s1. Implementing SSH two-factor authentication with Google Authenticator



What is MFA?
Multi-Factor Authentication (MFA) is a simple and effective security best practice: it adds a further layer of protection on top of the username and password.

What it does: SSH login requires two verifications, first the numeric code from the app, then the root user's password; login succeeds only if both pass.
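The six-digit code the app shows is a TOTP (RFC 6238): HMAC-SHA1 of the shared secret over the current 30-second time step, truncated to six digits. The wizard's questions about "time skew" (window size) and "multiple uses of the same token" (reuse) are about how the server checks that code. The Python below is an added example, not code from this page or from the google-authenticator project: it computes the code and models the server-side check. It uses the base32 secret that this page's wizard run prints as a fixture (a secret that has been published must be treated as burned) plus the RFC 4226/6238 reference key for a known-answer check. The names `totp`, `verify`, `current_step` and `used_steps` are this example's own.

```python
import base64
import hashlib
import hmac
import struct

STEP_SECONDS = 30   # the app generates a new code every 30 seconds
DIGITS = 6

# Base32 secret printed by the wizard run on this page, used here only as a fixture:
# once a secret has been published it must be considered burned.
PAGE_SECRET = "WPZQDZ3W7J2BNOHJ3B52WLXEUE"
# RFC 4226 / RFC 6238 reference key "12345678901234567890", base32-encoded,
# for a known-answer check against the published test vectors.
RFC_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def totp(secret_b32: str, step: int, digits: int = DIGITS) -> str:
    """Code for one time step: HMAC-SHA1(secret, step as 8-byte big-endian counter),
    dynamic truncation (RFC 4226 section 5.3), then the last `digits` decimal digits."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    key = base64.b32decode(padded)
    mac = hmac.new(key, struct.pack(">Q", step), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    truncated = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(truncated % 10 ** digits).zfill(digits)


def current_step(now: int) -> int:
    """Time step counter for a Unix timestamp."""
    return now // STEP_SECONDS


def verify(secret_b32: str, code: str, now: int, window_size: int = 3, used_steps=()):
    """Server-side check as the wizard describes it. window_size is the number of codes
    accepted around the current step: 3 means previous/current/next (+-30 s of skew),
    17 means +-8 steps (+-4 min). used_steps models the "disallow multiple uses" option:
    a step that already produced a login is never accepted again.
    Returns the matching step, or None if the code is rejected."""
    half = window_size // 2
    centre = current_step(now)
    for step in range(centre - half, centre + half + 1):
        if step < 0 or step in used_steps:
            continue
        if hmac.compare_digest(totp(secret_b32, step), code):
            return step
    return None


def rfc6238_known_answer() -> bool:
    """RFC 4226 appendix D vectors for counters 0..2 (TOTP at T=59 is counter 1)."""
    expected = {0: "755224", 1: "287082", 2: "359152"}
    return all(totp(RFC_SECRET, c) == v for c, v in expected.items())


if __name__ == "__main__":
    import time
    now = int(time.time())
    print("known-answer check:", rfc6238_known_answer())
    code = totp(PAGE_SECRET, current_step(now))
    print("code for the page's secret right now:", code)
    step = verify(PAGE_SECRET, code, now)
    replay = verify(PAGE_SECRET, code, now, used_steps={step})
    print("accepted at step", step, "- replay of the same code rejected:", replay is None)
```

Run it on a host whose clock is synchronised and the printed code matches what the app shows for the same secret; the replay line is why the wizard recommends answering y to "disallow multiple uses": a code captured by an attacker watching the session is useless once it has produced one login.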

Official site: github.com/google/goog…


1. First download the mobile app (the original page shows a QR code pointing to the download)

2. Run the script below to do the installation automatically.

The script installs the PAM module, prints the wizard's questions with the recommended answers, runs the interactive `google-authenticator` wizard as root, inserts `pam_google_authenticator.so` into /etc/pam.d/sshd ahead of the password stack (so the verification code is asked for first), enables ChallengeResponseAuthentication and restarts sshd. Before running it on a real host: keep your current root session open until a fresh login has been tested, because `auth required pam_google_authenticator.so` without the `nullok` option locks out every user who has no ~/.google_authenticator yet; make sure the clock is synchronised (chronyd), since the codes are time-based; and note that public-key logins skip this PAM check unless sshd_config also sets `AuthenticationMethods publickey,keyboard-interactive`.

[root@rocky8 ~]# cat google-authenticator.sh 
#!/bin/bash
# Enable EPEL first if it is not enabled yet (the google-authenticator package lives there)
#yum install -y epel-release.noarch 
#yum makecache 
# Install the Google Authenticator PAM module
yum install -y google-authenticator.x86_64

# Print the wizard's questions together with the recommended answer (y),
# so they can be read before the interactive run below
echo -e "\033[31mDo you want authentication tokens to be time-based (y/n) y\033[0m"
echo -e "\033[31mDo you want me to update your \"/root/.google_authenticator\" file? (y/n) y\033[0m"
echo -e "\033[31mDo you want to disallow multiple uses of the same authentication"
echo -e "token? This restricts you to one login about every 30s, but it increases"
echo -e "your chances to notice or even prevent man-in-the-middle attacks (y/n) y\033[0m"
echo -e "\033[31mBy default, a new token is generated every 30 seconds by the mobile app."
echo -e "In order to compensate for possible time-skew between the client and the server,"
echo -e "we allow an extra token before and after the current time. This allows for a"
echo -e "time skew of up to 30 seconds between authentication server and client. If you"
echo -e "experience problems with poor time synchronization, you can increase the window"
echo -e "from its default size of 3 permitted codes (one previous code, the current"
echo -e "code, the next code) to 17 permitted codes (the 8 previous codes, the current"
echo -e "code, and the 8 next codes). This will permit for a time skew of up to 4 minutes"
echo -e "between client and server."
echo -e "Do you want to do so? (y/n) y\033[0m"
echo -e "\033[31mIf the computer that you are logging into isn't hardened against brute-force"
echo -e "login attempts, you can enable rate-limiting for the authentication module."
echo -e "By default, this limits attackers to no more than 3 login attempts every 30s."
echo -e "Do you want to enable rate-limiting? (y/n) y\033[0m"
echo -e "\033[32m Search for Google Authenticator in the App Store and install the app \033[0m"

# Interactive wizard: writes the secret, the chosen options and the scratch codes
# to /root/.google_authenticator
google-authenticator

# /etc/pam.d/sshd: add the line below (inserted after line 1, i.e. before
# "auth substack password-auth", so the verification code is asked before the password)
#auth required pam_google_authenticator.so
grep -q pam_google_authenticator.so /etc/pam.d/sshd || \
  sed -i '1a\auth       required     pam_google_authenticator.so' /etc/pam.d/sshd
# /etc/ssh/sshd_config: find the line
#ChallengeResponseAuthentication no
# and change it to
#ChallengeResponseAuthentication yes
sed -i 's/.*ChallengeResponseAuthentication.*/ChallengeResponseAuthentication yes/' /etc/ssh/sshd_config

# Restart the SSH service
service sshd restart


[root@rocky8 ~]# bash google-authenticator.sh 
Do you want authentication tokens to be time-based (y/n) y
Warning: pasting the following URL into your browser exposes the OTP secret to Google:
  https://www.google.com/chart?chs=200x200&chld=M|0&cht=qr&chl=otpauth://totp/root@rocky8%3Fsecret%3DWPZQDZ3W7J2BNOHJ3B52WLXEUE%26issuer%3Drocky8  #paste this into a browser, open it and scan the QR code with the phone app to bind the device
Failed to use libqrencode to show QR code visually for scanning.
Consider typing the OTP secret into your app manually.
Your new secret key is: WPZQDZ3W7J2BNOHJ3B52WLXEUE
Enter code from app (-1 to skip):         

3. Open the generated URL (google.com must be reachable, which from mainland China means going through a proxy)
https://www.google.com/chart?chs=200x200&chld=M|0&cht=qr&chl=otpauth://totp/root@rocky8%3Fsecret%3DWPZQDZ3W7J2BNOHJ3B52WLXEUE%26issuer%3Drocky8

As the wizard warns, this URL hands the OTP secret to Google's chart service. Installing libqrencode before running the wizard makes it draw the QR code in the terminal instead, and the secret can also simply be typed into the app by hand.


  4. Open the authenticator app and scan the QR code on the web page to bind the phone


  5. Continue the setup wizard from above: enter the digits shown in the phone app, then answer y to every remaining question
Failed to use libqrencode to show QR code visually for scanning.
Consider typing the OTP secret into your app manually.
Your new secret key is: WPZQDZ3W7J2BNOHJ3B52WLXEUE
Enter code from app (-1 to skip): 985657 #the digits shown in the phone app
Code confirmed
Your emergency scratch codes are:
  42705772
  91980223
  12042355
  50443973
  44998901
Do you want me to update your "/root/.google_authenticator" file? (y/n) y

Do you want to disallow multiple uses of the same authentication
token? This restricts you to one login about every 30s, but it increases
your chances to notice or even prevent man-in-the-middle attacks (y/n) y

By default, a new token is generated every 30 seconds by the mobile app.
In order to compensate for possible time-skew between the client and the server,
we allow an extra token before and after the current time. This allows for a
time skew of up to 30 seconds between authentication server and client. If you
experience problems with poor time synchronization, you can increase the window
from its default size of 3 permitted codes (one previous code, the current
code, the next code) to 17 permitted codes (the 8 previous codes, the current
code, and the 8 next codes). This will permit for a time skew of up to 4 minutes
between client and server.
Do you want to do so? (y/n) y

If the computer that you are logging into isn't hardened against brute-force
login attempts, you can enable rate-limiting for the authentication module.
By default, this limits attackers to no more than 3 login attempts every 30s.
Do you want to enable rate-limiting? (y/n) y
Redirecting to /bin/systemctl restart sshd.service
  6. ssh into this host: the new prompt appears, and entering the numeric code from the phone app followed by the root password logs you in; anything else fails
[root@centos7 ~]# ssh 172.31.1.8
The authenticity of host '172.31.1.8 (172.31.1.8)' can't be established.
ECDSA key fingerprint is SHA256:vNisZsO9QqmnO9PgokkzEsDHuQCYWfXCuG9Ep2AudpQ.
ECDSA key fingerprint is MD5:37:f1:42:63:36:b8:d5:20:8b:0c:a3:76:71:ff:a5:27.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '172.31.1.8' (ECDSA) to the list of known hosts.
Verification code: #the digits shown in the phone app
Password: 
Last login: Thu Nov 18 17:51:56 2021 from 172.31.0.1
[root@rocky8 ~]# exit
logout
Connection to 172.31.1.8 closed.
  7. The emergency scratch codes are stored in /root/.google_authenticator; each one is deleted after a single use, and new ones can be added by hand. The first line of the file is the base32 secret, the lines beginning with `"` record the options chosen in the wizard (a rate limit of 3 attempts per 30 s followed by the timestamps of recent attempts, window size 17, the 30-second time steps already used for a login under DISALLOW_REUSE, and TOTP mode), and the trailing eight-digit lines are the unused scratch codes
[root@rocky8 ~]# cat .google_authenticator
WPZQDZ3W7J2BNOHJ3B52WLXEUE
" RATE_LIMIT 3 30 1637229675
" WINDOW_SIZE 17
" DISALLOW_REUSE 54574322
" TOTP_AUTH
42705772
91980223
12042355
50443973
44998901
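How the file above is read and rewritten at each login, as an added example that is neither this page's nor the pam_google_authenticator module's own code. It embeds a copy of the file shown above as a constructed fixture and implements a model of the bookkeeping: the `" RATE_LIMIT N W t...` line keeps the timestamps of recent attempts, `" DISALLOW_REUSE` keeps the 30-second time steps that already produced a login (1637229675 // 30 is 54574322, so the reuse entry in the file is the time step of the attempt recorded on the rate-limit line), and each 8-digit scratch code line is deleted once used. The function names are this example's own, and the real module's rewrite logic is simplified here.

```python
import re

# Copy of the /root/.google_authenticator shown above, embedded as a constructed fixture
# so the functions run offline. The secret and scratch codes are public now: burned.
STATE_FILE_TEXT = """\
WPZQDZ3W7J2BNOHJ3B52WLXEUE
" RATE_LIMIT 3 30 1637229675
" WINDOW_SIZE 17
" DISALLOW_REUSE 54574322
" TOTP_AUTH
42705772
91980223
12042355
50443973
44998901
"""

STEP_SECONDS = 30
SCRATCH_RE = re.compile(r"^\d{8}$")


def parse_state(text):
    """Return (base32 secret, {option: [values]}, [unused scratch codes]).
    Line 1 is the secret; lines starting with '"' are options the wizard wrote;
    the remaining 8-digit lines are emergency scratch codes."""
    lines = text.splitlines()
    secret = lines[0].strip()
    options, scratch = {}, []
    for line in lines[1:]:
        line = line.strip()
        if line.startswith('"'):
            fields = line[1:].split()
            options[fields[0]] = fields[1:]
        elif SCRATCH_RE.match(line):
            scratch.append(line)
    return secret, options, scratch


def _set_option(text, name, values):
    """Rewrite one '" NAME ...' line in place; state is persisted back to the file this way."""
    new_line = " ".join(['"', name] + [str(v) for v in values])
    out = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 2 and fields[0] == '"' and fields[1] == name:
            out.append(new_line)
        else:
            out.append(line)
    return "\n".join(out) + "\n"


def step_of(timestamp):
    """TOTP time step of a Unix timestamp; this is what DISALLOW_REUSE stores."""
    return timestamp // STEP_SECONDS


def rate_limit_check(text, now):
    """'" RATE_LIMIT N W t1 t2 ...': allow at most N attempts per W seconds.
    Timestamps older than W seconds are dropped, the current attempt is recorded
    whether or not it is allowed, and only the newest N are kept.
    Returns (allowed, updated_text)."""
    _, options, _ = parse_state(text)
    if "RATE_LIMIT" not in options:
        return True, text
    n, w, *stamps = (int(x) for x in options["RATE_LIMIT"])
    recent = [t for t in stamps if now - t < w]
    allowed = len(recent) < n
    recent = (recent + [now])[-n:]
    return allowed, _set_option(text, "RATE_LIMIT", [n, w] + recent)


def reuse_check(text, step):
    """'" DISALLOW_REUSE s1 s2 ...': a time step that already produced a login is
    rejected; otherwise it is recorded. Returns (allowed, updated_text)."""
    _, options, _ = parse_state(text)
    if "DISALLOW_REUSE" not in options:
        return True, text
    used = [int(x) for x in options["DISALLOW_REUSE"]]
    if step in used:
        return False, text
    return True, _set_option(text, "DISALLOW_REUSE", used + [step])


def redeem_scratch(text, code):
    """Scratch codes are single-use: on a match the line is deleted from the file.
    Returns (accepted, updated_text)."""
    _, _, scratch = parse_state(text)
    if code not in scratch:
        return False, text
    kept = [line for line in text.splitlines() if line.strip() != code]
    return True, "\n".join(kept) + "\n"


if __name__ == "__main__":
    secret, options, scratch = parse_state(STATE_FILE_TEXT)
    print("secret:", secret, "window:", options["WINDOW_SIZE"], "scratch codes left:", len(scratch))
    used = [int(x) for x in options["DISALLOW_REUSE"]]
    print("step of the recorded attempt already used:", step_of(1637229675) in used)
    ok, text = redeem_scratch(STATE_FILE_TEXT, "42705772")
    print("scratch accepted:", ok, "- accepted a second time:", redeem_scratch(text, "42705772")[0])
```

The file is rewritten on every login, which is why the module requires it to be owned by the user and not readable by others; anyone who can read it has the secret and the unused scratch codes, and anyone who can write it can clear DISALLOW_REUSE or the rate-limit timestamps.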