Two-factor authentication means presenting authentication information of two different kinds.
For example, a password followed by a code that a token produces at the press of a button. Many of you have probably seen such devices, and some even use them regularly.

It is as if a second lock had been put on the door. The key to the first is a regular password; the second is a one-time code valid for 30 seconds. You can get through the door only if both keys fit, not just one as before.
Google has offered two-factor authentication for its services for some time now, and the token has moved onto your Android phone; iPhone and BlackBerry work in this role too. Very convenient. After trying it on Gmail I wanted the same thing on my own server, and then I came across libpam-google-authenticator.
During initial setup a secret key is generated; it is stored on the server and must also be entered into the application on the phone. This is a one-time procedure; after that both sides work on their own. Each time, a code valid for 30 seconds is computed from the secret key and the current time using a special algorithm (TOTP, RFC 6238, linked at the end of the post).
I stress that Google's servers are not involved in authentication at all: the algorithm and key format are simply compatible with those used in Google's services, which makes it possible to use the ready-made mobile applications. For the paranoid, the source is open; a link to it is at the end of the post :)
Installing and preparing
I run Debian testing (Wheezy), so everything is available out of the box:
aptitude install libpam-google-authenticator
In Debian stable (Squeeze) this module has not been added yet, but the package from testing installs without problems.
Time to pick up your phone. If it is an Android, install Google Authenticator on it; a QR code scanner is useful as well. For other smartphones, see the project page linked at the end of the post.
Every user who is going to log in to the server must first run the console tool, which is called
google-authenticator
It immediately draws a nice QR code containing the secret key, and also prints five emergency scratch codes in case something happens to the phone. You do not need to open the URL the tool prints as well; it only renders a prettier QR code. You do not want to show your secret key to Google, do you? :)
Scan the QR code with the phone application right away, then answer the questions:
- Save everything permanently in ~/.google_authenticator?
- y
- Prohibit using the same code more than once? This helps to notice or prevent a man-in-the-middle attack.
- y
- Increase the time window from about 1.5 minutes to 4 minutes?
- n (but then immediately check that the clock on the phone is accurate)
- Limit the number of login attempts per period of time?
- y
If the file ~/.google_authenticator (by the way, its path can be changed with the corresponding module option) is missing, the user will not be let in.
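To make the calculation described above concrete, and the two setup answers about reusing a code and the time window, here is an added Python example; it is not code from the post or from the google-authenticator project. It assumes what the page and RFC 6238 state: the secret is shared base32-encoded, the code is HMAC-SHA1 based, six digits, and the counter is the number of 30-second steps since the Unix epoch. The verifier keeps the default window of one step on either side (about 1.5 minutes) and remembers accepted steps so a code cannot be replayed. The test key is the one from the RFC 4226/6238 test vectors.

```python
import base64
import hashlib
import hmac
import os
import struct
import time
from typing import Optional

STEP = 30    # seconds per time step: each code is valid for one step
DIGITS = 6   # Google Authenticator shows six-digit codes

# Shared key from the RFC 4226/6238 test vectors (ASCII "12345678901234567890"),
# base32-encoded the way the phone application expects it.
RFC_TEST_SECRET = base64.b32encode(b"12345678901234567890").decode("ascii")


def new_secret(nbytes: int = 10) -> str:
    """Generate a random secret and return it base32-encoded, the form that
    ends up in ~/.google_authenticator and in the QR code scanned by the phone."""
    return base64.b32encode(os.urandom(nbytes)).decode("ascii")


def hotp(secret_b32: str, counter: int) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter,
    dynamically truncated to a 31-bit integer and reduced to DIGITS digits."""
    cleaned = secret_b32.strip().upper()
    key = base64.b32decode(cleaned + "=" * (-len(cleaned) % 8))
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** DIGITS).zfill(DIGITS)


def totp(secret_b32: str, at: Optional[int] = None) -> str:
    """RFC 6238 TOTP: the counter is the number of 30-second steps since the epoch."""
    now = int(time.time()) if at is None else at
    return hotp(secret_b32, now // STEP)


class Verifier:
    """Server-side check with the two properties chosen during setup:
    a window of neighbouring steps tolerates small clock drift, and every
    accepted step is remembered so the same code cannot be used twice."""

    def __init__(self, secret_b32: str, window: int = 1):
        self.secret = secret_b32
        self.window = window        # 1 -> steps T-1, T, T+1, i.e. about 1.5 minutes
        self.used_steps = set()

    def verify(self, code: str, at: Optional[int] = None) -> bool:
        now = int(time.time()) if at is None else at
        step = now // STEP
        for candidate in range(max(0, step - self.window), step + self.window + 1):
            if hmac.compare_digest(hotp(self.secret, candidate), code):
                if candidate in self.used_steps:
                    return False    # correct code, but already accepted once: reject the replay
                self.used_steps.add(candidate)
                return True
        return False


if __name__ == "__main__":
    secret = new_secret()
    print("secret for the phone:", secret)
    print("current code:", totp(secret))
```

Because the server only ever recomputes the code from the stored key and the clock, the phone's clock must be accurate to within the window; that is the reason for the advice above to check the time on the phone when you decline the larger window.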
Configure SSH and PAM
Until everything works, it is better to keep a root shell open. In /etc/ssh/sshd_config, enable challenge-response authentication and restart ssh:
ChallengeResponseAuthentication yes
To control who is asked for the second factor, create the file /etc/ssh/two-factor-skip.conf, for example:
In /etc/pam.d/sshd add these two lines:
auth [success=1 default=ignore] pam_access.so accessfile=/etc/ssh/two-factor-skip.conf
auth required pam_google_authenticator.so
It is best to place them before
@include common-auth
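Since the contents of two-factor-skip.conf are not shown above, here is an added example (not the post's own file) with constructed contents in pam_access syntax, together with a small Python model of how the [success=1 default=ignore] control flag decides whether pam_google_authenticator is consulted. The model implements only a subset of pam_access matching (ALL, user names, IP addresses and CIDR networks); the assumed LAN and host addresses are placeholders.

```python
import ipaddress
from typing import List, Tuple

# Constructed contents for /etc/ssh/two-factor-skip.conf in pam_access syntax
# (permission : users : origins). Assumed example, not the post's own file:
# logins from the office LAN and one backup host skip the one-time code,
# everyone else is denied by pam_access and therefore falls through to the OTP.
SKIP_CONF = """
# permission : users : origins
+ : ALL    : 192.168.1.0/24
+ : backup : 10.0.0.5
- : ALL    : ALL
"""

Rule = Tuple[bool, List[str], List[str]]


def parse_access_rules(text: str) -> List[Rule]:
    """Parse the three-field access file; '#' starts a comment."""
    rules: List[Rule] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = [f.strip() for f in line.split(":", 2)]
        if len(fields) != 3:
            raise ValueError("malformed access rule: %r" % raw)
        perm, users, origins = fields
        rules.append((perm == "+", users.split(), origins.split()))
    return rules


def _origin_matches(pattern: str, origin: str) -> bool:
    """Subset of pam_access origin matching: ALL, an IP address or CIDR
    network, otherwise a literal (e.g. hostname) comparison."""
    if pattern == "ALL":
        return True
    try:
        return ipaddress.ip_address(origin) in ipaddress.ip_network(pattern, strict=False)
    except ValueError:
        return pattern == origin


def pam_access_permits(rules: List[Rule], user: str, origin: str) -> bool:
    """The first matching rule decides. With no matching rule pam_access
    grants access, which is why the file must end with '- : ALL : ALL'."""
    for allow, users, origins in rules:
        user_ok = "ALL" in users or user in users
        if user_ok and any(_origin_matches(p, origin) for p in origins):
            return allow
    return True


def otp_required(rules: List[Rule], user: str, origin: str) -> bool:
    """Model of the two lines in /etc/pam.d/sshd:
         auth [success=1 default=ignore] pam_access.so accessfile=/etc/ssh/two-factor-skip.conf
         auth required pam_google_authenticator.so
    success=1 skips the next module when pam_access succeeds; any other
    result is ignored and the stack falls through to the OTP module."""
    return not pam_access_permits(rules, user, origin)


if __name__ == "__main__":
    rules = parse_access_rules(SKIP_CONF)
    for user, origin in [("alice", "192.168.1.42"), ("alice", "203.0.113.7"), ("backup", "10.0.0.5")]:
        verdict = "one-time code required" if otp_required(rules, user, origin) else "skipped"
        print(user, origin, "->", verdict)
```

The final "- : ALL : ALL" line is the important one: without it pam_access grants access for every unmatched origin, the skip jumps over pam_google_authenticator for everyone, and the server is back to password-only logins.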
Check
ssh to the host you have just set up. Enter the one-time code, then the password. Enjoy.
Because of how OpenSSH currently works, two-factor authentication does not apply when you log in with a key (PAM is not used). Unfortunately.
What's next?
Other services that use PAM can be improved in the same way.
Links
- code.google.com/p/google-authenticator/wiki/PamModuleInstructions
- code.google.com/p/google-authenticator
- tools.ietf.org/html/rfc6238
- habrahabr.ru/blogs/google/125193
- www.google.com/support/accounts/bin/answer.py?hl=en&answer=1066447