Google Authenticator also provides a PAM module, so it can be used for authentication on Unix/Linux.

Here we simply use the Google Authenticator PAM module to authenticate SSH logins.

Linux Server Configuration

CentOS release 6.2 x86_64 Final

1. SSH authentication configuration

a. vim /etc/pam.d/sshd

   Add the following as the first line:

   auth       required     pam_google_authenticator.so

b. vim /etc/ssh/sshd_config

   Find 'ChallengeResponseAuthentication' and 'UsePAM'

   Make sure both are set to 'yes':

   ChallengeResponseAuthentication yes

   UsePAM yes (Note: the default is yes)

   Save, then restart the service:

   service sshd restart

2. Install the required packages

a. yum -y install gcc pam-devel libpng-devel

3. Install qrencode

This tool generates QR codes; the google-authenticator command line calls it to print the QR code.

wget http://fukuchi.org/works/qrencode/qrencode-3.3.1.tar.gz

tar zxvf qrencode-3.3.1.tar.gz

cd qrencode-3.3.1

./configure --prefix=/usr

make && make install

Note: According to the instructions this should produce output, but it produced none when I tested it; the QR code was still output via the Google Chart API URL,

    so this tool is optional.

4. Install the Google Authenticator PAM module

wget  http://google-authenticator.googlecode.com/files/libpam-google-authenticator-1.0-source.tar.bz2

tar jxvf libpam-google-authenticator-1.0-source.tar.bz2

cd libpam-google-authenticator-1.0

make && make install
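Since step 1 edits /etc/pam.d/sshd and /etc/ssh/sshd_config by hand, a quick check of what those files actually say is worth having before restarting sshd. The following is an added example, not code from the article or from the google-authenticator project: it reads the two files as text (the sample contents below are constructed) and reproduces one rule that hand edits trip over in sshd_config, namely that sshd uses the FIRST occurrence of a keyword, so a 'ChallengeResponseAuthentication yes' appended below an earlier 'no' has no effect. Absent keywords are treated with the upstream OpenSSH defaults; the PAM check follows the article's placement of the module as the first line.

```python
# Added example, not code from the article: checker for the two files edited in
# step 1, run over constructed sample contents.
import re

PAM_MODULE = "pam_google_authenticator.so"


def sshd_effective(config_text):
    """Map lowercase keyword -> first value seen (sshd's first-match-wins rule),
    ignoring comments, blank lines and everything from the first 'Match' block on
    (those lines are conditional and do not apply globally)."""
    effective = {}
    in_match = False
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)  # 'Key value' or 'Key=value'
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            in_match = True
        if in_match:
            continue
        effective.setdefault(key, value)  # keep the first occurrence only
    return effective


def sshd_problems(config_text):
    """Return the settings that do not match step 1b; an empty list means ready.
    Absent keywords fall back to the upstream OpenSSH defaults (distribution
    config files usually set UsePAM explicitly)."""
    eff = sshd_effective(config_text)
    problems = []
    if eff.get("challengeresponseauthentication", "yes").lower() != "yes":
        problems.append("ChallengeResponseAuthentication is not yes")
    if eff.get("usepam", "no").lower() != "yes":
        problems.append("UsePAM is not yes")
    return problems


def pam_problems(pam_text):
    """Check /etc/pam.d/sshd: the article adds the module as the first line, so it
    must be the first 'auth' rule and be marked 'required'."""
    rules = []
    for raw in pam_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            rules.append(line.split())
    auth_rules = [r for r in rules if r[0] == "auth"]
    if not auth_rules:
        return ["no auth rules found"]
    first = auth_rules[0]
    if PAM_MODULE not in first:
        return [f"{PAM_MODULE} is not the first auth rule"]
    if first[1] != "required":
        return [f"{PAM_MODULE} rule is '{first[1]}', expected 'required'"]
    return []


# Constructed sample files (not the article's real files)
SSHD_OK = """\
# sample sshd_config
Port 22
ChallengeResponseAuthentication yes
UsePAM yes
"""

SSHD_BAD = """\
ChallengeResponseAuthentication no
UsePAM yes
# appended at the bottom: ignored, the first occurrence above wins
ChallengeResponseAuthentication yes
"""

PAM_OK = """\
#%PAM-1.0
auth       required     pam_google_authenticator.so
auth       include      password-auth
account    required     pam_nologin.so
"""

PAM_BAD = """\
#%PAM-1.0
auth       include      password-auth
auth       required     pam_google_authenticator.so
"""

if __name__ == "__main__":
    for name, text in [("SSHD_OK", SSHD_OK), ("SSHD_BAD", SSHD_BAD)]:
        print(name, sshd_problems(text) or "ready")
    for name, text in [("PAM_OK", PAM_OK), ("PAM_BAD", PAM_BAD)]:
        print(name, pam_problems(text) or "ready")
```

To use it on a real host, read the two files and pass their contents to sshd_problems and pam_problems; an empty list from both means the edits of step 1 are in effect once sshd is restarted.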

5. Google Authenticator configuration

First switch to the corresponding user (since I am only testing, I operate as root here). If there is only one user,

this step can be omitted.

 a. google-authenticator

   After entering 'google-authenticator', it asks 'Do you want authentication tokens to be time-based (y/n)'.

   Codes are basically generated time-based, so select 'y'.

   The result is similar to the following (my qrencode did not execute successfully, so there is no QR code):

   If qrencode executed successfully, it looks as shown below:

   Paste the first highlighted URL into a browser; it outputs the QR code via the Google Chart API, which can then be scanned (see below).

   The key can also be entered manually, using the key shown below the URL.

   After Google Authenticator has recognised the account, verify that it is configured. The output also provides several emergency scratch codes in text form;

   keep them for when the phone is lost or not at hand.

b. Save settings

   At this point google-authenticator has run, but it has only printed the verification code, emergency codes and related settings; nothing has been saved yet,

   so it asks 'Do you want me to update your "/root/.google_authenticator" file (y/n)'; select 'y'.

c. Multiple uses

   Whether to disallow multiple uses of the same authentication token; for security, of course select 'y'.

d. Time skew

   Whether to enable the setting that prevents validation failures when the time difference between client and server is too large; set it according to the actual situation. I chose 'n',

   unless the server's clock is frequently inaccurate (in which case you should consider replacing the motherboard),

   or NTP is not set up, or the phone or other mobile device rarely connects to the Internet; in those cases you would have to choose 'y'.

e. Rate limiting

   Needless to say, select 'y'.

After the above settings are complete, there will be an additional file '.google_authenticator' in the home directory (mode 400 by default), and the system is now fully operational.

After that, google-authenticator does not need to be run again unless it is generated for a new user or needs to be regenerated.
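The foreword names HOTP and TOTP, and the prompts in step 5 (c, d, e) configure how the server treats reuse of a token, clock skew and repeated attempts. The following is an added example, not code from the article or from the google-authenticator project: it computes HOTP (RFC 4226) and TOTP on top of it, decodes the unpadded base32 key that google-authenticator prints, and models a server-side verifier with those three controls as parameters. The parameter values, the class name and the status strings are assumptions for illustration, not the PAM module's own defaults or API; the sample key is the RFC test secret, written as google-authenticator would display it.

```python
# Added example, not code from the article or the google-authenticator project:
# HOTP/TOTP computation plus a verifier modelling the step 5 prompts (reuse of a
# token, accepted time window, rate limiting). Limits here are illustrative
# assumptions, not the PAM module's defaults.
import base64
import hashlib
import hmac
import struct
import time


def hotp(secret, counter, digits=6):
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic
    truncation to a 31-bit integer reduced to the wanted number of digits."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret, unix_time, step=30, digits=6):
    """RFC 6238: HOTP whose counter is the number of 30 s steps since the epoch,
    which is why both server and phone need an accurate clock (note 5)."""
    return hotp(secret, int(unix_time) // step, digits)


def decode_base32_secret(text):
    """The key google-authenticator prints is unpadded base32; restore padding."""
    text = text.strip().replace(" ", "").upper()
    return base64.b32decode(text + "=" * (-len(text) % 8))


class TotpVerifier:
    """Server-side check with the behaviour the step 5 prompts control:
    skew         - number of 30 s steps accepted either side of the current one (d)
    reuse        - a counter that already authenticated is rejected (c)
    rate limit   - at most max_attempts attempts per rate_window seconds (e)
    """

    def __init__(self, secret, skew=1, max_attempts=3, rate_window=30, step=30):
        self.secret = secret
        self.skew = skew
        self.step = step
        self.max_attempts = max_attempts
        self.rate_window = rate_window
        self.used_counters = set()
        self.attempts = []

    def verify(self, code, now):
        """Return 'ok', 'invalid', 'replayed' or 'rate-limited'."""
        now = int(now)
        # drop attempts older than the rate window, then count this one
        self.attempts = [t for t in self.attempts if now - t < self.rate_window]
        if len(self.attempts) >= self.max_attempts:
            return "rate-limited"
        self.attempts.append(now)
        base = now // self.step
        for counter in range(base - self.skew, base + self.skew + 1):
            # constant-time compare so a wrong digit is not detectable by timing
            if hmac.compare_digest(hotp(self.secret, counter), code):
                if counter in self.used_counters:
                    return "replayed"
                self.used_counters.add(counter)
                return "ok"
        return "invalid"


# Constructed sample: the RFC 4226 / RFC 6238 test secret "12345678901234567890",
# written the way google-authenticator would display it (base32, no padding).
SAMPLE_KEY = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"

if __name__ == "__main__":
    secret = decode_base32_secret(SAMPLE_KEY)
    now = int(time.time())
    print("current code:", totp(secret, now))
    v = TotpVerifier(secret)
    print(v.verify(totp(secret, now), now))  # ok
    print(v.verify(totp(secret, now), now))  # replayed: same counter used twice
```

With skew=1 the verifier accepts the previous and next 30 s step as well as the current one, which is what absorbs small clock differences between phone and server; a larger skew widens the window at the cost of accepting more codes at any moment, which is the trade-off behind prompt d.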

Server login test screenshot

Client setup

Android: https://play.google.com/store/apps/details?id=com.google.android.apps.authenticator2

Or search for Google Authenticator on Google Play and install it.

iOS: http://itunes.apple.com/us/app/google-authenticator/id388497605?mt=8

Others: search for and install it yourself, or refer to http://support.google.com/accounts/bin/answer.py?hl=en&answer=1066447

I use an Android phone; after scanning the QR code, a new verification code is generated every 30 seconds, as shown below:

Notes

1. SELinux: must be set to disabled.

2. It can be used together with RSA public/private key authentication; the only difference is whether the computer has the RSA key, and the OTP is only used when it does not.

3. The same '.google_authenticator' file can be used on another server, so security still needs attention.

4. Commercial OTP systems are generally networked client/server systems with a single authentication server; to ensure high availability,

  there are usually two servers, one primary and one standby.

5. Google Authenticator is a time-based code generator, so both the server and the phone client

  have strict time requirements and must stay synchronised with an NTP server at all times.

6. Google Authenticator and the barcode scanner do not generate any GPRS or WiFi traffic by default.

7. If you do not want users to enter the OTP at login but rather when they su to root,

  add the PAM authentication line to '/etc/pam.d/su' instead.

8. Once PAM authentication is enabled on the server, every user is required to enter a TOTP code,

  so each user needs to generate a '.google_authenticator' file in their own home directory.

References

http://code.google.com/p/google-authenticator/

http://m114.org/system/google-authenticator-strengthen-ssh-login-security.html

https://wzyboy.im/post/765.html

http://www.ipcpu.com/2012/07/google-auth-sshd/

http://blog.onovps.com/archives/centos-ssh-google-authenticator.html

http://heikezhi.com/2011/09/26/simple-two-factor-ssh-authentication-with-google-authenticator/

Original: 大专栏, 使用 Google Authenticator 加强SSH登入安全性 (Using Google Authenticator to strengthen SSH login security)



Origin www.cnblogs.com/chinatrump/p/11490807.html