Configuring SSH login on Linux with Google two-step verification

Posted in Security

Tip: this article was created on 23 October 2015, more than 2 years ago; its content or images may no longer be valid!

Set up Google two-step verification for Linux logins.

System environment: CentOS 6.5

Required RPM packages

Original download addresses of each package

http://pkgs.repoforge.org/rpmforge-release/rpmforge-release-0.5.3-1.el6.rf.i686.rpm  
http://pkgs.repoforge.org/rpmforge-release/rpmforge-release-0.5.3-1.el6.rf.x86_64.rpm  
https://google-authenticator.googlecode.com/files/libpam-google-authenticator-1.0-source.tar.bz2  
http://fukuchi.org/works/qrencode/qrencode-3.4.4.tar.gz  

Required dependency packages

yum install -y wget gcc make pam-devel libpng-devel  

1. Install the Google Authenticator PAM module

tar jxvf libpam-google-authenticator-1.0-source.tar.bz2  
cd libpam-google-authenticator-1.0  
make && make install  

2. Install qrencode, used to generate QR codes from the Linux command line

tar zxvf qrencode-3.4.4.tar.gz  
cd qrencode-3.4.4  
./configure --prefix=/usr  
make && make install  

3. Make SSH call the Google Authenticator PAM module

vim /etc/pam.d/sshd # add on the first line:  
auth required pam_google_authenticator.so  
  
vim /etc/ssh/sshd_config # the sshd configuration lives under /etc/ssh/  
ChallengeResponseAuthentication yes # change no to yes  
  
service sshd restart  

4. Use the Google Authenticator PAM module to generate dynamic verification codes for the SSH login account

google-authenticator # run the command  
  
Do you want authentication tokens to be time-based (y/n) y # asks whether tokens should be time-based  
https://www.google.com/chart?chs=200x200&chld=M|0&cht=qr&chl=otpauth://totp/root@lhh-centos2%3Fsecret%3DEQK2UTMZ2SKLQ4P3  
Your new secret key is: EQK2UTMZ2SKLQ4P3  
Your verification code is 821497  
Your emergency scratch codes are:  
  10494288  
  36850281  
  40497059  
  27128932  
  40844585  
# The URL above is the address of the generated QR-code image (it cannot be opened without bypassing the firewall). The command also generates the secret key and 5 emergency scratch codes (used when a dynamic code cannot be obtained; note: each of these 5 codes is consumed after a single use! Keep them safe!)  
Do you want me to update your "/root/.google_authenticator" file (y/n) y    # asks whether to update the verification file; choose y  
  
Do you want to disallow multiple uses of the same authentication  
token? This restricts you to one login about every 30s, but it increases  
your chances to notice or even prevent man-in-the-middle attacks (y/n) y # disallow reuse of the same token  
  
By default, tokens are good for 30 seconds and in order to compensate for  
possible time-skew between the client and the server, we allow an extra  
token before and after the current time. If you experience problems with poor  
time synchronization, you can increase the window from its default  
size of 1:30min to about 4min. Do you want to do so (y/n) n # by default a dynamic code is valid for 30 seconds; since the client and server clocks may differ, the window can be extended to at most about 4 minutes  
  
If the computer that you are logging into isn't hardened against brute-force  
login attempts, you can enable rate-limiting for the authentication module.  
By default, this limits attackers to no more than 3 login attempts every 30s.  
Do you want to enable rate-limiting (y/n) # whether to limit the number of attempts: at most 3 attempts every 30 seconds  
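To make the dialog above concrete, here is an added example (not part of the original post or of the pam_google_authenticator project) that models what the PAM module does with the base32 secret written to ~/.google_authenticator: it derives the RFC 6238 TOTP code, accepts codes within a window of 30-second steps (the time-skew prompt), and rejects a code whose time step was already used (the "disallow multiple uses" prompt). The class and function names are this example's own.

```python
import base64
import hashlib
import hmac
import struct
import time

STEP_SECONDS = 30   # token lifetime quoted in the setup dialog
DIGITS = 6          # length of the codes printed by google-authenticator


def totp(secret_b32, unix_time, digits=DIGITS):
    """RFC 6238 TOTP (HMAC-SHA1) for a base32 secret at the given Unix time."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    key = base64.b32decode(padded)
    counter = struct.pack(">Q", unix_time // STEP_SECONDS)
    digest = hmac.new(key, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                          # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


class TotpVerifier:
    """Server-side check: skew window plus optional replay rejection (example model)."""

    def __init__(self, secret_b32, window_steps=1, disallow_reuse=True):
        self.secret = secret_b32
        # window_steps=1 accepts t-30s, t, t+30s: the default "1:30min" window
        self.window = window_steps
        self.disallow_reuse = disallow_reuse
        self.used_steps = set()   # stands in for the timestamps the module records

    def verify(self, code, now=None):
        now = int(time.time()) if now is None else now
        current = now // STEP_SECONDS
        for step in range(current - self.window, current + self.window + 1):
            expected = totp(self.secret, step * STEP_SECONDS)
            if hmac.compare_digest(expected, code):
                if self.disallow_reuse and step in self.used_steps:
                    return False      # same token presented twice: reject
                self.used_steps.add(step)
                return True
        return False


if __name__ == "__main__":
    # Secret from the dialog above; the code changes every 30 seconds.
    print(totp("EQK2UTMZ2SKLQ4P3", int(time.time())))
```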
