Configuring two-step authentication for root

Today I will show how to set up two-step authentication for the root user on your server using a time-based one-time password, generated either by an app on your phone or simply by the console. The idea is that when you switch to the superuser on your server, the temporary (one-time) password is requested first and only then the root password. This helps you protect your server from unauthorized access more effectively.

Let's start by installing the OATH Toolkit, which is already in the Debian repository.

apt-get install oathtool libpam-oath

Next we need to generate a random string (the secret) from which the random time-based one-time codes will be derived. This string must therefore be kept secret.

head -c 4096 /dev/urandom | md5sum | awk '{print $1}'
6819c89679c56508fec770362e312c4e

In this example the secret is 6819c89679c56508fec770362e312c4e.

Now we need to create the file /etc/users.oath, which describes the algorithm, the user and the user's secret.

echo "HOTP/T30 root - 6819c89679c56508fec770362e312c4e" > /etc/users.oath

chown root:root /etc/users.oath

chmod 600 /etc/users.oath

Next, edit the file /etc/pam.d/su.
After the line

auth sufficient pam_rootok.so

you need to add the line

auth requisite pam_oath.so usersfile=/etc/users.oath window=10 digits=6

Where
usersfile is the path to the file describing the users and their secrets,
window is the size of the "window". Because a time-based one-time code is generated relative to time, the window is the allowed divergence between the server's clock and the clock of the client/app. One "window" is 30 seconds, so we have set a maximum divergence of 5 minutes.
digits is the required number of digits in the time-based one-time code.

Now let's try to obtain a one-time password from our secret:

oathtool --verbose --totp 6819c89679c56508fec770362e312c4e

We get something like the following:

Hex secret: 6819c89679c56508fec770362e312c4e
Base32 secret: NAM4RFTZYVSQR7WHOA3C4MJMJY======
Digits: 6
Window size: 0
Step size (seconds): 30
Start time: 1970-01-01 00:00:00 UTC (0)
Current time: 2014-04-15 05:36:28 UTC (1397540188)
Counter: 0x2C6D360 (46584672)

385762

385762 is our one-time password, and the Base32 secret string is what we will use when setting up the app on the phone (only we enter this code without the "=" signs, i.e. as NAM4RFTZYVSQR7WHOA3C4MJMJY).
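As an added example (not code from the original post), here is the TOTP computation that oathtool and pam_oath perform, run against the page's own secret and timestamp: the base32 form for the phone app, the time counter, the 6-digit code, and a drift-tolerant check modelled on pam_oath's window= option (that the window is applied in both directions, giving about 5 minutes for window=10, is an assumption of this example).

```python
import base64
import hashlib
import hmac
import struct

# Inputs taken from the page's oathtool run (used here as sample input).
HEX_SECRET = "6819c89679c56508fec770362e312c4e"
PAGE_TIME = 1397540188   # "Current time" printed by oathtool
STEP = 30                # HOTP/T30 in /etc/users.oath means a 30-second step


def base32_secret(hex_secret: str) -> str:
    """The raw key bytes in base32, with '=' padding dropped, as entered into the phone app."""
    return base64.b32encode(bytes.fromhex(hex_secret)).decode().rstrip("=")


def totp_counter(unix_time: int, step: int = STEP) -> int:
    """RFC 6238 counter: number of whole steps since the Unix epoch (oathtool's 'Counter')."""
    return unix_time // step


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


def totp(hex_secret: str, unix_time: int, step: int = STEP, digits: int = 6) -> str:
    """TOTP is HOTP with the time counter; this is what 'oathtool --totp' prints."""
    return hotp(bytes.fromhex(hex_secret), totp_counter(unix_time, step), digits)


def verify(hex_secret: str, code: str, server_time: int,
           window: int = 10, step: int = STEP) -> bool:
    """Accept `code` if it matches any step within +/-window of the server's clock.

    Assumption: this mirrors the intent of pam_oath's window=10, i.e. roughly 5 minutes
    of clock drift either way. Constant-time comparison avoids leaking which step matched.
    """
    key = bytes.fromhex(hex_secret)
    base = totp_counter(server_time, step)
    return any(hmac.compare_digest(hotp(key, base + d), code)
               for d in range(-window, window + 1))


if __name__ == "__main__":
    print(base32_secret(HEX_SECRET), totp_counter(PAGE_TIME), totp(HEX_SECRET, PAGE_TIME))
```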

Google has an excellent program for generating time-based (one-time) codes: Google Authenticator.
The official page describes in detail how to install this application on phones running Android, iOS, BlackBerry and so on, so I will not dwell on that step.

And finally, let's test!

Connect to the server over a second connection (just in case, don't close your root session!) and try to run su.
The system should first ask us for the one-time password.

$ su
One-time password (OATH) for `root':

Generate the one-time password either in the console with the oathtool command or in the app on your phone, and enter it.
If you did everything correctly, after you enter the one-time password the system will prompt you for the root password.
