"Igobolondo elivikelekile" i-SSH iphrothokholi yenethiwekhi yokusungula ukuxhumana okuphephile phakathi kwabasingathi, ngokujwayelekile phezu kwembobo engu-22 (ongcono ukuyishintsha). Amaklayenti e-SSH namaseva e-SSH ayatholakala kumasistimu amaningi wokusebenza. Cishe noma iyiphi enye iphrothokholi yenethiwekhi isebenza ngaphakathi kwe-SSH, okungukuthi, ungasebenza ukude kwenye ikhompuyutha, udlulise umsindo noma ukusakazwa kwevidiyo ngesiteshi esibethelwe, njll. Ngaphandle kwalokho, ungakwazi ukuxhuma kwabanye abasingathi esikhundleni salo msingathi wesilawuli kude.
Ukufakazela ubuqiniso kwenzeka kusetshenziswa iphasiwedi, kodwa abathuthukisi nabaphathi besistimu ngokuvamile basebenzisa okhiye be-SSH. Inkinga ukuthi ukhiye oyimfihlo ungantshontshwa. Ukwengeza umushwana wokungena ngokwethiyori kuvikela ekwebiweni kokhiye oyimfihlo, kodwa ekusebenzeni, lapho udlulisela nokhiye wokulondoloza, bayawenza. . Ukuqinisekiswa kwezinto ezimbili kuyixazulula le nkinga.
Ungakusebenzisa kanjani ukuqinisekiswa kwezinto ezimbili
Onjiniyela abavela ku-Honeycomb basanda kushicilelwa , indlela yokusebenzisa ingqalasizinda efanele kuklayenti neseva.
Imiyalo ithatha ngokuthi unomsingathi othile oyisisekelo ovuleleke ku-inthanethi (i-bastion). Ufuna ukuxhuma kulo msingathi usebenzisa amakhompyutha aphathekayo noma amakhompyutha nge-inthanethi, futhi ufinyelele wonke amanye amadivayisi atholakala ngemva kwawo. I-2FA iqinisekisa ukuthi umhlaseli akakwazi ukwenza okufanayo ngisho noma ekwazi ukufinyelela kukhompuyutha yakho ephathekayo, isibonelo ngokufaka uhlelo olungayilungele ikhompuyutha.
Inketho yokuqala yi-OTP
I-OTP - amaphasiwedi edijithali esikhathi esisodwa, kulokhu azosetshenziselwa ukuqinisekiswa kwe-SSH kanye nokhiye. Onjiniyela babhala ukuthi lena akuyona inketho efanelekile, ngoba umhlaseli angaphakamisa isisekelo somgunyathi, abambe i-OTP yakho futhi ayisebenzise. Kodwa kungcono kunalutho.
Kulokhu, ohlangothini lweseva, imigqa elandelayo ibhalwe ku-Chef config:
metadata.rbattributes/default.rb(yeattributes.rb)files/sshdrecipes/default.rb(ikhophi kusuka kurecipe.rb)templates/default/users.oath.erb
Noma yiluphi uhlelo lwe-OTP lufakwe ohlangothini lweklayenti: Isiqinisekisi se-Google, i-Authy, i-Duo, i-Lastpass, ifakiwe brew install oath-toolkit noma apt install oathtool openssl, bese kukhiqizwa iyunithi yezinhlamvu ye-base16 engahleliwe (ukhiye). Iguqulelwa kufomethi ye-Base32 esetshenziswa abagunyazi beselula futhi ingeniswe ngqo kuhlelo lokusebenza.
Njengomphumela, ungakwazi ukuxhuma ku-Bastion futhi ubone ukuthi manje ayidingi kuphela umushwana wokungena, kodwa futhi nekhodi ye-OTP yokuqinisekisa:
β ssh -A bastion
Enter passphrase for key '[snip]':
One-time password (OATH) for '[user]':
Welcome to Ubuntu 18.04.1 LTS...Inketho yesibili ukuqinisekiswa kwehadiwe
Kulokhu, umsebenzisi akadingeki ukuthi afake ikhodi ye-OTP njalo, njengoba isici sesibili siba idivayisi yehadiwe noma i-biometrics.
Lapha ukucushwa kwe-Chef kuyinkimbinkimbi kancane, futhi ukucushwa kweklayenti kuncike ku-OS. Kodwa ngemva kokuqeda zonke izinyathelo, amaklayenti aku-MacOS angaqinisekisa ukuqinisekiswa ku-SSH esebenzisa umushwana wokungena nokubeka umunwe kunzwa (isici sesibili).
Abanikazi be-iOS ne-Android baqinisekisa ukungena ngemvume . Lobu ubuchwepheshe obukhethekile obuvela ku-Krypt.co, obuvikeleke kakhulu kune-OTP.
Ku-Linux/ChromeOS kunenketho yokusebenza namathokheni e-YubiKey USB. Yebo, umhlaseli angakwazi ukuntshontsha ithokheni yakho, kodwa namanje akawazi umushwana wokungena.
Source: www.habr.com