CentOS 7 使用Google-Authenticator进行多因素认证

什么是多因素认证(Multi-Factor Authentication, MFA)？

MFA，顾名思义使用多种独立的验证机制，对用户进行身份验证，只有所有经过时才能受权访问。MFA的目的是创建一个多层次的防护，使未经受权的人访问计算机系统或网络更加困难。验证机制能够分为：

• Sth. you know 用户知道什么（知识型的身份验证）

• Sth. you have 用户有什么（安全性令牌或者智能卡）

• Sth. you are 用户是什么（生物识别验证）

以咱们去ATM取款为例，咱们须要插入卡片（sth. you have)并输入密码（sth. you know)才能成功提款。

适用于Linux Server的多因素认证

平常中常见的作法是使用public key 和 password的方式进行认证，可是因为public key一般都是直接存储在控制台上，致使知道控制台密码(sth. you know) + 远程服务器密码 (sth. you know) 就能够访问服务器了，只使用了sth. you know 一种验证方式。破解方式有两种：

• 使用生物识别验证的控制台(sth. you are) + 远程服务器密码(sth. you know)

• 使用密码认证的控制台 (sth. you know) + 远程服务器安全令牌认证(sth. you have)
  

这里着重讲一下sth. you have的免费的认证方式google-authenticator，无需×××在手机上便可安装google authenticator软件. 从在手机上安装软件开始吧……

Google-authenticator在CentOS 7上的配置

• 安装所需的软件：  

yum install -y  autoconf automake libtool pam-devel git qrencode

• 安装google-authenticator

git clone https://github.com/google/google-authenticator-libpam.git
cd google-authenticator-libpam/
./bootstrap.sh
./configure
make
make install
ln -s /usr/local/lib/security/pam_google_authenticator.so /usr/lib64/security/pam_google_authenticator.so

• 配置openssh， vi /etc/pam.d/sshd
  

auth    required        pam_google_authenticator.so nullok  #加在最上面一行
#auth       substack     password-auth

编辑/etc/ssh/sshd_config为

. . .
# Change to no to disable s/key passwords
ChallengeResponseAuthentication yes
#ChallengeResponseAuthentication no
. . .
AuthenticationMethods publickey,password publickey,keyboard-interactive

重启sshd

systemctl restart sshd.service

• 为用户启用google-authenticator

google-authenticator

1）屏幕提示Do you want authentication tokens to be time-based (y/n) ，回答y选用基于时间的token

2）屏幕提示二维码，拿出手机打开google authenticator软件，点击+后选择“条形码扫描"添加认证条目。

注意：将屏幕显示的secret key, verification code 和 recovery codes 保存在安全的地方，供密码恢复使用。

3）Do you want me to update your "/home/sammy/.google_authenticator" file (y/n) y

4）Do you want to disallow multiple uses of the same authentication token? This restricts you to one login about every 30s, but it increases your chances to notice or even prevent man-in-the-middle attacks (y/n) y

4）By default, tokens are good for 30 seconds. In order to compensate for possible time-skew between the client and the server, we allow an extra token before and after the current time. If you experience problems with poor time synchronization, you can increase the window from its default size of +-1min (window size of 3) to about +-4min (window size of 17 acceptable tokens). Do you want to do so? (y/n) n

5）If the computer that you are logging into isn't hardened against brute-force login attempts, you can enable rate-limiting for the authentication module. By default, this limits attackers to no more than 3 login attempts every 30s. Do you want to enable rate-limiting (y/n) y

• 新建ssh链接（不要关闭当前的防止没法访问）测试配置是否成功。