For a Linux server, logging in with a key is far safer than logging in with a password; after all, there are plenty of scripts on the internet brute-forcing everything they can reach.
These scripts scan IP ranges for open ports and try to log in with common passwords, so changing the port number is also well worth doing.
If you still want to raise the server's security further, you can also consider Google's two-step verification, where every login requires a one-time code.
Google Authenticator is an open-source two-step verification tool; anyone can deploy two-step verification on their own services to improve security.
Note: Google Authenticator supports iOS and Android; other platforms do not seem to have a Google Authenticator app.
Here are the steps to enable two-step verification for logging in to a CentOS server:
1. Google Authenticator verifies against the client based on time, so first bring the server clock up to date:
root@landian:# service ntpd stop ===> stop the NTP service
Shutting down ntpd: ===> NTP service stopped
root@landian:# ntpdate pool.ntp.org ===> synchronize the clock
20 Jan 15:09:24 ntpdate[17021]: adjust time server * offset -0.006584 sec ===> synchronized; the clocks differed by 0.006584 seconds
2. Run the following commands to install a couple of rpm files and refresh the repolist:
root@landian:# cd /tmp ===> enter the tmp folder
root@landian:# wget http://dl.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-8.noarch.rpm ===> download
root@landian:# wget http://rpms.famillecollet.com/enterprise/remi-release-6.rpm ===> download
root@landian:# rpm -Uvh remi-release-6*.rpm epel-release-6*.rpm ===> install
Preparing... ########################################### [100%]
1:epel-release ########################################### [ 50%]
2:remi-release ########################################### [100%] ===> installation complete
root@landian:# yum repolist ===> refresh the repolist
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
epel/metalink | 5.3 kB 00:00
* base: mirrors.cn99.com
* epel: ftp.riken.jp
* extras: centos.ustc.edu.cn
* remi-safe: mirrors.mediatemple.net
* updates: mirrors.cn99.com
epel | 4.3 kB 00:00
epel/primary_db | 5.9 MB 00:01
repo id repo name status
base CentOS-6 - Base 6,696
epel Extra Packages for Enterprise Linux 6 - x86_64 12,215
extras CentOS-6 - Extras 62
remi-safe Safe Remi's RPM repository for Enterprise Linux 6 - x86_64 1,987
updates CentOS-6 - Updates 780
repolist: 21,740 ===> refresh complete
3. Install Google Authenticator on the system. If you skip step 2, this step may fail with "No Package":
root@landian:# yum install google-authenticator ===> install Google Authenticator
Loaded plugins: fastestmirror
Setting up Install Process
Loading mirror speeds from cached hostfile
* base: mirrors.cn99.com
* epel: ftp.riken.jp
* extras: centos.ustc.edu.cn
* remi-safe: mirror.bebout.net
* updates: mirrors.cn99.com
Resolving Dependencies
--> Running transaction check
---> Package google-authenticator.x86_64 0:0-0.3.20110830.hgd525a9bab875.el6 will be installed
--> Finished Dependency Resolution
Dependencies Resolved ===> download complete, ready to install
===================================================================================================
Package Arch Version Repository Size
===================================================================================================
Installing:
google-authenticator x86_64 0-0.3.20110830.hgd525a9bab875.el6 epel 26 k
Transaction Summary
===================================================================================================
Install 1 Package(s)
Total download size: 26 k
Installed size: 51 k
Is this ok [y/N]: y ===> enter y to confirm
Downloading Packages:
google-authenticator-0-0.3.20110830.hgd525a9bab875.el6.x86_64.rpm | 26 kB 00:00
warning: rpmts_HdrFromFdno: Header V3 RSA/SHA256 Signature, key ID 0608b895: NOKEY
Retrieving key from file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-6
Importing GPG key 0x0608B895:
Userid : EPEL (6) <epel@fedoraproject.org>
Package: epel-release-6-8.noarch (installed)
From : /etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-6
Is this ok [y/N]: y ===> enter y to confirm
Running rpm_check_debug
Running Transaction Test
Transaction Test Succeeded
Running Transaction
Warning: RPMDB altered outside of yum.
Installing : google-authenticator-0-0.3.20110830.hgd525a9bab875.el6.x86_64 1/1
Verifying : google-authenticator-0-0.3.20110830.hgd525a9bab875.el6.x86_64 1/1
Installed:
google-authenticator.x86_64 0:0-0.3.20110830.hgd525a9bab875.el6
Complete! ===> installation complete
4. Enable two-step verification for the current user:
root@landian:# google-authenticator
https://www.google.com/chart?chs=200x200&chld=M|0&cht=qr&chl=otpauth://totp/root@landian%3Fsecret%3D4RRUJWKG2ZIU7SC2 ===> the address above is an image; open it in a browser, then scan it with the GA phone app to add the account
Your new secret key is: 4RRUJWKG2ZIU7SC2 ===> this is the secret key; if you do not scan the QR code you can type it in manually to add the account instead
Your verification code is 615947 ===> this is the verification code
Your emergency scratch codes are: ===> the following are emergency codes; if you need to log in but your phone is not with you, you can use one of these
87522227
35333335
84222252
27222238
62272223
Do you want me to update your "~/.google_authenticator" file (y/n) y ===> enter y to confirm updating the file
Do you want to disallow multiple uses of the same authentication token? This restricts you to one login about every 30s, but it increases your chances to notice or even prevent man-in-the-middle attacks (y/n) y ===> answer y to this and all of the remaining questions
By default, tokens are good for 30 seconds and in order to compensate for possible time-skew between the client and the server, we allow an extra token before and after the current time. If you experience problems with poor time synchronization, you can increase the window from its default size of 1:30min to about 4min. Do you want to do so (y/n) y
If the computer that you are logging into isn't hardened against brute-force login attempts, you can enable rate-limiting for the authentication module. By default, this limits attackers to no more than 3 login attempts every 30s. Do you want to enable rate-limiting (y/n) y
5. Edit the SSH configuration files to enable two-step verification. You can edit them directly on the server, or download them, edit them locally and upload them again.
Go to /etc/pam.d/, download the sshd file, add the following line, save it and upload it back over the server copy:
auth required pam_google_authenticator.so
Go to /etc/ssh/, download the sshd_config file, find the following line and change no to yes, then save it and upload it back over the server copy:
#ChallengeResponseAuthentication no
ChallengeResponseAuthentication yes
6. After editing these two files and uploading them to the server, restart the SSH service so the change takes effect:
root@landian:# service sshd restart
7. Disconnect and log in again; it should look roughly like this:
root@landian:# ssh root@192.168.1.1
Password: ===> enter the password here
Verification code: ===> enter the code generated by the GA phone app here
root@landian:#
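To show what the server is actually checking when it asks for the verification code in step 7, here is an added Python example (not part of the original post and not code from the google-authenticator project) that implements the TOTP scheme the PAM module uses: HMAC-SHA1 over a 30-second time counter, the one-step-before-and-after skew window, and the "disallow multiple uses of the same token" rule chosen in step 4. The secret is the RFC 6238 test key rather than the one printed above, so the expected codes are known.

```python
import base64
import hashlib
import hmac
import struct

STEP = 30     # token lifetime in seconds, as stated by the google-authenticator prompt
DIGITS = 6    # length of the verification code

# RFC 6238 test key "12345678901234567890" in base32, the same form the setup step prints.
RFC_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def hotp(secret_b32: str, counter: int) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)   # restore base32 padding
    mac = hmac.new(base64.b32decode(padded), struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** DIGITS).zfill(DIGITS)


def totp(secret_b32: str, unix_time: int) -> str:
    """RFC 6238 TOTP: HOTP whose counter is the number of 30-second steps since the epoch."""
    return hotp(secret_b32, unix_time // STEP)


class TotpVerifier:
    """Server-side check mirroring the PAM module options chosen in step 4."""

    def __init__(self, secret_b32: str, window: int = 1):
        self.secret = secret_b32
        self.window = window        # steps accepted before/after now; 1 = the default 1:30 min span
        self.last_counter = -1      # highest counter already accepted; enforces single use

    def verify(self, code: str, unix_time: int) -> bool:
        now = unix_time // STEP
        for counter in range(now - self.window, now + self.window + 1):
            if counter <= self.last_counter:
                continue            # this token (or an older one) was already used: reject replay
            if hmac.compare_digest(hotp(self.secret, counter), code):
                self.last_counter = counter
                return True
        return False
```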