Show pageOld revisionsBacklinksAdd to bookExport to PDFBack to top This page is read only. You can view the source, but not change it. Ask your administrator if you think this is wrong. ====== oath ====== PREREQUISITO: INSTALLARE liboath0 libpam-oath oathtool 1) $ export HEX_SECRET=$(head -15 /dev/urandom | sha1sum | cut -b 1-30) 2) $ oathtool --verbose --totp $HEX_SECRET --digits=8 Risultato -> Hex secret: b5abe8im355c1127sd385a6dd0597x Base32 secret: YWV2RLGFVQUSPLMZTJW5QQQ8 Digits: 8 Window size: 0 Step size (seconds): 30 Start time: 1970-01-01 00:00:00 UTC (0) Current time: 2020-07-26 15:03:57 UTC (1595775837) Counter: 0x32BA74F (53192527) 95354783 3) creare e securizzare "users.oath": touch /etc/users.oath chmod 0600 /etc/users.oath 4) aggiungere le seguenti righe (il codice รจ l'Hex secret) al "users.oath": vi /etc/users.oath # Option User Prefix Seed HOTP/T30/6 vage - b5abe8im355c1127sd385a6dd0597x 5) Rimuovere la variabile "HEX_SECRET": unset HEX_SECRET 6) Configurare le regole per gli accessi: vi /etc/security/login_token.conf # Do not require two-factor from here: + : dennis : 1.1.1.0/24 # lolnope don't need two-factor at all + : lolnope : ALL # Demand two-factor from everywhere and everyone else - : ALL : ALL 7) editare /etc/pam.d/sshd (per la versione con publickey andare al capitolo successivo "SENZA CHIEDERE LA PASSWORD, USANDO OAUTH + PUBLICKEY ") # Exceptions from two-factor auth [success=done default=ignore] pam_access.so accessfile=/etc/security/login_token.conf # Two-factor auth required pam_oath.so usersfile=/etc/users.oath 8) editare /etc/ssh/sshd_config e abilitare "ChallengeResponseAuthentication" ChallengeResponseAuthentication yes 9) riavviare sshd Rif: https://wiki.archlinux.org/index.php/Pam_oath https://dnns.no/two-factor-ssh-using-oathtool-on-ubuntu-18.04.html https://spod.cx/blog/two-factor-ssh-auth-with-pam_oath-google-authenticator.shtml https://semjonov.de/post/2016-03/openssh-oath-totp/ SENZA CHIEDERE LA PASSWORD, USANDO OAUTH + PUBLICKEY 7) editare /etc/pam.d/sshd, commentare "@include common-auth" e aggiungere gli altri parametri come di seguito: # @include common-auth # Exceptions from two-factor auth [success=done default=ignore] pam_access.so accessfile=/etc/security/login_token.conf # Two-factor auth requisite pam_oath.so usersfile=/etc/users.oath # Exceptions from two-factor and publickey auth required pam_sepermit.so # Disallow non-root logins when /etc/nologin exists. account required pam_nologin.so 8) editare /etc/ssh/sshd_config: UsePAM yes AuthenticationMethods publickey,keyboard-interactive #NOTA! commentando "keyboard-interactive" si disabilita accesso OATH PasswordAuthentication no ChallengeResponseAuthentication yes 9) Riavviare sshd Rif: https://www.digitalocean.com/community/tutorials/how-to-set-up-multi-factor-authentication-for-ssh-on-ubuntu-16-04 https://www.insecure.ws/linux/openssh_oath.html#configuring-openssh-with-oath-and-public-keys-2-factor-authentication https://www.insecure.ws/linux/openssh_oath.html http://delyan.me/securing-ssh-with-totp/ https://serverfault.com/questions/594135/different-requiredauthentications2-for-sshd-and-sftp-subsystem UTILIZZARE andOTP a manina si va su "aggiungi dettagli", nel campo "Etichetta" inserire il nome a vostro piacere della chiave, in "chiave segreta" inserire il "Base32 secret" tips/otp.txt Last modified: 2020/12/05 16:23by scipio