Two-factor authentication for SSH

SSH ("Secure Shell") is a network protocol designed to provide a secure connection between hosts, by default over port 22 (which is better changed). SSH clients and SSH servers exist for most operating systems. Almost any network protocol can be run inside SSH: you can work remotely on another computer, carry audio or video streams over the encrypted channel, and so on. In addition, through a SOCKS proxy on the remote host you can connect to other hosts on behalf of that remote host.

Authentication can use a password, but developers and system administrators traditionally use SSH keys. The problem is that a private key can be stolen. Adding a passphrase theoretically protects against theft of the private key, but in practice, with key forwarding and key caching (an agent), the key can still be used without any confirmation. Two-factor authentication solves this problem.

How to use two-factor authentication

The developers at Honeycomb have just published detailed instructions on how to set up the necessary infrastructure on the client and on the server.

The instructions assume you have a simple host exposed to the Internet (a bastion). You want to connect to this host from laptops or computers on the Internet and from it reach all the other machines behind it. 2FA ensures that an attacker cannot do anything even after gaining access to your laptop, for example by installing malware on it.

The first option is OTP

OTP stands for one-time passwords, which in this case are used for SSH authentication in addition to the key. The developers note that this is not the ideal option, because an attacker can set up a fake bastion, intercept your OTP and use it. But it is better than nothing.

In this case, on the server side, the following files are added to the Chef config:

  • metadata.rb
  • attributes/default.rb (from attributes.rb)
  • files/sshd
  • recipes/default.rb (copied from recipe.rb)
  • templates/default/users.oath.erb

On the client, any OTP application is installed (Google Authenticator, Authy, Duo, LastPass), along with oath-toolkit (brew install oath-toolkit or apt install oathtool openssl). A random base16 string (the secret) is then generated, converted to the Base32 format that mobile authenticators use, and imported directly into the application.
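The secret handling described above, as an added example that is not Honeycomb's code or part of the original article: it generates a base16 OATH secret, converts it to the Base32 form a mobile authenticator imports, and computes and verifies the RFC 6238 TOTP code (HMAC-SHA1, 30-second step, 6 digits; these parameters are assumptions, as is the one-step skew window on the verifying side).

```python
import base64
import binascii
import hashlib
import hmac
import secrets
import struct
import time


def generate_hex_secret(nbytes: int = 20) -> str:
    """Random OATH secret as a base16 string, the form oath-toolkit works with."""
    return secrets.token_hex(nbytes)


def hex_to_base32(hex_secret: str) -> str:
    """Convert the base16 secret to the unpadded Base32 string authenticator apps import."""
    raw = binascii.unhexlify(hex_secret)
    return base64.b32encode(raw).decode("ascii").rstrip("=")


def totp(hex_secret: str, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) as the authenticator app computes it for a given time."""
    key = binascii.unhexlify(hex_secret)
    counter = unix_time // step                     # time-based moving factor
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                      # RFC 4226 dynamic truncation
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def verify_totp(hex_secret: str, candidate: str, unix_time: int,
                window: int = 1, step: int = 30) -> bool:
    """Server-side check allowing +/- `window` steps of clock skew, constant-time compare."""
    for drift in range(-window, window + 1):
        expected = totp(hex_secret, unix_time + drift * step, step)
        if hmac.compare_digest(expected, candidate):
            return True
    return False


if __name__ == "__main__":
    secret = generate_hex_secret()                 # constructed, fresh on every run
    print("base16 secret for users.oath:", secret)
    print("Base32 for the authenticator:", hex_to_base32(secret))
    now = int(time.time())
    code = totp(secret, now)
    print("current code:", code, "accepted:", verify_totp(secret, code, now))
```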

As a result, when you connect to the bastion you see that it now asks not only for the key passphrase but also for an OTP code:

➜ ssh -A bastion
Enter passphrase for key '[snip]': 
One-time password (OATH) for '[user]': 
Welcome to Ubuntu 18.04.1 LTS...

The second option is hardware authentication

In this case the user does not have to enter an OTP code every time, since the second factor is a hardware device or biometrics.

Here the server configuration is somewhat more involved, and the client configuration depends on the OS. But once all the steps are done, macOS clients confirm SSH authentication with the passphrase and a finger on the Touch ID sensor (the second factor).

iOS and Android users confirm the login by pressing a button on their smartphone. This uses a dedicated tool from Krypt.co, which is also more secure than OTP.

On Linux/ChromeOS there is the option of working with YubiKey USB tokens. Of course, an attacker could steal your token, but they still would not know the password.

Source: www.hab.com
