Linux: using Google Authenticator to implement two-factor authentication for SSH login

Source: Internet
Author: User
Tags: chrony

1. Introduction

Two-factor authentication is an identity-authentication scheme that combines two different kinds of factor: something you know (a password) and something you have (a token). The variant used here relies on time synchronization: a one-time password derived from the current time (or an event counter) together with a secret key replaces the traditional static password. Each dynamic-password token holds a unique key, and a copy of that key is stored on the server. At every authentication the token and the server run the same algorithm over the same key and the same varying input (the time step or event count), so both compute the same one-time password and the user can be verified. Because that input differs for every authentication, every generated password is different and cannot be predicted from earlier ones, which is what secures the otherwise weak password step of the login.

To put it bluntly, it works like the password cards banks handed out a few years ago, or the login token NetEase issues for its games: when you use online banking or log on to the game, you are asked for a dynamic password in addition to your normal one.

 

2. Purpose

To log on to the Linux server, the user must enter a one-time dynamic password in addition to the user name and password; the login succeeds only when all of them are verified.

 

3. Installation Process

3.1 Install chrony

One of the inputs to the dynamic password is the time: the terminal device and the server generate the same dynamic password only when their system clocks agree.

To put it simply, chrony is an alternative implementation of the Network Time Protocol (NTP). Compared with the reference NTP daemon (ntpd), it synchronizes the system clock more quickly and more accurately.

NTP servers in China: Official Website

Note: set the system time zone correctly before synchronizing the clock.

[root@localhost ~]# yum install -y chrony
[root@localhost ~]# vim /etc/chrony.conf

server 0.cn.pool.ntp.org iburst

[root@localhost ~]# systemctl restart chronyd
[root@localhost ~]# chronyc sources
210 Number of sources = 4
MS Name/IP address         Stratum Poll Reach LastRx Last sample
===============================================================================
^? 223.112.179.133               0   6     0   10y     +0ns[   +0ns] +/-    0ns
^* dns1.synet.edu.cn             2   6    33     0   +113us[ +284us] +/-   28ms
^? 2001:da8:202:10::61           0   6     0   10y     +0ns[   +0ns] +/-    0ns
^? 42.96.167.209                 2   6    10     8  +2011us[ +949us] +/-  127ms

[root@localhost ~]# date
Saturday, December 31, 2016 09:30:24 CST

3.2 Install dependency components

[root@localhost ~]# yum install -y git automake libtool pam-devel

3.3 Download and install the Google Authenticator PAM module

[root@localhost ~]# git clone https://github.com/google/google-authenticator-libpam.git
[root@localhost ~]# ll
drwxr-xr-x 11 root root 4096 Dec 27 16:29 google-authenticator-libpam

[root@localhost ~]# cd google-authenticator-libpam/
[root@localhost google-authenticator-libpam]# ./bootstrap.sh
[root@localhost google-authenticator-libpam]# ./configure
[root@localhost google-authenticator-libpam]# make && make install
[root@localhost google-authenticator-libpam]# google-authenticator
[root@localhost google-authenticator-libpam]# cd ~
[root@localhost ~]# vim /etc/pam.d/sshd

auth required pam_google_authenticator.so no_increment_hotp

[root@localhost ~]# vim /etc/ssh/sshd_config

PasswordAuthentication yes
ChallengeResponseAuthentication yes
UsePAM yes

[root@localhost ~]# systemctl restart sshd
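The sshd_config and PAM edits above are easy to get subtly wrong: sshd_config(5) uses the first value it finds for each keyword, so appending PasswordAuthentication yes at the bottom of a stock file that already says PasswordAuthentication no leaves password authentication off, and the PAM line must be an active auth entry. The following Python check is an added example, not code from the article or from google-authenticator-libpam; it parses constructed sample copies of both files (the function names, the sample texts and the simplified treatment of Match blocks, which it ignores, are this example's own assumptions) and reports what sshd would actually apply.

```python
"""
Check the sshd_config and /etc/pam.d/sshd settings this guide relies on.
Added example, not code from the article or from google-authenticator-libpam.
"""
import re
from typing import Dict, List

# The three sshd_config settings the guide sets (sshd keywords are case-insensitive).
REQUIRED_SSHD = {
    "passwordauthentication": "yes",
    "challengeresponseauthentication": "yes",
    "usepam": "yes",
}


def effective_sshd_options(config_text: str) -> Dict[str, str]:
    """Return the value sshd would use for each keyword in the global section.

    sshd_config(5): for each keyword the first obtained value is used, so a
    line appended at the end of the file does not override an earlier one.
    Anything after the first Match block is conditional and is ignored here
    (an assumption of this example; sshd -T is the authoritative check).
    """
    effective: Dict[str, str] = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                                         # blank lines and comments
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)   # "Key value" or "Key=value"
        if len(parts) != 2:
            continue
        keyword, value = parts[0].lower(), parts[1].strip()
        if keyword == "match":
            break
        effective.setdefault(keyword, value)                 # first occurrence wins
    return effective


def pam_loads_google_authenticator(pam_text: str) -> bool:
    """True if /etc/pam.d/sshd has an active 'auth' entry for pam_google_authenticator.so."""
    for raw in pam_text.splitlines():
        fields = raw.split()
        if not fields or fields[0].startswith("#"):
            continue
        if len(fields) >= 3 and fields[0] == "auth" \
                and fields[2].endswith("pam_google_authenticator.so"):
            return True
    return False


def two_factor_problems(sshd_text: str, pam_text: str) -> List[str]:
    """List every setting that does not match what the guide needs; empty means OK."""
    problems: List[str] = []
    effective = effective_sshd_options(sshd_text)
    for keyword, wanted in REQUIRED_SSHD.items():
        got = effective.get(keyword)
        if got is None:
            problems.append(f"{keyword}: not set, compiled-in default applies")
        elif got.lower() != wanted:
            problems.append(f"{keyword}: effective value is '{got}', need '{wanted}'")
    if not pam_loads_google_authenticator(pam_text):
        problems.append("/etc/pam.d/sshd: no active 'auth ... pam_google_authenticator.so' line")
    return problems


# Constructed samples (not copied from any real host).
APPENDED_SSHD = """\
# stock settings near the top of the file
PasswordAuthentication no
ChallengeResponseAuthentication no
UsePAM yes
Subsystem sftp /usr/libexec/openssh/sftp-server
# the guide's lines appended at the bottom: sshd ignores them (first value wins)
PasswordAuthentication yes
ChallengeResponseAuthentication yes
UsePAM yes
"""

FIXED_SSHD = """\
PasswordAuthentication yes
ChallengeResponseAuthentication yes
UsePAM yes
Subsystem sftp /usr/libexec/openssh/sftp-server
# conditional settings after Match do not change the global values
Match User backup
    PasswordAuthentication no
"""

PAM_SSHD = """\
#%PAM-1.0
auth       required     pam_sepermit.so
auth       substack     password-auth
auth       required     pam_google_authenticator.so no_increment_hotp
account    required     pam_nologin.so
"""

if __name__ == "__main__":
    for name, text in (("appended", APPENDED_SSHD), ("fixed", FIXED_SSHD)):
        print(name, "->", two_factor_problems(text, PAM_SSHD) or "OK")
```

To check a real host, pass open('/etc/ssh/sshd_config').read() and open('/etc/pam.d/sshd').read() to two_factor_problems; sshd -T prints the values sshd actually applies and is the authoritative check.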
[root@localhost ~]# google-authenticator

Do you want authentication tokens to be time-based (y/n) y
Warning: pasting the following URL into your browser exposes the OTP secret to Google:
  https://www.google.com/chart?chs=200x200&chld=M|0&cht=qr&chl=otpauth://totp/root@localhost.localdomain%3Fsecret%3DN4HLEJOQHT27VCR6RX66WXB2SY%26issuer%3Dlocalhost.localdomain

Your new secret key is: N4HLEJOQHT27VCR6RX66WXB2SY
Your verification code is 299695
Your emergency scratch codes are:

  44477086
  92790948
  29251218
  26350870
  30696065

Do you want me to update your "/root/.google_authenticator" file? (y/n) y
Do you want to disallow multiple uses of the same authentication
token? This restricts you to one login about every 30s, but it increases
your chances to notice or even prevent man-in-the-middle attacks (y/n) y
By default, a new token is generated every 30 seconds by the mobile app.
In order to compensate for possible time-skew between the client and the server,
we allow an extra token before and after the current time. This allows for a
time skew of up to 30 seconds between authentication server and client. If you
experience problems with poor time synchronization, you can increase the window
from its default size of 3 permitted codes (one previous code, the current
code, the next code) to 17 permitted codes (the 8 previous codes, the current
code, and the 8 next codes). This will permit for a time skew of up to 4 minutes
between client and server.
Do you want to do so? (y/n) y
If the computer that you are logging into isn't hardened against brute-force
login attempts, you can enable rate-limiting for the authentication module.
By default, this limits attackers to no more than 3 login attempts every 30s.
Do you want to enable rate-limiting? (y/n) y

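The introduction describes the algorithm in words, and the prompts above describe the 3-code versus 17-code window and the restriction on reusing a token; the following Python puts both into code. It is an added example, not code from the article or from google-authenticator-libpam: it implements HOTP (RFC 4226) and TOTP (RFC 6238) with HMAC-SHA1, a 30-second step and 6 digits, which is what google-authenticator produces by default, plus a small verifier whose window argument maps to the permitted-code counts named in the prompts. The demo key is the RFC 6238 test key rather than the secret printed above, and modelling the reuse restriction by remembering the last accepted time step is this example's own simplification of what the PAM module does.

```python
"""
TOTP (RFC 6238) as used by google-authenticator: HMAC-SHA1 over a 30-second
time step, truncated to 6 digits. Added example, not code from the article
or from google-authenticator-libpam.
"""
import base64
import hashlib
import hmac
import struct
import time


def decode_base32_secret(secret: str) -> bytes:
    """Turn the base32 key shown by google-authenticator into raw key bytes."""
    s = secret.strip().replace(" ", "").upper()
    s += "=" * (-len(s) % 8)          # tolerate the unpadded form the tool prints
    return base64.b32decode(s)


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1(key, counter), dynamic truncation, modulo 10^digits."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp(key: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP with the counter set to the current 30-second time step."""
    return hotp(key, unix_time // step, digits)


class TotpVerifier:
    """Server side: accept a code within +/- `window` steps of the current time.

    window=1 permits 3 codes (previous, current, next); window=8 permits 17,
    the two choices google-authenticator offers.  Remembering the last accepted
    step models the "disallow multiple uses of the same token" option (this
    example's simplification): a code is never accepted for a step at or
    before one that was already used.
    """

    def __init__(self, key: bytes, window: int = 1, step: int = 30, digits: int = 6):
        self.key, self.window, self.step, self.digits = key, window, step, digits
        self.last_step = None

    def permitted_codes(self) -> int:
        return 2 * self.window + 1

    def verify(self, code: str, unix_time: int) -> bool:
        now = unix_time // self.step
        for candidate in range(now - self.window, now + self.window + 1):
            if hmac.compare_digest(hotp(self.key, candidate, self.digits), code):
                if self.last_step is not None and candidate <= self.last_step:
                    return False      # replay of an already-used (or older) step
                self.last_step = candidate
                return True
        return False


if __name__ == "__main__":
    # Constructed demo with the RFC 6238 SHA-1 test key, not the secret from the article.
    key = decode_base32_secret("GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ")   # == b"12345678901234567890"
    print("code at t=59:", totp(key, 59))             # RFC 6238 vector 94287082, last 6 digits
    print("code now:    ", totp(key, int(time.time())))
    v = TotpVerifier(key, window=1)
    print("accepts current code:", v.verify(totp(key, 59), 59))
    print("accepts same code again:", v.verify(totp(key, 59), 59))
```

A larger window only makes the server tolerant of clock skew; it does not weaken the code itself, but every extra permitted code is one more value an online guess could match, which is why the rate limit in the last prompt goes together with it.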
3.4 Install the authenticator on your mobile phone

App: http://www.coolapk.com/apk/com.google.android.apps.authenticator2


 

4. Logon verification

Note: the first logon attempt may fail. In that case the following error appears in the log:

[root@localhost ~]# tail -n10 /var/log/secure

...
Dec 31 09:42:46 localhost sshd[2393]: PAM unable to dlopen(/usr/lib64/security/pam_google_authenticator.so): /usr/lib64/security/pam_google_authenticator.so: cannot open shared object file: No such file or directory
Dec 31 09:42:46 localhost sshd[2393]: PAM adding faulty module: /usr/lib64/security/pam_google_authenticator.so
...

[root@localhost ~]# ln -sv /usr/local/lib/security/pam_google_authenticator.so /usr/lib64/security/pam_google_authenticator.so
"/usr/lib64/security/pam_google_authenticator.so" -> "/usr/local/lib/security/pam_google_authenticator.so" 

Log on again.




Now read the verification code (077625 in this run) from the mobile app and enter it at the Verification code prompt.



 

