共计 2223 个字符,预计需要花费 6 分钟才能阅读完成。
最近也是服务器各种被入侵,所以在安全上,要万分注意,特此记录,借助 Google 的身份验证插件,获取动态验证码完成 SSH 登陆。
OS:CentOS 7
安装配置:
1、安装 epel 源
yum -y install epel-release
2、安装 Qrencode, 谷歌身份验证器通过该程序生成二维码
yum install -y qrencode
3、安装谷歌身份验证器,编译安装
git clone https://github.com/google/google-authenticator-libpam.git
cd google-authenticator-libpam/<br>./bootstrap.sh<br>./configure –prefix=/usr/local/google-authenticator<br>make && make install
4、拷贝 google 的身份验证器 pam 模块到系统下
cp /usr/local/google-authenticator/lib/security/pam_google_authenticator.so /lib64/security/
5、配置 sshd 的 pam 认证,写在 auth include password-auth 基于密码认证的上面一行, 先基于 google 验证码认证
auth required pam_google_authenticator.so
6、修改 ssh 服务配置
ChallengeResponseAuthentication yes
7、重启 ssh 服务
systemctl restart sshd
8、进入刚才克隆下来的 google-authenticator-libpam 目录,执行
./google-authenticator #基于当前用户做验证,如果切换别的系统用户,请登陆其他用户,执行此命令即可
Do you want authentication tokens to be time-based (y/n) y #输入 y,提示是否基于时间的认证
接下来会生成一张二维码图片:手机上下载身份验证器 app 软件,扫描此二维码
Your new secret key is: JS57SLVUDEEA7SQ7LD6BEBWGAA #此安全 key 需要备份,用于后续更换手机或者二维码丢失,浏览器的身份验证丢失后,通过此安全 key 获取新的验证吗
Your verification code is 005421 #扫描上述二维码后,查看验证吗,输入
Your emergency scratch codes are:
# 以下验证吗,是后续备用的,只能验证一次
45412365
21522365
85124632
85124631
14785216
Do you want me to update your“/root/.google_authenticator”file (y/n) y
Do you want to disallow multiple uses of the same authentication
token? This restricts you to one login about every 30s, but it increases
your chances to notice or even prevent man-in-the-middle attacks (y/n)
Do you want to disallow multiple uses of the same authentication
token? This restricts you to one login about every 30s, but it increases
your chances to notice or even prevent man-in-the-middle attacks (y/n) y
By default, tokens are good for 30 seconds. In order to compensate for
possible time-skew between the client and the server, we allow an extra
token before and after the current time. If you experience problems with
poor time synchronization, you can increase the window from its default
size of +-1min (window size of 3) to about +-4min (window size of
17 acceptable tokens).
Do you want to do so? (y/n) y
# 安全相关,默认继续
If the computer that you are logging into isn’t hardened against brute-force
login attempts, you can enable rate-limiting for the authentication module.
By default, this limits attackers to no more than 3 login attempts every 30s.
Do you want to enable rate-limiting (y/n) y
# 安全相关,默认继续
9、xshell 终端配置基于 google 验证登陆 linux 主机
xshell 终端的连接方式改为:keyboard Interactive
二次验证码输入:
输入系统密码:
以上就是基于 Google 身份验证的 SSH 登陆。
:
