Architecture (day08)

Reader contribution  235  2022-10-31


Google two-factor authentication

Introduction to Google Authenticator

Normally we connect to a server over SSH by typing the password directly, but a password alone is easy to brute-force. Combining the SSH password with Google's time-based one-time codes greatly improves login security. In short, when a user logs in over SSH, they first enter the Google verification code and then the server's SSH password.

Installing and deploying Google Authenticator

# 1. Install dependencies
[root@m01 ~]# yum -y install pam-devel libpng-devel autoconf automake libtool
# 2. Download the Google PAM module
## Official download address
[root@m01 opt]# wget
## Personal download address
[root@m01 ~]# wget
# 3. Unpack the module
[root@m01 ~]# tar xf 1.04.tar.gz
# 4. Build the code
## Enter the unpacked directory
[root@m01 ~]# cd google-authenticator-libpam-1.04/
[root@m01 google-authenticator-libpam-1.04]# ll
total 52
-rwxrwxr-x 1 root root   605 Aug 16  2017 bootstrap.sh
drwxrwxr-x 2 root root    24 Aug 16  2017 build
-rw-rw-r-- 1 root root  1932 Aug 16  2017 configure.ac
drwxrwxr-x 2 root root    46 Aug 16  2017 contrib
-rw-rw-r-- 1 root root  1452 Aug 16  2017 CONTRIBUTING.md
drwxrwxr-x 2 root root    20 Aug 16  2017 examples
-rw-rw-r-- 1 root root  2622 Aug 16  2017 FILEFORMAT
-rw-rw-r-- 1 root root 11358 Aug 16  2017 LICENSE
-rw-rw-r-- 1 root root  2231 Aug 16  2017 Makefile.am
drwxrwxr-x 2 root root   140 Aug 16  2017 man
-rw-rw-r-- 1 root root  7155 Aug 16  2017 README.md
drwxrwxr-x 2 root root   158 Aug 16  2017 src
drwxrwxr-x 2 root root    49 Aug 16  2017 tests
-rw-rw-r-- 1 root root  9423 Aug 16  2017 totp.html
drwxrwxr-x 2 root root    41 Aug 16  2017 utc-time
## Run the bootstrap script (generates the configure script)
[root@m01 google-authenticator-libpam-1.04]# ./bootstrap.sh
# 5. Generate the Makefile (this step was not shown in the original transcript, but make needs it)
[root@m01 google-authenticator-libpam-1.04]# ./configure
# 6. Compile and install
[root@m01 google-authenticator-libpam-1.04]# make && make install
# 7. Check that the module was installed
[root@m01 google-authenticator-libpam-1.04]# ll /usr/local/lib/security/
-rwxr-xr-x 1 root root   1021 May 25 09:15 pam_google_authenticator.la
-rwxr-xr-x 1 root root 133552 May 25 09:15 pam_google_authenticator.so
# 8. Copy the installed module into the system PAM library directory
[root@m01 ~]# cp /usr/local/lib/security/pam_google_authenticator.so /usr/lib64/security/
# 9. Generate the initial Google authentication secret
[root@m01 ~]# google-authenticator
## Should the authentication tokens change over time?
Do you want authentication tokens to be time-based (y/n) y
Your new secret key is: 7WHLC4Z6LT3W4BTK6OR2AVCR7E
Your verification code is 020267
Your emergency scratch codes are:
  81061642
  20695747
  19608008
  26971435
  40551289
Do you want me to update your "/root/.google_authenticator" file? (y/n) y
Do you want to disallow multiple uses of the same authentication token? This restricts you to one login about every 30s, but it increases your chances to notice or even prevent man-in-the-middle attacks (y/n) y
By default, a new token is generated every 30 seconds by the mobile app. In order to compensate for possible time-skew between the client and the server, we allow an extra token before and after the current time. This allows for a time skew of up to 30 seconds between authentication server and client. If you experience problems with poor time synchronization, you can increase the window from its default size of 3 permitted codes (one previous code, the current code, the next code) to 17 permitted codes (the 8 previous codes, the current code, and the 8 next codes). This will permit for a time skew of up to 4 minutes between client and server. Do you want to do so? (y/n) y
If the computer that you are logging into isn't hardened against brute-force login attempts, you can enable rate-limiting for the authentication module. By default, this limits attackers to no more than 3 login attempts every 30s. Do you want to enable rate-limiting? (y/n) y

Scan the QR code with your phone

1.) iPhone

Generate a dynamic authentication token

How to delete an entry?

Rename an entry

2.) Android phone: long-press an entry to select it

Connecting Google 2FA to SSH

# 1. Modify the SSH PAM configuration
[root@m01 ~]# vim /etc/pam.d/sshd
auth required pam_google_authenticator.so
# 2. Modify the SSH daemon configuration to enable challenge-response (Google) authentication
[root@m01 ~]# vim /etc/ssh/sshd_config
ChallengeResponseAuthentication yes
# 3. Restart the sshd service
[root@m01 ~]# systemctl restart sshd

Logging in with a SecureCRT Python script

# $language = "python"
# $interface = "1.0"
import hmac, base64, struct, hashlib, time, re

# Get the tab object the script is running in
objTab = crt.GetScriptTab()
#objTab = crt.GetActiveTab()
objTab.Screen.Synchronous = True
objTab.Screen.IgnoreEscape = True

# Get the terminal tab name and pull the host IP out of it
tabName = objTab.Caption
reIp = r'\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}'
hostIp = re.findall(reIp, tabName)[0]

# Paste the base32 secret printed by google-authenticator after "Your new secret key is:"
# Note: the secret and the password below are stored in plain text; anyone who can read this script can log in.
secretKey = "PASTE_YOUR_SECRET_KEY_HERE"

def calGoogleCode(secretKey):
    # Current 30-second time step
    t = int(time.time()) // 30
    # The base32 secret must be padded with '=' to a multiple of 8 characters
    secretKey += '=' * (-len(secretKey) % 8)
    key = base64.b32decode(secretKey)
    msg = struct.pack(">Q", t)
    googleCode = hmac.new(key, msg, hashlib.sha1).digest()
    # bytearray() yields an int for the last byte under both Python 2 and Python 3
    o = bytearray(googleCode)[19] & 15
    googleCode = str((struct.unpack(">I", googleCode[o:o+4])[0] & 0x7fffffff) % 1000000)
    return googleCode.zfill(6)

def get_string(objTab, szStart, szPrompt):
    objTab.Screen.WaitForStrings(szStart)
    return objTab.Screen.ReadString(szPrompt)

def send_string(objTab, waitString, strings, selfSleepTime=20):
    objTab.Screen.WaitForStrings(waitString)
    time.sleep(0.0001)
    for i in strings:
        crt.Sleep(5)
        objTab.Screen.Send(i)
        # time.sleep(0.0001)
    objTab.Screen.WaitForStrings(strings)
    if strings[-1] != '\r':
        objTab.Screen.Send('\r')
    #msg(objTab.Screen.ReadString('[ q ]'))
    # time.sleep(0.0001)

def send_pass(objTab, waitString, strings):
    objTab.Screen.WaitForStrings(waitString)
    for i in strings:
        crt.Sleep(5)
        objTab.Screen.Send(i)
    if strings[-1] != '\r':
        objTab.Screen.Send('\r')
    time.sleep(0.01)

# Send the 2FA code
send_pass(objTab, 'Verification code:', calGoogleCode(secretKey))
## Send the password
send_pass(objTab, 'Password: ', '1')  # '1' is the server password
# Send the login IP
send_string(objTab, 'Opt> ', hostIp)
#objTab.Screen.WaitForStrings("[MFA auth]: ", "")
#if objTab.Screen.WaitForStrings("Opt> ", 1):
#    # Send the login IP; a cloned session does not need a second verification code
#    send_string(objTab, 'Opt> ', hostIp)
#else:
#    # Send the 2FA code
#    send_pass(objTab, '[MFA auth]: ', calGoogleCode(secretKey))
#    # Send the login IP
#    send_string(objTab, 'Opt> ', hostIp)
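Added example (not part of the original post or of the google-authenticator project): a stand-alone Python 3 version of the TOTP calculation used by the SecureCRT script above, plus a server-side verifier that applies the three options answered "y" in the google-authenticator prompts (the 3- or 17-code skew window, single use of each token, and 3 attempts per 30 s rate-limiting). It uses the RFC 6238 test secret as a constructed value, not a real key.

```python
import base64
import hashlib
import hmac
import struct
import time

STEP = 30  # seconds per token, as stated in the google-authenticator prompt

# Constructed test value: the RFC 6238 test secret ("12345678901234567890"),
# base32-encoded the way google-authenticator prints "Your new secret key is:".
RFC6238_SECRET_B32 = base64.b32encode(b"12345678901234567890").decode("ascii")


def totp(secret_b32, unix_time, digits=6):
    """RFC 6238 TOTP (HMAC-SHA1) for the 30-second step containing unix_time."""
    secret = secret_b32.strip().upper()
    secret += "=" * (-len(secret) % 8)            # pad to a multiple of 8 chars
    key = base64.b32decode(secret)
    counter = struct.pack(">Q", int(unix_time) // STEP)
    digest = hmac.new(key, counter, hashlib.sha1).digest()
    offset = digest[19] & 0x0F                    # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % (10 ** digits)).zfill(digits)


class TotpVerifier:
    """Server-side check: skew window (window=1 -> 3 codes, window=8 -> 17),
    one use per token, and max_attempts per period seconds."""

    def __init__(self, secret_b32, window=1, max_attempts=3, period=30):
        self.secret, self.window = secret_b32, window
        self.max_attempts, self.period = max_attempts, period
        self.used_steps = set()    # time steps whose token was already accepted
        self.attempts = []         # timestamps of recent login attempts

    def verify(self, code, now=None):
        now = int(time.time() if now is None else now)
        self.attempts = [t for t in self.attempts if now - t < self.period]
        if len(self.attempts) >= self.max_attempts:
            return False           # rate-limited, even if the code is right
        self.attempts.append(now)
        current = now // STEP
        for step in range(current - self.window, current + self.window + 1):
            if step in self.used_steps:
                continue           # the same token may not be used twice
            if hmac.compare_digest(totp(self.secret, step * STEP), code):
                self.used_steps.add(step)
                return True
        return False
```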


