What is Multi-Factor Authentication (MFA)?
MFA, as the name suggests, uses several independent verification mechanisms to authenticate a user, and grants access only when all of them succeed. Its purpose is to build a layered defence that makes it harder for an unauthorized person to gain access to a computer system or network. Verification mechanisms fall into these categories:
Sth. you know: what the user knows (knowledge-based authentication)
Sth. you have: what the user has (a security token or smart card)
Sth. you are: what the user is (biometric verification)
Take withdrawing cash from an ATM as an example: you must insert the card (sth. you have) and enter the PIN (sth. you know) before the withdrawal succeeds.
Multi-factor authentication for a Linux server
The common everyday practice is to authenticate with a public key plus a password. But because the key is usually stored directly on the console used for access, anyone who knows the console password (sth. you know) plus the remote server password (sth. you know) can get into the server; only one kind of factor, sth. you know, is actually in play. There are two ways to break out of this:
A console that uses biometric verification (sth. you are) + the remote server password (sth. you know)
A console that uses password authentication (sth. you know) + security-token authentication on the remote server (sth. you have)
This article focuses on a free sth. you have method, google-authenticator; the Google Authenticator app can be installed on a phone without needing to get past the Great Firewall. Start by installing the app on your phone……
Configuring google-authenticator on CentOS 7
Install the required packages:
yum install -y autoconf automake libtool pam-devel git qrencode
Install google-authenticator:
git clone https://github.com/google/google-authenticator-libpam.git
cd google-authenticator-libpam/
./bootstrap.sh
./configure
make
make install
ln -s /usr/local/lib/security/pam_google_authenticator.so /usr/lib64/security/pam_google_authenticator.so
Configure OpenSSH: edit /etc/pam.d/sshd
auth required pam_google_authenticator.so nullok
#auth substack password-auth
Edit /etc/ssh/sshd_config as follows:
. . .
# Change to no to disable s/key passwords
ChallengeResponseAuthentication yes
#ChallengeResponseAuthentication no
. . .
AuthenticationMethods publickey,password publickey,keyboard-interactive
Restart sshd:
systemctl restart sshd.service
Enable google-authenticator for the user:
google-authenticator
1) When prompted Do you want authentication tokens to be time-based (y/n), answer y to use time-based tokens.
2) A QR code is displayed. Take out your phone, open the Google Authenticator app, tap + and choose "Scan a barcode" to add the authentication entry.
Note: save the secret key, verification code and recovery codes shown on screen in a safe place for account recovery.
3) Do you want me to update your "/home/sammy/.google_authenticator" file (y/n) y
4)Do you want to disallow multiple uses of the same authentication
token? This restricts you to one login about every 30s, but it increases
your chances to notice or even prevent man-in-the-middle attacks (y/n) y
5) By default, tokens are good for 30 seconds. In order to compensate for
possible time-skew between the client and the server, we allow an extra
token before and after the current time. If you experience problems with
poor time synchronization, you can increase the window from its default
size of +-1min (window size of 3) to about +-4min (window size of 17 acceptable tokens).
Do you want to do so? (y/n) n
6) If the computer that you are logging into isn't hardened against brute-force
login attempts, you can enable rate-limiting for the authentication module.
By default, this limits attackers to no more than 3 login attempts every 30s.
Do you want to enable rate-limiting (y/n) y
Open a new SSH connection (keep the current one open so you are not locked out) to test that the configuration works.
CentOS 7: multi-factor authentication with Google-Authenticator
Original article: http://41084.blog.51cto.com/31084/1952500