"Igobolondo elivikelekile" i-SSH iphrothokholi yenethiwekhi yokusungula ukuxhumana okuphephile phakathi kwabasingathi, ngokujwayelekile phezu kwembobo engu-22 (ongcono ukuyishintsha). Amaklayenti e-SSH namaseva e-SSH ayatholakala kumasistimu amaningi wokusebenza. Cishe noma iyiphi enye iphrothokholi yenethiwekhi isebenza ngaphakathi kwe-SSH, okungukuthi, ungasebenza ukude kwenye ikhompuyutha, udlulise umsindo noma ukusakazwa kwevidiyo ngesiteshi esibethelwe, njll. Ngaphandle kwalokho,
Authentication can be done with a password, but developers and system administrators usually use SSH keys. The problem is that the private key can be stolen. Adding a passphrase theoretically protects against theft of the private key, but in practice, when keys are forwarded and cached, it still happens.
How to set up two-factor authentication
Engineers from Honeycomb recently published
The instructions assume that you have some base host exposed to the internet (a bastion). You want to connect to this host from laptops or other computers over the internet, and reach all the other devices that sit behind it. 2FA ensures that an attacker cannot do the same even if they gain access to your laptop, for example by installing malware.
The first option is OTP
OTP means one-time numeric passwords, which in this case are used for SSH authentication together with the key. The engineers write that this is not an ideal option, because an attacker can stand up a fake bastion, intercept your OTP and use it. But it is better than nothing.
In this case, on the server side, the following files are written in the Chef config:
metadata.rb
attributes/default.rb (from attributes.rb)
files/sshd
recipes/default.rb (copied from recipe.rb)
templates/default/users.oath.erb
Any OTP application is installed on the client side: Google Authenticator, Authy, Duo, Lastpass. The tooling is installed with brew install oath-toolkit or apt install oathtool openssl, and then a random base16 string (the key) is generated. It is converted to the Base32 format used by mobile authenticators and imported directly into the application.
As a result, you can connect to the bastion and see that it now asks not only for the passphrase but also for an OTP code to authenticate:
β ssh -A bastion
Enter passphrase for key '[snip]':
One-time password (OATH) for '[user]':
Welcome to Ubuntu 18.04.1 LTS...
The second option is hardware authentication
In this case, the user does not have to enter an OTP code every time, because the second factor is a hardware device or biometrics.
Here the Chef configuration is a little more complicated, and the client configuration depends on the OS. But after completing all the steps, clients on MacOS can confirm SSH authentication with a passphrase and by placing a finger on the sensor (the second factor).
iOS and Android owners confirm the login
On Linux/ChromeOS there is the option of working with YubiKey USB tokens. Of course, an attacker can steal your token, but they still do not know the passphrase.
Source: www.habr.com