As you know, SSH uses single-factor authentication by default, even when you log in with an SSH key instead of a password. Because that one factor is all that stands between an attacker and the server, a leaked key (or password) compromises the server outright.
To address this, this article shows how to enable multi-factor authentication (MFA) for SSH on Ubuntu Server. Once enabled, logging in over SSH also requires a second factor that you prove possession of with your computer or mobile phone. Factors that can make up a multi-factor login include:
Password or security questions
Authenticator app or security token
Fingerprint or voice
...
A common approach is an OATH-TOTP application such as Google Authenticator (Microsoft account's two-step verification uses the same kind of app). OATH-TOTP (Time-based One-Time Password) is an open protocol for generating one-time passwords, typically a 6-digit code that changes every 30 seconds.
Below we explain how to use an OATH-TOTP application as a second factor for SSH login, in addition to the server's existing SSH password or key authentication, to make server management more secure.
Install libpam-google-authenticator
In this step we install and configure Google's PAM module.
Anyone familiar with Linux authentication knows that PAM (Pluggable Authentication Modules) is the framework through which Linux authenticates users. Google also provides a PAM module that implements OATH-TOTP, so we can use Google Authenticator to add a second factor to SSH.
1. Update the Ubuntu package cache with the following command:
sudo apt-get update
2. Install Google's PAM module (the package name is lowercase):
sudo apt-get install libpam-google-authenticator
Once libpam-google-authenticator is installed, we need to generate a TOTP key for each user who will authenticate this way. The key is generated per user, not system-wide: every user who wants to log in over SSH with TOTP must generate and keep their own key. Run the following command as that user:
google-authenticator
The program then asks a series of questions. The first is whether to generate time-based authentication tokens. Google PAM supports both time-based and counter-based (sequential) tokens: with counter-based tokens the code advances with every use, while time-based tokens change at fixed intervals, which is how Google Authenticator normally works, so we answer yes here.
Do you want authentication tokens to be time-based (y/n) y
After the first answer, a large block of output appears: a QR code, your new secret key, a verification code, and five 8-digit emergency scratch codes. Keep this information safe; it is very important.
Now scan the QR code with Google Authenticator to add the account to the OATH-TOTP app. Once it is added, a new entry appears showing a 6-digit token that refreshes every 30 seconds.
The remaining questions tell Google PAM how to behave; we go through them one by one.
Do you want me to update your "~/.google_authenticator" file (y/n) y
This writes the key and configuration options to the ~/.google_authenticator file, so we choose yes.
Do you want to disallow multiple uses of the same authentication
token? This restricts you to one login about every 30s, but it increases
your chances to notice or even prevent man-in-the-middle attacks (y/n) y
Answering yes makes every code single-use: a code expires as soon as it has been used to log in, so an intercepted code cannot be replayed. Yes is the usual choice here.
By default, tokens are good for 30 seconds and in order to compensate for
possible time-skew between the client and the server, we allow an extra
token before and after the current time. If you experience problems with poor
time synchronization, you can increase the window from its default
size of 1:30min to about 4min. Do you want to do so (y/n) n
By default a token is valid for 30 seconds, and the module already tolerates a small clock difference between server and client by accepting one extra token on either side of the current one. This question asks whether to widen that tolerance to about 4 minutes; we select no.
If the computer that you are logging into isn't hardened against
brute-force login attempts, you can enable rate-limiting for the authentication module.
By default, this limits attackers to no more than 3 login attempts every 30s.
Do you want to enable rate-limiting (y/n) y
This limits logins to 3 attempts every 30 seconds; we choose yes to slow down brute-force guessing of the code.
After these steps, Google PAM's configuration is complete.
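The following Python is an added example, not code from this page or from the google-authenticator project. It implements the OATH-TOTP computation the introduction describes (HMAC-SHA1 over the 30-second time step, truncated to 6 digits) together with a small, hypothetical server-side verifier that mirrors the three behaviours selected in the questions above: single-use codes, the one-step skew window on either side of the current time, and the 3-attempts-per-30-seconds rate limit. The secret and timestamps are the published RFC 4226/6238 test vectors, not a real key, and the function and class names are my own.

```python
import base64
import hashlib
import hmac
import struct

STEP_SECONDS = 30   # token lifetime quoted by the prompts above
DIGITS = 6          # code length shown by Google Authenticator

# Constructed test secret: the ASCII key "12345678901234567890" from RFC 4226/6238,
# base32-encoded the way google-authenticator prints its secrets. NOT a real key.
RFC_TEST_SECRET = base64.b32encode(b"12345678901234567890").decode()


def hotp(secret_b32: str, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter,
    dynamic truncation to 31 bits, then modulo 10^digits, zero-padded."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    mac = hmac.new(base64.b32decode(padded), struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, unix_time: int, step: int = STEP_SECONDS) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step)."""
    return hotp(secret_b32, unix_time // step)


class TotpVerifier:
    """Hypothetical server-side check mirroring the google-authenticator options chosen above:
    a skew window of +/-1 step, single-use codes, and 3 attempts per 30 seconds."""

    def __init__(self, secret_b32: str, window: int = 1, disallow_reuse: bool = True,
                 rate_limit: tuple = (3, 30)):
        self.secret = secret_b32
        self.window = window
        self.disallow_reuse = disallow_reuse
        self.max_attempts, self.limit_seconds = rate_limit
        self.used_counters = set()   # time steps whose code was already accepted
        self.attempts = []           # timestamps of recent login attempts

    def verify(self, code: str, now: int) -> bool:
        # Rate limiting: refuse outright once max_attempts fell inside the last limit_seconds.
        self.attempts = [t for t in self.attempts if now - t < self.limit_seconds]
        if len(self.attempts) >= self.max_attempts:
            return False
        self.attempts.append(now)

        current = now // STEP_SECONDS
        for counter in range(current - self.window, current + self.window + 1):
            if self.disallow_reuse and counter in self.used_counters:
                continue   # that step's code was already spent
            if hmac.compare_digest(hotp(self.secret, counter), code):
                self.used_counters.add(counter)
                return True
        return False


if __name__ == "__main__":
    for t in (59, 1111111109, 1111111111):
        print(f"T={t}: {totp(RFC_TEST_SECRET, t)}")
```

Run as a script it prints the 6-digit codes for the RFC test times (the last six digits of the 8-digit vectors in RFC 6238). The verifier shows why the default window matters: a client whose clock is 30 seconds ahead still logs in, while a code that has already been accepted is refused even though it is still inside the window, and a fourth attempt within 30 seconds is refused regardless of the code.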
Configure OpenSSH to support MFA
Next we configure SSH to use the TOTP key, that is, we tell SSH to authenticate through Google PAM.
1. At the end of the /etc/pam.d/sshd file, add the following line:
auth required pam_google_authenticator.so nullok
The trailing nullok tells PAM that this authentication step is optional: users who have not yet generated a key can still log in with their SSH password or key. Once you have tested that logging in with the OATH-TOTP key works, remove nullok to make MFA mandatory.
2. Next, configure SSH to allow this kind of authentication. Edit the /etc/ssh/sshd_config configuration file, set ChallengeResponseAuthentication to yes, and then restart the SSH service:
sudo service ssh restart
At this point SSH can already verify logins with Google Authenticator. Finally, to secure the server further, we recommend enabling SSH key + MFA two-factor mode and abandoning SSH password authentication altogether.
Edit the /etc/ssh/sshd_config configuration file:
PasswordAuthentication no
UsePAM yes
# add the following line below
AuthenticationMethods publickey,keyboard-interactive
Important: before disabling SSH password or key-only authentication, you must test that logging in over SSH with Google Authenticator works; otherwise you may lock yourself out of the server.
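As a last check before removing nullok and restarting sshd, it helps to audit the two files this section edits. The Python below is an added example, not code from this page or from OpenSSH; it parses constructed copies of sshd_config and /etc/pam.d/sshd (labelled as such in the code) and reports every setting that would still allow a login without key + TOTP. Two facts it relies on: sshd uses the first value it sees for a keyword, and OpenSSH 8.7 and later name the option KbdInteractiveAuthentication, keeping ChallengeResponseAuthentication as an alias. It also flags Ubuntu's default `@include common-auth` line in /etc/pam.d/sshd, which makes the keyboard-interactive step ask for the Unix password as well as the verification code. The function names are my own.

```python
import re

# Constructed sample files for an offline run (NOT copied from any real server);
# on the server the real files are /etc/ssh/sshd_config and /etc/pam.d/sshd.
SSHD_CONFIG_BEFORE = """\
#PasswordAuthentication yes
ChallengeResponseAuthentication no
UsePAM yes
"""
SSHD_CONFIG_AFTER = """\
PasswordAuthentication no
ChallengeResponseAuthentication yes
UsePAM yes
AuthenticationMethods publickey,keyboard-interactive
"""
PAM_SSHD_BEFORE = """\
@include common-auth
auth required pam_google_authenticator.so nullok
"""
PAM_SSHD_AFTER = """\
# @include common-auth
auth required pam_google_authenticator.so
"""

REQUIRED = {"publickey", "keyboard-interactive"}


def parse_sshd_config(text):
    """Map lowercased keywords to values. sshd keeps the FIRST value of a keyword,
    and settings inside a Match block only apply conditionally, so stop there."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = parts[0].lower()
        if key == "match":
            break
        settings.setdefault(key, parts[1].strip() if len(parts) > 1 else "")
    return settings


def parse_pam_sshd(text):
    """Return (tokens of the pam_google_authenticator auth line or None, common-auth included?)."""
    google, common_auth = None, False
    for raw in text.splitlines():
        tokens = raw.split("#", 1)[0].split()
        if not tokens:
            continue
        if tokens[0] == "@include" and "common-auth" in tokens[1:]:
            common_auth = True
        if tokens[0].lower() == "auth" and any(t.endswith("pam_google_authenticator.so") for t in tokens):
            google = tokens
    return google, common_auth


def audit(sshd_config_text, pam_sshd_text):
    """Return a list of findings; an empty list means key + TOTP is enforced for every login."""
    cfg = parse_sshd_config(sshd_config_text)
    google, common_auth = parse_pam_sshd(pam_sshd_text)
    findings = []
    if cfg.get("passwordauthentication", "yes") != "no":       # sshd default: yes
        findings.append("PasswordAuthentication is not 'no': password-only logins remain possible")
    if cfg.get("usepam", "no") != "yes":                        # upstream default: no
        findings.append("UsePAM is not 'yes': the PAM module is never consulted")
    # OpenSSH 8.7+ renamed ChallengeResponseAuthentication to KbdInteractiveAuthentication
    # and keeps the old name as an alias; either spelling enables the TOTP prompt.
    kbd = cfg.get("kbdinteractiveauthentication", cfg.get("challengeresponseauthentication", "yes"))
    if kbd != "yes":
        findings.append("ChallengeResponseAuthentication/KbdInteractiveAuthentication is not 'yes': no TOTP prompt")
    # Every space-separated alternative must require both methods, or a weaker path exists.
    alternatives = cfg.get("authenticationmethods", "any").split()
    if any(not REQUIRED <= set(alt.split(",")) for alt in alternatives):
        findings.append("AuthenticationMethods allows a login path without both publickey and keyboard-interactive")
    if google is None:
        findings.append("/etc/pam.d/sshd has no 'auth required pam_google_authenticator.so' line")
    elif "nullok" in google:
        findings.append("nullok is still present: users without ~/.google_authenticator skip MFA")
    if common_auth:
        findings.append("common-auth is still included: keyboard-interactive will also prompt for the Unix password")
    return findings


if __name__ == "__main__":
    for label, pair in (("before", (SSHD_CONFIG_BEFORE, PAM_SSHD_BEFORE)),
                        ("after", (SSHD_CONFIG_AFTER, PAM_SSHD_AFTER))):
        print(label, audit(*pair) or ["OK: key + TOTP enforced"])
```

The "before" pair yields five findings and the hardened pair none. On a real server, read the two files and pass their contents to audit() while keeping an existing SSH session open, since a mistake here is exactly the lock-out the warning above describes; the common-auth finding is informational (the login still requires the key and the code, it just asks for the Unix password too).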