How to Set Up Two-Factor Authentication (Google Authenticator) for SSH Logins


By default, SSH already uses secure, encrypted communication between remote machines, but if you want to add an extra layer of security to your SSH connections, you can add the Google Authenticator (two-factor authentication) module, which requires you to enter a random time-based one-time password (TOTP) verification code when connecting to your SSH servers. You will have to enter the verification code from your phone or PC every time you connect.

Google Authenticator is an open-source module that includes an implementation of time-based one-time password (TOTP) verification tokens developed by Google. It supports several mobile platforms as well as PAM (Pluggable Authentication Module). These one-time passcodes are generated using the open standards created by the OATH (Initiative for Open Authentication).

In this article I will show you how to set up and configure SSH for two-factor authentication under Red Hat, CentOS, Fedora, Ubuntu, Linux Mint and Debian.

Installing the Google Authenticator Module

Log in to the machine on which you want to set up two-factor authentication and install the following PAM libraries, along with the development libraries needed for the PAM module to work correctly with the Google Authenticator module.

On Red Hat, CentOS and Fedora, install the 'pam-devel' package.

# yum install pam-devel make automake libtool gcc-c++ wget

On Ubuntu, Linux Mint and Debian systems, install the 'libpam0g-dev' package.

# apt-get install libpam0g-dev make automake libtool g++ wget

Now clone and install the Google Authenticator module under the home directory (assuming you are already logged in to root's home directory) using the git command.

# git clone https://github.com/google/google-authenticator-libpam.git
# cd google-authenticator-libpam/
# ./bootstrap.sh
# ./configure
# make
# make install
# google-authenticator

Once you run the 'google-authenticator' command, it will prompt you with a series of questions. Simply type "y" (yes) as the answer in most cases. If something goes wrong, you can run the 'google-authenticator' command again to reset the settings.

1. Do you want authentication tokens to be time-based (y/n) y

After this question, you will get your 'secret key' and 'emergency scratch codes'. Write these details down carefully somewhere safe; we will need the 'secret key' later to set up the Google Authenticator app.

# google-authenticator

Do you want authentication tokens to be time-based (y/n) y
https://www.google.com/chart?chs=200x200&chld=M|0&cht=qr&chl=otpauth://totp/[email %3Fsecret%3DXEKITDTYCBA2TLPL
Your new secret key is: XEKITDTYCBA2TLPL
Your verification code is 461618
Your emergency scratch codes are:
  65083399
  10733609
  47588351
  71111643
  92017550

Next, follow the setup wizard and in most cases type "y" (yes) as the answer, as shown below.

Do you want me to update your "/root/.google_authenticator" file (y/n) y

Do you want to disallow multiple uses of the same authentication
token? This restricts you to one login about every 30s, but it increases
your chances to notice or even prevent man-in-the-middle attacks (y/n) y

By default, tokens are good for 30 seconds and in order to compensate for
possible time-skew between the client and the server, we allow an extra
token before and after the current time. If you experience problems with poor
time synchronization, you can increase the window from its default
size of 1:30min to about 4min. Do you want to do so (y/n) y

If the computer that you are logging into isn't hardened against brute-force
login attempts, you can enable rate-limiting for the authentication module.
By default, this limits attackers to no more than 3 login attempts every 30s.
Do you want to enable rate-limiting (y/n) y
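The wizard's questions about time-based tokens, the skew window and token reuse all concern the TOTP algorithm itself. The following Python module is an added example (not code from the article or from the google-authenticator-libpam project) that implements the HOTP/TOTP computation (RFC 4226 / RFC 6238, HMAC-SHA1, 6 digits, 30-second steps) from a base32 secret of the same form the wizard prints, and shows a verifier that accepts one step of clock skew and refuses a replayed code. The secret and timestamps used are constructed test values, not the key from the article's output.

```python
import base64
import hashlib
import hmac
import struct
import time

# Constructed example secret (base32, as google-authenticator prints it).
# Never reuse a secret that has been printed in a document.
EXAMPLE_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def decode_secret(secret_b32):
    """Decode a base32 secret; the wizard omits '=' padding, so restore it."""
    padded = secret_b32.strip().upper() + "=" * (-len(secret_b32) % 8)
    return base64.b32decode(padded)


def hotp(secret_b32, counter, digits=6):
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    mac = hmac.new(decode_secret(secret_b32), struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return "%0*d" % (digits, code % (10 ** digits))


def totp(secret_b32, now=None, step=30):
    """RFC 6238: HOTP with the counter derived from Unix time (default 30 s steps)."""
    if now is None:
        now = time.time()
    return hotp(secret_b32, int(now // step))


def verify(secret_b32, code, now, step=30, skew=1, used_counters=None):
    """Accept a code for the current step or up to `skew` steps either side.

    `skew=1` is the wizard's default 1:30 min window (three 30 s steps).
    If `used_counters` (a set) is supplied, a counter that already produced a
    successful login is refused, which is the "disallow multiple uses" option.
    """
    counter = int(now // step)
    for c in range(counter - skew, counter + skew + 1):
        if used_counters is not None and c in used_counters:
            continue
        # Constant-time comparison so a mismatch leaks nothing about the digits.
        if hmac.compare_digest(hotp(secret_b32, c), code):
            if used_counters is not None:
                used_counters.add(c)
            return True
    return False


def provisioning_uri(secret_b32, label, issuer="ssh"):
    """Build the otpauth:// URI that the wizard encodes in its QR code link."""
    return "otpauth://totp/%s?secret=%s&issuer=%s" % (label, secret_b32, issuer)


if __name__ == "__main__":
    print("current code:", totp(EXAMPLE_SECRET))
    print(provisioning_uri(EXAMPLE_SECRET, "root@example-host"))
```

The known-answer values in the test below are the RFC 6238 Appendix B vectors for the ASCII key "12345678901234567890" (whose base32 form is EXAMPLE_SECRET), truncated to six digits.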

Configuring SSH to Use the Google Authenticator Module

Open the PAM configuration file '/etc/pam.d/sshd' and add the following line at the top of the file.

auth       required     pam_google_authenticator.so

Next, open the SSH configuration file '/etc/ssh/sshd_config' and scroll down to find the line that says:

ChallengeResponseAuthentication no

Change it to "yes", so that it looks like this:

ChallengeResponseAuthentication yes

Finally, restart the SSH service to pick up the new changes.

# /etc/init.d/sshd restart
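Before restarting sshd it is worth checking that the two edits above actually took effect. The script below is an added example (not part of the article) that audits the contents of sshd_config and pam.d/sshd. It relies on two facts about the real files: sshd keywords are case-insensitive and, for each keyword, sshd uses the first value it encounters, so a 'ChallengeResponseAuthentication yes' appended below an existing 'no' is silently ignored; and PAM ignores everything after '#'. The two sample file bodies are constructed for the example and deliberately contain that mistake.

```python
import re

# Constructed sample sshd_config: the original 'no' line was left in place
# and 'yes' was appended below it, so the 'no' still wins.
SSHD_CONFIG_BROKEN = """\
# sample sshd_config (constructed)
PasswordAuthentication yes
ChallengeResponseAuthentication no
ChallengeResponseAuthentication yes
"""

# Constructed sample with the line edited in place, as the article instructs.
SSHD_CONFIG_FIXED = """\
PasswordAuthentication yes
challengeresponseauthentication yes   # keyword case does not matter
"""

# Constructed sample /etc/pam.d/sshd with the required line at the top.
PAM_SSHD = """\
auth       required     pam_google_authenticator.so
auth       substack     password-auth
"""


def sshd_option(text, keyword):
    """Return the effective value of an sshd_config keyword (first match wins)."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)  # 'Key value' or 'Key=value'
        if len(parts) == 2 and parts[0].lower() == keyword.lower():
            return parts[1].strip()
    return None


def pam_requires_google_auth(text):
    """True if pam.d/sshd has an uncommented 'auth required pam_google_authenticator.so'."""
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if (len(fields) >= 3 and fields[0] == "auth" and fields[1] == "required"
                and fields[2].endswith("pam_google_authenticator.so")):
            return True
    return False


def audit(sshd_text, pam_text):
    """Return a list of findings; an empty list means the 2FA setup is in place."""
    findings = []
    cra = sshd_option(sshd_text, "ChallengeResponseAuthentication")
    if (cra or "").lower() != "yes":
        findings.append("ChallengeResponseAuthentication is %r; sshd takes the first "
                        "occurrence, so edit the existing line rather than appending" % cra)
    if (sshd_option(sshd_text, "UsePAM") or "").lower() == "no":
        findings.append("UsePAM is explicitly 'no', so pam_google_authenticator will never run")
    if not pam_requires_google_auth(pam_text):
        findings.append("pam_google_authenticator.so is not a required auth module in pam.d/sshd")
    return findings


if __name__ == "__main__":
    # On a real host you would read /etc/ssh/sshd_config and /etc/pam.d/sshd instead.
    for name, cfg in (("broken", SSHD_CONFIG_BROKEN), ("fixed", SSHD_CONFIG_FIXED)):
        print(name, audit(cfg, PAM_SSHD) or "OK")
```

Remember the article's closing note: even with both files correct, a login that succeeds with a public key never reaches the password/PAM stage, so this audit only tells you that password logins will be challenged.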

Configuring the Google Authenticator App

Launch the Google Authenticator app on your smartphone. Press Menu and select "Set up account". If you don't have this app, you can download and install the Google Authenticator app on Android/iPhone/Blackberry devices.

Latsa\"An ba da maɓallin shiga".

Add your account 'Name' and enter the 'secret key' generated earlier.

It will generate a one-time password (verification code) on your phone that changes every 30 seconds.

Now try to log in via SSH: you will be prompted for the Google Authenticator code (verification code) and your password every time you attempt to log in via SSH. You have only 30 seconds to enter the verification code; if you miss it, a new verification code is generated.

login as: tecmint
Access denied
Using keyboard-interactive authentication.
Verification code:
Using keyboard-interactive authentication.
Password:
Last login: Tue Apr 23 13:58:29 2013 from 172.16.25.125

If you don't have a smartphone, you can use a Firefox add-on called GAuth Authenticator to perform two-factor authentication.

Important: two-factor authentication works with SSH password logins. If you use an SSH private/public key session, it will ignore two-factor authentication and log you in directly.