CentOS 7 使用Google-Authenticator進行多因素認證

什麼是多因素認證(Multi-Factor Authentication, MFA)？

MFA，顧名思義使用多種獨立的驗證機制，對用戶進行身份驗證，只有所有經過時才能受權訪問。MFA的目的是創建一個多層次的防護，使未經受權的人訪問計算機系統或網絡更加困難。驗證機制能夠分爲：

• Sth. you know 用戶知道什麼（知識型的身份驗證）

• Sth. you have 用戶有什麼（安全性令牌或者智能卡）

• Sth. you are 用戶是什麼（生物識別驗證）

以咱們去ATM取款爲例，咱們須要插入卡片（sth. you have)並輸入密碼（sth. you know)才能成功提款。

適用於Linux Server的多因素認證

平常中常見的作法是使用public key 和 password的方式進行認證，可是因爲public key一般都是直接存儲在控制檯上，致使知道控制檯密碼(sth. you know) + 遠程服務器密碼 (sth. you know) 就能夠訪問服務器了，只使用了sth. you know 一種驗證方式。破解方式有兩種：

• 使用生物識別驗證的控制檯(sth. you are) + 遠程服務器密碼(sth. you know)

• 使用密碼認證的控制檯 (sth. you know) + 遠程服務器安全令牌認證(sth. you have)
  

這裏着重講一下sth. you have的免費的認證方式google-authenticator，無需×××在手機上便可安裝google authenticator軟件. 從在手機上安裝軟件開始吧……

Google-authenticator在CentOS 7上的配置

• 安裝所需的軟件：  

yum install -y  autoconf automake libtool pam-devel git qrencode

• 安裝google-authenticator

git clone https://github.com/google/google-authenticator-libpam.git
cd google-authenticator-libpam/
./bootstrap.sh
./configure
make
make install
ln -s /usr/local/lib/security/pam_google_authenticator.so /usr/lib64/security/pam_google_authenticator.so

• 配置openssh， vi /etc/pam.d/sshd
  

auth    required        pam_google_authenticator.so nullok  #加在最上面一行
#auth       substack     password-auth

編輯/etc/ssh/sshd_config爲

. . .
# Change to no to disable s/key passwords
ChallengeResponseAuthentication yes
#ChallengeResponseAuthentication no
. . .
AuthenticationMethods publickey,password publickey,keyboard-interactive

重啓sshd

systemctl restart sshd.service

• 爲用戶啓用google-authenticator

google-authenticator

1）屏幕提示Do you want authentication tokens to be time-based (y/n) ，回答y選用基於時間的token

2）屏幕提示二維碼，拿出手機打開google authenticator軟件，點擊+後選擇「條形碼掃描"添加認證條目。

注意：將屏幕顯示的secret key, verification code 和 recovery codes 保存在安全的地方，供密碼恢復使用。

3）Do you want me to update your "/home/sammy/.google_authenticator" file (y/n) y

4）Do you want to disallow multiple uses of the same authentication token? This restricts you to one login about every 30s, but it increases your chances to notice or even prevent man-in-the-middle attacks (y/n) y

4）By default, tokens are good for 30 seconds. In order to compensate for possible time-skew between the client and the server, we allow an extra token before and after the current time. If you experience problems with poor time synchronization, you can increase the window from its default size of +-1min (window size of 3) to about +-4min (window size of 17 acceptable tokens). Do you want to do so? (y/n) n

5）If the computer that you are logging into isn't hardened against brute-force login attempts, you can enable rate-limiting for the authentication module. By default, this limits attackers to no more than 3 login attempts every 30s. Do you want to enable rate-limiting (y/n) y

• 新建ssh鏈接（不要關閉當前的防止沒法訪問）測試配置是否成功。