Merge pull request #3983 from ictlyh/master

Translated: sources/tech/20160513 How to Set Up 2-Factor Authentication for Login and sudo.md
Yuanhao Luo 2016-05-15 19:08:47 +08:00
commit 3ceb937dfe
3 changed files with 117 additions and 197 deletions

@ -1,80 +0,0 @@
On the Rise: Six Unsung Apache Big Data Projects
=================================================
![](https://www.linux.com/sites/lcom/files/styles/rendered_file/public/star-clusters-74052_1920.jpg?itok=HJISFdwo)
>Creative Commons Zero
Countless organizations around the world are now working with data sets so large and complex that traditional data processing applications can no longer drive optimized analytics and insights. Thats the problem that the new wave of Big Data applications aims to solve, and the Apache Software Foundation (ASF) has recently graduated a slew of interesting open source Big Data projects to Top-Level status. That means that they will get active development and strong community support.
Most people have heard of Apache Spark, [a Big Data processing framework][1] with built-in modules for streaming, SQL, machine learning and graph processing. IBM and other companies are pouring billions of development dollars into Spark initiatives, and NASA and the [SETI Institute][2] are collaborating to analyze terabytes of complex deep space radio signals using Sparks machine learning capabilities in a hunt for patterns that might betray the presence of intelligent extraterrestrial life.
![](https://www.linux.com/sites/lcom/files/styles/floated_images/public/asf.jpg?itok=wtu0hq36)
However, several other recently elevated Apache Big Data projects deserve attention, too. In fact, some of them may produce ecosystems of activity and development that will rival Sparks. In conjunction with this weeks [ApacheCon North America conference][3] and Apache: Big Data events, this article will round up the Apache Big Data projects that you should know about.
Here are six projects on the rise:
### Kylin
Apache recently [announced][4] that its Kylin project, an open source Big Data project born at eBay, has graduated to Top-Level status. Kylin is an open source Distributed Analytics Engine designed to provide an SQL interface and multi-dimensional analysis (OLAP) on Apache Hadoop, supporting extremely large datasets. It is still widely used at eBay and at a few other organizations.
"Apache Kylin's incubation journey has demonstrated the value of Open Source governance at ASF and the power of building an open-source community and ecosystem around the project," said Luke Han, Vice President of Apache Kylin. "Our community is engaging the world's biggest local developer community in alignment with the Apache Way."
As an OLAP-on-Hadoop solution, Apache Kylin aims to fill the gap between Big Data exploration and human use, "enabling interactive analysis on massive datasets with sub-second latency for analysts, end users, developers, and data enthusiasts," according to developers. "Apache Kylin brings back business intelligence (BI) to Apache Hadoop to unleash the value of Big Data," they added.
### Lens
Apache also recently [announced][5] that Apache Lens, an open source Big Data and analytics tool, has graduated from the Apache Incubator to become a Top-Level Project (TLP). According to the announcement: "Apache Lens is a Unified Analytics platform. It provides an optimal execution environment for analytical queries in the unified view. Apache Lens aims to cut the Data Analytics silos by providing a single view of data across multiple tiered data stores."
"By providing an online analytical processing (OLAP) model on top of data, Lens seamlessly integrates Apache Hadoop with traditional data warehouses to appear as one. It also provides query history and statistics for queries running in the system along with query life cycle management."
"Incubating Apache Lens has been an amazing experience at the ASF," said Amareshwari Sriramadasu, Vice President of Apache Lens. "Apache Lens solves a very critical problem in Big Data analytics space with respect to end users. It enables business users, analysts, data scientists, developers and other users to do complex analysis with ease, without knowing the underlying data layout."
### Ignite
The ASF has also [announced][6] that Apache Ignite has become a top-level project. It's an open source effort to build an in-memory data fabric.
“Apache Ignite is a high-performance, integrated and distributed In-Memory Data Fabric for computing and transacting on large-scale data sets in real-time, "orders of magnitude faster than possible with traditional disk-based or flash technologies," according to Apache community members. “It is designed to easily power both existing and new applications in a distributed, massively parallel architecture on affordable, industry-standard hardware.”
### Brooklyn
The foundation [announced][7] that Apache Brooklyn is now a Top-Level Project (TLP), "signifying that the project's community and products have been well-governed under the ASF's meritocratic process and principles." Brooklyn is an application blueprint and management platform used for integrating services across multiple data centers as well as and a wide range of software in the cloud.
According to the Brooklyn announcement: "With modern applications being composed of many components, and increasing interest in micro-services architecture, the deployment and ongoing evolution of deployed apps is an increasingly difficult problem. Apache Brooklyns blueprints provide a clear, concise way to model an application, its components and their configuration, and the relationships between components, before deploying to public Cloud or private infrastructure. Policy-based management, built on the foundation of autonomic computing theory, continually evaluates the running application and makes modifications to it to keep it healthy and optimize for metrics such as cost and responsiveness."
Brooklyn is in use at some notable organizations. Cloud service providers Canopy and Virtustream have created product offerings built on Brooklyn. IBM has also made extensive use of Apache Brooklyn in order to migrate large workloads from AWS to IBM Softlayer.
### Apex
In April, the Apache Software Foundation [elevated][8] its Apex project to Top-Level status. It is billed as “a large scale, high throughput, low latency, fault tolerant, unified Big Data stream and batch processing platform for the Apache Hadoop ecosystem.” Apex works in conjunction with Apache Hadoop YARN, a resource management platform for working with Hadoop clusters.
### Tajo
Finally, Apache Tajo, an advanced open source data warehousing system in Apache Hadoop, is another new Big Data project to know about. Apache claims that Tajo provides the ability to rapidly extract more intelligence for Hadoop deployments, third party databases, and commercial business intelligence tools.
Clearly, although Apache Spark draws the bulk of the headlines, it is not the only Big Data tool from Apache to keep your eyes on. As this year continues, Apache likely will graduate even more compelling Big Data projects to Top-Level status, where they will benefit from optimized development resources and more.
--------------------------------------------------------------------------------
via: https://www.linux.com/news/enterprise/systems-management/887177-achieving-enterprise-ready-container-tools-with-werckers-open-source-cli
作者:[SAM DEAN][a]
译者:[译者ID](https://github.com/译者ID)
校对:[校对者ID](https://github.com/校对者ID)
本文由 [LCTT](https://github.com/LCTT/TranslateProject) 原创编译,[Linux中国](https://linux.cn/) 荣誉推出
[a]: https://www.linux.com/users/sam-dean
[1]: https://www.linux.com/news/apache-spark-16-strong-typing-faster-throughput
[2]: http://www.seti.org/
[3]: http://events.linuxfoundation.org/events/apachecon-north-america
[4]: http://globenewswire.com/news-release/2015/12/08/793713/0/en/The-Apache-Software-Foundation-Announces-Apache-Kylin-as-a-Top-Level-Project.html
[5]: http://globenewswire.com/news-release/2015/08/26/763513/10147133/en/The-Apache-Software-Foundation-Announces-Apache-tm-Lens-tm-as-a-Top-Level-Project.html
[6]: http://globenewswire.com/news-release/2015/08/25/763148/10146997/en/The-Apache-Software-Foundation-Announces-Apache-tm-Ignite-tm-as-a-Top-Level-Project.html
[7]: http://globenewswire.com/news-release/2015/11/23/789504/0/en/The-Apache-Software-Foundation-Announces-Apache-Brooklyn-as-a-Top-Level-Project.html
[8]: https://globenewswire.com/news-release/2016/04/25/832114/0/en/The-Apache-Software-Foundation-Announces-Apache-Apex-as-a-Top-Level-Project.html
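
Review bot: the removal of "On the Rise: Six Unsung Apache Big Data Projects" is not covered by the commit message, which names only the 2-factor authentication translation, and the footer of the removed file still shows the unfilled 译者ID and 校对者ID placeholders with no translated counterpart among the three changed files. If the deletion is intended, state the reason in the commit message; if it came in with the merge by accident, restore the file so the article remains available for translation.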

@ -1,117 +0,0 @@
ictlyh Translating
How to Set Up 2-Factor Authentication for Login and sudo
==========================================================
![](https://www.linux.com/sites/lcom/files/styles/rendered_file/public/auth_crop.png?itok=z_cdYZZf)
>[Used with permission][1]
Security is all the rage—as it should be. We live in a world where data is an incredibly valuable currency, and youre always at risk of loss. Because of this, you must do everything you can to ensure what you hold on your desktops and servers is safe. To that end, administrators and users will create incredibly complex passwords, employ password managers, and more. But, what if I told you could take the login to your Linux servers and desktops one step—nay, two steps—further? Thanks to the [Google Authenticator][2], you can. On top of that, its incredibly easy to set up.
I am going to walk you through the process of setting up two-factor authentication for use on login and sudo. I will demonstrate this on a Ubuntu 16.04 desktop, but the process works for the server as well. To handle the two-factor side of things, I will be making use of the Google Authenticator.
There is one very important caveat to this: Once youve set this up, you will not be able to log into the account (or issue sudo commands) without a six-digit code from the authenticator. This also adds another step for you, so if having to pull out your smartphone every time you need to log into your Linux machine (or use sudo), this might not be for you. Remember, however, this added step brings with it an extra layer of security you wouldnt have otherwise.
With that said, lets set this up.
### Installing the Necessary Components
There are two pieces of this puzzle that must be installed—both in the form of the Google Authenticator. The first is the smartphone app. Heres how to install from the Google Play Store:
1. Open the Google Play Store on your Android device
2. Search for google authenticator
3. Locate and tap the entry by Google Inc.
4. Tap Install
5. Tap Accept
6. Allow the installation to complete
Now lets move on to installing the authenticator on your Linux machine. Heres how:
1. Open a terminal window
2. Issue the command sudo apt-get install google-authenticator
3. Type your sudo password and hit Enter
4. If prompted, type y and hit Enter
5. Allow the installation to complete
Its now time to configure the login process to work with the google-authenticator.
### Configuration
Just one file must be edited to add two-step authentication for both login and sudo usage. The file is /etc/pam.d/common-auth. Open it and look for the line:
```
auth [success=1 default=ignore] pam_unix.so nullok_secure
```
Above that line, add the following:
```
auth required pam_google_authenticator.so
```
Save and close the file.
The next step is to set up google-authenticator for every user on the system (otherwise, they will not be able to log in). For examples sake, well assume there are two users on your system: jack and olivia. Well first set this up for jack (well assume this is the account weve been working with all along).
Open up a terminal window and issue the command google-authenticator. You will be asked a series of questions (each of which you should answer with a y. The questions are:
* Do you want me to update your "/home/jlwallen/.google_authenticator" file (y/n) y
* Do you want to disallow multiple uses of the same authentication token? This restricts you to one login about every 30s, but it increases your chances to notice or even prevent man-in-the-middle attacks (y/n)
* By default, tokens are good for 30 seconds, and to compensate for possible time-skew between the client and the server, we allow an extra token before and after the current time. If you experience problems with poor time synchronization, you can increase the window from its default size of 1:30min to about 4min. Do you want to do so (y/n)
* If the computer that you are logging into isn't hardened against brute-force login attempts, you can enable rate-limiting for the authentication module. By default, this limits attackers to no more than 3 login attempts every 30s. Do you want to enable rate-limiting (y/n)
Once youve answered these questions, youll be presented with your secret key, a verification code, and five emergency scratch codes. Print out the scratch codes and keep them with you. These codes can be used if you do not have your phone (each code is a one-time use only). The secret key is what you use to set up the account on the Google Authenticator app and the verification code is a one-time use code that you can use immediately (if needed).
### Setting Up the App
You now have the user jack set up. Before you can set up the user olivia, you need to add an account for jack on the Google Authenticator app. Open the app and the, from the main window, tap the menu button (three vertical dots in the upper right hand corner). Tap Set up account and then tap Enter provided key. In the next window (Figure 1), you will enter 16-digit secret key provided when you issued the google-authenticator app. Give the account a name (so you will remember which account this is to be used on) and tap ADD.
![](https://www.linux.com/sites/lcom/files/styles/floated_images/public/auth_a.png?itok=xSMkd-Mf)
>Figure 1: Adding a new account to the Google Authenticator app.
Now that youve added the account, you will be presented with six-digit keys that will be requested every time you log in or attempt to use sudo.
Finally, you have to set up the other accounts on the system. As I mentioned, were going to set up the account called olivia. Heres how:
1. Open up a terminal window
2. Issue the command sudo su olivia
3. Open the Google Authenticator on your smartphone
4. Type the six digit authentication code (provided by the app) in the terminal window (Figure 2) and hit Enter
5. Type your sudo password and hit Enter
6. As the new user, issue the google-authenticator command, answer the questions, and record the keys and codes provided
After youve successfully set up the user olivia, with the google-authenticator command, add a new account on the Google Authenticator app with that users info (in the same manner you did for the initial user). You should now have accounts on the Google Authenticator app for both jack and olivia.
![](https://www.linux.com/sites/lcom/files/styles/rendered_file/public/auth_b.png?itok=FH36V1r0)
>Figure 2: Entering the six-digit authentication code for sudo.
Thats it. Every time you attempt to log into your machine (or use sudo), you will be required to provide a six-digit authentication key, before you can enter your user password. Your Linux machine is now far more secure than it was before adding two-factor authentication. Although some might consider this process a hassle, I highly recommend setting it up...especially for machines that house sensitive data.
--------------------------------------------------------------------------------
via: https://www.linux.com/sites/lcom/files/styles/rendered_file/public/auth_b.png?itok=FH36V1r0
作者:[JACK WALLEN][a]
译者:[译者ID](https://github.com/译者ID)
校对:[校对者ID](https://github.com/校对者ID)
[a]: https://www.linux.com/users/jlwallen
[1]: https://www.linux.com/licenses/category/used-permission
[2]: https://play.google.com/store/apps/details?id=com.google.android.apps.authenticator2
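
Review bot: the `via:` line in the footer of this removed source points at the auth_b.png image URL rather than the article page, and the added translation carries the same link. Because this deletion removes the English original from the tree, correct the link in the translation so the article's origin stays traceable.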

@ -0,0 +1,117 @@
如何为登录和 sudo 设置双重认证
==========================================================
![](https://www.linux.com/sites/lcom/files/styles/rendered_file/public/auth_crop.png?itok=z_cdYZZf)
>[Used with permission][1]
安全就是一切。我们生活的当今世界,数据具有令人难以置信的价值,而你也一直处于数据丢失的风险之中。因此,你必须想尽办法保证你桌面系统和服务器中东西的安全。结果,管理员和用户就会创建极其复杂的密码、使用密码管理器甚至其它更复杂的东西。但是,如果我告诉你你可以只需要一步-至多两步就能登录到你的 Linux 服务器或桌面系统中呢?多亏了 [Google Authenticator][2],现在你可以做到了。在这之上配置也极其简单。
我会给你简要介绍为登录和 sudo 设值双重认证的步骤。我基于 Ubuntu 16.04 桌面系统进行介绍,但这些步骤也适用于其它服务器。为了做到双重认证,我会使用 Google Authenticator。
这里有个非常重要的警告:一旦你设置了认证,没有一个从认证器中获得的由 6 个数字组成的验证码你就不可能登录账户(或者执行 sudo 命令)。这也给你增加了一步额外的操作,因此如果你不想每次登录到 Linux 服务器(或者使用 sudo的时候都要拿出你的智能手机这个方案就不适合你。但你也要记住这额外的一个步骤也给你带来一层其它方法无法给予的保护。
话不多说,开始吧。
### 安装必要的组件
安装 Google 认证,首先要解决两个问题。一是安装智能机应用。下面是如何从 Google 应用商店安装的方法:
1. 在你的安卓设备中打开 Google 应用商店
2. 搜索 google 认证
3. 找到并点击有 Google 标识的应用
4. 点击安装
5. 点击 接受
6. 等待安装完成
接下来,我们继续在你的 Linux 机器上安装认证。步骤如下:
1. 打开一个终端窗口
2. 输入命令 sudo apt-get install google-authenticator
3. 输入你的 sudo 密码并敲击回车
4. 如果有弹窗提示,输入 y 并敲击回车
5. 等待安装完成
接下来配置使用 google-authenticator 进行登录。
### 配置
要为登录和 sudo 添加两阶段认证只需要编辑一个文件。也就是 /etc/pam.d/common-auth。打开并找到如下一行
Just one file must be edited to add two-step authentication for both login and sudo usage. The file is /etc/pam.d/common-auth. Open it and look for the line
```
auth [success=1 default=ignore] pam_unix.so nullok_secure
```
在这行上面添加:
```
auth required pam_google_authenticator.so
```
保存并关闭文件。
下一步就是为系统中的每个用户设置 google-authenticator否则会不允许他们登录。为了简单起见我们假设你的系统中有两个用户jack 和 olivia。首先为 jack 设置(我们假设这是我们一直使用的账户)。
打开一个终端窗口并输入命令 google-authenticator。之后会问你一系列的问题每个问题你都应该用 y 回答)。问题包括:
* 是否允许更新你的 "/home/jlwallen/.google_authenticator" 文件 (y/n) y
* 是否禁止多个用户使用同一个认证令牌?这会限制你每 30 秒内只能登录一次,但能增加你注意到甚至防止中间人攻击的可能 (y/n)
* 默认情况下令牌时长为 30 秒即可,为了补偿客户端和服务器之间可能出现的时间偏差,我们允许添加一个当前时间之前或之后的令牌。如果你无法进行时间同步,你可以把时间窗口由默认的 1:30 分钟增加到 4 分钟。是否希望如此 (y/n)
* 如果你尝试登陆的计算机没有针对蛮力登陆进行加固,你可以为验证模块启用速率限制。默认情况下,限制攻击者每 30 秒不能尝试登陆超过 3 次。是否启用速率限制 (y/n)
一旦完成了问题回答,你就会看到你的密钥、验证码以及 5 个紧急刮码。把刮码输出保存起来。你可以在无法使用手机的时候使用它们(每个刮码仅限使用一次)。密钥用于你在 Google Authenticator 上设置账户,验证码是你能立即使用(如果需要)的一次性验证码。
### 设置应用
现在你已经配置好了用户 jack。在设置用户 olivia 之前,你需要在 Google Authenticator 应用上为 jack 添加账户。在主屏幕上打开应用,点击 菜单 按钮右上角三个竖排点。点击添加账户然后输入提供的密钥。在下一个窗口示意图1你需要输入你运行 google-authenticator 应用时提供的 16 个数字的密钥。给账户取个名字(以便你记住这用于哪个账户),然后点击添加。
![](https://www.linux.com/sites/lcom/files/styles/floated_images/public/auth_a.png?itok=xSMkd-Mf)
>Figure 1: 在 Google Authenticator 应用上新建账户
添加完账户之后,你就会看到一个 6 个数字的密码,你每次登录或者使用 sudo 的时候都会需要这个密码。
最后,在系统上设置其它账户。正如之前提到的,我们会设置一个叫 olivia 的账户。步骤如下:
1. 打开一个终端窗口
2. 输入命令 sudo su olivia
3. 在智能机上打开 Google Authenticator
4. 在终端窗口示意图2中输入应用提供的 6 位数字验证码并敲击回车
5. 输入你的 sudo 密码并敲击回车
6. 以新用户输入命令 google-authenticator回答问题并记录生成的密钥和验证码。
成功为 olivia 用户设置好之后,用 google-authenticator 命令,在 Google Authenticator 应用上根据用户信息(和之前为第一个用户添加账户相同)添加一个新的账户。现在你在 Google Authenticator 应用上就会有 jack 和 olivia 两个账户了。
![](https://www.linux.com/sites/lcom/files/styles/rendered_file/public/auth_b.png?itok=FH36V1r0)
>Figure 2: 为 sudo 输入 6位数字验证码
好了,就是这些。每次你尝试登陆系统(或者使用 sudo 的时候,在你输入用户密码之前,都会要求你输入提供的 6 位数字验证码。现在你的 Linux 机器就比添加双重认证之前安全多了。虽然有些人会认为这非常麻烦,我仍然推荐使用,尤其是那些保存了敏感数据的机器。
--------------------------------------------------------------------------------
via: https://www.linux.com/sites/lcom/files/styles/rendered_file/public/auth_b.png?itok=FH36V1r0
作者:[JACK WALLEN][a]
译者:[ictlyh](http://mutouxiaogui.cn/blog/)
校对:[校对者ID](https://github.com/校对者ID)
[a]: https://www.linux.com/users/jlwallen
[1]: https://www.linux.com/licenses/category/used-permission
[2]: https://play.google.com/store/apps/details?id=com.google.android.apps.authenticator2
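
Review bot: the second prompt in the question list under 配置, "是否禁止多个用户使用同一个认证令牌", says "multiple users" where the source reads "disallow multiple uses of the same authentication token"; the option is about one code being used more than once, so translate it along the lines of "是否禁止同一个认证令牌被多次使用", otherwise readers will misjudge what the setting protects against. Two further fixes in the same file: the English sentence "Just one file must be edited ..." left directly under its translation in 配置 should be deleted, and "只需要一步-至多两步就能登录" in the opening paragraph reverses the source, which describes taking the login one or two steps further (adding a step), not logging in with fewer steps.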