CN117579402A - Platform secondary authentication login system and method - Google Patents


Info

Publication number
CN117579402A
Authority
CN
China
Prior art keywords
otp
account name
management server
code
authentication
Prior art date
Legal status
Pending
Application number
CN202410066426.0A
Other languages
Chinese (zh)
Inventor
付振新
樊春
杨宏辉
马银萍
李若淼
Current Assignee
Peking University
Original Assignee
Peking University
Application filed by Peking University
Priority to CN202410066426.0A
Publication of CN117579402A
Legal status: Pending

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L 63/083 Network architectures or network communication protocols for network security for authentication of entities using passwords
    • H04L 63/0838 Network architectures or network communication protocols for network security for authentication of entities using passwords using one-time-passwords
    • H04L 63/0876 Network architectures or network communication protocols for network security for authentication of entities based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint
    • H04L 9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L 9/40 Network security protocols

Abstract

The application discloses a platform secondary authentication login system and method. The system includes a target platform and an OTP management server. The OTP management server checks whether an account name is registered; if it is registered, it sends the target platform a prompt to input the OTP code; if it is not registered, it sends the target platform a registration prompt and, once the account name has been registered, the prompt to input the OTP code. The target platform sends the OTP code entered by the target object (the user) to the OTP management server for secondary authentication, and when the secondary authentication passes, the target platform executes the access operation corresponding to the access request. The method and device address the problem in the related art that a high-performance computing cluster is exposed to security threats because OTP keys are stored locally on the login nodes.

Description

Platform secondary authentication login system and method
Technical Field
The application relates to the technical field of network information security, in particular to a platform secondary authentication login system and a method.
Background
High-performance computing clusters contain abundant computing resources and have become a prime target for attackers. Improving the security of such clusters and resisting intrusion is an important task for the operator of a high-performance computing platform.
Most existing high-performance computing clusters use direct system login: users access login nodes over ssh (Secure Shell) and then submit jobs from the login node with the slm scheduling tool. All users share one login node, or a pool of several login nodes; on the login nodes and on every node of the cluster, user files are isolated by Linux file-system permissions and computing resources are isolated by the Cgroup (Control Groups) mechanism. This architecture has security weaknesses. If a user's account is stolen, an attacker can use a privilege-escalation vulnerability to gain control of the whole cluster and threaten the files of every user. Likewise, when users keep login passwords and keys on other servers or personal computers and those machines are compromised, or when a password reused from another (social) site is leaked, the cluster is also compromised.
In view of the above problems, no effective solution has been proposed at present.
Disclosure of Invention
The embodiment of the application provides a platform secondary authentication login system and method, which at least solve the technical problem in the related art that a high-performance computing cluster is exposed to security threats because OTP (one-time password) keys are stored locally.
According to one aspect of the embodiments of the present application, a platform secondary authentication login system is provided, including a target platform and an OTP management server. The target platform is used for responding to a first account name and a first password input by a target object, performing primary authentication on the first account name and the first password, and sending the first account name to the OTP management server when the primary authentication passes; transmitting a first OTP code input by the target object to the OTP management server; and, when the secondary authentication passes, responding to an access request of the target object by executing the access operation corresponding to the access request. The OTP management server is used for querying whether the first account name is registered in the OTP management server; if the first account name is registered, sending first prompt information, which prompts the target object to input a first OTP code, to the target platform; if the first account name is not registered, sending second prompt information, which prompts the target object to register the first account name, to the target platform and, after the first account name has been registered, sending the first prompt information to the target platform; and performing secondary authentication on the first account name and the first OTP code.
Optionally, the target platform includes a man-machine interaction interface and a pluggable authentication module. The pluggable authentication module is used for responding to a first account name and a first password input by the target object in the man-machine interaction interface, performing primary authentication on them, and sending the first account name to the OTP management server when the primary authentication passes; and for sending the first OTP code input by the target object in the man-machine interaction interface to the OTP management server.
Optionally, the target platform further includes an OTP proxy module, and information between the pluggable authentication module and the OTP management server is forwarded through the OTP proxy module.
Optionally, the OTP management server includes a registration module and a database. The registration module is used for querying whether the first account name and a first OTP key corresponding to it exist in the database; if they exist, determining that the first account name is registered and sending the first prompt information to the target platform; if they do not exist, determining that the first account name is not registered and sending the second prompt information to the target platform.
Optionally, the system further includes a dynamic token application, and the OTP management server further includes a key generation module. The registration module is used for responding to a registration request of the target object forwarded by the target platform by calling the key generation module to generate a first OTP key corresponding to the first account name, storing the first account name and the first OTP key in the database, and sending the first OTP key, in a target form, to the dynamic token application bound to the first account name, where the target form includes at least one of a digital (text) form and a two-dimensional (QR) code form. The dynamic token application is used for reading and storing the first OTP key and generating the first OTP code corresponding to it in a preset mode, where the preset mode is one of time-based OTP generation (TOTP) and HMAC-based, counter-driven OTP generation (HOTP).
Optionally, the OTP management server further includes an authentication module, which is used for obtaining the first OTP key corresponding to the first account name from the database, generating a second OTP code from the first OTP key in the same preset mode, and comparing the second OTP code with the first OTP code; if they are the same, the secondary authentication passes; if they differ, the secondary authentication fails.
Optionally, the target platform is configured to send login confirmation information to the target object after receiving the first prompt information, obtain the first OTP code from the dynamic token application in response to a confirmation instruction of the target object, and send the first OTP code to the OTP management server.
Optionally, the target platform includes: the error prompting module is used for sending first error information to the target object when the primary authentication fails, wherein the first error information is used for prompting that the first account name or the first password has errors; when receiving the second prompt message, sending second error message to the target object, wherein the second error message is used for prompting that the first account name is not registered in the OTP management server; and when the secondary authentication fails, sending third error information to the target object, wherein the third error information is used for prompting that the first OTP code has errors.
Optionally, the OTP management server is configured to obtain, after receiving the first OTP code, a number of OTP codes sent by a source IP address corresponding to the target platform within a preset time period; if the number exceeds a preset number threshold, prohibiting the target platform corresponding to the source IP address from accessing the OTP management server; and if the number does not exceed the preset number threshold, continuing to perform secondary authentication on the first account name and the first OTP code.
Optionally, only a preset designated account name can access the OTP proxy module, and the information forwarded by the OTP proxy module carries a first secret key corresponding to the OTP proxy module; the OTP management server only receives the access of the OTP proxy module, when the OTP management server receives the access request from the OTP proxy module, the OTP management server is used for checking a first secret key in the access request and validity checking the access request, and when all the checking passes, corresponding operation corresponding to the access request is executed.
According to another aspect of the embodiments of the present application, a platform secondary authentication login method is also provided, including: responding to a first account name and a first password input by a target object by performing primary authentication on them; when the primary authentication passes, sending the first account name to an OTP management server, where the OTP management server queries whether the first account name is registered in it, sends first prompt information (prompting the target object to input a first OTP code) to the target platform if it is registered, and otherwise sends second prompt information (prompting the target object to register the first account name) to the target platform and sends the first prompt information once the first account name has been registered; responding to the first prompt information by sending the first OTP code input by the target object to the OTP management server, which performs secondary authentication on the first account name and the first OTP code; and, when the secondary authentication passes, responding to an access request of the target object by executing the corresponding access operation.
According to another aspect of the embodiments of the present application, a platform secondary authentication login method is also provided, including: receiving from a target platform a first account name that has passed primary authentication, and querying whether the first account name is registered in the OTP management server; if it is registered, sending first prompt information, which prompts the target object to input a first OTP code, to the target platform; if it is not registered, sending second prompt information, which prompts the target object to register the first account name, to the target platform and, after the first account name has been registered, sending the first prompt information to the target platform; and receiving the first OTP code sent by the target platform and performing secondary authentication on the first account name and the first OTP code.
According to another aspect of the embodiments of the present application, there is further provided a nonvolatile storage medium, where the nonvolatile storage medium includes a stored computer program, and a device where the nonvolatile storage medium is located executes the above-mentioned platform secondary authentication login method by running the computer program.
According to another aspect of the embodiments of the present application, there is also provided an electronic device including: the system comprises a memory and a processor, wherein the memory stores a computer program, and the processor is configured to execute the platform secondary authentication login method through the computer program.
In the platform secondary authentication login system of the embodiment, the target platform performs primary authentication on the account name and password input by the target object and, when that passes, sends the account name to the OTP management server, which checks whether the account name is registered. If it is registered, the server sends the target platform a prompt to input the OTP code; if it is not, the server sends a registration prompt and, once the account name has been registered, the prompt to input the OTP code. The target platform sends the OTP code entered by the target object to the OTP management server for secondary authentication and executes the access operation corresponding to the access request when the secondary authentication passes. Introducing the OTP management server stores the OTP keys centrally and lets that server perform the secondary authentication; even if the target platform (a login node) is compromised, the intruder cannot learn the corresponding OTP key, so key leakage is avoided, the security of the high-performance computing cluster is improved, and the problem in the related art that the cluster is exposed because OTP keys are stored locally is effectively solved.
Drawings
The accompanying drawings, which are included to provide a further understanding of the application and are incorporated in and constitute a part of this application, illustrate embodiments of the application and together with the description serve to explain the application and do not constitute an undue limitation to the application. In the drawings:
FIG. 1 is a schematic diagram of an alternative platform secondary authentication logon system according to an embodiment of the present application;
FIG. 2 is a schematic diagram of an alternative computer terminal according to an embodiment of the present application;
FIG. 3 is a flow chart of an alternative platform secondary authentication login method according to an embodiment of the present application;
fig. 4 is a flow chart of another alternative platform secondary authentication login method according to an embodiment of the present application.
Detailed Description
In order to make the present application solution better understood by those skilled in the art, the following description will be made in detail and with reference to the accompanying drawings in the embodiments of the present application, it is apparent that the described embodiments are only some embodiments of the present application, not all embodiments. All other embodiments, which can be made by one of ordinary skill in the art based on the embodiments herein without making any inventive effort, shall fall within the scope of the present application.
It should be noted that the terms "first," "second," and the like in the description and claims of this application and the accompanying drawings are used for distinguishing between similar objects and not necessarily for describing a particular sequential or chronological order. It is to be understood that the data so used may be interchanged where appropriate such that embodiments of the present application described herein may be implemented in sequences other than those illustrated or otherwise described herein. Furthermore, the terms "comprises," "comprising," and "having," and any variations thereof, are intended to cover a non-exclusive inclusion, such that a process, method, system, article, or apparatus that comprises a list of steps or elements is not necessarily limited to those steps or elements expressly listed but may include other steps or elements not expressly listed or inherent to such process, method, article, or apparatus.
For a better understanding of the embodiments of the present application, some nouns or translations of terms that appear during the description of the embodiments of the present application are explained first as follows:
ssh: is an encrypted network protocol for securely connecting remotely to a computer or server for command line operations, file transfer, and other network services.
OTP (One Time Password, one-time password): the OTP authentication is a mode of authentication by utilizing an automatically generated password, and is often used as a second authentication mode in two-factor authentication.
PAM (Pluggable Authentication Modules, pluggable authentication module): by providing a plurality of dynamic link libraries and a set of unified APIs, the service provided by the system is separated from the authentication mode of the service, so that a system administrator can flexibly configure different authentication modes for different services according to the needs without changing the modules of the service program.
Example 1
In order to improve login security of various service platforms, the embodiment of the present application provides a platform secondary authentication login system, as shown in fig. 1, where the system includes: target platform 11 and OTP management server 12, wherein:
The target platform 11 responds to the first account name and the first password input by the target object, performs primary authentication on the first account name and the first password, and sends the first account name to the OTP management server when the primary authentication passes;
after receiving the first account name, OTP management server 12 inquires whether the first account name is registered in the OTP management server; if the first account name is registered, sending first prompt information for prompting the target object to input a first OTP code to the target platform; if the first account name is not registered, sending second prompt information for prompting the target object to register the first account name to the target platform, and after the first account name is registered, sending the first prompt information to the target platform;
after receiving the first prompt message, the target platform 11 sends a first OTP code input by a target object to an OTP management server;
the OTP management server carries out secondary authentication on the received first account name and the first OTP code;
when the secondary authentication passes, the target platform 11 responds to the access request of the target object, and performs an access operation corresponding to the access request.
It should be noted that the platform secondary authentication login system can be applied to an ordinary service platform as well as to a high-performance computing cluster. A service platform involves only one login node, whereas a cluster usually has several, so in the cluster scenario the target platform is one login node of the cluster. In the embodiments below a high-performance computing cluster is used as the example, and the function of each module of the system is described in detail.
Optionally, the target platform includes: the system comprises a man-machine interaction interface and a pluggable authentication module, wherein the pluggable authentication module responds to a first account name and a first password input by a target object in the man-machine interaction interface, performs one-time authentication on the first account name and the first password, and sends the first account name to an OTP management server when the one-time authentication passes.
Specifically, PAM has four module types: auth, account, password and session. The auth type verifies the user's password and similar credentials, the account type checks the account's authorization, the password type changes the user's password, and the session type configures and manages the session. In this embodiment the secondary authentication, that is, the OTP code check, is implemented in the auth stack. Each rule in a PAM stack carries a control flag; the common ones are required, requisite, sufficient, optional and include. Both required and requisite must succeed for the login to succeed. With required, a failure is not reported immediately: the remaining modules in the stack still run and the failure is returned only when the stack completes. With requisite, a failure is returned immediately and the subsequent modules are not executed. With sufficient, if the module succeeds and no earlier required module has failed, authentication succeeds at that point; a failure of a sufficient module does not by itself make authentication fail. In this embodiment the secondary authentication is mandatory, so its rule is given the control flag required.
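The control-flag semantics just described, as an added example that is not part of the patent: a small model of how a PAM auth stack is evaluated, so that the difference between required and requisite (and where a sufficient module short-circuits) can be checked without a real PAM installation. The module names "pam_unix" and "pam_otp" are placeholders for the password check and the OTP module of the embodiment.

```python
# Added example (not the patent's code): a model of how a PAM auth stack
# evaluates the control flags described above. Each rule is
# (control flag, module name); each module's outcome is supplied in a dict so
# the stack logic can be exercised without a real PAM installation. Module
# names such as "pam_unix" and "pam_otp" are placeholders.

def run_pam_stack(rules, outcomes):
    """Evaluate an auth stack. Returns (passed, list of modules that ran).

    required   - a failure makes the stack fail, but later modules still run
                 and the failure is only returned once the stack completes
    requisite  - a failure ends the stack immediately
    sufficient - success ends the stack with PASS unless an earlier required
                 module already failed; a failure is ignored
    optional   - the result only counts if it is the sole module in the stack
    """
    executed = []
    required_failed = False
    optional_result = None
    for control, module in rules:
        ok = bool(outcomes[module])
        executed.append(module)
        if control == "required":
            required_failed = required_failed or not ok
        elif control == "requisite":
            if not ok:
                return False, executed
        elif control == "sufficient":
            if ok and not required_failed:
                return True, executed
        elif control == "optional":
            optional_result = ok
        else:
            raise ValueError(f"unsupported control flag: {control!r}")
    if all(control == "optional" for control, _ in rules):
        return bool(optional_result), executed
    return not required_failed, executed


# The embodiment: password check, then the OTP module, both mandatory.
STACK_REQUIRED = [("required", "pam_unix"), ("required", "pam_otp")]

# Variant: requisite on the password step stops the stack (and so the call
# to the OTP management server) as soon as the password is wrong.
STACK_REQUISITE = [("requisite", "pam_unix"), ("required", "pam_otp")]
```

With both rules marked required, a wrong password still causes the OTP module to run, so the user is always asked for an OTP code and the login node still contacts the OTP management server; that hides which factor failed from the person typing, at the cost of a server round trip per bad password, which is one reason the per-source-IP limit described later matters.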
The target platform further includes an OTP proxy module. Because of the communication constraints placed on the PAM module in this design, the PAM module does not perform TCP/IP socket communication itself and instead communicates over a UNIX socket; the OTP proxy module therefore sits between the PAM module and the OTP management server and forwards information between them.
Accordingly, the OTP management server includes: registration module and database. After receiving the first account name sent by the PAM module, the OTP management server inquires whether the first account name and a first OTP key corresponding to the first account name exist in a database by utilizing a registration module.
If the first account name and the first OTP key corresponding to the first account name exist in the database, determining that the first account is registered, sending first prompt information to the target platform, and after receiving the first prompt information, sending a first OTP code input by the target object in the man-machine interaction interface to the OTP management server by the target platform.
If the first account name and its first OTP key do not exist in the database, the first account is determined to be unregistered. When the target object then submits a registration request, the registration module in the OTP management server responds to the request forwarded by the target platform by calling the key generation module to generate the first OTP key corresponding to the first account name, storing the first account name and the first OTP key in the database, and sending the first OTP key, in a target form, to the dynamic token application bound to the first account name, where the target form includes at least one of a digital (text) form and a two-dimensional (QR) code form.
Optionally, the platform secondary authentication login system further includes a dynamic token application, which reads and stores the first OTP key and generates the first OTP code corresponding to it in a preset mode. The preset mode is one of time-based OTP generation (TOTP) and HMAC-based, counter-driven OTP generation (HOTP).
In the time-based mode, a shared key (usually a random byte string) is generated first. Both parties divide the current time by a fixed time step (usually 30 or 60 seconds) to obtain a time counter, compute an HMAC over that counter with the shared key using a hash function such as SHA-1 or SHA-256, truncate the result to a fixed number of digits (6 or 8), and format the truncated value as a decimal number to obtain the current OTP code. In the HMAC-based counter mode, a hash function and a key are chosen, a counter that advances with each use (the number of logins) is taken as the input, the HMAC of the counter is computed with the key, and a fixed-length number extracted from the result is formatted as the current OTP code.
When the registration module of the OTP management server determines that the user is not registered, it sends prompt information to the man-machine interaction interface of the target platform asking the user to register at once. If the user chooses to register, the OTP management server generates the corresponding first OTP key, stores it in its own database, and sends the OTP key in digital form or as a two-dimensional code to the man-machine interaction interface of the target platform. The user binds the key by entering it manually in the dynamic token application or by scanning the two-dimensional code with that application; alternatively, the OTP management server can connect to the mobile token application directly and send the OTP key to it automatically for binding. After the binding succeeds, the dynamic token application stores the corresponding OTP key.
Because the OTP keys are stored centrally, even if the target platform (the login node) is compromised, an intruder can capture the OTP codes that users type but cannot obtain their OTP keys. The keys therefore remain safe, the keys distributed earlier can continue to be used once the compromised node has been cleaned, and the security of the high-performance computing cluster is preserved. (A captured code does remain usable for the rest of its time step unless the server refuses to accept the same code twice, so the server side should also reject reuse of a code.)
Optionally, the OTP management server further includes an authentication module, which obtains the first OTP key corresponding to the first account name from the database, generates a second OTP code from the first OTP key in the same preset mode, and compares the second OTP code with the first OTP code; if they are the same, the secondary authentication passes; if they differ, the secondary authentication fails.
Specifically, the secondary authentication can adopt a real-time authentication mode, namely, after the user inputs the first OTP code, the system can immediately authenticate the validity of the password, and decides whether the user is allowed to log in or not according to the authentication result.
Considering that the platform secondary authentication login system may be subjected to OTP enumeration (brute-force guessing) and similar intrusion attempts, access control by source IP address is needed in addition to the secondary verification of the OTP, to further improve the login security of the system.
Optionally, after the OTP management server receives the first OTP code, acquiring the number of OTP codes sent by the source IP address corresponding to the target platform within a preset time period; if the number exceeds a preset number threshold, prohibiting the target platform corresponding to the source IP address from accessing the OTP management server; and if the number does not exceed the preset number threshold, continuing to perform secondary authentication on the first account name and the first OTP code.
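The two generation modes described above, the authentication module's regenerate-and-compare check, and the per-source-IP threshold, brought together in one added Python example that is not the patent's code. The hotp and totp functions follow RFC 4226 and RFC 6238, which is what the text's HMAC-counter mode and time-stamp mode are; the in-memory "database", the 60-second period and 5-code threshold, the one-step drift window, and the refusal to accept the same time step twice are assumptions made for the example.

```python
import base64
import hashlib
import hmac
import secrets
import struct
from collections import defaultdict, deque

# Added example (not the patent's code). Parameter values and the in-memory
# store are assumptions; the OTP arithmetic follows RFC 4226 / RFC 6238.


def hotp(key: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """HMAC-based OTP (RFC 4226): HMAC(key, counter) -> dynamic truncation -> digits."""
    mac = hmac.new(key, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(key: bytes, now: int, step: int = 30, digits: int = 6, algo=hashlib.sha1) -> str:
    """Time-based OTP (RFC 6238): HOTP whose counter is the time step floor(now / step)."""
    return hotp(key, int(now) // step, digits, algo)


def key_from_base32(encoded: str) -> bytes:
    """Reverse of the base32 'digital form' handed to the token app at registration."""
    return base64.b32decode(encoded)


class OTPManagementServer:
    """Central OTP key store: registration, secondary authentication, per-IP limiting."""

    def __init__(self, step=30, digits=6, window=1, limit_period=60, limit_count=5):
        self.step = step
        self.digits = digits
        self.window = window                 # accepted clock drift, in time steps, each side
        self.limit_period = limit_period     # the page's "preset time period" (assumed 60 s)
        self.limit_count = limit_count       # the page's "preset number threshold" (assumed 5)
        self.db = {}                         # account name -> {"key": bytes, "last": counter}
        self._attempts = defaultdict(deque)  # source IP -> times of recently received codes
        self.blocked = set()

    def is_registered(self, account: str) -> bool:
        return account in self.db

    def register(self, account: str, key=None) -> str:
        """Generate (or accept) a key, store it centrally and return the base32
        form that a token app imports; a QR code would carry the same secret."""
        key = key or secrets.token_bytes(20)
        self.db[account] = {"key": key, "last": -1}
        return base64.b32encode(key).decode()

    def _source_allowed(self, ip: str, now: int) -> bool:
        """Sliding-window count of OTP codes from one source IP; exceeding the
        threshold blocks that IP for all further requests."""
        if ip in self.blocked:
            return False
        recent = self._attempts[ip]
        recent.append(now)
        while recent and now - recent[0] > self.limit_period:
            recent.popleft()
        if len(recent) > self.limit_count:
            self.blocked.add(ip)
            return False
        return True

    def verify(self, account: str, code: str, source_ip: str, now: int) -> bool:
        """Secondary authentication: regenerate the code from the stored key and
        compare in constant time. A time step is accepted at most once per
        account (replay protection; an addition beyond what the page describes)."""
        if not self._source_allowed(source_ip, now):
            return False
        entry = self.db.get(account)
        if entry is None:
            return False
        current = int(now) // self.step
        for counter in range(current - self.window, current + self.window + 1):
            if counter < 0 or counter <= entry["last"]:
                continue
            if hmac.compare_digest(hotp(entry["key"], counter, self.digits), code):
                entry["last"] = counter
                return True
        return False
```

The source IP is counted before the account is looked up, so guesses against unregistered names cost the attacker the same as guesses against real ones, and a blocked address stays blocked until an operator clears it.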
The conventional OTP secondary authentication mode is simple to implement: the user only needs to download a dynamic token application on a mobile phone and bind it either by manually entering the digital key information into the application or by using the application's code-scanning function to scan the two-dimensional code displayed on the target platform's web page, after which the user can log in to the system. However, the user must first log in to the target platform, then open the dynamic token application to read the real-time OTP code, and then enter that code into the target platform to complete the login, which increases the input burden on the user. To improve the user experience, the embodiment of the application can instead implement the node login through a login-confirmation authentication mode.
Specifically, after receiving the first prompt information, the target platform may send login confirmation information to the target object and, in response to a confirmation instruction from the target object, automatically acquire the first OTP code from the dynamic token application and send it to the OTP management server.
It should be noted that an attacker may choose to send login requests at random in an attempt to intrude into the corresponding high-performance computing cluster, so if a user accidentally taps the login approval control, an unintended login is easily granted. For safety reasons, the scheme therefore limits the time between the user's SSH login and the user's click on the confirmation, requiring the operation to be completed within 20 seconds. In addition, the IP addresses of user requests are analysed in the background logs, and the addresses behind abnormal requests are blocked promptly. In this mode the user no longer needs to read and type the real-time OTP code, which improves the convenience of login.
The original google-authenticator tool only gives a text prompt when the user enters an OTP code; when login fails, the user often cannot tell whether the password or the OTP code was wrong. Nor does it have any prompt mechanism for a user who has not registered an OTP, so a user who has not registered an OTP, or who enters an OTP code for such a user name, is left confused. To solve this problem, the embodiment of the application also provides an error prompt function.
Optionally, an error prompting module is introduced into the target platform. When the primary authentication fails, the module sends first error information to the target object indicating that the first account name or the first password is wrong; when the second prompt information is received, it sends second error information to the target object indicating that the first account name is not registered in the OTP management server; and when the secondary authentication fails, it sends third error information to the target object indicating that the first OTP code is wrong.
Specifically, only a preset designated account name can access the OTP proxy module: the OTP proxy service is run by adding the corresponding user as an administrator, so that other users in the cluster cannot access the communication interface. The number of such administrator users can be set according to actual requirements; there may be a single administrator user or several.
Optionally, the information forwarded by the OTP proxy module carries a first key corresponding to the OTP proxy module. The OTP management server accepts access only from the OTP proxy module; when it receives an access request from the OTP proxy module, it checks the first key in the request and checks the validity of the request, and only when all checks pass does it execute the operation corresponding to the access request.
A high-performance computing cluster system may fail for various reasons, such as the large number of login node users, the complexity of task types, or an unexpected crash of a login node. To discover such failures early and handle them promptly, cluster connectivity from outside the cluster needs to be tested automatically, that is, the availability of the cluster is checked periodically by simulating the authentication login process, and the login to the high-performance computing cluster can be performed automatically with the paramiko tool. In this way the liveness of the login authentication service can be detected, and at the same time the liveness of the target platform (the login node), the network connectivity to the login node, and the liveness of the login node's database can be detected.
In the platform secondary authentication login system of the embodiment of the application, the target platform performs primary authentication on the account name and password input by the target object and, when the authentication passes, sends the account name to the OTP management server, which inquires whether the account name is registered; if the account name is registered, prompt information for inputting the OTP code is sent to the target platform; if the account name is not registered, registration prompt information is sent to the target platform, and after the account name has been registered, prompt information for inputting the OTP code is sent to the target platform. The target platform then sends the OTP code input by the target object to the OTP management server for secondary authentication and executes the access operation corresponding to the access request when the secondary authentication passes. By introducing the OTP management server to store the OTP keys centrally and performing the secondary authentication on that server, an intruder cannot learn the corresponding OTP key even if a target platform is compromised, so leakage of the OTP key is avoided and the security of the high-performance computing cluster is improved, which effectively solves the technical problem in the related art that local storage of OTP keys exposes the high-performance computing cluster to security threats.
Example 2
On the basis of the platform secondary authentication login system provided in the above embodiment, the embodiment of the present application provides a platform secondary authentication login method implemented by a target platform. It should be noted that the steps illustrated in the flowchart of the drawings may be performed in a computer system such as a set of computer-executable instructions, and that although a logical order is shown in the flowchart, in some cases the steps illustrated or described may be performed in an order different from that described herein.
The target platform in the embodiments of the present application may be a mobile terminal, a computer terminal, or a similar computing device. Fig. 2 shows a hardware block diagram of a computer terminal (or mobile device) for implementing the platform secondary authentication login method. As shown in fig. 2, the computer terminal 20 (or mobile device 20) may include one or more processors 202 (shown as 202a, 202b, …, 202n; the processors 202 may include, but are not limited to, processing means such as a microprocessor MCU or a programmable logic device FPGA), a memory 204 for storing data, and a transmission means 206 for communication functions. In addition, the computer terminal may further include a display, an input/output interface (I/O interface), a Universal Serial Bus (USB) port (which may be included as one of the ports of the bus), a network interface, a power supply, and/or a camera. It will be appreciated by those of ordinary skill in the art that the configuration shown in fig. 2 is merely illustrative and is not intended to limit the configuration of the electronic device described above. For example, the computer terminal 20 may include more or fewer components than shown in fig. 2, or have a different configuration from that shown in fig. 2.
It should be noted that the one or more processors 202 and/or other data processing circuits described above may be referred to herein generally as "data processing circuits". The data processing circuit may be embodied in whole or in part in software, hardware, firmware, or any other combination. Furthermore, the data processing circuitry may be a single stand-alone processing module, or may be incorporated, in whole or in part, into any of the other elements in the computer terminal 20 (or mobile device). As referred to in the embodiments of the present application, the data processing circuit acts as a processor control (e.g., selection of the path of the variable resistor termination connected to the interface).
The memory 204 may be used to store software programs and modules of application software, such as a program instruction/data storage device corresponding to the platform secondary authentication login method in the embodiment of the present application, and the processor 202 executes the software programs and modules stored in the memory 204, thereby executing various functional applications and data processing, that is, implementing the vulnerability detection method of the application program. Memory 204 may include high-speed random access memory, and may also include non-volatile memory, such as one or more magnetic storage devices, flash memory, or other non-volatile solid-state memory. In some examples, the memory 204 may further include memory located remotely from the processor 202, which may be connected to the computer terminal 20 via a network. Examples of such networks include, but are not limited to, the internet, intranets, local area networks, mobile communication networks, and combinations thereof.
The transmission means 206 is used for receiving or transmitting data via a network. The specific examples of the network described above may include a wireless network provided by a communication provider of the computer terminal 20. In one example, the transmission device 206 includes a network adapter (Network Interface Controller, NIC) that can connect to other network devices through a base station to communicate with the internet. In one example, the transmission device 206 may be a Radio Frequency (RF) module for communicating with the internet wirelessly.
The display may be, for example, a touch screen type Liquid Crystal Display (LCD) that may enable a user to interact with a user interface of the computer terminal 20 (or mobile device).
In the above operating environment, the embodiment of the application provides a platform secondary authentication login method, as shown in fig. 3, which includes the following steps:
step S302, responding to a first account name and a first password input by a target object, and performing primary authentication on the first account name and the first password;
step S304, when the primary authentication is passed, the first account name is sent to an OTP management server, wherein the OTP management server is used for inquiring whether the first account name is registered in the OTP management server; if the first account name is registered, the OTP management server sends first prompt information, for prompting the target object to input a first OTP code, to the target platform; if the first account name is unregistered, the OTP management server sends second prompt information, for prompting the target object to register the first account name, to the target platform, and after the first account name is registered, sends the first prompt information to the target platform;
step S306, responding to the first prompt information, and sending the first OTP code input by the target object to the OTP management server, wherein the OTP management server is used for performing secondary authentication on the first account name and the first OTP code;
step S308, when the secondary authentication is passed, responding to the access request of the target object, and executing the access operation corresponding to the access request.
The steps of the platform secondary authentication login method are described below in connection with specific implementation procedures.
Optionally, a pluggable authentication module (PAM module) in the target platform responds to the first account name and the first password input by the target object in the man-machine interaction interface, performs primary authentication on the first account name and the first password, and sends the first account name to the OTP management server when the primary authentication passes.
Specifically, the PAM module has four parts: auth, account, password and session. The auth part is mainly responsible for verifying the user's password and the like, the account part verifies the authority of the account, the password part is responsible for changing the user password, and the session part configures and manages the session. In the embodiment of the application, the secondary authentication, that is, the OTP code authentication, is mainly implemented in the auth part of the PAM module. Different control levels can be set for each rule in the PAM module; the common control levels are required, requisite, sufficient, optional and include. Both required and requisite are items that must be satisfied during login: required does not feed back failure information in real time but waits until verification is complete and then feeds back the failure, whereas requisite feeds back failure information in real time, that is, it returns failure as soon as verification fails and does not execute the subsequent verification steps. For sufficient, if this module succeeds and no required module has failed before it, the authentication of this module succeeds; a failure of a sufficient module does not in itself cause the authentication to fail. In this embodiment, the secondary authentication is a mandatory authentication option, so the control level corresponding to the secondary authentication is required.
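As an added illustration, not code from the patent, the following Python simulates how a PAM auth stack is evaluated under the control levels just described (required, requisite, sufficient, optional; include is not modelled), using a constructed two-line stack of a password check followed by the OTP secondary authentication. Module names and results are constructed; no real PAM module is loaded.

```python
# Added example (not part of the patent): simulation of how a PAM auth stack
# is evaluated under the control flags described above. Module names and
# results are constructed; no real PAM module is loaded.
from typing import List, Tuple

# One stack line: (control flag, module name, module result).
# The result is True for PAM_SUCCESS and False for any failure code.
StackEntry = Tuple[str, str, bool]


def evaluate_auth_stack(stack: List[StackEntry]) -> Tuple[bool, List[str]]:
    """Return (authenticated, names of the modules that actually ran).

    required   - must succeed; a failure is remembered but the remaining
                 modules still run, so the failure is reported only at the end.
    requisite  - must succeed; a failure is reported immediately and no
                 later module runs.
    sufficient - a success ends the stack with PASS unless an earlier
                 required module already failed; a failure is ignored.
    optional   - the result counts only if it is the only module in the stack.
    """
    required_failed = False
    ran: List[str] = []
    for flag, name, ok in stack:
        ran.append(name)
        if flag == "required":
            if not ok:
                required_failed = True       # deferred failure
        elif flag == "requisite":
            if not ok:
                return False, ran            # immediate failure
        elif flag == "sufficient":
            if ok and not required_failed:
                return True, ran             # early success
        elif flag == "optional":
            if len(stack) == 1:
                return ok, ran
        else:
            raise ValueError(f"unknown control flag: {flag}")
    return not required_failed, ran


def login_stack(password_ok: bool, otp_ok: bool,
                password_flag: str = "required") -> List[StackEntry]:
    """Constructed stack for the embodiment: password check first, then the
    OTP secondary authentication as a mandatory (required) step."""
    return [
        (password_flag, "password check (first account name / first password)", password_ok),
        ("required", "OTP check (first OTP code via OTP proxy module)", otp_ok),
    ]


if __name__ == "__main__":
    # With 'required' on the password line a wrong password still lets the OTP
    # module prompt and run; the user learns of the failure only at the end.
    print(evaluate_auth_stack(login_stack(False, True)))
    # With 'requisite' the wrong password stops the stack before the OTP prompt.
    print(evaluate_auth_stack(login_stack(False, True, "requisite")))
```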
The target platform further comprises an OTP proxy module. Because the PAM module is constrained by its communication requirements, it cannot perform TCP/IP socket communication directly and must communicate over a UNIX socket; the OTP proxy module is therefore placed between the PAM module and the OTP management server to forward information.
Correspondingly, after receiving the first account name sent by the PAM module, the OTP management server uses a registration module in the OTP management server to inquire whether the first account name and a first OTP key corresponding to the first account name exist in a database.
If the first account name and the first OTP key corresponding to the first account name exist in the database, the first account is determined to be registered and first prompt information is sent to the target platform; after receiving the first prompt information, the target platform sends the first OTP code input by the target object in the man-machine interaction interface to the OTP management server.
If the first account name and the corresponding first OTP key do not exist in the database, the first account is determined to be unregistered. In that case, in response to a registration request of the target object forwarded by the target platform, the registration module in the OTP management server calls a key generation module to generate the first OTP key corresponding to the first account name, stores the first account name and the first OTP key in the database, and sends the first OTP key to the dynamic token application bound to the first account name in a target form, where the target form comprises at least one of the following: digital form, two-dimensional code form.
Optionally, the dynamic token application identifies and stores the first OTP key, and generates a first OTP code corresponding to the first OTP key according to a preset manner, where the preset manner includes one of: an OTP generation mode based on a time stamp and an OTP generation mode based on a hash message authentication code.
In the time-stamp based OTP generation mode, a shared key, usually a random string, is generated; both verifying parties derive a time counter from the current time using a time step (usually 30 seconds or 60 seconds), take the shared key and the time counter as input, compute a hash value with a hash function (such as SHA-1 or SHA-256), truncate the hash value to a fixed number of digits (6 or 8), and format the truncated value (for example, as a decimal number) to produce the final real-time OTP code. In the hash message authentication code based OTP generation mode, a hash function and a corresponding key are chosen, the login count is taken as input, the hash function and key are applied to the login count to produce a hash value, and a fixed-length number is extracted from the hash value and formatted as the real-time OTP code.
When the registration module in the OTP management server determines that the user is not registered, prompt information is sent to the man-machine interaction interface of the target platform asking the user to register immediately. If the user chooses to register immediately, the OTP management server generates the corresponding first OTP key, stores it in its database, and sends the OTP key in digital form or in two-dimensional code form to the man-machine interaction interface of the target platform; the user can then bind by entering the OTP key manually or by scanning its two-dimensional code in the dynamic token application. Alternatively, the OTP management server can connect to the mobile token application automatically and send the OTP key to it for binding. After the binding succeeds, the dynamic token application stores the corresponding OTP key automatically.
Because the OTP key is stored centrally, even if a target platform, namely a login node, is compromised, an intruder can capture the OTP code entered by a user but cannot obtain the user's OTP key. The security of the OTP key is thereby ensured, the previously distributed OTP key can continue to be used once the malicious software has been removed, and the security of the high-performance computing cluster is ensured.
Optionally, the OTP management server obtains the first OTP key corresponding to the first account name from the database, generates a second OTP code for the first OTP key in a preset manner, and compares the second OTP code with the first OTP code; if the two codes are identical, the secondary authentication is determined to pass, and if they differ, the secondary authentication is determined to fail.
Specifically, the secondary authentication may be performed in real time: as soon as the user enters the first OTP code, the system authenticates the validity of the code and decides, according to the result, whether the user is allowed to log in.
Since the platform secondary authentication login system may be subjected to enumeration attacks and other intrusion attempts, access control on the source IP address is required in addition to the secondary verification of the OTP code, which further improves the login security of the system.
Optionally, after the OTP management server receives the first OTP code, it acquires the number of OTP codes sent within a preset time period by the source IP address corresponding to the target platform; if the number exceeds a preset threshold, the target platform corresponding to that source IP address is prohibited from accessing the OTP management server, and if it does not, secondary authentication of the first account name and the first OTP code continues.
The conventional OTP secondary authentication mode is simple to implement: the user only needs to download a dynamic token application on a mobile phone and bind it either by manually entering the digital key information into the application or by using the application's code-scanning function to scan the two-dimensional code displayed on the target platform's web page, after which the user can log in to the system. However, the user must first log in to the target platform, then open the dynamic token application to read the real-time OTP code, and then enter that code into the target platform to complete the login, which increases the input burden on the user. To improve the user experience, the embodiment of the application can instead implement the node login through a login-confirmation authentication mode.
Specifically, after receiving the first prompt information, the target platform may send login confirmation information to the target object and, in response to a confirmation instruction from the target object, automatically acquire the first OTP code from the dynamic token application and send it to the OTP management server.
It should be noted that an attacker may choose to send login requests at random in an attempt to intrude into the corresponding high-performance computing cluster, so if a user accidentally taps the login approval control, an unintended login is easily granted. For safety reasons, the scheme therefore limits the time between the user's SSH login and the user's click on the confirmation, requiring the operation to be completed within 20 seconds. In addition, the IP addresses of user requests are analysed in the background logs, and the addresses behind abnormal requests are blocked promptly. In this mode the user no longer needs to read and type the real-time OTP code, which improves the convenience of login.
The original google-authenticator tool only gives a text prompt when the user enters an OTP code; when login fails, the user often cannot tell whether the password or the OTP code was wrong. Nor does it have any prompt mechanism for a user who has not registered an OTP, so a user who has not registered an OTP, or who enters an OTP code for such a user name, is left confused. To solve this problem, the embodiment of the application also provides an error prompt function.
Optionally, an error prompting module is introduced into the target platform. When the primary authentication fails, the module sends first error information to the target object indicating that the first account name or the first password is wrong; when the second prompt information is received, it sends second error information to the target object indicating that the first account name is not registered in the OTP management server; and when the secondary authentication fails, it sends third error information to the target object indicating that the first OTP code is wrong.
Specifically, only a preset designated account name can access the OTP proxy module: the OTP proxy service is run by adding the corresponding user as an administrator, so that other users in the cluster cannot access the communication interface. The number of such administrator users can be set according to actual requirements; there may be a single administrator user or several.
Optionally, the information forwarded by the OTP proxy module carries a first key corresponding to the OTP proxy module. The OTP management server accepts access only from the OTP proxy module; when it receives an access request from the OTP proxy module, it checks the first key in the request and checks the validity of the request, and only when all checks pass does it execute the operation corresponding to the access request.
A high-performance computing cluster system may fail for various reasons, such as the large number of login node users, the complexity of task types, or an unexpected crash of a login node. To discover such failures early and handle them promptly, cluster connectivity from outside the cluster needs to be tested automatically, that is, the availability of the cluster is checked periodically by simulating the authentication login process, and the login to the high-performance computing cluster can be performed automatically with the paramiko tool. In this way the liveness of the login authentication service can be detected, and at the same time the liveness of the target platform (the login node), the network connectivity to the login node, and the liveness of the login node's database can be detected.
In the embodiment of the application, the target platform performs primary authentication on the account name and password input by the target object and, when the authentication passes, sends the account name to the OTP management server, which inquires whether the account name is registered; if the account name is registered, prompt information for inputting the OTP code is sent to the target platform; if the account name is not registered, registration prompt information is sent to the target platform, and after the account name has been registered, prompt information for inputting the OTP code is sent to the target platform. The target platform then sends the OTP code input by the target object to the OTP management server for secondary authentication and executes the access operation corresponding to the access request when the secondary authentication passes. By introducing the OTP management server to store the OTP keys centrally and performing the secondary authentication on that server, an intruder cannot learn the corresponding OTP key even if a target platform is compromised, so leakage of the OTP key is avoided and the security of the high-performance computing cluster is improved, which effectively solves the technical problem in the related art that local storage of OTP keys exposes the high-performance computing cluster to security threats.
Example 3
On the basis of the platform secondary authentication login system provided by the embodiment, the embodiment of the application provides a platform secondary authentication login method implemented by an OTP management server, as shown in fig. 4, the method comprises the following steps:
step S402, receiving a first account name that has passed primary authentication and is sent by the target platform, and inquiring whether the first account name is registered in the OTP management server;
step S404, if the first account name is registered, sending first prompt information for prompting the target object to input a first OTP code to the target platform;
step S406, if the first account name is not registered, sending second prompt information for prompting the target object to register the first account name to the target platform, and after the first account name is registered, sending the first prompt information to the target platform;
step S408, receiving the first OTP code sent by the target platform, and performing secondary authentication on the first account name and the first OTP code.
The steps of the platform secondary authentication login method are described below in connection with specific implementation procedures.
If the first account name and the first OTP key corresponding to the first account name exist in the database, the first account is determined to be registered and first prompt information is sent to the target platform; after receiving the first prompt information, the target platform sends the first OTP code input by the target object in the man-machine interaction interface to the OTP management server.
If the first account name and the corresponding first OTP key do not exist in the database, the first account is determined to be unregistered. In that case, in response to a registration request of the target object forwarded by the target platform, the registration module in the OTP management server calls a key generation module to generate the first OTP key corresponding to the first account name, stores the first account name and the first OTP key in the database, and sends the first OTP key to the dynamic token application bound to the first account name in a target form, where the target form comprises at least one of the following: digital form, two-dimensional code form.
Optionally, the dynamic token application identifies and stores the first OTP key, and generates a first OTP code corresponding to the first OTP key according to a preset manner, where the preset manner includes one of: an OTP generation mode based on a time stamp and an OTP generation mode based on a hash message authentication code.
In the time-stamp based OTP generation mode, a shared key, usually a random string, is generated; both verifying parties derive a time counter from the current time using a time step (usually 30 seconds or 60 seconds), take the shared key and the time counter as input, compute a hash value with a hash function (such as SHA-1 or SHA-256), truncate the hash value to a fixed number of digits (6 or 8), and format the truncated value (for example, as a decimal number) to produce the final real-time OTP code. In the hash message authentication code based OTP generation mode, a hash function and a corresponding key are chosen, the login count is taken as input, the hash function and key are applied to the login count to produce a hash value, and a fixed-length number is extracted from the hash value and formatted as the real-time OTP code.
When the registration module in the OTP management server determines that the user is not registered, prompt information is sent to the man-machine interaction interface of the target platform asking the user to register immediately. If the user chooses to register immediately, the OTP management server generates the corresponding first OTP key, stores it in its database, and sends digital information or two-dimensional code information containing the first OTP key to the man-machine interaction interface of the target platform; the user can bind either by entering the digital information manually in the dynamic token application or by scanning the two-dimensional code displayed on the man-machine interaction interface of the target platform with the code-scanning function of the dynamic token application, and the dynamic token application stores the corresponding first OTP key.
Based on the method, even if a target platform, namely a login node, is broken, an intruder can acquire an OTP code input by a user, but cannot acquire the OTP key of the user, so that the safety of the OTP key can be ensured, and after viruses are cleared, the OTP key distributed before can be continuously used, so that the safety of a high-performance computing cluster is ensured.
Optionally, the OTP management server retrieves the first OTP key corresponding to the first account name from the database, generates a second OTP code for that key in the same preset manner, and compares the second OTP code with the first OTP code: if the two codes are identical, the secondary authentication passes; if they differ, the secondary authentication fails.
Specifically, the secondary authentication can be performed in real time: as soon as the user enters the first OTP code, the system verifies its validity and decides from the result whether the user is allowed to log in.
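The following Python is an added example, not code from the patent or from Peking University. It implements the two generation modes described above (the counter-based mode per RFC 4226 and the time-based mode per RFC 6238, with the hash function, time step and digit count as parameters) together with the server-side check in which the OTP management server regenerates a second OTP code from the stored key and compares it with the submitted first OTP code. Two details that the description leaves implicit are made explicit here: the comparison uses a constant-time function so that the check does not leak timing information, and the counter-based verifier only accepts counters at or beyond the one stored for the account, so a captured code cannot be replayed. The 20-byte key used in the self-check is the published RFC test key; a real deployment generates a random key per account as the key generation module does.

```python
import hashlib
import hmac
import struct
import time
from typing import Optional


def hotp(key: bytes, counter: int, digits: int = 6, algorithm=hashlib.sha1) -> str:
    """HOTP (RFC 4226): HMAC over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), algorithm).digest()
    offset = mac[-1] & 0x0F                      # low nibble of the last byte selects a 4-byte window
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(key: bytes, at: Optional[float] = None, step: int = 30,
         digits: int = 6, algorithm=hashlib.sha1) -> str:
    """TOTP (RFC 6238): HOTP whose counter is the Unix time divided by the time step."""
    if at is None:
        at = time.time()
    return hotp(key, int(at // step), digits, algorithm)


def verify_totp(key: bytes, submitted: str, at: Optional[float] = None, step: int = 30,
                digits: int = 6, window: int = 1, algorithm=hashlib.sha1) -> bool:
    """Server side: regenerate the code for the current step and `window` steps on either
    side (tolerance for clock drift) and compare each candidate in constant time."""
    if at is None:
        at = time.time()
    counter = int(at // step)
    ok = False
    for delta in range(-window, window + 1):
        expected = hotp(key, counter + delta, digits, algorithm)
        # Evaluate every candidate rather than returning early, so timing does not
        # reveal which step matched.
        ok |= hmac.compare_digest(expected, submitted)
    return ok


def verify_hotp(key: bytes, submitted: str, stored_counter: int, look_ahead: int = 5,
                digits: int = 6, algorithm=hashlib.sha1) -> Optional[int]:
    """Server side for the counter-based mode. Accept the code only for counters from the
    stored value up to stored + look_ahead (a resynchronisation window). Returns the
    counter the server must persist next, or None if the code is rejected. A counter that
    was already consumed is never accepted again, which defeats replay of a captured code."""
    for c in range(stored_counter, stored_counter + look_ahead + 1):
        if hmac.compare_digest(hotp(key, c, digits, algorithm), submitted):
            return c + 1
    return None


if __name__ == "__main__":
    # Published RFC 4226 / RFC 6238 test key (ASCII "12345678901234567890"); not a real secret.
    k = b"12345678901234567890"
    print("HOTP, counter 0:", hotp(k, 0))                          # 755224 (RFC 4226 Appendix D)
    print("TOTP at t=59, 8 digits:", totp(k, at=59, digits=8))     # 94287082 (RFC 6238 Appendix B)
    print("live code verifies:", verify_totp(k, totp(k)))
```

For the time-based mode a practitioner additionally records, per account, the last time step for which a code was accepted and refuses a second code for that same step; otherwise an OTP captured on a compromised login node stays usable until the step expires, which the patent's threat model (a breached target platform) makes relevant.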
Since the platform secondary authentication login system may be subjected to enumeration (brute-force) attacks and other intrusion attempts, access control on the source IP address is applied in addition to the secondary verification of the OTP, which further improves the login security of the system.
Optionally, after receiving the first OTP code, the OTP management server obtains the number of OTP codes sent within a preset time period from the source IP address corresponding to the target platform. If that number exceeds a preset threshold, the target platform at that source IP address is prohibited from accessing the OTP management server; if it does not, the server continues with the secondary authentication of the first account name and the first OTP code.
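An added example, not from the patent, of the per-source-IP check just described, in Python. A sliding-window counter records each OTP submission from a source IP; once the count inside the window exceeds the threshold the IP is refused for a block period, and only submissions that pass this gate proceed to OTP verification. The threshold, window length and block length are assumed values, and the clock is passed in explicitly so the behaviour can be exercised without waiting.

```python
import time
from collections import defaultdict, deque
from typing import Deque, Dict, Optional


class SourceIpLimiter:
    """Sliding-window count of OTP submissions per source IP (constructed example)."""

    def __init__(self, max_attempts: int = 5, window_seconds: float = 60.0,
                 block_seconds: float = 600.0):
        self.max_attempts = max_attempts          # assumed threshold: submissions allowed per window
        self.window = window_seconds              # assumed preset time period
        self.block_seconds = block_seconds        # assumed duration of the access prohibition
        self._attempts: Dict[str, Deque[float]] = defaultdict(deque)  # ip -> recent submission times
        self._blocked_until: Dict[str, float] = {}                    # ip -> time the block lapses

    def allow(self, ip: str, now: Optional[float] = None) -> bool:
        """Register one OTP submission from `ip` and report whether the OTP management server
        should go on to verify it. Returns False when the submissions inside the window exceed
        max_attempts, and keeps returning False until the block period has elapsed."""
        if now is None:
            now = time.monotonic()
        until = self._blocked_until.get(ip)
        if until is not None:
            if now < until:
                return False                      # still prohibited; do not even count it
            del self._blocked_until[ip]           # block lapsed: start with a clean window
            self._attempts[ip].clear()
        recent = self._attempts[ip]
        recent.append(now)
        while recent and now - recent[0] > self.window:
            recent.popleft()                      # drop submissions older than the window
        if len(recent) > self.max_attempts:
            self._blocked_until[ip] = now + self.block_seconds
            return False
        return True


if __name__ == "__main__":
    limiter = SourceIpLimiter(max_attempts=3, window_seconds=60, block_seconds=600)
    for t in (0, 1, 2, 3):
        print("t=%d allowed: %s" % (t, limiter.allow("192.0.2.10", now=t)))
```

The limiter sits in front of the secondary authentication step: the server calls `allow()` with the source IP of the forwarding target platform before regenerating the second OTP code, so a node that is spraying codes is cut off without touching the key database.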
In this embodiment of the application, the OTP management server receives a first account name that has passed primary authentication from a target platform and queries whether the first account name is registered in the OTP management server. If the first account name is registered, it sends first prompt information to the target platform prompting the target object to input a first OTP code; if the first account name is not registered, it sends second prompt information prompting the target object to register the first account name and, once the first account name has been registered, sends the first prompt information to the target platform. It then performs secondary authentication on the first account name and the first OTP code. By introducing an OTP management server that stores the OTP keys centrally and performs the secondary authentication, an intruder who breaks into a target platform still cannot learn the corresponding OTP key, so key leakage is avoided and the security of the high-performance computing cluster is improved; this addresses the security threat that local storage of OTP keys poses to high-performance computing clusters in the related art.
Embodiment 4
According to an embodiment of the present application, there is further provided a nonvolatile storage medium, where the nonvolatile storage medium includes a stored computer program, and a device where the nonvolatile storage medium is located executes the platform secondary authentication login method in embodiment 2 or embodiment 3 by running the computer program.
According to an embodiment of the present application, there is further provided a processor configured to execute a computer program, where the computer program executes the platform secondary authentication login method in embodiment 2 or embodiment 3.
According to an embodiment of the present application, there is also provided an electronic device including: a memory and a processor, wherein the memory stores a computer program, and the processor is configured to execute the platform secondary authentication login method in embodiment 2 or embodiment 3 by the computer program.
Optionally, the computer program performs the following steps when run: in response to a first account name and a first password input by the target object, performing primary authentication on the first account name and the first password; when the primary authentication passes, sending the first account name to an OTP management server, where the OTP management server queries whether the first account name is registered in the OTP management server, sends first prompt information to the target platform prompting the target object to input a first OTP code if the first account name is registered, and sends second prompt information to the target platform prompting the target object to register the first account name if it is not registered, sending the first prompt information to the target platform once the first account name has been registered; in response to the first prompt information, sending the first OTP code input by the target object to the OTP management server, which performs secondary authentication on the first account name and the first OTP code; and when the secondary authentication passes, responding to the access request of the target object and executing the access operation corresponding to the access request.
Optionally, the computer program performs the following steps when run: receiving a first account name that has passed primary authentication from a target platform, and querying whether the first account name is registered in the OTP management server; if the first account name is registered, sending first prompt information to the target platform prompting the target object to input a first OTP code; if the first account name is not registered, sending second prompt information to the target platform prompting the target object to register the first account name and, once the first account name has been registered, sending the first prompt information to the target platform; and receiving the first OTP code sent by the target platform and performing secondary authentication on the first account name and the first OTP code.
The foregoing embodiment numbers are merely for the purpose of description and do not represent the advantages or disadvantages of the embodiments.
In the foregoing embodiments of the present application, the descriptions of the embodiments are emphasized, and for a portion of this disclosure that is not described in detail in this embodiment, reference is made to the related descriptions of other embodiments.
In the several embodiments provided in the present application, it should be understood that the disclosed technology content may be implemented in other manners. The above-described embodiments of the apparatus are merely exemplary, and the division of units may be a logic function division, and there may be another division manner in actual implementation, for example, multiple units or components may be combined or integrated into another system, or some features may be omitted, or not performed. Alternatively, the coupling or direct coupling or communication connection shown or discussed with each other may be through some interfaces, units or modules, or may be in electrical or other forms.
The units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed over a plurality of units. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of this embodiment.
In addition, each functional unit in each embodiment of the present application may be integrated in one processing unit, or each unit may exist alone physically, or two or more units may be integrated in one unit. The integrated units may be implemented in hardware or in software functional units.
The integrated units, if implemented in the form of software functional units and sold or used as stand-alone products, may be stored in a computer-readable storage medium. On this understanding, the technical solution of the present application, in essence or in the part that contributes to the prior art, or all or part of the technical solution, may be embodied in the form of a software product stored in a storage medium and including several instructions that cause a computer device (which may be a personal computer, a server, a network device, etc.) to perform all or part of the steps of the methods of the embodiments of the present application. The storage medium includes a USB flash drive, a read-only memory (ROM), a random access memory (RAM), a removable hard disk, a magnetic disk, an optical disk, or any other medium capable of storing program code.
The foregoing is merely a preferred embodiment of the present application and it should be noted that modifications and adaptations to those skilled in the art may be made without departing from the principles of the present application and are intended to be comprehended within the scope of the present application.

Claims (14)

1. A platform secondary authentication login system, comprising: a target platform and a one-time password (OTP) management server, wherein,
the target platform is used for responding to a first account name and a first password input by a target object, performing primary authentication on the first account name and the first password, and sending the first account name to the OTP management server when the primary authentication passes; sending a first OTP code input by the target object to the OTP management server; and, when the secondary authentication passes, responding to the access request of the target object and executing the access operation corresponding to the access request;
the OTP management server is used for inquiring whether the first account name is registered in the OTP management server; if the first account name is registered, sending first prompt information for prompting the target object to input the first OTP code to the target platform; if the first account name is not registered, sending second prompt information for prompting the target object to register the first account name to the target platform, and after the first account name is registered, sending the first prompt information to the target platform; and carrying out secondary authentication on the first account name and the first OTP code.
2. The system of claim 1, wherein the target platform comprises: a man-machine interaction interface and a pluggable authentication module, wherein,
the pluggable authentication module is used for responding to the first account name and the first password input by the target object in the man-machine interaction interface, performing primary authentication on the first account name and the first password, and sending the first account name to the OTP management server when the primary authentication passes; and sending the first OTP code input by the target object in the man-machine interaction interface to the OTP management server.
3. The system of claim 2, wherein the target platform further comprises: an OTP proxy module, wherein,
information is forwarded between the pluggable authentication module and the OTP management server through the OTP proxy module.
4. The system of claim 1, wherein the OTP management server includes: a registration module and a database, wherein,
the registration module is used for inquiring whether the first account name and a first OTP key corresponding to the first account name exist in the database; if they exist, determining that the first account name is registered and sending the first prompt information to the target platform; and if they do not exist, determining that the first account name is not registered and sending the second prompt information to the target platform.
5. The system of claim 4, wherein the system further comprises: the dynamic token application, the OTP management server further comprises: a key generation module, wherein,
the registration module is configured to respond to a registration request of the target object forwarded by the target platform, invoke the key generation module to generate a first OTP key corresponding to the first account name, store the first account name and the first OTP key in the database, and send the first OTP key in a target form to the dynamic token application bound to the first account name, where the target form includes at least one of: a digital form and a two-dimensional code form;
the dynamic token application is configured to identify and store the first OTP key, and generate the first OTP code corresponding to the first OTP key according to a preset manner, where the preset manner includes one of the following: an OTP generation mode based on a time stamp and an OTP generation mode based on a hash message authentication code.
6. The system of claim 5, wherein the OTP management server further comprises: an authentication module, wherein,
the authentication module is used for acquiring the first OTP key corresponding to the first account name from the database, generating a second OTP code corresponding to the first OTP key according to the preset manner, and comparing the second OTP code with the first OTP code; if the second OTP code is the same as the first OTP code, determining that the secondary authentication passes; and if the second OTP code is different from the first OTP code, determining that the secondary authentication does not pass.
7. The system of claim 5, wherein,
the target platform is used for sending login confirmation information to the target object after receiving the first prompt information, responding to the confirmation instruction of the target object, acquiring the first OTP code from the dynamic token application, and sending the first OTP code to the OTP management server.
8. The system of claim 1, wherein the target platform comprises: an error prompting module, wherein,
the error prompting module is used for sending first error information to the target object when the primary authentication fails, wherein the first error information is used for prompting that the first account name or the first password has errors; when the second prompt message is received, second error information is sent to the target object, wherein the second error information is used for prompting that the first account name is not registered in the OTP management server; and when the secondary authentication fails, sending third error information to the target object, wherein the third error information is used for prompting that the first OTP code has errors.
9. The system of claim 1, wherein,
the OTP management server is used for acquiring the number of OTP codes sent by the source IP address corresponding to the target platform in a preset time period after receiving the first OTP code; if the number exceeds a preset number threshold, prohibiting the target platform corresponding to the source IP address from accessing the OTP management server; and if the number does not exceed the preset number threshold, continuing to perform secondary authentication on the first account name and the first OTP code.
10. The system of claim 3, wherein,
only a preset designated account name can access the OTP proxy module, and the information forwarded by the OTP proxy module carries a first secret key corresponding to the OTP proxy module;
the OTP management server only accepts access from the OTP proxy module; when it receives an access request from the OTP proxy module, the OTP management server is used for checking the first secret key in the access request and checking the validity of the access request, and executes the operation corresponding to the access request only when all checks pass.
11. A platform secondary authentication login method, applied to a target platform, characterized by comprising the following steps:
responding to a first account name and a first password input by a target object, and performing primary authentication on the first account name and the first password;
when the primary authentication passes, sending the first account name to an OTP management server, wherein the OTP management server is used for inquiring whether the first account name is registered in the OTP management server, sending first prompt information for prompting the target object to input a first OTP code to the target platform if it is registered, and sending second prompt information for prompting the target object to register the first account name to the target platform if it is not registered, and, after the first account name is registered, sending the first prompt information to the target platform;
responding to the first prompt information, and sending a first OTP code input by the target object to the OTP management server, wherein the OTP management server is used for carrying out secondary authentication on the first account name and the first OTP code;
and when the secondary authentication is passed, responding to the access request of the target object, and executing the access operation corresponding to the access request.
12. A platform secondary authentication login method, applied to an OTP management server, characterized by comprising the following steps:
receiving a first account name that has passed primary authentication from a target platform, and inquiring whether the first account name is registered in the OTP management server;
if the first account name is registered, sending first prompt information for prompting a target object to input a first OTP code to the target platform;
if the first account name is not registered, sending second prompt information for prompting the target object to register the first account name to the target platform, and after the first account name is registered, sending the first prompt information to the target platform;
and receiving the first OTP code sent by the target platform, and performing secondary authentication on the first account name and the first OTP code.
13. A non-volatile storage medium, characterized in that the non-volatile storage medium comprises a stored computer program, wherein a device in which the non-volatile storage medium is located performs the platform secondary authentication login method according to any one of claims 11 to 12 by running the computer program.
14. An electronic device, comprising: a memory and a processor, wherein the memory stores a computer program, the processor being configured to execute the platform secondary authentication login method of any one of claims 11 to 12 by the computer program.
CN202410066426.0A 2024-01-17 2024-01-17 Platform secondary authentication login system and method Pending CN117579402A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202410066426.0A CN117579402A (en) 2024-01-17 2024-01-17 Platform secondary authentication login system and method


Publications (1)

Publication Number Publication Date
CN117579402A true CN117579402A (en) 2024-02-20

Family

ID=89895993


Country Status (1)

Country Link
CN (1) CN117579402A (en)

Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105357186A (en) * 2015-10-10 2016-02-24 苏州通付盾信息技术有限公司 Secondary authentication method based on out-of-band authentication and enhanced OTP (One-time Password) mechanism
CN109040067A (en) * 2018-08-02 2018-12-18 广东工业大学 A kind of user authentication device and authentication method based on the unclonable technology PUF of physics
WO2019157333A1 (en) * 2018-02-08 2019-08-15 Nussbaum Jared Peeirs:passive evaluation of endpoint identity and risk as a surrogate authentication factor
KR20210002955A (en) * 2019-07-01 2021-01-11 에스지에이 주식회사 An OTP security management method by using dynamic shared secret distribution algorithm
KR102353189B1 (en) * 2020-07-20 2022-01-19 주식회사 펀앤뉴 Authentication device using dynamic 2D code and driving method Thereof
CN115086040A (en) * 2022-06-16 2022-09-20 北京金山云网络技术有限公司 Login authentication method, device, storage medium and electronic equipment
CN115618399A (en) * 2021-07-15 2023-01-17 腾讯科技(深圳)有限公司 Identity authentication method and device based on block chain, electronic equipment and readable medium



Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination