Configure SSH to use two-factor authentication

SSH, the secure shell, is often used to access remote Linux systems, so adding another layer of security is recommended. This is where two-factor authentication (2FA) comes in.

Installing the required packages:

apt install libpam-google-authenticator
google-authenticator

Write down the “scratch codes” in a safe place (you may need them later).

Answer the questions asked by the “google-authenticator” command:

Do you want me to update your “/root/.google_authenticator” file (y/n) y

Do you want to disallow multiple uses of the same authentication
token? This restricts you to one login about every 30s, but it increases
your chances to notice or even prevent man-in-the-middle attacks (y/n) y

By default, tokens are good for 30 seconds and in order to compensate for
possible time-skew between the client and the server, we allow an extra
token before and after the current time. If you experience problems with poor
time synchronization, you can increase the window from its default
size of 1:30min to about 4min. Do you want to do so (y/n) n

If the computer that you are logging into isn’t hardened against brute-force
login attempts, you can enable rate-limiting for the authentication module.
By default, this limits attackers to no more than 3 login attempts every 30s.
Do you want to enable rate-limiting (y/n) y

Edit the file:

vim /etc/pam.d/sshd

Add at the end of the file:

# Google
auth required pam_google_authenticator.so

Edit the file:

vim /etc/ssh/sshd_config

Change the setting:

ChallengeResponseAuthentication no

To:

ChallengeResponseAuthentication yes

Restart SSH:

service sshd restart

Scan the QR code with the Google Authenticator app on your phone.

Testing:
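
A check of the two files edited above, added here as an example and not part of the original guide: it confirms that the PAM line, ChallengeResponseAuthentication and UsePAM are in place, and warns when the password stack is disabled or nullok is set. The function names and the UsePAM check are this example's own assumptions; pass copies of the files as arguments to try it without touching the live ones.

```shell
#!/bin/sh
# Added example (not from the original guide): audit the two files it edits.
# Assumption: Include directives and Match blocks in sshd_config are not followed.

# First active value of a keyword; sshd keeps the first value it reads.
sshd_value() {  # $1 = lowercase keyword regex, $2 = sshd_config path
    awk -v k="^($1)\$" 'tolower($1) ~ k { print tolower($2); exit }' "$2"
}

# Active (uncommented) auth line in a PAM file that loads the module.
totp_line() {  # $1 = PAM file path
    grep -E '^[[:space:]]*auth[[:space:]].*pam_google_authenticator\.so' "$1"
}

# Password stack still active, i.e. "@include common-auth" is not commented out.
password_stack_active() {  # $1 = PAM file path
    grep -Eq '^[[:space:]]*@include[[:space:]]+common-auth' "$1"
}

# Print findings; the return status is the number of FAIL lines (0 = wired up).
audit_2fa() {  # $1 = PAM file, $2 = sshd_config
    pam=${1:-/etc/pam.d/sshd}; cfg=${2:-/etc/ssh/sshd_config}; fails=0
    if totp_line "$pam" >/dev/null; then
        echo "OK   $pam loads pam_google_authenticator.so"
        totp_line "$pam" | grep -qw nullok &&
            echo "WARN nullok: users without ~/.google_authenticator skip the code"
    else
        echo "FAIL $pam has no active pam_google_authenticator.so auth line"
        fails=$((fails + 1))
    fi
    password_stack_active "$pam" ||
        echo "WARN common-auth is disabled: the verification code is the only factor"
    # Newer OpenSSH names this keyword KbdInteractiveAuthentication.
    kbd=$(sshd_value 'challengeresponseauthentication|kbdinteractiveauthentication' "$cfg")
    if [ "$kbd" = yes ]; then echo "OK   keyboard-interactive prompts enabled"
    else echo "FAIL ChallengeResponseAuthentication is '${kbd:-unset}', expected yes"
         fails=$((fails + 1)); fi
    # Without UsePAM yes, sshd never runs the PAM stack at all.
    if [ "$(sshd_value usepam "$cfg")" = yes ]; then echo "OK   UsePAM yes"
    else echo "FAIL UsePAM is not yes"; fails=$((fails + 1)); fi
    return "$fails"
}
```

Run `audit_2fa` as root with no arguments to check the live files, and keep an existing SSH session open until a fresh login succeeds.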

Tips:

Only the “verification code”, without password verification:

sed -i 's/@include common-auth/#@include common-auth/g' /etc/pam.d/sshd

Ask for the “verification code” when switching from “user” to “root”:

echo "auth required pam_google_authenticator.so nullok" | sudo tee -a /etc/pam.d/common-auth

Graphical environment:

echo "auth required pam_google_authenticator.so nullok" | sudo tee -a /etc/pam.d/common-session