From 9c7dcbeb3fa4942d544e95acf99fd8a8cd30cd15 Mon Sep 17 00:00:00 2001 From: Jack Nie Date: Thu, 10 Jul 2014 19:37:27 +0800 Subject: [PATCH] nd0104 is translating nd0104 is translating --- ...r authentication for SSH login on Linux.md | 1 + ...thentication for SSH login on Linux.md.bak | 110 ++++++++++++++++++ 2 files changed, 111 insertions(+) create mode 100644 sources/tech/20140709 How to set up two-factor authentication for SSH login on Linux.md.bak diff --git a/sources/tech/20140709 How to set up two-factor authentication for SSH login on Linux.md b/sources/tech/20140709 How to set up two-factor authentication for SSH login on Linux.md index 705bf92a3c..6839ec6a14 100644 --- a/sources/tech/20140709 How to set up two-factor authentication for SSH login on Linux.md +++ b/sources/tech/20140709 How to set up two-factor authentication for SSH login on Linux.md @@ -1,3 +1,4 @@ +nd0104 is translating How to set up two-factor authentication for SSH login on Linux ================================================================================ With many high-profile password leaks nowadays, there is a lot of buzz in the industry on "multi-factor" authentication. In a multi-factor authentication system, users are required to go through two distinct authentication procedures: providing something they know (e.g., username/password), and leveraging something they have "physical" access to (e.g., one-time passcode generated by their mobile phone). This scheme is also commonly known as two-factor authentication or two-step verification. diff --git a/sources/tech/20140709 How to set up two-factor authentication for SSH login on Linux.md.bak b/sources/tech/20140709 How to set up two-factor authentication for SSH login on Linux.md.bak new file mode 100644 index 0000000000..705bf92a3c --- /dev/null +++ b/sources/tech/20140709 How to set up two-factor authentication for SSH login on Linux.md.bak 
@@ -0,0 +1,110 @@ +How to set up two-factor authentication for SSH login on Linux +================================================================================ +With many high-profile password leaks nowadays, there is a lot of buzz in the industry on "multi-factor" authentication. In a multi-factor authentication system, users are required to go through two distinct authentication procedures: providing something they know (e.g., username/password), and leveraging something they have "physical" access to (e.g., one-time passcode generated by their mobile phone). This scheme is also commonly known as two-factor authentication or two-step verification. + +To encourage the wide adoption of two-factor authentication, Google released [Google Authenticator][1], an open-source application that can generate one-time passcode based on open standards (e.g., HMAP/time-based). It is available on multiple platforms including Linux, [Android][2], [iOS][3]. Google also offers a pluggable authentication module (PAM) for Google Authenticator, allowing it to be integrated with other PAM-enabled applications such as OpenSSH. + +In this tutorial, I will describe **how to set up two-factor authentication for an SSH server** by integrating Google Authenticator with OpenSSH. I am going to use a [Android][4] device to generate one-time passcode. In this tutorial, you will need two things: (1) a Linux host where OpenSSH server is running, and (2) an Android device. + +### Install Google Authenticator on Linux ### + +The first step is to install Google Authenticator on the Linux host where OpenSSH server is running. Follow [this guide][5] to install Google Authenticator and its PAM module on your system. + +Once Google Authenticator is ready, you need to go through one-time configuration which involves creating an authentication key from this Linux host, and registering it with an Android device. This will be explained next. 
+ +### Generate an Authentication Key ### + +To start, simply run Google Authenticator on the Linux server host. + + $ google-authenticator + +You will see a QR code, as well as a secret key underneath it. The displayed QR code simply represents the numeric secret key. You will need either information to finalize configuration with an Android device. + +![](https://farm4.staticflickr.com/3843/14573264401_d3f5a2f247_z.jpg) +![](https://farm4.staticflickr.com/3848/14390010599_18dfc23d76_z.jpg) + +Google Authenticator will ask you several questions. If you are not sure, you an answer "Yes" to all questions. The emergency scratch codes can be used to regain access to the SSH server in case you lose your Android device, and so cannot generate one-time passcode. So it's better to write them down somewhere. + +### Run Google Authenticator on Android ### + +As we are going to use an Android device for two-factor authentication, you will need to install [Google Authenticator app][6] on Android. Go to Google Play to install it on Android. + +When you start Google Authenticator on Android, you will see the following configuration menu. + +![](https://farm6.staticflickr.com/5574/14554094476_bfc070d242_z.jpg) + +You can choose either "Scan a barcode" or "Enter provided key" option. The first option allows you to enter the security key, simply by scanning the generated QR code. In this case, you will need to install [Barcode Scanner app][7] first. If you choose the second option, you can type the security key using Android keyboard as follows. + +![](https://farm6.staticflickr.com/5535/14596723603_d510dbe48d_z.jpg) + +Once you register a secret key either way, you will see the following screen on Android. + +![](https://farm6.staticflickr.com/5586/14390009579_5ba109bf5b_z.jpg) + +### Enable Google Authenticator on SSH Server ### + +The final step is to integrate Google Authenticator with OpenSSH server. For that, you need to edit two files. 
+ +First, edit a PAM configuration file, and append the line below. + + $ sudo vi /etc/pam.d/sshd + +---------- + + auth required pam_google_authenticator.so + +Then open an SSH server config file, search for ChallengeResponseAuthentication, and enable it. + + $ sudo vi /etc/ssh/sshd_config + +---------- + +ChallengeResponseAuthentication yes + +Finally, restart SSH server. + +On Ubuntu, Debian or Linux Mint: + + $ sudo service ssh restart + +On Fedora: + + $ sudo systemctl restart sshd + +On CentOS or RHEL: + + $ sudo service sshd restart + +### Test Two-factor Authentication ### + +Here is how you use two-factor authentication for SSH logins. + +Run Google Authenticator app on Android to obtain one-time verification code. Once generated, a given passcode is valid for 30 seconds. Once it expires, Google Authenticator will automatically generate a new one. + +![](https://farm3.staticflickr.com/2937/14389989618_d9355dcbb2_z.jpg) + +Now log in to the SSH server as you normally do. + + $ ssh user@ssh_server + +When you are asked to enter "Verification code", type in the verification code generated by Android. After successful verification, then you can type in your SSH login password. + +![](https://farm3.staticflickr.com/2938/14389952480_93351f12a4_z.jpg) + +To conclude, two-factor authentication can be an effective means to secure password authentication by adding an extra layer of protection. You can use Google Authenticator to secure other logins such as Google account, WordPress.com, Dropbox.com, Outlook.com, etc. Whether you decide to use it or not, it's up to you, but there is a clear industry trend towards the adoption of two-factor authentication. 
+ +-------------------------------------------------------------------------------- + +via: http://xmodulo.com/2014/07/two-factor-authentication-ssh-login-linux.html + +译者:[译者ID](https://github.com/译者ID) 校对:[校对者ID](https://github.com/校对者ID) + +本文由 [LCTT](https://github.com/LCTT/TranslateProject) 原创翻译,[Linux中国](http://linux.cn/) 荣誉推出 + +[1]:http://code.google.com/p/google-authenticator/ +[2]:https://play.google.com/store/apps/details?id=com.google.android.apps.authenticator2 +[3]:https://itunes.apple.com/us/app/google-authenticator/id388497605 +[4]:http://xmodulo.com/go/android_guide +[5]:http://ask.xmodulo.com/install-google-authenticator-linux.html +[6]:https://play.google.com/store/apps/details?id=com.google.android.apps.authenticator2 +[7]:https://play.google.com/store/apps/details?id=com.google.zxing.client.android \ No newline at end of file
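Review bot: In the `@@ -1,3 +1,4 @@` hunk of the `.md` file, the added line `nd0104 is translating` sits directly above the title and its `====` underline with no blank line in between, so a CommonMark renderer such as GitHub's can fold the marker into the setext heading text. Add an empty line after the marker so the article title remains a heading of its own.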
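Review bot: The new file ending in `.md.bak` (hunk `@@ -0,0 +1,110 @@`) is created from blob 705bf92a3c, the same blob the `.md` file pointed to before this commit, so all 110 added lines are an unmodified backup copy of the source article rather than translation work. Claiming the article only needs the one-line marker in the `.md` file; drop the `.bak` file from the commit so the untranslated text is not duplicated under `sources/tech/`. The copy also ends with `\ No newline at end of file`.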