@ssato
Created July 5, 2019 15:36
# .. seealso:: https://fedoramagazine.org/two-factor-authentication-ssh-fedora/
ssato@x1-carbon-gen6% sudo dnf install -y google-authenticator
[sudo] password for ssato:
...
Dependencies resolved.
...
Installed:
google-authenticator-1.04-4.fc30.x86_64
Complete!
ssato@x1-carbon-gen6% rehash
ssato@x1-carbon-gen6% google-authenticator
Do you want authentication tokens to be time-based (y/n) y
Warning: pasting the following URL into your browser exposes the OTP secret to Google:
https://www.google.com/chart?chs=200x200&chld=M|0&cht=qr&chl=otpauth://totp/...
... (QR code) ...
Your new secret key is: **************************
Your verification code is ******
Your emergency scratch codes are:
********
********
********
********
Do you want me to update your "/home/ssato/.google_authenticator" file? (y/n) y
Do you want to disallow multiple uses of the same authentication
token? This restricts you to one login about every 30s, but it increases
your chances to notice or even prevent man-in-the-middle attacks (y/n) y
By default, a new token is generated every 30 seconds by the mobile app.
In order to compensate for possible time-skew between the client and the server,
we allow an extra token before and after the current time. This allows for a
time skew of up to 30 seconds between authentication server and client. If you
experience problems with poor time synchronization, you can increase the window
from its default size of 3 permitted codes (one previous code, the current
code, the next code) to 17 permitted codes (the 8 previous codes, the current
code, and the 8 next codes). This will permit for a time skew of up to 4 minutes
between client and server.
Do you want to do so? (y/n) n
If the computer that you are logging into isn't hardened against brute-force
login attempts, you can enable rate-limiting for the authentication module.
By default, this limits attackers to no more than 3 login attempts every 30s.
Do you want to enable rate-limiting? (y/n) y
ssato@x1-carbon-gen6% sudo sed -i.save 's/^auth.*substack.*password-auth/#&/' /etc/pam.d/sshd
ssato@x1-carbon-gen6% sudo vim /etc/pam.d/sshd
ssato@x1-carbon-gen6% diff -u /etc/pam.d/sshd{.save,}
--- /etc/pam.d/sshd.save 2019-06-17 19:59:33.000000000 +0900
+++ /etc/pam.d/sshd 2019-07-06 00:08:33.863098286 +0900
@@ -1,5 +1,6 @@
#%PAM-1.0
-auth substack password-auth
+#auth substack password-auth
auth include postlogin
+auth sufficient pam_google_authenticator.so
account required pam_sepermit.so
account required pam_nologin.so
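Review bot: with `auth substack password-auth` commented out and `auth sufficient pam_google_authenticator.so` added after `auth include postlogin`, the sshd PAM auth stack no longer checks the account password at all, so a keyboard-interactive login is satisfied by the verification code alone; that only amounts to two factors because `AuthenticationMethods` in sshd_config puts `publickey` in front of it, and the two files should be documented as a pair. Two behaviours worth a comment in the file: the module is added without `nullok`, so any account that has no `~/.google_authenticator` can no longer authenticate through this service, and `sufficient` returns success as soon as the code matches, so no auth line placed after it would be consulted.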
ssato@x1-carbon-gen6% sudo grep '^ChallengeResponseAuthentication' /etc/ssh/sshd_config
ChallengeResponseAuthentication no
ssato@x1-carbon-gen6% sudo grep '^PasswordAuthentication' /etc/ssh/sshd_config
PasswordAuthentication yes
ssato@x1-carbon-gen6% sudo grep '^AuthenticationMethods' /etc/ssh/sshd_config
ssato@x1-carbon-gen6% sudo su -
[root@x1-carbon-gen6 ~]# sed -i.save -r '
s/^ChallengeResponseAuthentication .*/# & \
ChallengeResponseAuthentication yes/
s/^PasswordAuthentication .*/# & \
PasswordAuthentication no/
$ a \
AuthenticationMethods publickey,password publickey,keyboard-interactive
' /etc/ssh/sshd_config
[root@x1-carbon-gen6 ~]# diff -u /etc/ssh/sshd_config{.save,}
--- /etc/ssh/sshd_config.save 2019-06-17 19:59:33.000000000 +0900
+++ /etc/ssh/sshd_config 2019-07-06 00:06:46.828334208 +0900
@@ -70,11 +70,13 @@
# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
#PermitEmptyPasswords no
-PasswordAuthentication yes
+# PasswordAuthentication yes
+PasswordAuthentication no
# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes
-ChallengeResponseAuthentication no
+# ChallengeResponseAuthentication no
+ChallengeResponseAuthentication yes
# Kerberos options
#KerberosAuthentication no
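Review bot: `PasswordAuthentication no` together with `ChallengeResponseAuthentication yes` is the right pair for routing the second factor through PAM keyboard-interactive, but the hunk does not show `UsePAM`; the TOTP prompt depends on it being `yes`, so confirm that setting (not visible in this diff) before restarting. Minor style point: the old values are kept as `# PasswordAuthentication yes` and `# ChallengeResponseAuthentication no` right beside the stock `#PasswordAuthentication yes` / `#ChallengeResponseAuthentication yes` comments, which leaves two commented copies of each keyword; either drop the sed-generated copy or mark it with the change date so a later reader can tell which one was edited.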
@@ -146,3 +148,4 @@
# AllowTcpForwarding no
# PermitTTY no
# ForceCommand cvs server
+AuthenticationMethods publickey,password publickey,keyboard-interactive
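Review bot: the `publickey,password` alternative in the appended `AuthenticationMethods` line can never succeed once `PasswordAuthentication no` is in effect, so the directive is effectively `publickey,keyboard-interactive`; drop the dead alternative so the intent reads clearly. The line was added with sed's `$ a`, i.e. at the very end of the file; here the preceding lines are the commented-out `Match User anoncvs` example, but if a live `Match` block ever ends the file, a directive appended this way would be scoped to that block instead of applying globally. Run `sshd -t` after such edits to catch errors before `systemctl restart sshd`.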
[root@x1-carbon-gen6 ~]# ログアウト
ssato@x1-carbon-gen6% sudo systemctl restart sshd
ssato@x1-carbon-gen6% ssh localhost
The authenticity of host 'localhost (::1)' can't be established.
ECDSA key fingerprint is SHA256:*************************************************
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added 'localhost' (ECDSA) to the list of known hosts.
Verification code: <the_verification_code_generated>
Last login: Thu Jun 27 23:38:39 2019
ssato@x1-carbon-gen6% ~
Connection to localhost closed.
ssato@x1-carbon-gen6%
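The sed edits in the session above rewrite three sshd_config keywords and append a fourth at the end of the file. As an added check, not part of the gist and not OpenSSH code, the following Python audits an sshd_config text for the resulting public-key-plus-TOTP policy. It applies two sshd_config rules that scripted edits can trip over: the first occurrence of a keyword wins, and a line appended after a `Match` block belongs to that block rather than the global scope. The sample configs are constructed for the example, and the function names and the wording of the findings are this example's own.

```python
"""Audit an sshd_config for the public-key + TOTP policy configured above.

Added example, not OpenSSH code. Two sshd_config rules matter when editing with
sed: the first occurrence of a keyword wins, and anything after a Match line
belongs to that conditional block, not to the global scope.
"""
import re
from typing import Dict, List

_LINE = re.compile(r"^(\w+)\s*=?\s*(.*)$")   # "Keyword value" or "Keyword=value"


def parse_global(text: str) -> Dict[str, str]:
    """Return the effective global settings (keywords lower-cased)."""
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _LINE.match(line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "match":
            break                        # conditional block follows: not global
        settings.setdefault(key, value)  # first occurrence wins, later ones are ignored
    return settings


def audit(text: str) -> List[str]:
    """List deviations from: no passwords, TOTP via PAM, every method list two-factor."""
    cfg = parse_global(text)
    findings: List[str] = []
    pw = cfg.get("passwordauthentication", "yes").lower()
    # newer OpenSSH spells this KbdInteractiveAuthentication; accept either keyword
    cr = cfg.get("challengeresponseauthentication",
                 cfg.get("kbdinteractiveauthentication", "yes")).lower()
    if pw != "no":
        findings.append("PasswordAuthentication is not 'no'; a password alone still logs in")
    if cr != "yes":
        findings.append("ChallengeResponseAuthentication is not 'yes'; the PAM prompt is never offered")
    if cfg.get("usepam", "no").lower() != "yes":
        findings.append("UsePAM is not 'yes'; pam_google_authenticator.so is never consulted")
    methods = cfg.get("authenticationmethods")
    if methods is None or methods.lower() == "any":
        findings.append("AuthenticationMethods not set in the global section; one method suffices")
        return findings
    for alternative in methods.split():          # space-separated alternatives
        names = [m.split(":")[0].lower() for m in alternative.split(",")]
        dead = [n for n in names
                if (n == "password" and pw == "no")
                or (n == "keyboard-interactive" and cr != "yes")]
        if dead:
            findings.append(f"alternative '{alternative}' can never succeed: "
                            f"{', '.join(dead)} is disabled elsewhere")
        elif len(names) < 2:
            findings.append(f"alternative '{alternative}' is single-factor")
    return findings


# Constructed sample configs (not the gist's real file).
SAMPLE_BEFORE = """\
PasswordAuthentication yes
ChallengeResponseAuthentication no
UsePAM yes
"""

SAMPLE_AFTER = """\
# PasswordAuthentication yes
PasswordAuthentication no
# ChallengeResponseAuthentication no
ChallengeResponseAuthentication yes
UsePAM yes
AuthenticationMethods publickey,password publickey,keyboard-interactive
"""

# Same edit, but the file ended with a live Match block, so '$ a' landed inside it.
SAMPLE_MISPLACED = """\
PasswordAuthentication no
ChallengeResponseAuthentication yes
UsePAM yes
Match User backup
    ForceCommand /usr/bin/rsync --server
AuthenticationMethods publickey,keyboard-interactive
"""

SAMPLE_HARDENED = """\
PasswordAuthentication no
ChallengeResponseAuthentication yes
UsePAM yes
AuthenticationMethods publickey,keyboard-interactive
"""

if __name__ == "__main__":
    for name, cfg in [("before", SAMPLE_BEFORE), ("after", SAMPLE_AFTER),
                      ("misplaced", SAMPLE_MISPLACED), ("hardened", SAMPLE_HARDENED)]:
        print(name, audit(cfg) or "OK")
```

Run against `SAMPLE_AFTER`, the audit returns exactly one finding, the unsatisfiable `publickey,password` alternative; against `SAMPLE_MISPLACED` it reports `AuthenticationMethods` as unset, because the appended line sits under `Match User backup`. The first-occurrence rule is why a sed `$ a` append is the wrong tool for changing an existing keyword: the original line earlier in the file would keep winning.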