mirror of https://github.com/tildeclub/site.git
updated googleauth.md.
parent 4af0b9472e
commit cb267a164d
|
@ -8,51 +8,55 @@ author: deepend
|
||||||
|
|
||||||
To get started with google authenticator run the following command
|
To get started with google authenticator run the following command
|
||||||
|
|
||||||
'google-authenticator'
|
`google-authenticator`
|
||||||
|
|
||||||
Allow the command to update your Google Authenticator. After running the command, you’ll be asked a couple of questions, the first one being:
|
Allow the command to update your Google Authenticator. After running the
|
||||||
|
command, you’ll be asked a couple of questions, the first one being:
|
||||||
'Do you want authentication tokens to be time-based (y/n)' You need to answer 'yes'(y)
|
This one you need to answer 'yes'(y).
|
||||||
|
|
||||||
You’ll then be presented with a secret key and multiple “scratch codes”.
|
`Do you want authentication tokens to be time-based (y/n)`
|
||||||
We strongly suggest saving these emergency scratch codes in a safe place,
|
|
||||||
like a password manager. These codes are the only way to regain access if
|
You’ll then be presented with a secret key and multiple “scratch codes”.
|
||||||
you lose your phone or lose access to your TOTP app, and each one can
|
We strongly suggest saving these emergency scratch codes in a safe place,
|
||||||
only be used once, so they really are in case of emergency.
|
like a password manager. These codes are the only way to regain access if
|
||||||
|
you lose your phone or lose access to your TOTP app, and each one can
|
||||||
|
only be used once, so they really are in case of emergency.
|
||||||
|
|
||||||
You’ll then be prompted with several questions, The choices are all about balancing security with ease-of-use.
|
You’ll then be prompted with several questions, The choices are all
|
||||||
It begins with:
|
about balancing security with ease-of-use. It begins with:
|
||||||
|
|
||||||
|
`Do you want me to update your "~/.google_authenticator" file (y/n)`
|
||||||
|
|
||||||
'Do you want me to update your "~/.google_authenticator" file (y/n)'
|
|
||||||
You will need to answer 'yes'(y) for google authenticator to work with your login.
|
You will need to answer 'yes'(y) for google authenticator to work with your login.
|
||||||
|
|
||||||
Next question we also suggest answering yes to prevent a replay attack:
|
Next question we also suggest answering yes to prevent a replay attack:
|
||||||
|
|
||||||
'Do you want to disallow multiple uses of the same authentication
|
`Do you want to disallow multiple uses of the same authentication
|
||||||
token? This restricts you to one login about every 30s, but it
|
token? This restricts you to one login about every 30s, but it
|
||||||
increases your chances to notice or even prevent
|
increases your chances to notice or even prevent
|
||||||
man-in-the-middle attacks (y/n)'
|
man-in-the-middle attacks (y/n)`
|
||||||
|
|
||||||
For security reasons we strongly suggest answering 'no'(n) to this next question:
|
For security reasons we strongly suggest answering 'no'(n) to this next question:
|
||||||
|
|
||||||
'By default, tokens are good for 30 seconds and in order to
|
`By default, tokens are good for 30 seconds and in order to
|
||||||
compensate for possible time-skew between the client and the server,
|
compensate for possible time-skew between the client and the server,
|
||||||
we allow an extra token before and after the current time. If you
|
we allow an extra token before and after the current time. If you
|
||||||
experience problems with poor time synchronization, you can increase
|
experience problems with poor time synchronization, you can increase
|
||||||
the window from its default size of 1:30min to about 4min.
|
the window from its default size of 1:30min to about 4min.
|
||||||
Do you want to do so (y/n)'
|
Do you want to do so (y/n)`
|
||||||
|
|
||||||
On the next question we suggest answering 'yes'(y) since rate-limiting means that a remote attacker can only attempt
|
On the next question we suggest answering 'yes'(y) since rate-limiting
|
||||||
a certain number of guesses before being blocked.
|
means that a remote attacker can only attempt a certain number of guesses before being blocked.
|
||||||
|
|
||||||
'If the computer that you are logging into isn't hardened against
|
`If the computer that you are logging into isn't hardened against
|
||||||
brute-force login attempts, you can enable rate-limiting for the
|
brute-force login attempts, you can enable rate-limiting for the
|
||||||
authentication module. By default, this limits attackers to no more
|
authentication module. By default, this limits attackers to no more
|
||||||
than 3 login attempts every 30s.
|
than 3 login attempts every 30s.
|
||||||
Do you want to enable rate-limiting (y/n)'
|
|
||||||
|
|
||||||
Now your configured. Your next login you can login without an SSH key. Make sure you know your account password
|
`Do you want to enable rate-limiting (y/n)`
|
||||||
because login using google-authenticator will still require your password before letting you in.
|
|
||||||
|
Now your configured. Your next login you can login without an SSH key. Make sure you know your account password
|
||||||
|
because login using google-authenticator will still require your password before letting you in.
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
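Review bot: In the first-question paragraph the new text places "This one you need to answer 'yes'(y)." between "the first one being:" and the prompt `Do you want authentication tokens to be time-based (y/n)`, so the colon now introduces the instruction instead of the question. Put the prompt directly after the colon and the answer sentence after it, as the "~/.google_authenticator" question already does. Two smaller points in the same hunk: the closing paragraph still reads "Now your configured" (should be "you're"), and that paragraph and the "means that a remote attacker can only attempt ..." line were left unwrapped while the rest of the file was rewrapped. The prompts that span several lines (multiple uses, time-skew window, rate-limiting) are wrapped in single backticks across line breaks; a fenced block would keep the program's own line layout and render more predictably.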