{{Draft}}
{{Note|This draft was later replaced by a redirect to [[HOWTO OpenSSH 2FA with password and Google Authenticator]]}}
{{Note|Currently the packages required to follow this how-to are available only on edge (future AL3.7)}}

== Using Google Authenticator ==

{{cmd|apk add google-authenticator openssh-server-pam}}

Edit /etc/pam.d/base-auth so that the Google Authenticator module is required; the finished file looks like this:

{{cmd|cat /etc/pam.d/base-auth}}
<pre>
# basic PAM configuration for Alpine.
auth required pam_env.so
# pam_unix.so stays commented out: this stack does not check the Unix password,
# the SSH key required by sshd_config is the first factor.
#auth required pam_unix.so nullok_secure
auth required pam_nologin.so successok
# second factor: the one-time code, checked against the user's ~/.google_authenticator
auth required /lib/security/pam_google_authenticator.so
</pre>

{{cmd|cat /etc/ssh/sshd_config}}
<pre>
UsePAM yes
AuthenticationMethods publickey,keyboard-interactive
ChallengeResponseAuthentication yes
PermitRootLogin yes
</pre>

{{Note|This configuration does NOT allow password authentication: a login must present a valid key and a valid one-time code. In "AuthenticationMethods" a comma joins methods that must all succeed and a space separates alternatives, so "publickey,keyboard-interactive,password" demands key, code and password, whereas "publickey,keyboard-interactive password" lets a client log in with the password alone and skip the code. Keep "keyboard-interactive" in every alternative you configure, since it is the method that runs the PAM stack containing pam_google_authenticator; also note that with pam_unix.so commented out in base-auth the Unix password is not checked by PAM at all. On OpenSSH 8.7 and later the directive is called "KbdInteractiveAuthentication"; "ChallengeResponseAuthentication" is still accepted as a deprecated alias. "PermitRootLogin yes" is only here because the example enrols root; prefer enrolling an unprivileged user and restricting root logins.}}

As user root:

{{cmd|google-authenticator}}

<pre>
Do you want authentication tokens to be time-based (y/n) y
https://www.google.com/<pruned>
Your new secret key is: <secret>
Your verification code is <pruned>
Your emergency scratch codes are:
<pruned>
<pruned>
<pruned>
<pruned>
<pruned>

Do you want me to update your "/root/.google_authenticator" file? (y/n) y

Do you want to disallow multiple uses of the same authentication
token? This restricts you to one login about every 30s, but it increases
your chances to notice or even prevent man-in-the-middle attacks (y/n) n

By default, tokens are good for 30 seconds. In order to compensate for
possible time-skew between the client and the server, we allow an extra
token before and after the current time. If you experience problems with
poor time synchronization, you can increase the window from its default
size of +-1min (window size of 3) to about +-4min (window size of
17 acceptable tokens).
Do you want to do so? (y/n) y

If the computer that you are logging into isn't hardened against brute-force
login attempts, you can enable rate-limiting for the authentication module.
By default, this limits attackers to no more than 3 login attempts every 30s.
Do you want to enable rate-limiting (y/n) n
</pre>

{{Note|The answers above are the ones this example run chose, not recommendations. On a host you care about, answer "y" to disallowing token reuse and to rate-limiting, and keep the default window of 3 once the clock is NTP-synchronised: a window of 17 accepts codes from about four minutes either side. The tool writes "/root/.google_authenticator" with mode 0400, and pam_google_authenticator refuses a secret file that is readable by group or others or that is not owned by the user logging in, so leave the permissions alone. Store the emergency scratch codes offline; each one works exactly once.}}

Install the '''Google Authenticator''' app (or any other TOTP client) and enter the <secret> key manually, or scan the QR code behind the https://www.google.com/<pruned> URL printed above. Then check the sshd configuration with sshd -t, restart sshd (rc-service sshd restart) and, before closing the session you edited from, open a second connection to confirm that sshd accepts the key and then asks for a verification code.
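To confirm that a host really ends up in the state described above (PAM stack requiring the module, every AuthenticationMethods alternative forcing the one-time code, secret file with permissions the module accepts), here is an audit script added to this page as an example; it is not part of the wiki page or of the google-authenticator project. It assumes the default paths /etc/ssh/sshd_config, /etc/pam.d/base-auth and ~/.google_authenticator, and the sample files used to exercise it are constructed.

```sh
#!/bin/sh
# Added example (not from the Alpine wiki or the google-authenticator project):
# audit an OpenSSH + pam_google_authenticator setup as described above.
# Assumed paths: /etc/ssh/sshd_config, /etc/pam.d/base-auth, ~/.google_authenticator.

# First uncommented value of an sshd_config keyword (sshd itself uses the first
# occurrence), compared case-insensitively; prints nothing if the keyword is absent.
sshd_value() {  # $1 = sshd_config path, $2 = keyword
    awk -v key="$2" '
        /^[[:space:]]*#/ || NF == 0 { next }
        !found && tolower($1) == tolower(key) {
            v = $2; for (i = 3; i <= NF; i++) v = v " " $i
            print v; found = 1
        }' "$1"
}

# UsePAM must be on and keyboard-interactive must not be disabled, otherwise
# sshd never runs the PAM auth stack that contains pam_google_authenticator.
check_sshd_basics() {  # $1 = sshd_config path
    pam=$(sshd_value "$1" UsePAM)
    [ "$pam" = yes ] || { echo "FAIL: UsePAM must be yes (got '${pam:-unset}')"; return 1; }
    kbd=$(sshd_value "$1" KbdInteractiveAuthentication)   # name used by OpenSSH >= 8.7
    [ -n "$kbd" ] || kbd=$(sshd_value "$1" ChallengeResponseAuthentication)
    [ "${kbd:-yes}" = yes ] || { echo "FAIL: keyboard-interactive authentication is disabled"; return 1; }
    if [ "$(sshd_value "$1" PermitRootLogin)" = yes ]; then
        echo "WARN: PermitRootLogin yes; restrict it unless root really needs SSH"
    fi
    return 0
}

# Every space-separated alternative in AuthenticationMethods must contain
# keyboard-interactive (the method that invokes the PAM stack) plus at least
# one other method; a bare "password" alternative would let a client skip the OTP.
check_auth_methods() {  # $1 = sshd_config path
    methods=$(sshd_value "$1" AuthenticationMethods)
    [ -n "$methods" ] || { echo "FAIL: AuthenticationMethods is not set"; return 1; }
    for alt in $methods; do
        case ",$alt," in
            *,keyboard-interactive,*) ;;
            *) echo "FAIL: alternative '$alt' bypasses the one-time code"; return 1 ;;
        esac
        case "$alt" in
            *,*) ;;
            *) echo "FAIL: alternative '$alt' is a single factor"; return 1 ;;
        esac
    done
    echo "OK: AuthenticationMethods = $methods"
    return 0
}

# The PAM auth stack must contain an uncommented required/requisite line for the module.
check_pam() {  # $1 = PAM service file, e.g. /etc/pam.d/base-auth
    if grep -Eq '^[[:space:]]*auth[[:space:]]+(required|requisite)[[:space:]]+[^[:space:]]*pam_google_authenticator\.so' "$1"; then
        echo "OK: pam_google_authenticator.so is required in $1"
        return 0
    fi
    echo "FAIL: no uncommented 'auth required ... pam_google_authenticator.so' line in $1"
    return 1
}

# pam_google_authenticator rejects a secret file readable by group or others
# (it accepts mode 0400 or 0600 only), so a careless chmod locks the user out.
check_secret_file() {  # $1 = path to the user's .google_authenticator
    [ -f "$1" ] || { echo "FAIL: $1 missing; run google-authenticator as that user"; return 1; }
    mode=$(stat -c '%a' "$1")
    case "$mode" in
        400|600) echo "OK: $1 has mode $mode"; return 0 ;;
        *) echo "FAIL: $1 has mode $mode, the module will refuse it"; return 1 ;;
    esac
}

# Run every check against the assumed default paths on this host.
audit_host() {
    status=0
    check_sshd_basics /etc/ssh/sshd_config || status=1
    check_auth_methods /etc/ssh/sshd_config || status=1
    check_pam /etc/pam.d/base-auth || status=1
    check_secret_file "${HOME:-/root}/.google_authenticator" || status=1
    return $status
}

# Only touch the live host when explicitly asked:  sh audit-2fa.sh --host
if [ "${1:-}" = "--host" ]; then
    audit_host
fi
```

Run it as "sh audit-2fa.sh --host" on the Alpine box after the steps above; the functions can also be sourced and pointed at copies of the files. The AuthenticationMethods check encodes the rule from the sshd_config note: only a method list in which every alternative includes keyboard-interactive actually enforces the second factor, and a list that is just "keyboard-interactive" on its own is one factor, not two.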