PREREQUISITE: INSTALL liboath0 libpam-oath oathtool
1) $ export HEX_SECRET=$(head -15 /dev/urandom | sha1sum | cut -b 1-30)
2) $ oathtool --verbose --totp $HEX_SECRET --digits=8
Result:
Hex secret: b5abe8im355c1127sd385a6dd0597x
Base32 secret: YWV2RLGFVQUSPLMZTJW5QQQ8
Digits: 8
Window size: 0
Step size (seconds): 30
Start time: 1970-01-01 00:00:00 UTC (0)
Current time: 2020-07-26 15:03:57 UTC (1595775837)
Counter: 0x32BA74F (53192527)
95354783
3) create and lock down “users.oath” (readable by root only):
touch /etc/users.oath
chmod 0600 /etc/users.oath
4) add the following lines to “users.oath” (the seed is the Hex secret from step 2):
vi /etc/users.oath
# Option      User  Prefix  Seed
HOTP/T30/6    vage  -       b5abe8im355c1127sd385a6dd0597x
5) Remove the “HEX_SECRET” variable from the shell environment:
unset HEX_SECRET
6) Configure the access rules:
vi /etc/security/login_token.conf
# Do not require two-factor from here:
+ : dennis : 1.1.1.0/24
# lolnope don't need two-factor at all
+ : lolnope : ALL
# Demand two-factor from everywhere and everyone else
- : ALL : ALL
7) edit /etc/pam.d/sshd (for the public-key variant go to the next chapter, “WITHOUT PROMPTING FOR THE PASSWORD, USING OATH + PUBLICKEY”):
# Exceptions from two-factor auth
auth [success=done default=ignore] pam_access.so accessfile=/etc/security/login_token.conf
# Two-factor auth
auth required pam_oath.so usersfile=/etc/users.oath
8) edit /etc/ssh/sshd_config and enable “ChallengeResponseAuthentication”:
ChallengeResponseAuthentication yes
9) restart sshd
Ref:
https://wiki.archlinux.org/index.php/Pam_oath
https://dnns.no/two-factor-ssh-using-oathtool-on-ubuntu-18.04.html
https://spod.cx/blog/two-factor-ssh-auth-with-pam_oath-google-authenticator.shtml
https://semjonov.de/post/2016-03/openssh-oath-totp/
WITHOUT PROMPTING FOR THE PASSWORD, USING OATH + PUBLICKEY
7) edit /etc/pam.d/sshd, comment out “@include common-auth” and add the other entries as follows:
# @include common-auth
# Exceptions from two-factor auth
auth [success=done default=ignore] pam_access.so accessfile=/etc/security/login_token.conf
# Two-factor auth
auth requisite pam_oath.so usersfile=/etc/users.oath
# Exceptions from two-factor and publickey auth
auth required pam_sepermit.so
# Disallow non-root logins when /etc/nologin exists.
account required pam_nologin.so
8) edit /etc/ssh/sshd_config:
UsePAM yes
AuthenticationMethods publickey,keyboard-interactive
# NOTE: commenting out “keyboard-interactive” disables OATH login
PasswordAuthentication no
ChallengeResponseAuthentication yes
9) Restart sshd
Ref:
https://www.digitalocean.com/community/tutorials/how-to-set-up-multi-factor-authentication-for-ssh-on-ubuntu-16-04
https://www.insecure.ws/linux/openssh_oath.html#configuring-openssh-with-oath-and-public-keys-2-factor-authentication
https://www.insecure.ws/linux/openssh_oath.html
http://delyan.me/securing-ssh-with-totp/
https://serverfault.com/questions/594135/different-requiredauthentications2-for-sshd-and-sftp-subsystem
USING andOTP
Manually: go to “add details”, in the “Label” field enter a name of your choosing for the key, and in “secret key” enter the “Base32 secret” printed by oathtool in step 2.
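To check, before touching sshd, that the entry in users.oath (step 4) and the Base32 secret entered into andOTP (above) describe the same token, here is an added example that is not part of the original guide: it parses a users.oath line, derives the Base32 form of the seed, and computes the RFC 6238 TOTP that pam_oath will expect. The user name and the seed are constructed (the seed is the RFC 6238 test vector, hex of "12345678901234567890"); it also shows that generating with --digits=8 while users.oath says /6 yields a code the server will reject.

```python
import base64
import hashlib
import hmac
import struct
import time

# Constructed users.oath entry in the tutorial's "Option User Prefix Seed" layout.
# The seed is the RFC 6238 test seed, not a real secret.
SAMPLE_USERS_OATH_LINE = "HOTP/T30/6 vage - 3132333435363738393031323334353637383930"


def parse_users_oath_line(line):
    """Return (user, step_seconds, digits, seed_bytes) for one users.oath entry."""
    option, user, _prefix, seed_hex = line.split()
    parts = option.split("/")          # "HOTP/T30/6" -> ["HOTP", "T30", "6"]
    if len(parts) == 1:
        raise ValueError("event-based HOTP entries are not handled here")
    step = int(parts[1][1:])           # "T30" -> 30-second step
    digits = int(parts[2]) if len(parts) > 2 else 6
    return user, step, digits, bytes.fromhex(seed_hex)


def hex_seed_to_base32(seed_bytes):
    """Base32 form of the seed: what oathtool prints and what andOTP expects."""
    return base64.b32encode(seed_bytes).decode().rstrip("=")


def totp(seed_bytes, unix_time, step=30, digits=6):
    """RFC 6238 TOTP with HMAC-SHA1, the algorithm behind oathtool --totp."""
    counter = int(unix_time) // step
    mac = hmac.new(seed_bytes, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def server_expects(line, unix_time):
    """Code pam_oath would accept for this entry at this instant (window 0)."""
    _user, step, digits, seed = parse_users_oath_line(line)
    return totp(seed, unix_time, step, digits)


if __name__ == "__main__":
    user, step, digits, seed = parse_users_oath_line(SAMPLE_USERS_OATH_LINE)
    now = time.time()
    print("user:", user, "step:", step, "digits:", digits)
    print("Base32 secret to enter in andOTP:", hex_seed_to_base32(seed))
    print("code the server expects now:", server_expects(SAMPLE_USERS_OATH_LINE, now))
    # Mismatch case: 8-digit code from oathtool --digits=8 vs a /6 entry
    print("8-digit code now (rejected by a /6 entry):", totp(seed, now, step, 8))
```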