Created July 5, 2019 15:36
# .. seealso:: https://fedoramagazine.org/two-factor-authentication-ssh-fedora/
ssato@x1-carbon-gen6% sudo dnf install -y google-authenticator
[sudo] password for ssato:
...
Dependencies resolved.
...
Installed:
google-authenticator-1.04-4.fc30.x86_64
Complete!
ssato@x1-carbon-gen6% rehash
ssato@x1-carbon-gen6% google-authenticator
Do you want authentication tokens to be time-based (y/n) y
Warning: pasting the following URL into your browser exposes the OTP secret to Google:
https://www.google.com/chart?chs=200x200&chld=M|0&cht=qr&chl=otpauth://totp/...
... (QR code) ...
Your new secret key is: **************************
Your verification code is ******
Your emergency scratch codes are:
********
********
********
********
Do you want me to update your "/home/ssato/.google_authenticator" file? (y/n) y
Do you want to disallow multiple uses of the same authentication
token? This restricts you to one login about every 30s, but it increases
your chances to notice or even prevent man-in-the-middle attacks (y/n) y
By default, a new token is generated every 30 seconds by the mobile app.
In order to compensate for possible time-skew between the client and the server,
we allow an extra token before and after the current time. This allows for a
time skew of up to 30 seconds between authentication server and client. If you
experience problems with poor time synchronization, you can increase the window
from its default size of 3 permitted codes (one previous code, the current
code, the next code) to 17 permitted codes (the 8 previous codes, the current
code, and the 8 next codes). This will permit for a time skew of up to 4 minutes
between client and server.
Do you want to do so? (y/n) n
If the computer that you are logging into isn't hardened against brute-force
login attempts, you can enable rate-limiting for the authentication module.
By default, this limits attackers to no more than 3 login attempts every 30s.
Do you want to enable rate-limiting? (y/n) y
ssato@x1-carbon-gen6% sudo sed -i.save 's/^auth.*substack.*password-auth/#&/' /etc/pam.d/sshd
ssato@x1-carbon-gen6% sudo vim /etc/pam.d/sshd
ssato@x1-carbon-gen6% diff -u /etc/pam.d/sshd{.save,}
--- /etc/pam.d/sshd.save 2019-06-17 19:59:33.000000000 +0900
+++ /etc/pam.d/sshd 2019-07-06 00:08:33.863098286 +0900
@@ -1,5 +1,6 @@
#%PAM-1.0
-auth substack password-auth
+#auth substack password-auth
auth include postlogin
+auth sufficient pam_google_authenticator.so
account required pam_sepermit.so
account required pam_nologin.so
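Review bot: the added `auth sufficient pam_google_authenticator.so` carries no `nullok`, so any account without a `~/.google_authenticator` file fails keyboard-interactive outright, and because the same hunk comments out `auth substack password-auth` there is no password fallback left in this PAM stack: every SSH user must have run `google-authenticator` before sshd is restarted. Since the TOTP module is now the only authenticating module, `auth required pam_google_authenticator.so` states that intent more plainly than `sufficient`, and the commented `#auth substack password-auth` line can be dropped once the change is confirmed working.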
ssato@x1-carbon-gen6% sudo grep '^ChallengeResponseAuthentication' /etc/ssh/sshd_config
ChallengeResponseAuthentication no
ssato@x1-carbon-gen6% sudo grep '^PasswordAuthentication' /etc/ssh/sshd_config
PasswordAuthentication yes
ssato@x1-carbon-gen6% sudo grep '^AuthenticationMethods' /etc/ssh/sshd_config
ssato@x1-carbon-gen6% sudo su -
[root@x1-carbon-gen6 ~]# sed -i.save -r '
s/^ChallengeResponseAuthentication .*/# & \
ChallengeResponseAuthentication yes/
s/^PasswordAuthentication .*/# & \
PasswordAuthentication no/
$ a \
AuthenticationMethods publickey,password publickey,keyboard-interactive
' /etc/ssh/sshd_config
[root@x1-carbon-gen6 ~]# diff -u /etc/ssh/sshd_config{.save,}
--- /etc/ssh/sshd_config.save 2019-06-17 19:59:33.000000000 +0900
+++ /etc/ssh/sshd_config 2019-07-06 00:06:46.828334208 +0900
@@ -70,11 +70,13 @@
# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
#PermitEmptyPasswords no
-PasswordAuthentication yes
+# PasswordAuthentication yes
+PasswordAuthentication no
# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes
-ChallengeResponseAuthentication no
+# ChallengeResponseAuthentication no
+ChallengeResponseAuthentication yes
# Kerberos options
#KerberosAuthentication no
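Review bot: `ChallengeResponseAuthentication yes` only routes the keyboard-interactive prompt through PAM, and so to pam_google_authenticator, when `UsePAM yes` is in effect; that directive is not part of this hunk, so confirm it is set (Fedora ships it enabled) and validate the edited file with `sshd -t` before restarting. The new `# PasswordAuthentication yes` and `# ChallengeResponseAuthentication no` copies sit right next to the stock `#PasswordAuthentication yes` and `#ChallengeResponseAuthentication yes` default comments, leaving two contradictory commented "defaults" for each option; removing the saved copies (the `.save` backup already records them) keeps the file unambiguous.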
@@ -146,3 +148,4 @@
# AllowTcpForwarding no
# PermitTTY no
# ForceCommand cvs server
+AuthenticationMethods publickey,password publickey,keyboard-interactive
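Review bot: `AuthenticationMethods publickey,password publickey,keyboard-interactive` is appended after `# ForceCommand cvs server`, which in the stock sshd_config is the tail of the commented-out per-user `Match` example; if that block is ever uncommented, everything below it becomes part of the Match and the directive stops applying globally, so place it in the main body of the file above any `Match` section instead. The `publickey,password` alternative is also unreachable, because the earlier hunk sets `PasswordAuthentication no`; listing only `publickey,keyboard-interactive` makes the effective policy (key plus TOTP) explicit.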
[root@x1-carbon-gen6 ~]# ログアウト
ssato@x1-carbon-gen6% sudo systemctl restart sshd
ssato@x1-carbon-gen6% ssh localhost
The authenticity of host 'localhost (::1)' can't be established.
ECDSA key fingerprint is SHA256:*************************************************
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added 'localhost' (ECDSA) to the list of known hosts.
Verification code: <the_verification_code_generated>
Last login: Thu Jun 27 23:38:39 2019
ssato@x1-carbon-gen6% ~
Connection to localhost closed.
ssato@x1-carbon-gen6%
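The google-authenticator prompts above describe the mechanism the PAM module enforces: a 30-second TOTP step, a skew window of 3 or 17 permitted codes, and the refusal to accept the same token twice. The following Python is an added example, not code from the gist or from the google-authenticator project, that implements that verification; SECRET is the RFC 6238 test key (a constructed value, not a real enrollment).

```python
"""RFC 6238 TOTP verification with the skew window and one-use rule that the
google-authenticator prompts describe.  Added example, not code from the gist;
SECRET is the RFC 6238 test key, a constructed value, not a real enrollment."""
import base64
import hashlib
import hmac
import struct

STEP = 30  # seconds per token, as the prompt states
SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"  # base32 of b"12345678901234567890"


def hotp(secret_b32: str, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    key = base64.b32decode(secret_b32.upper() + "=" * (-len(secret_b32) % 8))
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


def totp(secret_b32: str, now: int) -> str:
    return hotp(secret_b32, now // STEP)  # the code the phone app shows at Unix time `now`


class TotpVerifier:
    """window=3 accepts the previous, current and next code (30 s of skew);
    window=17 accepts 8 steps either side (4 min).  With disallow_reuse the
    time step of an accepted code is remembered and a replay is refused, which
    is what answering 'y' to 'disallow multiple uses' turns on."""

    def __init__(self, secret_b32: str, window: int = 3, disallow_reuse: bool = True):
        if window < 1 or window % 2 == 0:
            raise ValueError("window is an odd count of permitted codes (3 or 17)")
        self.secret, self.half, self.disallow_reuse = secret_b32, window // 2, disallow_reuse
        self.used = set()

    def verify(self, code: str, now: int) -> bool:
        current = now // STEP
        # forget steps that slid out of the window; they cannot be replayed anyway
        self.used = {c for c in self.used if c >= current - self.half}
        for counter in range(max(0, current - self.half), current + self.half + 1):
            # constant-time compare: the submitted code is untrusted input
            if hmac.compare_digest(hotp(self.secret, counter), code):
                if self.disallow_reuse and counter in self.used:
                    return False  # same token presented twice within the window
                self.used.add(counter)
                return True
        return False
```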