6 Easy Steps to Set Up Offline Two-Factor Authentication in Linux

Date: 2020-01-09 10:42:49  Source: igfitidea

In this article I share a step-by-step guide to installing and configuring offline two-factor authentication on Linux with the open-source Google Authenticator PAM module, for the following cases:

  • Configure offline two-factor authentication for SSH

  • Configure offline two-factor authentication for sudo

  • Configure offline two-factor authentication for su

Lab environment

I have installed Oracle VirtualBox on a Linux host and created several virtual machines on it running RHEL/CentOS 7 and 8.

The steps for configuring two-factor authentication in this article have been verified on RHEL/CentOS 7 and 8 Linux.

Still installing Linux manually?

I recommend setting up a "one-click" installation with a network PXE boot server.

With a PXE server we can install Oracle VirtualBox VMs, KVM-based VMs or any kind of physical server without human intervention, which saves time and effort.

The VirtualBox VM needs an Internet connection to download and install the required Google Authenticator package.

Once two-factor authentication is configured, however, no Internet connection is needed for verification: the codes are time-based one-time passwords (TOTP) that are computed and checked locally from a shared secret, which is what makes this offline two-factor authentication in Linux.

Google Authenticator with PAM

According to its GitHub page, the open-source Google Authenticator PAM module (google-authenticator-libpam) supports the following features for offline two-factor authentication in Linux:

  • Per-user secret and state file stored in the user's home directory

  • Support for 30-second TOTP codes

  • Support for emergency scratch codes

  • Protection against replay attacks

  • Key provisioning by displaying a QR code

  • Manual entry of an RFC 3548 base32 key string

Also read:

How to configure ssh host-based authentication per user (CentOS/RHEL 7/8)

Install Google Authenticator on RHEL/CentOS 7 and 8 Linux

There are two ways to install Google Authenticator on RHEL/CentOS 7 and 8 Linux.

Method 1: Install with DNF or YUM

As you probably know, DNF is the successor to YUM.

The Google Authenticator rpm is not part of the CentOS or Red Hat repositories by default, so we first have to install the EPEL repository on the Linux node.

Tip:

On RHEL/CentOS 7.6 or earlier DNF may not be available; in that case use yum to install the packages.

Since the EPEL repositories for RHEL/CentOS 7 and 8 ship different Google Authenticator versions, the contents of the two rpms also differ.

[root@centos-8 ~]# dnf install epel-release -y

Next, before enabling offline two-factor authentication, install the google-authenticator rpm itself:

Note:

libqrencode is needed to print the QR code that provisions the secret for offline two-factor authentication. Without it, google-authenticator cannot draw a scannable QR code in the terminal; it can only print a Google Charts URL that encodes the secret (and warns that opening it exposes the OTP secret to Google), so the OTP secret then has to be typed into the app by hand. On RHEL/CentOS 7/8 Linux, libqrencode is provided by the qrencode-libs rpm.

[root@centos-8 ~]# dnf install google-authenticator qrencode-libs -y

rpm contents on RHEL/CentOS 7

[root@centos-7 ~]# rpm -ql google-authenticator-1.04-1.el7.x86_64
/usr/bin/google-authenticator
/usr/lib64/security/pam_google_authenticator.la
/usr/lib64/security/pam_google_authenticator.so
/usr/share/doc/google-authenticator-1.04
/usr/share/doc/google-authenticator-1.04/CONTRIBUTING.md
/usr/share/doc/google-authenticator/FILEFORMAT
/usr/share/doc/google-authenticator/README.md
/usr/share/doc/google-authenticator/totp.html
/usr/share/licenses/google-authenticator-1.04
/usr/share/licenses/google-authenticator-1.04/LICENSE
/usr/share/man/man1/google-authenticator.1.gz
/usr/share/man/man8/pam_google_authenticator.8.gz

rpm contents on RHEL/CentOS 8

[root@centos-8 ~]# rpm -ql google-authenticator-1.07-1.el8.x86_64
/usr/bin/google-authenticator
/usr/lib/.build-id
/usr/lib/.build-id/28
/usr/lib/.build-id/28/19f17158d9ddef0a7f6135defe09c66b2b8061
/usr/lib/.build-id/70
/usr/lib/.build-id/70/03ef7a7d6793e0fcd5b4db22f580420272c34a
/usr/lib64/security/pam_google_authenticator.la
/usr/lib64/security/pam_google_authenticator.so
/usr/share/doc/google-authenticator
/usr/share/doc/google-authenticator/CONTRIBUTING.md
/usr/share/doc/google-authenticator/FILEFORMAT
/usr/share/doc/google-authenticator/README.md
/usr/share/doc/google-authenticator/totp.html
/usr/share/licenses/google-authenticator
/usr/share/licenses/google-authenticator/LICENSE
/usr/share/man/man1/google-authenticator.1.gz
/usr/share/man/man8/pam_google_authenticator.8.gz

Method 2: Install from source

We can clone the google-authenticator git repository on the Linux node.

Tip:

If git is not installed you get "-bash: git: command not found"; fix it by installing git, i.e. yum install git -y.

# git clone https://github.com/google/google-authenticator-libpam.git
Cloning into 'google-authenticator-libpam'...
remote: Enumerating objects: 52, done.
remote: Counting objects: 100% (52/52), done.
remote: Compressing objects: 100% (39/39), done.
remote: Total 848 (delta 31), reused 32 (delta 13), pack-reused 796
Receiving objects: 100% (848/848), 580.86 KiB | 532.00 KiB/s, done.
Resolving deltas: 100% (539/539), done.

Next, build and install. The build needs autoconf, automake and libtool (for bootstrap.sh), a C compiler and the PAM development headers (the pam-devel package on RHEL/CentOS):

# cd google-authenticator-libpam/
# ./bootstrap.sh
# ./configure
# make
# make install

This builds and installs the google-authenticator binary and the pam_google_authenticator.so module on the Linux node; the PAM and service configuration still has to be done as described below.

Configure offline two-factor authentication in Linux

From here on the Linux node no longer needs Internet access to enable offline two-factor authentication.
Run the google-authenticator binary without arguments, as the user whose logins should require an OTP (the secret and state are written to that user's ~/.google_authenticator); it prompts for several inputs:

[root@centos-8 ~]# google-authenticator
Do you want authentication tokens to be time-based (y/n) y
Your new secret key is: Q7OLD3KUKF3F7BT5J3I7XMVKGI

Tip:

If google-authenticator cannot display the QR code in the terminal for scanning, install the libqrencode library.
On RHEL/CentOS 7/8 this library is part of the qrencode-libs rpm.

Tip:

On RHEL/CentOS 8 (google-authenticator 1.07) we are asked to enter a code from the app (or -1 to skip) before the setup continues, so the app has to be set up with the new secret at this point to confirm it.

On RHEL/CentOS 7 (google-authenticator 1.04) the app can be configured after the offline two-factor authentication setup is finished.

Enter code from app (-1 to skip): 952203   <-- Since this is CentOS 8, I have already configured Google Authenticator on my android device to get this OTP
Code confirmed
Your emergency scratch codes are:     <--- These emergency codes can be used when Google Authenticator is not accessible
  78193766
  22845673
  75571630
  42294143
  42293545
Do you want me to update your "/root/.google_authenticator" file? (y/n) y   <-- Press y to add the emergency codes under the provided file
Do you want to disallow multiple uses of the same authentication
token? This restricts you to one login about every 30s, but it increases
your chances to notice or even prevent man-in-the-middle attacks (y/n) y 
By default, a new token is generated every 30 seconds by the mobile app.
In order to compensate for possible time-skew between the client and the server,
we allow an extra token before and after the current time. This allows for a
time skew of up to 30 seconds between authentication server and client. If you
experience problems with poor time synchronization, you can increase the window
from its default size of 3 permitted codes (one previous code, the current
code, the next code) to 17 permitted codes (the 8 previous codes, the current
code, and the 8 next codes). This will permit for a time skew of up to 4 minutes
between client and server.
Do you want to do so? (y/n) y
If the computer that you are logging into isn't hardened against brute-force
login attempts, you can enable rate-limiting for the authentication module.
By default, this limits attackers to no more than 3 login attempts every 30s.
Do you want to enable rate-limiting? (y/n) y
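The prompts above describe what the module checks on every login: a 30-second TOTP, a skew window of 3 or 17 codes, one-time scratch codes, refusal of a token that was already used, and a limit of 3 attempts per 30 seconds. The following Python verifier is an added example, not code from this page or from the google-authenticator-libpam project; it reimplements those checks from RFC 4226/6238 so they can be exercised offline. The secret, scratch code and timestamps are constructed test data (the secret is the base32 form of the RFC test key "12345678901234567890"), and the class TotpVerifier and its method names are this example's own.

```python
# Added example, not code from the google-authenticator-libpam project: a small
# TOTP verifier that mirrors the checks the PAM module applies, following the
# behaviour described by the setup prompts (30-second steps, skew window of
# 3 or 17 codes, one-time scratch codes, no reuse of a token, rate limiting).
import base64
import hashlib
import hmac
import struct

STEP_SECONDS = 30

# Constructed test secret: base32 (RFC 3548/4648) of the ASCII key
# "12345678901234567890" used by the RFC 4226/6238 test vectors.
TEST_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def hotp(secret_b32: str, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    key = base64.b32decode(padded)
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{value % 10 ** digits:0{digits}d}"


def totp(secret_b32: str, unix_time: int) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to the current 30-second step."""
    return hotp(secret_b32, unix_time // STEP_SECONDS)


class TotpVerifier:
    """Server-side state, comparable to what pam_google_authenticator keeps in
    ~/.google_authenticator: secret, window size, unused scratch codes, the time
    steps already used (DISALLOW_REUSE) and the timestamps of recent attempts."""

    def __init__(self, secret_b32, scratch_codes=(), window=3, rate_limit=(3, 30)):
        self.secret = secret_b32
        self.scratch = set(scratch_codes)
        self.half_window = window // 2      # window=3 -> +-1 step, window=17 -> +-8 steps
        self.used_steps = set()
        self.max_attempts, self.rate_seconds = rate_limit
        self.attempts = []

    def _rate_limited(self, now: int) -> bool:
        """Allow at most max_attempts verifications per rate_seconds (default 3 per 30 s)."""
        self.attempts = [t for t in self.attempts if now - t < self.rate_seconds]
        if len(self.attempts) >= self.max_attempts:
            return True
        self.attempts.append(now)
        return False

    def verify(self, code: str, now: int) -> str:
        """Return 'ok', 'bad-code', 'replayed' or 'rate-limited'."""
        code = code.strip()
        if not (code.isascii() and code.isdigit()):
            return "bad-code"
        if self._rate_limited(now):
            return "rate-limited"
        if code in self.scratch:            # emergency scratch code: valid exactly once
            self.scratch.discard(code)
            return "ok"
        current = now // STEP_SECONDS
        for step in range(current - self.half_window, current + self.half_window + 1):
            if hmac.compare_digest(hotp(self.secret, step), code):
                if step in self.used_steps:  # the same token presented again: replay
                    return "replayed"
                self.used_steps.add(step)
                return "ok"
        return "bad-code"
```

The verifier records every time step that has already authenticated rather than only the most recent one, which is what the module's "disallow multiple uses" option does, and it counts an attempt before looking at scratch codes, so scratch codes are covered by the rate limit as well.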

Download and configure the Google Authenticator mobile app

Before moving on to enabling and configuring offline two-factor authentication, we need the Google Authenticator app, which gives us the OTP (verification code).

Download and install Google Authenticator from the Google Play Store or the App Store, depending on the device.

Tap "Begin" to go to the next screen.

Next, "Add account".
We can add the new account either by scanning the BARCODE (QR code) or by typing the KEY (the base32 secret) generated in step 2.

Once the account is added we start receiving OTPs (verification codes) that can be used to log in to the Linux node on which ssh offline two-factor authentication is configured.

Configure SSH two-factor authentication

To protect SSH and resist brute-force attacks we can configure SSH two-factor authentication, so that every SSH login also has to present the OTP (verification code) from Google Authenticator.

Step 1: Configure the /etc/pam.d/sshd module

To enable SSH two-factor authentication we use the PAM module.
The file /etc/pam.d/sshd has to be adjusted to call pam_google_authenticator.so ahead of the regular password stack:

[root@centos-8 ~]# cat /etc/pam.d/sshd
#%PAM-1.0
auth       required     pam_google_authenticator.so
auth       substack     password-auth
auth       include      postlogin
account    required     pam_sepermit.so
account    required     pam_nologin.so
account    include      password-auth
password   include      password-auth
# pam_selinux.so close should be the first session rule
session    required     pam_selinux.so close
session    required     pam_loginuid.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session    required     pam_selinux.so open env_params
session    required     pam_namespace.so
session    optional     pam_keyinit.so force revoke
session    optional     pam_motd.so
session    include      password-auth
session    include      postlogin

Step 2: Configure /etc/ssh/sshd_config

Next, enable ChallengeResponseAuthentication in /etc/ssh/sshd_config. UsePAM yes (the RHEL/CentOS default) must remain set, because sshd only runs the PAM auth stack for keyboard-interactive and password logins; on OpenSSH 8.7 and later the keyword is KbdInteractiveAuthentication, with ChallengeResponseAuthentication kept as an alias:

[root@centos-8 ~]# grep ChallengeResponseAuthentication /etc/ssh/sshd_config
ChallengeResponseAuthentication yes

Note that a client that authenticates with an SSH public key never enters the PAM auth stack, so with this setting alone key-based logins bypass the OTP. To require the verification code after a key as well, add AuthenticationMethods publickey,keyboard-interactive to sshd_config.

Check the syntax with sshd -t, then restart the sshd service to activate the changes:

[root@centos-8 ~]# systemctl restart sshd

Step 3: Verify SSH two-factor authentication

Important:

Keep one existing SSH session open while verifying the change: if the configuration is wrong, the change can lock us out.
Alternatively the console login can be used to correct the configuration.
During a staged rollout the module option nullok (auth required pam_google_authenticator.so nullok) lets users who have not yet created a ~/.google_authenticator file log in without a code; remove it once every account is enrolled.

Open a new SSH session; it now prompts us for a verification code.

Because we used auth required pam_google_authenticator.so, Linux prompts for the verification code first and then for the user's password (a required module that fails does not stop the stack, so the password is asked even after a wrong code and the failure is only reported at the end):

login as: root
Using keyboard-interactive authentication.
Verification code:                 <--- Provide the OTP from your Google Authenticator App
Using keyboard-interactive authentication.
Password:                          <-- provide the password of user "root"
Last login: Sat Mar 28 16:09:48 2017 from 10.0.2.2
[root@centos-8 ~]#

If instead we use auth sufficient pam_google_authenticator.so, Linux only prompts for the verification code before logging us in. Be aware that this is no longer two-factor: a valid code alone grants access, and a wrong code is ignored by PAM, which then falls through to the normal password prompt, so either factor on its own is enough:

login as: root
Using keyboard-interactive authentication.
Verification code:               <--- Provide the OTP from your Google Authenticator App
Last login: Sat Mar 28 16:09:23 2017 from 10.0.2.2
[root@centos-8 ~]#
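Whether the PAM line in step 1 is ever reached depends on a handful of sshd_config keywords. The checker below is an added example (not from this page or from OpenSSH) that parses an sshd_config text the way sshd reads global settings and reports the keywords that still let a login skip the verification code; the two sample configurations and the function names parse_sshd_config and audit_sshd_2fa are constructed for this example.

```python
# Added example, not part of the page or of OpenSSH: a checker for the
# sshd_config settings that decide whether pam_google_authenticator is reached.
import re
from typing import Dict, List, Tuple


def parse_sshd_config(text: str) -> Dict[str, str]:
    """Effective global settings: sshd honours the FIRST occurrence of a keyword,
    keywords are case-insensitive, and 'Key value' or 'Key=value' are both valid.
    Settings below a Match block are conditional and are ignored here."""
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = parts[0].lower()
        if key == "match":
            break
        settings.setdefault(key, parts[1].strip() if len(parts) > 1 else "")
    return settings


def audit_sshd_2fa(text: str) -> List[Tuple[str, str]]:
    """Return (keyword, problem) pairs; an empty list means the OTP prompt is
    mandatory for every login method. Defaults follow sshd_config(5)."""
    s = parse_sshd_config(text)
    findings = []
    if s.get("usepam", "no").lower() != "yes":
        findings.append(("UsePAM", "must be yes or sshd never runs the PAM auth stack"))
    # ChallengeResponseAuthentication became an alias of KbdInteractiveAuthentication in 8.7
    kbd = s.get("kbdinteractiveauthentication", s.get("challengeresponseauthentication", "yes"))
    if kbd.lower() != "yes":
        findings.append(("ChallengeResponseAuthentication",
                         "keyboard-interactive is disabled, so the Verification code prompt never appears"))
    if s.get("passwordauthentication", "yes").lower() == "yes":
        findings.append(("PasswordAuthentication",
                         "set to no so keyboard-interactive is the only password-style path into PAM"))
    methods = s.get("authenticationmethods", "any")
    # alternatives are space-separated; each alternative is a comma-separated chain
    alternatives = [alt.split(",") for alt in methods.split()]
    if methods == "any" or any(
        "keyboard-interactive" not in [m.split(":")[0] for m in alt] for alt in alternatives
    ):
        findings.append(("AuthenticationMethods",
                         "public-key logins skip the PAM auth stack; require keyboard-interactive "
                         "in every alternative, e.g. publickey,keyboard-interactive"))
    return findings


# Constructed samples: the minimal change made in this article, and a hardened version.
ARTICLE_CONFIG = """
UsePAM yes
ChallengeResponseAuthentication yes
PasswordAuthentication yes
PubkeyAuthentication yes
"""

HARDENED_CONFIG = """
UsePAM yes
KbdInteractiveAuthentication yes
PasswordAuthentication no
AuthenticationMethods publickey,keyboard-interactive
"""
```

Run audit_sshd_2fa over the text of /etc/ssh/sshd_config before restarting sshd; for the configuration used in this article it reports PasswordAuthentication and AuthenticationMethods, for the hardened sample it reports nothing.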

Also read:

6 SSH authentication methods to secure connections (sshd_config)

Configure sudo two-factor authentication (optional)

If only SSH two-factor authentication is required, this step can be skipped.
For added security we can also configure sudo two-factor authentication, so that every time a user runs sudo they are prompted for an OTP (verification code). sudo authenticates the invoking user, so the code is checked against that user's own ~/.google_authenticator.

Step 1: Modify the /etc/pam.d/sudo module

To enable sudo two-factor authentication we use the PAM module.
The file /etc/pam.d/sudo has to be adjusted to call pam_google_authenticator.so:

[root@centos-8 ~]# cat /etc/pam.d/sudo
#%PAM-1.0
auth       required     pam_google_authenticator.so
auth       include      system-auth
account    include      system-auth
password   include      system-auth
session    include      system-auth

Step 2: Verify sudo two-factor authentication

Next, we can try a sudo command as any user who has run google-authenticator:

[hynman@centos-8 ~]$sudo ls -l /tmp/
We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:
    #1) Respect the privacy of others.
    #2) Think before you type.
    #3) With great power comes great responsibility.
Verification code:              <--- Provide the OTP from your Google Authenticator App
[sudo] password for hynman:     <--- Provide the password of user "hynman"
total 12
drwxr-x--T 2 root root 4096 Mar 23 17:47 marketing
drwx------ 3 root root 4096 Mar 24 19:49 systemd-private-64c4909968-chronyd.service-cpBn60
drwx------ 3 root root 4096 Mar 28 12:16 systemd-private-64c4909968-fprintd.service-Wo6SXe

Tip:

If we use auth sufficient pam_google_authenticator.so, Linux only prompts for the verification code; a wrong code then falls through to the password prompt, so either factor alone is accepted.

Also read:

Step by step: how to add a user to sudoers on Ubuntu 18.04

Configure su two-factor authentication (optional)

Likewise, if the requirement is limited to sudo or SSH two-factor authentication, this step can be skipped.
For added security we can also configure su two-factor authentication, so that every time a regular user switches user with su they are prompted for an OTP (verification code).

Step 1: Configure the /etc/pam.d/su module

To enable su two-factor authentication we use the PAM module.
The file /etc/pam.d/su has to be adjusted to call pam_google_authenticator.so. Note that placing it above pam_rootok.so, as below, means root is also prompted for a code when running su (and must have its own ~/.google_authenticator); put the line after pam_rootok.so if root should keep switching users without a code:

[root@centos-8 ~]# cat /etc/pam.d/su
#%PAM-1.0
auth            required        pam_google_authenticator.so
auth            sufficient      pam_rootok.so
# Uncomment the following line to implicitly trust users in the "wheel" group.
#auth           sufficient      pam_wheel.so trust use_uid
# Uncomment the following line to require a user to be in the "wheel" group.
#auth           required        pam_wheel.so use_uid
auth            substack        system-auth
auth            include         postlogin
account         sufficient      pam_succeed_if.so uid = 0 use_uid quiet
account         include         system-auth
password        include         system-auth
session         include         system-auth
session         include         postlogin
session         optional        pam_xauth.so

Step 2: Verify su two-factor authentication

Next, verify the PAM configuration by switching user with su. su authenticates as the target user, so the verification code and the password are the target user's, here root's:

[hynman@centos-8 ~]$su 
Verification code:   <--- Provide the OTP from your Google Authenticator App
Password:            <--- Provide the password of user "root"
[root@centos-8 ~]#

Tip:

If we use auth sufficient pam_google_authenticator.so, Linux only prompts for the verification code; a wrong code then falls through to the password prompt, so either factor alone is accepted.
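The tips for SSH, sudo and su all turn on the difference between `required` and `sufficient` on the pam_google_authenticator.so line. The evaluator below is an added example (not from this page or from Linux-PAM) implementing a simplified version of the Linux-PAM control-flag rules for the auth phase, run over constructed pam.d stacks modelled on the sshd file shown earlier; the file names, the trimmed password-auth content and the function names are this example's own assumptions.

```python
# Added example, not part of the page or of Linux-PAM: a simplified evaluator for
# the auth phase of a pam.d stack, to show why 'required' on the
# pam_google_authenticator line gives two factors while 'sufficient' gives one.
from typing import Dict, List, Tuple


def parse_auth_stack(pam_text: str) -> List[Tuple[str, str]]:
    """Return (control, module-or-file) for every 'auth' line of a pam.d file."""
    stack = []
    for raw in pam_text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) >= 3 and fields[0] == "auth":
            stack.append((fields[1], fields[2]))
    return stack


class _State:
    def __init__(self):
        self.failed = False    # a required/requisite module failed
        self.ok = False        # some module succeeded


def _run(name: str, files: Dict[str, str], outcomes: Dict[str, bool],
         state: _State, ran: List[str]) -> bool:
    """Evaluate one file; returns True when the stack was stopped early.
    Simplified Linux-PAM rules: requisite failure stops immediately; required
    failure is remembered but later modules still run (so the user still sees
    the remaining prompts); sufficient success stops with success unless a
    required module already failed; sufficient failure is ignored; optional
    never affects the result. 'include' inlines a file, while a stop inside a
    'substack' only ends that substack."""
    for control, module in parse_auth_stack(files[name]):
        if control in ("include", "substack"):
            stopped = _run(module, files, outcomes, state, ran)
            if stopped and control == "include":
                return True
            continue
        ran.append(module)
        success = outcomes.get(module, False)   # unknown modules (pam_deny.so) fail
        if control == "requisite" and not success:
            state.failed = True
            return True
        if control == "required":
            if success:
                state.ok = True
            else:
                state.failed = True
        elif control == "sufficient" and success and not state.failed:
            state.ok = True
            return True
    return False


def authenticate(files: Dict[str, str], outcomes: Dict[str, bool], entry: str):
    """Return (login allowed, modules that ran) for the given entry file."""
    state, ran = _State(), []
    _run(entry, files, outcomes, state, ran)
    return state.ok and not state.failed, ran


def single_factor_logins(files: Dict[str, str], entry: str,
                         factors=("pam_google_authenticator.so", "pam_unix.so")) -> List[str]:
    """Factors that are enough ON THEIR OWN to log in; empty for real 2FA."""
    return [f for f in factors if authenticate(files, {f: True}, entry)[0]]


# Constructed stacks: the sshd file from this article with 'required', the
# 'sufficient' variant, and a trimmed password-auth (the real one also carries
# pam_env.so and pam_succeed_if.so lines, which do not change the outcome here).
PAM_FILES = {
    "sshd-required": "auth required pam_google_authenticator.so\nauth substack password-auth\n",
    "sshd-sufficient": "auth sufficient pam_google_authenticator.so\nauth substack password-auth\n",
    "password-auth": "auth sufficient pam_unix.so nullok try_first_pass\nauth required pam_deny.so\n",
}
```

With the `required` stack, single_factor_logins returns an empty list and a wrong code still leads to the password prompt before the login is refused; with the `sufficient` stack it returns both modules, because a correct code skips the password and a wrong code is ignored and the password alone is then accepted.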