Two-factor authentication for SSH

Secure Shell (SSH) is a network protocol for establishing a secure connection between hosts, by default on TCP port 22 (which it is better to change). SSH clients and SSH servers are available for most operating systems. Almost any network protocol can be run inside SSH, i.e. you can work remotely on another computer, transmit an audio or video stream over an encrypted channel, and so on. In addition, through a SOCKS proxy on a remote host you can connect to other hosts on behalf of that remote host.

Authentication can be done with a password, but developers and system administrators usually use SSH keys. The problem is that a private key can be stolen. Adding a passphrase protects against private key theft in theory, but in practice, when keys are forwarded, they can still be used without any confirmation. Two-factor authentication solves this problem.

How to implement two-factor authentication

Developers at Honeycomb recently published detailed instructions on how to implement the required infrastructure on the client and on the server.

The instructions assume that you have a dedicated host exposed to the Internet (a bastion). You want to connect to this host from laptops or workstations over the Internet, and from it reach all the other machines behind it. 2FA ensures that an attacker cannot do this even if they gain access to your laptop, for example by installing malware.

The first option is OTP

OTP means one-time passwords, which in this case are used for SSH authentication together with a key. The developers write that this is not an ideal option, since an attacker could set up a fake bastion, capture your OTP and use it. But it is better than nothing.

In this case, on the server side, the following files are written into the Chef configuration:

  • metadata.rb
  • attributes/default.rb (from attributes.rb)
  • files/sshd
  • recipes/default.rb (copied from recipe.rb)
  • templates/default/users.oath.erb

On the client side any OTP application is installed: Google Authenticator, Authy, Duo, Lastpass, etc. Install oath-toolkit (brew install oath-toolkit or apt install oathtool openssl), then generate a random base16 string (the key). It is converted to the Base32 format that mobile authenticators use and imported directly into the application.

As a result, you can connect to the bastion and see that it now requires not only the passphrase but also an OTP code for authentication:

➜ ssh -A bastion
Enter passphrase for key '[snip]': 
One-time password (OATH) for '[user]': 
Welcome to Ubuntu 18.04.1 LTS...

The second option is hardware authentication

In this case the user does not have to enter an OTP code every time, because the second factor is a hardware device or token.

Here the Chef configuration is somewhat more complex, and the client configuration depends on the OS. But after completing all the steps, clients on macOS can confirm SSH authentication with the passphrase and a finger on the Touch ID sensor (the second factor).

iOS and Android owners confirm the login by pressing one button on their phone. This is a proprietary technology from Krypt.co, which is more secure than OTP.

On Linux/ChromeOS there is the option of working with YubiKey USB tokens. An attacker can of course steal your token, but they still do not know the passphrase.

source: www.habr.com
