
Multi-factor authentication on CentOS 7 with Google-Authenticator

Date: 2017-08-01 09:16:28      Reads: 1417      Comments: 0      Favourites: 0

Tags: linux centos mfa multi-factor authentication

What is Multi-Factor Authentication (MFA)?

MFA, as the name says, authenticates a user with several independent verification mechanisms and grants access only when all of them succeed. Its purpose is to build a layered defence that makes it harder for an unauthorised person to get into a computer system or network. Verification mechanisms fall into three categories:

  • Something you know (knowledge-based authentication)

  • Something you have (a security token or smart card)

  • Something you are (biometric verification)

Take withdrawing cash at an ATM: you must insert the card (sth. you have) and enter the PIN (sth. you know) before the withdrawal goes through.

Multi-factor authentication for a Linux server

The usual everyday practice is to authenticate with an SSH key plus a password, but because the key normally sits directly on the console, anyone who knows the console password (sth. you know) plus the remote server password (sth. you know) can reach the server: only the sth.-you-know factor is actually used. There are two ways to fix this:

  • A console protected by biometric verification (sth. you are) + the remote server password (sth. you know)

  • A console protected by a password (sth. you know) + security-token authentication on the remote server (sth. you have)

This post focuses on google-authenticator, a free sth.-you-have method; the Google Authenticator app can be installed on a phone without having to bypass the Great Firewall. Let's start by installing the app on the phone...


Configuring Google-authenticator on CentOS 7

  • Install the required packages:

yum install -y autoconf automake libtool pam-devel git qrencode

  • Install google-authenticator:

git clone https://github.com/google/google-authenticator-libpam.git
cd google-authenticator-libpam/
./bootstrap.sh
./configure
make
make install
ln -s /usr/local/lib/security/pam_google_authenticator.so /usr/lib64/security/pam_google_authenticator.so

  • Configure OpenSSH: vi /etc/pam.d/sshd (nullok lets a user who has not yet created ~/.google_authenticator log in without a code; remove it once every user is enrolled)

auth    required        pam_google_authenticator.so nullok
#auth       substack     password-auth

Edit /etc/ssh/sshd_config as follows:

. . .
# Change to no to disable s/key passwords
ChallengeResponseAuthentication yes
#ChallengeResponseAuthentication no
. . .
AuthenticationMethods publickey,password publickey,keyboard-interactive

Restart sshd:

systemctl restart sshd.service

  • Enable google-authenticator for the user:

google-authenticator

1) At the prompt Do you want authentication tokens to be time-based (y/n), answer y to use time-based tokens.

2) A QR code is shown on screen. Open the Google Authenticator app on your phone, tap + and choose "Scan a barcode" to add the entry.

Note: keep the secret key, verification code and recovery codes shown on screen in a safe place; they are needed to recover access.

3) Do you want me to update your "/home/sammy/.google_authenticator" file (y/n) y

4) Do you want to disallow multiple uses of the same authentication token? This restricts you to one login about every 30s, but it increases your chances to notice or even prevent man-in-the-middle attacks (y/n) y

5) By default, tokens are good for 30 seconds. In order to compensate for possible time-skew between the client and the server, we allow an extra token before and after the current time. If you experience problems with poor time synchronization, you can increase the window from its default size of +-1min (window size of 3) to about +-4min (window size of 17 acceptable tokens). Do you want to do so? (y/n) n

6) If the computer that you are logging into isn't hardened against brute-force login attempts, you can enable rate-limiting for the authentication module. By default, this limits attackers to no more than 3 login attempts every 30s. Do you want to enable rate-limiting (y/n) y

  • Open a new SSH connection (do not close the current one, so you cannot lock yourself out) to test that the configuration works.




Original article: http://41084.blog.51cto.com/31084/1952500
