huang zuxing blog @ home the quieter you become, the more you are able to hear.

25 Mar 2020

A way to enable MFA (multi-factor authentication) for ETX, NX and SSH at $0 cost

How to enable Google Authenticator on ETX, NX and SSH?

This guide assumes you already have ETX and NX instances running and only want to add Google Authenticator to them.

1. Compile, or install the rpm of, Google Authenticator on the ETX proxy nodes / NX login nodes / SSH nodes.

1.1 Download the source code and compile it (recommended): google-authenticator-libpam-master.zip

>./bootstrap.sh
>./configure --prefix=/usr/local/packages/tapeout_google_authenticator
>make
>make install

1.2 Or install the rpm package:

[root@ ]# rpm -ivh google-authenticator-0-0.3.20110830.hgd525a9bab875.el6.x86_64.rpm
Preparing...                ########################################### [100%]
   1:google-authenticator   ########################################### [100%]

1.3 To enable Google Authenticator for a user, the command /usr/bin/google-authenticator (or /usr/local/packages/tapeout_google_authenticator/bin/google-authenticator for the source build) must be run once as that user. This can be automated as part of user creation, and the resulting ~/.google_authenticator file can be pushed to existing users' home directories.

chameleon05.fab3:(/home/ron)> /usr/bin/google-authenticator
https://www.google.com/chart?chs=200x200&chld=M|0&cht=qr&chl=otpauth://totp/ron@chameleon305%3Fsecret%3DXUxx34xxxxQCQG4AIxxx
Your new secret key is: XU3xxxxCQG4AIxxxxxx
Your verification code is 880552
Your emergency scratch codes are:
  47465238
  64249605
  70511083
  66210068
  44749040

Do you want me to update your "~/.google_authenticator" file (y/n) y

Do you want to disallow multiple uses of the same authentication
token? This restricts you to one login about every 30s, but it increases
your chances to notice or even prevent man-in-the-middle attacks (y/n) y

By default, tokens are good for 30 seconds and in order to compensate for
possible time-skew between the client and the server, we allow an extra
token before and after the current time. If you experience problems with poor
time synchronization, you can increase the window from its default
size of 1:30min to about 4min. Do you want to do so (y/n) y

If the computer that you are logging into isn't hardened against brute-force
login attempts, you can enable rate-limiting for the authentication module.
By default, this limits attackers to no more than 3 login attempts every 30s.
Do you want to enable rate-limiting (y/n) y

1.4 Install the Google Authenticator app on your smartphone, add your secret key (or scan the QR code) and confirm that the app shows the verification code.
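What the enrollment above produces, as an added example that is not the pam module's own code: a small Python verifier for the ~/.google_authenticator file in the layout I understand the module writes (base32 secret on line 1, option lines starting with a double quote such as WINDOW_SIZE and DISALLOW_REUSE, remaining numeric lines the unused emergency scratch codes). It implements RFC 4226 HOTP and RFC 6238 TOTP, the skew window, the "disallow reuse" replay check and single-use scratch codes. The sample file text, the public RFC test secret and the fixed timestamps are constructed; RATE_LIMIT is read past but not enforced here.

```python
"""TOTP check against a ~/.google_authenticator file (constructed example).

Not the pam_google_authenticator module's code. Assumed file layout: line 1 is
the base32 secret, lines starting with '" ' are options, other numeric lines
are unused emergency scratch codes. Codes are 6 digits, 30 s steps, HMAC-SHA1.
"""
import base64
import hashlib
import hmac
import struct
import time

STEP_SECONDS = 30
DIGITS = 6

# RFC 4226 / RFC 6238 test secret "12345678901234567890" in base32 (public test vector).
RFC_TEST_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"

# Constructed sample file: the RFC test secret plus options like those chosen in
# the enrollment dialogue above (reuse disallowed, window widened) and the
# scratch codes printed there.
SAMPLE_FILE = """\
GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ
" RATE_LIMIT 3 30
" WINDOW_SIZE 17
" DISALLOW_REUSE
" TOTP_AUTH
47465238
64249605
70511083
66210068
44749040
"""

def hotp(secret_b32, counter, digits=DIGITS):
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamic truncation."""
    key = base64.b32decode(secret_b32.upper() + "=" * (-len(secret_b32) % 8))
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{binary % 10 ** digits:0{digits}d}"

def totp(secret_b32, at=None):
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / 30)."""
    now = time.time() if at is None else at
    return hotp(secret_b32, int(now // STEP_SECONDS))

class AuthenticatorFile:
    """In-memory view of one user's ~/.google_authenticator."""

    def __init__(self, text):
        lines = text.splitlines()
        self.secret = lines[0].strip()
        self.window = 3            # module default: current step +/- 1
        self.disallow_reuse = False
        self.used_steps = set()    # time steps already accepted (DISALLOW_REUSE)
        self.scratch = set()
        for line in lines[1:]:
            if line.startswith('" '):
                opt = line[2:].split()
                if opt[0] == "WINDOW_SIZE":
                    self.window = int(opt[1])
                elif opt[0] == "DISALLOW_REUSE":
                    self.disallow_reuse = True
                    self.used_steps = {int(t) for t in opt[1:]}
                # RATE_LIMIT, TOTP_AUTH: recognised by the module, ignored here
            elif line.strip().isdigit():
                self.scratch.add(line.strip())

    def verify(self, code, at=None):
        """True if 'code' is a TOTP value inside the skew window (and not a
        replay when DISALLOW_REUSE is set) or an unused scratch code, which is
        then consumed. Comparisons use compare_digest to avoid timing leaks."""
        step = int((time.time() if at is None else at) // STEP_SECONDS)
        half = self.window // 2
        for t in range(max(0, step - half), step + half + 1):
            if hmac.compare_digest(hotp(self.secret, t), code):
                if self.disallow_reuse and t in self.used_steps:
                    return False          # same token presented twice
                self.used_steps.add(t)
                return True
        if code in self.scratch:
            self.scratch.discard(code)    # single use, as the module does
            return True
        return False

if __name__ == "__main__":
    state = AuthenticatorFile(SAMPLE_FILE)
    print("TOTP at T=59:", totp(RFC_TEST_SECRET, at=59))   # 287082
    print("first use:", state.verify("287082", at=59))     # True
    print("replay:", state.verify("287082", at=59))        # False
    print("scratch:", state.verify("47465238", at=59), state.verify("47465238", at=59))
```

The window arithmetic follows the dialogue above: WINDOW_SIZE counts codes, so the default of 3 is the current step plus one on each side (1:30), and 17 is about four minutes on each side.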


2. ETX setup

2.1 Install Google Authenticator on the ETX node designated with the Auth role (see 1.1).

2.2 Edit /etc/pam.d/exceed-connection-node and add the pam_google_authenticator.so auth line shown below (the line highlighted in red in the original post).

#%PAM-1.0
auth   required pam_sepermit.so
# added line (highlighted in red in the post): Google Authenticator verification code
auth   required /usr/local/packages/tapeout_google_authenticator/lib/security/pam_google_authenticator.so secret=${HOME}/.google_authenticator
auth       include   password-auth
#account    required pam_nologin.so
#account    include password-auth
account     required   pam_access.so
account     required   pam_unix.so broken_shadow
account     sufficient   pam_localuser.so
account     sufficient   pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_ldap.so
account     required   pam_permit.so
password   include   password-auth
# pam_selinux.so close should be the first session rule
session    required   pam_selinux.so close
session    required   pam_loginuid.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session    required   pam_selinux.so open env_params
session    optional   pam_keyinit.so force revoke
session    include   password-auth

2.3 ETX login

[Screenshot: etxMFA]

3. NX setup

3.1 Install Google Authenticator on your NX login node (see 1.1 or 1.2).

3.2 Edit /etc/pam.d/nx and add the pam_google_authenticator.so auth line shown below (the line highlighted in red in the original post). Note where it sits: the pam_unix.so line above it is "sufficient", and a sufficient module that succeeds ends the auth stack, so a local (/etc/shadow) user whose password pam_unix.so accepts is never asked for a code; only users who fall through to pam_sss.so or pam_ldap.so get the second factor. If local accounts must also present a code, place the line before pam_unix.so.

#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required   pam_env.so
auth        sufficient   pam_unix.so nullok try_first_pass
# added line (highlighted in red in the post): Google Authenticator verification code
auth   required /usr/local/packages/google_authenticator/lib/security/pam_google_authenticator.so secret=${HOME}/.google_authenticator
auth        requisite   pam_succeed_if.so uid >= 500 quiet
auth        sufficient   pam_sss.so use_first_pass
auth        sufficient   pam_ldap.so use_first_pass
#auth        sufficient pam_krb5.so use_first_pass
auth        required   pam_deny.so
account     required   pam_access.so
account     required   pam_unix.so broken_shadow
account     sufficient   pam_localuser.so
account     sufficient   pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_sss.so
account     [default=bad success=ok user_unknown=ignore] pam_ldap.so
account     required   pam_permit.so
password    requisite   pam_cracklib.so try_first_pass retry=3
password    sufficient   pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    sufficient   pam_sss.so use_authtok
password    sufficient   pam_ldap.so use_authtok
password    required   pam_deny.so
session     optional   pam_keyinit.so revoke
session     required   pam_limits.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required   pam_unix.so
session     optional   pam_sss.so
session     optional   pam_ldap.so
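Why the position of the Google Authenticator line in the NX file matters, as an added example (not code from the post or from Linux-PAM): a minimal evaluator for PAM's four simple control flags, run over a hand-flattened copy of the auth rules above and over the same rules with the pam_google_authenticator.so line moved ahead of pam_unix.so. Module names come from the file above; the per-module verdict tables are constructed, and "include" lines and bracket-style controls are not modelled.

```python
"""Why the position of the pam_google_authenticator.so line matters.

Constructed example, not code from the post or from Linux-PAM: a minimal
evaluator for the simple control flags (required, requisite, sufficient,
optional) applied to the 'auth' rules of a pam.d file. 'include' lines and
bracket-style controls are not modelled, so the NX stack is flattened by hand.
"""
from dataclasses import dataclass, field

NX_AS_POSTED = """\
auth required   pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth required   pam_google_authenticator.so secret=${HOME}/.google_authenticator
auth requisite  pam_succeed_if.so uid >= 500 quiet
auth sufficient pam_sss.so use_first_pass
auth sufficient pam_ldap.so use_first_pass
auth required   pam_deny.so
"""

# Same rules, with the verification-code check moved ahead of pam_unix.so.
NX_REORDERED = """\
auth required   pam_env.so
auth required   pam_google_authenticator.so secret=${HOME}/.google_authenticator
auth sufficient pam_unix.so nullok try_first_pass
auth requisite  pam_succeed_if.so uid >= 500 quiet
auth sufficient pam_sss.so use_first_pass
auth sufficient pam_ldap.so use_first_pass
auth required   pam_deny.so
"""

# Constructed verdicts: what each module would return for one login attempt.
# A LOCAL (/etc/shadow) user typing the right password but no valid code:
LOCAL_USER_NO_CODE = {
    "pam_env.so": True,
    "pam_unix.so": True,                   # password is correct
    "pam_google_authenticator.so": False,  # no or wrong verification code
    "pam_succeed_if.so": True,             # uid >= 500
    "pam_sss.so": False,                   # not an SSSD user
    "pam_ldap.so": False,                  # not an LDAP user
    "pam_deny.so": False,
}
# An LDAP user typing the right password but no valid code:
LDAP_USER_NO_CODE = dict(LOCAL_USER_NO_CODE, **{"pam_unix.so": False, "pam_ldap.so": True})

@dataclass
class Outcome:
    success: bool
    executed: list = field(default_factory=list)   # modules that were reached

def parse_auth_rules(text):
    """Return (control, module) for each 'auth' line; comments are skipped."""
    rules = []
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split()
        if len(parts) < 3 or parts[0] != "auth":
            continue
        control, module = parts[1], parts[2].rsplit("/", 1)[-1]
        if control not in ("required", "requisite", "sufficient", "optional"):
            raise ValueError(f"control flag not modelled: {control}")
        rules.append((control, module))
    return rules

def run_auth_stack(rules, verdicts):
    """Walk the stack with Linux-PAM's simple-control semantics:
    required   - failure is remembered, the stack keeps going;
    requisite  - failure ends the stack immediately;
    sufficient - success ends the stack with PAM_SUCCESS unless a required
                 module already failed; its own failure is ignored;
    optional   - ignored here (it only counts when nothing else decided)."""
    required_failed = False
    decided_ok = False
    executed = []
    for control, module in rules:
        ok = verdicts.get(module, False)
        executed.append(module)
        if control == "requisite" and not ok:
            return Outcome(False, executed)
        if control in ("required", "requisite"):
            if ok:
                decided_ok = True
            else:
                required_failed = True
        elif control == "sufficient" and ok and not required_failed:
            return Outcome(True, executed)
    return Outcome(decided_ok and not required_failed, executed)

if __name__ == "__main__":
    for label, text in (("as posted", NX_AS_POSTED), ("reordered", NX_REORDERED)):
        out = run_auth_stack(parse_auth_rules(text), LOCAL_USER_NO_CODE)
        print(f"{label:10s} success={out.success} "
              f"code_prompted={'pam_google_authenticator.so' in out.executed}")
```

Run as posted, the local user is accepted after pam_unix.so and the Google Authenticator module is never reached; the LDAP user, whose password pam_unix.so rejects, falls through to the module and is denied without a code. With the line moved up, both users need the code.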

3.3 NX login:

[Screenshot: NXMFA]

4. SSH setup

4.1 Set up Google Authenticator on the SSH login node (see 1.1 or 1.2).

4.2 Add the pam_google_authenticator.so auth line shown below (the line highlighted in red in the original post) to /etc/pam.d/sshd.

[root@]# cat /etc/pam.d/sshd
#%PAM-1.0
# added line (highlighted in red in the post): Google Authenticator verification code
auth   required /usr/local/packages/tapeout_google_authenticator/lib/security/pam_google_authenticator.so secret=${HOME}/.google_authenticator
auth   required     pam_sepermit.so
auth       include   password-auth
account    required   pam_nologin.so
account    include   password-auth
password   include   password-auth
# pam_selinux.so close should be the first session rule
session    required   pam_selinux.so close
session    required   pam_loginuid.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session    required   pam_selinux.so open env_params
session    required   pam_namespace.so
session    optional   pam_keyinit.so force revoke
session    include   password-auth

4.3 Set ChallengeResponseAuthentication to "yes" in /etc/ssh/sshd_config.

[root@chameleon305]# cat /etc/ssh/sshd_config | grep Challenge
ChallengeResponseAuthentication yes

4.4 Restart sshd.

[root@chameleon305 ~]# /etc/init.d/sshd restart

4.5 Test the ssh login. You will now be prompted for a verification code.

hostnode:(/home/ron)> ssh chameleon305
Password:
Verification code:
Last login: Fri Feb  1 14:39:24 2019 from xxx
chameleon305:ron>
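A post-install check for the SSH steps above, added here as an example rather than a script from the post. It parses sshd_config (first value wins, as sshd does), confirms that /etc/pam.d/sshd loads pam_google_authenticator.so as a required or requisite auth rule, and checks that the user's ~/.google_authenticator exists and is not group or world readable. It also flags two things the steps above do not cover: with UsePAM yes, a public-key login never runs the PAM auth stack at all, so a key-based user skips the code unless sshd_config also carries "AuthenticationMethods publickey,keyboard-interactive"; and a user with no ~/.google_authenticator is denied outright unless the module is given the nullok option. The config texts, the hardened variant and the file modes are constructed; the helper and finding strings are my own.

```python
"""Post-install audit for the SSH steps above (constructed example, not the
post's own script). Checks that sshd hands logins to PAM via keyboard-
interactive, that /etc/pam.d/sshd makes pam_google_authenticator.so mandatory,
and that the user's secret file exists and is private. The sample config texts
are constructed to mirror the post; pass real text and paths on a host to use it.
"""
import os
import re
import stat

SSHD_AS_POSTED = """\
# /etc/ssh/sshd_config fragment matching the post (constructed)
ChallengeResponseAuthentication yes
UsePAM yes
"""
# Same, plus the directive that also forces a code on public-key logins
# (assumption: a practitioner's hardening step, not something the post shows).
SSHD_WITH_PUBKEY_MFA = SSHD_AS_POSTED + "AuthenticationMethods publickey,keyboard-interactive\n"

PAM_SSHD = """\
#%PAM-1.0
auth   required /usr/local/packages/tapeout_google_authenticator/lib/security/pam_google_authenticator.so secret=${HOME}/.google_authenticator
auth   required     pam_sepermit.so
auth       include   password-auth
"""

def parse_sshd_config(text):
    """'Keyword value' or 'Keyword=value', keyword case-insensitive. sshd uses
    the FIRST value it sees for a keyword, so later duplicates are ignored."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = parts[0].lower()
        if key not in conf:
            conf[key] = parts[1].strip() if len(parts) > 1 else ""
    return conf

def pam_requires_google_authenticator(pam_text):
    """True if an 'auth' rule loads pam_google_authenticator.so with a control
    whose failure is fatal (required or requisite)."""
    for raw in pam_text.splitlines():
        parts = raw.split("#", 1)[0].split()
        if len(parts) >= 3 and parts[0] == "auth" and parts[2].endswith("pam_google_authenticator.so"):
            return parts[1] in ("required", "requisite")
    return False

def every_method_chain_needs_kbd(methods):
    """AuthenticationMethods: space-separated alternatives, each a comma-separated
    chain that must be completed in full. PAM-based MFA holds only if every
    alternative includes keyboard-interactive (optionally suffixed, e.g. ':pam')."""
    chains = methods.split()
    return bool(chains) and all(
        any(m.split(":")[0] == "keyboard-interactive" for m in chain.split(","))
        for chain in chains)

def secret_file_mode(home):
    """st_mode of ~/.google_authenticator, or None if the file is missing."""
    try:
        return os.stat(os.path.join(home, ".google_authenticator")).st_mode
    except FileNotFoundError:
        return None

def audit(sshd_text, pam_text, secret_mode):
    """Return a list of findings; an empty list means the three pieces line up."""
    findings = []
    conf = parse_sshd_config(sshd_text)
    if conf.get("usepam", "no") != "yes":            # upstream default is 'no'
        findings.append("UsePAM is not 'yes': sshd never runs the PAM auth stack")
    kbd = conf.get("kbdinteractiveauthentication",   # newer name (OpenSSH 8.7+)
                   conf.get("challengeresponseauthentication", "yes"))
    if kbd != "yes":
        findings.append("ChallengeResponseAuthentication is not 'yes': no verification-code prompt")
    if conf.get("pubkeyauthentication", "yes") == "yes" and \
            not every_method_chain_needs_kbd(conf.get("authenticationmethods", "")):
        findings.append("public-key logins skip PAM auth; set "
                        "'AuthenticationMethods publickey,keyboard-interactive'")
    if not pam_requires_google_authenticator(pam_text):
        findings.append("/etc/pam.d/sshd has no required/requisite auth rule for pam_google_authenticator.so")
    if secret_mode is None:
        findings.append("~/.google_authenticator missing: login is denied unless the module has 'nullok'")
    elif secret_mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append("~/.google_authenticator is group/world accessible; chmod 0400 it")
    return findings

if __name__ == "__main__":
    for label, text in (("as posted", SSHD_AS_POSTED), ("with pubkey MFA", SSHD_WITH_PUBKEY_MFA)):
        print(label, audit(text, PAM_SSHD, 0o100400) or ["ok"])
```

On a real host, call audit(open("/etc/ssh/sshd_config").read(), open("/etc/pam.d/sshd").read(), secret_file_mode("/home/ron")) and treat any non-empty result as a gap in the deployment.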


9 Sep 2009

Book info: What Would Google Do?

[Images: google, googlerule]

15 May 2009

CAPTCHA again

Saw this on the Shuimu BBS and it cracked me up. Google!

Sender: ogz (OGC), Board: GoogleTech
Title: Google's brain damage is getting more and more obvious
Posted from: Shuimu Community (Fri May 15 14:55:57 2009), on-site

Damn it, I just want to register an account; is that verification code meant for a human to read?
--

[Image: from google]
13 Apr 2009

Google data centers

I read some material on Google's data centers; a summary:

Google's data centers use a container design, with a power usage effectiveness (PUE) of 1.19. A value of 1 means all of the energy goes to the equipment and none to cooling or power distribution; 1.19 means 19% of the energy is consumed by the latter.