How do I require 2FA for local Ubuntu logins?

There are instructions for setting up 2FA for SSH. However, I am interested in requiring 2FA for the login itself. For example, a login normally looks like this:

ubuntu login: cocomac
Password:

However, for added security, I would like to be prompted for a (valid) 2FA code after entering my password[1].

I am specifically interested in Ubuntu Server, although an answer for Ubuntu Desktop (any flavour) is acceptable. Any supported (non-EOL) version is fine.

How do I add 2FA for local logins on Ubuntu?


[1] For the purposes of this question, assume that physical security of the system is not a concern.

Answer 1

  1. Install the Google PAM package from the terminal. PAM, short for Pluggable Authentication Module, is a mechanism that provides an additional layer of authentication on Linux platforms.

    sudo apt install libpam-google-authenticator
    

    When prompted, press "Y" and then ENTER to continue the installation.

user@ubuntu:~$ sudo apt install libpam-google-authenticator
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following additional packages will be installed:
libqrencode3
The following NEW packages will be installed:
libpam-google-authenticator libqrencode3
0 upgraded, 2 newly installed, 0 to remove and 120 not upgraded.
Need to get 56.8 kB of archives.
After this operation, 183 kB of additional disk space will be used.
Do you want to continue? [Y/n] Y
  2. Install the Google Authenticator app. It gives you 2FA codes that refresh every 30 seconds.

Google Authenticator

  3. Once Google Authenticator is installed, we can proceed to configure the Google PAM package on Ubuntu by editing the /etc/pam.d/common-auth file as follows.

    sudo vim /etc/pam.d/common-auth
    

    Append the line below to the file as indicated.

    auth required pam_google_authenticator.so
    
#
# This file is included from other service-specific PAM config files,
# and should contain a list of the authentication modules that define
# the central authentication scheme for use on the system
# (e.g., /etc/shadow, LDAP, Kerberos, etc.). The default is to use the
# traditional Unix authentication mechanisms.
#
# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
# To take advantage of this, it is recommended that you configure any
# local modules either before or after the default block, and use
# pam-auth-update to manage selection of other modules. See
# pam-auth-update(8) for details.

auth required pam_google_authenticator.so # Add this to the file

# here are the per-package modules (the "Primary" block)
auth [success=1 default=ignore] pam_unix.so nullok_secure
# here's the fallback if no module succeeds
auth requisite pam_deny.so
# prime the stack with a positive return value if there isn't one already;

Save the file and exit.

Now run the following command to initialize PAM.

google-authenticator

When asked whether you want time-based tokens, enter "Y":

user@ubuntu:~$ google-authenticator

Do you want authentication tokens to be time-based (y/n) y

Next, a QR code is displayed in the terminal, along with some information, including:

  • Secret key
  • Verification code
  • Emergency scratch codes

You need to save this information in a vault for future reference.

On your phone, open the Google Authenticator app and create a new 2FA account. Then choose "Scan a QR code" and scan the QR code shown in the terminal (note: you may need to maximize the terminal to see the whole thing).

Your new secret key is: IFERMENW4I4ACQGU5A4IMEWRZY
Your verification code is 300435
Your emergency scratch codes are:
55056039
74301730
41124860
44081953
35754525
Do you want me to update your "/home/user/.google_authenticator" file? (y/n)
  4. Then choose "y" to update the Google Authenticator file in your home folder.

    At the next prompt, restrict logins to one every 30 seconds to prevent attacks that could occur through a man-in-the-middle. So choose "y".

Your new secret key is: IFERMENW4I4ACQGU5A4IMEWRZY
Your verification code is 300435
Your emergency scratch codes are:
55056039
74301730
41124860
44081953
35754525
Do you want me to update your "/home/user/.google_authenticator" file? (y/n) y
Do you want to disallow multiple uses of the same authentication
token? This restricts you to one login about every 30s, but it increases your chances to notice or even prevent man-in-the-middle attacks (y/n) y

At the next prompt, press "n" to refuse extending the time window that compensates for time skew between server and client. This is just an option that makes your 2FA more secure.

Finally, set the rate of failed login attempts to 3.

By default, a new token is generated every 30 seconds by the mobile app. In order to compensate for possible time-skew between the client and the server, we allow an extra token before and after the current time. This allows for a time skew of up to 30 seconds between authentication server and client. If you experience problems with poor time synchronization, you can increase the window from its default size of 3 permitted codes (one previous code, the current code, the next code) to 17 permitted codes (the 8 previous codes, the current code, and the 8 next codes). This will permit for a time skew of up to 4 minutes between client and server.
Do you want to do so? (y/n) n
If the computer that you are logging into isn't hardened against brute-force login attempts, you can enable rate-limiting for the authentication module. By default, this limits attackers to no more than 3 login attempts every 30s. Do you want to enable rate-limiting? (y/n) y
user@ubuntu:~$

At this point, 2FA is enabled on your machine. Now any sudo command requires the code that can be found in the Google Authenticator app.

user@ubuntu:~$ sudo apt update
Verification code:
[sudo] password for tecmint:
Hit:1 http://ubuntu.mirror.ac.ke/ubuntu bionic InRelease
Get:2 http://ubuntu.mirror.ac.ke/ubuntu bionic-updates InRelease [88.7 kB]
Get:3 http://ubuntu.mirror.ac.ke/ubuntu bionic-backports InRelease [74.6 kB]
Get:4 http://ubuntu.mirror.ac.ke/ubuntu bionic-security InRelease [88.7 kB]
Get:5 https://linux.teamviewer.com/deb stable InRelease [11.0 kB]
Hit:6 http://dl.google.com/linux/chrome/deb stable InRelease
Hit:7 http://ppa.launchpad.net/alexlarsson/flatpak/ubuntu bionic InRelease
Get:8 http://ubuntu.mirror.ac.ke/ubuntu bionic-updates/main amd64 Packages [1,885 kB]

Reboot, and you will be prompted for a 2FA code at the login screen.

Source: https://www.tecmint.com/enable-two-factor-authentication-in-ubuntu/
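An added example, not code from the answer above or from tecmint: a Python model of the checks pam_google_authenticator performs with the options chosen during setup (a 3-code time-skew window rather than 17, refusal of a reused token, and rate limiting to 3 attempts per 30 seconds), so you can see what each "y"/"n" answer actually changes. DEMO_SECRET is a constructed base32 key, not the one printed in the answer.

```python
import base64
import hashlib
import hmac
import struct

STEP = 30      # the app generates a new token every 30 seconds
DIGITS = 6
# Constructed demo secret in the base32 form google-authenticator prints;
# it is not the key shown in the answer above.
DEMO_SECRET = "JBSWY3DPEHPK3PXP"


def totp(secret_b32: str, t: int) -> str:
    """RFC 6238 code for the 30-second slot containing Unix time t."""
    key = base64.b32decode(secret_b32.upper() + "=" * (-len(secret_b32) % 8))
    counter = struct.pack(">Q", t // STEP)
    digest = hmac.new(key, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** DIGITS:0{DIGITS}d}"


class TotpVerifier:
    """Server side: window=3 (+/-1 slot) or 17 (+/-8), reuse check, rate limit."""

    def __init__(self, secret_b32, window=3, disallow_reuse=True, rate_limit=(3, 30)):
        self.secret = secret_b32
        self.half = window // 2                  # slots accepted on each side of now
        self.disallow_reuse = disallow_reuse
        self.max_attempts, self.interval = rate_limit
        self.used_slots = set()                  # slots whose code was already accepted
        self.attempts = []                       # timestamps of recent attempts

    def verify(self, code: str, now: int) -> bool:
        # Rate limiting: refuse outright once max_attempts fall inside `interval`.
        self.attempts = [a for a in self.attempts if now - a < self.interval]
        if len(self.attempts) >= self.max_attempts:
            return False
        self.attempts.append(now)
        slot = now // STEP
        for delta in range(-self.half, self.half + 1):
            candidate = slot + delta
            if hmac.compare_digest(totp(self.secret, candidate * STEP), code):
                if self.disallow_reuse and candidate in self.used_slots:
                    return False            # same token presented twice
                self.used_slots.add(candidate)
                return True
        return False                        # no code in the window matched
```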

Answer 2

This can be achieved in many different ways.

For example, you could

  1. have a LUKS-encrypted hard disk and move the LUKS header onto a USB drive
  2. use a LUKS partition encrypted with a YubiKey
  3. add a password to GRUB
  4. do what was suggested above...

I'm sure there are plenty of other ways.
