Two-factor authentication
Two-factor authentication verifies a user's identity by combining two factors: something the user knows (user name and password) and something the user has (a dynamic password that cannot be known in advance). The two-factor authentication described here uses time synchronization. It replaces the traditional static password with a one-time password derived from three inputs: the time, an event counter, and a key. Each dynamic password token has a unique key, and the same key is also stored on the server. At each authentication, the token and the server start from the same key, the same variable parameters (time or event) and the same algorithm, so both compute the same dynamic password; comparing the two verifies the user's identity.
TOTP
Time-Based One-Time Password Algorithm: a one-time (dynamic) password whose value depends on the current time, so the token and the server must have synchronized clocks.
TOTP setup steps
Authenticator app (Google Authenticator is used here)
Google Authenticator
Microsoft Authenticator
TOTP Authenticator
Aliyun Identity Treasure (身份宝)
Time synchronization
In CentOS 8, dnf install ntp reports that there is no package named ntp.
# Add the wlnmp yum repository
rpm -ivh http://mirrors.wlnmp.com/centos/wlnmp-release-centos.noarch.rpm
# Install the time synchronization software
yum install wntp
# Synchronize the time once
ntpdate 192.168.99.107
# Scheduled task for time synchronization (every 10 minutes, then write the system time to the hardware clock)
crontab -e
*/10 * * * * /usr/sbin/ntpdate 192.168.99.107; /sbin/hwclock -w
# Restart the cron service
systemctl restart crond
google-authenticator
EPEL repository
dnf install epel-release
google-authenticator
dnf install google-authenticator
Check the google-authenticator version
rpm -qa | grep google-authenticator
google-authenticator-1.07-1.el8.x86_64
QR code generation tool
Without the QR code generation tool installed, google-authenticator cannot draw a QR code in the terminal, but you can still copy the generated link into a browser to produce one.
dnf install qrencode
Run google-authenticator
google-authenticator prompts explained
Prompt 1: Asks whether the tokens should be time-based; answer y.
Prompt 2: Asks whether to update your Google Authenticator file; since this is the first setup, answer y.
Prompt 3: Asks whether to disallow multiple uses of the same password; answer y so that each code can be used only once, which helps prevent man-in-the-middle attacks.
Prompt 4: By default a password is valid for 30s. To tolerate clock drift between the host and the password client, you can widen the accepted time window; answer y or n depending on how strict you want to be.
Prompt 5: Asks whether to enable rate limiting; by default no more than 3 login attempts are allowed within 30s, which protects against brute-force guessing.
Note:
The settings are stored in the user's ~/.google_authenticator file. The 5 emergency scratch codes are backup codes; keep them safe. If your dynamic password cannot be used, log in with one of them; each scratch code can be used only once. You can regenerate them later by logging in and running google-authenticator again.
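To make the description above concrete (same key, same time step, same algorithm on both sides), here is an added TOTP implementation with a server-side verifier; it is example code written for this article, not part of google-authenticator. It assumes the 30-second step, a skew window of ±1 step (prompt 4) and the "disallow reuse" rule (prompt 3); the secret is the RFC 6238 test key, not a real token.

```python
import base64
import hashlib
import hmac
import struct

STEP = 30    # google-authenticator's default time step in seconds
DIGITS = 6

# RFC 6238 reference key "12345678901234567890" in base32 (constructed test value)
TEST_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def totp(secret_b32: str, unix_time: int, step: int = STEP, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the time counter, then dynamic truncation."""
    key = base64.b32decode(secret_b32.upper() + "=" * (-len(secret_b32) % 8))
    counter = struct.pack(">Q", unix_time // step)
    digest = hmac.new(key, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class TotpVerifier:
    """Server side: holds the same key and applies the skew window and
    the one-use-per-code rule that the google-authenticator prompts set."""

    def __init__(self, secret_b32: str, window: int = 1, disallow_reuse: bool = True):
        self.secret = secret_b32
        self.window = window                # accept +/- this many steps of clock drift
        self.disallow_reuse = disallow_reuse
        self.last_used_counter = None       # highest time step already consumed

    def verify(self, code: str, unix_time: int) -> bool:
        for skew in range(-self.window, self.window + 1):
            t = unix_time + skew * STEP
            counter = t // STEP
            if hmac.compare_digest(totp(self.secret, t), code):
                if (self.disallow_reuse and self.last_used_counter is not None
                        and counter <= self.last_used_counter):
                    return False            # replay of an already-used step
                self.last_used_counter = counter
                return True
        return False


if __name__ == "__main__":
    # RFC 6238 vector: at T=59 the 8-digit code is 94287082, so 6 digits gives 287082
    print(totp(TEST_SECRET, 59))
```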
Mobile Google Authenticator
Scan the QR code with the Google Authenticator app on your phone
PAM SSH
Configure the sshd entry in the system's PAM configuration so that it supports google-authenticator authentication
vim /etc/pam.d/sshd
# Option A: add the following line at the bottom of the file (password authentication first, then google-authenticator):
auth required pam_google_authenticator.so
-----------------------------------------------------------------------
# Option B: add the following line as the first line of the file (google-authenticator first, then password authentication):
auth required pam_google_authenticator.so no_increment_hotp
SSH service
vim /etc/ssh/sshd_config
PasswordAuthentication yes
ChallengeResponseAuthentication yes
UsePAM yes
Restart ssh service
systemctl restart sshd
Login Verification
Authentication optimization
Skip google-authenticator authentication for hosts connecting from a specific network segment of the local area network, and require it for connections from any other network segment.
PAM SSH configuration
vim /etc/pam.d/sshd
# Add the following two lines at the top of the file (if pam_access succeeds, the next module is skipped; otherwise google-authenticator runs):
auth [success=1 default=ignore] pam_access.so accessfile=/etc/security/access-localhost.conf
auth required pam_google_authenticator.so no_increment_hotp
Create the access-localhost.conf file
cat /etc/security/access-localhost.conf
+ : ALL : 192.168.99.0/24
+ : ALL : LOCAL
- : ALL : ALL
Restart ssh service
systemctl restart sshd
Login Verification