Tip: this article was created on 23 October 2015, more than 2 years ago; its content or images may no longer be valid!

Install the build dependencies first:

yum install -y wget gcc make pam-devel libpng-devel  

1. Install the google authenticator PAM plugin

tar jxvf libpam-google-authenticator-1.0-source.tar.bz2  
cd libpam-google-authenticator-1.0  
make && make install  

2. Install qrencode

tar zxvf qrencode-3.4.4.tar.gz  
cd qrencode-3.4.4  
./configure --prefix=/usr  
make && make install  

3. Make ssh call the google authenticator PAM plugin

vim /etc/pam.d/sshd    # add the following as the first line  
auth required  
vim /etc/ssh/sshd_config  
ChallengeResponseAuthentication yes    # change no to yes  
service sshd restart  
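The two edits in step 3 are easy to get subtly wrong (the line not first in the PAM stack, a second ChallengeResponseAuthentication entry earlier in the file that sshd honours instead). The following is an added example, not code from the original post or from the libpam-google-authenticator project: it audits file contents passed in as strings, so it runs here on constructed samples and can be pointed at the real /etc/pam.d/sshd and /etc/ssh/sshd_config on a host. The module file name pam_google_authenticator.so is the upstream project's (the post's line omits it); the UsePAM check is an OpenSSH requirement the post does not mention; function names are this example's own.

```python
"""Check the two step-3 edits (PAM stack and sshd_config) before restarting sshd.

Added example, not code from the original post. It audits file contents passed
in as strings, so it runs here on constructed samples and can be pointed at the
real /etc/pam.d/sshd and /etc/ssh/sshd_config on a host.
"""
import re
from typing import List, Optional

# Module file name from the libpam-google-authenticator project (the post's
# 'auth required' line leaves it out).
PAM_MODULE = "pam_google_authenticator.so"


def _active_lines(text: str) -> List[str]:
    """Non-empty, non-comment lines, whitespace-trimmed."""
    return [ln.strip() for ln in text.splitlines()
            if ln.strip() and not ln.lstrip().startswith("#")]


def audit_pam_sshd(text: str) -> List[str]:
    """Problems with an /etc/pam.d/sshd file (empty list means it matches step 3)."""
    problems = []
    lines = _active_lines(text)
    ga = [ln for ln in lines if PAM_MODULE in ln]
    if not ga:
        return [f"no auth line for {PAM_MODULE}"]
    fields = ga[0].split()
    if len(fields) < 3 or fields[0] != "auth" or fields[1] != "required":
        problems.append(f"expected 'auth required {PAM_MODULE}', got: {ga[0]!r}")
    # The post inserts the line first so the OTP prompt runs before the
    # distribution's own auth modules.
    if lines[0] != ga[0]:
        problems.append(f"{PAM_MODULE} is not the first line of the auth stack")
    return problems


def sshd_option(text: str, key: str) -> Optional[str]:
    """Value of `key` in sshd_config text; sshd honours the first occurrence."""
    for ln in _active_lines(text):
        m = re.match(rf"{re.escape(key)}\s+(\S+)", ln, re.IGNORECASE)
        if m:
            return m.group(1).lower()
    return None


def audit_sshd_config(text: str) -> List[str]:
    """Problems with an sshd_config (empty list means it matches step 3)."""
    problems = []
    if sshd_option(text, "ChallengeResponseAuthentication") != "yes":
        problems.append("ChallengeResponseAuthentication is not yes; PAM cannot prompt for the code")
    # Not mentioned in the post: OpenSSH skips the PAM stack entirely unless
    # UsePAM is yes (CentOS ships it as yes, the upstream default is no).
    if sshd_option(text, "UsePAM") != "yes":
        problems.append("UsePAM is not yes; the PAM module will never be consulted")
    return problems


# Constructed sample files (not captured from a real host).
PAM_BEFORE = """#%PAM-1.0
auth       required     pam_sepermit.so
auth       substack     password-auth
account    required     pam_nologin.so
"""
PAM_AFTER = f"auth required {PAM_MODULE}\n" + PAM_BEFORE
SSHD_BEFORE = ("Port 22\n#ChallengeResponseAuthentication yes\n"
               "ChallengeResponseAuthentication no\nUsePAM yes\n")
SSHD_AFTER = SSHD_BEFORE.replace("ChallengeResponseAuthentication no",
                                 "ChallengeResponseAuthentication yes")

if __name__ == "__main__":
    for name, found in [("pam before", audit_pam_sshd(PAM_BEFORE)),
                        ("pam after", audit_pam_sshd(PAM_AFTER)),
                        ("sshd before", audit_sshd_config(SSHD_BEFORE)),
                        ("sshd after", audit_sshd_config(SSHD_AFTER))]:
        print(f"{name}: {found or 'OK'}")
```

Run it on the real files by reading them into strings (for example `audit_sshd_config(open("/etc/ssh/sshd_config").read())`) before `service sshd restart`; an empty list from both audits means the configuration matches what step 3 describes.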

4. Use the google authenticator PAM plugin to generate dynamic verification codes for the ssh login account

google-authenticator    # run the command  
Do you want authentication tokens to be time-based (y/n) y    # asks whether tokens should be time-based  
|0&cht=qr&chl=otpauth://totp/[email protected]%3Fsecret%3DEQK2UTMZ2SKLQ4P3    # (truncated) QR-code URL carrying the otpauth:// secret  
Your new secret key is: EQK2UTMZ2SKLQ4P3  
Your verification code is 821497  
Your emergency scratch codes are:  
Do you want me to update your "/root/.google_authenticator" file (y/n) y    # asks whether to update the verification file; choose y  
Do you want to disallow multiple uses of the same authentication  
token? This restricts you to one login about every 30s, but it increases  
your chances to notice or even prevent man-in-the-middle attacks (y/n) y    # disallow reuse of the same token  
By default, tokens are good for 30 seconds and in order to compensate for  
possible time-skew between the client and the server, we allow an extra  
token before and after the current time. If you experience problems with poor  
time synchronization, you can increase the window from its default  
size of 1:30min to about 4min. Do you want to do so (y/n) n    # a code is valid for 30 seconds by default; because client and server clocks may differ, the window can be widened to at most about 4 minutes  
If the computer that you are logging into isn't hardened against brute-force  
login attempts, you can enable rate-limiting for the authentication module.  
By default, this limits attackers to no more than 3 login attempts every 30s.  
Do you want to enable rate-limiting (y/n)    # whether to limit attempts: at most 3 every 30 seconds
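The three answers above (reuse disallowed, the default 1:30 window, at most 3 attempts per 30 s) are easier to reason about when the verification side is spelled out. What follows is an added example, not the PAM module's code: a small RFC 6238 implementation (HMAC-SHA1, 30-second step, 6 digits, the parameters Google Authenticator uses) plus a verifier that applies those three policies. The `TotpVerifier` class and its bookkeeping are this example's own simplification of what the module does; the base32 secret is the RFC 6238 test seed, used in place of the key printed by google-authenticator so the codes can be checked against the RFC's published values.

```python
"""TOTP verification with the policies the step-4 prompts describe.

Added example, not the PAM module's code. RFC 6238 TOTP (HMAC-SHA1, 30 s step,
6 digits) plus: one step of clock skew accepted on either side (the default
1:30 window), refusal of an already-used token, and at most 3 attempts per
30 s. The verifier is a simplified model, not the module's implementation.
"""
import base64
import hashlib
import hmac
import struct
from typing import Dict, List, Set, Tuple

STEP = 30      # seconds per token
DIGITS = 6


def totp(secret_b32: str, unix_time: int, step_offset: int = 0) -> str:
    """Code for the time step containing `unix_time`, shifted by `step_offset` steps."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    key = base64.b32decode(padded)
    counter = unix_time // STEP + step_offset
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation (RFC 4226)
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{binary % 10 ** DIGITS:0{DIGITS}d}"


class TotpVerifier:
    """Model of the module's checks: skew window, single use, rate limit."""

    def __init__(self, secret_b32: str, window_steps: int = 1,
                 disallow_reuse: bool = True, max_attempts: int = 3,
                 rate_period: int = 30) -> None:
        self.secret = secret_b32
        self.window = window_steps          # 1 => steps t-1, t, t+1 are accepted
        self.disallow_reuse = disallow_reuse
        self.max_attempts = max_attempts
        self.rate_period = rate_period
        self.used_steps: Set[int] = set()   # steps whose code was already accepted
        self.attempts: List[int] = []       # times of recent attempts, for rate limiting

    def verify(self, code: str, now: int) -> Tuple[bool, str]:
        """Return (accepted, reason) for `code` presented at unix time `now`."""
        self.attempts = [t for t in self.attempts if now - t < self.rate_period]
        if len(self.attempts) >= self.max_attempts:
            return False, "rate-limited"    # refused before the code is even checked
        self.attempts.append(now)
        base = now // STEP
        for off in range(-self.window, self.window + 1):
            if hmac.compare_digest(code, totp(self.secret, now, off)):
                if self.disallow_reuse and base + off in self.used_steps:
                    return False, "token already used"
                self.used_steps.add(base + off)
                return True, "ok"
        return False, "invalid code"


def demo() -> Dict[str, Tuple[bool, str]]:
    """Walk the verifier through the cases the prompts describe."""
    seed = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"   # RFC 6238 seed "12345678901234567890", base32
    v = TotpVerifier(seed)
    t = 1111111100                             # 20 s into a step: t..t+9 share one code
    results = {}
    results["current"] = v.verify(totp(seed, t), t)                    # fresh code: accepted
    results["replay"] = v.verify(totp(seed, t), t + 1)                 # same code again: refused
    results["previous_step"] = v.verify(totp(seed, t - STEP), t + 2)   # one step of skew: accepted
    results["fourth_attempt"] = v.verify(totp(seed, t + STEP), t + 3)  # 4th try in 30 s: rate-limited
    results["out_of_window"] = v.verify(totp(seed, t + 10 * STEP), t + 60)  # rate window over, code too far off
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:15s} -> {outcome}")
```

Widening the window (the "about 4min" option) is `window_steps` here: each extra step on either side adds 30 s of tolerance but also one more code that an attacker's guess could match, which is why the prompt recommends it only when clock synchronisation is genuinely poor.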