Merge pull request #11770 from hopefully2333/master

[translated] 20181022 Improve login security with challenge-response authentication.md
2025-03-24 02:20:09 +08:00 · 2018-12-24 07:00:17 +08:00 · 2018-12-24 07:00:17 +08:00 · 32ad260d8d
commit 32ad260d8d
parent 39670b1c2f 6ad5b97e7a
2 changed files with 182 additions and 185 deletions
--- a/sources/tech/20181022
+++ b/sources/tech/20181022
@ -1,185 +0,0 @@
-translating by hopefully2333
-
-Improve login security with challenge-response authentication
-======
-
-![](https://fedoramagazine.org/wp-content/uploads/2018/10/challenge-response-816x345.png)
-
-### Introduction
-
-Today, Fedora offers multiple ways to improve the secure authentication of our user accounts. Of course it has the familiar user name and password to login. It also offers additional authentication options such as biometric, fingerprint, smart card, one-time password, and even challenge-response authentication.
-
-Each authentication method has clear pros and cons. That, in itself, could be a topic for a rather lengthy article. Fedora Magazine has covered a few of these options previously:
-
-
-+ [Using the YubiKey4 with Fedora][1]
-+ [Fedora 28: Better smart card support in OpenSSH][2]
-
-
-One of the most secure methods in modern Fedora releases is offline hardware challenge-response. It’s also one of the easiest to deploy. Here’s how.
-
-### Challenge-response authentication
-
-Technically, when you provide a password, you’re responding to a user name challenge. The offline challenge response covered here requires your user name first. Next, Fedora challenges you to provide an encrypted physical hardware token. The token responds to the challenge with another encrypted key it stores via the Pluggable Authentication Modules (PAM) framework. Finally, Fedora prompts you for the password. This prevents someone from just using a found hardware token, or just using a user name and password without the correct encrypted key.
-
-This means that in addition to your user name and password, you must have previously registered one or more encrypted hardware tokens with the OS. And you have to provide that physical hardware token to be able to authenticate with your user name.
-
-Some challenge-response methods, like one time passwords (OTP), take an encrypted code key on the hardware token, and pass that key across the network to a remote authentication server. The server then tells Fedora’s PAM framework if it’s is a valid token for that user name. This is great if the authentication server(s) are on the local network. The downside is if the network connection is down or you’re working remote without a network connection, you can’t use this remote authentication method. You could be locked out of the system until you can connect through the network to the server.
-
-Sometimes a workplace requires use of Yubikey One Time Passwords (OTP) configuration. However, on home or personal systems you may prefer a local challenge-response configuration. Everything is local, and the method requires no remote network calls. The following process works on Fedora 27, 28, and 29.
-
-### Preparation
-
-#### Hardware token keys
-
-First you need a secure hardware token key. Specifically, this process requires a Yubikey 4, Yubikey NEO, or a recently released Yubikey 5 series device which also supports FIDO2. You should purchase two of them to provide a backup in case one becomes lost or damaged. You can use these keys on numerous workstations. The simpler FIDO or FIDO U2F only versions don’t work for this process, but are great for online services that use FIDO.
-
-#### Backup, backup, and backup
-
-Next, make a backup of all your important data. You may want to test the configuration in a Fedora 27/28/29 cloned VM to make sure you understand the process before setting up your personal workstation.
-
-#### Updating and installing
-
-Now make sure Fedora is up to date. Then install the required Fedora Yubikey packages via these dnf commands:
-
-```
-$ sudo dnf upgrade
-$ sudo dnf install ykclient* ykpers* pam_yubico*
-$ cd
-```
-
-If you’re in a VM environment, such as Virtual Box, make sure the Yubikey device is inserted in a USB port, and enable USB access to the Yubikey in the VM control.
-
-### Configuring Yubikey
-
-Verify that your user account has access to the USB Yubikey:
-
-```
-$ ykinfo -v
-version: 3.5.0
-```
-
-If the YubiKey is not detected, the following error message appears:
-
-```
-Yubikey core error: no yubikey present
-```
-
-Next, initialize each of your new Yubikeys with the following ykpersonalize command. This sets up the Yubikey configuration slot 2 with a Challenge Response using the HMAC-SHA1 algorithm, even with less than 64 characters. If you have already setup your Yubikeys for challenge-response, you don’t need to run ykpersonalize again.
-
-```
-ykpersonalize -2 -ochal-resp -ochal-hmac -ohmac-lt64 -oserial-api-visible
-```
-
-Some users leave the YubiKey in their workstation while using it, and even use challenge-response for virtual machines. However, for more security you may prefer to manually trigger the Yubikey to respond to challenge.
-
-To add that manual challenge button trigger, add the -ochal-btn-trig flag. This flag causes the Yubikey to flash the yubikey LED on a request. It waits for you to press the button on the hardware key area within 15 seconds to produce the response key.
-
-```
-$ ykpersonalize -2 -ochal-resp -ochal-hmac -ohmac-lt64 -ochal-btn-trig -oserial-api-visible
-```
-
-Do this for each of your new hardware keys, only once per key. Once you have programmed your keys, store the Yubikey configuration to ~/.yubico with the following command:
-
-```
-$ ykpamcfg -2 -v
-debug: util.c:222 (check_firmware_version): YubiKey Firmware version: 4.3.4
-
-Sending 63 bytes HMAC challenge to slot 2
-Sending 63 bytes HMAC challenge to slot 2
-Stored initial challenge and expected response in '/home/chuckfinley/.yubico/challenge-9992567'.
-```
-
-If you are setting up multiple keys for backup purposes, configure all the keys the same, and store each key’s challenge-response using the ykpamcfg utility. If you run the command ykpersonalize on an existing registered key, you must store the configuration again.
-
-### Configuring /etc/pam.d/sudo
-
-Now to verify this configuration worked, **in the same terminal window** you’ll setup sudo to require the use of the Yubikey challenge-response. Insert the following line into the /etc/pam.d/sudo file:
-
-```
-auth required pam_yubico.so mode=challenge-response
-```
-
-Insert the above auth line into the file above the auth include system-auth line. Then save the file and exit the editor. In a default Fedora 29 setup, /etc/pam.d/sudo should now look like this:
-
-```
-#%PAM-1.0
-auth required pam_yubico.so mode=challenge-response
-auth include system-auth
-account include system-auth
-password include system-auth
-session optional pam_keyinit.so revoke
-session required pam_limits.so
-session include system-auth
-```
-
-**Keep this original terminal window open** , and test by opening another new terminal window. In the new terminal window type:
-
-```
-$ sudo echo testing
-```
-
-You should notice the LED blinking on the key. Tap the Yubikey button and you should see a prompt for your sudo password. After you enter your password, you should see “testing” echoed in the terminal screen.
-
-Now test to ensure a correct failure. Start another terminal window and remove the Yubikey from the USB port. Verify that sudo no longer works without the Yubikey with this command:
-
-```
-$ sudo echo testing fail
-```
-
-You should immediately be prompted for the sudo password. Even if you enter the password, it should fail.
-
-### Configuring Gnome Desktop Manager
-
-Once your testing is complete, now you can add challenge-response support for the graphical login. Re-insert your Yubikey into the USB port. Next you’ll add the following line to the /etc/pam.d/gdm-password file:
-
-```
-auth required pam_yubico.so mode=challenge-response
-```
-
-Open a terminal window, and issue the following command. You can use another editor if desired:
-
-```
-$ sudo vi /etc/pam.d/gdm-password
-```
-
-You should see the yubikey LED blinking. Press the yubikey button, then enter the password at the prompt.
-
-Modify the /etc/pam.d/gdm-password file to add the new auth line above the existing line auth substack password-auth. The top of the file should now look like this:
-
-```
-auth [success=done ignore=ignore default=bad] pam_selinux_permit.so
-auth required pam_yubico.so mode=challenge-response
-auth substack password-auth
-auth optional pam_gnome_keyring.so
-auth include postlogin
-
-account required pam_nologin.so
-```
-
-Save the changes and exit the editor. If you use vi, the key sequence is to hit the **Esc** key, then type wq! at the prompt to save and exit.
-
-### Conclusion
-
-Now log out of GNOME. With the Yubikey inserted into the USB port, click on your user name in the graphical login. The Yubikey LED begins to flash. Touch the button, and you will be prompted for your password.
-
-If you lose the Yubikey, you can still use the secondary backup Yubikey in addition to your set password. You can also add additional Yubikey configurations to your user account.
-
-If someone gains access to your password, they still can’t login without your physical hardware Yubikey. Congratulations! You’ve now dramatically increased the security of your workstation login.
-
--------------------------------------------------------------------------------
-
-via: https://fedoramagazine.org/login-challenge-response-authentication/
-
-作者：[nabooengineer][a]
-选题：[lujun9972][b]
-译者：[译者ID](https://github.com/译者ID)
-校对：[校对者ID](https://github.com/校对者ID)
-
-本文由 [LCTT](https://github.com/LCTT/TranslateProject) 原创编译，[Linux中国](https://linux.cn/) 荣誉推出
-
-[a]: https://fedoramagazine.org/author/nabooengineer/
-[b]: https://github.com/lujun9972
-[1]: https://fedoramagazine.org/using-the-yubikey4-with-fedora/
-[2]: https://fedoramagazine.org/fedora-28-better-smart-card-support-openssh/
-
--- a/translated/tech/20181022
+++ b/translated/tech/20181022
@ -0,0 +1,182 @@
+通过询问-响应身份认证提高登陆安全
+======
+
+![](https://fedoramagazine.org/wp-content/uploads/2018/10/challenge-response-816x345.png)
+
+### 介绍
+
+今天，Fedora 提供了多种方式来提高我们账户的身份认证的安全性。当然，它有我们熟悉的用户名密码登陆，它也同样提供了其他的身份认证选项，比如生物识别、指纹、智能卡、一次性密码，甚至是询问-响应身份认证。
+
+每种认证方式都有明确的优缺点。这点本身就可以成为一篇相当冗长的文章的主题。Fedora 杂志之前就已经介绍过了这其中的一些选项：
+
+
+ [Using the YubiKey4 with Fedora][1]
+ [Fedora 28: Better smart card support in OpenSSH][2]
+
+
+在现在的 Fedora 版本中，最安全的方法之一就是离线硬件询问-响应。它也同样是最容易部署的方法之一。下面是具体方法：
+
+### 询问-响应认证
+
+从技术上来讲，当你输入密码的时候，你就正在响应用户名询问。离线的询问、响应包含了这些部分：首先是需要你的用户名，接下来，Fedora 会要你提供一个加密的物理硬件的令牌。令牌会将另一个通过可插入式身份认证模块（PAM）框架进行存储的加密密钥来响应询问。最后，Fedora 才会提示你输入密码。这可以防止其他人仅仅使用了找到的硬件令牌，或是只使用了账户名密码而没有正确的加密密钥。
+
+这意味着除了你的账户名密码之外，你必须事先在你的操作系统中注册了一个或多个加密硬件令牌。你必须保证你的物理硬件令牌能够匹配你的用户名。
+
+一些询问-响应的方法，比如一次性密码（OTP），在硬件令牌上获取加密代码密钥，然后将这个密钥通过网络传输到远程身份认证服务器。然后这个服务器会告诉 Fedora 的 PAM 框架，这是否是该用户的一个有效令牌。如果身份认证服务器在本地网络上，这个方法非常好。但它的缺点是如果网络连接断开或是你在没有网的远程端工作。你会被锁在系统之外，直到你能通过网络连接到身份认证服务器。
+
+有时候，生产环境会需要通过 Yubikey 使用一次性密码（OTP）设置，然而，在家庭或个人的系统上，你可能更喜欢询问-响应设置。一切都是本地的，这种方法不需要通过远程网络呼叫。下面这些过程适用于 Fedora 27、28和29.
+
+### 准备
+
+#### 硬件令牌密钥
+
+首先，你需要一个安全的硬件令牌密钥。具体来说，这个过程需要一个 Yubikey 4，Yubikey NEO，或者是最近发布的、同样支持 FIDO2 的 Yubikey 5 系列设备。你应该购买它们中的两个来有一个备份，以避免其中一个丢失或遭到损坏。你可以在不同的工作地点使用这些密钥。较为简单的 FIDO 和 FIDO U2F 版本不适用与这个过程，但是非常适合使用 FIDO 的在线服务。
+
+#### 备份、备份，以及备份
+
+接下来，为你所有的重要数据制作备份，你可能想在克隆在 VM 里的 Fedora 27/28/29 里测试配置，来确保你在设置你自己的个人工作环境之前理解这个过程。
+
+#### 升级，然后安装
+
+现在，确定你的 Fedora 是最新的，然后通过 dnf 命令安装所需要的 Fedora Yubikey 包。
+
+```
+$ sudo dnf upgrade
+$ sudo dnf install ykclient* ykpers* pam_yubico*
+$ cd
+```
+
+如果你使用的是 VM 环境，例如 Virtual Box，确保 Yubikey 设备已经插进了 USB 口，然后允许 VM 控制的 USB 访问  Yubikey。
+
+### 配置 Yubikey 
+
+通过 USB Yubikey 验证你的账户：
+
+```
+$ ykinfo -v
+version: 3.5.0
+```
+
+如果 Yubikey 没有被检测到，会出现下面这些错误信息：
+
+```
+Yubikey core error: no yubikey present
+```
+
+接下来，通过下面这些 ykpersonalize 命令初始化你每个新的 Yubikeys。使用 HMAC-SHA1 算法进行询问响应，以此来设置 Yubikey 配置插槽 2。即使少于 64 个字符，如果你已经为询问响应设置好了你的 Yubikey。你就不需要再运行 ykpersonalize 了。
+
+```
+ykpersonalize -2 -ochal-resp -ochal-hmac -ohmac-lt64 -oserial-api-visible
+```
+
+一些用户在使用的时候将 YubiKey 留在了工作环境里，甚至对虚拟机使用了询问响应。然而，为了更好的安全性，你可能会更愿意使用手动触发 YubiKey 来响应询问。
+
+要添加手动询问按钮触发器，请添加 -ochal-btn-trig 标记，这个标记可以在请求中使得 Yubikey 闪烁 Yubikey LED。等待你在 15 秒内按下硬件密钥区域上的按钮来生成响应密钥。
+
+```
+$ ykpersonalize -2 -ochal-resp -ochal-hmac -ohmac-lt64 -ochal-btn-trig -oserial-api-visible
+```
+
+为你的每个新的硬件密钥执行此操作。每个密钥执行以此，使用下面的命令将 Yubikey 配置存储到 ~/.yubico：
+
+```
+$ ykpamcfg -2 -v
+debug: util.c:222 (check_firmware_version): YubiKey Firmware version: 4.3.4
+
+Sending 63 bytes HMAC challenge to slot 2
+Sending 63 bytes HMAC challenge to slot 2
+Stored initial challenge and expected response in '/home/chuckfinley/.yubico/challenge-9992567'.
+```
+
+如果你要设置多个密钥用于备份。请将所有的密钥设置为相同，然后使用 ykpamcfg utility 存储每个密钥的询问-响应。如果你在一个已经存在的注册密钥上运行 ykpersonalize 命令，你就必须再次存储配置信息。
+
+### 配置 /etc/pam.d/sudo
+
+现在要去验证配置是否有效，在相同的终端窗口中，你需要设置 sudo 来要求使用 Yubikey 的询问-响应。将下面这几行插入到 /etc/pam.d/sudo 文件中。
+
+```
+auth required pam_yubico.so mode=challenge-response
+```
+
+将上面的 auth 行插入到 auth 文件中的 system-auth 行的上面，然后保存并退出编辑器。在默认的 Fedora 29 设置中，/etc/pam.d/sudo 应该像下面这样：
+
+```
+#%PAM-1.0
+auth required pam_yubico.so mode=challenge-response
+auth include system-auth
+account include system-auth
+password include system-auth
+session optional pam_keyinit.so revoke
+session required pam_limits.so
+session include system-auth
+```
+
+保持原始终端窗口打开，然后打开一个新的终端窗口进行测试，在新的终端窗口中输入：
+
+```
+$ sudo echo testing
+```
+
+你应该注意到了 key 上的 LED 在闪烁。点击 Yubikey 按钮，你应该会看见一个输入 sudo 密码的提示。在你输入你的密码之后，你应该会在终端屏幕上看见 ”testing“ 的字样。
+
+现在去测试确保正常的失败，启动另一个终端窗口，并从 USB 插口中拔掉 Yubikey。使用下面这条命令验证，在没有 Yubikey 的情况下，sudo 是否会不再正常工作。
+
+```
+$ sudo echo testing fail
+```
+你应该立刻被提示输入 sudo 密码，即使你输入了正确密码，登陆也应该失败。
+
+### 设置 Gnome 桌面管理
+
+一旦你的测试完成后，你就可以为图形登陆添加询问-响应支持了。将你的 Yubikey 再次插入进 USB 插口中。然后将下面这几行添加到 /etc/pam.d/gdm-password 文件中：
+
+```
+auth required pam_yubico.so mode=challenge-response
+```
+
+打开一个终端窗口，然后运行下面这些命令。如果需要，你可以使用其他的编辑器：
+
+```
+$ sudo vi /etc/pam.d/gdm-password
+```
+
+你应该看到 yubikey 上的 LED 在闪烁，按下 yubikey 按钮，然后在提示符出输入密码。
+
+修改 /etc/pam.d/gdm-password 文件，在已有的 password-auth 上添加新的 auth 行。这个文件的顶部应该像下面这样：
+
+```
+auth [success=done ignore=ignore default=bad] pam_selinux_permit.so
+auth required pam_yubico.so mode=challenge-response
+auth substack password-auth
+auth optional pam_gnome_keyring.so
+auth include postlogin
+
+account required pam_nologin.so
+```
+
+保存更改并退出编辑器，如果你使用的是 vi，输入键是按 Esc 键，然后在提示符出输入 wq！ 来保存并退出。
+
+### 结论
+
+现在注销 GNOME。将 Yubikey 插入到 USB 口，在图形登陆界面上点击你的用户名。Yubikey LED 会开始闪烁。触摸那个按钮，你会被提示输入你的密码。
+
+如果你丢失了 Yubikey，除了重置密码之外，你还可以使用备份的  Yubikey。你还可以给你的账户增加额外的 Yubikey 配置。
+
+如果有其他人获得了你的密码，他们在没有你的物理硬件 Yubikey 的情况下，仍然不能登陆。恭喜！你已经显著提高了你的工作环境登陆的安全性了。
+
+--------------------------------------------------------------------------------
+
+via: https://fedoramagazine.org/login-challenge-response-authentication/
+
+作者：[nabooengineer][a]
+选题：[lujun9972][b]
+译者：[hopefully2333](https://github.com/hopefully2333)
+校对：[校对者ID](https://github.com/校对者ID)
+
+本文由 [LCTT](https://github.com/LCTT/TranslateProject) 原创编译，[Linux中国](https://linux.cn/) 荣誉推出
+
+[a]: https://fedoramagazine.org/author/nabooengineer/
+[b]: https://github.com/lujun9972
+[1]: https://fedoramagazine.org/using-the-yubikey4-with-fedora/
+[2]: https://fedoramagazine.org/fedora-28-better-smart-card-support-openssh/
+