翻译完成

2024-12-26 21:30:55 +08:00 · 2019-03-19 22:08:47 +08:00 · 2019-03-19 22:08:47 +08:00 · 86dbec9d68
commit 86dbec9d68
parent e446682076
2 changed files with 157 additions and 170 deletions
--- a/sources/tech/20190220
+++ b/sources/tech/20190220
@ -1,170 +0,0 @@
 [#]: collector: (lujun9972)
 [#]: translator: (MjSeven)
 [#]: reviewer: ( )
 [#]: publisher: ( )
 [#]: url: ( )
 [#]: subject: (Set up two-factor authentication for SSH on Fedora)
 [#]: via: (https://fedoramagazine.org/two-factor-authentication-ssh-fedora/)
 [#]: author: (Curt Warfield https://fedoramagazine.org/author/rcurtiswarfield/)
 Set up two-factor authentication for SSH on Fedora
 ======
 ![](https://fedoramagazine.org/wp-content/uploads/2019/02/twofactor-auth-ssh-816x345.png)
 Every day there seems to be a security breach reported in the news where our data is at risk. Despite the fact that SSH is a secure way to connect remotely to a system, you can still make it even more secure. This article will show you how.
 That’s where two-factor authentication (2FA) comes in. Even if you disable passwords and only allow SSH connections using public and private keys, an unauthorized user could still gain access to your system if they steal your keys.
 With two-factor authentication, you can’t connect to a server with just your SSH keys. You also need to provide the randomly generated number displayed by an authenticator application on a mobile phone.
 The Time-based One-time Password algorithm (TOTP) is the method shown in this article. [Google Authenticator][1] is used as the server application. Google Authenticator is available by default in Fedora.
 For your mobile phone, you can use any two-way authentication application that is compatible with TOTP. There are numerous free applications for Android or IOS that work with TOTP and Google Authenticator. This article uses [FreeOTP][2] as an example.
 ### Install and set up Google Authenticator
 First, install the Google Authenticator package on your server.
 ```
 $ sudo dnf install -y google-authenticator
 ```
 Run the application.
 ```
 $ google-authenticator
 ```
 The application presents you with a series of questions. The snippets below show you how to answer for a reasonably secure setup.
 ```
 Do you want authentication tokens to be time-based (y/n) y
 Do you want me to update your "/home/user/.google_authenticator" file (y/n)? y
 ```
 The app provides you with a secret key, verification code, and recovery codes. Keep these in a secure, safe location. The recovery codes are the **only** way to access your server if you lose your mobile phone.
 ### Set up mobile phone authentication
 Install the authenticator application (FreeOTP) on your mobile phone. You can find it in Google Play if you have an Android phone, or in the iTunes store for an Apple iPhone.
 A QR code is displayed on the screen. Open up the FreeOTP app on your mobile phone. To add a new account, select the QR code shaped tool at the top on the app, and then scan the QR code. After the setup is complete, you’ll have to provide the random number generated by the authenticator application every time you connect to your server remotely.
 ### Finish configuration
 The application asks further questions. The example below shows you how to answer to set up a reasonably secure configuration.
 ```
 Do you want to disallow multiple uses of the same authentication token? This restricts you to one login about every 30s, but it increases your chances to notice or even prevent man-in-the-middle attacks (y/n) y
 By default, tokens are good for 30 seconds. In order to compensate for possible time-skew between the client and the server, we allow an extra token before and after the current time. If you experience problems with poor time synchronization, you can increase the window from its default size of +-1min (window size of 3) to about +-4min (window size of 17 acceptable tokens).
 Do you want to do so? (y/n) n
 If the computer that you are logging into isn't hardened against brute-force login attempts, you can enable rate-limiting for the authentication module. By default, this limits attackers to no more than 3 login attempts every 30s.
 Do you want to enable rate-limiting (y/n) y
 ```
 Now you have to set up SSH to take advantage of the new two-way authentication.
 ### Configure SSH
 Before completing this step, **make sure you’ve already established a working SSH connection** using public SSH keys, since we’ll be disabling password connections. If there is a problem or mistake, having a connection will allow you to fix the problem.
 On your server, use [sudo][3] to edit the /etc/pam.d/sshd file.
 ```
 $ sudo vi /etc/pam.d/ssh
 ```
 Comment out the auth substack password-auth line:
 ```
 #auth       substack     password-auth
 ```
 Add the following line to the bottom of the file.
 ```
 auth sufficient pam_google_authenticator.so
 ```
 Save and close the file. Next, edit the /etc/ssh/sshd_config file.
 ```
 $ sudo vi /etc/ssh/sshd_config
 ```
 Look for the ChallengeResponseAuthentication line and change it to yes.
 ```
 ChallengeResponseAuthentication yes
 ```
 Look for the PasswordAuthentication line and change it to no.
 ```
 PasswordAuthentication no
 ```
 Add the following line to the bottom of the file.
 ```
 AuthenticationMethods publickey,password publickey,keyboard-interactive
 ```
 Save and close the file, and then restart SSH.
 ```
 $ sudo systemctl restart sshd
 ```
 ### Testing your two-factor authentication
 When you attempt to connect to your server you’re now prompted for a verification code.
 ```
 [user@client ~]$ ssh user@example.com
 Verification code:
 ```
 The verification code is randomly generated by your authenticator application on your mobile phone. Since this number changes every few seconds, you need to enter it before it changes.
 ![][4]
 If you do not enter the verification code, you won’t be able to access the system, and you’ll get a permission denied error:
 ```
 [user@client ~]$ ssh user@example.com
 Verification code:
 Verification code:
 Verification code:
 Permission denied (keyboard-interactive).
 [user@client ~]$
 ```
 ### Conclusion
 By adding this simple two-way authentication, you’ve now made it much more difficult for an unauthorized user to gain access to your server.
 --------------------------------------------------------------------------------
 via: https://fedoramagazine.org/two-factor-authentication-ssh-fedora/
 作者：[Curt Warfield][a]
 选题：[lujun9972][b]
 译者：[译者ID](https://github.com/译者ID)
 校对：[校对者ID](https://github.com/校对者ID)
 本文由 [LCTT](https://github.com/LCTT/TranslateProject) 原创编译，[Linux中国](https://linux.cn/) 荣誉推出
 [a]: https://fedoramagazine.org/author/rcurtiswarfield/
 [b]: https://github.com/lujun9972
 [1]: https://en.wikipedia.org/wiki/Google_Authenticator
 [2]: https://freeotp.github.io/
 [3]: https://fedoramagazine.org/howto-use-sudo/
 [4]: https://fedoramagazine.org/wp-content/uploads/2019/02/freeotp-1.png
--- a/translated/tech/20190220
+++ b/translated/tech/20190220
@ -0,0 +1,157 @@
 [#]: collector: (lujun9972)
 [#]: translator: (MjSeven)
 [#]: reviewer: ( )
 [#]: publisher: ( )
 [#]: url: ( )
 [#]: subject: (Set up two-factor authentication for SSH on Fedora)
 [#]: via: (https://fedoramagazine.org/two-factor-authentication-ssh-fedora/)
 [#]: author: (Curt Warfield https://fedoramagazine.org/author/rcurtiswarfield/)
 在 Fedora 上为 SSH 设置双因素验证
 ======
 ![](https://fedoramagazine.org/wp-content/uploads/2019/02/twofactor-auth-ssh-816x345.png)
 每天似乎都有一个安全漏洞的新闻报道，说我们的数据会因此而存在风险。尽管 SSH 是一种远程连接系统的安全方式，但你仍然可以使它更安全。本文将向你展示如何做到这一点。
 此时双因素验证（2FA）就有用武之地了。即使你禁用密码并只允许使用公钥和私钥进行 SSH 连接，但如果未经授权的用户偷窃了你的密钥，他仍然可以借此访问系统。
 使用双因素验证，你不能仅使用 SSH 密钥连接到服务器，你还需要提供手机上验证器应用程序随机生成的数字。
 本文展示的方法是基于时间的一次性密码算法（TOTP）。[Google Authenticator][1] 用作服务器应用程序。默认情况下，Google Authenticator 在 Fedora 中是可用的。
 至于手机，你可以使用与 TOTP 兼容的任何可以双向验证的应用程序。Andorid 或 IOS 有许多可以与 TOTP 和 Google Authenticator 配合使用的免费应用程序。本文与 [FreeOTP][2] 为例。
 ### 安装并设置 Google Authenticator
 首先，在你的服务器上安装 Google Authenticator。
 ```
 $ sudo dnf install -y google-authenticator
 ```
 运行应用程序：
 ```
 $ google-authenticator
 ```
 该应用程序提供了一系列问题。下面的片段展示了如何进行合理的安全设置：
 ```
 Do you want authentication tokens to be time-based (y/n) y
 Do you want me to update your "/home/user/.google_authenticator" file (y/n)? y
 ```
 这个应用程序为你提供一个密钥，验证码和恢复码。把它们放在安全的地方。如果你丢失了手机，恢复码是访问服务器的**唯一**方式。
 ### 设置手机验证
 在你的手机上安装 authenticator 应用程序（FreeOTP）。如果你有一台安卓手机，那么你可以在 Google Play 中找到它，也可以在苹果 iPhone 的 iTunes 商店中找到它。
 Google Authenticator 会在屏幕上显示一个二维码。打开手机上的 FreeOTP 应用程序，选择添加新账户，在应用程序顶部选择二维码形状工具，然后扫描二维码即可。设置完成后，在每次远程连接服务器时，你必须提供 authenticator 应用程序生成的随机数。
 ### 完成配置
 应用程序会向你询问更多的问题。下面示例展示了如何设置合理的安全配置。
 ```
 Do you want to disallow multiple uses of the same authentication token? This restricts you to one login about every 30s, but it increases your chances to notice or even prevent man-in-the-middle attacks (y/n) y
 By default, tokens are good for 30 seconds. In order to compensate for possible time-skew between the client and the server, we allow an extra token before and after the current time. If you experience problems with poor time synchronization, you can increase the window from its default size of +-1min (window size of 3) to about +-4min (window size of 17 acceptable tokens).
 Do you want to do so? (y/n) n
 If the computer that you are logging into isn't hardened against brute-force login attempts, you can enable rate-limiting for the authentication module. By default, this limits attackers to no more than 3 login attempts every 30s.
 Do you want to enable rate-limiting (y/n) y
 ```
 现在，你必须设置 SSH 来利用新的双向验证。
 ### 配置 SSH
 在完成此步骤之前，**确保你已使用公钥建立了一个可用的 SSH 连接**，因为我们将禁用密码连接。如果出现问题或错误，一个已经建立的连接将允许你修复问题。
 在你的服务器上，使用 [sudo][3] 编辑 /etc/pam.d/sshd 文件。
 ```
 $ sudo vi /etc/pam.d/ssh
 ```
 注释掉 auth substack password-auth 这一行：
 ```
 #auth       substack     password-auth
 ```
 将以下行添加到文件底部。
 ```
 auth sufficient pam_google_authenticator.so
 ```
 保存并关闭文件。然后编辑 /etc/ssh/sshd_config 文件。
 ```
 $ sudo vi /etc/ssh/sshd_config
 ```
 找到 ChallengeResponseAuthentication 这一行并将其更改为 yes。
 ```
 ChallengeResponseAuthentication yes
 ```
 找到 PasswordAuthentication 这一行并将其更改为 no。
 ```
 PasswordAuthentication no
 ```
 将以下行添加到文件底部。
 ```
 AuthenticationMethods publickey,password publickey,keyboard-interactive
 ```
 保存并关闭文件，然后重新启动 SSH。
 ```
 $ sudo systemctl restart sshd
 ```
 ### 测试双因素验证
 当你尝试连接到服务器时，系统会提示你输入验证码：
 ```
 [user@client ~]$ ssh user@example.com
 Verification code:
 ```
 验证码由你手机上的 authenticator 应用程序随机生成。由于这个数字每隔几秒就会发生变化，因此你需要在它变化之前输入它。
 ![][4]
 如果你不输入验证码，你将无法访问系统，你会收到一个权限被拒绝的错误：
 ```
 [user@client ~]$ ssh user@example.com
 Verification code:
 Verification code:
 Verification code:
 Permission denied (keyboard-interactive).
 [user@client ~]$
 ```
 ### 结论
 通过添加这种简单的双向验证，现在未经授权的用户访问你的服务器将变得更加困难。
 --------------------------------------------------------------------------------
 via: https://fedoramagazine.org/two-factor-authentication-ssh-fedora/
 作者：[Curt Warfield][a]
 选题：[lujun9972][b]
 译者：[MjSeven](https://github.com/MjSeven)
 校对：[校对者ID](https://github.com/校对者ID)
 本文由 [LCTT](https://github.com/LCTT/TranslateProject) 原创编译，[Linux中国](https://linux.cn/) 荣誉推出
 [a]: https://fedoramagazine.org/author/rcurtiswarfield/
 [b]: https://github.com/lujun9972
 [1]: https://en.wikipedia.org/wiki/Google_Authenticator
 [2]: https://freeotp.github.io/
 [3]: https://fedoramagazine.org/howto-use-sudo/
 [4]: https://fedoramagazine.org/wp-content/uploads/2019/02/freeotp-1.png