The Raspberry Pi is everywhere now, which is why it’s caught the eye of threat actors and cybercriminals. We’ll show you how to secure your Pi with two-factor authentication.

Raspberry Pi现在无处不在，这就是为什么它引起了威胁参与者和网络犯罪分子的关注。 我们将向您展示如何通过两步验证来保护您的Pi。

惊人的树莓派 (The Amazing Raspberry Pi)

The Raspberry Pi is a single-board computer. It launched in the U.K. in 2012 with the intent of getting children to tinker with, create, and learn code. The original form factor was a credit-card-sized board, powered by a phone charger.

Raspberry Pi是单板计算机。 它于2012年在英国推出，旨在让孩子们修补，创建和学习代码。 最初的尺寸是信用卡大小的板，由电话充电器供电。

It provides HDMI output, USB ports, network connectivity, and runs Linux. Later additions to the line included even smaller versions designed to be incorporated in products or run as headless systems. Prices range from $5 for the minimalist Pi Zero, to $75 for the Pi 4 B/8 GB.

它提供HDMI输出，USB端口，网络连接并运行Linux。 该产品线后来的增加包括甚至更小版本的产品，这些产品设计用于产品或作为无头系统运行。 价格从极简的Pi Zero的5美元到Pi 4 B / 8 GB的75美元不等。

Its success has been incredible; over 30 million of these tiny computers have sold worldwide. Hobbyists have done amazing and inspiring things with them, including floating one to the edge of space and back on a balloon.

它的成功令人难以置信。 这些微型计算机在全球已售出超过3000万台。 业余爱好者已经与他们一起完成了令人惊奇和启发性的事情，包括将一个漂浮在太空边缘然后放回气球上。

Alas, once a computing platform becomes sufficiently widespread it inevitably attracts the attention of cybercriminals. It’s dreadful to think of how many Pi’s are using the default user account and password. If your Pi is public-facing and accessible from the internet by Secure Shell (SSH), it must be secure.

las，一旦计算平台变得足够普及，它不可避免地会引起网络犯罪分子的关注。 考虑到有多少Pi正在使用默认用户帐户和密码，这真是令人恐惧。 如果您的Pi是面向公众的，并且可以通过Secure Shell (SSH)从Internet访问，则它必须是安全的。

Even if you don’t have any valuable data or software on your Pi, you need to protect it because your Pi isn’t the actual target—it’s just a way to get into your network. Once a threat actor has a foothold in a network, he’ll pivot to the other devices in which he’s actually interested.

即使您的Pi上没有任何有价值的数据或软件，您也需要对其进行保护，因为您的Pi并不是真正的目标-这只是进入网络的一种方式。 一旦威胁参与者在网络中立足，他将转向他真正感兴趣的其他设备。

两要素认证 (Two-Factor Authentication)

Authentication—or gaining access to a system—requires one or more factors. Factors are categorized as the following:

身份验证(或获得对系统的访问权限)需要一个或多个因素。 因素分为以下几种：

• Something you know: Such as a password or -phrase.

  您知道的一些信息：例如密码或短语。

• Something you have: Like a cell phone, physical token, or dongle.

  您拥有的东西：例如手机，物理令牌或加密狗。

• Something you are: A biometric reading, like a fingerprint or retinal scan.

  您是：生物识别读数，例如指纹或视网膜扫描。

Multifactor authentication (MFA) requires a password, and one or more items from the other categories. For our example, we’re going to use a password and cell phone. The cell phone will run a Google authenticator app, and the Pi will run a Google authentication module.

多因素身份验证(MFA)要求输入密码以及其他类别中的一项或多项。 对于我们的示例，我们将使用密码和手机。 手机将运行Google身份验证器应用程序，Pi将运行Google身份验证模块。

A cell phone app is linked to your Pi by scanning a QR code. This passes some seed information to your cell phone from the Pi, ensuring their number-generation algorithms produce the same codes simultaneously.  The codes are referred to as time-based, one-time passwords (TOTP).

手机应用通过扫描QR码链接到您的Pi。 这会将一些种子信息从Pi传递到您的手机，以确保其数字生成算法同时生成相同的代码。 这些代码称为基于时间的一次性密码(TOTP)。

When it receives a connection request, your Pi generates a code. You use the authenticator app on your phone to see the current code, and then your Pi will ask you for your password and authentication code. Both your password and the TOTP must be correct before you’re allowed to connect.

当它收到连接请求时，您的Pi会生成一个代码。 您使用手机上的身份验证器应用程序查看当前代码，然后您的Pi会要求您提供密码和验证码。 允许您连接之前，您的密码和TOTP都必须正确。

配置Pi (Configuring the Pi)

If you usually SSH onto your Pi, it’s likely it’s a headless system, so we’ll configure it over an SSH connection.

如果您通常将SSH连接到Pi，则可能是无头系统，因此我们将通过SSH连接对其进行配置。

It’s safest to make two SSH connections: one to do the configuring and testing, and another to act as a safety net. This way, if you lock yourself out of your Pi, you’ll still have the second active SSH connection active. Changing SSH settings won’t affect an in-progress connection, so you can use the second one to reverse any changes and remedy the situation.

建立两个SSH连接是最安全的：一个进行配置和测试，另一个充当安全网。 这样，如果您将自己锁定在Pi之外，您仍将保持第二个活动的SSH连接活动。 更改SSH设置不会影响正在进行的连接，因此您可以使用第二个SSH撤消任何更改并纠正这种情况。

If the worst happens and you’re completely locked out via SSH, you’ll still be able to connect your Pi to a monitor, keyboard, and mouse, and then log in to a regular session. That is, you can still sign in, as long as your Pi can drive a monitor. If it can’t, however, you really need to keep the safety net SSH connection open until you’ve verified that two-factor authentication is working.

如果最坏的情况发生了，并且您已完全通过SSH锁定，您仍然可以将Pi连接到显示器，键盘和鼠标，然后登录到常规会话。 也就是说，只要您的Pi可以驱动显示器，您仍然可以登录。 但是，如果不能，那么您真的需要保持安全网SSH连接的打开状态，直到您确认两因素身份验证有效。

The ultimate sanction, of course, is to reflash the operating system onto the Pi’s micro SD card, but let’s try to avoid that.

当然，最终的制裁是将操作系统重新刷新到Pi的micro SD卡上，但是让我们尝试避免这种情况。

First, we need to make our two connections to the Pi. Both commands take the following form:

首先，我们需要与树莓派建立两个连接。 这两个命令都采用以下形式：

ssh pi@watchdog.local

The name of this Pi is “watchdog,” but you’ll type the name yours instead. If you’ve changed the default username, use that, too; ours is “pi.”

该Pi的名称是“看门狗”，但是您将键入您的名字。 如果您更改了默认用户名，也请使用该用户名。 我们的是“ pi”。

Remember, for safety, type this command twice in different terminal windows so you have two connections to your Pi. Then, minimize one of them, so it’s out of the way and won’t be closed accidentally.

请记住，为安全起见，请在不同的终端窗口中键入此命令两次，以使您与Pi有两个连接。 然后，最小化其中之一，以免干扰，不会意外关闭。

After you connect, you’ll see the greeting message. The prompt will show the username (in this case, “pi”), and the name of the Pi (in this case, “watchdog”).

连接后，您将看到问候消息。 提示符将显示用户名(在本例中为“ pi”)和Pi的名称(在本例中为“看门狗”)。

You need to edit the “sshd_config” file. We’ll do so in the nano text editor:

您需要编辑“ sshd_config”文件。 我们将在nano文本编辑器中执行此操作：

sudo nano /etc/ssh/sshd_config

Scroll through the file until you see the following line:

滚动浏览文件，直到看到以下行：

ChallengeResponseAuthentication no

Replace the “no” with “yes.”

将“否”替换为“是”。

Press Ctrl+O to save your changes in nano, and then press Ctrl+X to close the file. Use the following command to restart the SSH daemon:

按Ctrl + O将更改保存在nano中，然后按Ctrl + X关闭文件。 使用以下命令重新启动SSH守护程序：

sudo systemctl restart ssh

You need to install the Google authenticator, which is a Pluggable Authentication Module (PAM) library. The application (SSH) will call the Linux PAM interface, and the interface finds the appropriate PAM module to service the type of authentication being requested.

您需要安装Google身份验证器，它是一个可插入身份验证模块(PAM)库。 应用程序(SSH)将调用Linux PAM接口，并且该接口找到适当的PAM模块以服务于请求的身份验证类型。

Type the following:

输入以下内容：

sudo apt-get install libpam-google-authenticator

安装应用 (Installing the App)

The Google Authenticator app is available for iPhone and Android, so just install the appropriate version for your cell phone. You can also use Authy and other apps that support this type of authentication code.

Google Authenticator应用适用于iPhone和Android ，因此只需为您的手机安装适当的版本即可。 您还可以使用Authy和其他支持此类身份验证代码的应用。

配置两因素身份验证 (Configuring Two-Factor Authentication)

In the account you’ll be using when you connect to the Pi via SSH, run the following command (do not include the sudo prefix):

在通过SSH连接到Pi时要使用的帐户中，运行以下命令(不包括sudo前缀)：

google-authenticator

You’ll be asked if you want the authentication tokens to be time-based; press Y, and then hit Enter.

系统将询问您是否希望身份验证令牌基于时间； 按Y，然后按Enter。

A Quick Response (QR) code is generated, but it’s scrambled because it’s wider than the 80-column terminal window. Drag the window wider to see the code.

生成了快速响应(QR)代码，但由于它比80列的终端窗口宽，因此已被加扰。 将窗口更宽地拖动以查看代码。

You’ll also see some security codes beneath the QR code. These are written to a file called “.google_authenticator,” but you might want to make a copy of them now. If you ever lose the ability to obtain a TOTP (if you lose your cell phone, for example), you can use these codes to authenticate.

您还将在QR码下方看到一些安全码。 它们被写入名为“ .google_authenticator”的文件中，但是您现在可能想要复制它们。 如果您失去了获得TOTP的能力(例如，如果您丢失了手机)，则可以使用这些代码进行身份验证。

You must answer four questions, the first of which is:

您必须回答四个问题，第一个是：

Do you want me to update your "/home/pi/.google_authenticator" file? (y/n)

Press Y, and then hit Enter.

按Y，然后按Enter。

The next question asks whether you want to prevent multiple uses of the same code within a 30-second window.

下一个问题询问您是否要防止在30秒的窗口内多次使用同一代码。

Press Y, and then hit Enter.

按Y，然后按Enter。

The third question asks whether you want to widen the window of acceptance for the TOTP tokens.

第三个问题询问您是否要扩大TOTP令牌的接受范围。

Press N in answer to this, and then press Enter.

在回答中按N，然后按Enter。

The last question is: “Do you want to enable rate-limiting?”

最后一个问题是：“您要启用速率限制吗？”

Type Y, and then hit Enter.

键入Y，然后按Enter。

You’re returned to the command prompt. If necessary, drag the terminal window wider and/or scroll up in the terminal window so you can see the entire QR code.

您将返回到命令提示符。 如有必要，将终端窗口更宽地拖动和/或在终端窗口中向上滚动，以查看整个QR码。

On your cell phone open the authenticator app, and then press the plus sign (+) at the bottom-right of the screen. Select “Scan a QR Code,” and then scan the QR code in the terminal window.

在您的手机上，打开身份验证器应用程序，然后按屏幕右下角的加号(+)。 选择“扫描QR码”，然后在终端窗口中扫描QR码。

A new entry will appear in the authenticator app named after the hostname of the Pi, and a six-digit TOTP code will be listed beneath it. It’s displayed as two groups of three digits to make reading it easier, but you must type it as one, six-digit number.

一个新条目将出现在身份验证器应用程序中，该应用程序以Pi的主机名命名，并在其下方列出一个六位数的TOTP代码。 它被显示为两组，每组三个数字，以便于阅读，但是您必须将其键入一个六位数的数字。

An animated circle beside the code indicates how much longer the code will be valid: a full circle means 30 seconds, a half-circle means 15 seconds, and so on.

代码旁边的动画圆圈表示该代码有效的时间：一个完整​​的圆圈表示30秒，一个半圆圈表示15秒，依此类推。

链接在一起 (Linking It All Together)

We’ve got one more file to edit. We have to tell SSH which PAM authentication module to use:

我们还有一个文件要编辑。 我们必须告诉SSH使用哪个PAM身份验证模块：

sudo nano /etc/pam.d/sshd

Type the following lines near the top of the file:

在文件顶部附近键入以下几行：

#2FA
auth required pam_google_authenticator.so

You can also choose when you want to be asked for the TOTP:

您还可以选择何时要求输入TOTP：

• After you’ve entered your password: Type the previous lines below “@include common-auth,” as shown in the image above.

  输入密码后：如上图所示，在“ @include common-auth”下面输入前几行。

• Before you’re asked for your password: Type the previous lines above “@include common-auth.”

  在要求您输入密码之前：在“ @include common-auth”上方输入前几行。

Note the underscores (_) used in “pam_google_authenticator.so,” rather than the hyphens (-) we used earlier with the apt-get command to install the module.

请注意“ pam_google_authenticator.so”中使用的下划线(_)，而不是我们之前使用apt-get命令安装模块时使用的连字符(-)。

Press Ctrl+O to write the changes to the file, and then press Ctrl+X to close the editor. We need to restart SSH one final time, and then we’re done:

按Ctrl + O将更改写入文件，然后按Ctrl + X关闭编辑器。 我们需要在最后一次重新启动SSH，然后完成：

sudo systemctl restart ssh

Close this SSH connection, but leave the other safety net SSH connection running until we’ve verified this next step.

关闭此SSH连接，但使其他安全网SSH连接保持运行状态，直到我们验证了此下一步。

Make sure the authenticator app is open and ready on your cell phone, and then open a new SSH connection to the Pi:

确保身份验证器应用已打开并在手机上准备就绪，然后打开与Pi的新SSH连接：

ssh pi@watchdog.local

You should be asked for your password, and then for the code. Type the code from your cell phone without any spaces between the numbers. Like your password, it’s not echoed on the screen.

应该要求您输入密码，然后输入代码。 键入手机中的密码，数字之间不要有空格。 就像您的密码一样，它不会在屏幕上回显。

If everything goes according to plan, you should be allowed to connect to the Pi; if not, use your safety net SSH connection to review the previous steps.

如果一切都按计划进行，则应允许您连接到Pi。 如果不是，请使用您的安全网SSH连接查看前面的步骤。

比抱歉更好安全 (Better Safer Than Sorry)

Did you notice the “r” in “safer” above?

您是否注意到上面“更安全”中的“ r”？

Indeed, you’re now safer than you were previously when connecting to a Raspberry Pi, but nothing is ever 100 percent safe. There are ways to circumvent two-factor authentication. These rely on social engineering, man-in-the-middle and man-at-the-endpoint attacks, SIM swapping, and other advanced techniques that, obviously, we’re not going to describe here.

确实，与连接Raspberry Pi的连接相比，您现在比以前更安全，但是没有100％安全。 有一些方法可以规避两因素身份验证。 这些依赖于社会工程，中间人攻击和端点人攻击， SIM卡交换以及其他高级技术，显然，我们将不在这里描述。

So, why bother with all this if it’s not perfect? Well, for the same reason you lock your front door when you leave, even though there are people who can pick locks—most can’t.

那么，如果这还不够完美，为什么还要烦恼呢？ 好吧，出于同样的原因，即使有人可以选锁，但离开时还是要锁上前门，而大多数人却不能。

翻译自: https://www.howtogeek.com/676077/how-to-set-up-two-factor-authentication-on-a-raspberry-pi/