How to use a one-time password to securely log on to Linux through SSH
Some people say that security is not a product but a process. Although the SSH protocol is built on encryption, improper use can still let others compromise your system: weak passwords, leaked keys and outdated SSH clients all lead to security problems.
When choosing an SSH authentication scheme, public key authentication is generally considered safer than password authentication. However, public key authentication was not designed for public environments. If you use public key authentication from a public computer to log on to your SSH server, the server is no longer secure: the public computer may record your private key or read it from memory. If you do not trust the local computer, you had better log on to the server some other way. This is where the one-time password (OTP) comes in handy. As the name says, a one-time password can be used only once, which makes it suitable for an insecure environment: even if it is stolen, it cannot be used again.
One way to generate one-time passwords is Google Authenticator, but in this article I will introduce another SSH login solution, OTPW, a one-time password login package. Unlike Google Authenticator, OTPW does not depend on any third-party library.
What is OTPW?
OTPW consists of a one-time password generator and a PAM authentication module. The one-time passwords are generated in advance by the generator and handed to the user in some safe way (for example, printed on paper). On the server side, only hashes of these passwords are stored. When a user logs on with a one-time password, the OTPW PAM module verifies it and makes sure it cannot be used again.
Step 1: install and configure OTPW
On Debian, Ubuntu, or Linux Mint
Install with apt-get:
$ sudo apt-get install libpam-otpw otpw-bin
Open the PAM configuration file for the SSH service (/etc/pam.d/sshd) and comment out the following line (to disable PAM password authentication):
#@include common-auth
Add the following two lines (to enable one-time password authentication):
auth required pam_otpw.so
session optional pam_otpw.so
On Fedora or CentOS/RHEL
RedHat-based distributions do not ship a compiled OTPW package, so we need to build it from source.
First, install the compiling environment:
$ sudo yum install git gcc pam-devel
$ git clone https://www.cl.cam.ac.uk/~mgk25/git/otpw
$ cd otpw
Open the Makefile and edit the configuration line starting with "PAMLIB=":
64-bit system:
PAMLIB=/usr/lib64/security
32-bit system:
PAMLIB=/usr/lib/security
Compile and install. Note that the SSH service is restarted automatically during installation. If you are connected to the server over SSH, be prepared to be disconnected. (Even if the connection drops, you can reconnect the original way: the password has not yet been changed to a one-time one.)
$ make
$ sudo make install
Now you need to update the SELinux policy, because /usr/sbin/sshd will write to your home directory, which SELinux does not allow by default. If SELinux is not in use (LCTT note: run getenforce; if it prints Enforcing, SELinux is enabled), skip this step.
$ sudo grep sshd /var/log/audit/audit.log | audit2allow -M mypol
$ sudo semodule -i mypol.pp
Next, open the PAM configuration file (/etc/pam.d/sshd) and comment out the following line (to disable password authentication):
#auth substack password-auth
Add the following two lines (to enable one-time password authentication):
auth required pam_otpw.so
session optional pam_otpw.so
Step 2: configure the SSH server and use the one-time password
Open /etc/ssh/sshd_config and set the following three parameters. Make sure none of them appears more than once; otherwise the SSH server may behave unexpectedly.
UsePrivilegeSeparation yes
ChallengeResponseAuthentication yes
UsePAM yes
You also need to disable the default password authentication. In addition, you can enable public key authentication, so that you can still authenticate with a key and skip the one-time password.
PubkeyAuthentication yes
PasswordAuthentication no
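To catch the duplicate-directive problem mentioned above before you restart sshd, here is a small checker, added here as an example and not part of the original article or of OTPW. It reads an sshd_config (a constructed sample is embedded), reports any keyword set more than once in the main section (sshd honours the first value it reads and silently ignores the rest) and flags the required values when they are missing or wrong; it ignores Match blocks, an assumption noted in the code.

```python
import sys
from collections import defaultdict
# Constructed sample: PasswordAuthentication appears twice with conflicting
# values, exactly the duplicate the article warns about.
SAMPLE_SSHD_CONFIG = """\
UsePrivilegeSeparation yes
ChallengeResponseAuthentication yes
UsePAM yes
PubkeyAuthentication yes
PasswordAuthentication no
PasswordAuthentication yes
"""
# Values the article requires; sshd_config keywords are case-insensitive.
REQUIRED = {"useprivilegeseparation": "yes", "challengeresponseauthentication": "yes",
            "usepam": "yes", "passwordauthentication": "no"}

def parse_directives(text):
    """Map lowercased keyword -> every value given for it in the global section.
    Assumption: only lines before the first Match block are examined."""
    seen = defaultdict(list)
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()            # strip comments and blanks
        if not line:
            continue
        parts = line.replace("=", " ", 1).split(None, 1)  # "Key value" or "Key=value"
        key = parts[0].lower()
        if key == "match":
            break
        seen[key].append(parts[1].strip() if len(parts) > 1 else "")
    return seen

def find_problems(text):
    """Return a list of problems; an empty list means the config is clean."""
    directives = parse_directives(text)
    problems = []
    for key, values in directives.items():
        if len(values) > 1:                            # sshd keeps the first value it reads
            problems.append(f"{key} appears {len(values)} times; sshd uses {values[0]!r}")
    for key, want in REQUIRED.items():
        got = directives.get(key)
        if got is None:
            problems.append(f"{key} is missing (want {want!r})")
        elif got[0].lower() != want:
            problems.append(f"{key} is {got[0]!r} (want {want!r})")
    return problems

if __name__ == "__main__":                             # usage: python3 check_sshd.py /etc/ssh/sshd_config
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_SSHD_CONFIG
    for problem in find_problems(text):
        print("WARNING:", problem)
```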
Restart the SSH server.
Debian, Ubuntu or Linux Mint release:
$ sudo service ssh restart
Fedora or CentOS/RHEL 7 release:
$ sudo systemctl restart sshd
(LCTT note: Although sshd is restarted here, your current SSH session should not be affected, but you will not be able to open a new connection the old way until you complete the following steps. To be safe, either open a second SSH connection so that you cannot lose access by closing the current one by mistake, or restart sshd only after Step 3 is complete.)
Step 3: Use OTPW to generate a one-time password
As mentioned before, you need to generate the one-time passwords in advance and keep them. Use the otpw-gen command to create them:
$ cd ~
$ otpw-gen > temporary_password.txt
This command asks you to enter a password prefix. When you log on later, you must type the prefix followed by the one-time password. The prefix is an extra layer of protection: even if your one-time password table leaks, the passwords alone cannot be used to brute-force your SSH login.
Once the prefix is set, the command generates 280 one-time passwords (their hashes are saved in ~/.otpw) and writes the passwords to a text file (here temporary_password.txt). Each password (8 characters by default) is indexed by a three-digit decimal number. Print the password table and carry it with you.
Look at the ~/.otpw file, which stores the hashes of the one-time passwords. The first three decimal digits of each entry are the index into the password table you carry, and they are used when you log on to the SSH server.
$ more ~/.otpw
OTPW1
280 3 12 8
191ai+:ENwmMqwn
218tYRZc%PIY27a
241ve8ns%NsHFmf
055W4/YCauQJkr:
102ZnJ4VWLFrk5N
273Xww55hteJ8Y1
509d4b5=A64jBT1
68FWBXY%ztm9j%0
00rWUSdBYr%8UE0
37NvyryzcI+YRX1
22rEwA3GXvOk=z
Test one-time password login to the SSH server
Log on to the SSH server the normal way:
$ ssh user@remote_host
If OTPW is working, you will see a prompt that differs from the usual one:
Password 191:
Open your password table and find the password with the index number 191.
023 kBvp tq/G 079 jKEw /HRM 135 oW/c /UeB 191 fOO+ PeiD 247 vAnZ EgUt
As the table shows, password number 191 is "fOO+PeiD". You need to prepend the password prefix: for example, if you set the prefix to "000", you actually type "000fOO+PeiD".
After a successful logon, the password you just used expires automatically. Look at ~/.otpw again and you will see that the first entry line (the one for index 191) has been replaced with dashes, which means password 191 is no longer valid.
OTPW1
280 3 12 8
---------------
218tYRZc%PIY27a
241ve8ns%NsHFmf
055W4/YCauQJkr:
102ZnJ4VWLFrk5N
273Xww55hteJ8Y1
509d4b5=A64jBT1
68FWBXY%ztm9j%0
00rWUSdBYr%8UE0
37NvyryzcI+YRX1
22rEwA3GXvOk=z
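As an added example (not from the original article or the OTPW project), the script below parses a ~/.otpw file in the layout shown above, counts the entries that pam_otpw has struck out with dashes, and warns when few usable passwords remain so you know when to run otpw-gen again. The sample file is constructed; the header handling assumes the magic string may or may not share a line with the four parameters.

```python
import sys
# Constructed sample in the layout shown above: magic line, parameter line
# (passwords generated, index digits, hash chars, password chars), then one
# "<index><hash>" entry per line; an entry already used is overwritten with dashes.
SAMPLE_OTPW = """\
OTPW1
280 3 12 8
---------------
218tYRZc%PIY27a
241ve8ns%NsHFmf
---------------
102ZnJ4VWLFrk5N
"""
def parse_otpw(text):
    """Return (generated, listed, used, unused_indexes) for an OTPW1 file.
    Assumption: the magic string may or may not share a line with the parameters."""
    lines = [l.strip() for l in text.splitlines() if l.strip()]
    if not lines or not lines[0].startswith("OTPW1"):
        raise ValueError("not an OTPW1 file")
    if lines[0] == "OTPW1":
        params, body = lines[1].split(), lines[2:]
    else:
        params, body = lines[0][len("OTPW1"):].split(), lines[1:]
    generated, idx_digits, hash_chars = (int(p) for p in params[:3])
    width = idx_digits + hash_chars                # every entry has this fixed width
    used, unused = 0, []
    for entry in body:
        if len(entry) != width:
            raise ValueError(f"malformed entry {entry!r}")
        if entry == "-" * width:                   # struck out by pam_otpw after a login
            used += 1
        elif entry[:idx_digits].isdigit():
            unused.append(int(entry[:idx_digits]))
        else:
            raise ValueError(f"bad index in entry {entry!r}")
    return generated, len(body), used, unused

def remaining(text):
    # Number of one-time passwords that can still be used from this file.
    _, listed, used, _ = parse_otpw(text)
    return listed - used

def needs_new_table(text, minimum=20):
    # True when it is time to run otpw-gen again and print a fresh table.
    return remaining(text) < minimum

if __name__ == "__main__":                         # usage: python3 otpw_status.py ~/.otpw
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_OTPW
    generated, listed, used, unused = parse_otpw(text)
    print(f"generated {generated}, listed {listed}, used {used}, remaining {len(unused)}")
    if needs_new_table(text):
        print("WARNING: fewer than 20 one-time passwords left, run otpw-gen again")
```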
Summary
In this tutorial I showed how to set up one-time login passwords with OTPW. It may feel odd that this two-factor approach relies on a printed password table, but it is the simplest method and depends on no third-party software. Whichever way you create one-time passwords, they are useful when you need to log on to an SSH server from an untrusted environment.