1. Environment
OS: CentOS 6.5 x86_64
[root@uu ~]# uname -a
Linux uu 2.6.32-642.el6.x86_64 #1 SMP Wed Apr 13 00:51:26 EDT 2016 x86_64 x86_64 x86_64 GNU/Linux
Requirements:
Time synchronization
SELinux disabled
2. Installation
Upgrading git
git 1.7.1 is too old: GitHub no longer serves downloads to a 1.7.1 client, so a newer version has to be downloaded from the web and installed.
yum install curl-devel expat-devel gettext-devel openssl-devel zlib-devel -y
yum install gcc perl-ExtUtils-MakeMaker -y
yum remove git -y
yum update -y nss curl libcurl
cd /usr/src
wget https://www.kernel.org/pub/software/scm/git/git-2.1.2.tar.gz
wget https://www.kernel.org/pub/software/scm/git/git-2.1.2.tar.gz --no-check-certificate
tar xzf git-2.1.2.tar.gz
cd git-2.1.2
make prefix=/usr/local/git all
make prefix=/usr/local/git install
# single quotes so $PATH is expanded at login time, not when the line is written
echo 'export PATH=$PATH:/usr/local/git/bin' >> /etc/bashrc
source /etc/bashrc
# configure git to skip HTTPS certificate verification
git config --global http.sslVerify false
3. Installing Google Authenticator (PAM module)
yum install -y git automake libtool pam-devel
git clone https://github.com/google/google-authenticator-libpam.git
cd google-authenticator-libpam/
./bootstrap.sh
./configure
make && make install
cp /usr/local/lib/security/pam_google_authenticator.so /lib64/security/
4. Installing the QR code generator
This step is optional; without a graphical QR code you enter the secret key printed by the program by hand.
yum install -y git qrencode
5. Configuring the SSH service
5.1 Edit /etc/pam.d/sshd
Add the following line to /etc/pam.d/sshd (place it before "auth include password-auth"):
vim /etc/pam.d/sshd
auth required pam_google_authenticator.so no_increment_hotp
5.2 Edit /etc/ssh/sshd_config
vim /etc/ssh/sshd_config
PasswordAuthentication yes
ChallengeResponseAuthentication yes
UsePAM yes
/etc/init.d/sshd restart
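As an added example (not code from the original post or from google-authenticator-libpam), the following Python checker validates the two edits above before sshd is restarted. It takes the contents of /etc/pam.d/sshd and /etc/ssh/sshd_config as strings (the sample texts in the block are constructed), confirms that the pam_google_authenticator.so line sits before `auth include password-auth` (which is what makes the one-time code prompt appear before the password prompt), and reports which of the three sshd directives are not effectively set. It applies sshd's first-occurrence rule: when a keyword appears more than once, sshd uses the first value, so a `ChallengeResponseAuthentication no` line already present in the stock CentOS 6 file silently wins over a `yes` appended further down. `Match` blocks are not modelled.

```python
import re

# Constructed sample files for the demo (not copied from a real host).
SAMPLE_PAM_GOOD = """\
#%PAM-1.0
auth       required     pam_sepermit.so
auth       required     pam_google_authenticator.so no_increment_hotp
auth       include      password-auth
account    required     pam_nologin.so
"""
SAMPLE_PAM_WRONG_ORDER = """\
auth       include      password-auth
auth       required     pam_google_authenticator.so no_increment_hotp
"""
SAMPLE_SSHD_STOCK_PLUS_EDIT = """\
#ChallengeResponseAuthentication yes
ChallengeResponseAuthentication no
UsePAM yes
PasswordAuthentication yes
# appended at the bottom of the file; sshd ignores it because "no" came first
ChallengeResponseAuthentication yes
"""

PAM_GA = re.compile(r"^\s*auth\s+required\s+pam_google_authenticator\.so\b")
PAM_INCLUDE = re.compile(r"^\s*auth\s+include\s+password-auth\s*$")
REQUIRED = {"PasswordAuthentication": "yes",
            "ChallengeResponseAuthentication": "yes",
            "UsePAM": "yes"}


def pam_order_ok(pam_text: str) -> bool:
    """True only if the Google Authenticator auth line precedes
    'auth include password-auth', so the one-time code is demanded first."""
    ga_line = inc_line = None
    for n, line in enumerate(pam_text.splitlines(), 1):
        if ga_line is None and PAM_GA.match(line):
            ga_line = n
        if inc_line is None and PAM_INCLUDE.match(line):
            inc_line = n
    return ga_line is not None and inc_line is not None and ga_line < inc_line


def sshd_effective_config(text: str) -> dict:
    """Keyword -> value as sshd resolves it: comment lines skipped, keywords
    case-insensitive, and the FIRST occurrence of a keyword wins."""
    effective = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        effective.setdefault(key, value)   # later duplicates are ignored
    return effective


def sshd_missing_directives(text: str) -> list:
    """Names of the required directives whose effective value is not 'yes'."""
    effective = sshd_effective_config(text)
    return [k for k, v in REQUIRED.items()
            if effective.get(k.lower(), "").lower() != v]


if __name__ == "__main__":
    print("PAM order ok:", pam_order_ok(SAMPLE_PAM_GOOD),
          pam_order_ok(SAMPLE_PAM_WRONG_ORDER))
    print("sshd_config missing:", sshd_missing_directives(SAMPLE_SSHD_STOCK_PLUS_EDIT))
```

On a real host, read the two files into strings and pass them to `pam_order_ok` and `sshd_missing_directives`; an empty list from the latter means all three directives are effectively `yes`.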
6. Configuring Google Authenticator
google-authenticator
6.1 Adding the host
There are two ways:
After entering "y", a QR code is displayed.
1. Scan this QR code with the Google Authenticator app on your phone to add the host.
2. Enter the secret key shown below the QR code by hand.
Five more questions follow; answer "y" to all of them as prompted.
6.2 Client
Mine is a Huawei phone, so here is the link from the Huawei app store
http://a.vmall.com/uowap/index.html#/detailApp/C63790
Search the app store for "Google Authenticator".
You can add as many clients as you need.
7. Logging in
Enter the one-time code from the phone
Enter the login user's password
8. Notes
[root@uu ~]# google-authenticator
Do you want authentication tokens to be time-based (y/n) y
Warning: pasting the following URL into your browser exposes the OTP secret to Google:
https://www.google.com/chart?chs=200x200&chld=M|0&cht=qr&chl=otpauth://totp/root@uu%3Fsecret%3DJQPBXCQ5UJEARJDKW56QG7PX5M%26issuer%3Duu
Your new secret key is: JQPBXCQ5UJEARJDKW56QG7PX5M
Enter code from app (-1 to skip): 441989
Code confirmed
Your emergency scratch codes are:
15017326
13268423
41466235
66165819
90381302
Do you want me to update your "/root/.google_authenticator" file? (y/n) y
Do you want to disallow multiple uses of the same authentication
token? This restricts you to one login about every 30s, but it increases
your chances to notice or even prevent man-in-the-middle attacks (y/n) y
By default, a new token is generated every 30 seconds by the mobile app.
In order to compensate for possible time-skew between the client and the server,
we allow an extra token before and after the current time. This allows for a
time skew of up to 30 seconds between authentication server and client. If you
experience problems with poor time synchronization, you can increase the window
from its default size of 3 permitted codes (one previous code, the current
code, the next code) to 17 permitted codes (the 8 previous codes, the current
code, and the 8 next codes). This will permit for a time skew of up to 4 minutes
between client and server.
Do you want to do so? (y/n) y
If the computer that you are logging into isn't hardened against brute-force
login attempts, you can enable rate-limiting for the authentication module.
By default, this limits attackers to no more than 3 login attempts every 30s.
Do you want to enable rate-limiting? (y/n) y
Five "y" answers are needed in total:
1st: whether you want a time-based token.
2nd: whether to update your Google Authenticator file; since this is the first setup, you must answer y.
3rd: whether to disallow multiple uses of the same code; answer y here to disallow it, which helps prevent man-in-the-middle attacks.
4th: by default a code is valid for 30 s; this question sets the tolerance for a mismatch between the host's clock and the client's clock. You can answer y or n depending on how strict you need to be.
5th: whether to enable the attempt limit; by default no more than 3 login attempts are allowed in 30 s, which defends against brute-force guessing.
All of these settings are stored in the user's ~/.google_authenticator file. The 5 codes under "emergency scratch codes" are backup codes; be sure to keep them, since they are used when your one-time codes cannot be used. Remember: each one is invalidated after a single use. They can be regenerated later after logging in!
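To make the five answers concrete, here is an added Python model (not code from the original post or from google-authenticator-libpam) of what the PAM module checks on each login: RFC 6238 TOTP generation from the base32 secret, a verification window of ±1 step (the default 3 codes) or ±8 steps (the 17-code option from the 4th question), rejection of a time step that was already used (the 3rd question), and a rate limiter modelled on the 3-attempts-per-30-s default (the 5th question). The secret is the published RFC 4226/6238 test-vector key, not the one printed above; `verify`, `RateLimiter` and the `used` set are this example's own simplified names and do not reproduce the module's ~/.google_authenticator file format.

```python
import base64
import hashlib
import hmac
import struct
import time

# RFC 4226/6238 test-vector secret ("12345678901234567890" in base32); constructed
# for the demo, not the secret printed by google-authenticator above.
DEMO_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def hotp(secret_b32: str, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamic truncation,
    reduced to the requested number of decimal digits."""
    key = base64.b32decode(secret_b32.upper() + "=" * (-len(secret_b32) % 8))
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, at_time: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to the current 30-second time step."""
    return hotp(secret_b32, int(at_time) // step, digits)


def verify(secret_b32, code, now, window=1, used=None, step=30, digits=6):
    """Accept `code` if it matches any time step within ±window of the current one,
    skipping steps recorded in `used` (the "disallow multiple uses" option).
    Returns the matching step index (and records it) or None."""
    used = set() if used is None else used
    current = int(now) // step
    for offset in range(-window, window + 1):
        idx = current + offset
        if idx < 0 or idx in used:
            continue
        if hmac.compare_digest(hotp(secret_b32, idx, digits), str(code)):
            used.add(idx)
            return idx
    return None


class RateLimiter:
    """Allow at most `limit` attempts in any `interval`-second span,
    modelled on the module's default RATE_LIMIT 3 30."""

    def __init__(self, limit: int = 3, interval: int = 30):
        self.limit, self.interval = limit, interval
        self._attempts = []

    def allow(self, now: float) -> bool:
        self._attempts = [t for t in self._attempts if now - t < self.interval]
        if len(self._attempts) >= self.limit:
            return False
        self._attempts.append(now)
        return True


if __name__ == "__main__":
    now = time.time()
    used = set()
    code = totp(DEMO_SECRET, now)
    print("current code:", code)
    print("first use accepted at step", verify(DEMO_SECRET, code, now, used=used))
    print("replay accepted?", verify(DEMO_SECRET, code, now, used=used) is not None)
```

The window argument is what the 4th question changes: with `window=1` a code is still accepted one step (30 s) late but not two, while `window=8` tolerates about 4 minutes of clock skew at the cost of accepting 17 codes at any moment.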