Two-factor authentication for SSH

"Secure Shell" (SSH) is a network protocol for establishing a secure connection between hosts, by default on port 22 (which is better changed). SSH clients and SSH servers are available for most operating systems. Almost any other network protocol can be run inside SSH, i.e. you can work remotely on another computer, transmit an audio or video stream over an encrypted channel, and so on. In addition, through a SOCKS proxy on a remote host you can connect to other hosts on behalf of that remote host.

Authentication can be done with a password, but developers and system administrators use SSH keys. The problem is that any private key can be stolen. Adding a passphrase theoretically protects against theft of the private key, but in practice, with key forwarding and key caching (agents), the key can be used without any confirmation. Two-factor authentication solves this problem.

How to implement two-factor authentication

Developers from Honeycomb recently published detailed instructions on how to set up the appropriate infrastructure on the client and the server.

The instructions assume that you have one key host exposed to the Internet (a bastion). You want to connect to this host from laptops or desktops over the Internet and reach all the other tools behind it. 2FA ensures that an attacker cannot do the same even after gaining access to your laptop, for example by installing malware on it.

The first option is OTP

OTP stands for one-time passwords, which in this case are used for SSH authentication together with the key. The developers write that this is not the ideal option, because an attacker can stand up a fake bastion, intercept your OTP and use it. But it is better than nothing.

In this case, on the server side, the following files are added to the Chef configuration:

  • metadata.rb
  • attributes/default.rb (from attributes.rb)
  • files/sshd
  • recipes/default.rb (copied from recipe.rb)
  • templates/default/users.oath.erb

On the client side, any OTP application is installed (Google Authenticator, Authy, Duo, LastPass), oath-toolkit is installed with brew install oath-toolkit or apt install oathtool openssl, and then a random base16 string (the key) is generated. It is converted into the Base32 format that mobile phone apps use and imported directly into the application.
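As an added example (not code from the article or from Honeycomb), the following Python script shows what happens behind the oath-toolkit steps above: it generates a random base16 secret, converts it to the Base32 string an authenticator app imports, computes the RFC 4226/6238 code the phone shows, and performs the server-side check with a small clock-drift window. The example secret is the RFC 6238 reference key, embedded as constructed test input.

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time

# Constructed example: the RFC 6238 reference key "12345678901234567890",
# written as the base16 (hex) string that oathtool consumes.
EXAMPLE_SECRET_HEX = "3132333435363738393031323334353637383930"


def new_secret_hex(nbytes=20):
    """Generate a random base16 secret (equivalent of `openssl rand -hex 20`)."""
    return secrets.token_hex(nbytes)


def hex_to_base32(secret_hex):
    """Convert the server-side hex key to the Base32 form that phone apps import."""
    return base64.b32encode(bytes.fromhex(secret_hex)).decode("ascii")


def hotp(secret_hex, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    key = bytes.fromhex(secret_hex)
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret_hex, now=None, step=30, digits=6):
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time divided by the step."""
    if now is None:
        now = int(time.time())
    return hotp(secret_hex, now // step, digits)


def verify_totp(secret_hex, code, now=None, window=1, step=30):
    """Server-side check: accept the current step or +/- `window` steps (clock drift),
    comparing in constant time so response timing does not leak the digits."""
    if now is None:
        now = int(time.time())
    return any(
        hmac.compare_digest(totp(secret_hex, now + delta * step, step), code)
        for delta in range(-window, window + 1)
    )


if __name__ == "__main__":
    print("Base32 for the phone app:", hex_to_base32(EXAMPLE_SECRET_HEX))
    print("Current code:", totp(EXAMPLE_SECRET_HEX))
```

The Base32 output is what you would paste into the authenticator app; `verify_totp` is the logic a PAM module such as pam_oath applies against the `users.oath` file.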

As a result, you can connect to the bastion and see that it now requires not only the passphrase but also the OTP code for authentication:

➜ ssh -A bastion
Enter passphrase for key '[snip]': 
One-time password (OATH) for '[user]': 
Welcome to Ubuntu 18.04.1 LTS...

The second option is hardware authentication

In this case, the user does not have to enter an OTP code every time, since the second factor becomes a hardware device or biometrics.

Here the Chef configuration is somewhat more complex, and the client setup depends on the OS. But after completing all the steps, clients on macOS can authenticate in SSH using the passphrase and by placing a finger on the sensor (the second factor).

iOS and Android owners confirm the login by pressing a single button on their smartphone. This is a special technology from Krypt.co, which is even more secure than OTP.

On Linux/ChromeOS there is the option of working with YubiKey USB tokens. Yes, an attacker can steal your token, but they still do not know the passphrase.

Source: www.habr.com
