Last updated: 2015-03-03
Contents
Introduction
- Multiple accounts
- 30-second TOTP codes
- Key provisioning via scanning a QR code
- Protection against replay attacks
- Support for emergency scratch codes
Home Page
http://code.google.com/p/google-authenticator/
Installation
Ubuntu 12.04
apt-get install libpam-google-authenticator
You get:
- /lib/security/pam_google_authenticator.so
- /usr/bin/google-authenticator
Debian 6/7
aptitude install libqrencode3
Download Package:
i386:
http://ftp.us.debian.org/debian/pool/main/g/google-authenticator/libpam-google-authenticator_20130529-2_i386.deb
amd64:
http://ftp.us.debian.org/debian/pool/main/g/google-authenticator/libpam-google-authenticator_20130529-2_amd64.deb
Centos 6 / 7
yum install google-authenticator # EPEL
You get the file: /lib/security/pam_google_authenticator.so
Compile by source
# Newer CentOS 7 EPEL already ships google-authenticator, so compiling it yourself is no longer needed
yum -y groupinstall "Development Tools"
yum -y install pam-devel
cd /usr/src
wget https://github.com/google/google-authenticator-libpam/archive/refs/heads...
unzip master.zip
cd google-authenticator-libpam-master
./bootstrap.sh
libtoolize: putting auxiliary files in AC_CONFIG_AUX_DIR, `build'.
libtoolize: copying file `build/ltmain.sh'
libtoolize: putting macros in AC_CONFIG_MACRO_DIR, `build'.
libtoolize: copying file `build/libtool.m4'
libtoolize: copying file `build/ltoptions.m4'
libtoolize: copying file `build/ltsugar.m4'
libtoolize: copying file `build/ltversion.m4'
libtoolize: copying file `build/lt~obsolete.m4'
configure.ac:11: installing 'build/config.guess'
configure.ac:11: installing 'build/config.sub'
configure.ac:8: installing 'build/install-sh'
configure.ac:8: installing 'build/missing'
Makefile.am: installing 'build/depcomp'
parallel-tests: installing 'build/test-driver'
./configure
make -j # produces .libs/pam_google_authenticator.so
Install by cp
cp -a .libs/pam_google_authenticator.so /usr/lib64/security
cp -a google-authenticator /usr/bin
Learning
man google-authenticator
man pam_google_authenticator
Configuration: pam + sshd
Configure pam:
Edit /etc/pam.d/sshd and add
# both the authenticator code and the password must be correct to log in
auth required pam_google_authenticator.so
# if the authenticator code alone should be enough to log in (the user's password is not checked)
auth sufficient pam_google_authenticator.so
Example:
# Debian
# google_authenticator
auth sufficient pam_google_authenticator.so
# Standard Un*x authentication.
@include common-auth
..............................................
# Centos
#%PAM-1.0
auth required pam_sepermit.so
# google_authenticator
auth sufficient pam_google_authenticator.so
auth include password-auth
Note the order!! pam_sepermit, pam_google_authenticator, password-auth
nullok
During the initial roll-out process, you might find that not all users have created a secret key yet.
If you would still like them to be able to log in, you can pass the "nullok" option
... auth required pam_google_authenticator.so nullok ...
Configure sshd:
Edit /etc/ssh/sshd_config and add
# google_authenticator authenticates through PAM
# Default: "no"
UsePAM yes
# Specifies whether challenge response authentication is allowed (default is "yes")
ChallengeResponseAuthentication yes
# keep the traditional password login
PasswordAuthentication yes
service sshd restart
Log when root logs in:
.. sshd(pam_google_authenticator)[15687]: Failed to read "/root/.google_authenticator" for "root"
.. sshd[15679]: Accepted keyboard-interactive/pam for root from s.s.s.s port 9193 ssh2
Create the authentication key (~/.google_authenticator):
google-authenticator
You will then see a QR code and be asked the following questions
Do you want me to update your "~/.google_authenticator" file (y/n) y

Do you want to disallow multiple uses of the same authentication        <--- DISALLOW_REUSE
token? This restricts you to one login about every 30s, but it increases
your chances to notice or even prevent man-in-the-middle attacks (y/n) y

By default, tokens are good for 30 seconds and in order to compensate for   <--- WINDOW_SIZE
possible time-skew between the client and the server, we allow an extra
token before and after the current time. If you experience problems with
poor time synchronization, you can increase the window from its default
size of 1:30min to about 4min. Do you want to do so (y/n) y

If the computer that you are logging into isn't hardened against brute-force   <---
login attempts, you can enable rate-limiting for the authentication module.
By default, this limits attackers to no more than 3 login attempts every 30s.
Do you want to enable rate-limiting (y/n) y
Remark
By default the PAM module requires that
- the secrets file must be owned by the user logging in
- requires the secrets file to be readable only by the owner of the file (mode 0600 by default)
Configure File
~/.google_authenticator
Options
They all start with a double quote character, followed by a space character.
This ensures that they cannot accidentally appear anywhere else in the file.
RESETTING_TIME_SKEW t1 t2 ...
Written by the module as a record, not a setting you configure
// If the user can produce a sequence of three consecutive codes that fall
// within a day of the current time, and if he can enter these codes in
// quick succession, then we allow the time skew to be reset.
TIME_SKEW n
Written by the module as a record, not a setting you configure
// If a user repeatedly attempts to log in with the same time skew,
// remember this skew factor for future login attempts
RATE_LIMIT # -r, --rate-limit=N; -R, --rate-time=M
# restricts the number of logins to at most "n" within each "m" second interval
# Additional parameters "?" in this line are undocumented;
# they are used internally to keep track of state.
RATE_LIMIT n m ?
Once the limit is exceeded, the following prompt is no longer shown:
Verification code:
Log:
... sshd(pam_google_authenticator)[28681]: Too many concurrent login attempts ("/root/.google_authenticator"). Please try again.
WINDOW_SIZE n # -w n
# Default: 3. allowing up to "n" extra valid tokens before and after the currently active one
WINDOW_SIZE n
In counter-based mode, this option is the number of valid tokens after the currently active one.
DISALLOW_REUSE # -D
If present, this signals that a time-based token can be used at most once.
This means that users can typically not log in faster than once every ~30 seconds.
A space-separated list of time stamps that have previously been used for login attempts
DISALLOW_REUSE t1 t2 ...
TOTP_AUTH
The "secret" can be used to authenticate users with a time-based token.
Example
???????????????                               <-- base32 encoded secret
" RESETTING_TIME_SKEW 45418776+9 45418783+9   <-- optional; option lines start with "
" TIME_SKEW -960
" RATE_LIMIT 3 30 1362564814
" WINDOW_SIZE 3                               <-- from 3 to "n", default 3
" DISALLOW_REUSE 45418788 45418790
" TOTP_AUTH                                   <-- enable time-based token login
8359????                                      <-- one-time tokens, eight-digit numbers
6479????                                      <-- a line is deleted once it has been used
6257????
Template: ~/.google_authenticator
????
" RATE_LIMIT 3 30
" DISALLOW_REUSE
" TOTP_AUTH
Other options
STEP_SIZE n # -S n
The number of seconds in each time step during which a TOTP code is valid. (Default: 30s)
QR code format
URI with the following format:
otpauth://TYPE/LABEL?PARAMETERS
# Google Authenticator
otpauth://totp/LABEL?secret=key.base32
# LABEL is only used for display
# key: at least 30 hex chars
i.e.
otpauth://totp/software@mydomain?secret=0123456789abcdef0
HOTP
HOTP = HMAC-Based One-time Password (RFC 4226)
Event-based One-Time Password
Principle:
seed(secret key) + moving factor(counter)
The counter on the server is incremented only when an OTP is successfully validated
The OTP generator and the server are synced each time the code is validated and the user gains access
Setting
HOTP_COUNTER n
Authenticate users with a counter-based token
The argument "n" represents which counter value the token will accept next.
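The following is an added example, not code from this page or from the google-authenticator project: it parses a constructed ~/.google_authenticator file in the format shown above, computes RFC 4226 HOTP codes, and checks a code in TOTP_AUTH mode (STEP_SIZE, WINDOW_SIZE, DISALLOW_REUSE) and in HOTP_COUNTER mode. It follows the PAM module's reading of WINDOW_SIZE as the total number of concurrently valid codes (the default 3 = previous, current and next code, i.e. the 1:30min in the prompt above), and the secret is the RFC 4226 test key, not a real one.

```python
import base64, hashlib, hmac, struct
# Constructed sample ~/.google_authenticator (NOT a real secret): first line is the
# RFC 4226 test key in base32, followed by the '" ' option lines described above.
SAMPLE_TOTP_FILE = """GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ
" WINDOW_SIZE 3
" DISALLOW_REUSE
" TOTP_AUTH
"""

def parse_secret_file(text):
    """Line 1: base32 secret; '" NAME args' lines: options; other lines: scratch codes."""
    lines = text.splitlines()
    secret = base64.b32decode(lines[0].strip())
    options, scratch = {}, []
    for line in lines[1:]:
        if line.startswith('" '):
            name, *args = line[2:].split()
            options[name] = args
        elif line.strip():
            scratch.append(line.strip())
    return secret, options, scratch

def hotp(secret, counter, digits=6):
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return "%0*d" % (digits, value % 10 ** digits)

def verify_totp(secret, options, code, now, used):
    """TOTP_AUTH mode. WINDOW_SIZE = number of concurrently valid time steps (3 = previous,
    current, next); with DISALLOW_REUSE a step is accepted once ('used' = consumed steps)."""
    step = int(options.get("STEP_SIZE", ["30"])[0])
    window = int(options.get("WINDOW_SIZE", ["3"])[0])
    current = now // step
    for t in range(current - (window - 1) // 2, current + window // 2 + 1):
        if hmac.compare_digest(hotp(secret, t), code):
            if "DISALLOW_REUSE" in options and t in used:
                return False  # replay of a code from an already-used time step
            used.add(t)
            return True
    return False

def verify_hotp(secret, options, code):
    """HOTP_COUNTER mode: the next WINDOW_SIZE counters are valid; return the new counter."""
    counter = int(options["HOTP_COUNTER"][0])
    window = int(options.get("WINDOW_SIZE", ["3"])[0])
    for c in range(counter, counter + window):
        if hmac.compare_digest(hotp(secret, c), code):
            return c + 1  # caller writes this back as the new HOTP_COUNTER value
    return None
```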