This walkthrough uses Google Authenticator as the second authentication factor.
Resources
Google Authenticator PAM module
https://github.com/google/google-authenticator-libpam
Mobile app source code
https://github.com/google/google-authenticator
Google Authenticator store page
https://play.google.com/store/apps/details?id=com.google.android.apps.authenticator2
Google Authenticator app download link
https://storage.evozi.com/apk/dl/16/09/05/com.google.android.apps.authenticator2.apk?h=4FgH1NXU1UokEVwXN5sVBw&t=1499507124
Server configuration
Synchronize the time
/usr/sbin/ntpdate asia.pool.ntp.org >>/var/log/ntpdate.log
Install the dependencies
yum install pam-devel make gcc-c++ wget -y
Download the Google Authenticator package
wget https://github.com/google/google-authenticator-libpam/archive/1.03.tar.gz
Build and install
tar zxf 1.03.tar.gz
cd google-authenticator-libpam-1.03/
./bootstrap.sh
./configure
make
make install
Copy the Google Authenticator PAM module into the system module directory
cp /usr/local/lib/security/pam_google_authenticator.so /lib64/security/
Change the SSH PAM login configuration to use pam_google_authenticator.so
# cat /etc/pam.d/sshd
#%PAM-1.0
#auth required pam_sepermit.so
auth required pam_google_authenticator.so
auth include password-auth
account required pam_nologin.so
account include password-auth
password include password-auth
# pam_selinux.so close should be the first session rule
session required pam_selinux.so close
session required pam_loginuid.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session required pam_selinux.so open env_params
session optional pam_keyinit.so force revoke
session include password-auth
Set ChallengeResponseAuthentication to yes
sed -i 's#^ChallengeResponseAuthentication no#ChallengeResponseAuthentication yes#' /etc/ssh/sshd_config
Generate the key, which is needed to add the account in the mobile app.
./google-authenticator
Do you want authentication tokens to be time-based (y/n) y
https://www.google.com/chart?chs=200x200&chld=M|0&cht=qr&chl=otpauth://totp/root@node1%3Fsecret%3D6GY7RPMXCVWN6HHVSSX4XM3WWssuer%3Dnode1 ## QR code
Your new secret key is: 6GY7RPMXCVWN6HHVSSX4XM3WWI ## secret key
Your verification code is 467014
Your emergency scratch codes are: ## backup verification codes; store them safely, they do not expire.
66339556
56534014
64738014
23546970
43468735
Do you want me to update your "/root/.google_authenticator" file? (y/n) y ## configuration file
Do you want to disallow multiple uses of the same authentication
token? This restricts you to one login about every 30s, but it increases
your chances to notice or even prevent man-in-the-middle attacks (y/n) y
By default, tokens are good for 30 seconds. In order to compensate for
possible time-skew between the client and the server, we allow an extra
token before and after the current time. If you experience problems with
poor time synchronization, you can increase the window from its default
size of +-1min (window size of 3) to about +-4min (window size of
17 acceptable tokens).
Do you want to do so? (y/n) y
If the computer that you are logging into isn't hardened against brute-force
login attempts, you can enable rate-limiting for the authentication module.
By default, this limits attackers to no more than 3 login attempts every 30s.
Do you want to enable rate-limiting (y/n) y
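How the 30-second tokens, the window-size answer and the token-reuse answer above interact, as an added Python illustration (not code from the original post or from google-authenticator-libpam). The secret is the RFC 6238 test key, and the names totp, verify and used_steps are made up for this sketch.

```python
import base64
import hashlib
import hmac
import struct

STEP = 30  # token lifetime in seconds, per the prompt text above
# Constructed sample: base32 of the RFC 6238 test key "12345678901234567890".
RFC_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"

def totp(secret_b32, unix_time, digits=6):
    """RFC 6238 code (HMAC-SHA1) for the 30-second step containing unix_time."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    key = base64.b32decode(padded)
    counter = struct.pack(">Q", int(unix_time) // STEP)
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation from RFC 4226
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def verify(secret_b32, code, server_time, window=3, used_steps=None):
    """Return the matching step offset, or None if the code is rejected.

    window=3 accepts the current step and one on each side; window=17
    accepts eight on each side. used_steps (a set kept by the caller)
    models answering "y" to disallowing token reuse.
    """
    if used_steps is None:
        used_steps = set()
    now_step = int(server_time) // STEP
    half = window // 2
    for skew in range(-half, half + 1):
        step = now_step + skew
        if step < 0:
            continue
        if hmac.compare_digest(totp(secret_b32, step * STEP), code):
            if step in used_steps:
                return None  # replay of an already accepted token
            used_steps.add(step)
            return skew
    return None

if __name__ == "__main__":
    server_now = 285                             # constructed server clock
    late = totp(RFC_SECRET, server_now - 120)    # phone runs 2 min behind
    print(verify(RFC_SECRET, late, server_now, window=3))    # None
    seen = set()
    print(verify(RFC_SECRET, late, server_now, window=17, used_steps=seen))  # -4
    print(verify(RFC_SECRET, late, server_now, window=17, used_steps=seen))  # None
```

With the window at 17, seventeen codes are valid at any moment instead of three, so keeping the server clock synchronized and the window small leaves fewer acceptable guesses.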
Restart the SSH service
service sshd restart
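After restarting, do not close the current window, so that a configuration error cannot leave you unable to log in to the server.
Mobile configuration
This walkthrough uses an Android phone: download and install the app. On an iPhone, search for Google Authenticator in the App Store and install it.
Add an account
Enter the key generated earlier
Tap Add
After tapping Done, you will see a verification code that changes every 30 seconds
Logging in with the ssh command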
[root@master ~]# ssh 192.168.77.129
Verification code: # first enter the verification code from the app
Password: # then enter the root password
Last login: Sat Jul 8 15:55:59 2017 from 192.168.77.1
[root@node1 ~]# ifconfig eth0
eth0 Link encap:Ethernet HWaddr 00:0C:29:7D:D4:7A
inet addr:192.168.77.129 Bcast:192.168.77.255 Mask:255.255.255.0
inet6 addr: fe80::20c:29ff:fe7d:d47a/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:275309 errors:0 dropped:0 overruns:0 frame:0
TX packets:165531 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:298600746 (284.7 MiB) TX bytes:24281004 (23.1 MiB)
Logging in with the Xshell client
Set the login method to Keyboard Interactive
First enter the Google verification code
Then enter the root password
Login succeeds