How to Set Up Two-Factor Authentication on a Raspberry Pi

A Raspberry Pi sitting on a laptop keyboard. (Kiklas/Shutterstock)

The Raspberry Pi is everywhere now, which is why it’s caught the eye of threat actors and cybercriminals. We’ll show you how to secure your Pi with two-factor authentication.

The Amazing Raspberry Pi

The Raspberry Pi is a single-board computer. It launched in the U.K. in 2012 with the intent of getting children to tinker with, create, and learn code. The original form factor was a credit-card-sized board, powered by a phone charger.

It provides HDMI output, USB ports, network connectivity, and runs Linux. Later additions to the line included even smaller versions designed to be incorporated in products or run as headless systems. Prices range from $5 for the minimalist Pi Zero, to $75 for the Pi 4 B/8 GB.

Its success has been incredible; over 30 million of these tiny computers have sold worldwide. Hobbyists have done amazing and inspiring things with them, including floating one to the edge of space and back on a balloon.

Alas, once a computing platform becomes sufficiently widespread it inevitably attracts the attention of cybercriminals. It’s dreadful to think of how many Pis are using the default user account and password. If your Pi is public-facing and accessible from the internet by Secure Shell (SSH), it must be secure.

Even if you don’t have any valuable data or software on your Pi, you need to protect it because your Pi isn’t the actual target; it’s just a way to get into your network. Once a threat actor has a foothold in a network, he’ll pivot to the other devices in which he’s actually interested.

Two-Factor Authentication

Authentication, that is, gaining access to a system, requires one or more factors. Factors are categorized as the following:

  • Something you know: Such as a password or passphrase.

  • Something you have: Like a cell phone, physical token, or dongle.

  • Something you are: A biometric reading, like a fingerprint or retinal scan.

Multifactor authentication (MFA) requires a password, and one or more items from the other categories. For our example, we’re going to use a password and cell phone. The cell phone will run a Google authenticator app, and the Pi will run a Google authentication module.

A cell phone app is linked to your Pi by scanning a QR code. This passes some seed information to your cell phone from the Pi, ensuring their number-generation algorithms produce the same codes simultaneously. The codes are referred to as time-based, one-time passwords (TOTP).

When it receives a connection request, your Pi generates a code. You use the authenticator app on your phone to see the current code, and then your Pi will ask you for your password and authentication code. Both your password and the TOTP must be correct before you’re allowed to connect.

Configuring the Pi

If you usually SSH onto your Pi, it’s likely it’s a headless system, so we’ll configure it over an SSH connection.

It’s safest to make two SSH connections: one to do the configuring and testing, and another to act as a safety net. This way, if you lock yourself out of your Pi, you’ll still have the second SSH connection active. Changing SSH settings won’t affect an in-progress connection, so you can use the second one to reverse any changes and remedy the situation.

If the worst happens and you’re completely locked out via SSH, you’ll still be able to connect your Pi to a monitor, keyboard, and mouse, and then log in to a regular session. That is, you can still sign in, as long as your Pi can drive a monitor. If it can’t, however, you really need to keep the safety net SSH connection open until you’ve verified that two-factor authentication is working.

The ultimate sanction, of course, is to reflash the operating system onto the Pi’s micro SD card, but let’s try to avoid that.

First, we need to make our two connections to the Pi. Both commands take the following form:

ssh pi@watchdog.local

The name of this Pi is “watchdog,” but you’ll type the name of yours instead. If you’ve changed the default username, use that, too; ours is “pi.”

Remember, for safety, type this command twice in different terminal windows so you have two connections to your Pi. Then, minimize one of them, so it’s out of the way and won’t be closed accidentally.

After you connect, you’ll see the greeting message. The prompt will show the username (in this case, “pi”), and the name of the Pi (in this case, “watchdog”).


You need to edit the “sshd_config” file. We’ll do so in the nano text editor:

sudo nano /etc/ssh/sshd_config

Scroll through the file until you see the following line:

ChallengeResponseAuthentication no

Replace the “no” with “yes.”


Press Ctrl+O to save your changes in nano, and then press Ctrl+X to close the file. Use the following command to restart the SSH daemon:

sudo systemctl restart ssh

You need to install the Google authenticator, which is a Pluggable Authentication Module (PAM) library. The application (SSH) will call the Linux PAM interface, and the interface finds the appropriate PAM module to service the type of authentication being requested.

Type the following:

sudo apt-get install libpam-google-authenticator

Installing the App

The Google Authenticator app is available for iPhone and Android, so just install the appropriate version for your cell phone. You can also use Authy and other apps that support this type of authentication code.


Configuring Two-Factor Authentication

In the account you’ll be using when you connect to the Pi via SSH, run the following command (do not include the sudo prefix):

google-authenticator

You’ll be asked if you want the authentication tokens to be time-based; press Y, and then hit Enter.

A Quick Response (QR) code is generated, but it’s scrambled because it’s wider than the 80-column terminal window. Drag the window wider to see the code.

You’ll also see some security codes beneath the QR code. These are written to a file called “.google_authenticator,” but you might want to make a copy of them now. If you ever lose the ability to obtain a TOTP (if you lose your cell phone, for example), you can use these codes to authenticate.

You must answer four questions, the first of which is:

Do you want me to update your "/home/pi/.google_authenticator" file? (y/n)

Press Y, and then hit Enter.

The next question asks whether you want to prevent multiple uses of the same code within a 30-second window:

Do you want to disallow multiple uses of the same authentication token? (y/n)

Press Y, and then hit Enter.

The third question asks whether you want to widen the window of acceptance for the TOTP tokens:

Do you want to do so? (y/n)

Press N in answer to this, and then press Enter.

The last question is:

Do you want to enable rate-limiting? (y/n)

Type Y, and then hit Enter.
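To make the earlier TOTP description concrete, and to show what the three policy questions above (reuse, acceptance window, rate limiting) actually decide on the server side, here is an added Python example. It is not code from the article or from the google-authenticator project; it implements RFC 4226 HOTP and RFC 6238 TOTP with the standard library only and checks itself against the published test vector. The secret is the RFC test key, base32-encoded, and the defaults in TotpVerifier (one extra token accepted before and after the current one, codes never reused, at most 3 attempts per 30 seconds) are assumptions that mirror the defaults the prompts describe, not values taken from the page.

```python
import base64
import hashlib
import hmac
import struct
import time

# Constructed test secret: the 20-byte ASCII key "12345678901234567890" from
# RFC 4226/6238, base32-encoded. Not a secret from any real .google_authenticator file.
DEMO_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
STEP_SECONDS = 30


def hotp(secret_b32, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    key = base64.b32decode(secret_b32.upper().replace(" ", ""))
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp(secret_b32, at=None):
    """RFC 6238 TOTP: HOTP with the counter set to the current 30-second time step.
    Phone and Pi agree on the code because they share the seed and the clock."""
    if at is None:
        at = time.time()
    return hotp(secret_b32, int(at) // STEP_SECONDS)


class TotpVerifier:
    """Server-side check mirroring the three policy questions google-authenticator asks.
    The defaults below are assumptions modelled on the prompts, not the module's code."""

    def __init__(self, secret_b32, slack=1, disallow_reuse=True, rate_limit=(3, 30)):
        self.secret = secret_b32
        self.slack = slack                       # extra steps accepted either side of "now"
        self.disallow_reuse = disallow_reuse
        self.max_attempts, self.rate_window = rate_limit
        self.last_accepted_step = None
        self.attempts = []                       # timestamps of recent attempts, good or bad

    def verify(self, code, at):
        # Rate limiting: refuse outright once max_attempts occurred inside rate_window seconds.
        self.attempts = [t for t in self.attempts if t > at - self.rate_window]
        if len(self.attempts) >= self.max_attempts:
            return "rate-limited"
        self.attempts.append(at)

        now_step = int(at) // STEP_SECONDS
        for step in range(now_step - self.slack, now_step + self.slack + 1):
            if hmac.compare_digest(hotp(self.secret, step), code):
                # Replay check: never accept a step at or before the last accepted one,
                # so a code captured from a previous login is useless.
                if (self.disallow_reuse and self.last_accepted_step is not None
                        and step <= self.last_accepted_step):
                    return "reused"
                self.last_accepted_step = step
                return "ok"
        return "bad"


if __name__ == "__main__":
    print("RFC 6238 vector at t=59:", totp(DEMO_SECRET, 59))   # 287082
    print("current code for the demo secret:", totp(DEMO_SECRET))
```

The reuse rule rejects any step at or before the last accepted one, which is the behaviour RFC 6238 recommends and is slightly stricter than only remembering the exact codes already used; the slack parameter is the clock-skew allowance that question three offers to widen, and the rate limiter counts failed and successful attempts alike.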

You’re returned to the command prompt. If necessary, drag the terminal window wider and/or scroll up in the terminal window so you can see the entire QR code.

On your cell phone open the authenticator app, and then press the plus sign (+) at the bottom-right of the screen. Select “Scan a QR Code,” and then scan the QR code in the terminal window.

A new entry will appear in the authenticator app named after the hostname of the Pi, and a six-digit TOTP code will be listed beneath it. It’s displayed as two groups of three digits to make reading it easier, but you must type it as one six-digit number.

An animated circle beside the code indicates how much longer the code will be valid: a full circle means 30 seconds, a half-circle means 15 seconds, and so on.

Linking It All Together

We’ve got one more file to edit. We have to tell SSH which PAM authentication module to use:

sudo nano /etc/pam.d/sshd

Type the following lines near the top of the file:

#2FA
auth required pam_google_authenticator.so

You can also choose when you want to be asked for the TOTP:

  • After you’ve entered your password: Type the previous lines below “@include common-auth,” as shown in the image above.

  • Before you’re asked for your password: Type the previous lines above “@include common-auth.”

Note the underscores (_) used in “pam_google_authenticator.so,” rather than the hyphens (-) we used earlier with the apt-get command to install the module.
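Before closing the safety-net session it is worth checking the two edited files rather than trusting memory, because a hyphen in the module name or an unchanged “no” silently leaves you with password-only logins. The following Python example, added here and not part of the article or of any OpenSSH or google-authenticator tooling, checks both conditions and reports where the TOTP prompt will land relative to “@include common-auth.” The sample file contents are constructed to mirror the edits described above; the UsePAM check is an assumption on my part (sshd only consults the PAM stack when that keyword is “yes”, which is the Raspberry Pi OS default), as is the rule that sshd honours the first occurrence of a keyword.

```python
import re

# Constructed sample configuration files, not copied from any real Pi. They mirror the
# two edits the article makes: ChallengeResponseAuthentication in /etc/ssh/sshd_config
# and the pam_google_authenticator.so line in /etc/pam.d/sshd.
SSHD_CONFIG_DEFAULT = """\
# Change to yes to enable challenge-response passwords
ChallengeResponseAuthentication no
UsePAM yes
"""
SSHD_CONFIG_ENABLED = SSHD_CONFIG_DEFAULT.replace("Authentication no", "Authentication yes")

PAM_SSHD_AFTER_PASSWORD = """\
# PAM configuration for the Secure Shell service
@include common-auth

#2FA
auth required pam_google_authenticator.so
"""
PAM_SSHD_BEFORE_PASSWORD = """\
#2FA
auth required pam_google_authenticator.so
@include common-auth
"""
# The mistake the article warns about: hyphens from the package name in the module name.
PAM_SSHD_TYPO = PAM_SSHD_AFTER_PASSWORD.replace("pam_google_authenticator", "pam-google-authenticator")


def sshd_option(config_text, keyword):
    """Effective value of an sshd_config keyword (case-insensitive, 'Key value' or 'Key=value').
    sshd uses the first non-comment occurrence, so later duplicates are ignored here too."""
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        if len(parts) == 2 and parts[0].lower() == keyword.lower():
            return parts[1].strip().lower()
    return None


def totp_placement(pam_text):
    """Where the Google Authenticator 'auth' line sits relative to '@include common-auth'."""
    include_line = module_line = None
    for i, raw in enumerate(pam_text.splitlines()):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("@include") and "common-auth" in line:
            include_line = i
        elif line.startswith("auth"):
            if "pam-google-authenticator.so" in line:
                return "typo"
            if "pam_google_authenticator.so" in line:
                module_line = i
    if module_line is None:
        return "missing"
    if include_line is None:
        return "no-common-auth"
    return "after-password" if module_line > include_line else "before-password"


def check_setup(sshd_text, pam_text):
    """Problems to fix before closing the safety-net SSH session; an empty list means all good."""
    problems = []
    if sshd_option(sshd_text, "ChallengeResponseAuthentication") != "yes":
        problems.append("sshd_config: ChallengeResponseAuthentication is not yes")
    if sshd_option(sshd_text, "UsePAM") != "yes":
        problems.append("sshd_config: UsePAM is not yes, so the PAM stack is never consulted")
    placement = totp_placement(pam_text)
    if placement == "typo":
        problems.append("pam.d/sshd: module written with hyphens; it must be pam_google_authenticator.so")
    elif placement in ("missing", "no-common-auth"):
        problems.append("pam.d/sshd: " + placement)
    return problems


if __name__ == "__main__":
    # On a real Pi, pass open("/etc/ssh/sshd_config").read() and open("/etc/pam.d/sshd").read().
    print("constructed good config:", check_setup(SSHD_CONFIG_ENABLED, PAM_SSHD_AFTER_PASSWORD))
    print("constructed bad config:", check_setup(SSHD_CONFIG_DEFAULT, PAM_SSHD_TYPO))
```

Newer OpenSSH releases spell the keyword KbdInteractiveAuthentication and keep ChallengeResponseAuthentication as an alias, so on a recent Raspberry Pi OS you may find either name in the file; check whichever one is present.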

Press Ctrl+O to write the changes to the file, and then press Ctrl+X to close the editor. We need to restart SSH one final time, and then we’re done:

sudo systemctl restart ssh

Close this SSH connection, but leave the other safety net SSH connection running until we’ve verified this next step.

Make sure the authenticator app is open and ready on your cell phone, and then open a new SSH connection to the Pi:

ssh pi@watchdog.local

You should be asked for your password, and then for the code. Type the code from your cell phone without any spaces between the numbers. Like your password, it’s not echoed on the screen.

If everything goes according to plan, you should be allowed to connect to the Pi; if not, use your safety net SSH connection to review the previous steps.

Better Safer Than Sorry

Did you notice the “r” in “safer” above?

Indeed, you’re now safer than you were previously when connecting to a Raspberry Pi, but nothing is ever 100 percent safe. There are ways to circumvent two-factor authentication. These rely on social engineering, man-in-the-middle and man-at-the-endpoint attacks, SIM swapping, and other advanced techniques that, obviously, we’re not going to describe here.

So, why bother with all this if it’s not perfect? Well, for the same reason you lock your front door when you leave, even though there are people who can pick locks: most can’t.

Translated from: https://www.howtogeek.com/676077/how-to-set-up-two-factor-authentication-on-a-raspberry-pi/

