OATH two-factor authentication for SSH

Exported from Notepad++
libxml2:
git clone https://gitlab.gnome.org/GNOME/libxml2/
cd libxml2
./autogen.sh
./configure --bindir=/usr/bin --sbindir=/usr/sbin --libdir=/usr/lib64 --includedir=/usr/include --prefix=/usr
make -j 4
make install
cp -frv include/* /usr/include/
cp -frv .libs/* /usr/lib64/
cp -frv ./libxml-2.0.pc /usr/lib/pkgconfig/
xml2-config --version
zypper in gtk-doc

xmlsec1:
wget http://www.aleksey.com/xmlsec/download/xmlsec1-1.2.29.tar.gz
tar -xzf xmlsec1-1.2.29.tar.gz
cd xmlsec1-1.2.29
./configure --bindir=/usr/bin --sbindir=/usr/sbin --libdir=/usr/lib64 --includedir=/usr/include
make -j 4
make install
cp -frv include/xmlsec/* /usr/include/xmlsec/
If needed: "zypper in -f libxmlsec1-1 libxmlsec1-openssl1 libxmlsec1-gcrypt1 libxmlsec1-gnutls1 libxmlsec1-nss1 xmlsec1"

pkg-config (newer than 0.28):
wget http://pkgconfig.freedesktop.org/releases/pkg-config-0.29.2.tar.gz
tar -xzf pkg-config-0.29.2.tar.gz
cd pkg-config-0.29.2
./autogen.sh
./configure --bindir=/usr/bin --sbindir=/usr/sbin --libdir=/usr/lib64 --includedir=/usr/include
make -j 4
make install

libxslt:
git clone git://git.gnome.org/libxslt
wget https://gitlab.gnome.org/GNOME/libxslt/-/archive/master/libxslt-master.tar.gz
cd libxslt-master
./autogen.sh
./configure --bindir=/usr/bin --sbindir=/usr/sbin --libdir=/usr/lib64 --includedir=/usr/include
make -j 4    # ignore the Python errors from make
make install

qrencode (draws the QR code):
wget https://fukuchi.org/works/qrencode/qrencode-4.0.2.tar.gz
tar -xzf qrencode-4.0.2.tar.gz
cd qrencode-4.0.2
./configure --bindir=/usr/bin --sbindir=/usr/sbin --libdir=/usr/lib64 --includedir=/usr/include
make -j 4
make install

caca libs (img2txt): http://caca.zoy.org/wiki/libcaca
wget http://caca.zoy.org/files/libcaca/libcaca-0.99.beta19.tar.gz
tar -xzf libcaca-0.99.beta19.tar.gz
cd libcaca-0.99.beta19
./bootstrap
./configure --bindir=/usr/bin --sbindir=/usr/sbin --libdir=/usr/lib64 --includedir=/usr/include --enable-java=no    # (test whether --enable-java=no is needed?)
make -j 4
If needed: zypper in caca-utils caca-utils-debuginfo libcaca-devel libcaca0

automake (aclocal):
wget http://ftp.gnu.org/gnu/automake/automake-1.16.tar.gz
tar -xzf automake-1.16.tar.gz
cd automake-1.16
./bootstrap
./configure --bindir=/usr/bin --sbindir=/usr/sbin --libdir=/usr/lib64 --includedir=/usr/include
make -j 4
make install

oath-toolkit:
wget http://download.savannah.nongnu.org/releases/oath-toolkit/oath-toolkit-2.6.2.tar.gz
wget https://gitlab.com/oath-toolkit/oath-toolkit/-/archive/master/oath-toolkit-master.tar.gz
tar -xzf oath-toolkit-master.tar.gz
tar -xzf oath-toolkit-2.6.2.tar.gz
cd oath-toolkit-2.6.2
./configure --bindir=/usr/bin --sbindir=/usr/sbin --libdir=/usr/lib64 --includedir=/usr/include
If needed: vi ./oathtool/gl/intprops.h -> add a trailing "\" to each of the #define lines. Info: https://bugzilla.redhat.com/show_bug.cgi?id=1419536
#if _GL_HAS_BUILTIN_OVERFLOW_WITH_NULL
# define _GL_ADD_OVERFLOW(a, b, min, max) \
  __builtin_add_overflow (a, b, (__typeof__ ((a) + (b)) *) 0)
# define _GL_SUBTRACT_OVERFLOW(a, b, min, max) \
  __builtin_sub_overflow (a, b, (__typeof__ ((a) - (b)) *) 0)
# define _GL_MULTIPLY_OVERFLOW(a, b, min, max) \
  __builtin_mul_overflow (a, b, (__typeof__ ((a) * (b)) *) 0)
vi ./libpskc/gl/intprops.h -> same as above, with the "\"
vi /usr/include/xmlsec/crypto.h -> comment out the line "#error No crypto library defined" (//#error No crypto library defined)
make -j 4
make install
ln -s /usr/local/lib/security/pam_oath.so /lib64/security/pam_oath.so
oathtool -V

PAM:
vi /etc/pam.d/sshd -> at the very top:
auth required pam_oath.so usersfile=/etc/users.oath digits=6 window=20
#auth include common-auth    # comment out

sshd:
vi /etc/ssh/sshd_config ->
PermitRootLogin yes
UsePAM yes
X11Forwarding yes
Subsystem sftp /usr/lib/ssh/sftp-server
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL
UseDNS no
IgnoreRhosts yes
HostbasedAuthentication no
ChallengeResponseAuthentication yes
PasswordAuthentication no
PermitEmptyPasswords no
AuthenticationMethods publickey
Match Group root
    PubkeyAuthentication yes
    PasswordAuthentication no
    AuthenticationMethods publickey,keyboard-interactive

Generate an SSH public key, see the SSH documentation.

Generate the OATH token. Info: https://wiki.packets2photons.com/index.php/2FA_with_SSH
head -10 /dev/urandom | sha512sum | cut -b 1-30 >> rand_key.txt
cat rand_key.txt >> /etc/users.oath
vi /etc/users.oath ->
HOTP/T30/6 root - c399d685d429433049a2d9cadc6146
oathtool --totp --verbose $(cat rand_key.txt)
Hex secret: c399d685d429433049a2d9cadc6146
Base32 secret: YOM5NBOUFFBTASNC3HFNYYKG
Digits: 6
Window size: 0
Step size (seconds): 30
Start time: 1970-01-01 00:00:00 UTC (0)
Current time: 2019-10-24 10:38:57 UTC (1571913537)
Counter: 0x31F843D (52397117)
801435

Preparation for the mobile phone:
oathtool --totp --verbose $(cat rand_key.txt) | grep Base | cut -d ' ' -f3 > base32_key_format.txt
cat base32_key_format.txt
YOM5NBOUFFBTASNC3HFNYYKG
vi base32_key_format.txt ->
otpauth://totp/root@172.17.190.48?secret=YOM5NBOUFFBTASNC3HFNYYKG
qrencode -m 1 -s 1 -o root_qr_code.png $(cat base32_key_format.txt)
file root_qr_code.png
root_qr_code.png: PNG image data, 123 x 123, 1-bit colormap, non-interlaced
img2txt -H 35 -W 70 root_qr_code.png
...QR code as an image...
Install FreeOTP from the Google Play Store: https://play.google.com/store/apps/details?id=org.fedorahosted.freeotp&hl=de
Then scan the QR code from within the app.

ssh login attempt:
ssh -vvv root@localhost
.....
....the public key is read.....
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Offering public key: /root/.ssh/id_ed25519 ED25519 SHA256:vzikuVjgDfUsOwhdr56gsdgdsfgsdgqxbAGoHAGHQLn045puBYiEVlBa/Ok agent
debug3: send packet: type 50
debug2: we sent a publickey packet, wait for reply
debug3: receive packet: type 60
debug1: Server accepts key: /root/.ssh/id_ed25519 ED25519 SHA256:vzikuVjgDfsfdgs56gfswqxbAGoHAGHQLn045puBYiEVlBa/Ok agent
debug3: sign_and_send_pubkey: ED25519 SHA256:vzikufdgsds4gfd5VjgDfUsOw32445324oHAGHQLn045puBYiEVlBa/Ok
....
..the OTP prompt..
Here just generate the code in the phone app and enter it.
debug2: we sent a keyboard-interactive packet, wait for reply
debug3: receive packet: type 60
debug2: input_