什么是多因素認證(Multi-Factor Authentication, MFA)？

MFA，顧名思義使用多種獨立的驗證機制，對用戶進行身份驗證，只有全部通過時才能授權訪問。MFA的目的是建立一個多層次的防御，使未經授權的人訪問計算機系統或網絡更加困難。驗證機制可以分為：

• Sth. you know 用戶知道什么（知識型的身份驗證）

• Sth. you have 用戶有什么（安全性令牌或者智能卡）

• Sth. you are 用戶是什么（生物識別驗證）

以我們去ATM取款為例，我們需要插入卡片（sth. you have)并輸入密碼（sth. you know)才能成功提款。

適用于Linux Server的多因素認證

日常中常見的做法是使用public key 和 password的方式進行認證，但是由于public key通常都是直接存儲在控制臺上，導致知道控制臺密碼(sth. you know) + 遠程服務器密碼 (sth. you know) 就可以訪問服務器了，只使用了sth. you know 一種驗證方式。破解方式有兩種：

• 使用生物識別驗證的控制臺(sth. you are) + 遠程服務器密碼(sth. you know)

• 使用密碼認證的控制臺 (sth. you know) + 遠程服務器安全令牌認證(sth. you have)
  

這里著重講一下sth. you have的免費的認證方式google-authenticator，無需×××在手機上即可安裝google authenticator軟件. 從在手機上安裝軟件開始吧……

Google-authenticator在CentOS 7上的配置

• 安裝所需的軟件： ?

yum?install?-y??autoconf?automake?libtool?pam-devel?git?qrencode

• 安裝google-authenticator

git?clone?https://github.com/google/google-authenticator-libpam.git cd?google-authenticator-libpam/ ./bootstrap.sh ./configure make make?install ln?-s?/usr/local/lib/security/pam_google_authenticator.so?/usr/lib64/security/pam_google_authenticator.so

• 配置openssh， vi /etc/pam.d/sshd
  

auth????required????????pam_google_authenticator.so?nullok??#加在最上面一行 #auth???????substack?????password-auth

編輯/etc/ssh/sshd_config為

.?.?. #?Change?to?no?to?disable?s/key?passwords ChallengeResponseAuthentication?yes #ChallengeResponseAuthentication?no .?.?. AuthenticationMethods?publickey,password?publickey,keyboard-interactive

重啟sshd

systemctl?restart?sshd.service

• 為用戶啟用google-authenticator

google-authenticator

1）屏幕提示Do you want authentication tokens to be time-based (y/n) ，回答y選用基于時間的token

2）屏幕提示二維碼，拿出手機打開google authenticator軟件，點擊+后選擇“條形碼掃描"添加認證條目。

注意：將屏幕顯示的secret key, verification code 和 recovery codes 保存在安全的地方，供密碼恢復使用。

3）Do you want me to update your "/home/sammy/.google_authenticator" file (y/n) y

4）Do you want to disallow multiple uses of the same authentication token? This restricts you to one login about every 30s, but it increases your chances to notice or even prevent man-in-the-middle attacks (y/n) y

4）By default, tokens are good for 30 seconds. In order to compensate for possible time-skew between the client and the server, we allow an extra token before and after the current time. If you experience problems with poor time synchronization, you can increase the window from its default size of +-1min (window size of 3) to about +-4min (window size of 17 acceptable tokens). Do you want to do so? (y/n) n

5）If the computer that you are logging into isn't hardened against brute-force login attempts, you can enable rate-limiting for the authentication module. By default, this limits attackers to no more than 3 login attempts every 30s. Do you want to enable rate-limiting (y/n) y

• 新建ssh連接（不要關閉當前的防止無法訪問）測試配置是否成功。
  

轉載于:https://blog.51cto.com/41084/1952500

總結

以上是生活随笔為你收集整理的CentOS 7 使用Google-Authenticator进行多因素认证的全部內容，希望文章能夠幫你解決所遇到的問題。

如果覺得生活随笔網站內容還不錯，歡迎將生活随笔推薦給好友。