一般來說,使用ssh遠程登錄服務器,只需要輸入賬號和密碼,顯然這種方式不是很安全。為了安全着想,可以使用GoogleAuthenticator(谷歌身份驗證器),以便在賬號和密碼之間再增加一個驗證碼,只有輸入正確的驗證碼之后,再輸入密碼才能登錄。這樣就增強了ssh登錄的安全性。賬號、驗證碼、密碼三者缺一個都不能登錄,即使賬號和密碼正確,驗證碼錯誤,同樣登錄失敗。其中,驗證碼是動態驗證碼,並且是通過手機客戶端自動獲取(默認每隔30秒失效一次)
Google Authenticator開源版主頁 https://github.com/google/google-authenticator
一、Ubuntu安裝
1、安裝Google Authenticator
apt-get install libpam-google-authenticator
也可以通過源碼編譯安裝
git clone https://github.com/google/google-authenticator.git cd google-authenticator/libpam/ ./bootstrap.sh ./configure make make install
注意:在Debian7中執行./configure時可能存在以下錯誤提示
configure: error: Unable to find the PAM library or the PAM header files
在此需要安裝libpam0g-dev和libtool
apt-get -y install libpam0g-dev libtool
2、設置Google Authenticator
在手機端搜索安裝 Google Authenticator
google-authenticator Do you want authentication tokens to be time-based (y/n) y
然后出現二維碼,使用手機端Google Authenticator掃碼,接下來服務器端繼續設置
如果沒有出現二維碼,可以將提示的以 https://www.google.com/chart? 開頭的連接復制到瀏覽器中,就可以看到二維碼了
Do you want me to update your "/root/.google_authenticator" file (y/n) y
Do you want to disallow multiple uses of the same authentication
token? This restricts you to one login about every 30s, but it increases
your chances to notice or even prevent man-in-the-middle attacks (y/n) Do you want to disallow multiple uses of the same authentication
token? This restricts you to one login about every 30s, but it increases
your chances to notice or even prevent man-in-the-middle attacks (y/n) y
By default, tokens are good for 30 seconds and in order to compensate for
possible time-skew between the client and the server, we allow an extra
token before and after the current time. If you experience problems with poor
time synchronization, you can increase the window from its default
size of 1:30min to about 4min. Do you want to do so (y/n) y
If the computer that you are logging into isn't hardened against brute-force
login attempts, you can enable rate-limiting for the authentication module.
By default, this limits attackers to no more than 3 login attempts every 30s.
Do you want to enable rate-limiting (y/n) y
修改配置文件
root@test:~# vim /etc/pam.d/sshd #在第一行(即account required pam_nologin.so的下一行)增加以下代碼 auth required pam_google_authenticator.so root@test:~# vim /etc/ssh/sshd_config ChallengeResponseAuthentication yes #修改no為yes root@test:~# service ssh restart
3、手機安裝Google身份驗證器
見Centos安裝步驟
4、登錄
再次登錄的話輸入用戶名后就跟着提示兩部驗證碼,然后才輸入用戶密碼,如下:
root@test1:~$ ssh root@120.17.144.148 -p65322 The authenticity of host '[120.17.144.148]:65322 ([120.17.144.148]:65322)' can't be established. RSA key fingerprint is 6f:d1:19:41:af:25:8d:ee:b9:54:11:c0:cc:c0:6e:cd. Are you sure you want to continue connecting (yes/no)? yes Warning: Permanently added '[120.17.144.148]:65322' (RSA) to the list of known hosts. Verification code: Password: Last login: Tue Jan 8 16:55:15 2019 from 121.157.126.116 Welcome to aliyun Elastic Compute Service! [root@test2 ~]#
二、Centos安裝
1、關閉SELINUX
[root@test ~]# vim /etc/selinux/config #永久關閉。需要reboot重啟后生效 SELINUX=enforcing 改為 SELINUX=disabled [root@test ~]# setenforce 0 #臨時性關閉。不需要reboot重啟
2、安裝編輯工具包
[root@test ~]# yum install wget gcc make pam-devel libpng-devel [root@test ~]# yum -y install google-authenticator qrencode mercurial
3、配置ssh服務調用google authenticator PAM插件
[root@test ~]# vim /etc/pam.d/sshd #在第一行(即auth required pam_sepermit.so的下一行)增加以下代碼 auth required pam_google_authenticator.so [root@test ~]# vim /etc/ssh/sshd_config ChallengeResponseAuthentication yes #修改no為yes [root@test ~]# service sshd restart
4、使用google authenticator PAM插件為ssh登錄賬號生成動態驗證碼
注意:哪個賬號需要動態驗證碼,請切換到該賬號下操作。(可以在不同用戶下執行這個命令以生成各自的二次驗證碼)
[root@test ~]# google-authenticator
https://www.google.com/chart?chs=200x200&chld=M|0&cht=qr&chl=otpauth://totp/root@iZ23e3f2jdcZ%3Fsecret%3DD76NMSG26PAUJGAR
Your new secret key is: D76NMSG26PAUJGAR
Your verification code is 829676
Your emergency scratch codes are:
51322579
63010483
39007873
32360318
54935046
Do you want me to update your "~/.google_authenticator" file (y/n) y
Do you want to disallow multiple uses of the same authentication
token? This restricts you to one login about every 30s, but it increases
your chances to notice or even prevent man-in-the-middle attacks (y/n) y
By default, tokens are good for 30 seconds and in order to compensate for
possible time-skew between the client and the server, we allow an extra
token before and after the current time. If you experience problems with poor
time synchronization, you can increase the window from its default
size of 1:30min to about 4min. Do you want to do so (y/n) y
If the computer that you are logging into isn't hardened against brute-force
login attempts, you can enable rate-limiting for the authentication module.
By default, this limits attackers to no more than 3 login attempts every 30s.
Do you want to enable rate-limiting (y/n) y
5、手機安裝Google身份驗證器
通過此工具掃描上一步生成的二維碼圖形,獲取動態驗證碼。
在App Store里直接可以下載Authenticator
然后掃描上面在服務器上生成的二維碼,每個用戶都會有一個單獨的二維碼
接着在ssh的客戶端里設置,如下,設置"Keyboard Interactive"方式登錄
然后再次連接的時候,就會提示先輸入二次身份驗證碼,再輸入用戶密碼。
在Linux客戶機上遠程登錄,效果一樣:
root@test1:~$ ssh root@120.17.144.148 -p65322 The authenticity of host '[120.17.144.148]:65322 ([120.17.144.148]:65322)' can't be established. RSA key fingerprint is 6f:d1:19:41:af:25:8d:ee:b9:54:11:c0:cc:c0:6e:cd. Are you sure you want to continue connecting (yes/no)? yes Warning: Permanently added '[120.17.144.148]:65322' (RSA) to the list of known hosts. Verification code: Password: Last login: Tue Jan 8 16:55:15 2019 from 121.157.126.116 Welcome to aliyun Elastic Compute Service! [root@test2 ~]#