Most people manage their servers by logging in remotely over SSH with a username and password. But SSH credentials leak easily, and are frequently the target of brute-force attacks. I asked my former colleague Saisai about it; his team currently uses Google Authenticator. After reading the Google Authenticator GitHub repository and other documentation online, I reorganised the setup into the notes below.
Google Authenticator generates a one-time code that changes every 30 seconds by default. With the configuration changed as described here, an SSH login must enter the one-time code before the password. Even if the account and password leak, the login still fails when the code is wrong. The Authenticator app on an iPhone or Android phone displays the codes.
1. Disable and turn off SELinux
sed -i 's/SELINUX=enforcing/SELINUX=disabled/' /etc/selinux/config
setenforce 0
2. Install the dependency packages
yum -y install gcc make pam-devel libpng-devel libtool wget git
3. Add the Aliyun EPEL repository
- RHEL 6 / CentOS 6 series
wget -O /etc/yum.repos.d/epel.repo http://mirrors.aliyun.com/repo/epel-6.repo
- RHEL 7 / CentOS 7 series
wget -O /etc/yum.repos.d/epel.repo http://mirrors.aliyun.com/repo/epel-7.repo
4. Install qrencode; Google Authenticator calls it to generate and display the QR code in the terminal
yum -y install qrencode
5. Install Google Authenticator (build the PAM module from source and copy it where sshd's PAM stack can find it)
mkdir -p /App/src
cd /App/src
git clone https://github.com/google/google-authenticator.git
cd google-authenticator/libpam/
./bootstrap.sh
./configure
make
make install
cp /usr/local/lib/security/pam_google_authenticator.so /lib64/security/
6. Edit /etc/pam.d/sshd
After the first line, add the Google Authenticator PAM module configuration:
auth required pam_google_authenticator.so
7. Edit the SSH server configuration /etc/ssh/sshd_config
sed -i 's#^ChallengeResponseAuthentication no#ChallengeResponseAuthentication yes#' /etc/ssh/sshd_config
8. Restart the SSH service
- RHEL 6 / CentOS 6 series
service sshd restart
- RHEL 7 / CentOS 7 series
systemctl restart sshd.service
9. In a terminal, switch to the system user that needs two-factor verification and run the authenticator program google-authenticator. Answer y at every (y/n) prompt. Repeat this for every user who needs to log in remotely over SSH, so that each gets their own one-time-password secret.
Do you want authentication tokens to be time-based (y/n) y
https://www.google.com/chart?chs=200x200&chld=M|0&cht=qr&chl=otpauth://totp/songsong@localhost.localdomain%3Fsecret%3DX3PYDDGPI4BF3DMIVTZ33IRQI4%26issuer%3Dlocalhost.localdomain
[QR code displayed here]
Your new secret key is: X3PYDDGPI4BF3DMIVTZ33IRQI4
Your verification code is 318806
Your emergency scratch codes are:
  34181847
  33327793
  54307163
  36901756
  21117069

Do you want me to update your "/home/songsong/.google_authenticator" file (y/n) y

Do you want to disallow multiple uses of the same authentication
token? This restricts you to one login about every 30s, but it increases
your chances to notice or even prevent man-in-the-middle attacks (y/n) y

By default, tokens are good for 30 seconds. In order to compensate for
possible time-skew between the client and the server, we allow an extra
token before and after the current time. If you experience problems with
poor time synchronization, you can increase the window from its default
size of +-1min (window size of 3) to about +-4min (window size of
17 acceptable tokens).
Do you want to do so? (y/n) y

If the computer that you are logging into isn't hardened against brute-force
login attempts, you can enable rate-limiting for the authentication module.
By default, this limits attackers to no more than 3 login attempts every 30s.
Do you want to enable rate-limiting (y/n) y
10. On an iPhone, open the App Store and search for Google Authenticator; on an Android phone, open the app store and search for Authenticator. Install the matching app.
- iPhone
- Android
11. Open the installed app on the phone, tap Begin setup, then tap Scan barcode and scan the QR code shown in the terminal.
12. Change the SecureCRT connection properties: right-click the existing host connection and choose Properties, select SSH2 in the window that opens, and move Keyboard Interactive to the first position in the Authentication list.
Explanation of the output when the authenticator program google-authenticator is run in the terminal:
Do you want authentication tokens to be time-based (y/n)
Enter y to generate verification codes based on time, or n to generate them based on a counter.
https://www.google.com/chart?chs=200x200&chld=M|0&cht=qr&chl=otpauth://totp/songsong@localhost.localdomain%3Fsecret%3DX3PYDDGPI4BF3DMIVTZ33IRQI4%26issuer%3Dlocalhost.localdomain
The web page that renders the QR code. It requires some way of reaching Google; you know how to arrange that.
[QR code]
If qrencode is not installed, the QR code is not displayed.
Your new secret key is: X3PYDDGPI4BF3DMIVTZ33IRQI4
If the QR code is not displayed and the Google chart page cannot be reached either, the phone's Authenticator app can instead take the secret typed in by hand; the text after the colon is the generated secret.
Your verification code is 318806
The 6-digit verification code valid at this moment; by default it expires after 30 seconds.
Your emergency scratch codes are: 34181847 33327793 54307163 36901756 21117069
Five emergency scratch codes. Each can be used only once and becomes invalid immediately after use. They are for the situation where the codes shown by the phone app are repeatedly rejected; keep them somewhere safe as a backup.
Notes:
If the default time-based mode is used, make sure the server running Google Authenticator and the phone have the same system time; otherwise you cannot log in. So synchronise both the server and the phone periodically against public time servers on the internet to keep their clocks consistent.
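As an added illustration (not code from the original post or from the google-authenticator project), the following Python script implements the time-based code computation from RFC 6238 that both pam_google_authenticator and the phone app perform, together with the window-size option ("window size of 3" versus "17 acceptable tokens") from step 9 and the disallow-reuse option. It uses the RFC 6238 reference test secret, and the secret printed above only to show the base32 padding the tool omits.

```python
import base64
import hashlib
import hmac
import struct

# RFC 6238 reference test secret: ASCII "12345678901234567890", base32-encoded.
RFC_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
# The secret printed by google-authenticator earlier in this post (26 chars, no '=' padding).
PAGE_SECRET = "X3PYDDGPI4BF3DMIVTZ33IRQI4"


def totp(secret_b32: str, at_time: int, step: int = 30, digits: int = 6) -> str:
    """Compute the TOTP code for unix time `at_time` (HMAC-SHA1, as Google Authenticator uses)."""
    # google-authenticator prints the secret without base32 padding; restore it before decoding.
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    key = base64.b32decode(padded)
    counter = at_time // step                      # number of 30-second steps since the epoch
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                     # dynamic truncation (RFC 4226)
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def verify(secret_b32, code, now, window=3, step=30, used=None):
    """Return the step offset (-1, 0, +1, ...) at which `code` is valid, or None.

    window: number of acceptable tokens, as in the google-authenticator prompt
            (3 = current step +-1, about +-1 minute of skew; 17 = +-8 steps, about +-4 minutes).
    used:   set of counters already consumed; models "disallow multiple uses of the
            same token", so a code replayed within its 30 s lifetime is rejected.
    """
    half = window // 2
    for k in range(-half, half + 1):
        t = now + k * step
        if t < 0:
            continue
        if hmac.compare_digest(totp(secret_b32, t, step), code):
            counter = t // step
            if used is not None:
                if counter in used:
                    return None
                used.add(counter)
            return k
    return None
```

A phone clock that drifts more than one step from the server puts the code outside the default window of 3, which is exactly the login failure the note above warns about.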