Enhance Linux Account Security through Google authenticator

Source: Internet
Author: User
Tags: account security

The recent string of serious, far-reaching security incidents has made information security more important than ever. Personal privacy protection is one aspect of it. Given the situation in this country, the question is not how much privacy is lost but how much can still be kept; since individuals often have no control over it either way, most people are indifferent. A system administrator cannot think like this, though. The security of the servers you manage must not be underestimated: if a server is compromised, the impact is enormous.

 
Again based on local conditions: we know that the hardware token devices introduced by domestic banks are quite effective. Each time you use online banking you must insert a small device, and the random verification code it generates has to be entered as an additional logon condition before the system can be used.

Humble administrators like us are unlikely to get such devices for the servers we manage. With a little technology, however, we can turn our mobile phones into a random verification code generator (thanks to Google). Each time you log on to the system, in addition to the usual user/password check, you must also enter the verification code that the phone generates from a key bound to the account. With this mechanism in place, even if the password is disclosed, whoever obtained it cannot log on and run commands without the verification code; unless the person who obtained the password also obtains your mobile phone, the system stays secure. Students, I'm tempted. If your curiosity is not yet exhausted, let's continue.


 
Take a Linux server at hand as an example. Download the Google authentication module:

# wget https://google-authenticator.googlecode.com/files/libpam-google-authenticator-1.0-source.tar.bz2
 
Decompress, compile and install it with the following steps:

# tar xvf libpam-google-authenticator-1.0-source.tar.bz2
# cd libpam-google-authenticator-1.0
# make
# make install

make install copies Google's PAM module (pam_google_authenticator.so) to the /lib64/security directory, and the executable used to generate keys, google-authenticator, to /usr/local/bin so that it can be called conveniently.
 
Tip: the pam-devel package is required to compile and install google-authenticator. If it is missing, install it first.

For example, to add the additional authentication mechanism for the user jss, log on as jss and run google-authenticator to generate the key:

[jss@localhost ~]$ google-authenticator

 

Do you want authentication tokens to be time-based (y/n) y

First you are asked whether the tokens should be time-based; answer y. It then generates the key, together with five emergency scratch codes that you can use when you cannot obtain a verification code. Note that each emergency code can be used only once, so save them; they are essential at critical moments. The output looks like this:
 
 

https://www.google.com/chart?chs=200x200&chld=M|0&cht=qr&chl=otpauth://totp/jss@localhost.localdomain%3Fsecret%3D3V7K2ONO55DE56SD
Your new secret key is: 3V7K2ONO55DE56SD
Your verification code is 424380
Your emergency scratch codes are:
  96307775
  87311306
  56915688
  84694809
  27875014

Then you are asked whether to update the configuration file, which must be done:

Do you want me to update your "/home/jss/.google_authenticator" file (y/n) y

Whether to disallow multiple logins with the same token:

Do you want to disallow multiple uses of the same authentication
token? This restricts you to one login about every 30s, but it increases
your chances to notice or even prevent man-in-the-middle attacks (y/n) y

By default a token is valid for only 30 seconds. Because the clocks of the client and the server may not agree, you can enlarge the time window to about 4 minutes. Whether to do so:

By default, tokens are good for 30 seconds and in order to compensate for
possible time-skew between the client and the server, we allow an extra
token before and after the current time. If you experience problems with poor
time synchronization, you can increase the window from its default
size of 1:30min to about 4min. Do you want to do so (y/n) y

Whether to limit the number of attempts to at most three every 30 seconds:

If the computer that you are logging into isn't hardened against brute-force
login attempts, you can enable rate-limiting for the authentication module.
By default, this limits attackers to no more than 3 login attempts every 30s.
Do you want to enable rate-limiting (y/n) y

After the key has been generated, modify the PAM configuration for ssh by editing the /etc/pam.d/sshd file:

# vim /etc/pam.d/sshd

Add a line:

auth required pam_google_authenticator.so

Next, modify the ssh daemon configuration by editing the /etc/ssh/sshd_config file:

# vim /etc/ssh/sshd_config

Change ChallengeResponseAuthentication no to ChallengeResponseAuthentication yes.

Then restart the ssh service:

 

When the user jss logs on via SSH again, the following prompt is displayed:

 

[root@mysqldb02 ~]# ssh jss@192.168.30.249

Verification code:

So where does the verification code come from, my friend? Take out your mobile phone and install the app called Google Authenticator. Open it and add an account; two options are offered: scan a barcode (QR code) or enter the provided key. Either one works.
Some may ask where these two items come from. Students, look again at the first line printed when the google-authenticator command ran: the http URL. Open it and you will find it is a QR code image; scan it. If the website cannot be opened, it does not matter; just enter the key instead.
Once the account is added, you should see the verification code generated on your mobile phone. Enter the verification code first, then the password. Only when both the verification code and the password are correct can you log on normally.

Password:

Last login: Tue Jan 14 10:14:33 2014 from 192.168.30.246

Note: you have up to 30 seconds to enter a verification code. Once it times out it becomes invalid, and you need to obtain a new verification code from your mobile phone.
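As an added illustration (not code from the original article or from the google-authenticator project), the following Python implements the RFC 4226/6238 algorithm that both the phone app and the PAM module compute from the shared secret, plus a hypothetical server-side check mirroring two of the prompts above: the window of accepted 30-second steps and the refusal to accept the same token twice. The RFC 6238 test secret is used as constructed sample input; the TotpVerifier class and its window_steps parameter are assumptions of this example.

```python
import base64
import hashlib
import hmac
import struct
import time

TIME_STEP = 30  # seconds per token, as the google-authenticator prompts state


def hotp(secret_b32, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, then dynamic truncation."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    key = base64.b32decode(padded)
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret_b32, at, step=TIME_STEP):
    """RFC 6238 TOTP: HOTP with the counter taken from Unix time (what the phone shows)."""
    return hotp(secret_b32, at // step)


class TotpVerifier:
    """Hypothetical server-side check (not the PAM module's code) mirroring two
    options from the prompts above: window_steps=1 accepts the previous, current
    and next code (the default 1:30 window); a consumed step is never accepted
    again (the 'disallow multiple uses of the same token' option)."""

    def __init__(self, secret_b32, window_steps=1):
        self.secret = secret_b32
        self.window_steps = window_steps
        self.last_used_step = -1  # highest time step already consumed

    def verify(self, code, now=None):
        now = int(time.time()) if now is None else now
        current = now // TIME_STEP
        for delta in range(-self.window_steps, self.window_steps + 1):
            step = current + delta
            # constant-time compare so timing does not leak which digits matched
            if hmac.compare_digest(hotp(self.secret, step), code):
                if step <= self.last_used_step:
                    return False  # replay of an already used token
                self.last_used_step = step
                return True
        return False


# Constructed sample: the RFC 6238 test secret (ASCII "12345678901234567890" in base32).
RFC_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
```

Replacing RFC_SECRET with the base32 key printed by google-authenticator reproduces the codes the phone shows for that account.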
