
[ssh google authenticator] Setting up OTP two-factor authentication for SSH login on Ubuntu

by 얽디 2023. 11. 16.

 

To harden the server, configure SSH login to require a second authentication factor using a Google OTP.

 

Difficulty: low

Setup time: 10 to 20 minutes

 

Tested versions: 16.04, 18.04, 20.04, 22.04

All of them were set up with the same procedure, and it was confirmed to apply correctly.

 

1. Install the OTP module

# apt install -y libpam-google-authenticator 
root@hagorud99-228099:~# apt install -y libpam-google-authenticator
Reading package lists... Done
Building dependency tree       
Reading state information... Done
The following packages were automatically installed and are no longer required:
  libfwupdplugin1 libxmlb1
Use 'apt autoremove' to remove them.
The following additional packages will be installed:
  libqrencode4
The following NEW packages will be installed:
  libpam-google-authenticator libqrencode4
0 upgraded, 2 newly installed, 0 to remove and 0 not upgraded.
Need to get 57.3 kB of archives.
After this operation, 190 kB of additional disk space will be used.
Get:1 http://nova.clouds.archive.ubuntu.com/ubuntu focal/universe amd64 libqrencode4 amd64 4.0.2-2 [23.6 kB]
Get:2 http://nova.clouds.archive.ubuntu.com/ubuntu focal/universe amd64 libpam-google-authenticator amd64 20170702-2 [33.7 kB]
Fetched 57.3 kB in 2s (32.7 kB/s)                    
Selecting previously unselected package libqrencode4:amd64.
(Reading database ... 99413 files and directories currently installed.)
Preparing to unpack .../libqrencode4_4.0.2-2_amd64.deb ...
Unpacking libqrencode4:amd64 (4.0.2-2) ...
Selecting previously unselected package libpam-google-authenticator.
Preparing to unpack .../libpam-google-authenticator_20170702-2_amd64.deb ...
Unpacking libpam-google-authenticator (20170702-2) ...
Setting up libqrencode4:amd64 (4.0.2-2) ...
Setting up libpam-google-authenticator (20170702-2) ...
Processing triggers for man-db (2.9.1-1) ...
Processing triggers for libc-bin (2.31-0ubuntu9.12) ...

 

2. Configure the pam.d/sshd file

# cp -arp /etc/pam.d/sshd /etc/pam.d/sshd_bak    // back up the existing config file
# vi /etc/pam.d/sshd                              // open the config file
auth      required      pam_google_authenticator.so      nullok     // add at the very bottom
Save the file.
# vi /etc/pam.d/sshd

auth       required     pam_google_authenticator.so nullok
// the line added at the bottom

 

3. Configure the sshd_config file

# cp -arp /etc/ssh/sshd_config /etc/ssh/sshd_config_bak    // back up the existing config file
# vi /etc/ssh/sshd_config
PermitEmptyPasswords no                 // uncomment, or change yes -> no
PasswordAuthentication no               // uncomment, or change yes -> no
ChallengeResponseAuthentication yes     // uncomment, or change no -> yes
UsePAM yes                              // already yes by default, but check it to be sure

The change only takes effect after running systemctl restart sshd.
# vi /etc/ssh/sshd_config
PermitEmptyPasswords no
PasswordAuthentication no
ChallengeResponseAuthentication yes
UsePAM yes

 

How to issue the OTP

Log in as the account that will connect over SSH.

$ google-authenticator     // generate the OTP; this must be run logged in as the account being enrolled
$ google-authenticator

Do you want authentication tokens to be time-based (y/n) y
Warning: pasting the following URL into your browser exposes the OTP secret to Google:
  https://www.google.com/chart?chs=200x200&chld=M|0&cht=qr&chl=otpau....~~~    // URL that displays the QR code

[QR code printed here]    // scan the QR code with the Google OTP app

Your new secret key is: [secret key printed here]
Your verification code is 760577
Your emergency scratch codes are:
  2705????
  2570????
  3742????
  1975????
  9563????

Do you want me to update your "/home/Hagorud99/.google_authenticator" file? (y/n) y

Do you want to disallow multiple uses of the same authentication
token? This restricts you to one login about every 30s, but it increases
your chances to notice or even prevent man-in-the-middle attacks (y/n) y

By default, a new token is generated every 30 seconds by the mobile app.
In order to compensate for possible time-skew between the client and the server,
we allow an extra token before and after the current time. This allows for a
time skew of up to 30 seconds between authentication server and client. If you
experience problems with poor time synchronization, you can increase the window
from its default size of 3 permitted codes (one previous code, the current
code, the next code) to 17 permitted codes (the 8 previous codes, the current
code, and the 8 next codes). This will permit for a time skew of up to 4 minutes
between client and server.
Do you want to do so? (y/n) y

If the computer that you are logging into isn't hardened against brute-force
login attempts, you can enable rate-limiting for the authentication module.
By default, this limits attackers to no more than 3 login attempts every 30s.
Do you want to enable rate-limiting? (y/n) y

 

 

# ll /home/Hagorud99/
total 16
drwxr-xr-x 3 Hagorud99 Hagorud99 4096 Nov 14 14:10 ./
drwxr-xr-x 4 root      root      4096 Nov 14 14:09 ../
drwx------ 2 Hagorud99 Hagorud99 4096 Nov 14 14:09 .cache/
-r-------- 1 Hagorud99 Hagorud99  136 Nov 14 14:10 .google_authenticator    // created as a hidden file in the account's home directory

When logging in, enter the account's existing password first, then the OTP.

 

[How to reuse the same OTP on another server]

If you want to use the same OTP on another server:

Install the Google OTP package with dnf, then, instead of running google-authenticator, just copy the file.

  1. cd into the home directory of the account that will connect
  2. create the .google_authenticator file and copy the key contents into it
  3. chmod 400 .google_authenticator
  4. chown account.account .google_authenticator, and you are done.
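An added audit script for sections 2 and 3 and for the copied secret file above (written for this article, not the post's own code): it resolves each sshd_config keyword the way sshd does, including the 22.04 detail that ChallengeResponseAuthentication is an alias of KbdInteractiveAuthentication and the first occurrence wins, which goes beyond the post's own steps. It assumes GNU stat and a POSIX awk; file paths and the login uid are passed in so it can run against copies of the config files.

```shell
#!/bin/sh
# Constructed audit helper for the settings this post changes (not the post's own
# code). Paths are parameters so it can run against copies; on a live host,
# `sshd -T` remains the authoritative view of what sshd actually applies.

# Effective value of an sshd_config keyword. sshd keeps the FIRST occurrence and
# matches names case-insensitively; ChallengeResponseAuthentication is an alias of
# KbdInteractiveAuthentication (the name in Ubuntu 22.04's default file), so a
# leftover "KbdInteractiveAuthentication no" above a line appended at the bottom
# silently wins. Stops at the first Match block, whose values are conditional.
sshd_effective() {  # $1 = sshd_config path, $2 = keyword
    key=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    case "$key" in
        challengeresponseauthentication|kbdinteractiveauthentication)
            key='challengeresponseauthentication|kbdinteractiveauthentication' ;;
    esac
    awk -v pat="^(${key})\$" '
        /^[[:space:]]*#/ || NF < 2 { next }
        tolower($1) == "match"     { exit }
        tolower($1) ~ pat          { print tolower($2); exit }' "$1"
}

# Every setting the post requires must be present with exactly that value.
check_sshd_config() {  # $1 = sshd_config path; prints mismatches, returns 1 on any
    rc=0
    for pair in PasswordAuthentication=no PermitEmptyPasswords=no \
                ChallengeResponseAuthentication=yes UsePAM=yes; do
        k=${pair%=*}; want=${pair#*=}; got=$(sshd_effective "$1" "$k")
        [ "$got" = "$want" ] || { echo "sshd_config: $k is '${got:-unset}', want $want"; rc=1; }
    done
    return $rc
}

# The PAM line must load the module. nullok is reported rather than failed: it
# lets a user who has no ~/.google_authenticator log in without any OTP at all.
check_pam_sshd() {  # $1 = pam.d/sshd path
    line=$(grep -E '^[[:space:]]*auth[[:space:]]+[^#]*pam_google_authenticator\.so' "$1" | head -n 1)
    [ -n "$line" ] || { echo "pam.d/sshd: pam_google_authenticator.so is not loaded"; return 1; }
    case "$line" in *nullok*) echo "pam.d/sshd: nullok set, unenrolled users skip OTP" ;; esac
}

# The secret file must exist, belong to the login user and be readable only by that
# user (the post uses mode 400; the module rejects group- or world-readable files).
check_secret_file() {  # $1 = path to .google_authenticator, $2 = uid of the login user
    [ -f "$1" ] || { echo "$1: missing"; return 1; }
    [ "$(stat -c %u "$1")" = "$2" ] || { echo "$1: not owned by uid $2"; return 1; }
    mode=$(stat -c %a "$1")
    case "$mode" in 400|600) ;; *) echo "$1: mode $mode, want 400"; return 1 ;; esac
}
```

On the host itself, source the file and call check_sshd_config /etc/ssh/sshd_config, check_pam_sshd /etc/pam.d/sshd and check_secret_file /home/ACCOUNT/.google_authenticator "$(id -u ACCOUNT)"; a non-zero return together with the printed line names the setting to fix.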

 
