centos google authenticator 安装及配置

前端之家收集整理的这篇文章主要介绍了centos google authenticator 安装及配置前端之家小编觉得挺不错的,现在分享给大家,也给大家做个参考。

为了增强服务器安全性,使用google authenticator生成的动态密码进行加固,输入密码的同时需要再次验证动态密码才能登录成功。以下操作均在centos6.5环境下操作。


首先:

1、安装一些必要组件

yuminstall-ygitmakegcclibtoolpam-develqrencodentpdate


2、下载编译安装

gitclonehttps://github.com/google/google-authenticator-libpam.git
cdgoogle-authenticator-libpam/
./bootstrap.sh
./configure
make&&makeinstall
ln-s/usr/local/lib/security/pam_google_authenticator.so/usr/lib64/security/


3、配置ssh

vim/etc/ssh/sshd_config

修改如下的配置项:

ChallengeResponseAuthentication yes

UsePAM yes

重启ssh

servicesshdrestart


4、配置PAM

vim /etc/pam.d/sshd

如下:

#auth include password-auth

auth substack password-auth

auth required pam_google_authenticator.so

第一行删除或者注释,第二行和第三行的顺序将确定先输入密码还是动态码


5、配置google authenticator

首先,切换到你需要设置的帐号:

sugoogle
google-authenticator

Do you want authentication tokens to be time-based (y/n) y---输入y(会生成一个二维码和secret key,之后的操作会用到这个二维码/密钥(secret key),还有5 个紧急救助码(emergency scratch code),紧急救助码就是当你无法获取认证码时(比如手机丢了),可以当做认证码来用,每用一个少一个,但其实可以手动添加的,建议如果 root 账户使用 Google Authenticator 的话一定要把紧急救助码另外保存一份。)

Warning: pasting the following URL into your browser exposes the OTP secret to Google:

https://www.google.com/chart?chs=200x200&chld=M|0&cht=qr&chl=otpauth://totp/google@ip-172-31-17-35%3Fsecret%3DEUMUWLYHE3WFDCD4FTTC4NHDWU%26issuer%3Dip-172-31-17-35

---如果已经安装qrencode,此处会显示二维码,该二维码也可以通过上面的网址打开---


Your new secret key is: EUMUWLYHE3WFDCD4FTTC4NHDWU

Your verification code is 102411

Your emergency scratch codes are:

31858704

90298886

63354215

17985381

56998209


Do you want me to update your "/home/google/.google_authenticator" file? (y/n)y---输入y(是否更新用户的 Google Authenticator 配置文件,选择y才能使上面操作对当前用户生效,其实就是在对应用户的Home目录下生成了一个.google_authenticator文件,如果你想停用这个用户的 Google Authenticator 验证,只需要删除这个用户Home目录下的.google_authenticator文件就可以了。)


Do you want to disallow multiple uses of the same authentication

token? This restricts you to one login about every 30s,but it increases

your chances to notice or even prevent man-in-the-middle attacks (y/n)y---输入y(每次生成的认证码是否同时只允许一个人使用?这里选择y)


By default,a new token is generated every 30 seconds by the mobile app.

In order to compensate for possible time-skew between the client and the server,

we allow an extra token before and after the current time. This allows for a

time skew of up to 30 seconds between authentication server and client. If you

experience problems with poor time synchronization,you can increase the window

from its default size of 3 permitted codes (one prevIoUs code,the current

code,the next code) to 17 permitted codes (the 8 prevIoUs codes,and the 8 next codes). This will permit for a time skew of up to 4 minutes

between client and server.

Do you want to do so? (y/n)n---输入n(是否增加时间误差?这里选择n)


If the computer that you are logging into isn't hardened against brute-force

login attempts,you can enable rate-limiting for the authentication module.

By default,this limits attackers to no more than 3 login attempts every 30s.

Do you want to enable rate-limiting? (y/n)y---输入y(是否启用次数限制?这里选择y,默认每 30 秒最多尝试登录 3 次)


6、APP设置

首先从google play 下载google Authenticator,打开app,点击"scan a barcode",扫一下刚刚生成二维码,或者手动输入secret key,即可得到一个动态密码,该密码每30秒变化一次。使用ssh登录服务器时,需要先输入用户密码,再输入动态密码才可以登录

7、动态密码登录


[deploy@puppet c]$ ssh google@192.168.1.2

Password:

Verification code: ---此处输入动态密码---


如果出现异常,请查看/var/log/secure进行排查


参考内容

http://shenyu.me/2016/09/05/centos-google-authenticator.html

http://www.111cn.net/sys/CentOS/88306.htm

猜你在找的CentOS相关文章