Summary: this Fengge (风哥) tutorial draws on the official documentation for Linux, Red Hat Enterprise Linux, Ansible Automation Platform, Docker, Kubernetes and Podman (for study and discussion, join the group via Fengge's WeChat: itpux-com) and describes in detail how the related technologies are configured and used.
Fengge's note:
This document describes in detail how to configure multi-factor authentication (MFA).
Part01-MFA Basics
1.1 Types of authentication factors
1. Knowledge factors (something you know)
– Password
– PIN
– Security questions
2. Possession factors (something you have)
– Phone
– Hardware token
– Smart card
3. Inherence factors (something you are)
– Fingerprint
– Facial recognition
– Iris scan
4. Location factors
– GPS position
– IP address
– Network location
5. Time factors
– Login time
– Access window
– Time-zone check
# MFA combination examples
– Password + SMS verification code
– Password + TOTP token
– Password + hardware key
– Password + fingerprint
– Password + email verification code
Part02-TOTP Configuration
2.1 Configure TOTP authentication
$ sudo dnf install -y google-authenticator
# Configure TOTP for the current user (run as that user, not via sudo)
$ google-authenticator
Do you want authentication tokens to be time-based? (y/n) y
[QR CODE DISPLAYED]
Your new secret key is: ABCDEFGHIJKLMNOP
Your verification code is: 123456
Your emergency scratch codes are:
12345678
23456789
34567890
45678901
56789012
Do you want me to update your "~/.google_authenticator" file? (y/n) y
Do you want to disallow multiple uses of the same authentication token? (y/n) y
By default, a new token is generated every 30 seconds by the mobile app. (y/n) y
By default, tokens are good for 30 seconds. (y/n) y
Do you want to enable rate-limiting? (y/n) y
# Configure SSH to use TOTP
# Note: tee (without -a) replaces the whole file; keep the account, password and
# session lines of the original /etc/pam.d/sshd, or sshd sessions will fail to open.
$ sudo tee /etc/pam.d/sshd << 'EOF'
auth required pam_google_authenticator.so
auth substack password-auth
auth include postlogin
EOF
# Configure sshd: require the public key AND the TOTP code (keyboard-interactive via PAM)
$ sudo tee /etc/ssh/sshd_config.d/mfa.conf << 'EOF'
AuthenticationMethods publickey,keyboard-interactive
# OpenSSH 8.7+ (RHEL 9) names this option KbdInteractiveAuthentication;
# ChallengeResponseAuthentication is still accepted as an alias.
ChallengeResponseAuthentication yes
UsePAM yes
EOF
$ sudo systemctl restart sshd
# Configure several users in batch without prompts:
# -t time-based, -d disallow token reuse, -f write the file without asking,
# -r 3 -R 30 allow at most 3 logins per 30 s, -w 3 accept the previous/current/next code
$ for user in user1 user2 user3; do
    sudo -u "$user" google-authenticator -t -d -f -r 3 -R 30 -w 3
done
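What the `-w 3` and `-d` flags above actually enforce, as an added Python example that is not code from this page or from the google-authenticator project: a minimal RFC 6238 TOTP generator plus a verifier that accepts one 30-second step of clock skew either side and refuses a token that has already been used. The secret `ABCDEFGHIJKLMNOP` from the transcript is only sample input; the RFC 6238 test-vector secret is included so the implementation can be checked. Rate limiting (`-r`/`-R`) is not modelled.

```python
import base64
import hashlib
import hmac
import struct

STEP = 30    # seconds per time slot (google-authenticator default)
WINDOW = 3   # -w 3: previous, current and next slot are accepted


def decode_secret(secret_b32: str) -> bytes:
    """Decode the base32 secret google-authenticator prints; padding is optional."""
    s = secret_b32.strip().replace(" ", "").upper()
    return base64.b32decode(s + "=" * (-len(s) % 8))


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret_b32: str, now: int, digits: int = 6, step: int = STEP) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step)."""
    return hotp(decode_secret(secret_b32), now // step, digits)


class TotpVerifier:
    """Server-side check modelling -w (skew window) and -d (disallow token reuse)."""

    def __init__(self, secret_b32: str, window: int = WINDOW, step: int = STEP, digits: int = 6):
        self.key = decode_secret(secret_b32)
        self.half = window // 2      # a window of 3 slots means one step either side
        self.step, self.digits = step, digits
        self.used_slots = set()      # the PAM module persists this in ~/.google_authenticator

    def verify(self, code: str, now: int) -> bool:
        slot = now // self.step
        for candidate in range(slot - self.half, slot + self.half + 1):
            if candidate in self.used_slots:
                continue             # -d: the same token is never accepted twice
            if hmac.compare_digest(hotp(self.key, candidate, self.digits), code):
                self.used_slots.add(candidate)
                return True
        return False


# RFC 6238 test-vector secret (ASCII "12345678901234567890"), base32-encoded the
# way google-authenticator prints secrets; constructed here for self-checking.
RFC6238_SECRET_B32 = base64.b32encode(b"12345678901234567890").decode()
```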
Part03-Hardware Keys
3.1 Configure U2F/FIDO2
$ sudo dnf install -y pam-u2f
# Prepare the per-user U2F configuration directory
$ mkdir -p ~/.config/Yubico
# Register the U2F device (writes the key handle and public key for this user)
$ pamu2fcfg > ~/.config/Yubico/u2f_keys
Please insert your U2F device, then press ENTER.
Please touch the device.
# Configure PAM to use U2F
$ sudo tee /etc/pam.d/u2f-auth << 'EOF'
auth required pam_u2f.so
EOF
# Configure SSH to use U2F
# Note: this replaces the TOTP stack written in Part02 and, as before, the
# account/password/session lines of the original file must be kept.
$ sudo tee /etc/pam.d/sshd << 'EOF'
auth requisite pam_u2f.so authfile=/etc/u2f_mappings cue
auth substack password-auth
auth include postlogin
EOF
# Create the global U2F mapping file
# Format: <user>:<key handle>,<public key>,<COSE type>,<options>; the values below are
# placeholders, each real line is the output of pamu2fcfg -u <user> with that user's key.
$ sudo tee /etc/u2f_mappings << 'EOF'
user1:AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA,AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA,es256,+presence
user2:BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB,BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB,es256,+presence
EOF
# Configure sudo to use U2F
$ sudo tee /etc/pam.d/sudo << 'EOF'
auth requisite pam_u2f.so authfile=/etc/u2f_mappings cue
auth include system-auth
account include system-auth
password include system-auth
session include system-auth
EOF
Part04-FreeIPA MFA
4.1 Configure FreeIPA MFA
# Allow password + TOTP globally
$ ipa config-mod --user-auth-type=password,totp
# Enable TOTP for the user
$ ipa user-mod user1 --user-auth-type=password,totp
# Add an OTP token
$ ipa otptoken-add --type=totp --owner=user1
Added OTP token "12345678-1234-1234-1234-123456789012"
Unique ID: 12345678-1234-1234-1234-123456789012
Type: TOTP
Owner: user1
Secret key: ABCDEFGHIJKLMNOP
# Configure SSSD for MFA
# Note: this overwrites the sssd.conf generated by ipa-client-install; sssd refuses to
# start unless the file is owned by root with mode 0600.
$ sudo tee /etc/sssd/sssd.conf << 'EOF'
[sssd]
config_file_version = 2
services = nss, pam
domains = fgedu.net.cn
[domain/fgedu.net.cn]
id_provider = ipa
auth_provider = ipa
ipa_domain = fgedu.net.cn
ipa_server = ipa.fgedu.net.cn
# MFA settings
ldap_user_principal = krbPrincipalName
ldap_user_extra_attrs = ipatokenRadiusConfigLink:ipatokenRadiusConfigLink
EOF
$ sudo chmod 600 /etc/sssd/sssd.conf
$ sudo systemctl restart sssd
# Configure PAM for MFA
# Caution: on RHEL 8/9 this file is generated by authselect and manual edits are
# overwritten; the stack below has no pam_unix.so, so accounts not served by SSSD
# cannot authenticate through it.
$ sudo tee /etc/pam.d/system-auth << 'EOF'
auth required pam_env.so
auth requisite pam_succeed_if.so uid >= 1000 quiet_success
auth sufficient pam_sss.so forward_pass
auth requisite pam_sss.so use_first_pass
auth required pam_deny.so
EOF
# Test the MFA login (the password and the TOTP code are prompted for separately)
$ ssh user1@localhost
Password:
Verification code:
1. Use at least two authentication factors
2. Provide a fallback authentication method
3. Configure emergency recovery codes
4. Monitor the authentication logs
5. Review the MFA policy regularly
This article was compiled and published by Fengge (风哥) tutorials for study and testing only; when reposting, credit the source: http://www.fgedu.net.cn/10327.html
