环境信息
- uniontechos-server-20-1060a
- uniontechos-server-20-1060e
问题描述
因客户业务系统需过等保测评,需ssh登录实现:”应采用口令、密码技术、生物技术等两种或两种以上组合的鉴别技术对用户进行身份鉴别,且其中一种鉴别技术至少应使用密码技术来实现“
解决方案
步骤1 配置root的ssh登录(禁用 root 用户ssh登录)
# vim /etc/ssh/sshd_config
PermitRootLogin no
# systemctl restart sshd步骤2 配置 Google Authenticator 进行双因素认证(2FA)
# yum install epel-release
# yum install google-authenticator qrencode运行以下命令为当前用户生成Google Authenticator配置:
google-authenticator在运行这个命令后,系统会提出一系列问题。以下是推荐的配置:
- Do you want authentication tokens to be time-based (y/n) y
- Do you want me to update your "/home/imon/.google_authenticator" file? (y/n) y
- Do you want to disallow multiple uses of the same authentication token? This restricts you to one login about every 30s, but it increases your chances to notice or even prevent man-in-the-middle attacks (y/n) y
- By default, a new token is generated every 30 seconds by the mobile app. In order to compensate for possible time-skew between the client and the server, we allow an extra token before and after the current time. This allows for a time skew of up to 30 seconds between authentication server and client. If you experience problems with poor time synchronization, you can increase the window from its default size of 3 permitted codes (one previous code, the current code, the next code) to 17 permitted codes (the 8 previous codes, the current code, and the 8 next codes). This will permit for a time skew of up to 4 minutes between client and server. Do you want to do so? (y/n) n
- If the computer that you are logging into isn't hardened against brute-force login attempts, you can enable rate-limiting for the authentication module. By default, this limits attackers to no more than 3 login attempts every 30s. Do you want to enable rate-limiting? (y/n) y
步骤3:编辑PAM配置文件 /etc/pam.d/sshd 在文件中添加以下行:
auth required pam_google_authenticator.so nullok- 将这行代码添加到文件顶部以确保它在所有其他认证模块之前执行
- nullok 选项项允许没有配置Google Authenticator的用户仅使用密码登录
步骤4:编辑SSH配置文件/etc/ssh/sshd_config,找到并修改以下设置,实现仅通过 keyboard-interactive 方法登录:
UsePAM yes
ChallengeResponseAuthentication yes
AuthenticationMethods keyboard-interactive步骤5:重启SSH服务
# systemctl restart sshd- 测试配置使用SSH登录服务器时,你会被要求输入密码,然后输入Google Authenticator应用生成的验证码
- 为所有用户配置Google Authenticator如果需要为所有用户配置Google Authenticator,可以让每个用户在首次登录时运行google-authenticator命令,生成他们的密钥
- 注意事项确保你有物理访问服务器的能力,以防配置错误导致无法远程登录
©统信软件技术有限公司。访问者可将本网站提供的内容或服务用于个人学习、研究或欣赏,以及其他非商业性或非盈利性用途,但同时应遵守著作权法及其他相关法律的规定,不得侵犯本网站及相关权利人的合法权利。除此以外,将本网站任何内容或服务进行转载,须备注:该文档出自【faq.uniontech.com】统信软件知识分享平台。否则统信软件将追究相关版权责任。
