1. Introduction
Two-factor authentication: two-factor authentication combines something you know (a password) with something you have (a token device or a phone app), and both must be presented together. The implementation discussed here uses time synchronization: it replaces the static password with a one-time dynamic password derived from three inputs, a secret key, the current time (or, for event-based tokens, a counter) and a fixed algorithm. Each token holds a unique key, and the same key is stored on the server. At every authentication the token and the server feed the same key and the same time or counter value into the same algorithm, so both arrive at the same code and the server can check what the user typed. Because the time or counter input changes from one authentication to the next, every code is different, and because the code is computed from a secret that only the token and the server hold, someone who has seen earlier codes cannot predict the next one. Plain password authentication thereby gains its most basic protection against a stolen or replayed password.
Put simply, it is the same thing as the hardware tokens banks handed out a few years ago, or the NetEase game account token: when you use online banking or log in to the game, you are asked for the dynamic password.
2. Purpose
After this change, logging in to the Linux server over SSH requires a one-time dynamic password in addition to the user name and password.
3. Installation process
3.1 Installing Chrony
One of the inputs to the dynamic password is the time, so the device and the server must keep their clocks in sync, or they will compute different codes.
In short, chrony is another implementation of the Network Time Protocol (NTP). Compared with the classic NTP daemon (ntpd) it converges faster and keeps the clock more accurate, including on machines that are not always online.
NTP pool servers that are reachable from China (the cn.pool.ntp.org names used below) are listed on the pool project's official website.
Note: when synchronizing time, also make sure the system time zone is set correctly. The one-time code itself is computed from Unix time, which does not depend on the zone, so what must be right is the clock; the zone only affects what `date` displays, and a wrong zone is usually the first sign that the clock has not been checked at all.
[root@localhost ~]# yum install -y chrony
[root@localhost ~]# vim /etc/chrony.conf
server 0.cn.pool.ntp.org iburst
[root@localhost ~]# systemctl restart chronyd
[root@localhost ~]# chronyc sources
210 Number of sources = 4
MS Name/IP address         Stratum Poll Reach LastRx Last sample
===============================================================================
^? 223.112.179.133               0   6     0   10y     +0ns[   +0ns] +/-    0ns
^* dns1.synet.edu.cn             2   6    33     0   +113us[ +284us] +/-   28ms
^? 2001:da8:202:10::61           0   6     0   10y     +0ns[   +0ns] +/-    0ns
^? 42.96.167.209                 2   6    10     8  +2011us[ +949us] +/-  127ms
The `^*` entry is the source chrony is currently synchronized to; `^?` sources have not been reached yet.
[root@localhost ~]# date
Sat Dec 31 09:30:24 CST 2016
3.2 Install dependencies
[root@localhost ~]# yum install -y git automake libtool pam-devel
3.3 Download and build the Google Authenticator PAM module
[root@localhost ~]# git clone https://github.com/google/google-authenticator-libpam.git
[root@localhost ~]# ll
drwxr-xr-x 11 root root 4096 Dec 27 16:29 google-authenticator-libpam
[root@localhost ~]# cd google-authenticator-libpam/
[root@localhost google-authenticator-libpam]# ./bootstrap.sh
[root@localhost google-authenticator-libpam]# ./configure
[root@localhost google-authenticator-libpam]# make && make install
With the default prefix, make install places the module at /usr/local/lib/security/pam_google_authenticator.so, which becomes relevant in section 4.
[root@localhost google-authenticator-libpam]# google-authenticator
Run this as the account that will log in; its questions and answers are shown in full further down.
[root@localhost google-authenticator-libpam]# cd ~
[root@localhost ~]# vim /etc/pam.d/sshd
auth required pam_google_authenticator.so no_increment_hotp
Add this line to the auth section. "required" means a login that fails the code check is refused even if the password was correct. no_increment_hotp only matters for counter-based (HOTP) tokens, where it stops failed attempts from consuming a counter value; it is harmless for the time-based setup chosen below. Without the nullok option, every account that has no ~/.google_authenticator file is locked out of password logins over SSH, so generate a secret for each user before relying on this (or add nullok during the rollout).
[root@localhost ~]# vim /etc/ssh/sshd_config
PasswordAuthentication yes
ChallengeResponseAuthentication yes
UsePAM yes
ChallengeResponseAuthentication yes lets sshd run keyboard-interactive authentication and pass the prompts PAM generates (Password and Verification code) through to the client, and UsePAM yes must stay on or the PAM line above is never consulted. These settings put the code in front of password logins only: a client holding an authorized public key is accepted without entering the PAM auth stack. To demand key plus code, use OpenSSH's AuthenticationMethods option to require publickey and keyboard-interactive together.
[root@localhost ~]# systemctl restart sshd
[root@localhost ~]# google-authenticator
Do you want authentication tokens to be time-based (y/n) y
Warning: pasting the following URL into your browser exposes the OTP secret to Google:
https://www.google.com/chart?chs=200x200&chld=M|0&cht=qr&chl=otpauth://totp/root@localhost.localdomain%3Fsecret%3DN4HLEJOQHT27VCR6RX66WXB2SY%26issuer%3Dlocalhost.localdomain
Your new secret key is: N4HLEJOQHT27VCR6RX66WXB2SY
Your verification code is 299695
Your emergency scratch codes are:
44477086
92790948
29251218
26350870
30696065
Do you want me to update your "/root/.google_authenticator" file? (y/n) y
Do you want to disallow multiple uses of the same authentication
token? This restricts you to one login about every 30s, but it increases
your chances to notice or even prevent man-in-the-middle attacks (y/n) y
By default, a new token is generated every 30 seconds by the mobile app.
In order to compensate for possible time-skew between the client and the server,
we allow an extra token before and after the current time. This allows for a
time skew of up to 30 seconds between authentication server and client. If you
experience problems with poor time synchronization, you can increase the window
from its default size of 3 permitted codes (one previous code, the current
code, the next code) to 17 permitted codes (the 8 previous codes, the current
code, and the 8 next codes). This will permit for a time skew of up to 4 minutes
between client and server.
Do you want to do so? (y/n) y
If the computer that you are logging into isn't hardened against brute-force
login attempts, you can enable rate-limiting for the authentication module.
By default, this limits attackers to no more than 3 login attempts every 30s.
Do you want to enable rate-limiting? (y/n) y
A few notes on these answers. Heed the warning about the URL: the QR code is generated by a Google web service, so the secret travels to Google; typing the secret key into the app by hand avoids that. Answering y to the 4-minute window makes 17 codes valid at any moment instead of 3; with chrony keeping the clock right, the default window is enough, so answer n unless you actually see skew problems. Store the scratch codes offline; each one logs you in once if the phone is lost. The secret and scratch codes printed above belong to this demonstration and are now public.
3.4 Installing the authenticator on the phone
Install the Google Authenticator app, then either scan the QR code from the URL above or type the secret key in by hand:
app: http://www.coolapk.com/apk/com.google.android.apps.authenticator2
4. Login verification
Keep an existing root session open while testing, so a broken PAM stack cannot lock you out. The first login attempt may fail; the log shows why:
[root@localhost ~]# tail -n10 /var/log/secure
...
Dec 31 09:42:46 localhost sshd[2393]: PAM unable to dlopen(/usr/lib64/security/pam_google_authenticator.so): /usr/lib64/security/pam_google_authenticator.so: cannot open shared object file: No such file or directory
Dec 31 09:42:46 localhost sshd[2393]: PAM adding faulty module: /usr/lib64/security/pam_google_authenticator.so
...
make install put the module under /usr/local/lib/security, but PAM on 64-bit CentOS 7 loads its modules from /usr/lib64/security, so a symlink is enough:
[root@localhost ~]# ln -sv /usr/local/lib/security/pam_google_authenticator.so /usr/lib64/security/pam_google_authenticator.so
"/usr/lib64/security/pam_google_authenticator.so" -> "/usr/local/lib/security/pam_google_authenticator.so"
Log in again.
Now the moment of truth: read the verification code 077625 from the phone app and enter it at the Verification code prompt, as shown:
[screenshot: Linux uses Google Authenticator to implement ssh login two-factor authentication]
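To check the result in /var/log/secure without reading it by hand, an added example in Python (not from the page or from the project): it parses syslog-style lines, lists PAM modules that failed to load (the error shown above), counts wrong one-time codes per user inside a sliding 30-second window (the rate limit chosen earlier is 3 attempts per 30 s) and lists users whose code was accepted. The sample log is constructed: its first two lines are the ones quoted above, the rest are assumed to follow the message text pam_google_authenticator and sshd write ("Invalid verification code for", "Accepted google_authenticator for", "Accepted keyboard-interactive/pam for"), so confirm those strings against your own log before alerting on them. The year is assumed to be 2016 because syslog timestamps omit it, and the function names are mine.

```python
import re
from datetime import datetime

# Constructed sample of /var/log/secure. Lines 1-2 are the ones quoted on the page;
# the rest are made up for this example and follow the message formats assumed for
# pam_google_authenticator and sshd (verify against your own log).
SAMPLE_SECURE_LOG = """\
Dec 31 09:42:46 localhost sshd[2393]: PAM unable to dlopen(/usr/lib64/security/pam_google_authenticator.so): /usr/lib64/security/pam_google_authenticator.so: cannot open shared object file: No such file or directory
Dec 31 09:42:46 localhost sshd[2393]: PAM adding faulty module: /usr/lib64/security/pam_google_authenticator.so
Dec 31 09:51:02 localhost sshd(pam_google_authenticator)[2450]: Invalid verification code for root
Dec 31 09:51:09 localhost sshd(pam_google_authenticator)[2450]: Invalid verification code for root
Dec 31 09:51:15 localhost sshd(pam_google_authenticator)[2450]: Invalid verification code for root
Dec 31 09:51:20 localhost sshd(pam_google_authenticator)[2450]: Invalid verification code for root
Dec 31 09:52:30 localhost sshd(pam_google_authenticator)[2461]: Accepted google_authenticator for root
Dec 31 09:52:31 localhost sshd[2461]: Accepted keyboard-interactive/pam for root from 192.0.2.10 port 51234 ssh2
"""

LOG_YEAR = 2016  # assumed: syslog timestamps carry no year; taken from the page's date output

# "Mon DD HH:MM:SS host program[pid]: message"; program may be "sshd(pam_google_authenticator)"
LINE_RE = re.compile(r"^(\w{3} +\d{1,2} \d\d:\d\d:\d\d) (\S+) ([^\[]+)\[(\d+)\]: (.*)$")


def parse_secure_line(line):
    """Split one syslog line into its fields, or return None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group(1), "%b %d %H:%M:%S").replace(year=LOG_YEAR)
    return {"ts": ts, "host": m.group(2), "prog": m.group(3), "pid": int(m.group(4)), "msg": m.group(5)}


def parse_log(text):
    return [e for e in (parse_secure_line(l) for l in text.splitlines()) if e]


def faulty_pam_modules(entries):
    """Modules PAM could not load: the failure the page hit before adding the symlink."""
    prefix = "PAM adding faulty module: "
    return [e["msg"][len(prefix):].strip() for e in entries if e["msg"].startswith(prefix)]


def otp_failure_bursts(entries, window_seconds=30):
    """Per user, the largest number of wrong codes inside any window of window_seconds.
    Sliding-window count over sorted timestamps; a user above the module's rate limit
    (3 per 30 s by default) is either a brute-force attempt or a sign the limit is off."""
    prefix = "Invalid verification code for "
    per_user = {}
    for e in entries:
        if e["msg"].startswith(prefix):
            per_user.setdefault(e["msg"][len(prefix):].strip(), []).append(e["ts"])
    result = {}
    for user, stamps in per_user.items():
        stamps.sort()
        best, j = 0, 0
        for i, start in enumerate(stamps):
            while j < len(stamps) and (stamps[j] - start).total_seconds() <= window_seconds:
                j += 1
            best = max(best, j - i)
        result[user] = best
    return result


def users_over_limit(entries, window_seconds=30, limit=3):
    """Users who exceeded `limit` wrong codes in one window: what to alert on."""
    return sorted(u for u, n in otp_failure_bursts(entries, window_seconds).items() if n > limit)


def accepted_otp_logins(entries):
    """Users whose one-time code was accepted by the module."""
    prefix = "Accepted google_authenticator for "
    return [e["msg"][len(prefix):].strip() for e in entries if e["msg"].startswith(prefix)]


if __name__ == "__main__":
    entries = parse_log(SAMPLE_SECURE_LOG)
    print("faulty modules:", faulty_pam_modules(entries))
    print("wrong-code bursts:", otp_failure_bursts(entries))
    print("over limit:", users_over_limit(entries))
    print("accepted:", accepted_otp_logins(entries))
```

On a real host, replace SAMPLE_SECURE_LOG with the contents of /var/log/secure (or feed `journalctl -u sshd` output after adjusting LINE_RE to its timestamp format); a non-empty faulty_pam_modules list means the PAM line is being skipped entirely, which on its own is a reason to check whether logins are still being accepted without the second factor.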