Ubuntu authentication
Description:
In a Level 3 system under the Information Security Classified Protection scheme, the host security identity authentication module explicitly requires that two or more authentication techniques be used together, which means two-factor login. This post walks through setting that up on Ubuntu.
Operations staff normally administer servers remotely over SSH. By default an SSH login only asks for a username and password, which clearly does not meet the two-factor login requirement of the classified protection scheme. In this exercise we use Google Authenticator to add a dynamic one-time code on top of the username and password: a login succeeds only when the correct username, password and dynamic code are all entered, which gives us two-factor authentication. The dynamic code is read from the "FreeOTP" app on a phone (it refreshes every 30 seconds by default).
#System information:
sysroot@ubuntu:~$ lsb_release -a
sysroot@ubuntu:~$ cat /proc/version
sysroot@ubuntu:~$ uname -m
#Install the build dependencies
sysroot@ubuntu:~$ sudo apt-get install unzip autoconf automake libtool libpam0g-dev build-essential qrencode
#Download the "Google Authenticator" source
sysroot@ubuntu:~$ wget http://codeload.github.com/google/google-authenticator-libpam/zip/master
#Unpack the "Google Authenticator" source archive
sysroot@ubuntu:~$ unzip master
#Enter the unpacked directory
sysroot@ubuntu:~$ cd google-authenticator-libpam-master/
#Generate the configure script
sysroot@ubuntu:~/google-authenticator-libpam-master$ ./bootstrap.sh
#Generate the makefile configuration
sysroot@ubuntu:~/google-authenticator-libpam-master$ ./configure
#Compile the source
sysroot@ubuntu:~/google-authenticator-libpam-master$ make
#Install "Google Authenticator"
sysroot@ubuntu:~/google-authenticator-libpam-master$ sudo make install
#Generate the dynamic code
#Install the "FreeOTP" app on your phone
sysroot@ubuntu:~/google-authenticator-libpam-master$ google-authenticator
Do you want authentication tokens to be time-based (y/n) y
#Asks whether the authentication tokens should be time-based; choose "y"
Warning: pasting the following URL into your browser exposes the OTP secret to Google:
http://www.google.com/chart?chs=200x200&chld=M|0&cht=qr&chl=otpauth://totp/sysroot@ubuntu?secret=ILTAJB2B4KWHRO6T6YMZY5YQVA&issuer=ubuntu
Your new secret key is: ILTAJB2B4KWHRO6T6YMZY5YQVA
#If you do not want to add the account by scanning the QR code above with the "FreeOTP" app, you can add it manually by typing in this key.
Enter code from app (-1 to skip): -1
Code confirmation skipped
Your emergency scratch codes are:
#The system generates 5 emergency scratch codes. When the dynamic code cannot be obtained or does not work, these 5 codes can be used to log in. They are one-time codes and cannot be reused.
48504801
93223955
82645854
10580754
57959419
#Asks whether to update the authenticator file; choose "y"
Do you want me to update your "/home/sysroot/.google_authenticator" file? (y/n) y
#Disallow logging in with the same token more than once; a token then permits only one login per 30 seconds. Choose "y"
Do you want to disallow multiple uses of the same authentication
token? This restricts you to one login about every 30s, but it increases
your chances to notice or even prevent man-in-the-middle attacks (y/n) y
#By default a dynamic code is valid for 30 seconds. Because the client and server clocks may drift apart, the window can be widened to at most 4 minutes; asked whether to do so, choose "y"
By default, a new token is generated every 30 seconds by the mobile app.
In order to compensate for possible time-skew between the client and the server,
we allow an extra token before and after the current time. This allows for a
time skew of up to 30 seconds between authentication server and client. If you
experience problems with poor time synchronization, you can increase the window
from its default size of 3 permitted codes (one previous code, the current
code, the next code) to 17 permitted codes (the 8 previous codes, the current
code, and the 8 next codes). This will permit for a time skew of up to 4 minutes
between client and server.
Do you want to do so? (y/n) y
#Asks whether to rate-limit attempts to at most 3 every 30 seconds; choose "y"
If the computer that you are logging into isn't hardened against brute-force
login attempts, you can enable rate-limiting for the authentication module.
By default, this limits attackers to no more than 3 login attempts every 30s.
Do you want to enable rate-limiting? (y/n) y
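To make clear what the PAM module is actually checking behind the prompts above, here is an added example (not part of the original post and not code from google-authenticator-libpam) that re-implements the TOTP computation and the three policies chosen above: the skew window (3 or 17 permitted codes), rejection of a reused token, and the 3-attempts-per-30s rate limit. It uses the secret key printed on this page as its input; the timestamps are constructed.

```python
"""TOTP verification mirroring pam_google_authenticator's options (added example)."""
import base64
import hashlib
import hmac
import struct
import time

STEP = 30  # seconds per token, as stated in the google-authenticator prompts
SECRET = "ILTAJB2B4KWHRO6T6YMZY5YQVA"  # the key google-authenticator printed above


def totp(secret_b32, counter, digits=6):
    """RFC 6238 TOTP: HMAC-SHA1 over the big-endian time counter, then dynamic truncation."""
    key = base64.b32decode(secret_b32 + "=" * (-len(secret_b32) % 8))  # unpadded base32, as printed
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class Verifier:
    """window_size=3 allows +/-1 step, 17 allows +/-8 steps (4 minutes of skew)."""

    def __init__(self, secret_b32, window_size=3, disallow_reuse=True, rate_limit=(3, 30)):
        self.secret = secret_b32
        self.skew = (window_size - 1) // 2
        self.disallow_reuse = disallow_reuse
        self.max_attempts, self.interval = rate_limit
        self.used_counters = set()   # time steps whose token has already been accepted
        self.attempts = []           # timestamps of recent attempts (for rate limiting)

    def verify(self, code, now=None):
        now = int(time.time()) if now is None else now
        # Rate limiting: no more than max_attempts attempts in any `interval` seconds.
        self.attempts = [t for t in self.attempts if now - t < self.interval]
        if len(self.attempts) >= self.max_attempts:
            return False
        self.attempts.append(now)
        current = now // STEP
        for counter in range(current - self.skew, current + self.skew + 1):
            if self.disallow_reuse and counter in self.used_counters:
                continue  # same token may not be used twice
            if hmac.compare_digest(totp(self.secret, counter), code):
                self.used_counters.add(counter)
                return True
        return False
```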
#Configure the SSH service to call "google authenticator" for authentication
1: Edit the "/etc/pam.d/sshd" file
sysroot@ubuntu:~/google-authenticator-libpam-master$ sudo vim /etc/pam.d/sshd
Add the following line (without the nullok option, any user who has not yet run google-authenticator will be unable to log in, so keep an existing session open until the login has been tested)
auth required pam_google_authenticator.so no_increment_hotp
2: Edit the "/etc/ssh/sshd_config" file
sysroot@ubuntu:~/google-authenticator-libpam-master$ sudo vim /etc/ssh/sshd_config
Find the following parameter and change "no" to "yes" (on OpenSSH 8.7 and later the option is named KbdInteractiveAuthentication; the old name is still accepted as an alias)
ChallengeResponseAuthentication no
#Check the "pam_google_authenticator.so" module
sysroot@ubuntu:~/google-authenticator-libpam-master$ ll /usr/local/lib/security/
#A source install places the module under "/usr/local/lib/security/", so the "/lib/security/" directory has to be created
sysroot@ubuntu:~/google-authenticator-libpam-master$ sudo mkdir -p /lib/security/
#Symlink or cp the "pam_google_authenticator.so" module into "/lib/security/"
sysroot@ubuntu:~/google-authenticator-libpam-master$ sudo ln -s /usr/local/lib/security/pam_google_authenticator.so /lib/security/pam_google_authenticator.so
#Restart the SSH service
sysroot@ubuntu:~/google-authenticator-libpam-master$ sudo service ssh restart
#Test with an SSH client:
1. PuTTY
2. SecureCRT: set the authentication method to "Keyboard Interactive"
3. Xshell: under SSH user authentication select "Keyboard Interactive"