SSH multi-factor authentication (MFA)

Multi-factor authentication (MFA) is a key measure for raising system security.

Many organizations use weak or never-changed login passwords. Weak passwords are easily broken by brute-force tools, and even complex passwords can leak. Keys carry a risk of leaking as well.

The purpose of MFA is to keep a system protected from malicious access even after its login credentials have been exposed.

There are many ways to implement MFA; the most common are SMS codes, e-mail codes and TOTP. Weighing the security and cost of these three, TOTP is the recommended option.

The TOTP algorithm (Time-based One-time Password algorithm) computes a one-time password from a shared secret and the current time. It has been adopted as the Internet Engineering Task Force standard RFC 6238, is a cornerstone of the Initiative for Open Authentication (OATH), and is used in many two-factor authentication systems.

TOTP derives each code from the secret and the time, so the server and client clocks must be synchronized before it is used.

Server side: Google Authenticator

Phone client: Google Authenticator, 2FAS Auth

1. Synchronize the system time

# Using NTP as an example
# Set the time zone (Shanghai)
timedatectl set-timezone Asia/Shanghai

# Enable time synchronization
timedatectl set-ntp true

# Synchronize the time manually
ntpdate time.windows.com

2. Google Authenticator

# CentOS
yum -y install epel-release ; yum -y install google-authenticator

# Ubuntu
apt install libpam-google-authenticator

3. Generate the token

# Switch to the user who will use multi-factor authentication
# google-authenticator

Do you want authentication tokens to be time-based (y/n)  y   # enable time-based authentication
Warning: pasting the following URL into your browser exposes the OTP secret to Google:
  https://www.google.com/chart?chs=200x200&chld=M|0&cht=qr&chl=otpauth://totp/wuxk@apple%3Fsecret%3DCHQVZYCQOYNKQ5ETAHL2CHB5NY%26issuer%3Dapple

Your new secret key is: CHQVZYCQOYNKQ5ETAHL2CHB5NY
Enter code from app (-1 to skip): # enter the code the phone shows after scanning the QR code
Code confirmation skipped
Your emergency scratch codes are:
  2405420
  5151806
  5402433
  7968067
  2325809

# Keep this file safe; do not delete or modify it
Do you want me to update your "/home/wuxk/.google_authenticator" file?  y   # write the authentication data to this file

Do you want to disallow multiple uses of the same authentication
token? This restricts you to one login about every 30s, but it increases
your chances to notice or even prevent man-in-the-middle attacks (y/n) y        # disallow token reuse; each generated code expires automatically after 30s

By default, a new token is generated every 30 seconds by the mobile app.
In order to compensate for possible time-skew between the client and the server,
we allow an extra token before and after the current time. This allows for a
time skew of up to 30 seconds between authentication server and client. If you
experience problems with poor time synchronization, you can increase the window
from its default size of 3 permitted codes (one previous code, the current
code, the next code) to 17 permitted codes (the 8 previous codes, the current
code, and the 8 next codes). This will permit for a time skew of up to 4 minutes
between client and server.
Do you want to do so? (y/n) y # compensate for clock drift by setting the time window; the minimum is three codes. Answering y lets you see 8 valid codes within 4 minutes; answering n lets you see three valid codes within a minute and a half

Do you want to enable rate-limiting? (y/n)  y     # enable rate limiting, mainly to defend against guessing attacks

4. Configure SSH and PAM

# Ubuntu 22.04
# /etc/ssh/sshd_config
PasswordAuthentication no
ChallengeResponseAuthentication yes
KbdInteractiveAuthentication yes
AuthenticationMethods  publickey,keyboard-interactive

# /etc/pam.d/sshd 
#%PAM-1.0
# ADD GOOGLE AUTH
auth       required     pam_google_authenticator.so

# Comment out this line to disable password login
#auth       substack     password-auth

# Differences on Ubuntu Server 24.04
# Comment out this line
# @include common-auth
# and add the following below it
auth required pam_google_authenticator.so

Restart the ssh service

Linux tips 2025-07-24
Linux configuration 2025-07-23
