Description: For a Level 3 system under the Classified Protection of Information Security scheme (等级保护), the host-security identity authentication control explicitly requires that two or more authentication techniques be used together, i.e. two-factor login. This post walks through how to set that up for Ubuntu authentication.

Ubuntu authentication (two-factor login with Google Authenticator)


Operations staff normally administer servers remotely over SSH. By default an SSH login needs only a username and password to pass authentication, which clearly does not satisfy the two-factor login requirement of Classified Protection. In this exercise we use Google Authenticator to add a dynamic verification code on top of the username and password: only the correct username, password and dynamic code together allow a login, which gives us two-factor authentication. The Google Authenticator dynamic code is read from the "FreeOTP" app on a phone (by default it refreshes every 30 seconds).

# System information:

sysroot@ubuntu:~$ lsb_release -a

sysroot@ubuntu:~$ cat /proc/version

sysroot@ubuntu:~$ uname -m

# Install the build dependencies

sysroot@ubuntu:~$ sudo apt-get install unzip autoconf automake libtool libpam0g-dev build-essential qrencode

# Download the "Google Authenticator" source

sysroot@ubuntu:~$ wget http://codeload.github.com/google/google-authenticator-libpam/zip/master

# Unpack the "Google Authenticator" source archive

sysroot@ubuntu:~$ unzip master

# Enter the unpacked directory

sysroot@ubuntu:~$ cd google-authenticator-libpam-master/

# Generate the configure script (the script lives in the current directory, so it is run as ./bootstrap.sh)

sysroot@ubuntu:~/google-authenticator-libpam-master$ ./bootstrap.sh

# Generate the makefile

sysroot@ubuntu:~/google-authenticator-libpam-master$ ./configure

# Compile the source

sysroot@ubuntu:~/google-authenticator-libpam-master$ make

# Install "Google Authenticator"

sysroot@ubuntu:~/google-authenticator-libpam-master$ sudo make install

# Generate the dynamic verification code

# Install the "FreeOTP" app on your phone

sysroot@ubuntu:~/google-authenticator-libpam-master$ google-authenticator

Do you want authentication tokens to be time-based (y/n) y

# Whether the authentication tokens should be time-based: answer "y"

Warning: pasting the following URL into your browser exposes the OTP secret to Google:

http://www.google.com/chart?chs=200x200&chld=M|0&cht=qr&chl=otpauth://totp/sysroot@ubuntu?secret=ILTAJB2B4KWHRO6T6YMZY5YQVA&issuer=ubuntu

Your new secret key is: ILTAJB2B4KWHRO6T6YMZY5YQVA

# If you don't want to add the account by scanning the QR code above with the "FreeOTP" app, you can enter this key manually instead.

Enter code from app (-1 to skip): -1

Code confirmation skipped

Your emergency scratch codes are:

# The system generates 5 emergency scratch codes. When the dynamic code cannot be obtained or does not work, one of these 5 codes can be used to log in. Each scratch code is single-use and cannot be reused.

48504801

93223955

82645854

10580754

57959419

# Asks whether to update the authentication file: answer "y"

Do you want me to update your "/home/sysroot/.google_authenticator" file? (y/n) y

# Disallow reuse of the same code: each code may be used for only one login per 30 seconds. Answer "y"

Do you want to disallow multiple uses of the same authentication

token? This restricts you to one login about every 30s, but it increases

your chances to notice or even prevent man-in-the-middle attacks (y/n) y

# By default a dynamic code is valid for 30 seconds. Because the client and server clocks may differ, the accepted window can be widened to up to 4 minutes. Whether to do so: answer "y"

By default, a new token is generated every 30 seconds by the mobile app.

In order to compensate for possible time-skew between the client and the server,

we allow an extra token before and after the current time. This allows for a

time skew of up to 30 seconds between authentication server and client. If you

experience problems with poor time synchronization, you can increase the window

from its default size of 3 permitted codes (one previous code, the current

code, the next code) to 17 permitted codes (the 8 previous codes, the current

code, and the 8 next codes). This will permit for a time skew of up to 4 minutes

between client and server.

Do you want to do so? (y/n) y

# Whether to rate-limit attempts: at most 3 attempts every 30 seconds. Answer "y"

If the computer that you are logging into isn't hardened against brute-force

login attempts, you can enable rate-limiting for the authentication module.

By default, this limits attackers to no more than 3 login attempts every 30s.

Do you want to enable rate-limiting? (y/n) y
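To make the choices in that dialogue concrete, here is an added Python model of what the server side is checking. This is example code written for this page, not the google-authenticator-libpam source: an RFC 6238 TOTP generator plus a verifier with the three policy knobs from the prompts above, i.e. the permitted-code window (1 step each side = 3 codes, 8 steps each side = 17 codes, about 4 minutes), single use of each code, and 3 attempts per 30 seconds. The secret is the RFC 6238 reference secret (the ASCII string 12345678901234567890 in base32), not the key printed above, and the class and function names are this example's own.

```python
import base64
import hashlib
import hmac
import struct
import time

PERIOD = 30  # seconds per code, as the setup prompt states

# Reference secret from RFC 6238 (ASCII "12345678901234567890" in base32), used here
# instead of the key printed by google-authenticator above.
DEMO_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def decode_secret(secret_b32):
    """Base32-decode a secret; google-authenticator prints the key without '=' padding."""
    s = secret_b32.strip().replace(" ", "").upper()
    return base64.b32decode(s + "=" * (-len(s) % 8))


def hotp(key, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def totp(secret_b32, at, period=PERIOD):
    """RFC 6238 TOTP: HOTP with the counter set to floor(unix_time / period)."""
    return hotp(decode_secret(secret_b32), at // period)


class TotpVerifier:
    """Server-side model of the policy questions answered during setup (hypothetical class).

    window          1 -> 3 permitted codes (previous, current, next); 8 -> 17 codes (+-4 min)
    disallow_reuse  each 30-second step may authenticate only once (replay protection)
    rate_limit      (attempts, seconds): at most `attempts` tries per `seconds`
    """

    def __init__(self, secret_b32, window=1, disallow_reuse=True, rate_limit=(3, 30)):
        self.key = decode_secret(secret_b32)
        self.window = window
        self.disallow_reuse = disallow_reuse
        self.max_attempts, self.rate_period = rate_limit
        self.used_steps = set()
        self.attempts = []  # timestamps of recent attempts, successful or not

    def verify(self, code, now):
        # Rate limiting: refuse once max_attempts have been made inside the trailing period.
        self.attempts = [t for t in self.attempts if now - t < self.rate_period]
        if len(self.attempts) >= self.max_attempts:
            return False
        self.attempts.append(now)

        current = now // PERIOD
        for step in range(current - self.window, current + self.window + 1):
            if self.disallow_reuse and step in self.used_steps:
                continue  # this step already logged someone in: treat as a replay
            if hmac.compare_digest(hotp(self.key, step), code):
                if self.disallow_reuse:
                    self.used_steps.add(step)
                return True
        return False


if __name__ == "__main__":
    now = int(time.time())
    print("code for the current 30-second step:", totp(DEMO_SECRET_B32, now))
```

Run as a script it prints the code for the current 30-second step; entering the same base32 secret into FreeOTP shows the same digits as long as the phone's clock and the machine's clock agree, which is exactly the skew the wider window is meant to absorb. The replay rule is why the prompt says one login per 30 seconds: a code that has already opened a session is rejected for the rest of its step even though it is still arithmetically valid.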

# Configure the SSH login service to call "google authenticator" for authentication

1: Edit the "/etc/pam.d/sshd" file

sysroot@ubuntu:~/google-authenticator-libpam-master$ sudo vim /etc/pam.d/sshd

Add the following line:

auth required pam_google_authenticator.so no_increment_hotp

2: Edit the "/etc/ssh/sshd_config" file

sysroot@ubuntu:~/google-authenticator-libpam-master$ sudo vim /etc/ssh/sshd_config

Change the following parameter from "no" to "yes":

ChallengeResponseAuthentication no

so that it reads:

ChallengeResponseAuthentication yes

# Locate the "pam_google_authenticator.so" file

sysroot@ubuntu:~/google-authenticator-libpam-master$ ll /usr/local/lib/security/

# A source install puts the module under "/usr/local/lib/security/", so the "/lib/security/" directory has to be created

sysroot@ubuntu:~/google-authenticator-libpam-master$ sudo mkdir -p /lib/security/

# Symlink (or cp) the "pam_google_authenticator.so" file into "/lib/security/"

sysroot@ubuntu:~/google-authenticator-libpam-master$ sudo ln -s /usr/local/lib/security/pam_google_authenticator.so /lib/security/pam_google_authenticator.so

# Restart the ssh service

sysroot@ubuntu:~/google-authenticator-libpam-master$ sudo service ssh restart
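Before restarting sshd it is worth confirming that the two edits actually take effect, because sshd_config keeps the first value it reads for a keyword (a later duplicate is ignored) and a commented-out PAM line silently leaves password-only login in place. The following Python checker is an added example written for this page, not part of google-authenticator-libpam or OpenSSH; the file contents are constructed inline, the function names are this example's own, and the only facts it encodes beyond the page are sshd_config's first-match rule, that UsePAM must be yes for any PAM module to run, and that KbdInteractiveAuthentication is the newer spelling of ChallengeResponseAuthentication.

```python
import re

# Constructed file contents (not copied from a real host).
SSHD_CONFIG_OK = """\
Port 22
UsePAM yes
ChallengeResponseAuthentication yes
"""

SSHD_CONFIG_BAD = """\
ChallengeResponseAuthentication no
# the later "yes" never wins: sshd keeps the first value it reads for a keyword
ChallengeResponseAuthentication yes
UsePAM yes
"""

PAM_SSHD_OK = """\
@include common-auth
auth required pam_google_authenticator.so no_increment_hotp
"""

PAM_SSHD_BAD = """\
@include common-auth
# module present but commented out, so no verification-code prompt ever appears
# auth required pam_google_authenticator.so no_increment_hotp
"""

# ChallengeResponseAuthentication is the older name of KbdInteractiveAuthentication;
# both set the same option, so they are folded onto one key.
ALIASES = {"challengeresponseauthentication": "kbdinteractiveauthentication"}


def sshd_effective(config_text):
    """Effective global {keyword: value} of an sshd_config, honouring the first-match rule.

    Parsing stops at the first 'Match' block, whose keywords apply only conditionally.
    """
    effective = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        if len(parts) != 2:
            continue
        key = ALIASES.get(parts[0].lower(), parts[0].lower())
        if key == "match":
            break
        effective.setdefault(key, parts[1].strip())  # first value wins
    return effective


def pam_requires_otp(pam_text):
    """True if an active auth line loads pam_google_authenticator.so and can fail the stack."""
    for raw in pam_text.splitlines():
        fields = raw.strip().split()
        if not fields or fields[0].startswith("#"):
            continue
        if (len(fields) >= 3 and fields[0] == "auth"
                and fields[1] in ("required", "requisite")
                and fields[2].endswith("pam_google_authenticator.so")):
            return True
    return False


def check_two_factor(sshd_config_text, pam_sshd_text):
    """Return a list of problems; an empty list means the OTP prompt will be enforced."""
    eff = sshd_effective(sshd_config_text)
    problems = []
    if eff.get("usepam", "no").lower() != "yes":  # upstream default is no
        problems.append("UsePAM is not yes, so PAM (and the OTP module) is never consulted")
    if eff.get("kbdinteractiveauthentication", "yes").lower() != "yes":  # upstream default is yes
        problems.append("ChallengeResponseAuthentication/KbdInteractiveAuthentication is not yes, so no code prompt")
    if not pam_requires_otp(pam_sshd_text):
        problems.append("no active 'auth required pam_google_authenticator.so' line in /etc/pam.d/sshd")
    return problems


if __name__ == "__main__":
    for name, cfg, pam in (("good", SSHD_CONFIG_OK, PAM_SSHD_OK), ("bad", SSHD_CONFIG_BAD, PAM_SSHD_BAD)):
        print(name + ":", check_two_factor(cfg, pam) or "two-factor login enforced")
```

To check a real host, read /etc/ssh/sshd_config and /etc/pam.d/sshd and pass their contents to check_two_factor; keep an existing SSH session open while restarting sshd so a mistake in either file does not lock you out.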


# Test with an SSH client:

1. PuTTY

2. SecureCRT

Under Authentication choose "Keyboard Interactive"

3. Xshell

# For the SSH user authentication method choose "Keyboard Interactive"