
How to understand the cheat of the linux command line practical mnemonic tool to prevent password disclosure

2025-01-17 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)06/01 Report--

This article focuses on "how to understand the cheat of linux command line mnemonic tools to prevent password disclosure". The method introduced here is simple, fast and practical, so interested readers may wish to follow along.

Recently, many well-known enterprises have leaked passwords, and calls for multi-factor authentication in the industry are getting louder. In such a system, users go through two different authentication steps: they provide information they know (such as a username and password), and then use another tool to provide information they do not know in advance (such as a one-time password generated by a mobile phone). This combination is often called two-factor authentication or two-step verification.

To encourage widespread adoption of two-factor authentication, Google released Google Authenticator, open source software that generates one-time passwords based on open standards (such as HMAC-based and time-based one-time passwords). It is cross-platform and runs on Linux, Android and iOS. Google also provides it as a pluggable authentication module (PAM), so it can work with other PAM-aware tools such as OpenSSH.

In this tutorial, we will describe how to set up two-factor authentication for the SSH service by integrating OpenSSH with Google Authenticator. I will use an Android device to generate one-time passwords, so this tutorial requires two things: (1) a Linux host running the OpenSSH service, and (2) an Android device.

Install Google Authenticator on a Linux system

The first step is to install the Google authenticator on the Linux host running the OpenSSH service. Follow these steps to install the Google authenticator and its PAM module.

Install Google Authenticator with the installation package

If you don't want to build Google Authenticator yourself, pre-built packages are available on several Linux distributions. The package contains the Google Authenticator binary and the PAM module.

Install Google Authenticator on Ubuntu:

$ sudo apt-get install libpam-google-authenticator

Install Google Authenticator on Fedora:

$ sudo yum install google-authenticator

To install Google Authenticator on CentOS, you need to first enable the EPEL software library, and then run the following command:

$ sudo yum install google-authenticator

If you don't want to use a pre-built package, or if your Linux distribution is not in this list, you can compile it yourself:

Google Authenticator on Linux

First, install the packages needed to build Google Authenticator.

On Debian, Ubuntu, or Linux Mint:

$ sudo apt-get install wget make gcc libpam0g-dev

On CentOS, Fedora, or RHEL:

$ sudo yum install wget make gcc pam-devel

Then download the source code for Google Authenticator and compile it as follows.

$ wget https://google-authenticator.googlecode.com/files/libpam-google-authenticator-1.0-source.tar.bz2
$ tar xvfvj libpam-google-authenticator-1.0-source.tar.bz2
$ cd libpam-google-authenticator-1.0
$ make

If the build is successful, you will see the pam_google_authenticator.so and google-authenticator files in the directory.

Finally, install Google Authenticator to the appropriate location:

$ sudo make install

Troubleshooting

If the following error occurs while compiling Google Authenticator:

fatal error: security/pam_appl.h: No such file or directory

To fix this problem, install the following dependency package.

On Debian, Ubuntu, or Linux Mint:

$ sudo apt-get install libpam0g-dev

On CentOS, Fedora, or RHEL:

$ sudo yum install pam-devel

Once Google Authenticator is installed, you need to create an authentication key on the Linux host and register it on the Android device. Note that this configuration is a one-time operation. The steps are described in detail below:

Generate authentication key

Run Google Authenticator on the Linux host:

$ google-authenticator

You will see a QR code, which represents the numeric secret key as an image. We will use it later to complete the configuration on the Android device.

Google Authenticator will then ask some questions; if you are not sure, answer "Yes". The emergency backup codes (emergency scratch codes) let you regain access if you lose the bound Android device and so cannot get a generated one-time password. Keep the emergency codes in a safe place.

Run Google Authenticator on the Android device

To complete two-factor authentication we need the Google Authenticator app on the Android device; download and install it from Google Play. Run Google Authenticator on the Android device and open its configuration menu.

You can select either the "Scan a barcode" or the "Enter provided key" option. "Scan a barcode" lets you scan the QR code to enter the key; for this you may need to install the Barcode Scanner app. If you select "Enter provided key", you type the authentication key on the keyboard.

Either way, once registration succeeds you will see a confirmation and a one-time password.

Use Google Authenticator with the SSH server

Finally, we need to modify two files to complete the integration of Google Authenticator and the OpenSSH service.

First, edit the PAM configuration file and add the line shown below:

$ sudo vi /etc/pam.d/sshd

auth required pam_google_authenticator.so

Then open the SSH configuration file, locate the parameter ChallengeResponseAuthentication, and enable it.

$ sudo vi /etc/ssh/sshd_config

ChallengeResponseAuthentication yes

Finally, restart the SSH service.

On Ubuntu, Debian, and Linux Mint:

$ sudo service ssh restart

On Fedora (or CentOS/RHEL 7):

$ sudo systemctl restart sshd

On CentOS 6.x or RHEL 6.x:

$ sudo service sshd restart
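A check that both edits above are actually in effect, as an added example that is not part of the original article or of either project. It looks for an uncommented auth rule loading pam_google_authenticator.so and for the global ChallengeResponseAuthentication value; the function names and the sample file contents are constructed for illustration.

```python
import re

PAM_MODULE = "pam_google_authenticator.so"
# The page uses ChallengeResponseAuthentication; newer OpenSSH releases
# name the same option KbdInteractiveAuthentication, so accept both.
SSHD_KEYS = {"challengeresponseauthentication", "kbdinteractiveauthentication"}

def active_lines(text):
    """Yield lines with '#' comments and blank lines stripped."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            yield line

def pam_has_authenticator(pam_text):
    """True if an uncommented auth rule loads the Google Authenticator module."""
    for line in active_lines(pam_text):
        fields = line.split()
        if fields[0].lstrip("-") == "auth" and any(
                f.endswith(PAM_MODULE) for f in fields[2:]):
            return True
    return False

def sshd_challenge_response(sshd_text):
    """Global value of the keyword, or None if it is not set."""
    for line in active_lines(sshd_text):
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = parts[0].lower()
        if key == "match":      # Match blocks are conditional, not global
            break
        if key in SSHD_KEYS and len(parts) == 2:
            return parts[1].strip().lower()   # sshd keeps the first value read
    return None

def audit(pam_text, sshd_text):
    """Return a list of findings; an empty list means both edits are in place."""
    findings = []
    if not pam_has_authenticator(pam_text):
        findings.append("pam: no active auth rule loads " + PAM_MODULE)
    value = sshd_challenge_response(sshd_text)
    if value != "yes":
        findings.append("sshd: ChallengeResponseAuthentication is " + (value or "unset"))
    return findings

# Constructed sample files (not taken from a real host).
GOOD_PAM = "@include common-auth\nauth required pam_google_authenticator.so\n"
GOOD_SSHD = "Port 22\nChallengeResponseAuthentication yes\nUsePAM yes\n"
BAD_PAM = "#auth required pam_google_authenticator.so\n"
BAD_SSHD = "ChallengeResponseAuthentication no\nChallengeResponseAuthentication yes\n"
```

On a real host, pass the contents of /etc/pam.d/sshd and /etc/ssh/sshd_config to audit() before closing the current SSH session, so a mistake does not lock you out.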

Verify two-factor authentication

Run Google Authenticator on the bound Android device to get a one-time verification code. Each code is valid for 30 seconds, and a new one is generated when it expires.

Now log in to the host over SSH as usual:

$ ssh user@ssh_server

When prompted for the verification code, enter the one-time code we just obtained. After it is accepted, enter the SSH login password.

Two-factor authentication effectively protects our fragile user passwords by adding a layer in front of the password. You can also use Google Authenticator to protect other accounts, such as a Google account, WordPress.com, Dropbox.com, Outlook.com, etc. Whether or not to use this technology is up to us, but the adoption of two-factor authentication is already a major trend in the industry.
