To harden the server, the one-time codes generated by Google Authenticator are used as a second login factor: after entering the account password, the user must also enter the current verification code before the SSH login succeeds. Everything below was done on CentOS 6.5.
1. Install the required packages
yum install -y git make gcc libtool pam-devel qrencode ntpdate
2. Download, build and install the PAM module
git clone https://github.com/google/google-authenticator-libpam.git
cd google-authenticator-libpam/
./bootstrap.sh
./configure
make && make install
ln -s /usr/local/lib/security/pam_google_authenticator.so /usr/lib64/security/
(make install puts the module under /usr/local/lib/security; the symlink makes it visible in the directory where PAM looks for modules on this 64-bit system.)
3. Configure sshd
vim /etc/ssh/sshd_config
Change the following options:
ChallengeResponseAuthentication yes
UsePAM yes
Restart sshd:
service sshd restart
4. Configure PAM
vim /etc/pam.d/sshd
Make the auth section read:
#auth include password-auth
auth substack password-auth
auth required pam_google_authenticator.so
Delete or comment out the first line (the original "auth include password-auth"). The order of the second and third lines decides whether the password or the verification code is asked for first; with the order shown, the password comes first.
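Steps 3 and 4 are usually done by hand in vim, which is easy to get wrong (a second "ChallengeResponseAuthentication no" further down wins nothing, because sshd honours the first occurrence, but a forgotten one is confusing; a second pam_google_authenticator line means two code prompts). The script below is an added example, not part of the original post or of the google-authenticator project: it performs the same two edits as idempotent shell functions that take the file path as an argument, so they can be rehearsed on copies before touching /etc, plus a check function that confirms both files carry the settings. The function names are this example's own; the settings they write are the ones shown above.

```shell
#!/bin/sh
# Added example, not from the original post: the sshd_config and
# /etc/pam.d/sshd changes from steps 3 and 4 as idempotent functions that take
# the file path as an argument, so they can be tried on copies of the files
# before touching /etc.  Function names are this example's own; the file
# contents they produce are the settings shown in the post.
set -eu

# rewrite FILE [awk options] PROGRAM: run awk over FILE and write the result
# back through "cat >" so the file keeps its inode, mode, owner and SELinux label.
rewrite() {
  file=$1; shift
  tmp=$(mktemp)
  awk "$@" "$file" > "$tmp" && cat "$tmp" > "$file"
  rm -f "$tmp"
}

# set_sshd_option FILE KEY VALUE: make the first "KEY ..." line (commented out or
# not) read "KEY VALUE", comment out any later duplicates (sshd honours the first
# occurrence), or prepend the line if the key is absent.
set_sshd_option() {
  file=$1 key=$2 value=$3
  if grep -Eiq "^[[:space:]]*#?[[:space:]]*$key([[:space:]=]|\$)" "$file"; then
    rewrite "$file" -v key="$key" -v value="$value" '
      {
        line = $0; sub(/^[ \t]*#?[ \t]*/, "", line)
        split(line, f, /[ \t=]+/)
        if (tolower(f[1]) == tolower(key)) {
          if (!done) { print key " " value; done = 1 }
          else if ($0 ~ /^[ \t]*#/) print
          else print "#" $0
          next
        }
        print
      }'
  else
    # Prepend, not append: a line appended after a "Match" block would belong
    # to that block instead of being a global setting.
    rewrite "$file" -v key="$key" -v value="$value" 'NR == 1 { print key " " value } { print }'
  fi
}

# patch_pam_sshd FILE: comment out "auth include password-auth" and put the
# substack form plus the Google Authenticator module in its place, so the
# password is asked for first and the verification code second.
patch_pam_sshd() {
  file=$1
  if grep -q 'pam_google_authenticator\.so' "$file"; then
    return 0        # already patched; a second run must not add a second prompt
  fi
  rewrite "$file" '
    $1 == "auth" && $2 == "include" && $3 == "password-auth" {
      print "#" $0
      print "auth       substack     password-auth"
      print "auth       required     pam_google_authenticator.so"
      next
    }
    { print }'
}

# mfa_ready SSHD_CONFIG PAM_SSHD: succeed only if both files carry the settings.
mfa_ready() {
  grep -Eiq '^[[:space:]]*ChallengeResponseAuthentication[[:space:]]+yes' "$1" &&
  grep -Eiq '^[[:space:]]*UsePAM[[:space:]]+yes' "$1" &&
  grep -Eq '^auth[[:space:]]+required[[:space:]]+pam_google_authenticator\.so' "$2"
}

# Run as "sh this.sh apply" (as root) to change the real files and restart sshd.
if [ "${1:-}" = apply ]; then
  set_sshd_option /etc/ssh/sshd_config ChallengeResponseAuthentication yes
  set_sshd_option /etc/ssh/sshd_config UsePAM yes
  patch_pam_sshd /etc/pam.d/sshd
  mfa_ready /etc/ssh/sshd_config /etc/pam.d/sshd && service sshd restart
fi
```

Two cautions before running it with "apply": keep an existing SSH session open until a fresh login has been tested, because once the module is "required" every account that has no .google_authenticator file is locked out of SSH (the module accepts the option "nullok" on that PAM line if users without a file should still be able to log in with just a password). And on the real host, check the effective values with "sshd -T | grep -iE 'challengeresponse|usepam'" rather than by reading the file, since that is what sshd will actually use.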
5. Configure google-authenticator
First switch to the account you want to set up, then run the tool:
su google
google-authenticator
Do you want authentication tokens to be time-based (y/n) y   --- enter y (the tool then prints a QR code and a secret key, which are used when setting up the app below, plus 5 emergency scratch codes. A scratch code can be entered in place of a verification code when you cannot get one, for example because the phone is lost; each one works only once, although more can be added by hand to the .google_authenticator file. If the root account is to use Google Authenticator, keep a separate copy of the scratch codes.)
Warning: pasting the following URL into your browser exposes the OTP secret to Google:
https://www.google.com/chart?chs=200x200&chld=M|0&cht=qr&chl=otpauth://totp/google@ip-172-31-17-35%3Fsecret%3DEUMUWLYHE3WFDCD4FTTC4NHDWU%26issuer%3Dip-172-31-17-35
--- if qrencode is installed, the QR code is printed here; the same QR code can also be opened through the URL above, with the caveat the warning states ---
Your new secret key is: EUMUWLYHE3WFDCD4FTTC4NHDWU
Your verification code is 102411
Your emergency scratch codes are:
31858704
90298886
63354215
17985381
56998209
Do you want me to update your "/home/google/.google_authenticator" file? (y/n) y   --- enter y (this writes the settings to the .google_authenticator file in the user's home directory; only then do the choices above take effect for this user. To switch Google Authenticator off again for a user, delete that file from the user's home directory.)
Do you want to disallow multiple uses of the same authentication
token? This restricts you to one login about every 30s, but it increases
your chances to notice or even prevent man-in-the-middle attacks (y/n) y   --- enter y (each verification code may then be used for only one login; choose y)
By default, a new token is generated every 30 seconds by the mobile app.
In order to compensate for possible time-skew between the client and the server,
we allow an extra token before and after the current time. This allows for a
time skew of up to 30 seconds between authentication server and client. If you
experience problems with poor time synchronization, you can increase the window
from its default size of 3 permitted codes (one previous code, the current
code, the next code) to 17 permitted codes (the 8 previous codes, the current
code, and the 8 next codes). This will permit for a time skew of up to 4 minutes
between client and server.
Do you want to do so? (y/n) n   --- enter n (do not widen the time-skew window; keep the server clock synchronized instead, which is what ntpdate from step 1 is for)
If the computer that you are logging into isn't hardened against brute-force
login attempts, you can enable rate-limiting for the authentication module.
By default, this limits attackers to no more than 3 login attempts every 30s.
Do you want to enable rate-limiting? (y/n) y   --- enter y (enable the attempt limit; the default allows at most 3 login attempts every 30 seconds)
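To make the "30-second step" and "window of 3 permitted codes" in the prompts above concrete, the following is an added example (not from the original post, not from the google-authenticator project): a small shell implementation of the TOTP computation the module performs, using only openssl and standard tools. It decodes a base32 secret of the kind printed by the tool, derives the HMAC-SHA1 one-time password for a counter, and lists the three codes that the default window would accept at a given moment. The secret used is the RFC 6238 test key ("12345678901234567890", base32-encoded), so it is a constructed example and not a real secret; the function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the original post: compute the codes that
# pam_google_authenticator accepts for a secret, to make the 30-second step and
# the default window of 3 codes concrete.  Needs openssl, awk, cut, sed, tr.
# TEST_SECRET is the RFC 6238 SHA-1 test key ("12345678901234567890"),
# base32-encoded; it is a constructed example, not a real secret.

TEST_SECRET=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ

# base32_to_hex SECRET: decode the base32 secret printed by google-authenticator
# (and stored on the first line of ~/.google_authenticator) to a hex string.
base32_to_hex() {
  s=$(printf '%s' "$1" | tr 'a-z' 'A-Z' | tr -d '=')
  hex='' acc=0 n=0 i=1
  while [ "$i" -le "${#s}" ]; do
    c=$(printf '%s' "$s" | cut -c"$i")
    a=$(printf '%d' "'$c")                 # ASCII value of the character
    case $c in
      [A-Z]) v=$((a - 65)) ;;              # A..Z -> 0..25
      [2-7]) v=$((a - 24)) ;;              # 2..7 -> 26..31
      *) echo "invalid base32 character: $c" >&2; return 1 ;;
    esac
    b=4
    while [ "$b" -ge 0 ]; do               # append the 5 bits, emitting a byte every 8
      acc=$(( (acc << 1) | ((v >> b) & 1) ))
      n=$((n + 1))
      if [ "$n" -eq 8 ]; then
        hex="$hex$(printf '%02x' "$acc")"
        acc=0 n=0
      fi
      b=$((b - 1))
    done
    i=$((i + 1))
  done                                     # leftover bits (< 8) are padding
  printf '%s' "$hex"
}

# hotp SECRET_B32 COUNTER: 6-digit RFC 4226 HMAC-SHA1 one-time password.
hotp() {
  key=$(base32_to_hex "$1") || return 1
  chex=$(printf '%016x' "$2")              # 8-byte big-endian counter, as hex
  esc='' i=1
  while [ "$i" -le 15 ]; do                # turn each hex byte into a \ooo escape
    esc="$esc$(printf '\\%03o' "$((0x$(printf '%s' "$chex" | cut -c"$i"-"$((i + 1))")))")"
    i=$((i + 2))
  done
  mac=$(printf "$esc" | openssl dgst -sha1 -mac HMAC -macopt "hexkey:$key" | awk '{ print $NF }')
  # dynamic truncation: the low nibble of the last byte selects a 4-byte window
  off=$(( 0x$(printf '%s' "$mac" | cut -c40) * 2 + 1 ))
  dbc=$(( 0x$(printf '%s' "$mac" | cut -c"$off"-"$((off + 7))") & 0x7fffffff ))
  printf '%06d' "$((dbc % 1000000))"
}

# totp SECRET_B32 [UNIX_TIME]: the code for the 30-second step containing
# UNIX_TIME (default: now), which is what the phone app displays.
totp() {
  t=${2:-$(date +%s)}
  hotp "$1" "$((t / 30))"
}

# accepted_codes SECRET_B32 UNIX_TIME: the three codes the module's default
# window (previous step, current step, next step) would accept at that moment.
accepted_codes() {
  step=$(( $2 / 30 ))
  printf '%s %s %s\n' "$(hotp "$1" "$((step - 1))")" "$(hotp "$1" "$step")" "$(hotp "$1" "$((step + 1))")"
}

# Show the codes for the RFC 6238 test time T=59 (step 1).
accepted_codes "$TEST_SECRET" 59
```

Running "totp YOURSECRET" on the server and comparing it with the phone is a quick way to tell a clock-skew problem from a wrong secret: if the server's code equals the app's previous or next code, the clocks differ by one step, and answering "n" above means nothing beyond that one-step drift is tolerated, so an ntpdate run is the fix rather than a wider window. The file the tool writes is plain text: the secret on the first line, option lines beginning with a double quote (for example " RATE_LIMIT 3 30, " DISALLOW_REUSE, " TOTP_AUTH), and one scratch code per line after them, which is why scratch codes can be added by hand; google-authenticator creates it with mode 0400 and the module refuses a file that other users can read. The same answers as above can be given without the interactive prompts via the tool's command-line options (-t -d -f -r 3 -R 30 -w 3 in current versions; check google-authenticator -h for the version you built).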
6. App setup
Install Google Authenticator from Google Play, open it, tap "Scan a barcode" and scan the QR code generated above, or enter the secret key by hand. The app then shows a verification code that changes every 30 seconds. When logging in over SSH you enter the account password first and then the current code.
7. Logging in with a verification code
[deploy@puppet c]$ ssh google@192.168.1.2
Password:
Verification code:    --- enter the code currently shown in the app ---
If anything goes wrong, check /var/log/secure to troubleshoot.
References:
http://shenyu.me/2016/09/05/centos-google-authenticator.html
http://www.111cn.net/sys/CentOS/88306.htm