什么是多因素認(rèn)證(Multi-Factor Authentication, MFA)？

MFA，顧名思義使用多種獨(dú)立的驗(yàn)證機(jī)制，對用戶進(jìn)行身份驗(yàn)證，只有全部通過時才能授權(quán)訪問。MFA的目的是建立一個多層次的防御，使未經(jīng)授權(quán)的人訪問計算機(jī)系統(tǒng)或網(wǎng)絡(luò)更加困難。驗(yàn)證機(jī)制可以分為：

• Sth. you know 用戶知道什么（知識型的身份驗(yàn)證）

• Sth. you have 用戶有什么（安全性令牌或者智能卡）

• Sth. you are 用戶是什么（生物識別驗(yàn)證）

以我們?nèi)TM取款為例，我們需要插入卡片（sth. you have)并輸入密碼（sth. you know)才能成功提款。

適用于Linux Server的多因素認(rèn)證

日常中常見的做法是使用public key 和 password的方式進(jìn)行認(rèn)證，但是由于public key通常都是直接存儲在控制臺上，導(dǎo)致知道控制臺密碼(sth. you know) + 遠(yuǎn)程服務(wù)器密碼 (sth. you know) 就可以訪問服務(wù)器了，只使用了sth. you know 一種驗(yàn)證方式。破解方式有兩種：

• 使用生物識別驗(yàn)證的控制臺(sth. you are) + 遠(yuǎn)程服務(wù)器密碼(sth. you know)

• 使用密碼認(rèn)證的控制臺 (sth. you know) + 遠(yuǎn)程服務(wù)器安全令牌認(rèn)證(sth. you have)
  

這里著重講一下sth. you have的免費(fèi)的認(rèn)證方式google-authenticator，無需×××在手機(jī)上即可安裝google authenticator軟件. 從在手機(jī)上安裝軟件開始吧……

Google-authenticator在CentOS 7上的配置

• 安裝所需的軟件： ?

yum?install?-y??autoconf?automake?libtool?pam-devel?git?qrencode

• 安裝google-authenticator

git?clone?https://github.com/google/google-authenticator-libpam.git cd?google-authenticator-libpam/ ./bootstrap.sh ./configure make make?install ln?-s?/usr/local/lib/security/pam_google_authenticator.so?/usr/lib64/security/pam_google_authenticator.so

• 配置openssh， vi /etc/pam.d/sshd
  

auth????required????????pam_google_authenticator.so?nullok??#加在最上面一行 #auth???????substack?????password-auth

編輯/etc/ssh/sshd_config為

.?.?. #?Change?to?no?to?disable?s/key?passwords ChallengeResponseAuthentication?yes #ChallengeResponseAuthentication?no .?.?. AuthenticationMethods?publickey,password?publickey,keyboard-interactive

重啟sshd

systemctl?restart?sshd.service

• 為用戶啟用google-authenticator

google-authenticator

1）屏幕提示Do you want authentication tokens to be time-based (y/n) ，回答y選用基于時間的token

2）屏幕提示二維碼，拿出手機(jī)打開google authenticator軟件，點(diǎn)擊+后選擇“條形碼掃描"添加認(rèn)證條目。

注意：將屏幕顯示的secret key, verification code 和 recovery codes 保存在安全的地方，供密碼恢復(fù)使用。

3）Do you want me to update your "/home/sammy/.google_authenticator" file (y/n) y

4）Do you want to disallow multiple uses of the same authentication token? This restricts you to one login about every 30s, but it increases your chances to notice or even prevent man-in-the-middle attacks (y/n) y

4）By default, tokens are good for 30 seconds. In order to compensate for possible time-skew between the client and the server, we allow an extra token before and after the current time. If you experience problems with poor time synchronization, you can increase the window from its default size of +-1min (window size of 3) to about +-4min (window size of 17 acceptable tokens). Do you want to do so? (y/n) n

5）If the computer that you are logging into isn't hardened against brute-force login attempts, you can enable rate-limiting for the authentication module. By default, this limits attackers to no more than 3 login attempts every 30s. Do you want to enable rate-limiting (y/n) y

• 新建ssh連接（不要關(guān)閉當(dāng)前的防止無法訪問）測試配置是否成功。
  

轉(zhuǎn)載于:https://blog.51cto.com/41084/1952500

總結(jié)

以上是生活随笔為你收集整理的CentOS 7 使用Google-Authenticator进行多因素认证的全部內(nèi)容，希望文章能夠幫你解決所遇到的問題。

如果覺得生活随笔網(wǎng)站內(nèi)容還不錯，歡迎將生活随笔推薦給好友。