[Other] Lock Up Your Raspberry Pi with Google Authenticator

你造我宣 posted on 2016-10-1 06:08:01

   Raspberry Pi boards (or any of the many similar boards) are handy to leave at odd places to talk to the network and collect data, control things, or do whatever other tasks you need a tiny fanless computer to do. Of course, any time you have a computer on a network, you are inviting hackers (and not our kind of hackers) to break in.
    We recently looked at how to tunnel ssh using a reverse proxy via Pagekite so you can connect to a Pi even through firewalls and at dynamic IP addresses. How do you stop a bad guy from trying to log in repeatedly until they have access? This can work on any Linux machine, but for this tutorial I’ll use Raspberry Pi as the example device. In all cases, knowing how to set up adequate ssh security is paramount for anything you drop onto a network.
   Better than Password Security

   Experts tell you to use a good password. However, with ssh, the best method is to disallow passwords completely. To make this work, you need to create a private and public certificate on the machine you want to use to connect. Then you copy the public key over to the Raspberry Pi. Once it is set up, your ssh client will automatically authenticate to the server. That’s great if you always log in using the same machine and you never lose your keys.
   You need to create a personal key pair if you haven’t already. You can use the ssh-keygen command to do that on Linux. You can require a passphrase to unlock the key or, if you are sure only you have access to your machine, you can leave it blank.
   Once you have the key it is easy to send the public key over to the server with the ssh-copy-id command. For example:
   [code]ssh-copy-id [email protected][/code]
   You log in with your password one last time and the command copies your public key to the server. From then on, when you use ssh on that host, you’ll be automatically authenticated. Very handy.
   Once you have keys set up, you can disable using regular passwords by editing /etc/ssh/sshd_config. You need the following settings:
   [code]ChallengeResponseAuthentication no
PasswordAuthentication no
UsePAM no[/code]
   That prevents anyone from breaking in by brute force guessing of passwords. It also makes it harder to set up new users or log in from a new computer.
   Save the Passwords; Use Two Types

   For those reasons, it is not always a good idea to turn off passwords. A better idea is to use two-factor authentication. That requires you to enter a password and also a “one time” verification code. Where do you get that code?
   There are several options, but the one I’ll use is from the Google Authenticator application. You can get the application for Apple devices, Blackberries, and–of course–Android devices. You install it in the usual way for your device. The trick is how to make the ssh server on the Pi use it.
   Luckily the Raspbian repos have a package called libpam-google-authenticator that will do the trick. Installing it with apt-get is only part of the trick, though. You need two things. First, you need to set up your account.
   Set Up a Google Authenticator Account

   To set up your account, you need to log into your Pi and issue the command google-authenticator. The program will ask you a few questions and then generate a URL that will show you a QR code. It will also provide you a numeric code. You can use either of these to set up your phone. The command will also provide you a few one-time scratch codes you need to save in case you lose your authenticator device. You need to do this for any user ID that can log in via ssh (even ones where you normally use a certificate).
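The numeric code that google-authenticator prints is a base32-encoded shared secret, and the six-digit codes the phone shows are TOTP values (RFC 6238) computed from that secret and the current 30-second time step. The following is an added example, not code from the post or from the libpam-google-authenticator project: a minimal TOTP implementation with the defaults google-authenticator uses (HMAC-SHA1, 30-second step, 6 digits), plus a verifier that tolerates one step of clock skew and compares codes in constant time. The secret is the RFC 4226/6238 test secret, constructed for the example; the function names are the example's own.

```python
import base64
import hashlib
import hmac
import struct
import time

# Defaults used by google-authenticator: 30-second step, 6-digit codes, HMAC-SHA1.
STEP_SECONDS = 30
DIGITS = 6

# RFC 4226 / RFC 6238 test secret (the ASCII string "12345678901234567890"),
# written in the base32 form the google-authenticator command prints.
# Constructed for this example; it is not a real account secret.
TEST_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def decode_secret(secret_b32: str) -> bytes:
    """Decode the base32 secret, tolerating spaces, lower case and missing padding."""
    cleaned = secret_b32.replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226: HMAC-SHA1 over the big-endian 8-byte counter, dynamic truncation, mod 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: int, step: int = STEP_SECONDS, digits: int = DIGITS) -> str:
    """RFC 6238: HOTP with the counter set to the number of whole steps since the Unix epoch."""
    return hotp(secret, at // step, digits)


def verify_code(secret_b32: str, submitted: str, at: int, window: int = 1) -> bool:
    """Accept the code for the current step or up to `window` steps either side (clock skew).

    Comparison is constant-time and does not short-circuit, so timing does not
    reveal which step matched. A real PAM module would additionally remember the
    accepted step so the same code cannot be replayed within its validity window.
    """
    secret = decode_secret(secret_b32)
    counter = at // STEP_SECONDS
    ok = False
    for c in range(max(0, counter - window), counter + window + 1):
        ok |= hmac.compare_digest(hotp(secret, c), submitted)
    return ok


if __name__ == "__main__":
    now = int(time.time())
    print("current code for the test secret:", totp(decode_secret(TEST_SECRET_B32), now))
```

Run stand-alone it prints the code the phone app would show right now for the test secret; the skew window is why a code stays valid for roughly a minute rather than exactly 30 seconds.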
   Tell Your Pi to Require Two-Factor Login

   The other part of the puzzle requires you to make changes to /etc/pam.d/sshd and /etc/ssh/sshd_config. The first line of /etc/pam.d/sshd should be:
   [code]auth required pam_google_authenticator.so[/code]
   In /etc/ssh/sshd_config you need to make sure passwords are on:
   [code]ChallengeResponseAuthentication yes
PasswordAuthentication yes
UsePAM yes[/code]
   Just make sure you don’t mess anything up. Losing the ssh server could stop you from being able to access the machine. I haven’t messed one up yet, but the advice I hear is to keep an ssh session open while you restart the ssh server (/etc/init.d/sshd restart) so if something goes wrong, you’ll still have a shell prompt open. You might also consider running:
   [code]/usr/sbin/sshd -t[/code]
   This will verify your configuration before you pull the trigger.
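Editing sshd_config by hand is where most people get bitten: the stock file ships the defaults commented out (so a plain append leaves two lines and sshd honours only the first active one), and any directive placed after a Match block applies only to that block. The following is an added example, not the post's or any project's code: a small Python helper that sets a directive exactly once in the global section, replacing a commented default in place and inserting before the first Match block when the directive is absent. It carries both directive sets from the post (key-only and two-factor) and works the same way for PermitRootLogin or Port. The sample config and the update_file helper are constructed for the example.

```python
import re
import shutil

# The two directive sets from the post: key-only logins (no passwords at all),
# and password plus one-time code through PAM.
KEY_ONLY = {
    "ChallengeResponseAuthentication": "no",
    "PasswordAuthentication": "no",
    "UsePAM": "no",
}
TWO_FACTOR = {
    "ChallengeResponseAuthentication": "yes",
    "PasswordAuthentication": "yes",
    "UsePAM": "yes",
}

# Constructed sample config for the demonstration; not a real sshd_config.
SAMPLE_CONFIG = """# constructed sample sshd_config
Port 22
#PasswordAuthentication yes
ChallengeResponseAuthentication no
UsePAM yes

Match User backup
    PasswordAuthentication no
"""


def split_global(text: str):
    """Return (global section, everything from the first Match block on).

    sshd applies a directive placed after a Match line only to that block, so a
    new global directive has to go before the first Match, not at the end of the file.
    """
    m = re.search(r"^[ \t]*Match\b", text, re.IGNORECASE | re.MULTILINE)
    if m is None:
        return text, ""
    return text[:m.start()], text[m.start():]


def get_directive(text: str, key: str):
    """Value of the first active global occurrence of key (the one sshd honours), or None."""
    global_part, _ = split_global(text)
    for line in global_part.split("\n"):
        m = re.match(r"^[ \t]*" + re.escape(key) + r"[ \t]+(\S+)", line, re.IGNORECASE)
        if m:
            return m.group(1)
    return None


def set_directive(text: str, key: str, value: str) -> str:
    """Return text with key set to value exactly once in the global section.

    A commented default such as '#PasswordAuthentication yes' is replaced in
    place, later duplicates are dropped, and Match blocks are left untouched.
    """
    global_part, match_part = split_global(text)
    hit = re.compile(r"^[ \t]*#?[ \t]*" + re.escape(key) + r"\b", re.IGNORECASE)
    out, done = [], False
    for line in global_part.split("\n"):
        if hit.match(line):
            if not done:
                out.append(f"{key} {value}")
                done = True
            continue  # drop duplicates; sshd would ignore them anyway
        out.append(line)
    if not done:
        while out and out[-1] == "":
            out.pop()
        out.extend([f"{key} {value}", ""])
    global_part = "\n".join(out)
    if match_part and not global_part.endswith("\n"):
        global_part += "\n"
    return global_part + match_part


def apply_directives(text: str, directives: dict) -> str:
    for key, value in directives.items():
        text = set_directive(text, key, value)
    return text


def update_file(path: str, directives: dict) -> None:
    """Rewrite an sshd_config on disk, keeping a .bak copy (hypothetical helper).

    Run 'sshd -t' afterwards and keep an existing session open across the restart.
    """
    shutil.copy2(path, path + ".bak")
    with open(path) as fh:
        text = fh.read()
    with open(path, "w") as fh:
        fh.write(apply_directives(text, directives))


if __name__ == "__main__":
    print(apply_directives(SAMPLE_CONFIG, TWO_FACTOR))
```

Applied to the sample, the commented `#PasswordAuthentication yes` becomes an active `PasswordAuthentication yes`, while the `Match User backup` block keeps its own `PasswordAuthentication no`; running the same directives twice is a no-op, which is what you want from anything that touches the file that keeps you logged in.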
   By the way, if you already use certificates to log in, this won’t change anything for you. The certificate authentication takes priority over passwords. That does make it tricky to test your setup. You can force ssh not to use your certificate like this:
   [code]ssh -o PreferredAuthentications=password -o PubkeyAuthentication=no [email protected][/code]
   Even for accounts where you use certificates, adding the two-factor login will prevent brute force attacks on your password, so be sure to set it up for all accounts you can use over ssh.
   Other Protections

   There are several other things you can do to help secure your ssh connection:
  • Disallow root logins (edit the PermitRootLogin line in /etc/ssh/sshd_config; you can use sudo from a normal account if you want to become root)
  • Use a non-standard ssh port (edit the Port line in sshd_config)
  • Consider installing fail2ban, which will block IP addresses that exhibit suspicious behavior
  • Disallow any users that don’t need ssh access (use AllowUsers or DenyUsers in the sshd_config file)
  • Set PermitEmptyPasswords in sshd_config to ‘no’
   Not everyone will agree with disallowing root logins. However, empirically, a lot of attacks will try logging in as root since virtually every Linux system has that account. It is harder for a random attacker to know that my user ID is WetSnoopy.
   There are many other techniques ranging from port knocking to locking users to their home directories. You can rate limit connection attempts on the ssh port. Only you can decide how much security is enough. After all, you lock up your cash box better than you lock up your supply closet. However, convenient and free two-factor authentication can add a high level of security to your Raspberry Pi or other Linux-based projects. If you are really concerned, by the way, you can also force two-factor for accessing sudo, as well.

ehuntZ posted on 2016-10-1 08:06:28
I've gotten used to giving myself the first flower.
atlantis2007 posted on 2016-10-2 00:38:26
You scold me now because you don't know me yet; once you get to know me, you'll definitely hit me.