To harden the server, SSH logins are protected with one-time passwords generated by Google Authenticator: after entering the account password, the user must also supply a valid verification code before the login succeeds. All steps below were performed on CentOS 6.5.


First:

1. Install the required packages

yum install -y git make gcc libtool pam-devel qrencode ntpdate


2. Download, build and install

git clone https://github.com/google/google-authenticator-libpam.git
cd google-authenticator-libpam/
./bootstrap.sh
./configure
make && make install
ln -s /usr/local/lib/security/pam_google_authenticator.so /usr/lib64/security/


3. Configure SSH

vim /etc/ssh/sshd_config

Change the following options:

ChallengeResponseAuthentication yes

UsePAM yes

Restart sshd:

service sshd restart


4. Configure PAM

vim /etc/pam.d/sshd

Edit it as follows:

#auth       include      password-auth

auth       substack     password-auth

auth       required     pam_google_authenticator.so

Delete or comment out the first line. The order of the second and third lines determines whether the password or the one-time code is prompted for first (with the order shown, the password comes first).


5. Configure Google Authenticator

First, switch to the account you want to set up:

su google
google-authenticator

Do you want authentication tokens to be time-based (y/n) y    ---Enter y. This generates a QR code and a secret key, which are used in the steps that follow, plus 5 emergency scratch codes. A scratch code can be used in place of a verification code when you cannot obtain one (for example, if you lose your phone); each one is consumed on use, although more can be added manually. If the root account uses Google Authenticator, keep a separate copy of the scratch codes.

Warning: pasting the following URL into your browser exposes the OTP secret to Google:

  https://www.google.com/chart?chs=200x200&chld=M|0&cht=qr&chl=otpauth://totp/google@ip-172-31-17-35%3Fsecret%3DEUMUWLYHE3WFDCD4FTTC4NHDWU%26issuer%3Dip-172-31-17-35

---If qrencode is installed, a QR code is displayed here; the same QR code can also be opened via the URL above---

Your new secret key is: EUMUWLYHE3WFDCD4FTTC4NHDWU

Your verification code is 102411

Your emergency scratch codes are:

  31858704

  90298886

  63354215

  17985381

  56998209


Do you want me to update your "/home/google/.google_authenticator" file? (y/n)y    ---Enter y. This asks whether to write the user's Google Authenticator configuration file; only y makes the settings above take effect for the current user. All it does is create a .google_authenticator file in the user's home directory, so to disable Google Authenticator for a user, just delete the .google_authenticator file from that user's home directory.


Do you want to disallow multiple uses of the same authentication

token? This restricts you to one login about every 30s, but it increases

your chances to notice or even prevent man-in-the-middle attacks (y/n)y    ---Enter y (should each generated code be usable only once? choose y here)


By default, a new token is generated every 30 seconds by the mobile app.

In order to compensate for possible time-skew between the client and the server,

we allow an extra token before and after the current time. This allows for a

time skew of up to 30 seconds between authentication server and client. If you

experience problems with poor time synchronization, you can increase the window

from its default size of 3 permitted codes (one previous code, the current

code, the next code) to 17 permitted codes (the 8 previous codes, the current

code, and the 8 next codes). This will permit for a time skew of up to 4 minutes

between client and server.

Do you want to do so? (y/n)n    ---Enter n (widen the allowed time skew? choose n here)


If the computer that you are logging into isn't hardened against brute-force

login attempts, you can enable rate-limiting for the authentication module.

By default, this limits attackers to no more than 3 login attempts every 30s.

Do you want to enable rate-limiting? (y/n)y    ---Enter y (enable rate-limiting? choose y here; by default at most 3 login attempts every 30 seconds)
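Added example, not part of the original post or of the google-authenticator-libpam project: a minimal pure-Python TOTP verifier that mirrors the choices made above, namely 30-second steps, the default window of 3 permitted codes (previous, current, next), and a simplified single-use (disallow-reuse) check. The single-use check is tracked here as a high-water mark of the last consumed time step, which is an assumption for illustration; the PAM module keeps its own record in .google_authenticator. The secret used for testing is the RFC 6238 reference key, not one from this page.

```python
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional

STEP = 30      # seconds per code, as the mobile app uses
DIGITS = 6
WINDOW = 1     # +/-1 step => 3 permitted codes (the module's default)


def hotp(secret_b32: str, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    secret_b32 = secret_b32.upper().replace(" ", "")
    key = base64.b32decode(secret_b32 + "=" * (-len(secret_b32) % 8))
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, at: int) -> str:
    """RFC 6238 TOTP for the given Unix time: counter = floor(time / 30)."""
    return hotp(secret_b32, at // STEP)


class Verifier:
    """Server-side check with a time-skew window and single-use enforcement."""

    def __init__(self, secret_b32: str, window: int = WINDOW):
        self.secret = secret_b32
        self.window = window
        self.last_used = -1  # highest time-step counter already consumed (assumed scheme)

    def verify(self, code: str, now: Optional[int] = None) -> bool:
        now = int(time.time()) if now is None else now
        current = now // STEP
        for offset in range(-self.window, self.window + 1):
            counter = current + offset
            # constant-time compare: a valid code must not leak through timing
            if hmac.compare_digest(hotp(self.secret, counter), code):
                if counter <= self.last_used:
                    return False  # replay: this step's code was already used
                self.last_used = counter
                return True
        return False
```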


6. Set up the app

First install Google Authenticator from Google Play, open the app, tap "scan a barcode" and scan the QR code generated above, or enter the secret key manually. The app then shows a one-time code that changes every 30 seconds. When logging in to the server over SSH you enter the account password first and then the one-time code.


7. Logging in with a one-time code


[deploy@puppet c]$ ssh google@192.168.1.2

Password: 

Verification code: ---enter the one-time code here---


If anything goes wrong, check /var/log/secure to troubleshoot.

