Two-factor authentication (2FA) is not something that can only be used on social media or on websites. This security measure can also be implemented within an operating system.
That is why today we will see how to implement two-factor authentication for SSH on Ubuntu and its derivatives using the well-known Google Authenticator, which will considerably increase the security of your OpenSSH server.
Normally, you only need to enter a password or use an SSH key to log in to your system remotely.
Two-factor authentication (2FA) requires two pieces of information to be entered in order to log in.
Therefore, you will also need to enter a one-time password to log in to your SSH server.
The one-time password is computed using the TOTP algorithm, which is an IETF standard.
Installing and configuring Google Authenticator on Ubuntu and derivatives
The first step is to install Google Authenticator on our system, so we will open a terminal (this can be done with the key combination "Ctrl + Alt + T") and type the following command in it:
sudo apt install libpam-google-authenticator
Once the installation is done, we will run the newly installed application with the following command:
google-authenticator
When you run this command, it generates a secret key and asks whether we want to use time-based tokens, to which we answer yes.
After this, you will see a QR code that you can scan using a TOTP app on your phone.
Here we recommend using the Google Authenticator app on your mobile phone; you can install the app from Google Play or the Apple App Store.
Once you have the app on your phone, you must scan the QR code with it. Keep in mind that you need to enlarge the terminal window in order to scan the whole QR code.
The QR code represents the secret key, which is known only to your SSH server and your Google Authenticator app.
Once the QR code has been scanned, you will see a unique six-digit token on your phone. By default this token lasts 30 seconds, and it must be entered in order to log in to Ubuntu via SSH.
In the terminal you will also see the secret key, as well as the verification code and the emergency scratch codes.
We recommend that you keep this information in a safe place so that you can use it later. For the remaining questions we will answer yes by typing the letter y.
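How the six-digit, 30-second token described above is derived from the shared secret, as an added example that is not part of the original article or of Google Authenticator's own code. It implements the standard TOTP computation (RFC 6238 with HMAC-SHA1); the names totp, verify and RFC_KEY, the constructed sample key and the one-step acceptance window are assumptions made for illustration.

```python
import base64
import hashlib
import hmac
import struct

STEP = 30    # seconds each token is valid for (the default described above)
DIGITS = 6   # token length shown by the app

def totp(secret_b32: str, unix_time: float) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for a base32 secret at the given Unix time."""
    # Apps show the key as unpadded base32, sometimes spaced; normalise it first.
    cleaned = secret_b32.replace(" ", "").upper()
    key = base64.b32decode(cleaned + "=" * (-len(cleaned) % 8))
    # Both sides derive the same counter from their own clock: whole steps since epoch.
    counter = struct.pack(">Q", int(unix_time) // STEP)
    digest = hmac.new(key, counter, hashlib.sha1).digest()
    # Dynamic truncation (RFC 4226): low nibble of the last byte picks 4 bytes.
    offset = digest[-1] & 0x0F
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)

def verify(secret_b32: str, submitted: str, unix_time: float, window: int = 1) -> bool:
    """Accept the current step or `window` steps either side, to absorb clock skew."""
    ok = False
    for drift in range(-window, window + 1):
        expected = totp(secret_b32, unix_time + drift * STEP)
        # Constant-time compare, and no early exit, so timing leaks nothing.
        ok |= hmac.compare_digest(expected.encode(), submitted.encode())
    return ok

# Constructed sample key: the RFC 6238 test secret, base32-encoded.
RFC_KEY = base64.b32encode(b"12345678901234567890").decode()

if __name__ == "__main__":
    import time
    now = time.time()
    code = totp(RFC_KEY, now)
    print("code now:", code, "| accepted:", verify(RFC_KEY, code, now))
    print("same code 5 minutes later accepted:", verify(RFC_KEY, code, now + 300))
```

Because both sides compute the code from their own clock, a server or phone whose time is off by more than the accepted window will reject otherwise valid codes.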
Configuring SSH to use Google Authenticator
With the above in place, we will now make the configuration needed to use SSH connections to our system with Google Authenticator.
In the terminal we will type the following command:
sudo nano /etc/ssh/sshd_config
Inside the file we will look for the following lines and change them to "yes", as follows:
UsePAM yes
ChallengeResponseAuthentication yes
Once the changes are made, save them with Ctrl + O and close the file with Ctrl + X.
In the same terminal we will restart SSH with:
sudo systemctl restart ssh
By default, authentication requires the user's password to be entered in order to log in.
So let's edit the PAM rules file for the SSH daemon:
sudo nano /etc/pam.d/sshd
At the beginning of this file, you can see the following line, which enables password authentication:
ChallengeResponseAuthentication
Which we must set to yes.
To enable one-time password authentication as well, add the following two lines:
@include common-auth
# One-time password authentication via Google Authenticator
auth required pam_google_authenticator.so
Save and close the file.
From now on, every time you log in to your system over an SSH connection, you will be asked to enter the password and a verification code (the one-time password generated by Google Authenticator).
Hello, a fairly simple tutorial; however, once I did all the steps I can no longer log in via ssh, it throws a password error at me, and I never even get asked for the 2FA.
I have Ubuntu Server 20.04