How to Set Up Two-Factor Authentication for SSH on Linux


By default, SSH already uses secure data communication between remote machines, but if you want to add an extra layer of security to your SSH connections, you can add the Google Authenticator (two-factor authentication) module, which lets you enter a time-based one-time password (TOTP) verification code when connecting to an SSH server. You will have to enter the verification code from your smartphone or PC when you connect.

Google Authenticator is an open-source module that includes implementations of one-time passcode (TOTP) verification tokens developed by Google.

It supports several mobile platforms, as well as PAM (Pluggable Authentication Module). These one-time passcodes are generated using open standards created by the OATH Initiative for Open Authentication.

In this article, I will show you how to set up and configure SSH for two-factor authentication under RedHat-based and Debian-based Linux distributions such as Fedora, CentOS Stream, Rocky Linux, and AlmaLinux, Ubuntu, Debian, and Mint.

Installing Google Authenticator on Linux

Open the machine on which you want to set up two-factor authentication and install the following PAM libraries, along with the development libraries needed for the PAM module to work correctly with the Google Authenticator module.

On RedHat-based systems, install the 'pam-devel' package using the following yum command.

# yum install google-authenticator -y

On Debian-based systems, install the 'libpam0g-dev' package using the following apt command.

$ sudo apt install libpam-google-authenticator -y

Generate Google Authentication Tokens

Once you run the 'google-authenticator' command, it will prompt you with a series of questions.

# google-authenticator

Simply type "y" (yes) as the answer in most situations. If something goes wrong, you can run the 'google-authenticator' command again to reset the settings.

  • Do you want authentication tokens to be time-based (y/n) y

After this question, you will get your 'secret key' and 'emergency codes'. Write these details down somewhere; we will need the 'secret key' later to set up the Google Authenticator app.

# google-authenticator

Do you want authentication tokens to be time-based (y/n) y
Warning: pasting the following URL into your browser exposes the OTP secret to Google:
  https://www.google.com/chart?chs=200x200&chld=M|0&cht=qr&chl=otpauth://totp/[email %3Fsecret%3DCYZF2YF7HFGX55ZEPQYLHOO5JM%26issuer%3Dtecmint
Failed to use libqrencode to show QR code visually for scanning.
Consider typing the OTP secret into your app manually.
Your new secret key is: CYZF2YF7HFGX55ZEPQYLHOM
Enter code from app (-1 to skip): -1
Code confirmation skipped
Your emergency scratch codes are:
  83714291
  53083200
  80975623
  57217008
  77496339

Next, follow the setup wizard and in most cases type the answer as y (yes), as shown below.

Do you want me to update your "/root/.google_authenticator" file (y/n) y

Do you want to disallow multiple uses of the same authentication
token? This restricts you to one login about every 30s, but it increases
your chances to notice or even prevent man-in-the-middle attacks (y/n) y

By default, tokens are good for 30 seconds and in order to compensate for
possible time-skew between the client and the server, we allow an extra
token before and after the current time. If you experience problems with poor
time synchronization, you can increase the window from its default
size of 1:30min to about 4min. Do you want to do so (y/n) y

If the computer that you are logging into isn't hardened against brute-force
login attempts, you can enable rate-limiting for the authentication module.
By default, this limits attackers to no more than 3 login attempts every 30s.
Do you want to enable rate-limiting (y/n) y
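
How the server side checks a code against the secret key, the 30-second step, the one-token window and the reuse rule described in the prompts above, as an added Python example (not from the original article and not the PAM module's own code). The secret is the constructed RFC 6238 test key, and the Verifier class is a simplified, hypothetical model of the reuse check.

```python
import base64
import hashlib
import hmac
import struct

STEP = 30  # seconds per time step, matching "tokens are good for 30 seconds"
# Constructed sample secret: base32 of the RFC 6238 test key "12345678901234567890".
RFC_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"

def totp(secret_b32, unix_time, digits=6):
    """RFC 6238 TOTP with HMAC-SHA1 over the 30-second step counter."""
    # Authenticator secrets are usually unpadded base32; restore the padding.
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    key = base64.b32decode(padded)
    counter = struct.pack(">Q", unix_time // STEP)
    digest = hmac.new(key, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F  # dynamic truncation from RFC 4226
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

class Verifier:
    """Accepts a code from the current step +/- `window` steps, once per step."""
    def __init__(self, secret_b32, window=1):
        self.secret = secret_b32
        self.window = window
        self.last_step = -1  # newest step whose code was already accepted

    def verify(self, code, now):
        current = now // STEP
        first = max(0, current - self.window)
        for step in range(first, current + self.window + 1):
            if hmac.compare_digest(totp(self.secret, step * STEP), code):
                if step <= self.last_step:
                    return False  # same (or older) token presented again
                self.last_step = step
                return True
        return False

if __name__ == "__main__":
    v = Verifier(RFC_SECRET)
    code = totp(RFC_SECRET, 59)
    print(code, v.verify(code, 59), v.verify(code, 59))
```
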

Configuring SSH to Use Google Authenticator on Linux

Open the PAM configuration file '/etc/pam.d/sshd' and add the following lines to the bottom of the file.

auth required pam_google_authenticator.so nullok
auth required pam_permit.so

Next, open the SSH configuration file '/etc/ssh/sshd_config' and scroll down to find the line that says:

ChallengeResponseAuthentication no

Change it to yes. So, it looks like this.

ChallengeResponseAuthentication yes

Finally, restart the SSH service to apply the new changes.

# systemctl restart sshd
Or
$ sudo systemctl restart sshd

Configuring the Google Authenticator App

Open the Google Authenticator app on your smartphone. Press + and choose 'Enter a setup key'. If you don't have this app, you can download and install the Google Authenticator app on your Android/iPhone/Blackberry devices.

Enter your account 'Name' and enter the 'secret key' generated earlier.

It will generate a one-time password (verification code) that changes every 30 seconds on your phone.

Now try to log in via SSH. You will be prompted for a Google Authenticator code (verification code) and a password whenever you attempt to log in via SSH. You have only 30 seconds to enter this verification code; if you miss it, a new verification code will be generated.

login as: tecmint
Access denied
Using keyboard-interactive authentication.
Verification code:
Using keyboard-interactive authentication.
Password:
Last login: Tue Apr 23 13:58:29 2022 from 172.16.25.125

If you don't have a smartphone, you can also use a Firefox add-on called Authenticator to do two-factor authentication.

Important: Two-factor authentication works with password-based SSH logins. If you are using an SSH private/public key session, it will ignore two-factor authentication and log you in directly.
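
The key-based login described in the note above and the nullok option in the PAM lines are the two places where this setup lets a login finish without a code. As an added example (not from the original article), the Python sketch below audits the text of the two files for those gaps. The sample configurations are constructed, AuthenticationMethods and KbdInteractiveAuthentication are real sshd_config keywords that do not appear on this page, and Match blocks are not handled.

```python
# Constructed samples: the settings this page ends up with, and a stricter variant.
PAGE_SSHD = "UsePAM yes\nChallengeResponseAuthentication yes\n"
PAGE_PAM = "auth required pam_google_authenticator.so nullok\nauth required pam_permit.so\n"
STRICT_SSHD = ("UsePAM yes\nKbdInteractiveAuthentication yes\n"
               "AuthenticationMethods publickey,keyboard-interactive\n")
STRICT_PAM = "auth required pam_google_authenticator.so\n"

def directives(text):
    """Map lower-cased sshd_config keywords to values; the first occurrence wins."""
    found = {}
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split(None, 1)
        if parts:
            found.setdefault(parts[0].lower(), parts[1].strip() if len(parts) > 1 else "")
    return found

def audit(sshd_config, pam_sshd):
    """Return findings about where a login could complete without a TOTP code."""
    cfg, findings = directives(sshd_config), []
    ga = [l.split() for l in pam_sshd.splitlines()
          if "pam_google_authenticator.so" in l and not l.lstrip().startswith("#")]
    if not ga:
        findings.append("pam: pam_google_authenticator.so is not in the stack")
    elif any("nullok" in fields for fields in ga):
        findings.append("pam: nullok lets accounts with no secret file skip the code")
    # Assumption of this example: a keyword that is absent counts as not enabled.
    kbd = cfg.get("kbdinteractiveauthentication",
                  cfg.get("challengeresponseauthentication", "no"))
    if kbd.lower() != "yes":
        findings.append("sshd: keyboard-interactive is not enabled, no code prompt")
    if cfg.get("usepam", "no").lower() != "yes":
        findings.append("sshd: UsePAM is not yes, the PAM stack is not used")
    # AuthenticationMethods: space-separated alternatives, each a comma-separated chain.
    chains = cfg.get("authenticationmethods", "any").split()
    key_only = any(c == "any" or all(m.startswith("publickey") for m in c.split(","))
                   for c in chains)
    if cfg.get("pubkeyauthentication", "yes").lower() == "yes" and key_only:
        findings.append("sshd: a public-key login completes without a code")
    return findings

if __name__ == "__main__":
    for name, s, p in (("page", PAGE_SSHD, PAGE_PAM), ("strict", STRICT_SSHD, STRICT_PAM)):
        print(name, audit(s, p) or "no findings")
```
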