2 factor authentication (2 step verification) with Google compute engine


Question

Is there a possibility to enable 2 factor authentication (or 2 step verification a-la Google terminology) for Google compute engine? I'm interested in protecting my VMs, cloud storage and the developers console.

I've tried using the Google Authenticator (libpam) referring to this article Securing SSH with two factor authentication using Google Authenticator on a VM but it didn't succeed (I managed to log in with the gcloud compute shell with no additional code).

[Jan 12th] Some updates: Google developer console works perfectly. Thanks.

For 2-step verification with the compute-engine SSH access, I retried everything all over again. Followed the instructions mentioned in the links provided, and did the following:

  • I created a new Google Cloud project.
  • I used 2 different OS instances - Debian 8.2 and Ubuntu 15.10.

All of these tests failed - there was no prompt for a verification code. I looked around in the Google compute-engine documentation, and they mention explicitly they support only certificate authentication (rather than username/password), so I cannot verify whether this is the root cause.

Is there anyone using 2-step verification with Google compute-engine?

Thanks

Recommended answer

At last - a solution (thanks to Google Cloud support).

A couple of updates on top of the document I have referred to:

Apart from adding a line to /etc/pam.d/sshd, one should also comment out the @include common-auth line. So it should be something like:

auth       required     pam_google_authenticator.so # from the original instructions
# @include common-auth # commenting out is new...

Apart from changing the ChallengeResponseAuthentication property in /etc/ssh/sshd_config, one should also add AuthenticationMethods publickey,keyboard-interactive in the following line:

# from the original instructions
ChallengeResponseAuthentication yes
# this is new...
AuthenticationMethods publickey,keyboard-interactive

Of course, this is on top of the regular instructions of installing libpam-google-authenticator, changing the sshd and sshd_config (as mentioned above), restarting the ssh/sshd service, and setting up the google-authenticator for the account.

Finally, a few more points:

  1. Consider this carefully - from restarting the ssh/sshd account, no one can log in without proper 2FA. So make sure anyone who should have ssh access has configured it properly.
  2. I'm contemplating whether this is the proper solution for us, as it requires setting up the VMs (each VM separately), and manually setting up the authenticator for each account and each VM. Not sure how scalable this alternative is. I would appreciate your thoughts...
  3. Last but not least - the setup of libpam-google-authenticator may be simplified by using apt-get, no need for manually installing all dependencies and building it. Worked for me by running:

sudo apt-get install libpam-google-authenticator


Good luck!
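An offline check for the two files edited in the answer above, added here as an example and not part of the original answer. It assumes that sshd keeps the first value it reads for a keyword, that settings after a Match line are conditional, and that any single AuthenticationMethods list is enough to log in; the function names and sample file contents are constructed for illustration.

```python
import re

# Constructed samples that mirror the settings from the answer.
SAMPLE_SSHD_CONFIG = """\
# from the original instructions
ChallengeResponseAuthentication yes
# this is new...
AuthenticationMethods publickey,keyboard-interactive
"""
SAMPLE_PAM_SSHD = """\
auth       required     pam_google_authenticator.so
# @include common-auth
"""

def global_sshd_options(text):
    """Return {keyword: value} for the global section of an sshd_config."""
    opts = {}
    for raw in text.splitlines():
        parts = raw.strip().split(None, 1)
        if not parts or parts[0].startswith("#"):
            continue                      # blank line or whole-line comment
        key = parts[0].lower()            # keywords are case-insensitive
        if key == "match":
            break                         # the rest applies only conditionally
        opts.setdefault(key, parts[1].strip() if len(parts) > 1 else "")
    return opts

def audit_2fa(sshd_config, pam_sshd):
    """Return a list of findings; an empty list means both files match the answer."""
    findings = []
    opts = global_sshd_options(sshd_config)
    # Newer OpenSSH names the same option KbdInteractiveAuthentication.
    kbd = opts.get("challengeresponseauthentication",
                   opts.get("kbdinteractiveauthentication", ""))
    if kbd.lower() != "yes":
        findings.append("ChallengeResponseAuthentication is not set to yes")
    lists = opts.get("authenticationmethods", "").split()
    if not lists:
        findings.append("AuthenticationMethods is not set, so a single method is accepted")
    for lst in lists:                     # every list must demand key AND code
        methods = {m.split(":")[0] for m in lst.split(",")}
        if not {"publickey", "keyboard-interactive"} <= methods:
            findings.append(f"method list '{lst}' does not require both key and code")
    active = [l.strip() for l in pam_sshd.splitlines()
              if l.strip() and not l.strip().startswith("#")]
    if not any(re.match(r"auth\s+.*\bpam_google_authenticator\.so", l) for l in active):
        findings.append("no active auth line for pam_google_authenticator.so")
    if any(re.match(r"@include\s+common-auth\b", l) for l in active):
        findings.append("@include common-auth is still active")
    return findings
```

Run it against copies of /etc/ssh/sshd_config and /etc/pam.d/sshd before restarting the service, while an existing SSH session is still open.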
